feat(TPG >= 4.74)!: Added labels, update TPG and Terraform version re…

…quirements (#112)

README.md

@@ -12,7 +12,7 @@ If you want to deploy [HA VPN](https://cloud.google.com/vpn/docs/how-to/moving-t
 
 ## Compatibility
 
- This module is meant for use with Terraform 0.12. If you haven't [upgraded](https://www.terraform.io/upgrade-guides/0-12.html)
+ This module is meant for use with Terraform 1.3+. If you haven't [upgraded](https://developer.hashicorp.com/terraform/language/v1.3.x/upgrade-guides)
   and need a Terraform 0.11.x-compatible version of this module, the last released version intended for
   Terraform 0.11.x is [0.3.0](https://registry.terraform.io/modules/terraform-google-modules/vpn/google/0.3.0).
 
@@ -21,6 +21,7 @@ If you want to deploy [HA VPN](https://cloud.google.com/vpn/docs/how-to/moving-t
 The following guides are available to assist with upgrades:
 
 - [1.X -> 2.0](./docs/upgrading_to_vpn_v2.0.md)
+- [2.X -> 3.0](./docs/upgrading_to_vpn_v3.0.md)
 
 ## Usage
 
@@ -131,8 +132,8 @@ References the variable descriptions below to determine the right configuration.
 
 ## Requirements
 ### Terraform plugins
-- [Terraform](https://www.terraform.io/downloads.html) 0.12.x
-- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) plugin v1.8.0
+- [Terraform](https://www.terraform.io/downloads.html) 1.3+
+- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) plugin v4.64+
 
 ### Configure a Service Account
 In order to execute this module you must have a Service Account with the following roles:

build/int.cloudbuild.yaml

@@ -21,18 +21,44 @@ steps:
     - 'TF_VAR_org_id=$_ORG_ID'
     - 'TF_VAR_folder_id=$_FOLDER_ID'
     - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
-- id: create
+- id: single-tunnel-init
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
-- id: converge
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/single_tunnels --stage init --verbose']
+- id: single-tunnel-init-apply
+  waitFor:
+    - single-tunnel-init
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge']
-- id: verify
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/single_tunnels --stage apply --verbose']
+- id: single-tunnel-init-verify
+  waitFor:
+    - single-tunnel-init-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify']
-- id: destroy
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/single_tunnels --stage verify --verbose']
+- id: single-tunnel-init-teardown
+  waitFor:
+    - single-tunnel-init-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy']
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/single_tunnels --stage teardown --verbose']
+- id: vpn-ha-init
+  waitFor:
+    - single-tunnel-init-teardown
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestVpnHa --stage init --verbose']
+- id: vpn-ha-init-apply
+  waitFor:
+    - vpn-ha-init
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestVpnHa --stage apply --verbose']
+- id: vpn-ha-init-verify
+  waitFor:
+    - vpn-ha-init-apply
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestVpnHa --stage verify --verbose']
+- id: vpn-ha-init-teardown
+  waitFor:
+    - vpn-ha-init-verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestVpnHa --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

docs/upgrading_to_vpn_v3.0.md

@@ -0,0 +1,8 @@
+# Upgrading to v3.0.0
+
+The v3.0 release contains backwards-incompatible changes.
+
+This update requires upgrading the minimum provider version `4.64`.
+
+### [Terraform](https://www.terraform.io/downloads.html) >= 1.3.0 is required as `peer_external_gateway`, `router_advertise_config`, `tunnels` and its nested attributes and objects are made optional
+Since [optional attributes](https://developer.hashicorp.com/terraform/language/expressions/type-constraints#optional-object-type-attributes) is a version 1.3 feature, the configuration will fail if the pinned version is < 1.3..

examples/single_tunnels/variables.tf

@@ -20,6 +20,7 @@ variable "prod_project_id" {
 
 variable "prod_network" {
   type        = string
+  default     = "default"
   description = "The name of the production VPC to be created."
 }
 
@@ -30,6 +31,7 @@ variable "mgt_project_id" {
 
 variable "mgt_network" {
   type        = string
+  default     = "default"
   description = "The name of the management VPC to be created."
 }
 

examples/vpn_ha/outputs.tf

@@ -14,11 +14,29 @@
  * limitations under the License.
  */
 
+output "mgt_project_id" {
+  value = var.mgt_project_id
+}
+
 output "mgt_gateway_name" {
   description = "Mgt VPN gateway name."
   value       = module.vpn-ha-to-prod.name
 }
 
+output "mgt_tunnel_names" {
+  description = "Mgt VPN tunnel names."
+  value       = module.vpn-ha-to-prod.tunnel_names
+}
+
+output "mgt_tunnel_names_list" {
+  description = "Mgt VPN tunnel names list."
+  value       = [for x, y in module.vpn-ha-to-prod.tunnel_names : y]
+}
+
+output "prod_project_id" {
+  value = var.prod_project_id
+}
+
 output "prod_gateway_name" {
   description = "Prod VPN gateway name."
   value       = module.vpn-ha-to-mgmt.name
@@ -27,12 +45,14 @@ output "prod_gateway_name" {
 output "prod_tunnel_names" {
   description = "Prod VPN tunnel names."
   value       = module.vpn-ha-to-mgmt.tunnel_names
-  sensitive   = true
 }
 
-output "mgt_tunnel_names" {
-  description = "Mgt VPN tunnel names."
-  value       = module.vpn-ha-to-prod.tunnel_names
-  sensitive   = true
+output "prod_tunnel_names_list" {
+  description = "Prod VPN tunnel names list."
+  value       = [for x, y in module.vpn-ha-to-mgmt.tunnel_names : y]
 }
 
+output "region" {
+  description = "Region"
+  value       = var.region
+}

examples/vpn_ha/versions.tf

@@ -15,5 +15,5 @@
  */
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 1.3"
 }

modules/vpn_ha/README.md

@@ -132,20 +132,21 @@ module "vpn_ha" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | create\_vpn\_gateway | create a VPN gateway | `bool` | `true` | no |
+| external\_vpn\_gateway\_description | An optional description of external VPN Gateway | `string` | `"Terraform managed external VPN gateway"` | no |
 | keepalive\_interval | The interval in seconds between BGP keepalive messages that are sent to the peer. | `number` | `20` | no |
 | labels | Labels for vpn components | `map(string)` | `{}` | no |
 | name | VPN gateway name, and prefix used for dependent resources. | `string` | n/a | yes |
 | network | VPC used for the gateway and routes. | `string` | n/a | yes |
-| peer\_external\_gateway | Configuration of an external VPN gateway to which this VPN is connected. | <pre>object({<br>    name            = optional(string)<br>    redundancy_type = string<br>    interfaces = list(object({<br>      id         = number<br>      ip_address = string<br>    }))<br>  })</pre> | `null` | no |
+| peer\_external\_gateway | Configuration of an external VPN gateway to which this VPN is connected. | <pre>object({<br>    name            = optional(string)<br>    redundancy_type = optional(string)<br>    interfaces = list(object({<br>      id         = number<br>      ip_address = string<br>    }))<br>  })</pre> | `null` | no |
 | peer\_gcp\_gateway | Self Link URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. | `string` | `null` | no |
 | project\_id | Project where resources will be created. | `string` | n/a | yes |
 | region | Region used for resources. | `string` | n/a | yes |
 | route\_priority | Route priority, defaults to 1000. | `number` | `1000` | no |
-| router\_advertise\_config | Router custom advertisement configuration, ip\_ranges is a map of address ranges and descriptions. | <pre>object({<br>    groups    = list(string)<br>    ip_ranges = map(string)<br>    mode      = string<br>  })</pre> | `null` | no |
+| router\_advertise\_config | Router custom advertisement configuration, ip\_ranges is a map of address ranges and descriptions. | <pre>object({<br>    groups    = list(string)<br>    ip_ranges = map(string)<br>    mode      = optional(string)<br>  })</pre> | `null` | no |
 | router\_asn | Router ASN used for auto-created router. | `number` | `64514` | no |
 | router\_name | Name of router, leave blank to create one. | `string` | `""` | no |
 | stack\_type | The IP stack type will apply to all the tunnels associated with this VPN gateway. | `string` | `"IPV4_ONLY"` | no |
-| tunnels | VPN tunnel configurations, bgp\_peer\_options is usually null. | <pre>map(object({<br>    bgp_peer = object({<br>      address = string<br>      asn     = number<br>    })<br>    bgp_session_name = optional(string)<br>    bgp_peer_options = object({<br>      ip_address          = string<br>      advertise_groups    = list(string)<br>      advertise_ip_ranges = map(string)<br>      advertise_mode      = string<br>      route_priority      = number<br>    })<br>    bgp_session_range               = string<br>    ike_version                     = number<br>    vpn_gateway_interface           = number<br>    peer_external_gateway_interface = number<br>    shared_secret                   = string<br>  }))</pre> | `{}` | no |
+| tunnels | VPN tunnel configurations, bgp\_peer\_options is usually null. | <pre>map(object({<br>    bgp_peer = object({<br>      address = string<br>      asn     = number<br>    })<br>    bgp_session_name = optional(string)<br>    bgp_peer_options = optional(object({<br>      ip_address          = optional(string)<br>      advertise_groups    = optional(list(string))<br>      advertise_ip_ranges = optional(map(string))<br>      advertise_mode      = optional(string)<br>      route_priority      = optional(number)<br>    }))<br>    bgp_session_range               = optional(string)<br>    ike_version                     = optional(number)<br>    vpn_gateway_interface           = optional(number)<br>    peer_external_gateway_interface = optional(number)<br>    shared_secret                   = optional(string, "")<br>  }))</pre> | `{}` | no |
 | vpn\_gateway\_self\_link | self\_link of existing VPN gateway to be used for the vpn tunnel | `string` | `null` | no |
 
 ## Outputs

modules/vpn_ha/main.tf

@@ -51,7 +51,8 @@ resource "google_compute_external_vpn_gateway" "external_gateway" {
   name            = var.peer_external_gateway.name != null ? var.peer_external_gateway.name : "external-${var.name}"
   project         = var.project_id
   redundancy_type = var.peer_external_gateway.redundancy_type
-  description     = "Terraform managed external VPN gateway"
+  description     = var.external_vpn_gateway_description
+  labels          = var.labels
   dynamic "interface" {
     for_each = var.peer_external_gateway.interfaces
     content {

modules/vpn_ha/outputs.tf

@@ -59,7 +59,6 @@ output "tunnels" {
 
 output "tunnel_names" {
   description = "VPN tunnel names."
-  sensitive   = true
   value = {
     for name in keys(var.tunnels) :
     name => google_compute_vpn_tunnel.tunnels[name].name

modules/vpn_ha/variables.tf

@@ -18,7 +18,7 @@ variable "peer_external_gateway" {
   description = "Configuration of an external VPN gateway to which this VPN is connected."
   type = object({
     name            = optional(string)
-    redundancy_type = string
+    redundancy_type = optional(string)
     interfaces = list(object({
       id         = number
       ip_address = string
@@ -70,7 +70,7 @@ variable "router_advertise_config" {
   type = object({
     groups    = list(string)
     ip_ranges = map(string)
-    mode      = string
+    mode      = optional(string)
   })
   default = null
 }
@@ -101,18 +101,18 @@ variable "tunnels" {
       asn     = number
     })
     bgp_session_name = optional(string)
-    bgp_peer_options = object({
-      ip_address          = string
-      advertise_groups    = list(string)
-      advertise_ip_ranges = map(string)
-      advertise_mode      = string
-      route_priority      = number
-    })
-    bgp_session_range               = string
-    ike_version                     = number
-    vpn_gateway_interface           = number
-    peer_external_gateway_interface = number
-    shared_secret                   = string
+    bgp_peer_options = optional(object({
+      ip_address          = optional(string)
+      advertise_groups    = optional(list(string))
+      advertise_ip_ranges = optional(map(string))
+      advertise_mode      = optional(string)
+      route_priority      = optional(number)
+    }))
+    bgp_session_range               = optional(string)
+    ike_version                     = optional(number)
+    vpn_gateway_interface           = optional(number)
+    peer_external_gateway_interface = optional(number)
+    shared_secret                   = optional(string, "")
   }))
   default = {}
 }
@@ -134,3 +134,9 @@ variable "labels" {
   type        = map(string)
   default     = {}
 }
+
+variable "external_vpn_gateway_description" {
+  description = "An optional description of external VPN Gateway"
+  type        = string
+  default     = "Terraform managed external VPN gateway"
+}

modules/vpn_ha/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.30.0, < 5.0"
+      version = ">= 4.74, < 5.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.30.0, < 5.0"
+      version = ">= 4.74, < 5.0"
     }
     random = {
       source  = "hashicorp/random"