Merge branch 'master' into gcs-to-bq
commit
22f3451573
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -3,8 +3,14 @@
|
|||
All notable changes to this project will be documented in this file.
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
- new 'Cloud Storage to Bigquery with Cloud Dataflow' end to end data solution
|
||||
- new 'Cloud Endpoints' module
|
||||
|
||||
## [2.2.0] - 2020-06-29
|
||||
|
||||
- make project creation optional in `project` module to allow managing a pre-existing project
|
||||
- new `cloud-endpoints` module
|
||||
- new `cloud-function` module
|
||||
|
||||
## [2.1.0] - 2020-06-22
|
||||
|
||||
|
@ -106,7 +112,8 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
- merge development branch with suite of new modules and end-to-end examples
|
||||
|
||||
[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.1.0...HEAD
|
||||
[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.2.0...HEAD
|
||||
[2.2.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.1.0...v2.2.0
|
||||
[2.1.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v2.0.0...v2.1.0
|
||||
[2.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.9.0...v2.0.0
|
||||
[1.9.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v1.8.1...v1.9.0
|
||||
|
|
|
@ -37,7 +37,8 @@ Currently available modules:
|
|||
- **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN static](./modules/net-vpn-static), [VPN dynamic](./modules/net-vpn-dynamic), [VPN HA](./modules/net-vpn-ha), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns), [L4 ILB](./modules/net-ilb), [Service Directory](./modules/service-directory), [Cloud Endpoints](./modules/cloudenpoints)
|
||||
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [COS container](./modules/cos-container) (coredns, mysql, onprem, squid)
|
||||
- **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery-dataset), [Pub/Sub](./modules/pubsub), [Datafusion](./modules/datafusion), [Bigtable instance](./modules/bigtable-instance)
|
||||
- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager)
|
||||
- **development** - [Cloud Source Repository](./modules/source-repository), [Container Registry](./modules/container-registry), [Artifact Registry](./modules/artifact-registry)
|
||||
- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager)
|
||||
- **serverless** - [Cloud Functions](./cloud-functions)
|
||||
|
||||
For more information and usage examples see each module's README file.
|
||||
|
|
|
@ -153,16 +153,16 @@ The VPN used to connect to the on-premises environment does not account for HA,
|
|||
| project_id | Project id for all resources. | <code title="">string</code> | ✓ | |
|
||||
| *bgp_asn* | BGP ASNs. | <code title="map(number)">map(number)</code> | | <code title="{ gcp = 64513 onprem = 64514 }">...</code> |
|
||||
| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp = "169.254.1.0/30" }">...</code> |
|
||||
| *dns_forwarder_address* | Address of the DNS server used to forward queries from on-premises. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
|
||||
| *forwarder_address* | GCP DNS inbound policy forwarder address. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
|
||||
| *ip_ranges* | IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp = "10.0.0.0/24" onprem = "10.0.16.0/24" }">...</code> |
|
||||
| *region* | VPC region. | <code title="">string</code> | | <code title="">europe-west1</code> |
|
||||
| *resolver_address* | GCP DNS resolver address for the inbound policy. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
|
||||
| *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code title="list(string)">list(string)</code> | | <code title="">["0.0.0.0/0"]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| foo | None | |
|
||||
| onprem-instance | Onprem instance details. | |
|
||||
| test-instance | Test instance details. | |
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -13,5 +13,5 @@
|
|||
# limitations under the License.
|
||||
|
||||
terraform {
|
||||
required_version = ">= 0.12"
|
||||
required_version = ">= 0.12.6"
|
||||
}
|
||||
|
|
|
@ -58,3 +58,7 @@ Specific modules also offer support for non-authoritative bindings (e.g. `google
|
|||
|
||||
- [Cloud KMS](./kms)
|
||||
- [Secret Manager](./secret-manager)
|
||||
|
||||
## Serverless
|
||||
|
||||
- [Cloud Functions](./cloud-function)
|
||||
|
|
|
@ -24,7 +24,7 @@ This example will create a `cloud-config` that uses the module's defaults, creat
|
|||
|
||||
```hcl
|
||||
module "cos-coredns" {
|
||||
source = "./modules/cos-container/coredns"
|
||||
source = "./modules/cloud-config-container/coredns"
|
||||
}
|
||||
|
||||
# use it as metadata in a compute instance or template
|
||||
|
@ -40,8 +40,8 @@ This example will create a `cloud-config` using a custom CoreDNS configuration,
|
|||
|
||||
```hcl
|
||||
module "cos-coredns" {
|
||||
source = "./modules/cos-container/coredns"
|
||||
coredns_config = "./modules/cos-container/coredns/Corefile-hosts"
|
||||
source = "./modules/cloud-config-container/coredns"
|
||||
coredns_config = "./modules/cloud-config-container/coredns/Corefile-hosts"
|
||||
files = {
|
||||
"/etc/coredns/example.hosts" = {
|
||||
content = "127.0.0.2 foo.example.org foo"
|
||||
|
@ -57,7 +57,7 @@ This example shows how to create the single instance optionally managed by the m
|
|||
|
||||
```hcl
|
||||
module "cos-coredns" {
|
||||
source = "./modules/cos-container/coredns"
|
||||
source = "./modules/cloud-config-container/coredns"
|
||||
test_instance = {
|
||||
project_id = "my-project"
|
||||
zone = "europe-west1-b"
|
||||
|
|
|
@ -0,0 +1,162 @@
|
|||
# Cloud Function Module
|
||||
|
||||
Cloud Function management, with support for IAM roles and optional bucket creation.
|
||||
|
||||
The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
|
||||
|
||||
## TODO
|
||||
|
||||
- [ ] add support for `ingress_settings`
|
||||
- [ ] add support for `vpc_connector` and `vpc_connector_egress_settings`
|
||||
- [ ] add support for `source_repository`
|
||||
|
||||
## Examples
|
||||
|
||||
### HTTP trigger
|
||||
|
||||
This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project.
|
||||
|
||||
```hcl
|
||||
module "cf-http" {
|
||||
source = "../modules/net-cloudnat"
|
||||
project_id = "my-project"
|
||||
name = "test-cf-http"
|
||||
bucket_name = "test-cf-bundles"
|
||||
bundle_config = {
|
||||
source_dir = "my-cf-source-folder
|
||||
output_path = "bundle.zip"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Non-HTTP triggers
|
||||
|
||||
Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger.
|
||||
|
||||
```hcl
|
||||
module "cf-http" {
|
||||
source = "../modules/net-cloudnat"
|
||||
project_id = "my-project"
|
||||
name = "test-cf-http"
|
||||
bucket_name = "test-cf-bundles"
|
||||
bundle_config = {
|
||||
source_dir = "my-cf-source-folder
|
||||
output_path = "bundle.zip"
|
||||
}
|
||||
trigger_config = {
|
||||
event = "google.pubsub.topic.publish"
|
||||
resource = local.my-topic
|
||||
retry = null
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Controlling HTTP access
|
||||
|
||||
To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access.
|
||||
|
||||
```hcl
|
||||
module "cf-http" {
|
||||
source = "../modules/net-cloudnat"
|
||||
project_id = "my-project"
|
||||
name = "test-cf-http"
|
||||
bucket_name = "test-cf-bundles"
|
||||
bundle_config = {
|
||||
source_dir = "my-cf-source-folder
|
||||
output_path = "bundle.zip"
|
||||
}
|
||||
iam_roles = ["roles/cloudfunctions.invoker"]
|
||||
iam_members = {
|
||||
"roles/cloudfunctions.invoker" = ["allUsers"]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### GCS bucket creation
|
||||
|
||||
You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS.
|
||||
|
||||
```hcl
|
||||
module "cf-http" {
|
||||
source = "../modules/net-cloudnat"
|
||||
project_id = "my-project"
|
||||
name = "test-cf-http"
|
||||
bucket_name = "test-cf-bundles"
|
||||
bucket_config = {
|
||||
location = null
|
||||
lifecycle_delete_age = 1
|
||||
}
|
||||
bundle_config = {
|
||||
source_dir = "my-cf-source-folder
|
||||
output_path = "bundle.zip"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Service account management
|
||||
|
||||
To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default).
|
||||
|
||||
```hcl
|
||||
module "cf-http" {
|
||||
source = "../modules/net-cloudnat"
|
||||
project_id = "my-project"
|
||||
name = "test-cf-http"
|
||||
bucket_name = "test-cf-bundles"
|
||||
bundle_config = {
|
||||
source_dir = "my-cf-source-folder
|
||||
output_path = "bundle.zip"
|
||||
}
|
||||
service_account_create = true
|
||||
}
|
||||
```
|
||||
|
||||
To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default).
|
||||
|
||||
```hcl
|
||||
module "cf-http" {
|
||||
source = "../modules/net-cloudnat"
|
||||
project_id = "my-project"
|
||||
name = "test-cf-http"
|
||||
bucket_name = "test-cf-bundles"
|
||||
bundle_config = {
|
||||
source_dir = "my-cf-source-folder
|
||||
output_path = "bundle.zip"
|
||||
}
|
||||
service_account = local.service_account_email
|
||||
}
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---: |:---:|:---:|
|
||||
| bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code title="">string</code> | ✓ | |
|
||||
| bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object({ source_dir = string output_path = string })">object({...})</code> | ✓ | |
|
||||
| name | Name used for cloud function and associated resources. | <code title="">string</code> | ✓ | |
|
||||
| project_id | Project id used for all resources. | <code title="">string</code> | ✓ | |
|
||||
| *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object({ location = string lifecycle_delete_age = number })">object({...})</code> | | <code title="">null</code> |
|
||||
| *environment_variables* | Cloud function environment variables. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||
| *function_config* | Cloud function configuration. | <code title="object({ entry_point = string instances = number memory = number runtime = string timeout = number })">object({...})</code> | | <code title="{ entry_point = "main" instances = 1 memory = 256 runtime = "python37" timeout = 180 }">...</code> |
|
||||
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *labels* | Resource labels | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||
| *prefix* | Optional prefix used for resource names. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *region* | Region used for all resources. | <code title="">string</code> | | <code title="">us-central1</code> |
|
||||
| *service_account* | Service account email. Unused if service account is auto-created. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *service_account_create* | Auto-create service account. | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. | <code title="object({ event = string resource = string retry = bool })">object({...})</code> | | <code title="">null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bucket | Bucket resource (only if auto-created). | |
|
||||
| bucket_name | Bucket name. | |
|
||||
| function | Cloud function resources. | |
|
||||
| function_name | Cloud function name. | |
|
||||
| service_account | Service account resource. | |
|
||||
| service_account_email | Service account email. | |
|
||||
| service_account_iam_email | Service account email. | |
|
||||
<!-- END TFDOC -->
|
|
@ -0,0 +1,122 @@
|
|||
/**
|
||||
* Copyright 2020 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
bucket = (
|
||||
var.bucket_name != null
|
||||
? var.bucket_name
|
||||
: (
|
||||
length(google_storage_bucket.bucket) > 0
|
||||
? google_storage_bucket.bucket[0].name
|
||||
: null
|
||||
)
|
||||
)
|
||||
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
||||
service_account_email = (
|
||||
var.service_account_create
|
||||
? (
|
||||
length(google_service_account.service_account) > 0
|
||||
? google_service_account.service_account[0].email
|
||||
: null
|
||||
)
|
||||
: var.service_account
|
||||
)
|
||||
}
|
||||
|
||||
resource "google_cloudfunctions_function" "function" {
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
name = "${local.prefix}${var.name}"
|
||||
description = "Terraform managed."
|
||||
runtime = var.function_config.runtime
|
||||
available_memory_mb = var.function_config.memory
|
||||
max_instances = var.function_config.instances
|
||||
timeout = var.function_config.timeout
|
||||
entry_point = var.function_config.entry_point
|
||||
environment_variables = var.environment_variables
|
||||
service_account_email = local.service_account_email
|
||||
source_archive_bucket = local.bucket
|
||||
source_archive_object = google_storage_bucket_object.bundle.name
|
||||
labels = var.labels
|
||||
trigger_http = var.trigger_config == null ? true : null
|
||||
|
||||
dynamic event_trigger {
|
||||
for_each = var.trigger_config == null ? [] : [""]
|
||||
content {
|
||||
event_type = var.trigger_config.event
|
||||
resource = var.trigger_config.resource
|
||||
dynamic failure_policy {
|
||||
for_each = var.trigger_config.retry == null ? [] : [""]
|
||||
content {
|
||||
retry = var.trigger_config.retry
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
resource "google_cloudfunctions_function_iam_binding" "default" {
|
||||
for_each = toset(var.iam_roles)
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
cloud_function = google_cloudfunctions_function.function.name
|
||||
role = each.value
|
||||
members = try(var.iam_members[each.value], {})
|
||||
}
|
||||
|
||||
resource "google_storage_bucket" "bucket" {
|
||||
count = var.bucket_config == null ? 0 : 1
|
||||
project = var.project_id
|
||||
name = "${local.prefix}${var.bucket_name}"
|
||||
location = (
|
||||
var.bucket_config.location == null
|
||||
? var.region
|
||||
: var.bucket_config.location
|
||||
)
|
||||
labels = var.labels
|
||||
|
||||
dynamic lifecycle_rule {
|
||||
for_each = var.bucket_config.lifecycle_delete_age == null ? [] : [""]
|
||||
content {
|
||||
action { type = "Delete" }
|
||||
condition { age = var.bucket_config.lifecycle_delete_age }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_storage_bucket_object" "bundle" {
|
||||
name = "bundle-${data.archive_file.bundle.output_md5}.zip"
|
||||
bucket = local.bucket
|
||||
source = data.archive_file.bundle.output_path
|
||||
}
|
||||
|
||||
data "archive_file" "bundle" {
|
||||
type = "zip"
|
||||
source_dir = var.bundle_config.source_dir
|
||||
output_path = (
|
||||
var.bundle_config.output_path == null
|
||||
? "/tmp/bundle.zip"
|
||||
: var.bundle_config.output_path
|
||||
)
|
||||
}
|
||||
|
||||
resource "google_service_account" "service_account" {
|
||||
count = var.service_account_create ? 1 : 0
|
||||
project = var.project_id
|
||||
account_id = "tf-cf-${var.name}"
|
||||
display_name = "Terraform Cloud Function ${var.name}."
|
||||
}
|
|
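Review bot: `local.bucket` in the `locals` block of this new main.tf can never reach its `google_storage_bucket.bucket[0].name` branch, because `bucket_name` is a required string variable and is therefore never null; when `bucket_config` is set together with `prefix`, the bucket is created as `${local.prefix}${var.bucket_name}` while the bundle object and `source_archive_bucket` point at the unprefixed `var.bucket_name`, and neither carries a dependency on the created bucket. Switching on `bucket_config` instead, `bucket = var.bucket_config == null ? var.bucket_name : google_storage_bucket.bucket[0].name` (keeping the existing `length()` guard around the index if needed), fixes both the name and the apply ordering. Separately, `members = try(var.iam_members[each.value], {})` in `google_cloudfunctions_function_iam_binding` falls back to a map where a list of members is expected; the project module's `lookup(var.iam_members, each.value, [])` is the consistent form.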
@ -0,0 +1,55 @@
|
|||
/**
|
||||
* Copyright 2020 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
output "bucket" {
|
||||
description = "Bucket resource (only if auto-created)."
|
||||
value = var.bucket_config == null ? null : google_storage_bucket.bucket.0
|
||||
}
|
||||
|
||||
output "bucket_name" {
|
||||
description = "Bucket name."
|
||||
value = local.bucket
|
||||
}
|
||||
|
||||
output "function" {
|
||||
description = "Cloud function resources."
|
||||
value = google_cloudfunctions_function.function
|
||||
}
|
||||
|
||||
output "function_name" {
|
||||
description = "Cloud function name."
|
||||
value = google_cloudfunctions_function.function.name
|
||||
}
|
||||
|
||||
output "service_account" {
|
||||
description = "Service account resource."
|
||||
value = (
|
||||
var.service_account_create ? google_service_account.service_account[0] : null
|
||||
)
|
||||
}
|
||||
|
||||
output "service_account_email" {
|
||||
description = "Service account email."
|
||||
value = local.service_account_email
|
||||
}
|
||||
|
||||
output "service_account_iam_email" {
|
||||
description = "Service account email."
|
||||
value = join("", [
|
||||
"serviceAccount:",
|
||||
local.service_account_email == null ? "" : local.service_account_email
|
||||
])
|
||||
}
|
|
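Review bot: `service_account_iam_email` in the last output block evaluates to the bare string `serviceAccount:` when `local.service_account_email` is null (no account auto-created and none passed in), which is not a valid IAM principal and would only surface as an error once a caller feeds it into a binding; `value = local.service_account_email == null ? null : "serviceAccount:${local.service_account_email}"` keeps the output null in that case. Its description also repeats the previous output's `Service account email.`; suggest `Service account email in IAM member format.`, which the TFDOC-generated README table presumably picks up on regeneration. Minor style point: `google_storage_bucket.bucket.0` in the `bucket` output uses the legacy attribute-index form while main.tf indexes the same resource with `[0]`.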
@ -0,0 +1,123 @@
|
|||
/**
|
||||
* Copyright 2020 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "bucket_config" {
|
||||
description = "Enable and configure auto-created bucket. Set fields to null to use defaults."
|
||||
type = object({
|
||||
location = string
|
||||
lifecycle_delete_age = number
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "bucket_name" {
|
||||
description = "Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "bundle_config" {
|
||||
description = "Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null."
|
||||
type = object({
|
||||
source_dir = string
|
||||
output_path = string
|
||||
})
|
||||
}
|
||||
|
||||
variable "environment_variables" {
|
||||
description = "Cloud function environment variables."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_members" {
|
||||
description = "Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use."
|
||||
type = map(list(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "List of roles used to set authoritative bindings. Ignored for template use."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "function_config" {
|
||||
description = "Cloud function configuration."
|
||||
type = object({
|
||||
entry_point = string
|
||||
instances = number
|
||||
memory = number
|
||||
runtime = string
|
||||
timeout = number
|
||||
})
|
||||
default = {
|
||||
entry_point = "main"
|
||||
instances = 1
|
||||
memory = 256
|
||||
runtime = "python37"
|
||||
timeout = 180
|
||||
}
|
||||
}
|
||||
|
||||
variable "labels" {
|
||||
description = "Resource labels"
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Name used for cloud function and associated resources."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
description = "Optional prefix used for resource names."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
description = "Project id used for all resources."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region used for all resources."
|
||||
type = string
|
||||
default = "europe-west1"
|
||||
}
|
||||
|
||||
variable "service_account" {
|
||||
description = "Service account email. Unused if service account is auto-created."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "service_account_create" {
|
||||
description = "Auto-create service account."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "trigger_config" {
|
||||
description = "Function trigger configuration. Leave null for HTTP trigger."
|
||||
type = object({
|
||||
event = string
|
||||
resource = string
|
||||
retry = bool
|
||||
})
|
||||
default = null
|
||||
}
|
|
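Review bot: the `region` variable's default is `europe-west1`, while the README variables table added in this same commit lists `us-central1` as the default, so one of the two is stale and the generated table should be regenerated from these variables. The `iam_members` and `iam_roles` descriptions end with `Ignored for template use.`, which describes another module's template mode and has no counterpart in this module; suggest dropping that sentence so readers do not look for a template flag that does not exist.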
@ -0,0 +1,19 @@
|
|||
/**
|
||||
* Copyright 2020 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
terraform {
|
||||
required_version = ">= 0.12.6"
|
||||
}
|
|
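Review bot: this new versions.tf pins only `required_version`, while the module's main.tf uses the `google` provider and the `archive` data source with no `required_providers` constraint; the project module's versions.tf in this same commit does pin `google` and `google-beta`, so the unpinned providers here can float to a newer major version without any change in this repository. Suggest adding a `required_providers` block next to `required_version`, with constraint values chosen to match what the module is actually tested against.
```hcl
terraform {
  required_version = ">= 0.12.6"
  required_providers {
    archive = "<tested archive provider constraint>"
    google  = "<tested google provider constraint>"
  }
}
```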
@ -18,6 +18,6 @@ terraform {
|
|||
required_version = ">= 0.12.20"
|
||||
required_providers {
|
||||
google = "~> 3.10"
|
||||
google-beta = "~> 3.10"
|
||||
google-beta = "~> 3.20"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -58,9 +58,8 @@ module "project" {
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---: |:---:|:---:|
|
||||
| name | Project name and id suffix. | <code title="">string</code> | ✓ | |
|
||||
| parent | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | <code title="">string</code> | ✓ | |
|
||||
| *auto_create_network* | Whether to create the default network for the project | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *billing_account* | Billing account id. | <code title="">string</code> | | <code title=""></code> |
|
||||
| *billing_account* | Billing account id. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_additive_members* | Map of member lists used to set non authoritative bindings, keyed by role. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_additive_roles* | List of roles used to set non authoritative bindings. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
|
@ -71,9 +70,12 @@ module "project" {
|
|||
| *oslogin* | Enable OS Login. | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *oslogin_admins* | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *oslogin_users* | List of IAM-style identities that will be granted roles necessary for OS Login users. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *parent* | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *prefix* | Prefix used to generate project id and name. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *project_create* | Create project. When set to false, uses a data source to reference existing project. | <code title="">bool</code> | | <code title="">true</code> |
|
||||
| *service_config* | Configure service API activation. | <code title="object({ disable_on_destroy = bool disable_dependent_services = bool })">object({...})</code> | | <code title="{ disable_on_destroy = true disable_dependent_services = true }">...</code> |
|
||||
| *services* | Service APIs to enable. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
@ -81,7 +83,7 @@ module "project" {
|
|||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| custom_roles | Ids of the created custom roles. | |
|
||||
| name | Project ame. | |
|
||||
| name | Project name. | |
|
||||
| number | Project number. | |
|
||||
| project_id | Project id. | |
|
||||
| service_accounts | Product robot service accounts in project. | |
|
||||
|
|
|
@ -25,12 +25,21 @@ locals {
|
|||
for pair in local.iam_additive_pairs :
|
||||
"${pair.role}-${pair.member}" => pair
|
||||
}
|
||||
parent_type = split("/", var.parent)[0]
|
||||
parent_id = split("/", var.parent)[1]
|
||||
parent_type = var.parent == null ? null : split("/", var.parent)[0]
|
||||
parent_id = var.parent == null ? null : split("/", var.parent)[1]
|
||||
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
||||
project = (
|
||||
var.project_create ? google_project.project.0 : data.google_project.project.0
|
||||
)
|
||||
}
|
||||
|
||||
data "google_project" "project" {
|
||||
count = var.project_create ? 0 : 1
|
||||
project_id = "${local.prefix}${var.name}"
|
||||
}
|
||||
|
||||
resource "google_project" "project" {
|
||||
count = var.project_create ? 1 : 0
|
||||
org_id = local.parent_type == "organizations" ? local.parent_id : null
|
||||
folder_id = local.parent_type == "folders" ? local.parent_id : null
|
||||
project_id = "${local.prefix}${var.name}"
|
||||
|
@ -42,7 +51,7 @@ resource "google_project" "project" {
|
|||
|
||||
resource "google_project_iam_custom_role" "roles" {
|
||||
for_each = var.custom_roles
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
role_id = each.key
|
||||
title = "Custom role ${each.key}"
|
||||
description = "Terraform-managed"
|
||||
|
@ -51,7 +60,7 @@ resource "google_project_iam_custom_role" "roles" {
|
|||
|
||||
resource "google_compute_project_metadata_item" "oslogin_meta" {
|
||||
count = var.oslogin ? 1 : 0
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
key = "enable-oslogin"
|
||||
value = "TRUE"
|
||||
# depend on services or it will fail on destroy
|
||||
|
@ -60,7 +69,7 @@ resource "google_compute_project_metadata_item" "oslogin_meta" {
|
|||
|
||||
resource "google_resource_manager_lien" "lien" {
|
||||
count = var.lien_reason != "" ? 1 : 0
|
||||
parent = "projects/${google_project.project.number}"
|
||||
parent = "projects/${local.project.number}"
|
||||
restrictions = ["resourcemanager.projects.delete"]
|
||||
origin = "created-by-terraform"
|
||||
reason = var.lien_reason
|
||||
|
@ -68,10 +77,10 @@ resource "google_resource_manager_lien" "lien" {
|
|||
|
||||
resource "google_project_service" "project_services" {
|
||||
for_each = toset(var.services)
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
service = each.value
|
||||
disable_on_destroy = true
|
||||
disable_dependent_services = true
|
||||
disable_on_destroy = var.service_config.disable_on_destroy
|
||||
disable_dependent_services = var.service_config.disable_dependent_services
|
||||
}
|
||||
|
||||
# IAM notes:
|
||||
|
@ -81,7 +90,7 @@ resource "google_project_service" "project_services" {
|
|||
|
||||
resource "google_project_iam_binding" "authoritative" {
|
||||
for_each = toset(var.iam_roles)
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
role = each.value
|
||||
members = lookup(var.iam_members, each.value, [])
|
||||
depends_on = [
|
||||
|
@ -92,42 +101,46 @@ resource "google_project_iam_binding" "authoritative" {
|
|||
|
||||
resource "google_project_iam_member" "additive" {
|
||||
for_each = length(var.iam_additive_roles) > 0 ? local.iam_additive : {}
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
role = each.value.role
|
||||
member = each.value.member
|
||||
depends_on = [
|
||||
google_project_service.project_services,
|
||||
google_project_iam_custom_role.roles
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_project_iam_member" "oslogin_iam_serviceaccountuser" {
|
||||
for_each = var.oslogin ? toset(distinct(concat(var.oslogin_admins, var.oslogin_users))) : toset([])
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
role = "roles/iam.serviceAccountUser"
|
||||
member = each.value
|
||||
}
|
||||
|
||||
resource "google_project_iam_member" "oslogin_compute_viewer" {
|
||||
for_each = var.oslogin ? toset(distinct(concat(var.oslogin_admins, var.oslogin_users))) : toset([])
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
role = "roles/compute.viewer"
|
||||
member = each.value
|
||||
}
|
||||
|
||||
resource "google_project_iam_member" "oslogin_admins" {
|
||||
for_each = var.oslogin ? toset(var.oslogin_admins) : toset([])
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
role = "roles/compute.osAdminLogin"
|
||||
member = each.value
|
||||
}
|
||||
|
||||
resource "google_project_iam_member" "oslogin_users" {
|
||||
for_each = var.oslogin ? toset(var.oslogin_users) : toset([])
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
role = "roles/compute.osLogin"
|
||||
member = each.value
|
||||
}
|
||||
|
||||
resource "google_project_organization_policy" "boolean" {
|
||||
for_each = var.policy_boolean
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
constraint = each.key
|
||||
|
||||
dynamic boolean_policy {
|
||||
|
@ -148,7 +161,7 @@ resource "google_project_organization_policy" "boolean" {
|
|||
|
||||
resource "google_project_organization_policy" "list" {
|
||||
for_each = var.policy_list
|
||||
project = google_project.project.project_id
|
||||
project = local.project.project_id
|
||||
constraint = each.key
|
||||
|
||||
dynamic list_policy {
|
||||
@ -16,7 +16,7 @@
|
|||
|
||||
output "project_id" {
|
||||
description = "Project id."
|
||||
value = google_project.project.project_id
|
||||
value = local.project.project_id
|
||||
depends_on = [
|
||||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
|
@ -25,8 +25,8 @@ output "project_id" {
|
|||
}
|
||||
|
||||
output "name" {
|
||||
description = "Project ame."
|
||||
value = google_project.project.name
|
||||
description = "Project name."
|
||||
value = local.project.name
|
||||
depends_on = [
|
||||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
|
@ -36,7 +36,7 @@ output "name" {
|
|||
|
||||
output "number" {
|
||||
description = "Project number."
|
||||
value = google_project.project.number
|
||||
value = local.project.number
|
||||
depends_on = [
|
||||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
|
@ -56,5 +56,8 @@ output "service_accounts" {
|
|||
|
||||
output "custom_roles" {
|
||||
description = "Ids of the created custom roles."
|
||||
value = [for role in google_project_iam_custom_role.roles : role.role_id]
|
||||
value = {
|
||||
for name, role in google_project_iam_custom_role.roles :
|
||||
name => role.id
|
||||
}
|
||||
}
|
||||
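Review bot: The `custom_roles` output changes shape from a list of `role_id` values to a map of name => `role.id`, and `role.id` appears to be the fully qualified role id rather than the short `role_id`, so callers that indexed the list or expected short ids will break, while the description still reads `Ids of the created custom roles.`. If the new shape is intended, the description should say so, e.g. `description = "Map of custom role name => fully qualified role id."`, and the change should be called out as breaking for consumers of this output. The `depends_on` blocks of `project_id`, `name` and `number` continue outside the hunks.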
@ -15,12 +15,12 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
service_account_cloud_services = "${google_project.project.number}@cloudservices.gserviceaccount.com"
|
||||
service_account_cloud_services = "${local.project.number}@cloudservices.gserviceaccount.com"
|
||||
service_accounts_default = {
|
||||
# TODO: Find a better place to store BQ service account
|
||||
bq = "bq-${google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
|
||||
compute = "${google_project.project.number}-compute@developer.gserviceaccount.com"
|
||||
gae = "${google_project.project.project_id}@appspot.gserviceaccount.com"
|
||||
compute = "${local.project.number}-compute@developer.gserviceaccount.com"
|
||||
gae = "${local.project.project_id}@appspot.gserviceaccount.com"
|
||||
}
|
||||
service_accounts_robot_services = {
|
||||
cloudasset = "gcp-sa-cloudasset"
|
||||
|
@ -37,6 +37,6 @@ locals {
|
|||
}
|
||||
service_accounts_robots = {
|
||||
for service, name in local.service_accounts_robot_services :
|
||||
service => "service-${google_project.project.number}@${name}.iam.gserviceaccount.com"
|
||||
service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
|
||||
}
|
||||
}
|
||||
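Review bot: The `bq` entry in `service_accounts_default` still interpolates `google_project.project.number` while the neighbouring `compute` and `gae` entries were moved to `local.project.number`; if `google_project.project` is now conditional on `project_create` (as the new variable's description suggests), that reference is no longer valid when the project is pre-existing, and even with a created project it bypasses the local the rest of the file now uses. Change it to `bq = "bq-${local.project.number}@bigquery-encryption.iam.gserviceaccount.com"`. The same `locals` block continues into the second hunk, where `service_accounts_robots` was migrated correctly.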
@ -23,7 +23,7 @@ variable "auto_create_network" {
|
|||
variable "billing_account" {
|
||||
description = "Billing account id."
|
||||
type = string
|
||||
default = ""
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "custom_roles" {
|
||||
|
@ -92,8 +92,9 @@ variable "oslogin_users" {
|
|||
}
|
||||
|
||||
variable "parent" {
|
||||
description = "The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id."
|
||||
description = "Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
|
@ -119,8 +120,26 @@ variable "prefix" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "project_create" {
|
||||
description = "Create project. When set to false, uses a data source to reference existing project."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "services" {
|
||||
description = "Service APIs to enable."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "service_config" {
|
||||
description = "Configure service API activation."
|
||||
type = object({
|
||||
disable_on_destroy = bool
|
||||
disable_dependent_services = bool
|
||||
})
|
||||
default = {
|
||||
disable_on_destroy = true
|
||||
disable_dependent_services = true
|
||||
}
|
||||
}
|
||||
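Review bot: The `project_create` description only says a data source is used when false; it should also state that the module keeps managing the referenced project's IAM, organization policies, services and lien, since the authoritative `google_project_iam_binding` replaces any existing members on the listed roles and `service_config.disable_on_destroy` defaults to true, so a destroy disables APIs on a project the module did not create. Suggested wording: `description = "Create project. When set to false, uses a data source to reference existing project; IAM, org policies, services and liens are still managed on it."`. Whether the `service_config` defaults should be relaxed for a pre-existing project is a decision for the module owners, but the current defaults deserve an explicit mention.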
@ -71,7 +71,7 @@ variable "oslogin_users" {
|
|||
|
||||
variable "parent" {
|
||||
type = string
|
||||
default = "folders/12345678"
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
@ -32,7 +32,7 @@ def test_prefix(plan_runner):
|
|||
|
||||
def test_parent(plan_runner):
|
||||
"Test project parent."
|
||||
_, resources = plan_runner(FIXTURES_DIR)
|
||||
_, resources = plan_runner(FIXTURES_DIR, parent='folders/12345678')
|
||||
assert len(resources) == 1
|
||||
assert resources[0]['values']['folder_id'] == '12345678'
|
||||
assert resources[0]['values'].get('org_id') == None
|
||||
|
@ -40,3 +40,11 @@ def test_parent(plan_runner):
|
|||
assert len(resources) == 1
|
||||
assert resources[0]['values']['org_id'] == '12345678'
|
||||
assert resources[0]['values'].get('folder_id') == None
|
||||
|
||||
|
||||
def test_no_parent(plan_runner):
|
||||
"Test null project parent."
|
||||
_, resources = plan_runner(FIXTURES_DIR)
|
||||
assert len(resources) == 1
|
||||
assert resources[0]['values'].get('folder_id') == None
|
||||
assert resources[0]['values'].get('org_id') == None
|
||||
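Review bot: `test_no_parent` compares with `== None` in its last two assertions; identity is the idiomatic check for the singleton, `assert resources[0]['values'].get('folder_id') is None` (the same applies to the updated line in `test_parent`). No test covers the new `project_create = false` path; a case that calls `plan_runner` with `project_create` set to false and asserts that no `google_project` resource is planned would pin that behaviour, though the exact argument form should be checked against how `plan_runner` passes variables. The `organizations/` half of `test_parent` lies between the two hunks and is not visible here.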