Merge pull request #451 from GoogleCloudPlatform/jccb/link-readme-vars
Link variables and outputs in each README's generated TFDOC tables to their definitions in `variables.tf` and `outputs.tf`
This commit is contained in:
commit
b3e9d2cb6f
@ -50,30 +50,25 @@ Run the `subscription_pull` command until it returns nothing, then run the follo
|
|||
- the `tag_add` command
|
||||
- the `cf_logs` command until the logs show that the change has been picked up, verified, and the compliant tags have been force-set on the instance
|
||||
- the `tag_show` command to verify that the function output matches the resource state
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id that references existing project. | <code>string</code> | ✓ | |
|
||||
| bundle_path | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle.zip"</code> |
|
||||
| name | Arbitrary string used to name created resources. | <code>string</code> | | <code>"asset-feed"</code> |
|
||||
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| region | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [project_id](variables.tf#L35) | Project id that references existing project. | <code>string</code> | ✓ | |
|
||||
| [bundle_path](variables.tf#L17) | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle.zip"</code> |
|
||||
| [name](variables.tf#L23) | Arbitrary string used to name created resources. | <code>string</code> | | <code>"asset-feed"</code> |
|
||||
| [project_create](variables.tf#L29) | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| [region](variables.tf#L40) | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| cf_logs | Cloud Function logs read command. | |
|
||||
| subscription_pull | Subscription pull command. | |
|
||||
| tag_add | Instance add tag command. | |
|
||||
| tag_show | Instance add tag command. | |
|
||||
| [cf_logs](outputs.tf#L17) | Cloud Function logs read command. | |
|
||||
| [subscription_pull](outputs.tf#L29) | Subscription pull command. | |
|
||||
| [tag_add](outputs.tf#L39) | Instance add tag command. | |
|
||||
| [tag_show](outputs.tf#L49) | Instance add tag command. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
|
|
@ -98,26 +98,23 @@ dig app1.svc.example.org +short
|
|||
# 127.0.0.3
|
||||
# 127.0.0.7
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Existing project id. | <code>string</code> | ✓ | |
|
||||
| name | Arbitrary string used to name created resources. | <code>string</code> | | <code>"dns-sd-test"</code> |
|
||||
| project_create | Create project instead ofusing an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| region | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| zone_domain | Domain name used for the DNS zone. | <code>string</code> | | <code>"svc.example.org."</code> |
|
||||
| [project_id](variables.tf#L29) | Existing project id. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L17) | Arbitrary string used to name created resources. | <code>string</code> | | <code>"dns-sd-test"</code> |
|
||||
| [project_create](variables.tf#L23) | Create project instead ofusing an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| [region](variables.tf#L34) | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [zone_domain](variables.tf#L40) | Domain name used for the DNS zone. | <code>string</code> | | <code>"svc.example.org."</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| gcloud_commands | Commands used to SSH to the VMs. | |
|
||||
| vms | VM names. | |
|
||||
| [gcloud_commands](outputs.tf#L17) | Commands used to SSH to the VMs. | |
|
||||
| [vms](outputs.tf#L25) | VM names. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -18,27 +18,24 @@ The resources created in this example are shown in the high level diagram below:
|
|||
<img src="diagram.png" width="640px">
|
||||
|
||||
Note that Terraform 0.13 at least is required due to the use of `for_each` with modules.
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account associated with the GCP Projects that will be created for each team. | <code>string</code> | ✓ | |
|
||||
| folder_id | Folder ID in which DNS projects will be created. | <code>string</code> | ✓ | |
|
||||
| shared_vpc_link | Shared VPC self link, used for DNS peering. | <code>string</code> | ✓ | |
|
||||
| dns_domain | DNS domain under which each application team DNS domain will be created. | <code>string</code> | | <code>"example.org"</code> |
|
||||
| prefix | Customer name to use as prefix for resources' naming. | <code>string</code> | | <code>"test-dns"</code> |
|
||||
| project_services | Service APIs enabled by default. | <code>list(string)</code> | | <code title="[ "compute.googleapis.com", "dns.googleapis.com", ]">[…]</code> |
|
||||
| teams | List of application teams requiring their own Cloud DNS instance. | <code>list(string)</code> | | <code title="[ "team1", "team2", ]">[…]</code> |
|
||||
| [billing_account_id](variables.tf#L17) | Billing account associated with the GCP Projects that will be created for each team. | <code>string</code> | ✓ | |
|
||||
| [folder_id](variables.tf#L28) | Folder ID in which DNS projects will be created. | <code>string</code> | ✓ | |
|
||||
| [shared_vpc_link](variables.tf#L48) | Shared VPC self link, used for DNS peering. | <code>string</code> | ✓ | |
|
||||
| [dns_domain](variables.tf#L22) | DNS domain under which each application team DNS domain will be created. | <code>string</code> | | <code>"example.org"</code> |
|
||||
| [prefix](variables.tf#L33) | Customer name to use as prefix for resources' naming. | <code>string</code> | | <code>"test-dns"</code> |
|
||||
| [project_services](variables.tf#L39) | Service APIs enabled by default. | <code>list(string)</code> | | <code title="[ "compute.googleapis.com", "dns.googleapis.com", ]">[…]</code> |
|
||||
| [teams](variables.tf#L53) | List of application teams requiring their own Cloud DNS instance. | <code>list(string)</code> | | <code title="[ "team1", "team2", ]">[…]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| teams | Team resources | |
|
||||
| [teams](outputs.tf#L17) | Team resources | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -62,21 +62,17 @@ If you get any warnings, check the roles and remove any of them granting any of
|
|||
- `resourcemanager.projects.setIamPolicy`
|
||||
- `resourcemanager.folders.setIamPolicy`
|
||||
- `resourcemanager.organizations.setIamPolicy`
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_administrators | List identities granted administrator permissions. | <code>list(string)</code> | ✓ | |
|
||||
| project_id | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code>string</code> | ✓ | |
|
||||
| delegated_role_grants | List of roles that project administrators will be allowed to grant/revoke. | <code>list(string)</code> | | <code title="[ "roles/storage.admin", "roles/storage.hmacKeyAdmin", "roles/storage.legacyBucketOwner", "roles/storage.objectAdmin", "roles/storage.objectCreator", "roles/storage.objectViewer", "roles/compute.admin", "roles/compute.imageUser", "roles/compute.instanceAdmin", "roles/compute.instanceAdmin.v1", "roles/compute.networkAdmin", "roles/compute.networkUser", "roles/compute.networkViewer", "roles/compute.orgFirewallPolicyAdmin", "roles/compute.orgFirewallPolicyUser", "roles/compute.orgSecurityPolicyAdmin", "roles/compute.orgSecurityPolicyUser", "roles/compute.orgSecurityResourceAdmin", "roles/compute.osAdminLogin", "roles/compute.osLogin", "roles/compute.osLoginExternalUser", "roles/compute.packetMirroringAdmin", "roles/compute.packetMirroringUser", "roles/compute.publicIpAdmin", "roles/compute.securityAdmin", "roles/compute.serviceAgent", "roles/compute.storageAdmin", "roles/compute.viewer", "roles/viewer" ]">[…]</code> |
|
||||
| direct_role_grants | List of roles granted directly to project administrators. | <code>list(string)</code> | | <code title="[ "roles/compute.admin", "roles/storage.admin", ]">[…]</code> |
|
||||
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| restricted_role_grant | Role grant to which the restrictions will apply. | <code>string</code> | | <code>"roles/resourcemanager.projectIamAdmin"</code> |
|
||||
| [project_administrators](variables.tf#L62) | List identities granted administrator permissions. | <code>list(string)</code> | ✓ | |
|
||||
| [project_id](variables.tf#L73) | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code>string</code> | ✓ | |
|
||||
| [delegated_role_grants](variables.tf#L17) | List of roles that project administrators will be allowed to grant/revoke. | <code>list(string)</code> | | <code title="[ "roles/storage.admin", "roles/storage.hmacKeyAdmin", "roles/storage.legacyBucketOwner", "roles/storage.objectAdmin", "roles/storage.objectCreator", "roles/storage.objectViewer", "roles/compute.admin", "roles/compute.imageUser", "roles/compute.instanceAdmin", "roles/compute.instanceAdmin.v1", "roles/compute.networkAdmin", "roles/compute.networkUser", "roles/compute.networkViewer", "roles/compute.orgFirewallPolicyAdmin", "roles/compute.orgFirewallPolicyUser", "roles/compute.orgSecurityPolicyAdmin", "roles/compute.orgSecurityPolicyUser", "roles/compute.orgSecurityResourceAdmin", "roles/compute.osAdminLogin", "roles/compute.osLogin", "roles/compute.osLoginExternalUser", "roles/compute.packetMirroringAdmin", "roles/compute.packetMirroringUser", "roles/compute.publicIpAdmin", "roles/compute.securityAdmin", "roles/compute.serviceAgent", "roles/compute.storageAdmin", "roles/compute.viewer", "roles/viewer" ]">[…]</code> |
|
||||
| [direct_role_grants](variables.tf#L53) | List of roles granted directly to project administrators. | <code>list(string)</code> | | <code title="[ "roles/compute.admin", "roles/storage.admin", ]">[…]</code> |
|
||||
| [project_create](variables.tf#L67) | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| [restricted_role_grant](variables.tf#L78) | Role grant to which the restrictions will apply. | <code>string</code> | | <code>"roles/resourcemanager.projectIamAdmin"</code> |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -60,24 +60,21 @@ gcloud auth activate-service-account --key-file data-uploader.json
|
|||
```bash
|
||||
terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id. | <code>string</code> | ✓ | |
|
||||
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| service_accounts | List of service accounts. | <code title="list(object({ name = string iam_project_roles = list(string) public_keys_path = string }))">list(object({…}))</code> | | <code title="[ { name = "data-uploader" iam_project_roles = [ "roles/bigquery.dataOwner", "roles/bigquery.jobUser", "roles/storage.objectAdmin" ] public_keys_path = "public-keys/data-uploader/" }, { name = "prisma-security" iam_project_roles = [ "roles/iam.securityReviewer" ] public_keys_path = "public-keys/prisma-security/" }, ]">[…]</code> |
|
||||
| services | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [project_id](variables.tf#L23) | Project id. | <code>string</code> | ✓ | |
|
||||
| [project_create](variables.tf#L17) | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| [service_accounts](variables.tf#L28) | List of service accounts. | <code title="list(object({ name = string iam_project_roles = list(string) public_keys_path = string }))">list(object({…}))</code> | | <code title="[ { name = "data-uploader" iam_project_roles = [ "roles/bigquery.dataOwner", "roles/bigquery.jobUser", "roles/storage.objectAdmin" ] public_keys_path = "public-keys/data-uploader/" }, { name = "prisma-security" iam_project_roles = [ "roles/iam.securityReviewer" ] public_keys_path = "public-keys/prisma-security/" }, ]">[…]</code> |
|
||||
| [services](variables.tf#L56) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| sa-credentials | SA json key templates. | |
|
||||
| [sa-credentials](outputs.tf#L17) | SA json key templates. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -66,33 +66,30 @@ configurations respectively.
|
|||
The following example assumes that provisioning of a Compute Engine VM requires access to
|
||||
the resources over the Internet (i.e. to install OS packages). Since Compute VM has no public IP
|
||||
address for security reasons, Internet connectivity is done with [Cloud NAT](https://cloud.google.com/nat/docs/overview).
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id that references existing project. | <code>string</code> | ✓ | |
|
||||
| billing_account | Billing account id used as default for new projects. | <code>string</code> | | <code>null</code> |
|
||||
| cidrs | CIDR ranges for subnets | <code>map(string)</code> | | <code title="{ image-builder = "10.0.0.0/24" }">{…}</code> |
|
||||
| create_packer_vars | Create packer variables file using template file and terraform output. | <code>bool</code> | | <code>false</code> |
|
||||
| packer_account_users | List of members that will be allowed to impersonate Packer image builder service account in IAM format, i.e. 'user:{emailid}'. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| packer_source_cidrs | List of CIDR ranges allowed to connect to the temporary VM for provisioning. | <code>list(string)</code> | | <code>["0.0.0.0/0"]</code> |
|
||||
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>true</code> |
|
||||
| region | Default region for resources | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| root_node | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| use_iap | Use IAP tunnel to connect to Compute Engine instance for provisioning. | <code>bool</code> | | <code>true</code> |
|
||||
| [project_id](variables.tf#L55) | Project id that references existing project. | <code>string</code> | ✓ | |
|
||||
| [billing_account](variables.tf#L17) | Billing account id used as default for new projects. | <code>string</code> | | <code>null</code> |
|
||||
| [cidrs](variables.tf#L23) | CIDR ranges for subnets | <code>map(string)</code> | | <code title="{ image-builder = "10.0.0.0/24" }">{…}</code> |
|
||||
| [create_packer_vars](variables.tf#L31) | Create packer variables file using template file and terraform output. | <code>bool</code> | | <code>false</code> |
|
||||
| [packer_account_users](variables.tf#L37) | List of members that will be allowed to impersonate Packer image builder service account in IAM format, i.e. 'user:{emailid}'. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [packer_source_cidrs](variables.tf#L43) | List of CIDR ranges allowed to connect to the temporary VM for provisioning. | <code>list(string)</code> | | <code>["0.0.0.0/0"]</code> |
|
||||
| [project_create](variables.tf#L49) | Create project instead of using an existing one. | <code>bool</code> | | <code>true</code> |
|
||||
| [region](variables.tf#L60) | Default region for resources | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [root_node](variables.tf#L66) | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| [use_iap](variables.tf#L72) | Use IAP tunnel to connect to Compute Engine instance for provisioning. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| builder_sa | Packer's service account email. | |
|
||||
| compute_sa | Packer's temporary VM service account email. | |
|
||||
| compute_subnetwork | Name of a subnetwork for Packer's temporary VM. | |
|
||||
| compute_zone | Name of a compute engine zone for Packer's temporary VM. | |
|
||||
| [builder_sa](outputs.tf#L17) | Packer's service account email. | |
|
||||
| [compute_sa](outputs.tf#L22) | Packer's temporary VM service account email. | |
|
||||
| [compute_subnetwork](outputs.tf#L27) | Name of a subnetwork for Packer's temporary VM. | |
|
||||
| [compute_zone](outputs.tf#L32) | Name of a compute engine zone for Packer's temporary VM. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -22,22 +22,18 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c
|
|||
|
||||
- `terraform init`
|
||||
- `terraform apply -var project_id=my-project-id`
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id that references existing project. | <code>string</code> | ✓ | |
|
||||
| bundle_path | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle.zip"</code> |
|
||||
| name | Arbitrary string used to name created resources. | <code>string</code> | | <code>"quota-monitor"</code> |
|
||||
| project_create | Create project instead ofusing an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| quota_config | Cloud function configuration. | <code title="object({ filters = list(string) projects = list(string) regions = list(string) })">object({…})</code> | | <code title="{ filters = null projects = null regions = null }">{…}</code> |
|
||||
| region | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| schedule_config | Schedule timer configuration in crontab format | <code>string</code> | | <code>"0 * * * *"</code> |
|
||||
| [project_id](variables.tf#L35) | Project id that references existing project. | <code>string</code> | ✓ | |
|
||||
| [bundle_path](variables.tf#L17) | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle.zip"</code> |
|
||||
| [name](variables.tf#L23) | Arbitrary string used to name created resources. | <code>string</code> | | <code>"quota-monitor"</code> |
|
||||
| [project_create](variables.tf#L29) | Create project instead ofusing an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| [quota_config](variables.tf#L40) | Cloud function configuration. | <code title="object({ filters = list(string) projects = list(string) regions = list(string) })">object({…})</code> | | <code title="{ filters = null projects = null regions = null }">{…}</code> |
|
||||
| [region](variables.tf#L54) | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [schedule_config](variables.tf#L60) | Schedule timer configuration in crontab format | <code>string</code> | | <code>"0 * * * *"</code> |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
|
|
@ -49,37 +49,31 @@ It helps to create custom [scheduled query](https://cloud.google.com/bigquery/do
|
|||
This is an optional part, created if `cai_gcs_export` is set to `true`. The high level diagram extends to the following:
|
||||
|
||||
<img src="diagram_optional.png" width="640px">
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| cai_config | Cloud Asset Inventory export config. | <code title="object({ bq_dataset = string bq_table = string bq_table_overwrite = bool target_node = string })">object({…})</code> | ✓ | |
|
||||
| project_id | Project id that references existing project. | <code>string</code> | ✓ | |
|
||||
| billing_account | Billing account id used as default for new projects. | <code>string</code> | | <code>null</code> |
|
||||
| bundle_path | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle.zip"</code> |
|
||||
| bundle_path_cffile | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle_cffile.zip"</code> |
|
||||
| cai_gcs_export | Enable optional part to export tables to GCS | <code>bool</code> | | <code>false</code> |
|
||||
| file_config | Optional BQ table as a file export function config. | <code title="object({ bucket = string filename = string format = string bq_dataset = string bq_table = string })">object({…})</code> | | <code title="{ bucket = null filename = null format = null bq_dataset = null bq_table = null }">{…}</code> |
|
||||
| location | Appe Engine location used in the example. | <code>string</code> | | <code>"europe-west"</code> |
|
||||
| name | Arbitrary string used to name created resources. | <code>string</code> | | <code>"asset-inventory"</code> |
|
||||
| name_cffile | Arbitrary string used to name created resources. | <code>string</code> | | <code>"cffile-exporter"</code> |
|
||||
| project_create | Create project instead ofusing an existing one. | <code>bool</code> | | <code>true</code> |
|
||||
| region | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| root_node | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| [cai_config](variables.tf#L36) | Cloud Asset Inventory export config. | <code title="object({ bq_dataset = string bq_table = string bq_table_overwrite = bool target_node = string })">object({…})</code> | ✓ | |
|
||||
| [project_id](variables.tf#L101) | Project id that references existing project. | <code>string</code> | ✓ | |
|
||||
| [billing_account](variables.tf#L17) | Billing account id used as default for new projects. | <code>string</code> | | <code>null</code> |
|
||||
| [bundle_path](variables.tf#L23) | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle.zip"</code> |
|
||||
| [bundle_path_cffile](variables.tf#L30) | Path used to write the intermediate Cloud Function code bundle. | <code>string</code> | | <code>"./bundle_cffile.zip"</code> |
|
||||
| [cai_gcs_export](variables.tf#L47) | Enable optional part to export tables to GCS | <code>bool</code> | | <code>false</code> |
|
||||
| [file_config](variables.tf#L54) | Optional BQ table as a file export function config. | <code title="object({ bucket = string filename = string format = string bq_dataset = string bq_table = string })">object({…})</code> | | <code title="{ bucket = null filename = null format = null bq_dataset = null bq_table = null }">{…}</code> |
|
||||
| [location](variables.tf#L73) | Appe Engine location used in the example. | <code>string</code> | | <code>"europe-west"</code> |
|
||||
| [name](variables.tf#L80) | Arbitrary string used to name created resources. | <code>string</code> | | <code>"asset-inventory"</code> |
|
||||
| [name_cffile](variables.tf#L88) | Arbitrary string used to name created resources. | <code>string</code> | | <code>"cffile-exporter"</code> |
|
||||
| [project_create](variables.tf#L95) | Create project instead ofusing an existing one. | <code>bool</code> | | <code>true</code> |
|
||||
| [region](variables.tf#L106) | Compute region used in the example. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [root_node](variables.tf#L112) | The resource name of the parent folder or organization for project creation, in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bq-dataset | Bigquery instance details. | |
|
||||
| cloud-function | Cloud Function instance details. | |
|
||||
| [bq-dataset](outputs.tf#L17) | Bigquery instance details. | |
|
||||
| [cloud-function](outputs.tf#L22) | Cloud Function instance details. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
|
|
@ -29,33 +29,30 @@ This sample creates several distinct groups of resources:
|
|||
- One instance encrypted with a CMEK Cryptokey hosted in Cloud KMS
|
||||
- GCS
|
||||
- One bucket encrypted with a CMEK Cryptokey hosted in Cloud KMS
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| root_node | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | <code>string</code> | ✓ | |
|
||||
| location | The location where resources will be deployed. | <code>string</code> | | <code>"europe"</code> |
|
||||
| project_kms_name | Name for the new KMS Project. | <code>string</code> | | <code>"my-project-kms-001"</code> |
|
||||
| project_service_name | Name for the new Service Project. | <code>string</code> | | <code>"my-project-service-001"</code> |
|
||||
| region | The region where resources will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| vpc_ip_cidr_range | Ip range used in the subnet deployef in the Service Project. | <code>string</code> | | <code>"10.0.0.0/20"</code> |
|
||||
| vpc_name | Name of the VPC created in the Service Project. | <code>string</code> | | <code>"local"</code> |
|
||||
| vpc_subnet_name | Name of the subnet created in the Service Project. | <code>string</code> | | <code>"subnet"</code> |
|
||||
| [billing_account](variables.tf#L16) | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L45) | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | <code>string</code> | ✓ | |
|
||||
| [location](variables.tf#L21) | The location where resources will be deployed. | <code>string</code> | | <code>"europe"</code> |
|
||||
| [project_kms_name](variables.tf#L27) | Name for the new KMS Project. | <code>string</code> | | <code>"my-project-kms-001"</code> |
|
||||
| [project_service_name](variables.tf#L33) | Name for the new Service Project. | <code>string</code> | | <code>"my-project-service-001"</code> |
|
||||
| [region](variables.tf#L39) | The region where resources will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [vpc_ip_cidr_range](variables.tf#L50) | Ip range used in the subnet deployef in the Service Project. | <code>string</code> | | <code>"10.0.0.0/20"</code> |
|
||||
| [vpc_name](variables.tf#L56) | Name of the VPC created in the Service Project. | <code>string</code> | | <code>"local"</code> |
|
||||
| [vpc_subnet_name](variables.tf#L62) | Name of the subnet created in the Service Project. | <code>string</code> | | <code>"subnet"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bucket | GCS Bucket URL. | |
|
||||
| bucket_keys | GCS Bucket Cloud KMS crypto keys. | |
|
||||
| projects | Project ids. | |
|
||||
| vm | GCE VM. | |
|
||||
| vm_keys | GCE VM Cloud KMS crypto keys. | |
|
||||
| [bucket](outputs.tf#L15) | GCS Bucket URL. | |
|
||||
| [bucket_keys](outputs.tf#L20) | GCS Bucket Cloud KMS crypto keys. | |
|
||||
| [projects](outputs.tf#L25) | Project ids. | |
|
||||
| [vm](outputs.tf#L33) | GCE VM. | |
|
||||
| [vm_keys](outputs.tf#L41) | GCE VM Cloud KMS crypto keys. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -45,31 +45,28 @@ You can assign projects to an existing VPC-SC standard perimeter configuring the
|
|||
gcloud access-context-manager perimeters list --format="json" | grep name
|
||||
'''
|
||||
|
||||
The script use 'google_access_context_manager_service_perimeter_resource' terraform resource. If this resource is used alongside the 'vpc-sc' module, remember to uncomment the lifecycle block in the 'vpc-sc' module so they don't fight over which resources should be in the perimeter.
|
||||
|
||||
|
||||
The script use 'google_access_context_manager_service_perimeter_resource' terraform resource. If this resource is used alongside the 'vpc-sc' module, remember to uncomment the lifecycle block in the 'vpc-sc' module so they don't fight over which resources should be in the perimeter.
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id. | <code>string</code> | ✓ | |
|
||||
| root_node | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | ✓ | |
|
||||
| admins | List of users allowed to impersonate the service account | <code>list(string)</code> | | <code>null</code> |
|
||||
| prefix | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
||||
| project_names | Override this variable if you need non-standard names. | <code title="object({ datamart = string dwh = string landing = string services = string transformation = string })">object({…})</code> | | <code title="{ datamart = "datamart" dwh = "datawh" landing = "landing" services = "services" transformation = "transformation" }">{…}</code> |
|
||||
| service_account_names | Override this variable if you need non-standard names. | <code title="object({ main = string })">object({…})</code> | | <code title="{ main = "data-platform-main" }">{…}</code> |
|
||||
| service_encryption_key_ids | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object({ multiregional = string global = string })">object({…})</code> | | <code title="{ multiregional = null global = null }">{…}</code> |
|
||||
| service_perimeter_standard | VPC Service control standard perimeter name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. All projects will be added to the perimeter in enforced mode. | <code>string</code> | | <code>null</code> |
|
||||
| [billing_account_id](variables.tf#L21) | Billing account id. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L50) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | ✓ | |
|
||||
| [admins](variables.tf#L15) | List of users allowed to impersonate the service account | <code>list(string)</code> | | <code>null</code> |
|
||||
| [prefix](variables.tf#L26) | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
||||
| [project_names](variables.tf#L32) | Override this variable if you need non-standard names. | <code title="object({ datamart = string dwh = string landing = string services = string transformation = string })">object({…})</code> | | <code title="{ datamart = "datamart" dwh = "datawh" landing = "landing" services = "services" transformation = "transformation" }">{…}</code> |
|
||||
| [service_account_names](variables.tf#L55) | Override this variable if you need non-standard names. | <code title="object({ main = string })">object({…})</code> | | <code title="{ main = "data-platform-main" }">{…}</code> |
|
||||
| [service_encryption_key_ids](variables.tf#L65) | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object({ multiregional = string global = string })">object({…})</code> | | <code title="{ multiregional = null global = null }">{…}</code> |
|
||||
| [service_perimeter_standard](variables.tf#L78) | VPC Service control standard perimeter name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. All projects will be added to the perimeter in enforced mode. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| project_ids | Project ids for created projects. | |
|
||||
| service_account | Main service account. | |
|
||||
| service_encryption_key_ids | Cloud KMS encryption keys in {LOCATION => [KEY_URL]} format. | |
|
||||
| [project_ids](outputs.tf#L17) | Project ids for created projects. | |
|
||||
| [service_account](outputs.tf#L28) | Main service account. | |
|
||||
| [service_encryption_key_ids](outputs.tf#L33) | Cloud KMS encryption keys in {LOCATION => [KEY_URL]} format. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -50,37 +50,34 @@ Once done testing, you can clean up resources by running `terraform destroy`.
|
|||
|
||||
### CMEK configuration
|
||||
You can configure GCP resources to use existing CMEK keys configuring the 'service_encryption_key_ids' variable. You need to specify a 'global' and a 'multiregional' key.
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_ids | Project IDs. | <code title="object({ datamart = string dwh = string landing = string services = string transformation = string })">object({…})</code> | ✓ | |
|
||||
| admins | List of users allowed to impersonate the service account | <code>list(string)</code> | | <code>null</code> |
|
||||
| datamart_bq_datasets | Datamart Bigquery datasets | <code title="map(object({ iam = map(list(string)) location = string }))">map(object({…}))</code> | | <code title="{ bq_datamart_dataset = { location = "EU" iam = { } } }">{…}</code> |
|
||||
| dwh_bq_datasets | DWH Bigquery datasets | <code title="map(object({ location = string iam = map(list(string)) }))">map(object({…}))</code> | | <code title="{ bq_raw_dataset = { iam = {} location = "EU" } }">{…}</code> |
|
||||
| landing_buckets | List of landing buckets to create | <code title="map(object({ location = string name = string }))">map(object({…}))</code> | | <code title="{ raw-data = { location = "EU" name = "raw-data" } data-schema = { location = "EU" name = "data-schema" } }">{…}</code> |
|
||||
| landing_pubsub | List of landing pubsub topics and subscriptions to create | <code title="map(map(object({ iam = map(list(string)) labels = map(string) options = object({ ack_deadline_seconds = number message_retention_duration = number retain_acked_messages = bool expiration_policy_ttl = number }) })))">map(map(object({…})))</code> | | <code title="{ landing-1 = { sub1 = { iam = { } labels = {} options = null } sub2 = { iam = {} labels = {}, options = null }, } }">{…}</code> |
|
||||
| landing_service_account | landing service accounts list. | <code>string</code> | | <code>"sa-landing"</code> |
|
||||
| service_account_names | Project service accounts list. | <code title="object({ datamart = string dwh = string landing = string services = string transformation = string })">object({…})</code> | | <code title="{ datamart = "sa-datamart" dwh = "sa-datawh" landing = "sa-landing" services = "sa-services" transformation = "sa-transformation" }">{…}</code> |
|
||||
| service_encryption_key_ids | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object({ multiregional = string global = string })">object({…})</code> | | <code title="{ multiregional = null global = null }">{…}</code> |
|
||||
| transformation_buckets | List of transformation buckets to create | <code title="map(object({ location = string name = string }))">map(object({…}))</code> | | <code title="{ temp = { location = "EU" name = "temp" }, templates = { location = "EU" name = "templates" }, }">{…}</code> |
|
||||
| transformation_subnets | List of subnets to create in the transformation Project. | <code title="list(object({ ip_cidr_range = string name = string region = string secondary_ip_range = map(string) }))">list(object({…}))</code> | | <code title="[ { ip_cidr_range = "10.1.0.0/20" name = "transformation-subnet" region = "europe-west3" secondary_ip_range = {} }, ]">[…]</code> |
|
||||
| transformation_vpc_name | Name of the VPC created in the transformation Project. | <code>string</code> | | <code>"transformation-vpc"</code> |
|
||||
| [project_ids](variables.tf#L108) | Project IDs. | <code title="object({ datamart = string dwh = string landing = string services = string transformation = string })">object({…})</code> | ✓ | |
|
||||
| [admins](variables.tf#L16) | List of users allowed to impersonate the service account | <code>list(string)</code> | | <code>null</code> |
|
||||
| [datamart_bq_datasets](variables.tf#L22) | Datamart Bigquery datasets | <code title="map(object({ iam = map(list(string)) location = string }))">map(object({…}))</code> | | <code title="{ bq_datamart_dataset = { location = "EU" iam = { } } }">{…}</code> |
|
||||
| [dwh_bq_datasets](variables.tf#L40) | DWH Bigquery datasets | <code title="map(object({ location = string iam = map(list(string)) }))">map(object({…}))</code> | | <code title="{ bq_raw_dataset = { iam = {} location = "EU" } }">{…}</code> |
|
||||
| [landing_buckets](variables.tf#L54) | List of landing buckets to create | <code title="map(object({ location = string name = string }))">map(object({…}))</code> | | <code title="{ raw-data = { location = "EU" name = "raw-data" } data-schema = { location = "EU" name = "data-schema" } }">{…}</code> |
|
||||
| [landing_pubsub](variables.tf#L72) | List of landing pubsub topics and subscriptions to create | <code title="map(map(object({ iam = map(list(string)) labels = map(string) options = object({ ack_deadline_seconds = number message_retention_duration = number retain_acked_messages = bool expiration_policy_ttl = number }) })))">map(map(object({…})))</code> | | <code title="{ landing-1 = { sub1 = { iam = { } labels = {} options = null } sub2 = { iam = {} labels = {}, options = null }, } }">{…}</code> |
|
||||
| [landing_service_account](variables.tf#L102) | landing service accounts list. | <code>string</code> | | <code>"sa-landing"</code> |
|
||||
| [service_account_names](variables.tf#L119) | Project service accounts list. | <code title="object({ datamart = string dwh = string landing = string services = string transformation = string })">object({…})</code> | | <code title="{ datamart = "sa-datamart" dwh = "sa-datawh" landing = "sa-landing" services = "sa-services" transformation = "sa-transformation" }">{…}</code> |
|
||||
| [service_encryption_key_ids](variables.tf#L137) | Cloud KMS encryption key in {LOCATION => [KEY_URL]} format. Keys belong to existing project. | <code title="object({ multiregional = string global = string })">object({…})</code> | | <code title="{ multiregional = null global = null }">{…}</code> |
|
||||
| [transformation_buckets](variables.tf#L149) | List of transformation buckets to create | <code title="map(object({ location = string name = string }))">map(object({…}))</code> | | <code title="{ temp = { location = "EU" name = "temp" }, templates = { location = "EU" name = "templates" }, }">{…}</code> |
|
||||
| [transformation_subnets](variables.tf#L167) | List of subnets to create in the transformation Project. | <code title="list(object({ ip_cidr_range = string name = string region = string secondary_ip_range = map(string) }))">list(object({…}))</code> | | <code title="[ { ip_cidr_range = "10.1.0.0/20" name = "transformation-subnet" region = "europe-west3" secondary_ip_range = {} }, ]">[…]</code> |
|
||||
| [transformation_vpc_name](variables.tf#L185) | Name of the VPC created in the transformation Project. | <code>string</code> | | <code>"transformation-vpc"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| datamart-datasets | List of bigquery datasets created for the datamart project. | |
|
||||
| dwh-datasets | List of bigquery datasets created for the dwh project. | |
|
||||
| landing-buckets | List of buckets created for the landing project. | |
|
||||
| landing-pubsub | List of pubsub topics and subscriptions created for the landing project. | |
|
||||
| transformation-buckets | List of buckets created for the transformation project. | |
|
||||
| transformation-vpc | Transformation VPC details | |
|
||||
| [datamart-datasets](outputs.tf#L17) | List of bigquery datasets created for the datamart project. | |
|
||||
| [dwh-datasets](outputs.tf#L24) | List of bigquery datasets created for the dwh project. | |
|
||||
| [landing-buckets](outputs.tf#L29) | List of buckets created for the landing project. | |
|
||||
| [landing-pubsub](outputs.tf#L34) | List of pubsub topics and subscriptions created for the landing project. | |
|
||||
| [transformation-buckets](outputs.tf#L44) | List of buckets created for the transformation project. | |
|
||||
| [transformation-vpc](outputs.tf#L49) | Transformation VPC details | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -109,35 +109,26 @@ schema_bq_import.json
|
|||
```
|
||||
|
||||
You can check data imported into Google BigQuery from the Google Cloud Console UI.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| prefix | Unique prefix used for resource names. Not used for project if 'project_create' is null. | <code>string</code> | | <code>null</code> |
|
||||
| project_create | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| region | The region where resources will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| vpc_subnet_range | Ip range used for the VPC subnet created for the example. | <code>string</code> | | <code>"10.0.0.0/20"</code> |
|
||||
| [project_id](variables.tf#L31) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L16) | Unique prefix used for resource names. Not used for project if 'project_create' is null. | <code>string</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L22) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L36) | The region where resources will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [vpc_subnet_range](variables.tf#L42) | Ip range used for the VPC subnet created for the example. | <code>string</code> | | <code>"10.0.0.0/20"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bq_tables | Bigquery Tables. | |
|
||||
| buckets | GCS Bucket Cloud KMS crypto keys. | |
|
||||
| data_ingestion_command | | |
|
||||
| project_id | Project id. | |
|
||||
| vm | GCE VM. | |
|
||||
| [bq_tables](outputs.tf#L15) | Bigquery Tables. | |
|
||||
| [buckets](outputs.tf#L20) | GCS Bucket Cloud KMS crypto keys. | |
|
||||
| [data_ingestion_command](outputs.tf#L28) | | |
|
||||
| [project_id](outputs.tf#L48) | Project id. | |
|
||||
| [vm](outputs.tf#L53) | GCE VM. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -124,31 +124,30 @@ You can check data imported into Google BigQuery using the command returned in
|
|||
```
|
||||
bq query --use_legacy_sql=false 'SELECT * FROM `PROJECT.datalake.person` LIMIT 1000'
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| prefix | Unique prefix used for resource names. Not used for project if 'project_create' is null. | <code>string</code> | ✓ | |
|
||||
| project_id | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| cmek_encryption | Flag to enable CMEK on GCP resources created. | <code>bool</code> | | <code>false</code> |
|
||||
| data_eng_principals | Groups with Service Account Token creator role on service accounts in IAM format, eg 'group:group@domain.com'. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| project_create | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| region | The region where resources will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| vpc_subnet_range | Ip range used for the VPC subnet created for the example. | <code>string</code> | | <code>"10.0.0.0/20"</code> |
|
||||
| [prefix](variables.tf#L26) | Unique prefix used for resource names. Not used for project if 'project_create' is null. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L40) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| [cmek_encryption](variables.tf#L15) | Flag to enable CMEK on GCP resources created. | <code>bool</code> | | <code>false</code> |
|
||||
| [data_eng_principals](variables.tf#L21) | Groups with Service Account Token creator role on service accounts in IAM format, eg 'group:group@domain.com'. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [project_create](variables.tf#L31) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L45) | The region where resources will be deployed. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [vpc_subnet_range](variables.tf#L51) | Ip range used for the VPC subnet created for the example. | <code>string</code> | | <code>"10.0.0.0/20"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bq_tables | Bigquery Tables. | |
|
||||
| buckets | GCS bucket Cloud KMS crypto keys. | |
|
||||
| command-01-gcs | gcloud command to copy data into the created bucket impersonating the service account. | |
|
||||
| command-02-dataflow | Command to run Dataflow template impersonating the service account. | |
|
||||
| command-03-bq | BigQuery command to query imported data. | |
|
||||
| project_id | Project id. | |
|
||||
| serviceaccount | Service account. | |
|
||||
| [bq_tables](outputs.tf#L15) | Bigquery Tables. | |
|
||||
| [buckets](outputs.tf#L20) | GCS bucket Cloud KMS crypto keys. | |
|
||||
| [command-01-gcs](outputs.tf#L43) | gcloud command to copy data into the created bucket impersonating the service account. | |
|
||||
| [command-02-dataflow](outputs.tf#L48) | Command to run Dataflow template impersonating the service account. | |
|
||||
| [command-03-bq](outputs.tf#L70) | BigQuery command to query imported data. | |
|
||||
| [project_id](outputs.tf#L28) | Project id. | |
|
||||
| [serviceaccount](outputs.tf#L33) | Service account. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -134,29 +134,24 @@ web-app-a-ingress:
|
|||
target_service_accounts:
|
||||
- web-app-a@myproject-id.iam.gserviceaccount.com
|
||||
```
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| config_directories | List of paths to folders where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml` | <code>list(string)</code> | ✓ | |
|
||||
| network | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| project_id | Project Id. | <code>string</code> | ✓ | |
|
||||
| log_config | Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging. | <code title="object({ metadata = string })">object({…})</code> | | <code>null</code> |
|
||||
| [config_directories](variables.tf#L17) | List of paths to folders where firewall configs are stored in yaml format. Folder may include subfolders with configuration files. Files suffix must be `.yaml` | <code>list(string)</code> | ✓ | |
|
||||
| [network](variables.tf#L30) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L35) | Project Id. | <code>string</code> | ✓ | |
|
||||
| [log_config](variables.tf#L22) | Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging. | <code title="object({ metadata = string })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| egress_allow_rules | Egress rules with allow blocks. | |
|
||||
| egress_deny_rules | Egress rules with allow blocks. | |
|
||||
| ingress_allow_rules | Ingress rules with allow blocks. | |
|
||||
| ingress_deny_rules | Ingress rules with deny blocks. | |
|
||||
| [egress_allow_rules](outputs.tf#L17) | Egress rules with allow blocks. | |
|
||||
| [egress_deny_rules](outputs.tf#L25) | Egress rules with allow blocks. | |
|
||||
| [ingress_allow_rules](outputs.tf#L33) | Ingress rules with allow blocks. | |
|
||||
| [ingress_deny_rules](outputs.tf#L41) | Ingress rules with deny blocks. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
|
|
@ -211,40 +211,33 @@ vpc:
|
|||
- user:foobar@example.com
|
||||
- serviceAccount:service-account1
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id. | <code>string</code> | ✓ | |
|
||||
| defaults | Project factory default values. | <code title="object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })">object({…})</code> | ✓ | |
|
||||
| folder_id | Folder ID for the folder where the project will be created. | <code>string</code> | ✓ | |
|
||||
| project_id | Project id. | <code>string</code> | ✓ | |
|
||||
| billing_alert | Billing alert configuration. | <code title="object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })">object({…})</code> | | <code>null</code> |
|
||||
| dns_zones | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| essential_contacts | Email contacts to be used for billing and GCP notifications | <code>list(string)</code> | | <code>[]</code> |
|
||||
| group_iam | Custom IAM settings in group => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam | Custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| kms_service_agents | KMS IAM configuration in as service => [key]. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| labels | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| org_policies | Org-policy overrides at project level. | <code title="object({ policy_boolean = map(bool) policy_list = map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| service_accounts | Service accounts to be created, and roles to assign them. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| services | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| services_iam | Custom IAM settings for robot ServiceAccounts in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| vpc | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | |
|
||||
| [defaults](variables.tf#L35) | Project factory default values. | <code title="object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })">object({…})</code> | ✓ | |
|
||||
| [folder_id](variables.tf#L68) | Folder ID for the folder where the project will be created. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L111) | Project id. | <code>string</code> | ✓ | |
|
||||
| [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })">object({…})</code> | | <code>null</code> |
|
||||
| [dns_zones](variables.tf#L56) | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [essential_contacts](variables.tf#L62) | Email contacts to be used for billing and GCP notifications | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [group_iam](variables.tf#L73) | Custom IAM settings in group => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L79) | Custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [kms_service_agents](variables.tf#L85) | KMS IAM configuration in as service => [key]. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L91) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L97) | Org-policy overrides at project level. | <code title="object({ policy_boolean = map(bool) policy_list = map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [service_accounts](variables.tf#L116) | Service accounts to be created, and roles to assign them. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [services](variables.tf#L122) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [services_iam](variables.tf#L128) | Custom IAM settings for robot ServiceAccounts in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [vpc](variables.tf#L134) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| project_id | Project ID. | |
|
||||
| [project_id](outputs.tf#L19) | Project ID. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -24,39 +24,36 @@ The number of resources in this sample is kept to a minimum so as to make it gen
|
|||
## Shared services
|
||||
|
||||
This sample uses a top-level folder to encapsulate projects that host resources that are not specific to a single environment. If no shared services are needed,the Terraform and audit modules can be easily attached to the root node, and the shared services folder and project removed from `main.tf`.
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| organization_id | Organization id in organizations/nnnnnnn format. | <code>string</code> | ✓ | |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| audit_filter | Audit log filter used for the log sink. | <code>string</code> | | <code title="" logName: "/logs/cloudaudit.googleapis.com%2Factivity" OR logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event""">…</code> |
|
||||
| environments | Environment short names. | <code>map(string)</code> | | <code title="{ dev = "Development", test = "Testing", prod = "Production" }">{…}</code> |
|
||||
| gcs_defaults | Defaults use for the state GCS buckets. | <code>map(string)</code> | | <code title="{ location = "EU" storage_class = "MULTI_REGIONAL" }">{…}</code> |
|
||||
| iam_audit_viewers | Audit project viewers, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| iam_shared_owners | Shared services project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| iam_terraform_owners | Terraform project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| project_services | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| [billing_account_id](variables.tf#L27) | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| [organization_id](variables.tf#L69) | Organization id in organizations/nnnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L74) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L88) | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| [audit_filter](variables.tf#L17) | Audit log filter used for the log sink. | <code>string</code> | | <code title="" logName: "/logs/cloudaudit.googleapis.com%2Factivity" OR logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event""">…</code> |
|
||||
| [environments](variables.tf#L32) | Environment short names. | <code>map(string)</code> | | <code title="{ dev = "Development", test = "Testing", prod = "Production" }">{…}</code> |
|
||||
| [gcs_defaults](variables.tf#L42) | Defaults use for the state GCS buckets. | <code>map(string)</code> | | <code title="{ location = "EU" storage_class = "MULTI_REGIONAL" }">{…}</code> |
|
||||
| [iam_audit_viewers](variables.tf#L51) | Audit project viewers, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [iam_shared_owners](variables.tf#L57) | Shared services project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [iam_terraform_owners](variables.tf#L63) | Terraform project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [project_services](variables.tf#L79) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| audit_logs_project | Project that holds the audit logs export resources. | |
|
||||
| bootstrap_tf_gcs_bucket | GCS bucket used for the bootstrap Terraform state. | |
|
||||
| bu_business_intelligence | Business Intelligence attributes. | |
|
||||
| bu_business_intelligence_keys | Business Intelligence service account keys. | ✓ |
|
||||
| bu_machine_learning | Machine Learning attributes. | |
|
||||
| bu_machine_learning_keys | Machine Learning service account keys. | ✓ |
|
||||
| shared_folder_id | Shared folder id. | |
|
||||
| shared_resources_project | Project that holdes resources shared across business units. | |
|
||||
| terraform_project | Project that holds the base Terraform resources. | |
|
||||
| [audit_logs_project](outputs.tf#L17) | Project that holds the audit logs export resources. | |
|
||||
| [bootstrap_tf_gcs_bucket](outputs.tf#L22) | GCS bucket used for the bootstrap Terraform state. | |
|
||||
| [bu_business_intelligence](outputs.tf#L27) | Business Intelligence attributes. | |
|
||||
| [bu_business_intelligence_keys](outputs.tf#L37) | Business Intelligence service account keys. | ✓ |
|
||||
| [bu_machine_learning](outputs.tf#L43) | Machine Learning attributes. | |
|
||||
| [bu_machine_learning_keys](outputs.tf#L53) | Machine Learning service account keys. | ✓ |
|
||||
| [shared_folder_id](outputs.tf#L59) | Shared folder id. | |
|
||||
| [shared_resources_project](outputs.tf#L64) | Project that holdes resources shared across business units. | |
|
||||
| [terraform_project](outputs.tf#L69) | Project that holds the base Terraform resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -26,43 +26,40 @@ This sample contains a single, top-level project used to host services shared ac
|
|||
For more complex setups where multiple shared services projects are needed to encapsulate a larger number of resources, shared services should be treated as an extra environment so that they can be managed by a dedicated set of Terraform files, using a separate service account and GCS bucket, with a folder to contain shared projects.
|
||||
|
||||
If no shared services are needed, the shared service project module can of course be removed from `main.tf`.
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id used as to create projects. | <code>string</code> | ✓ | |
|
||||
| environments | Environment short names. | <code>set(string)</code> | ✓ | |
|
||||
| organization_id | Organization id in organizations/nnnnnnnn format. | <code>string</code> | ✓ | |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| audit_filter | Audit log filter used for the log sink. | <code>string</code> | | <code title="" logName: "/logs/cloudaudit.googleapis.com%2Factivity" OR logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event""">…</code> |
|
||||
| gcs_location | GCS bucket location. | <code>string</code> | | <code>"EU"</code> |
|
||||
| iam_audit_viewers | Audit project viewers, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| iam_billing_config | Control granting billing user role to service accounts. Target the billing account by default. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = false }">{…}</code> |
|
||||
| iam_folder_roles | List of roles granted to each service account on its respective folder (excluding XPN roles). | <code>list(string)</code> | | <code title="[ "roles/compute.networkAdmin", "roles/owner", "roles/resourcemanager.folderViewer", "roles/resourcemanager.projectCreator", ]">[…]</code> |
|
||||
| iam_shared_owners | Shared services project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| iam_terraform_owners | Terraform project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| iam_xpn_config | Control granting Shared VPC creation roles to service accounts. Target the root node by default. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = true }">{…}</code> |
|
||||
| project_services | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| service_account_keys | Generate and store service account keys in the state file. | <code>bool</code> | | <code>true</code> |
|
||||
| [billing_account_id](variables.tf#L25) | Billing account id used as to create projects. | <code>string</code> | ✓ | |
|
||||
| [environments](variables.tf#L30) | Environment short names. | <code>set(string)</code> | ✓ | |
|
||||
| [organization_id](variables.tf#L94) | Organization id in organizations/nnnnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L99) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L113) | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| [audit_filter](variables.tf#L15) | Audit log filter used for the log sink. | <code>string</code> | | <code title="" logName: "/logs/cloudaudit.googleapis.com%2Factivity" OR logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event""">…</code> |
|
||||
| [gcs_location](variables.tf#L35) | GCS bucket location. | <code>string</code> | | <code>"EU"</code> |
|
||||
| [iam_audit_viewers](variables.tf#L41) | Audit project viewers, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [iam_billing_config](variables.tf#L47) | Control granting billing user role to service accounts. Target the billing account by default. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = false }">{…}</code> |
|
||||
| [iam_folder_roles](variables.tf#L59) | List of roles granted to each service account on its respective folder (excluding XPN roles). | <code>list(string)</code> | | <code title="[ "roles/compute.networkAdmin", "roles/owner", "roles/resourcemanager.folderViewer", "roles/resourcemanager.projectCreator", ]">[…]</code> |
|
||||
| [iam_shared_owners](variables.tf#L70) | Shared services project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [iam_terraform_owners](variables.tf#L76) | Terraform project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [iam_xpn_config](variables.tf#L82) | Control granting Shared VPC creation roles to service accounts. Target the root node by default. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = true }">{…}</code> |
|
||||
| [project_services](variables.tf#L104) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| [service_account_keys](variables.tf#L118) | Generate and store service account keys in the state file. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| audit_logs_bq_dataset | Bigquery dataset for the audit logs export. | |
|
||||
| audit_logs_project | Project that holds the audit logs export resources. | |
|
||||
| bootstrap_tf_gcs_bucket | GCS bucket used for the bootstrap Terraform state. | |
|
||||
| environment_folders | Top-level environment folders. | |
|
||||
| environment_service_account_keys | Service account keys used to run each environment Terraform modules. | ✓ |
|
||||
| environment_service_accounts | Service accounts used to run each environment Terraform modules. | |
|
||||
| environment_tf_gcs_buckets | GCS buckets used for each environment Terraform state. | |
|
||||
| shared_services_project | Project that holdes resources shared across environments. | |
|
||||
| terraform_project | Project that holds the base Terraform resources. | |
|
||||
| [audit_logs_bq_dataset](outputs.tf#L15) | Bigquery dataset for the audit logs export. | |
|
||||
| [audit_logs_project](outputs.tf#L20) | Project that holds the audit logs export resources. | |
|
||||
| [bootstrap_tf_gcs_bucket](outputs.tf#L25) | GCS bucket used for the bootstrap Terraform state. | |
|
||||
| [environment_folders](outputs.tf#L30) | Top-level environment folders. | |
|
||||
| [environment_service_account_keys](outputs.tf#L35) | Service account keys used to run each environment Terraform modules. | ✓ |
|
||||
| [environment_service_accounts](outputs.tf#L40) | Service accounts used to run each environment Terraform modules. | |
|
||||
| [environment_tf_gcs_buckets](outputs.tf#L45) | GCS buckets used for each environment Terraform state. | |
|
||||
| [shared_services_project](outputs.tf#L50) | Project that holdes resources shared across environments. | |
|
||||
| [terraform_project](outputs.tf#L55) | Project that holds the base Terraform resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -19,30 +19,25 @@ This is the high level diagram:
|
|||
The rules can be validated either using an automated process or a manual process (or a combination of
|
||||
the two). There is an example of a YAML-based validator using [Yamale](https://github.com/23andMe/Yamale)
|
||||
in the [`validator/`](validator/) subdirectory, which can be integrated as part of a CI/CD pipeline.
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| root_node | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| ip_ranges | Subnet IP CIDR ranges. | <code>map(string)</code> | | <code title="{ prod = "10.0.16.0/24" dev = "10.0.32.0/24" }">{…}</code> |
|
||||
| project_services | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "dns.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| region | Region used. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [billing_account_id](variables.tf#L15) | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L29) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L50) | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| [ip_ranges](variables.tf#L20) | Subnet IP CIDR ranges. | <code>map(string)</code> | | <code title="{ prod = "10.0.16.0/24" dev = "10.0.32.0/24" }">{…}</code> |
|
||||
| [project_services](variables.tf#L34) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "dns.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| [region](variables.tf#L44) | Region used. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| fw_rules | Firewall rules. | |
|
||||
| projects | Project ids. | |
|
||||
| vpc | Shared VPCs. | |
|
||||
| [fw_rules](outputs.tf#L15) | Firewall rules. | |
|
||||
| [projects](outputs.tf#L33) | Project ids. | |
|
||||
| [vpc](outputs.tf#L41) | Shared VPCs. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
|
|
@ -14,28 +14,25 @@ To simplify the usage of the proxy, a Cloud DNS private zone is created and the
|
|||
You can optionally deploy the Squid server as [Managed Instance Group](https://cloud.google.com/compute/docs/instance-groups) by setting the `mig` option to `true`. This option defaults to `false` which results in a standalone VM.
|
||||
|
||||
![High-level diagram](squid.png "High-level diagram")
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| allowed_domains | List of domains allowed by the squid proxy. | <code>list(string)</code> | | <code title="[ ".google.com", ".github.com" ]">[…]</code> |
|
||||
| cidrs | CIDR ranges for subnets | <code>map(string)</code> | | <code title="{ apps = "10.0.0.0/24" proxy = "10.0.1.0/28" }">{…}</code> |
|
||||
| mig | Enables the creation of an autoscaling managed instance group of squid instances. | <code>bool</code> | | <code>false</code> |
|
||||
| nat_logging | Enables Cloud NAT logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | <code>string</code> | | <code>"ERRORS_ONLY"</code> |
|
||||
| region | Default region for resources | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [billing_account](variables.tf#L26) | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L52) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L63) | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| [allowed_domains](variables.tf#L17) | List of domains allowed by the squid proxy. | <code>list(string)</code> | | <code title="[ ".google.com", ".github.com" ]">[…]</code> |
|
||||
| [cidrs](variables.tf#L31) | CIDR ranges for subnets | <code>map(string)</code> | | <code title="{ apps = "10.0.0.0/24" proxy = "10.0.1.0/28" }">{…}</code> |
|
||||
| [mig](variables.tf#L40) | Enables the creation of an autoscaling managed instance group of squid instances. | <code>bool</code> | | <code>false</code> |
|
||||
| [nat_logging](variables.tf#L46) | Enables Cloud NAT logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | <code>string</code> | | <code>"ERRORS_ONLY"</code> |
|
||||
| [region](variables.tf#L57) | Default region for resources | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| squid-address | IP address of the Squid proxy. | |
|
||||
| [squid-address](outputs.tf#L17) | IP address of the Squid proxy. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -78,28 +78,25 @@ A single pre-existing project is used in this example to keep variables and comp
|
|||
A few APIs need to be enabled in the project, if `apply` fails due to a service not being enabled just click on the link in the error message to enable it for the project, then resume `apply`.
|
||||
|
||||
The VPN used to connect the GKE masters VPC does not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../../modules/net-vpn-ha).
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||
| ip_ranges | IP CIDR ranges. | <code>map(string)</code> | | <code title="{ hub = "10.0.0.0/24" spoke-1 = "10.0.16.0/24" spoke-2 = "10.0.32.0/24" }">{…}</code> |
|
||||
| ip_secondary_ranges | Secondary IP CIDR ranges. | <code>map(string)</code> | | <code title="{ spoke-2-pods = "10.128.0.0/18" spoke-2-services = "172.16.0.0/24" }">{…}</code> |
|
||||
| prefix | Arbitrary string used to prefix resource names. | <code>string</code> | | <code>null</code> |
|
||||
| private_service_ranges | Private service IP CIDR ranges. | <code>map(string)</code> | | <code title="{ spoke-2-cluster-1 = "192.168.0.0/28" }">{…}</code> |
|
||||
| project_create | Set to non null if project needs to be created. | <code title="object({ billing_account = string oslogin = bool parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| region | VPC region. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [project_id](variables.tf#L66) | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||
| [ip_ranges](variables.tf#L15) | IP CIDR ranges. | <code>map(string)</code> | | <code title="{ hub = "10.0.0.0/24" spoke-1 = "10.0.16.0/24" spoke-2 = "10.0.32.0/24" }">{…}</code> |
|
||||
| [ip_secondary_ranges](variables.tf#L25) | Secondary IP CIDR ranges. | <code>map(string)</code> | | <code title="{ spoke-2-pods = "10.128.0.0/18" spoke-2-services = "172.16.0.0/24" }">{…}</code> |
|
||||
| [prefix](variables.tf#L34) | Arbitrary string used to prefix resource names. | <code>string</code> | | <code>null</code> |
|
||||
| [private_service_ranges](variables.tf#L40) | Private service IP CIDR ranges. | <code>map(string)</code> | | <code title="{ spoke-2-cluster-1 = "192.168.0.0/28" }">{…}</code> |
|
||||
| [project_create](variables.tf#L48) | Set to non null if project needs to be created. | <code title="object({ billing_account = string oslogin = bool parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L71) | VPC region. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| project | Project id. | |
|
||||
| vms | GCE VMs. | |
|
||||
| [project](outputs.tf#L15) | Project id. | |
|
||||
| [vms](outputs.tf#L20) | GCE VMs. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -33,26 +33,23 @@ gcloud services enable --project=$MY_PROJECT_ID {compute,dns}.googleapis.com
|
|||
The example does not account for HA, but the VPN gateways can be easily upgraded to use HA VPN via the [net-vpn-ha module](../../../modules/net-vpn-ha).
|
||||
|
||||
If a single router and VPN gateway are used in the hub to manage all tunnels, particular care must be taken in announcing ranges from hub to spokes, as Cloud Router does not explicitly support transitivity and overlapping routes received from both sides create unintended side effects. The simple workaround is to announce a single aggregated route from hub to spokes so that it does not overlap with any of the ranges advertised by each spoke to the hub.
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id for all resources. | <code>string</code> | ✓ | |
|
||||
| bgp_asn | BGP ASNs. | <code>map(number)</code> | | <code title="{ hub = 64513 spoke-1 = 64514 spoke-2 = 64515 }">{…}</code> |
|
||||
| bgp_custom_advertisements | BGP custom advertisement IP CIDR ranges. | <code>map(string)</code> | | <code title="{ hub-to-spoke-1 = "10.0.32.0/20" hub-to-spoke-2 = "10.0.16.0/20" }">{…}</code> |
|
||||
| bgp_interface_ranges | BGP interface IP CIDR ranges. | <code>map(string)</code> | | <code title="{ spoke-1 = "169.254.1.0/30" spoke-2 = "169.254.1.4/30" }">{…}</code> |
|
||||
| ip_ranges | IP CIDR ranges. | <code>map(string)</code> | | <code title="{ hub-a = "10.0.0.0/24" hub-b = "10.0.8.0/24" spoke-1-a = "10.0.16.0/24" spoke-1-b = "10.0.24.0/24" spoke-2-a = "10.0.32.0/24" spoke-2-b = "10.0.40.0/24" }">{…}</code> |
|
||||
| regions | VPC regions. | <code>map(string)</code> | | <code title="{ a = "europe-west1" b = "europe-west2" }">{…}</code> |
|
||||
| [project_id](variables.tf#L56) | Project id for all resources. | <code>string</code> | ✓ | |
|
||||
| [bgp_asn](variables.tf#L15) | BGP ASNs. | <code>map(number)</code> | | <code title="{ hub = 64513 spoke-1 = 64514 spoke-2 = 64515 }">{…}</code> |
|
||||
| [bgp_custom_advertisements](variables.tf#L25) | BGP custom advertisement IP CIDR ranges. | <code>map(string)</code> | | <code title="{ hub-to-spoke-1 = "10.0.32.0/20" hub-to-spoke-2 = "10.0.16.0/20" }">{…}</code> |
|
||||
| [bgp_interface_ranges](variables.tf#L34) | BGP interface IP CIDR ranges. | <code>map(string)</code> | | <code title="{ spoke-1 = "169.254.1.0/30" spoke-2 = "169.254.1.4/30" }">{…}</code> |
|
||||
| [ip_ranges](variables.tf#L43) | IP CIDR ranges. | <code>map(string)</code> | | <code title="{ hub-a = "10.0.0.0/24" hub-b = "10.0.8.0/24" spoke-1-a = "10.0.16.0/24" spoke-1-b = "10.0.24.0/24" spoke-2-a = "10.0.32.0/24" spoke-2-b = "10.0.40.0/24" }">{…}</code> |
|
||||
| [regions](variables.tf#L61) | VPC regions. | <code>map(string)</code> | | <code title="{ a = "europe-west1" b = "europe-west2" }">{…}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| vms | GCE VMs. | |
|
||||
| [vms](outputs.tf#L15) | GCE VMs. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -59,33 +59,30 @@ watch '\
|
|||
A sample testing session using `tmux`:
|
||||
|
||||
<a href="https://raw.githubusercontent.com/terraform-google-modules/cloud-foundation-fabric/master/networking/ilb-next-hop/test_session.png" title="Test session screenshot"><img src="./test_session.png" width="640px" alt="Test session screenshot"></img>
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Existing project id. | <code>string</code> | ✓ | |
|
||||
| ilb_right_enable | Route right to left traffic through ILB. | <code>bool</code> | | <code>false</code> |
|
||||
| ilb_session_affinity | Session affinity configuration for ILBs. | <code>string</code> | | <code>"CLIENT_IP"</code> |
|
||||
| ip_ranges | IP CIDR ranges used for VPC subnets. | <code>map(string)</code> | | <code title="{ left = "10.0.0.0/24" right = "10.0.1.0/24" }">{…}</code> |
|
||||
| prefix | Prefix used for resource names. | <code>string</code> | | <code>"ilb-test"</code> |
|
||||
| project_create | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| region | Region used for resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| zones | Zone suffixes used for instances. | <code>list(string)</code> | | <code>["b", "c"]</code> |
|
||||
| [project_id](variables.tf#L50) | Existing project id. | <code>string</code> | ✓ | |
|
||||
| [ilb_right_enable](variables.tf#L17) | Route right to left traffic through ILB. | <code>bool</code> | | <code>false</code> |
|
||||
| [ilb_session_affinity](variables.tf#L23) | Session affinity configuration for ILBs. | <code>string</code> | | <code>"CLIENT_IP"</code> |
|
||||
| [ip_ranges](variables.tf#L29) | IP CIDR ranges used for VPC subnets. | <code>map(string)</code> | | <code title="{ left = "10.0.0.0/24" right = "10.0.1.0/24" }">{…}</code> |
|
||||
| [prefix](variables.tf#L38) | Prefix used for resource names. | <code>string</code> | | <code>"ilb-test"</code> |
|
||||
| [project_create](variables.tf#L44) | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
|
||||
| [region](variables.tf#L55) | Region used for resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [zones](variables.tf#L61) | Zone suffixes used for instances. | <code>list(string)</code> | | <code>["b", "c"]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| addresses | IP addresses. | |
|
||||
| backend_health_left | Command-line health status for left ILB backends. | |
|
||||
| backend_health_right | Command-line health status for right ILB backends. | |
|
||||
| ssh_gw | Command-line login to gateway VMs. | |
|
||||
| ssh_vm_left | Command-line login to left VMs. | |
|
||||
| ssh_vm_right | Command-line login to right VMs. | |
|
||||
| [addresses](outputs.tf#L17) | IP addresses. | |
|
||||
| [backend_health_left](outputs.tf#L28) | Command-line health status for left ILB backends. | |
|
||||
| [backend_health_right](outputs.tf#L38) | Command-line health status for right ILB backends. | |
|
||||
| [ssh_gw](outputs.tf#L48) | Command-line login to gateway VMs. | |
|
||||
| [ssh_vm_left](outputs.tf#L56) | Command-line login to left VMs. | |
|
||||
| [ssh_vm_right](outputs.tf#L64) | Command-line login to right VMs. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -200,30 +200,27 @@ curl www.onprem.example.org -s |grep h1
|
|||
A single pre-existing project is used in this example to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
|
||||
|
||||
The VPN-s used to connect to the on-premises environment do not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../../modules/net-vpn-ha).
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id for all resources. | <code>string</code> | ✓ | |
|
||||
| bgp_asn | BGP ASNs. | <code>map(number)</code> | | <code title="{ gcp1 = 64513 gcp2 = 64520 onprem1 = 64514 onprem2 = 64514 }">{…}</code> |
|
||||
| bgp_interface_ranges | BGP interface IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gcp1 = "169.254.1.0/30" gcp2 = "169.254.2.0/30" }">{…}</code> |
|
||||
| dns_forwarder_address | Address of the DNS server used to forward queries from on-premises. | <code>string</code> | | <code>"10.0.0.2"</code> |
|
||||
| forwarder_address | GCP DNS inbound policy forwarder address. | <code>string</code> | | <code>"10.0.0.2"</code> |
|
||||
| ip_ranges | IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gcp1 = "10.0.0.0/24" gcp2 = "10.10.0.0/24" onprem = "10.0.16.0/24" }">{…}</code> |
|
||||
| region | VPC region. | <code>map(string)</code> | | <code title="{ gcp1 = "europe-west1" gcp2 = "europe-west2" }">{…}</code> |
|
||||
| ssh_source_ranges | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code>list(string)</code> | | <code>["0.0.0.0/0"]</code> |
|
||||
| [project_id](variables.tf#L59) | Project id for all resources. | <code>string</code> | ✓ | |
|
||||
| [bgp_asn](variables.tf#L17) | BGP ASNs. | <code>map(number)</code> | | <code title="{ gcp1 = 64513 gcp2 = 64520 onprem1 = 64514 onprem2 = 64514 }">{…}</code> |
|
||||
| [bgp_interface_ranges](variables.tf#L28) | BGP interface IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gcp1 = "169.254.1.0/30" gcp2 = "169.254.2.0/30" }">{…}</code> |
|
||||
| [dns_forwarder_address](variables.tf#L37) | Address of the DNS server used to forward queries from on-premises. | <code>string</code> | | <code>"10.0.0.2"</code> |
|
||||
| [forwarder_address](variables.tf#L43) | GCP DNS inbound policy forwarder address. | <code>string</code> | | <code>"10.0.0.2"</code> |
|
||||
| [ip_ranges](variables.tf#L49) | IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gcp1 = "10.0.0.0/24" gcp2 = "10.10.0.0/24" onprem = "10.0.16.0/24" }">{…}</code> |
|
||||
| [region](variables.tf#L64) | VPC region. | <code>map(string)</code> | | <code title="{ gcp1 = "europe-west1" gcp2 = "europe-west2" }">{…}</code> |
|
||||
| [ssh_source_ranges](variables.tf#L73) | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code>list(string)</code> | | <code>["0.0.0.0/0"]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| onprem-instance | Onprem instance details. | |
|
||||
| test-instance1 | Test instance details. | |
|
||||
| test-instance2 | Test instance details. | |
|
||||
| [onprem-instance](outputs.tf#L17) | Onprem instance details. | |
|
||||
| [test-instance1](outputs.tf#L26) | Test instance details. | |
|
||||
| [test-instance2](outputs.tf#L33) | Test instance details. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -13,25 +13,23 @@ curl https://YOUR_REGION-YOUR_PROJECT_ID.cloudfunctions.net/YOUR_FUNCTION_NAME
|
|||
```
|
||||
|
||||
![Cloud Function via Private Service Connect](diagram.png "High-level diagram")
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id. | <code>string</code> | ✓ | |
|
||||
| ip_ranges | IP ranges used for the VPCs. | <code title="object({ onprem = string hub = string })">object({…})</code> | | <code title="{ onprem = "10.0.1.0/24", hub = "10.0.2.0/24" }">{…}</code> |
|
||||
| name | Name used for new resources. | <code>string</code> | | <code>"cf-via-psc"</code> |
|
||||
| project_create | If non null, creates project instead of using an existing one. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| psc_endpoint | IP used for the Private Service Connect endpoint, it must not overlap with the hub_ip_range. | <code>string</code> | | <code>"172.16.32.1"</code> |
|
||||
| region | Region where the resources will be created. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [project_id](variables.tf#L44) | Project id. | <code>string</code> | ✓ | |
|
||||
| [ip_ranges](variables.tf#L17) | IP ranges used for the VPCs. | <code title="object({ onprem = string hub = string })">object({…})</code> | | <code title="{ onprem = "10.0.1.0/24", hub = "10.0.2.0/24" }">{…}</code> |
|
||||
| [name](variables.tf#L29) | Name used for new resources. | <code>string</code> | | <code>"cf-via-psc"</code> |
|
||||
| [project_create](variables.tf#L35) | If non null, creates project instead of using an existing one. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [psc_endpoint](variables.tf#L49) | IP used for the Private Service Connect endpoint, it must not overlap with the hub_ip_range. | <code>string</code> | | <code>"172.16.32.1"</code> |
|
||||
| [region](variables.tf#L55) | Region where the resources will be created. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| function_url | URL of the Cloud Function. | |
|
||||
| [function_url](outputs.tf#L17) | URL of the Cloud Function. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -41,35 +41,32 @@ alias k='HTTPS_PROXY=localhost:8888 kubectl $@'
|
|||
## Destroying
|
||||
|
||||
There's a minor glitch that can surface running `terraform destroy`, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the `gcloud beta compute shared-vpc associated-projects remove` command when `terraform destroy` fails, and then relaunch the command.
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| root_node | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| cluster_create | Create GKE cluster and nodepool. | <code>bool</code> | | <code>true</code> |
|
||||
| ip_ranges | Subnet IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gce = "10.0.16.0/24" gke = "10.0.32.0/24" }">{…}</code> |
|
||||
| ip_secondary_ranges | Secondary IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gke-pods = "10.128.0.0/18" gke-services = "172.16.0.0/24" }">{…}</code> |
|
||||
| owners_gce | GCE project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| owners_gke | GKE project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| owners_host | Host project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| private_service_ranges | Private service IP CIDR ranges. | <code>map(string)</code> | | <code title="{ cluster-1 = "192.168.0.0/28" }">{…}</code> |
|
||||
| project_services | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| region | Region used. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [billing_account_id](variables.tf#L15) | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L62) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L90) | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| [cluster_create](variables.tf#L20) | Create GKE cluster and nodepool. | <code>bool</code> | | <code>true</code> |
|
||||
| [ip_ranges](variables.tf#L26) | Subnet IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gce = "10.0.16.0/24" gke = "10.0.32.0/24" }">{…}</code> |
|
||||
| [ip_secondary_ranges](variables.tf#L35) | Secondary IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gke-pods = "10.128.0.0/18" gke-services = "172.16.0.0/24" }">{…}</code> |
|
||||
| [owners_gce](variables.tf#L44) | GCE project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [owners_gke](variables.tf#L50) | GKE project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [owners_host](variables.tf#L56) | Host project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [private_service_ranges](variables.tf#L67) | Private service IP CIDR ranges. | <code>map(string)</code> | | <code title="{ cluster-1 = "192.168.0.0/28" }">{…}</code> |
|
||||
| [project_services](variables.tf#L75) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| [region](variables.tf#L84) | Region used. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| gke_clusters | GKE clusters information. | |
|
||||
| projects | Project ids. | |
|
||||
| vms | GCE VMs. | |
|
||||
| vpc | Shared VPC. | |
|
||||
| [gke_clusters](outputs.tf#L15) | GKE clusters information. | |
|
||||
| [projects](outputs.tf#L24) | Project ids. | |
|
||||
| [vms](outputs.tf#L33) | GCE VMs. | |
|
||||
| [vpc](outputs.tf#L40) | Shared VPC. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -1,35 +1,32 @@
|
|||
# OpenShift Cluster Bootstrap
|
||||
|
||||
This example is a companion setup to the Python script in the parent folder, and is used to bootstrap OpenShift clusters on GCP. Refer to the documentation in the parent folder for usage instructions.
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| cluster_name | Name used for the cluster and DNS zone. | <code>string</code> | ✓ | |
|
||||
| domain | Domain name used to derive the DNS zone. | <code>string</code> | ✓ | |
|
||||
| fs_paths | Filesystem paths for commands and data, supports home path expansion. | <code title="object({ credentials = string config_dir = string openshift_install = string pull_secret = string ssh_key = string })">object({…})</code> | ✓ | |
|
||||
| host_project | Shared VPC project and network configuration. | <code title="object({ default_subnet_name = string masters_subnet_name = string project_id = string vpc_name = string workers_subnet_name = string })">object({…})</code> | ✓ | |
|
||||
| service_project | Service project configuration. | <code title="object({ project_id = string })">object({…})</code> | ✓ | |
|
||||
| allowed_ranges | Ranges that can SSH to the boostrap VM and API endpoint. | <code>list(any)</code> | | <code>["10.0.0.0/8"]</code> |
|
||||
| disk_encryption_key | Optional CMEK for disk encryption. | <code title="object({ keyring = string location = string name = string project_id = string })">object({…})</code> | | <code>null</code> |
|
||||
| install_config_params | OpenShift cluster configuration. | <code title="object({ disk_size = number labels = map(string) network = object({ cluster = string host_prefix = number machine = string service = string }) proxy = object({ http = string https = string noproxy = string }) })">object({…})</code> | | <code title="{ disk_size = 16 labels = {} network = { cluster = "10.128.0.0/14" host_prefix = 23 machine = "10.0.0.0/16" service = "172.30.0.0/16" } proxy = null }">{…}</code> |
|
||||
| post_bootstrap_config | Name of the service account for the machine operator. Removes bootstrap resources when set. | <code title="object({ machine_op_sa_prefix = string })">object({…})</code> | | <code>null</code> |
|
||||
| region | Region where resources will be created. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| rhcos_gcp_image | RHCOS image used. | <code>string</code> | | <code>"projects/rhcos-cloud/global/images/rhcos-47-83-202102090044-0-gcp-x86-64"</code> |
|
||||
| tags | Additional tags for instances. | <code>list(string)</code> | | <code>["ssh"]</code> |
|
||||
| zones | Zones used for instances. | <code>list(string)</code> | | <code>["b", "c", "d"]</code> |
|
||||
| [cluster_name](variables.tf#L23) | Name used for the cluster and DNS zone. | <code>string</code> | ✓ | |
|
||||
| [domain](variables.tf#L28) | Domain name used to derive the DNS zone. | <code>string</code> | ✓ | |
|
||||
| [fs_paths](variables.tf#L87) | Filesystem paths for commands and data, supports home path expansion. | <code title="object({ credentials = string config_dir = string openshift_install = string pull_secret = string ssh_key = string })">object({…})</code> | ✓ | |
|
||||
| [host_project](variables.tf#L44) | Shared VPC project and network configuration. | <code title="object({ default_subnet_name = string masters_subnet_name = string project_id = string vpc_name = string workers_subnet_name = string })">object({…})</code> | ✓ | |
|
||||
| [service_project](variables.tf#L124) | Service project configuration. | <code title="object({ project_id = string })">object({…})</code> | ✓ | |
|
||||
| [allowed_ranges](variables.tf#L17) | Ranges that can SSH to the boostrap VM and API endpoint. | <code>list(any)</code> | | <code>["10.0.0.0/8"]</code> |
|
||||
| [disk_encryption_key](variables.tf#L33) | Optional CMEK for disk encryption. | <code title="object({ keyring = string location = string name = string project_id = string })">object({…})</code> | | <code>null</code> |
|
||||
| [install_config_params](variables.tf#L57) | OpenShift cluster configuration. | <code title="object({ disk_size = number labels = map(string) network = object({ cluster = string host_prefix = number machine = string service = string }) proxy = object({ http = string https = string noproxy = string }) })">object({…})</code> | | <code title="{ disk_size = 16 labels = {} network = { cluster = "10.128.0.0/14" host_prefix = 23 machine = "10.0.0.0/16" service = "172.30.0.0/16" } proxy = null }">{…}</code> |
|
||||
| [post_bootstrap_config](variables.tf#L102) | Name of the service account for the machine operator. Removes bootstrap resources when set. | <code title="object({ machine_op_sa_prefix = string })">object({…})</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L110) | Region where resources will be created. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [rhcos_gcp_image](variables.tf#L116) | RHCOS image used. | <code>string</code> | | <code>"projects/rhcos-cloud/global/images/rhcos-47-83-202102090044-0-gcp-x86-64"</code> |
|
||||
| [tags](variables.tf#L131) | Additional tags for instances. | <code>list(string)</code> | | <code>["ssh"]</code> |
|
||||
| [zones](variables.tf#L137) | Zones used for instances. | <code>list(string)</code> | | <code>["b", "c", "d"]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| backend-health | Command to monitor API internal backend health. | |
|
||||
| bootstrap-ssh | Command to SSH to the bootstrap instance. | |
|
||||
| masters-ssh | Command to SSH to the master instances. | |
|
||||
| [backend-health](outputs.tf#L17) | Command to monitor API internal backend health. | |
|
||||
| [bootstrap-ssh](outputs.tf#L27) | Command to SSH to the bootstrap instance. | |
|
||||
| [masters-ssh](outputs.tf#L37) | Command to SSH to the master instances. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -283,23 +283,23 @@ Names used in internal references (e.g. `module.foo-prod.id`) are only used by T
|
|||
|
||||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| billing_account | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | |
|
||||
| organization | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | |
|
||||
| bootstrap_user | Email of the nominal user running this stage for the first time. | <code>string</code> | | <code>null</code> | |
|
||||
| groups | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | |
|
||||
| iam | Organization-level custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| iam_additive | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| log_sinks | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> | |
|
||||
| outputs_location | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [billing_account](variables.tf#L17) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | |
|
||||
| [organization](variables.tf#L82) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | |
|
||||
| [prefix](variables.tf#L97) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | |
|
||||
| [bootstrap_user](variables.tf#L25) | Email of the nominal user running this stage for the first time. | <code>string</code> | | <code>null</code> | |
|
||||
| [groups](variables.tf#L31) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | |
|
||||
| [iam](variables.tf#L45) | Organization-level custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [iam_additive](variables.tf#L51) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [log_sinks](variables.tf#L57) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L91) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive | consumers |
|
||||
|---|---|:---:|---|
|
||||
| billing_dataset | BigQuery dataset prepared for billing export. | | |
|
||||
| project_ids | Projects created by this stage. | | |
|
||||
| providers | Terraform provider files for this stage and dependent stages. | ✓ | <code>stage-01</code> |
|
||||
| tfvars | Terraform variable files for the following stages. | ✓ | |
|
||||
| [billing_dataset](outputs.tf#L84) | BigQuery dataset prepared for billing export. | | |
|
||||
| [project_ids](outputs.tf#L89) | Projects created by this stage. | | |
|
||||
| [providers](outputs.tf#L100) | Terraform provider files for this stage and dependent stages. | ✓ | <code>stage-01</code> |
|
||||
| [tfvars](outputs.tf#L109) | Terraform variable files for the following stages. | ✓ | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -159,26 +159,26 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
|
||||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| automation_project_id | Project id for the automation project created by the bootstrap stage. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| billing_account | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| organization | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| custom_roles | Custom roles defined at the org level, in key => id format. | <code>map(string)</code> | | <code>{}</code> | <code>00-bootstrap</code> |
|
||||
| groups | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| organization_policy_configs | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| outputs_location | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| team_folders | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
| [automation_project_id](variables.tf#L29) | Project id for the automation project created by the bootstrap stage. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L20) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [organization](variables.tf#L57) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L81) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | <code>map(string)</code> | | <code>{}</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L42) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L67) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L75) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [team_folders](variables.tf#L87) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive | consumers |
|
||||
|---|---|:---:|---|
|
||||
| networking | Data for the networking stage. | | <code>02-networking</code> |
|
||||
| project_factories | Data for the project factories stage. | | <code>xx-teams</code> |
|
||||
| providers | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
|
||||
| sandbox | Data for the sandbox stage. | | <code>xx-sandbox</code> |
|
||||
| security | Data for the networking stage. | | <code>02-security</code> |
|
||||
| teams | Data for the teams stage. | | |
|
||||
| tfvars | Terraform variable files for the following stages. | ✓ | |
|
||||
| [networking](outputs.tf#L79) | Data for the networking stage. | | <code>02-networking</code> |
|
||||
| [project_factories](outputs.tf#L89) | Data for the project factories stage. | | <code>xx-teams</code> |
|
||||
| [providers](outputs.tf#L106) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
|
||||
| [sandbox](outputs.tf#L113) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
|
||||
| [security](outputs.tf#L123) | Data for the networking stage. | | <code>02-security</code> |
|
||||
| [teams](outputs.tf#L133) | Data for the teams stage. | | |
|
||||
| [tfvars](outputs.tf#L146) | Terraform variable files for the following stages. | ✓ | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -308,32 +308,32 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
|
|||
|
||||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| organization | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| custom_adv | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/16" rfc_1918_192 = "192.168.0.0/16" landing_ew1 = "10.128.0.0/16" landing_ew4 = "10.129.0.0/16" spoke_prod_ew1 = "10.136.0.0/16" spoke_prod_ew4 = "10.137.0.0/16" spoke_dev_ew1 = "10.144.0.0/16" spoke_dev_ew4 = "10.145.0.0/16" }">{…}</code> | |
|
||||
| data_dir | Relative path for the folder storing configuration data for network resources. | <code>string</code> | | <code>"data"</code> | |
|
||||
| dns | Onprem DNS resolvers | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||
| folder_id | Folder to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code>string</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| gke | | <code title="map(object({ folder_id = string sa = string gcs = string }))">map(object({…}))</code> | | <code>{}</code> | <code>01-resman</code> |
|
||||
| l7ilb_subnets | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.136.240.0/24", region = "europe-west1" }, { ip_cidr_range = "10.137.240.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.144.240.0/24", region = "europe-west1" }, { ip_cidr_range = "10.145.240.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||
| outputs_location | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| project_factory_sa | IAM emails for project factory service accounts | <code>map(string)</code> | | <code>{}</code> | <code>01-resman</code> |
|
||||
| psa_ranges | IP ranges used for Private Service Access (e.g. CloudSQL). | <code>map(map(string))</code> | | <code title="{ prod = { cloudsql-mysql = "10.136.250.0/24" cloudsql-sqlserver = "10.136.251.0/24" } dev = { cloudsql-mysql = "10.144.250.0/24" cloudsql-sqlserver = "10.144.251.0/24" } }">{…}</code> | |
|
||||
| router_configs | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ onprem-ew1 = { asn = "65534" adv = null } landing-ew1 = { asn = "64512", adv = null } landing-ew4 = { asn = "64512", adv = null } spoke-dev-ew1 = { asn = "64513", adv = null } spoke-dev-ew4 = { asn = "64513", adv = null } spoke-prod-ew1 = { asn = "64514", adv = null } spoke-prod-ew4 = { asn = "64514", adv = null } }">{…}</code> | |
|
||||
| vpn_onprem_configs | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) session_range = string peer = object({ address = string asn = number secret_id = string }) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_restricted", "googleapis_private", "landing_ew1", "landing_ew4", "spoke_prod_ew1", "spoke_prod_ew4", "spoke_dev_ew1", "spoke_dev_ew4" ] } session_range = "169.254.1.0/29" peer = { address = "8.8.8.8" asn = 65534 secret_id = "foobar" } } }">{…}</code> | |
|
||||
| vpn_spoke_configs | VPN gateway configuration for spokes. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) session_range = string }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } session_range = null # values for the landing router are pulled from the spoke range } landing-ew4 = { adv = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } session_range = null # values for the landing router are pulled from the spoke range } dev-ew1 = { adv = { default = false custom = ["spoke_dev_ew1", "spoke_dev_ew4"] } session_range = "169.254.0.0/27" # resize according to required number of tunnels } prod-ew1 = { adv = { default = false custom = ["spoke_prod_ew1", "spoke_prod_ew4"] } session_range = "169.254.0.64/27" # resize according to required number of tunnels } prod-ew4 = { adv = { default = false custom = ["spoke_prod_ew1", "spoke_prod_ew4"] } session_range = "169.254.0.96/27" # resize according to required number of tunnels } }">{…}</code> | |
|
||||
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [organization](variables.tf#L99) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L115) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [custom_adv](variables.tf#L23) | Custom advertisement definitions in name => range format. | <code>map(string)</code> | | <code title="{ cloud_dns = "35.199.192.0/19" googleapis_private = "199.36.153.8/30" googleapis_restricted = "199.36.153.4/30" rfc_1918_10 = "10.0.0.0/8" rfc_1918_172 = "172.16.0.0/16" rfc_1918_192 = "192.168.0.0/16" landing_ew1 = "10.128.0.0/16" landing_ew4 = "10.129.0.0/16" spoke_prod_ew1 = "10.136.0.0/16" spoke_prod_ew4 = "10.137.0.0/16" spoke_dev_ew1 = "10.144.0.0/16" spoke_dev_ew4 = "10.145.0.0/16" }">{…}</code> | |
|
||||
| [data_dir](variables.tf#L42) | Relative path for the folder storing configuration data for network resources. | <code>string</code> | | <code>"data"</code> | |
|
||||
| [dns](variables.tf#L48) | Onprem DNS resolvers | <code>map(list(string))</code> | | <code title="{ onprem = ["10.0.200.3"] }">{…}</code> | |
|
||||
| [folder_id](variables.tf#L56) | Folder to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | <code>string</code> | | <code>null</code> | <code>01-resman</code> |
|
||||
| [gke](variables.tf#L70) | | <code title="map(object({ folder_id = string sa = string gcs = string }))">map(object({…}))</code> | | <code>{}</code> | <code>01-resman</code> |
|
||||
| [l7ilb_subnets](variables.tf#L81) | Subnets used for L7 ILBs. | <code title="map(list(object({ ip_cidr_range = string region = string })))">map(list(object({…})))</code> | | <code title="{ prod = [ { ip_cidr_range = "10.136.240.0/24", region = "europe-west1" }, { ip_cidr_range = "10.137.240.0/24", region = "europe-west4" } ] dev = [ { ip_cidr_range = "10.144.240.0/24", region = "europe-west1" }, { ip_cidr_range = "10.145.240.0/24", region = "europe-west4" } ] }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L109) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [project_factory_sa](variables.tf#L121) | IAM emails for project factory service accounts | <code>map(string)</code> | | <code>{}</code> | <code>01-resman</code> |
|
||||
| [psa_ranges](variables.tf#L128) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code>map(map(string))</code> | | <code title="{ prod = { cloudsql-mysql = "10.136.250.0/24" cloudsql-sqlserver = "10.136.251.0/24" } dev = { cloudsql-mysql = "10.144.250.0/24" cloudsql-sqlserver = "10.144.251.0/24" } }">{…}</code> | |
|
||||
| [router_configs](variables.tf#L143) | Configurations for CRs and onprem routers. | <code title="map(object({ adv = object({ custom = list(string) default = bool }) asn = number }))">map(object({…}))</code> | | <code title="{ onprem-ew1 = { asn = "65534" adv = null } landing-ew1 = { asn = "64512", adv = null } landing-ew4 = { asn = "64512", adv = null } spoke-dev-ew1 = { asn = "64513", adv = null } spoke-dev-ew4 = { asn = "64513", adv = null } spoke-prod-ew1 = { asn = "64514", adv = null } spoke-prod-ew4 = { asn = "64514", adv = null } }">{…}</code> | |
|
||||
| [vpn_onprem_configs](variables.tf#L167) | VPN gateway configuration for onprem interconnection. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) session_range = string peer = object({ address = string asn = number secret_id = string }) }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = [ "cloud_dns", "googleapis_restricted", "googleapis_private", "landing_ew1", "landing_ew4", "spoke_prod_ew1", "spoke_prod_ew4", "spoke_dev_ew1", "spoke_dev_ew4" ] } session_range = "169.254.1.0/29" peer = { address = "8.8.8.8" asn = 65534 secret_id = "foobar" } } }">{…}</code> | |
|
||||
| [vpn_spoke_configs](variables.tf#L207) | VPN gateway configuration for spokes. | <code title="map(object({ adv = object({ default = bool custom = list(string) }) session_range = string }))">map(object({…}))</code> | | <code title="{ landing-ew1 = { adv = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } session_range = null # values for the landing router are pulled from the spoke range } landing-ew4 = { adv = { default = false custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"] } session_range = null # values for the landing router are pulled from the spoke range } dev-ew1 = { adv = { default = false custom = ["spoke_dev_ew1", "spoke_dev_ew4"] } session_range = "169.254.0.0/27" # resize according to required number of tunnels } prod-ew1 = { adv = { default = false custom = ["spoke_prod_ew1", "spoke_prod_ew4"] } session_range = "169.254.0.64/27" # resize according to required number of tunnels } prod-ew4 = { adv = { default = false custom = ["spoke_prod_ew1", "spoke_prod_ew4"] } session_range = "169.254.0.96/27" # resize according to required number of tunnels } }">{…}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive | consumers |
|
||||
|---|---|:---:|---|
|
||||
| cloud_dns_inbound_policy | IP Addresses for Cloud DNS inbound policy. | | |
|
||||
| project_ids | Network project ids. | | |
|
||||
| project_numbers | Network project numbers. | | |
|
||||
| shared_vpc_host_projects | Shared VPC host projects. | | |
|
||||
| shared_vpc_self_links | Shared VPC host projects. | | |
|
||||
| tfvars | Network-related variables used in other stages. | ✓ | |
|
||||
| vpn_gateway_endpoints | External IP Addresses for the GCP VPN gateways. | | |
|
||||
| [cloud_dns_inbound_policy](outputs.tf#L41) | IP Addresses for Cloud DNS inbound policy. | | |
|
||||
| [project_ids](outputs.tf#L46) | Network project ids. | | |
|
||||
| [project_numbers](outputs.tf#L55) | Network project numbers. | | |
|
||||
| [shared_vpc_host_projects](outputs.tf#L64) | Shared VPC host projects. | | |
|
||||
| [shared_vpc_self_links](outputs.tf#L74) | Shared VPC host projects. | | |
|
||||
| [tfvars](outputs.tf#L91) | Network-related variables used in other stages. | ✓ | |
|
||||
| [vpn_gateway_endpoints](outputs.tf#L84) | External IP Addresses for the GCP VPN gateways. | | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -283,27 +283,27 @@ Some references that might be useful in setting up this stage:
|
|||
|
||||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id. | <code>string</code> | ✓ | | <code>bootstrap</code> |
|
||||
| folder_id | Folder to be used for the networking resources in folders/nnnn format. | <code>string</code> | ✓ | | <code>resman</code> |
|
||||
| organization | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>bootstrap</code> |
|
||||
| prefix | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | |
|
||||
| groups | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>bootstrap</code> |
|
||||
| kms_defaults | Defaults used for KMS keys. | <code title="object({ locations = list(string) rotation_period = string })">object({…})</code> | | <code title="{ locations = ["europe", "europe-west1", "europe-west3", "global"] rotation_period = "7776000s" }">{…}</code> | |
|
||||
| kms_keys | KMS keys to create, keyed by name. Null attributes will be interpolated with defaults. | <code title="map(object({ iam = map(list(string)) labels = map(string) locations = list(string) rotation_period = string }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| kms_restricted_admins | Map of environment => [identities] who can assign the encrypt/decrypt roles on keys. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| outputs_location | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| vpc_sc_access_levels | VPC SC access level definitions. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) members = list(string) negate = bool regions = list(string) required_access_levels = list(string) })) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| vpc_sc_egress_policies | VPC SC egress policy defnitions. | <code title="map(object({ egress_from = object({ identity_type = string identities = list(string) }) egress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| vpc_sc_ingress_policies | VPC SC ingress policy defnitions. | <code title="map(object({ ingress_from = object({ identity_type = string identities = list(string) source_access_levels = list(string) source_resources = list(string) }) ingress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| vpc_sc_perimeter_access_levels | VPC SC perimeter access_levels. | <code title="object({ dev = list(string) landing = list(string) prod = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| vpc_sc_perimeter_egress_policies | VPC SC egress policies per perimeter, values reference keys defined in the `vpc_sc_ingress_policies` variable. | <code title="object({ dev = list(string) landing = list(string) prod = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| vpc_sc_perimeter_ingress_policies | VPC SC ingress policies per perimeter, values reference keys defined in the `vpc_sc_ingress_policies` variable. | <code title="object({ dev = list(string) landing = list(string) prod = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| vpc_sc_perimeter_projects | VPC SC perimeter resources. | <code title="object({ dev = list(string) landing = list(string) prod = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | | <code>bootstrap</code> |
|
||||
| [folder_id](variables.tf#L23) | Folder to be used for the networking resources in folders/nnnn format. | <code>string</code> | ✓ | | <code>resman</code> |
|
||||
| [organization](variables.tf#L73) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>bootstrap</code> |
|
||||
| [prefix](variables.tf#L89) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | |
|
||||
| [groups](variables.tf#L29) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>bootstrap</code> |
|
||||
| [kms_defaults](variables.tf#L44) | Defaults used for KMS keys. | <code title="object({ locations = list(string) rotation_period = string })">object({…})</code> | | <code title="{ locations = ["europe", "europe-west1", "europe-west3", "global"] rotation_period = "7776000s" }">{…}</code> | |
|
||||
| [kms_keys](variables.tf#L56) | KMS keys to create, keyed by name. Null attributes will be interpolated with defaults. | <code title="map(object({ iam = map(list(string)) labels = map(string) locations = list(string) rotation_period = string }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [kms_restricted_admins](variables.tf#L67) | Map of environment => [identities] who can assign the encrypt/decrypt roles on keys. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [outputs_location](variables.tf#L83) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [vpc_sc_access_levels](variables.tf#L94) | VPC SC access level definitions. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) members = list(string) negate = bool regions = list(string) required_access_levels = list(string) })) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [vpc_sc_egress_policies](variables.tf#L109) | VPC SC egress policy defnitions. | <code title="map(object({ egress_from = object({ identity_type = string identities = list(string) }) egress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [vpc_sc_ingress_policies](variables.tf#L127) | VPC SC ingress policy defnitions. | <code title="map(object({ ingress_from = object({ identity_type = string identities = list(string) source_access_levels = list(string) source_resources = list(string) }) ingress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [vpc_sc_perimeter_access_levels](variables.tf#L147) | VPC SC perimeter access_levels. | <code title="object({ dev = list(string) landing = list(string) prod = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_sc_perimeter_egress_policies](variables.tf#L157) | VPC SC egress policies per perimeter, values reference keys defined in the `vpc_sc_ingress_policies` variable. | <code title="object({ dev = list(string) landing = list(string) prod = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_sc_perimeter_ingress_policies](variables.tf#L167) | VPC SC ingress policies per perimeter, values reference keys defined in the `vpc_sc_ingress_policies` variable. | <code title="object({ dev = list(string) landing = list(string) prod = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [vpc_sc_perimeter_projects](variables.tf#L177) | VPC SC perimeter resources. | <code title="object({ dev = list(string) landing = list(string) prod = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive | consumers |
|
||||
|---|---|:---:|---|
|
||||
| stage_perimeter_projects | Security project numbers. They can be added to perimeter resources. | | |
|
||||
| [stage_perimeter_projects](outputs.tf#L37) | Security project numbers. They can be added to perimeter resources. | | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -109,17 +109,17 @@ terraform apply
|
|||
|
||||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| billing_account_id | Billing account id. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| shared_vpc_self_link | Self link for the shared VPC. | <code>string</code> | ✓ | | <code>02-networking</code> |
|
||||
| vpc_host_project | Host project for the shared VPC. | <code>string</code> | ✓ | | <code>02-networking</code> |
|
||||
| data_dir | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data/projects"</code> | |
|
||||
| defaults_file | Relative path for the file storing the project factory configuration. | <code>string</code> | | <code>"data/defaults.yaml"</code> | |
|
||||
| environment_dns_zone | DNS zone suffix for environment. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||
| [billing_account_id](variables.tf#L19) | Billing account id. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [shared_vpc_self_link](variables.tf#L44) | Self link for the shared VPC. | <code>string</code> | ✓ | | <code>02-networking</code> |
|
||||
| [vpc_host_project](variables.tf#L50) | Host project for the shared VPC. | <code>string</code> | ✓ | | <code>02-networking</code> |
|
||||
| [data_dir](variables.tf#L25) | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data/projects"</code> | |
|
||||
| [defaults_file](variables.tf#L38) | Relative path for the file storing the project factory configuration. | <code>string</code> | | <code>"data/defaults.yaml"</code> | |
|
||||
| [environment_dns_zone](variables.tf#L31) | DNS zone suffix for environment. | <code>string</code> | | <code>null</code> | <code>02-networking</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive | consumers |
|
||||
|---|---|:---:|---|
|
||||
| projects | Created projects and service accounts. | | |
|
||||
| [projects](outputs.tf#L17) | Created projects and service accounts. | | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -23,28 +23,25 @@ module "neg" {
|
|||
]
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| endpoints | List of (instance, port, address) of the NEG | <code title="list(object({ instance = string port = number ip_address = string }))">list(object({…}))</code> | ✓ | |
|
||||
| name | NEG name | <code>string</code> | ✓ | |
|
||||
| network | Name or self link of the VPC used for the NEG. Use the self link for Shared VPC. | <code>string</code> | ✓ | |
|
||||
| project_id | NEG project id. | <code>string</code> | ✓ | |
|
||||
| subnetwork | VPC subnetwork name or self link. | <code>string</code> | ✓ | |
|
||||
| zone | NEG zone | <code>string</code> | ✓ | |
|
||||
| [endpoints](variables.tf#L42) | List of (instance, port, address) of the NEG | <code title="list(object({ instance = string port = number ip_address = string }))">list(object({…}))</code> | ✓ | |
|
||||
| [name](variables.tf#L22) | NEG name | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L27) | Name or self link of the VPC used for the NEG. Use the self link for Shared VPC. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L17) | NEG project id. | <code>string</code> | ✓ | |
|
||||
| [subnetwork](variables.tf#L32) | VPC subnetwork name or self link. | <code>string</code> | ✓ | |
|
||||
| [zone](variables.tf#L37) | NEG zone | <code>string</code> | ✓ | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | Network endpoint group ID | |
|
||||
| self_lnk | Network endpoint group self link | |
|
||||
| size | Size of the network endpoint group | |
|
||||
| [id](outputs.tf#L17) | Network endpoint group ID | |
|
||||
| [self_lnk](outputs.tf#L27) | Network endpoint group self link | |
|
||||
| [size](outputs.tf#L22) | Size of the network endpoint group | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -98,33 +98,30 @@ module "apigee-organization" {
|
|||
}
|
||||
# tftest:modules=1:resources=6
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| analytics_region | Analytics Region for the Apigee Organization (immutable). See https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli. | <code>string</code> | ✓ | |
|
||||
| project_id | Project ID to host this Apigee organization (will also become the Apigee Org name). | <code>string</code> | ✓ | |
|
||||
| runtime_type | Apigee runtime type. Must be `CLOUD` or `HYBRID`. | <code>string</code> | ✓ | |
|
||||
| apigee_envgroups | Apigee Environment Groups. | <code title="map(object({ environments = list(string) hostnames = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| apigee_environments | Apigee Environment Names. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| authorized_network | VPC network self link (requires service network peering enabled (Used in Apigee X only). | <code>string</code> | | <code>null</code> |
|
||||
| database_encryption_key | Cloud KMS key self link (e.g. `projects/foo/locations/us/keyRings/bar/cryptoKeys/baz`) used for encrypting the data that is stored and replicated across runtime instances (immutable, used in Apigee X only). | <code>string</code> | | <code>null</code> |
|
||||
| description | Description of the Apigee Organization. | <code>string</code> | | <code>"Apigee Organization created by tf module"</code> |
|
||||
| display_name | Display Name of the Apigee Organization. | <code>string</code> | | <code>null</code> |
|
||||
| [analytics_region](variables.tf#L17) | Analytics Region for the Apigee Organization (immutable). See https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L61) | Project ID to host this Apigee organization (will also become the Apigee Org name). | <code>string</code> | ✓ | |
|
||||
| [runtime_type](variables.tf#L66) | Apigee runtime type. Must be `CLOUD` or `HYBRID`. | <code>string</code> | ✓ | |
|
||||
| [apigee_envgroups](variables.tf#L22) | Apigee Environment Groups. | <code title="map(object({ environments = list(string) hostnames = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [apigee_environments](variables.tf#L31) | Apigee Environment Names. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [authorized_network](variables.tf#L37) | VPC network self link (requires service network peering enabled (Used in Apigee X only). | <code>string</code> | | <code>null</code> |
|
||||
| [database_encryption_key](variables.tf#L43) | Cloud KMS key self link (e.g. `projects/foo/locations/us/keyRings/bar/cryptoKeys/baz`) used for encrypting the data that is stored and replicated across runtime instances (immutable, used in Apigee X only). | <code>string</code> | | <code>null</code> |
|
||||
| [description](variables.tf#L49) | Description of the Apigee Organization. | <code>string</code> | | <code>"Apigee Organization created by tf module"</code> |
|
||||
| [display_name](variables.tf#L55) | Display Name of the Apigee Organization. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| envs | Apigee Environments. | |
|
||||
| org | Apigee Organization. | |
|
||||
| org_ca_certificate | Apigee organization CA certificate. | |
|
||||
| org_id | Apigee Organization ID. | |
|
||||
| subscription_type | Apigee subscription type. | |
|
||||
| [envs](outputs.tf#L17) | Apigee Environments. | |
|
||||
| [org](outputs.tf#L22) | Apigee Organization. | |
|
||||
| [org_ca_certificate](outputs.tf#L27) | Apigee organization CA certificate. | |
|
||||
| [org_id](outputs.tf#L32) | Apigee Organization ID. | |
|
||||
| [subscription_type](outputs.tf#L37) | Apigee subscription type. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -42,30 +42,27 @@ module "apigee-x-instance" {
|
|||
}
|
||||
# tftest:modules=1:resources=5
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| apigee_org_id | Apigee Organization ID | <code>string</code> | ✓ | |
|
||||
| cidr_mask | CIDR mask for the Apigee instance | <code>number</code> | ✓ | |
|
||||
| name | Apigee instance name. | <code>string</code> | ✓ | |
|
||||
| region | Compute region. | <code>string</code> | ✓ | |
|
||||
| apigee_envgroups | Apigee Environment Groups. | <code title="map(object({ environments = list(string) hostnames = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| apigee_environments | Apigee Environment Names. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| disk_encryption_key | Customer Managed Encryption Key (CMEK) self link (e.g. `projects/foo/locations/us/keyRings/bar/cryptoKeys/baz`) used for disk and volume encryption (required for PAID Apigee Orgs only). | <code>string</code> | | <code>null</code> |
|
||||
| [apigee_org_id](variables.tf#L32) | Apigee Organization ID | <code>string</code> | ✓ | |
|
||||
| [cidr_mask](variables.tf#L37) | CIDR mask for the Apigee instance | <code>number</code> | ✓ | |
|
||||
| [name](variables.tf#L52) | Apigee instance name. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L57) | Compute region. | <code>string</code> | ✓ | |
|
||||
| [apigee_envgroups](variables.tf#L17) | Apigee Environment Groups. | <code title="map(object({ environments = list(string) hostnames = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [apigee_environments](variables.tf#L26) | Apigee Environment Names. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [disk_encryption_key](variables.tf#L46) | Customer Managed Encryption Key (CMEK) self link (e.g. `projects/foo/locations/us/keyRings/bar/cryptoKeys/baz`) used for disk and volume encryption (required for PAID Apigee Orgs only). | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| endpoint | Internal endpoint of the Apigee instance. | |
|
||||
| id | Apigee instance ID. | |
|
||||
| instance | Apigee instance. | |
|
||||
| port | Port number of the internal endpoint of the Apigee instance. | |
|
||||
| [endpoint](outputs.tf#L17) | Internal endpoint of the Apigee instance. | |
|
||||
| [id](outputs.tf#L22) | Apigee instance ID. | |
|
||||
| [instance](outputs.tf#L27) | Apigee instance. | |
|
||||
| [port](outputs.tf#L32) | Port number of the internal endpoint of the Apigee instance. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -19,28 +19,25 @@ module "docker_artifact_registry" {
|
|||
}
|
||||
# tftest:modules=1:resources=2
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| id | Repository id | <code>string</code> | ✓ | |
|
||||
| project_id | Registry project id. | <code>string</code> | ✓ | |
|
||||
| description | An optional description for the repository | <code>string</code> | | <code>"Terraform-managed registry"</code> |
|
||||
| format | Repository format. One of DOCKER or UNSPECIFIED | <code>string</code> | | <code>"DOCKER"</code> |
|
||||
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| labels | Labels to be attached to the registry. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| location | Registry location. Use `gcloud beta artifacts locations list' to get valid values | <code>string</code> | | <code>null</code> |
|
||||
| [id](variables.tf#L35) | Repository id | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L52) | Registry project id. | <code>string</code> | ✓ | |
|
||||
| [description](variables.tf#L17) | An optional description for the repository | <code>string</code> | | <code>"Terraform-managed registry"</code> |
|
||||
| [format](variables.tf#L23) | Repository format. One of DOCKER or UNSPECIFIED | <code>string</code> | | <code>"DOCKER"</code> |
|
||||
| [iam](variables.tf#L29) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L40) | Labels to be attached to the registry. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [location](variables.tf#L46) | Registry location. Use `gcloud beta artifacts locations list' to get valid values | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | Repository id | |
|
||||
| name | Repository name | |
|
||||
| [id](outputs.tf#L17) | Repository id | |
|
||||
| [name](outputs.tf#L22) | Repository name | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -173,42 +173,38 @@ module "bigquery-dataset" {
|
|||
|
||||
# tftest:modules=1:resources=3
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| id | Dataset id. | <code>string</code> | ✓ | |
|
||||
| project_id | Id of the project where datasets will be created. | <code>string</code> | ✓ | |
|
||||
| access | Map of access rules with role and identity type. Keys are arbitrary and must match those in the `access_identities` variable, types are `domain`, `group`, `special_group`, `user`, `view`. | <code title="map(object({ role = string type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| access_identities | Map of access identities used for basic access roles. View identities have the format 'project_id|dataset_id|table_id'. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| dataset_access | Set access in the dataset resource instead of using separate resources. | <code>bool</code> | | <code>false</code> |
|
||||
| description | Optional description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| encryption_key | Self link of the KMS key that will be used to protect destination table. | <code>string</code> | | <code>null</code> |
|
||||
| friendly_name | Dataset friendly name. | <code>string</code> | | <code>null</code> |
|
||||
| iam | IAM bindings in {ROLE => [MEMBERS]} format. Mutually exclusive with the access_* variables used for basic roles. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| labels | Dataset labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| location | Dataset location. | <code>string</code> | | <code>"EU"</code> |
|
||||
| options | Dataset options. | <code title="object({ default_table_expiration_ms = number default_partition_expiration_ms = number delete_contents_on_destroy = bool })">object({…})</code> | | <code title="{ default_table_expiration_ms = null default_partition_expiration_ms = null delete_contents_on_destroy = false }">{…}</code> |
|
||||
| tables | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | <code title="map(object({ friendly_name = string labels = map(string) options = object({ clustering = list(string) encryption_key = string expiration_time = number }) partitioning = object({ field = string range = object({ end = number interval = number start = number }) time = object({ expiration_ms = number type = string }) }) schema = string deletion_protection = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| views | View definitions. | <code title="map(object({ friendly_name = string labels = map(string) query = string use_legacy_sql = bool deletion_protection = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [id](variables.tf#L69) | Dataset id. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L100) | Id of the project where datasets will be created. | <code>string</code> | ✓ | |
|
||||
| [access](variables.tf#L17) | Map of access rules with role and identity type. Keys are arbitrary and must match those in the `access_identities` variable, types are `domain`, `group`, `special_group`, `user`, `view`. | <code title="map(object({ role = string type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_identities](variables.tf#L33) | Map of access identities used for basic access roles. View identities have the format 'project_id|dataset_id|table_id'. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [dataset_access](variables.tf#L39) | Set access in the dataset resource instead of using separate resources. | <code>bool</code> | | <code>false</code> |
|
||||
| [description](variables.tf#L45) | Optional description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| [encryption_key](variables.tf#L51) | Self link of the KMS key that will be used to protect destination table. | <code>string</code> | | <code>null</code> |
|
||||
| [friendly_name](variables.tf#L57) | Dataset friendly name. | <code>string</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L63) | IAM bindings in {ROLE => [MEMBERS]} format. Mutually exclusive with the access_* variables used for basic roles. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L74) | Dataset labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [location](variables.tf#L80) | Dataset location. | <code>string</code> | | <code>"EU"</code> |
|
||||
| [options](variables.tf#L86) | Dataset options. | <code title="object({ default_table_expiration_ms = number default_partition_expiration_ms = number delete_contents_on_destroy = bool })">object({…})</code> | | <code title="{ default_table_expiration_ms = null default_partition_expiration_ms = null delete_contents_on_destroy = false }">{…}</code> |
|
||||
| [tables](variables.tf#L105) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | <code title="map(object({ friendly_name = string labels = map(string) options = object({ clustering = list(string) encryption_key = string expiration_time = number }) partitioning = object({ field = string range = object({ end = number interval = number start = number }) time = object({ expiration_ms = number type = string }) }) schema = string deletion_protection = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [views](variables.tf#L133) | View definitions. | <code title="map(object({ friendly_name = string labels = map(string) query = string use_legacy_sql = bool deletion_protection = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| dataset | Dataset resource. | |
|
||||
| dataset_id | Dataset id. | |
|
||||
| id | Fully qualified dataset id. | |
|
||||
| self_link | Dataset self link. | |
|
||||
| table_ids | Map of fully qualified table ids keyed by table ids. | |
|
||||
| tables | Table resources. | |
|
||||
| view_ids | Map of fully qualified view ids keyed by view ids. | |
|
||||
| views | View resources. | |
|
||||
| [dataset](outputs.tf#L17) | Dataset resource. | |
|
||||
| [dataset_id](outputs.tf#L22) | Dataset id. | |
|
||||
| [id](outputs.tf#L34) | Fully qualified dataset id. | |
|
||||
| [self_link](outputs.tf#L46) | Dataset self link. | |
|
||||
| [table_ids](outputs.tf#L58) | Map of fully qualified table ids keyed by table ids. | |
|
||||
| [tables](outputs.tf#L63) | Table resources. | |
|
||||
| [view_ids](outputs.tf#L68) | Map of fully qualified view ids keyed by view ids. | |
|
||||
| [views](outputs.tf#L73) | View resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
|
|
@ -32,36 +32,32 @@ module "bigtable-instance" {
|
|||
}
|
||||
# tftest:modules=1:resources=4
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | The name of the Cloud Bigtable instance. | <code>string</code> | ✓ | |
|
||||
| project_id | Id of the project where datasets will be created. | <code>string</code> | ✓ | |
|
||||
| zone | The zone to create the Cloud Bigtable cluster in. | <code>string</code> | ✓ | |
|
||||
| cluster_id | The ID of the Cloud Bigtable cluster. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| deletion_protection | Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the instance will fail. | <code></code> | | <code>true</code> |
|
||||
| display_name | The human-readable display name of the Bigtable instance. | <code></code> | | <code>null</code> |
|
||||
| iam | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| instance_type | (deprecated) The instance type to create. One of 'DEVELOPMENT' or 'PRODUCTION'. | <code>string</code> | | <code>null</code> |
|
||||
| num_nodes | The number of nodes in your Cloud Bigtable cluster. | <code>number</code> | | <code>1</code> |
|
||||
| storage_type | The storage type to use. | <code>string</code> | | <code>"SSD"</code> |
|
||||
| table_options_defaults | Default option of tables created in the BigTable instance. | <code title="object({ split_keys = list(string) column_family = string })">object({…})</code> | | <code title="{ split_keys = [] column_family = null }">{…}</code> |
|
||||
| tables | Tables to be created in the BigTable instance, options can be null. | <code title="map(object({ split_keys = list(string) column_family = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L45) | The name of the Cloud Bigtable instance. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L56) | Id of the project where datasets will be created. | <code>string</code> | ✓ | |
|
||||
| [zone](variables.tf#L88) | The zone to create the Cloud Bigtable cluster in. | <code>string</code> | ✓ | |
|
||||
| [cluster_id](variables.tf#L17) | The ID of the Cloud Bigtable cluster. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [deletion_protection](variables.tf#L23) | Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the instance will fail. | <code></code> | | <code>true</code> |
|
||||
| [display_name](variables.tf#L28) | The human-readable display name of the Bigtable instance. | <code></code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L33) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [instance_type](variables.tf#L39) | (deprecated) The instance type to create. One of 'DEVELOPMENT' or 'PRODUCTION'. | <code>string</code> | | <code>null</code> |
|
||||
| [num_nodes](variables.tf#L50) | The number of nodes in your Cloud Bigtable cluster. | <code>number</code> | | <code>1</code> |
|
||||
| [storage_type](variables.tf#L61) | The storage type to use. | <code>string</code> | | <code>"SSD"</code> |
|
||||
| [table_options_defaults](variables.tf#L67) | Default option of tables created in the BigTable instance. | <code title="object({ split_keys = list(string) column_family = string })">object({…})</code> | | <code title="{ split_keys = [] column_family = null }">{…}</code> |
|
||||
| [tables](variables.tf#L79) | Tables to be created in the BigTable instance, options can be null. | <code title="map(object({ split_keys = list(string) column_family = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | An identifier for the resource with format projects/{{project}}/instances/{{name}}. | |
|
||||
| instance | BigTable intance. | |
|
||||
| table_ids | Map of fully qualified table ids keyed by table name. | |
|
||||
| tables | Table resources. | |
|
||||
| [id](outputs.tf#L17) | An identifier for the resource with format projects/{{project}}/instances/{{name}}. | |
|
||||
| [instance](outputs.tf#L26) | BigTable intance. | |
|
||||
| [table_ids](outputs.tf#L35) | Map of fully qualified table ids keyed by table name. | |
|
||||
| [tables](outputs.tf#L40) | Table resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
|
|
@ -61,32 +61,29 @@ module "pubsub" {
|
|||
|
||||
# tftest:modules=2:resources=2
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| billing_account | Billing account id. | <code>string</code> | ✓ | |
|
||||
| name | Budget name. | <code>string</code> | ✓ | |
|
||||
| thresholds | Thresholds percentages at which alerts are sent. Must be a value between 0 and 1. | <code title="object({ current = list(number) forecasted = list(number) })">object({…})</code> | ✓ | |
|
||||
| amount | Amount in the billing account's currency for the budget. Use 0 to set budget to 100% of last period's spend. | <code>number</code> | | <code>0</code> |
|
||||
| credit_treatment | How credits should be treated when determining spend for threshold calculations. Only INCLUDE_ALL_CREDITS or EXCLUDE_ALL_CREDITS are supported | <code>string</code> | | <code>"INCLUDE_ALL_CREDITS"</code> |
|
||||
| email_recipients | Emails where budget notifications will be sent. Setting this will create a notification channel for each email in the specified project. | <code title="object({ project_id = string emails = list(string) })">object({…})</code> | | <code>null</code> |
|
||||
| notification_channels | Monitoring notification channels where to send updates. | <code>list(string)</code> | | <code>null</code> |
|
||||
| notify_default_recipients | Notify Billing Account Administrators and Billing Account Users IAM roles for the target account. | <code>bool</code> | | <code>false</code> |
|
||||
| projects | List of projects of the form projects/{project_number}, specifying that usage from only this set of projects should be included in the budget. Set to null to include all projects linked to the billing account. | <code>list(string)</code> | | <code>null</code> |
|
||||
| pubsub_topic | The ID of the Cloud Pub/Sub topic where budget related messages will be published. | <code>string</code> | | <code>null</code> |
|
||||
| services | List of services of the form services/{service_id}, specifying that usage from only this set of services should be included in the budget. Set to null to include usage for all services. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [billing_account](variables.tf#L23) | Billing account id. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L50) | Budget name. | <code>string</code> | ✓ | |
|
||||
| [thresholds](variables.tf#L85) | Thresholds percentages at which alerts are sent. Must be a value between 0 and 1. | <code title="object({ current = list(number) forecasted = list(number) })">object({…})</code> | ✓ | |
|
||||
| [amount](variables.tf#L17) | Amount in the billing account's currency for the budget. Use 0 to set budget to 100% of last period's spend. | <code>number</code> | | <code>0</code> |
|
||||
| [credit_treatment](variables.tf#L28) | How credits should be treated when determining spend for threshold calculations. Only INCLUDE_ALL_CREDITS or EXCLUDE_ALL_CREDITS are supported | <code>string</code> | | <code>"INCLUDE_ALL_CREDITS"</code> |
|
||||
| [email_recipients](variables.tf#L41) | Emails where budget notifications will be sent. Setting this will create a notification channel for each email in the specified project. | <code title="object({ project_id = string emails = list(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [notification_channels](variables.tf#L55) | Monitoring notification channels where to send updates. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [notify_default_recipients](variables.tf#L61) | Notify Billing Account Administrators and Billing Account Users IAM roles for the target account. | <code>bool</code> | | <code>false</code> |
|
||||
| [projects](variables.tf#L67) | List of projects of the form projects/{project_number}, specifying that usage from only this set of projects should be included in the budget. Set to null to include all projects linked to the billing account. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [pubsub_topic](variables.tf#L73) | The ID of the Cloud Pub/Sub topic where budget related messages will be published. | <code>string</code> | | <code>null</code> |
|
||||
| [services](variables.tf#L79) | List of services of the form services/{service_id}, specifying that usage from only this set of services should be included in the budget. Set to null to include usage for all services. | <code>list(string)</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| budget | Budget resource. | |
|
||||
| id | Budget ID. | |
|
||||
| [budget](outputs.tf#L17) | Budget resource. | |
|
||||
| [id](outputs.tf#L22) | Budget ID. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -68,25 +68,22 @@ module "cos-coredns" {
|
|||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| cloud_config | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| config_variables | Additional variables used to render the cloud-config and CoreDNS templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| coredns_config | CoreDNS configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| file_defaults | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| files | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and CoreDNS templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [coredns_config](variables.tf#L29) | CoreDNS configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [file_defaults](variables.tf#L35) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L47) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -57,34 +57,31 @@ module "cos-envoy" {
|
|||
]
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| container_image | Container image. | <code>string</code> | ✓ | |
|
||||
| authenticate_gcr | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | <code>bool</code> | | <code>false</code> |
|
||||
| boot_commands | List of cloud-init `bootcmd`s | <code>list(string)</code> | | <code>[]</code> |
|
||||
| cloud_config | Cloud config template path. If provided, takes precedence over all other arguments. | <code>string</code> | | <code>null</code> |
|
||||
| config_variables | Additional variables used to render the template passed via `cloud_config` | <code>map(any)</code> | | <code>{}</code> |
|
||||
| container_args | Arguments for container | <code>string</code> | | <code>""</code> |
|
||||
| container_name | Name of the container to be run | <code>string</code> | | <code>"container"</code> |
|
||||
| container_volumes | List of volumes | <code title="list(object({ host = string, container = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| docker_args | Extra arguments to be passed for docker | <code>string</code> | | <code>null</code> |
|
||||
| file_defaults | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| files | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| gcp_logging | Should container logs be sent to Google Cloud Logging | <code>bool</code> | | <code>true</code> |
|
||||
| run_commands | List of cloud-init `runcmd`s | <code>list(string)</code> | | <code>[]</code> |
|
||||
| users | List of usernames to be created. If provided, first user will be used to run the container. | <code title="list(object({ username = string, uid = number, }))">list(object({…}))</code> | | <code title="[ ]">[…]</code> |
|
||||
| [container_image](variables.tf#L42) | Container image. | <code>string</code> | ✓ | |
|
||||
| [authenticate_gcr](variables.tf#L112) | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | <code>bool</code> | | <code>false</code> |
|
||||
| [boot_commands](variables.tf#L17) | List of cloud-init `bootcmd`s | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [cloud_config](variables.tf#L23) | Cloud config template path. If provided, takes precedence over all other arguments. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L29) | Additional variables used to render the template passed via `cloud_config` | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [container_args](variables.tf#L35) | Arguments for container | <code>string</code> | | <code>""</code> |
|
||||
| [container_name](variables.tf#L47) | Name of the container to be run | <code>string</code> | | <code>"container"</code> |
|
||||
| [container_volumes](variables.tf#L53) | List of volumes | <code title="list(object({ host = string, container = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [docker_args](variables.tf#L62) | Extra arguments to be passed for docker | <code>string</code> | | <code>null</code> |
|
||||
| [file_defaults](variables.tf#L68) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L80) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [gcp_logging](variables.tf#L90) | Should container logs be sent to Google Cloud Logging | <code>bool</code> | | <code>true</code> |
|
||||
| [run_commands](variables.tf#L96) | List of cloud-init `runcmd`s | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [users](variables.tf#L102) | List of usernames to be created. If provided, first user will be used to run the container. | <code title="list(object({ username = string, uid = number, }))">list(object({…}))</code> | | <code title="[ ]">[…]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -44,23 +44,19 @@ module "vm-cos" {
|
|||
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| envoy_image | Envoy Proxy container image to use. | <code>string</code> | | <code>"envoyproxy/envoy:v1.14.1"</code> |
|
||||
| gcp_logging | Should container logs be sent to Google Cloud Logging | <code>bool</code> | | <code>true</code> |
|
||||
| [envoy_image](variables.tf#L17) | Envoy Proxy container image to use. | <code>string</code> | | <code>"envoyproxy/envoy:v1.14.1"</code> |
|
||||
| [gcp_logging](variables.tf#L23) | Should container logs be sent to Google Cloud Logging | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -73,27 +73,24 @@ module "cos-mysql" {
|
|||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| mysql_password | MySQL root password. If an encrypted password is set, use the kms_config variable to specify KMS configuration. | <code>string</code> | ✓ | |
|
||||
| cloud_config | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| config_variables | Additional variables used to render the cloud-config template. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| image | MySQL container image. | <code>string</code> | | <code>"mysql:5.7"</code> |
|
||||
| kms_config | Optional KMS configuration to decrypt passed-in password. Leave null if a plaintext password is used. | <code title="object({ project_id = string keyring = string location = string key = string })">object({…})</code> | | <code>null</code> |
|
||||
| mysql_config | MySQL configuration file content, if null container default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| mysql_data_disk | MySQL data disk name in /dev/disk/by-id/ including the google- prefix. If null the boot disk will be used for data. | <code>string</code> | | <code>null</code> |
|
||||
| [mysql_password](variables.tf#L58) | MySQL root password. If an encrypted password is set, use the kms_config variable to specify KMS configuration. | <code>string</code> | ✓ | |
|
||||
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config template. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [image](variables.tf#L29) | MySQL container image. | <code>string</code> | | <code>"mysql:5.7"</code> |
|
||||
| [kms_config](variables.tf#L35) | Optional KMS configuration to decrypt passed-in password. Leave null if a plaintext password is used. | <code title="object({ project_id = string keyring = string location = string key = string })">object({…})</code> | | <code>null</code> |
|
||||
| [mysql_config](variables.tf#L46) | MySQL configuration file content, if null container default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [mysql_data_disk](variables.tf#L52) | MySQL data disk name in /dev/disk/by-id/ including the google- prefix. If null the boot disk will be used for data. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -51,26 +51,23 @@ module "cos-nginx" {
|
|||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| cloud_config | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| config_variables | Additional variables used to render the cloud-config and Nginx templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| file_defaults | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| files | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| image | Nginx container image. | <code>string</code> | | <code>"nginxdemos/hello:plain-text"</code> |
|
||||
| nginx_config | Nginx configuration path, if null container default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and Nginx templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [image](variables.tf#L29) | Nginx container image. | <code>string</code> | | <code>"nginxdemos/hello:plain-text"</code> |
|
||||
| [nginx_config](variables.tf#L35) | Nginx configuration path, if null container default will be used. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -58,26 +58,23 @@ module "on-prem" {
|
|||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | <code title="object({ peer_ip = string shared_secret = string type = string peer_ip2 = string shared_secret2 = string })">object({…})</code> | ✓ | |
|
||||
| config_variables | Additional variables used to render the cloud-config and CoreDNS templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| coredns_config | CoreDNS configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| local_ip_cidr_range | IP CIDR range used for the Docker onprem network. | <code>string</code> | | <code>"192.168.192.0/24"</code> |
|
||||
| vpn_dynamic_config | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | <code title="object({ local_bgp_asn = number local_bgp_address = string peer_bgp_asn = number peer_bgp_address = string local_bgp_asn2 = number local_bgp_address2 = string peer_bgp_asn2 = number peer_bgp_address2 = string })">object({…})</code> | | <code title="{ local_bgp_asn = 64514 local_bgp_address = "169.254.1.2" peer_bgp_asn = 64513 peer_bgp_address = "169.254.1.1" local_bgp_asn2 = 64514 local_bgp_address2 = "169.254.2.2" peer_bgp_asn2 = 64520 peer_bgp_address2 = "169.254.2.1" }">{…}</code> |
|
||||
| vpn_static_ranges | Remote CIDR ranges for static VPN, ignored if VPN type is 'dynamic'. | <code>list(string)</code> | | <code>["10.0.0.0/8"]</code> |
|
||||
| [vpn_config](variables.tf#L35) | VPN configuration, type must be one of 'dynamic' or 'static'. | <code title="object({ peer_ip = string shared_secret = string type = string peer_ip2 = string shared_secret2 = string })">object({…})</code> | ✓ | |
|
||||
| [config_variables](variables.tf#L17) | Additional variables used to render the cloud-config and CoreDNS templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [coredns_config](variables.tf#L23) | CoreDNS configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [local_ip_cidr_range](variables.tf#L29) | IP CIDR range used for the Docker onprem network. | <code>string</code> | | <code>"192.168.192.0/24"</code> |
|
||||
| [vpn_dynamic_config](variables.tf#L46) | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | <code title="object({ local_bgp_asn = number local_bgp_address = string peer_bgp_asn = number peer_bgp_address = string local_bgp_asn2 = number local_bgp_address2 = string peer_bgp_asn2 = number peer_bgp_address2 = string })">object({…})</code> | | <code title="{ local_bgp_asn = 64514 local_bgp_address = "169.254.1.2" peer_bgp_asn = 64513 peer_bgp_address = "169.254.1.1" local_bgp_asn2 = 64514 local_bgp_address2 = "169.254.2.2" peer_bgp_asn2 = 64520 peer_bgp_address2 = "169.254.2.1" }">{…}</code> |
|
||||
| [vpn_static_ranges](variables.tf#L70) | Remote CIDR ranges for static VPN, ignored if VPN type is 'dynamic'. | <code>list(string)</code> | | <code>["10.0.0.0/8"]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -55,29 +55,26 @@ module "cos-squid" {
|
|||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| allow | List of domains Squid will allow connections to. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| clients | List of CIDR ranges from which Squid will allow connections. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| cloud_config | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| config_variables | Additional variables used to render the cloud-config and Squid templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| default_action | Default action for domains not matching neither the allow or deny lists | <code>string</code> | | <code>"deny"</code> |
|
||||
| deny | List of domains Squid will deny connections to. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| file_defaults | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| files | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| squid_config | Squid configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [allow](variables.tf#L57) | List of domains Squid will allow connections to. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [clients](variables.tf#L69) | List of CIDR ranges from which Squid will allow connections. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and Squid templates. | <code>map(any)</code> | | <code>{}</code> |
|
||||
| [default_action](variables.tf#L75) | Default action for domains not matching neither the allow or deny lists | <code>string</code> | | <code>"deny"</code> |
|
||||
| [deny](variables.tf#L63) | List of domains Squid will deny connections to. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [file_defaults](variables.tf#L35) | Default owner and permissions for files. | <code title="object({ owner = string permissions = string })">object({…})</code> | | <code title="{ owner = "root" permissions = "0644" }">{…}</code> |
|
||||
| [files](variables.tf#L47) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map(object({ content = string owner = string permissions = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [squid_config](variables.tf#L29) | Squid configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -154,45 +154,42 @@ module "cf-http" {
|
|||
}
|
||||
# tftest:skip
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ | |
|
||||
| bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object({ source_dir = string output_path = string excludes = list(string) })">object({…})</code> | ✓ | |
|
||||
| name | Name used for cloud function and associated resources. | <code>string</code> | ✓ | |
|
||||
| project_id | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||
| bucket_config | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object({ location = string lifecycle_delete_age = number })">object({…})</code> | | <code>null</code> |
|
||||
| description | Optional description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| environment_variables | Cloud function environment variables. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| function_config | Cloud function configuration. | <code title="object({ entry_point = string ingress_settings = string instances = number memory = number runtime = string timeout = number })">object({…})</code> | | <code title="{ entry_point = "main" ingress_settings = null instances = 1 memory = 256 runtime = "python37" timeout = 180 }">{…}</code> |
|
||||
| iam | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| ingress_settings | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | <code>string</code> | | <code>null</code> |
|
||||
| labels | Resource labels | <code>map(string)</code> | | <code>{}</code> |
|
||||
| prefix | Optional prefix used for resource names. | <code>string</code> | | <code>null</code> |
|
||||
| region | Region used for all resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| service_account | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| service_account_create | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| trigger_config | Function trigger configuration. Leave null for HTTP trigger. | <code title="object({ event = string resource = string retry = bool })">object({…})</code> | | <code>null</code> |
|
||||
| vpc_connector | VPC connector configuration. Set create to 'true' if a new connector needs to be created | <code title="object({ create = bool name = string egress_settings = string })">object({…})</code> | | <code>null</code> |
|
||||
| vpc_connector_config | VPC connector network configuration. Must be provided if new VPC connector is being created | <code title="object({ ip_cidr_range = string network = string })">object({…})</code> | | <code>null</code> |
|
||||
| [bucket_name](variables.tf#L26) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ | |
|
||||
| [bundle_config](variables.tf#L31) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object({ source_dir = string output_path = string excludes = list(string) })">object({…})</code> | ✓ | |
|
||||
| [name](variables.tf#L90) | Name used for cloud function and associated resources. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L101) | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||
| [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object({ location = string lifecycle_delete_age = number })">object({…})</code> | | <code>null</code> |
|
||||
| [description](variables.tf#L40) | Optional description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| [environment_variables](variables.tf#L46) | Cloud function environment variables. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [function_config](variables.tf#L52) | Cloud function configuration. | <code title="object({ entry_point = string ingress_settings = string instances = number memory = number runtime = string timeout = number })">object({…})</code> | | <code title="{ entry_point = "main" ingress_settings = null instances = 1 memory = 256 runtime = "python37" timeout = 180 }">{…}</code> |
|
||||
| [iam](variables.tf#L72) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [ingress_settings](variables.tf#L78) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | <code>string</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L84) | Resource labels | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L95) | Optional prefix used for resource names. | <code>string</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L106) | Region used for all resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [service_account](variables.tf#L112) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_create](variables.tf#L118) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [trigger_config](variables.tf#L124) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object({ event = string resource = string retry = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [vpc_connector](variables.tf#L134) | VPC connector configuration. Set create to 'true' if a new connector needs to be created | <code title="object({ create = bool name = string egress_settings = string })">object({…})</code> | | <code>null</code> |
|
||||
| [vpc_connector_config](variables.tf#L144) | VPC connector network configuration. Must be provided if new VPC connector is being created | <code title="object({ ip_cidr_range = string network = string })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bucket | Bucket resource (only if auto-created). | |
|
||||
| bucket_name | Bucket name. | |
|
||||
| function | Cloud function resources. | |
|
||||
| function_name | Cloud function name. | |
|
||||
| service_account | Service account resource. | |
|
||||
| service_account_email | Service account email. | |
|
||||
| service_account_iam_email | Service account email. | |
|
||||
| vpc_connector | VPC connector resource if created. | |
|
||||
| [bucket](outputs.tf#L17) | Bucket resource (only if auto-created). | |
|
||||
| [bucket_name](outputs.tf#L24) | Bucket name. | |
|
||||
| [function](outputs.tf#L29) | Cloud function resources. | |
|
||||
| [function_name](outputs.tf#L34) | Cloud function name. | |
|
||||
| [service_account](outputs.tf#L39) | Service account resource. | |
|
||||
| [service_account_email](outputs.tf#L44) | Service account email. | |
|
||||
| [service_account_iam_email](outputs.tf#L49) | Service account email. | |
|
||||
| [vpc_connector](outputs.tf#L57) | VPC connector resource if created. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -31,26 +31,23 @@ module "group" {
|
|||
}
|
||||
# tftest:modules=1:resources=4
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| customer_id | Directory customer ID in the form customers/C0xxxxxxx. | <code>string</code> | ✓ | |
|
||||
| display_name | Group display name. | <code>string</code> | ✓ | |
|
||||
| name | Group ID (usually an email). | <code>string</code> | ✓ | |
|
||||
| description | Group description | <code>string</code> | | <code>null</code> |
|
||||
| members | List of group members. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [customer_id](variables.tf#L17) | Directory customer ID in the form customers/C0xxxxxxx. | <code>string</code> | ✓ | |
|
||||
| [display_name](variables.tf#L32) | Group display name. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L43) | Group ID (usually an email). | <code>string</code> | ✓ | |
|
||||
| [description](variables.tf#L26) | Group description | <code>string</code> | | <code>null</code> |
|
||||
| [members](variables.tf#L37) | List of group members. | <code>list(string)</code> | | <code>[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | Group ID. | |
|
||||
| name | Group name. | |
|
||||
| [id](outputs.tf#L17) | Group ID. | |
|
||||
| [name](outputs.tf#L22) | Group name. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -206,42 +206,39 @@ module "cloud_run" {
|
|||
}
|
||||
# tftest:modules=1:resources=1
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| containers | Containers | <code title="list(object({ image = string options = object({ command = list(string) args = list(string) env = map(string) env_from = map(object({ key = string name = string })) }) resources = object({ limits = object({ cpu = string memory = string }) requests = object({ cpu = string memory = string }) }) ports = list(object({ name = string protocol = string container_port = string })) volume_mounts = map(string) }))">list(object({…}))</code> | ✓ | |
|
||||
| name | Name used for cloud run service | <code>string</code> | ✓ | |
|
||||
| project_id | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||
| audit_log_triggers | Event arc triggers (Audit log) | <code title="list(object({ service_name = string method_name = string }))">list(object({…}))</code> | | <code>null</code> |
|
||||
| iam | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| ingress_settings | Ingress settings | <code>string</code> | | <code>null</code> |
|
||||
| labels | Resource labels | <code>map(string)</code> | | <code>{}</code> |
|
||||
| prefix | Optional prefix used for resource names. | <code>string</code> | | <code>null</code> |
|
||||
| pubsub_triggers | Eventarc triggers (Pub/Sub) | <code>list(string)</code> | | <code>null</code> |
|
||||
| region | Region used for all resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| revision_name | Revision name | <code>string</code> | | <code>null</code> |
|
||||
| service_account | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| service_account_create | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| traffic | Traffic | <code>map(number)</code> | | <code>null</code> |
|
||||
| volumes | Volumes | <code title="list(object({ name = string secret_name = string items = list(object({ key = string path = string })) }))">list(object({…}))</code> | | <code>null</code> |
|
||||
| vpc_connector | VPC connector configuration. Set create to 'true' if a new connecto needs to be created | <code title="object({ create = bool name = string egress_settings = string })">object({…})</code> | | <code>null</code> |
|
||||
| vpc_connector_config | VPC connector network configuration. Must be provided if new VPC connector is being created | <code title="object({ ip_cidr_range = string network = string })">object({…})</code> | | <code>null</code> |
|
||||
| [containers](variables.tf#L27) | Containers | <code title="list(object({ image = string options = object({ command = list(string) args = list(string) env = map(string) env_from = map(object({ key = string name = string })) }) resources = object({ limits = object({ cpu = string memory = string }) requests = object({ cpu = string memory = string }) }) ports = list(object({ name = string protocol = string container_port = string })) volume_mounts = map(string) }))">list(object({…}))</code> | ✓ | |
|
||||
| [name](variables.tf#L77) | Name used for cloud run service | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L88) | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||
| [audit_log_triggers](variables.tf#L18) | Event arc triggers (Audit log) | <code title="list(object({ service_name = string method_name = string }))">list(object({…}))</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L59) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [ingress_settings](variables.tf#L65) | Ingress settings | <code>string</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L71) | Resource labels | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L82) | Optional prefix used for resource names. | <code>string</code> | | <code>null</code> |
|
||||
| [pubsub_triggers](variables.tf#L93) | Eventarc triggers (Pub/Sub) | <code>list(string)</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L99) | Region used for all resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [revision_name](variables.tf#L105) | Revision name | <code>string</code> | | <code>null</code> |
|
||||
| [service_account](variables.tf#L111) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_create](variables.tf#L117) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [traffic](variables.tf#L123) | Traffic | <code>map(number)</code> | | <code>null</code> |
|
||||
| [volumes](variables.tf#L129) | Volumes | <code title="list(object({ name = string secret_name = string items = list(object({ key = string path = string })) }))">list(object({…}))</code> | | <code>null</code> |
|
||||
| [vpc_connector](variables.tf#L142) | VPC connector configuration. Set create to 'true' if a new connecto needs to be created | <code title="object({ create = bool name = string egress_settings = string })">object({…})</code> | | <code>null</code> |
|
||||
| [vpc_connector_config](variables.tf#L152) | VPC connector network configuration. Must be provided if new VPC connector is being created | <code title="object({ ip_cidr_range = string network = string })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| service | Cloud Run service | |
|
||||
| service_account | Service account resource. | |
|
||||
| service_account_email | Service account email. | |
|
||||
| service_account_iam_email | Service account email. | |
|
||||
| service_name | Cloud Run service name | |
|
||||
| vpc_connector | VPC connector resource if created. | |
|
||||
| [service](outputs.tf#L18) | Cloud Run service | |
|
||||
| [service_account](outputs.tf#L23) | Service account resource. | |
|
||||
| [service_account_email](outputs.tf#L28) | Service account email. | |
|
||||
| [service_account_iam_email](outputs.tf#L33) | Service account email. | |
|
||||
| [service_name](outputs.tf#L41) | Cloud Run service name | |
|
||||
| [vpc_connector](outputs.tf#L47) | VPC connector resource if created. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -90,47 +90,44 @@ module "db" {
|
|||
}
|
||||
# tftest:modules=1:resources=6
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| database_version | Database type and version to create. | <code>string</code> | ✓ | |
|
||||
| name | Name of primary replica. | <code>string</code> | ✓ | |
|
||||
| network | VPC self link where the instances will be deployed. Private Service Networking must be enabled and configured in this VPC. | <code>string</code> | ✓ | |
|
||||
| project_id | The ID of the project where this instances will be created. | <code>string</code> | ✓ | |
|
||||
| region | Region of the primary replica. | <code>string</code> | ✓ | |
|
||||
| tier | The machine type to use for the instances. | <code>string</code> | ✓ | |
|
||||
| authorized_networks | Map of NAME=>CIDR_RANGE to allow to connect to the database(s). | <code>map(string)</code> | | <code>null</code> |
|
||||
| availability_type | Availability type for the primary replica. Either `ZONAL` or `REGIONAL` | <code>string</code> | | <code>"ZONAL"</code> |
|
||||
| backup_configuration | Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas | <code title="object({ enabled = bool binary_log_enabled = bool start_time = string location = string log_retention_days = number retention_count = number })">object({…})</code> | | <code title="{ enabled = false binary_log_enabled = false start_time = "23:00" location = "EU" log_retention_days = 7 retention_count = 7 }">{…}</code> |
|
||||
| databases | Databases to create once the primary instance is created. | <code>list(string)</code> | | <code>null</code> |
|
||||
| deletion_protection | Allow terraform to delete instances. | <code>bool</code> | | <code>false</code> |
|
||||
| disk_size | Disk size in GB. Set to null to enable autoresize. | <code>number</code> | | <code>null</code> |
|
||||
| disk_type | The type of data disk: `PD_SSD` or `PD_HDD`. | <code>string</code> | | <code>"PD_SSD"</code> |
|
||||
| flags | Map FLAG_NAME=>VALUE for database-specific tuning. | <code>map(string)</code> | | <code>null</code> |
|
||||
| labels | Labels to be attached to all instances. | <code>map(string)</code> | | <code>null</code> |
|
||||
| prefix | Prefix used to generate instance names. | <code>string</code> | | <code>null</code> |
|
||||
| replicas | Map of NAME=>REGION for additional read replicas. Set to null to disable replica creation. | <code>map(any)</code> | | <code>null</code> |
|
||||
| users | Map of users to create in the primary instance (and replicated to other replicas) in the format USER=>PASSWORD. For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password | <code>map(string)</code> | | <code>null</code> |
|
||||
| [database_version](variables.tf#L50) | Database type and version to create. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L91) | Name of primary replica. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L96) | VPC self link where the instances will be deployed. Private Service Networking must be enabled and configured in this VPC. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L107) | The ID of the project where this instances will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L112) | Region of the primary replica. | <code>string</code> | ✓ | |
|
||||
| [tier](variables.tf#L123) | The machine type to use for the instances. | <code>string</code> | ✓ | |
|
||||
| [authorized_networks](variables.tf#L17) | Map of NAME=>CIDR_RANGE to allow to connect to the database(s). | <code>map(string)</code> | | <code>null</code> |
|
||||
| [availability_type](variables.tf#L23) | Availability type for the primary replica. Either `ZONAL` or `REGIONAL` | <code>string</code> | | <code>"ZONAL"</code> |
|
||||
| [backup_configuration](variables.tf#L29) | Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas | <code title="object({ enabled = bool binary_log_enabled = bool start_time = string location = string log_retention_days = number retention_count = number })">object({…})</code> | | <code title="{ enabled = false binary_log_enabled = false start_time = "23:00" location = "EU" log_retention_days = 7 retention_count = 7 }">{…}</code> |
|
||||
| [databases](variables.tf#L55) | Databases to create once the primary instance is created. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [deletion_protection](variables.tf#L61) | Allow terraform to delete instances. | <code>bool</code> | | <code>false</code> |
|
||||
| [disk_size](variables.tf#L67) | Disk size in GB. Set to null to enable autoresize. | <code>number</code> | | <code>null</code> |
|
||||
| [disk_type](variables.tf#L73) | The type of data disk: `PD_SSD` or `PD_HDD`. | <code>string</code> | | <code>"PD_SSD"</code> |
|
||||
| [flags](variables.tf#L79) | Map FLAG_NAME=>VALUE for database-specific tuning. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L85) | Labels to be attached to all instances. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [prefix](variables.tf#L101) | Prefix used to generate instance names. | <code>string</code> | | <code>null</code> |
|
||||
| [replicas](variables.tf#L117) | Map of NAME=>REGION for additional read replicas. Set to null to disable replica creation. | <code>map(any)</code> | | <code>null</code> |
|
||||
| [users](variables.tf#L128) | Map of users to create in the primary instance (and replicated to other replicas) in the format USER=>PASSWORD. For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password | <code>map(string)</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| connection_name | Connection name of the primary instance | |
|
||||
| connection_names | Connection names of all instances | |
|
||||
| id | ID of the primary instance | |
|
||||
| ids | IDs of all instances | |
|
||||
| instances | Cloud SQL instance resources | ✓ |
|
||||
| ip | IP address of the primary instance | |
|
||||
| ips | IP addresses of all instances | |
|
||||
| self_link | Self link of the primary instance | |
|
||||
| self_links | Self links of all instances | |
|
||||
| user_passwords | Map of containing the password of all users created through terraform. | ✓ |
|
||||
| [connection_name](outputs.tf#L24) | Connection name of the primary instance | |
|
||||
| [connection_names](outputs.tf#L29) | Connection names of all instances | |
|
||||
| [id](outputs.tf#L37) | ID of the primary instance | |
|
||||
| [ids](outputs.tf#L42) | IDs of all instances | |
|
||||
| [instances](outputs.tf#L50) | Cloud SQL instance resources | ✓ |
|
||||
| [ip](outputs.tf#L56) | IP address of the primary instance | |
|
||||
| [ips](outputs.tf#L61) | IP addresses of all instances | |
|
||||
| [self_link](outputs.tf#L69) | Self link of the primary instance | |
|
||||
| [self_links](outputs.tf#L74) | Self links of all instances | |
|
||||
| [user_passwords](outputs.tf#L82) | Map of containing the password of all users created through terraform. | ✓ |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -443,41 +443,37 @@ module "nginx-mig" {
|
|||
# tftest:modules=2:resources=4
|
||||
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| default_version | Default application version template. Additional versions can be specified via the `versions` variable. | <code title="object({ instance_template = string name = string })">object({…})</code> | ✓ | |
|
||||
| location | Compute zone, or region if `regional` is set to true. | <code>string</code> | ✓ | |
|
||||
| name | Managed group name. | <code>string</code> | ✓ | |
|
||||
| project_id | Project id. | <code>string</code> | ✓ | |
|
||||
| auto_healing_policies | Auto-healing policies for this group. | <code title="object({ health_check = string initial_delay_sec = number })">object({…})</code> | | <code>null</code> |
|
||||
| autoscaler_config | Optional autoscaler configuration. Only one of 'cpu_utilization_target' 'load_balancing_utilization_target' or 'metric' can be not null. | <code title="object({ max_replicas = number min_replicas = number cooldown_period = number cpu_utilization_target = number load_balancing_utilization_target = number metric = object({ name = string single_instance_assignment = number target = number type = string # GAUGE, DELTA_PER_SECOND, DELTA_PER_MINUTE filter = string }) })">object({…})</code> | | <code>null</code> |
|
||||
| health_check_config | Optional auto-created health check configuration, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | <code title="object({ type = string # http https tcp ssl http2 check = map(any) # actual health check block attributes config = map(number) # interval, thresholds, timeout logging = bool })">object({…})</code> | | <code>null</code> |
|
||||
| named_ports | Named ports. | <code>map(number)</code> | | <code>null</code> |
|
||||
| regional | Use regional instance group. When set, `location` should be set to the region. | <code>bool</code> | | <code>false</code> |
|
||||
| stateful_config | Stateful configuration can be done by individual instances or for all instances in the MIG. They key in per_instance_config is the name of the specific instance. The key of the stateful_disks is the 'device_name' field of the resource. Please note that device_name is defined at the OS mount level, unlike the disk name. | <code title="object({ per_instance_config = map(object({ stateful_disks = map(object({ source = string mode = string # READ_WRITE | READ_ONLY delete_rule = string # NEVER | ON_PERMANENT_INSTANCE_DELETION })) metadata = map(string) update_config = object({ minimal_action = string # NONE | REPLACE | RESTART | REFRESH most_disruptive_allowed_action = string # REPLACE | RESTART | REFRESH | NONE remove_instance_state_on_destroy = bool }) })) mig_config = object({ stateful_disks = map(object({ delete_rule = string # NEVER | ON_PERMANENT_INSTANCE_DELETION })) }) })">object({…})</code> | | <code>null</code> |
|
||||
| target_pools | Optional list of URLs for target pools to which new instances in the group are added. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| target_size | Group target size, leave null when using an autoscaler. | <code>number</code> | | <code>null</code> |
|
||||
| update_policy | Update policy. Type can be 'OPPORTUNISTIC' or 'PROACTIVE', action 'REPLACE' or 'restart', surge type 'fixed' or 'percent'. | <code title="object({ type = string # OPPORTUNISTIC | PROACTIVE minimal_action = string # REPLACE | RESTART min_ready_sec = number max_surge_type = string # fixed | percent max_surge = number max_unavailable_type = string max_unavailable = number })">object({…})</code> | | <code>null</code> |
|
||||
| versions | Additional application versions, target_type is either 'fixed' or 'percent'. | <code title="map(object({ instance_template = string target_type = string # fixed | percent target_size = number }))">map(object({…}))</code> | | <code>null</code> |
|
||||
| wait_for_instances | Wait for all instances to be created/updated before returning. | <code>bool</code> | | <code>null</code> |
|
||||
| [default_version](variables.tf#L45) | Default application version template. Additional versions can be specified via the `versions` variable. | <code title="object({ instance_template = string name = string })">object({…})</code> | ✓ | |
|
||||
| [location](variables.tf#L64) | Compute zone, or region if `regional` is set to true. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L68) | Managed group name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L79) | Project id. | <code>string</code> | ✓ | |
|
||||
| [auto_healing_policies](variables.tf#L17) | Auto-healing policies for this group. | <code title="object({ health_check = string initial_delay_sec = number })">object({…})</code> | | <code>null</code> |
|
||||
| [autoscaler_config](variables.tf#L26) | Optional autoscaler configuration. Only one of 'cpu_utilization_target' 'load_balancing_utilization_target' or 'metric' can be not null. | <code title="object({ max_replicas = number min_replicas = number cooldown_period = number cpu_utilization_target = number load_balancing_utilization_target = number metric = object({ name = string single_instance_assignment = number target = number type = string # GAUGE, DELTA_PER_SECOND, DELTA_PER_MINUTE filter = string }) })">object({…})</code> | | <code>null</code> |
|
||||
| [health_check_config](variables.tf#L53) | Optional auto-created health check configuration, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | <code title="object({ type = string # http https tcp ssl http2 check = map(any) # actual health check block attributes config = map(number) # interval, thresholds, timeout logging = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [named_ports](variables.tf#L73) | Named ports. | <code>map(number)</code> | | <code>null</code> |
|
||||
| [regional](variables.tf#L84) | Use regional instance group. When set, `location` should be set to the region. | <code>bool</code> | | <code>false</code> |
|
||||
| [stateful_config](variables.tf#L90) | Stateful configuration can be done by individual instances or for all instances in the MIG. They key in per_instance_config is the name of the specific instance. The key of the stateful_disks is the 'device_name' field of the resource. Please note that device_name is defined at the OS mount level, unlike the disk name. | <code title="object({ per_instance_config = map(object({ stateful_disks = map(object({ source = string mode = string # READ_WRITE | READ_ONLY delete_rule = string # NEVER | ON_PERMANENT_INSTANCE_DELETION })) metadata = map(string) update_config = object({ minimal_action = string # NONE | REPLACE | RESTART | REFRESH most_disruptive_allowed_action = string # REPLACE | RESTART | REFRESH | NONE remove_instance_state_on_destroy = bool }) })) mig_config = object({ stateful_disks = map(object({ delete_rule = string # NEVER | ON_PERMANENT_INSTANCE_DELETION })) }) })">object({…})</code> | | <code>null</code> |
|
||||
| [target_pools](variables.tf#L121) | Optional list of URLs for target pools to which new instances in the group are added. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [target_size](variables.tf#L127) | Group target size, leave null when using an autoscaler. | <code>number</code> | | <code>null</code> |
|
||||
| [update_policy](variables.tf#L133) | Update policy. Type can be 'OPPORTUNISTIC' or 'PROACTIVE', action 'REPLACE' or 'restart', surge type 'fixed' or 'percent'. | <code title="object({ type = string # OPPORTUNISTIC | PROACTIVE minimal_action = string # REPLACE | RESTART min_ready_sec = number max_surge_type = string # fixed | percent max_surge = number max_unavailable_type = string max_unavailable = number })">object({…})</code> | | <code>null</code> |
|
||||
| [versions](variables.tf#L147) | Additional application versions, target_type is either 'fixed' or 'percent'. | <code title="map(object({ instance_template = string target_type = string # fixed | percent target_size = number }))">map(object({…}))</code> | | <code>null</code> |
|
||||
| [wait_for_instances](variables.tf#L157) | Wait for all instances to be created/updated before returning. | <code>bool</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| autoscaler | Auto-created autoscaler resource. | |
|
||||
| group_manager | Instance group resource. | |
|
||||
| health_check | Auto-created health-check resource. | |
|
||||
| [autoscaler](outputs.tf#L17) | Auto-created autoscaler resource. | |
|
||||
| [group_manager](outputs.tf#L26) | Instance group resource. | |
|
||||
| [health_check](outputs.tf#L35) | Auto-created health-check resource. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
## TODO
|
||||
|
||||
- [✓] add support for instance groups
|
||||
|
|
|
@ -292,62 +292,58 @@ module "instance-group" {
|
|||
}
|
||||
# tftest:modules=1:resources=2
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | Instance name. | <code>string</code> | ✓ | |
|
||||
| network_interfaces | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | <code title="list(object({ nat = bool network = string subnetwork = string addresses = object({ internal = string external = string }) }))">list(object({…}))</code> | ✓ | |
|
||||
| project_id | Project id. | <code>string</code> | ✓ | |
|
||||
| zone | Compute zone. | <code>string</code> | ✓ | |
|
||||
| attached_disk_defaults | Defaults for attached disks options. | <code title="object({ mode = string replica_zone = string type = string })">object({…})</code> | | <code title="{ auto_delete = true mode = "READ_WRITE" replica_zone = null type = "pd-balanced" }">{…}</code> |
|
||||
| attached_disks | Additional disks, if options is null defaults will be used in its place. Source type is one of 'image' (zonal disks in vms and template), 'snapshot' (vm), 'existing', and null. | <code title="list(object({ name = string size = string source = string source_type = string options = object({ mode = string replica_zone = string type = string }) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| boot_disk | Boot disk properties. | <code title="object({ image = string size = number type = string })">object({…})</code> | | <code title="{ image = "projects/debian-cloud/global/images/family/debian-11" type = "pd-balanced" size = 10 }">{…}</code> |
|
||||
| boot_disk_delete | Auto delete boot disk. | <code>bool</code> | | <code>true</code> |
|
||||
| can_ip_forward | Enable IP forwarding. | <code>bool</code> | | <code>false</code> |
|
||||
| confidential_compute | Enable Confidential Compute for these instances. | <code>bool</code> | | <code>false</code> |
|
||||
| create_template | Create instance template instead of instances. | <code>bool</code> | | <code>false</code> |
|
||||
| description | Description of a Compute Instance. | <code>string</code> | | <code>"Managed by the compute-vm Terraform module."</code> |
|
||||
| enable_display | Enable virtual display on the instances | <code>bool</code> | | <code>false</code> |
|
||||
| encryption | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | <code title="object({ encrypt_boot = bool disk_encryption_key_raw = string kms_key_self_link = string })">object({…})</code> | | <code>null</code> |
|
||||
| group | Define this variable to create an instance group for instances. Disabled for template use. | <code title="object({ named_ports = map(number) })">object({…})</code> | | <code>null</code> |
|
||||
| hostname | Instance FQDN name. | <code>string</code> | | <code>null</code> |
|
||||
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| instance_type | Instance type. | <code>string</code> | | <code>"f1-micro"</code> |
|
||||
| labels | Instance labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| metadata | Instance metadata. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| min_cpu_platform | Minimum CPU platform. | <code>string</code> | | <code>null</code> |
|
||||
| network_interface_options | Network interfaces extended options. The key is the index of the inteface to configure. The value is an object with alias_ips and nic_type. Set alias_ips or nic_type to null if you need only one of them. | <code title="map(object({ alias_ips = map(string) nic_type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| options | Instance options. | <code title="object({ allow_stopping_for_update = bool deletion_protection = bool preemptible = bool })">object({…})</code> | | <code title="{ allow_stopping_for_update = true deletion_protection = false preemptible = false }">{…}</code> |
|
||||
| scratch_disks | Scratch disks configuration. | <code title="object({ count = number interface = string })">object({…})</code> | | <code title="{ count = 0 interface = "NVME" }">{…}</code> |
|
||||
| service_account | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| service_account_create | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| service_account_scopes | Scopes applied to service account. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| shielded_config | Shielded VM configuration of the instances. | <code title="object({ enable_secure_boot = bool enable_vtpm = bool enable_integrity_monitoring = bool })">object({…})</code> | | <code>null</code> |
|
||||
| tags | Instance tags. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [name](variables.tf#L160) | Instance name. | <code>string</code> | ✓ | |
|
||||
| [network_interfaces](variables.tf#L174) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | <code title="list(object({ nat = bool network = string subnetwork = string addresses = object({ internal = string external = string }) }))">list(object({…}))</code> | ✓ | |
|
||||
| [project_id](variables.tf#L201) | Project id. | <code>string</code> | ✓ | |
|
||||
| [zone](variables.tf#L254) | Compute zone. | <code>string</code> | ✓ | |
|
||||
| [attached_disk_defaults](variables.tf#L17) | Defaults for attached disks options. | <code title="object({ mode = string replica_zone = string type = string })">object({…})</code> | | <code title="{ auto_delete = true mode = "READ_WRITE" replica_zone = null type = "pd-balanced" }">{…}</code> |
|
||||
| [attached_disks](variables.tf#L32) | Additional disks, if options is null defaults will be used in its place. Source type is one of 'image' (zonal disks in vms and template), 'snapshot' (vm), 'existing', and null. | <code title="list(object({ name = string size = string source = string source_type = string options = object({ mode = string replica_zone = string type = string }) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [boot_disk](variables.tf#L58) | Boot disk properties. | <code title="object({ image = string size = number type = string })">object({…})</code> | | <code title="{ image = "projects/debian-cloud/global/images/family/debian-11" type = "pd-balanced" size = 10 }">{…}</code> |
|
||||
| [boot_disk_delete](variables.tf#L72) | Auto delete boot disk. | <code>bool</code> | | <code>true</code> |
|
||||
| [can_ip_forward](variables.tf#L78) | Enable IP forwarding. | <code>bool</code> | | <code>false</code> |
|
||||
| [confidential_compute](variables.tf#L84) | Enable Confidential Compute for these instances. | <code>bool</code> | | <code>false</code> |
|
||||
| [create_template](variables.tf#L90) | Create instance template instead of instances. | <code>bool</code> | | <code>false</code> |
|
||||
| [description](variables.tf#L95) | Description of a Compute Instance. | <code>string</code> | | <code>"Managed by the compute-vm Terraform module."</code> |
|
||||
| [enable_display](variables.tf#L100) | Enable virtual display on the instances | <code>bool</code> | | <code>false</code> |
|
||||
| [encryption](variables.tf#L106) | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | <code title="object({ encrypt_boot = bool disk_encryption_key_raw = string kms_key_self_link = string })">object({…})</code> | | <code>null</code> |
|
||||
| [group](variables.tf#L116) | Define this variable to create an instance group for instances. Disabled for template use. | <code title="object({ named_ports = map(number) })">object({…})</code> | | <code>null</code> |
|
||||
| [hostname](variables.tf#L124) | Instance FQDN name. | <code>string</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L130) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [instance_type](variables.tf#L136) | Instance type. | <code>string</code> | | <code>"f1-micro"</code> |
|
||||
| [labels](variables.tf#L142) | Instance labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [metadata](variables.tf#L148) | Instance metadata. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [min_cpu_platform](variables.tf#L154) | Minimum CPU platform. | <code>string</code> | | <code>null</code> |
|
||||
| [network_interface_options](variables.tf#L165) | Network interfaces extended options. The key is the index of the inteface to configure. The value is an object with alias_ips and nic_type. Set alias_ips or nic_type to null if you need only one of them. | <code title="map(object({ alias_ips = map(string) nic_type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [options](variables.tf#L187) | Instance options. | <code title="object({ allow_stopping_for_update = bool deletion_protection = bool preemptible = bool })">object({…})</code> | | <code title="{ allow_stopping_for_update = true deletion_protection = false preemptible = false }">{…}</code> |
|
||||
| [scratch_disks](variables.tf#L206) | Scratch disks configuration. | <code title="object({ count = number interface = string })">object({…})</code> | | <code title="{ count = 0 interface = "NVME" }">{…}</code> |
|
||||
| [service_account](variables.tf#L218) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_create](variables.tf#L224) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [service_account_scopes](variables.tf#L232) | Scopes applied to service account. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [shielded_config](variables.tf#L238) | Shielded VM configuration of the instances. | <code title="object({ enable_secure_boot = bool enable_vtpm = bool enable_integrity_monitoring = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L248) | Instance tags. | <code>list(string)</code> | | <code>[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| external_ip | Instance main interface external IP addresses. | |
|
||||
| group | Instance group resource. | |
|
||||
| instance | Instance resource. | |
|
||||
| internal_ip | Instance main interface internal IP address. | |
|
||||
| self_link | Instance self links. | |
|
||||
| service_account | Service account resource. | |
|
||||
| service_account_email | Service account email. | |
|
||||
| service_account_iam_email | Service account email. | |
|
||||
| template | Template resource. | |
|
||||
| template_name | Template name. | |
|
||||
| [external_ip](outputs.tf#L17) | Instance main interface external IP addresses. | |
|
||||
| [group](outputs.tf#L26) | Instance group resource. | |
|
||||
| [instance](outputs.tf#L31) | Instance resource. | |
|
||||
| [internal_ip](outputs.tf#L36) | Instance main interface internal IP address. | |
|
||||
| [self_link](outputs.tf#L44) | Instance self links. | |
|
||||
| [service_account](outputs.tf#L49) | Service account resource. | |
|
||||
| [service_account_email](outputs.tf#L56) | Service account email. | |
|
||||
| [service_account_iam_email](outputs.tf#L61) | Service account email. | |
|
||||
| [template](outputs.tf#L69) | Template resource. | |
|
||||
| [template_name](outputs.tf#L74) | Template name. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
## TODO
|
||||
|
||||
- [ ] add support for instance groups
|
||||
|
|
|
@ -15,23 +15,20 @@ module "container_registry" {
|
|||
}
|
||||
# tftest:modules=1:resources=2
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Registry project id. | <code>string</code> | ✓ | |
|
||||
| iam | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| location | Registry location. Can be US, EU, ASIA or empty | <code>string</code> | | <code>""</code> |
|
||||
| [project_id](variables.tf#L29) | Registry project id. | <code>string</code> | ✓ | |
|
||||
| [iam](variables.tf#L17) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [location](variables.tf#L23) | Registry location. Can be US, EU, ASIA or empty | <code>string</code> | | <code>""</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bucket_id | ID of the GCS bucket created | |
|
||||
| [bucket_id](outputs.tf#L17) | ID of the GCS bucket created | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -33,39 +33,36 @@ module "datafusion" {
|
|||
}
|
||||
# tftest:modules=1:resources=3
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | Name of the DataFusion instance. | <code>string</code> | ✓ | |
|
||||
| network | Name of the network in the project with which the tenant project will be peered for executing pipelines in the form of projects/{project-id}/global/networks/{network} | <code>string</code> | ✓ | |
|
||||
| project_id | Project ID. | <code>string</code> | ✓ | |
|
||||
| region | DataFusion region. | <code>string</code> | ✓ | |
|
||||
| description | DataFuzion instance description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| enable_stackdriver_logging | Option to enable Stackdriver Logging. | <code>bool</code> | | <code>false</code> |
|
||||
| enable_stackdriver_monitoring | Option to enable Stackdriver Monitorig. | <code>bool</code> | | <code>false</code> |
|
||||
| firewall_create | Create Network firewall rules to enable SSH. | <code>bool</code> | | <code>true</code> |
|
||||
| ip_allocation | Ip allocated for datafusion instance when not using the auto created one and created outside of the module. | <code>string</code> | | <code>null</code> |
|
||||
| ip_allocation_create | Create Ip range for datafusion instance. | <code>bool</code> | | <code>true</code> |
|
||||
| labels | The resource labels for instance to use to annotate any related underlying resources, such as Compute Engine VMs. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| network_peering | Create Network peering between project and DataFusion tenant project. | <code>bool</code> | | <code>true</code> |
|
||||
| private_instance | Create private instance. | <code>bool</code> | | <code>true</code> |
|
||||
| type | Datafusion Instance type. It can be BASIC or ENTERPRISE (default value). | <code>string</code> | | <code>"ENTERPRISE"</code> |
|
||||
| [name](variables.tf#L63) | Name of the DataFusion instance. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L68) | Name of the network in the project with which the tenant project will be peered for executing pipelines in the form of projects/{project-id}/global/networks/{network} | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L85) | Project ID. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L90) | DataFusion region. | <code>string</code> | ✓ | |
|
||||
| [description](variables.tf#L21) | DataFuzion instance description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| [enable_stackdriver_logging](variables.tf#L27) | Option to enable Stackdriver Logging. | <code>bool</code> | | <code>false</code> |
|
||||
| [enable_stackdriver_monitoring](variables.tf#L33) | Option to enable Stackdriver Monitorig. | <code>bool</code> | | <code>false</code> |
|
||||
| [firewall_create](variables.tf#L39) | Create Network firewall rules to enable SSH. | <code>bool</code> | | <code>true</code> |
|
||||
| [ip_allocation](variables.tf#L45) | Ip allocated for datafusion instance when not using the auto created one and created outside of the module. | <code>string</code> | | <code>null</code> |
|
||||
| [ip_allocation_create](variables.tf#L51) | Create Ip range for datafusion instance. | <code>bool</code> | | <code>true</code> |
|
||||
| [labels](variables.tf#L57) | The resource labels for instance to use to annotate any related underlying resources, such as Compute Engine VMs. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [network_peering](variables.tf#L73) | Create Network peering between project and DataFusion tenant project. | <code>bool</code> | | <code>true</code> |
|
||||
| [private_instance](variables.tf#L79) | Create private instance. | <code>bool</code> | | <code>true</code> |
|
||||
| [type](variables.tf#L95) | Datafusion Instance type. It can be BASIC or ENTERPRISE (default value). | <code>string</code> | | <code>"ENTERPRISE"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | DataFusion instance ID. | |
|
||||
| ip_allocation | IP range reserved for Data Fusion instance in case of a private instance. | |
|
||||
| resource | DataFusion resource. | |
|
||||
| service_account | DataFusion Service Account. | |
|
||||
| service_endpoint | DataFusion Service Endpoint. | |
|
||||
| version | DataFusion version. | |
|
||||
| [id](outputs.tf#L17) | DataFusion instance ID. | |
|
||||
| [ip_allocation](outputs.tf#L22) | IP range reserved for Data Fusion instance in case of a private instance. | |
|
||||
| [resource](outputs.tf#L27) | DataFusion resource. | |
|
||||
| [service_account](outputs.tf#L32) | DataFusion Service Account. | |
|
||||
| [service_endpoint](outputs.tf#L37) | DataFusion Service Endpoint. | |
|
||||
| [version](outputs.tf#L42) | DataFusion version. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -52,39 +52,36 @@ module "private-dns" {
|
|||
}
|
||||
# tftest:modules=1:resources=1
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| domain | Zone domain, must end with a period. | <code>string</code> | ✓ | |
|
||||
| name | Zone name, must be unique within the project. | <code>string</code> | ✓ | |
|
||||
| project_id | Project id for the zone. | <code>string</code> | ✓ | |
|
||||
| client_networks | List of VPC self links that can see this zone. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| default_key_specs_key | DNSSEC default key signing specifications: algorithm, key_length, key_type, kind. | <code>any</code> | | <code>{}</code> |
|
||||
| default_key_specs_zone | DNSSEC default zone signing specifications: algorithm, key_length, key_type, kind. | <code>any</code> | | <code>{}</code> |
|
||||
| description | Domain description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| dnssec_config | DNSSEC configuration: kind, non_existence, state. | <code>any</code> | | <code>{}</code> |
|
||||
| forwarders | Map of {IPV4_ADDRESS => FORWARDING_PATH} for 'forwarding' zone types. Path can be 'default', 'private', or null for provider default. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| peer_network | Peering network self link, only valid for 'peering' zone types. | <code>string</code> | | <code>null</code> |
|
||||
| recordsets | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | <code title="map(object({ ttl = number records = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| service_directory_namespace | Service directory namespace id (URL), only valid for 'service-directory' zone types. | <code>string</code> | | <code>null</code> |
|
||||
| type | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory'. | <code>string</code> | | <code>"private"</code> |
|
||||
| zone_create | Create zone. When set to false, uses a data source to reference existing zone. | <code>bool</code> | | <code>true</code> |
|
||||
| [domain](variables.tf#L51) | Zone domain, must end with a period. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L62) | Zone name, must be unique within the project. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L73) | Project id for the zone. | <code>string</code> | ✓ | |
|
||||
| [client_networks](variables.tf#L21) | List of VPC self links that can see this zone. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [default_key_specs_key](variables.tf#L27) | DNSSEC default key signing specifications: algorithm, key_length, key_type, kind. | <code>any</code> | | <code>{}</code> |
|
||||
| [default_key_specs_zone](variables.tf#L33) | DNSSEC default zone signing specifications: algorithm, key_length, key_type, kind. | <code>any</code> | | <code>{}</code> |
|
||||
| [description](variables.tf#L39) | Domain description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
| [dnssec_config](variables.tf#L45) | DNSSEC configuration: kind, non_existence, state. | <code>any</code> | | <code>{}</code> |
|
||||
| [forwarders](variables.tf#L56) | Map of {IPV4_ADDRESS => FORWARDING_PATH} for 'forwarding' zone types. Path can be 'default', 'private', or null for provider default. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [peer_network](variables.tf#L67) | Peering network self link, only valid for 'peering' zone types. | <code>string</code> | | <code>null</code> |
|
||||
| [recordsets](variables.tf#L78) | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | <code title="map(object({ ttl = number records = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_directory_namespace](variables.tf#L94) | Service directory namespace id (URL), only valid for 'service-directory' zone types. | <code>string</code> | | <code>null</code> |
|
||||
| [type](variables.tf#L100) | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory'. | <code>string</code> | | <code>"private"</code> |
|
||||
| [zone_create](variables.tf#L110) | Create zone. When set to false, uses a data source to reference existing zone. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| dns_keys | DNSKEY and DS records of DNSSEC-signed managed zones. | |
|
||||
| domain | The DNS zone domain. | |
|
||||
| name | The DNS zone name. | |
|
||||
| name_servers | The DNS zone name servers. | |
|
||||
| type | The DNS zone type. | |
|
||||
| zone | DNS zone resource. | |
|
||||
| [dns_keys](outputs.tf#L17) | DNSKEY and DS records of DNSSEC-signed managed zones. | |
|
||||
| [domain](outputs.tf#L22) | The DNS zone domain. | |
|
||||
| [name](outputs.tf#L27) | The DNS zone name. | |
|
||||
| [name_servers](outputs.tf#L32) | The DNS zone name servers. | |
|
||||
| [type](outputs.tf#L37) | The DNS zone type. | |
|
||||
| [zone](outputs.tf#L42) | DNS zone resource. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -22,27 +22,24 @@ module "endpoint" {
|
|||
```
|
||||
|
||||
[Here](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/endpoints/getting-started/openapi.yaml) you can find an example of an openapi.yaml file. Once created the endpoint, remember to activate the service at project level.
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| openapi_config | The configuration for an OpenAPI endopoint. Either this or grpc_config must be specified. | <code title="object({ yaml_path = string })">object({…})</code> | ✓ | |
|
||||
| service_name | The name of the service. Usually of the form '$apiname.endpoints.$projectid.cloud.goog'. | <code>string</code> | ✓ | |
|
||||
| grpc_config | The configuration for a gRPC enpoint. Either this or openapi_config must be specified. | <code title="object({ yaml_path = string protoc_output_path = string })">object({…})</code> | | <code>null</code> |
|
||||
| iam | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| project_id | The project ID that the service belongs to. | <code>string</code> | | <code>null</code> |
|
||||
| [openapi_config](variables.tf#L32) | The configuration for an OpenAPI endopoint. Either this or grpc_config must be specified. | <code title="object({ yaml_path = string })">object({…})</code> | ✓ | |
|
||||
| [service_name](variables.tf#L45) | The name of the service. Usually of the form '$apiname.endpoints.$projectid.cloud.goog'. | <code>string</code> | ✓ | |
|
||||
| [grpc_config](variables.tf#L17) | The configuration for a gRPC enpoint. Either this or openapi_config must be specified. | <code title="object({ yaml_path = string protoc_output_path = string })">object({…})</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L26) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [project_id](variables.tf#L39) | The project ID that the service belongs to. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| endpoints | A list of Endpoint objects. | |
|
||||
| endpoints_service | The Endpoint service resource. | |
|
||||
| service_name | The name of the service.. | |
|
||||
| [endpoints](outputs.tf#L17) | A list of Endpoint objects. | |
|
||||
| [endpoints_service](outputs.tf#L22) | The Endpoint service resource. | |
|
||||
| [service_name](outputs.tf#L27) | The name of the service.. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -219,41 +219,36 @@ module "folder2" {
|
|||
}
|
||||
# tftest:modules=2:resources=6
|
||||
```
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| contacts | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| firewall_policies | Hierarchical firewall policies created in this folder. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| firewall_policy_association | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| firewall_policy_factory | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
||||
| folder_create | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| id | Folder ID in case you use folder_create=false | <code>string</code> | | <code>null</code> |
|
||||
| logging_exclusions | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| logging_sinks | Logging sinks to create for this folder. | <code title="map(object({ destination = string type = string filter = string iam = bool include_children = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| name | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| parent | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [firewall_policies](variables.tf#L23) | Hierarchical firewall policies created in this folder. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| [firewall_policy_association](variables.tf#L39) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [firewall_policy_factory](variables.tf#L45) | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
||||
| [folder_create](variables.tf#L55) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [group_iam](variables.tf#L61) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L67) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [id](variables.tf#L73) | Folder ID in case you use folder_create=false | <code>string</code> | | <code>null</code> |
|
||||
| [logging_exclusions](variables.tf#L79) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L85) | Logging sinks to create for this folder. | <code title="map(object({ destination = string type = string filter = string iam = bool include_children = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L99) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [parent](variables.tf#L105) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [policy_boolean](variables.tf#L115) | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [policy_list](variables.tf#L121) | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| firewall_policies | Map of firewall policy resources created in this folder. | |
|
||||
| firewall_policy_id | Map of firewall policy ids created in this folder. | |
|
||||
| folder | Folder resource. | |
|
||||
| id | Folder id. | |
|
||||
| name | Folder name. | |
|
||||
| sink_writer_identities | Writer identities created for each sink. | |
|
||||
| [firewall_policies](outputs.tf#L16) | Map of firewall policy resources created in this folder. | |
|
||||
| [firewall_policy_id](outputs.tf#L21) | Map of firewall policy ids created in this folder. | |
|
||||
| [folder](outputs.tf#L26) | Folder resource. | |
|
||||
| [id](outputs.tf#L31) | Folder id. | |
|
||||
| [name](outputs.tf#L41) | Folder name. | |
|
||||
| [sink_writer_identities](outputs.tf#L46) | Writer identities created for each sink. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
|
|
@ -23,38 +23,35 @@ module "folders-unit" {
|
|||
}
|
||||
# tftest:modules=1:resources=37
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| automation_project_id | Project id used for automation service accounts. | <code>string</code> | ✓ | |
|
||||
| billing_account_id | Country billing account account. | <code>string</code> | ✓ | |
|
||||
| name | Top folder name. | <code>string</code> | ✓ | |
|
||||
| organization_id | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| root_node | Root node in folders/folder_id or organizations/org_id format. | <code>string</code> | ✓ | |
|
||||
| short_name | Short name used as GCS bucket and service account prefixes, do not use capital letters or spaces. | <code>string</code> | ✓ | |
|
||||
| environments | Unit environments short names. | <code>map(string)</code> | | <code title="{ non-prod = "Non production" prod = "Production" }">{…}</code> |
|
||||
| gcs_defaults | Defaults use for the state GCS buckets. | <code>map(string)</code> | | <code title="{ location = "EU" storage_class = "MULTI_REGIONAL" }">{…}</code> |
|
||||
| iam | IAM bindings for the top-level folder in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_billing_config | Grant billing user role to service accounts, defaults to granting on the billing account. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = false }">{…}</code> |
|
||||
| iam_enviroment_roles | IAM roles granted to the environment service account on the environment sub-folder. | <code>list(string)</code> | | <code title="[ "roles/compute.networkAdmin", "roles/owner", "roles/resourcemanager.folderAdmin", "roles/resourcemanager.projectCreator", ]">[…]</code> |
|
||||
| iam_xpn_config | Grant Shared VPC creation roles to service accounts, defaults to granting at folder level. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = false }">{…}</code> |
|
||||
| prefix | Optional prefix used for GCS bucket names to ensure uniqueness. | <code>string</code> | | <code>null</code> |
|
||||
| service_account_keys | Generate and store service account keys in the state file. | <code>bool</code> | | <code>false</code> |
|
||||
| [automation_project_id](variables.tf#L17) | Project id used for automation service accounts. | <code>string</code> | ✓ | |
|
||||
| [billing_account_id](variables.tf#L22) | Country billing account account. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L86) | Top folder name. | <code>string</code> | ✓ | |
|
||||
| [organization_id](variables.tf#L91) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L102) | Root node in folders/folder_id or organizations/org_id format. | <code>string</code> | ✓ | |
|
||||
| [short_name](variables.tf#L113) | Short name used as GCS bucket and service account prefixes, do not use capital letters or spaces. | <code>string</code> | ✓ | |
|
||||
| [environments](variables.tf#L27) | Unit environments short names. | <code>map(string)</code> | | <code title="{ non-prod = "Non production" prod = "Production" }">{…}</code> |
|
||||
| [gcs_defaults](variables.tf#L36) | Defaults use for the state GCS buckets. | <code>map(string)</code> | | <code title="{ location = "EU" storage_class = "MULTI_REGIONAL" }">{…}</code> |
|
||||
| [iam](variables.tf#L45) | IAM bindings for the top-level folder in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_billing_config](variables.tf#L51) | Grant billing user role to service accounts, defaults to granting on the billing account. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = false }">{…}</code> |
|
||||
| [iam_enviroment_roles](variables.tf#L63) | IAM roles granted to the environment service account on the environment sub-folder. | <code>list(string)</code> | | <code title="[ "roles/compute.networkAdmin", "roles/owner", "roles/resourcemanager.folderAdmin", "roles/resourcemanager.projectCreator", ]">[…]</code> |
|
||||
| [iam_xpn_config](variables.tf#L74) | Grant Shared VPC creation roles to service accounts, defaults to granting at folder level. | <code title="object({ grant = bool target_org = bool })">object({…})</code> | | <code title="{ grant = true target_org = false }">{…}</code> |
|
||||
| [prefix](variables.tf#L96) | Optional prefix used for GCS bucket names to ensure uniqueness. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_keys](variables.tf#L107) | Generate and store service account keys in the state file. | <code>bool</code> | | <code>false</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| env_folders | Unit environments folders. | |
|
||||
| env_gcs_buckets | Unit environments tfstate gcs buckets. | |
|
||||
| env_sa_keys | Unit environments service account keys. | ✓ |
|
||||
| env_service_accounts | Unit environments service accounts. | |
|
||||
| unit_folder | Unit top level folder. | |
|
||||
| [env_folders](outputs.tf#L17) | Unit environments folders. | |
|
||||
| [env_gcs_buckets](outputs.tf#L28) | Unit environments tfstate gcs buckets. | |
|
||||
| [env_sa_keys](outputs.tf#L36) | Unit environments service account keys. | ✓ |
|
||||
| [env_service_accounts](outputs.tf#L45) | Unit environments service accounts. | |
|
||||
| [unit_folder](outputs.tf#L53) | Unit top level folder. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -106,41 +106,38 @@ module "bucket-gcs-notification" {
|
|||
}
|
||||
# tftest:modules=1:resources=4
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | Bucket name suffix. | <code>string</code> | ✓ | |
|
||||
| project_id | Bucket project id. | <code>string</code> | ✓ | |
|
||||
| cors | CORS configuration for the bucket. Defaults to null. | <code title="object({ origin = list(string) method = list(string) response_header = list(string) max_age_seconds = number })">object({…})</code> | | <code>null</code> |
|
||||
| encryption_key | KMS key that will be used for encryption. | <code>string</code> | | <code>null</code> |
|
||||
| force_destroy | Optional map to set force destroy keyed by name, defaults to false. | <code>bool</code> | | <code>false</code> |
|
||||
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| labels | Labels to be attached to all buckets. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| lifecycle_rule | Bucket lifecycle rule | <code title="object({ action = object({ type = string storage_class = string }) condition = object({ age = number created_before = string with_state = string matches_storage_class = list(string) num_newer_versions = string custom_time_before = string days_since_custom_time = string days_since_noncurrent_time = string noncurrent_time_before = string }) })">object({…})</code> | | <code>null</code> |
|
||||
| location | Bucket location. | <code>string</code> | | <code>"EU"</code> |
|
||||
| logging_config | Bucket logging configuration. | <code title="object({ log_bucket = string log_object_prefix = string })">object({…})</code> | | <code>null</code> |
|
||||
| notification_config | GCS Notification configuration. | <code title="object({ enabled = bool payload_format = string topic_name = string sa_email = string event_types = list(string) custom_attributes = map(string) })">object({…})</code> | | <code>null</code> |
|
||||
| prefix | Prefix used to generate the bucket name. | <code>string</code> | | <code>null</code> |
|
||||
| retention_policy | Bucket retention policy. | <code title="object({ retention_period = number is_locked = bool })">object({…})</code> | | <code>null</code> |
|
||||
| storage_class | Bucket storage class. | <code>string</code> | | <code>"MULTI_REGIONAL"</code> |
|
||||
| uniform_bucket_level_access | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | <code>bool</code> | | <code>true</code> |
|
||||
| versioning | Enable versioning, defaults to false. | <code>bool</code> | | <code>false</code> |
|
||||
| website | Bucket website. | <code title="object({ main_page_suffix = string not_found_page = string })">object({…})</code> | | <code>null</code> |
|
||||
| [name](variables.tf#L89) | Bucket name suffix. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L112) | Bucket project id. | <code>string</code> | ✓ | |
|
||||
| [cors](variables.tf#L17) | CORS configuration for the bucket. Defaults to null. | <code title="object({ origin = list(string) method = list(string) response_header = list(string) max_age_seconds = number })">object({…})</code> | | <code>null</code> |
|
||||
| [encryption_key](variables.tf#L28) | KMS key that will be used for encryption. | <code>string</code> | | <code>null</code> |
|
||||
| [force_destroy](variables.tf#L34) | Optional map to set force destroy keyed by name, defaults to false. | <code>bool</code> | | <code>false</code> |
|
||||
| [iam](variables.tf#L40) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L46) | Labels to be attached to all buckets. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [lifecycle_rule](variables.tf#L52) | Bucket lifecycle rule | <code title="object({ action = object({ type = string storage_class = string }) condition = object({ age = number created_before = string with_state = string matches_storage_class = list(string) num_newer_versions = string custom_time_before = string days_since_custom_time = string days_since_noncurrent_time = string noncurrent_time_before = string }) })">object({…})</code> | | <code>null</code> |
|
||||
| [location](variables.tf#L74) | Bucket location. | <code>string</code> | | <code>"EU"</code> |
|
||||
| [logging_config](variables.tf#L80) | Bucket logging configuration. | <code title="object({ log_bucket = string log_object_prefix = string })">object({…})</code> | | <code>null</code> |
|
||||
| [notification_config](variables.tf#L94) | GCS Notification configuration. | <code title="object({ enabled = bool payload_format = string topic_name = string sa_email = string event_types = list(string) custom_attributes = map(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [prefix](variables.tf#L106) | Prefix used to generate the bucket name. | <code>string</code> | | <code>null</code> |
|
||||
| [retention_policy](variables.tf#L117) | Bucket retention policy. | <code title="object({ retention_period = number is_locked = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [storage_class](variables.tf#L126) | Bucket storage class. | <code>string</code> | | <code>"MULTI_REGIONAL"</code> |
|
||||
| [uniform_bucket_level_access](variables.tf#L136) | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | <code>bool</code> | | <code>true</code> |
|
||||
| [versioning](variables.tf#L142) | Enable versioning, defaults to false. | <code>bool</code> | | <code>false</code> |
|
||||
| [website](variables.tf#L148) | Bucket website. | <code title="object({ main_page_suffix = string not_found_page = string })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bucket | Bucket resource. | |
|
||||
| name | Bucket name. | |
|
||||
| notification | GCS Notification self link. | |
|
||||
| topic | Topic ID used by GCS. | |
|
||||
| url | Bucket URL. | |
|
||||
| [bucket](outputs.tf#L17) | Bucket resource. | |
|
||||
| [name](outputs.tf#L22) | Bucket name. | |
|
||||
| [notification](outputs.tf#L26) | GCS Notification self link. | |
|
||||
| [topic](outputs.tf#L30) | Topic ID used by GCS. | |
|
||||
| [url](outputs.tf#L34) | Bucket URL. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -62,64 +62,61 @@ module "cluster-1" {
|
|||
}
|
||||
# tftest:modules=1:resources=1
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| location | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||
| name | Cluster name. | <code>string</code> | ✓ | |
|
||||
| network | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | <code>string</code> | ✓ | |
|
||||
| project_id | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| secondary_range_pods | Subnet secondary range name used for pods. | <code>string</code> | ✓ | |
|
||||
| secondary_range_services | Subnet secondary range name used for services. | <code>string</code> | ✓ | |
|
||||
| subnetwork | VPC subnetwork name or self link. | <code>string</code> | ✓ | |
|
||||
| addons | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun_config = bool dns_cache_config = bool horizontal_pod_autoscaling = bool http_load_balancing = bool istio_config = object({ enabled = bool tls = bool }) network_policy_config = bool gce_persistent_disk_csi_driver_config = bool })">object({…})</code> | | <code title="{ cloudrun_config = false dns_cache_config = false horizontal_pod_autoscaling = true http_load_balancing = true istio_config = { enabled = false tls = false } network_policy_config = false gce_persistent_disk_csi_driver_config = false }">{…}</code> |
|
||||
| authenticator_security_group | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | <code>string</code> | | <code>null</code> |
|
||||
| cluster_autoscaling | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = bool cpu_min = number cpu_max = number memory_min = number memory_max = number })">object({…})</code> | | <code title="{ enabled = false cpu_min = 0 cpu_max = 0 memory_min = 0 memory_max = 0 }">{…}</code> |
|
||||
| database_encryption | Enable and configure GKE application-layer secrets encryption. | <code title="object({ enabled = bool state = string key_name = string })">object({…})</code> | | <code title="{ enabled = false state = "DECRYPTED" key_name = null }">{…}</code> |
|
||||
| default_max_pods_per_node | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
|
||||
| description | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| dns_config | Configuration for Using Cloud DNS for GKE. | <code title="object({ cluster_dns = string cluster_dns_scope = string cluster_dns_domain = string })">object({…})</code> | | <code title="{ cluster_dns = "PROVIDER_UNSPECIFIED" cluster_dns_scope = "DNS_SCOPE_UNSPECIFIED" cluster_dns_domain = "" }">{…}</code> |
|
||||
| enable_autopilot | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node) | <code>bool</code> | | <code>false</code> |
|
||||
| enable_binary_authorization | Enable Google Binary Authorization. | <code>bool</code> | | <code>null</code> |
|
||||
| enable_dataplane_v2 | Enable Dataplane V2 on the cluster, will disable network_policy addons config | <code>bool</code> | | <code>false</code> |
|
||||
| enable_intranode_visibility | Enable intra-node visibility to make same node pod to pod traffic visible. | <code>bool</code> | | <code>null</code> |
|
||||
| enable_l4_ilb_subsetting | Enable L4ILB Subsetting. | <code>bool</code> | | <code>null</code> |
|
||||
| enable_shielded_nodes | Enable Shielded Nodes features on all nodes in this cluster. | <code>bool</code> | | <code>null</code> |
|
||||
| enable_tpu | Enable Cloud TPU resources in this cluster. | <code>bool</code> | | <code>null</code> |
|
||||
| labels | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| logging_config | Logging configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
||||
| logging_service | Logging service (disable with an empty string). | <code>string</code> | | <code>"logging.googleapis.com/kubernetes"</code> |
|
||||
| maintenance_config | Maintenance window configuration | <code title="object({ daily_maintenance_window = object({ start_time = string }) recurring_window = object({ start_time = string end_time = string recurrence = string }) maintenance_exclusion = list(object({ exclusion_name = string start_time = string end_time = string })) })">object({…})</code> | | <code title="{ daily_maintenance_window = { start_time = "03:00" } recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||
| master_authorized_ranges | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| min_master_version | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| monitoring_config | Monitoring configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
||||
| monitoring_service | Monitoring service (disable with an empty string). | <code>string</code> | | <code>"monitoring.googleapis.com/kubernetes"</code> |
|
||||
| node_locations | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| notification_config | GKE Cluster upgrade notifications via PubSub. | <code>bool</code> | | <code>false</code> |
|
||||
| peering_config | Configure peering with the master VPC for private clusters. | <code title="object({ export_routes = bool import_routes = bool project_id = string })">object({…})</code> | | <code>null</code> |
|
||||
| pod_security_policy | Enable the PodSecurityPolicy feature. | <code>bool</code> | | <code>null</code> |
|
||||
| private_cluster_config | Enable and configure private cluster, private nodes must be true if used. | <code title="object({ enable_private_nodes = bool enable_private_endpoint = bool master_ipv4_cidr_block = string master_global_access = bool })">object({…})</code> | | <code>null</code> |
|
||||
| release_channel | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||
| resource_usage_export_config | Configure the ResourceUsageExportConfig feature. | <code title="object({ enabled = bool dataset = string })">object({…})</code> | | <code title="{ enabled = null dataset = null }">{…}</code> |
|
||||
| vertical_pod_autoscaling | Enable the Vertical Pod Autoscaling feature. | <code>bool</code> | | <code>null</code> |
|
||||
| workload_identity | Enable the Workload Identity feature. | <code>bool</code> | | <code>true</code> |
|
||||
| [location](variables.tf#L157) | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L224) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L229) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L273) | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| [secondary_range_pods](variables.tf#L296) | Subnet secondary range name used for pods. | <code>string</code> | ✓ | |
|
||||
| [secondary_range_services](variables.tf#L301) | Subnet secondary range name used for services. | <code>string</code> | ✓ | |
|
||||
| [subnetwork](variables.tf#L306) | VPC subnetwork name or self link. | <code>string</code> | ✓ | |
|
||||
| [addons](variables.tf#L17) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun_config = bool dns_cache_config = bool horizontal_pod_autoscaling = bool http_load_balancing = bool istio_config = object({ enabled = bool tls = bool }) network_policy_config = bool gce_persistent_disk_csi_driver_config = bool })">object({…})</code> | | <code title="{ cloudrun_config = false dns_cache_config = false horizontal_pod_autoscaling = true http_load_balancing = true istio_config = { enabled = false tls = false } network_policy_config = false gce_persistent_disk_csi_driver_config = false }">{…}</code> |
|
||||
| [authenticator_security_group](variables.tf#L45) | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | <code>string</code> | | <code>null</code> |
|
||||
| [cluster_autoscaling](variables.tf#L51) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = bool cpu_min = number cpu_max = number memory_min = number memory_max = number })">object({…})</code> | | <code title="{ enabled = false cpu_min = 0 cpu_max = 0 memory_min = 0 memory_max = 0 }">{…}</code> |
|
||||
| [database_encryption](variables.tf#L69) | Enable and configure GKE application-layer secrets encryption. | <code title="object({ enabled = bool state = string key_name = string })">object({…})</code> | | <code title="{ enabled = false state = "DECRYPTED" key_name = null }">{…}</code> |
|
||||
| [default_max_pods_per_node](variables.tf#L83) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
|
||||
| [description](variables.tf#L89) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [dns_config](variables.tf#L95) | Configuration for Using Cloud DNS for GKE. | <code title="object({ cluster_dns = string cluster_dns_scope = string cluster_dns_domain = string })">object({…})</code> | | <code title="{ cluster_dns = "PROVIDER_UNSPECIFIED" cluster_dns_scope = "DNS_SCOPE_UNSPECIFIED" cluster_dns_domain = "" }">{…}</code> |
|
||||
| [enable_autopilot](variables.tf#L109) | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node) | <code>bool</code> | | <code>false</code> |
|
||||
| [enable_binary_authorization](variables.tf#L115) | Enable Google Binary Authorization. | <code>bool</code> | | <code>null</code> |
|
||||
| [enable_dataplane_v2](variables.tf#L121) | Enable Dataplane V2 on the cluster, will disable network_policy addons config | <code>bool</code> | | <code>false</code> |
|
||||
| [enable_intranode_visibility](variables.tf#L127) | Enable intra-node visibility to make same node pod to pod traffic visible. | <code>bool</code> | | <code>null</code> |
|
||||
| [enable_l4_ilb_subsetting](variables.tf#L133) | Enable L4ILB Subsetting. | <code>bool</code> | | <code>null</code> |
|
||||
| [enable_shielded_nodes](variables.tf#L139) | Enable Shielded Nodes features on all nodes in this cluster. | <code>bool</code> | | <code>null</code> |
|
||||
| [enable_tpu](variables.tf#L145) | Enable Cloud TPU resources in this cluster. | <code>bool</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L151) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L162) | Logging configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
||||
| [logging_service](variables.tf#L168) | Logging service (disable with an empty string). | <code>string</code> | | <code>"logging.googleapis.com/kubernetes"</code> |
|
||||
| [maintenance_config](variables.tf#L174) | Maintenance window configuration | <code title="object({ daily_maintenance_window = object({ start_time = string }) recurring_window = object({ start_time = string end_time = string recurrence = string }) maintenance_exclusion = list(object({ exclusion_name = string start_time = string end_time = string })) })">object({…})</code> | | <code title="{ daily_maintenance_window = { start_time = "03:00" } recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||
| [master_authorized_ranges](variables.tf#L200) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [min_master_version](variables.tf#L206) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L212) | Monitoring configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
||||
| [monitoring_service](variables.tf#L218) | Monitoring service (disable with an empty string). | <code>string</code> | | <code>"monitoring.googleapis.com/kubernetes"</code> |
|
||||
| [node_locations](variables.tf#L234) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [notification_config](variables.tf#L240) | GKE Cluster upgrade notifications via PubSub. | <code>bool</code> | | <code>false</code> |
|
||||
| [peering_config](variables.tf#L246) | Configure peering with the master VPC for private clusters. | <code title="object({ export_routes = bool import_routes = bool project_id = string })">object({…})</code> | | <code>null</code> |
|
||||
| [pod_security_policy](variables.tf#L256) | Enable the PodSecurityPolicy feature. | <code>bool</code> | | <code>null</code> |
|
||||
| [private_cluster_config](variables.tf#L262) | Enable and configure private cluster, private nodes must be true if used. | <code title="object({ enable_private_nodes = bool enable_private_endpoint = bool master_ipv4_cidr_block = string master_global_access = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [release_channel](variables.tf#L278) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||
| [resource_usage_export_config](variables.tf#L284) | Configure the ResourceUsageExportConfig feature. | <code title="object({ enabled = bool dataset = string })">object({…})</code> | | <code title="{ enabled = null dataset = null }">{…}</code> |
|
||||
| [vertical_pod_autoscaling](variables.tf#L311) | Enable the Vertical Pod Autoscaling feature. | <code>bool</code> | | <code>null</code> |
|
||||
| [workload_identity](variables.tf#L317) | Enable the Workload Identity feature. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| ca_certificate | Public certificate of the cluster (base64-encoded). | ✓ |
|
||||
| cluster | Cluster resource. | ✓ |
|
||||
| endpoint | Cluster endpoint. | |
|
||||
| location | Cluster location. | |
|
||||
| master_version | Master version. | |
|
||||
| name | Cluster name. | |
|
||||
| notifications | GKE PubSub notifications topic. | |
|
||||
| [ca_certificate](outputs.tf#L17) | Public certificate of the cluster (base64-encoded). | ✓ |
|
||||
| [cluster](outputs.tf#L23) | Cluster resource. | ✓ |
|
||||
| [endpoint](outputs.tf#L29) | Cluster endpoint. | |
|
||||
| [location](outputs.tf#L34) | Cluster location. | |
|
||||
| [master_version](outputs.tf#L39) | Master version. | |
|
||||
| [name](outputs.tf#L44) | Cluster name. | |
|
||||
| [notifications](outputs.tf#L49) | GKE PubSub notifications topic. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -33,56 +33,53 @@ module "cluster-1-nodepool-1" {
|
|||
}
|
||||
# tftest:modules=1:resources=2
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| cluster_name | Cluster name. | <code>string</code> | ✓ | |
|
||||
| location | Cluster location. | <code>string</code> | ✓ | |
|
||||
| project_id | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| autoscaling_config | Optional autoscaling configuration. | <code title="object({ min_node_count = number max_node_count = number })">object({…})</code> | | <code>null</code> |
|
||||
| gke_version | Kubernetes nodes version. Ignored if auto_upgrade is set in management_config. | <code>string</code> | | <code>null</code> |
|
||||
| initial_node_count | Initial number of nodes for the pool. | <code>number</code> | | <code>1</code> |
|
||||
| kubelet_config | Kubelet configuration. | <code title="object({ cpu_cfs_quota = string cpu_cfs_quota_period = string cpu_manager_policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| linux_node_config_sysctls | Linux node configuration. | <code>map(string)</code> | | <code>null</code> |
|
||||
| management_config | Optional node management configuration. | <code title="object({ auto_repair = bool auto_upgrade = bool })">object({…})</code> | | <code>null</code> |
|
||||
| max_pods_per_node | Maximum number of pods per node. | <code>number</code> | | <code>null</code> |
|
||||
| name | Optional nodepool name. | <code>string</code> | | <code>null</code> |
|
||||
| node_boot_disk_kms_key | Customer Managed Encryption Key used to encrypt the boot disk attached to each node | <code>string</code> | | <code>null</code> |
|
||||
| node_count | Number of nodes per instance group, can be updated after creation. Ignored when autoscaling is set. | <code>number</code> | | <code>null</code> |
|
||||
| node_disk_size | Node disk size, defaults to 100GB. | <code>number</code> | | <code>100</code> |
|
||||
| node_disk_type | Node disk type, defaults to pd-standard. | <code>string</code> | | <code>"pd-standard"</code> |
|
||||
| node_guest_accelerator | Map of type and count of attached accelerator cards. | <code>map(number)</code> | | <code>{}</code> |
|
||||
| node_image_type | Nodes image type. | <code>string</code> | | <code>null</code> |
|
||||
| node_labels | Kubernetes labels attached to nodes. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| node_local_ssd_count | Number of local SSDs attached to nodes. | <code>number</code> | | <code>0</code> |
|
||||
| node_locations | Optional list of zones in which nodes should be located. Uses cluster locations if unset. | <code>list(string)</code> | | <code>null</code> |
|
||||
| node_machine_type | Nodes machine type. | <code>string</code> | | <code>"n1-standard-1"</code> |
|
||||
| node_metadata | Metadata key/value pairs assigned to nodes. Set disable-legacy-endpoints to true when using this variable. | <code>map(string)</code> | | <code>null</code> |
|
||||
| node_min_cpu_platform | Minimum CPU platform for nodes. | <code>string</code> | | <code>null</code> |
|
||||
| node_preemptible | Use preemptible VMs for nodes. | <code>bool</code> | | <code>null</code> |
|
||||
| node_sandbox_config | GKE Sandbox configuration. Needs image_type set to COS_CONTAINERD and node_version set to 1.12.7-gke.17 when using this variable. | <code>string</code> | | <code>null</code> |
|
||||
| node_service_account | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| node_service_account_create | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| node_service_account_scopes | Scopes applied to service account. Default to: 'cloud-platform' when creating a service account; 'devstorage.read_only', 'logging.write', 'monitoring.write' otherwise. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| node_shielded_instance_config | Shielded instance options. | <code title="object({ enable_secure_boot = bool enable_integrity_monitoring = bool })">object({…})</code> | | <code>null</code> |
|
||||
| node_tags | Network tags applied to nodes. | <code>list(string)</code> | | <code>null</code> |
|
||||
| node_taints | Kubernetes taints applied to nodes. E.g. type=blue:NoSchedule | <code>list(string)</code> | | <code>[]</code> |
|
||||
| upgrade_config | Optional node upgrade configuration. | <code title="object({ max_surge = number max_unavailable = number })">object({…})</code> | | <code>null</code> |
|
||||
| workload_metadata_config | Metadata configuration to expose to workloads on the node pool. | <code>string</code> | | <code>"GKE_METADATA"</code> |
|
||||
| [cluster_name](variables.tf#L26) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [location](variables.tf#L59) | Cluster location. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L210) | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| [autoscaling_config](variables.tf#L17) | Optional autoscaling configuration. | <code title="object({ min_node_count = number max_node_count = number })">object({…})</code> | | <code>null</code> |
|
||||
| [gke_version](variables.tf#L31) | Kubernetes nodes version. Ignored if auto_upgrade is set in management_config. | <code>string</code> | | <code>null</code> |
|
||||
| [initial_node_count](variables.tf#L37) | Initial number of nodes for the pool. | <code>number</code> | | <code>1</code> |
|
||||
| [kubelet_config](variables.tf#L43) | Kubelet configuration. | <code title="object({ cpu_cfs_quota = string cpu_cfs_quota_period = string cpu_manager_policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [linux_node_config_sysctls](variables.tf#L53) | Linux node configuration. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [management_config](variables.tf#L64) | Optional node management configuration. | <code title="object({ auto_repair = bool auto_upgrade = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [max_pods_per_node](variables.tf#L73) | Maximum number of pods per node. | <code>number</code> | | <code>null</code> |
|
||||
| [name](variables.tf#L79) | Optional nodepool name. | <code>string</code> | | <code>null</code> |
|
||||
| [node_boot_disk_kms_key](variables.tf#L85) | Customer Managed Encryption Key used to encrypt the boot disk attached to each node | <code>string</code> | | <code>null</code> |
|
||||
| [node_count](variables.tf#L91) | Number of nodes per instance group, can be updated after creation. Ignored when autoscaling is set. | <code>number</code> | | <code>null</code> |
|
||||
| [node_disk_size](variables.tf#L97) | Node disk size, defaults to 100GB. | <code>number</code> | | <code>100</code> |
|
||||
| [node_disk_type](variables.tf#L103) | Node disk type, defaults to pd-standard. | <code>string</code> | | <code>"pd-standard"</code> |
|
||||
| [node_guest_accelerator](variables.tf#L109) | Map of type and count of attached accelerator cards. | <code>map(number)</code> | | <code>{}</code> |
|
||||
| [node_image_type](variables.tf#L115) | Nodes image type. | <code>string</code> | | <code>null</code> |
|
||||
| [node_labels](variables.tf#L121) | Kubernetes labels attached to nodes. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [node_local_ssd_count](variables.tf#L127) | Number of local SSDs attached to nodes. | <code>number</code> | | <code>0</code> |
|
||||
| [node_locations](variables.tf#L132) | Optional list of zones in which nodes should be located. Uses cluster locations if unset. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [node_machine_type](variables.tf#L138) | Nodes machine type. | <code>string</code> | | <code>"n1-standard-1"</code> |
|
||||
| [node_metadata](variables.tf#L144) | Metadata key/value pairs assigned to nodes. Set disable-legacy-endpoints to true when using this variable. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [node_min_cpu_platform](variables.tf#L150) | Minimum CPU platform for nodes. | <code>string</code> | | <code>null</code> |
|
||||
| [node_preemptible](variables.tf#L156) | Use preemptible VMs for nodes. | <code>bool</code> | | <code>null</code> |
|
||||
| [node_sandbox_config](variables.tf#L162) | GKE Sandbox configuration. Needs image_type set to COS_CONTAINERD and node_version set to 1.12.7-gke.17 when using this variable. | <code>string</code> | | <code>null</code> |
|
||||
| [node_service_account](variables.tf#L168) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| [node_service_account_create](variables.tf#L174) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [node_service_account_scopes](variables.tf#L182) | Scopes applied to service account. Default to: 'cloud-platform' when creating a service account; 'devstorage.read_only', 'logging.write', 'monitoring.write' otherwise. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [node_shielded_instance_config](variables.tf#L188) | Shielded instance options. | <code title="object({ enable_secure_boot = bool enable_integrity_monitoring = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [node_tags](variables.tf#L197) | Network tags applied to nodes. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [node_taints](variables.tf#L203) | Kubernetes taints applied to nodes. E.g. type=blue:NoSchedule | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [upgrade_config](variables.tf#L215) | Optional node upgrade configuration. | <code title="object({ max_surge = number max_unavailable = number })">object({…})</code> | | <code>null</code> |
|
||||
| [workload_metadata_config](variables.tf#L224) | Metadata configuration to expose to workloads on the node pool. | <code>string</code> | | <code>"GKE_METADATA"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| name | Nodepool name. | |
|
||||
| service_account | Service account resource. | |
|
||||
| service_account_email | Service account email. | |
|
||||
| service_account_iam_email | Service account email. | |
|
||||
| [name](outputs.tf#L17) | Nodepool name. | |
|
||||
| [service_account](outputs.tf#L22) | Service account resource. | |
|
||||
| [service_account_email](outputs.tf#L31) | Service account email. | |
|
||||
| [service_account_iam_email](outputs.tf#L36) | Service account email. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -30,29 +30,29 @@ module "myproject-default-service-accounts" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | Name of the service account to create. | <code>string</code> | ✓ | |
|
||||
| project_id | Project id where service account will be created. | <code>string</code> | ✓ | |
|
||||
| description | Optional description. | <code>string</code> | | <code>null</code> |
|
||||
| display_name | Display name of the service account to create. | <code>string</code> | | <code>"Terraform-managed."</code> |
|
||||
| generate_key | Generate a key for service account. | <code>bool</code> | | <code>false</code> |
|
||||
| iam | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_billing_roles | Billing account roles granted to the service account, by billing account id. Non-authoritative. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_folder_roles | Folder roles granted to the service account, by folder id. Non-authoritative. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_organization_roles | Organization roles granted to the service account, by organization id. Non-authoritative. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_project_roles | Project roles granted to the service account, by project id. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_storage_roles | Storage roles granted to the service account, by bucket name. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| prefix | Prefix applied to service account names. | <code>string</code> | | <code>null</code> |
|
||||
| public_keys_directory | Path to public keys data files to upload to the service account (should have `.pem` extension). | <code>string</code> | | <code>""</code> |
|
||||
| service_account_create | Create service account. When set to false, uses a data source to reference an existing service account. | <code>bool</code> | | <code>true</code> |
|
||||
| [name](variables.tf#L71) | Name of the service account to create. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L82) | Project id where service account will be created. | <code>string</code> | ✓ | |
|
||||
| [description](variables.tf#L17) | Optional description. | <code>string</code> | | <code>null</code> |
|
||||
| [display_name](variables.tf#L23) | Display name of the service account to create. | <code>string</code> | | <code>"Terraform-managed."</code> |
|
||||
| [generate_key](variables.tf#L29) | Generate a key for service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [iam](variables.tf#L35) | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_billing_roles](variables.tf#L41) | Billing account roles granted to the service account, by billing account id. Non-authoritative. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_folder_roles](variables.tf#L47) | Folder roles granted to the service account, by folder id. Non-authoritative. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_organization_roles](variables.tf#L53) | Organization roles granted to the service account, by organization id. Non-authoritative. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_project_roles](variables.tf#L59) | Project roles granted to the service account, by project id. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_storage_roles](variables.tf#L65) | Storage roles granted to the service account, by bucket name. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L76) | Prefix applied to service account names. | <code>string</code> | | <code>null</code> |
|
||||
| [public_keys_directory](variables.tf#L87) | Path to public keys data files to upload to the service account (should have `.pem` extension). | <code>string</code> | | <code>""</code> |
|
||||
| [service_account_create](variables.tf#L93) | Create service account. When set to false, uses a data source to reference an existing service account. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| email | Service account email. | |
|
||||
| iam_email | IAM-format service account email. | |
|
||||
| key | Service account key. | ✓ |
|
||||
| service_account | Service account resource. | |
|
||||
| service_account_credentials | Service account json credential templates for uploaded public keys data. | |
|
||||
| [email](outputs.tf#L17) | Service account email. | |
|
||||
| [iam_email](outputs.tf#L25) | IAM-format service account email. | |
|
||||
| [key](outputs.tf#L33) | Service account key. | ✓ |
|
||||
| [service_account](outputs.tf#L39) | Service account resource. | |
|
||||
| [service_account_credentials](outputs.tf#L44) | Service account json credential templates for uploaded public keys data. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -79,38 +79,32 @@ module "kms" {
|
|||
}
|
||||
# tftest:modules=1:resources=4
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| keyring | Keyring attributes. | <code title="object({ location = string name = string })">object({…})</code> | ✓ | |
|
||||
| project_id | Project id where the keyring will be created. | <code>string</code> | ✓ | |
|
||||
| iam | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_additive | Keyring IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| key_iam | Key IAM bindings in {KEY => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| key_iam_additive | Key IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| key_purpose | Per-key purpose, if not set defaults will be used. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="map(object({ purpose = string version_template = object({ algorithm = string protection_level = string }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| key_purpose_defaults | Defaults used for key purpose when not defined at the key level. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="object({ purpose = string version_template = object({ algorithm = string protection_level = string }) })">object({…})</code> | | <code title="{ purpose = null version_template = null }">{…}</code> |
|
||||
| keyring_create | Set to false to manage keys and IAM bindings in an existing keyring. | <code>bool</code> | | <code>true</code> |
|
||||
| keys | Key names and base attributes. Set attributes to null if not needed. | <code title="map(object({ rotation_period = string labels = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [keyring](variables.tf#L70) | Keyring attributes. | <code title="object({ location = string name = string })">object({…})</code> | ✓ | |
|
||||
| [project_id](variables.tf#L93) | Project id where the keyring will be created. | <code>string</code> | ✓ | |
|
||||
| [iam](variables.tf#L17) | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive](variables.tf#L23) | Keyring IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [key_iam](variables.tf#L29) | Key IAM bindings in {KEY => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [key_iam_additive](variables.tf#L35) | Key IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [key_purpose](variables.tf#L41) | Per-key purpose, if not set defaults will be used. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="map(object({ purpose = string version_template = object({ algorithm = string protection_level = string }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [key_purpose_defaults](variables.tf#L53) | Defaults used for key purpose when not defined at the key level. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="object({ purpose = string version_template = object({ algorithm = string protection_level = string }) })">object({…})</code> | | <code title="{ purpose = null version_template = null }">{…}</code> |
|
||||
| [keyring_create](variables.tf#L78) | Set to false to manage keys and IAM bindings in an existing keyring. | <code>bool</code> | | <code>true</code> |
|
||||
| [keys](variables.tf#L84) | Key names and base attributes. Set attributes to null if not needed. | <code title="map(object({ rotation_period = string labels = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | Keyring self link. | |
|
||||
| key_ids | Key self links. | |
|
||||
| keyring | Keyring resource. | |
|
||||
| keys | Key resources. | |
|
||||
| location | Keyring location. | |
|
||||
| name | Keyring name. | |
|
||||
| [id](outputs.tf#L17) | Keyring self link. | |
|
||||
| [key_ids](outputs.tf#L25) | Key self links. | |
|
||||
| [keyring](outputs.tf#L36) | Keyring resource. | |
|
||||
| [keys](outputs.tf#L44) | Key resources. | |
|
||||
| [location](outputs.tf#L52) | Keyring location. | |
|
||||
| [name](outputs.tf#L60) | Keyring name. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -39,27 +39,23 @@ module "bucket-default" {
|
|||
}
|
||||
# tftest:modules=2:resources=2
|
||||
```
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| id | Name of the logging bucket. | <code>string</code> | ✓ | |
|
||||
| parent | ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | <code>string</code> | ✓ | |
|
||||
| parent_type | Parent object type for the bucket (project, folder, organization, billing_account). | <code>string</code> | ✓ | |
|
||||
| description | Human-readable description for the logging bucket. | <code>string</code> | | <code>null</code> |
|
||||
| location | Location of the bucket. | <code>string</code> | | <code>"global"</code> |
|
||||
| retention | Retention time in days for the logging bucket. | <code>number</code> | | <code>30</code> |
|
||||
| [id](variables.tf#L23) | Name of the logging bucket. | <code>string</code> | ✓ | |
|
||||
| [parent](variables.tf#L34) | ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | <code>string</code> | ✓ | |
|
||||
| [parent_type](variables.tf#L39) | Parent object type for the bucket (project, folder, organization, billing_account). | <code>string</code> | ✓ | |
|
||||
| [description](variables.tf#L17) | Human-readable description for the logging bucket. | <code>string</code> | | <code>null</code> |
|
||||
| [location](variables.tf#L28) | Location of the bucket. | <code>string</code> | | <code>"global"</code> |
|
||||
| [retention](variables.tf#L44) | Retention time in days for the logging bucket. | <code>number</code> | | <code>30</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | ID of the created bucket. | |
|
||||
| [id](outputs.tf#L17) | ID of the created bucket. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -64,29 +64,26 @@ module "project-tf" {
|
|||
name = module.names-org.names.prj.tf
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| environment | Environment abbreviation used in names and labels. | <code>string</code> | ✓ | |
|
||||
| resources | Short resource names by type. | <code>map(list(string))</code> | ✓ | |
|
||||
| team | Team name. | <code>string</code> | ✓ | |
|
||||
| labels | Per-resource labels. | <code>map(map(map(string)))</code> | | <code>{}</code> |
|
||||
| prefix | Optional name prefix. | <code>string</code> | | <code>null</code> |
|
||||
| separator_override | Optional separator override for specific resource types. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| suffix | Optional name suffix. | <code>string</code> | | <code>null</code> |
|
||||
| use_resource_prefixes | Prefix names with the resource type. | <code>bool</code> | | <code>false</code> |
|
||||
| [environment](variables.tf#L17) | Environment abbreviation used in names and labels. | <code>string</code> | ✓ | |
|
||||
| [resources](variables.tf#L34) | Short resource names by type. | <code>map(list(string))</code> | ✓ | |
|
||||
| [team](variables.tf#L51) | Team name. | <code>string</code> | ✓ | |
|
||||
| [labels](variables.tf#L22) | Per-resource labels. | <code>map(map(map(string)))</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L28) | Optional name prefix. | <code>string</code> | | <code>null</code> |
|
||||
| [separator_override](variables.tf#L39) | Optional separator override for specific resource types. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [suffix](variables.tf#L45) | Optional name suffix. | <code>string</code> | | <code>null</code> |
|
||||
| [use_resource_prefixes](variables.tf#L56) | Prefix names with the resource type. | <code>bool</code> | | <code>false</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| labels | Per resource labels. | |
|
||||
| names | Per resource names. | |
|
||||
| [labels](outputs.tf#L17) | Per resource labels. | |
|
||||
| [names](outputs.tf#L22) | Per resource names. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -83,31 +83,28 @@ module "addresses" {
|
|||
}
|
||||
# tftest:modules=1:resources=2
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project where the addresses will be created. | <code>string</code> | ✓ | |
|
||||
| external_addresses | Map of external address regions, keyed by name. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| global_addresses | List of global addresses to create. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| internal_addresses | Map of internal addresses to create, keyed by name. | <code title="map(object({ region = string subnetwork = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| internal_addresses_config | Optional configuration for internal addresses, keyed by name. Unused options can be set to null. | <code title="map(object({ address = string purpose = string tier = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| psa_addresses | Map of internal addresses used for Private Service Access. | <code title="map(object({ address = string network = string prefix_length = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| psc_addresses | Map of internal addresses used for Private Service Connect. | <code title="map(object({ address = string network = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [project_id](variables.tf#L60) | Project where the addresses will be created. | <code>string</code> | ✓ | |
|
||||
| [external_addresses](variables.tf#L17) | Map of external address regions, keyed by name. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [global_addresses](variables.tf#L29) | List of global addresses to create. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [internal_addresses](variables.tf#L35) | Map of internal addresses to create, keyed by name. | <code title="map(object({ region = string subnetwork = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [internal_addresses_config](variables.tf#L44) | Optional configuration for internal addresses, keyed by name. Unused options can be set to null. | <code title="map(object({ address = string purpose = string tier = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psa_addresses](variables.tf#L65) | Map of internal addresses used for Private Service Access. | <code title="map(object({ address = string network = string prefix_length = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [psc_addresses](variables.tf#L75) | Map of internal addresses used for Private Service Connect. | <code title="map(object({ address = string network = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| external_addresses | Allocated external addresses. | |
|
||||
| global_addresses | Allocated global external addresses. | |
|
||||
| internal_addresses | Allocated internal addresses. | |
|
||||
| psa_addresses | Allocated internal addresses for PSA endpoints. | |
|
||||
| psc_addresses | Allocated internal addresses for PSC endpoints. | |
|
||||
| [external_addresses](outputs.tf#L17) | Allocated external addresses. | |
|
||||
| [global_addresses](outputs.tf#L28) | Allocated global external addresses. | |
|
||||
| [internal_addresses](outputs.tf#L39) | Allocated internal addresses. | |
|
||||
| [psa_addresses](outputs.tf#L50) | Allocated internal addresses for PSA endpoints. | |
|
||||
| [psc_addresses](outputs.tf#L62) | Allocated internal addresses for PSC endpoints. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -14,37 +14,34 @@ module "nat" {
|
|||
}
|
||||
# tftest:modules=1:resources=2
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | Name of the Cloud NAT resource. | <code>string</code> | ✓ | |
|
||||
| project_id | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| region | Region where resources will be created. | <code>string</code> | ✓ | |
|
||||
| addresses | Optional list of external address self links. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| config_min_ports_per_vm | Minimum number of ports allocated to a VM from this NAT config. | <code>number</code> | | <code>64</code> |
|
||||
| config_source_subnets | Subnetwork configuration (ALL_SUBNETWORKS_ALL_IP_RANGES, ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, LIST_OF_SUBNETWORKS). | <code>string</code> | | <code>"ALL_SUBNETWORKS_ALL_IP_RANGES"</code> |
|
||||
| config_timeouts | Timeout configurations. | <code title="object({ icmp = number tcp_established = number tcp_transitory = number udp = number })">object({…})</code> | | <code title="{ icmp = 30 tcp_established = 1200 tcp_transitory = 30 udp = 30 }">{…}</code> |
|
||||
| logging_filter | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | <code>string</code> | | <code>null</code> |
|
||||
| router_asn | Router ASN used for auto-created router. | <code>number</code> | | <code>64514</code> |
|
||||
| router_create | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| router_name | Router name, leave blank if router will be created to use auto generated name. | <code>string</code> | | <code>null</code> |
|
||||
| router_network | Name of the VPC used for auto-created router. | <code>string</code> | | <code>null</code> |
|
||||
| subnetworks | Subnetworks to NAT, only used when config_source_subnets equals LIST_OF_SUBNETWORKS. | <code title="list(object({ self_link = string, config_source_ranges = list(string) secondary_ranges = list(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [name](variables.tf#L57) | Name of the Cloud NAT resource. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L62) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L67) | Region where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [addresses](variables.tf#L17) | Optional list of external address self links. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [config_min_ports_per_vm](variables.tf#L23) | Minimum number of ports allocated to a VM from this NAT config. | <code>number</code> | | <code>64</code> |
|
||||
| [config_source_subnets](variables.tf#L29) | Subnetwork configuration (ALL_SUBNETWORKS_ALL_IP_RANGES, ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, LIST_OF_SUBNETWORKS). | <code>string</code> | | <code>"ALL_SUBNETWORKS_ALL_IP_RANGES"</code> |
|
||||
| [config_timeouts](variables.tf#L35) | Timeout configurations. | <code title="object({ icmp = number tcp_established = number tcp_transitory = number udp = number })">object({…})</code> | | <code title="{ icmp = 30 tcp_established = 1200 tcp_transitory = 30 udp = 30 }">{…}</code> |
|
||||
| [logging_filter](variables.tf#L51) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | <code>string</code> | | <code>null</code> |
|
||||
| [router_asn](variables.tf#L72) | Router ASN used for auto-created router. | <code>number</code> | | <code>64514</code> |
|
||||
| [router_create](variables.tf#L78) | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| [router_name](variables.tf#L84) | Router name, leave blank if router will be created to use auto generated name. | <code>string</code> | | <code>null</code> |
|
||||
| [router_network](variables.tf#L90) | Name of the VPC used for auto-created router. | <code>string</code> | | <code>null</code> |
|
||||
| [subnetworks](variables.tf#L96) | Subnetworks to NAT, only used when config_source_subnets equals LIST_OF_SUBNETWORKS. | <code title="list(object({ self_link = string, config_source_ranges = list(string) secondary_ranges = list(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| name | Name of the Cloud NAT. | |
|
||||
| nat_ip_allocate_option | NAT IP allocation mode. | |
|
||||
| region | Cloud NAT region. | |
|
||||
| router | Cloud NAT router resources (if auto created). | |
|
||||
| router_name | Cloud NAT router name. | |
|
||||
| [name](outputs.tf#L17) | Name of the Cloud NAT. | |
|
||||
| [nat_ip_allocate_option](outputs.tf#L22) | NAT IP allocation mode. | |
|
||||
| [region](outputs.tf#L27) | Cloud NAT region. | |
|
||||
| [router](outputs.tf#L32) | Cloud NAT router resources (if auto created). | |
|
||||
| [router_name](outputs.tf#L41) | Cloud NAT router name. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -107,48 +107,45 @@ module "ilb" {
|
|||
}
|
||||
# tftest:modules=3:resources=7
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| backends | Load balancer backends, balancing mode is one of 'CONNECTION' or 'UTILIZATION'. | <code title="list(object({ failover = bool group = string balancing_mode = string }))">list(object({…}))</code> | ✓ | |
|
||||
| name | Name used for all resources. | <code>string</code> | ✓ | |
|
||||
| network | Network used for resources. | <code>string</code> | ✓ | |
|
||||
| project_id | Project id where resources will be created. | <code>string</code> | ✓ | |
|
||||
| region | GCP region. | <code>string</code> | ✓ | |
|
||||
| subnetwork | Subnetwork used for the forwarding rule. | <code>string</code> | ✓ | |
|
||||
| address | Optional IP address used for the forwarding rule. | <code>string</code> | | <code>null</code> |
|
||||
| backend_config | Optional backend configuration. | <code title="object({ session_affinity = string timeout_sec = number connection_draining_timeout_sec = number })">object({…})</code> | | <code>null</code> |
|
||||
| failover_config | Optional failover configuration. | <code title="object({ disable_connection_drain = bool drop_traffic_if_unhealthy = bool ratio = number })">object({…})</code> | | <code>null</code> |
|
||||
| global_access | Global access, defaults to false if not set. | <code>bool</code> | | <code>null</code> |
|
||||
| group_configs | Optional unmanaged groups to create. Can be referenced in backends via outputs. | <code title="map(object({ instances = list(string) named_ports = map(number) zone = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| health_check | Name of existing health check to use, disables auto-created health check. | <code>string</code> | | <code>null</code> |
|
||||
| health_check_config | Configuration of the auto-created helth check. | <code title="object({ type = string # http https tcp ssl http2 check = map(any) # actual health check block attributes config = map(number) # interval, thresholds, timeout logging = bool })">object({…})</code> | | <code title="{ type = "http" check = { port_specification = "USE_SERVING_PORT" } config = {} logging = false }">{…}</code> |
|
||||
| labels | Labels set on resources. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| ports | Comma-separated ports, leave null to use all ports. | <code>list(string)</code> | | <code>null</code> |
|
||||
| protocol | IP protocol used, defaults to TCP. | <code>string</code> | | <code>"TCP"</code> |
|
||||
| service_label | Optional prefix of the fully qualified forwarding rule name. | <code>string</code> | | <code>null</code> |
|
||||
| [backends](variables.tf#L33) | Load balancer backends, balancing mode is one of 'CONNECTION' or 'UTILIZATION'. | <code title="list(object({ failover = bool group = string balancing_mode = string }))">list(object({…}))</code> | ✓ | |
|
||||
| [name](variables.tf#L98) | Name used for all resources. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L103) | Network used for resources. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L114) | Project id where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L125) | GCP region. | <code>string</code> | ✓ | |
|
||||
| [subnetwork](variables.tf#L136) | Subnetwork used for the forwarding rule. | <code>string</code> | ✓ | |
|
||||
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | <code>string</code> | | <code>null</code> |
|
||||
| [backend_config](variables.tf#L23) | Optional backend configuration. | <code title="object({ session_affinity = string timeout_sec = number connection_draining_timeout_sec = number })">object({…})</code> | | <code>null</code> |
|
||||
| [failover_config](variables.tf#L42) | Optional failover configuration. | <code title="object({ disable_connection_drain = bool drop_traffic_if_unhealthy = bool ratio = number })">object({…})</code> | | <code>null</code> |
|
||||
| [global_access](variables.tf#L52) | Global access, defaults to false if not set. | <code>bool</code> | | <code>null</code> |
|
||||
| [group_configs](variables.tf#L58) | Optional unmanaged groups to create. Can be referenced in backends via outputs. | <code title="map(object({ instances = list(string) named_ports = map(number) zone = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [health_check](variables.tf#L68) | Name of existing health check to use, disables auto-created health check. | <code>string</code> | | <code>null</code> |
|
||||
| [health_check_config](variables.tf#L74) | Configuration of the auto-created helth check. | <code title="object({ type = string # http https tcp ssl http2 check = map(any) # actual health check block attributes config = map(number) # interval, thresholds, timeout logging = bool })">object({…})</code> | | <code title="{ type = "http" check = { port_specification = "USE_SERVING_PORT" } config = {} logging = false }">{…}</code> |
|
||||
| [labels](variables.tf#L92) | Labels set on resources. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [ports](variables.tf#L108) | Comma-separated ports, leave null to use all ports. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [protocol](variables.tf#L119) | IP protocol used, defaults to TCP. | <code>string</code> | | <code>"TCP"</code> |
|
||||
| [service_label](variables.tf#L130) | Optional prefix of the fully qualified forwarding rule name. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| backend | Backend resource. | |
|
||||
| backend_id | Backend id. | |
|
||||
| backend_self_link | Backend self link. | |
|
||||
| forwarding_rule | Forwarding rule resource. | |
|
||||
| forwarding_rule_address | Forwarding rule address. | |
|
||||
| forwarding_rule_id | Forwarding rule id. | |
|
||||
| forwarding_rule_self_link | Forwarding rule self link. | |
|
||||
| group_self_links | Optional unmanaged instance group self links. | |
|
||||
| groups | Optional unmanaged instance group resources. | |
|
||||
| health_check | Auto-created health-check resource. | |
|
||||
| health_check_self_id | Auto-created health-check self id. | |
|
||||
| health_check_self_link | Auto-created health-check self link. | |
|
||||
| [backend](outputs.tf#L17) | Backend resource. | |
|
||||
| [backend_id](outputs.tf#L22) | Backend id. | |
|
||||
| [backend_self_link](outputs.tf#L27) | Backend self link. | |
|
||||
| [forwarding_rule](outputs.tf#L32) | Forwarding rule resource. | |
|
||||
| [forwarding_rule_address](outputs.tf#L37) | Forwarding rule address. | |
|
||||
| [forwarding_rule_id](outputs.tf#L42) | Forwarding rule id. | |
|
||||
| [forwarding_rule_self_link](outputs.tf#L47) | Forwarding rule self link. | |
|
||||
| [group_self_links](outputs.tf#L52) | Optional unmanaged instance group self links. | |
|
||||
| [groups](outputs.tf#L59) | Optional unmanaged instance group resources. | |
|
||||
| [health_check](outputs.tf#L64) | Auto-created health-check resource. | |
|
||||
| [health_check_self_id](outputs.tf#L69) | Auto-created health-check self id. | |
|
||||
| [health_check_self_link](outputs.tf#L74) | Auto-created health-check self link. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -103,33 +103,30 @@ module "vlan-attachment-2" {
|
|||
}
|
||||
# tftest:modules=2:resources=8
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| interconnect | URL of the underlying Interconnect object that this attachment's traffic will traverse through. | <code>string</code> | ✓ | |
|
||||
| peer | Peer Ip address and asn. Only IPv4 supported | <code title="object({ ip_address = string asn = number })">object({…})</code> | ✓ | |
|
||||
| project_id | The project containing the resources | <code>string</code> | ✓ | |
|
||||
| router_config | Router asn and custom advertisement configuration, ip_ranges is a map of address ranges and descriptions.. | <code title="object({ description = string asn = number advertise_config = object({ groups = list(string) ip_ranges = map(string) mode = string }) }) default = { description = null asn = 64514 advertise_config = null }">object({…}</code> | ✓ | |
|
||||
| bgp | Bgp session parameters | <code title="object({ session_range = string candidate_ip_ranges = list(string) advertised_route_priority = number })">object({…})</code> | | <code>null</code> |
|
||||
| config | VLAN attachment parameters: description, vlan_id, bandwidth, admin_enabled, interconnect | <code title="object({ description = string vlan_id = number bandwidth = string admin_enabled = bool mtu = number })">object({…})</code> | | <code title="{ description = null vlan_id = null bandwidth = "BPS_10G" admin_enabled = true mtu = 1440 }">{…}</code> |
|
||||
| name | The name of the vlan attachment | <code>string</code> | | <code>"vlan-attachment"</code> |
|
||||
| region | Region where the router resides | <code>string</code> | | <code>"europe-west1-b"</code> |
|
||||
| router_create | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| router_name | Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use vlan attachment name for auto created router. | <code>string</code> | | <code>"router-vlan-attachment"</code> |
|
||||
| router_network | A reference to the network to which this router belongs | <code>string</code> | | <code>null</code> |
|
||||
| [interconnect](variables.tf#L46) | URL of the underlying Interconnect object that this attachment's traffic will traverse through. | <code>string</code> | ✓ | |
|
||||
| [peer](variables.tf#L57) | Peer Ip address and asn. Only IPv4 supported | <code title="object({ ip_address = string asn = number })">object({…})</code> | ✓ | |
|
||||
| [project_id](variables.tf#L65) | The project containing the resources | <code>string</code> | ✓ | |
|
||||
| [router_config](variables.tf#L76) | Router asn and custom advertisement configuration, ip_ranges is a map of address ranges and descriptions.. | <code title="object({ description = string asn = number advertise_config = object({ groups = list(string) ip_ranges = map(string) mode = string }) }) default = { description = null asn = 64514 advertise_config = null }">object({…}</code> | ✓ | |
|
||||
| [bgp](variables.tf#L17) | Bgp session parameters | <code title="object({ session_range = string candidate_ip_ranges = list(string) advertised_route_priority = number })">object({…})</code> | | <code>null</code> |
|
||||
| [config](variables.tf#L28) | VLAN attachment parameters: description, vlan_id, bandwidth, admin_enabled, interconnect | <code title="object({ description = string vlan_id = number bandwidth = string admin_enabled = bool mtu = number })">object({…})</code> | | <code title="{ description = null vlan_id = null bandwidth = "BPS_10G" admin_enabled = true mtu = 1440 }">{…}</code> |
|
||||
| [name](variables.tf#L51) | The name of the vlan attachment | <code>string</code> | | <code>"vlan-attachment"</code> |
|
||||
| [region](variables.tf#L70) | Region where the router resides | <code>string</code> | | <code>"europe-west1-b"</code> |
|
||||
| [router_create](variables.tf#L95) | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| [router_name](variables.tf#L101) | Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use vlan attachment name for auto created router. | <code>string</code> | | <code>"router-vlan-attachment"</code> |
|
||||
| [router_network](variables.tf#L107) | A reference to the network to which this router belongs | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bgpsession | bgp session | |
|
||||
| interconnect_attachment | interconnect attachment | |
|
||||
| router | Router resource (only if auto-created). | |
|
||||
| [bgpsession](outputs.tf#L16) | bgp session | |
|
||||
| [interconnect_attachment](outputs.tf#L21) | interconnect attachment | |
|
||||
| [router](outputs.tf#L26) | Router resource (only if auto-created). | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -123,36 +123,33 @@ healthchecks:
|
|||
- 209.85.204.0/22
|
||||
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| network | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| project_id | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| admin_ranges | IP CIDR ranges that have complete access to all subnets. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| cidr_template_file | Path for optional file containing name->cidr_list map to be used by the rules factory. | <code>string</code> | | <code>null</code> |
|
||||
| custom_rules | List of custom rule definitions (refer to variables file for syntax). | <code title="map(object({ description = string direction = string action = string # (allow|deny) ranges = list(string) sources = list(string) targets = list(string) use_service_accounts = bool rules = list(object({ protocol = string ports = list(string) })) extra_attributes = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| data_folder | Path for optional folder containing firewall rules defined as YaML objects used by the rules factory. | <code>string</code> | | <code>null</code> |
|
||||
| http_source_ranges | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code>list(string)</code> | | <code>["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||
| https_source_ranges | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code>list(string)</code> | | <code>["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||
| named_ranges | Names that can be used of valid values for the `ranges` field of `custom_rules` | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
| ssh_source_ranges | List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. | <code>list(string)</code> | | <code>["35.235.240.0/20"]</code> |
|
||||
| [network](variables.tf#L80) | Name of the network this set of firewall rules applies to. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L85) | Project id of the project that holds the network. | <code>string</code> | ✓ | |
|
||||
| [admin_ranges](variables.tf#L17) | IP CIDR ranges that have complete access to all subnets. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [cidr_template_file](variables.tf#L23) | Path for optional file containing name->cidr_list map to be used by the rules factory. | <code>string</code> | | <code>null</code> |
|
||||
| [custom_rules](variables.tf#L29) | List of custom rule definitions (refer to variables file for syntax). | <code title="map(object({ description = string direction = string action = string # (allow|deny) ranges = list(string) sources = list(string) targets = list(string) use_service_accounts = bool rules = list(object({ protocol = string ports = list(string) })) extra_attributes = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [data_folder](variables.tf#L48) | Path for optional folder containing firewall rules defined as YaML objects used by the rules factory. | <code>string</code> | | <code>null</code> |
|
||||
| [http_source_ranges](variables.tf#L54) | List of IP CIDR ranges for tag-based HTTP rule, defaults to the health checkers ranges. | <code>list(string)</code> | | <code>["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||
| [https_source_ranges](variables.tf#L60) | List of IP CIDR ranges for tag-based HTTPS rule, defaults to the health checkers ranges. | <code>list(string)</code> | | <code>["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]</code> |
|
||||
| [named_ranges](variables.tf#L66) | Names that can be used of valid values for the `ranges` field of `custom_rules` | <code>map(list(string))</code> | | <code title="{ any = ["0.0.0.0/0"] dns-forwarders = ["35.199.192.0/19"] health-checkers = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"] iap-forwarders = ["35.235.240.0/20"] private-googleapis = ["199.36.153.8/30"] restricted-googleapis = ["199.36.153.4/30"] rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }">{…}</code> |
|
||||
| [ssh_source_ranges](variables.tf#L90) | List of IP CIDR ranges for tag-based SSH rule, defaults to the IAP forwarders range. | <code>list(string)</code> | | <code>["35.235.240.0/20"]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| admin_ranges | Admin ranges data.
|
||||
| [admin_ranges](outputs.tf#L17) | Admin ranges data.
|
||||
value = { enabled = length(var.admin_ranges) > 0 ranges = join(",", var.admin_ranges) } | |
|
||||
| custom_egress_allow_rules | Custom egress rules with allow blocks. | |
|
||||
| custom_egress_deny_rules | Custom egress rules with allow blocks. | |
|
||||
| custom_ingress_allow_rules | Custom ingress rules with allow blocks. | |
|
||||
| custom_ingress_deny_rules | Custom ingress rules with deny blocks. | |
|
||||
| rules | All google_compute_firewall resources created. | |
|
||||
| [custom_egress_allow_rules](outputs.tf#L26) | Custom egress rules with allow blocks. | |
|
||||
| [custom_egress_deny_rules](outputs.tf#L34) | Custom egress rules with allow blocks. | |
|
||||
| [custom_ingress_allow_rules](outputs.tf#L42) | Custom ingress rules with allow blocks. | |
|
||||
| [custom_ingress_deny_rules](outputs.tf#L50) | Custom ingress rules with deny blocks. | |
|
||||
| [rules](outputs.tf#L58) | All google_compute_firewall resources created. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -40,27 +40,24 @@ module "peering-a-c" {
|
|||
}
|
||||
# tftest:modules=2:resources=4
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| local_network | Resource link of the network to add a peering to. | <code>string</code> | ✓ | |
|
||||
| peer_network | Resource link of the peer network. | <code>string</code> | ✓ | |
|
||||
| export_local_custom_routes | Export custom routes to peer network from local network. | <code>bool</code> | | <code>false</code> |
|
||||
| export_peer_custom_routes | Export custom routes to local network from peer network. | <code>bool</code> | | <code>false</code> |
|
||||
| peer_create_peering | Create the peering on the remote side. If false, only the peering from this network to the remote network is created. | <code>bool</code> | | <code>true</code> |
|
||||
| prefix | Name prefix for the network peerings. | <code>string</code> | | <code>"network-peering"</code> |
|
||||
| [local_network](variables.tf#L30) | Resource link of the network to add a peering to. | <code>string</code> | ✓ | |
|
||||
| [peer_network](variables.tf#L41) | Resource link of the peer network. | <code>string</code> | ✓ | |
|
||||
| [export_local_custom_routes](variables.tf#L18) | Export custom routes to peer network from local network. | <code>bool</code> | | <code>false</code> |
|
||||
| [export_peer_custom_routes](variables.tf#L24) | Export custom routes to local network from peer network. | <code>bool</code> | | <code>false</code> |
|
||||
| [peer_create_peering](variables.tf#L35) | Create the peering on the remote side. If false, only the peering from this network to the remote network is created. | <code>bool</code> | | <code>true</code> |
|
||||
| [prefix](variables.tf#L46) | Name prefix for the network peerings. | <code>string</code> | | <code>"network-peering"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| local_network_peering | Network peering resource. | |
|
||||
| peer_network_peering | Peer network peering resource. | |
|
||||
| [local_network_peering](outputs.tf#L17) | Network peering resource. | |
|
||||
| [peer_network_peering](outputs.tf#L22) | Peer network peering resource. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -201,56 +201,52 @@ flow_logs: # enable, set to empty map to use defaults
|
|||
- flow_sampling: 0.5
|
||||
- metadata: "INCLUDE_ALL_METADATA"
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | The name of the network being created | <code>string</code> | ✓ | |
|
||||
| project_id | The ID of the project where this VPC will be created | <code>string</code> | ✓ | |
|
||||
| auto_create_subnetworks | Set to true to create an auto mode subnet, defaults to custom mode. | <code>bool</code> | | <code>false</code> |
|
||||
| data_folder | An optional folder containing the subnet configurations in YaML format. | <code>string</code> | | <code>null</code> |
|
||||
| delete_default_routes_on_create | Set to true to delete the default routes at creation time. | <code>bool</code> | | <code>false</code> |
|
||||
| description | An optional description of this resource (triggers recreation on change). | <code>string</code> | | <code>"Terraform-managed."</code> |
|
||||
| dns_policy | DNS policy setup for the VPC. | <code title="object({ inbound = bool logging = bool outbound = object({ private_ns = list(string) public_ns = list(string) }) })">object({…})</code> | | <code>null</code> |
|
||||
| iam | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| log_config_defaults | Default configuration for flow logs when enabled. | <code title="object({ aggregation_interval = string flow_sampling = number metadata = string })">object({…})</code> | | <code title="{ aggregation_interval = "INTERVAL_5_SEC" flow_sampling = 0.5 metadata = "INCLUDE_ALL_METADATA" }">{…}</code> |
|
||||
| log_configs | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code>map(map(string))</code> | | <code>{}</code> |
|
||||
| mtu | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> | | <code>null</code> |
|
||||
| peering_config | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string export_routes = bool import_routes = bool })">object({…})</code> | | <code>null</code> |
|
||||
| peering_create_remote_end | Skip creation of peering on the remote end when using peering_config | <code>bool</code> | | <code>true</code> |
|
||||
| psn_ranges | CIDR ranges used for Google services that support Private Service Networking. | <code>list(string)</code> | | <code>null</code> |
|
||||
| routes | Network routes, keyed by name. | <code title="map(object({ dest_range = string priority = number tags = list(string) next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| routing_mode | The network routing mode (default 'GLOBAL') | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| shared_vpc_host | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| shared_vpc_service_projects | Shared VPC service projects to register with this host | <code>list(string)</code> | | <code>[]</code> |
|
||||
| subnet_descriptions | Optional map of subnet descriptions, keyed by subnet 'region/name'. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| subnet_flow_logs | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| subnet_private_access | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| subnets | List of subnets being created. | <code title="list(object({ name = string ip_cidr_range = string region = string secondary_ip_range = map(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| subnets_l7ilb | List of subnets for private HTTPS load balancer. | <code title="list(object({ active = bool name = string ip_cidr_range = string region = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| vpc_create | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
| [name](variables.tf#L85) | The name of the network being created | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L106) | The ID of the project where this VPC will be created | <code>string</code> | ✓ | |
|
||||
| [auto_create_subnetworks](variables.tf#L17) | Set to true to create an auto mode subnet, defaults to custom mode. | <code>bool</code> | | <code>false</code> |
|
||||
| [data_folder](variables.tf#L23) | An optional folder containing the subnet configurations in YaML format. | <code>string</code> | | <code>null</code> |
|
||||
| [delete_default_routes_on_create](variables.tf#L29) | Set to true to delete the default routes at creation time. | <code>bool</code> | | <code>false</code> |
|
||||
| [description](variables.tf#L35) | An optional description of this resource (triggers recreation on change). | <code>string</code> | | <code>"Terraform-managed."</code> |
|
||||
| [dns_policy](variables.tf#L41) | DNS policy setup for the VPC. | <code title="object({ inbound = bool logging = bool outbound = object({ private_ns = list(string) public_ns = list(string) }) })">object({…})</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L54) | Subnet IAM bindings in {REGION/NAME => {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [log_config_defaults](variables.tf#L60) | Default configuration for flow logs when enabled. | <code title="object({ aggregation_interval = string flow_sampling = number metadata = string })">object({…})</code> | | <code title="{ aggregation_interval = "INTERVAL_5_SEC" flow_sampling = 0.5 metadata = "INCLUDE_ALL_METADATA" }">{…}</code> |
|
||||
| [log_configs](variables.tf#L74) | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code>map(map(string))</code> | | <code>{}</code> |
|
||||
| [mtu](variables.tf#L80) | Maximum Transmission Unit in bytes. The minimum value for this field is 1460 and the maximum value is 1500 bytes. | <code></code> | | <code>null</code> |
|
||||
| [peering_config](variables.tf#L90) | VPC peering configuration. | <code title="object({ peer_vpc_self_link = string export_routes = bool import_routes = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [peering_create_remote_end](variables.tf#L100) | Skip creation of peering on the remote end when using peering_config | <code>bool</code> | | <code>true</code> |
|
||||
| [psn_ranges](variables.tf#L111) | CIDR ranges used for Google services that support Private Service Networking. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [routes](variables.tf#L124) | Network routes, keyed by name. | <code title="map(object({ dest_range = string priority = number tags = list(string) next_hop_type = string # gateway, instance, ip, vpn_tunnel, ilb next_hop = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [routing_mode](variables.tf#L136) | The network routing mode (default 'GLOBAL') | <code>string</code> | | <code>"GLOBAL"</code> |
|
||||
| [shared_vpc_host](variables.tf#L146) | Enable shared VPC for this project. | <code>bool</code> | | <code>false</code> |
|
||||
| [shared_vpc_service_projects](variables.tf#L152) | Shared VPC service projects to register with this host | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subnet_descriptions](variables.tf#L158) | Optional map of subnet descriptions, keyed by subnet 'region/name'. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [subnet_flow_logs](variables.tf#L164) | Optional map of boolean to control flow logs (default is disabled), keyed by subnet 'region/name'. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [subnet_private_access](variables.tf#L170) | Optional map of boolean to control private Google access (default is enabled), keyed by subnet 'region/name'. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [subnets](variables.tf#L176) | List of subnets being created. | <code title="list(object({ name = string ip_cidr_range = string region = string secondary_ip_range = map(string) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [subnets_l7ilb](variables.tf#L187) | List of subnets for private HTTPS load balancer. | <code title="list(object({ active = bool name = string ip_cidr_range = string region = string }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [vpc_create](variables.tf#L198) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bindings | Subnet IAM bindings. | |
|
||||
| name | The name of the VPC being created. | |
|
||||
| network | Network resource. | |
|
||||
| project_id | Project ID containing the network. Use this when you need to create resources *after* the VPC is fully set up (e.g. subnets created, shared VPC service projects attached, Private Service Networking configured). | |
|
||||
| self_link | The URI of the VPC being created. | |
|
||||
| subnet_ips | Map of subnet address ranges keyed by name. | |
|
||||
| subnet_regions | Map of subnet regions keyed by name. | |
|
||||
| subnet_secondary_ranges | Map of subnet secondary ranges keyed by name. | |
|
||||
| subnet_self_links | Map of subnet self links keyed by name. | |
|
||||
| subnets | Subnet resources. | |
|
||||
| subnets_l7ilb | L7 ILB subnet resources. | |
|
||||
| [bindings](outputs.tf#L17) | Subnet IAM bindings. | |
|
||||
| [name](outputs.tf#L22) | The name of the VPC being created. | |
|
||||
| [network](outputs.tf#L34) | Network resource. | |
|
||||
| [project_id](outputs.tf#L46) | Project ID containing the network. Use this when you need to create resources *after* the VPC is fully set up (e.g. subnets created, shared VPC service projects attached, Private Service Networking configured). | |
|
||||
| [self_link](outputs.tf#L59) | The URI of the VPC being created. | |
|
||||
| [subnet_ips](outputs.tf#L71) | Map of subnet address ranges keyed by name. | |
|
||||
| [subnet_regions](outputs.tf#L78) | Map of subnet regions keyed by name. | |
|
||||
| [subnet_secondary_ranges](outputs.tf#L85) | Map of subnet secondary ranges keyed by name. | |
|
||||
| [subnet_self_links](outputs.tf#L96) | Map of subnet self links keyed by name. | |
|
||||
| [subnets](outputs.tf#L102) | Subnet resources. | |
|
||||
| [subnets_l7ilb](outputs.tf#L107) | L7 ILB subnet resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
The key format is `subnet_region/subnet_name`. For example `europe-west1/my_subnet`.
|
||||
|
|
|
@ -38,41 +38,38 @@ module "vpn-dynamic" {
|
|||
}
|
||||
# tftest:modules=1:resources=10
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | VPN gateway name, and prefix used for dependent resources. | <code>string</code> | ✓ | |
|
||||
| network | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| project_id | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| region | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| gateway_address | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | <code>string</code> | | <code>""</code> |
|
||||
| gateway_address_create | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | <code>bool</code> | | <code>true</code> |
|
||||
| route_priority | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| router_advertise_config | Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. | <code title="object({ groups = list(string) ip_ranges = map(string) mode = string })">object({…})</code> | | <code>null</code> |
|
||||
| router_asn | Router ASN used for auto-created router. | <code>number</code> | | <code>64514</code> |
|
||||
| router_create | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| router_name | Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router. | <code>string</code> | | <code>""</code> |
|
||||
| tunnels | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number peer_ip = string router = string shared_secret = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L29) | VPN gateway name, and prefix used for dependent resources. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L34) | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L39) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L44) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | <code>string</code> | | <code>""</code> |
|
||||
| [gateway_address_create](variables.tf#L23) | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | <code>bool</code> | | <code>true</code> |
|
||||
| [route_priority](variables.tf#L49) | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| [router_advertise_config](variables.tf#L55) | Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. | <code title="object({ groups = list(string) ip_ranges = map(string) mode = string })">object({…})</code> | | <code>null</code> |
|
||||
| [router_asn](variables.tf#L65) | Router ASN used for auto-created router. | <code>number</code> | | <code>64514</code> |
|
||||
| [router_create](variables.tf#L71) | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| [router_name](variables.tf#L77) | Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router. | <code>string</code> | | <code>""</code> |
|
||||
| [tunnels](variables.tf#L83) | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number peer_ip = string router = string shared_secret = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| address | VPN gateway address. | |
|
||||
| gateway | VPN gateway resource. | |
|
||||
| name | VPN gateway name. | |
|
||||
| random_secret | Generated secret. | |
|
||||
| router | Router resource (only if auto-created). | |
|
||||
| router_name | Router name. | |
|
||||
| self_link | VPN gateway self link. | |
|
||||
| tunnel_names | VPN tunnel names. | |
|
||||
| tunnel_self_links | VPN tunnel self links. | |
|
||||
| tunnels | VPN tunnel resources. | |
|
||||
| [address](outputs.tf#L17) | VPN gateway address. | |
|
||||
| [gateway](outputs.tf#L22) | VPN gateway resource. | |
|
||||
| [name](outputs.tf#L27) | VPN gateway name. | |
|
||||
| [random_secret](outputs.tf#L32) | Generated secret. | |
|
||||
| [router](outputs.tf#L38) | Router resource (only if auto-created). | |
|
||||
| [router_name](outputs.tf#L43) | Router name. | |
|
||||
| [self_link](outputs.tf#L48) | VPN gateway self link. | |
|
||||
| [tunnel_names](outputs.tf#L53) | VPN tunnel names. | |
|
||||
| [tunnel_self_links](outputs.tf#L61) | VPN tunnel self links. | |
|
||||
| [tunnels](outputs.tf#L69) | VPN tunnel resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -138,44 +138,41 @@ module "vpn_ha" {
|
|||
}
|
||||
# tftest:modules=1:resources=10
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | <code>string</code> | ✓ | |
|
||||
| network | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| project_id | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| region | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| peer_external_gateway | Configuration of an external VPN gateway to which this VPN is connected. | <code title="object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) })">object({…})</code> | | <code>null</code> |
|
||||
| peer_gcp_gateway | Self Link URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. | <code>string</code> | | <code>null</code> |
|
||||
| route_priority | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| router_advertise_config | Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. | <code title="object({ groups = list(string) ip_ranges = map(string) mode = string })">object({…})</code> | | <code>null</code> |
|
||||
| router_asn | Router ASN used for auto-created router. | <code>number</code> | | <code>64514</code> |
|
||||
| router_create | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| router_name | Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use VPN name for auto created router. | <code>string</code> | | <code>""</code> |
|
||||
| tunnels | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number peer_external_gateway_interface = number router = string shared_secret = string vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| vpn_gateway | HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
|
||||
| vpn_gateway_create | Create HA VPN Gateway. | <code>bool</code> | | <code>true</code> |
|
||||
| [name](variables.tf#L17) | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L22) | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L45) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L50) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [peer_external_gateway](variables.tf#L27) | Configuration of an external VPN gateway to which this VPN is connected. | <code title="object({ redundancy_type = string interfaces = list(object({ id = number ip_address = string })) })">object({…})</code> | | <code>null</code> |
|
||||
| [peer_gcp_gateway](variables.tf#L39) | Self Link URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. | <code>string</code> | | <code>null</code> |
|
||||
| [route_priority](variables.tf#L55) | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| [router_advertise_config](variables.tf#L61) | Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. | <code title="object({ groups = list(string) ip_ranges = map(string) mode = string })">object({…})</code> | | <code>null</code> |
|
||||
| [router_asn](variables.tf#L71) | Router ASN used for auto-created router. | <code>number</code> | | <code>64514</code> |
|
||||
| [router_create](variables.tf#L77) | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| [router_name](variables.tf#L83) | Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use VPN name for auto created router. | <code>string</code> | | <code>""</code> |
|
||||
| [tunnels](variables.tf#L89) | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number peer_external_gateway_interface = number router = string shared_secret = string vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpn_gateway](variables.tf#L114) | HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
|
||||
| [vpn_gateway_create](variables.tf#L120) | Create HA VPN Gateway. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| bgp_peers | BGP peer resources. | |
|
||||
| external_gateway | External VPN gateway resource. | |
|
||||
| gateway | VPN gateway resource (only if auto-created). | |
|
||||
| name | VPN gateway name (only if auto-created). | |
|
||||
| random_secret | Generated secret. | |
|
||||
| router | Router resource (only if auto-created). | |
|
||||
| router_name | Router name. | |
|
||||
| self_link | HA VPN gateway self link. | |
|
||||
| tunnel_names | VPN tunnel names. | |
|
||||
| tunnel_self_links | VPN tunnel self links. | |
|
||||
| tunnels | VPN tunnel resources. | |
|
||||
| [bgp_peers](outputs.tf#L18) | BGP peer resources. | |
|
||||
| [external_gateway](outputs.tf#L25) | External VPN gateway resource. | |
|
||||
| [gateway](outputs.tf#L34) | VPN gateway resource (only if auto-created). | |
|
||||
| [name](outputs.tf#L43) | VPN gateway name (only if auto-created). | |
|
||||
| [random_secret](outputs.tf#L52) | Generated secret. | |
|
||||
| [router](outputs.tf#L57) | Router resource (only if auto-created). | |
|
||||
| [router_name](outputs.tf#L66) | Router name. | |
|
||||
| [self_link](outputs.tf#L71) | HA VPN gateway self link. | |
|
||||
| [tunnel_names](outputs.tf#L76) | VPN tunnel names. | |
|
||||
| [tunnel_self_links](outputs.tf#L84) | VPN tunnel self links. | |
|
||||
| [tunnels](outputs.tf#L92) | VPN tunnel resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -31,36 +31,33 @@ module "vpn" {
|
|||
}
|
||||
# tftest:modules=2:resources=8
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | VPN gateway name, and prefix used for dependent resources. | <code>string</code> | ✓ | |
|
||||
| network | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| project_id | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| region | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| gateway_address | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | <code>string</code> | | <code>""</code> |
|
||||
| gateway_address_create | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | <code>bool</code> | | <code>true</code> |
|
||||
| remote_ranges | Remote IP CIDR ranges. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| route_priority | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| tunnels | VPN tunnel configurations. | <code title="map(object({ ike_version = number peer_ip = string shared_secret = string traffic_selectors = object({ local = list(string) remote = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L29) | VPN gateway name, and prefix used for dependent resources. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L34) | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L39) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L44) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | <code>string</code> | | <code>""</code> |
|
||||
| [gateway_address_create](variables.tf#L23) | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | <code>bool</code> | | <code>true</code> |
|
||||
| [remote_ranges](variables.tf#L49) | Remote IP CIDR ranges. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [route_priority](variables.tf#L55) | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| [tunnels](variables.tf#L61) | VPN tunnel configurations. | <code title="map(object({ ike_version = number peer_ip = string shared_secret = string traffic_selectors = object({ local = list(string) remote = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| address | VPN gateway address. | |
|
||||
| gateway | VPN gateway resource. | |
|
||||
| name | VPN gateway name. | |
|
||||
| random_secret | Generated secret. | |
|
||||
| self_link | VPN gateway self link. | |
|
||||
| tunnel_names | VPN tunnel names. | |
|
||||
| tunnel_self_links | VPN tunnel self links. | |
|
||||
| tunnels | VPN tunnel resources. | |
|
||||
| [address](outputs.tf#L17) | VPN gateway address. | |
|
||||
| [gateway](outputs.tf#L22) | VPN gateway resource. | |
|
||||
| [name](outputs.tf#L27) | VPN gateway name. | |
|
||||
| [random_secret](outputs.tf#L32) | Generated secret. | |
|
||||
| [self_link](outputs.tf#L37) | VPN gateway self link. | |
|
||||
| [tunnel_names](outputs.tf#L42) | VPN tunnel names. | |
|
||||
| [tunnel_self_links](outputs.tf#L50) | VPN tunnel self links. | |
|
||||
| [tunnels](outputs.tf#L58) | VPN tunnel resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -237,44 +237,39 @@ module "org" {
|
|||
}
|
||||
# tftest:modules=1:resources=2
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| organization_id | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| contacts | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| custom_roles | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| firewall_policies | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| firewall_policy_association | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| firewall_policy_factory | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
||||
| group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_additive | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_audit_config | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| iam_audit_config_authoritative | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code>map(map(list(string)))</code> | | <code>null</code> |
|
||||
| iam_bindings_authoritative | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map(list(string))</code> | | <code>null</code> |
|
||||
| logging_exclusions | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| logging_sinks | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string iam = bool include_children = bool bq_partitioned_table = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [organization_id](variables.tf#L142) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [custom_roles](variables.tf#L23) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [firewall_policies](variables.tf#L29) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| [firewall_policy_association](variables.tf#L46) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [firewall_policy_factory](variables.tf#L52) | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
||||
| [group_iam](variables.tf#L62) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L68) | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive](variables.tf#L74) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive_members](variables.tf#L80) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_audit_config](variables.tf#L86) | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [iam_audit_config_authoritative](variables.tf#L97) | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code>map(map(list(string)))</code> | | <code>null</code> |
|
||||
| [iam_bindings_authoritative](variables.tf#L108) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map(list(string))</code> | | <code>null</code> |
|
||||
| [logging_exclusions](variables.tf#L114) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L120) | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string iam = bool include_children = bool bq_partitioned_table = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [policy_boolean](variables.tf#L151) | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [policy_list](variables.tf#L157) | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| custom_role_id | Map of custom role IDs created in the organization. | |
|
||||
| custom_roles | Map of custom roles resources created in the organization. | |
|
||||
| firewall_policies | Map of firewall policy resources created in the organization. | |
|
||||
| firewall_policy_id | Map of firewall policy ids created in the organization. | |
|
||||
| organization_id | Organization id dependent on module resources. | |
|
||||
| sink_writer_identities | Writer identities created for each sink. | |
|
||||
| [custom_role_id](outputs.tf#L18) | Map of custom role IDs created in the organization. | |
|
||||
| [custom_roles](outputs.tf#L31) | Map of custom roles resources created in the organization. | |
|
||||
| [firewall_policies](outputs.tf#L36) | Map of firewall policy resources created in the organization. | |
|
||||
| [firewall_policy_id](outputs.tf#L41) | Map of firewall policy ids created in the organization. | |
|
||||
| [organization_id](outputs.tf#L46) | Organization id dependent on module resources. | |
|
||||
| [sink_writer_identities](outputs.tf#L60) | Writer identities created for each sink. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -196,47 +196,47 @@ module "project" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | Project name and id suffix. | <code>string</code> | ✓ | |
|
||||
| auto_create_network | Whether to create the default network for the project | <code>bool</code> | | <code>false</code> |
|
||||
| billing_account | Billing account id. | <code>string</code> | | <code>null</code> |
|
||||
| contacts | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| custom_roles | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| descriptive_name | Name of the project name. Used for project name instead of `name` variable | <code>string</code> | | <code>null</code> |
|
||||
| group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_additive | IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| labels | Resource labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| lien_reason | If non-empty, creates a project lien with this description. | <code>string</code> | | <code>""</code> |
|
||||
| logging_exclusions | Logging exclusions for this project in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| logging_sinks | Logging sinks to create for this project. | <code title="map(object({ destination = string type = string filter = string iam = bool unique_writer = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| metric_scopes | List of projects that will act as metric scopes for this project. | <code>list(string)</code> | | <code>null</code> |
|
||||
| oslogin | Enable OS Login. | <code>bool</code> | | <code>false</code> |
|
||||
| oslogin_admins | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| oslogin_users | List of IAM-style identities that will be granted roles necessary for OS Login users. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| parent | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| prefix | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
||||
| project_create | Create project. When set to false, uses a data source to reference existing project. | <code>bool</code> | | <code>true</code> |
|
||||
| service_config | Configure service API activation. | <code title="object({ disable_on_destroy = bool disable_dependent_services = bool })">object({…})</code> | | <code title="{ disable_on_destroy = true disable_dependent_services = true }">{…}</code> |
|
||||
| service_encryption_key_ids | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| service_perimeter_bridges | Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | <code>list(string)</code> | | <code>null</code> |
|
||||
| service_perimeter_standard | Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | <code>string</code> | | <code>null</code> |
|
||||
| services | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| shared_vpc_host_config | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = list(string) })">object({…})</code> | | <code title="{ enabled = false service_projects = [] }">{…}</code> |
|
||||
| shared_vpc_service_config | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ attach = bool host_project = string })">object({…})</code> | | <code title="{ attach = false host_project = "" }">{…}</code> |
|
||||
| skip_delete | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
|
||||
| [name](variables.tf#L109) | Project name and id suffix. | <code>string</code> | ✓ | |
|
||||
| [auto_create_network](variables.tf#L17) | Whether to create the default network for the project | <code>bool</code> | | <code>false</code> |
|
||||
| [billing_account](variables.tf#L23) | Billing account id. | <code>string</code> | | <code>null</code> |
|
||||
| [contacts](variables.tf#L29) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [custom_roles](variables.tf#L35) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [descriptive_name](variables.tf#L41) | Name of the project name. Used for project name instead of `name` variable | <code>string</code> | | <code>null</code> |
|
||||
| [group_iam](variables.tf#L47) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L53) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive](variables.tf#L59) | IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive_members](variables.tf#L65) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L71) | Resource labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [lien_reason](variables.tf#L77) | If non-empty, creates a project lien with this description. | <code>string</code> | | <code>""</code> |
|
||||
| [logging_exclusions](variables.tf#L83) | Logging exclusions for this project in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L89) | Logging sinks to create for this project. | <code title="map(object({ destination = string type = string filter = string iam = bool unique_writer = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [metric_scopes](variables.tf#L103) | List of projects that will act as metric scopes for this project. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [oslogin](variables.tf#L114) | Enable OS Login. | <code>bool</code> | | <code>false</code> |
|
||||
| [oslogin_admins](variables.tf#L120) | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [oslogin_users](variables.tf#L126) | List of IAM-style identities that will be granted roles necessary for OS Login users. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [parent](variables.tf#L132) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| [policy_boolean](variables.tf#L142) | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [policy_list](variables.tf#L148) | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L159) | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L165) | Create project. When set to false, uses a data source to reference existing project. | <code>bool</code> | | <code>true</code> |
|
||||
| [service_config](variables.tf#L171) | Configure service API activation. | <code title="object({ disable_on_destroy = bool disable_dependent_services = bool })">object({…})</code> | | <code title="{ disable_on_destroy = true disable_dependent_services = true }">{…}</code> |
|
||||
| [service_encryption_key_ids](variables.tf#L183) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_perimeter_bridges](variables.tf#L189) | Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [service_perimeter_standard](variables.tf#L195) | Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | <code>string</code> | | <code>null</code> |
|
||||
| [services](variables.tf#L201) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [shared_vpc_host_config](variables.tf#L207) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = list(string) })">object({…})</code> | | <code title="{ enabled = false service_projects = [] }">{…}</code> |
|
||||
| [shared_vpc_service_config](variables.tf#L219) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ attach = bool host_project = string })">object({…})</code> | | <code title="{ attach = false host_project = "" }">{…}</code> |
|
||||
| [skip_delete](variables.tf#L231) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| custom_roles | Ids of the created custom roles. | |
|
||||
| name | Project name. | |
|
||||
| number | Project number. | |
|
||||
| project_id | Project id. | |
|
||||
| service_accounts | Product robot service accounts in project. | |
|
||||
| sink_writer_identities | Writer identities created for each sink. | |
|
||||
| [custom_roles](outputs.tf#L17) | Ids of the created custom roles. | |
|
||||
| [name](outputs.tf#L25) | Project name. | |
|
||||
| [number](outputs.tf#L37) | Project number. | |
|
||||
| [project_id](outputs.tf#L49) | Project id. | |
|
||||
| [service_accounts](outputs.tf#L63) | Product robot service accounts in project. | |
|
||||
| [sink_writer_identities](outputs.tf#L79) | Writer identities created for each sink. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -87,34 +87,31 @@ module "pubsub" {
|
|||
}
|
||||
# tftest:modules=1:resources=3
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | PubSub topic name. | <code>string</code> | ✓ | |
|
||||
| project_id | Project used for resources. | <code>string</code> | ✓ | |
|
||||
| dead_letter_configs | Per-subscription dead letter policy configuration. | <code title="map(object({ topic = string max_delivery_attempts = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| defaults | Subscription defaults for options. | <code title="object({ ack_deadline_seconds = number message_retention_duration = string retain_acked_messages = bool expiration_policy_ttl = string })">object({…})</code> | | <code title="{ ack_deadline_seconds = null message_retention_duration = null retain_acked_messages = null expiration_policy_ttl = null }">{…}</code> |
|
||||
| iam | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| kms_key | KMS customer managed encryption key. | <code>string</code> | | <code>null</code> |
|
||||
| labels | Labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| push_configs | Push subscription configurations. | <code title="map(object({ attributes = map(string) endpoint = string oidc_token = object({ audience = string service_account_email = string }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| regions | List of regions used to set persistence policy. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| subscription_iam | IAM bindings for subscriptions in {SUBSCRIPTION => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| subscriptions | Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null. | <code title="map(object({ labels = map(string) options = object({ ack_deadline_seconds = number message_retention_duration = string retain_acked_messages = bool expiration_policy_ttl = string }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L60) | PubSub topic name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L65) | Project used for resources. | <code>string</code> | ✓ | |
|
||||
| [dead_letter_configs](variables.tf#L17) | Per-subscription dead letter policy configuration. | <code title="map(object({ topic = string max_delivery_attempts = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [defaults](variables.tf#L26) | Subscription defaults for options. | <code title="object({ ack_deadline_seconds = number message_retention_duration = string retain_acked_messages = bool expiration_policy_ttl = string })">object({…})</code> | | <code title="{ ack_deadline_seconds = null message_retention_duration = null retain_acked_messages = null expiration_policy_ttl = null }">{…}</code> |
|
||||
| [iam](variables.tf#L42) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [kms_key](variables.tf#L48) | KMS customer managed encryption key. | <code>string</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L54) | Labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [push_configs](variables.tf#L70) | Push subscription configurations. | <code title="map(object({ attributes = map(string) endpoint = string oidc_token = object({ audience = string service_account_email = string }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [regions](variables.tf#L83) | List of regions used to set persistence policy. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [subscription_iam](variables.tf#L89) | IAM bindings for subscriptions in {SUBSCRIPTION => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [subscriptions](variables.tf#L95) | Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null. | <code title="map(object({ labels = map(string) options = object({ ack_deadline_seconds = number message_retention_duration = string retain_acked_messages = bool expiration_policy_ttl = string }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | Topic id. | |
|
||||
| subscription_id | Subscription ids. | |
|
||||
| subscriptions | Subscription resources. | |
|
||||
| topic | Topic resource. | |
|
||||
| [id](outputs.tf#L17) | Topic id. | |
|
||||
| [subscription_id](outputs.tf#L25) | Subscription ids. | |
|
||||
| [subscriptions](outputs.tf#L35) | Subscription resources. | |
|
||||
| [topic](outputs.tf#L43) | Topic resource. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -72,32 +72,28 @@ module "secret-manager" {
|
|||
}
|
||||
# tftest:modules=1:resources=5
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| project_id | Project id where the keyring will be created. | <code>string</code> | ✓ | |
|
||||
| iam | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| labels | Optional labels for each secret. | <code>map(map(string))</code> | | <code>{}</code> |
|
||||
| secrets | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| versions | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <code title="map(map(object({ enabled = bool data = string })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| [project_id](variables.tf#L29) | Project id where the keyring will be created. | <code>string</code> | ✓ | |
|
||||
| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L23) | Optional labels for each secret. | <code>map(map(string))</code> | | <code>{}</code> |
|
||||
| [secrets](variables.tf#L34) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [versions](variables.tf#L40) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <code title="map(map(object({ enabled = bool data = string })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| ids | Secret ids keyed by secret_ids (names). | |
|
||||
| secrets | Secret resources. | |
|
||||
| version_ids | Version ids keyed by secret name : version name. | |
|
||||
| versions | Secret versions. | |
|
||||
| [ids](outputs.tf#L17) | Secret ids keyed by secret_ids (names). | |
|
||||
| [secrets](outputs.tf#L24) | Secret resources. | |
|
||||
| [version_ids](outputs.tf#L29) | Version ids keyed by secret name : version name. | |
|
||||
| [versions](outputs.tf#L36) | Secret versions. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
## Requirements
|
||||
|
||||
These sections describe requirements for using this module.
|
||||
|
|
|
@ -87,34 +87,31 @@ module "dns-sd" {
|
|||
}
|
||||
# tftest:modules=2:resources=5
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| location | Namespace location. | <code>string</code> | ✓ | |
|
||||
| name | Namespace name. | <code>string</code> | ✓ | |
|
||||
| project_id | Project used for resources. | <code>string</code> | ✓ | |
|
||||
| endpoint_config | Map of endpoint attributes, keys are in service/endpoint format. | <code title="map(object({ address = string port = number metadata = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| iam | IAM bindings for namespace, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| labels | Labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| service_iam | IAM bindings for services, in {SERVICE => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| services | Service configuration, using service names as keys. | <code title="map(object({ endpoints = list(string) metadata = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [location](variables.tf#L40) | Namespace location. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L45) | Namespace name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L50) | Project used for resources. | <code>string</code> | ✓ | |
|
||||
| [endpoint_config](variables.tf#L18) | Map of endpoint attributes, keys are in service/endpoint format. | <code title="map(object({ address = string port = number metadata = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L28) | IAM bindings for namespace, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L34) | Labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [service_iam](variables.tf#L55) | IAM bindings for services, in {SERVICE => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [services](variables.tf#L61) | Service configuration, using service names as keys. | <code title="map(object({ endpoints = list(string) metadata = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| endpoints | Endpoint resources. | |
|
||||
| id | Namespace id (short name). | |
|
||||
| name | Namespace name (long name). | |
|
||||
| namespace | Namespace resource. | |
|
||||
| service_id | Service ids (short names). | |
|
||||
| service_names | Service ids (long names). | |
|
||||
| services | Service resources. | |
|
||||
| [endpoints](outputs.tf#L17) | Endpoint resources. | |
|
||||
| [id](outputs.tf#L22) | Namespace id (short name). | |
|
||||
| [name](outputs.tf#L27) | Namespace name (long name). | |
|
||||
| [namespace](outputs.tf#L32) | Namespace resource. | |
|
||||
| [service_id](outputs.tf#L40) | Service ids (short names). | |
|
||||
| [service_names](outputs.tf#L50) | Service ids (long names). | |
|
||||
| [services](outputs.tf#L60) | Service resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -18,24 +18,21 @@ module "repo" {
|
|||
}
|
||||
# tftest:modules=1:resources=2
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| name | Repository name. | <code>string</code> | ✓ | |
|
||||
| project_id | Project used for resources. | <code>string</code> | ✓ | |
|
||||
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L23) | Repository name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L28) | Project used for resources. | <code>string</code> | ✓ | |
|
||||
| [iam](variables.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| id | Repository id. | |
|
||||
| url | Repository URL. | |
|
||||
| [id](outputs.tf#L17) | Repository id. | |
|
||||
| [url](outputs.tf#L22) | Repository URL. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
|
|
@ -145,33 +145,27 @@ module "test" {
|
|||
## TODO
|
||||
|
||||
- [ ] implement support for the `google_access_context_manager_gcp_user_access_binding` resource
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| access_policy | Access Policy name, leave null to use auto-created one. | <code>string</code> | ✓ | |
|
||||
| access_levels | Map of access levels in name => [conditions] format. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) members = list(string) negate = bool regions = list(string) required_access_levels = list(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| access_policy_create | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | <code title="object({ parent = string title = string })">object({…})</code> | | <code>null</code> |
|
||||
| service_perimeters_bridge | Bridge service perimeters. | <code title="map(object({ spec_resources = list(string) status_resources = list(string) use_explicit_dry_run_spec = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| service_perimeters_regular | Regular service perimeters. | <code title="map(object({ spec = object({ access_levels = list(string) resources = list(string) restricted_services = list(string) egress_policies = list(object({ egress_from = object({ identity_type = string identities = list(string) }) egress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) ingress_policies = list(object({ ingress_from = object({ identity_type = string identities = list(string) source_access_levels = list(string) source_resources = list(string) }) ingress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) vpc_accessible_services = object({ allowed_services = list(string) enable_restriction = bool }) }) status = object({ access_levels = list(string) resources = list(string) restricted_services = list(string) egress_policies = list(object({ egress_from = object({ identity_type = string identities = list(string) }) egress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) ingress_policies = list(object({ ingress_from = object({ identity_type = string identities = list(string) source_access_levels = list(string) source_resources = list(string) }) ingress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) vpc_accessible_services = object({ allowed_services = list(string) enable_restriction = bool }) }) use_explicit_dry_run_spec = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_policy](variables.tf#L55) | Access Policy name, leave null to use auto-created one. | <code>string</code> | ✓ | |
|
||||
| [access_levels](variables.tf#L17) | Map of access levels in name => [conditions] format. | <code title="map(object({ combining_function = string conditions = list(object({ ip_subnetworks = list(string) members = list(string) negate = bool regions = list(string) required_access_levels = list(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [access_policy_create](variables.tf#L60) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | <code title="object({ parent = string title = string })">object({…})</code> | | <code>null</code> |
|
||||
| [service_perimeters_bridge](variables.tf#L69) | Bridge service perimeters. | <code title="map(object({ spec_resources = list(string) status_resources = list(string) use_explicit_dry_run_spec = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_perimeters_regular](variables.tf#L79) | Regular service perimeters. | <code title="map(object({ spec = object({ access_levels = list(string) resources = list(string) restricted_services = list(string) egress_policies = list(object({ egress_from = object({ identity_type = string identities = list(string) }) egress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) ingress_policies = list(object({ ingress_from = object({ identity_type = string identities = list(string) source_access_levels = list(string) source_resources = list(string) }) ingress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) vpc_accessible_services = object({ allowed_services = list(string) enable_restriction = bool }) }) status = object({ access_levels = list(string) resources = list(string) restricted_services = list(string) egress_policies = list(object({ egress_from = object({ identity_type = string identities = list(string) }) egress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) ingress_policies = list(object({ ingress_from = object({ identity_type = string identities = list(string) source_access_levels = list(string) source_resources = list(string) }) ingress_to = object({ operations = list(object({ method_selectors = list(string) service_name = string })) resources = list(string) }) })) vpc_accessible_services = object({ allowed_services = list(string) enable_restriction = bool }) }) use_explicit_dry_run_spec = bool }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| access_level_names | Access level resources. | |
|
||||
| access_levels | Access level resources. | |
|
||||
| access_policy | Access policy resource, if autocreated. | |
|
||||
| access_policy_name | Access policy name. | |
|
||||
| service_perimeters_bridge | Bridge service perimeter resources. | |
|
||||
| service_perimeters_regular | Regular service perimeter resources. | |
|
||||
| [access_level_names](outputs.tf#L17) | Access level resources. | |
|
||||
| [access_levels](outputs.tf#L25) | Access level resources. | |
|
||||
| [access_policy](outputs.tf#L30) | Access policy resource, if autocreated. | |
|
||||
| [access_policy_name](outputs.tf#L35) | Access policy name. | |
|
||||
| [service_perimeters_bridge](outputs.tf#L40) | Bridge service perimeter resources. | |
|
||||
| [service_perimeters_regular](outputs.tf#L45) | Regular service perimeter resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -110,9 +110,9 @@ VAR_TEMPLATE = ('default', 'description', 'type')
|
|||
|
||||
File = collections.namedtuple('File', 'name description modules resources')
|
||||
Output = collections.namedtuple('Output',
|
||||
'name description sensitive consumers')
|
||||
'name description sensitive consumers line')
|
||||
Variable = collections.namedtuple(
|
||||
'Variable', 'name description type default required source')
|
||||
'Variable', 'name description type default required source line')
|
||||
|
||||
|
||||
# parsing functions
|
||||
|
@ -131,7 +131,11 @@ def _parse(body, enum=VAR_ENUM, re=VAR_RE, template=VAR_TEMPLATE):
|
|||
data = m.group(m.lastindex)
|
||||
# print(token, m.groups())
|
||||
if token == enum.OPEN:
|
||||
item = {'name': data, 'tags': {}}
|
||||
match = m.group(0)
|
||||
leading_lines = len(match) - len(match.lstrip("\n"))
|
||||
start = m.span()[0]
|
||||
line = body[:start].count('\n') + leading_lines + 1
|
||||
item = {'name': data, 'tags': {}, 'line': line}
|
||||
item.update({k: [] for k in template})
|
||||
context = None
|
||||
elif token == enum.CLOSE:
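Review bot: The new line computation in `_parse` slices `body[:start]` on every OPEN token, copying the file prefix once per variable, and the `lstrip("\n")` correction presumably undercounts when a match starts with `\r\n`, since `\r` is not stripped and the newlines it guards are then counted neither in the prefix nor in `leading_lines`. Counting newlines up to the token's real start handles both: `match = m.group(0)`, `token_start = m.start() + len(match) - len(match.lstrip())`, `line = body.count('\n', 0, token_start) + 1`. The value feeds the `outputs.tf#L…` and `variables.tf#L…` anchors written by the later `format_outputs`/`format_variables` hunks, so an off-by-one here mis-points every generated README link. `_parse` itself starts outside the hunk.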
|
||||
|
@ -187,7 +191,8 @@ def parse_outputs(basepath):
|
|||
for item in _parse(body, enum=OUT_ENUM, re=OUT_RE, template=OUT_TEMPLATE):
|
||||
yield Output(name=item['name'], description=''.join(item['description']),
|
||||
sensitive=item['sensitive'] != [],
|
||||
consumers=item['tags'].get('output:consumers', ''))
|
||||
consumers=item['tags'].get('output:consumers', ''),
|
||||
line=item['line'])
|
||||
|
||||
|
||||
def parse_variables(basepath):
|
||||
|
@ -207,7 +212,8 @@ def parse_variables(basepath):
|
|||
yield Variable(name=item['name'], description=''.join(item['description']),
|
||||
type=vtype, default=default,
|
||||
required=required,
|
||||
source=item['tags'].get('variable:source', ''))
|
||||
source=item['tags'].get('variable:source', ''),
|
||||
line=item['line'])
|
||||
|
||||
|
||||
# formatting functions
|
||||
|
@ -280,7 +286,7 @@ def format_outputs(items, show_extra=True):
|
|||
consumers = '<code>%s</code>' % '</code> · <code>'.join(
|
||||
consumers.split())
|
||||
sensitive = '✓' if i.sensitive else ''
|
||||
format = f'| {i.name} | {i.description or ""} | {sensitive} |'
|
||||
format = f'| [{i.name}](outputs.tf#L{i.line}) | {i.description or ""} | {sensitive} |'
|
||||
format += f' {consumers} |' if show_extra else ''
|
||||
yield format
|
||||
|
||||
|
@ -316,7 +322,7 @@ def format_variables(items, show_extra=True):
|
|||
value = f'{value[0]}…{value[-1].strip()}'
|
||||
vars[k] = f'<code title="{_escape(title)}">{_escape(value)}</code>'
|
||||
format = (
|
||||
f'| {i.name} | {i.description or ""} | {vars["type"]} '
|
||||
f'| [{i.name}](variables.tf#L{i.line}) | {i.description or ""} | {vars["type"]} '
|
||||
f'| {vars["required"]} | {vars["default"]} |'
|
||||
)
|
||||
format += f' {vars["source"]} |' if show_extra else ''
|
||||
|
|