From 9b1487a090371f88148cc41ea9ac89f3631feab2 Mon Sep 17 00:00:00 2001 From: Horia Gunica <43091730+horiagunica@users.noreply.github.com> Date: Mon, 14 Oct 2024 12:15:40 +0300 Subject: [PATCH] feat(modules/vpc): Add log_config block support for subnetworks (#46) Co-authored-by: michalbil <92343355+michalbil@users.noreply.github.com> --- modules/vpc/README.md | 2 +- modules/vpc/main.tf | 14 +++++++++++++- modules/vpc/variables.tf | 27 ++++++++++++++++++++++++++- 3 files changed, 40 insertions(+), 3 deletions(-) diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 01dc5df..66ddd2f 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -137,7 +137,7 @@ No modules. | [name](#input\_name) | The name of the created or already existing VPC Network. | `string` | n/a | yes | | [project\_id](#input\_project\_id) | Project in which to create or look for VPCs and subnets | `string` | `null` | no | | [routing\_mode](#input\_routing\_mode) | Type of network-wide routing mode to use. Possible types are: REGIONAL and GLOBAL.
REGIONAL routing mode will set the cloud routers to only advertise subnetworks within the same region as the router.
GLOBAL routing mode will set the cloud routers to advertise all the subnetworks that belong to this network. | `string` | `"REGIONAL"` | no | -| [subnetworks](#input\_subnetworks) | A map containing subnetworks configuration. Subnets can belong to different regions.
List of available attributes of each subnetwork entry:
- `name` : Name of the subnetwork.
- `create_subnetwork` : Boolean value to control the creation or reading of the subnetwork. If set to `true` - this will create the subnetwork. If set to `false` - this will read a subnet with provided information.
- `ip_cidr_range` : A string that contains the subnetwork to create. Only IPv4 format is supported.
- `region` : Region where to configure or import the subnet.
- `stack_type` : IP stack type. IPV4\_ONLY (default) and IPV4\_IPV6 are supported.
- `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4\_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL.

Example:
subnetworks = {
my-sub = {
name = "my-sub"
create_subnetwork = true
ip_cidr_range = "192.168.0.0/24"
region = "us-east1"
}
}
|
map(object({
name = string
create_subnetwork = optional(bool, true)
ip_cidr_range = string
region = string
stack_type = optional(string)
ipv6_access_type = optional(string)
}))
| `{}` | no | +| [subnetworks](#input\_subnetworks) | A map containing subnetworks configuration. Subnets can belong to different regions.
List of available attributes of each subnetwork entry:
- `name` : Name of the subnetwork.
- `create_subnetwork` : Boolean value to control the creation or reading of the subnetwork. If set to `true` - this will create the subnetwork. If set to `false` - this will read a subnet with provided information.
- `ip_cidr_range` : A string that contains the subnetwork to create. Only IPv4 format is supported.
- `region` : Region where to configure or import the subnet.
- `stack_type` : IP stack type. IPV4\_ONLY (default) and IPV4\_IPV6 are supported.
- `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4\_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL.
- `log_config` : (Optional) A map containing the logging configuration for the subnetwork.
- `aggregation_interval` : (Optional) The interval at which logs are aggregated for the subnetwork. Possible values are: `INTERVAL_5_SEC`, `INTERVAL_30_SEC`, `INTERVAL_1_MIN`, `INTERVAL_5_MIN`, `INTERVAL_10_MIN`, `INTERVAL_15_MIN`.
- `flow_sampling` : (Optional) The value of the field must be in [0, 1]. Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported.
- `metadata` : (Optional) Configures whether metadata fields should be added to the reported VPC flow logs. Default value is `INCLUDE_ALL_METADATA`. Possible values are: `EXCLUDE_ALL_METADATA`, `INCLUDE_ALL_METADATA`, `CUSTOM_METADATA`.
- `metadata_fields` : (Optional) List of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and `metadata` is set to `CUSTOM_METADATA`.
- `filter_expr` : (Optional) Export filter used to define which VPC flow logs should be logged, as as CEL expression.

Example:
subnetworks = {
my-sub = {
name = "my-sub"
create_subnetwork = true
ip_cidr_range = "192.168.0.0/24"
region = "us-east1"
}
}
|
map(object({
name = string
create_subnetwork = optional(bool, true)
ip_cidr_range = string
region = string
stack_type = optional(string)
ipv6_access_type = optional(string)
log_config = optional(object({
aggregation_interval = optional(string)
flow_sampling = optional(string)
metadata = optional(string)
metadata_fields = optional(list(string))
filter_expr = optional(string)
}))
}))
| `{}` | no | ### Outputs diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index b8d94fe..67b9efe 100644 --- a/modules/vpc/main.tf +++ b/modules/vpc/main.tf @@ -51,6 +51,18 @@ resource "google_compute_subnetwork" "this" { project = var.project_id stack_type = each.value.stack_type ipv6_access_type = each.value.ipv6_access_type + + dynamic "log_config" { + for_each = each.value.log_config != null ? [each.value.log_config] : [] + + content { + aggregation_interval = log_config.value.aggregation_interval + flow_sampling = log_config.value.flow_sampling + metadata = log_config.value.metadata + metadata_fields = log_config.value.metadata_fields + filter_expr = log_config.value.filter_expr + } + } } resource "google_compute_firewall" "this" { @@ -80,4 +92,4 @@ resource "google_compute_firewall" "this" { metadata = log_config.value } } -} \ No newline at end of file +} diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 43a62a9..3dc30ec 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -29,6 +29,12 @@ variable "subnetworks" { - `region` : Region where to configure or import the subnet. - `stack_type` : IP stack type. IPV4_ONLY (default) and IPV4_IPV6 are supported. - `ipv6_access_type` : The access type of IPv6 address. It's immutable and can only be specified during creation or the first time the subnet is updated into IPV4_IPV6 dual stack. Possible values are: EXTERNAL, INTERNAL. + - `log_config` : (Optional) A map containing the logging configuration for the subnetwork. + - `aggregation_interval` : (Optional) The interval at which logs are aggregated for the subnetwork. Possible values are: `INTERVAL_5_SEC`, `INTERVAL_30_SEC`, `INTERVAL_1_MIN`, `INTERVAL_5_MIN`, `INTERVAL_10_MIN`, `INTERVAL_15_MIN`. + - `flow_sampling` : (Optional) The value of the field must be in [0, 1]. Set the sampling rate of VPC flow logs within the subnetwork where 1.0 means all collected logs are reported and 0.0 means no logs are reported. + - `metadata` : (Optional) Configures whether metadata fields should be added to the reported VPC flow logs. Default value is `INCLUDE_ALL_METADATA`. Possible values are: `EXCLUDE_ALL_METADATA`, `INCLUDE_ALL_METADATA`, `CUSTOM_METADATA`. + - `metadata_fields` : (Optional) List of metadata fields that should be added to reported logs. Can only be specified if VPC flow logs for this subnetwork is enabled and `metadata` is set to `CUSTOM_METADATA`. + - `filter_expr` : (Optional) Export filter used to define which VPC flow logs should be logged, as as CEL expression. Example: ``` @@ -50,7 +56,26 @@ variable "subnetworks" { region = string stack_type = optional(string) ipv6_access_type = optional(string) + log_config = optional(object({ + aggregation_interval = optional(string) + flow_sampling = optional(string) + metadata = optional(string) + metadata_fields = optional(list(string)) + filter_expr = optional(string) + })) })) + validation { + condition = alltrue([ + for subnet in var.subnetworks : + subnet.log_config != null ? (anytrue([ + (subnet.log_config.aggregation_interval != null && can(regex("^INTERVAL_(5_SEC|30_SEC|1_MIN|5_MIN|10_MIN|15_MIN)$", subnet.log_config.aggregation_interval)) ? true : false), + (subnet.log_config.metadata != null && can(regex("^(EXCLUDE_ALL_METADATA|INCLUDE_ALL_METADATA|CUSTOM_METADATA)$", subnet.log_config.metadata)) ? true : false), + (subnet.log_config.flow_sampling != null && can(subnet.log_config.flow_sampling >= 0 && subnet.log_config.flow_sampling <= 1) ? true : false), + (subnet.log_config.filter_expr != null ? true : false) + ])) : true + ]) + error_message = "If log_config is specified, at least one of the following must be specified : aggregation_interval, metadata, flow_sampling, filter_expr." + } } variable "firewall_rules" { @@ -180,4 +205,4 @@ variable "internal_ipv6_range" { EOF type = string default = "" -} \ No newline at end of file +}