Merge branch 'master' into updates-quota-monitoring-function
a2651f46f8
|
@ -37,7 +37,7 @@ jobs:
|
||||||
- name: Set up Terraform
|
- name: Set up Terraform
|
||||||
uses: hashicorp/setup-terraform@v1
|
uses: hashicorp/setup-terraform@v1
|
||||||
with:
|
with:
|
||||||
terraform_version: 1.1.8
|
terraform_version: 1.3
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: |
|
run: |
|
||||||
|
|
|
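Review bot: `terraform_version: 1.3`, the new value in this hunk, and `TF_VERSION: 1.3.0` in the next workflow hunk do not pin the same thing: setup-terraform treats a partial version as a constraint and resolves it to the newest 1.3.x available at run time, whereas `1.3.0` is an exact pin, so the two workflows can run different patch releases and the first one is not reproducible between runs. Use one exact version in both places, e.g. `terraform_version: 1.3.0`, or feed the step from a single shared env value so the two cannot drift again. The enclosing `jobs:` definition starts outside the hunk.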
@ -30,7 +30,7 @@ env:
|
||||||
PYTEST_ADDOPTS: "--color=yes"
|
PYTEST_ADDOPTS: "--color=yes"
|
||||||
PYTHON_VERSION: "3.10"
|
PYTHON_VERSION: "3.10"
|
||||||
TF_PLUGIN_CACHE_DIR: "/home/runner/.terraform.d/plugin-cache"
|
TF_PLUGIN_CACHE_DIR: "/home/runner/.terraform.d/plugin-cache"
|
||||||
TF_VERSION: 1.1.8
|
TF_VERSION: 1.3.0
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
doc-examples:
|
doc-examples:
|
||||||
|
|
19
CHANGELOG.md
19
CHANGELOG.md
|
@ -8,6 +8,8 @@ All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
### BLUEPRINTS
|
### BLUEPRINTS
|
||||||
|
|
||||||
|
- [[#839](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/839)] **incompatible change:** Update to terraform 1.3 ([juliocc](https://github.com/juliocc)) <!-- 2022-09-28 11:25:27+00:00 -->
|
||||||
|
- [[#828](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/828)] Update firewall rules. ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-20 15:24:12+00:00 -->
|
||||||
- [[#813](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/813)] Add documentation example test for pf ([ludoo](https://github.com/ludoo)) <!-- 2022-09-14 12:34:30+00:00 -->
|
- [[#813](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/813)] Add documentation example test for pf ([ludoo](https://github.com/ludoo)) <!-- 2022-09-14 12:34:30+00:00 -->
|
||||||
- [[#809](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/809)] Renaming and moving blueprints ([juliocc](https://github.com/juliocc)) <!-- 2022-09-12 10:19:15+00:00 -->
|
- [[#809](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/809)] Renaming and moving blueprints ([juliocc](https://github.com/juliocc)) <!-- 2022-09-12 10:19:15+00:00 -->
|
||||||
|
|
||||||
|
@ -17,10 +19,27 @@ All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
### FAST
|
### FAST
|
||||||
|
|
||||||
|
- [[#842](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/842)] Comment redundant role in bootstrap stage, align IAM.md files, improve IAM tool ([ludoo](https://github.com/ludoo)) <!-- 2022-09-29 06:30:02+00:00 -->
|
||||||
|
- [[#841](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/841)] FAST: revert 00-cicd provider changes ([ludoo](https://github.com/ludoo)) <!-- 2022-09-28 14:17:40+00:00 -->
|
||||||
|
- [[#835](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/835)] Fix workflow-gitlab.yaml template rendering ([muresan](https://github.com/muresan)) <!-- 2022-09-22 12:26:22+00:00 -->
|
||||||
|
- [[#828](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/828)] Update firewall rules. ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-20 15:24:12+00:00 -->
|
||||||
- [[#807](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/807)] FAST: refactor Gitlab template ([ludoo](https://github.com/ludoo)) <!-- 2022-09-12 05:26:49+00:00 -->
|
- [[#807](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/807)] FAST: refactor Gitlab template ([ludoo](https://github.com/ludoo)) <!-- 2022-09-12 05:26:49+00:00 -->
|
||||||
|
|
||||||
|
### MODULES
|
||||||
|
|
||||||
|
- [[#843](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/843)] Add support for disk encryption to instance templates in compute-vm module ([ludoo](https://github.com/ludoo)) <!-- 2022-09-29 07:01:16+00:00 -->
|
||||||
|
- [[#840](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/840)] **incompatible change:** Refactor net-address module for 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-09-28 12:10:05+00:00 -->
|
||||||
|
- [[#839](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/839)] **incompatible change:** Update to terraform 1.3 ([juliocc](https://github.com/juliocc)) <!-- 2022-09-28 11:25:27+00:00 -->
|
||||||
|
- [[#824](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/824)] Add simple composer 2 blueprint ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-28 09:07:29+00:00 -->
|
||||||
|
- [[#834](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/834)] Add support for service_label property in internal load balancer ([kmucha555](https://github.com/kmucha555)) <!-- 2022-09-21 21:30:35+00:00 -->
|
||||||
|
- [[#833](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/833)] regional MySQL DBs - automatic backup conf ([skalolazka](https://github.com/skalolazka)) <!-- 2022-09-21 08:40:53+00:00 -->
|
||||||
|
- [[#827](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/827)] Project module: Add Artifactregistry Service Identity SA creation. ([lcaggio](https://github.com/lcaggio)) <!-- 2022-09-20 09:48:17+00:00 -->
|
||||||
|
- [[#826](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/826)] Added new binary_authorization argument in gke-cluster module ([sirohia](https://github.com/sirohia)) <!-- 2022-09-20 06:19:15+00:00 -->
|
||||||
|
- [[#819](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/819)] Removed old and unused modules ([juliocc](https://github.com/juliocc)) <!-- 2022-09-15 15:02:58+00:00 -->
|
||||||
|
|
||||||
### TOOLS
|
### TOOLS
|
||||||
|
|
||||||
|
- [[#842](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/842)] Comment redundant role in bootstrap stage, align IAM.md files, improve IAM tool ([ludoo](https://github.com/ludoo)) <!-- 2022-09-29 06:30:02+00:00 -->
|
||||||
- [[#811](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/811)] Fix changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-09-13 09:41:29+00:00 -->
|
- [[#811](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/811)] Fix changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-09-13 09:41:29+00:00 -->
|
||||||
- [[#810](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/810)] Fully recursive e2e test runner for examples ([juliocc](https://github.com/juliocc)) <!-- 2022-09-12 12:35:46+00:00 -->
|
- [[#810](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/810)] Fully recursive e2e test runner for examples ([juliocc](https://github.com/juliocc)) <!-- 2022-09-12 12:35:46+00:00 -->
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@ This section **[networking blueprints](./networking/)** that implement core patt
|
||||||
Currently available blueprints:
|
Currently available blueprints:
|
||||||
|
|
||||||
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](./cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management), [TCP healthcheck for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [HTTP Load Balancer with Cloud Armor](./cloud-operations/glb_and_armor)
|
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](./cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management), [TCP healthcheck for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [HTTP Load Balancer with Cloud Armor](./cloud-operations/glb_and_armor)
|
||||||
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/gcs-to-bq-with-least-privileges/), [Cloud Storage to Bigquery with Cloud Dataflow with least privileges](./data-solutions/gcs-to-bq-with-least-privileges/), [Data Platform Foundations](./data-solutions/data-platform-foundations/), [SQL Server AlwaysOn availability groups blueprint](./data-solutions/sqlserver-alwayson), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion/)
|
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/gcs-to-bq-with-least-privileges/), [Cloud Storage to Bigquery with Cloud Dataflow with least privileges](./data-solutions/gcs-to-bq-with-least-privileges/), [Data Platform Foundations](./data-solutions/data-platform-foundations/), [SQL Server AlwaysOn availability groups blueprint](./data-solutions/sqlserver-alwayson), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion/), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2/)
|
||||||
- **factories** - [The why and the how of resource factories](./factories/README.md)
|
- **factories** - [The why and the how of resource factories](./factories/README.md)
|
||||||
- **GKE** - [GKE multitenant fleet](./gke/multitenant-fleet/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [Binary Authorization Pipeline](./gke/binauthz/), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api/)
|
- **GKE** - [GKE multitenant fleet](./gke/multitenant-fleet/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [Binary Authorization Pipeline](./gke/binauthz/), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api/)
|
||||||
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall)
|
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall)
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -30,7 +30,7 @@ This [blueprint](./data-platform-foundations/) implements SQL Server Always On A
|
||||||
|
|
||||||
### Cloud SQL instance with multi-region read replicas
|
### Cloud SQL instance with multi-region read replicas
|
||||||
|
|
||||||
<a href="./cloudsql-multiregion/" title="Cloud SQL instance with multi-region read replicas"><img src="./cloudsql-multiregion/diagram.png" align="left" width="280px"></a>
|
<a href="./cloudsql-multiregion/" title="Cloud SQL instance with multi-region read replicas"><img src="./cloudsql-multiregion/images/diagram.png" align="left" width="280px"></a>
|
||||||
This [blueprint](./cloudsql-multiregion/) creates a [Cloud SQL instance](https://cloud.google.com/sql) with multi-region read replicas as described in the [Cloud SQL for PostgreSQL disaster recovery](https://cloud.google.com/architecture/cloud-sql-postgres-disaster-recovery-complete-failover-fallback) article.
|
This [blueprint](./cloudsql-multiregion/) creates a [Cloud SQL instance](https://cloud.google.com/sql) with multi-region read replicas as described in the [Cloud SQL for PostgreSQL disaster recovery](https://cloud.google.com/architecture/cloud-sql-postgres-disaster-recovery-complete-failover-fallback) article.
|
||||||
<br clear="left">
|
<br clear="left">
|
||||||
|
|
||||||
|
@ -41,3 +41,10 @@ This [blueprint](./data-playground/) creates a [Vertex AI
|
||||||
Notebook](https://cloud.google.com/vertex-ai/docs/workbench/introduction)
|
Notebook](https://cloud.google.com/vertex-ai/docs/workbench/introduction)
|
||||||
running on a VPC with a private IP and a dedicated Service Account. A GCS bucket and a BigQuery dataset are created to store inputs and outputs of data experiments.
|
running on a VPC with a private IP and a dedicated Service Account. A GCS bucket and a BigQuery dataset are created to store inputs and outputs of data experiments.
|
||||||
<br clear="left">
|
<br clear="left">
|
||||||
|
|
||||||
|
### Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key
|
||||||
|
|
||||||
|
<a href="./composer-2/" title="# Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key
|
||||||
|
"><img src="./composer-2/diagram.png" align="left" width="280px"></a>
|
||||||
|
This [blueprint](./composer-2/) creates a [Cloud Composer](https://cloud.google.com/composer/) version 2 instance on a VPC with a dedicated service account. The solution supports as inputs: a Shared VPC and Cloud KMS CMEK keys.
|
||||||
|
<br clear="left">
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -0,0 +1,115 @@
|
||||||
|
# Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key
|
||||||
|
|
||||||
|
This blueprint creates a Private instance of [Cloud Composer version 2](https://cloud.google.com/composer/docs/composer-2/composer-versioning-overview) on a VPC with a dedicated service account. Cloud Composer 2 is the new major version for Cloud Composer that supports:
|
||||||
|
- environment autoscaling
|
||||||
|
- workloads configuration: CPU, memory, and storage parameters for Airflow workers, schedulers, web server, and database.
|
||||||
|
|
||||||
|
Please consult the [documentation page](https://cloud.google.com/composer/docs/composer-2/composer-versioning-overview) for an exhaustive comparison between Composer Version 1 and Version 2.
|
||||||
|
|
||||||
|
The solution will use:
|
||||||
|
- Cloud Composer
|
||||||
|
- VPC with Private Service Access to deploy resources, if no Shared VPC configuration provided.
|
||||||
|
- Google Cloud NAT to access internet resources, if no Shared VPC configuration provided.
|
||||||
|
|
||||||
|
The solution supports as inputs:
|
||||||
|
- Shared VPC
|
||||||
|
- Cloud KMS CMEK keys
|
||||||
|
|
||||||
|
This is the high level diagram:
|
||||||
|
|
||||||
|
![Cloud Composer 2 architecture overview](./diagram.png "Cloud Composer 2 architecture overview")
|
||||||
|
|
||||||
|
# Requirements
|
||||||
|
This blueprint will deploy all its resources into the project defined by the project_id variable. Please note that we assume this project already exists. However, if you provide the appropriate values to the `project_create` variable, the project will be created as part of the deployment.
|
||||||
|
|
||||||
|
If `project_create` is left to null, the identity performing the deployment needs the owner role on the project defined by the `project_id` variable. Otherwise, the identity performing the deployment needs `resourcemanager.projectCreator` on the resource hierarchy node specified by `project_create.parent` and `billing.user` on the billing account specified by `project_create.billing_account_id`.
|
||||||
|
|
||||||
|
# Deployment
|
||||||
|
Run Terraform init:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ terraform init
|
||||||
|
```
|
||||||
|
|
||||||
|
Configure the Terraform variable in your terraform.tfvars file. You need to specify at least the following variables:
|
||||||
|
|
||||||
|
```tfvars
|
||||||
|
project_id = "lcaggioni-sandbox"
|
||||||
|
prefix = "lc"
|
||||||
|
```
|
||||||
|
|
||||||
|
You can run now:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ terraform apply
|
||||||
|
```
|
||||||
|
|
||||||
|
You can now connect to your instance.
|
||||||
|
|
||||||
|
# Customizations
|
||||||
|
|
||||||
|
## VPC
|
||||||
|
If a shared VPC is not configured, a VPC will be created within the project. The following IP ranges will be used:
|
||||||
|
- Cloudsql: `10.20.10.0/24`
|
||||||
|
- GKE: `10.20.11.0/28`
|
||||||
|
|
||||||
|
Change the code as needed to match your needed configuration, remember that these addresses should not overlap with any other range used in network.
|
||||||
|
## Shared VPC
|
||||||
|
As is often the case in real-world configurations, this blueprint accepts as input an existing [`Shared-VPC`](https://cloud.google.com/vpc/docs/shared-vpc) via the `network_config` variable.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
```tfvars
|
||||||
|
network_config = {
|
||||||
|
host_project = "PROJECT"
|
||||||
|
network_self_link = "projects/PROJECT/global/networks/VPC_NAME"
|
||||||
|
subnet_self_link = "projects/PROJECT/regions/REGION/subnetworks/VPC_NAME"
|
||||||
|
composer_secondary_ranges = {
|
||||||
|
pods = "pods"
|
||||||
|
services = "services"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Make sure that:
|
||||||
|
- The GKE API (`container.googleapis.com`) is enabled in the VPC host project.
|
||||||
|
- The subnet has secondary ranges configured with 2 ranges:
|
||||||
|
- pods: `/22` example: `10.10.8.0/22`
|
||||||
|
- services = `/24` example: 10.10.12.0/24`
|
||||||
|
- Firewall rules are set, as described in the [documentation](https://cloud.google.com/composer/docs/composer-2/configure-private-ip#step_3_configure_firewall_rules)
|
||||||
|
|
||||||
|
In order to run the example and deploy Cloud Composer on a shared VPC the identity running Terraform must have the following IAM role on the Shared VPC Host project.
|
||||||
|
- Compute Network Admin (roles/compute.networkAdmin)
|
||||||
|
- Compute Shared VPC Admin (roles/compute.xpnAdmin)
|
||||||
|
|
||||||
|
## Encryption
|
||||||
|
As is often the case in real-world configurations, this blueprint accepts as input an existing [`Cloud KMS keys`](https://cloud.google.com/kms/docs/cmek) via the `service_encryption_keys` variable.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
```tfvars
|
||||||
|
service_encryption_keys = {
|
||||||
|
`europe/west1` = `projects/PROJECT/locations/REGION/keyRings/KR_NAME/cryptoKeys/KEY_NAME`
|
||||||
|
}
|
||||||
|
```
|
||||||
|
<!-- BEGIN TFDOC -->
|
||||||
|
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
| name | description | type | required | default |
|
||||||
|
|---|---|:---:|:---:|:---:|
|
||||||
|
| [prefix](variables.tf#L81) | Unique prefix used for resource names. Not used for project if 'project_create' is null. | <code>string</code> | ✓ | |
|
||||||
|
| [project_id](variables.tf#L95) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||||
|
| [composer_config](variables.tf#L17) | Composer environemnt configuration. See [attribute reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment#argument-reference---cloud-composer-2) for details on settings variables. | <code title="object({ environment_size = string software_config = any workloads_config = object({ scheduler = object( { cpu = number memory_gb = number storage_gb = number count = number } ) web_server = object( { cpu = number memory_gb = number storage_gb = number } ) worker = object( { cpu = number memory_gb = number storage_gb = number min_count = number max_count = number } ) }) })">object({…})</code> | | <code title="{ environment_size = "ENVIRONMENT_SIZE_SMALL" software_config = { image_version = "composer-2-airflow-2" env_variables = { FOO = "bar" } } workloads_config = null }">{…}</code> |
|
||||||
|
| [iam_groups_map](variables.tf#L61) | Map of Role => groups to be added on the project. Example: { \"roles/composer.admin\" = [\"group:gcp-data-engineers@example.com\"]}. | <code>map(list(string))</code> | | <code>null</code> |
|
||||||
|
| [network_config](variables.tf#L67) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | <code title="object({ host_project = string network_self_link = string subnet_self_link = string composer_secondary_ranges = object({ pods = string services = string }) })">object({…})</code> | | <code>null</code> |
|
||||||
|
| [project_create](variables.tf#L86) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||||
|
| [region](variables.tf#L100) | Region where instances will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||||
|
| [service_encryption_keys](variables.tf#L106) | Cloud KMS keys to use to encrypt resources. Provide a key for each reagion in use. | <code>map(string)</code> | | <code>null</code> |
|
||||||
|
|
||||||
|
## Outputs
|
||||||
|
|
||||||
|
| name | description | sensitive |
|
||||||
|
|---|---|:---:|
|
||||||
|
| [composer_airflow_uri](outputs.tf#L22) | The URI of the Apache Airflow Web UI hosted within the Cloud Composer environment.. | |
|
||||||
|
| [composer_dag_gcs](outputs.tf#L17) | The Cloud Storage prefix of the DAGs for the Cloud Composer environment. | |
|
||||||
|
|
||||||
|
<!-- END TFDOC -->
|
|
@ -0,0 +1,30 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# The `impersonate_service_account` option require the identity launching terraform
|
||||||
|
# role `roles/iam.serviceAccountTokenCreator` on the Service Account specified.
|
||||||
|
|
||||||
|
terraform {
|
||||||
|
backend "gcs" {
|
||||||
|
bucket = "BUCKET_NAME"
|
||||||
|
prefix = "PREFIX"
|
||||||
|
impersonate_service_account = "SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
provider "google" {
|
||||||
|
impersonate_service_account = "SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"
|
||||||
|
}
|
||||||
|
provider "google-beta" {
|
||||||
|
impersonate_service_account = "SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com"
|
||||||
|
}
|
|
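Review bot: The header comment `# The `impersonate_service_account` option require the identity launching terraform` / `# role `roles/iam.serviceAccountTokenCreator` on the Service Account specified.` is ungrammatical and separates the role from its sentence; replace the two lines with `# The impersonate_service_account option requires the identity running Terraform` / `# to hold roles/iam.serviceAccountTokenCreator on the specified service account.`. The placeholder `SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com` is repeated in the backend block and in both providers; a backend block cannot reference variables or locals, so the repetition is unavoidable, but a one-line comment stating that all three occurrences must be replaced with the same account would prevent a half-edited copy where state access and resource access impersonate different identities.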
@ -0,0 +1,111 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
module "comp-sa" {
|
||||||
|
source = "../../../modules/iam-service-account"
|
||||||
|
project_id = module.project.project_id
|
||||||
|
prefix = var.prefix
|
||||||
|
name = "cmp"
|
||||||
|
display_name = "Composer service account"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_composer_environment" "env" {
|
||||||
|
name = "${var.prefix}-composer"
|
||||||
|
project = module.project.project_id
|
||||||
|
region = var.region
|
||||||
|
config {
|
||||||
|
dynamic "software_config" {
|
||||||
|
for_each = (
|
||||||
|
try(var.composer_config.software_config, null) != null
|
||||||
|
? { 1 = 1 }
|
||||||
|
: {}
|
||||||
|
)
|
||||||
|
content {
|
||||||
|
airflow_config_overrides = try(var.composer_config.software_config.airflow_config_overrides, null)
|
||||||
|
pypi_packages = try(var.composer_config.software_config.pypi_packages, null)
|
||||||
|
env_variables = try(var.composer_config.software_config.env_variables, null)
|
||||||
|
image_version = try(var.composer_config.software_config.image_version, null)
|
||||||
|
python_version = try(var.composer_config.software_config.python_version, null)
|
||||||
|
scheduler_count = try(var.composer_config.software_config.scheduler_count, null)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
dynamic "workloads_config" {
|
||||||
|
for_each = (try(var.composer_config.workloads_config, null) != null ? { 1 = 1 } : {})
|
||||||
|
|
||||||
|
content {
|
||||||
|
scheduler {
|
||||||
|
cpu = try(var.composer_config.workloads_config.scheduler.cpu, null)
|
||||||
|
memory_gb = try(var.composer_config.workloads_config.scheduler.memory_gb, null)
|
||||||
|
storage_gb = try(var.composer_config.workloads_config.scheduler.storage_gb, null)
|
||||||
|
count = try(var.composer_config.workloads_config.scheduler.count, null)
|
||||||
|
}
|
||||||
|
web_server {
|
||||||
|
cpu = try(var.composer_config.workloads_config.web_server.cpu, null)
|
||||||
|
memory_gb = try(var.composer_config.workloads_config.web_server.memory_gb, null)
|
||||||
|
storage_gb = try(var.composer_config.workloads_config.web_server.storage_gb, null)
|
||||||
|
}
|
||||||
|
worker {
|
||||||
|
cpu = try(var.composer_config.workloads_config.worker.cpu, null)
|
||||||
|
memory_gb = try(var.composer_config.workloads_config.worker.memory_gb, null)
|
||||||
|
storage_gb = try(var.composer_config.workloads_config.worker.storage_gb, null)
|
||||||
|
min_count = try(var.composer_config.workloads_config.worker.min_count, null)
|
||||||
|
max_count = try(var.composer_config.workloads_config.worker.max_count, null)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
environment_size = var.composer_config.environment_size
|
||||||
|
|
||||||
|
node_config {
|
||||||
|
network = local.orch_vpc
|
||||||
|
subnetwork = local.orch_subnet
|
||||||
|
service_account = module.comp-sa.email
|
||||||
|
enable_ip_masq_agent = "true"
|
||||||
|
tags = ["composer-worker"]
|
||||||
|
ip_allocation_policy {
|
||||||
|
cluster_secondary_range_name = try(
|
||||||
|
var.network_config.composer_secondary_ranges.pods, "pods"
|
||||||
|
)
|
||||||
|
services_secondary_range_name = try(
|
||||||
|
var.network_config.composer_secondary_ranges.services, "services"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
private_environment_config {
|
||||||
|
enable_private_endpoint = "true"
|
||||||
|
cloud_sql_ipv4_cidr_block = try(
|
||||||
|
var.network_config.composer_ip_ranges.cloudsql, "10.20.10.0/24"
|
||||||
|
)
|
||||||
|
master_ipv4_cidr_block = try(
|
||||||
|
var.network_config.composer_ip_ranges.gke_master, "10.20.11.0/28"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
dynamic "encryption_config" {
|
||||||
|
for_each = (
|
||||||
|
try(var.service_encryption_keys[var.region], null) != null
|
||||||
|
? { 1 = 1 }
|
||||||
|
: {}
|
||||||
|
)
|
||||||
|
content {
|
||||||
|
kms_key_name = try(var.service_encryption_keys[var.region], null)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
depends_on = [
|
||||||
|
google_project_iam_member.shared_vpc,
|
||||||
|
module.project
|
||||||
|
]
|
||||||
|
}
|
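Review bot: The two `try(var.network_config.composer_ip_ranges.…, "…")` expressions in `private_environment_config` can never read a user-supplied value, because the `network_config` type shown in the README variable table on this page declares only `host_project`, `network_self_link`, `subnet_self_link` and `composer_secondary_ranges`, with no `composer_ip_ranges` attribute, so both always fall through to the literal defaults and the README's statement that the ranges are hard-coded is the real behaviour. Either extend the variable type with `composer_ip_ranges = optional(object({ cloudsql = string, gke_master = string }))` (this commit already raises `required_version` to 1.3, where `optional()` is available) or replace the `try()` calls with the plain literals so the code does not suggest a configuration hook that does not exist. Separately, `enable_ip_masq_agent = "true"` and `enable_private_endpoint = "true"` pass string literals to boolean arguments; write them as `true`.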
|
@ -0,0 +1,148 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
locals {
|
||||||
|
iam = merge(
|
||||||
|
{
|
||||||
|
"roles/composer.worker" = [module.comp-sa.iam_email]
|
||||||
|
"roles/composer.ServiceAgentV2Ext" = ["serviceAccount:${module.project.service_accounts.robots.composer}"]
|
||||||
|
},
|
||||||
|
var.iam_groups_map
|
||||||
|
)
|
||||||
|
|
||||||
|
# Adding Roles on Service Identities Service account as per documentation: https://cloud.google.com/composer/docs/composer-2/configure-shared-vpc#edit_permissions_for_the_google_apis_service_account
|
||||||
|
_shared_vpc_bindings = {
|
||||||
|
"roles/compute.networkUser" = [
|
||||||
|
"prj-cloudservices", "prj-robot-gke"
|
||||||
|
]
|
||||||
|
"roles/composer.sharedVpcAgent" = [
|
||||||
|
"prj-robot-cs"
|
||||||
|
]
|
||||||
|
"roles/container.hostServiceAgentUser" = [
|
||||||
|
"prj-robot-gke"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
shared_vpc_role_members = {
|
||||||
|
prj-cloudservices = "serviceAccount:${module.project.service_accounts.cloud_services}"
|
||||||
|
prj-robot-gke = "serviceAccount:${module.project.service_accounts.robots.container-engine}"
|
||||||
|
prj-robot-cs = "serviceAccount:${module.project.service_accounts.robots.composer}"
|
||||||
|
}
|
||||||
|
# reassemble in a format suitable for for_each
|
||||||
|
shared_vpc_bindings_map = {
|
||||||
|
for binding in flatten([
|
||||||
|
for role, members in local._shared_vpc_bindings : [
|
||||||
|
for member in members : { role = role, member = member }
|
||||||
|
]
|
||||||
|
]) : "${binding.role}-${binding.member}" => binding
|
||||||
|
}
|
||||||
|
|
||||||
|
shared_vpc_project = try(var.network_config.host_project, null)
|
||||||
|
use_shared_vpc = var.network_config != null
|
||||||
|
|
||||||
|
vpc_self_link = (
|
||||||
|
local.use_shared_vpc
|
||||||
|
? var.network_config.network_self_link
|
||||||
|
: module.vpc.0.self_link
|
||||||
|
)
|
||||||
|
|
||||||
|
orch_subnet = (
|
||||||
|
local.use_shared_vpc
|
||||||
|
? var.network_config.subnet_self_link
|
||||||
|
: values(module.vpc.0.subnet_self_links)[0]
|
||||||
|
)
|
||||||
|
|
||||||
|
orch_vpc = (
|
||||||
|
local.use_shared_vpc
|
||||||
|
? var.network_config.network_self_link
|
||||||
|
: module.vpc.0.self_link
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
module "project" {
|
||||||
|
source = "../../../modules/project"
|
||||||
|
name = var.project_id
|
||||||
|
parent = try(var.project_create.parent, null)
|
||||||
|
billing_account = try(var.project_create.billing_account_id, null)
|
||||||
|
project_create = var.project_create != null
|
||||||
|
prefix = var.project_create == null ? null : var.prefix
|
||||||
|
iam = var.project_create != null ? local.iam : {}
|
||||||
|
iam_additive = var.project_create == null ? local.iam : {}
|
||||||
|
services = [
|
||||||
|
"artifactregistry.googleapis.com",
|
||||||
|
"cloudkms.googleapis.com",
|
||||||
|
"container.googleapis.com",
|
||||||
|
"containerregistry.googleapis.com",
|
||||||
|
"composer.googleapis.com",
|
||||||
|
"compute.googleapis.com",
|
||||||
|
"iap.googleapis.com",
|
||||||
|
"logging.googleapis.com",
|
||||||
|
"monitoring.googleapis.com",
|
||||||
|
"networkmanagement.googleapis.com",
|
||||||
|
"servicenetworking.googleapis.com",
|
||||||
|
"storage.googleapis.com",
|
||||||
|
"storage-component.googleapis.com",
|
||||||
|
]
|
||||||
|
|
||||||
|
shared_vpc_service_config = local.shared_vpc_project == null ? null : {
|
||||||
|
attach = true
|
||||||
|
host_project = local.shared_vpc_project
|
||||||
|
service_identity_iam = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
service_encryption_key_ids = {
|
||||||
|
composer = [try(lookup(var.service_encryption_keys, var.region, null), null)]
|
||||||
|
}
|
||||||
|
|
||||||
|
service_config = {
|
||||||
|
disable_on_destroy = false, disable_dependent_services = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module "vpc" {
|
||||||
|
source = "../../../modules/net-vpc"
|
||||||
|
count = local.use_shared_vpc ? 0 : 1
|
||||||
|
project_id = module.project.project_id
|
||||||
|
name = "vpc"
|
||||||
|
subnets = [
|
||||||
|
{
|
||||||
|
ip_cidr_range = "10.0.0.0/20"
|
||||||
|
name = "subnet"
|
||||||
|
region = var.region
|
||||||
|
secondary_ip_range = {
|
||||||
|
pods = "10.10.8.0/22"
|
||||||
|
services = "10.10.12.0/24"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
# No explicit firewall rules set, created automatically by GKE autopilot
|
||||||
|
|
||||||
|
module "nat" {
|
||||||
|
source = "../../../modules/net-cloudnat"
|
||||||
|
count = local.use_shared_vpc ? 0 : 1
|
||||||
|
project_id = module.project.project_id
|
||||||
|
region = var.region
|
||||||
|
name = "${var.prefix}-default"
|
||||||
|
router_network = module.vpc.0.name
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_project_iam_member" "shared_vpc" {
|
||||||
|
for_each = local.use_shared_vpc ? local.shared_vpc_bindings_map : {}
|
||||||
|
project = var.network_config.host_project
|
||||||
|
role = each.value.role
|
||||||
|
member = lookup(local.shared_vpc_role_members, each.value.member)
|
||||||
|
}
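Review bot: The `roles/compute.networkUser` entry in `_shared_vpc_bindings` is granted through `google_project_iam_member` on the entire host project (`project = var.network_config.host_project`), so the service project's Cloud Services account and GKE service agent can attach to every subnet in the shared VPC rather than only the one Composer uses. The blueprint already receives `var.network_config.subnet_self_link`, so those two members could be bound with `google_compute_subnetwork_iam_member` on that subnet, keeping `roles/composer.sharedVpcAgent` and `roles/container.hostServiceAgentUser` at project level as the Composer Shared VPC document linked in the comment requires. Doing so means removing the `networkUser` key from `_shared_vpc_bindings` and adding the new resource to the `depends_on` of the Composer environment, which lives in the hunk above this one; confirm against the pinned provider version that `subnetwork` accepts a full self link, or derive the name from it.
```hcl
# networkUser scoped to the single Composer subnet rather than the whole host project
resource "google_compute_subnetwork_iam_member" "shared_vpc_network_user" {
  for_each   = local.use_shared_vpc ? toset(["prj-cloudservices", "prj-robot-gke"]) : toset([])
  project    = var.network_config.host_project
  region     = var.region
  subnetwork = var.network_config.subnet_self_link
  role       = "roles/compute.networkUser"
  member     = lookup(local.shared_vpc_role_members, each.key)
}
# … unchanged: google_project_iam_member.shared_vpc, now without the networkUser entries …
```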
|
|
@ -0,0 +1,25 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
output "composer_dag_gcs" {
|
||||||
|
description = "The Cloud Storage prefix of the DAGs for the Cloud Composer environment."
|
||||||
|
value = google_composer_environment.env.config[0].dag_gcs_prefix
|
||||||
|
}
|
||||||
|
|
||||||
|
output "composer_airflow_uri" {
|
||||||
|
description = "The URI of the Apache Airflow Web UI hosted within the Cloud Composer environment.."
|
||||||
|
value = google_composer_environment.env.config[0].airflow_uri
|
||||||
|
}
|
|
@ -0,0 +1,107 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
variable "composer_config" {
|
||||||
|
description = "Composer environment configuration. It accepts only following attributes: `environment_size`, `software_config` and `workloads_config`. See [attribute reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment#argument-reference---cloud-composer-2) for details on settings variables."
|
||||||
|
type = object({
|
||||||
|
environment_size = string
|
||||||
|
software_config = any
|
||||||
|
workloads_config = object({
|
||||||
|
scheduler = object(
|
||||||
|
{
|
||||||
|
cpu = number
|
||||||
|
memory_gb = number
|
||||||
|
storage_gb = number
|
||||||
|
count = number
|
||||||
|
}
|
||||||
|
)
|
||||||
|
web_server = object(
|
||||||
|
{
|
||||||
|
cpu = number
|
||||||
|
memory_gb = number
|
||||||
|
storage_gb = number
|
||||||
|
}
|
||||||
|
)
|
||||||
|
worker = object(
|
||||||
|
{
|
||||||
|
cpu = number
|
||||||
|
memory_gb = number
|
||||||
|
storage_gb = number
|
||||||
|
min_count = number
|
||||||
|
max_count = number
|
||||||
|
}
|
||||||
|
)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
default = {
|
||||||
|
environment_size = "ENVIRONMENT_SIZE_SMALL"
|
||||||
|
software_config = {
|
||||||
|
image_version = "composer-2-airflow-2"
|
||||||
|
}
|
||||||
|
workloads_config = null
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "iam_groups_map" {
|
||||||
|
description = "Map of Role => groups to be added on the project. Example: { \"roles/composer.admin\" = [\"group:gcp-data-engineers@example.com\"]}."
|
||||||
|
type = map(list(string))
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "network_config" {
|
||||||
|
description = "Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values."
|
||||||
|
type = object({
|
||||||
|
host_project = string
|
||||||
|
network_self_link = string
|
||||||
|
subnet_self_link = string
|
||||||
|
composer_secondary_ranges = object({
|
||||||
|
pods = string
|
||||||
|
services = string
|
||||||
|
})
|
||||||
|
})
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "prefix" {
|
||||||
|
description = "Unique prefix used for resource names. Not used for project if 'project_create' is null."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "project_create" {
|
||||||
|
description = "Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
|
||||||
|
type = object({
|
||||||
|
billing_account_id = string
|
||||||
|
parent = string
|
||||||
|
})
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "project_id" {
|
||||||
|
description = "Project id, references existing project if `project_create` is null."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "region" {
|
||||||
|
description = "Reagion where instances will be deployed."
|
||||||
|
type = string
|
||||||
|
default = "europe-west1"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "service_encryption_keys" {
|
||||||
|
description = "Cloud KMS keys to use to encrypt resources. Provide a key for each reagion in use."
|
||||||
|
type = map(string)
|
||||||
|
default = null
|
||||||
|
}
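Review bot: The `network_config` object type declares only `host_project`, `network_self_link`, `subnet_self_link` and `composer_secondary_ranges`, yet main.tf reads `var.network_config.composer_ip_ranges.cloudsql` and `var.network_config.composer_ip_ranges.gke_master` inside `try(...)`; because an attribute outside an `object` schema cannot be supplied by the caller, those lookups always fall through to the hard-coded `10.20.10.0/24` and `10.20.11.0/28`, so a user can never set the Cloud SQL or GKE master ranges and the `try` silently hides the mismatch. Since this commit moves the repo to Terraform 1.3, add it as an optional attribute, `composer_ip_ranges = optional(object({ cloudsql = string, gke_master = string }))`, and mention in the description that it is only consulted when a Shared VPC is used. Two description typos in this file while here: `Reagion` in `region` and `reagion` in `service_encryption_keys`.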
|
|
@ -222,7 +222,7 @@ module "data-platform" {
|
||||||
prefix = "myprefix"
|
prefix = "myprefix"
|
||||||
}
|
}
|
||||||
|
|
||||||
# tftest modules=42 resources=314
|
# tftest modules=42 resources=315
|
||||||
```
|
```
|
||||||
|
|
||||||
## Customizations
|
## Customizations
|
||||||
|
|
|
@ -28,7 +28,7 @@ variable "composer_config" {
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
node_count = 3
|
node_count = 3
|
||||||
airflow_version = "composer-1.17.5-airflow-2.1.4"
|
airflow_version = "composer-1-airflow-2"
|
||||||
env_variables = {}
|
env_variables = {}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
default:
|
default:
|
||||||
before_script:
|
before_script:
|
||||||
- echo "${CI_JOB_JWT_V2}" > token.txt
|
- echo "$${CI_JOB_JWT_V2}" > token.txt
|
||||||
image:
|
image:
|
||||||
name: hashicorp/terraform
|
name: hashicorp/terraform
|
||||||
entrypoint:
|
entrypoint:
|
||||||
|
@ -49,10 +49,10 @@ gcp-auth:
|
||||||
script:
|
script:
|
||||||
- |
|
- |
|
||||||
gcloud iam workload-identity-pools create-cred-config \
|
gcloud iam workload-identity-pools create-cred-config \
|
||||||
${FAST_WIF_PROVIDER} \
|
$${FAST_WIF_PROVIDER} \
|
||||||
--service-account=${FAST_SERVICE_ACCOUNT} \
|
--service-account=$${FAST_SERVICE_ACCOUNT} \
|
||||||
--service-account-token-lifetime-seconds=3600 \
|
--service-account-token-lifetime-seconds=3600 \
|
||||||
--output-file=${GOOGLE_CREDENTIALS} \
|
--output-file=$${GOOGLE_CREDENTIALS} \
|
||||||
--credential-source-file=token.txt
|
--credential-source-file=token.txt
|
||||||
tf-files:
|
tf-files:
|
||||||
dependencies:
|
dependencies:
|
||||||
|
@ -62,14 +62,14 @@ tf-files:
|
||||||
stage: tf-files
|
stage: tf-files
|
||||||
script:
|
script:
|
||||||
# - gcloud components install -q alpha
|
# - gcloud components install -q alpha
|
||||||
- gcloud config set auth/credential_file_override ${GOOGLE_CREDENTIALS}
|
- gcloud config set auth/credential_file_override $${GOOGLE_CREDENTIALS}
|
||||||
- mkdir -p .tf-setup
|
- mkdir -p .tf-setup
|
||||||
- |
|
- |
|
||||||
gcloud alpha storage cp -r \
|
gcloud alpha storage cp -r \
|
||||||
"gs://${FAST_OUTPUTS_BUCKET}/providers/${TF_PROVIDERS_FILE}" .tf-setup/
|
"gs://$${FAST_OUTPUTS_BUCKET}/providers/$${TF_PROVIDERS_FILE}" .tf-setup/
|
||||||
- |
|
- |
|
||||||
gcloud alpha storage cp -r \
|
gcloud alpha storage cp -r \
|
||||||
"gs://${FAST_OUTPUTS_BUCKET}/tfvars" .tf-setup/
|
"gs://$${FAST_OUTPUTS_BUCKET}/tfvars" .tf-setup/
|
||||||
|
|
||||||
tf-plan:
|
tf-plan:
|
||||||
# uncomment the following lines and set the SSH key secret for private modules repo
|
# uncomment the following lines and set the SSH key secret for private modules repo
|
||||||
|
@ -82,9 +82,9 @@ tf-plan:
|
||||||
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||||
stage: tf-plan
|
stage: tf-plan
|
||||||
script:
|
script:
|
||||||
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
|
- cp .tf-setup/$${TF_PROVIDERS_FILE} ./
|
||||||
- |
|
- |
|
||||||
for f in ${TF_VAR_FILES}; do
|
for f in $${TF_VAR_FILES}; do
|
||||||
ln -s ".tf-setup/tfvars/$f" ./
|
ln -s ".tf-setup/tfvars/$f" ./
|
||||||
done
|
done
|
||||||
- terraform init
|
- terraform init
|
||||||
|
@ -104,9 +104,9 @@ tf-apply:
|
||||||
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
# ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
|
||||||
stage: tf-apply
|
stage: tf-apply
|
||||||
script:
|
script:
|
||||||
- cp .tf-setup/${TF_PROVIDERS_FILE} ./
|
- cp .tf-setup/$${TF_PROVIDERS_FILE} ./
|
||||||
- |
|
- |
|
||||||
for f in ${TF_VAR_FILES}; do
|
for f in $${TF_VAR_FILES}; do
|
||||||
ln -s ".tf-setup/tfvars/$f" ./
|
ln -s ".tf-setup/tfvars/$f" ./
|
||||||
done
|
done
|
||||||
- terraform init
|
- terraform init
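Review bot: `echo "$${CI_JOB_JWT_V2}" > token.txt` in `default.before_script` writes the job's ID token into the workspace with whatever mode the runner's umask yields, and nothing in the template removes it afterwards; the credential config produced by `create-cred-config` references it via `--credential-source-file=token.txt`, so every stage does need the file, but it can still be created with restrictive permissions: `- (umask 077; echo "$${CI_JOB_JWT_V2}" > token.txt)`. Whether the workspace persists between jobs or across pipelines depends on the executor and caching setup, which this template does not show, so treat the hardening as defence in depth. The `$$` escaping throughout is consistent with this file being rendered by Terraform `templatefile`; `$f` on the `ln -s` line needs no escape since only `${` and `%{` are interpolation sequences.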
|
||||||
|
|
|
@ -6,13 +6,13 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>GCP organization domain</b><br><small><i>domain</i></small>|[roles/browser](https://cloud.google.com/iam/docs/understanding-roles#browser) <br>[roles/resourcemanager.organizationViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationViewer) |
|
|<b>GCP organization domain</b><br><small><i>domain</i></small>|[roles/browser](https://cloud.google.com/iam/docs/understanding-roles#browser) |
|
||||||
|<b>gcp-billing-admins</b><br><small><i>group</i></small>|[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code>|
|
|<b>gcp-billing-admins</b><br><small><i>group</i></small>|[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code>|
|
||||||
|<b>gcp-network-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) <code>+</code><br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <code>+</code>|
|
|<b>gcp-network-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) <code>+</code><br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <code>+</code>|
|
||||||
|<b>gcp-organization-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin) <br>[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin) <br>[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|
|<b>gcp-organization-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin) <br>[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin) <br>[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|
||||||
|<b>gcp-security-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin) <br>[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|
|<b>gcp-security-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin) <br>[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|
||||||
|<b>gcp-support</b><br><small><i>group</i></small>|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer) <br>[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) |
|
|<b>gcp-support</b><br><small><i>group</i></small>|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer) <br>[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) |
|
||||||
|<b>prod-bootstrap-0</b><br><small><i>serviceAccount</i></small>|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code>|
|
|<b>prod-bootstrap-0</b><br><small><i>serviceAccount</i></small>|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/resourcemanager.projectMover](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectMover) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code>|
|
||||||
|<b>prod-resman-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/organizationIamAdmin <code>•</code><br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin) <br>[roles/resourcemanager.tagUser](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagUser) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|
|<b>prod-resman-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/organizationIamAdmin <code>•</code><br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin) <br>[roles/resourcemanager.tagUser](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagUser) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|
||||||
|
|
||||||
## Project <i>prod-audit-logs-0</i>
|
## Project <i>prod-audit-logs-0</i>
|
||||||
|
|
|
@ -34,9 +34,10 @@ locals {
|
||||||
[module.automation-tf-bootstrap-sa.iam_email],
|
[module.automation-tf-bootstrap-sa.iam_email],
|
||||||
local._iam_bootstrap_user
|
local._iam_bootstrap_user
|
||||||
)
|
)
|
||||||
"roles/resourcemanager.organizationViewer" = [
|
# the following is useful if roles/browser is not desirable
|
||||||
"domain:${var.organization.domain}"
|
# "roles/resourcemanager.organizationViewer" = [
|
||||||
]
|
# "domain:${var.organization.domain}"
|
||||||
|
# ]
|
||||||
"roles/resourcemanager.projectCreator" = concat(
|
"roles/resourcemanager.projectCreator" = concat(
|
||||||
[module.automation-tf-bootstrap-sa.iam_email],
|
[module.automation-tf-bootstrap-sa.iam_email],
|
||||||
local._iam_bootstrap_user
|
local._iam_bootstrap_user
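Review bot: The commented-out `roles/resourcemanager.organizationViewer` binding at the top of this hunk leaves dead code whose comment ("useful if roles/browser is not desirable") does not say why the domain-wide grant was dropped; if the reason is that `roles/browser`, which the IAM table in this commit still lists for the organization domain, already covers `resourcemanager.organizations.get` (per the predefined-role reference — worth confirming), say so, otherwise the next reader may re-add both. Suggested replacement for the four commented lines: `# roles/browser, presumably bound to the same domain: member earlier in this block, already includes resourcemanager.organizations.get; bind roles/resourcemanager.organizationViewer to the domain only if roles/browser is removed.` The `domain:` bindings are the one org-wide grant every account in the Cloud Identity domain receives, so a short rationale here pays for itself. The enclosing `locals` block starts and ends outside this hunk.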
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -24,6 +24,14 @@ terraform {
|
||||||
version = ">= 4.32.0" # tftest
|
version = ">= 4.32.0" # tftest
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
github = {
|
||||||
|
source = "integrations/github"
|
||||||
|
version = "~> 4.0"
|
||||||
|
}
|
||||||
|
gitlab = {
|
||||||
|
source = "gitlabhq/gitlab"
|
||||||
|
version = ">= 3.16.1"
|
||||||
|
}
|
||||||
}
|
}
|
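Review bot: The new `gitlab` provider constraint `version = ">= 3.16.1"` has no upper bound while the neighbouring `github` entry uses `version = "~> 4.0"`, so a `terraform init` without a committed dependency lock file can select any future major release of `gitlabhq/gitlab`, breaking changes included; `version = "~> 3.16"` would match the pessimistic style used for github. The `# tftest` marker present on the google provider's `version = ">= 4.32.0"` line is absent on both new version lines — if the test harness keys on that marker, the two new providers are not covered by it. Both providers are added unconditionally to `required_providers`, so every user of this stage now downloads the github and gitlab providers at init even when neither repository type is configured; if that is intended it is worth a sentence in the stage README.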
@ -7,18 +7,45 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>dev-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
|<b>dev-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
||||||
|
|<b>dev-resman-gke-0</b><br><small><i>serviceAccount</i></small>|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
||||||
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
||||||
|<b>prod-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
|<b>prod-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
||||||
|
|<b>prod-resman-gke-0</b><br><small><i>serviceAccount</i></small>|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
||||||
|<b>prod-resman-net-0</b><br><small><i>serviceAccount</i></small>|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code><br>[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) <code>+</code><br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <code>+</code>|
|
|<b>prod-resman-net-0</b><br><small><i>serviceAccount</i></small>|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code><br>[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) <code>+</code><br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <code>+</code>|
|
||||||
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
||||||
|<b>prod-resman-sec-0</b><br><small><i>serviceAccount</i></small>|[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
|<b>prod-resman-sec-0</b><br><small><i>serviceAccount</i></small>|[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|
||||||
|
|
||||||
## Folder <i>development</i>
|
## Folder <i>development [#0]</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>dev-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |
|
|<b>dev-resman-dp-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |
|
|
||||||
|
## Folder <i>development [#1]</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>dev-resman-gke-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
|
## Folder <i>development [#2]</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>dev-resman-dp-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin |
|
||||||
|
|<b>dev-resman-gke-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin |
|
||||||
|
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin |
|
||||||
|
|
||||||
|
## Folder <i>development [#3]</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
|
## Folder <i>development [#4]</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
## Folder <i>networking</i>
|
## Folder <i>networking</i>
|
@ -27,12 +54,37 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
|
||||||
|<b>gcp-network-admins</b><br><small><i>group</i></small>|[roles/editor](https://cloud.google.com/iam/docs/understanding-roles#editor) |
|
|<b>gcp-network-admins</b><br><small><i>group</i></small>|[roles/editor](https://cloud.google.com/iam/docs/understanding-roles#editor) |
|
||||||
|<b>prod-resman-net-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
|<b>prod-resman-net-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
## Folder <i>production</i>
|
## Folder <i>production [#0]</i>
|
||||||
|
|
||||||
| members | roles |
|
| members | roles |
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>prod-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |
|
|<b>prod-resman-dp-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |
|
|
||||||
|
## Folder <i>production [#1]</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>prod-resman-gke-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
|
## Folder <i>production [#2]</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>prod-resman-dp-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin |
|
||||||
|
|<b>prod-resman-gke-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin |
|
||||||
|
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin |
|
||||||
|
|
||||||
|
## Folder <i>production [#3]</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
|
## Folder <i>production [#4]</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/serviceProjectNetworkAdmin <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
## Folder <i>sandbox</i>
|
## Folder <i>sandbox</i>
|
@ -46,3 +98,31 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
|
||||||
|---|---|
|
|---|---|
|
||||||
|<b>gcp-security-admins</b><br><small><i>group</i></small>|[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
|
|<b>gcp-security-admins</b><br><small><i>group</i></small>|[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
|
||||||
|<b>prod-resman-sec-0</b><br><small><i>serviceAccount</i></small>|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
|<b>prod-resman-sec-0</b><br><small><i>serviceAccount</i></small>|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
|
## Folder <i>team a</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>team-a</b><br><small><i>group</i></small>|[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
|
||||||
|
|<b>prod-teams-team-a-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
|
## Folder <i>team b</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>prod-teams-team-b-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
|
## Folder <i>teams</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>prod-resman-teams-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
|
||||||
|
|
||||||
|
## Project <i>prod-iac-core-0</i>
|
||||||
|
|
||||||
|
| members | roles |
|
||||||
|
|---|---|
|
||||||
|
|<b>dev-resman-dp-1</b><br><small><i>serviceAccount</i></small>|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) <code>+</code>|
|
||||||
|
|<b>dev-resman-gke-1</b><br><small><i>serviceAccount</i></small>|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) <code>+</code>|
|
||||||
|
|<b>prod-resman-gke-1</b><br><small><i>serviceAccount</i></small>|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) <code>+</code>|
|
||||||
|
|<b>prod-resman-net-1</b><br><small><i>serviceAccount</i></small>|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) <code>+</code>|
|
@ -4,8 +4,8 @@ ingress-allow-composer-nodes:
|
||||||
description: "Allow traffic to Composer nodes."
|
description: "Allow traffic to Composer nodes."
|
||||||
direction: INGRESS
|
direction: INGRESS
|
||||||
action: allow
|
action: allow
|
||||||
sources: []
|
sources:
|
||||||
ranges: ["0.0.0.0/0"]
|
- composer-worker
|
||||||
targets:
|
targets:
|
||||||
- composer-worker
|
- composer-worker
|
||||||
use_service_accounts: false
|
use_service_accounts: false
|
@ -17,8 +17,8 @@ ingress-allow-dataflow-load:
|
||||||
description: "Allow traffic to Dataflow nodes."
|
description: "Allow traffic to Dataflow nodes."
|
||||||
direction: INGRESS
|
direction: INGRESS
|
||||||
action: allow
|
action: allow
|
||||||
sources: []
|
sources:
|
||||||
ranges: ["0.0.0.0/0"]
|
- dataflow
|
||||||
targets:
|
targets:
|
||||||
- dataflow
|
- dataflow
|
||||||
use_service_accounts: false
|
use_service_accounts: false
|
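Review bot: The `description` of both rules still reads `"Allow traffic to Composer nodes."` and `"Allow traffic to Dataflow nodes."` although the new side restricts the source to instances carrying the same tag as the target, so the text no longer describes what the rule permits; `description: "Allow traffic between Composer worker nodes."` and `description: "Allow traffic between Dataflow nodes."` would match the new sources. With `use_service_accounts: false` the `sources`/`targets` entries are network tags, which any principal allowed to set instance tags can attach, so the boundary is weaker than a service-account match; if the workers run under a dedicated service account, switching to the service-account form would bind the rule to an IAM identity. The protocols and ports of each rule are outside the hunk. The same change, with the same stale descriptions, is repeated in the two further copies of this file below (`@ -4,8 +4,8 @@ ingress-allow-composer-nodes:` and `@ -17,8 +17,8 @@ ingress-allow-dataflow-load:`, twice more).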
@ -4,8 +4,8 @@ ingress-allow-composer-nodes:
|
||||||
description: "Allow traffic to Composer nodes."
|
description: "Allow traffic to Composer nodes."
|
||||||
direction: INGRESS
|
direction: INGRESS
|
||||||
action: allow
|
action: allow
|
||||||
sources: []
|
sources:
|
||||||
ranges: ["0.0.0.0/0"]
|
- composer-worker
|
||||||
targets:
|
targets:
|
||||||
- composer-worker
|
- composer-worker
|
||||||
use_service_accounts: false
|
use_service_accounts: false
|
@ -17,8 +17,8 @@ ingress-allow-dataflow-load:
|
||||||
description: "Allow traffic to Dataflow nodes."
|
description: "Allow traffic to Dataflow nodes."
|
||||||
direction: INGRESS
|
direction: INGRESS
|
||||||
action: allow
|
action: allow
|
||||||
sources: []
|
sources:
|
||||||
ranges: ["0.0.0.0/0"]
|
- dataflow
|
||||||
targets:
|
targets:
|
||||||
- dataflow
|
- dataflow
|
||||||
use_service_accounts: false
|
use_service_accounts: false
|
@ -4,8 +4,8 @@ ingress-allow-composer-nodes:
|
||||||
description: "Allow traffic to Composer nodes."
|
description: "Allow traffic to Composer nodes."
|
||||||
direction: INGRESS
|
direction: INGRESS
|
||||||
action: allow
|
action: allow
|
||||||
sources: []
|
sources:
|
||||||
ranges: ["0.0.0.0/0"]
|
- composer-worker
|
||||||
targets:
|
targets:
|
||||||
- composer-worker
|
- composer-worker
|
||||||
use_service_accounts: false
|
use_service_accounts: false
|
@ -17,8 +17,8 @@ ingress-allow-dataflow-load:
|
||||||
description: "Allow traffic to Dataflow nodes."
|
description: "Allow traffic to Dataflow nodes."
|
||||||
direction: INGRESS
|
direction: INGRESS
|
||||||
action: allow
|
action: allow
|
||||||
sources: []
|
sources:
|
||||||
ranges: ["0.0.0.0/0"]
|
- dataflow
|
||||||
targets:
|
targets:
|
||||||
- dataflow
|
- dataflow
|
||||||
use_service_accounts: false
|
use_service_accounts: false
|
@ -0,0 +1 @@
|
||||||
|
../../../../blueprints/data-solutions/data-platform-foundations/demo/
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
@ -151,7 +151,7 @@ module "db" {
|
||||||
| [network](variables.tf#L102) | VPC self link where the instances will be deployed. Private Service Networking must be enabled and configured in this VPC. | <code>string</code> | ✓ | |
|
| [network](variables.tf#L102) | VPC self link where the instances will be deployed. Private Service Networking must be enabled and configured in this VPC. | <code>string</code> | ✓ | |
|
||||||
| [project_id](variables.tf#L113) | The ID of the project where this instances will be created. | <code>string</code> | ✓ | |
|
| [project_id](variables.tf#L113) | The ID of the project where this instances will be created. | <code>string</code> | ✓ | |
|
||||||
| [region](variables.tf#L118) | Region of the primary instance. | <code>string</code> | ✓ | |
|
| [region](variables.tf#L118) | Region of the primary instance. | <code>string</code> | ✓ | |
|
||||||
| [tier](variables.tf#L132) | The machine type to use for the instances. | <code>string</code> | ✓ | |
|
| [tier](variables.tf#L138) | The machine type to use for the instances. | <code>string</code> | ✓ | |
|
||||||
| [authorized_networks](variables.tf#L17) | Map of NAME=>CIDR_RANGE to allow to connect to the database(s). | <code>map(string)</code> | | <code>null</code> |
|
| [authorized_networks](variables.tf#L17) | Map of NAME=>CIDR_RANGE to allow to connect to the database(s). | <code>map(string)</code> | | <code>null</code> |
|
||||||
| [availability_type](variables.tf#L23) | Availability type for the primary replica. Either `ZONAL` or `REGIONAL`. | <code>string</code> | | <code>"ZONAL"</code> |
|
| [availability_type](variables.tf#L23) | Availability type for the primary replica. Either `ZONAL` or `REGIONAL`. | <code>string</code> | | <code>"ZONAL"</code> |
|
||||||
| [backup_configuration](variables.tf#L29) | Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas. | <code title="object({ enabled = bool binary_log_enabled = bool start_time = string location = string log_retention_days = number retention_count = number })">object({…})</code> | | <code title="{ enabled = false binary_log_enabled = false start_time = "23:00" location = null log_retention_days = 7 retention_count = 7 }">{…}</code> |
|
| [backup_configuration](variables.tf#L29) | Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas. | <code title="object({ enabled = bool binary_log_enabled = bool start_time = string location = string log_retention_days = number retention_count = number })">object({…})</code> | | <code title="{ enabled = false binary_log_enabled = false start_time = "23:00" location = null log_retention_days = 7 retention_count = 7 }">{…}</code> |
|
||||||
|
@ -161,11 +161,12 @@ module "db" {
|
||||||
| [disk_type](variables.tf#L73) | The type of data disk: `PD_SSD` or `PD_HDD`. | <code>string</code> | | <code>"PD_SSD"</code> |
|
| [disk_type](variables.tf#L73) | The type of data disk: `PD_SSD` or `PD_HDD`. | <code>string</code> | | <code>"PD_SSD"</code> |
|
||||||
| [encryption_key_name](variables.tf#L79) | The full path to the encryption key used for the CMEK disk encryption of the primary instance. | <code>string</code> | | <code>null</code> |
|
| [encryption_key_name](variables.tf#L79) | The full path to the encryption key used for the CMEK disk encryption of the primary instance. | <code>string</code> | | <code>null</code> |
|
||||||
| [flags](variables.tf#L85) | Map FLAG_NAME=>VALUE for database-specific tuning. | <code>map(string)</code> | | <code>null</code> |
|
| [flags](variables.tf#L85) | Map FLAG_NAME=>VALUE for database-specific tuning. | <code>map(string)</code> | | <code>null</code> |
|
||||||
| [ipv4_enabled](variables.tf#L143) | Add a public IP address to database instance. | <code>bool</code> | | <code>false</code> |
|
| [ipv4_enabled](variables.tf#L149) | Add a public IP address to database instance. | <code>bool</code> | | <code>false</code> |
|
||||||
| [labels](variables.tf#L91) | Labels to be attached to all instances. | <code>map(string)</code> | | <code>null</code> |
|
| [labels](variables.tf#L91) | Labels to be attached to all instances. | <code>map(string)</code> | | <code>null</code> |
|
||||||
| [prefix](variables.tf#L107) | Prefix used to generate instance names. | <code>string</code> | | <code>null</code> |
|
| [prefix](variables.tf#L107) | Prefix used to generate instance names. | <code>string</code> | | <code>null</code> |
|
||||||
| [replicas](variables.tf#L123) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map(object({ region = string encryption_key_name = string }))">map(object({…}))</code> | | <code>{}</code> |
|
| [replicas](variables.tf#L123) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map(object({ region = string encryption_key_name = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [users](variables.tf#L137) | Map of users to create in the primary instance (and replicated to other replicas) in the format USER=>PASSWORD. For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. | <code>map(string)</code> | | <code>null</code> |
|
| [root_password](variables.tf#L132) | Root password of the Cloud SQL instance. Required for MS SQL Server | <code>string</code> | | <code>null</code> |
|
||||||
|
| [users](variables.tf#L143) | Map of users to create in the primary instance (and replicated to other replicas) in the format USER=>PASSWORD. For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. | <code>map(string)</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -18,10 +18,11 @@ locals {
|
||||||
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
||||||
is_mysql = can(regex("^MYSQL", var.database_version))
|
is_mysql = can(regex("^MYSQL", var.database_version))
|
||||||
has_replicas = try(length(var.replicas) > 0, false)
|
has_replicas = try(length(var.replicas) > 0, false)
|
||||||
|
is_regional = var.availability_type == "REGIONAL" ? true : false
|
||||||
|
|
||||||
// Enable backup if the user asks for it or if the user is deploying
|
// Enable backup if the user asks for it or if the user is deploying
|
||||||
// MySQL with replicas
|
// MySQL in HA configuration (regional or with specified replicas)
|
||||||
enable_backup = var.backup_configuration.enabled || (local.is_mysql && local.has_replicas)
|
enable_backup = var.backup_configuration.enabled || (local.is_mysql && local.has_replicas) || (local.is_mysql && local.is_regional)
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
for user, password in coalesce(var.users, {}) :
|
for user, password in coalesce(var.users, {}) :
|
||||||
|
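Review bot: `is_regional = var.availability_type == "REGIONAL" ? true : false` on the new side wraps a comparison that already yields a bool in a redundant conditional; `is_regional = var.availability_type == "REGIONAL"` reads the same. The updated `enable_backup` line then tests `local.is_mysql` twice; `enable_backup = var.backup_configuration.enabled || (local.is_mysql && (local.has_replicas || local.is_regional))` is equivalent and mirrors the new "HA configuration" comment directly. The same factoring applies to the `binary_log_enabled` expression in the `@ -76,11 +78,11 @@` hunk of the same file. The `locals` block starts outside the hunk.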
@ -49,6 +50,7 @@ resource "google_sql_database_instance" "primary" {
|
||||||
region = var.region
|
region = var.region
|
||||||
database_version = var.database_version
|
database_version = var.database_version
|
||||||
encryption_key_name = var.encryption_key_name
|
encryption_key_name = var.encryption_key_name
|
||||||
|
root_password = var.root_password
|
||||||
|
|
||||||
settings {
|
settings {
|
||||||
tier = var.tier
|
tier = var.tier
|
||||||
|
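Review bot: `root_password = var.root_password` feeds a credential into the instance resource, but the `variable "root_password"` added in the `@ -129,6 +129,12 @@ variable "replicas"` hunk of variables.tf does not declare `sensitive = true`, so the value is echoed in plan and apply output and in any CI log that captures it. Adding `sensitive = true` to that variable block redacts it from output; it is still written to state in clear text, so the state backend still has to be protected accordingly. The description says the password is "Required for MS SQL Server", but nothing in the hunk checks that, so it would help to say in the description that a null value is only valid for the other engines. The resource block starts and ends outside the hunk.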
@ -76,11 +78,11 @@ resource "google_sql_database_instance" "primary" {
|
||||||
content {
|
content {
|
||||||
enabled = true
|
enabled = true
|
||||||
|
|
||||||
// enable binary log if the user asks for it or we have replicas,
|
// enable binary log if the user asks for it or we have replicas (default in regional),
|
||||||
// but only for MySQL
|
// but only for MySQL
|
||||||
binary_log_enabled = (
|
binary_log_enabled = (
|
||||||
local.is_mysql
|
local.is_mysql
|
||||||
? var.backup_configuration.binary_log_enabled || local.has_replicas
|
? var.backup_configuration.binary_log_enabled || local.has_replicas || local.is_regional
|
||||||
: null
|
: null
|
||||||
)
|
)
|
||||||
start_time = var.backup_configuration.start_time
|
start_time = var.backup_configuration.start_time
|
||||||
|
|
|
@ -129,6 +129,12 @@ variable "replicas" {
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "root_password" {
|
||||||
|
description = "Root password of the Cloud SQL instance. Required for MS SQL Server"
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "tier" {
|
variable "tier" {
|
||||||
description = "The machine type to use for the instances."
|
description = "The machine type to use for the instances."
|
||||||
type = string
|
type = string
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -311,6 +311,12 @@ resource "google_compute_instance_template" "default" {
|
||||||
config.value.source_type != "attach" ? config.value.name : null
|
config.value.source_type != "attach" ? config.value.name : null
|
||||||
)
|
)
|
||||||
type = "PERSISTENT"
|
type = "PERSISTENT"
|
||||||
|
dynamic "disk_encryption_key" {
|
||||||
|
for_each = var.encryption != null ? [""] : []
|
||||||
|
content {
|
||||||
|
kms_key_self_link = var.encryption.kms_key_self_link
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
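Review bot: The new `dynamic "disk_encryption_key"` block keys its `for_each` on `var.encryption != null` but then reads `var.encryption.kms_key_self_link`; if the `encryption` object can be supplied with that attribute unset (its type is not visible in this hunk, so this is inferred), the template gets a `disk_encryption_key` block whose `kms_key_self_link` is null. Keying the block on the attribute itself avoids that: `for_each = try(var.encryption.kms_key_self_link, null) != null ? [""] : []`. The enclosing `disk` block and the `google_compute_instance_template` resource start outside the hunk.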
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -68,13 +68,13 @@ module "cluster-1" {
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [location](variables.tf#L155) | Cluster zone or region. | <code>string</code> | ✓ | |
|
| [location](variables.tf#L161) | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||||
| [name](variables.tf#L222) | Cluster name. | <code>string</code> | ✓ | |
|
| [name](variables.tf#L228) | Cluster name. | <code>string</code> | ✓ | |
|
||||||
| [network](variables.tf#L227) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | <code>string</code> | ✓ | |
|
| [network](variables.tf#L233) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | <code>string</code> | ✓ | |
|
||||||
| [project_id](variables.tf#L271) | Cluster project id. | <code>string</code> | ✓ | |
|
| [project_id](variables.tf#L277) | Cluster project id. | <code>string</code> | ✓ | |
|
||||||
| [secondary_range_pods](variables.tf#L294) | Subnet secondary range name used for pods. | <code>string</code> | ✓ | |
|
| [secondary_range_pods](variables.tf#L300) | Subnet secondary range name used for pods. | <code>string</code> | ✓ | |
|
||||||
| [secondary_range_services](variables.tf#L299) | Subnet secondary range name used for services. | <code>string</code> | ✓ | |
|
| [secondary_range_services](variables.tf#L305) | Subnet secondary range name used for services. | <code>string</code> | ✓ | |
|
||||||
| [subnetwork](variables.tf#L304) | VPC subnetwork name or self link. | <code>string</code> | ✓ | |
|
| [subnetwork](variables.tf#L310) | VPC subnetwork name or self link. | <code>string</code> | ✓ | |
|
||||||
| [addons](variables.tf#L17) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun_config = bool dns_cache_config = bool horizontal_pod_autoscaling = bool http_load_balancing = bool istio_config = object({ enabled = bool tls = bool }) network_policy_config = bool gce_persistent_disk_csi_driver_config = bool gcp_filestore_csi_driver_config = bool config_connector_config = bool kalm_config = bool gke_backup_agent_config = bool })">object({…})</code> | | <code title="{ cloudrun_config = false dns_cache_config = false horizontal_pod_autoscaling = true http_load_balancing = true istio_config = { enabled = false tls = false } network_policy_config = false gce_persistent_disk_csi_driver_config = false gcp_filestore_csi_driver_config = false config_connector_config = false kalm_config = false gke_backup_agent_config = false }">{…}</code> |
|
| [addons](variables.tf#L17) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun_config = bool dns_cache_config = bool horizontal_pod_autoscaling = bool http_load_balancing = bool istio_config = object({ enabled = bool tls = bool }) network_policy_config = bool gce_persistent_disk_csi_driver_config = bool gcp_filestore_csi_driver_config = bool config_connector_config = bool kalm_config = bool gke_backup_agent_config = bool })">object({…})</code> | | <code title="{ cloudrun_config = false dns_cache_config = false horizontal_pod_autoscaling = true http_load_balancing = true istio_config = { enabled = false tls = false } network_policy_config = false gce_persistent_disk_csi_driver_config = false gcp_filestore_csi_driver_config = false config_connector_config = false kalm_config = false gke_backup_agent_config = false }">{…}</code> |
|
||||||
| [authenticator_security_group](variables.tf#L53) | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | <code>string</code> | | <code>null</code> |
|
| [authenticator_security_group](variables.tf#L53) | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | <code>string</code> | | <code>null</code> |
|
||||||
| [cluster_autoscaling](variables.tf#L59) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = bool cpu_min = number cpu_max = number memory_min = number memory_max = number })">object({…})</code> | | <code title="{ enabled = false cpu_min = 0 cpu_max = 0 memory_min = 0 memory_max = 0 }">{…}</code> |
|
| [cluster_autoscaling](variables.tf#L59) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = bool cpu_min = number cpu_max = number memory_min = number memory_max = number })">object({…})</code> | | <code title="{ enabled = false cpu_min = 0 cpu_max = 0 memory_min = 0 memory_max = 0 }">{…}</code> |
|
||||||
|
@ -83,28 +83,29 @@ module "cluster-1" {
|
||||||
| [description](variables.tf#L97) | Cluster description. | <code>string</code> | | <code>null</code> |
|
| [description](variables.tf#L97) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||||
| [dns_config](variables.tf#L103) | Configuration for Using Cloud DNS for GKE. | <code title="object({ cluster_dns = string cluster_dns_scope = string cluster_dns_domain = string })">object({…})</code> | | <code>null</code> |
|
| [dns_config](variables.tf#L103) | Configuration for Using Cloud DNS for GKE. | <code title="object({ cluster_dns = string cluster_dns_scope = string cluster_dns_domain = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [enable_autopilot](variables.tf#L113) | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node). | <code>bool</code> | | <code>false</code> |
|
| [enable_autopilot](variables.tf#L113) | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node). | <code>bool</code> | | <code>false</code> |
|
||||||
| [enable_dataplane_v2](variables.tf#L119) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | <code>bool</code> | | <code>false</code> |
|
| [enable_binary_authorization](variables.tf#L119) | Enable Google Binary Authorization. | <code>bool</code> | | <code>false</code> |
|
||||||
| [enable_intranode_visibility](variables.tf#L125) | Enable intra-node visibility to make same node pod to pod traffic visible. | <code>bool</code> | | <code>null</code> |
|
| [enable_dataplane_v2](variables.tf#L125) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | <code>bool</code> | | <code>false</code> |
|
||||||
| [enable_l4_ilb_subsetting](variables.tf#L131) | Enable L4ILB Subsetting. | <code>bool</code> | | <code>null</code> |
|
| [enable_intranode_visibility](variables.tf#L131) | Enable intra-node visibility to make same node pod to pod traffic visible. | <code>bool</code> | | <code>null</code> |
|
||||||
| [enable_shielded_nodes](variables.tf#L137) | Enable Shielded Nodes features on all nodes in this cluster. | <code>bool</code> | | <code>null</code> |
|
| [enable_l4_ilb_subsetting](variables.tf#L137) | Enable L4ILB Subsetting. | <code>bool</code> | | <code>null</code> |
|
||||||
| [enable_tpu](variables.tf#L143) | Enable Cloud TPU resources in this cluster. | <code>bool</code> | | <code>null</code> |
|
| [enable_shielded_nodes](variables.tf#L143) | Enable Shielded Nodes features on all nodes in this cluster. | <code>bool</code> | | <code>null</code> |
|
||||||
| [labels](variables.tf#L149) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
| [enable_tpu](variables.tf#L149) | Enable Cloud TPU resources in this cluster. | <code>bool</code> | | <code>null</code> |
|
||||||
| [logging_config](variables.tf#L160) | Logging configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
| [labels](variables.tf#L155) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||||
| [logging_service](variables.tf#L166) | Logging service (disable with an empty string). | <code>string</code> | | <code>"logging.googleapis.com/kubernetes"</code> |
|
| [logging_config](variables.tf#L166) | Logging configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
||||||
| [maintenance_config](variables.tf#L172) | Maintenance window configuration. | <code title="object({ daily_maintenance_window = object({ start_time = string }) recurring_window = object({ start_time = string end_time = string recurrence = string }) maintenance_exclusion = list(object({ exclusion_name = string start_time = string end_time = string })) })">object({…})</code> | | <code title="{ daily_maintenance_window = { start_time = "03:00" } recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
| [logging_service](variables.tf#L172) | Logging service (disable with an empty string). | <code>string</code> | | <code>"logging.googleapis.com/kubernetes"</code> |
|
||||||
| [master_authorized_ranges](variables.tf#L198) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | <code>map(string)</code> | | <code>{}</code> |
|
| [maintenance_config](variables.tf#L178) | Maintenance window configuration. | <code title="object({ daily_maintenance_window = object({ start_time = string }) recurring_window = object({ start_time = string end_time = string recurrence = string }) maintenance_exclusion = list(object({ exclusion_name = string start_time = string end_time = string })) })">object({…})</code> | | <code title="{ daily_maintenance_window = { start_time = "03:00" } recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||||
| [min_master_version](variables.tf#L204) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
| [master_authorized_ranges](variables.tf#L204) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
| [monitoring_config](variables.tf#L210) | Monitoring configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
| [min_master_version](variables.tf#L210) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||||
| [monitoring_service](variables.tf#L216) | Monitoring service (disable with an empty string). | <code>string</code> | | <code>"monitoring.googleapis.com/kubernetes"</code> |
|
| [monitoring_config](variables.tf#L216) | Monitoring configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
||||||
| [node_locations](variables.tf#L232) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
| [monitoring_service](variables.tf#L222) | Monitoring service (disable with an empty string). | <code>string</code> | | <code>"monitoring.googleapis.com/kubernetes"</code> |
|
||||||
| [notification_config](variables.tf#L238) | GKE Cluster upgrade notifications via PubSub. | <code>bool</code> | | <code>false</code> |
|
| [node_locations](variables.tf#L238) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [peering_config](variables.tf#L244) | Configure peering with the master VPC for private clusters. | <code title="object({ export_routes = bool import_routes = bool project_id = string })">object({…})</code> | | <code>null</code> |
|
| [notification_config](variables.tf#L244) | GKE Cluster upgrade notifications via PubSub. | <code>bool</code> | | <code>false</code> |
|
||||||
| [pod_security_policy](variables.tf#L254) | Enable the PodSecurityPolicy feature. | <code>bool</code> | | <code>null</code> |
|
| [peering_config](variables.tf#L250) | Configure peering with the master VPC for private clusters. | <code title="object({ export_routes = bool import_routes = bool project_id = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [private_cluster_config](variables.tf#L260) | Enable and configure private cluster, private nodes must be true if used. | <code title="object({ enable_private_nodes = bool enable_private_endpoint = bool master_ipv4_cidr_block = string master_global_access = bool })">object({…})</code> | | <code>null</code> |
|
| [pod_security_policy](variables.tf#L260) | Enable the PodSecurityPolicy feature. | <code>bool</code> | | <code>null</code> |
|
||||||
| [release_channel](variables.tf#L276) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
| [private_cluster_config](variables.tf#L266) | Enable and configure private cluster, private nodes must be true if used. | <code title="object({ enable_private_nodes = bool enable_private_endpoint = bool master_ipv4_cidr_block = string master_global_access = bool })">object({…})</code> | | <code>null</code> |
|
||||||
| [resource_usage_export_config](variables.tf#L282) | Configure the ResourceUsageExportConfig feature. | <code title="object({ enabled = bool dataset = string })">object({…})</code> | | <code title="{ enabled = null dataset = null }">{…}</code> |
|
| [release_channel](variables.tf#L282) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||||
| [vertical_pod_autoscaling](variables.tf#L309) | Enable the Vertical Pod Autoscaling feature. | <code>bool</code> | | <code>null</code> |
|
| [resource_usage_export_config](variables.tf#L288) | Configure the ResourceUsageExportConfig feature. | <code title="object({ enabled = bool dataset = string })">object({…})</code> | | <code title="{ enabled = null dataset = null }">{…}</code> |
|
||||||
| [workload_identity](variables.tf#L315) | Enable the Workload Identity feature. | <code>bool</code> | | <code>true</code> |
|
| [vertical_pod_autoscaling](variables.tf#L315) | Enable the Vertical Pod Autoscaling feature. | <code>bool</code> | | <code>null</code> |
|
||||||
|
| [workload_identity](variables.tf#L321) | Enable the Workload Identity feature. | <code>bool</code> | | <code>true</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -292,6 +292,13 @@ resource "google_container_cluster" "cluster" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
dynamic "binary_authorization" {
|
||||||
|
for_each = var.enable_binary_authorization ? [""] : []
|
||||||
|
content {
|
||||||
|
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
dynamic "dns_config" {
|
dynamic "dns_config" {
|
||||||
for_each = var.dns_config != null ? [""] : []
|
for_each = var.dns_config != null ? [""] : []
|
||||||
content {
|
content {
|
||||||
|
|
|
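Review bot: The new `binary_authorization` block hard-codes `evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"` with no comment saying what is enforced, and the matching `variable "enable_binary_authorization"` in the `@ -116,6 +116,12 @@ variable "enable_autopilot"` hunk only says "Enable Google Binary Authorization.". A comment above the block, `# enforce the project-level Binary Authorization policy; the cluster project must have one configured`, and a description such as `"Enable Google Binary Authorization, enforcing the project singleton policy."` would tell callers that enabling this depends on a policy existing in the cluster project. Since the default is `false`, clusters get no admission enforcement unless callers opt in, which is worth stating next to the variable in the module README. The resource block starts outside the hunk.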
@ -116,6 +116,12 @@ variable "enable_autopilot" {
|
||||||
default = false
|
default = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "enable_binary_authorization" {
|
||||||
|
description = "Enable Google Binary Authorization."
|
||||||
|
type = bool
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
variable "enable_dataplane_v2" {
|
variable "enable_dataplane_v2" {
|
||||||
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config."
|
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config."
|
||||||
type = bool
|
type = bool
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -27,22 +27,16 @@ module "addresses" {
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
internal_addresses = {
|
internal_addresses = {
|
||||||
ilb-1 = {
|
ilb-1 = {
|
||||||
|
purpose = "SHARED_LOADBALANCER_VIP"
|
||||||
region = var.region
|
region = var.region
|
||||||
subnetwork = var.subnet.self_link
|
subnetwork = var.subnet.self_link
|
||||||
}
|
}
|
||||||
ilb-2 = {
|
ilb-2 = {
|
||||||
|
address = "10.0.0.2"
|
||||||
region = var.region
|
region = var.region
|
||||||
subnetwork = var.subnet.self_link
|
subnetwork = var.subnet.self_link
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# optional configuration
|
|
||||||
internal_addresses_config = {
|
|
||||||
ilb-1 = {
|
|
||||||
address = null
|
|
||||||
purpose = "SHARED_LOADBALANCER_VIP"
|
|
||||||
tier = null
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=2
|
# tftest modules=1 resources=2
|
||||||
```
|
```
|
||||||
|
@ -89,13 +83,12 @@ module "addresses" {
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [project_id](variables.tf#L60) | Project where the addresses will be created. | <code>string</code> | ✓ | |
|
| [project_id](variables.tf#L54) | Project where the addresses will be created. | <code>string</code> | ✓ | |
|
||||||
| [external_addresses](variables.tf#L17) | Map of external address regions, keyed by name. | <code>map(string)</code> | | <code>{}</code> |
|
| [external_addresses](variables.tf#L17) | Map of external address regions, keyed by name. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
| [global_addresses](variables.tf#L29) | List of global addresses to create. | <code>list(string)</code> | | <code>[]</code> |
|
| [global_addresses](variables.tf#L29) | List of global addresses to create. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [internal_addresses](variables.tf#L35) | Map of internal addresses to create, keyed by name. | <code title="map(object({ region = string subnetwork = string }))">map(object({…}))</code> | | <code>{}</code> |
|
| [internal_addresses](variables.tf#L35) | Map of internal addresses to create, keyed by name. | <code title="map(object({ region = string subnetwork = string address = optional(string) labels = optional(map(string)) purpose = optional(string) tier = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [internal_addresses_config](variables.tf#L44) | Optional configuration for internal addresses, keyed by name. Unused options can be set to null. | <code title="map(object({ address = string purpose = string tier = string }))">map(object({…}))</code> | | <code>{}</code> |
|
| [psa_addresses](variables.tf#L59) | Map of internal addresses used for Private Service Access. | <code title="map(object({ address = string network = string prefix_length = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [psa_addresses](variables.tf#L65) | Map of internal addresses used for Private Service Access. | <code title="map(object({ address = string network = string prefix_length = number }))">map(object({…}))</code> | | <code>{}</code> |
|
| [psc_addresses](variables.tf#L69) | Map of internal addresses used for Private Service Connect. | <code title="map(object({ address = string network = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [psc_addresses](variables.tf#L75) | Map of internal addresses used for Private Service Connect. | <code title="map(object({ address = string network = string }))">map(object({…}))</code> | | <code>{}</code> |
|
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -39,10 +39,10 @@ resource "google_compute_address" "internal" {
|
||||||
address_type = "INTERNAL"
|
address_type = "INTERNAL"
|
||||||
region = each.value.region
|
region = each.value.region
|
||||||
subnetwork = each.value.subnetwork
|
subnetwork = each.value.subnetwork
|
||||||
address = try(var.internal_addresses_config[each.key].address, null)
|
address = each.value.address
|
||||||
network_tier = try(var.internal_addresses_config[each.key].tier, null)
|
network_tier = each.value.tier
|
||||||
purpose = try(var.internal_addresses_config[each.key].purpose, null)
|
purpose = each.value.purpose
|
||||||
# labels = lookup(var.internal_address_labels, each.key, {})
|
labels = coalesce(each.value.labels, {})
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_global_address" "psc" {
|
resource "google_compute_global_address" "psc" {
|
||||||
|
|
|
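Review bot: `labels = coalesce(each.value.labels, {})` on the last changed line special-cases null at the resource when the type system can now do it at the variable: this same change raises `required_version` to `>= 1.3.0`, so declaring `labels = optional(map(string), {})` in the `variable "internal_addresses"` hunk gives the attribute its default at the type boundary and this line becomes simply `labels = each.value.labels`. The `address`, `tier` and `purpose` lines read the new optional attributes directly, which is right since null is the value the provider expects when they are unset. Dropping the `try(var.internal_addresses_config[each.key]...)` lookups is also the safer shape, because a misspelled attribute now fails at plan time instead of quietly becoming null. The resource block starts before this hunk.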
@ -37,16 +37,10 @@ variable "internal_addresses" {
|
||||||
type = map(object({
|
type = map(object({
|
||||||
region = string
|
region = string
|
||||||
subnetwork = string
|
subnetwork = string
|
||||||
}))
|
address = optional(string)
|
||||||
default = {}
|
labels = optional(map(string))
|
||||||
}
|
purpose = optional(string)
|
||||||
|
tier = optional(string)
|
||||||
variable "internal_addresses_config" {
|
|
||||||
description = "Optional configuration for internal addresses, keyed by name. Unused options can be set to null."
|
|
||||||
type = map(object({
|
|
||||||
address = string
|
|
||||||
purpose = string
|
|
||||||
tier = string
|
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -403,18 +403,18 @@ An Internal HTTP Load Balancer is made of multiple components, that change depen
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [name](variables.tf#L17) | Load balancer name. | <code>string</code> | ✓ | |
|
| [name](variables.tf#L17) | Load balancer name. | <code>string</code> | ✓ | |
|
||||||
| [project_id](variables.tf#L22) | Project id. | <code>string</code> | ✓ | |
|
| [project_id](variables.tf#L22) | Project id. | <code>string</code> | ✓ | |
|
||||||
| [region](variables.tf#L157) | The region where to allocate the ILB resources. | <code>string</code> | ✓ | |
|
| [region](variables.tf#L159) | The region where to allocate the ILB resources. | <code>string</code> | ✓ | |
|
||||||
| [subnetwork](variables.tf#L187) | The subnetwork where the ILB VIP is allocated. | <code>string</code> | ✓ | |
|
| [subnetwork](variables.tf#L189) | The subnetwork where the ILB VIP is allocated. | <code>string</code> | ✓ | |
|
||||||
| [backend_services_config](variables.tf#L27) | The backends services configuration. | <code title="map(object({ backends = list(object({ group = string # The instance group link id options = object({ balancing_mode = string # Can be UTILIZATION, RATE capacity_scaler = number # Valid range is [0.0,1.0] max_connections = number max_connections_per_instance = number max_connections_per_endpoint = number max_rate = number max_rate_per_instance = number max_rate_per_endpoint = number max_utilization = number }) })) health_checks = list(string) log_config = object({ enable = bool sample_rate = number # must be in [0, 1] }) options = object({ affinity_cookie_ttl_sec = number custom_request_headers = list(string) custom_response_headers = list(string) connection_draining_timeout_sec = number locality_lb_policy = string port_name = string protocol = string session_affinity = string timeout_sec = number circuits_breakers = object({ max_requests_per_connection = number # Set to 1 to disable keep-alive max_connections = number # Defaults to 1024 max_pending_requests = number # Defaults to 1024 max_requests = number # Defaults to 1024 max_retries = number # Defaults to 3 }) consistent_hash = object({ http_header_name = string minimum_ring_size = string http_cookie = object({ name = string path = string ttl = object({ seconds = number nanos = number }) }) }) iap = object({ oauth2_client_id = string oauth2_client_secret = string oauth2_client_secret_sha256 = string }) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [backend_services_config](variables.tf#L27) | The backends services configuration. | <code title="map(object({ backends = list(object({ group = string # The instance group link id options = object({ balancing_mode = string # Can be UTILIZATION, RATE capacity_scaler = number # Valid range is [0.0,1.0] max_connections = number max_connections_per_instance = number max_connections_per_endpoint = number max_rate = number max_rate_per_instance = number max_rate_per_endpoint = number max_utilization = number }) })) health_checks = list(string) log_config = object({ enable = bool sample_rate = number # must be in [0, 1] }) options = object({ affinity_cookie_ttl_sec = number custom_request_headers = list(string) custom_response_headers = list(string) connection_draining_timeout_sec = number locality_lb_policy = string port_name = string protocol = string session_affinity = string timeout_sec = number circuits_breakers = object({ max_requests_per_connection = number # Set to 1 to disable keep-alive max_connections = number # Defaults to 1024 max_pending_requests = number # Defaults to 1024 max_requests = number # Defaults to 1024 max_retries = number # Defaults to 3 }) consistent_hash = object({ http_header_name = string minimum_ring_size = string http_cookie = object({ name = string path = string ttl = object({ seconds = number nanos = number }) }) }) iap = object({ oauth2_client_id = string oauth2_client_secret = string oauth2_client_secret_sha256 = string }) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [forwarding_rule_config](variables.tf#L98) | Forwarding rule configurations. | <code title="object({ ip_version = string labels = map(string) network_tier = string port_range = string })">object({…})</code> | | <code title="{ allow_global_access = true ip_version = "IPV4" labels = {} network_tier = "PREMIUM" port_range = null }">{…}</code> |
|
| [forwarding_rule_config](variables.tf#L98) | Forwarding rule configurations. | <code title="object({ ip_version = string labels = map(string) network_tier = string port_range = string service_label = string })">object({…})</code> | | <code title="{ allow_global_access = true ip_version = "IPV4" labels = {} network_tier = "PREMIUM" port_range = null service_label = null }">{…}</code> |
|
||||||
| [health_checks_config](variables.tf#L116) | Custom health checks configuration. | <code title="map(object({ type = string # http https tcp ssl http2 check = map(any) # actual health check block attributes options = map(number) # interval, thresholds, timeout logging = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
| [health_checks_config](variables.tf#L118) | Custom health checks configuration. | <code title="map(object({ type = string # http https tcp ssl http2 check = map(any) # actual health check block attributes options = map(number) # interval, thresholds, timeout logging = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [health_checks_config_defaults](variables.tf#L127) | Auto-created health check default configuration. | <code title="object({ check = map(any) # actual health check block attributes logging = bool options = map(number) # interval, thresholds, timeout type = string # http https tcp ssl http2 })">object({…})</code> | | <code title="{ type = "http" logging = false options = {} check = { port_specification = "USE_SERVING_PORT" } }">{…}</code> |
|
| [health_checks_config_defaults](variables.tf#L129) | Auto-created health check default configuration. | <code title="object({ check = map(any) # actual health check block attributes logging = bool options = map(number) # interval, thresholds, timeout type = string # http https tcp ssl http2 })">object({…})</code> | | <code title="{ type = "http" logging = false options = {} check = { port_specification = "USE_SERVING_PORT" } }">{…}</code> |
|
||||||
| [https](variables.tf#L145) | Whether to enable HTTPS. | <code>bool</code> | | <code>false</code> |
|
| [https](variables.tf#L147) | Whether to enable HTTPS. | <code>bool</code> | | <code>false</code> |
|
||||||
| [network](variables.tf#L151) | The network where the ILB is created. | <code>string</code> | | <code>"default"</code> |
|
| [network](variables.tf#L153) | The network where the ILB is created. | <code>string</code> | | <code>"default"</code> |
|
||||||
| [ssl_certificates_config](variables.tf#L162) | The SSL certificates configuration. | <code title="map(object({ domains = list(string) tls_private_key = string tls_self_signed_cert = string }))">map(object({…}))</code> | | <code>{}</code> |
|
| [ssl_certificates_config](variables.tf#L164) | The SSL certificates configuration. | <code title="map(object({ domains = list(string) tls_private_key = string tls_self_signed_cert = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [static_ip_config](variables.tf#L172) | Static IP address configuration. | <code title="object({ reserve = bool options = object({ address = string subnetwork = string # The subnet id }) })">object({…})</code> | | <code title="{ reserve = false options = null }">{…}</code> |
|
| [static_ip_config](variables.tf#L174) | Static IP address configuration. | <code title="object({ reserve = bool options = object({ address = string subnetwork = string # The subnet id }) })">object({…})</code> | | <code title="{ reserve = false options = null }">{…}</code> |
|
||||||
| [target_proxy_https_config](variables.tf#L192) | The HTTPS target proxy configuration. | <code title="object({ ssl_certificates = list(string) })">object({…})</code> | | <code>null</code> |
|
| [target_proxy_https_config](variables.tf#L194) | The HTTPS target proxy configuration. | <code title="object({ ssl_certificates = list(string) })">object({…})</code> | | <code>null</code> |
|
||||||
| [url_map_config](variables.tf#L200) | The url-map configuration. | <code title="object({ default_service = string default_url_redirect = map(any) host_rules = list(any) path_matchers = list(any) tests = list(map(string)) })">object({…})</code> | | <code>null</code> |
|
| [url_map_config](variables.tf#L202) | The url-map configuration. | <code title="object({ default_service = string default_url_redirect = map(any) host_rules = list(any) path_matchers = list(any) tests = list(map(string)) })">object({…})</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -62,6 +62,7 @@ resource "google_compute_forwarding_rule" "forwarding_rule" {
|
||||||
port_range = local.port_range
|
port_range = local.port_range
|
||||||
ports = []
|
ports = []
|
||||||
region = try(var.region, null)
|
region = try(var.region, null)
|
||||||
|
service_label = try(var.forwarding_rule_config.service_label, null)
|
||||||
subnetwork = try(var.subnetwork, null)
|
subnetwork = try(var.subnetwork, null)
|
||||||
target = local.target
|
target = local.target
|
||||||
}
|
}
|
||||||
|
|
|
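Review bot: The added `service_label = try(var.forwarding_rule_config.service_label, null)` wraps an attribute that the `variable "forwarding_rule_config"` hunk declares in the object type, so on any value that passes type checking the `try()` never falls through; its only remaining effect is to turn a misspelled attribute name into a silent null instead of a plan-time error. Reading it directly, `service_label = var.forwarding_rule_config.service_label`, keeps that failure visible. The neighbouring `try(var.region, null)` and `try(var.subnetwork, null)` lines follow the older pattern, so this is a style choice worth making consistently across the block rather than only here. The resource block starts before this hunk.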
@ -98,10 +98,11 @@ variable "backend_services_config" {
|
||||||
variable "forwarding_rule_config" {
|
variable "forwarding_rule_config" {
|
||||||
description = "Forwarding rule configurations."
|
description = "Forwarding rule configurations."
|
||||||
type = object({
|
type = object({
|
||||||
ip_version = string
|
ip_version = string
|
||||||
labels = map(string)
|
labels = map(string)
|
||||||
network_tier = string
|
network_tier = string
|
||||||
port_range = string
|
port_range = string
|
||||||
|
service_label = string
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
allow_global_access = true
|
allow_global_access = true
|
||||||
|
@ -109,7 +110,8 @@ variable "forwarding_rule_config" {
|
||||||
labels = {}
|
labels = {}
|
||||||
network_tier = "PREMIUM"
|
network_tier = "PREMIUM"
|
||||||
# If not specified, 443 if var.https = true; 80 otherwise
|
# If not specified, 443 if var.https = true; 80 otherwise
|
||||||
port_range = null
|
port_range = null
|
||||||
|
service_label = null
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
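Review bot: Adding `service_label = string` as a plain, non-optional attribute of the `forwarding_rule_config` object type in the first hunk breaks every existing caller that passes its own `forwarding_rule_config`, because Terraform rejects an object value that lacks a declared attribute; only callers relying on the default are unaffected. With `required_version` now at `>= 1.3.0` elsewhere in this change, `service_label = optional(string)` keeps those callers working and still yields null when unset, which matches the `service_label = null` added to the default in the second hunk. If the attribute is intended to be mandatory, the change should be called out as incompatible in the module documentation. The variable block starts and ends within the two hunks shown.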
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 1.1.0"
|
required_version = ">= 1.3.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
google = {
|
google = {
|
||||||
source = "hashicorp/google"
|
source = "hashicorp/google"
|
||||||
|
|