在 Deployment Manager 中使用 'gcloud services vpc-peerings connect'

Question

我正在 .jinja 中设置部署管理器包，它执行以下操作： - 为 GCP 服务创建 VPC 网络、子网和专用范围 - 在 'servicenetworking.googleapis.com' 和我的 VPC 网络之间创建对等互连 - 将云 SQL 数据库分配到分配给我的 VPC

中的 google 服务的专用范围

事实证明，部署管理器无法执行第二步，因为没有可调用的操作来执行此操作。我已确认在此阶段手动修复是调用以下 gcloud 命令，然后在 VPC 中设置 Cloud SQL 数据库：

gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges=<my-range> --network=<my-network> --project=<my-project>

在我的 .jinja 中使用以下 gcp 类型是不够的，因为它不允许映射到预先存在的 gcp 服务，但需要源和目标网络。

- name: {{ env['deployment' ]}}-gcp-private-vpc-peering
  action: gcp-types/compute-v1:compute.networks.addPeering
  metadata:
    runtimePolicy:
    - CREATE
  properties:
    network: $(ref.{{ env['deployment']}}-network.name)
    name: {{ env['deployment' ]}}-gcp-private-vpc-peering
    autoCreateRoutes: true
    peerNetwork: servicenetworking.googleapis.com
    dependsOn:
    - $(ref.{{ env['deployment']}}-network.selfLink)

有没有办法从部署管理器调用 gcloud 命令，或者我可以调用一个操作来实现服务对等。我可以确认服务 API 确实已在项目上启用。

（请注意，目标 VPC 和项目是可变的，由 Google 分配，因此我无法将此值输入到上述模板中）

---

更新 05/07/19 我相信我已经找到了我需要执行的 API 服务调用，但是我非常不确定实际调用以从部署管理器创建服务 link 的语法：

https://cloud.google.com/service-infrastructure/docs/service-networking/reference/rest/v1beta/services.connections/create

需要一些指导 - 类似于下面的内容？

- name: {{ env['deployment' ]}}-gcp-private-vpc-peering
  action:  gcp-types/servicenetworking.googleapis.com:services.connections
  metadata:
    runtimePolicy:
    - CREATE
  properties:
    propertyA: valueA
    ...

Answer 1

创建对等互连所需的唯一参数是 "network" 和 "reservedPeeringRanges"。这是他们两个的语法 网络："projects/{project}/global/networks/{network}" 保留对等范围："x.x.x.x/x" 我认为您可能在网络中遗漏了一些变量。我使用 API 对其进行了测试，它没有问题。

Answer 2

@u-phoria

你是对的 - 这是他们目前正在准备的东西。

我为此向他们提出了产品改进票，可以在这里看到：

---

云 SQL 的私有 VPC 对等互连不受部署管理器支持。 这导致需要从相关 VPC 中升级的特权 VM 实例进行 VPC 对等，因为这是最安全的选项 （2019 年 7 月 9 日更新） https://issuetracker.google.com/137033144

执行此操作所需的资源示例如下所示：

{# Bootstrapped box to complete the VPC Peering Setup #}
- name: {{ env['deployment'] }}-peering-setup
  type: compute.v1.instance
  properties:

    {# Checking whether the creation of new resources are specified #}
    {% if properties['createNewResources'] %}
    zone: {{ properties["zone"] }}
    machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/f1-micro
    networkInterfaces:
    - network: $(ref.{{ env['deployment']}}-network.selfLink)
      subnetwork: $(ref.{{ env['deployment']}}-subnetwork.selfLink)
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
    {% else %}
    zone: {{ common.ZONES[0] }}
    machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ common.ZONES[0] }}/machineTypes/f1-micro
    networkInterfaces:
    - network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default
      subnetwork: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/regions/{{ common.REGION }}/subnetworks/default
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
    {% endif %}

    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/family/debian-9
    metadata:
      items:
      - key: startup-script
        value: |
          {# Creating VPC Peering to Google Services for the Managed Postgres in the existing network or the newly created one #}
          {% if properties['createNewResources'] %}
          #!/bin/bash
          sudo su -
          echo "Checking relevant peering connections to google services exist in local VPC" >> checking-status.sh
          output=$(gcloud services vpc-peerings list --network={{ env['deployment'] }}-network | grep "servicenetworking.googleapis.com")
          if [[ -z $output ]]; then
          echo "Peering not found, creating peering to servicenetworking.googleapis.com from private VPC" && gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges={{ env['deployment'] }}-google-managed-services --network={{ env['deployment'] }}-network
          else
          echo "No peering created as relevant peering already exists"
          fi
          echo "Sending the signal to deployment manager to carry on with the deployment"
          gcloud beta runtime-config configs variables set success/{{ env['deployment'] }}-vpc-peering-setup success --config-name {{ env['deployment'] }}-startup-config

          echo "Destroying this instance now that it has succesfully executed peering change"
          gcloud compute instances delete --quiet --delete-disks=all --zone=europe-west1-b {{ env['deployment'] }}-peering-setup
          {% else %}
          #!/bin/bash
          sudo su -
          echo "Checking relevant peering connections to google services exist in local VPC" >> checking-status.sh
          output=$(gcloud services vpc-peerings list --network={{ properties['network'] }} | grep "servicenetworking.googleapis.com")

          if [[ -z $output ]]; then
          echo "Known GCP bug when re-creating GCP peering deployment into the same network reserved range, using the workaround published here: https://issuetracker.google.com/issues/118849070 and here https://github.com/terraform-providers/terraform-provider-google/issues/3294 to make sure this has no effect on the deployment"
          gcloud beta services vpc-peerings update --service=servicenetworking.googleapis.com --ranges={{ env['deployment'] }}-google-managed-services --network={{ properties['network'] }} --project={{ env['project'] }} --force

          echo "Peering not found, creating peering to servicenetworking.googleapis.com from private VPC" && gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges={{ env['deployment'] }}-google-managed-services --network={{ properties['network'] }}
          else
          echo "No peering created as relevant peering already exists"
          fi
          echo "Sending the signal to deployment manager to carry on with the deployment"
          gcloud beta runtime-config configs variables set success/{{ env['deployment'] }}-vpc-peering-setup success --config-name {{ env['deployment'] }}-startup-config

          echo "Destroying this instance now that it has succesfully executed peering change"
          gcloud compute instances delete --quiet --delete-disks=all --zone=europe-west1-b {{ env['deployment'] }}-peering-setup
          {% endif %}
    serviceAccounts:
        - email: default
          scopes:
          - 'https://www.googleapis.com/auth/cloud-platform'
          - 'https://www.googleapis.com/auth/cloudruntimeconfig'
    dependsOn:
    - $(ref.{{ env['deployment'] }}-google-managed-services.selfLink)
    {% if properties['createNewResources'] %}
    - $(ref.{{ env['deployment'] }}-subnetwork.selfLink)
    {% endif %}

如果设置了相关参数（在本例中为 createNewResources 标志），它将在两个网络之间创建 vpc 对等互连。

请记住，在执行上述 jinja 之前，您还必须为此设置一个全局地址范围。下面显示了一个例子：

- name: {{ env['deployment'] }}-google-managed-services
  type: compute.v1.globalAddresses
  properties:
    name: google-managed-services-{{ env['deployment'] }}
    {% if properties['createNewResources'] %}
    address: 10.73.144.0
    prefixLength: 20
    {% else %}
    address: {{ CIDRSplit[0] }}
    prefixLength: {{ CIDRSplit[1] }}
    {% endif %}
    addressType: INTERNAL
    purpose: VPC_PEERING

    {# Create the peering to the new network or the specified one #}
    {% if properties['createNewResources'] %}
    network: $(ref.{{ env['deployment']}}-network.selfLink)
    {% else %}
    network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/{{ properties['network'] }}
    {% endif %}

    description: >
      Address range reserved for Google Managed Services.
      https://cloud.google.com/vpc/docs/configure-private-services-access

    {% if properties['createNewResources'] %}
    dependsOn:
    - $(ref.{{ env['deployment']}}-network.selfLink)
    {% endif %}

我希望这对某人有所帮助。