diff --git a/CHANGELOG.md b/CHANGELOG.md index 7fceea9c..03c801f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,14 @@ All notable changes to this project will be documented in this file. ## [Unreleased] + - new 'Cloud Storage to Bigquery with Cloud Dataflow' end to end data solution -- new 'Cloud Endpoints' module + +## [2.2.0] - 2020-06-29 + +- make project creation optional in `project` module to allow managing a pre-existing project +- new `cloud-endpoints` module +- new `cloud-function` module ## [2.1.0] - 2020-06-22 @@ -106,7 +112,8 @@ All notable changes to this project will be documented in this file. - merge development branch with suite of new modules and end-to-end examples -[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.1.0...HEAD +[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.2.0...HEAD +[2.2.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.1.0...v2.2.0 [2.1.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.0.0...v2.1.0 [2.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.9.0...v2.0.0 [1.9.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.8.1...v1.9.0 diff --git a/README.md b/README.md index 9a83c632..8ca9bca1 100644 --- a/README.md +++ b/README.md 
@@ -37,7 +37,8 @@ Currently available modules: - **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN static](./modules/net-vpn-static), [VPN dynamic](./modules/net-vpn-dynamic), [VPN HA](./modules/net-vpn-ha), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns), [L4 ILB](./modules/net-ilb), [Service Directory](./modules/service-directory), [Cloud Endpoints](./modules/cloudenpoints) - **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [COS container](./modules/cos-container) (coredns, mysql, onprem, squid) - **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery-dataset), [Pub/Sub](./modules/pubsub), [Datafusion](./modules/datafusion), [Bigtable instance](./modules/bigtable-instance) -- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager) - **development** - [Cloud Source Repository](./modules/source-repository), [Container Registry](./modules/container-registry), [Artifact Registry](./modules/artifact-registry) +- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager) +- **serverless** - [Cloud Functions](./cloud-functions) For more information and usage examples see each module's README file. diff --git a/infrastructure/onprem-google-access-dns/README.md b/infrastructure/onprem-google-access-dns/README.md index 2820c8f5..9f646104 100644 --- a/infrastructure/onprem-google-access-dns/README.md +++ b/infrastructure/onprem-google-access-dns/README.md 
@@ -153,16 +153,16 @@ The VPN used to connect to the on-premises environment does not account for HA, | project_id | Project id for all resources. | string | ✓ | | | *bgp_asn* | BGP ASNs. | map(number) | | ... | | *bgp_interface_ranges* | BGP interface IP CIDR ranges. | map(string) | | ... | +| *dns_forwarder_address* | Address of the DNS server used to forward queries from on-premises. | string | | 10.0.0.2 | +| *forwarder_address* | GCP DNS inbound policy forwarder address. | string | | 10.0.0.2 | | *ip_ranges* | IP CIDR ranges. | map(string) | | ... | | *region* | VPC region. | string | | europe-west1 | -| *resolver_address* | GCP DNS resolver address for the inbound policy. | string | | 10.0.0.2 | | *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | list(string) | | ["0.0.0.0/0"] | ## Outputs | name | description | sensitive | |---|---|:---:| -| foo | None | | | onprem-instance | Onprem instance details. | | | test-instance | Test instance details. | | diff --git a/infrastructure/onprem-google-access-dns/versions.tf b/infrastructure/onprem-google-access-dns/versions.tf index de5425c2..057095c0 100644 --- a/infrastructure/onprem-google-access-dns/versions.tf +++ b/infrastructure/onprem-google-access-dns/versions.tf @@ -13,5 +13,5 @@ # limitations under the License. terraform { - required_version = ">= 0.12" + required_version = ">= 0.12.6" } diff --git a/modules/README.md b/modules/README.md index d94f6dc0..4c73872a 100644 --- a/modules/README.md +++ b/modules/README.md @@ -58,3 +58,7 @@ Specific modules also offer support for non-authoritative bindings (e.g. `google - [Cloud KMS](./kms) - [Secret Manager](./secret-manager) + +## Serverless + +- [Cloud Functions](./cloud-function) diff --git a/modules/cloud-config-container/coredns/README.md b/modules/cloud-config-container/coredns/README.md index 5f8d5719..82ba51d8 100644 --- a/modules/cloud-config-container/coredns/README.md 
+++ b/modules/cloud-config-container/coredns/README.md @@ -24,7 +24,7 @@ This example will create a `cloud-config` that uses the module's defaults, creat ```hcl module "cos-coredns" { - source = "./modules/cos-container/coredns" + source = "./modules/cloud-config-container/coredns" } # use it as metadata in a compute instance or template @@ -40,8 +40,8 @@ This example will create a `cloud-config` using a custom CoreDNS configuration, ```hcl module "cos-coredns" { - source = "./modules/cos-container/coredns" - coredns_config = "./modules/cos-container/coredns/Corefile-hosts" + source = "./modules/cloud-config-container/coredns" + coredns_config = "./modules/cloud-config-container/coredns/Corefile-hosts" files = { "/etc/coredns/example.hosts" = { content = "127.0.0.2 foo.example.org foo" @@ -57,7 +57,7 @@ This example shows how to create the single instance optionally managed by the m ```hcl module "cos-coredns" { - source = "./modules/cos-container/coredns" + source = "./modules/cloud-config-container/coredns" test_instance = { project_id = "my-project" zone = "europe-west1-b" diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md new file mode 100644 index 00000000..fb386a0c --- /dev/null +++ b/modules/cloud-function/README.md 
@@ -0,0 +1,162 @@ +# Cloud Function Module + +Cloud Function management, with support for IAM roles and optional bucket creation. + +The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating. + +## TODO + +- [ ] add support for `ingress_settings` +- [ ] add support for `vpc_connector` and `vpc_connector_egress_settings` +- [ ] add support for `source_repository` + +## Examples + +### HTTP trigger + +This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project. + +```hcl +module "cf-http" { + source = "../modules/net-cloudnat" + project_id = "my-project" + name = "test-cf-http" + bucket_name = "test-cf-bundles" + bundle_config = { + source_dir = "my-cf-source-folder + output_path = "bundle.zip" + } +} +``` + +### Non-HTTP triggers + +Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger. + +```hcl +module "cf-http" { + source = "../modules/net-cloudnat" + project_id = "my-project" + name = "test-cf-http" + bucket_name = "test-cf-bundles" + bundle_config = { + source_dir = "my-cf-source-folder + output_path = "bundle.zip" + } + trigger_config = { + event = "google.pubsub.topic.publish" + resource = local.my-topic + retry = null + } +} +``` + +### Controlling HTTP access + +To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access. 
+ +```hcl +module "cf-http" { + source = "../modules/net-cloudnat" + project_id = "my-project" + name = "test-cf-http" + bucket_name = "test-cf-bundles" + bundle_config = { + source_dir = "my-cf-source-folder + output_path = "bundle.zip" + } + iam_roles = ["roles/cloudfunctions.invoker"] + iam_members = { + "roles/cloudfunctions.invoker" = ["allUsers"] + } +} +``` + +### GCS bucket creation + +You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS. + +```hcl +module "cf-http" { + source = "../modules/net-cloudnat" + project_id = "my-project" + name = "test-cf-http" + bucket_name = "test-cf-bundles" + bucket_config = { + location = null + lifecycle_delete_age = 1 + } + bundle_config = { + source_dir = "my-cf-source-folder + output_path = "bundle.zip" + } +} +``` + +### Service account management + +To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default). + +```hcl +module "cf-http" { + source = "../modules/net-cloudnat" + project_id = "my-project" + name = "test-cf-http" + bucket_name = "test-cf-bundles" + bundle_config = { + source_dir = "my-cf-source-folder + output_path = "bundle.zip" + } + service_account_create = true +} +``` + +To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default). 
+ +```hcl +module "cf-http" { + source = "../modules/net-cloudnat" + project_id = "my-project" + name = "test-cf-http" + bucket_name = "test-cf-bundles" + bundle_config = { + source_dir = "my-cf-source-folder + output_path = "bundle.zip" + } + service_account = local.service_account_email +} +``` + + +## Variables + +| name | description | type | required | default | +|---|---|:---: |:---:|:---:| +| bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | string | ✓ | | +| bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | object({...}) | ✓ | | +| name | Name used for cloud function and associated resources. | string | ✓ | | +| project_id | Project id used for all resources. | string | ✓ | | +| *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | object({...}) | | null | +| *environment_variables* | Cloud function environment variables. | map(string) | | {} | +| *function_config* | Cloud function configuration. | object({...}) | | ... | +| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | map(list(string)) | | {} | +| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | list(string) | | [] | +| *labels* | Resource labels | map(string) | | {} | +| *prefix* | Optional prefix used for resource names. | string | | null | +| *region* | Region used for all resources. | string | | us-central1 | +| *service_account* | Service account email. Unused if service account is auto-created. | string | | null | +| *service_account_create* | Auto-create service account. | bool | | false | +| *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. 
| object({...}) | | null | + +## Outputs + +| name | description | sensitive | +|---|---|:---:| +| bucket | Bucket resource (only if auto-created). | | +| bucket_name | Bucket name. | | +| function | Cloud function resources. | | +| function_name | Cloud function name. | | +| service_account | Service account resource. | | +| service_account_email | Service account email. | | +| service_account_iam_email | Service account email. | | + diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf new file mode 100644 index 00000000..a668a8bc --- /dev/null +++ b/modules/cloud-function/main.tf 
@@ -0,0 +1,122 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ bucket = (
+ var.bucket_name != null
+ ? var.bucket_name
+ : (
+ length(google_storage_bucket.bucket) > 0
+ ? google_storage_bucket.bucket[0].name
+ : null
+ )
+ )
+ prefix = var.prefix == null ? "" : "${var.prefix}-"
+ service_account_email = (
+ var.service_account_create
+ ? (
+ length(google_service_account.service_account) > 0
+ ? google_service_account.service_account[0].email
+ : null
+ )
+ : var.service_account
+ )
+}
+
+resource "google_cloudfunctions_function" "function" {
+ project = var.project_id
+ region = var.region
+ name = "${local.prefix}${var.name}"
+ description = "Terraform managed."
+ runtime = var.function_config.runtime
+ available_memory_mb = var.function_config.memory
+ max_instances = var.function_config.instances
+ timeout = var.function_config.timeout
+ entry_point = var.function_config.entry_point
+ environment_variables = var.environment_variables
+ service_account_email = local.service_account_email
+ source_archive_bucket = local.bucket
+ source_archive_object = google_storage_bucket_object.bundle.name
+ labels = var.labels
+ trigger_http = var.trigger_config == null ? true : null
+
+ dynamic event_trigger {
+ for_each = var.trigger_config == null ? [] : [""]
+ content {
+ event_type = var.trigger_config.event
+ resource = var.trigger_config.resource
+ dynamic failure_policy {
+ for_each = var.trigger_config.retry == null ? [] : [""]
+ content {
+ retry = var.trigger_config.retry
+ }
+ }
+ }
+ }
+
+}
+
+resource "google_cloudfunctions_function_iam_binding" "default" {
+ for_each = toset(var.iam_roles)
+ project = var.project_id
+ region = var.region
+ cloud_function = google_cloudfunctions_function.function.name
+ role = each.value
+ members = try(var.iam_members[each.value], {})
+}
+
+resource "google_storage_bucket" "bucket" {
+ count = var.bucket_config == null ? 0 : 1
+ project = var.project_id
+ name = "${local.prefix}${var.bucket_name}"
+ location = (
+ var.bucket_config.location == null
+ ? var.region
+ : var.bucket_config.location
+ )
+ labels = var.labels
+
+ dynamic lifecycle_rule {
+ for_each = var.bucket_config.lifecycle_delete_age == null ? [] : [""]
+ content {
+ action { type = "Delete" }
+ condition { age = var.bucket_config.lifecycle_delete_age }
+ }
+ }
+}
+
+resource "google_storage_bucket_object" "bundle" {
+ name = "bundle-${data.archive_file.bundle.output_md5}.zip"
+ bucket = local.bucket
+ source = data.archive_file.bundle.output_path
+}
+
+data "archive_file" "bundle" {
+ type = "zip"
+ source_dir = var.bundle_config.source_dir
+ output_path = (
+ var.bundle_config.output_path == null
+ ? "/tmp/bundle.zip"
+ : var.bundle_config.output_path
+ )
+}
+
+resource "google_service_account" "service_account" {
+ count = var.service_account_create ? 1 : 0
+ project = var.project_id
+ account_id = "tf-cf-${var.name}"
+ display_name = "Terraform Cloud Function ${var.name}."
+}
diff --git a/modules/cloud-function/outputs.tf b/modules/cloud-function/outputs.tf
new file mode 100644
index 00000000..43e0eda7
--- /dev/null
+++ b/modules/cloud-function/outputs.tf
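Review bot: `local.bucket` resolves to the unprefixed `var.bucket_name` whenever the caller sets it (the variable has no default, so the `!= null` branch is the normal path), yet when `bucket_config` is set the bucket is created as `"${local.prefix}${var.bucket_name}"`; with a prefix the function and the bundle object therefore target a bucket that does not exist, and even without one the object carries no dependency on `google_storage_bucket.bucket` and can be created before it. Deriving the name from the resource whenever it is created fixes both: `bucket = var.bucket_config == null ? var.bucket_name : google_storage_bucket.bucket[0].name`. In `google_cloudfunctions_function_iam_binding.default`, `try(var.iam_members[each.value], {})` falls back to a map where `members` expects a list; `lookup(var.iam_members, each.value, [])`, the form `modules/project/main.tf` uses in this same diff, is the consistent one. The default `output_path` of `/tmp/bundle.zip` is a fixed name in a shared, world-writable directory, so concurrent runs or several module instances on one host overwrite each other's archive and the file that is uploaded and deployed comes from a location any local user can write to; a default relative to `path.module` or `path.root` keeps the bundle inside the working tree.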
@@ -0,0 +1,55 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket" {
+ description = "Bucket resource (only if auto-created)."
+ value = var.bucket_config == null ? null : google_storage_bucket.bucket.0
+}
+
+output "bucket_name" {
+ description = "Bucket name."
+ value = local.bucket
+}
+
+output "function" {
+ description = "Cloud function resources."
+ value = google_cloudfunctions_function.function
+}
+
+output "function_name" {
+ description = "Cloud function name."
+ value = google_cloudfunctions_function.function.name
+}
+
+output "service_account" {
+ description = "Service account resource."
+ value = (
+ var.service_account_create ? google_service_account.service_account[0] : null
+ )
+}
+
+output "service_account_email" {
+ description = "Service account email."
+ value = local.service_account_email
+}
+
+output "service_account_iam_email" {
+ description = "Service account email."
+ value = join("", [
+ "serviceAccount:",
+ local.service_account_email == null ? "" : local.service_account_email
+ ])
+}
diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf
new file mode 100644
index 00000000..83c8c048
--- /dev/null
+++ b/modules/cloud-function/variables.tf
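Review bot: `service_account_iam_email` evaluates to the malformed member string `serviceAccount:` when neither `service_account_create` nor `service_account` is set, which is the module's default, so a caller that feeds it into an IAM binding gets a provider error instead of a clear null. Returning null in that case is the safer contract: `value = local.service_account_email == null ? null : "serviceAccount:${local.service_account_email}"`. Its description is a copy of `service_account_email`'s; `"Service account email in IAM member format (serviceAccount:...)."` distinguishes the two, and the README table in this commit carries the same duplicated text. The `bucket` output uses the legacy `.0` index while `service_account` two outputs below uses `[0]`; one form should be used throughout.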
@@ -0,0 +1,123 @@ +/** + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "bucket_config" { + description = "Enable and configure auto-created bucket. Set fields to null to use defaults." + type = object({ + location = string + lifecycle_delete_age = number + }) + default = null +} + +variable "bucket_name" { + description = "Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null." + type = string +} + +variable "bundle_config" { + description = "Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null." + type = object({ + source_dir = string + output_path = string + }) +} + +variable "environment_variables" { + description = "Cloud function environment variables." + type = map(string) + default = {} +} + +variable "iam_members" { + description = "Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use." + type = map(list(string)) + default = {} +} + +variable "iam_roles" { + description = "List of roles used to set authoritative bindings. Ignored for template use." + type = list(string) + default = [] +} + +variable "function_config" { + description = "Cloud function configuration." 
+ type = object({ + entry_point = string + instances = number + memory = number + runtime = string + timeout = number + }) + default = { + entry_point = "main" + instances = 1 + memory = 256 + runtime = "python37" + timeout = 180 + } +} + +variable "labels" { + description = "Resource labels" + type = map(string) + default = {} +} + +variable "name" { + description = "Name used for cloud function and associated resources." + type = string +} + +variable "prefix" { + description = "Optional prefix used for resource names." + type = string + default = null +} + +variable "project_id" { + description = "Project id used for all resources." + type = string +} + +variable "region" { + description = "Region used for all resources." + type = string + default = "europe-west1" +} + +variable "service_account" { + description = "Service account email. Unused if service account is auto-created." + type = string + default = null +} + +variable "service_account_create" { + description = "Auto-create service account." + type = bool + default = false +} + +variable "trigger_config" { + description = "Function trigger configuration. Leave null for HTTP trigger." + type = object({ + event = string + resource = string + retry = bool + }) + default = null +} diff --git a/modules/cloud-function/versions.tf b/modules/cloud-function/versions.tf new file mode 100644 index 00000000..bc4c2a9d --- /dev/null +++ b/modules/cloud-function/versions.tf 
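Review bot: `region` defaults to `europe-west1` here while the module README's variables table added in this same commit lists `us-central1`; one of the two is stale and the table should be regenerated from the code. `trigger_config.retry` is typed `bool`, and main.tf emits a `failure_policy` block whenever it is non-null, so `retry = false` still renders `failure_policy { retry = false }`; adding `"Set retry to null to omit the failure policy block."` to the description makes that explicit. `environment_variables` values are stored in plaintext in Terraform state and in the function configuration, so the description could steer callers away from placing secrets there, pointing at the repository's `secret-manager` module instead.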
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.12.6"
+}
diff --git a/modules/dns/versions.tf b/modules/dns/versions.tf
index 09324d5d..50c4c4e5 100644
--- a/modules/dns/versions.tf
+++ b/modules/dns/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">= 0.12.20"
 required_providers {
 google = "~> 3.10"
- google-beta = "~> 3.10"
+ google-beta = "~> 3.20"
 }
 }
diff --git a/modules/project/README.md b/modules/project/README.md
index 9ab49796..cd640673 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
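Review bot: the new module's `versions.tf` constrains only `required_version` and declares no `required_providers`, whereas `modules/dns/versions.tf` in this same diff pins `google = "~> 3.10"` and `google-beta = "~> 3.20"`. main.tf uses `google_*` resources and the `archive_file` data source, so without constraints every `terraform init` resolves whatever latest provider release exists, and a breaking major version or a bad release is picked up silently. Pinning both here, `required_providers { google = "~> 3.20" archive = "~> <archive-version-placeholder>" }`, keeps resolution reproducible and consistent with the other modules.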
@@ -58,9 +58,8 @@ module "project" { | name | description | type | required | default | |---|---|:---: |:---:|:---:| | name | Project name and id suffix. | string | ✓ | | -| parent | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | string | ✓ | | | *auto_create_network* | Whether to create the default network for the project | bool | | false | -| *billing_account* | Billing account id. | string | | | +| *billing_account* | Billing account id. | string | | null | | *custom_roles* | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} | | *iam_additive_members* | Map of member lists used to set non authoritative bindings, keyed by role. | map(list(string)) | | {} | | *iam_additive_roles* | List of roles used to set non authoritative bindings. | list(string) | | [] | 
@@ -71,9 +70,12 @@ module "project" { | *oslogin* | Enable OS Login. | bool | | false | | *oslogin_admins* | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | list(string) | | [] | | *oslogin_users* | List of IAM-style identities that will be granted roles necessary for OS Login users. | list(string) | | [] | +| *parent* | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string | | null | | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) | | {} | | *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) | | {} | | *prefix* | Prefix used to generate project id and name. | string | | null | +| *project_create* | Create project. When set to false, uses a data source to reference existing project. | bool | | true | +| *service_config* | Configure service API activation. | object({...}) | | ... | | *services* | Service APIs to enable. | list(string) | | [] | ## Outputs @@ -81,7 +83,7 @@ module "project" { | name | description | sensitive | |---|---|:---:| | custom_roles | Ids of the created custom roles. | | -| name | Project ame. | | +| name | Project name. | | | number | Project number. | | | project_id | Project id. | | | service_accounts | Product robot service accounts in project. | | diff --git a/modules/project/main.tf b/modules/project/main.tf index 5ccee12e..637aa8de 100644 --- a/modules/project/main.tf +++ b/modules/project/main.tf 
@@ -25,12 +25,21 @@ locals {
 for pair in local.iam_additive_pairs :
 "${pair.role}-${pair.member}" => pair
 }
- parent_type = split("/", var.parent)[0]
- parent_id = split("/", var.parent)[1]
+ parent_type = var.parent == null ? null : split("/", var.parent)[0]
+ parent_id = var.parent == null ? null : split("/", var.parent)[1]
 prefix = var.prefix == null ? "" : "${var.prefix}-"
+ project = (
+ var.project_create ? google_project.project.0 : data.google_project.project.0
+ )
+}
+
+data "google_project" "project" {
+ count = var.project_create ? 0 : 1
+ project_id = "${local.prefix}${var.name}"
 }
 
 resource "google_project" "project" {
+ count = var.project_create ? 1 : 0
 org_id = local.parent_type == "organizations" ? local.parent_id : null
 folder_id = local.parent_type == "folders" ? local.parent_id : null
 project_id = "${local.prefix}${var.name}"
@@ -42,7 +51,7 @@ resource "google_project" "project" {
 
 resource "google_project_iam_custom_role" "roles" {
 for_each = var.custom_roles
- project = google_project.project.project_id
+ project = local.project.project_id
 role_id = each.key
 title = "Custom role ${each.key}"
 description = "Terraform-managed"
@@ -51,7 +60,7 @@ resource "google_project_iam_custom_role" "roles" {
 
 resource "google_compute_project_metadata_item" "oslogin_meta" {
 count = var.oslogin ? 1 : 0
- project = google_project.project.project_id
+ project = local.project.project_id
 key = "enable-oslogin"
 value = "TRUE"
 # depend on services or it will fail on destroy
@@ -60,7 +69,7 @@ resource "google_compute_project_metadata_item" "oslogin_meta" {
 
 resource "google_resource_manager_lien" "lien" {
 count = var.lien_reason != "" ? 1 : 0
- parent = "projects/${google_project.project.number}"
+ parent = "projects/${local.project.number}"
 restrictions = ["resourcemanager.projects.delete"]
 origin = "created-by-terraform"
 reason = var.lien_reason
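Review bot: with `project_create = true` and the now-optional `parent` left null, `local.parent_type` and `local.parent_id` are both null, so `org_id` and `folder_id` on `google_project.project` are both null and a project is requested with no parent at all; the resource body continues outside the hunk. Whether that fails at the API or succeeds depends on the caller's identity, and when it succeeds the project sits outside every folder and organization policy, a governance gap the module does not surface. Stating the intent in the `parent` description (variables.tf hunk later in this diff), e.g. `"Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. Required when project_create is true unless a project without a parent is intended."`, would make the null case a deliberate choice; `test_no_parent` in test_plan.py currently pins it as valid.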
@@ -68,10 +77,10 @@ resource "google_resource_manager_lien" "lien" {
 
 resource "google_project_service" "project_services" {
 for_each = toset(var.services)
- project = google_project.project.project_id
+ project = local.project.project_id
 service = each.value
- disable_on_destroy = true
- disable_dependent_services = true
+ disable_on_destroy = var.service_config.disable_on_destroy
+ disable_dependent_services = var.service_config.disable_dependent_services
 }
 
 # IAM notes:
@@ -81,7 +90,7 @@ resource "google_project_service" "project_services" {
 
 resource "google_project_iam_binding" "authoritative" {
 for_each = toset(var.iam_roles)
- project = google_project.project.project_id
+ project = local.project.project_id
 role = each.value
 members = lookup(var.iam_members, each.value, [])
 depends_on = [
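Review bot: `disable_on_destroy` and `disable_dependent_services` now come from `var.service_config`, whose defaults stay `true` (variables.tf hunk `@@ -119` later in this diff), and combined with the new `project_create = false` mode a `terraform destroy` of this module disables the listed APIs, plus anything depending on them, on a pre-existing project the module does not own. The variable description should say so, e.g. `"Configure service API activation. With the defaults, destroying the module disables the listed services and their dependents, also on pre-existing projects when project_create is false."`, and the README section on using an existing project should steer callers to `false` for both fields.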
@@ -92,42 +101,46 @@ resource "google_project_iam_binding" "authoritative" {
 
 resource "google_project_iam_member" "additive" {
 for_each = length(var.iam_additive_roles) > 0 ? local.iam_additive : {}
- project = google_project.project.project_id
+ project = local.project.project_id
 role = each.value.role
 member = each.value.member
+ depends_on = [
+ google_project_service.project_services,
+ google_project_iam_custom_role.roles
+ ]
 }
 
 resource "google_project_iam_member" "oslogin_iam_serviceaccountuser" {
 for_each = var.oslogin ? toset(distinct(concat(var.oslogin_admins, var.oslogin_users))) : toset([])
- project = google_project.project.project_id
+ project = local.project.project_id
 role = "roles/iam.serviceAccountUser"
 member = each.value
 }
 
 resource "google_project_iam_member" "oslogin_compute_viewer" {
 for_each = var.oslogin ? toset(distinct(concat(var.oslogin_admins, var.oslogin_users))) : toset([])
- project = google_project.project.project_id
+ project = local.project.project_id
 role = "roles/compute.viewer"
 member = each.value
 }
 
 resource "google_project_iam_member" "oslogin_admins" {
 for_each = var.oslogin ? toset(var.oslogin_admins) : toset([])
- project = google_project.project.project_id
+ project = local.project.project_id
 role = "roles/compute.osAdminLogin"
 member = each.value
 }
 
 resource "google_project_iam_member" "oslogin_users" {
 for_each = var.oslogin ? toset(var.oslogin_users) : toset([])
- project = google_project.project.project_id
+ project = local.project.project_id
 role = "roles/compute.osLogin"
 member = each.value
 }
 
 resource "google_project_organization_policy" "boolean" {
 for_each = var.policy_boolean
- project = google_project.project.project_id
+ project = local.project.project_id
 constraint = each.key
 
 dynamic boolean_policy {
@@ -148,7 +161,7 @@ resource "google_project_organization_policy" "boolean" {
 
 resource "google_project_organization_policy" "list" {
 for_each = var.policy_list
- project = google_project.project.project_id
+ project = local.project.project_id
 constraint = each.key
 
 dynamic list_policy {
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index 67c9af68..1250f846 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -16,7 +16,7 @@
 
 output "project_id" {
 description = "Project id."
- value = google_project.project.project_id
+ value = local.project.project_id
 depends_on = [
 google_project_organization_policy.boolean,
 google_project_organization_policy.list,
@@ -25,8 +25,8 @@ output "project_id" {
 }
 
 output "name" {
- description = "Project ame."
- value = google_project.project.name
+ description = "Project name."
+ value = local.project.name
 depends_on = [
 google_project_organization_policy.boolean,
 google_project_organization_policy.list,
@@ -36,7 +36,7 @@ output "name" {
 
 output "number" {
 description = "Project number."
- value = google_project.project.number
+ value = local.project.number
 depends_on = [
 google_project_organization_policy.boolean,
 google_project_organization_policy.list,
@@ -56,5 +56,8 @@ output "service_accounts" {
 
 output "custom_roles" {
 description = "Ids of the created custom roles."
- value = [for role in google_project_iam_custom_role.roles : role.role_id]
+ value = {
+ for name, role in google_project_iam_custom_role.roles :
+ name => role.id
+ }
 }
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index 64d5566e..d4a1be83 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
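Review bot: the `custom_roles` output changes shape from a list of `role_id` values to a map of name to full `id`, which breaks any root module indexing the old list, yet its description stays `"Ids of the created custom roles."` and the 2.2.0 CHANGELOG entry at the top of this diff does not mention the change. Update the description to `"Map of custom role names to their full resource ids."` and add a changelog line flagging the breaking output change so consumers see it at upgrade time.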
@@ -15,12 +15,12 @@
 */
 
 locals {
- service_account_cloud_services = "${google_project.project.number}@cloudservices.gserviceaccount.com"
+ service_account_cloud_services = "${local.project.number}@cloudservices.gserviceaccount.com"
 service_accounts_default = {
 # TODO: Find a better place to store BQ service account
 bq = "bq-${google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
- compute = "${google_project.project.number}-compute@developer.gserviceaccount.com"
- gae = "${google_project.project.project_id}@appspot.gserviceaccount.com"
+ compute = "${local.project.number}-compute@developer.gserviceaccount.com"
+ gae = "${local.project.project_id}@appspot.gserviceaccount.com"
 }
 service_accounts_robot_services = {
 cloudasset = "gcp-sa-cloudasset"
@@ -37,6 +37,6 @@ locals {
 }
 service_accounts_robots = {
 for service, name in local.service_accounts_robot_services :
- service => "service-${google_project.project.number}@${name}.iam.gserviceaccount.com"
+ service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
 }
 }
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index fc6e12ab..6676b76a 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -23,7 +23,7 @@ variable "auto_create_network" {
 variable "billing_account" {
 description = "Billing account id."
 type = string
- default = ""
+ default = null
 }
 
 variable "custom_roles" {
@@ -92,8 +92,9 @@ variable "oslogin_users" {
 }
 
 variable "parent" {
- description = "The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id."
+ description = "Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format."
 type = string
+ default = null
 }
 
 variable "policy_boolean" {
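Review bot: the context line `bq = "bq-${google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"` still references `google_project.project.number` while every line around it moves to `local.project.number`; now that `google_project.project` carries `count`, that reference is an unindexed list, and when `project_create = false` the resource has no instance at all, so the plan fails in exactly the mode this commit introduces. Change it to `bq = "bq-${local.project.number}@bigquery-encryption.iam.gserviceaccount.com"`; the locals block continues outside the hunk, so any other stray `google_project.project.*` reference there needs the same treatment.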
@@ -119,8 +120,26 @@ variable "prefix" {
 default = null
 }
 
+variable "project_create" {
+ description = "Create project. When set to false, uses a data source to reference existing project."
+ type = bool
+ default = true
+}
+
 variable "services" {
 description = "Service APIs to enable."
 type = list(string)
 default = []
 }
+
+variable "service_config" {
+ description = "Configure service API activation."
+ type = object({
+ disable_on_destroy = bool
+ disable_dependent_services = bool
+ })
+ default = {
+ disable_on_destroy = true
+ disable_dependent_services = true
+ }
+}
diff --git a/tests/modules/project/fixture/variables.tf b/tests/modules/project/fixture/variables.tf
index 3c467da1..4b859c92 100644
--- a/tests/modules/project/fixture/variables.tf
+++ b/tests/modules/project/fixture/variables.tf
@@ -71,7 +71,7 @@ variable "oslogin_users" {
 
 variable "parent" {
 type = string
- default = "folders/12345678"
+ default = null
 }
 
 variable "policy_boolean" {
diff --git a/tests/modules/project/test_plan.py b/tests/modules/project/test_plan.py
index 4c5aba82..a526c1a5 100644
--- a/tests/modules/project/test_plan.py
+++ b/tests/modules/project/test_plan.py
@@ -32,7 +32,7 @@ def test_prefix(plan_runner):
 
 def test_parent(plan_runner):
 "Test project parent."
- _, resources = plan_runner(FIXTURES_DIR)
+ _, resources = plan_runner(FIXTURES_DIR, parent='folders/12345678')
 assert len(resources) == 1
 assert resources[0]['values']['folder_id'] == '12345678'
 assert resources[0]['values'].get('org_id') == None
@@ -40,3 +40,11 @@ def test_parent(plan_runner):
 assert len(resources) == 1
 assert resources[0]['values']['org_id'] == '12345678'
 assert resources[0]['values'].get('folder_id') == None
+
+
+def test_no_parent(plan_runner):
+ "Test null project parent."
+ _, resources = plan_runner(FIXTURES_DIR)
+ assert len(resources) == 1
+ assert resources[0]['values'].get('folder_id') == None
+ assert resources[0]['values'].get('org_id') == None
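Review bot: `test_no_parent` compares with `== None` on its last two assertions; `is None` is the idiom (PEP 8, flake8 E711), so `assert resources[0]['values'].get('folder_id') is None` and the matching `org_id` line, and the same comparison sits in the context lines of `test_parent` just above. The new `project_create = false` path, where `data.google_project.project` and the `local.project` indirection are actually exercised, has no test in this commit; a case passing `project_create=False` through `plan_runner` and asserting the planned resource set is what the data-source mode yields would pin it, hedged because the fixture's variables are only partly visible here.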