From b32dd66325f006f7c6ff9eea670ee532ee1f572d Mon Sep 17 00:00:00 2001 From: David Gleich Date: Tue, 27 Aug 2024 13:45:15 +0000 Subject: [PATCH 1/8] feat: Create module and example for NCC --- examples/network_connectivity_center/main.tf | 262 ++++++++++++++++++ .../network_connectivity_center/outputs.tf | 41 +++ .../network_connectivity_center/variables.tf | 59 ++++ .../network_connectivity_center/versions.tf | 27 ++ modules/network-connectivity-center/README.md | 42 +++ modules/network-connectivity-center/main.tf | 100 +++++++ .../network-connectivity-center/outputs.tf | 54 ++++ .../network-connectivity-center/variables.tf | 65 +++++ .../network-connectivity-center/versions.tf | 27 ++ .../network_connectivity_center/main.tf | 33 +++ .../network_connectivity_center/outputs.tf | 41 +++ .../network_connectivity_center/variables.tf | 24 ++ .../network_connectivity_center_test.go | 44 +++ test/setup/main.tf | 1 + 14 files changed, 820 insertions(+) create mode 100644 examples/network_connectivity_center/main.tf create mode 100644 examples/network_connectivity_center/outputs.tf create mode 100644 examples/network_connectivity_center/variables.tf create mode 100644 examples/network_connectivity_center/versions.tf create mode 100644 modules/network-connectivity-center/README.md create mode 100644 modules/network-connectivity-center/main.tf create mode 100644 modules/network-connectivity-center/outputs.tf create mode 100644 modules/network-connectivity-center/variables.tf create mode 100644 modules/network-connectivity-center/versions.tf create mode 100644 test/fixtures/network_connectivity_center/main.tf create mode 100644 test/fixtures/network_connectivity_center/outputs.tf create mode 100644 test/fixtures/network_connectivity_center/variables.tf create mode 100644 test/integration/network_connectivity_center/network_connectivity_center_test.go 
diff --git a/examples/network_connectivity_center/main.tf b/examples/network_connectivity_center/main.tf
new file mode 100644
index 00000000..84c843ff
--- /dev/null
+++ b/examples/network_connectivity_center/main.tf
@@ -0,0 +1,262 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "network_connectivity_center" { + source = "terraform-google-modules/network/google//modules/network-connectivity-center" + project_id = var.project_id + ncc_hub_name = var.ncc_hub_name + vpc_spokes = { + "vpc-1" = { + uri = module.vpc_spoke_vpc.network_id + } + } + hybrid_spokes = { + "vpn-1" = { + type = "vpn" + uris = [for k, v in module.local_to_remote_vpn.tunnel_self_links : v] + site_to_site_data_transfer = true + location = var.vpn_region + } + } + router_appliance_spokes = { + "appliance-1" = { + instances = [ + { + virtual_machine = google_compute_instance.router_appliance_1.id + ip_address = google_compute_instance.router_appliance_1.network_interface[0].network_ip + }, + { + virtual_machine = google_compute_instance.router_appliance_2.id + ip_address = google_compute_instance.router_appliance_2.network_interface[0].network_ip + } + ] + location = var.instance_region + site_to_site_data_transfer = false + } + } +} + +################################ +# VPC Spoke # +################################ +module "vpc_spoke_vpc" { + source = "terraform-google-modules/network/google" + project_id = var.project_id + network_name = var.vpc_spoke_vpc_name + routing_mode = "GLOBAL" + + subnets = [ + { + subnet_name = "vpc-spoke-subnet-01" + subnet_ip = "10.10.10.0/24" + subnet_region = "us-west1" + }, + { + subnet_name = "vpc-spoke-subnet-02" + 
subnet_ip = "10.10.20.0/24" + subnet_region = "us-east1" + }, + { + subnet_name = "vpc-spoke-subnet-03" + subnet_ip = "10.10.30.0/24" + subnet_region = "europe-west4" + } + ] +} + +################################ +# VPN Spoke # +################################ +# Simulates an on-prem network that will be connected over VPN +module "vpn_spoke_remote_vpc" { + source = "terraform-google-modules/network/google" + project_id = var.project_id + network_name = var.vpn_spoke_remote_vpc_name + routing_mode = "GLOBAL" + + subnets = [ + { + subnet_name = "vpn-subnet-01" + subnet_ip = "10.20.10.0/24" + subnet_region = "us-west1" + }, + { + subnet_name = "vpn-subnet-02" + subnet_ip = "10.20.20.0/24" + subnet_region = "us-east1" + }, + { + subnet_name = "vpn-subnet-03" + subnet_ip = "10.20.30.0/24" + subnet_region = "europe-west4" + } + ] +} + +module "vpn_spoke_local_vpc" { + source = "terraform-google-modules/network/google" + project_id = var.project_id + network_name = var.vpn_spoke_local_vpc_name + routing_mode = "GLOBAL" + subnets = [] +} + +module "remote_to_local_vpn" { + source = "terraform-google-modules/vpn/google//modules/vpn_ha" + version = "~> 4.0" + + project_id = var.project_id + region = var.vpn_region + network = module.vpn_spoke_remote_vpc.network_id + name = "remote-to-local" + router_asn = 64513 + peer_gcp_gateway = module.local_to_remote_vpn.self_link + tunnels = { + remote-0 = { + bgp_peer = { + address = "169.254.1.2" + asn = 64514 + } + bgp_peer_options = null + bgp_session_range = "169.254.1.1/30" + ike_version = 2 + vpn_gateway_interface = 0 + peer_external_gateway_interface = null + shared_secret = module.local_to_remote_vpn.random_secret + } + remote-1 = { + bgp_peer = { + address = "169.254.2.2" + asn = 64514 + } + bgp_peer_options = null + bgp_session_range = "169.254.2.1/30" + ike_version = 2 + vpn_gateway_interface = 1 + peer_external_gateway_interface = null + shared_secret = module.local_to_remote_vpn.random_secret + } + } +} + +module 
"local_to_remote_vpn" { + source = "terraform-google-modules/vpn/google//modules/vpn_ha" + version = "~> 4.0" + + project_id = var.project_id + region = var.vpn_region + network = module.vpn_spoke_local_vpc.network_id + name = "local-to-remote" + peer_gcp_gateway = module.remote_to_local_vpn.self_link + router_asn = 64514 + tunnels = { + remote-0 = { + bgp_peer = { + address = "169.254.1.1" + asn = 64513 + } + bgp_peer_options = null + bgp_session_range = "169.254.1.2/30" + ike_version = 2 + vpn_gateway_interface = 0 + peer_external_gateway_interface = null + shared_secret = "" + } + remote-1 = { + bgp_peer = { + address = "169.254.2.1" + asn = 64513 + } + bgp_peer_options = null + bgp_session_range = "169.254.2.2/30" + ike_version = 2 + vpn_gateway_interface = 1 + peer_external_gateway_interface = null + shared_secret = "" + } + } +} + + +################################ +# Router Appliance Spoke # +################################ +data "google_compute_zones" "available" { + project = var.project_id + region = var.instance_region +} + +resource "random_shuffle" "zone" { + input = data.google_compute_zones.available.names + result_count = 1 +} + +module "router_appliance_spoke_vpc" { + source = "terraform-google-modules/network/google" + project_id = var.project_id + network_name = var.router_appliance_vpc_name + routing_mode = "GLOBAL" + + subnets = [ + { + subnet_name = "router-appliance-subnet-01" + subnet_ip = "10.20.10.0/24" + subnet_region = var.instance_region + } + ] +} + +resource "google_compute_instance" "router_appliance_1" { + name = "fake-router-appliance-1" + machine_type = "e2-medium" + project = var.project_id + can_ip_forward = true + zone = random_shuffle.zone.result[0] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-11" + } + } + + network_interface { + subnetwork = module.router_appliance_spoke_vpc.subnets["${var.instance_region}/router-appliance-subnet-01"].id + access_config { + network_tier = "PREMIUM" + } + } +} + 
+resource "google_compute_instance" "router_appliance_2" { + name = "fake-router-appliance-2" + machine_type = "e2-medium" + project = var.project_id + can_ip_forward = true + zone = random_shuffle.zone.result[0] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-11" + } + } + + network_interface { + subnetwork = module.router_appliance_spoke_vpc.subnets["${var.instance_region}/router-appliance-subnet-01"].id + access_config { + network_tier = "PREMIUM" + } + } +} diff --git a/examples/network_connectivity_center/outputs.tf b/examples/network_connectivity_center/outputs.tf new file mode 100644 index 00000000..be46209a --- /dev/null +++ b/examples/network_connectivity_center/outputs.tf 
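Review bot: `router-appliance-subnet-01` in `router_appliance_spoke_vpc` uses `subnet_ip = "10.20.10.0/24"`, the same range as `vpn-subnet-01` in `vpn_spoke_remote_vpc`; if the remote VPC's subnets are advertised over the tunnels, as the vpn_ha module's default router configuration presumably does, the hub ends up with two spokes claiming one prefix and traffic to it is ambiguous. A non-overlapping range such as `subnet_ip = "10.30.10.0/24"` (constructed value) keeps the example consistent with the 10.10.x/10.20.x scheme used by the other two spokes. Separately, both `fake-router-appliance` instances carry an `access_config { network_tier = "PREMIUM" }` block, which gives each an ephemeral external address that the spoke never uses (the appliance spoke is built from `network_ip`); dropping the block, or a one-line comment stating why the instances need to be reachable from outside, would keep the example minimal. Both `google_compute_instance` blocks deliberately share `random_shuffle.zone.result[0]`, which deserves a comment such as `# both appliances are placed in the same randomly chosen zone on purpose` so readers do not take it for a copy-paste slip.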
@@ -0,0 +1,41 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "ncc_hub" { + description = "The NCC Hub object" + value = module.network_connectivity_center.ncc_hub +} + +output "vpc_spokes" { + description = "All vpc spoke objects" + value = module.network_connectivity_center.vpc_spokes +} + + +output "hybrid_spokes" { + description = "All hybrid spoke objects" + value = module.network_connectivity_center.hybrid_spokes +} + +output "router_appliance_spokes" { + description = "All router appliance spoke objects" + value = module.network_connectivity_center.router_appliance_spokes +} + +output "spokes" { + description = "All spoke objects prefixed with the type of spoke (vpc, hybrid, appliance)" + value = module.network_connectivity_center.spokes +} diff --git a/examples/network_connectivity_center/variables.tf b/examples/network_connectivity_center/variables.tf new file mode 100644 index 00000000..e677e98c --- /dev/null +++ b/examples/network_connectivity_center/variables.tf 
@@ -0,0 +1,59 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The project ID to host the network in" +} + +variable "vpn_region" { + description = "The region where to deploy the VPN" + default = "europe-west4" +} + +variable "instance_region" { + description = "The region where to deploy the Router Instance in" + default = "us-central1" +} + +variable "ncc_hub_name" { + description = "The Name of the NCC Hub" + type = string + default = "ncc-hub" +} + +variable "vpc_spoke_vpc_name" { + description = "The VPC Name for the VPC Spoke" + type = string + default = "vpc-spoke" +} + +variable "vpn_spoke_local_vpc_name" { + description = "The name for the local VPC (GCP side) for the VPN Spoke" + type = string + default = "vpn-local-spoke" +} + +variable "vpn_spoke_remote_vpc_name" { + description = "The name for the remote VPC (fake on-orem) for the VPN Spoke" + type = string + default = "vpn-remote-spoke" +} + +variable "router_appliance_vpc_name" { + description = "The VPC Name for the VPC Spoke" + type = string + default = "router-appliance-spoke" +} diff --git a/examples/network_connectivity_center/versions.tf b/examples/network_connectivity_center/versions.tf new file mode 100644 index 00000000..5ebf9393 --- /dev/null +++ b/examples/network_connectivity_center/versions.tf 
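Review bot: `project_id`, `vpn_region` and `instance_region` declare no `type` while every other variable in this file has `type = string`; adding `type = string` to the three rejects a non-string value at plan time instead of coercing it. The description of `router_appliance_vpc_name` is copied from `vpc_spoke_vpc_name` ("The VPC Name for the VPC Spoke") and should read `description = "The VPC Name for the Router Appliance Spoke"`. `vpn_spoke_remote_vpc_name` has a typo in "fake on-orem", which should be "fake on-prem".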
@@ -0,0 +1,27 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">=0.13.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 5.40.0" + + } + } +} diff --git a/modules/network-connectivity-center/README.md b/modules/network-connectivity-center/README.md new file mode 100644 index 00000000..6eb91329 --- /dev/null +++ b/modules/network-connectivity-center/README.md @@ -0,0 +1,42 @@ +# Terraform Network Connectivity Center Module + +This submodule is part of the the `terraform-google-network` module. It creates a Network Connectivity Center Hub and attaches spokes. + +## Usage + +Basic usage of this submodule is as follows: + +```hcl +module "ncc" { + source = "terraform-google-modules/network/google//modules/network-connectivity-center" + version = "~> 9.0.0" + + project_id = "" +} +``` + +An extensive example that also contains the creation and attachment of multiple spokes can be found in [examples/network-connectivity-center](../../examples/network_connectivity_center/) + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| export\_psc | Whether Private Service Connect transitivity is enabled for the hub | `bool` | `true` | no | +| hybrid\_spokes | VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`. |
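Review bot: `required_providers` pins only `google`, but `examples/network_connectivity_center/main.tf` in this same patch declares `resource "random_shuffle" "zone"`, so the `random` provider is resolved implicitly and `terraform init` is not reproducible across runs. Declare it next to google, `random = { source = "hashicorp/random" }`, with a version constraint matching the repo's other examples. `required_version = ">=0.13.0"` is also lower than what the consumed module needs, since the module's variables.tf uses `optional(bool, false)` in object types, a Terraform 1.3 feature; `required_version = ">= 1.3.0"` reflects the real floor.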
map(object({
location = string
uris = set(string)
site_to_site_data_transfer = optional(bool, false)
type = string
}))
| `{}` | no | +| ncc\_hub\_name | The Name of the NCC Hub | `string` | `"ncc-hub"` | no | +| project\_id | Project id of the project that holds the network. | `string` | n/a | yes | +| router\_appliance\_spokes | Router appliance instances that are associated with the spoke. |
map(object({
instances = set(object({
virtual_machine = string
ip_address = string
}))
location = string
site_to_site_data_transfer = optional(bool, false)
}))
| `{}` | no | +| vpc\_spokes | VPC network that is associated with the spoke |
map(object({
uri = string
exclude_export_ranges = optional(set(string))
}))
| `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| hybrid\_spokes | All hybrid spoke objects | +| ncc\_hub | The NCC Hub object | +| router\_appliance\_spokes | All router appliance spoke objects | +| spokes | All spoke objects prefixed with the type of spoke (vpc, hybrid, appliance) | +| vpc\_spokes | All vpc spoke objects | + + diff --git a/modules/network-connectivity-center/main.tf b/modules/network-connectivity-center/main.tf new file mode 100644 index 00000000..4a21202a --- /dev/null +++ b/modules/network-connectivity-center/main.tf 
@@ -0,0 +1,100 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + default_description = "Managed by Terraform" + vpc_spokes = { + for k, v in google_network_connectivity_spoke.vpc_spoke : + k => v + } + hybrid_spokes = { + for k, v in google_network_connectivity_spoke.hybrid_spoke : + k => v + } + router_appliance_spokes = { + for k, v in google_network_connectivity_spoke.router_appliance_spoke : + k => v + } +} + +resource "google_network_connectivity_hub" "hub" { + name = var.ncc_hub_name + project = var.project_id + description = local.default_description + export_psc = var.export_psc +} + + +resource "google_network_connectivity_spoke" "vpc_spoke" { + for_each = var.vpc_spokes + project = var.project_id + name = each.key + location = "global" + description = local.default_description + hub = google_network_connectivity_hub.hub.id + + linked_vpc_network { + uri = each.value.uri + exclude_export_ranges = each.value.exclude_export_ranges + } +} + +resource "google_network_connectivity_spoke" "hybrid_spoke" { + for_each = var.hybrid_spokes + project = var.project_id + name = each.key + location = each.value.location + description = local.default_description + hub = google_network_connectivity_hub.hub.id + + dynamic "linked_interconnect_attachments" { + for_each = each.value.type == "interconnect" ? 
[1] : [] + content { + uris = each.value.uris + site_to_site_data_transfer = each.value.site_to_site_data_transfer + } + } + + dynamic "linked_vpn_tunnels" { + for_each = each.value.type == "vpn" ? [1] : [] + content { + uris = each.value.uris + site_to_site_data_transfer = each.value.site_to_site_data_transfer + } + } +} + +resource "google_network_connectivity_spoke" "router_appliance_spoke" { + for_each = var.router_appliance_spokes + project = var.project_id + name = each.key + location = each.value.location + description = local.default_description + hub = google_network_connectivity_hub.hub.id + + linked_router_appliance_instances { + dynamic "instances" { + for_each = each.value.instances + iterator = instance_list + content { + virtual_machine = instance_list.value.virtual_machine + ip_address = instance_list.value.ip_address + } + } + site_to_site_data_transfer = each.value.site_to_site_data_transfer + + } +} diff --git a/modules/network-connectivity-center/outputs.tf b/modules/network-connectivity-center/outputs.tf new file mode 100644 index 00000000..3b306adf --- /dev/null +++ b/modules/network-connectivity-center/outputs.tf 
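Review bot: The three `locals` entries (`vpc_spokes`, `hybrid_spokes`, `router_appliance_spokes`) are identity comprehensions — `{ for k, v in X : k => v }` yields `X` unchanged — so each can be written directly as `vpc_spokes = google_network_connectivity_spoke.vpc_spoke` and the comprehensions dropped. In `hybrid_spoke`, a `type` other than `"interconnect"` or `"vpn"` leaves both dynamic blocks empty and builds a spoke with no linked resources, which presumably is only rejected by the API at apply time; a `validation` block on `var.hybrid_spokes` would surface the typo at plan. A one-line header on each resource, e.g. `# One spoke per entry in var.vpc_spokes; VPC spokes are always global.`, would help readers, since `location = "global"` is hard-coded here but taken from the input for the other two spoke types.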
@@ -0,0 +1,54 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "ncc_hub" { + description = "The NCC Hub object" + value = google_network_connectivity_hub.hub +} + +output "vpc_spokes" { + description = "All vpc spoke objects" + value = local.vpc_spokes +} + + +output "hybrid_spokes" { + description = "All hybrid spoke objects" + value = local.hybrid_spokes +} + +output "router_appliance_spokes" { + description = "All router appliance spoke objects" + value = local.router_appliance_spokes +} + +output "spokes" { + description = "All spoke objects prefixed with the type of spoke (vpc, hybrid, appliance)" + value = flatten([ + { + for k, v in local.vpc_spokes : + "vpc/${k}" => v + }, + { + for k, v in local.hybrid_spokes : + "hybrid/${k}" => v + }, + { + for k, v in local.router_appliance_spokes : + "appliance/${k}" => v + }, + ]) +} diff --git a/modules/network-connectivity-center/variables.tf b/modules/network-connectivity-center/variables.tf new file mode 100644 index 00000000..3e54178f --- /dev/null +++ b/modules/network-connectivity-center/variables.tf 
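Review bot: The `spokes` output wraps three maps in `flatten([...])`, which returns a list of three maps rather than the single map keyed by `vpc/…`, `hybrid/…` and `appliance/…` that the description promises; `flatten` only unnests list elements and leaves maps as they are. Replace `value = flatten([` with `value = merge(` and the closing `])` with `)` so consumers get one map they can index by prefixed name; the type prefixes already guarantee the keys cannot collide.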
@@ -0,0 +1,65 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "Project id of the project that holds the network." + type = string +} + +variable "ncc_hub_name" { + description = "The Name of the NCC Hub" + type = string + default = "ncc-hub" +} + +variable "export_psc" { + description = "Whether Private Service Connect transitivity is enabled for the hub" + type = bool + default = true +} + +variable "vpc_spokes" { + description = "VPC network that is associated with the spoke" + type = map(object({ + uri = string + exclude_export_ranges = optional(set(string)) + })) + default = {} +} + +variable "hybrid_spokes" { + description = "VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`." + type = map(object({ + location = string + uris = set(string) + site_to_site_data_transfer = optional(bool, false) + type = string + })) + default = {} +} + +variable "router_appliance_spokes" { + description = "Router appliance instances that are associated with the spoke." + type = map(object({ + instances = set(object({ + virtual_machine = string + ip_address = string + })) + location = string + site_to_site_data_transfer = optional(bool, false) + })) + default = {} +} diff --git a/modules/network-connectivity-center/versions.tf b/modules/network-connectivity-center/versions.tf new file mode 100644 index 00000000..5ebf9393 
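Review bot: `hybrid_spokes` documents that `type` must be `interconnect` or `vpn`, but nothing enforces it, and the module's main.tf then builds a spoke with neither linked block for any other value. A `validation` block on the variable turns a mistyped value into a plan-time error with a readable message instead of a late failure. The `optional(bool, false)` forms used here also mean the module requires Terraform 1.3 or newer, which the `required_version` in versions.tf should state.

```hcl
variable "hybrid_spokes" {
  # … unchanged: description, type, default …
  validation {
    condition     = alltrue([for k, v in var.hybrid_spokes : contains(["interconnect", "vpn"], v.type)])
    error_message = "Each hybrid spoke's type must be \"interconnect\" or \"vpn\"."
  }
}
```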
--- /dev/null +++ b/modules/network-connectivity-center/versions.tf @@ -0,0 +1,27 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">=0.13.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 5.40.0" + + } + } +} diff --git a/test/fixtures/network_connectivity_center/main.tf b/test/fixtures/network_connectivity_center/main.tf new file mode 100644 index 00000000..348fe1e5 --- /dev/null +++ b/test/fixtures/network_connectivity_center/main.tf 
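Review bot: `required_version = ">=0.13.0"` understates the real floor: variables.tf in this patch uses `optional(bool, false)` inside object types, and optional attributes with a default argument only exist from Terraform 1.3, so older versions will reject the type expression during init. Raise it to `required_version = ">= 1.3.0"`. The example's versions.tf carries the same constraint and should move with it.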
@@ -0,0 +1,33 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + ncc_hub_name = "ncc-hub-${var.random_string_for_testing}" + vpc_spoke_vpc_name = "vpc-spoke-${var.random_string_for_testing}" + vpn_spoke_local_vpc_name = "vpn-local-spoke-${var.random_string_for_testing}" + vpn_spoke_remote_vpc_name = "vpn-remote-spoke-${var.random_string_for_testing}" + router_appliance_vpc_name = "router-appliance-spoke-${var.random_string_for_testing}" +} + +module "example" { + source = "../../../examples/network_connectivity_center" + project_id = var.project_id + ncc_hub_name = local.ncc_hub_name + vpc_spoke_vpc_name = local.vpc_spoke_vpc_name + vpn_spoke_local_vpc_name = local.vpn_spoke_local_vpc_name + vpn_spoke_remote_vpc_name = local.vpn_spoke_remote_vpc_name + router_appliance_vpc_name = local.router_appliance_vpc_name +} diff --git a/test/fixtures/network_connectivity_center/outputs.tf b/test/fixtures/network_connectivity_center/outputs.tf new file mode 100644 index 00000000..761ddbc1 --- /dev/null +++ b/test/fixtures/network_connectivity_center/outputs.tf 
@@ -0,0 +1,41 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "project_id" { + value = var.project_id + description = "The ID of the project being used" +} + +output "ncc_hub_name" { + value = local.ncc_hub_name +} + +output "vpc_spoke_vpc_name" { + value = local.vpc_spoke_vpc_name +} + +output "vpn_spoke_local_vpc_name" { + value = local.vpn_spoke_local_vpc_name +} + +output "vpn_spoke_remote_vpc_name" { + value = local.vpn_spoke_remote_vpc_name +} + +output "router_appliance_vpc_name" { + value = local.router_appliance_vpc_name +} + diff --git a/test/fixtures/network_connectivity_center/variables.tf b/test/fixtures/network_connectivity_center/variables.tf new file mode 100644 index 00000000..e631230e --- /dev/null +++ b/test/fixtures/network_connectivity_center/variables.tf 
@@ -0,0 +1,24 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The GCP project to use for integration tests" +} + +variable "random_string_for_testing" { + description = "A random string of characters to be appended to resource names to ensure uniqueness" + default = "a1" +} diff --git a/test/integration/network_connectivity_center/network_connectivity_center_test.go b/test/integration/network_connectivity_center/network_connectivity_center_test.go new file mode 100644 index 00000000..757727c2 --- /dev/null +++ b/test/integration/network_connectivity_center/network_connectivity_center_test.go 
@@ -0,0 +1,44 @@ +// Copyright 2024 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ncc + +import ( + // "strings" + + "testing" + + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" + "github.com/stretchr/testify/assert" +) + +func TestNetworkConnectivityCenter(t *testing.T) { + net := tft.NewTFBlueprintTest(t) + net.DefineVerify( + func(assert *assert.Assertions) { + net.DefaultVerify(assert) + projectID := net.GetStringOutput("project_id") + nccHubName := net.GetStringOutput("ncc_hub_name") + expectedNccSpokesCount := 3 + + op := gcloud.Run(t, "network-connectivity hubs describe ", gcloud.WithCommonArgs([]string{nccHubName, "--project", projectID, "--format", "json"})) + nccSpokeStateCount := op.Get("spokeSummary.spokeStateCounts").Array() + assert.Equal(1, len(nccSpokeStateCount), "should have spokes in one State") + assert.Equal("ACTIVE", nccSpokeStateCount[0].Get("state").String(), "should have only active spokes") + assert.Equal(int64(expectedNccSpokesCount), nccSpokeStateCount[0].Get("count").Int(), "should have exactly 3 spokes") + assert.Equal(expectedNccSpokesCount, len(op.Get("spokeSummary.spokeTypeCounts").Array()), "should have 3 different spoke types") + }) + net.Test() +} diff --git a/test/setup/main.tf b/test/setup/main.tf index 79cbb95d..59d1825e 100644 --- a/test/setup/main.tf 
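Review bot: The `gcloud.Run` command string `"network-connectivity hubs describe "` carries a trailing space and passes the hub name through `WithCommonArgs` rather than as part of the command; `gcloud.Run(t, "network-connectivity hubs describe "+nccHubName, gcloud.WithCommonArgs([]string{"--project", projectID, "--format", "json"}))` reads as the intent and keeps the common args to flags only. The last assertion reuses `expectedNccSpokesCount` to check the number of distinct spoke types, which only coincides with the spoke count because the example creates exactly one spoke of each type; a separate `expectedNccSpokeTypes := 3` makes the two checks independent and the failure message honest. The commented-out `// "strings"` import should be removed rather than left in the import block.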
+++ b/test/setup/main.tf @@ -53,6 +53,7 @@ module "project" { "vpcaccess.googleapis.com", "dns.googleapis.com", "networksecurity.googleapis.com", + "networkconnectivity.googleapis.com", "iam.googleapis.com", ] } From 51db90a090e3bbac33502d53b7a3e5ef2a2145a1 Mon Sep 17 00:00:00 2001 From: David Gleich Date: Mon, 23 Sep 2024 12:13:31 +0000 Subject: [PATCH 2/8] Implement findings from Review --- build/int.cloudbuild.yaml | 15 +++++++ examples/network_connectivity_center/main.tf | 9 ++++ .../network_connectivity_center/outputs.tf | 10 +++++ modules/network-connectivity-center/README.md | 15 ++++--- modules/network-connectivity-center/main.tf | 13 +++--- .../network-connectivity-center/variables.tf | 28 +++++++++++-- .../network-connectivity-center/versions.tf | 7 +++- .../network_connectivity_center/main.tf | 33 --------------- .../network_connectivity_center/outputs.tf | 41 ------------------- .../network_connectivity_center/variables.tf | 24 ----------- 10 files changed, 81 insertions(+), 114 deletions(-) delete mode 100644 test/fixtures/network_connectivity_center/main.tf delete mode 100644 test/fixtures/network_connectivity_center/outputs.tf delete mode 100644 test/fixtures/network_connectivity_center/variables.tf diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 8c80949b..9b42735f 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -226,6 +226,21 @@ steps:
 - verify hierarchical-firewall-policy
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 args: ['/bin/bash', '-c', 'cft test run TestHierarchicalFirewallPolicy --stage teardown --verbose']
+- id: converge network-connectivity-center
+ waitFor:
+ - destroy hierarchical-firewall-policy
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestNetworkConnectivityCenter --stage apply --verbose']
+- id: verify network-connectivity-center
+ waitFor:
+ - converge network-connectivity-center
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestNetworkConnectivityCenter --stage verify --verbose']
+- id: destroy network-connectivity-center
+ waitFor:
+ - verify network-connectivity-center
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestNetworkConnectivityCenter --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'
diff --git a/examples/network_connectivity_center/main.tf b/examples/network_connectivity_center/main.tf
index 84c843ff..85d9380e 100644
--- a/examples/network_connectivity_center/main.tf
+++ b/examples/network_connectivity_center/main.tf
@@ -18,9 +18,18 @@ module "network_connectivity_center" {
 source = "terraform-google-modules/network/google//modules/network-connectivity-center"
 project_id = var.project_id
 ncc_hub_name = var.ncc_hub_name
+ ncc_hub_labels = {
+ "module" = "ncc"
+ }
+ spoke_labels = {
+ "created-by" = "terraform-google-ncc-example"
+ }
 vpc_spokes = {
 "vpc-1" = {
 uri = module.vpc_spoke_vpc.network_id
+ labels = {
+ "spoke-type" = "vpc"
+ }
 }
 }
 hybrid_spokes = {
diff --git a/examples/network_connectivity_center/outputs.tf b/examples/network_connectivity_center/outputs.tf
index be46209a..668497cd 100644
--- a/examples/network_connectivity_center/outputs.tf
+++ b/examples/network_connectivity_center/outputs.tf
@@ -14,6 +14,16 @@ * limitations under the License.
 */
+output "project_id" {
+ description = "The project ID (required for testing)"
+ value = var.project_id
+}
+
+output "ncc_hub_name" {
+ description = "Name of the NCC Hub (required for testing)"
+ value = module.network_connectivity_center.ncc_hub.name
+}
+
 output "ncc_hub" {
 description = "The NCC Hub object"
 value = module.network_connectivity_center.ncc_hub
diff --git a/modules/network-connectivity-center/README.md b/modules/network-connectivity-center/README.md
index 6eb91329..ff5b6036 100644
--- a/modules/network-connectivity-center/README.md
+++ b/modules/network-connectivity-center/README.md
@@ -22,12 +22,15 @@ An extensive example that also contains the creation and attachment of multiple
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| export\_psc | Whether Private Service Connect transitivity is enabled for the hub | `bool` | `true` | no |
-| hybrid\_spokes | VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`. |
map(object({
location = string
uris = set(string)
site_to_site_data_transfer = optional(bool, false)
type = string
}))
| `{}` | no | -| ncc\_hub\_name | The Name of the NCC Hub | `string` | `"ncc-hub"` | no | -| project\_id | Project id of the project that holds the network. | `string` | n/a | yes | -| router\_appliance\_spokes | Router appliance instances that are associated with the spoke. |
map(object({
instances = set(object({
virtual_machine = string
ip_address = string
}))
location = string
site_to_site_data_transfer = optional(bool, false)
}))
| `{}` | no | -| vpc\_spokes | VPC network that is associated with the spoke |
map(object({
uri = string
exclude_export_ranges = optional(set(string))
}))
| `{}` | no | +| export\_psc | Whether Private Service Connect transitivity is enabled for the hub | `bool` | `false` | no | +| hybrid\_spokes | VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`. |
map(object({
location = string
uris = set(string)
site_to_site_data_transfer = optional(bool, false)
type = string
description = optional(string, "Managed by Terraform")
labels = optional(map(string))
}))
| `{}` | no | +| ncc\_hub\_description | The description of the NCC Hub | `string` | `"Managed by Terraform"` | no | +| ncc\_hub\_labels | These labels will be added the NCC hub | `map(string)` | `{}` | no | +| ncc\_hub\_name | The Name of the NCC Hub | `string` | n/a | yes | +| project\_id | Project ID of the project that holds the network. | `string` | n/a | yes | +| router\_appliance\_spokes | Router appliance instances that are associated with the spoke. |
map(object({
instances = set(object({
virtual_machine = string
ip_address = string
}))
location = string
site_to_site_data_transfer = optional(bool, false)
description = optional(string, "Managed by Terraform")
labels = optional(map(string))
}))
| `{}` | no | +| spoke\_labels | These labels will be added to all NCC spokes | `map(string)` | `{}` | no | +| vpc\_spokes | VPC network that is associated with the spoke |
map(object({
uri = string
exclude_export_ranges = optional(set(string))
description = optional(string, "Managed by Terraform")
labels = optional(map(string))
}))
| `{}` | no | ## Outputs
diff --git a/modules/network-connectivity-center/main.tf b/modules/network-connectivity-center/main.tf
index 4a21202a..bbf8ff7f 100644
--- a/modules/network-connectivity-center/main.tf
+++ b/modules/network-connectivity-center/main.tf
@@ -15,7 +15,6 @@ */
 locals {
- default_description = "Managed by Terraform"
 vpc_spokes = {
 for k, v in google_network_connectivity_spoke.vpc_spoke : k => v
@@ -33,8 +32,9 @@ locals {
 resource "google_network_connectivity_hub" "hub" {
 name = var.ncc_hub_name
 project = var.project_id
- description = local.default_description
+ description = var.ncc_hub_description
 export_psc = var.export_psc
+ labels = var.ncc_hub_labels
 }
@@ -43,8 +43,9 @@ resource "google_network_connectivity_spoke" "vpc_spoke" {
 project = var.project_id
 name = each.key
 location = "global"
- description = local.default_description
+ description = each.value.description
 hub = google_network_connectivity_hub.hub.id
+ labels = merge(var.spoke_labels, each.value.labels)
 linked_vpc_network {
 uri = each.value.uri
@@ -57,8 +58,9 @@ resource "google_network_connectivity_spoke" "hybrid_spoke" {
 project = var.project_id
 name = each.key
 location = each.value.location
- description = local.default_description
+ description = each.value.description
 hub = google_network_connectivity_hub.hub.id
+ labels = merge(var.spoke_labels, each.value.labels)
 dynamic "linked_interconnect_attachments" {
 for_each = each.value.type == "interconnect" ? [1] : []
@@ -82,8 +84,9 @@ resource "google_network_connectivity_spoke" "router_appliance_spoke" {
 project = var.project_id
 name = each.key
 location = each.value.location
- description = local.default_description
+ description = each.value.description
 hub = google_network_connectivity_hub.hub.id
+ labels = merge(var.spoke_labels, each.value.labels)
 linked_router_appliance_instances {
 dynamic "instances" {
diff --git a/modules/network-connectivity-center/variables.tf b/modules/network-connectivity-center/variables.tf
index 3e54178f..47cbf7d7 100644
--- a/modules/network-connectivity-center/variables.tf
+++ b/modules/network-connectivity-center/variables.tf
@@ -15,20 +15,30 @@ */
 variable "project_id" {
- description = "Project id of the project that holds the network."
+ description = "Project ID of the project that holds the network."
 type = string
 }
 variable "ncc_hub_name" {
 description = "The Name of the NCC Hub"
 type = string
- default = "ncc-hub"
+}
+
+variable "ncc_hub_description" {
+ description = "The description of the NCC Hub"
+ type = string
+ default = "Managed by Terraform"
+}
+variable "ncc_hub_labels" {
+ description = "These labels will be added the NCC hub"
+ type = map(string)
+ default = {}
 }
 variable "export_psc" {
 description = "Whether Private Service Connect transitivity is enabled for the hub"
 type = bool
- default = true
+ default = false
 }
 variable "vpc_spokes" {
@@ -36,6 +46,8 @@ variable "vpc_spokes" {
 type = map(object({
 uri = string
 exclude_export_ranges = optional(set(string))
+ description = optional(string, "Managed by Terraform")
+ labels = optional(map(string))
 }))
 default = {}
 }
@@ -47,6 +59,8 @@ variable "hybrid_spokes" {
 uris = set(string)
 site_to_site_data_transfer = optional(bool, false)
 type = string
+ description = optional(string, "Managed by Terraform")
+ labels = optional(map(string))
 }))
 default = {}
 }
@@ -60,6 +74,14 @@ variable "router_appliance_spokes" {
 }))
 location = string
 site_to_site_data_transfer = optional(bool, false)
+ description = optional(string, "Managed by Terraform")
+ labels = optional(map(string))
 }))
 default = {}
 }
+
+variable "spoke_labels" {
+ description = "These labels will be added to all NCC spokes"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/network-connectivity-center/versions.tf b/modules/network-connectivity-center/versions.tf
index 5ebf9393..ab114a30 100644
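Review bot: The new `spoke_labels` description (`These labels will be added to all NCC spokes`) does not say what happens when a spoke's own `labels` repeats a key; the same patch builds the spoke labels in main.tf with `merge(var.spoke_labels, each.value.labels)`, so the per-spoke value silently wins, and anyone relying on `spoke_labels` for cost-allocation or policy labels should know a single spoke entry can override them. Suggest `These labels will be added to all NCC spokes; a key that is also set in a spoke's own labels takes the spoke's value.` The `ncc_hub_labels` description also reads `These labels will be added the NCC hub` and is missing the word "to".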
--- a/modules/network-connectivity-center/versions.tf
+++ b/modules/network-connectivity-center/versions.tf
@@ -15,13 +15,16 @@ */
 terraform {
- required_version = ">=0.13.0"
+ required_version = ">= 1.3.0"
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.40.0"
+ version = ">= 5.40.0, < 7"
 }
 }
+ provider_meta "google" {
+ module_name = "blueprints/terraform/terraform-google-network:network-connectivity-center/v9.2.0"
+ }
 }
diff --git a/test/fixtures/network_connectivity_center/main.tf b/test/fixtures/network_connectivity_center/main.tf
deleted file mode 100644
index 348fe1e5..00000000
--- a/test/fixtures/network_connectivity_center/main.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- ncc_hub_name = "ncc-hub-${var.random_string_for_testing}"
- vpc_spoke_vpc_name = "vpc-spoke-${var.random_string_for_testing}"
- vpn_spoke_local_vpc_name = "vpn-local-spoke-${var.random_string_for_testing}"
- vpn_spoke_remote_vpc_name = "vpn-remote-spoke-${var.random_string_for_testing}"
- router_appliance_vpc_name = "router-appliance-spoke-${var.random_string_for_testing}"
-}
-
-module "example" {
- source = "../../../examples/network_connectivity_center"
- project_id = var.project_id
- ncc_hub_name = local.ncc_hub_name
- vpc_spoke_vpc_name = local.vpc_spoke_vpc_name
- vpn_spoke_local_vpc_name = local.vpn_spoke_local_vpc_name
- vpn_spoke_remote_vpc_name = local.vpn_spoke_remote_vpc_name
- router_appliance_vpc_name = local.router_appliance_vpc_name
-}
diff --git a/test/fixtures/network_connectivity_center/outputs.tf b/test/fixtures/network_connectivity_center/outputs.tf
deleted file mode 100644
index 761ddbc1..00000000
--- a/test/fixtures/network_connectivity_center/outputs.tf
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-output "project_id" {
- value = var.project_id
- description = "The ID of the project being used"
-}
-
-output "ncc_hub_name" {
- value = local.ncc_hub_name
-}
-
-output "vpc_spoke_vpc_name" {
- value = local.vpc_spoke_vpc_name
-}
-
-output "vpn_spoke_local_vpc_name" {
- value = local.vpn_spoke_local_vpc_name
-}
-
-output "vpn_spoke_remote_vpc_name" {
- value = local.vpn_spoke_remote_vpc_name
-}
-
-output "router_appliance_vpc_name" {
- value = local.router_appliance_vpc_name
-}
-
diff --git a/test/fixtures/network_connectivity_center/variables.tf b/test/fixtures/network_connectivity_center/variables.tf
deleted file mode 100644
index e631230e..00000000
--- a/test/fixtures/network_connectivity_center/variables.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "project_id" {
- description = "The GCP project to use for integration tests"
-}
-
-variable "random_string_for_testing" {
- description = "A random string of characters to be appended to resource names to ensure uniqueness"
- default = "a1"
-}
From bf9a6b6e88df68965b7cd9b26d991f6987c08f8a Mon Sep 17 00:00:00 2001
From: David Gleich
Date: Tue, 24 Sep 2024 06:21:45 +0000
Subject: [PATCH 3/8] Remove default text for description and add NCC Hub Admin for test setup
---
 modules/network-connectivity-center/variables.tf | 8 ++++---- test/setup/iam.tf | 1 + 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/modules/network-connectivity-center/variables.tf b/modules/network-connectivity-center/variables.tf
index 47cbf7d7..0804f4dc 100644
--- a/modules/network-connectivity-center/variables.tf
+++ b/modules/network-connectivity-center/variables.tf
@@ -27,7 +27,7 @@ variable "ncc_hub_name" {
 variable "ncc_hub_description" {
 description = "The description of the NCC Hub"
 type = string
- default = "Managed by Terraform"
+ default = ""
 }
 variable "ncc_hub_labels" {
 description = "These labels will be added the NCC hub"
@@ -46,7 +46,7 @@ variable "vpc_spokes" {
 type = map(object({
 uri = string
 exclude_export_ranges = optional(set(string))
- description = optional(string, "Managed by Terraform")
+ description = optional(string)
 labels = optional(map(string))
 }))
 default = {}
@@ -59,7 +59,7 @@ variable "hybrid_spokes" {
 uris = set(string)
 site_to_site_data_transfer = optional(bool, false)
 type = string
- description = optional(string, "Managed by Terraform")
+ description = optional(string)
 labels = optional(map(string))
 }))
 default = {}
@@ -74,7 +74,7 @@ variable "router_appliance_spokes" {
 }))
 location = string
 site_to_site_data_transfer = optional(bool, false)
- description = optional(string, "Managed by Terraform")
+ description = optional(string)
 labels = optional(map(string))
 }))
 default = {}
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index c13c61d3..779f2663 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -25,6 +25,7 @@ locals {
 "roles/resourcemanager.tagAdmin",
 "roles/iam.serviceAccountAdmin",
 "roles/compute.orgFirewallPolicyAdmin",
+ "roles/networkconnectivity.hubAdmin",
 ]
 }
From df17a73e3a6762fbb6643c6fec3724c56a6de280 Mon Sep 17 00:00:00 2001
From: David Gleich
Date: Tue, 24 Sep 2024 12:15:34 +0000
Subject: [PATCH 4/8] Change default for empty string to null instead and regenerate docs
---
 modules/network-connectivity-center/README.md | 8 ++++---- modules/network-connectivity-center/variables.tf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/network-connectivity-center/README.md b/modules/network-connectivity-center/README.md
index ff5b6036..b857a0cc 100644
--- a/modules/network-connectivity-center/README.md
+++ b/modules/network-connectivity-center/README.md
@@ -23,14 +23,14 @@ An extensive example that also contains the creation and attachment of multiple | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | export\_psc | Whether Private Service Connect transitivity is enabled for the hub | `bool` | `false` | no | -| hybrid\_spokes | VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`. |
map(object({
location = string
uris = set(string)
site_to_site_data_transfer = optional(bool, false)
type = string
description = optional(string, "Managed by Terraform")
labels = optional(map(string))
}))
| `{}` | no | -| ncc\_hub\_description | The description of the NCC Hub | `string` | `"Managed by Terraform"` | no | +| hybrid\_spokes | VLAN attachments and VPN Tunnels that are associated with the spoke. Type must be one of `interconnect` and `vpn`. |
map(object({
location = string
uris = set(string)
site_to_site_data_transfer = optional(bool, false)
type = string
description = optional(string)
labels = optional(map(string))
}))
| `{}` | no | +| ncc\_hub\_description | The description of the NCC Hub | `string` | `null` | no | | ncc\_hub\_labels | These labels will be added the NCC hub | `map(string)` | `{}` | no | | ncc\_hub\_name | The Name of the NCC Hub | `string` | n/a | yes | | project\_id | Project ID of the project that holds the network. | `string` | n/a | yes | -| router\_appliance\_spokes | Router appliance instances that are associated with the spoke. |
map(object({
instances = set(object({
virtual_machine = string
ip_address = string
}))
location = string
site_to_site_data_transfer = optional(bool, false)
description = optional(string, "Managed by Terraform")
labels = optional(map(string))
}))
| `{}` | no | +| router\_appliance\_spokes | Router appliance instances that are associated with the spoke. |
map(object({
instances = set(object({
virtual_machine = string
ip_address = string
}))
location = string
site_to_site_data_transfer = optional(bool, false)
description = optional(string)
labels = optional(map(string))
}))
| `{}` | no | | spoke\_labels | These labels will be added to all NCC spokes | `map(string)` | `{}` | no | -| vpc\_spokes | VPC network that is associated with the spoke |
map(object({
uri = string
exclude_export_ranges = optional(set(string))
description = optional(string, "Managed by Terraform")
labels = optional(map(string))
}))
| `{}` | no | +| vpc\_spokes | VPC network that is associated with the spoke |
map(object({
uri = string
exclude_export_ranges = optional(set(string))
description = optional(string)
labels = optional(map(string))
}))
| `{}` | no | ## Outputs
diff --git a/modules/network-connectivity-center/variables.tf b/modules/network-connectivity-center/variables.tf
index 0804f4dc..4ce08715 100644
--- a/modules/network-connectivity-center/variables.tf
+++ b/modules/network-connectivity-center/variables.tf
@@ -27,7 +27,7 @@ variable "ncc_hub_name" {
 variable "ncc_hub_description" {
 description = "The description of the NCC Hub"
 type = string
- default = ""
+ default = null
 }
 variable "ncc_hub_labels" {
 description = "These labels will be added the NCC hub"
From 27c1e6ac6348f342439e7f9432149a71d63d70a4 Mon Sep 17 00:00:00 2001
From: David Gleich
Date: Tue, 24 Sep 2024 12:51:30 +0000
Subject: [PATCH 5/8] Allowing the test SA to also create GCE instances
---
 test/setup/iam.tf | 1 + 1 file changed, 1 insertion(+)
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 779f2663..b9f270c6 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -16,6 +16,7 @@ locals {
 int_required_roles = [
+ "roles/compute.instanceAdmin",
 "roles/compute.networkAdmin",
 "roles/compute.securityAdmin",
 "roles/iam.serviceAccountUser",
From 2a7c753cd40c4cc74307346e71e9472917d0ae99 Mon Sep 17 00:00:00 2001
From: David Gleich
Date: Thu, 26 Sep 2024 14:24:35 +0000
Subject: [PATCH 6/8] Fix permadiff in output
---
 examples/network_connectivity_center/main.tf | 26 +------------------ .../network_connectivity_center/outputs.tf | 7 +---- 2 files changed, 2 insertions(+), 31 deletions(-)
diff --git a/examples/network_connectivity_center/main.tf b/examples/network_connectivity_center/main.tf
index 85d9380e..f6345c8f 100644
--- a/examples/network_connectivity_center/main.tf
+++ b/examples/network_connectivity_center/main.tf
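Review bot: The new `"roles/compute.instanceAdmin"` entry lands in the same `int_required_roles` list as the existing `"roles/iam.serviceAccountUser"` (visible three lines below it), and if these are bound at project level as the local's name suggests, that pair lets the test service account launch VMs that run as any service account in the test project — a wider privilege than the hub and spoke resources under test need, and one that outlives this PR. If the grant exists only so the example can create its fake router-appliance VM, record that next to it, e.g. `"roles/compute.instanceAdmin", # router appliance VMs in examples/network_connectivity_center`, so the next reviewer knows it is not required by the module itself. Worth confirming whether the example VMs could instead be given an explicit, minimally-scoped service account and `roles/iam.serviceAccountUser` bound on that account rather than on the project. The `locals` block starts outside the hunk.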
@@ -47,10 +47,7 @@ module "network_connectivity_center" {
 virtual_machine = google_compute_instance.router_appliance_1.id
 ip_address = google_compute_instance.router_appliance_1.network_interface[0].network_ip
 },
- {
- virtual_machine = google_compute_instance.router_appliance_2.id
- ip_address = google_compute_instance.router_appliance_2.network_interface[0].network_ip
- }
+
 ]
 location = var.instance_region
 site_to_site_data_transfer = false
@@ -248,24 +245,3 @@ resource "google_compute_instance" "router_appliance_1" {
 }
 }
 }
-
-resource "google_compute_instance" "router_appliance_2" {
- name = "fake-router-appliance-2"
- machine_type = "e2-medium"
- project = var.project_id
- can_ip_forward = true
- zone = random_shuffle.zone.result[0]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-11"
- }
- }
-
- network_interface {
- subnetwork = module.router_appliance_spoke_vpc.subnets["${var.instance_region}/router-appliance-subnet-01"].id
- access_config {
- network_tier = "PREMIUM"
- }
- }
-}
diff --git a/examples/network_connectivity_center/outputs.tf b/examples/network_connectivity_center/outputs.tf
index 668497cd..1ac306ba 100644
--- a/examples/network_connectivity_center/outputs.tf
+++ b/examples/network_connectivity_center/outputs.tf
@@ -21,12 +21,7 @@ output "project_id" {
 output "ncc_hub_name" {
 description = "Name of the NCC Hub (required for testing)"
- value = module.network_connectivity_center.ncc_hub.name
-}
-
-output "ncc_hub" {
- description = "The NCC Hub object"
- value = module.network_connectivity_center.ncc_hub
+ value = element(reverse(split("/", module.network_connectivity_center.ncc_hub.name)), 0)
 }
 output "vpc_spokes" {
From 6dd56261bf460bd736ae8f65d62713635bf0e20d Mon Sep 17 00:00:00 2001
From: David Gleich Date: Fri, 27 Sep 2024 09:43:32 +0000 Subject: [PATCH 7/8] Add include export ranges to ncc module --- modules/network-connectivity-center/README.md | 2 +- modules/network-connectivity-center/main.tf | 1 + modules/network-connectivity-center/variables.tf | 3 ++- modules/network-connectivity-center/versions.tf | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/network-connectivity-center/README.md b/modules/network-connectivity-center/README.md index b857a0cc..3b1e5b6b 100644 --- a/modules/network-connectivity-center/README.md +++ b/modules/network-connectivity-center/README.md @@ -30,7 +30,7 @@ An extensive example that also contains the creation and attachment of multiple | project\_id | Project ID of the project that holds the network. | `string` | n/a | yes | | router\_appliance\_spokes | Router appliance instances that are associated with the spoke. |
map(object({
instances = set(object({
virtual_machine = string
ip_address = string
}))
location = string
site_to_site_data_transfer = optional(bool, false)
description = optional(string)
labels = optional(map(string))
}))
| `{}` | no | | spoke\_labels | These labels will be added to all NCC spokes | `map(string)` | `{}` | no | -| vpc\_spokes | VPC network that is associated with the spoke |
map(object({
uri = string
exclude_export_ranges = optional(set(string))
description = optional(string)
labels = optional(map(string))
}))
| `{}` | no | +| vpc\_spokes | VPC network that is associated with the spoke |
map(object({
uri = string
exclude_export_ranges = optional(set(string), [])
include_export_ranges = optional(set(string), [])
description = optional(string)
labels = optional(map(string))
}))
| `{}` | no | ## Outputs
diff --git a/modules/network-connectivity-center/main.tf b/modules/network-connectivity-center/main.tf
index bbf8ff7f..8f68618e 100644
--- a/modules/network-connectivity-center/main.tf
+++ b/modules/network-connectivity-center/main.tf
@@ -50,6 +50,7 @@ resource "google_network_connectivity_spoke" "vpc_spoke" {
 linked_vpc_network {
 uri = each.value.uri
 exclude_export_ranges = each.value.exclude_export_ranges
+ include_export_ranges = each.value.include_export_ranges
 }
 }
diff --git a/modules/network-connectivity-center/variables.tf b/modules/network-connectivity-center/variables.tf
index 4ce08715..26612b3b 100644
--- a/modules/network-connectivity-center/variables.tf
+++ b/modules/network-connectivity-center/variables.tf
@@ -45,7 +45,8 @@ variable "vpc_spokes" {
 description = "VPC network that is associated with the spoke"
 type = map(object({
 uri = string
- exclude_export_ranges = optional(set(string))
+ exclude_export_ranges = optional(set(string), [])
+ include_export_ranges = optional(set(string), [])
 description = optional(string)
 labels = optional(map(string))
 }))
diff --git a/modules/network-connectivity-center/versions.tf b/modules/network-connectivity-center/versions.tf
index ab114a30..de82dd4a 100644
--- a/modules/network-connectivity-center/versions.tf
+++ b/modules/network-connectivity-center/versions.tf
@@ -20,7 +20,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.40.0, < 7"
+ version = ">= 6.2.0, < 7"
 }
 }
From 3e2a92fba410cf1a4656e9ff917eaaf355c02e7b Mon Sep 17 00:00:00 2001
From: David Gleich
Date: Sun, 29 Sep 2024 13:43:22 +0000
Subject: [PATCH 8/8] Add artificial dependency to overcome internal error until the underlying bug is fixed
---
 modules/network-connectivity-center/main.tf | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/modules/network-connectivity-center/main.tf b/modules/network-connectivity-center/main.tf
index 8f68618e..7dc0a7bc 100644
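Review bot: The new `include_export_ranges` and the widened `exclude_export_ranges` in `vpc_spokes` are passed straight through to the spoke with no validation, so a mistyped prefix only surfaces as an API error at apply time, after the hub and any earlier spokes have already been created; since these two sets decide which subnet routes a VPC spoke exports to every other spoke on the hub, a plan-time check is cheap insurance against advertising the wrong ranges. A `validation` block on the variable can at least reject entries in `exclude_export_ranges` that do not parse as a CIDR prefix (I have not applied the same check to `include_export_ranges` because the API may accept keyword values there — confirm before tightening it). The `description` should also say what the empty defaults mean, e.g. `exclude_export_ranges / include_export_ranges: subnet ranges withheld from / advertised to the hub; empty means no exclusion / all ranges`. The `variable "vpc_spokes"` block starts and ends outside the hunk.
```hcl
variable "vpc_spokes" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue(flatten([
      for k, v in var.vpc_spokes : [
        for r in v.exclude_export_ranges : can(cidrhost(r, 0))
      ]
    ]))
    error_message = "Every entry in exclude_export_ranges must be a valid CIDR prefix."
  }
```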
--- a/modules/network-connectivity-center/main.tf
+++ b/modules/network-connectivity-center/main.tf
@@ -78,6 +78,11 @@ resource "google_network_connectivity_spoke" "hybrid_spoke" {
 site_to_site_data_transfer = each.value.site_to_site_data_transfer
 }
 }
+
+ # TODO: gleichda remove once b/369823133 is fixed
+ depends_on = [
+ google_network_connectivity_spoke.vpc_spoke
+ ]
 }
 resource "google_network_connectivity_spoke" "router_appliance_spoke" {
@@ -101,4 +106,9 @@ resource "google_network_connectivity_spoke" "router_appliance_spoke" {
 site_to_site_data_transfer = each.value.site_to_site_data_transfer
 }
+
+ # TODO: gleichda remove once b/369823133 is fixed
+ depends_on = [
+ google_network_connectivity_spoke.hybrid_spoke
+ ]
 }
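Review bot: Both new `depends_on` blocks justify themselves only with `b/369823133`, an internal tracker that users of this public module cannot read, so nobody outside Google can tell what failure the workaround avoids or when it is safe to remove. Replace the TODO with the observable symptom and a public reference, e.g. `# Workaround: creating hybrid and router-appliance spokes concurrently with VPC spokes currently fails with an internal API error; serialize spoke creation until <public issue link> is resolved.` Note that `depends_on` on a `for_each` resource makes every hybrid spoke wait for every VPC spoke, and every router-appliance spoke wait for both, which also reverses the destroy order; a sentence on this in the module README would spare users a surprise when a large hub applies more slowly than expected. Both resource blocks start outside the hunk.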