diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7fceea9c..03c801f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,8 +3,14 @@
All notable changes to this project will be documented in this file.
## [Unreleased]
+
- new 'Cloud Storage to Bigquery with Cloud Dataflow' end to end data solution
-- new 'Cloud Endpoints' module
+
+## [2.2.0] - 2020-06-29
+
+- make project creation optional in `project` module to allow managing a pre-existing project
+- new `cloud-endpoints` module
+- new `cloud-function` module
## [2.1.0] - 2020-06-22
@@ -106,7 +112,8 @@ All notable changes to this project will be documented in this file.
- merge development branch with suite of new modules and end-to-end examples
-[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.1.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.2.0...HEAD
+[2.2.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.1.0...v2.2.0
[2.1.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.0.0...v2.1.0
[2.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.9.0...v2.0.0
[1.9.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.8.1...v1.9.0
diff --git a/README.md b/README.md
index 9a83c632..8ca9bca1 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,8 @@ Currently available modules:
- **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN static](./modules/net-vpn-static), [VPN dynamic](./modules/net-vpn-dynamic), [VPN HA](./modules/net-vpn-ha), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns), [L4 ILB](./modules/net-ilb), [Service Directory](./modules/service-directory), [Cloud Endpoints](./modules/cloudenpoints)
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [COS container](./modules/cos-container) (coredns, mysql, onprem, squid)
- **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery-dataset), [Pub/Sub](./modules/pubsub), [Datafusion](./modules/datafusion), [Bigtable instance](./modules/bigtable-instance)
-- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager)
- **development** - [Cloud Source Repository](./modules/source-repository), [Container Registry](./modules/container-registry), [Artifact Registry](./modules/artifact-registry)
+- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager)
+- **serverless** - [Cloud Functions](./cloud-functions)
For more information and usage examples see each module's README file.
diff --git a/infrastructure/onprem-google-access-dns/README.md b/infrastructure/onprem-google-access-dns/README.md
index 2820c8f5..9f646104 100644
--- a/infrastructure/onprem-google-access-dns/README.md
+++ b/infrastructure/onprem-google-access-dns/README.md
@@ -153,16 +153,16 @@ The VPN used to connect to the on-premises environment does not account for HA,
| project_id | Project id for all resources. | string
| ✓ | |
| *bgp_asn* | BGP ASNs. | map(number)
| | ...
|
| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | map(string)
| | ...
|
+| *dns_forwarder_address* | Address of the DNS server used to forward queries from on-premises. | string
| | 10.0.0.2
|
+| *forwarder_address* | GCP DNS inbound policy forwarder address. | string
| | 10.0.0.2
|
| *ip_ranges* | IP CIDR ranges. | map(string)
| | ...
|
| *region* | VPC region. | string
| | europe-west1
|
-| *resolver_address* | GCP DNS resolver address for the inbound policy. | string
| | 10.0.0.2
|
| *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | list(string)
| | ["0.0.0.0/0"]
|
## Outputs
| name | description | sensitive |
|---|---|:---:|
-| foo | None | |
| onprem-instance | Onprem instance details. | |
| test-instance | Test instance details. | |
diff --git a/infrastructure/onprem-google-access-dns/versions.tf b/infrastructure/onprem-google-access-dns/versions.tf
index de5425c2..057095c0 100644
--- a/infrastructure/onprem-google-access-dns/versions.tf
+++ b/infrastructure/onprem-google-access-dns/versions.tf
@@ -13,5 +13,5 @@
# limitations under the License.
terraform {
- required_version = ">= 0.12"
+ required_version = ">= 0.12.6"
}
diff --git a/modules/README.md b/modules/README.md
index d94f6dc0..4c73872a 100644
--- a/modules/README.md
+++ b/modules/README.md
@@ -58,3 +58,7 @@ Specific modules also offer support for non-authoritative bindings (e.g. `google
- [Cloud KMS](./kms)
- [Secret Manager](./secret-manager)
+
+## Serverless
+
+- [Cloud Functions](./cloud-function)
diff --git a/modules/cloud-config-container/coredns/README.md b/modules/cloud-config-container/coredns/README.md
index 5f8d5719..82ba51d8 100644
--- a/modules/cloud-config-container/coredns/README.md
+++ b/modules/cloud-config-container/coredns/README.md
@@ -24,7 +24,7 @@ This example will create a `cloud-config` that uses the module's defaults, creat
```hcl
module "cos-coredns" {
- source = "./modules/cos-container/coredns"
+ source = "./modules/cloud-config-container/coredns"
}
# use it as metadata in a compute instance or template
@@ -40,8 +40,8 @@ This example will create a `cloud-config` using a custom CoreDNS configuration,
```hcl
module "cos-coredns" {
- source = "./modules/cos-container/coredns"
- coredns_config = "./modules/cos-container/coredns/Corefile-hosts"
+ source = "./modules/cloud-config-container/coredns"
+ coredns_config = "./modules/cloud-config-container/coredns/Corefile-hosts"
files = {
"/etc/coredns/example.hosts" = {
content = "127.0.0.2 foo.example.org foo"
@@ -57,7 +57,7 @@ This example shows how to create the single instance optionally managed by the m
```hcl
module "cos-coredns" {
- source = "./modules/cos-container/coredns"
+ source = "./modules/cloud-config-container/coredns"
test_instance = {
project_id = "my-project"
zone = "europe-west1-b"
diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md
new file mode 100644
index 00000000..fb386a0c
--- /dev/null
+++ b/modules/cloud-function/README.md
@@ -0,0 +1,162 @@
+# Cloud Function Module
+
+Cloud Function management, with support for IAM roles and optional bucket creation.
+
+The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
+
+## TODO
+
+- [ ] add support for `ingress_settings`
+- [ ] add support for `vpc_connector` and `vpc_connector_egress_settings`
+- [ ] add support for `source_repository`
+
+## Examples
+
+### HTTP trigger
+
+This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project.
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+}
+```
+
+### Non-HTTP triggers
+
+Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger.
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+ trigger_config = {
+ event = "google.pubsub.topic.publish"
+ resource = local.my-topic
+ retry = null
+ }
+}
+```
+
+### Controlling HTTP access
+
+To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access.
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+ iam_roles = ["roles/cloudfunctions.invoker"]
+ iam_members = {
+ "roles/cloudfunctions.invoker" = ["allUsers"]
+ }
+}
+```
+
+### GCS bucket creation
+
+You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS.
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bucket_config = {
+ location = null
+ lifecycle_delete_age = 1
+ }
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+}
+```
+
+### Service account management
+
+To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default).
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+ service_account_create = true
+}
+```
+
+To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default).
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+ service_account = local.service_account_email
+}
+```
+
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---: |:---:|:---:|
+| bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | string
| ✓ | |
+| bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | object({...})
| ✓ | |
+| name | Name used for cloud function and associated resources. | string
| ✓ | |
+| project_id | Project id used for all resources. | string
| ✓ | |
+| *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | object({...})
| | null
|
+| *environment_variables* | Cloud function environment variables. | map(string)
| | {}
|
+| *function_config* | Cloud function configuration. | object({...})
| | ...
|
+| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | map(list(string))
| | {}
|
+| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | list(string)
| | []
|
+| *labels* | Resource labels | map(string)
| | {}
|
+| *prefix* | Optional prefix used for resource names. | string
| | null
|
+| *region* | Region used for all resources. | string
| | us-central1
|
+| *service_account* | Service account email. Unused if service account is auto-created. | string
| | null
|
+| *service_account_create* | Auto-create service account. | bool
| | false
|
+| *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. | object({...})
| | null
|
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| bucket | Bucket resource (only if auto-created). | |
+| bucket_name | Bucket name. | |
+| function | Cloud function resources. | |
+| function_name | Cloud function name. | |
+| service_account | Service account resource. | |
+| service_account_email | Service account email. | |
+| service_account_iam_email | Service account email. | |
+
diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf
new file mode 100644
index 00000000..a668a8bc
--- /dev/null
+++ b/modules/cloud-function/main.tf
@@ -0,0 +1,122 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ bucket = (
+ var.bucket_name != null
+ ? var.bucket_name
+ : (
+ length(google_storage_bucket.bucket) > 0
+ ? google_storage_bucket.bucket[0].name
+ : null
+ )
+ )
+ prefix = var.prefix == null ? "" : "${var.prefix}-"
+ service_account_email = (
+ var.service_account_create
+ ? (
+ length(google_service_account.service_account) > 0
+ ? google_service_account.service_account[0].email
+ : null
+ )
+ : var.service_account
+ )
+}
+
+resource "google_cloudfunctions_function" "function" {
+ project = var.project_id
+ region = var.region
+ name = "${local.prefix}${var.name}"
+ description = "Terraform managed."
+ runtime = var.function_config.runtime
+ available_memory_mb = var.function_config.memory
+ max_instances = var.function_config.instances
+ timeout = var.function_config.timeout
+ entry_point = var.function_config.entry_point
+ environment_variables = var.environment_variables
+ service_account_email = local.service_account_email
+ source_archive_bucket = local.bucket
+ source_archive_object = google_storage_bucket_object.bundle.name
+ labels = var.labels
+ trigger_http = var.trigger_config == null ? true : null
+
+ dynamic event_trigger {
+ for_each = var.trigger_config == null ? [] : [""]
+ content {
+ event_type = var.trigger_config.event
+ resource = var.trigger_config.resource
+ dynamic failure_policy {
+ for_each = var.trigger_config.retry == null ? [] : [""]
+ content {
+ retry = var.trigger_config.retry
+ }
+ }
+ }
+ }
+
+}
+
+resource "google_cloudfunctions_function_iam_binding" "default" {
+ for_each = toset(var.iam_roles)
+ project = var.project_id
+ region = var.region
+ cloud_function = google_cloudfunctions_function.function.name
+ role = each.value
+ members = try(var.iam_members[each.value], {})
+}
+
+resource "google_storage_bucket" "bucket" {
+ count = var.bucket_config == null ? 0 : 1
+ project = var.project_id
+ name = "${local.prefix}${var.bucket_name}"
+ location = (
+ var.bucket_config.location == null
+ ? var.region
+ : var.bucket_config.location
+ )
+ labels = var.labels
+
+ dynamic lifecycle_rule {
+ for_each = var.bucket_config.lifecycle_delete_age == null ? [] : [""]
+ content {
+ action { type = "Delete" }
+ condition { age = var.bucket_config.lifecycle_delete_age }
+ }
+ }
+}
+
+resource "google_storage_bucket_object" "bundle" {
+ name = "bundle-${data.archive_file.bundle.output_md5}.zip"
+ bucket = local.bucket
+ source = data.archive_file.bundle.output_path
+}
+
+data "archive_file" "bundle" {
+ type = "zip"
+ source_dir = var.bundle_config.source_dir
+ output_path = (
+ var.bundle_config.output_path == null
+ ? "/tmp/bundle.zip"
+ : var.bundle_config.output_path
+ )
+}
+
+resource "google_service_account" "service_account" {
+ count = var.service_account_create ? 1 : 0
+ project = var.project_id
+ account_id = "tf-cf-${var.name}"
+ display_name = "Terraform Cloud Function ${var.name}."
+}
diff --git a/modules/cloud-function/outputs.tf b/modules/cloud-function/outputs.tf
new file mode 100644
index 00000000..43e0eda7
--- /dev/null
+++ b/modules/cloud-function/outputs.tf
@@ -0,0 +1,55 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket" {
+ description = "Bucket resource (only if auto-created)."
+ value = var.bucket_config == null ? null : google_storage_bucket.bucket.0
+}
+
+output "bucket_name" {
+ description = "Bucket name."
+ value = local.bucket
+}
+
+output "function" {
+ description = "Cloud function resources."
+ value = google_cloudfunctions_function.function
+}
+
+output "function_name" {
+ description = "Cloud function name."
+ value = google_cloudfunctions_function.function.name
+}
+
+output "service_account" {
+ description = "Service account resource."
+ value = (
+ var.service_account_create ? google_service_account.service_account[0] : null
+ )
+}
+
+output "service_account_email" {
+ description = "Service account email."
+ value = local.service_account_email
+}
+
+output "service_account_iam_email" {
+ description = "Service account email."
+ value = join("", [
+ "serviceAccount:",
+ local.service_account_email == null ? "" : local.service_account_email
+ ])
+}
diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf
new file mode 100644
index 00000000..83c8c048
--- /dev/null
+++ b/modules/cloud-function/variables.tf
@@ -0,0 +1,123 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "bucket_config" {
+ description = "Enable and configure auto-created bucket. Set fields to null to use defaults."
+ type = object({
+ location = string
+ lifecycle_delete_age = number
+ })
+ default = null
+}
+
+variable "bucket_name" {
+ description = "Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null."
+ type = string
+}
+
+variable "bundle_config" {
+ description = "Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null."
+ type = object({
+ source_dir = string
+ output_path = string
+ })
+}
+
+variable "environment_variables" {
+ description = "Cloud function environment variables."
+ type = map(string)
+ default = {}
+}
+
+variable "iam_members" {
+ description = "Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use."
+ type = map(list(string))
+ default = {}
+}
+
+variable "iam_roles" {
+ description = "List of roles used to set authoritative bindings. Ignored for template use."
+ type = list(string)
+ default = []
+}
+
+variable "function_config" {
+ description = "Cloud function configuration."
+ type = object({
+ entry_point = string
+ instances = number
+ memory = number
+ runtime = string
+ timeout = number
+ })
+ default = {
+ entry_point = "main"
+ instances = 1
+ memory = 256
+ runtime = "python37"
+ timeout = 180
+ }
+}
+
+variable "labels" {
+ description = "Resource labels"
+ type = map(string)
+ default = {}
+}
+
+variable "name" {
+ description = "Name used for cloud function and associated resources."
+ type = string
+}
+
+variable "prefix" {
+ description = "Optional prefix used for resource names."
+ type = string
+ default = null
+}
+
+variable "project_id" {
+ description = "Project id used for all resources."
+ type = string
+}
+
+variable "region" {
+ description = "Region used for all resources."
+ type = string
+ default = "europe-west1"
+}
+
+variable "service_account" {
+ description = "Service account email. Unused if service account is auto-created."
+ type = string
+ default = null
+}
+
+variable "service_account_create" {
+ description = "Auto-create service account."
+ type = bool
+ default = false
+}
+
+variable "trigger_config" {
+ description = "Function trigger configuration. Leave null for HTTP trigger."
+ type = object({
+ event = string
+ resource = string
+ retry = bool
+ })
+ default = null
+}
diff --git a/modules/cloud-function/versions.tf b/modules/cloud-function/versions.tf
new file mode 100644
index 00000000..bc4c2a9d
--- /dev/null
+++ b/modules/cloud-function/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.12.6"
+}
diff --git a/modules/dns/versions.tf b/modules/dns/versions.tf
index 09324d5d..50c4c4e5 100644
--- a/modules/dns/versions.tf
+++ b/modules/dns/versions.tf
@@ -18,6 +18,6 @@ terraform {
required_version = ">= 0.12.20"
required_providers {
google = "~> 3.10"
- google-beta = "~> 3.10"
+ google-beta = "~> 3.20"
}
}
diff --git a/modules/project/README.md b/modules/project/README.md
index 9ab49796..cd640673 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -58,9 +58,8 @@ module "project" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| name | Project name and id suffix. | string
| ✓ | |
-| parent | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | string
| ✓ | |
| *auto_create_network* | Whether to create the default network for the project | bool
| | false
|
-| *billing_account* | Billing account id. | string
| |
|
+| *billing_account* | Billing account id. | string
| | null
|
| *custom_roles* | Map of role name => list of permissions to create in this project. | map(list(string))
| | {}
|
| *iam_additive_members* | Map of member lists used to set non authoritative bindings, keyed by role. | map(list(string))
| | {}
|
| *iam_additive_roles* | List of roles used to set non authoritative bindings. | list(string)
| | []
|
@@ -71,9 +70,12 @@ module "project" {
| *oslogin* | Enable OS Login. | bool
| | false
|
| *oslogin_admins* | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | list(string)
| | []
|
| *oslogin_users* | List of IAM-style identities that will be granted roles necessary for OS Login users. | list(string)
| | []
|
+| *parent* | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string
| | null
|
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool)
| | {}
|
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...}))
| | {}
|
| *prefix* | Prefix used to generate project id and name. | string
| | null
|
+| *project_create* | Create project. When set to false, uses a data source to reference existing project. | bool
| | true
|
+| *service_config* | Configure service API activation. | object({...})
| | ...
|
| *services* | Service APIs to enable. | list(string)
| | []
|
## Outputs
@@ -81,7 +83,7 @@ module "project" {
| name | description | sensitive |
|---|---|:---:|
| custom_roles | Ids of the created custom roles. | |
-| name | Project ame. | |
+| name | Project name. | |
| number | Project number. | |
| project_id | Project id. | |
| service_accounts | Product robot service accounts in project. | |
diff --git a/modules/project/main.tf b/modules/project/main.tf
index 5ccee12e..637aa8de 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -25,12 +25,21 @@ locals {
for pair in local.iam_additive_pairs :
"${pair.role}-${pair.member}" => pair
}
- parent_type = split("/", var.parent)[0]
- parent_id = split("/", var.parent)[1]
+ parent_type = var.parent == null ? null : split("/", var.parent)[0]
+ parent_id = var.parent == null ? null : split("/", var.parent)[1]
prefix = var.prefix == null ? "" : "${var.prefix}-"
+ project = (
+ var.project_create ? google_project.project.0 : data.google_project.project.0
+ )
+}
+
+data "google_project" "project" {
+ count = var.project_create ? 0 : 1
+ project_id = "${local.prefix}${var.name}"
}
resource "google_project" "project" {
+ count = var.project_create ? 1 : 0
org_id = local.parent_type == "organizations" ? local.parent_id : null
folder_id = local.parent_type == "folders" ? local.parent_id : null
project_id = "${local.prefix}${var.name}"
@@ -42,7 +51,7 @@ resource "google_project" "project" {
resource "google_project_iam_custom_role" "roles" {
for_each = var.custom_roles
- project = google_project.project.project_id
+ project = local.project.project_id
role_id = each.key
title = "Custom role ${each.key}"
description = "Terraform-managed"
@@ -51,7 +60,7 @@ resource "google_project_iam_custom_role" "roles" {
resource "google_compute_project_metadata_item" "oslogin_meta" {
count = var.oslogin ? 1 : 0
- project = google_project.project.project_id
+ project = local.project.project_id
key = "enable-oslogin"
value = "TRUE"
# depend on services or it will fail on destroy
@@ -60,7 +69,7 @@ resource "google_compute_project_metadata_item" "oslogin_meta" {
resource "google_resource_manager_lien" "lien" {
count = var.lien_reason != "" ? 1 : 0
- parent = "projects/${google_project.project.number}"
+ parent = "projects/${local.project.number}"
restrictions = ["resourcemanager.projects.delete"]
origin = "created-by-terraform"
reason = var.lien_reason
@@ -68,10 +77,10 @@ resource "google_resource_manager_lien" "lien" {
resource "google_project_service" "project_services" {
for_each = toset(var.services)
- project = google_project.project.project_id
+ project = local.project.project_id
service = each.value
- disable_on_destroy = true
- disable_dependent_services = true
+ disable_on_destroy = var.service_config.disable_on_destroy
+ disable_dependent_services = var.service_config.disable_dependent_services
}
# IAM notes:
@@ -81,7 +90,7 @@ resource "google_project_service" "project_services" {
resource "google_project_iam_binding" "authoritative" {
for_each = toset(var.iam_roles)
- project = google_project.project.project_id
+ project = local.project.project_id
role = each.value
members = lookup(var.iam_members, each.value, [])
depends_on = [
@@ -92,42 +101,46 @@ resource "google_project_iam_binding" "authoritative" {
resource "google_project_iam_member" "additive" {
for_each = length(var.iam_additive_roles) > 0 ? local.iam_additive : {}
- project = google_project.project.project_id
+ project = local.project.project_id
role = each.value.role
member = each.value.member
+ depends_on = [
+ google_project_service.project_services,
+ google_project_iam_custom_role.roles
+ ]
}
resource "google_project_iam_member" "oslogin_iam_serviceaccountuser" {
for_each = var.oslogin ? toset(distinct(concat(var.oslogin_admins, var.oslogin_users))) : toset([])
- project = google_project.project.project_id
+ project = local.project.project_id
role = "roles/iam.serviceAccountUser"
member = each.value
}
resource "google_project_iam_member" "oslogin_compute_viewer" {
for_each = var.oslogin ? toset(distinct(concat(var.oslogin_admins, var.oslogin_users))) : toset([])
- project = google_project.project.project_id
+ project = local.project.project_id
role = "roles/compute.viewer"
member = each.value
}
resource "google_project_iam_member" "oslogin_admins" {
for_each = var.oslogin ? toset(var.oslogin_admins) : toset([])
- project = google_project.project.project_id
+ project = local.project.project_id
role = "roles/compute.osAdminLogin"
member = each.value
}
resource "google_project_iam_member" "oslogin_users" {
for_each = var.oslogin ? toset(var.oslogin_users) : toset([])
- project = google_project.project.project_id
+ project = local.project.project_id
role = "roles/compute.osLogin"
member = each.value
}
resource "google_project_organization_policy" "boolean" {
for_each = var.policy_boolean
- project = google_project.project.project_id
+ project = local.project.project_id
constraint = each.key
dynamic boolean_policy {
@@ -148,7 +161,7 @@ resource "google_project_organization_policy" "boolean" {
resource "google_project_organization_policy" "list" {
for_each = var.policy_list
- project = google_project.project.project_id
+ project = local.project.project_id
constraint = each.key
dynamic list_policy {
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index 67c9af68..1250f846 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -16,7 +16,7 @@
output "project_id" {
description = "Project id."
- value = google_project.project.project_id
+ value = local.project.project_id
depends_on = [
google_project_organization_policy.boolean,
google_project_organization_policy.list,
@@ -25,8 +25,8 @@ output "project_id" {
}
output "name" {
- description = "Project ame."
- value = google_project.project.name
+ description = "Project name."
+ value = local.project.name
depends_on = [
google_project_organization_policy.boolean,
google_project_organization_policy.list,
@@ -36,7 +36,7 @@ output "name" {
output "number" {
description = "Project number."
- value = google_project.project.number
+ value = local.project.number
depends_on = [
google_project_organization_policy.boolean,
google_project_organization_policy.list,
@@ -56,5 +56,8 @@ output "service_accounts" {
output "custom_roles" {
description = "Ids of the created custom roles."
- value = [for role in google_project_iam_custom_role.roles : role.role_id]
+ value = {
+ for name, role in google_project_iam_custom_role.roles :
+ name => role.id
+ }
}
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index 64d5566e..d4a1be83 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
@@ -15,12 +15,12 @@
*/
locals {
- service_account_cloud_services = "${google_project.project.number}@cloudservices.gserviceaccount.com"
+ service_account_cloud_services = "${local.project.number}@cloudservices.gserviceaccount.com"
service_accounts_default = {
# TODO: Find a better place to store BQ service account
bq = "bq-${google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
- compute = "${google_project.project.number}-compute@developer.gserviceaccount.com"
- gae = "${google_project.project.project_id}@appspot.gserviceaccount.com"
+ compute = "${local.project.number}-compute@developer.gserviceaccount.com"
+ gae = "${local.project.project_id}@appspot.gserviceaccount.com"
}
service_accounts_robot_services = {
cloudasset = "gcp-sa-cloudasset"
@@ -37,6 +37,6 @@ locals {
}
service_accounts_robots = {
for service, name in local.service_accounts_robot_services :
- service => "service-${google_project.project.number}@${name}.iam.gserviceaccount.com"
+ service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
}
}
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index fc6e12ab..6676b76a 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -23,7 +23,7 @@ variable "auto_create_network" {
variable "billing_account" {
description = "Billing account id."
type = string
- default = ""
+ default = null
}
variable "custom_roles" {
@@ -92,8 +92,9 @@ variable "oslogin_users" {
}
variable "parent" {
- description = "The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id."
+ description = "Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format."
type = string
+ default = null
}
variable "policy_boolean" {
@@ -119,8 +120,26 @@ variable "prefix" {
default = null
}
+variable "project_create" {
+ description = "Create project. When set to false, uses a data source to reference existing project."
+ type = bool
+ default = true
+}
+
variable "services" {
description = "Service APIs to enable."
type = list(string)
default = []
}
+
+variable "service_config" {
+ description = "Configure service API activation."
+ type = object({
+ disable_on_destroy = bool
+ disable_dependent_services = bool
+ })
+ default = {
+ disable_on_destroy = true
+ disable_dependent_services = true
+ }
+}
diff --git a/tests/modules/project/fixture/variables.tf b/tests/modules/project/fixture/variables.tf
index 3c467da1..4b859c92 100644
--- a/tests/modules/project/fixture/variables.tf
+++ b/tests/modules/project/fixture/variables.tf
@@ -71,7 +71,7 @@ variable "oslogin_users" {
variable "parent" {
type = string
- default = "folders/12345678"
+ default = null
}
variable "policy_boolean" {
diff --git a/tests/modules/project/test_plan.py b/tests/modules/project/test_plan.py
index 4c5aba82..a526c1a5 100644
--- a/tests/modules/project/test_plan.py
+++ b/tests/modules/project/test_plan.py
@@ -32,7 +32,7 @@ def test_prefix(plan_runner):
def test_parent(plan_runner):
"Test project parent."
- _, resources = plan_runner(FIXTURES_DIR)
+ _, resources = plan_runner(FIXTURES_DIR, parent='folders/12345678')
assert len(resources) == 1
assert resources[0]['values']['folder_id'] == '12345678'
assert resources[0]['values'].get('org_id') == None
@@ -40,3 +40,11 @@ def test_parent(plan_runner):
assert len(resources) == 1
assert resources[0]['values']['org_id'] == '12345678'
assert resources[0]['values'].get('folder_id') == None
+
+
+def test_no_parent(plan_runner):
+ "Test null project parent."
+ _, resources = plan_runner(FIXTURES_DIR)
+ assert len(resources) == 1
+ assert resources[0]['values'].get('folder_id') == None
+ assert resources[0]['values'].get('org_id') == None