Fix data platform roles (#1725)
* Fix Data Platform roles * Fix README * Fix blueprint tests * Update cleanup dp steps --------- Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
parent
4b15605711
commit
6889f02954
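--- a/PATH_NOT_SHOWN_ON_PAGE/section-1
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-1
@@ -17,7 +17,8 @@
 locals {
 load_iam = {
 data_engineers = [
-"roles/dataflow.admin"
+"roles/dataflow.admin",
+"roles/dataflow.developer"
 ]
 robots_dataflow_load = [
 "roles/storage.objectAdmin"
@@ -54,6 +55,7 @@ module "load-project" {
 "cloudkms.googleapis.com",
 "compute.googleapis.com",
 "dataflow.googleapis.com",
+"datalineage.googleapis.com",
 "dlp.googleapis.com",
 "pubsub.googleapis.com",
 "servicenetworking.googleapis.com",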
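Review bot: `"roles/dataflow.developer"` is added to `data_engineers` right next to the existing `"roles/dataflow.admin"`; as far as I recall the admin role already carries every developer permission, so the second grant widens nothing and only obscures which role the group actually relies on. If both are kept on purpose (for example so admin can be dropped later without breaking job submission), a one-line comment such as `# developer kept explicitly so admin can be removed once jobs no longer need its storage/compute permissions` would make that visible; otherwise drop one of the two. The `load_iam` local continues outside the hunk.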
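--- a/PATH_NOT_SHOWN_ON_PAGE/section-2
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-2
@@ -69,6 +69,7 @@ module "orch-sa-cmp-0" {
 
 resource "google_composer_environment" "orch-cmp-0" {
 count = var.composer_config.disable_deployment == true ? 0 : 1
+provider = google-beta
 project = module.orch-project.project_id
 name = "${var.prefix}-orc-cmp-0"
 region = var.region
@@ -78,6 +79,9 @@ resource "google_composer_environment" "orch-cmp-0" {
 pypi_packages = try(var.composer_config.software_config.pypi_packages, null)
 env_variables = local.env_variables
 image_version = try(var.composer_config.software_config.image_version, null)
+cloud_data_lineage_integration {
+enabled = var.composer_config.software_config.cloud_data_lineage_integration
+}
 }
 dynamic "workloads_config" {
 for_each = (try(var.composer_config.workloads_config, null) != null ? { 1 = 1 } : {})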
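Review bot: The new `cloud_data_lineage_integration` block turns lineage on by default (the variables.tf hunk on this page defaults the attribute to `true`), yet nothing in the commit tells an operator that the environment will now publish lineage to the Data Lineage API that the `module "orch-project"` hunk enables, or how to opt out. A short comment above the block, e.g. `# Lineage is enabled by default; set composer_config.software_config.cloud_data_lineage_integration = false to opt out`, would cover that. Reading the attribute without the `try()` used on the neighbouring `pypi_packages` and `image_version` lines is acceptable only because the variable declares it `optional(bool, true)`; if that default is ever removed this line will fail on a partial `software_config`. The `google_composer_environment` resource continues beyond the hunk.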
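--- a/PATH_NOT_SHOWN_ON_PAGE/section-3
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-3
@@ -21,10 +21,13 @@ locals {
 "roles/bigquery.dataEditor",
 "roles/bigquery.jobUser",
 "roles/cloudbuild.builds.editor",
+"roles/composer.admin",
+"roles/composer.user",
 "roles/composer.environmentAndStorageObjectAdmin",
 "roles/iam.serviceAccountUser",
 "roles/iap.httpsResourceAccessor",
-"roles/serviceusage.serviceUsageConsumer"
+"roles/serviceusage.serviceUsageConsumer",
+"roles/storage.objectAdmin"
 ]
 robots_cloudbuild = [
 "roles/storage.objectAdmin"
@@ -33,6 +36,10 @@ locals {
 "roles/composer.ServiceAgentV2Ext",
 "roles/storage.objectAdmin"
 ]
+sa_df_build = [
+"roles/cloudbuild.serviceAgent",
+"roles/storage.objectAdmin"
+]
 sa_load = [
 "roles/artifactregistry.reader",
 "roles/bigquery.dataEditor",
@@ -63,9 +70,7 @@ module "orch-project" {
 )
 iam = local.use_projects ? {} : local.orch_iam_auth
 iam_bindings_additive = !local.use_projects ? {} : local.orch_iam_additive
-compute_metadata = {
-enable-oslogin = "false"
-}
 services = concat(var.project_services, [
 "artifactregistry.googleapis.com",
 "bigquery.googleapis.com",
@@ -79,6 +84,7 @@ module "orch-project" {
 "containerregistry.googleapis.com",
 "artifactregistry.googleapis.com",
 "dataflow.googleapis.com",
+"datalineage.googleapis.com",
 "orgpolicy.googleapis.com",
 "pubsub.googleapis.com",
 "servicenetworking.googleapis.com",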
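Review bot: `"roles/cloudbuild.serviceAgent"` in the new `sa_df_build` list is the service-agent role meant for the Google-managed Cloud Build account; bound to a user-managed service account it grants a great deal more than submitting and running builds, so unless whatever this account builds needs those extra permissions, `"roles/cloudbuild.builds.builder",` is the narrower grant. In the first hunk `data_engineers` now carries `roles/composer.admin`, `roles/composer.user` and `roles/composer.environmentAndStorageObjectAdmin` together, where admin already subsumes the other two, plus a project-wide `roles/storage.objectAdmin` for the whole group; trimming to the roles the group actually exercises, or adding a comment stating why the broader ones are kept, would make the intent reviewable. Both the `locals` block and `module "orch-project"` extend beyond the hunks shown.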
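--- a/PATH_NOT_SHOWN_ON_PAGE/section-4
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-4
@@ -19,12 +19,14 @@ locals {
 data_analysts = [
 "roles/bigquery.dataViewer",
 "roles/bigquery.jobUser",
+"roles/datacatalog.tagTemplateViewer",
 "roles/datacatalog.viewer",
 "roles/storage.objectViewer"
 ]
 data_engineers = [
 "roles/bigquery.dataViewer",
 "roles/bigquery.jobUser",
+"roles/datacatalog.tagTemplateViewer",
 "roles/datacatalog.viewer",
 "roles/storage.objectViewer"
 ]
@@ -41,10 +43,13 @@ locals {
 data_engineers = [
 "roles/bigquery.dataViewer",
 "roles/bigquery.jobUser",
+"roles/datacatalog.tagTemplateViewer",
 "roles/datacatalog.viewer",
 "roles/storage.objectViewer"
 ]
 sa_load = [
+"roles/bigquery.dataOwner",
+"roles/bigquery.jobUser",
 "roles/storage.objectCreator"
 ]
 sa_transf_bq = [
@@ -52,9 +57,7 @@ locals {
 "roles/datacatalog.categoryAdmin"
 ]
 sa_transf_df = [
-"roles/bigquery.dataOwner",
-"roles/bigquery.dataViewer",
-"roles/bigquery.jobUser"
+"roles/bigquery.dataViewer"
 ]
 }
 }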
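Review bot: `sa_load` gains `"roles/bigquery.dataOwner",` in the second hunk, a role that beyond writing data also allows updating or deleting the datasets and changing their access policy; the orchestration section on this same page grants the same account `roles/bigquery.dataEditor`, which already covers table creation, loads and table deletion without dataset-level control. Unless the load jobs create or reconfigure datasets themselves, `"roles/bigquery.dataEditor",` here would keep the warehouse grant aligned with that narrower contract. Dropping `dataOwner` from `sa_transf_df` in the last hunk goes in the right direction. The `locals` block starts outside the first hunk.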
@ -228,7 +228,7 @@ module "data-platform" {
|
||||||
}
|
}
|
||||||
prefix = "myprefix"
|
prefix = "myprefix"
|
||||||
}
|
}
|
||||||
# tftest modules=43 resources=279
|
# tftest modules=43 resources=290
|
||||||
```
|
```
|
||||||
|
|
||||||
## Customizations
|
## Customizations
|
||||||
|
@ -255,24 +255,43 @@ Once you have identified the required project granularity for your use case, we
|
||||||
The application layer is out of scope of this script. As a demo purpuse only, several Cloud Composer DAGs are provided. Demos will import data from the `drop off` area to the `Data Warehouse Confidential` dataset suing different features.
|
The application layer is out of scope of this script. As a demo purpuse only, several Cloud Composer DAGs are provided. Demos will import data from the `drop off` area to the `Data Warehouse Confidential` dataset suing different features.
|
||||||
|
|
||||||
You can find examples in the `[demo](./demo)` folder.
|
You can find examples in the `[demo](./demo)` folder.
|
||||||
|
|
||||||
|
## Cleanup
|
||||||
|
|
||||||
|
If you want to destroy the Data Platform deployment, follow these steps.
|
||||||
|
|
||||||
|
**ATTENTION**: The following procedure will permanently delete all of your data in an irreversible manner.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# remove GCS buckets and BQ dataset manually. Projects will be destroyed anyway
|
||||||
|
for x in $(terraform state list | grep google_storage_bucket.bucket); do
|
||||||
|
terraform state rm "$x";
|
||||||
|
done
|
||||||
|
|
||||||
|
for x in $(terraform state list | grep google_bigquery_dataset); do
|
||||||
|
terraform state rm "$x";
|
||||||
|
done
|
||||||
|
|
||||||
|
terraform destroy
|
||||||
|
```
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [organization_domain](variables.tf#L164) | Organization domain. | <code>string</code> | ✓ | |
|
| [organization_domain](variables.tf#L165) | Organization domain. | <code>string</code> | ✓ | |
|
||||||
| [prefix](variables.tf#L169) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
| [prefix](variables.tf#L170) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||||
| [project_config](variables.tf#L178) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = optional(string, null) parent = string project_ids = optional(object({ drop = string load = string orc = string trf = string dwh-lnd = string dwh-cur = string dwh-conf = string common = string exp = string }), { drop = "drp" load = "lod" orc = "orc" trf = "trf" dwh-lnd = "dwh-lnd" dwh-cur = "dwh-cur" dwh-conf = "dwh-conf" common = "cmn" exp = "exp" } ) })">object({…})</code> | ✓ | |
|
| [project_config](variables.tf#L179) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = optional(string, null) parent = string project_ids = optional(object({ drop = string load = string orc = string trf = string dwh-lnd = string dwh-cur = string dwh-conf = string common = string exp = string }), { drop = "drp" load = "lod" orc = "orc" trf = "trf" dwh-lnd = "dwh-lnd" dwh-cur = "dwh-cur" dwh-conf = "dwh-conf" common = "cmn" exp = "exp" } ) })">object({…})</code> | ✓ | |
|
||||||
| [composer_config](variables.tf#L17) | Cloud Composer config. | <code title="object({ disable_deployment = optional(bool) environment_size = optional(string, "ENVIRONMENT_SIZE_SMALL") software_config = optional( object({ airflow_config_overrides = optional(any) pypi_packages = optional(any) env_variables = optional(map(string)) image_version = string }), { image_version = "composer-2-airflow-2" } ) workloads_config = optional( object({ scheduler = optional( object({ cpu = number memory_gb = number storage_gb = number count = number }), { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 count = 1 } ) web_server = optional( object({ cpu = number memory_gb = number storage_gb = number }), { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 } ) worker = optional( object({ cpu = number memory_gb = number storage_gb = number min_count = number max_count = number }), { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 min_count = 1 max_count = 3 } ) })) })">object({…})</code> | | <code title="{ environment_size = "ENVIRONMENT_SIZE_SMALL" software_config = { image_version = "composer-2-airflow-2" } workloads_config = { scheduler = { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 count = 1 } web_server = { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 } worker = { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 min_count = 1 max_count = 3 } } }">{…}</code> |
|
| [composer_config](variables.tf#L17) | Cloud Composer config. | <code title="object({ disable_deployment = optional(bool) environment_size = optional(string, "ENVIRONMENT_SIZE_SMALL") software_config = optional( object({ airflow_config_overrides = optional(any) pypi_packages = optional(any) env_variables = optional(map(string)) image_version = string cloud_data_lineage_integration = optional(bool, true) }), { image_version = "composer-2-airflow-2" } ) workloads_config = optional( object({ scheduler = optional( object({ cpu = number memory_gb = number storage_gb = number count = number }), { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 count = 1 } ) web_server = optional( object({ cpu = number memory_gb = number storage_gb = number }), { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 } ) worker = optional( object({ cpu = number memory_gb = number storage_gb = number min_count = number max_count = number }), { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 min_count = 1 max_count = 3 } ) })) })">object({…})</code> | | <code title="{ environment_size = "ENVIRONMENT_SIZE_SMALL" software_config = { image_version = "composer-2-airflow-2" } workloads_config = { scheduler = { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 count = 1 } web_server = { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 } worker = { cpu = 0.5 memory_gb = 1.875 storage_gb = 1 min_count = 1 max_count = 3 } } }">{…}</code> |
|
||||||
| [data_catalog_tags](variables.tf#L105) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | <code title="map(object({ description = optional(string) iam = optional(map(list(string)), {}) }))">map(object({…}))</code> | | <code title="{ "3_Confidential" = {} "2_Private" = {} "1_Sensitive" = {} }">{…}</code> |
|
| [data_catalog_tags](variables.tf#L106) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | <code title="map(object({ description = optional(string) iam = optional(map(list(string)), {}) }))">map(object({…}))</code> | | <code title="{ "3_Confidential" = {} "2_Private" = {} "1_Sensitive" = {} }">{…}</code> |
|
||||||
| [data_force_destroy](variables.tf#L119) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | <code>bool</code> | | <code>false</code> |
|
| [data_force_destroy](variables.tf#L120) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | <code>bool</code> | | <code>false</code> |
|
||||||
| [groups](variables.tf#L125) | User groups. | <code>map(string)</code> | | <code title="{ data-analysts = "gcp-data-analysts" data-engineers = "gcp-data-engineers" data-security = "gcp-data-security" }">{…}</code> |
|
| [groups](variables.tf#L126) | User groups. | <code>map(string)</code> | | <code title="{ data-analysts = "gcp-data-analysts" data-engineers = "gcp-data-engineers" data-security = "gcp-data-security" }">{…}</code> |
|
||||||
| [location](variables.tf#L135) | Location used for multi-regional resources. | <code>string</code> | | <code>"eu"</code> |
|
| [location](variables.tf#L136) | Location used for multi-regional resources. | <code>string</code> | | <code>"eu"</code> |
|
||||||
| [network_config](variables.tf#L141) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | <code title="object({ host_project = string network_self_link = string subnet_self_links = object({ load = string transformation = string orchestration = string }) composer_ip_ranges = object({ cloudsql = string gke_master = string }) composer_secondary_ranges = object({ pods = string services = string }) })">object({…})</code> | | <code>null</code> |
|
| [network_config](variables.tf#L142) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | <code title="object({ host_project = string network_self_link = string subnet_self_links = object({ load = string transformation = string orchestration = string }) composer_ip_ranges = object({ cloudsql = string gke_master = string }) composer_secondary_ranges = object({ pods = string services = string }) })">object({…})</code> | | <code>null</code> |
|
||||||
| [project_services](variables.tf#L212) | List of core services enabled on all projects. | <code>list(string)</code> | | <code title="[ "cloudresourcemanager.googleapis.com", "iam.googleapis.com", "serviceusage.googleapis.com", "stackdriver.googleapis.com" ]">[…]</code> |
|
| [project_services](variables.tf#L213) | List of core services enabled on all projects. | <code>list(string)</code> | | <code title="[ "cloudresourcemanager.googleapis.com", "iam.googleapis.com", "serviceusage.googleapis.com", "stackdriver.googleapis.com" ]">[…]</code> |
|
||||||
| [project_suffix](variables.tf#L223) | Suffix used only for project ids. | <code>string</code> | | <code>null</code> |
|
| [project_suffix](variables.tf#L224) | Suffix used only for project ids. | <code>string</code> | | <code>null</code> |
|
||||||
| [region](variables.tf#L229) | Region used for regional resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
| [region](variables.tf#L230) | Region used for regional resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||||
| [service_encryption_keys](variables.tf#L235) | Cloud KMS to use to encrypt different services. Key location should match service region. | <code title="object({ bq = string composer = string dataflow = string storage = string pubsub = string })">object({…})</code> | | <code>null</code> |
|
| [service_encryption_keys](variables.tf#L236) | Cloud KMS to use to encrypt different services. Key location should match service region. | <code title="object({ bq = string composer = string dataflow = string storage = string pubsub = string })">object({…})</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
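Review bot: The new Cleanup section removes buckets and datasets from state with `terraform state rm`, which detaches them from Terraform rather than deleting them, so the ATTENTION sentence about permanent data loss only holds because the projects are destroyed afterwards; that dependency is worth stating in the text. The variables table on this same page documents `data_force_destroy`, which sets `force_destroy` on BigQuery and Cloud Storage, so the supported path appears to be `data_force_destroy = true` followed by an apply and then `terraform destroy`, with the state surgery kept as a fallback — a sentence to that effect before the code block would help. `grep google_bigquery_dataset` will also match any `google_bigquery_dataset_*` access or IAM resources present in state, and `for x in $(...)` word-splits the addresses, which is fine for these names but brittle if a resource key ever contains whitespace; `terraform state list | grep -E 'google_bigquery_dataset\.' | while read -r x; do terraform state rm "$x"; done` avoids both.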
|
|
|
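--- a/PATH_NOT_SHOWN_ON_PAGE/section-6
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-6
@@ -38,9 +38,6 @@ DWH_CURATED_GCS = Variable.get("DWH_CURATED_GCS")
 DWH_CONFIDENTIAL_PRJ = Variable.get("DWH_CONFIDENTIAL_PRJ")
 DWH_CONFIDENTIAL_BQ_DATASET = Variable.get("DWH_CONFIDENTIAL_BQ_DATASET")
 DWH_CONFIDENTIAL_GCS = Variable.get("DWH_CONFIDENTIAL_GCS")
-DWH_PLG_PRJ = Variable.get("DWH_PLG_PRJ")
-DWH_PLG_BQ_DATASET = Variable.get("DWH_PLG_BQ_DATASET")
-DWH_PLG_GCS = Variable.get("DWH_PLG_GCS")
 GCP_REGION = Variable.get("GCP_REGION")
 DRP_PRJ = Variable.get("DRP_PRJ")
 DRP_BQ = Variable.get("DRP_BQ")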
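--- a/PATH_NOT_SHOWN_ON_PAGE/section-7
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-7
@@ -39,9 +39,6 @@ DWH_CURATED_GCS = Variable.get("DWH_CURATED_GCS")
 DWH_CONFIDENTIAL_PRJ = Variable.get("DWH_CONFIDENTIAL_PRJ")
 DWH_CONFIDENTIAL_BQ_DATASET = Variable.get("DWH_CONFIDENTIAL_BQ_DATASET")
 DWH_CONFIDENTIAL_GCS = Variable.get("DWH_CONFIDENTIAL_GCS")
-DWH_PLG_PRJ = Variable.get("DWH_PLG_PRJ")
-DWH_PLG_BQ_DATASET = Variable.get("DWH_PLG_BQ_DATASET")
-DWH_PLG_GCS = Variable.get("DWH_PLG_GCS")
 GCP_REGION = Variable.get("GCP_REGION")
 DRP_PRJ = Variable.get("DRP_PRJ")
 DRP_BQ = Variable.get("DRP_BQ")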
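--- a/PATH_NOT_SHOWN_ON_PAGE/section-8
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-8
@@ -40,9 +40,6 @@ DWH_CURATED_GCS = Variable.get("DWH_CURATED_GCS")
 DWH_CONFIDENTIAL_PRJ = Variable.get("DWH_CONFIDENTIAL_PRJ")
 DWH_CONFIDENTIAL_BQ_DATASET = Variable.get("DWH_CONFIDENTIAL_BQ_DATASET")
 DWH_CONFIDENTIAL_GCS = Variable.get("DWH_CONFIDENTIAL_GCS")
-DWH_PLG_PRJ = Variable.get("DWH_PLG_PRJ")
-DWH_PLG_BQ_DATASET = Variable.get("DWH_PLG_BQ_DATASET")
-DWH_PLG_GCS = Variable.get("DWH_PLG_GCS")
 GCP_REGION = Variable.get("GCP_REGION")
 DRP_PRJ = Variable.get("DRP_PRJ")
 DRP_BQ = Variable.get("DRP_BQ")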
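--- a/PATH_NOT_SHOWN_ON_PAGE/section-9
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-9
@@ -39,9 +39,6 @@ DWH_CURATED_GCS = Variable.get("DWH_CURATED_GCS")
 DWH_CONFIDENTIAL_PRJ = Variable.get("DWH_CONFIDENTIAL_PRJ")
 DWH_CONFIDENTIAL_BQ_DATASET = Variable.get("DWH_CONFIDENTIAL_BQ_DATASET")
 DWH_CONFIDENTIAL_GCS = Variable.get("DWH_CONFIDENTIAL_GCS")
-DWH_PLG_PRJ = Variable.get("DWH_PLG_PRJ")
-DWH_PLG_BQ_DATASET = Variable.get("DWH_PLG_BQ_DATASET")
-DWH_PLG_GCS = Variable.get("DWH_PLG_GCS")
 GCP_REGION = Variable.get("GCP_REGION")
 DRP_PRJ = Variable.get("DRP_PRJ")
 DRP_BQ = Variable.get("DRP_BQ")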
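--- a/PATH_NOT_SHOWN_ON_PAGE/section-10
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-10
@@ -43,9 +43,6 @@ DWH_CURATED_GCS = Variable.get("DWH_CURATED_GCS")
 DWH_CONFIDENTIAL_PRJ = Variable.get("DWH_CONFIDENTIAL_PRJ")
 DWH_CONFIDENTIAL_BQ_DATASET = Variable.get("DWH_CONFIDENTIAL_BQ_DATASET")
 DWH_CONFIDENTIAL_GCS = Variable.get("DWH_CONFIDENTIAL_GCS")
-DWH_PLG_PRJ = Variable.get("DWH_PLG_PRJ")
-DWH_PLG_BQ_DATASET = Variable.get("DWH_PLG_BQ_DATASET")
-DWH_PLG_GCS = Variable.get("DWH_PLG_GCS")
 GCP_REGION = Variable.get("GCP_REGION")
 DRP_PRJ = Variable.get("DRP_PRJ")
 DRP_BQ = Variable.get("DRP_BQ")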
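--- a/PATH_NOT_SHOWN_ON_PAGE/section-11
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-11
@@ -50,6 +50,7 @@ locals {
 "cloudkms.googleapis.com",
 "compute.googleapis.com",
 "dataflow.googleapis.com",
+"datalineage.googleapis.com",
 "pubsub.googleapis.com",
 "servicenetworking.googleapis.com",
 "storage.googleapis.com",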
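--- a/PATH_NOT_SHOWN_ON_PAGE/section-12
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-12
@@ -43,6 +43,7 @@ locals {
 robots_composer = "serviceAccount:${module.orch-project.service_accounts.robots.composer}"
 robots_dataflow_load = "serviceAccount:${module.load-project.service_accounts.robots.dataflow}"
 robots_dataflow_trf = "serviceAccount:${module.transf-project.service_accounts.robots.dataflow}"
+sa_df_build = module.orch-sa-df-build.iam_email
 sa_drop_bq = module.drop-sa-bq-0.iam_email
 sa_drop_cs = module.drop-sa-cs-0.iam_email
 sa_drop_ps = module.drop-sa-ps-0.iam_email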
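--- a/PATH_NOT_SHOWN_ON_PAGE/section-13
+++ b/PATH_NOT_SHOWN_ON_PAGE/section-13
@@ -25,6 +25,7 @@ variable "composer_config" {
 pypi_packages = optional(any)
 env_variables = optional(map(string))
 image_version = string
+cloud_data_lineage_integration = optional(bool, true)
 }),
 { image_version = "composer-2-airflow-2" }
 )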
@ -2,108 +2,88 @@
|
||||||
|
|
||||||
Legend: <code>+</code> additive, <code>•</code> conditional.
|
Legend: <code>+</code> additive, <code>•</code> conditional.
|
||||||
|
|
||||||
## Project <i>dev-data-cmn-0</i>
|
## Project <i>cmn</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) |
|
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) |
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/dlp.estimatesAdmin](https://cloud.google.com/iam/docs/understanding-roles#dlp.estimatesAdmin) <br>[roles/dlp.reader](https://cloud.google.com/iam/docs/understanding-roles#dlp.reader) <br>[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/dlp.estimatesAdmin](https://cloud.google.com/iam/docs/understanding-roles#dlp.estimatesAdmin) <br>[roles/dlp.reader](https://cloud.google.com/iam/docs/understanding-roles#dlp.reader) <br>[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
||||||
|<b>gcp-data-security</b><br><small><i>group</i></small>|[roles/datacatalog.admin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.admin) <br>[roles/dlp.admin](https://cloud.google.com/iam/docs/understanding-roles#dlp.admin) |
|
|<b>gcp-data-security</b><br><small><i>group</i></small>|[roles/datacatalog.admin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.admin) <br>[roles/dlp.admin](https://cloud.google.com/iam/docs/understanding-roles#dlp.admin) |
|
||||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
|<b>load-df</b><br><small><i>serviceAccount</i></small>|[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
||||||
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/datacatalog.categoryFineGrainedReader](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryFineGrainedReader) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) |
|
|<b>trf-bq</b><br><small><i>serviceAccount</i></small>|[roles/datacatalog.categoryFineGrainedReader](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryFineGrainedReader) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) |
|
||||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/datacatalog.categoryFineGrainedReader](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryFineGrainedReader) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
|<b>trf-df</b><br><small><i>serviceAccount</i></small>|[roles/datacatalog.categoryFineGrainedReader](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryFineGrainedReader) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
||||||
|
|
||||||
## Project <i>dev-data-dtl-0-0</i>
|
## Project <i>drp</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/bigquery.metadataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.metadataViewer) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) |
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
|<b>drp-bq</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) |
|
||||||
|
|<b>drp-cs</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) |
|
||||||
|
|<b>drp-ps</b><br><small><i>serviceAccount</i></small>|[roles/pubsub.publisher](https://cloud.google.com/iam/docs/understanding-roles#pubsub.publisher) |
|
||||||
|
|<b>load-df</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|
|<b>orc-cmp</b><br><small><i>serviceAccount</i></small>|[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||||
|
|
||||||
|
## Project <i>dwh-conf</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||||
|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||||
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
||||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) |
|
|<b>trf-bq</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|
||||||
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/datacatalog.categoryAdmin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryAdmin) |
|
|<b>trf-df</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) |
|
|
||||||
|
|
||||||
## Project <i>dev-data-dtl-1-0</i>
|
## Project <i>dwh-cur</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/bigquery.metadataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.metadataViewer) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||||
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
||||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/datacatalog.categoryAdmin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryAdmin) |
|
|<b>trf-bq</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|
||||||
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|
|<b>trf-df</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
|
||||||
|
|
||||||
## Project <i>dev-data-dtl-2-0</i>
|
## Project <i>dwh-lnd</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/bigquery.metadataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.metadataViewer) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
|
||||||
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
||||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/datacatalog.categoryAdmin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryAdmin) |
|
|<b>load-df</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) |
|
||||||
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|
|<b>trf-bq</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/datacatalog.categoryAdmin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryAdmin) |
|
||||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner) <br>[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
|<b>trf-df</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) |
|
||||||
|
|
||||||
## Project <i>dev-data-dtl-plg-0</i>
|
## Project <i>lod</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/bigquery.metadataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.metadataViewer) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) <br>[roles/dataflow.developer](https://cloud.google.com/iam/docs/understanding-roles#dataflow.developer) |
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
|
||||||
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
|
||||||
|
|
||||||
## Project <i>dev-data-lnd-0</i>
|
|
||||||
|
|
||||||
| members | roles |
|
|
||||||
|---|---|
|
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/pubsub.editor](https://cloud.google.com/iam/docs/understanding-roles#pubsub.editor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
|
||||||
|<b>dev-data-lnd-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) |
|
|
||||||
|<b>dev-data-lnd-cs-0</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) |
|
|
||||||
|<b>dev-data-lnd-ps-0</b><br><small><i>serviceAccount</i></small>|[roles/pubsub.publisher](https://cloud.google.com/iam/docs/understanding-roles#pubsub.publisher) |
|
|
||||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|
||||||
|<b>dev-data-orc-cmp-0</b><br><small><i>serviceAccount</i></small>|[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
|
||||||
|
|
||||||
## Project <i>dev-data-lod-0</i>
|
|
||||||
|
|
||||||
| members | roles |
|
|
||||||
|---|---|
|
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/compute.viewer](https://cloud.google.com/iam/docs/understanding-roles#compute.viewer) <br>[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) <br>[roles/dataflow.developer](https://cloud.google.com/iam/docs/understanding-roles#dataflow.developer) <br>[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
|
|
||||||
|<b>SERVICE_IDENTITY_dataflow-service-producer-prod</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|<b>SERVICE_IDENTITY_dataflow-service-producer-prod</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
||||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) <br>[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|<b>load-df</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) <br>[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|<b>dev-data-orc-cmp-0</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|
|<b>orc-cmp</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|
||||||
|
|
||||||
## Project <i>dev-data-orc-0</i>
|
## Project <i>orc</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/cloudbuild.builds.editor](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.editor) <br>[roles/composer.admin](https://cloud.google.com/iam/docs/understanding-roles#composer.admin) <br>[roles/composer.environmentAndStorageObjectAdmin](https://cloud.google.com/iam/docs/understanding-roles#composer.environmentAndStorageObjectAdmin) <br>[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser) <br>[roles/iap.httpsResourceAccessor](https://cloud.google.com/iam/docs/understanding-roles#iap.httpsResourceAccessor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/artifactregistry.admin](https://cloud.google.com/iam/docs/understanding-roles#artifactregistry.admin) <br>[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/cloudbuild.builds.editor](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.editor) <br>[roles/composer.admin](https://cloud.google.com/iam/docs/understanding-roles#composer.admin) <br>[roles/composer.environmentAndStorageObjectAdmin](https://cloud.google.com/iam/docs/understanding-roles#composer.environmentAndStorageObjectAdmin) <br>[roles/composer.user](https://cloud.google.com/iam/docs/understanding-roles#composer.user) <br>[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser) <br>[roles/iap.httpsResourceAccessor](https://cloud.google.com/iam/docs/understanding-roles#iap.httpsResourceAccessor) <br>[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|<b>SERVICE_IDENTITY_cloudcomposer-accounts</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|<b>SERVICE_IDENTITY_cloudcomposer-accounts</b><br><small><i>serviceAccount</i></small>|[roles/composer.ServiceAgentV2Ext](https://cloud.google.com/iam/docs/understanding-roles#composer.ServiceAgentV2Ext) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|
|<b>SERVICE_IDENTITY_gcp-sa-cloudbuild</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
||||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
|<b>load-df</b><br><small><i>serviceAccount</i></small>|[roles/artifactregistry.reader](https://cloud.google.com/iam/docs/understanding-roles#artifactregistry.reader) <br>[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||||
|<b>dev-data-orc-cmp-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/composer.worker](https://cloud.google.com/iam/docs/understanding-roles#composer.worker) <br>[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|<b>orc-cmp</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/composer.worker](https://cloud.google.com/iam/docs/understanding-roles#composer.worker) <br>[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) |
|
|<b>orc-sa-df-build</b><br><small><i>serviceAccount</i></small>|[roles/cloudbuild.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.serviceAgent) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|
|<b>trf-df</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) |
|
||||||
|
|
||||||
## Project <i>dev-data-trf-0</i>
|
## Project <i>trf</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|
||||||
|<b>SERVICE_IDENTITY_dataflow-service-producer-prod</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|<b>SERVICE_IDENTITY_dataflow-service-producer-prod</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
|<b>SERVICE_IDENTITY_service-networking</b><br><small><i>serviceAccount</i></small>|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) <code>+</code>|
|
||||||
|<b>dev-data-orc-cmp-0</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|
|<b>orc-cmp</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|
||||||
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|
|<b>trf-bq</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|
||||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
|<b>trf-df</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||||
|
|
||||||
## Project <i>dev-net-spoke-0</i>
|
|
||||||
|
|
||||||
| members | roles |
|
|
||||||
|---|---|
|
|
||||||
|<b>PROJECT_CLOUD_SERVICES</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code>|
|
|
||||||
|<b>SERVICE_IDENTITY_cloudcomposer-accounts</b><br><small><i>serviceAccount</i></small>|[roles/composer.sharedVpcAgent](https://cloud.google.com/iam/docs/understanding-roles#composer.sharedVpcAgent) <code>+</code>|
|
|
||||||
|<b>SERVICE_IDENTITY_container-engine-robot</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code><br>[roles/container.hostServiceAgentUser](https://cloud.google.com/iam/docs/understanding-roles#container.hostServiceAgentUser) <code>+</code>|
|
|
||||||
|<b>SERVICE_IDENTITY_dataflow-service-producer-prod</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code><br>[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code><br>[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code><br>[roles/container.hostServiceAgentUser](https://cloud.google.com/iam/docs/understanding-roles#container.hostServiceAgentUser) <code>+</code>|
|
|
||||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code>|
|
|
||||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code>|
|
|
||||||
|
|
|
@ -185,22 +185,23 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data-
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object({ id = string is_org_level = optional(bool, true) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||||
| [folder_ids](variables.tf#L105) | Folder to be used for the networking resources in folders/nnnn format. | <code title="object({ data-platform-dev = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
| [folder_ids](variables.tf#L107) | Folder to be used for the networking resources in folders/nnnn format. | <code title="object({ data-platform-dev = string })">object({…})</code> | ✓ | | <code>1-resman</code> |
|
||||||
| [host_project_ids](variables.tf#L123) | Shared VPC project ids. | <code title="object({ dev-spoke-0 = string })">object({…})</code> | ✓ | | <code>2-networking</code> |
|
| [host_project_ids](variables.tf#L125) | Shared VPC project ids. | <code title="object({ dev-spoke-0 = string })">object({…})</code> | ✓ | | <code>2-networking</code> |
|
||||||
| [organization](variables.tf#L153) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-globals</code> |
|
| [organization](variables.tf#L155) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-globals</code> |
|
||||||
| [prefix](variables.tf#L169) | Unique prefix used for resource names. Not used for projects if 'project_create' is null. | <code>string</code> | ✓ | | <code>00-globals</code> |
|
| [prefix](variables.tf#L171) | Unique prefix used for resource names. Not used for projects if 'project_create' is null. | <code>string</code> | ✓ | | <code>00-globals</code> |
|
||||||
| [composer_config](variables.tf#L38) | Cloud Composer configuration options. | <code title="object({ disable_deployment = optional(bool) environment_size = string software_config = object({ airflow_config_overrides = optional(any) pypi_packages = optional(any) env_variables = optional(map(string)) image_version = string }) workloads_config = object({ scheduler = object( { cpu = number memory_gb = number storage_gb = number count = number } ) web_server = object( { cpu = number memory_gb = number storage_gb = number } ) worker = object( { cpu = number memory_gb = number storage_gb = number min_count = number max_count = number } ) }) })">object({…})</code> | | <code title="{ environment_size = "ENVIRONMENT_SIZE_SMALL" software_config = { image_version = "composer-2-airflow-2" } workloads_config = null }">{…}</code> | |
|
| [composer_config](variables.tf#L38) | Cloud Composer configuration options. | <code title="object({ disable_deployment = optional(bool) environment_size = string software_config = object({ airflow_config_overrides = optional(any) pypi_packages = optional(any) env_variables = optional(map(string)) image_version = string cloud_data_lineage_integration = optional(bool, true) }) workloads_config = object({ scheduler = object( { cpu = number memory_gb = number storage_gb = number count = number } ) web_server = object( { cpu = number memory_gb = number storage_gb = number } ) worker = object( { cpu = number memory_gb = number storage_gb = number min_count = number max_count = number } ) }) })">object({…})</code> | | <code title="{ environment_size = "ENVIRONMENT_SIZE_SMALL" software_config = { image_version = "composer-2-airflow-2" cloud_data_lineage_integration = true } workloads_config = null }">{…}</code> | |
|
||||||
| [data_catalog_tags](variables.tf#L85) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | <code title="map(object({ description = optional(string) iam = optional(map(list(string)), {}) }))">map(object({…}))</code> | | <code title="{ "3_Confidential" = {} "2_Private" = {} "1_Sensitive" = {} }">{…}</code> | |
|
| [data_catalog_tags](variables.tf#L87) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | <code title="map(object({ description = optional(string) iam = optional(map(list(string)), {}) }))">map(object({…}))</code> | | <code title="{ "3_Confidential" = {} "2_Private" = {} "1_Sensitive" = {} }">{…}</code> | |
|
||||||
| [data_force_destroy](variables.tf#L99) | Flag to set 'force_destroy' on data services like BigQery or Cloud Storage. | <code>bool</code> | | <code>false</code> | |
|
| [data_force_destroy](variables.tf#L101) | Flag to set 'force_destroy' on data services like BigQery or Cloud Storage. | <code>bool</code> | | <code>false</code> | |
|
||||||
| [groups](variables.tf#L113) | Groups. | <code>map(string)</code> | | <code title="{ data-analysts = "gcp-data-analysts" data-engineers = "gcp-data-engineers" data-security = "gcp-data-security" }">{…}</code> | |
|
| [groups-dp](variables.tf#L115) | Data Platform groups. | <code>map(string)</code> | | <code title="{ data-analysts = "gcp-data-analysts" data-engineers = "gcp-data-engineers" data-security = "gcp-data-security" }">{…}</code> | |
|
||||||
| [location](variables.tf#L131) | Location used for multi-regional resources. | <code>string</code> | | <code>"eu"</code> | |
|
| [location](variables.tf#L133) | Location used for multi-regional resources. | <code>string</code> | | <code>"eu"</code> | |
|
||||||
| [network_config_composer](variables.tf#L137) | Network configurations to use for Composer. | <code title="object({ cloudsql_range = string gke_master_range = string gke_pods_name = string gke_services_name = string })">object({…})</code> | | <code title="{ cloudsql_range = "192.168.254.0/24" gke_master_range = "192.168.255.0/28" gke_pods_name = "pods" gke_services_name = "services" }">{…}</code> | |
|
| [network_config_composer](variables.tf#L139) | Network configurations to use for Composer. | <code title="object({ cloudsql_range = string gke_master_range = string gke_pods_name = string gke_services_name = string })">object({…})</code> | | <code title="{ cloudsql_range = "192.168.254.0/24" gke_master_range = "192.168.255.0/28" gke_pods_name = "pods" gke_services_name = "services" }">{…}</code> | |
|
||||||
| [outputs_location](variables.tf#L163) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L165) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [project_services](variables.tf#L179) | List of core services enabled on all projects. | <code>list(string)</code> | | <code title="[ "cloudresourcemanager.googleapis.com", "iam.googleapis.com", "serviceusage.googleapis.com", "stackdriver.googleapis.com" ]">[…]</code> | |
|
| [project_services](variables.tf#L181) | List of core services enabled on all projects. | <code>list(string)</code> | | <code title="[ "cloudresourcemanager.googleapis.com", "iam.googleapis.com", "serviceusage.googleapis.com", "stackdriver.googleapis.com" ]">[…]</code> | |
|
||||||
| [region](variables.tf#L190) | Region used for regional resources. | <code>string</code> | | <code>"europe-west1"</code> | |
|
| [project_suffix](variables.tf#L192) | Suffix used only for project ids. | <code>string</code> | | <code>null</code> | |
|
||||||
| [service_encryption_keys](variables.tf#L196) | Cloud KMS to use to encrypt different services. Key location should match service region. | <code title="object({ bq = string composer = string dataflow = string storage = string pubsub = string })">object({…})</code> | | <code>null</code> | |
|
| [region](variables.tf#L198) | Region used for regional resources. | <code>string</code> | | <code>"europe-west1"</code> | |
|
||||||
| [subnet_self_links](variables.tf#L208) | Shared VPC subnet self links. | <code title="object({ dev-spoke-0 = map(string) })">object({…})</code> | | <code>null</code> | <code>2-networking</code> |
|
| [service_encryption_keys](variables.tf#L204) | Cloud KMS to use to encrypt different services. Key location should match service region. | <code title="object({ bq = string composer = string dataflow = string storage = string pubsub = string })">object({…})</code> | | <code>null</code> | |
|
||||||
| [vpc_self_links](variables.tf#L217) | Shared VPC self links. | <code title="object({ dev-spoke-0 = string })">object({…})</code> | | <code>null</code> | <code>2-networking</code> |
|
| [subnet_self_links](variables.tf#L216) | Shared VPC subnet self links. | <code title="object({ dev-spoke-0 = map(string) })">object({…})</code> | | <code>null</code> | <code>2-networking</code> |
|
||||||
|
| [vpc_self_links](variables.tf#L225) | Shared VPC self links. | <code title="object({ dev-spoke-0 = string })">object({…})</code> | | <code>null</code> | <code>2-networking</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -25,7 +25,7 @@ module "data-platform" {
|
||||||
billing_account_id = var.billing_account.id
|
billing_account_id = var.billing_account.id
|
||||||
parent = var.folder_ids.data-platform-dev
|
parent = var.folder_ids.data-platform-dev
|
||||||
}
|
}
|
||||||
groups = var.groups
|
groups = var.groups-dp
|
||||||
location = var.location
|
location = var.location
|
||||||
network_config = {
|
network_config = {
|
||||||
host_project = var.host_project_ids.dev-spoke-0
|
host_project = var.host_project_ids.dev-spoke-0
|
||||||
|
@ -46,9 +46,9 @@ module "data-platform" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
organization_domain = var.organization.domain
|
organization_domain = var.organization.domain
|
||||||
prefix = "${var.prefix}-dev-dt"
|
prefix = "${var.prefix}-dev-dp"
|
||||||
project_services = var.project_services
|
project_services = var.project_services
|
||||||
project_suffix = "0"
|
project_suffix = var.project_suffix
|
||||||
region = var.region
|
region = var.region
|
||||||
service_encryption_keys = var.service_encryption_keys
|
service_encryption_keys = var.service_encryption_keys
|
||||||
}
|
}
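Review bot: Changing `prefix` from `"${var.prefix}-dev-dt"` to `"${var.prefix}-dev-dp"` and replacing the literal `project_suffix = "0"` with `var.project_suffix` alters every project id the blueprint derives from them, and project ids are immutable, so on an already-applied dev stage `terraform plan` should be expected to show the data platform projects (and the buckets, datasets and service-agent bindings inside them) destroyed and recreated rather than updated in place. Nothing in the hunk marks this as a breaking change. I would add a comment at the `prefix` line, `# NOTE: prefix and project_suffix feed project ids; changing them recreates the projects, so existing deployments must keep the old values or plan a migration`, and call it out in the stage README. Whether a `null` `project_suffix` composes to the same id as the old `"0"` depends on how the blueprint builds the id, which is outside this hunk and should be confirmed before release.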
|
||||||
|
|
|
@ -45,6 +45,7 @@ variable "composer_config" {
|
||||||
pypi_packages = optional(any)
|
pypi_packages = optional(any)
|
||||||
env_variables = optional(map(string))
|
env_variables = optional(map(string))
|
||||||
image_version = string
|
image_version = string
|
||||||
|
cloud_data_lineage_integration = optional(bool, true)
|
||||||
})
|
})
|
||||||
workloads_config = object({
|
workloads_config = object({
|
||||||
scheduler = object(
|
scheduler = object(
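Review bot: `cloud_data_lineage_integration = optional(bool, true)` switches lineage collection on for every Composer environment unless the operator overrides it, but the `composer_config` description (`Cloud Composer configuration options.`) says nothing about the new field, what it enables, or that it is default-on. Lineage integration presumably exports metadata about the datasets and pipelines each DAG touches to the lineage API, so a default of `true` silently widens what leaves the orchestration project; for a security-oriented blueprint an explicit opt-in, or at least visible documentation, is preferable. I would extend the description with something like `cloud_data_lineage_integration: enable Dataplex Data Lineage reporting from Composer (default true); requires the datalineage API on the project — confirm`. The `composer_config` object type begins before this hunk.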
|
||||||
|
@ -77,6 +78,7 @@ variable "composer_config" {
|
||||||
environment_size = "ENVIRONMENT_SIZE_SMALL"
|
environment_size = "ENVIRONMENT_SIZE_SMALL"
|
||||||
software_config = {
|
software_config = {
|
||||||
image_version = "composer-2-airflow-2"
|
image_version = "composer-2-airflow-2"
|
||||||
|
cloud_data_lineage_integration = true
|
||||||
}
|
}
|
||||||
workloads_config = null
|
workloads_config = null
|
||||||
}
|
}
|
||||||
|
@ -110,8 +112,8 @@ variable "folder_ids" {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "groups" {
|
variable "groups-dp" {
|
||||||
description = "Groups."
|
description = "Data Platform groups."
|
||||||
type = map(string)
|
type = map(string)
|
||||||
default = {
|
default = {
|
||||||
data-analysts = "gcp-data-analysts"
|
data-analysts = "gcp-data-analysts"
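Review bot: Renaming the input from `groups` to `groups-dp` is a breaking change with an IAM side effect: to my knowledge an existing `.tfvars` that still sets `groups = {...}` only triggers an "undeclared variable" warning rather than an error, so Terraform will silently fall back to the defaults (`gcp-data-analysts`, `gcp-data-engineers`, `gcp-data-security`) and the blueprint will bind its roles to those groups in the organization domain instead of the operator's chosen ones. Nothing in the hunk guards against that; keeping a deprecated `groups` variable whose `validation` fails when it is non-null, or at minimum an upgrade note in the README, would make the fallback visible. On style, the other inputs in this file use underscores (`host_project_ids`, `folder_ids`), so `groups_dp` would be the consistent name; a hyphen is legal but unusual in a Terraform identifier. The variable block continues past the end of the hunk.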
|
||||||
|
@ -187,6 +189,12 @@ variable "project_services" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "project_suffix" {
|
||||||
|
description = "Suffix used only for project ids."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "region" {
|
variable "region" {
|
||||||
description = "Region used for regional resources."
|
description = "Region used for regional resources."
|
||||||
type = string
|
type = string
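Review bot: `project_suffix` is interpolated into project ids yet accepts any string; a value with uppercase letters, underscores or other characters outside the project-id charset (lowercase letters, digits, hyphens) is only rejected at apply time, after the plan has been approved. The description should also state that the suffix used to be a fixed `"0"`, since a `null` default changes the derived ids for existing deployments. A `validation` block keeps bad values at plan time; `can()` absorbs the error `regex` raises on a null argument, so the null default still passes:

```hcl
variable "project_suffix" {
  description = "Suffix used only for project ids (lowercase letters, digits, hyphens). Earlier releases used a fixed \"0\"; changing it recreates the projects."
  type        = string
  default     = null
  validation {
    condition     = var.project_suffix == null || can(regex("^[a-z0-9-]+$", var.project_suffix))
    error_message = "project_suffix must contain only lowercase letters, digits and hyphens."
  }
}
```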
|
||||||
|
|
|
@ -26,6 +26,25 @@ done
|
||||||
terraform destroy
|
terraform destroy
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Stage 3 (Data Platform)
|
||||||
|
|
||||||
|
Terraform refuses to delete non-empty GCS buckets and BigQuery datasets, so they need to be removed manually from the state.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd $FAST_PWD/3-data-platform/dev/
|
||||||
|
|
||||||
|
# remove GCS buckets and BQ dataset manually. Projects will be destroyed anyway
|
||||||
|
for x in $(terraform state list | grep google_storage_bucket.bucket); do
|
||||||
|
terraform state rm "$x";
|
||||||
|
done
|
||||||
|
|
||||||
|
for x in $(terraform state list | grep google_bigquery_dataset); do
|
||||||
|
terraform state rm "$x";
|
||||||
|
done
|
||||||
|
|
||||||
|
terraform destroy
|
||||||
|
```
|
||||||
|
|
||||||
## Stage 2 (Security)
|
## Stage 2 (Security)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|