Merge pull request #81 from GoogleCloudPlatform/PM-Q1-2025

Q1 2025 - includes 

- NCC (VPC as a Spoke)
- Vertex AI Workbench
- App Engine
   - Standard Environment
   - Flexible Environment
- Load Balancers
   - External Application 
- Alloy DB 
   - Click to deploy
   - Support for PSC
 - MIG as a Consumer
- Other fixes and patches

Author: mamgainparas

README.md

@@ -20,7 +20,7 @@ The project is structured into the following folders:
           ├── bootstrap.tfvars
           ├── organization.tfvars
           ├── networking.tfvars
-          ├── networking-manual.tfvars
+          ├── producer-connectivity.tfvars
           ├── producer
               ├── alloydb
               ├── cloudsql
@@ -30,20 +30,33 @@ The project is structured into the following folders:
               └── mrc
           ├── consumer
               ├── cloudrun
-              └── gce
-          └── security
+              ├── gce
+              ├── mig
+              ├── workbench
+              ├── severless
+                ├── appengine
+                    ├── flexible
+                    ├── standard
+                ├── cloudrun
+                    ├── job
+                    ├── service
+                ├── vpcaccessconnector
+          ├──security
               ├── alloydb.tfvars
               ├── cloudsql.tfvars
               ├── gce.tfvars
-              └── mrc.tfvars
+              ├── mig.tfvars
+              ├── mrc.tfvars
+              └── workbench.tfvars
       ├──execution
           ├── 00-bootstrap
           ├── 01-organization
           ├── 02-networking
           ├── 03-security
           ├── 04-producer
-          ├── 05-networking-manual
-          └── 06-consumer
+          ├── 05-producer-connectivity
+          ├── 06-consumer
+          └── 07-consumer-load-balancing
       └──modules
           ├── net-vpc
           └── psc_forwarding_rule
@@ -59,8 +72,9 @@ The project is structured into the following folders:
   * `02-networking`: Manages VPCs, subnets, Cloud HA VPN and other core networking components like PSA, SCP, Cloud NAT.
   * `03-security`:  Configures firewalls and other security measures.
   * `04-producer`: Implements producer services like AlloyDB, Memorystore for Redis clusters, and Cloud SQL.
-  * `05-networking-manual`: Implements networking services like Private Service Connectivity.
-  * `06-consumer`: Implements consumer services like Google Compute Engine instances.
+  * `05-producer-connectivity`: Implements networking services like Private Service Connectivity.
+  * `06-consumer`: Implements consumer services like Google Compute Engine instances, Cloud Run, Workbench, AppEngine and Managed Instance Groups.
+  * `07-consumer-load-balancing`: Implements load balancing services.
 
 * `modules`: contains reusable Terraform modules.
 

configuration/README.md

@@ -12,6 +12,7 @@ This directory serves as a centralized repository for all Terraform configuratio
     - MRC (mrc.tfvars)
     - Cloud SQL (sql.tfvars)
     - GCE (gce.tfvars)
+    - Workbench (workbench.tfvars)
 - 04-producer stage
     - AlloyDB
       - alloydb.tfvars
@@ -37,21 +38,47 @@ This directory serves as a centralized repository for all Terraform configuratio
       - vertex-ai-online-endpoints.tfvars
       - config
         - endpoint.yaml.example
-- 05-networking-manual stage (networking-manual.tfvars)
+- 05-producer-connectivity stage (producer-connectivity.tfvars)
 - 06-consumer stage
   - GCE
         - gce.tfvars
         - config
           - instance.yaml.example
-  - CloudRun
-    - Job
-      - cloudrunjob.tfvars
-      - config
+  - MIG
+    - mig.tfvars
+    - config
+      - instance.yaml.example
+  - Serverless
+    - AppEngine
+      - Flexible
+        - appengineflexible.tfvars
+        - config
+          - instance1.yaml.example
+      - Standard
+        - appenginestandard.tfvars
+        - config
+          - instance1.yaml.example
+    - CloudRun
+      - Job
+        - cloudrunjob.tfvars
+        - config
           - instance.yaml.example
-    - Service
-      - cloudrunservice.tfvars
-      - config
+      - Service
+        - cloudrunservice.tfvars
+        - config
           - instance.yaml.example
+    - VPCAccessConnector
+  - Workbench
+    - config
+      - instance-lite.yaml.example
+      - instance-expanded.yaml.example
+- 07-consumer-load-balancing stage
+  - Application
+    - External
+      - external-application.tfvars
+      - config
+        - instance1.yaml.example
+        - instance2.yaml.example
 
 
 # Usage
@@ -95,15 +122,15 @@ This would run the terraform plan based on the values for the variables declared
 **Example usage**
 
 ```
-bootstrap_project_id                  = "test-bootstrap-project"
-network_hostproject_id                = "host-project-id"
-network_serviceproject_id             = "consumer-project-id"
-organization_stage_administrator      = ["example@example.com"]
-networking_stage_administrator        = ["example@example.com"]
-security_stage_administrator          = ["example@example.com"]
-producer_stage_administrator          = ["example@example.com"]
-networking_manual_stage_administrator = ["example@example.com"]
-consumer_stage_administrator          = ["example@example.com"]
+bootstrap_project_id                      = "test-bootstrap-project"
+network_hostproject_id                    = "host-project-id"
+network_serviceproject_id                 = "consumer-project-id"
+organization_stage_administrator          = ["example@example.com"]
+networking_stage_administrator            = ["example@example.com"]
+security_stage_administrator              = ["example@example.com"]
+producer_stage_administrator              = ["example@example.com"]
+producer_connectivity_stage_administrator = ["example@example.com"]
+consumer_stage_administrator              = ["example@example.com"]
 ```
 
 ## 01-organization
@@ -124,6 +151,12 @@ consumer_stage_administrator          = ["example@example.com"]
         "aiplatform.googleapis.com",
         "container.googleapis.com",
         "run.googleapis.com",
+        "appengine.googleapis.com",
+        "cloudbuild.googleapis.com",
+        "cloudresourcemanager.googleapis.com",
+        "artifactregistry.googleapis.com",
+        "notebooks.googleapis.com",
+        "vpcaccess.googleapis.com",
       ],
     },
   }
@@ -200,41 +233,81 @@ egress_rules = {
 
 Producer specific configuration examples can be found under the `/config` folder of that specific producer. Such as for AlloyDB, the example would be in the folder `configuration/producer/AlloyDB/config/instance.yaml.example`.
 
-## 05-networking-manual (networking-manual.tfvars)
-
-Defined using `psc_endpoints` which is a list of PSC endpoint configurations consisting of:
-
-1. `endpoint_project_id` : Consumer project ID (where the forwarding rule is created).
-
-2. `producer_instance_project_id` : Project where the producer service such as Cloud SQL is created.
+## 05-producer-connectivity (producer-connectivity.tfvars)
 
-2. `producer_instance_name` : Name of the producer service instance.
+The `producer-connectivity.tfvars` file defines configurations for Private Service Connect (PSC) endpoints. These endpoints enable connectivity between consumer and producer services, such as Cloud SQL, AlloyDB, or other targets.
 
-3. `subnetwork_name` : this variable names the specific subnetwork within your Virtual Private Cloud (VPC) network from which the internal IP address for the PSC connection will be allocated.
+### Key Variables
 
-4. `network_name` : VPC network for the forwarding rule which hosts the subnetwork mentioned above.
+1. `endpoint_project_id`: Consumer project ID where the forwarding rule is created.
+2. `producer_instance_project_id`: Project where the producer service (e.g., Cloud SQL, AlloyDB) is created.
+3. `subnetwork_name`: Name of the subnetwork within the VPC network from which the internal IP address for the PSC connection will be allocated.
+4. `network_name`: VPC network hosting the subnetwork mentioned above.
+5. `ip_address_literal`: **(Optional)** Specific internal IP address for the PSC connection. Leave null for automatic allocation.
+6. `region`: Region where the PSC endpoint is created.
+7. `producer_cloudsql`: **(Optional)** Configuration for Cloud SQL instances. Includes:
+   - `instance_name`: Name of the Cloud SQL instance.
+8. `producer_alloydb`: **(Optional)** Configuration for AlloyDB instances. Includes:
+   - `instance_name`: Name of the AlloyDB instance.
+   - `cluster_id`: ID of the AlloyDB cluster.
+9. `target`: **(Optional)** Service attachment URL for other targets.
 
-5. `ip_address_literal` : **(Optional)** Specific internal IP, or leave null for automatic allocation.
+### Example Usage
 
-**Example Usage**
-
-```
+```hcl
 psc_endpoints = [
+  // Configuration for a PSC endpoint with a CloudSQL instance
   {
-    endpoint_project_id          = "endpoint-project-id"
-    producer_instance_project_id = "instance-project-id"
-    producer_instance_name       = "sql-1"
+    endpoint_project_id          = "your-endpoint-project-id"
+    producer_instance_project_id = "your-producer-instance-project-id"
     subnetwork_name              = "subnetwork-1"
     network_name                 = "network-1"
-    ip_address_literal           = "10.128.0.50"
+    ip_address_literal           = "10.128.0.26"
+    region                       = "us-central1"
+    producer_cloudsql = {
+      instance_name = "psc-instance-name"
+    }
   },
-  # Add more endpoint objects as needed
+  // Configuration for a PSC endpoint with an AlloyDB instance
+  {
+    endpoint_project_id          = "your-endpoint-project-id"
+    producer_instance_project_id = "your-producer-instance-project-id"
+    subnetwork_name              = "subnetwork-2"
+    network_name                 = "network-2"
+    ip_address_literal           = "10.128.0.27"
+    region                       = "us-central2"
+    producer_alloydb = {
+      instance_name = "your-alloydb-instance-name"
+      cluster_id    = "your-cluster-id"
+    }
+  },
+  // Configuration for a PSC endpoint with a target
+  {
+    endpoint_project_id          = "your-endpoint-project-id"
+    producer_instance_project_id = "your-producer-instance-project-id"
+    subnetwork_name              = "subnetwork-3"
+    network_name                 = "network-3"
+    ip_address_literal           = "10.0.0.10"
+    region                       = "us-central1"
+    target                       = "projects/your-project-id/regions/us-central1/serviceAttachments/your-service-attachment-id"
+  }
 ]
 ```
 
+### Notes
+
+- **Cloud SQL Configuration**: Use the `producer_cloudsql` block to specify the Cloud SQL instance name.
+- **AlloyDB Configuration**: Use the `producer_alloydb` block to specify the AlloyDB instance name and cluster ID.
+- **Target Configuration**: Use the `target` field to specify the service attachment URL for other targets.
+- Ensure that the `region` field is specified for all PSC endpoints to avoid deployment issues.
+
 ## 06-consumer
 
-Consumer specific configuration examples can be found under the `/config` folder of that specific consumer. Such as for GCE, the example would be in the folder `configuration/consumer/GCE/config/instance.yaml.example`.
+Consumer specific configuration examples can be found under the `/config` folder of that specific consumer. Such as for GCE, the example would be in the folder `configuration/consumer/GCE/config/`.
+
+## 07-consumer-load-balancing
+
+Consumer load balancing specific configuration examples can be found under the `/config` folder of that specific load balancer. Such as for Application External Load Balancer, the example would be in the folder `configuration/consumer-load-balancing/Application/External/config/`.
 
 ## Considerations
 

configuration/bootstrap.tfvars

@@ -13,7 +13,12 @@ producer_alloydb_administrator  = ["user:user-example@example.com"]
 producer_vertex_administrator   = ["user:user-example@example.com"]
 producer_mrc_administrator      = ["user:user-example@example.com"]
 
-networking_manual_administrator = ["user:user-example@example.com"]
+producer_connectivity_administrator = ["user:user-example@example.com"]
 
-consumer_gce_administrator      = ["user:user-example@example.com"]
-consumer_cloudrun_administrator = ["user:user-example@example.com"]
+consumer_gce_administrator           = ["user:user-example@example.com"]
+consumer_cloudrun_administrator      = ["user:user-example@example.com"]
+consumer_workbench_administrator     = ["user:workbench-user-example@example.com"]
+consumer_mig_administrator           = ["user:mig-user-example@example.com"]
+consumer_vpc_connector_administrator = ["user:user-example@example.com"]
+consumer_appengine_administrator     = ["user:user-example@example.com"]
+consumer_load_balacing_administrator = ["user:user-example@example.com"]

configuration/consumer-load-balancing/Application/External/config/instance1.yaml.example

@@ -0,0 +1,19 @@
+name: <load-balancer-name>
+project: <project-id>
+network: <network-name>
+backends:
+  default:
+    protocol: "HTTP"
+    port: 80
+    port_name: "http"
+    timeout_sec: 30
+    enable_cdn: false
+    health_check:
+      request_path: "/healthz"
+      port: 80
+    log_config:
+      enable: true
+      sample_rate: 0.5
+    groups:
+      - group: <instance-group-name>
+        region : <region>

configuration/consumer-load-balancing/Application/External/config/instance2.yaml.example

@@ -0,0 +1,8 @@
+name: <load-balancer-name>
+project: <project-id>
+network: <network-name>
+backends:
+  default:
+    groups:
+      - group: <instance-group-name>
+        region: <region>

configuration/consumer-load-balancing/Application/External/external-application-lb.tfvars

@@ -0,0 +1,2 @@
+#Location of YAML files holding LB configuration values.
+config_folder_path = "../../../../configuration/consumer-load-balancing/Application/External/config/"

configuration/consumer/CloudRun/Job/cloudrunjob.tfvars

@@ -0,0 +1,6 @@
+name: minimal-mig
+project_id: <project-id>
+location: <region> E.g. : us-central1
+zone : <zone> E.g. : us-central1-a
+vpc_name : <network-name>
+subnetwork_name : <subnetwork-name>

configuration/consumer/CloudRun/Service/cloudrunservice.tfvars

@@ -0,0 +1,2 @@
+#Location of YAML files holding GCE configuration values.
+config_folder_path = "../../../configuration/consumer/MIG/config/"