Apigee southbound PSC

Author: danistrebel

README.md

@@ -12,7 +12,8 @@ Currently the following modules are a available and can be used either as part o
 * [Apigee X mTLS MIG](modules/apigee-x-mtls-mig) Configures a managed instance group of Envoy proxies that can be used to terminate mutual TLS and forward traffic to the internal Apigee X endpoint.
 * [L7 external LB for MIG](modules/mig-l7xlb) Configures an external HTTPS Cloud Load Balancer that fronts a managed instance groups.
 * [Routing Appliance](modules/routing-appliance) Configures a routing appliance and custom routes to overcome transitive peering problems.
-* [HTTPbin Development Backend](modules/httpbin-development-backend) Configures an example HTTP backend based on a locally hosted httpbin.org service and an internal load balancer.
+* [Southbound PSC Backend](modules/sb-psc-attachment) Private Service Connect (PSC) service attachment and Apigee endpoint attachment.
+* [Development Backend](modules/development-backend) Configures an example HTTP backend and an internal load balancer.
 * [NIP.io Development Hostname](modules/nip-development-hostname) Configures an external IP address and hostname based on the IP and the nip.io mechanism as well as a Google-managed SSL certificate.
 
 ## Deploying End-To-End Samples
@@ -27,6 +28,7 @@ Select one of the available sample deployments:
 
 * [X Basic](samples/x-basic) for a basic Apigee X setup with the raw instance endpoints exposed as internal IP addresses.
 * [X with external L7 LB](samples/x-l7xlb) for an Apigee X setup that is exposed via a global external L7 load balancer.
+* [X with southbound PSC (Preview)](samples/x-sb-psc) for an Apigee X setup that uses Private Service Connect (PSC) to connect to a backend service in another VPC.
 * [X with internal L4 LB and mTLS](samples/x-ilb-mtls) for a basic Apigee X setup plus exposure via regional L4 load balancer and envoy proxy to terminate mTLS.
 * [X with network appliance for transitive peering](samples/x-transitive-peering) for an Apigee X organization that is peered to a network is transitively peered to another VPC that contains the backend.
 To deploy the sample, first create a copy of the example variables and edit according to your requirements.

modules/apigee-x-core/outputs.tf

@@ -20,3 +20,8 @@ output "instance_endpoints" {
     for name, instance in module.apigee-x-instance : name => instance.endpoint
   })
 }
+
+output "org_id" {
+  description = "Apigee Organization ID"
+  value       = module.apigee.org_id
+}

modules/httpbin-development-backend/README.md renamed to modules/development-backend/README.md

@@ -24,18 +24,18 @@ module "demo-backend-template" {
   network_interfaces = [{
     network    = var.network,
     subnetwork = var.subnet
-    nat        = true
+    nat        = false
     addresses  = null
     alias_ips  = null
   }]
   boot_disk = {
-    image = "projects/cos-cloud/global/images/family/cos-stable"
+    image = "projects/debian-cloud/global/images/family/debian-10"
     type  = "pd-standard"
     size  = 10
   }
   create_template = true
   metadata = {
-    startup-script = "docker run -p 80:80 kennethreitz/httpbin"
+    startup-script = "sudo mkdir -p /var/www && cd /var/www && echo 'hello from demo' > index.html && python3 -m http.server 80"
   }
   service_account_create = true
   service_account_scopes = ["cloud-platform"]

modules/httpbin-development-backend/main.tf renamed to modules/development-backend/main.tf

@@ -19,7 +19,12 @@ output "instance_group" {
   value       = module.demo-backend-mig.group_manager.instance_group
 }
 
-output "ilb_ip" {
+output "ilb_forwarding_rule_address" {
   description = "ILB forwarding rule IP address."
   value       = module.ilb-backend.forwarding_rule_address
 }
+
+output "ilb_forwarding_rule_self_link" {
+  description = "ILB forwarding rule self link."
+  value       = module.ilb-backend.forwarding_rule_self_link
+}

modules/httpbin-development-backend/outputs.tf renamed to modules/development-backend/outputs.tf

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_compute_service_attachment" "psc_service_attachment" {
+  name        = var.name
+  region      = var.region
+  project = var.project_id
+  description = "A service attachment to be used by Apigee"
+
+  enable_proxy_protocol = true
+  connection_preference = "ACCEPT_AUTOMATIC"
+  nat_subnets           = var.nat_subnets
+  target_service        = var.target_service
+}
+
+resource "google_apigee_endpoint_attachment" "endpoint_attachment" {
+  org_id                 = var.apigee_organization
+  endpoint_attachment_id = var.name
+  location               = var.region
+  service_attachment     = google_compute_service_attachment.psc_service_attachment.id
+}

modules/httpbin-development-backend/variables.tf renamed to modules/development-backend/variables.tf

@@ -0,0 +1,21 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "endpoint_attachment_host" {
+    description = "Host for the endpoint attachment to be used in Apigee."
+    value = google_apigee_endpoint_attachment.endpoint_attachment.host
+}
+

modules/httpbin-development-backend/versions.tf renamed to modules/development-backend/versions.tf

@@ -0,0 +1,45 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "Project id."
+  type        = string
+}
+
+variable "region" {
+  description = "GCP region where the service attachment should be created."
+  type        = string
+}
+
+variable "name" {
+  description = "Name for the service attachment."
+  type        = string
+}
+
+variable "nat_subnets" {
+  description = "One or more NAT subnets to be used for PSC."
+  type        = list(string)
+}
+
+variable "target_service" {
+  description = "Target Service for the service attachment e.g. a forwarding rule."
+  type        = string
+}
+
+variable "apigee_organization" {
+  description = "Apigee organization where the Endpoint Attachment should be added to."
+  type        = string
+}

modules/sb-psc-attachment/main.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.0.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 4.0.0"
+    }
+  }
+}

modules/sb-psc-attachment/outputs.tf

@@ -7,7 +7,7 @@ with the Apigee X service network.
 The private DNS Zone for the `internal.` domain contains the following
 A records:
 
-* **httpbin.internal** pointing at the ILB of the demo backend
+* **demo.internal** pointing at the ILB of the demo backend
 * **${ENV_GROUP_NAME}-api.internal** pointing at all Apigee instance endpoints
 
 ## Setup Instructions
@@ -27,7 +27,7 @@ for detailed instructions.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_apigee-x-core"></a> [apigee-x-core](#module\_apigee-x-core) | ../../modules/apigee-x-core | n/a |
-| <a name="module_backend-example"></a> [backend-example](#module\_backend-example) | ../../modules/httpbin-development-backend | n/a |
+| <a name="module_backend-example"></a> [backend-example](#module\_backend-example) | ../../modules/development-backend | n/a |
 | <a name="module_private-dns"></a> [private-dns](#module\_private-dns) | github.com/terraform-google-modules/cloud-foundation-fabric//modules/dns | v14.0.0 |
 | <a name="module_project"></a> [project](#module\_project) | github.com/terraform-google-modules/cloud-foundation-fabric//modules/project | v14.0.0 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc | v14.0.0 |

modules/sb-psc-attachment/variables.tf

@@ -67,7 +67,7 @@ module "apigee-x-core" {
 }
 
 module "backend-example" {
-  source     = "../../modules/httpbin-development-backend"
+  source     = "../../modules/development-backend"
   project_id = module.project.project_id
   name       = var.backend.name
   network    = module.vpc.self_link
@@ -83,7 +83,7 @@ module "private-dns" {
   domain          = var.dns.domain
   client_networks = [module.vpc.self_link]
   recordsets = merge(
-    { "A ${var.backend.name}" = { type = "A", ttl = 300, records = [module.backend-example.ilb_ip] } },
+    { "A ${var.backend.name}" = { type = "A", ttl = 300, records = [module.backend-example.ilb_forwarding_rule_address] } },
     { for eg_name in keys(var.apigee_envgroups) : "A ${eg_name}-api" => { type = "A", ttl = 300, records = values(module.apigee-x-core.instance_endpoints) } }
   )
 }

modules/sb-psc-attachment/versions.tf

@@ -34,7 +34,7 @@ apigee_instances = {
 }
 
 backend = {
-  name        = "httpbin"
+  name        = "demo"
   region      = "europe-west1"
   subnet      = "demo-backend"
   subnet_cidr = "10.100.0.0/24"

samples/x-dns-peering/README.md

@@ -0,0 +1,53 @@
+# Basic Apigee X Setup wih internal backend reached through PSC
+
+## Setup Instructions
+
+Please see the main [README](https://github.com/apigee/terraform-modules#deploying-end-to-end-samples)
+for detailed instructions.
+
+A successful run will print the endpoint attachment's host that you can then
+use for your target server in Apigee:
+
+```txt
+Outputs:
+
+psc_endpoint_attachment_host = "7.0.5.2"
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_apigee-x-core"></a> [apigee-x-core](#module\_apigee-x-core) | ../../modules/apigee-x-core | n/a |
+| <a name="module_project"></a> [project](#module\_project) | github.com/terraform-google-modules/cloud-foundation-fabric//modules/project | v14.0.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc | v14.0.0 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_apigee_envgroups"></a> [apigee\_envgroups](#input\_apigee\_envgroups) | Apigee Environment Groups. | <pre>map(object({<br>    environments = list(string)<br>    hostnames    = list(string)<br>  }))</pre> | `{}` | no |
+| <a name="input_apigee_environments"></a> [apigee\_environments](#input\_apigee\_environments) | List of Apigee Environment Names. | `list(string)` | `[]` | no |
+| <a name="input_apigee_instances"></a> [apigee\_instances](#input\_apigee\_instances) | Apigee Instances (only one instance for EVAL orgs). | <pre>map(object({<br>    region       = string<br>    ip_range     = string<br>    environments = list(string)<br>  }))</pre> | `{}` | no |
+| <a name="input_ax_region"></a> [ax\_region](#input\_ax\_region) | GCP region for storing Apigee analytics data (see https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli). | `string` | n/a | yes |
+| <a name="input_billing_account"></a> [billing\_account](#input\_billing\_account) | Billing account id. | `string` | `null` | no |
+| <a name="input_network"></a> [network](#input\_network) | Name of the VPC network to peer with the Apigee tennant project. | `string` | n/a | yes |
+| <a name="input_peering_range"></a> [peering\_range](#input\_peering\_range) | Service Peering CIDR range. | `string` | n/a | yes |
+| <a name="input_project_create"></a> [project\_create](#input\_project\_create) | Create project. When set to false, uses a data source to reference existing project. | `bool` | `false` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project id (also used for the Apigee Organization). | `string` | n/a | yes |
+| <a name="input_project_parent"></a> [project\_parent](#input\_project\_parent) | Parent folder or organization in 'folders/folder\_id' or 'organizations/org\_id' format. | `string` | `null` | no |
+| <a name="input_support_range"></a> [support\_range](#input\_support\_range) | Support CIDR range of length /28 (required by Apigee for troubleshooting purposes). | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

samples/x-dns-peering/main.tf

@@ -0,0 +1,88 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "project" {
+  source          = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/project?ref=v14.0.0"
+  name            = var.project_id
+  parent          = var.project_parent
+  billing_account = var.billing_account
+  project_create  = var.project_create
+  services = [
+    "apigee.googleapis.com",
+    "cloudkms.googleapis.com",
+    "compute.googleapis.com",
+    "servicenetworking.googleapis.com"
+  ]
+}
+
+module "vpc" {
+  source     = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc?ref=v14.0.0"
+  project_id = module.project.project_id
+  name       = var.network
+  subnets    = []
+  psa_ranges = {
+    apigee-range         = var.peering_range
+    apigee-support-range = var.support_range
+  }
+}
+
+module "apigee-x-core" {
+  source              = "../../modules/apigee-x-core"
+  project_id          = module.project.project_id
+  apigee_environments = var.apigee_environments
+  ax_region           = var.ax_region
+  apigee_envgroups    = var.apigee_envgroups
+  network             = module.vpc.network.id
+  apigee_instances    = var.apigee_instances
+}
+
+module "backend-vpc" {
+  source     = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-vpc?ref=v14.0.0"
+  project_id = module.project.project_id
+  name       = var.backend_network
+  subnets = [
+    var.backend_subnet,
+  ]
+}
+
+module "backend-example" {
+  source     = "../../modules/development-backend"
+  project_id = module.project.project_id
+  name       = var.backend_name
+  network    = module.backend-vpc.network.id
+  subnet     = module.backend-vpc.subnet_self_links["${var.backend_subnet.region}/${var.backend_subnet.name}"]
+  region     = var.backend_region
+}
+
+resource "google_compute_subnetwork" "psc_nat_subnet" {
+  name   = var.backend_psc_nat_subnet.name
+  project = module.project.project_id
+  region = var.backend_region
+  network       = module.backend-vpc.network.id
+  ip_cidr_range = var.backend_psc_nat_subnet.ip_cidr_range
+  purpose       =  "PRIVATE_SERVICE_CONNECT"
+}
+
+
+module "southbound-psc" {
+  source     = "../../modules/sb-psc-attachment"
+  project_id = module.project.project_id
+  name       = var.psc_name
+  region     = var.backend_region
+  apigee_organization = module.apigee-x-core.org_id
+  nat_subnets = [google_compute_subnetwork.psc_nat_subnet.id]
+  target_service = module.backend-example.ilb_forwarding_rule_self_link
+}