This module implements a minimal, opinionated project factory (see [Factories](../README.md) for rationale) that allows for the creation of projects.
While the module can be invoked by manually populating the required variables, its interface is meant for the bulk creation of resources driven by a set of well-defined YAML documents, as shown in the examples below.
The Project Factory is meant to be executed by a Service Account (or a regular user) having this minimal set of permissions over your resources:
* **Org level** - a custom role for networking operations including the following permissions
  * `"compute.organizations.enableXpnResource"`,
  * `"compute.organizations.disableXpnResource"`,
  * `"compute.subnetworks.setIamPolicy"`,
  * `"dns.networks.bindPrivateDNSZone"`
  * and role `"roles/orgpolicy.policyAdmin"`
* **on each folder** where projects will be created
  * `"roles/logging.admin"`
  * `"roles/owner"`
  * `"roles/resourcemanager.folderAdmin"`
  * `"roles/resourcemanager.projectCreator"`
* **on the host project** for the Shared VPC/s
  * `"roles/browser"`
  * `"roles/compute.viewer"`
  * `"roles/dns.admin"`
## Example
### Directory structure
```
.
├── data
│   ├── defaults.yaml
│   └── projects
│       ├── project-example-one.yaml
│       ├── project-example-two.yaml
│       └── project-example-three.yaml
├── main.tf
└── terraform.tfvars
```
### Terraform code
```tfvars
# ./terraform.tfvars
data_dir = "data/projects/"
defaults_file = "data/defaults.yaml"
```
```hcl
# ./main.tf
locals {
  defaults = yamldecode(file(var.defaults_file))
  # The key/value expression and closing braces below are assumed in order to
  # complete the block: project name taken from the file name => decoded YAML.
  projects = {
    for f in fileset("${var.data_dir}", "**/*.yaml") :
    trimsuffix(f, ".yaml") => yamldecode(file("${var.data_dir}${f}"))
  }
}
```
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [dns_zones](variables.tf#L57) | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list(string)</code> | | <code>[]</code> |
| [essential_contacts](variables.tf#L63) | Email contacts to be used for billing and GCP notifications. | <code>list(string)</code> | | <code>[]</code> |
| [group_iam](variables.tf#L74) | Custom IAM settings in group => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
| [iam](variables.tf#L80) | Custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
| [kms_service_agents](variables.tf#L86) | KMS IAM configuration in service => [key] format. | <code>map(list(string))</code> | | <code>{}</code> |
| [labels](variables.tf#L92) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
| [service_accounts](variables.tf#L123) | Service accounts to be created, and roles to assign them. | <code>map(list(string))</code> | | <code>{}</code> |
| [service_identities_iam](variables.tf#L136) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
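A preflight check to run over the decoded project documents before `terraform plan`, as an added example that is not part of the module: it flags keys the factory does not accept (using the variable names from the table above) and IAM grants from YAML that bind privileged roles or public principals. The sample documents, the `SAMPLE_PROJECTS` map and the set of privileged roles are constructed assumptions.

```python
"""Preflight check for project-factory YAML inputs (added example, not module code).
Assumes each document decodes to a dict keyed by the module variables listed in the
table above; extend KNOWN_KEYS with the full set from variables.tf."""
from typing import Any, Dict, List

KNOWN_KEYS = {"dns_zones", "essential_contacts", "group_iam", "iam",
              "kms_service_agents", "labels", "service_accounts",
              "service_identities_iam"}
# Roles broad enough that a grant coming from a YAML file should be reviewed (assumed set).
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def check_project(name: str, doc: Dict[str, Any]) -> List[str]:
    """Return findings for one decoded project document (empty list means clean)."""
    findings = [f"{name}: unknown key '{k}' (terraform plan would reject it)"
                for k in doc if k not in KNOWN_KEYS]
    # iam is role => [principal]
    for role, principals in (doc.get("iam") or {}).items():
        if role in PRIVILEGED_ROLES:
            findings.append(f"{name}: privileged {role} granted to {principals}")
        for p in principals:
            if p in PUBLIC_PRINCIPALS:
                findings.append(f"{name}: public principal {p} bound to {role}")
    # group_iam and service_accounts are principal => [role]
    for key, label in (("group_iam", "group"), ("service_accounts", "service account")):
        for principal, roles in (doc.get(key) or {}).items():
            for role in sorted(set(roles) & PRIVILEGED_ROLES):
                findings.append(f"{name}: privileged {role} granted to {label} {principal}")
    return findings

def check_all(projects: Dict[str, Dict[str, Any]]) -> List[str]:
    """Run check_project over a name => document map, as local.projects holds it."""
    return [f for n, d in sorted(projects.items()) for f in check_project(n, d)]

# Constructed sample, shaped like data/projects/*.yaml after yamldecode.
SAMPLE_PROJECTS = {
    "project-example-one": {
        "labels": {"environment": "dev"},
        "iam": {"roles/viewer": ["group:devs@example.com"]},
        "service_accounts": {"app": ["roles/logging.logWriter"]},
    },
    "project-example-two": {
        "iam": {"roles/owner": ["allAuthenticatedUsers"]},
        "group_iam": {"group:ops@example.com": ["roles/editor"]},
        "billing_acount": "ABCDEF",  # misspelled key, would only surface at plan time
    },
}

if __name__ == "__main__":
    print("\n".join(check_all(SAMPLE_PROJECTS)) or "no findings")
```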