apigee / terraform-modules

Terraform modules and ready to use end-to-end examples for Apigee.
Apache License 2.0

nb-psc-l7ilb: support passing in subnet #147

Open derhally opened 7 months ago

derhally commented 7 months ago

The PSC internal load balancer module creates a subnet, but there are scenarios where subnets are provisioned ahead of time by the team that manages the network.

For example, our org heavily relies on shared VPCs and the networking team provisions the subnets for the dev teams, and from my understanding, only one regional managed proxy subnet can be active in a given region for a VPC.

It would be nice to support passing in a subnet for the proxy and skip the creation of it.

danistrebel commented 7 months ago

Hi @derhally , thanks for the input. Certainly understand the flexibility that you're asking for.

@g-greatdevaks created the module so I'll let him chip in. From what I saw in this specific case the module doesn't even use the created subnet but the one passed in via the module param: https://github.com/apigee/terraform-modules/blob/main/modules/nb-psc-l7ilb/main.tf#L79.

In this case just commenting out the network resources on the module should do the trick for you.

I'm leaving this open to consider a clean up and implement more modular defaults.

g-greatdevaks commented 7 months ago

Thanks for raising the issue. As Daniel pointed out, the module is flexible enough to take the subnet either from the subnet resource or from the module param/variable.

I believe some usage documentation should be added to provide clarity on the same with some examples of passing subnet link(s). One example is shown here.

Will take the documentation task for this issue and update here once done.

Will have some clean up performed with tweaking the module a bit as well.

derhally commented 7 months ago

@g-greatdevaks I'm specifically referring to the resource `google_compute_subnetwork.proxy_subnet`, not the subnet being used with the `google_compute_forwarding_rule`.

edit:

There are two issues I see, which I apologize for not making clear in the issue.

  1. This module assumes the VPC is in the same project as the backend service, which won't be the case with a shared VPC setup.

  2. In a shared VPC setup, the dev team may not have permissions to create proxy subnets. E.g., in our org, network management is handled by the platform team. Dev teams can't create new subnets.
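The pattern requested in this thread, written here as an added example rather than the nb-psc-l7ilb module's own code: the regional managed proxy subnet is created only when no existing one is supplied, and the subnet resource targets the network (host) project instead of the backend service project. The variable and local names (`proxy_subnet_self_link`, `network_project_id`, `network_name`) are assumptions, not module inputs.

```hcl
# Added example, not part of the apigee/terraform-modules repository.
# Lets a team without subnet-create rights in a Shared VPC host project
# reference a proxy subnet provisioned by the network team, while keeping
# in-module creation as the default for single-project setups.

variable "network_project_id" {
  description = "Project that owns the VPC (the host project in a Shared VPC setup)."
  type        = string
}

variable "network_name" {
  description = "Name of the VPC network in network_project_id."
  type        = string
}

variable "region" {
  type = string
}

variable "proxy_subnet_self_link" {
  description = "Self link of an existing REGIONAL_MANAGED_PROXY subnet. Leave null to create one."
  type        = string
  default     = null
}

variable "proxy_subnet_cidr" {
  description = "CIDR for the proxy subnet, used only when one is created here."
  type        = string
  default     = "10.129.0.0/23" # placeholder range, adjust to the network plan
}

# Created only when the caller did not pass an existing proxy subnet.
resource "google_compute_subnetwork" "proxy_subnet" {
  count         = var.proxy_subnet_self_link == null ? 1 : 0
  name          = "${var.network_name}-proxy-${var.region}"
  project       = var.network_project_id # host project, not the backend project
  region        = var.region
  network       = var.network_name
  ip_cidr_range = var.proxy_subnet_cidr
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"
}

locals {
  # Resolves to the passed-in subnet, or the created one; one() yields null
  # for the empty tuple so coalesce picks whichever is present.
  proxy_subnet_self_link = coalesce(
    var.proxy_subnet_self_link,
    one(google_compute_subnetwork.proxy_subnet[*].self_link),
  )
}
```

Downstream resources consume `local.proxy_subnet_self_link`, so a caller with only `compute.networkUser` on the host project can run the module without any subnet-create permission.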