Commit
feat(modules/vpc): Add log_config block support for subnetworks (#46)
Co-authored-by: michalbil <[email protected]>
horiagunica and michalbil authored Oct 14, 2024
1 parent 7ae2526 commit 9b1487a
Showing 3 changed files with 40 additions and 3 deletions.
2 changes: 1 addition & 1 deletion modules/vpc/README.md
Expand Up @@ -137,7 +137,7 @@ No modules.
| <a name="input_name"></a> [name](#input\_name) | The name of the created or already existing VPC Network. | `string` | n/a | yes |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project in which to create or look for VPCs and subnets | `string` | `null` | no |
| <a name="input_routing_mode"></a> [routing\_mode](#input\_routing\_mode) | Type of network-wide routing mode to use. Possible types are: REGIONAL and GLOBAL.<br>REGIONAL routing mode will set the cloud routers to only advertise subnetworks within the same region as the router.<br>GLOBAL routing mode will set the cloud routers to advertise all the subnetworks that belong to this network. | `string` | `"REGIONAL"` | no |
| <a name="input_subnetworks"></a> [subnetworks](#input\_subnetworks) | A map containing subnetworks configuration. Subnets can belong to different regions.<br>List of available attributes of each subnetwork entry:<br>- `name` : Name of the subnetwork.<br>- `create_subnetwork` : Boolean value to control the creation or reading of the subnetwork. If set to `true` - this will create the subnetwork. If set to `false` - this will read a subnet with provided information.<br>- `ip_cidr_range` : A string that contains the subnetwork to create. Only IPv4 format is supported.<br>- `region` : Region where to configure or import the subnet.<br>- `stack_type` : IP stack type. IPV4\_ONLY (default) and IPV4\_IPV6 are supported.<br>- `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4\_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL.<br><br>Example:<pre>subnetworks = {<br> my-sub = {<br> name = "my-sub"<br> create_subnetwork = true<br> ip_cidr_range = "192.168.0.0/24"<br> region = "us-east1"<br> }<br>}</pre> | <pre>map(object({<br> name = string<br> create_subnetwork = optional(bool, true)<br> ip_cidr_range = string<br> region = string<br> stack_type = optional(string)<br> ipv6_access_type = optional(string)<br> }))</pre> | `{}` | no |
| <a name="input_subnetworks"></a> [subnetworks](#input\_subnetworks) | A map containing subnetworks configuration. Subnets can belong to different regions.<br>List of available attributes of each subnetwork entry:<br>- `name` : Name of the subnetwork.<br>- `create_subnetwork` : Boolean value to control the creation or reading of the subnetwork. If set to `true` - this will create the subnetwork. If set to `false` - this will read a subnet with provided information.<br>- `ip_cidr_range` : A string that contains the subnetwork to create. Only IPv4 format is supported.<br>- `region` : Region where to configure or import the subnet.<br>- `stack_type` : IP stack type. IPV4\_ONLY (default) and IPV4\_IPV6 are supported.<br>- `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4\_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL.<br>- `log_config` : (Optional) A map containing the logging configuration for the subnetwork.<br> - `aggregation_interval` : (Optional) The interval at which logs are aggregated for the subnetwork. Possible values are: `INTERVAL_5_SEC`, `INTERVAL_30_SEC`, `INTERVAL_1_MIN`, `INTERVAL_5_MIN`, `INTERVAL_10_MIN`, `INTERVAL_15_MIN`.<br> - `flow_sampling` : (Optional) The value of the field must be in [0, 1]. Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported.<br> - `metadata` : (Optional) Configures whether metadata fields should be added to the reported VPC flow logs. Default value is `INCLUDE_ALL_METADATA`. Possible values are: `EXCLUDE_ALL_METADATA`, `INCLUDE_ALL_METADATA`, `CUSTOM_METADATA`.<br> - `metadata_fields` : (Optional) List of metadata fields that should be added to reported logs. 
Can only be specified if VPC flow logs for this subnetwork is enabled and `metadata` is set to `CUSTOM_METADATA`.<br> - `filter_expr` : (Optional) Export filter used to define which VPC flow logs should be logged, as as CEL expression.<br><br>Example:<pre>subnetworks = {<br> my-sub = {<br> name = "my-sub"<br> create_subnetwork = true<br> ip_cidr_range = "192.168.0.0/24"<br> region = "us-east1"<br> }<br>}</pre> | <pre>map(object({<br> name = string<br> create_subnetwork = optional(bool, true)<br> ip_cidr_range = string<br> region = string<br> stack_type = optional(string)<br> ipv6_access_type = optional(string)<br> log_config = optional(object({<br> aggregation_interval = optional(string)<br> flow_sampling = optional(string)<br> metadata = optional(string)<br> metadata_fields = optional(list(string))<br> filter_expr = optional(string)<br> }))<br> }))</pre> | `{}` | no |

### Outputs

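Review bot: the type column of the new `subnetworks` row declares `flow_sampling = optional(string)` while the description in the same row says the value must lie in [0, 1]; `optional(number)` would match both the description and the numeric provider argument. The description also carries a doubled word ("as as CEL expression"), and the `Example:` block in that cell was not extended, so the README still shows no `log_config` entry even though this commit exists to add one; a second subnet in the example with `log_config = { flow_sampling = 0.5, metadata = "INCLUDE_ALL_METADATA" }` would give readers a rendered sample of the new attributes.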
14 changes: 13 additions & 1 deletion modules/vpc/main.tf
Expand Up @@ -51,6 +51,18 @@ resource "google_compute_subnetwork" "this" {
project = var.project_id
stack_type = each.value.stack_type
ipv6_access_type = each.value.ipv6_access_type

dynamic "log_config" {
for_each = each.value.log_config != null ? [each.value.log_config] : []

content {
aggregation_interval = log_config.value.aggregation_interval
flow_sampling = log_config.value.flow_sampling
metadata = log_config.value.metadata
metadata_fields = log_config.value.metadata_fields
filter_expr = log_config.value.filter_expr
}
}
}

resource "google_compute_firewall" "this" {
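Review bot: `flow_sampling = log_config.value.flow_sampling` forwards a value that variables.tf types as `optional(string)` to a numeric provider argument; Terraform converts numeric-looking strings implicitly, but a non-numeric string will only surface as a provider error at plan time instead of being rejected by the variable's type check, so typing the attribute as `number` at the variable is the cleaner fix. The `dynamic` block itself is sound: `for_each` over `[each.value.log_config]` produces exactly one `log_config` block when the attribute is set and none otherwise, and object attributes the caller left out arrive as `null`, which is the same as not writing them. A one-line comment above the block saying that the mere presence of `log_config` is what switches VPC flow logs on for the subnet (the README only calls it "the logging configuration") would help operators reviewing a plan understand why a subnet with `log_config` set suddenly starts exporting flow logs.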
Expand Down Expand Up @@ -80,4 +92,4 @@ resource "google_compute_firewall" "this" {
metadata = log_config.value
}
}
}
}
27 changes: 26 additions & 1 deletion modules/vpc/variables.tf
Expand Up @@ -29,6 +29,12 @@ variable "subnetworks" {
- `region` : Region where to configure or import the subnet.
- `stack_type` : IP stack type. IPV4_ONLY (default) and IPV4_IPV6 are supported.
- `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL.
- `log_config` : (Optional) A map containing the logging configuration for the subnetwork.
- `aggregation_interval` : (Optional) The interval at which logs are aggregated for the subnetwork. Possible values are: `INTERVAL_5_SEC`, `INTERVAL_30_SEC`, `INTERVAL_1_MIN`, `INTERVAL_5_MIN`, `INTERVAL_10_MIN`, `INTERVAL_15_MIN`.
- `flow_sampling` : (Optional) The value of the field must be in [0, 1]. Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported.
- `metadata` : (Optional) Configures whether metadata fields should be added to the reported VPC flow logs. Default value is `INCLUDE_ALL_METADATA`. Possible values are: `EXCLUDE_ALL_METADATA`, `INCLUDE_ALL_METADATA`, `CUSTOM_METADATA`.
- `metadata_fields` : (Optional) List of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and `metadata` is set to `CUSTOM_METADATA`.
- `filter_expr` : (Optional) Export filter used to define which VPC flow logs should be logged, as as CEL expression.
Example:
```
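Review bot: the added description lines have two wording slips that are copied verbatim into the README by the doc generator: "as as CEL expression" (doubled "as") and "if VPC flow logs for this subnetwork is enabled" (should be "are enabled"). `log_config` is also introduced as "A map containing the logging configuration" while the type declared further down in this file is an `object(...)` with fixed attribute names; calling it an object block keeps the description consistent with the type column and with how the other entries are described.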
Expand All @@ -50,7 +56,26 @@ variable "subnetworks" {
region = string
stack_type = optional(string)
ipv6_access_type = optional(string)
log_config = optional(object({
aggregation_interval = optional(string)
flow_sampling = optional(string)
metadata = optional(string)
metadata_fields = optional(list(string))
filter_expr = optional(string)
}))
}))
validation {
condition = alltrue([
for subnet in var.subnetworks :
subnet.log_config != null ? (anytrue([
(subnet.log_config.aggregation_interval != null && can(regex("^INTERVAL_(5_SEC|30_SEC|1_MIN|5_MIN|10_MIN|15_MIN)$", subnet.log_config.aggregation_interval)) ? true : false),
(subnet.log_config.metadata != null && can(regex("^(EXCLUDE_ALL_METADATA|INCLUDE_ALL_METADATA|CUSTOM_METADATA)$", subnet.log_config.metadata)) ? true : false),
(subnet.log_config.flow_sampling != null && can(subnet.log_config.flow_sampling >= 0 && subnet.log_config.flow_sampling <= 1) ? true : false),
(subnet.log_config.filter_expr != null ? true : false)
])) : true
])
error_message = "If log_config is specified, at least one of the following must be specified : aggregation_interval, metadata, flow_sampling, filter_expr."
}
}

variable "firewall_rules" {
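Review bot: the `flow_sampling` check in the new `validation` block does not enforce the [0, 1] range. `can(expr)` reports whether `expr` evaluated without error, not whether it was true, so for `flow_sampling = "7"` the expression `can("7" >= 0 && "7" <= 1)` returns `true` (the comparison converts the string and evaluates cleanly to `false`) and the out-of-range value passes. Use `try(subnet.log_config.flow_sampling >= 0 && subnet.log_config.flow_sampling <= 1, false)` instead, and declare the attribute as `optional(number)` rather than `optional(string)` so non-numeric input is rejected by the type check before the validation runs. A second problem is the `anytrue([...])` wrapper: because each element combines "is set" with "is well-formed", a subnet with a valid `aggregation_interval` and `metadata = "BOGUS"` passes validation, yet the `error_message` only says that at least one attribute must be specified. Consider splitting this into one validation that requires at least one non-null attribute and separate per-attribute validations of the form `subnet.log_config.metadata == null || can(regex("^(EXCLUDE_ALL_METADATA|INCLUDE_ALL_METADATA|CUSTOM_METADATA)$", subnet.log_config.metadata))`, each with its own error message; the `? true : false` suffixes can then go, since the conditions already yield booleans.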
Expand Down Expand Up @@ -180,4 +205,4 @@ variable "internal_ipv6_range" {
EOF
type = string
default = ""
}
}