terraform-modules

nb-psc-l7ilb: support passing in subnet

Open derhally opened this issue 1 year ago • 3 comments

The psc internal load balancer module creates a subnet, but there are scenarios where subnets are provisioned ahead of time by the team that manages the network.

For example, our org heavily relies on shared VPCs and the networking team provisions the subnets for the dev teams, and from my understanding, only one regional managed proxy can be active in a given region for a VPC.

It would be nice to support passing in a subnet for the proxy and skip the creation of it.

derhally avatar Jan 17 '24 10:01 derhally

Hi @derhally, thanks for the input. Certainly understand the flexibility that you're asking for.

@g-greatdevaks created the module so I'll let him chip in. From what I saw in this specific case the module doesn't even use the created subnet but the one passed in via the module param: https://github.com/apigee/terraform-modules/blob/main/modules/nb-psc-l7ilb/main.tf#L79.

In this case just commenting out the network resources on the module should do the trick for you.

I'm leaving this open to consider a clean up and implement more modular defaults.

danistrebel avatar Jan 19 '24 15:01 danistrebel

Thanks for raising the issue. As Daniel pointed out, the module is flexible to take subnet from the subnet resource or from the module param/variable.

I believe some usage documentation should be added to provide clarity on the same with some examples of passing subnet link(s). One example is shown here.

Will take the documentation task for this issue and update here once done.

Will have some clean up performed with tweaking the module a bit as well.

g-greatdevaks avatar Jan 24 '24 09:01 g-greatdevaks

@g-greatdevaks I'm specifically referring to the resource `google_compute_subnetwork.proxy_subnet`, not the subnet being used with the `google_compute_forwarding_rule`.

edit:

There are two issues I see, which I apologize for not making clear in the issue.

  1. This module assumes the VPC is in the same project as the backend service, which won't be the case with a shared VPC setup.

  2. In a shared VPC setup, the dev team may not have permissions to create proxy subnets. E.g., in our org, network management is handled by the platform team. Dev teams can't create new subnets.

derhally avatar Jan 24 '24 11:01 derhally
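
The change requested in this thread, sketched as an added example (not code from the apigee/terraform-modules repository): the proxy-only subnet becomes optional and is created in the VPC's host project rather than the service project. The variable names `network_project_id`, `create_proxy_subnet` and `proxy_subnet_cidr` are hypothetical, not the module's actual inputs.

```hcl
# Hypothetical inputs; only the google_compute_subnetwork arguments are real provider fields.
variable "project_id" { type = string } # service project holding the backend service
variable "network" { type = string }    # self link of the (shared) VPC
variable "region" { type = string }

variable "network_project_id" {
  description = "Shared VPC host project. Defaults to project_id when the VPC is local."
  type        = string
  default     = null
}

variable "create_proxy_subnet" {
  description = "Set to false when the network team has already provisioned the proxy-only subnet."
  type        = bool
  default     = true
}

variable "proxy_subnet_cidr" {
  type    = string
  default = null
}

locals {
  # Issue 1 in the thread: the VPC may live in a different project than the backend service.
  network_project = coalesce(var.network_project_id, var.project_id)
}

resource "google_compute_subnetwork" "proxy_subnet" {
  # Issue 2: with count = 0 the caller needs no subnet-creation rights on the host project.
  count         = var.create_proxy_subnet ? 1 : 0
  project       = local.network_project
  name          = "proxy-only-${var.region}"
  region        = var.region
  network       = var.network
  ip_cidr_range = var.proxy_subnet_cidr
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"

  lifecycle {
    precondition {
      condition     = var.proxy_subnet_cidr != null
      error_message = "proxy_subnet_cidr is required when create_proxy_subnet is true."
    }
  }
}
```

With `create_proxy_subnet = false`, the dev team's Terraform identity only needs rights in the service project, and subnet management stays with the platform team that owns the host project.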