Merge pull request #321 from terraform-google-modules/jccb/linter

Improve linter
Julio Castillo 2021-10-08 21:26:27 +02:00 committed by GitHub
commit 6740f454c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
85 changed files with 991 additions and 943 deletions


@ -46,6 +46,7 @@ steps:
"modules",
"cloud-operations",
"data-solutions",
"data-solutions/data-platform-foundations",
"foundations",
"networking",
]


@ -14,14 +14,6 @@
* limitations under the License.
*/
output "vms" {
description = "VM names."
value = {
ns-editor = module.vm-ns-editor.instance.name
svc-editor = module.vm-svc-editor.instance.name
}
}
output "gcloud_commands" {
description = "Commands used to SSH to the VMs."
value = {
@ -29,3 +21,11 @@ output "gcloud_commands" {
svc-editor = "gcloud compute ssh ${module.vm-svc-editor.instance.name} --zone ${var.region}-b --tunnel-through-iap"
}
}
output "vms" {
description = "VM names."
value = {
ns-editor = module.vm-ns-editor.instance.name
svc-editor = module.vm-svc-editor.instance.name
}
}


@ -24,18 +24,18 @@ variable "location" {
default = "europe"
}
variable "project_service_name" {
description = "Name for the new Service Project."
type = string
default = "my-project-service-001"
}
variable "project_kms_name" {
description = "Name for the new KMS Project."
type = string
default = "my-project-kms-001"
}
variable "project_service_name" {
description = "Name for the new Service Project."
type = string
default = "my-project-service-001"
}
variable "region" {
description = "The region where resources will be deployed."
type = string
@ -47,6 +47,12 @@ variable "root_node" {
type = string
}
variable "vpc_ip_cidr_range" {
description = "Ip range used in the subnet deployef in the Service Project."
type = string
default = "10.0.0.0/20"
}
variable "vpc_name" {
description = "Name of the VPC created in the Service Project."
type = string
@ -58,9 +64,3 @@ variable "vpc_subnet_name" {
type = string
default = "subnet"
}
variable "vpc_ip_cidr_range" {
description = "Ip range used in the subnet deployef in the Service Project."
type = string
default = "10.0.0.0/20"
}


@ -54,14 +54,12 @@ The script use 'google_access_context_manager_service_perimeter_resource' terraf
|---|---|:---: |:---:|:---:|
| billing_account_id | Billing account id. | <code title="">string</code> | ✓ | |
| root_node | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code title="">string</code> | ✓ | |
| *admins* | List of users allowed to impersonate the service account | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">null</code> |
| *prefix* | Prefix used to generate project id and name. | <code title="">string</code> | | <code title="">null</code> |
| *project_names* | Override this variable if you need non-standard names. | <code title="object&#40;&#123;&#10;datamart &#61; string&#10;dwh &#61; string&#10;landing &#61; string&#10;services &#61; string&#10;transformation &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;datamart &#61; &#34;datamart&#34;&#10;dwh &#61; &#34;datawh&#34;&#10;landing &#61; &#34;landing&#34;&#10;services &#61; &#34;services&#34;&#10;transformation &#61; &#34;transformation&#34;&#10;&#125;">...</code> |
| *service_account_names* | Override this variable if you need non-standard names. | <code title="object&#40;&#123;&#10;main &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;main &#61; &#34;data-platform-main&#34;&#10;&#125;">...</code> |
| *service_encryption_key_ids* | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object&#40;&#123;&#10;multiregional &#61; string&#10;global &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;multiregional &#61; null&#10;global &#61; null&#10;&#125;">...</code> |
| *service_perimeter_standard* | VPC Service control standard perimeter name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. All projects will be added to the perimeter in enforced mode. | <code title="">string</code> | | <code title="">null</code> |
| *admins* | List of users allowed to impersonate the service account | <code title="">list</code> | | <code title="">null</code> |
## Outputs


@ -25,12 +25,12 @@ output "project_ids" {
}
}
output "service_encryption_key_ids" {
description = "Cloud KMS encryption keys in {LOCATION => [KEY_URL]} format."
value = var.service_encryption_key_ids
}
output "service_account" {
description = "Main service account."
value = module.sa-services-main.email
}
output "service_encryption_key_ids" {
description = "Cloud KMS encryption keys in {LOCATION => [KEY_URL]} format."
value = var.service_encryption_key_ids
}


@ -57,6 +57,7 @@ You can configure GCP resources to use existing CMEK keys configuring the 'servi
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_ids | Project IDs. | <code title="object&#40;&#123;&#10;datamart &#61; string&#10;dwh &#61; string&#10;landing &#61; string&#10;services &#61; string&#10;transformation &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ | |
| *admins* | List of users allowed to impersonate the service account | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">null</code> |
| *datamart_bq_datasets* | Datamart Bigquery datasets | <code title="map&#40;object&#40;&#123;&#10;iam &#61; map&#40;list&#40;string&#41;&#41;&#10;location &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#10;bq_datamart_dataset &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;iam &#61; &#123;&#10;&#125;&#10;&#125;&#10;&#125;">...</code> |
| *dwh_bq_datasets* | DWH Bigquery datasets | <code title="map&#40;object&#40;&#123;&#10;location &#61; string&#10;iam &#61; map&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#10;bq_raw_dataset &#61; &#123;&#10;iam &#61; &#123;&#125;&#10;location &#61; &#34;EU&#34;&#10;&#125;&#10;&#125;">...</code> |
| *landing_buckets* | List of landing buckets to create | <code title="map&#40;object&#40;&#123;&#10;location &#61; string&#10;name &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#10;raw-data &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;name &#61; &#34;raw-data&#34;&#10;&#125;&#10;data-schema &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;name &#61; &#34;data-schema&#34;&#10;&#125;&#10;&#125;">...</code> |
@ -67,8 +68,6 @@ You can configure GCP resources to use existing CMEK keys configuring the 'servi
| *transformation_buckets* | List of transformation buckets to create | <code title="map&#40;object&#40;&#123;&#10;location &#61; string&#10;name &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#10;temp &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;name &#61; &#34;temp&#34;&#10;&#125;,&#10;templates &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;name &#61; &#34;templates&#34;&#10;&#125;,&#10;&#125;">...</code> |
| *transformation_subnets* | List of subnets to create in the transformation Project. | <code title="list&#40;object&#40;&#123;&#10;ip_cidr_range &#61; string&#10;name &#61; string&#10;region &#61; string&#10;secondary_ip_range &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">list(object({...}))</code> | | <code title="&#91;&#10;&#123;&#10;ip_cidr_range &#61; &#34;10.1.0.0&#47;20&#34;&#10;name &#61; &#34;transformation-subnet&#34;&#10;region &#61; &#34;europe-west3&#34;&#10;secondary_ip_range &#61; &#123;&#125;&#10;&#125;,&#10;&#93;">...</code> |
| *transformation_vpc_name* | Name of the VPC created in the transformation Project. | <code title="">string</code> | | <code title="">transformation-vpc</code> |
| *admins* | List of users allowed to impersonate the service account | <code title="">list</code> | | <code title="">null</code> |
## Outputs


@ -116,7 +116,6 @@ variable "project_ids" {
})
}
variable "service_account_names" {
description = "Project service accounts list."
type = object({
@ -135,6 +134,18 @@ variable "service_account_names" {
}
}
variable "service_encryption_key_ids" {
description = "Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project."
type = object({
multiregional = string
global = string
})
default = {
multiregional = null
global = null
}
}
variable "transformation_buckets" {
description = "List of transformation buckets to create"
type = map(object({
@ -176,15 +187,3 @@ variable "transformation_vpc_name" {
type = string
default = "transformation-vpc"
}
variable "service_encryption_key_ids" {
description = "Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project."
type = object({
multiregional = string
global = string
})
default = {
multiregional = null
global = null
}
}


@ -24,13 +24,13 @@ variable "location" {
default = "europe"
}
variable "project_service_name" {
description = "Name for the new Service Project."
variable "project_kms_name" {
description = "Name for the new KMS Project."
type = string
}
variable "project_kms_name" {
description = "Name for the new KMS Project."
variable "project_service_name" {
description = "Name for the new Service Project."
type = string
}
@ -45,6 +45,18 @@ variable "root_node" {
type = string
}
variable "ssh_source_ranges" {
description = "IP CIDR ranges that will be allowed to connect via SSH to the onprem instance."
type = list(string)
default = ["0.0.0.0/0"]
}
variable "vpc_ip_cidr_range" {
description = "Ip range used in the subnet deployef in the Service Project."
type = string
default = "10.0.0.0/20"
}
variable "vpc_name" {
description = "Name of the VPC created in the Service Project."
type = string
@ -56,15 +68,3 @@ variable "vpc_subnet_name" {
type = string
default = "subnet"
}
variable "vpc_ip_cidr_range" {
description = "Ip range used in the subnet deployef in the Service Project."
type = string
default = "10.0.0.0/20"
}
variable "ssh_source_ranges" {
description = "IP CIDR ranges that will be allowed to connect via SSH to the onprem instance."
type = list(string)
default = ["0.0.0.0/0"]
}
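Review bot: `ssh_source_ranges` keeps `default = ["0.0.0.0/0"]` on the new side, so anyone applying this example unchanged gets an SSH firewall rule that admits every source address; the commit only moves the block and does not touch the default. For an example that stands up an "onprem" test VM, either drop the default so the caller must supply their own ranges, or keep it and make the description carry the warning: `description = "IP CIDR ranges allowed to SSH to the onprem instance. The default allows any source; restrict it to your own egress ranges before applying."`. In the same hunk, `vpc_ip_cidr_range`'s description has a typo, `deployef` should read `deployed`.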


@ -14,9 +14,9 @@
* limitations under the License.
*/
output "terraform_project" {
description = "Project that holds the base Terraform resources."
value = module.tf-project.project_id
output "audit_logs_project" {
description = "Project that holds the audit logs export resources."
value = module.audit-project.project_id
}
output "bootstrap_tf_gcs_bucket" {
@ -24,27 +24,6 @@ output "bootstrap_tf_gcs_bucket" {
value = module.tf-gcs-bootstrap.name
}
output "shared_folder_id" {
description = "Shared folder id."
value = module.shared-folder.id
}
output "bu_machine_learning" {
description = "Machine Learning attributes."
value = {
unit_folder = module.bu-machine-learning.unit_folder,
env_gcs_buckets = module.bu-machine-learning.env_gcs_buckets
env_folders = module.bu-machine-learning.env_folders
env_service_accounts = module.bu-machine-learning.env_service_accounts
}
}
output "bu_machine_learning_keys" {
description = "Machine Learning service account keys."
sensitive = true
value = module.bu-machine-learning.env_sa_keys
}
output "bu_business_intelligence" {
description = "Business Intelligence attributes."
value = {
@ -61,9 +40,25 @@ output "bu_business_intelligence_keys" {
value = module.bu-business-intelligence.env_sa_keys
}
output "audit_logs_project" {
description = "Project that holds the audit logs export resources."
value = module.audit-project.project_id
output "bu_machine_learning" {
description = "Machine Learning attributes."
value = {
unit_folder = module.bu-machine-learning.unit_folder,
env_gcs_buckets = module.bu-machine-learning.env_gcs_buckets
env_folders = module.bu-machine-learning.env_folders
env_service_accounts = module.bu-machine-learning.env_service_accounts
}
}
output "bu_machine_learning_keys" {
description = "Machine Learning service account keys."
sensitive = true
value = module.bu-machine-learning.env_sa_keys
}
output "shared_folder_id" {
description = "Shared folder id."
value = module.shared-folder.id
}
output "shared_resources_project" {
@ -71,5 +66,10 @@ output "shared_resources_project" {
value = module.shared-project.project_id
}
output "terraform_project" {
description = "Project that holds the base Terraform resources."
value = module.tf-project.project_id
}
# Add further outputs here for the additional modules that manage shared
# resources, like GCR, GCS buckets, KMS, etc.


@ -84,6 +84,7 @@ variable "project_services" {
"stackdriver.googleapis.com",
]
}
variable "root_node" {
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
type = string


@ -12,9 +12,14 @@
# See the License for the specific language governing permissions and
# limitations under the License.
output "terraform_project" {
description = "Project that holds the base Terraform resources."
value = module.tf-project.project_id
output "audit_logs_bq_dataset" {
description = "Bigquery dataset for the audit logs export."
value = module.audit-dataset.id
}
output "audit_logs_project" {
description = "Project that holds the audit logs export resources."
value = module.audit-project.project_id
}
output "bootstrap_tf_gcs_bucket" {
@ -27,30 +32,19 @@ output "environment_folders" {
value = { for folder in module.environment-folders : folder.name => folder.id }
}
output "environment_tf_gcs_buckets" {
description = "GCS buckets used for each environment Terraform state."
value = { for env, bucket in module.tf-gcs-environments : env => bucket.name }
}
output "environment_service_account_keys" {
description = "Service account keys used to run each environment Terraform modules."
sensitive = true
value = { for env, sa in module.tf-service-accounts : env => sa.key }
}
output "environment_service_accounts" {
description = "Service accounts used to run each environment Terraform modules."
value = { for env, sa in module.tf-service-accounts : env => sa.email }
}
output "audit_logs_bq_dataset" {
description = "Bigquery dataset for the audit logs export."
value = module.audit-dataset.id
}
output "audit_logs_project" {
description = "Project that holds the audit logs export resources."
value = module.audit-project.project_id
output "environment_tf_gcs_buckets" {
description = "GCS buckets used for each environment Terraform state."
value = { for env, bucket in module.tf-gcs-environments : env => bucket.name }
}
output "shared_services_project" {
@ -58,5 +52,10 @@ output "shared_services_project" {
value = module.sharedsvc-project.project_id
}
output "terraform_project" {
description = "Project that holds the base Terraform resources."
value = module.tf-project.project_id
}
# Add further outputs here for the additional modules that manage shared
# resources, like GCR, GCS buckets, KMS, etc.
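Review bot: `environment_service_account_keys` is marked `sensitive = true`, which only keeps the key material out of plan and apply output; the private keys are still written in clear text to the Terraform state, and nothing in this file says so. Since these keys run every environment's Terraform, a short comment above the output would help the next reader, e.g. `# sensitive only redacts CLI output; the key material is stored in plaintext in the state backend, so access to the state bucket must be tightly restricted (or prefer service account impersonation over keys).` The commit only moves this output, so the gap predates it.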


@ -101,11 +101,6 @@ variable "prefix" {
type = string
}
variable "root_node" {
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
type = string
}
variable "project_services" {
description = "Service APIs enabled by default in new projects."
type = list(string)
@ -115,6 +110,11 @@ variable "project_services" {
]
}
variable "root_node" {
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
type = string
}
variable "service_account_keys" {
description = "Generate and store service account keys in the state file."
type = bool


@ -106,7 +106,7 @@ module "apigee-organization" {
|---|---|:---: |:---:|:---:|
| analytics_region | Analytics Region for the Apigee Organization (immutable). See https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli. | <code title="">string</code> | ✓ | |
| project_id | Project ID to host this Apigee organization (will also become the Apigee Org name). | <code title="">string</code> | ✓ | |
| runtime_type | None | <code title="string&#10;validation &#123;&#10;condition &#61; contains&#40;&#91;&#34;CLOUD&#34;, &#34;HYBRID&#34;&#93;, var.runtime_type&#41;&#10;error_message &#61; &#34;Allowed values for runtime_type &#92;&#34;CLOUD&#92;&#34; or &#92;&#34;HYBRID&#92;&#34;.&#34;&#10;&#125;">string</code> | ✓ | |
| runtime_type | Apigee runtime type. Must be `CLOUD` or `HYBRID`. | <code title="string&#10;validation &#123;&#10;condition &#61; contains&#40;&#91;&#34;CLOUD&#34;, &#34;HYBRID&#34;&#93;, var.runtime_type&#41;&#10;error_message &#61; &#34;Allowed values for runtime_type &#92;&#34;CLOUD&#92;&#34; or &#92;&#34;HYBRID&#92;&#34;.&#34;&#10;&#125;">string</code> | ✓ | |
| *apigee_envgroups* | Apigee Environment Groups. | <code title="map&#40;object&#40;&#123;&#10;environments &#61; list&#40;string&#41;&#10;hostnames &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
| *apigee_environments* | Apigee Environment Names. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *authorized_network* | VPC network self link (requires service network peering enabled (Used in Apigee X only). | <code title="">string</code> | | <code title="">null</code> |


@ -14,12 +14,6 @@
* limitations under the License.
*/
variable "authorized_network" {
description = "VPC network self link (requires service network peering enabled (Used in Apigee X only)."
type = string
default = null
}
variable "analytics_region" {
description = "Analytics Region for the Apigee Organization (immutable). See https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli."
type = string
@ -40,6 +34,12 @@ variable "apigee_environments" {
default = []
}
variable "authorized_network" {
description = "VPC network self link (requires service network peering enabled (Used in Apigee X only)."
type = string
default = null
}
variable "database_encryption_key" {
description = "Cloud KMS key self link (e.g. `projects/foo/locations/us/keyRings/bar/cryptoKeys/baz`) used for encrypting the data that is stored and replicated across runtime instances (immutable, used in Apigee X only)."
type = string
@ -64,8 +64,8 @@ variable "project_id" {
}
variable "runtime_type" {
type = string
description = "Apigee runtime type. Must be `CLOUD` or `HYBRID`."
type = string
validation {
condition = contains(["CLOUD", "HYBRID"], var.runtime_type)
error_message = "Allowed values for runtime_type \"CLOUD\" or \"HYBRID\"."


@ -14,12 +14,35 @@
* limitations under the License.
*/
variable "description" {
description = "An optional description for the repository"
type = string
default = "Terraform-managed registry"
}
variable "format" {
description = "Repository format. One of DOCKER or UNSPECIFIED"
type = string
default = "DOCKER"
}
variable "iam" {
description = "IAM bindings in {ROLE => [MEMBERS]} format."
type = map(list(string))
default = {}
}
variable "id" {
description = "Repository id"
type = string
}
variable "labels" {
description = "Labels to be attached to the registry."
type = map(string)
default = {}
}
variable "location" {
description = "Registry location. Use `gcloud beta artifacts locations list' to get valid values"
type = string
@ -30,26 +53,3 @@ variable "project_id" {
description = "Registry project id."
type = string
}
variable "labels" {
description = "Labels to be attached to the registry."
type = map(string)
default = {}
}
variable "format" {
description = "Repository format. One of DOCKER or UNSPECIFIED"
type = string
default = "DOCKER"
}
variable "description" {
description = "An optional description for the repository"
type = string
default = "Terraform-managed registry"
}
variable "id" {
description = "Repository id"
type = string
}


@ -55,22 +55,22 @@ output "self_link" {
]
}
output "tables" {
description = "Table resources."
value = google_bigquery_table.default
}
output "table_ids" {
description = "Map of fully qualified table ids keyed by table ids."
value = { for k, v in google_bigquery_table.default : v.table_id => v.id }
}
output "views" {
description = "View resources."
value = google_bigquery_table.views
output "tables" {
description = "Table resources."
value = google_bigquery_table.default
}
output "view_ids" {
description = "Map of fully qualified view ids keyed by view ids."
value = { for k, v in google_bigquery_table.views : v.table_id => v.id }
}
output "views" {
description = "View resources."
value = google_bigquery_table.views
}


@ -55,12 +55,23 @@ variable "encryption_key" {
default = null
}
variable "friendly_name" {
description = "Dataset friendly name."
type = string
default = null
}
variable "iam" {
description = "IAM bindings in {ROLE => [MEMBERS]} format. Mutually exclusive with the access_* variables used for basic roles."
type = map(list(string))
default = {}
}
variable "id" {
description = "Dataset id."
type = string
}
variable "labels" {
description = "Dataset labels."
type = map(string)
@ -73,17 +84,6 @@ variable "location" {
default = "EU"
}
variable "friendly_name" {
description = "Dataset friendly name."
type = string
default = null
}
variable "id" {
description = "Dataset id."
type = string
}
variable "options" {
description = "Dataset options."
type = object({


@ -32,15 +32,15 @@ output "instance" {
]
}
output "tables" {
description = "Table resources."
value = google_bigtable_table.default
}
output "table_ids" {
description = "Map of fully qualified table ids keyed by table name."
value = { for k, v in google_bigtable_table.default : v.name => v.id }
}
output "tables" {
description = "Table resources."
value = google_bigtable_table.default
}


@ -64,15 +64,6 @@ variable "storage_type" {
default = "SSD"
}
variable "tables" {
description = "Tables to be created in the BigTable instance, options can be null."
type = map(object({
split_keys = list(string)
column_family = string
}))
default = {}
}
variable "table_options_defaults" {
description = "Default option of tables created in the BigTable instance."
type = object({
@ -85,6 +76,15 @@ variable "table_options_defaults" {
}
}
variable "tables" {
description = "Tables to be created in the BigTable instance, options can be null."
type = map(object({
split_keys = list(string)
column_family = string
}))
default = {}
}
variable "zone" {
description = "The zone to create the Cloud Bigtable cluster in."
type = string


@ -69,7 +69,7 @@ module "pubsub" {
|---|---|:---: |:---:|:---:|
| billing_account | Billing account id. | <code title="">string</code> | ✓ | |
| name | Budget name. | <code title="">string</code> | ✓ | |
| thresholds | None | <code title="object&#40;&#123;&#10;current &#61; list&#40;number&#41;&#10;forecasted &#61; list&#40;number&#41;&#10;&#125;&#41;&#10;validation &#123;&#10;condition &#61; length&#40;var.thresholds.current&#41; &#62; 0 &#124;&#124; length&#40;var.thresholds.forecasted&#41; &#62; 0&#10;error_message &#61; &#34;Must specify at least one budget threshold.&#34;&#10;&#125;">object({...})</code> | ✓ | |
| thresholds | Thresholds percentages at which alerts are sent. Must be a value between 0 and 1. | <code title="object&#40;&#123;&#10;current &#61; list&#40;number&#41;&#10;forecasted &#61; list&#40;number&#41;&#10;&#125;&#41;&#10;validation &#123;&#10;condition &#61; length&#40;var.thresholds.current&#41; &#62; 0 &#124;&#124; length&#40;var.thresholds.forecasted&#41; &#62; 0&#10;error_message &#61; &#34;Must specify at least one budget threshold.&#34;&#10;&#125;">object({...})</code> | ✓ | |
| *amount* | Amount in the billing account's currency for the budget. Use 0 to set budget to 100% of last period's spend. | <code title="">number</code> | | <code title="">0</code> |
| *credit_treatment* | How credits should be treated when determining spend for threshold calculations. Only INCLUDE_ALL_CREDITS or EXCLUDE_ALL_CREDITS are supported | <code title="">string</code> | | <code title="INCLUDE_ALL_CREDITS&#10;validation &#123;&#10;condition &#61; &#40;&#10;var.credit_treatment &#61;&#61; &#34;INCLUDE_ALL_CREDITS&#34; &#124;&#124;&#10;var.credit_treatment &#61;&#61; &#34;EXCLUDE_ALL_CREDITS&#34;&#10;&#41;&#10;error_message &#61; &#34;Argument credit_treatment must be INCLUDE_ALL_CREDITS or EXCLUDE_ALL_CREDITS.&#34;&#10;&#125;">...</code> |
| *email_recipients* | Emails where budget notifications will be sent. Setting this will create a notification channel for each email in the specified project. | <code title="object&#40;&#123;&#10;project_id &#61; string&#10;emails &#61; list&#40;string&#41;&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |


@ -83,6 +83,7 @@ variable "services" {
}
variable "thresholds" {
description = "Thresholds percentages at which alerts are sent. Must be a value between 0 and 1."
type = object({
current = list(number)
forecasted = list(number)
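Review bot: The description added to `thresholds` promises `Must be a value between 0 and 1`, but the validation on this variable (the one rendered in the module README, `length(var.thresholds.current) > 0 || length(var.thresholds.forecasted) > 0`) only checks that at least one list is non-empty, so the range claim is not enforced anywhere visible. If thresholds above 1.0 are meant to be accepted for over-budget alerts, the wording is too strict and should say so; otherwise add a range condition next to the existing one, e.g. `alltrue([for t in concat(var.thresholds.current, var.thresholds.forecasted) : t >= 0 && t <= 1])`. "Thresholds percentages" also reads awkwardly; `Threshold percentages, as a fraction of the budget, at which alerts are sent.` is clearer. The variable's validation block continues outside the hunk.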


@ -14,14 +14,13 @@
* limitations under the License.
*/
variable "display_name" {
description = "Group display name."
type = string
}
variable "name" {
description = "Group ID (usually an email)."
variable "customer_id" {
description = "Directory customer ID in the form customers/C0xxxxxxx."
type = string
validation {
condition = can(regex("^customers/C0[a-z0-9]{7}$", var.customer_id))
error_message = "Customer ID must be in the form customers/C0xxxxxxx."
}
}
variable "description" {
@ -30,13 +29,20 @@ variable "description" {
default = null
}
variable "customer_id" {
description = "Directory customer ID in the form customers/C0xxxxxxx."
variable "display_name" {
description = "Group display name."
type = string
}
variable "members" {
description = "List of group members."
type = list(string)
default = []
}
variable "name" {
description = "Group ID (usually an email)."
type = string
validation {
condition = can(regex("^customers/C0[a-z0-9]{7}$", var.customer_id))
error_message = "Customer ID must be in the form customers/C0xxxxxxx."
}
}
# variable "owners" {
@ -50,9 +56,3 @@ variable "customer_id" {
# type = list(string)
# default = []
# }
variable "members" {
description = "List of group members."
type = list(string)
default = []
}


@ -106,7 +106,7 @@ module "db" {
| *availability_type* | Availability type for the primary replica. Either `ZONAL` or `REGIONAL` | <code title="">string</code> | | <code title="">ZONAL</code> |
| *backup_configuration* | Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas | <code title="object&#40;&#123;&#10;enabled &#61; bool&#10;binary_log_enabled &#61; bool&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;enabled &#61; false&#10;binary_log_enabled &#61; false&#10;&#125;">...</code> |
| *databases* | Databases to create once the primary instance is created. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">null</code> |
| *deletion_protection* | None | <code title="">bool</code> | | <code title="">false</code> |
| *deletion_protection* | Allow terraform to delete instances. | <code title="">bool</code> | | <code title="">false</code> |
| *disk_size* | Disk size in GB. Set to null to enable autoresize. | <code title="">number</code> | | <code title="">null</code> |
| *disk_type* | The type of data disk: `PD_SSD` or `PD_HDD`. | <code title="">string</code> | | <code title="">PD_SSD</code> |
| *flags* | Map FLAG_NAME=>VALUE for database-specific tuning. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">null</code> |


@ -50,8 +50,9 @@ variable "databases" {
}
variable "deletion_protection" {
type = bool
default = false
description = "Allow terraform to delete instances."
type = bool
default = false
}
variable "disk_size" {
@ -110,13 +111,13 @@ variable "replicas" {
default = null
}
variable "tier" {
description = "The machine type to use for the instances."
type = string
}
variable "users" {
description = "Map of users to create in the primary instance (and replicated to other replicas) in the format USER=>PASSWORD. For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password"
type = map(string)
default = null
}
variable "tier" {
description = "The machine type to use for the instances."
type = string
}
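Review bot: The new description on `deletion_protection`, `Allow terraform to delete instances.`, reads as the inverse of what the flag does: assuming it is passed through to `google_sql_database_instance`, `true` blocks a destroy and `false` (the default here) allows it, so a reader who sets it to `true` to "allow" deletion gets the opposite. Suggest `description = "Prevent terraform from deleting instances. Defaults to false, so a destroy will remove the instance and its data."`. Given that the default leaves protection off, it is also worth a sentence in the README that production instances should set it to `true`.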


@ -14,6 +14,15 @@
* limitations under the License.
*/
variable "auto_healing_policies" {
description = "Auto-healing policies for this group."
type = object({
health_check = string
initial_delay_sec = number
})
default = null
}
variable "autoscaler_config" {
description = "Optional autoscaler configuration. Only one of 'cpu_utilization_target' 'load_balancing_utilization_target' or 'metric' can be not null."
type = object({
@ -33,15 +42,6 @@ variable "autoscaler_config" {
default = null
}
variable "auto_healing_policies" {
description = "Auto-healing policies for this group."
type = object({
health_check = string
initial_delay_sec = number
})
default = null
}
variable "default_version" {
description = "Default application version template. Additional versions can be specified via the `versions` variable."
type = object({


@ -14,6 +14,21 @@
* limitations under the License.
*/
variable "attached_disk_defaults" {
description = "Defaults for attached disks options."
type = object({
mode = string
replica_zone = string
type = string
})
default = {
auto_delete = true
mode = "READ_WRITE"
replica_zone = null
type = "pd-balanced"
}
}
variable "attached_disks" {
description = "Additional disks, if options is null defaults will be used in its place. Source type is one of 'image' (zonal disks in vms and template), 'snapshot' (vm), 'existing', and null."
type = list(object({
@ -40,21 +55,6 @@ variable "attached_disks" {
}
}
variable "attached_disk_defaults" {
description = "Defaults for attached disks options."
type = object({
mode = string
replica_zone = string
type = string
})
default = {
auto_delete = true
mode = "READ_WRITE"
replica_zone = null
type = "pd-balanced"
}
}
variable "boot_disk" {
description = "Boot disk properties."
type = object({
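Review bot: `attached_disk_defaults` declares its type as `object({ mode, replica_zone, type })` but its default sets `auto_delete = true`, an attribute the type does not contain, so `var.attached_disk_defaults.auto_delete` cannot be read inside the module and the default value is either discarded during type conversion or rejected, depending on the Terraform version. The commit only moves the block, so the mismatch survives on the new side. Either add `auto_delete = bool` to the object type so the default is meaningful, or drop the `auto_delete = true` line from the default. `boot_disk`'s body continues outside the hunk.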


@ -36,6 +36,24 @@ variable "enable_stackdriver_monitoring" {
default = false
}
variable "firewall_create" {
description = "Create Network firewall rules to enable SSH."
type = bool
default = true
}
variable "ip_allocation" {
description = "Ip allocated for datafusion instance when not using the auto created one and created outside of the module."
type = string
default = null
}
variable "ip_allocation_create" {
description = "Create Ip range for datafusion instance."
type = bool
default = true
}
variable "labels" {
description = "The resource labels for instance to use to annotate any related underlying resources, such as Compute Engine VMs."
type = map(string)
@ -52,12 +70,6 @@ variable "network" {
type = string
}
variable "firewall_create" {
description = "Create Network firewall rules to enable SSH."
type = bool
default = true
}
variable "network_peering" {
description = "Create Network peering between project and DataFusion tenant project."
type = bool
@ -80,18 +92,6 @@ variable "region" {
type = string
}
variable "ip_allocation_create" {
description = "Create Ip range for datafusion instance."
type = bool
default = true
}
variable "ip_allocation" {
description = "Ip allocated for datafusion instance when not using the auto created one and created outside of the module."
type = string
default = null
}
variable "type" {
description = "Datafusion Instance type. It can be BASIC or ENTERPRISE (default value)."
type = string


@ -68,7 +68,7 @@ module "private-dns" {
| *dnssec_config* | DNSSEC configuration: kind, non_existence, state. | <code title="">any</code> | | <code title="">{}</code> |
| *forwarders* | Map of {IPV4_ADDRESS => FORWARDING_PATH} for 'forwarding' zone types. Path can be 'default', 'private', or null for provider default. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *peer_network* | Peering network self link, only valid for 'peering' zone types. | <code title="">string</code> | | <code title="">null</code> |
| *recordsets* | None | <code title="map&#40;object&#40;&#123;&#10;ttl &#61; number&#10;records &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#125;&#10;validation &#123;&#10;condition &#61; alltrue&#40;&#91;&#10;for k, v in var.recordsets &#61;&#61; null &#63; &#123;&#125; : var.recordsets :&#10;length&#40;split&#40;&#34; &#34;, k&#41;&#41; &#61;&#61; 2&#10;&#93;&#41;&#10;error_message &#61; &#34;Recordsets must have keys in the format &#92;&#34;type name&#92;&#34;.&#34;&#10;&#125;">...</code> |
| *recordsets* | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | <code title="map&#40;object&#40;&#123;&#10;ttl &#61; number&#10;records &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#125;&#10;validation &#123;&#10;condition &#61; alltrue&#40;&#91;&#10;for k, v in var.recordsets &#61;&#61; null &#63; &#123;&#125; : var.recordsets :&#10;length&#40;split&#40;&#34; &#34;, k&#41;&#41; &#61;&#61; 2&#10;&#93;&#41;&#10;error_message &#61; &#34;Recordsets must have keys in the format &#92;&#34;type name&#92;&#34;.&#34;&#10;&#125;">...</code> |
| *service_directory_namespace* | Service directory namespace id (URL), only valid for 'service-directory' zone types. | <code title="">string</code> | | <code title="">null</code> |
| *type* | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory'. | <code title="">string</code> | | <code title="private&#10;validation &#123;&#10;condition &#61; contains&#40;&#91;&#34;public&#34;, &#34;private&#34;, &#34;forwarding&#34;, &#34;peering&#34;, &#34;service-directory&#34;&#93;, var.type&#41;&#10;error_message &#61; &#34;Zone must be one of &#39;public&#39;, &#39;private&#39;, &#39;forwarding&#39;, &#39;peering&#39;, &#39;service-directory&#39;.&#34;&#10;&#125;">...</code> |
| *zone_create* | Create zone. When set to false, uses a data source to reference existing zone. | <code title="">bool</code> | | <code title="">true</code> |


@ -14,6 +14,26 @@
* limitations under the License.
*/
output "dns_keys" {
description = "DNSKEY and DS records of DNSSEC-signed managed zones."
value = local.dns_keys
}
output "domain" {
description = "The DNS zone domain."
value = try(local.zone.dns_name, null)
}
output "name" {
description = "The DNS zone name."
value = try(local.zone.name, null)
}
output "name_servers" {
description = "The DNS zone name servers."
value = try(local.zone.name_servers, null)
}
output "type" {
description = "The DNS zone type."
value = var.type
@ -23,23 +43,3 @@ output "zone" {
description = "DNS zone resource."
value = local.zone
}
output "name" {
description = "The DNS zone name."
value = try(local.zone.name, null)
}
output "domain" {
description = "The DNS zone domain."
value = try(local.zone.dns_name, null)
}
output "name_servers" {
description = "The DNS zone name servers."
value = try(local.zone.name_servers, null)
}
output "dns_keys" {
description = "DNSKEY and DS records of DNSSEC-signed managed zones."
value = local.dns_keys
}


@ -24,12 +24,6 @@ variable "client_networks" {
default = []
}
variable "description" {
description = "Domain description."
type = string
default = "Terraform managed."
}
variable "default_key_specs_key" {
description = "DNSSEC default key signing specifications: algorithm, key_length, key_type, kind."
type = any
@ -42,6 +36,12 @@ variable "default_key_specs_zone" {
default = {}
}
variable "description" {
description = "Domain description."
type = string
default = "Terraform managed."
}
variable "dnssec_config" {
description = "DNSSEC configuration: kind, non_existence, state."
type = any


@ -14,9 +14,9 @@
* limitations under the License.
*/
output "service_name" {
description = "The name of the service.."
value = google_endpoints_service.default.service_name
output "endpoints" {
description = "A list of Endpoint objects."
value = google_endpoints_service.default.endpoints
}
output "endpoints_service" {
@ -24,7 +24,7 @@ output "endpoints_service" {
value = google_endpoints_service.default
}
output "endpoints" {
description = "A list of Endpoint objects."
value = google_endpoints_service.default.endpoints
output "service_name" {
description = "The name of the service.."
value = google_endpoints_service.default.service_name
}
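Review bot: The `service_name` description in the moved block still ends with a doubled period, `"The name of the service.."`; since this PR is about tidying descriptions, change it to `description = "The name of the service."`. The same doubled period is visible on the removed copy at the top of the file section, so it is a pre-existing wording slip rather than something the reorder introduced.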


@ -13,6 +13,21 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "firewall_policies" {
description = "Map of firewall policy resources created in this folder."
value = {
for name, _ in var.firewall_policies :
name => google_compute_organization_security_policy.policy[name]
}
}
output "firewall_policy_id" {
description = "Map of firewall policy ids created in this folder."
value = {
for name, _ in var.firewall_policies :
name => google_compute_organization_security_policy.policy[name].id
}
}
output "folder" {
description = "Folder resource."
@ -34,22 +49,6 @@ output "name" {
value = local.folder.display_name
}
output "firewall_policies" {
description = "Map of firewall policy resources created in this folder."
value = {
for name, _ in var.firewall_policies :
name => google_compute_organization_security_policy.policy[name]
}
}
output "firewall_policy_id" {
description = "Map of firewall policy ids created in this folder."
value = {
for name, _ in var.firewall_policies :
name => google_compute_organization_security_policy.policy[name].id
}
}
output "sink_writer_identities" {
description = "Writer identities created for each sink."
value = {


@ -66,6 +66,12 @@ variable "id" {
default = null
}
variable "logging_exclusions" {
description = "Logging exclusions for this folder in the form {NAME -> FILTER}."
type = map(string)
default = {}
}
variable "logging_sinks" {
description = "Logging sinks to create for this folder."
type = map(object({
@ -80,12 +86,6 @@ variable "logging_sinks" {
default = {}
}
variable "logging_exclusions" {
description = "Logging exclusions for this folder in the form {NAME -> FILTER}."
type = map(string)
default = {}
}
variable "name" {
description = "Folder name."
type = string


@ -14,22 +14,6 @@
* limitations under the License.
*/
output "unit_folder" {
description = "Unit top level folder."
value = {
id = google_folder.unit.name,
name = google_folder.unit.display_name
}
}
output "env_gcs_buckets" {
description = "Unit environments tfstate gcs buckets."
value = {
for key, bucket in google_storage_bucket.tfstate
: key => bucket.name
}
}
output "env_folders" {
description = "Unit environments folders."
value = {
@ -41,11 +25,11 @@ output "env_folders" {
}
}
output "env_service_accounts" {
description = "Unit environments service accounts."
output "env_gcs_buckets" {
description = "Unit environments tfstate gcs buckets."
value = {
for key, sa in google_service_account.environment
: key => sa.email
for key, bucket in google_storage_bucket.tfstate
: key => bucket.name
}
}
@ -57,3 +41,19 @@ output "env_sa_keys" {
key => sa_key.private_key
}
}
output "env_service_accounts" {
description = "Unit environments service accounts."
value = {
for key, sa in google_service_account.environment
: key => sa.email
}
}
output "unit_folder" {
description = "Unit top level folder."
value = {
id = google_folder.unit.name,
name = google_folder.unit.display_name
}
}


@ -14,10 +14,21 @@
* limitations under the License.
*/
variable "uniform_bucket_level_access" {
description = "Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API)."
type = bool
default = true
variable "cors" {
description = "CORS configuration for the bucket. Defaults to null."
type = object({
origin = list(string)
method = list(string)
response_header = list(string)
max_age_seconds = number
})
default = null
}
variable "encryption_key" {
description = "KMS key that will be used for encryption."
type = string
default = null
}
variable "force_destroy" {
@ -32,18 +43,34 @@ variable "iam" {
default = {}
}
variable "encryption_key" {
description = "KMS key that will be used for encryption."
type = string
default = null
}
variable "labels" {
description = "Labels to be attached to all buckets."
type = map(string)
default = {}
}
variable "lifecycle_rule" {
description = "Bucket lifecycle rule"
type = object({
action = object({
type = string
storage_class = string
})
condition = object({
age = number
created_before = string
with_state = string
matches_storage_class = list(string)
num_newer_versions = string
custom_time_before = string
days_since_custom_time = string
days_since_noncurrent_time = string
noncurrent_time_before = string
})
})
default = null
}
variable "location" {
description = "Bucket location."
type = string
@ -94,41 +121,14 @@ variable "storage_class" {
}
}
variable "uniform_bucket_level_access" {
description = "Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API)."
type = bool
default = true
}
variable "versioning" {
description = "Enable versioning, defaults to false."
type = bool
default = false
}
variable "cors" {
description = "CORS configuration for the bucket. Defaults to null."
type = object({
origin = list(string)
method = list(string)
response_header = list(string)
max_age_seconds = number
})
default = null
}
variable "lifecycle_rule" {
description = "Bucket lifecycle rule"
type = object({
action = object({
type = string
storage_class = string
})
condition = object({
age = number
created_before = string
with_state = string
matches_storage_class = list(string)
num_newer_versions = string
custom_time_before = string
days_since_custom_time = string
days_since_noncurrent_time = string
noncurrent_time_before = string
})
})
default = null
}
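Review bot: The `uniform_bucket_level_access` description carried over into the moved block is hard to parse and has a stray space before the comma (`... recommended behavior) , defaults to true ...`). Suggest `description = "Use uniform bucket-level access (true, the recommended practice and this module's default) or allow object ACLs (false, the storage API default)."`, which keeps the same meaning in one readable sentence. In the same hunk the `lifecycle_rule` description, `"Bucket lifecycle rule"`, is the only one without a terminating period; if the improved linter checks description punctuation it may flag it, so adding the period now avoids a follow-up.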


@ -14,6 +14,12 @@
* limitations under the License.
*/
output "ca_certificate" {
description = "Public certificate of the cluster (base64-encoded)."
value = google_container_cluster.cluster.master_auth.0.cluster_ca_certificate
sensitive = true
}
output "cluster" {
description = "Cluster resource."
sensitive = true
@ -39,9 +45,3 @@ output "name" {
description = "Cluster name."
value = google_container_cluster.cluster.name
}
output "ca_certificate" {
description = "Public certificate of the cluster (base64-encoded)."
value = google_container_cluster.cluster.master_auth.0.cluster_ca_certificate
sensitive = true
}


@ -42,12 +42,6 @@ variable "addons" {
}
}
variable "enable_dataplane_v2" {
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config"
type = bool
default = false
}
variable "authenticator_security_group" {
description = "RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com."
type = string
@ -98,12 +92,24 @@ variable "description" {
default = null
}
variable "enable_autopilot" {
description = "Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node)"
type = bool
default = false
}
variable "enable_binary_authorization" {
description = "Enable Google Binary Authorization."
type = bool
default = null
}
variable "enable_dataplane_v2" {
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config"
type = bool
default = false
}
variable "enable_intranode_visibility" {
description = "Enable intra-node visibility to make same node pod to pod traffic visible."
type = bool
@ -256,9 +262,3 @@ variable "workload_identity" {
default = true
}
variable "enable_autopilot" {
description = "Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node)"
type = bool
default = false
}


@ -72,6 +72,12 @@ variable "node_boot_disk_kms_key" {
default = null
}
variable "node_count" {
description = "Number of nodes per instance group, can be updated after creation. Ignored when autoscaling is set."
type = number
default = null
}
variable "node_disk_size" {
description = "Node disk size, defaults to 100GB."
type = number
@ -102,17 +108,16 @@ variable "node_labels" {
default = {}
}
variable "node_taints" {
description = "Kubernetes taints applied to nodes. E.g. type=blue:NoSchedule"
type = list(string)
default = []
}
variable "node_local_ssd_count" {
description = "Number of local SSDs attached to nodes."
type = number
default = 0
}
variable "node_locations" {
description = "Optional list of zones in which nodes should be located. Uses cluster locations if unset."
type = list(string)
default = null
}
variable "node_machine_type" {
description = "Nodes machine type."
@ -179,17 +184,12 @@ variable "node_tags" {
default = null
}
variable "node_count" {
description = "Number of nodes per instance group, can be updated after creation. Ignored when autoscaling is set."
type = number
default = null
variable "node_taints" {
description = "Kubernetes taints applied to nodes. E.g. type=blue:NoSchedule"
type = list(string)
default = []
}
variable "node_locations" {
description = "Optional list of zones in which nodes should be located. Uses cluster locations if unset."
type = list(string)
default = null
}
variable "project_id" {
description = "Cluster project id."


@ -14,11 +14,6 @@
* limitations under the License.
*/
output "service_account" {
description = "Service account resource."
value = local.service_account
}
output "email" {
description = "Service account email."
value = local.resource_email_static
@ -40,3 +35,8 @@ output "key" {
sensitive = true
value = local.key
}
output "service_account" {
description = "Service account resource."
value = local.service_account
}


@ -14,6 +14,12 @@
* limitations under the License.
*/
variable "display_name" {
description = "Display name of the service account to create."
type = string
default = "Terraform-managed."
}
variable "generate_key" {
description = "Generate a key for service account."
type = bool
@ -61,12 +67,6 @@ variable "name" {
type = string
}
variable "display_name" {
description = "Display name of the service account to create."
type = string
default = "Terraform-managed."
}
variable "prefix" {
description = "Prefix applied to service account names."
type = string


@ -14,6 +14,18 @@
* limitations under the License.
*/
output "key_self_links" {
description = "Key self links."
value = {
for name, resource in google_kms_crypto_key.default :
name => resource.self_link
}
depends_on = [
google_kms_crypto_key_iam_binding.default
]
}
output "keyring" {
description = "Keyring resource."
value = local.keyring
@ -22,6 +34,14 @@ output "keyring" {
]
}
output "keys" {
description = "Key resources."
value = google_kms_crypto_key.default
depends_on = [
google_kms_crypto_key_iam_binding.default
]
}
output "location" {
description = "Keyring location."
value = local.keyring.location
@ -45,22 +65,3 @@ output "self_link" {
google_kms_key_ring_iam_binding.default
]
}
output "keys" {
description = "Key resources."
value = google_kms_crypto_key.default
depends_on = [
google_kms_crypto_key_iam_binding.default
]
}
output "key_self_links" {
description = "Key self links."
value = {
for name, resource in google_kms_crypto_key.default :
name => resource.self_link
}
depends_on = [
google_kms_crypto_key_iam_binding.default
]
}


@ -57,5 +57,5 @@ module "bucket-default" {
| name | description | sensitive |
|---|---|:---:|
| id | None | |
| id | ID of the created bucket. | |
<!-- END TFDOC -->


@ -15,6 +15,7 @@
*/
output "id" {
description = "ID of the created bucket."
value = try(
google_logging_project_bucket_config.bucket.0.id,
google_logging_folder_bucket_config.bucket.0.id,


@ -14,13 +14,14 @@
* limitations under the License.
*/
variable "parent_type" {
description = "Parent object type for the bucket (project, folder, organization, billing_account)."
variable "description" {
description = "Human-readable description for the logging bucket."
type = string
default = null
}
variable "parent" {
description = "ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'."
variable "id" {
description = "Name of the logging bucket."
type = string
}
@ -30,15 +31,14 @@ variable "location" {
default = "global"
}
variable "id" {
description = "Name of the logging bucket."
variable "parent" {
description = "ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'."
type = string
}
variable "description" {
description = "Human-readable description for the logging bucket."
variable "parent_type" {
description = "Parent object type for the bucket (project, folder, organization, billing_account)."
type = string
default = null
}
variable "retention" {
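Review bot: The `parent` description moved into the second hunk still reads `parentresource` and is missing the comma between the first two accepted formats, so the list of formats is ambiguous to a reader. Suggest `description = "ID of the parent resource containing the bucket, in the format 'project_id', 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'."`. The `retention` block that follows begins on the last line of the hunk and continues outside it.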


@ -72,11 +72,11 @@ module "project-tf" {
|---|---|:---: |:---:|:---:|
| environment | Environment abbreviation used in names and labels. | <code title="">string</code> | ✓ | |
| resources | Short resource names by type. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | ✓ | |
| team | Optional name suffix. | <code title="">string</code> | ✓ | |
| team | Team name. | <code title="">string</code> | ✓ | |
| *labels* | Per-resource labels. | <code title="map&#40;map&#40;map&#40;string&#41;&#41;&#41;">map(map(map(string)))</code> | | <code title="">{}</code> |
| *prefix* | Optional name prefix. | <code title="">string</code> | | <code title="">null</code> |
| *separator_override* | Optional separator override for specific resource types. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *suffix* | None | <code title="">string</code> | | <code title="">null</code> |
| *suffix* | Optional name suffix. | <code title="">string</code> | | <code title="">null</code> |
| *use_resource_prefixes* | Prefix names with the resource type. | <code title="">bool</code> | | <code title="">false</code> |
## Outputs


@ -19,18 +19,18 @@ variable "environment" {
type = string
}
variable "prefix" {
description = "Optional name prefix."
type = string
default = null
}
variable "labels" {
description = "Per-resource labels."
type = map(map(map(string)))
default = {}
}
variable "prefix" {
description = "Optional name prefix."
type = string
default = null
}
variable "resources" {
description = "Short resource names by type."
type = map(list(string))
@ -43,12 +43,13 @@ variable "separator_override" {
}
variable "suffix" {
type = string
default = null
description = "Optional name suffix."
type = string
default = null
}
variable "team" {
description = "Optional name suffix."
description = "Team name."
type = string
}


@ -83,8 +83,8 @@ module "addresses" {
| name | description | sensitive |
|---|---|:---:|
| external_addresses | None | |
| global_addresses | None | |
| internal_addresses | None | |
| psc_addresses | None | |
| external_addresses | Allocated external addresses. | |
| global_addresses | Allocated global external addresses. | |
| internal_addresses | Allocated internal addresses. | |
| psc_addresses | Allocated internal addresses for PSC endpoints. | |
<!-- END TFDOC -->


@ -15,6 +15,7 @@
*/
output "external_addresses" {
description = "Allocated external addresses."
value = {
for address in google_compute_address.external :
address.name => {
@ -25,6 +26,7 @@ output "external_addresses" {
}
output "global_addresses" {
description = "Allocated global external addresses."
value = {
for address in google_compute_global_address.global :
address.name => {
@ -35,6 +37,7 @@ output "global_addresses" {
}
output "internal_addresses" {
description = "Allocated internal addresses."
value = {
for address in google_compute_address.internal :
address.name => {
@ -45,6 +48,7 @@ output "internal_addresses" {
}
output "psc_addresses" {
description = "Allocated internal addresses for PSC endpoints."
value = {
for address in google_compute_global_address.psc :
address.name => {


@ -49,11 +49,6 @@ output "forwarding_rule_self_link" {
value = google_compute_forwarding_rule.default.self_link
}
output "groups" {
description = "Optional unmanaged instance group resources."
value = google_compute_instance_group.unmanaged
}
output "group_self_links" {
description = "Optional unmanaged instance group self links."
value = {
@ -61,6 +56,11 @@ output "group_self_links" {
}
}
output "groups" {
description = "Optional unmanaged instance group resources."
value = google_compute_instance_group.unmanaged
}
output "health_check" {
description = "Auto-created health-check resource."
value = local.health_check_resource


@ -20,15 +20,6 @@ variable "address" {
default = null
}
variable "backends" {
description = "Load balancer backends, balancing mode is one of 'CONNECTION' or 'UTILIZATION'."
type = list(object({
failover = bool
group = string
balancing_mode = string
}))
}
variable "backend_config" {
description = "Optional backend configuration."
type = object({
@ -39,6 +30,15 @@ variable "backend_config" {
default = null
}
variable "backends" {
description = "Load balancer backends, balancing mode is one of 'CONNECTION' or 'UTILIZATION'."
type = list(object({
failover = bool
group = string
balancing_mode = string
}))
}
variable "failover_config" {
description = "Optional failover configuration."
type = object({
@ -105,17 +105,17 @@ variable "network" {
type = string
}
variable "project_id" {
description = "Project id where resources will be created."
type = string
}
variable "ports" {
description = "Comma-separated ports, leave null to use all ports."
type = list(string)
default = null
}
variable "project_id" {
description = "Project id where resources will be created."
type = string
}
variable "protocol" {
description = "IP protocol used, defaults to TCP."
type = string
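Review bot: The `ports` variable in the last hunk is typed `list(string)` but its description says `Comma-separated ports`, which reads as a single delimited string and will mislead callers about what to pass. Since the type is the contract, align the text with it, e.g. `description = "List of ports to forward, leave null to use all ports."`. The `protocol` block at the end of the hunk continues outside it.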


@ -14,22 +14,6 @@
* limitations under the License.
*/
output "ingress_allow_rules" {
description = "Ingress rules with allow blocks."
value = [
for rule in google_compute_firewall.rules :
rule if rule.direction == "INGRESS" && length(rule.allow) > 0
]
}
output "ingress_deny_rules" {
description = "Ingress rules with deny blocks."
value = [
for rule in google_compute_firewall.rules :
rule if rule.direction == "INGRESS" && length(rule.deny) > 0
]
}
output "egress_allow_rules" {
description = "Egress rules with allow blocks."
value = [
@ -45,3 +29,19 @@ output "egress_deny_rules" {
rule if rule.direction == "EGRESS" && length(rule.deny) > 0
]
}
output "ingress_allow_rules" {
description = "Ingress rules with allow blocks."
value = [
for rule in google_compute_firewall.rules :
rule if rule.direction == "INGRESS" && length(rule.allow) > 0
]
}
output "ingress_deny_rules" {
description = "Ingress rules with deny blocks."
value = [
for rule in google_compute_firewall.rules :
rule if rule.direction == "INGRESS" && length(rule.deny) > 0
]
}


@ -14,16 +14,6 @@
* limitations under the License.
*/
variable "network" {
description = "Name of the network this set of firewall rules applies to."
type = string
}
variable "project_id" {
description = "Project Id."
type = string
}
variable "config_directories" {
description = "List of paths to folders where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml`"
type = list(string)
@ -36,3 +26,13 @@ variable "log_config" {
})
default = null
}
variable "network" {
description = "Name of the network this set of firewall rules applies to."
type = string
}
variable "project_id" {
description = "Project Id."
type = string
}


@ -23,22 +23,6 @@ output "admin_ranges" {
}
}
output "custom_ingress_allow_rules" {
description = "Custom ingress rules with allow blocks."
value = [
for rule in google_compute_firewall.custom-rules :
rule.name if rule.direction == "INGRESS" && try(length(rule.allow), 0) > 0
]
}
output "custom_ingress_deny_rules" {
description = "Custom ingress rules with deny blocks."
value = [
for rule in google_compute_firewall.custom-rules :
rule.name if rule.direction == "INGRESS" && try(length(rule.deny), 0) > 0
]
}
output "custom_egress_allow_rules" {
description = "Custom egress rules with allow blocks."
value = [
@ -55,6 +39,22 @@ output "custom_egress_deny_rules" {
]
}
output "custom_ingress_allow_rules" {
description = "Custom ingress rules with allow blocks."
value = [
for rule in google_compute_firewall.custom-rules :
rule.name if rule.direction == "INGRESS" && try(length(rule.allow), 0) > 0
]
}
output "custom_ingress_deny_rules" {
description = "Custom ingress rules with deny blocks."
value = [
for rule in google_compute_firewall.custom-rules :
rule.name if rule.direction == "INGRESS" && try(length(rule.deny), 0) > 0
]
}
output "rules" {
description = "All google_compute_firewall resources created."
value = merge(


@ -14,20 +14,11 @@
* limitations under the License.
*/
variable "prefix" {
description = "Name prefix for the network peerings."
type = string
default = "network-peering"
}
variable "local_network" {
description = "Resource link of the network to add a peering to."
type = string
}
variable "peer_network" {
description = "Resource link of the peer network."
type = string
variable "export_local_custom_routes" {
description = "Export custom routes to peer network from local network."
type = bool
default = false
}
variable "export_peer_custom_routes" {
@ -36,10 +27,9 @@ variable "export_peer_custom_routes" {
default = false
}
variable "export_local_custom_routes" {
description = "Export custom routes to peer network from local network."
type = bool
default = false
variable "local_network" {
description = "Resource link of the network to add a peering to."
type = string
}
variable "peer_create_peering" {
@ -47,3 +37,14 @@ variable "peer_create_peering" {
type = bool
default = true
}
variable "peer_network" {
description = "Resource link of the peer network."
type = string
}
variable "prefix" {
description = "Name prefix for the network peerings."
type = string
default = "network-peering"
}


@ -180,7 +180,7 @@ module "vpc" {
| *auto_create_subnetworks* | Set to true to create an auto mode subnet, defaults to custom mode. | <code title="">bool</code> | | <code title="">false</code> |
| *delete_default_routes_on_create* | Set to true to delete the default routes at creation time. | <code title="">bool</code> | | <code title="">false</code> |
| *description* | An optional description of this resource (triggers recreation on change). | <code title="">string</code> | | <code title="">Terraform-managed.</code> |
| *dns_policy* | None | <code title="object&#40;&#123;&#10;inbound &#61; bool&#10;logging &#61; bool&#10;outbound &#61; object&#40;&#123;&#10;private_ns &#61; list&#40;string&#41;&#10;public_ns &#61; list&#40;string&#41;&#10;&#125;&#41;&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *dns_policy* | DNS policy setup for the VPC. | <code title="object&#40;&#123;&#10;inbound &#61; bool&#10;logging &#61; bool&#10;outbound &#61; object&#40;&#123;&#10;private_ns &#61; list&#40;string&#41;&#10;public_ns &#61; list&#40;string&#41;&#10;&#125;&#41;&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *iam* | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
| *log_config_defaults* | Default configuration for flow logs when enabled. | <code title="object&#40;&#123;&#10;aggregation_interval &#61; string&#10;flow_sampling &#61; number&#10;metadata &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;aggregation_interval &#61; &#34;INTERVAL_5_SEC&#34;&#10;flow_sampling &#61; 0.5&#10;metadata &#61; &#34;INCLUDE_ALL_METADATA&#34;&#10;&#125;">...</code> |
| *log_configs* | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code title="map&#40;map&#40;string&#41;&#41;">map(map(string))</code> | | <code title="">{}</code> |


@ -14,26 +14,31 @@
* limitations under the License.
*/
output "network" {
description = "Network resource."
value = local.network
depends_on = [
google_service_networking_connection.psn_connection
]
output "bindings" {
description = "Subnet IAM bindings."
value = { for k, v in google_compute_subnetwork_iam_binding.binding : k => v }
}
output "name" {
description = "The name of the VPC being created."
value = local.network.name
depends_on = [
google_compute_network_peering.local,
google_compute_network_peering.remote,
google_compute_shared_vpc_host_project.shared_vpc_host,
google_compute_shared_vpc_service_project.service_projects,
google_service_networking_connection.psn_connection
]
}
output "self_link" {
description = "The URI of the VPC being created."
value = local.network.self_link
output "network" {
description = "Network resource."
value = local.network
depends_on = [
google_compute_network_peering.local,
google_compute_network_peering.remote,
google_compute_shared_vpc_host_project.shared_vpc_host,
google_compute_shared_vpc_service_project.service_projects,
google_service_networking_connection.psn_connection
]
}
@ -51,10 +56,16 @@ output "project_id" {
]
}
# TODO(ludoo): use input names as keys
output "subnets" {
description = "Subnet resources."
value = { for k, v in google_compute_subnetwork.subnetwork : k => v }
output "self_link" {
description = "The URI of the VPC being created."
value = local.network.self_link
depends_on = [
google_compute_network_peering.local,
google_compute_network_peering.remote,
google_compute_shared_vpc_host_project.shared_vpc_host,
google_compute_shared_vpc_service_project.service_projects,
google_service_networking_connection.psn_connection
]
}
output "subnet_ips" {
@ -62,11 +73,6 @@ output "subnet_ips" {
value = { for k, v in google_compute_subnetwork.subnetwork : k => v.ip_cidr_range }
}
output "subnet_self_links" {
description = "Map of subnet self links keyed by name."
value = { for k, v in google_compute_subnetwork.subnetwork : k => v.self_link }
}
output "subnet_regions" {
description = "Map of subnet regions keyed by name."
value = { for k, v in google_compute_subnetwork.subnetwork : k => v.region }
@ -83,7 +89,13 @@ output "subnet_secondary_ranges" {
}
}
output "bindings" {
description = "Subnet IAM bindings."
value = { for k, v in google_compute_subnetwork_iam_binding.binding : k => v }
output "subnet_self_links" {
description = "Map of subnet self links keyed by name."
value = { for k, v in google_compute_subnetwork.subnetwork : k => v.self_link }
}
# TODO(ludoo): use input names as keys
output "subnets" {
description = "Subnet resources."
value = { for k, v in google_compute_subnetwork.subnetwork : k => v }
}
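Review bot: The `network` output on the new side of the first hunk appears to carry the full `depends_on` list (both peerings, the Shared VPC host and service projects, and the PSN connection), whereas the removed copy at the top of the hunk listed only `google_service_networking_connection.psn_connection`; if that reading is right, this is a dependency-graph change for every consumer of the `network` output, not a reorder, and a PR titled "Improve linter" should say so in its description or carry it as a separate commit. Aligning `network` with `name` and `self_link` is defensible, but it means anything that reads `network` now waits on peering and Shared VPC attachment, which can change apply ordering in existing root modules. The old/new sides are inferred from print order because the diff markers are lost on this page, so please confirm against the raw diff before merging.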


@ -33,6 +33,7 @@ variable "description" {
}
variable "dns_policy" {
description = "DNS policy setup for the VPC."
type = object({
inbound = bool
logging = bool
@ -50,12 +51,6 @@ variable "iam" {
default = {}
}
variable "log_configs" {
description = "Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled."
type = map(map(string))
default = {}
}
variable "log_config_defaults" {
description = "Default configuration for flow logs when enabled."
type = object({
@ -70,6 +65,12 @@ variable "log_config_defaults" {
}
}
variable "log_configs" {
description = "Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled."
type = map(map(string))
default = {}
}
variable "mtu" {
description = "Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes."
default = null
@ -134,7 +135,6 @@ variable "routing_mode" {
condition = var.routing_mode == "GLOBAL" || var.routing_mode == "REGIONAL"
error_message = "Routing type must be GLOBAL or REGIONAL."
}
}
variable "shared_vpc_host" {
@ -149,18 +149,6 @@ variable "shared_vpc_service_projects" {
default = []
}
variable "subnets" {
description = "The list of subnets being created"
type = list(object({
name = string
ip_cidr_range = string
name = string
region = string
secondary_ip_range = map(string)
}))
default = []
}
variable "subnet_descriptions" {
description = "Optional map of subnet descriptions, keyed by subnet 'region/name'."
type = map(string)
@ -179,6 +167,18 @@ variable "subnet_private_access" {
default = {}
}
variable "subnets" {
description = "The list of subnets being created"
type = list(object({
name = string
ip_cidr_range = string
name = string
region = string
secondary_ip_range = map(string)
}))
default = []
}
variable "vpc_create" {
description = "Create VPC. When set to false, uses a data source to reference existing VPC."
type = bool


@ -29,6 +29,12 @@ output "name" {
value = google_compute_vpn_gateway.gateway.name
}
output "random_secret" {
description = "Generated secret."
value = local.secret
}
output "router" {
description = "Router resource (only if auto-created)."
value = var.router_create ? google_compute_router.router[0] : null
@ -44,14 +50,6 @@ output "self_link" {
value = google_compute_vpn_gateway.gateway.self_link
}
output "tunnels" {
description = "VPN tunnel resources."
value = {
for name in keys(var.tunnels) :
name => google_compute_vpn_tunnel.tunnels[name]
}
}
output "tunnel_names" {
description = "VPN tunnel names."
value = {
@ -68,7 +66,10 @@ output "tunnel_self_links" {
}
}
output "random_secret" {
description = "Generated secret."
value = local.secret
output "tunnels" {
description = "VPN tunnel resources."
value = {
for name in keys(var.tunnels) :
name => google_compute_vpn_tunnel.tunnels[name]
}
}
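Review bot: `random_secret` is exported as a plain output (`value = local.secret`) with no `sensitive = true`, so the value — presumably the tunnel pre-shared key this module generates — is printed by `terraform apply`/`terraform output` and ends up in CI logs of any root module that passes it through. Terraform only forces the flag on root-module outputs, so the module keeps working either way; adding `sensitive = true` inside the block also fills the `sensitive` column that tfdoc renders in the README. `tunnels` deserves the same look: it returns the whole `google_compute_vpn_tunnel` resources, which carry the shared secret attribute if the provider exposes it, while `tunnel_names` and `tunnel_self_links` already give callers what they normally need.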


@ -14,18 +14,18 @@
* limitations under the License.
*/
variable "gateway_address_create" {
description = "Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable."
type = bool
default = true
}
variable "gateway_address" {
description = "Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false."
type = string
default = ""
}
variable "gateway_address_create" {
description = "Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable."
type = bool
default = true
}
variable "name" {
description = "VPN gateway name, and prefix used for dependent resources."
type = string


@ -73,14 +73,6 @@ output "self_link" {
value = local.vpn_gateway
}
output "tunnels" {
description = "VPN tunnel resources."
value = {
for name in keys(var.tunnels) :
name => try(google_compute_vpn_tunnel.tunnels[name], null)
}
}
output "tunnel_names" {
description = "VPN tunnel names."
value = {
@ -96,3 +88,11 @@ output "tunnel_self_links" {
name => try(google_compute_vpn_tunnel.tunnels[name].self_link, null)
}
}
output "tunnels" {
description = "VPN tunnel resources."
value = {
for name in keys(var.tunnels) :
name => try(google_compute_vpn_tunnel.tunnels[name], null)
}
}


@ -19,18 +19,6 @@ variable "name" {
type = string
}
variable "vpn_gateway_create" {
description = "Create HA VPN Gateway."
type = bool
default = true
}
variable "vpn_gateway" {
description = "HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`."
type = string
default = null
}
variable "network" {
description = "VPC used for the gateway and routes."
type = string
@ -122,3 +110,15 @@ variable "tunnels" {
}))
default = {}
}
variable "vpn_gateway" {
description = "HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`."
type = string
default = null
}
variable "vpn_gateway_create" {
description = "Create HA VPN Gateway."
type = bool
default = true
}


@ -29,19 +29,16 @@ output "name" {
value = google_compute_vpn_gateway.gateway.name
}
output "random_secret" {
description = "Generated secret."
value = local.secret
}
output "self_link" {
description = "VPN gateway self link."
value = google_compute_vpn_gateway.gateway.self_link
}
output "tunnels" {
description = "VPN tunnel resources."
value = {
for name in keys(var.tunnels) :
name => google_compute_vpn_tunnel.tunnels[name]
}
}
output "tunnel_names" {
description = "VPN tunnel names."
value = {
@ -58,7 +55,10 @@ output "tunnel_self_links" {
}
}
output "random_secret" {
description = "Generated secret."
value = local.secret
output "tunnels" {
description = "VPN tunnel resources."
value = {
for name in keys(var.tunnels) :
name => google_compute_vpn_tunnel.tunnels[name]
}
}
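Review bot: the `random_secret` output (`value = local.secret`) has no `sensitive = true`, so whatever secret the module generates — presumably the VPN pre-shared key — is echoed in plan/apply output and in the logs of any root module that re-exports it. A one-line `sensitive = true` in the block fixes that, and tfdoc will then show it in the README's `sensitive` column. Consider the same for `tunnels`, which exposes the full tunnel resources rather than just names and self links.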


@ -14,18 +14,18 @@
* limitations under the License.
*/
variable "gateway_address_create" {
description = "Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable."
type = bool
default = true
}
variable "gateway_address" {
description = "Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false."
type = string
default = ""
}
variable "gateway_address_create" {
description = "Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable."
type = bool
default = true
}
variable "name" {
description = "VPN gateway name, and prefix used for dependent resources."
type = string


@ -14,20 +14,25 @@
* limitations under the License.
*/
output "organization_id" {
description = "Organization id dependent on module resources."
value = var.organization_id
output "custom_role_id" {
description = "Map of custom role IDs created in the organization."
value = {
for role_id, role in google_organization_iam_custom_role.roles :
# build the string manually so that role IDs can be used as map
# keys (useful for folder/organization/project-level iam bindings)
(role_id) => "${var.organization_id}/roles/${role_id}"
}
depends_on = [
google_organization_iam_audit_config.config,
google_organization_iam_binding.authoritative,
google_organization_iam_custom_role.roles,
google_organization_iam_member.additive,
google_organization_iam_policy.authoritative,
google_organization_policy.boolean,
google_organization_policy.list
google_organization_iam_custom_role.roles
]
}
output "custom_roles" {
description = "Map of custom roles resources created in the organization."
value = google_organization_iam_custom_role.roles
}
output "firewall_policies" {
description = "Map of firewall policy resources created in the organization."
value = {
@ -44,27 +49,23 @@ output "firewall_policy_id" {
}
}
output "organization_id" {
description = "Organization id dependent on module resources."
value = var.organization_id
depends_on = [
google_organization_iam_audit_config.config,
google_organization_iam_binding.authoritative,
google_organization_iam_custom_role.roles,
google_organization_iam_member.additive,
google_organization_iam_policy.authoritative,
google_organization_policy.boolean,
google_organization_policy.list
]
}
output "sink_writer_identities" {
description = "Writer identities created for each sink."
value = {
for name, sink in google_logging_organization_sink.sink : name => sink.writer_identity
}
}
output "custom_roles" {
description = "Map of custom roles resources created in the organization."
value = google_organization_iam_custom_role.roles
}
output "custom_role_id" {
description = "Map of custom role IDs created in the organization."
value = {
for role_id, role in google_organization_iam_custom_role.roles :
# build the string manually so that role IDs can be used as map
# keys (useful for folder/organization/project-level iam bindings)
(role_id) => "${var.organization_id}/roles/${role_id}"
}
depends_on = [
google_organization_iam_custom_role.roles
]
}


@ -14,12 +14,42 @@
* limitations under the License.
*/
variable "contacts" {
description = "List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES"
type = map(list(string))
default = {}
}
variable "custom_roles" {
description = "Map of role name => list of permissions to create in this project."
type = map(list(string))
default = {}
}
variable "firewall_policies" {
description = "Hierarchical firewall policies to *create* in the organization."
type = map(map(object({
description = string
direction = string
action = string
priority = number
ranges = list(string)
ports = map(list(string))
target_service_accounts = list(string)
target_resources = list(string)
logging = bool
#preview = bool
})))
default = {}
}
variable "firewall_policy_attachments" {
description = "List of hierarchical firewall policy IDs to *attach* to the organization"
# set to avoid manual casting with toset()
type = map(string)
default = {}
}
variable "group_iam" {
description = "Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable."
type = map(list(string))
@ -72,6 +102,26 @@ variable "iam_bindings_authoritative" {
default = null
}
variable "logging_exclusions" {
description = "Logging exclusions for this organization in the form {NAME -> FILTER}."
type = map(string)
default = {}
}
variable "logging_sinks" {
description = "Logging sinks to create for this organization."
type = map(object({
destination = string
type = string
filter = string
iam = bool
include_children = bool
# TODO exclusions also support description and disabled
exclusions = map(string)
}))
default = {}
}
variable "organization_id" {
description = "Organization id in organizations/nnnnnn format."
type = string
@ -97,53 +147,3 @@ variable "policy_list" {
}))
default = {}
}
variable "firewall_policies" {
description = "Hierarchical firewall policies to *create* in the organization."
type = map(map(object({
description = string
direction = string
action = string
priority = number
ranges = list(string)
ports = map(list(string))
target_service_accounts = list(string)
target_resources = list(string)
logging = bool
#preview = bool
})))
default = {}
}
variable "firewall_policy_attachments" {
description = "List of hierarchical firewall policy IDs to *attach* to the organization"
# set to avoid manual casting with toset()
type = map(string)
default = {}
}
variable "logging_sinks" {
description = "Logging sinks to create for this organization."
type = map(object({
destination = string
type = string
filter = string
iam = bool
include_children = bool
# TODO exclusions also support description and disabled
exclusions = map(string)
}))
default = {}
}
variable "logging_exclusions" {
description = "Logging exclusions for this organization in the form {NAME -> FILTER}."
type = map(string)
default = {}
}
variable "contacts" {
description = "List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES"
type = map(list(string))
default = {}
}


@ -14,18 +14,12 @@
* limitations under the License.
*/
output "project_id" {
description = "Project id."
value = "${local.prefix}${var.name}"
depends_on = [
google_project.project,
data.google_project.project,
google_project_organization_policy.boolean,
google_project_organization_policy.list,
google_project_service.project_services,
google_compute_shared_vpc_service_project.service_projects,
google_kms_crypto_key_iam_member.crypto_key
]
output "custom_roles" {
description = "Ids of the created custom roles."
value = {
for name, role in google_project_iam_custom_role.roles :
name => role.id
}
}
output "name" {
@ -52,6 +46,20 @@ output "number" {
]
}
output "project_id" {
description = "Project id."
value = "${local.prefix}${var.name}"
depends_on = [
google_project.project,
data.google_project.project,
google_project_organization_policy.boolean,
google_project_organization_policy.list,
google_project_service.project_services,
google_compute_shared_vpc_service_project.service_projects,
google_kms_crypto_key_iam_member.crypto_key
]
}
output "service_accounts" {
description = "Product robot service accounts in project."
value = {
@ -66,14 +74,6 @@ output "service_accounts" {
]
}
output "custom_roles" {
description = "Ids of the created custom roles."
value = {
for name, role in google_project_iam_custom_role.roles :
name => role.id
}
}
output "sink_writer_identities" {
description = "Writer identities created for each sink."
value = {


@ -26,12 +26,24 @@ variable "billing_account" {
default = null
}
variable "contacts" {
description = "List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES"
type = map(list(string))
default = {}
}
variable "custom_roles" {
description = "Map of role name => list of permissions to create in this project."
type = map(list(string))
default = {}
}
variable "descriptive_name" {
description = "Name of the project name. Used for project name instead of `name` variable"
type = string
default = null
}
variable "group_iam" {
description = "Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable."
type = map(list(string))
@ -68,6 +80,26 @@ variable "lien_reason" {
default = ""
}
variable "logging_exclusions" {
description = "Logging exclusions for this project in the form {NAME -> FILTER}."
type = map(string)
default = {}
}
variable "logging_sinks" {
description = "Logging sinks to create for this project."
type = map(object({
destination = string
type = string
filter = string
iam = bool
unique_writer = bool
# TODO exclusions also support description and disabled
exclusions = map(string)
}))
default = {}
}
variable "name" {
description = "Project name and id suffix."
type = string
@ -130,12 +162,6 @@ variable "project_create" {
default = true
}
variable "services" {
description = "Service APIs to enable."
type = list(string)
default = []
}
variable "service_config" {
description = "Configure service API activation."
type = object({
@ -154,6 +180,24 @@ variable "service_encryption_key_ids" {
default = {}
}
variable "service_perimeter_bridges" {
description = "Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'."
type = list(string)
default = null
}
variable "service_perimeter_standard" {
description = "Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'."
type = string
default = null
}
variable "services" {
description = "Service APIs to enable."
type = list(string)
default = []
}
variable "shared_vpc_host_config" {
description = "Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project)."
type = object({
@ -177,47 +221,3 @@ variable "shared_vpc_service_config" {
host_project = ""
}
}
variable "logging_sinks" {
description = "Logging sinks to create for this project."
type = map(object({
destination = string
type = string
filter = string
iam = bool
unique_writer = bool
# TODO exclusions also support description and disabled
exclusions = map(string)
}))
default = {}
}
variable "logging_exclusions" {
description = "Logging exclusions for this project in the form {NAME -> FILTER}."
type = map(string)
default = {}
}
variable "contacts" {
description = "List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES"
type = map(list(string))
default = {}
}
variable "service_perimeter_standard" {
description = "Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'."
type = string
default = null
}
variable "service_perimeter_bridges" {
description = "Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'."
type = list(string)
default = null
}
variable "descriptive_name" {
description = "Name of the project name. Used for project name instead of `name` variable"
type = string
default = null
}


@ -22,14 +22,6 @@ output "id" {
]
}
output "subscriptions" {
description = "Subscription resources."
value = google_pubsub_subscription.default
depends_on = [
google_pubsub_subscription_iam_binding.default
]
}
output "subscription_id" {
description = "Subscription ids."
value = {
@ -40,6 +32,14 @@ output "subscription_id" {
]
}
output "subscriptions" {
description = "Subscription resources."
value = google_pubsub_subscription.default
depends_on = [
google_pubsub_subscription_iam_binding.default
]
}
output "topic" {
description = "Topic resource."
value = google_pubsub_topic.default


@ -62,18 +62,11 @@ variable "name" {
type = string
}
variable "regions" {
description = "List of regions used to set persistence policy."
type = list(string)
default = []
}
variable "project_id" {
description = "Project used for resources."
type = string
}
variable "push_configs" {
description = "Push subscription configurations."
type = map(object({
@ -87,6 +80,18 @@ variable "push_configs" {
default = {}
}
variable "regions" {
description = "List of regions used to set persistence policy."
type = list(string)
default = []
}
variable "subscription_iam" {
description = "IAM bindings for subscriptions in {SUBSCRIPTION => {ROLE => [MEMBERS]}} format."
type = map(map(list(string)))
default = {}
}
variable "subscriptions" {
description = "Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null."
type = map(object({
@ -100,9 +105,3 @@ variable "subscriptions" {
}))
default = {}
}
variable "subscription_iam" {
description = "IAM bindings for subscriptions in {SUBSCRIPTION => {ROLE => [MEMBERS]}} format."
type = map(map(list(string)))
default = {}
}


@ -26,14 +26,14 @@ output "secrets" {
value = google_secret_manager_secret.default
}
output "versions" {
description = "Secret versions."
value = google_secret_manager_secret_version.default
}
output "version_ids" {
description = "Version ids keyed by secret name : version name."
value = {
for k, v in google_secret_manager_secret_version.default : k => v.id
}
}
output "versions" {
description = "Secret versions."
value = google_secret_manager_secret_version.default
}
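Review bot: `versions` returns the complete `google_secret_manager_secret_version.default` resources, which — going by the provider schema — include the payload written to each version (`secret_data`), yet the output block carries no `sensitive = true`. The provider's sensitivity marking propagates through child modules, but any root module that re-exports this output has to add the flag itself, and the README's `sensitive` column stays empty. Suggest `sensitive = true` on this output, and point callers that only need references at the `version_ids` output already exported in this file.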


@ -26,17 +26,17 @@ variable "labels" {
default = {}
}
variable "project_id" {
description = "Project id where the keyring will be created."
type = string
}
variable "secrets" {
description = "Map of secrets to manage and their locations. If locations is null, automatic management will be set."
type = map(list(string))
default = {}
}
variable "project_id" {
description = "Project id where the keyring will be created."
type = string
}
variable "versions" {
description = "Optional versions to manage for each secret. Version names are only used internally to track individual versions."
type = map(map(object({


@ -37,14 +37,6 @@ output "namespace" {
]
}
output "services" {
description = "Service resources."
value = google_service_directory_service.default
depends_on = [
google_service_directory_service_iam_binding.default
]
}
output "service_id" {
description = "Service ids (short names)."
value = {
@ -64,3 +56,11 @@ output "service_names" {
google_service_directory_service_iam_binding.default
]
}
output "services" {
description = "Service resources."
value = google_service_directory_service.default
depends_on = [
google_service_directory_service_iam_binding.default
]
}


@ -14,11 +14,6 @@
* limitations under the License.
*/
variable "project_id" {
description = "Project used for resources."
type = string
}
variable "iam" {
description = "IAM bindings in {ROLE => [MEMBERS]} format."
type = map(list(string))
@ -29,3 +24,8 @@ variable "name" {
description = "Repository name."
type = string
}
variable "project_id" {
description = "Project used for resources."
type = string
}


@ -14,11 +14,6 @@
* limitations under the License.
*/
output "access_policy_name" {
description = "Access Policy resource"
value = local.access_policy_name
}
output "access_levels" {
description = "Access Levels."
value = {
@ -27,6 +22,11 @@ output "access_levels" {
}
}
output "access_policy_name" {
description = "Access Policy resource"
value = local.access_policy_name
}
output "organization_id" {
description = "Organization id dependent on module resources."
value = var.organization_id
@ -35,14 +35,6 @@ output "organization_id" {
]
}
output "perimeters_standard" {
description = "VPC-SC standard perimeter resources."
value = {
for key, value in google_access_context_manager_service_perimeter.standard :
key => value
}
}
output "perimeters_bridge" {
description = "VPC-SC bridge perimeter resources."
value = {
@ -50,3 +42,11 @@ output "perimeters_bridge" {
key => value
}
}
output "perimeters_standard" {
description = "VPC-SC standard perimeter resources."
value = {
for key, value in google_access_context_manager_service_perimeter.standard :
key => value
}
}


@ -14,6 +14,12 @@
* limitations under the License.
*/
variable "access_level_perimeters" {
description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
type = map(map(list(string)))
default = {}
}
variable "access_levels" {
description = "Map of Access Levels to be created. For each Access Level you can specify 'ip_subnetworks, required_access_levels, members, negate or regions'."
type = map(object({
@ -41,12 +47,6 @@ variable "access_policy_name" {
default = null
}
variable "access_level_perimeters" {
description = "Enforced mode -> Access Level -> Perimeters mapping. Enforced mode can be 'enforced' or 'dry_run'"
type = map(map(list(string)))
default = {}
}
variable "access_policy_title" {
description = "Access Policy title to be created."
type = string
@ -80,6 +80,12 @@ variable "organization_id" {
type = string
}
variable "perimeter_projects" {
description = "Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'."
type = map(map(list(number)))
default = {}
}
variable "perimeters" {
description = "Set of Perimeters."
type = map(object({
@ -95,9 +101,3 @@ variable "perimeters" {
}))
default = {}
}
variable "perimeter_projects" {
description = "Perimeter -> Enforced Mode -> Projects Number mapping. Enforced mode can be 'enforced' or 'dry_run'."
type = map(map(list(number)))
default = {}
}


@ -12,6 +12,24 @@
# See the License for the specific language governing permissions and
# limitations under the License.
output "fw_rules" {
description = "Firewall rules."
value = {
prod = {
ingress_allow_rules = module.vpc-firewall-prod.ingress_allow_rules
ingress_deny_rules = module.vpc-firewall-prod.ingress_deny_rules
egress_allow_rules = module.vpc-firewall-prod.egress_allow_rules
egress_deny_rules = module.vpc-firewall-prod.egress_deny_rules
}
dev = {
ingress_allow_rules = module.vpc-firewall-dev.ingress_allow_rules
ingress_deny_rules = module.vpc-firewall-dev.ingress_deny_rules
egress_allow_rules = module.vpc-firewall-dev.egress_allow_rules
egress_deny_rules = module.vpc-firewall-dev.egress_deny_rules
}
}
}
output "projects" {
description = "Project ids."
value = {
@ -33,21 +51,3 @@ output "vpc" {
}
}
}
output "fw_rules" {
description = "Firewall rules."
value = {
prod = {
ingress_allow_rules = module.vpc-firewall-prod.ingress_allow_rules
ingress_deny_rules = module.vpc-firewall-prod.ingress_deny_rules
egress_allow_rules = module.vpc-firewall-prod.egress_allow_rules
egress_deny_rules = module.vpc-firewall-prod.egress_deny_rules
}
dev = {
ingress_allow_rules = module.vpc-firewall-dev.ingress_allow_rules
ingress_deny_rules = module.vpc-firewall-dev.ingress_deny_rules
egress_allow_rules = module.vpc-firewall-dev.egress_allow_rules
egress_deny_rules = module.vpc-firewall-dev.egress_deny_rules
}
}
}


@ -17,11 +17,30 @@ variable "billing_account_id" {
type = string
}
variable "ip_ranges" {
description = "Subnet IP CIDR ranges."
type = map(string)
default = {
prod = "10.0.16.0/24"
dev = "10.0.32.0/24"
}
}
variable "prefix" {
description = "Prefix used for resources that need unique names."
type = string
}
variable "project_services" {
description = "Service APIs enabled by default in new projects."
type = list(string)
default = [
"container.googleapis.com",
"dns.googleapis.com",
"stackdriver.googleapis.com",
]
}
variable "region" {
description = "Region used."
type = string
@ -32,22 +51,3 @@ variable "root_node" {
description = "Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'."
type = string
}
variable "ip_ranges" {
description = "Subnet IP CIDR ranges."
type = map(string)
default = {
prod = "10.0.16.0/24"
dev = "10.0.32.0/24"
}
}
variable "project_services" {
description = "Service APIs enabled by default in new projects."
type = list(string)
default = [
"container.googleapis.com",
"dns.googleapis.com",
"stackdriver.googleapis.com",
]
}


@ -33,5 +33,5 @@ You can optionally deploy the Squid server as [Managed Instance Group](https://c
| name | description | sensitive |
|---|---|:---:|
| squid-address | None | |
| squid-address | IP address of the Squid proxy. | |
<!-- END TFDOC -->


@ -15,5 +15,6 @@
*/
output "squid-address" {
value = local.squid_address
description = "IP address of the Squid proxy."
value = local.squid_address
}


@ -14,27 +14,20 @@
* limitations under the License.
*/
variable "allowed_domains" {
description = "List of domains allowed by the squid proxy."
type = list(string)
default = [
".google.com",
".github.com"
]
}
variable "billing_account" {
description = "Billing account id used as default for new projects."
type = string
}
variable "prefix" {
description = "Prefix used for resources that need unique names."
type = string
}
variable "root_node" {
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
type = string
}
variable "region" {
description = "Default region for resources"
type = string
default = "europe-west1"
}
variable "cidrs" {
description = "CIDR ranges for subnets"
type = map(string)
@ -44,23 +37,30 @@ variable "cidrs" {
}
}
variable "nat_logging" {
description = "Enables Cloud NAT logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'."
type = string
default = "ERRORS_ONLY"
}
variable "mig" {
description = "Enables the creation of an autoscaling managed instance group of squid instances."
type = bool
default = false
}
variable "allowed_domains" {
description = "List of domains allowed by the squid proxy."
type = list(string)
default = [
".google.com",
".github.com"
]
variable "nat_logging" {
description = "Enables Cloud NAT logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'."
type = string
default = "ERRORS_ONLY"
}
variable "prefix" {
description = "Prefix used for resources that need unique names."
type = string
}
variable "region" {
description = "Default region for resources"
type = string
default = "europe-west1"
}
variable "root_node" {
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
type = string
}


@ -12,15 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
variable "bgp_custom_advertisements" {
description = "BGP custom advertisement IP CIDR ranges."
type = map(string)
default = {
hub-to-spoke-1 = "10.0.32.0/20"
hub-to-spoke-2 = "10.0.16.0/20"
}
}
variable "bgp_asn" {
description = "BGP ASNs."
type = map(number)
@ -31,6 +22,15 @@ variable "bgp_asn" {
}
}
variable "bgp_custom_advertisements" {
description = "BGP custom advertisement IP CIDR ranges."
type = map(string)
default = {
hub-to-spoke-1 = "10.0.32.0/20"
hub-to-spoke-2 = "10.0.16.0/20"
}
}
variable "bgp_interface_ranges" {
description = "BGP interface IP CIDR ranges."
type = map(string)


@ -40,6 +40,12 @@ variable "dns_forwarder_address" {
default = "10.0.0.2"
}
variable "forwarder_address" {
description = "GCP DNS inbound policy forwarder address."
type = string
default = "10.0.0.2"
}
variable "ip_ranges" {
description = "IP CIDR ranges."
type = map(string)
@ -64,12 +70,6 @@ variable "region" {
}
}
variable "forwarder_address" {
description = "GCP DNS inbound policy forwarder address."
type = string
default = "10.0.0.2"
}
variable "ssh_source_ranges" {
description = "IP CIDR ranges that will be allowed to connect via SSH to the onprem instance."
type = list(string)


@ -30,6 +30,13 @@ output "projects" {
}
}
output "vms" {
description = "GCE VMs."
value = {
(module.vm-bastion.instance.name) = module.vm-bastion.internal_ip
}
}
output "vpc" {
description = "Shared VPC."
value = {
@ -38,10 +45,3 @@ output "vpc" {
}
}
output "vms" {
description = "GCE VMs."
value = {
(module.vm-bastion.instance.name) = module.vm-bastion.internal_ip
}
}


@ -25,34 +25,60 @@ BASEDIR = pathlib.Path(__file__).resolve().parents[1]
class DocState(enum.Enum):
MISSING = 1
OK = 2
STALE = 3
UNKNOWN = 4
OK = 1
FAIL = 2
UNKNOWN = 3
def __str__(self):
return {1: '', 2: '', 3: '!', 4: '?'}[self.value]
return {
self.FAIL.value: '',
self.OK.value: '',
self.UNKNOWN.value: '?'
}[self.value]
def check_path(pathname):
path = BASEDIR / pathname
subpaths = sorted(list(path.iterdir()))
for subpath in subpaths:
errors = []
if not subpath.is_dir():
continue
if subpath.stem.startswith('_'):
continue
doc = subpath / 'README.md'
if not doc.exists():
yield DocState.MISSING, subpath.stem
continue
errors.append(f'{doc} does not exist')
variables = tfdoc.get_variables(subpath)
variable_names = [v.name for v in variables]
for variable in variables:
if not variable.description:
errors.append(f'variable {variable.name} has no description')
if sorted(variable_names) != variable_names:
message = f'variable order should be: {sorted(variable_names)}'
errors.append(message)
outputs = tfdoc.get_outputs(subpath)
output_names = [v.name for v in outputs]
for output in outputs:
if not output.description:
errors.append(f'output {output.name} has no description')
if sorted(output_names) != output_names:
message = f'output order should be: {sorted(output_names)}'
errors.append(message)
state = tfdoc.check_state(subpath)
if state is False:
yield DocState.STALE, subpath.stem
errors.append("documentation is out of date")
elif state:
yield DocState.OK, subpath.stem
pass
else:
yield DocState.UNKNOWN, subpath.stem
yield DocState.UNKNOWN, subpath.stem, errors
continue
yield DocState.FAIL if errors else DocState.OK, subpath.stem, errors
@click.command()
@ -62,10 +88,12 @@ def main(paths):
error = False
for path in paths:
print(f'checking {path}')
for state, name in check_path(path):
if state in (DocState.MISSING, DocState.STALE):
for state, name, errors in check_path(path):
if state == DocState.FAIL:
error = True
print(f' [{state}] {name}')
for error in errors:
print(f' {error}')
if error:
print('errors were present')
sys.exit(1)
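Review bot: In `main`, the new `for error in errors:` loop shadows the `error` flag, and the non-zero exit for modules that `check_path` reports as `DocState.UNKNOWN` together with a non-empty `errors` list (missing README, missing descriptions, ordering) currently depends on that accident: the explicit `if state == DocState.FAIL:` never sets the flag for them, only the leftover loop variable does. Renaming the loop variable would silently turn those into exit 0, so make the rule explicit: `if state == DocState.FAIL or errors:` for the flag, and `for message in errors:` / `print(f'    {message}')` for the listing. `main`'s signature and the start of its body are outside the hunk. A short docstring on `check_path` saying it yields `(DocState, module name, list of error strings)` per module would also help, since the tuple shape changed in this commit.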


@ -28,7 +28,7 @@ MARK_BEGIN = '<!-- BEGIN TFDOC -->'
MARK_END = '<!-- END TFDOC -->'
RE_OUTPUTS = re.compile(r'''(?smx)
(?:^\s*output\s*"([^"]+)"\s*\{$) |
(?:^\s*description\s*=\s*"([^"]+)"\s*$) |
(?:^\s*description\s*=\s*"((?:[^"\\]|\\")+)"\s*$) |
(?:^\s*sensitive\s*=\s*(\S+)\s*$)
''')
RE_TYPE = re.compile(r'([\(\{\}\)])')
@ -42,7 +42,7 @@ RE_VARIABLES = re.compile(r'''(?smx)
# variable declaration start
(?:^\s*variable\s*"([^"]+)"\s*\{$) |
# variable description start
(?:^\s*description\s*=\s*"([^"]+)"\s*$) |
(?:^\s*description\s*=\s*"((?:[^"\\]|\\")+)"\s*$) |
# variable type start
(?:^\s*type\s*=\s*(.*?)$) |
# variable default start