2022-01-14 01:29:09 -08:00
# Minimal Project Factory
This module implements a minimal, opinionated project factory (see [Factories ](../README.md ) for rationale) that allows for the creation of projects.
While the module can be invoked by manually populating the required variables, its interface is meant for the massive creation of resources leveraging a set of well-defined YaML documents, as shown in the examples below.
The Project Factory is meant to be executed by a Service Account (or a regular user) having this minimal set of permissions over your resources:
* **Org level** - a custom role for networking operations including the following permissions
* `"compute.organizations.enableXpnResource"` ,
* `"compute.organizations.disableXpnResource"` ,
* `"compute.subnetworks.setIamPolicy"` ,
* `"dns.networks.bindPrivateDNSZone"`
* and role `"roles/orgpolicy.policyAdmin"`
* **on each folder** where projects will be created
2022-07-21 06:13:39 -07:00
* `"roles/logging.admin"`
* `"roles/owner"`
* `"roles/resourcemanager.folderAdmin"`
2022-01-14 01:29:09 -08:00
* `"roles/resourcemanager.projectCreator"`
* **on the host project** for the Shared VPC/s
2022-07-21 06:13:39 -07:00
* `"roles/browser"`
2022-01-14 01:29:09 -08:00
* `"roles/compute.viewer"`
2022-07-21 06:13:39 -07:00
* `"roles/dns.admin"`
2022-01-14 01:29:09 -08:00
## Example
### Directory structure
```
.
├── data
│ ├── defaults.yaml
│ └── projects
│ ├── project-example-one.yaml
│ ├── project-example-two.yaml
│ └── project-example-three.yaml
├── main.tf
└── terraform.tfvars
```
### Terraform code
```hcl
locals {
2022-09-14 05:34:30 -07:00
defaults = yamldecode(file(local._defaults_file))
2022-01-14 01:29:09 -08:00
projects = {
2022-09-14 05:34:30 -07:00
for f in fileset("${local._data_dir}", "**/*.yaml") :
trimsuffix(f, ".yaml") => yamldecode(file("${local._data_dir}/${f}"))
2022-01-14 01:29:09 -08:00
}
2022-09-14 05:34:30 -07:00
# these are usually set via variables
_base_dir = "./fabric/blueprints/factories/project-factory"
_data_dir = "${local._base_dir}/sample-data/projects/"
_defaults_file = "${local._base_dir}/sample-data/defaults.yaml"
2022-01-14 01:29:09 -08:00
}
module "projects" {
2022-09-14 05:34:30 -07:00
source = "./fabric/blueprints/factories/project-factory"
for_each = local.projects
defaults = local.defaults
project_id = each.key
billing_account_id = try(each.value.billing_account_id, null)
billing_alert = try(each.value.billing_alert, null)
dns_zones = try(each.value.dns_zones, [])
essential_contacts = try(each.value.essential_contacts, [])
folder_id = each.value.folder_id
group_iam = try(each.value.group_iam, {})
iam = try(each.value.iam, {})
kms_service_agents = try(each.value.kms, {})
labels = try(each.value.labels, {})
2022-10-28 08:27:33 -07:00
org_policies = try(each.value.org_policies, {})
2022-11-23 02:09:00 -08:00
prefix = each.value.prefix
2022-09-14 05:34:30 -07:00
service_accounts = try(each.value.service_accounts, {})
services = try(each.value.services, [])
service_identities_iam = try(each.value.service_identities_iam, {})
vpc = try(each.value.vpc, null)
2022-01-14 01:29:09 -08:00
}
2022-11-01 06:25:07 -07:00
# tftest modules=7 resources=29
2022-01-14 01:29:09 -08:00
```
### Projects configuration
```yaml
# ./data/defaults.yaml
# The following applies as overrideable defaults for all projects
# All attributes are required
billing_account_id: 012345-67890A-BCDEF0
billing_alert:
amount: 1000
thresholds:
current: [0.5, 0.8]
forecasted: [0.5, 0.8]
credit_treatment: INCLUDE_ALL_CREDITS
environment_dns_zone: prod.gcp.example.com
essential_contacts: []
labels:
environment: production
department: legal
application: my-legal-bot
notification_channels: []
shared_vpc_self_link: https://www.googleapis.com/compute/v1/projects/project-example-host-project/global/networks/vpc-one
vpc_host_project: project-example-host-project
```
```yaml
# ./data/projects/project-example-one.yaml
# One file per project - projects will be named after the filename
# [opt] Billing account id - overrides default if set
billing_account_id: 012345-67890A-BCDEF0
2022-11-23 02:09:00 -08:00
2022-01-14 01:29:09 -08:00
# [opt] Billing alerts config - overrides default if set
2022-11-23 02:09:00 -08:00
billing_alert:
2022-01-14 01:29:09 -08:00
amount: 10
thresholds:
current:
- 0.5
- 0.8
forecasted: []
2022-11-23 02:09:00 -08:00
# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
dns_zones:
2022-01-14 01:29:09 -08:00
- lorem
- ipsum
2022-11-23 02:09:00 -08:00
# [opt] Contacts for billing alerts and important notifications
essential_contacts:
2022-01-14 01:29:09 -08:00
- team-a-contacts@example.com
# Folder the project will be created as children of
folder_id: folders/012345678901
# [opt] Authoritative IAM bindings in group => [roles] format
2022-11-23 02:09:00 -08:00
group_iam:
2022-01-14 01:29:09 -08:00
test-team-foobar@fast-lab-0.gcp-pso-italy.net:
- roles/compute.admin
# [opt] Authoritative IAM bindings in role => [principals] format
# Generally used to grant roles to service accounts external to the project
2022-11-23 02:09:00 -08:00
iam:
2022-01-14 01:29:09 -08:00
roles/compute.admin:
- serviceAccount:service-account
2022-11-23 02:09:00 -08:00
# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
2022-01-14 01:29:09 -08:00
# in service => [keys] format
2022-11-23 02:09:00 -08:00
kms_service_agents:
2022-01-14 01:29:09 -08:00
compute: [key1, key2]
storage: [key1, key2]
# [opt] Labels for the project - merged with the ones defined in defaults
2022-11-23 02:09:00 -08:00
labels:
2022-01-14 01:29:09 -08:00
environment: prod
# [opt] Org policy overrides defined at project level
2022-10-28 08:27:33 -07:00
org_policies:
2022-11-23 02:09:00 -08:00
constraints/compute.disableGuestAttributesAccess:
2022-10-28 08:27:33 -07:00
enforce: true
constraints/compute.trustedImageProjects:
allow:
2022-01-14 01:29:09 -08:00
values:
2022-10-28 08:27:33 -07:00
- projects/fast-dev-iac-core-0
2022-10-28 08:34:34 -07:00
constraints/compute.vmExternalIpAccess:
deny:
all: true
2022-01-14 01:29:09 -08:00
# [opt] Service account to create for the project and their roles on the project
# in name => [roles] format
2022-11-23 02:09:00 -08:00
service_accounts:
2022-01-14 01:29:09 -08:00
another-service-account:
- roles/compute.admin
my-service-account:
- roles/compute.admin
2022-07-21 06:13:39 -07:00
# [opt] IAM bindings on the service account resources.
# in name => {role => [members]} format
service_accounts_iam:
another-service-account:
- roles/iam.serviceAccountTokenCreator:
- group: app-team-1@example.com
2022-11-23 02:09:00 -08:00
# [opt] APIs to enable on the project.
services:
2022-01-14 01:29:09 -08:00
- storage.googleapis.com
- stackdriver.googleapis.com
- compute.googleapis.com
# [opt] Roles to assign to the robots service accounts in robot => [roles] format
2022-11-23 02:09:00 -08:00
services_iam:
2022-01-14 01:29:09 -08:00
compute:
- roles/storage.objectViewer
2022-11-23 02:09:00 -08:00
# [opt] VPC setup.
# If set enables the `compute.googleapis.com` service and configures
2022-01-14 01:29:09 -08:00
# service project attachment
2022-11-23 02:09:00 -08:00
vpc:
2022-01-14 01:29:09 -08:00
# [opt] If set, enables the container API
2022-11-23 02:09:00 -08:00
gke_setup:
2022-01-14 01:29:09 -08:00
2022-11-23 02:09:00 -08:00
# Grants "roles/container.hostServiceAgentUser" to the container robot if set
2022-01-14 01:29:09 -08:00
enable_host_service_agent: false
2022-11-23 02:09:00 -08:00
# Grants "roles/compute.securityAdmin" to the container robot if set
2022-01-14 01:29:09 -08:00
enable_security_admin: true
2022-11-23 02:09:00 -08:00
# Host project the project will be service project of
2022-01-14 01:29:09 -08:00
host_project: fast-prod-net-spoke-0
# [opt] Subnets in the host project where principals will be granted networkUser
2022-11-23 02:09:00 -08:00
# in region/subnet-name => [principals]
subnets_iam:
2022-08-04 01:39:28 -07:00
europe-west1/prod-default-ew1:
2022-01-14 01:29:09 -08:00
- user:foobar@example.com
2022-07-21 06:13:39 -07:00
- serviceAccount:service-account1@my-project.iam.gserviceaccount.com
2022-01-14 01:29:09 -08:00
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
2022-01-22 04:34:35 -08:00
| [billing_account_id ](variables.tf#L17 ) | Billing account id. | < code > string</ code > | ✓ | |
2022-11-23 02:09:00 -08:00
| [prefix ](variables.tf#L151 ) | Prefix used for resource names. | < code > string</ code > | ✓ | |
| [project_id ](variables.tf#L160 ) | Project id. | < code > string</ code > | ✓ | |
2022-01-22 04:34:35 -08:00
| [billing_alert ](variables.tf#L22 ) | Billing alert configuration. | < code title = "object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })" > object({…}) </ code > | | < code > null</ code > |
2022-02-07 02:33:03 -08:00
| [defaults ](variables.tf#L35 ) | Project factory default values. | < code title = "object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })" > object({…}) </ code > | | < code > null</ code > |
| [dns_zones ](variables.tf#L57 ) | DNS private zones to create as child of var.defaults.environment_dns_zone. | < code > list( string) </ code > | | < code > [] </ code > |
| [essential_contacts ](variables.tf#L63 ) | Email contacts to be used for billing and GCP notifications. | < code > list( string) </ code > | | < code > [] </ code > |
2022-07-21 06:13:39 -07:00
| [folder_id ](variables.tf#L69 ) | Folder ID for the folder where the project will be created. | < code > string</ code > | | < code > null</ code > |
| [group_iam ](variables.tf#L75 ) | Custom IAM settings in group => [role] format. | < code > map( list( string)) </ code > | | < code > {} </ code > |
2022-10-31 10:24:25 -07:00
| [group_iam_additive ](variables.tf#L81 ) | Custom additive IAM settings in group => [role] format. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [iam ](variables.tf#L87 ) | Custom IAM settings in role => [principal] format. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [iam_additive ](variables.tf#L93 ) | Custom additive IAM settings in role => [principal] format. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [kms_service_agents ](variables.tf#L99 ) | KMS IAM configuration in as service => [key]. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [labels ](variables.tf#L105 ) | Labels to be assigned at project level. | < code > map( string) </ code > | | < code > {} </ code > |
| [org_policies ](variables.tf#L111 ) | Org-policy overrides at project level. | < code title = "map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))" > map( object({…})) </ code > | | < code > {} </ code > |
2022-11-23 02:09:00 -08:00
| [service_accounts ](variables.tf#L165 ) | Service accounts to be created, and roles assigned them on the project. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [service_accounts_additive ](variables.tf#L171 ) | Service accounts to be created, and roles assigned them on the project additively. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [service_accounts_iam ](variables.tf#L177 ) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]} | < code > map( map( list( string))) </ code > | | < code > {} </ code > |
| [service_accounts_iam_additive ](variables.tf#L184 ) | IAM additive bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]} | < code > map( map( list( string))) </ code > | | < code > {} </ code > |
| [service_identities_iam ](variables.tf#L191 ) | Custom IAM settings for service identities in service => [role] format. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [service_identities_iam_additive ](variables.tf#L198 ) | Custom additive IAM settings for service identities in service => [role] format. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [services ](variables.tf#L205 ) | Services to be enabled for the project. | < code > list( string) </ code > | | < code > [] </ code > |
| [vpc ](variables.tf#L212 ) | VPC configuration for the project. | < code title = "object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })" > object({…}) </ code > | | < code > null</ code > |
2022-01-14 01:29:09 -08:00
## Outputs
| name | description | sensitive |
|---|---|:---:|
2022-02-07 02:33:03 -08:00
| [project ](outputs.tf#L19 ) | The project resource as return by the `project` module | |
2022-02-09 02:06:51 -08:00
| [project_id ](outputs.tf#L29 ) | Project ID. | |
2022-01-14 01:29:09 -08:00
<!-- END TFDOC -->
