feat: Feature/private service connect module (#722)

* create the private service connector module

* fixes the domain for dns

* Fixes an warning regarding parameters suage

* fixes the test

* fix Copyright year

* remove unused variables at private service connect module

* add global_address_id output

* fix lint

* add private_service_connect_ip variable

* fix lint issues

Co-authored-by: Daniel da Silva Andrade <dandrade@ciandt.com>

3-networks/modules/base_shared_vpc/dns.tf

@@ -50,105 +50,6 @@ resource "google_dns_policy" "default_policy" {
   }
 }
 
-/******************************************
-  Private Google APIs DNS Zone & records.
- *****************************************/
-
-module "private_googleapis" {
-  source      = "terraform-google-modules/cloud-dns/google"
-  version     = "~> 4.0"
-  project_id  = var.project_id
-  type        = "private"
-  name        = "dz-${var.environment_code}-shared-base-apis"
-  domain      = "googleapis.com."
-  description = "Private DNS zone to configure private.googleapis.com"
-
-  private_visibility_config_networks = [
-    module.main.network_self_link
-  ]
-
-  recordsets = [
-    {
-      name    = "*"
-      type    = "CNAME"
-      ttl     = 300
-      records = ["private.googleapis.com."]
-    },
-    {
-      name    = "private"
-      type    = "A"
-      ttl     = 300
-      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
-    },
-  ]
-}
-
-/******************************************
-  Private GCR DNS Zone & records.
- *****************************************/
-
-module "base_gcr" {
-  source      = "terraform-google-modules/cloud-dns/google"
-  version     = "~> 3.1"
-  project_id  = var.project_id
-  type        = "private"
-  name        = "dz-${var.environment_code}-shared-base-gcr"
-  domain      = "gcr.io."
-  description = "Private DNS zone to configure gcr.io"
-
-  private_visibility_config_networks = [
-    module.main.network_self_link
-  ]
-
-  recordsets = [
-    {
-      name    = "*"
-      type    = "CNAME"
-      ttl     = 300
-      records = ["gcr.io."]
-    },
-    {
-      name    = ""
-      type    = "A"
-      ttl     = 300
-      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
-    },
-  ]
-}
-
-/***********************************************
-  Private Artifact Registry DNS Zone & records.
- ***********************************************/
-
-module "base_pkg_dev" {
-  source      = "terraform-google-modules/cloud-dns/google"
-  version     = "~> 3.1"
-  project_id  = var.project_id
-  type        = "private"
-  name        = "dz-${var.environment_code}-shared-base-pkg-dev"
-  domain      = "pkg.dev."
-  description = "Private DNS zone to configure pkg.dev"
-
-  private_visibility_config_networks = [
-    module.main.network_self_link
-  ]
-
-  recordsets = [
-    {
-      name    = "*"
-      type    = "CNAME"
-      ttl     = 300
-      records = ["pkg.dev."]
-    },
-    {
-      name    = ""
-      type    = "A"
-      ttl     = 300
-      records = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
-    },
-  ]
-}
-
 /******************************************
  Creates DNS Peering to DNS HUB
 *****************************************/

3-networks/modules/base_shared_vpc/main.tf

@@ -18,7 +18,7 @@ locals {
   mode                    = var.mode == null ? "" : var.mode == "hub" ? "-hub" : "-spoke"
   vpc_name                = "${var.environment_code}-shared-base${local.mode}"
   network_name            = "vpc-${local.vpc_name}"
-  private_googleapis_cidr = "199.36.153.8/30"
+  private_googleapis_cidr = module.private_service_connect.private_service_connect_ip
 }
 
 /******************************************
@@ -52,13 +52,6 @@ module "main" {
   secondary_ranges = var.secondary_ranges
 
   routes = concat(
-    [{
-      name              = "rt-${local.vpc_name}-1000-all-default-private-api"
-      description       = "Route through IGW to allow private google api access."
-      destination_range = "199.36.153.8/30"
-      next_hop_internet = "true"
-      priority          = "1000"
-    }],
     var.nat_enabled ?
     [
       {

3-networks/modules/base_shared_vpc/private_service_connect.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+module "private_service_connect" {
+  source                     = "../private_service_connect"
+  project_id                 = var.project_id
+  network_id                 = module.main.network_self_link
+  environment_code           = var.environment_code
+  network_self_link          = module.main.network_self_link
+  private_service_connect_ip = "10.3.0.5"
+  forwarding_rule_target     = "all-apis"
+}

3-networks/modules/private_service_connect/dns.tf

@@ -0,0 +1,114 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Private Google APIs DNS Zone & records.
+ *****************************************/
+
+module "googleapis" {
+  source      = "terraform-google-modules/cloud-dns/google"
+  version     = "~> 4.0"
+  project_id  = var.project_id
+  type        = "private"
+  name        = "dz-${var.environment_code}-shared-${local.vpc_type}-apis"
+  domain      = "googleapis.com."
+  description = "Private DNS zone to configure ${local.googleapis_url}"
+
+  private_visibility_config_networks = [
+    var.network_self_link
+  ]
+
+  recordsets = [
+    {
+      name    = "*"
+      type    = "CNAME"
+      ttl     = 300
+      records = [local.googleapis_url]
+    },
+    {
+      name    = local.recordsets_name
+      type    = "A"
+      ttl     = 300
+      records = [var.private_service_connect_ip]
+    },
+  ]
+}
+
+/******************************************
+  GCR DNS Zone & records.
+ *****************************************/
+
+module "gcr" {
+  source      = "terraform-google-modules/cloud-dns/google"
+  version     = "~> 3.1"
+  project_id  = var.project_id
+  type        = "private"
+  name        = "dz-${var.environment_code}-shared-${local.vpc_type}-gcr"
+  domain      = "gcr.io."
+  description = "Private DNS zone to configure gcr.io"
+
+  private_visibility_config_networks = [
+    var.network_self_link
+  ]
+
+  recordsets = [
+    {
+      name    = "*"
+      type    = "CNAME"
+      ttl     = 300
+      records = ["gcr.io."]
+    },
+    {
+      name    = ""
+      type    = "A"
+      ttl     = 300
+      records = [var.private_service_connect_ip]
+    },
+  ]
+}
+
+/***********************************************
+  Artifact Registry DNS Zone & records.
+ ***********************************************/
+
+module "pkg_dev" {
+  source      = "terraform-google-modules/cloud-dns/google"
+  version     = "~> 3.1"
+  project_id  = var.project_id
+  type        = "private"
+  name        = "dz-${var.environment_code}-shared-${local.vpc_type}-pkg-dev"
+  domain      = "pkg.dev."
+  description = "Private DNS zone to configure pkg.dev"
+
+  private_visibility_config_networks = [
+    var.network_self_link
+  ]
+
+  recordsets = [
+    {
+      name    = "*"
+      type    = "CNAME"
+      ttl     = 300
+      records = ["pkg.dev."]
+    },
+    {
+      name    = ""
+      type    = "A"
+      ttl     = 300
+      records = [var.private_service_connect_ip]
+    },
+  ]
+}

3-networks/modules/private_service_connect/main.tf

@@ -0,0 +1,41 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  vpc_type        = var.forwarding_rule_target == "vpc-sc" ? "restricted" : "base"
+  googleapis_url  = var.forwarding_rule_target == "vpc-sc" ? "restricted.googleapis.com." : "private.googleapis.com."
+  recordsets_name = split(".", local.googleapis_url)[0]
+}
+
+resource "google_compute_global_address" "private_service_connect" {
+  provider     = google-beta
+  project      = var.project_id
+  name         = "global-psconnect-ip"
+  address_type = "INTERNAL"
+  purpose      = "PRIVATE_SERVICE_CONNECT"
+  network      = var.network_id
+  address      = var.private_service_connect_ip
+}
+
+resource "google_compute_global_forwarding_rule" "forwarding_rule_private_service_connect" {
+  provider              = google-beta
+  project               = var.project_id
+  name                  = "globalrule"
+  target                = var.forwarding_rule_target
+  network               = var.network_id
+  ip_address            = google_compute_global_address.private_service_connect.id
+  load_balancing_scheme = ""
+}

3-networks/modules/private_service_connect/outputs.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "private_service_connect_ip" {
+  value       = var.private_service_connect_ip
+  description = "The private service connect ip"
+
+  depends_on = [
+    google_compute_global_forwarding_rule.forwarding_rule_private_service_connect
+  ]
+}
+
+output "global_address_id" {
+  value       = google_compute_global_address.private_service_connect.id
+  description = "An identifier for the global address created for the private service connect with format `projects/{{project}}/global/addresses/{{name}}`"
+}

3-networks/modules/private_service_connect/variables.tf

@@ -0,0 +1,50 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "Project ID for Private Service Connect."
+  type        = string
+}
+
+variable "network_id" {
+  description = "Network ID for Private Service Connect."
+  type        = string
+}
+
+variable "network_self_link" {
+  description = "Network self link for Private Service Connect."
+  type        = string
+}
+
+variable "environment_code" {
+  description = "A short form of the folder level resources (environment) within the Google Cloud organization."
+  type        = string
+}
+
+variable "private_service_connect_ip" {
+  description = "The internal IP to be used for the private service connect."
+  type        = string
+}
+
+variable "forwarding_rule_target" {
+  description = "Target resource to receive the matched traffic. Only `all-apis` and `vpc-sc` are valid."
+  type        = string
+
+  validation {
+    condition     = var.forwarding_rule_target == "all-apis" || var.forwarding_rule_target == "vpc-sc"
+    error_message = "For forwarding_rule_target only `all-apis` and `vpc-sc` are valid."
+  }
+}