terraform-google-modules · sid-occrp · Jul 2, 2024 · Jul 8, 2024 · Jul 10, 2024 · Jul 16, 2024
@@ -25,6 +25,22 @@ locals {
   }
 }
 
+module "network-auto-psc" {
+  source  = "terraform-google-modules/network/google"
+  version = "~> 9.0"
+
+  project_id   = var.project_id
+  network_name = "your_network_name"
-  network_name = "your_network_name"
+  network_name = "sample-network"
-  network_name = "your_network_name"
+  network_name = "sample-network"
+
+  subnets = [
+    {
+      subnet_name   = "your-subnet"
+      subnet_ip     = "10.4.0.0/16"
+      subnet_region = "us-central1"
+    }
+  ]
+}
+
 module "pg" {
   source  = "terraform-google-modules/sql-db/google//modules/postgresql"
   version = "~> 21.0"
@@ -86,6 +102,12 @@ module "pg" {
     },
   ]
 
+  psc_consumer = {
+    enabled    = true
+    subnet_id  = module.network-auto-psc.subnets_ids[0]
+    network_id = module.network-auto-psc.network_id
+  }
+
   db_name      = var.pg_psc_name
   db_charset   = "UTF8"
   db_collation = "en_US.UTF8"

@@ -159,6 +159,7 @@ module "pg" {
 | password\_validation\_policy\_config | The password validation policy settings for the database instance. | <pre>object({<br>    min_length                  = optional(number)<br>    complexity                  = optional(string)<br>    reuse_interval              = optional(number)<br>    disallow_username_substring = optional(bool)<br>    password_change_interval    = optional(string)<br>  })</pre> | `null` | no |
 | pricing\_plan | The pricing plan for the Cloud SQL instance. | `string` | `"PER_USE"` | no |
 | project\_id | The project ID to manage the Cloud SQL resources | `string` | n/a | yes |
+| psc\_consumer | The psc consumer to be created on the same project as the SQL instance(s). Remember to add the project under psc\_allowed\_consumer\_projects in the ip\_configuration block. | <pre>object({<br>    subnet_id               = optional(string, "")<br>    network_id              = optional(string, "")<br>    enabled                 = optional(bool, false)<br>    allow_psc_global_access = optional(bool, false)<br>  })</pre> | `{}` | no |
 | random\_instance\_name | Sets random suffix at the end of the Cloud SQL resource name | `bool` | `false` | no |
 | read\_replica\_deletion\_protection | Used to block Terraform from deleting replica SQL Instances. | `bool` | `false` | no |
 | read\_replica\_deletion\_protection\_enabled | Enables protection of replica instance from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). | `bool` | `false` | no |

@@ -44,7 +44,12 @@ locals {
   // Force the usage of connector_enforcement
   connector_enforcement = var.connector_enforcement ? "REQUIRED" : "NOT_REQUIRED"
 
+
+  psc_consumers = var.psc_consumer.enabled ? { for instance in concat([google_sql_database_instance.default], values(google_sql_database_instance.replicas)) : instance.name => instance } : {}
+
+
   database_name = var.enable_default_db ? google_sql_database.default[0].name : (length(local.databases) > 0 ? google_sql_database.additional_databases[0].name : "")
+
 }
 
 resource "random_id" "suffix" {
@@ -320,15 +325,62 @@ resource "google_sql_user" "iam_account" {
   deletion_policy = var.user_deletion_policy
 }
 
+
+resource "google_compute_address" "psc_ilb_consumer_address" {
+  for_each     = local.psc_consumers
+  region       = var.region
+  name         = each.value.name
+  subnetwork   = var.psc_consumer.subnet_id
+  address_type = "INTERNAL"
+}
+
+resource "google_compute_forwarding_rule" "psc_ilb_consumer" {
+  for_each                = local.psc_consumers
+  region                  = var.region
+  name                    = each.value.name
+  target                  = each.value.psc_service_attachment_link
+  load_balancing_scheme   = ""
+  network                 = var.psc_consumer.network_id
+  subnetwork              = var.psc_consumer.subnet_id
+  allow_psc_global_access = var.psc_consumer.allow_psc_global_access
+  ip_address              = google_compute_address.psc_ilb_consumer_address[each.value.name].id
+}
+
+resource "google_dns_managed_zone" "psc_dns_zone" {
+  for_each   = local.psc_consumers
+  name       = each.value.name
+  dns_name   = each.value.dns_name
+  visibility = "private"
+  private_visibility_config {
+    networks {
+      network_url = var.psc_consumer.network_id
+    }
+  }
+}
+
+resource "google_dns_record_set" "a" {
+  for_each     = local.psc_consumers
+  name         = each.value.dns_name
+  managed_zone = google_dns_managed_zone.psc_dns_zone[each.value.name].name
+  type         = "A"
+  ttl          = 300
+  rrdatas      = [google_compute_address.psc_ilb_consumer_address[each.value.name].address]
+}
+
+
+
 resource "google_project_iam_member" "database_integration" {
   for_each = toset(var.database_integration_roles)
   project  = var.project_id
   role     = each.value
   member   = "serviceAccount:${google_sql_database_instance.default.service_account_email_address}"
 }
 
+
 resource "null_resource" "module_depends_on" {
   triggers = {
     value = length(var.module_depends_on)
   }
 }
+
+
@@ -440,6 +440,25 @@ variable "data_cache_enabled" {
   default     = false
 }
 
+
+variable "psc_consumer" {
+  description = "The psc consumer to be created on the same project as the SQL instance(s). Remember to add the project under psc_allowed_consumer_projects in the ip_configuration block."
+  type = object({
+    subnet_id               = optional(string, "")
+    network_id              = optional(string, "")
+    enabled                 = optional(bool, false)
+    allow_psc_global_access = optional(bool, false)
+  })
+
+  default = {}
+
+  validation {
+    condition     = (!var.psc_consumer.enabled || (var.psc_consumer.network_id != "" && var.psc_consumer.subnet_id != ""))
+    error_message = "In order to use the psc_consumer submodule you must specify both network and subnet id"
+  }
+}
+
+
 variable "enable_google_ml_integration" {
   description = "Enable database ML integration"
   type        = bool
@@ -451,3 +470,4 @@ variable "database_integration_roles" {
   type        = list(string)
   default     = []
 }
+
@@ -22,6 +22,7 @@ locals {
     "roles/cloudsql.admin",
     "roles/compute.admin",
     "roles/compute.networkAdmin",
+    "roles/dns.admin",
     "roles/iam.serviceAccountAdmin",
     "roles/iam.serviceAccountUser",
     "roles/monitoring.editor",

@@ -35,6 +35,7 @@ module "project" {
     "serviceusage.googleapis.com",
     "sqladmin.googleapis.com",
     "workflows.googleapis.com",
+    "dns.googleapis.com",
   ]
 }