Merge branch 'master' into yuryninog-patch-1

This commit is contained in:
yuryninog 2022-01-03 10:47:27 -05:00 committed by GitHub
commit a3da60bc71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
765 changed files with 5038 additions and 3475 deletions


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -50,7 +50,7 @@ steps:
"factories/firewall-vpc-rules",
"foundations",
"modules",
"networking"
"networking",
]
substitutions:


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,5 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -19,7 +18,7 @@ name: |
on:
workflow_dispatch:
schedule:
- cron: '0 2 * * *'
- cron: "0 2 * * *"
permissions:
contents: write
@ -44,4 +43,3 @@ jobs:
else
echo "No changes in last 24 hours"
fi


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
name: 'Linting'
name: "Linting"
on:
pull_request:
branches:
@ -30,7 +30,7 @@ jobs:
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.9'
python-version: "3.9"
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
@ -54,4 +54,10 @@ jobs:
- name: Check documentation
id: documentation
run: |
python3 tools/check_documentation.py cloud-operations/ data-solutions/ data-solutions/data-platform-foundations/ factories/ factories/firewall-vpc-rules/ foundations/ modules/ networking/
python3 tools/check_documentation.py \
cloud-operations \
data-solutions \
factories \
foundations \
modules \
networking
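Review bot: The rewritten `check_documentation.py` invocation on the last seven lines no longer passes `data-solutions/data-platform-foundations` and `factories/firewall-vpc-rules`, both of which the one-line form it replaces did pass; unless the script now recurses into subdirectories, those two trees silently drop out of the documentation lint, while the first file section of this commit (which looks like a Cloud Build config) still lists `factories/firewall-vpc-rules` as a tracked path. If recursion is the intent, a one-line comment above the step such as `# check_documentation.py recurses, so only top-level trees are listed` would spare the next reader the same question; otherwise re-add the two entries, e.g. `data-solutions/data-platform-foundations \` and `factories/firewall-vpc-rules \` after their parent directories. The switch from trailing-slash arguments to bare directory names is also worth confirming against how the script joins paths, since that is not visible here.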


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -12,10 +12,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
name: 'Tests'
name: "Tests"
on:
schedule:
- cron: '45 2 * * *'
- cron: "45 2 * * *"
pull_request:
branches:
- master
@ -35,7 +35,7 @@ jobs:
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.9'
python-version: "3.9"
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
@ -64,7 +64,7 @@ jobs:
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.9'
python-version: "3.9"
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
@ -93,7 +93,7 @@ jobs:
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.9'
python-version: "3.9"
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1


@ -3,13 +3,40 @@
All notable changes to this project will be documented in this file.
## [Unreleased]
## [1.0.1] - 2022-01-03
- remove lifecycle block from vpc sc perimeter resources
## [10.0.0] - 2021-12-31
- fix cases where bridge perimeter status resources are `null` in `vpc-sc` module
- re-release 9.0.3 as a major release as it contains breaking changes
- update hierarchical firewall resources to use the newer `google_compute_firewall_*` resources
- **incompatible change** rename `firewall_policy_attachments` to `firewall_policy_association` in the `organization` and `folder` modules
- **incompatible change** updated API for the `net-vpc-sc` module
## [9.0.3] - 2021-12-31
- update hierarchical firewall resources to use the newer `google_compute_firewall_*` resources
- **incompatible change** rename `firewall_policy_attachments` to `firewall_policy_association` in the `organization` and `folder` modules
- **incompatible change** updated API for the `net-vpc-sc` module
## [9.0.2] - 2021-12-22
- ignore description changes in firewall policy rule to avoid permadiff, add factory example to `folder` module documentation
## [9.0.0] - 2021-12-22
- new `cloud-run` module
- added gVNIC support to `compute-vm` module
- added a rule factory to `net-vpc-firewall` module
- added a subnet factory to `net-vpc` module
- **incompatible change** added support for partitioned tables to `organization` module sinks
- **incompatible change** renamed `private_service_networking_range` variable to `psc_ranges` in `net-vpc`module, and changed its type to `list(string)`
- added a firewall policy factory to `organization` module
- added a firewall policy factory to `organization` and `firewall` module
- refactored `tfdoc`
- added support for metric scopes to the `project` module
## [8.0.0] - 2021-10-21
@ -381,7 +408,12 @@ All notable changes to this project will be documented in this file.
- merge development branch with suite of new modules and end-to-end examples
[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v8.0.0...HEAD
[Unreleased]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v10.0.1...HEAD
[10.0.1]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v10.0.0...v10.0.1
[10.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v9.0.3...v10.0.0
[9.0.3]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v9.0.2...v9.0.3
[9.0.2]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v9.0.0...v9.0.2
[9.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v8.0.0...v9.0.0
[8.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v7.0.0...v8.0.0
[7.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v6.0.0...v7.0.0
[6.0.0]: https://github.com/terraform-google-modules/cloud-foundation-fabric/compare/v5.1.0...v6.0.0


@ -23,7 +23,7 @@ Currently available examples:
- **foundations** - [single level hierarchy](./foundations/environments/) (environments), [multiple level hierarchy](./foundations/business-units/) (business units + environments)
- **networking** - [hub and spoke via peering](./networking/hub-and-spoke-peering/), [hub and spoke via VPN](./networking/hub-and-spoke-vpn/), [DNS and Google Private Access for on-premises](./networking/onprem-google-access-dns/), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [ILB as next hop](./networking/ilb-next-hop), [PSC for on-premises Cloud Function invocation](./networking/private-cloud-function-from-onprem/), [decentralized firewall](./networking/decentralized-firewall)
- **data solutions** - [GCE/GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms/), [Cloud Storage to Bigquery with Cloud Dataflow](./data-solutions/gcs-to-bq-with-dataflow/)
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](.//cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder)
- **cloud operations** - [Resource tracking and remediation via Cloud Asset feeds](.//cloud-operations/asset-inventory-feed-remediation), [Granular Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Granular Cloud DNS IAM for Shared VPC](./cloud-operations/dns-shared-vpc), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Packer image builder](./cloud-operations/packer-image-builder), [On-prem SA key management](./cloud-operations/onprem-sa-key-management)
- **third party solutions** - [OpenShift cluster on Shared VPC](./third-party-solutions/openshift)
- **factories** - [Example environments](./factories/example-environments), [Hierarchical Firewall Policies](./factories/firewall-hierarchical-policies), [VPC Firewall Rules](./factories/firewall-vpc-rules), [Subnets](./factories/subnets)


@ -45,3 +45,10 @@ The example's feed tracks changes to Google Compute instances, and the Cloud Fun
<a href="./packer-image-builder" title="Packer image builder"><img src="./packer-image-builder/diagram.png" align="left" width="280px"></a> This [example](./packer-image-builder) shows how to deploy infrastructure for a Compute Engine image builder based on [Hashicorp's Packer tool](https://www.packer.io).
<br clear="left">
## On-prem Service Account key management
This [example](./onprem-sa-key-management) shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP.
s
<br clear="left">


@ -52,16 +52,18 @@ Run the `subscription_pull` command until it returns nothing, then run the follo
- the `tag_show` command to verify that the function output matches the resource state
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_id | Project id that references existing project. | <code title="">string</code> | ✓ | |
| *bundle_path* | Path used to write the intermediate Cloud Function code bundle. | <code title="">string</code> | | <code title="">./bundle.zip</code> |
| *name* | Arbitrary string used to name created resources. | <code title="">string</code> | | <code title="">asset-feed</code> |
| *project_create* | Create project instead of using an existing one. | <code title="">bool</code> | | <code title="">false</code> |
| *region* | Compute region used in the example. | <code title="">string</code> | | <code title="">europe-west1</code> |
|---|---|:---:|:---:|:---:|
| project_id | Project id that references existing project. | <code>string</code> | ✓ | |
| bundle_path | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>&#34;.&#47;bundle.zip&#34;</code> |
| name | Arbitrary string used to name created resources. | <code>string</code> | | <code>&#34;asset-feed&#34;</code> |
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
| region | Compute region used in the example. | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
## Outputs
@ -71,5 +73,7 @@ Run the `subscription_pull` command until it returns nothing, then run the follo
| subscription_pull | Subscription pull command. | |
| tag_add | Instance add tag command. | |
| tag_show | Instance add tag command. | |
<!-- END TFDOC -->


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -99,16 +99,18 @@ dig app1.svc.example.org +short
# 127.0.0.7
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_id | Existing project id. | <code title="">string</code> | ✓ | |
| *name* | Arbitrary string used to name created resources. | <code title="">string</code> | | <code title="">dns-sd-test</code> |
| *project_create* | Create project instead ofusing an existing one. | <code title="">bool</code> | | <code title="">false</code> |
| *region* | Compute region used in the example. | <code title="">string</code> | | <code title="">europe-west1</code> |
| *zone_domain* | Domain name used for the DNS zone. | <code title="">string</code> | | <code title="">svc.example.org.</code> |
|---|---|:---:|:---:|:---:|
| project_id | Existing project id. | <code>string</code> | ✓ | |
| name | Arbitrary string used to name created resources. | <code>string</code> | | <code>&#34;dns-sd-test&#34;</code> |
| project_create | Create project instead ofusing an existing one. | <code>bool</code> | | <code>false</code> |
| region | Compute region used in the example. | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
| zone_domain | Domain name used for the DNS zone. | <code>string</code> | | <code>&#34;svc.example.org.&#34;</code> |
## Outputs
@ -116,4 +118,6 @@ dig app1.svc.example.org +short
|---|---|:---:|
| gcloud_commands | Commands used to SSH to the VMs. | |
| vms | VM names. | |
<!-- END TFDOC -->


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -19,22 +19,26 @@ The resources created in this example are shown in the high level diagram below:
Note that Terraform 0.13 at least is required due to the use of `for_each` with modules.
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| billing_account_id | Billing account associated with the GCP Projects that will be created for each team. | <code title="">string</code> | ✓ | |
| folder_id | Folder ID in which DNS projects will be created. | <code title="">string</code> | ✓ | |
| shared_vpc_link | Shared VPC self link, used for DNS peering. | <code title="">string</code> | ✓ | |
| *dns_domain* | DNS domain under which each application team DNS domain will be created. | <code title="">string</code> | | <code title="">example.org</code> |
| *prefix* | Customer name to use as prefix for resources' naming. | <code title="">string</code> | | <code title="">test-dns</code> |
| *project_services* | Service APIs enabled by default. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="&#91;&#10;&#34;compute.googleapis.com&#34;,&#10;&#34;dns.googleapis.com&#34;,&#10;&#93;">...</code> |
| *teams* | List of application teams requiring their own Cloud DNS instance. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="&#91;&#10;&#34;team1&#34;,&#10;&#34;team2&#34;,&#10;&#93;">...</code> |
|---|---|:---:|:---:|:---:|
| billing_account_id | Billing account associated with the GCP Projects that will be created for each team. | <code>string</code> | ✓ | |
| folder_id | Folder ID in which DNS projects will be created. | <code>string</code> | ✓ | |
| shared_vpc_link | Shared VPC self link, used for DNS peering. | <code>string</code> | ✓ | |
| dns_domain | DNS domain under which each application team DNS domain will be created. | <code>string</code> | | <code>&#34;example.org&#34;</code> |
| prefix | Customer name to use as prefix for resources' naming. | <code>string</code> | | <code>&#34;test-dns&#34;</code> |
| project_services | Service APIs enabled by default. | <code>list&#40;string&#41;</code> | | <code title="&#91;&#10; &#34;compute.googleapis.com&#34;,&#10; &#34;dns.googleapis.com&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
| teams | List of application teams requiring their own Cloud DNS instance. | <code>list&#40;string&#41;</code> | | <code title="&#91;&#10; &#34;team1&#34;,&#10; &#34;team2&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| teams | Team resources | |
<!-- END TFDOC -->


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -64,18 +64,19 @@ If you get any warnings, check the roles and remove any of them granting any of
- `resourcemanager.organizations.setIamPolicy`
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_administrators | List identities granted administrator permissions. | <code title="list&#40;string&#41;">list(string)</code> | ✓ | |
| project_id | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code title="">string</code> | ✓ | |
| *delegated_role_grants* | List of roles that project administrators will be allowed to grant/revoke. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="&#91;&#10;&#34;roles&#47;storage.admin&#34;,&#10;&#34;roles&#47;storage.hmacKeyAdmin&#34;,&#10;&#34;roles&#47;storage.legacyBucketOwner&#34;,&#10;&#34;roles&#47;storage.objectAdmin&#34;,&#10;&#34;roles&#47;storage.objectCreator&#34;,&#10;&#34;roles&#47;storage.objectViewer&#34;,&#10;&#34;roles&#47;compute.admin&#34;,&#10;&#34;roles&#47;compute.imageUser&#34;,&#10;&#34;roles&#47;compute.instanceAdmin&#34;,&#10;&#34;roles&#47;compute.instanceAdmin.v1&#34;,&#10;&#34;roles&#47;compute.networkAdmin&#34;,&#10;&#34;roles&#47;compute.networkUser&#34;,&#10;&#34;roles&#47;compute.networkViewer&#34;,&#10;&#34;roles&#47;compute.orgFirewallPolicyAdmin&#34;,&#10;&#34;roles&#47;compute.orgFirewallPolicyUser&#34;,&#10;&#34;roles&#47;compute.orgSecurityPolicyAdmin&#34;,&#10;&#34;roles&#47;compute.orgSecurityPolicyUser&#34;,&#10;&#34;roles&#47;compute.orgSecurityResourceAdmin&#34;,&#10;&#34;roles&#47;compute.osAdminLogin&#34;,&#10;&#34;roles&#47;compute.osLogin&#34;,&#10;&#34;roles&#47;compute.osLoginExternalUser&#34;,&#10;&#34;roles&#47;compute.packetMirroringAdmin&#34;,&#10;&#34;roles&#47;compute.packetMirroringUser&#34;,&#10;&#34;roles&#47;compute.publicIpAdmin&#34;,&#10;&#34;roles&#47;compute.securityAdmin&#34;,&#10;&#34;roles&#47;compute.serviceAgent&#34;,&#10;&#34;roles&#47;compute.storageAdmin&#34;,&#10;&#34;roles&#47;compute.viewer&#34;,&#10;&#34;roles&#47;viewer&#34;&#10;&#93;">...</code> |
| *direct_role_grants* | List of roles granted directly to project administrators. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="&#91;&#10;&#34;roles&#47;compute.admin&#34;,&#10;&#34;roles&#47;storage.admin&#34;,&#10;&#93;">...</code> |
| *project_create* | Create project instead of using an existing one. | <code title="">bool</code> | | <code title="">false</code> |
| *restricted_role_grant* | Role grant to which the restrictions will apply. | <code title="">string</code> | | <code title="">roles/resourcemanager.projectIamAdmin</code> |
## Outputs
|---|---|:---:|:---:|:---:|
| project_administrators | List identities granted administrator permissions. | <code>list&#40;string&#41;</code> | ✓ | |
| project_id | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code>string</code> | ✓ | |
| delegated_role_grants | List of roles that project administrators will be allowed to grant/revoke. | <code>list&#40;string&#41;</code> | | <code title="&#91;&#10; &#34;roles&#47;storage.admin&#34;,&#10; &#34;roles&#47;storage.hmacKeyAdmin&#34;,&#10; &#34;roles&#47;storage.legacyBucketOwner&#34;,&#10; &#34;roles&#47;storage.objectAdmin&#34;,&#10; &#34;roles&#47;storage.objectCreator&#34;,&#10; &#34;roles&#47;storage.objectViewer&#34;,&#10; &#34;roles&#47;compute.admin&#34;,&#10; &#34;roles&#47;compute.imageUser&#34;,&#10; &#34;roles&#47;compute.instanceAdmin&#34;,&#10; &#34;roles&#47;compute.instanceAdmin.v1&#34;,&#10; &#34;roles&#47;compute.networkAdmin&#34;,&#10; &#34;roles&#47;compute.networkUser&#34;,&#10; &#34;roles&#47;compute.networkViewer&#34;,&#10; &#34;roles&#47;compute.orgFirewallPolicyAdmin&#34;,&#10; &#34;roles&#47;compute.orgFirewallPolicyUser&#34;,&#10; &#34;roles&#47;compute.orgSecurityPolicyAdmin&#34;,&#10; &#34;roles&#47;compute.orgSecurityPolicyUser&#34;,&#10; &#34;roles&#47;compute.orgSecurityResourceAdmin&#34;,&#10; &#34;roles&#47;compute.osAdminLogin&#34;,&#10; &#34;roles&#47;compute.osLogin&#34;,&#10; &#34;roles&#47;compute.osLoginExternalUser&#34;,&#10; &#34;roles&#47;compute.packetMirroringAdmin&#34;,&#10; &#34;roles&#47;compute.packetMirroringUser&#34;,&#10; &#34;roles&#47;compute.publicIpAdmin&#34;,&#10; &#34;roles&#47;compute.securityAdmin&#34;,&#10; &#34;roles&#47;compute.serviceAgent&#34;,&#10; &#34;roles&#47;compute.storageAdmin&#34;,&#10; &#34;roles&#47;compute.viewer&#34;,&#10; &#34;roles&#47;viewer&#34;&#10;&#93;">&#91;&#8230;&#93;</code> |
| direct_role_grants | List of roles granted directly to project administrators. | <code>list&#40;string&#41;</code> | | <code title="&#91;&#10; &#34;roles&#47;compute.admin&#34;,&#10; &#34;roles&#47;storage.admin&#34;,&#10;&#93;">&#91;&#8230;&#93;</code> |
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
| restricted_role_grant | Role grant to which the restrictions will apply. | <code>string</code> | | <code>&#34;roles&#47;resourcemanager.projectIamAdmin&#34;</code> |
<!-- END TFDOC -->


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -28,50 +28,50 @@ SENSITIVE_PERMISSIONS = {
def get_role_permissions(role):
if role.startswith("roles/"):
endpoint = iam_service.roles()
elif role.startswith("projects/"):
endpoint = iam_service.projects().roles()
elif role.startswith("organizations/"):
endpoint = iam_service.organizations().roles()
else:
raise Exception(f"Invalid role {role}")
if role.startswith("roles/"):
endpoint = iam_service.roles()
elif role.startswith("projects/"):
endpoint = iam_service.projects().roles()
elif role.startswith("organizations/"):
endpoint = iam_service.organizations().roles()
else:
raise Exception(f"Invalid role {role}")
response = endpoint.get(name=role).execute()
permissions = response.get("includedPermissions")
return permissions
response = endpoint.get(name=role).execute()
permissions = response.get("includedPermissions")
return permissions
@click.command()
@click.argument("file", type=click.File("r"))
def main(file):
"""Verify that the set of GCP roles in FILE does not include the
permission setIamPolicy at project, folder or organization level
"""Verify that the set of GCP roles in FILE does not include the
permission setIamPolicy at project, folder or organization level
This program authenticates against GCP using default application
credentials to query project and organization level roles.
This program authenticates against GCP using default application
credentials to query project and organization level roles.
"""
clean_roles = [x.rstrip(" \n") for x in file]
roles = (x for x in clean_roles if x)
"""
clean_roles = [x.rstrip(" \n") for x in file]
roles = (x for x in clean_roles if x)
allok = True
for role in roles:
try:
permissions = set(get_role_permissions(role))
except Error as e:
print(f"WARNING: can't read {role}: {e}")
allok = False
else:
matched_sensitive_permissions = SENSITIVE_PERMISSIONS & permissions
if matched_sensitive_permissions:
print(f"WARNING: {role} contains {matched_sensitive_permissions}")
allok = False
else:
print(f"{role} ok")
allok = True
for role in roles:
try:
permissions = set(get_role_permissions(role))
except Error as e:
print(f"WARNING: can't read {role}: {e}")
allok = False
else:
matched_sensitive_permissions = SENSITIVE_PERMISSIONS & permissions
if matched_sensitive_permissions:
print(f"WARNING: {role} contains {matched_sensitive_permissions}")
allok = False
else:
print(f"{role} ok")
exit(0 if allok else 1)
exit(0 if allok else 1)
if __name__ == "__main__":
main()
main()


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -0,0 +1,83 @@
# Managing on-prem service account keys by uploading public keys
When managing GCP Service Accounts with terraform, it's often a question on **how to avoid Service Account Key in the terraform state?**
This example shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP. It has the following benefits:
- no [passing keys between users](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#pass-between-users) or systems
- no private keys stored in the terraform state (only public part of the key is in the state)
- let keys [expire automatically](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#key-expiryhaving)
## Running the example
Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=cloud-operations%2Fonprem-sa-key-management&cloudshell_open_in_editor=cloudshell_open%2Fcloud-foundation-fabric%2Fcloud-operations%2Fonprem-sa-key-management%2Fvariables.tf), then go through the following steps to create resources:
Cleaning up example keys
```bash
rm -f /public-keys/data-uploader/
rm -f /public-keys/prisma-security/
```
Generate keys for service accounts
```bash
mkdir keys && cd keys
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
-keyout data_uploader_private_key.pem \
-out ../public-keys/data-uploader/public_key.pem \
-subj "/CN=unused"
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
-keyout prisma_security_private_key.pem \
-out ../public-keys/prisma-security/public_key.pem \
-subj "/CN=unused"
```
Deploy service accounts and keys
```bash
cd ..
terraform init
terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
```
Extract JSON credentials templates from terraform output and put the private part of the keys into templates
```bash
terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json
contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
```
## Testing the example
Validate that service accounts json credentials are valid
```bash
gcloud auth activate-service-account --key-file prisma-security.json
gcloud auth activate-service-account --key-file data-uploader.json
```
## Cleaning up
```bash
terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| project_id | Project id. | <code>string</code> | ✓ | |
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
| service_accounts | List of service accounts. | <code title="list&#40;object&#40;&#123;&#10; name &#61; string&#10; iam_project_roles &#61; list&#40;string&#41;&#10; public_keys_path &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10; &#123;&#10; name &#61; &#34;data-uploader&#34;&#10; iam_project_roles &#61; &#91;&#10; &#34;roles&#47;bigquery.dataOwner&#34;,&#10; &#34;roles&#47;bigquery.jobUser&#34;,&#10; &#34;roles&#47;storage.objectAdmin&#34;&#10; &#93;&#10; public_keys_path &#61; &#34;public-keys&#47;data-uploader&#47;&#34;&#10; &#125;,&#10; &#123;&#10; name &#61; &#34;prisma-security&#34;&#10; iam_project_roles &#61; &#91;&#10; &#34;roles&#47;iam.securityReviewer&#34;&#10; &#93;&#10; public_keys_path &#61; &#34;public-keys&#47;prisma-security&#47;&#34;&#10; &#125;,&#10;&#93;">&#91;&#8230;&#93;</code> |
| services | Service APIs to enable. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| sa-credentials | SA json key templates. | |
<!-- END TFDOC -->


@ -0,0 +1,23 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# set a valid bucket below and rename this file to backend.tf
terraform {
backend "gcs" {
bucket = ""
prefix = "fabric/operations/onprem-sa-key-management"
}
}

@ -0,0 +1,46 @@
################################# Quickstart #################################
# cleaning up example keys
- rm -f /public-keys/data-uploader/
- rm -f /public-keys/prisma-security/
# generate keys for service accounts
- mkdir keys && cd keys
- openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
-keyout data_uploader_private_key.pem \
-out ../public-keys/data-uploader/public_key.pem \
-subj "/CN=unused"
- openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
-keyout prisma_security_private_key.pem \
-out ../public-keys/prisma-security/public_key.pem \
-subj "/CN=unused"
# deploy service accounts and keys
- cd ..
- terraform init
- terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
# extract JSON credentials templates from terraform output and put the private part of the keys into templates
- terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
- terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json
- contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
- contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
# validate that service accounts json credentials are valid
- gcloud auth activate-service-account --key-file prisma-security.json
- gcloud auth activate-service-account --key-file data-uploader.json
# cleaning up
- terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
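Review bot: The cleanup lines `rm -f /public-keys/data-uploader/` and `rm -f /public-keys/prisma-security/` point at an absolute path, while the openssl step a few lines later writes to `../public-keys/<name>/public_key.pem` relative to `keys/`, and `rm -f` without `-r` does nothing to a directory anyway, so the shipped example keys are never removed. Replace them with `rm -f public-keys/data-uploader/public_key.pem` and `rm -f public-keys/prisma-security/public_key.pem`, run from the example root where the rest of the steps expect to be. The run also leaves `keys/*.pem` and the two JSON files with the injected private key in the working tree; a comment telling users not to commit them (or a `.gitignore` entry, if the example has one) is worth adding next to the "cleaning up" step.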

@ -0,0 +1,37 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
service_accounts = { for sa in var.service_accounts : sa.name => sa }
}
module "project" {
source = "../../modules/project"
name = var.project_id
project_create = var.project_create
services = var.services
}
module "integration-sa" {
source = "../../modules/iam-service-account"
for_each = local.service_accounts
project_id = module.project.project_id
name = each.value.name
iam_project_roles = {
(module.project.project_id) = each.value.iam_project_roles
}
public_keys_directory = each.value.public_keys_path
}

@ -0,0 +1,20 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "sa-credentials" {
description = "SA json key templates."
value = { for key, value in module.integration-sa : key => value.service_account_credentials }
}
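Review bot: The description `"SA json key templates."` on `sa-credentials` does not say which fields the template carries; the README quickstart fills `.private_key` from a locally generated PEM afterwards, so the output presumably holds the key id, email and client fields without any private key material. Saying so in the description, e.g. `description = "SA json key templates (private_key is not included; it is filled in locally from the user-generated key)."`, tells readers of the generated docs what the output is safe to pass around. If the template ever carries key material, the output should also be marked `sensitive = true`.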

@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -0,0 +1,60 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "project_create" {
description = "Create project instead of using an existing one."
type = bool
default = false
}
variable "project_id" {
description = "Project id."
type = string
}
variable "service_accounts" {
description = "List of service accounts."
type = list(object({
name = string
iam_project_roles = list(string)
public_keys_path = string
}))
default = [
{
name = "data-uploader"
iam_project_roles = [
"roles/bigquery.dataOwner",
"roles/bigquery.jobUser",
"roles/storage.objectAdmin"
]
public_keys_path = "public-keys/data-uploader/"
},
{
name = "prisma-security"
iam_project_roles = [
"roles/iam.securityReviewer"
]
public_keys_path = "public-keys/prisma-security/"
},
]
}
variable "services" {
description = "Service APIs to enable."
type = list(string)
default = []
}

@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

@ -67,21 +67,23 @@ The following example assumes that provisioning of a Compute Engine VM requires
the resources over the Internet (i.e. to install OS packages). Since Compute VM has no public IP
address for security reasons, Internet connectivity is done with [Cloud NAT](https://cloud.google.com/nat/docs/overview).
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_id | Project id that references existing project. | <code title="">string</code> | ✓ | |
| *billing_account* | Billing account id used as default for new projects. | <code title="">string</code> | | <code title="">null</code> |
| *cidrs* | CIDR ranges for subnets | <code title="map&#40;string&#41;">map(string)</code> | | <code title="&#123;&#10;image-builder &#61; &#34;10.0.0.0&#47;24&#34;&#10;&#125;">...</code> |
| *create_packer_vars* | Create packer variables file using template file and terraform output. | <code title="">bool</code> | | <code title="">false</code> |
| *packer_account_users* | List of members that will be allowed to impersonate Packer image builder service account in IAM format, i.e. 'user:{emailid}'. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *packer_source_cidrs* | List of CIDR ranges allowed to connect to the temporary VM for provisioning. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">["0.0.0.0/0"]</code> |
| *project_create* | Create project instead of using an existing one. | <code title="">bool</code> | | <code title="">true</code> |
| *region* | Default region for resources | <code title="">string</code> | | <code title="">europe-west1</code> |
| *root_node* | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code title="">string</code> | | <code title="">null</code> |
| *use_iap* | Use IAP tunnel to connect to Compute Engine instance for provisioning. | <code title="">bool</code> | | <code title="">true</code> |
|---|---|:---:|:---:|:---:|
| project_id | Project id that references existing project. | <code>string</code> | ✓ | |
| billing_account | Billing account id used as default for new projects. | <code>string</code> | | <code>null</code> |
| cidrs | CIDR ranges for subnets | <code>map&#40;string&#41;</code> | | <code title="&#123;&#10; image-builder &#61; &#34;10.0.0.0&#47;24&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| create_packer_vars | Create packer variables file using template file and terraform output. | <code>bool</code> | | <code>false</code> |
| packer_account_users | List of members that will be allowed to impersonate Packer image builder service account in IAM format, i.e. 'user:{emailid}'. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| packer_source_cidrs | List of CIDR ranges allowed to connect to the temporary VM for provisioning. | <code>list&#40;string&#41;</code> | | <code>&#91;&#34;0.0.0.0&#47;0&#34;&#93;</code> |
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>true</code> |
| region | Default region for resources | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
| root_node | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
| use_iap | Use IAP tunnel to connect to Compute Engine instance for provisioning. | <code>bool</code> | | <code>true</code> |
## Outputs
@ -91,4 +93,6 @@ address for security reasons, Internet connectivity is done with [Cloud NAT](htt
| compute_sa | Packer's temporary VM service account email. | |
| compute_subnetwork | Name of a subnetwork for Packer's temporary VM. | |
| compute_zone | Name of a compute engine zone for Packer's temporary VM. | |
<!-- END TFDOC -->

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,6 +1,6 @@
#!/bin/sh
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

@ -23,20 +23,21 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c
- `terraform init`
- `terraform apply -var project_id=my-project-id`
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_id | Project id that references existing project. | <code title="">string</code> | ✓ | |
| *bundle_path* | Path used to write the intermediate Cloud Function code bundle. | <code title="">string</code> | | <code title="">./bundle.zip</code> |
| *name* | Arbitrary string used to name created resources. | <code title="">string</code> | | <code title="">quota-monitor</code> |
| *project_create* | Create project instead ofusing an existing one. | <code title="">bool</code> | | <code title="">false</code> |
| *quota_config* | Cloud function configuration. | <code title="object&#40;&#123;&#10;filters &#61; list&#40;string&#41;&#10;projects &#61; list&#40;string&#41;&#10;regions &#61; list&#40;string&#41;&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;filters &#61; null&#10;projects &#61; null&#10;regions &#61; null&#10;&#125;">...</code> |
| *region* | Compute region used in the example. | <code title="">string</code> | | <code title="">europe-west1</code> |
| *schedule_config* | Schedule timer configuration in crontab format | <code title="">string</code> | | <code title="">0 * * * *</code> |
## Outputs
|---|---|:---:|:---:|:---:|
| project_id | Project id that references existing project. | <code>string</code> | ✓ | |
| bundle_path | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>&#34;.&#47;bundle.zip&#34;</code> |
| name | Arbitrary string used to name created resources. | <code>string</code> | | <code>&#34;quota-monitor&#34;</code> |
| project_create | Create project instead ofusing an existing one. | <code>bool</code> | | <code>false</code> |
| quota_config | Cloud function configuration. | <code title="object&#40;&#123;&#10; filters &#61; list&#40;string&#41;&#10; projects &#61; list&#40;string&#41;&#10; regions &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; filters &#61; null&#10; projects &#61; null&#10; regions &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
| region | Compute region used in the example. | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
| schedule_config | Schedule timer configuration in crontab format | <code>string</code> | | <code>&#34;0 &#42; &#42; &#42; &#42;&#34;</code> |
<!-- END TFDOC -->

@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
#! /usr/bin/env python3
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

@ -36,22 +36,42 @@ Once done testing, you can clean up resources by running `terraform destroy`. To
Once resources are created, you can run queries on the data you exported on Bigquery. [Here](https://cloud.google.com/asset-inventory/docs/exporting-to-bigquery#querying_an_asset_snapshot) you can find some example of queries you can run.
You can also create a dashboard connecting [Datalab](https://datastudio.google.com/) or any other BI tools of your choice to your Bigquery datase.
You can also create a dashboard connecting [Datalab](https://datastudio.google.com/) or any other BI tools of your choice to your Bigquery dataset.
## File exporter for JSON, CSV (optional).
This is an optional part.
Regular file-based exports of data from Cloud Asset Inventory may be useful for e.g. scale-out network dependencies discovery tools like [Planet Exporter](https://github.com/williamchanrico/planet-exporter), or to update legacy workloads tracking or configuration management systems. Bigquery supports multiple [export formats](https://cloud.google.com/bigquery/docs/exporting-data#export_formats_and_compression_types) and one may upload objects to Storage Bucket using provided Cloud Function. Specify `job.DestinationFormat` as defined in [documentation](https://googleapis.dev/python/bigquery/latest/generated/google.cloud.bigquery.job.DestinationFormat.html), e.g. `NEWLINE_DELIMITED_JSON`.
It helps to create custom [scheduled query](https://cloud.google.com/bigquery/docs/scheduling-queries#console) from CAI export tables, and to write out results in to dedicated table (with overwrites). Define such query's output columns to comply with downstream systems' fields requirements, and time query execution after CAI export into BQ for freshness. See [sample queries](https://cloud.google.com/asset-inventory/docs/exporting-to-bigquery-sample-queries).
This is an optional part, created if `cai_gcs_export` is set to `true`. The high level diagram extends to the following:
<img src="diagram_optional.png" width="640px">
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| cai_config | Cloud Asset inventory export config. | <code title="object&#40;&#123;&#10;bq_dataset &#61; string&#10;bq_table &#61; string&#10;target_node &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ | |
| project_id | Project id that references existing project. | <code title="">string</code> | ✓ | |
| *billing_account* | Billing account id used as default for new projects. | <code title="">string</code> | | <code title="">null</code> |
| *bundle_path* | Path used to write the intermediate Cloud Function code bundle. | <code title="">string</code> | | <code title="">./bundle.zip</code> |
| *location* | Appe Engine location used in the example. | <code title="">string</code> | | <code title="">europe-west</code> |
| *name* | Arbitrary string used to name created resources. | <code title="">string</code> | | <code title="">asset-inventory</code> |
| *project_create* | Create project instead ofusing an existing one. | <code title="">bool</code> | | <code title="">true</code> |
| *region* | Compute region used in the example. | <code title="">string</code> | | <code title="">europe-west1</code> |
| *root_node* | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code title="">string</code> | | <code title="">null</code> |
|---|---|:---:|:---:|:---:|
| cai_config | Cloud Asset Inventory export config. | <code title="object&#40;&#123;&#10; bq_dataset &#61; string&#10; bq_table &#61; string&#10; bq_table_overwrite &#61; bool&#10; target_node &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| project_id | Project id that references existing project. | <code>string</code> | ✓ | |
| billing_account | Billing account id used as default for new projects. | <code>string</code> | | <code>null</code> |
| bundle_path | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>&#34;.&#47;bundle.zip&#34;</code> |
| bundle_path_cffile | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>&#34;.&#47;bundle_cffile.zip&#34;</code> |
| cai_gcs_export | Enable optional part to export tables to GCS | <code>bool</code> | | <code>false</code> |
| file_config | Optional BQ table as a file export function config. | <code title="object&#40;&#123;&#10; bucket &#61; string&#10; filename &#61; string&#10; format &#61; string&#10; bq_dataset &#61; string&#10; bq_table &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; bucket &#61; null&#10; filename &#61; null&#10; format &#61; null&#10; bq_dataset &#61; null&#10; bq_table &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
| location | Appe Engine location used in the example. | <code>string</code> | | <code>&#34;europe-west&#34;</code> |
| name | Arbitrary string used to name created resources. | <code>string</code> | | <code>&#34;asset-inventory&#34;</code> |
| name_cffile | Arbitrary string used to name created resources. | <code>string</code> | | <code>&#34;cffile-exporter&#34;</code> |
| project_create | Create project instead ofusing an existing one. | <code>bool</code> | | <code>true</code> |
| region | Compute region used in the example. | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
| root_node | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
## Outputs
@ -59,4 +79,7 @@ You can also create a dashboard connecting [Datalab](https://datastudio.google.c
|---|---|:---:|
| bq-dataset | Bigquery instance details. | |
| cloud-function | Cloud Function instance details. | |
<!-- END TFDOC -->

@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -50,18 +50,20 @@ def _configure_logging(verbose=True):
@click.option('--bq-project', required=True, help='Bigquery project to use.')
@click.option('--bq-dataset', required=True, help='Bigquery dataset to use.')
@click.option('--bq-table', required=True, help='Bigquery table name to use.')
@click.option('--bq-table-overwrite', required=True, help='Overwrite existing BQ table or create new datetime() one.')
@click.option('--target-node', required=True, help='Node in Google Cloud resource hierarchy.')
@click.option('--read-time', required=False, help=(
'Day to take an asset snapshot in \'YYYYMMDD\' format, uses current day '
' as default. Export will run at midnight of the specified day.'))
@click.option('--verbose', is_flag=True, help='Verbose output')
def main_cli(project=None, bq_project=None, bq_dataset=None, bq_table=None, target_node=None,
def main_cli(project=None, bq_project=None, bq_dataset=None, bq_table=None, bq_table_overwrite=None, target_node=None,
read_time=None, verbose=False):
'''Trigger Cloud Asset inventory export to Bigquery. Data will be stored in
the dataset specified on a dated table with the name specified.
'''
try:
_main(project, bq_project, bq_dataset, bq_table, target_node, read_time, verbose)
_main(project, bq_project, bq_dataset, bq_table,
bq_table_overwrite, target_node, read_time, verbose)
except RuntimeError:
logging.exception('exception raised')
@ -79,19 +81,22 @@ def main(event, context):
logging.exception('exception in cloud function entry point')
def _main(project=None, bq_project=None, bq_dataset=None, bq_table=None, target_node=None, read_time=None, verbose=False):
def _main(project=None, bq_project=None, bq_dataset=None, bq_table=None, bq_table_overwrite=None, target_node=None, read_time=None, verbose=False):
'Module entry point used by cli and cloud function wrappers.'
_configure_logging(verbose)
if not read_time:
read_time = datetime.datetime.now()
client = asset_v1.AssetServiceClient()
content_type = asset_v1.ContentType.RESOURCE
output_config = asset_v1.OutputConfig()
client = asset_v1.AssetServiceClient()
if bq_table_overwrite == False:
read_time = datetime.datetime.now()
output_config.bigquery_destination.table = '%s_%s' % (
bq_table, read_time.strftime('%Y%m%d'))
else:
output_config.bigquery_destination.table = '%s_latest' % (
bq_table)
content_type = asset_v1.ContentType.RESOURCE
output_config.bigquery_destination.dataset = 'projects/%s/datasets/%s' % (
bq_project, bq_dataset)
output_config.bigquery_destination.table = '%s_%s' % (
bq_table, read_time.strftime('%Y%m%d'))
output_config.bigquery_destination.separate_tables_per_asset_type = True
output_config.bigquery_destination.force = True
try:
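Review bot: `if bq_table_overwrite == False:` in `_main` only matches a real boolean, and `--bq-table-overwrite` is declared `required=True` with neither `is_flag=True` nor `type=bool`, so click hands `_main` a string and the CLI always lands in the `_latest` branch; only the Cloud Function path, which appears to receive a JSON boolean from the scheduler payload, behaves as intended. Declaring the option as `@click.option('--bq-table-overwrite', is_flag=True, help='Overwrite existing BQ table instead of creating a dated one.')` and testing `if not bq_table_overwrite:` fixes both paths. In that same branch `read_time = datetime.datetime.now()` now replaces whatever `--read-time` supplied, so that option is silently ignored; the former `if not read_time:` guard should be kept in front of it. `_main` continues past the end of the hunk.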

@ -0,0 +1,101 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
'''Cloud Function module to export BQ table as JSON.
This module is designed to be plugged in a Cloud Function, attached to Cloud
Scheduler trigger to create a JSON of IP to hostname mappings from BigQuery.
'''
import base64
import datetime
import json
import logging
import os
import warnings
from google.api_core.exceptions import GoogleAPIError
from google.cloud import bigquery
import click
import googleapiclient.discovery
import googleapiclient.errors
def _configure_logging(verbose=True):
'''Basic logging configuration.
Args:
verbose: enable verbose logging
'''
level = logging.DEBUG if verbose else logging.INFO
logging.basicConfig(level=level)
warnings.filterwarnings('ignore', r'.*end user credentials.*', UserWarning)
@click.command()
@click.option('--bucket', required=True, help='GCS bucket for export')
@click.option('--filename', required=True, help='Path and filename with extension to export e.g. folder/export.json .')
@click.option('--format', required=True, help='The exported file format, e.g. NEWLINE_DELIMITED_JSON or CSV.')
@click.option('--bq-dataset', required=True, help='Bigquery dataset where table for export is located.')
@click.option('--bq-table', required=True, help='Bigquery table to export.')
@click.option('--verbose', is_flag=True, help='Verbose output')
def main_cli(bucket=None, filename=None, format=None, bq_dataset=None, bq_table=None, verbose=False):
'''Trigger Cloud Asset inventory export from Bigquery to file. Data will be stored in
the dataset specified on a dated table with the name specified.
'''
try:
_main(bucket, filename, format, bq_dataset, bq_table, verbose)
except RuntimeError:
logging.exception('exception raised')
def main(event, context):
'Cloud Function entry point.'
try:
data = json.loads(base64.b64decode(event['data']).decode('utf-8'))
print(data)
_main(**data)
# uncomment once https://issuetracker.google.com/issues/155215191 is fixed
# except RuntimeError:
# raise
except Exception:
logging.exception('exception in cloud function entry point')
def _main(bucket=None, filename=None, format=None, bq_dataset=None, bq_table=None, verbose=False):
'Module entry point used by cli and cloud function wrappers.'
_configure_logging(verbose)
client = bigquery.Client()
destination_uri = 'gs://{}/{}'.format(bucket, filename)
dataset_ref = client.dataset(bq_dataset)
table_ref = dataset_ref.table(bq_table)
job_config = bigquery.job.ExtractJobConfig()
job_config.destination_format = (
getattr(bigquery.DestinationFormat, format))
extract_job = client.extract_table(
table_ref, destination_uri, job_config=job_config
)
try:
extract_job.result()
except (GoogleAPIError, googleapiclient.errors.HttpError) as e:
logging.debug('API Error: %s', e, exc_info=True)
raise RuntimeError(
'Error exporting BQ table %s as a file' % bq_table, e)
if __name__ == '__main__':
main_cli()
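Review bot: `getattr(bigquery.DestinationFormat, format)` in `_main` resolves whatever attribute name arrives in the Pub/Sub payload, so a typo or a dunder name surfaces as an `AttributeError` from `getattr` instead of a clear export error; guard it with `if format.startswith('_') or not hasattr(bigquery.DestinationFormat, format): raise RuntimeError('Unsupported export format: %s' % format)` before building the job config. `format` also shadows the builtin, and `export_format` would read better. The `main_cli` docstring is copied from the asset-inventory module ("Trigger Cloud Asset inventory export ... on a dated table") and does not describe this function, which extracts one BigQuery table to a GCS object in the requested format; `print(data)` in `main` should be `logging.debug('event data: %s', data)` like the rest of the module. `client.dataset()` is deprecated in recent bigquery client releases in favour of `bigquery.DatasetReference(client.project, bq_dataset)`, which matters here because `google-cloud-bigquery` is unpinned in the accompanying requirements.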

@ -0,0 +1,3 @@
google-api-python-client>=1.10.1
google-cloud-monitoring>=1.1.0
google-cloud-bigquery
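Review bot: `google-cloud-bigquery` is the one dependency the new module actually imports and it is the only entry without a version bound, while `google-cloud-monitoring>=1.1.0` is listed but not imported anywhere in the accompanying `main.py` (which uses `google.cloud.bigquery`, `googleapiclient` and `click`). Giving it a minimum like the other entries, e.g. `google-cloud-bigquery>=2.0.0` (a constructed example; pick the version the code was tested against), makes function builds reproducible, and the unused monitoring package can be dropped. `click` should be listed too unless the runtime is known to provide it.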

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -14,6 +14,8 @@
* limitations under the License.
*/
###############################################################################
# Projects #
###############################################################################
@ -47,6 +49,7 @@ module "service-account" {
iam_project_roles = {
(var.project_id) = [
"roles/cloudasset.owner",
"roles/bigquery.jobUser"
]
}
}
@ -66,6 +69,17 @@ module "pubsub" {
# at the project level via roles/cloudscheduler.serviceAgent
}
module "pubsub_file" {
source = "../../modules/pubsub"
project_id = module.project.project_id
name = var.name_cffile
subscriptions = {
"${var.name_cffile}-default" = null
}
# the Cloud Scheduler robot service account already has pubsub.topics.publish
# at the project level via roles/cloudscheduler.serviceAgent
}
###############################################################################
# Cloud Function #
###############################################################################
@ -93,6 +107,30 @@ module "cf" {
}
}
module "cffile" {
count = var.cai_gcs_export ? 1 : 0
source = "../../modules/cloud-function"
project_id = module.project.project_id
region = var.region
name = var.name_cffile
bucket_name = "${var.name_cffile}-${random_pet.random.id}"
bucket_config = {
location = var.region
lifecycle_delete_age = null
}
bundle_config = {
source_dir = "cffile"
output_path = var.bundle_path_cffile
excludes = null
}
service_account = module.service-account.email
trigger_config = {
event = "google.pubsub.topic.publish"
resource = module.pubsub_file.topic.id
retry = null
}
}
resource "random_pet" "random" {
length = 1
}
@ -118,11 +156,34 @@ resource "google_cloud_scheduler_job" "job" {
attributes = {}
topic_name = module.pubsub.topic.id
data = base64encode(jsonencode({
project = module.project.project_id
bq_project = module.project.project_id
bq_dataset = var.cai_config.bq_dataset
bq_table = var.cai_config.bq_table
target_node = var.cai_config.target_node
project = module.project.project_id
bq_project = module.project.project_id
bq_dataset = var.cai_config.bq_dataset
bq_table = var.cai_config.bq_table
bq_table_overwrite = var.cai_config.bq_table_overwrite
target_node = var.cai_config.target_node
}))
}
}
resource "google_cloud_scheduler_job" "job_file" {
count = var.cai_gcs_export ? 1 : 0
project = google_app_engine_application.app.project
region = var.region
name = "file-export-job"
description = "File export from BQ Job"
schedule = "* 9 * * 1"
time_zone = "Etc/UTC"
pubsub_target {
attributes = {}
topic_name = module.pubsub_file.topic.id
data = base64encode(jsonencode({
bucket = var.file_config.bucket
filename = var.file_config.filename
format = var.file_config.format
bq_dataset = var.file_config.bq_dataset
bq_table = var.file_config.bq_table
}))
}
}
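Review bot: `schedule = "* 9 * * 1"` on `google_cloud_scheduler_job.job_file` fires every minute from 09:00 to 09:59 on Mondays, i.e. sixty file-export jobs per week, which is almost certainly not the intent; `schedule = "0 9 * * 1"` runs it once. `module "pubsub_file"` is created unconditionally while `module "cffile"` and `job_file` are gated on `var.cai_gcs_export`, so the topic and subscription are provisioned even when the optional export is off; adding `count = var.cai_gcs_export ? 1 : 0` to it and referencing `module.pubsub_file[0].topic.id` at the two call sites keeps the pieces consistent. `module "cffile"` also runs under `module.service-account.email`, the same account that holds `roles/cloudasset.owner` and now `roles/bigquery.jobUser`; the file exporter appears to need only BigQuery read/job rights plus write access to the destination bucket, so a dedicated service account for it would keep privileges scoped per function.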

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -26,15 +26,50 @@ variable "bundle_path" {
default = "./bundle.zip"
}
variable "bundle_path_cffile" {
description = "Path used to write the intermediate Cloud Function code bundle."
type = string
default = "./bundle_cffile.zip"
}
variable "cai_config" {
description = "Cloud Asset inventory export config."
description = "Cloud Asset Inventory export config."
type = object({
bq_dataset = string
bq_table = string
target_node = string
bq_dataset = string
bq_table = string
bq_table_overwrite = bool
target_node = string
})
}
variable "cai_gcs_export" {
description = "Enable optional part to export tables to GCS"
type = bool
default = false
}
variable "file_config" {
description = "Optional BQ table as a file export function config."
type = object({
bucket = string
filename = string
format = string
bq_dataset = string
bq_table = string
})
default = {
bucket = null
filename = null
format = null
bq_dataset = null
bq_table = null
}
}
variable "location" {
description = "Appe Engine location used in the example."
type = string
@ -48,6 +83,15 @@ variable "name" {
default = "asset-inventory"
}
variable "name_cffile" {
description = "Arbitrary string used to name created resources."
type = string
default = "cffile-exporter"
}
variable "project_create" {
description = "Create project instead ofusing an existing one."
type = bool
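Review bot: `file_config` is a typed object whose default sets every attribute to null, and nothing ties it to `cai_gcs_export`, so enabling the export with the default config passes plan-time checks and the nulls only surface when the job payload is built from it (the scheduler `pubsub_target` shown earlier on this page jsonencodes these attributes as-is, if I read it right). Terraform validation blocks can only reference their own variable, so the closest guard is a check on `file_config` itself that the attributes are either all set or all null, as below (needs `alltrue`, Terraform 0.13+). The coupling should also be stated on the flag, e.g. `description = "Enable optional export of tables to GCS; requires file_config to be fully set."`, which also adds the trailing period the other descriptions in this hunk use. `name_cffile`'s description reads as a copy of `name`'s and could name the Cloud Function file-export resources it applies to, though `name`'s own description is outside the hunk so I can't confirm the duplication.
```hcl
variable "file_config" {
  # … unchanged: description, type, default …
  validation {
    condition = (
      alltrue([for v in values(var.file_config) : v == null]) ||
      alltrue([for v in values(var.file_config) : v != null])
    )
    error_message = "file_config attributes must be either all set or all null."
  }
}
```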


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -30,20 +30,22 @@ This sample creates several distinct groups of resources:
- GCS
- One bucket encrypted with a CMEK Cryptokey hosted in Cloud KMS
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| billing_account | Billing account id used as default for new projects. | <code title="">string</code> | ✓ | |
| root_node | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | <code title="">string</code> | ✓ | |
| *location* | The location where resources will be deployed. | <code title="">string</code> | | <code title="">europe</code> |
| *project_kms_name* | Name for the new KMS Project. | <code title="">string</code> | | <code title="">my-project-kms-001</code> |
| *project_service_name* | Name for the new Service Project. | <code title="">string</code> | | <code title="">my-project-service-001</code> |
| *region* | The region where resources will be deployed. | <code title="">string</code> | | <code title="">europe-west1</code> |
| *vpc_ip_cidr_range* | Ip range used in the subnet deployef in the Service Project. | <code title="">string</code> | | <code title="">10.0.0.0/20</code> |
| *vpc_name* | Name of the VPC created in the Service Project. | <code title="">string</code> | | <code title="">local</code> |
| *vpc_subnet_name* | Name of the subnet created in the Service Project. | <code title="">string</code> | | <code title="">subnet</code> |
|---|---|:---:|:---:|:---:|
| billing_account | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
| root_node | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | <code>string</code> | ✓ | |
| location | The location where resources will be deployed. | <code>string</code> | | <code>&#34;europe&#34;</code> |
| project_kms_name | Name for the new KMS Project. | <code>string</code> | | <code>&#34;my-project-kms-001&#34;</code> |
| project_service_name | Name for the new Service Project. | <code>string</code> | | <code>&#34;my-project-service-001&#34;</code> |
| region | The region where resources will be deployed. | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
| vpc_ip_cidr_range | Ip range used in the subnet deployef in the Service Project. | <code>string</code> | | <code>&#34;10.0.0.0&#47;20&#34;</code> |
| vpc_name | Name of the VPC created in the Service Project. | <code>string</code> | | <code>&#34;local&#34;</code> |
| vpc_subnet_name | Name of the subnet created in the Service Project. | <code>string</code> | | <code>&#34;subnet&#34;</code> |
## Outputs
@ -54,4 +56,6 @@ This sample creates several distinct groups of resources:
| projects | Project ids. | |
| vm | GCE VM. | |
| vm_keys | GCE VM Cloud KMS crypto keys. | |
<!-- END TFDOC -->


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -47,19 +47,21 @@ gcloud access-context-manager perimeters list --format="json" | grep name
The script use 'google_access_context_manager_service_perimeter_resource' terraform resource. If this resource is used alongside the 'vpc-sc' module, remember to uncomment the lifecycle block in the 'vpc-sc' module so they don't fight over which resources should be in the perimeter.
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| billing_account_id | Billing account id. | <code title="">string</code> | ✓ | |
| root_node | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code title="">string</code> | ✓ | |
| *admins* | List of users allowed to impersonate the service account | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">null</code> |
| *prefix* | Prefix used to generate project id and name. | <code title="">string</code> | | <code title="">null</code> |
| *project_names* | Override this variable if you need non-standard names. | <code title="object&#40;&#123;&#10;datamart &#61; string&#10;dwh &#61; string&#10;landing &#61; string&#10;services &#61; string&#10;transformation &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;datamart &#61; &#34;datamart&#34;&#10;dwh &#61; &#34;datawh&#34;&#10;landing &#61; &#34;landing&#34;&#10;services &#61; &#34;services&#34;&#10;transformation &#61; &#34;transformation&#34;&#10;&#125;">...</code> |
| *service_account_names* | Override this variable if you need non-standard names. | <code title="object&#40;&#123;&#10;main &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;main &#61; &#34;data-platform-main&#34;&#10;&#125;">...</code> |
| *service_encryption_key_ids* | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object&#40;&#123;&#10;multiregional &#61; string&#10;global &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;multiregional &#61; null&#10;global &#61; null&#10;&#125;">...</code> |
| *service_perimeter_standard* | VPC Service control standard perimeter name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. All projects will be added to the perimeter in enforced mode. | <code title="">string</code> | | <code title="">null</code> |
|---|---|:---:|:---:|:---:|
| billing_account_id | Billing account id. | <code>string</code> | ✓ | |
| root_node | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | ✓ | |
| admins | List of users allowed to impersonate the service account | <code>list&#40;string&#41;</code> | | <code>null</code> |
| prefix | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
| project_names | Override this variable if you need non-standard names. | <code title="object&#40;&#123;&#10; datamart &#61; string&#10; dwh &#61; string&#10; landing &#61; string&#10; services &#61; string&#10; transformation &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; datamart &#61; &#34;datamart&#34;&#10; dwh &#61; &#34;datawh&#34;&#10; landing &#61; &#34;landing&#34;&#10; services &#61; &#34;services&#34;&#10; transformation &#61; &#34;transformation&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| service_account_names | Override this variable if you need non-standard names. | <code title="object&#40;&#123;&#10; main &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; main &#61; &#34;data-platform-main&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| service_encryption_key_ids | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object&#40;&#123;&#10; multiregional &#61; string&#10; global &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; multiregional &#61; null&#10; global &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
| service_perimeter_standard | VPC Service control standard perimeter name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. All projects will be added to the perimeter in enforced mode. | <code>string</code> | | <code>null</code> |
## Outputs
@ -68,4 +70,6 @@ The script use 'google_access_context_manager_service_perimeter_resource' terraf
| project_ids | Project ids for created projects. | |
| service_account | Main service account. | |
| service_encryption_key_ids | Cloud KMS encryption keys in {LOCATION => [KEY_URL]} format. | |
<!-- END TFDOC -->


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -51,23 +51,25 @@ Once done testing, you can clean up resources by running `terraform destroy`.
### CMEK configuration
You can configure GCP resources to use existing CMEK keys configuring the 'service_encryption_key_ids' variable. You need to specify a 'global' and a 'multiregional' key.
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_ids | Project IDs. | <code title="object&#40;&#123;&#10;datamart &#61; string&#10;dwh &#61; string&#10;landing &#61; string&#10;services &#61; string&#10;transformation &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ | |
| *admins* | List of users allowed to impersonate the service account | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">null</code> |
| *datamart_bq_datasets* | Datamart Bigquery datasets | <code title="map&#40;object&#40;&#123;&#10;iam &#61; map&#40;list&#40;string&#41;&#41;&#10;location &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#10;bq_datamart_dataset &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;iam &#61; &#123;&#10;&#125;&#10;&#125;&#10;&#125;">...</code> |
| *dwh_bq_datasets* | DWH Bigquery datasets | <code title="map&#40;object&#40;&#123;&#10;location &#61; string&#10;iam &#61; map&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#10;bq_raw_dataset &#61; &#123;&#10;iam &#61; &#123;&#125;&#10;location &#61; &#34;EU&#34;&#10;&#125;&#10;&#125;">...</code> |
| *landing_buckets* | List of landing buckets to create | <code title="map&#40;object&#40;&#123;&#10;location &#61; string&#10;name &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#10;raw-data &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;name &#61; &#34;raw-data&#34;&#10;&#125;&#10;data-schema &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;name &#61; &#34;data-schema&#34;&#10;&#125;&#10;&#125;">...</code> |
| *landing_pubsub* | List of landing pubsub topics and subscriptions to create | <code title="map&#40;map&#40;object&#40;&#123;&#10;iam &#61; map&#40;list&#40;string&#41;&#41;&#10;labels &#61; map&#40;string&#41;&#10;options &#61; object&#40;&#123;&#10;ack_deadline_seconds &#61; number&#10;message_retention_duration &#61; number&#10;retain_acked_messages &#61; bool&#10;expiration_policy_ttl &#61; number&#10;&#125;&#41;&#10;&#125;&#41;&#41;&#41;">map(map(object({...})))</code> | | <code title="&#123;&#10;landing-1 &#61; &#123;&#10;sub1 &#61; &#123;&#10;iam &#61; &#123;&#10;&#125;&#10;labels &#61; &#123;&#125;&#10;options &#61; null&#10;&#125;&#10;sub2 &#61; &#123;&#10;iam &#61; &#123;&#125;&#10;labels &#61; &#123;&#125;,&#10;options &#61; null&#10;&#125;,&#10;&#125;&#10;&#125;">...</code> |
| *landing_service_account* | landing service accounts list. | <code title="">string</code> | | <code title="">sa-landing</code> |
| *service_account_names* | Project service accounts list. | <code title="object&#40;&#123;&#10;datamart &#61; string&#10;dwh &#61; string&#10;landing &#61; string&#10;services &#61; string&#10;transformation &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;datamart &#61; &#34;sa-datamart&#34;&#10;dwh &#61; &#34;sa-datawh&#34;&#10;landing &#61; &#34;sa-landing&#34;&#10;services &#61; &#34;sa-services&#34;&#10;transformation &#61; &#34;sa-transformation&#34;&#10;&#125;">...</code> |
| *service_encryption_key_ids* | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object&#40;&#123;&#10;multiregional &#61; string&#10;global &#61; string&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;multiregional &#61; null&#10;global &#61; null&#10;&#125;">...</code> |
| *transformation_buckets* | List of transformation buckets to create | <code title="map&#40;object&#40;&#123;&#10;location &#61; string&#10;name &#61; string&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="&#123;&#10;temp &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;name &#61; &#34;temp&#34;&#10;&#125;,&#10;templates &#61; &#123;&#10;location &#61; &#34;EU&#34;&#10;name &#61; &#34;templates&#34;&#10;&#125;,&#10;&#125;">...</code> |
| *transformation_subnets* | List of subnets to create in the transformation Project. | <code title="list&#40;object&#40;&#123;&#10;ip_cidr_range &#61; string&#10;name &#61; string&#10;region &#61; string&#10;secondary_ip_range &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">list(object({...}))</code> | | <code title="&#91;&#10;&#123;&#10;ip_cidr_range &#61; &#34;10.1.0.0&#47;20&#34;&#10;name &#61; &#34;transformation-subnet&#34;&#10;region &#61; &#34;europe-west3&#34;&#10;secondary_ip_range &#61; &#123;&#125;&#10;&#125;,&#10;&#93;">...</code> |
| *transformation_vpc_name* | Name of the VPC created in the transformation Project. | <code title="">string</code> | | <code title="">transformation-vpc</code> |
|---|---|:---:|:---:|:---:|
| project_ids | Project IDs. | <code title="object&#40;&#123;&#10; datamart &#61; string&#10; dwh &#61; string&#10; landing &#61; string&#10; services &#61; string&#10; transformation &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| admins | List of users allowed to impersonate the service account | <code>list&#40;string&#41;</code> | | <code>null</code> |
| datamart_bq_datasets | Datamart Bigquery datasets | <code title="map&#40;object&#40;&#123;&#10; iam &#61; map&#40;list&#40;string&#41;&#41;&#10; location &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; bq_datamart_dataset &#61; &#123;&#10; location &#61; &#34;EU&#34;&#10; iam &#61; &#123;&#10; &#125;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| dwh_bq_datasets | DWH Bigquery datasets | <code title="map&#40;object&#40;&#123;&#10; location &#61; string&#10; iam &#61; map&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; bq_raw_dataset &#61; &#123;&#10; iam &#61; &#123;&#125;&#10; location &#61; &#34;EU&#34;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| landing_buckets | List of landing buckets to create | <code title="map&#40;object&#40;&#123;&#10; location &#61; string&#10; name &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; raw-data &#61; &#123;&#10; location &#61; &#34;EU&#34;&#10; name &#61; &#34;raw-data&#34;&#10; &#125;&#10; data-schema &#61; &#123;&#10; location &#61; &#34;EU&#34;&#10; name &#61; &#34;data-schema&#34;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| landing_pubsub | List of landing pubsub topics and subscriptions to create | <code title="map&#40;map&#40;object&#40;&#123;&#10; iam &#61; map&#40;list&#40;string&#41;&#41;&#10; labels &#61; map&#40;string&#41;&#10; options &#61; object&#40;&#123;&#10; ack_deadline_seconds &#61; number&#10; message_retention_duration &#61; number&#10; retain_acked_messages &#61; bool&#10; expiration_policy_ttl &#61; number&#10; &#125;&#41;&#10;&#125;&#41;&#41;&#41;">map&#40;map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;&#41;</code> | | <code title="&#123;&#10; landing-1 &#61; &#123;&#10; sub1 &#61; &#123;&#10; iam &#61; &#123;&#10; &#125;&#10; labels &#61; &#123;&#125;&#10; options &#61; null&#10; &#125;&#10; sub2 &#61; &#123;&#10; iam &#61; &#123;&#125;&#10; labels &#61; &#123;&#125;,&#10; options &#61; null&#10; &#125;,&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| landing_service_account | landing service accounts list. | <code>string</code> | | <code>&#34;sa-landing&#34;</code> |
| service_account_names | Project service accounts list. | <code title="object&#40;&#123;&#10; datamart &#61; string&#10; dwh &#61; string&#10; landing &#61; string&#10; services &#61; string&#10; transformation &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; datamart &#61; &#34;sa-datamart&#34;&#10; dwh &#61; &#34;sa-datawh&#34;&#10; landing &#61; &#34;sa-landing&#34;&#10; services &#61; &#34;sa-services&#34;&#10; transformation &#61; &#34;sa-transformation&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| service_encryption_key_ids | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object&#40;&#123;&#10; multiregional &#61; string&#10; global &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; multiregional &#61; null&#10; global &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
| transformation_buckets | List of transformation buckets to create | <code title="map&#40;object&#40;&#123;&#10; location &#61; string&#10; name &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; temp &#61; &#123;&#10; location &#61; &#34;EU&#34;&#10; name &#61; &#34;temp&#34;&#10; &#125;,&#10; templates &#61; &#123;&#10; location &#61; &#34;EU&#34;&#10; name &#61; &#34;templates&#34;&#10; &#125;,&#10;&#125;">&#123;&#8230;&#125;</code> |
| transformation_subnets | List of subnets to create in the transformation Project. | <code title="list&#40;object&#40;&#123;&#10; ip_cidr_range &#61; string&#10; name &#61; string&#10; region &#61; string&#10; secondary_ip_range &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10; &#123;&#10; ip_cidr_range &#61; &#34;10.1.0.0&#47;20&#34;&#10; name &#61; &#34;transformation-subnet&#34;&#10; region &#61; &#34;europe-west3&#34;&#10; secondary_ip_range &#61; &#123;&#125;&#10; &#125;,&#10;&#93;">&#91;&#8230;&#93;</code> |
| transformation_vpc_name | Name of the VPC created in the transformation Project. | <code>string</code> | | <code>&#34;transformation-vpc&#34;</code> |
## Outputs
@ -79,4 +81,6 @@ You can configure GCP resources to use existing CMEK keys configuring the 'servi
| landing-pubsub | List of pubsub topics and subscriptions created for the landing project. | |
| transformation-buckets | List of buckets created for the transformation project. | |
| transformation-vpc | Transformation VPC details | |
<!-- END TFDOC -->


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -110,21 +110,23 @@ schema_bq_import.json
You can check data imported into Google BigQuery from the Google Cloud Console UI.
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| billing_account | Billing account id used as default for new projects. | <code title="">string</code> | ✓ | |
| project_kms_name | Name for the new KMS Project. | <code title="">string</code> | ✓ | |
| project_service_name | Name for the new Service Project. | <code title="">string</code> | ✓ | |
| root_node | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | <code title="">string</code> | ✓ | |
| *location* | The location where resources will be deployed. | <code title="">string</code> | | <code title="">europe</code> |
| *region* | The region where resources will be deployed. | <code title="">string</code> | | <code title="">europe-west1</code> |
| *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">["0.0.0.0/0"]</code> |
| *vpc_ip_cidr_range* | Ip range used in the subnet deployef in the Service Project. | <code title="">string</code> | | <code title="">10.0.0.0/20</code> |
| *vpc_name* | Name of the VPC created in the Service Project. | <code title="">string</code> | | <code title="">local</code> |
| *vpc_subnet_name* | Name of the subnet created in the Service Project. | <code title="">string</code> | | <code title="">subnet</code> |
|---|---|:---:|:---:|:---:|
| billing_account | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
| project_kms_name | Name for the new KMS Project. | <code>string</code> | ✓ | |
| project_service_name | Name for the new Service Project. | <code>string</code> | ✓ | |
| root_node | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | <code>string</code> | ✓ | |
| location | The location where resources will be deployed. | <code>string</code> | | <code>&#34;europe&#34;</code> |
| region | The region where resources will be deployed. | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
| ssh_source_ranges | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code>list&#40;string&#41;</code> | | <code>&#91;&#34;0.0.0.0&#47;0&#34;&#93;</code> |
| vpc_ip_cidr_range | Ip range used in the subnet deployef in the Service Project. | <code>string</code> | | <code>&#34;10.0.0.0&#47;20&#34;</code> |
| vpc_name | Name of the VPC created in the Service Project. | <code>string</code> | | <code>&#34;local&#34;</code> |
| vpc_subnet_name | Name of the subnet created in the Service Project. | <code>string</code> | | <code>&#34;subnet&#34;</code> |
## Outputs
@ -134,4 +136,6 @@ You can check data imported into Google BigQuery from the Google Cloud Console U
| buckets | GCS Bucket Cloud KMS crypto keys. | |
| projects | Project ids. | |
| vm | GCE VM. | |
<!-- END TFDOC -->


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,4 +1,4 @@
# Copyright 2021 Google LLC
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.


@ -148,17 +148,21 @@ web_frontends:
- web-frontends@project-wf2.iam.gserviceaccount.com
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| config_folder | Relative path of the folder containing the hierarchical firewall configuration | <code title="">string</code> | ✓ | |
| templates_folder | Relative path of the folder containing the cidr/service account templates | <code title="">string</code> | ✓ | |
|---|---|:---:|:---:|:---:|
| config_folder | Relative path of the folder containing the hierarchical firewall configuration | <code>string</code> | ✓ | |
| templates_folder | Relative path of the folder containing the cidr/service account templates | <code>string</code> | ✓ | |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| hierarchical-firewall-rules | Generated Hierarchical Firewall Rules | |
<!-- END TFDOC -->


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/**
* Copyright 2021 Google LLC
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
