From 67c031c41cd6ab9ef00b575a58e6a40cad671571 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 9 Sep 2022 09:03:38 +0200
Subject: [PATCH 1/2] Change `modules/project` service_config default
---
 modules/project/README.md | 8 ++++----
 modules/project/outputs.tf | 8 +++++++-
 modules/project/variables.tf | 4 ++--
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/modules/project/README.md b/modules/project/README.md
index b30ff2eb..8ce143bb 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -386,7 +386,7 @@ output "compute_robot" {
 | [policy_list](variables.tf#L168) | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({…})) | | {} |
 | [prefix](variables.tf#L180) | Prefix used to generate project id and name. | string | | null |
 | [project_create](variables.tf#L186) | Create project. When set to false, uses a data source to reference existing project. | bool | | true |
-| [service_config](variables.tf#L192) | Configure service API activation. | object({…}) | | {…} |
+| [service_config](variables.tf#L192) | Configure service API activation. | object({…}) | | {…} |
 | [service_encryption_key_ids](variables.tf#L204) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | map(list(string)) | | {} |
 | [service_perimeter_bridges](variables.tf#L211) | Name of VPC-SC Bridge perimeters to add project into. See comment in the variables file for format. | list(string) | | null |
 | [service_perimeter_standard](variables.tf#L218) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | string | | null |
@@ -403,8 +403,8 @@ output "compute_robot" {
 | [custom_roles](outputs.tf#L17) | Ids of the created custom roles. | |
 | [name](outputs.tf#L25) | Project name. | |
 | [number](outputs.tf#L38) | Project number. | |
-| [project_id](outputs.tf#L51) | Project id. | |
-| [service_accounts](outputs.tf#L70) | Product robot service accounts in project. | |
-| [sink_writer_identities](outputs.tf#L86) | Writer identities created for each sink. | |
+| [project_id](outputs.tf#L56) | Project id. | |
+| [service_accounts](outputs.tf#L76) | Product robot service accounts in project. | |
+| [sink_writer_identities](outputs.tf#L92) | Writer identities created for each sink. | |
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index 4bd28aa0..3b7efc90 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -42,9 +42,14 @@ output "number" {
 google_project_organization_policy.boolean,
 google_project_organization_policy.list,
 google_project_service.project_services,
+ google_compute_shared_vpc_host_project.shared_vpc_host,
+ google_compute_shared_vpc_service_project.shared_vpc_service,
 google_compute_shared_vpc_service_project.service_projects,
 google_project_iam_member.shared_vpc_host_robots,
- google_kms_crypto_key_iam_member.service_identity_cmek
+ google_kms_crypto_key_iam_member.service_identity_cmek,
+ google_project_service_identity.jit_si,
+ google_project_service_identity.servicenetworking,
+ google_project_iam_member.servicenetworking
 ]
 }
@@ -62,6 +67,7 @@ output "project_id" {
 google_compute_shared_vpc_service_project.service_projects,
 google_project_iam_member.shared_vpc_host_robots,
 google_kms_crypto_key_iam_member.service_identity_cmek,
+ google_project_service_identity.jit_si,
 google_project_service_identity.servicenetworking,
 google_project_iam_member.servicenetworking
 ]
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index 578f9d23..9268deb2 100644
--- a/modules/project/variables.tf
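Review bot: The `depends_on` list in output `number` is only now being caught up with the one in output `project_id` — the `servicenetworking` identity and IAM member it gains here already appear as context lines in the second hunk — so the two copies are clearly meant to be identical but nothing in the file says so, and they have drifted once already. Because `depends_on` only accepts static resource references it cannot be factored into a shared local, so the practical fix is a comment in both outputs, e.g. `# keep in sync with the depends_on list in output "project_id"` above the list in `number` and the mirror comment in `project_id`. Consumers that gate on one output but not the other would otherwise race the resources missing from the shorter list. Both `output` blocks start before their hunks.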
+++ b/modules/project/variables.tf
@@ -196,8 +196,8 @@ variable "service_config" {
 disable_dependent_services = bool
 })
 default = {
- disable_on_destroy = true
- disable_dependent_services = true
+ disable_on_destroy = false
+ disable_dependent_services = false
 }
 }
From f8e2fdaf1928457adcf5a2c3fc4e4c8263c88347 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 9 Sep 2022 09:38:09 +0200
Subject: [PATCH 2/2] Remove project.service_config instances using the new default
---
 .../asset-inventory-feed-remediation/main.tf | 4 ----
 examples/cloud-operations/dns-fine-grained-iam/main.tf | 4 ----
 examples/cloud-operations/dns-shared-vpc/main.tf | 4 ----
 examples/cloud-operations/glb_and_armor/main.tf | 4 ----
 examples/cloud-operations/packer-image-builder/main.tf | 4 ----
 examples/cloud-operations/quota-monitoring/main.tf | 4 ----
 examples/data-solutions/cloudsql-multiregion/main.tf | 3 ---
 examples/data-solutions/data-playground/main.tf | 5 -----
 .../data-solutions/gcs-to-bq-with-least-privileges/main.tf | 3 ---
 examples/data-solutions/sqlserver-alwayson/main.tf | 5 +----
 examples/gke-serverless/multitenant-fleet/main.tf | 4 ----
 examples/networking/hub-and-spoke-peering/main.tf | 4 ----
 examples/networking/hub-and-spoke-vpn/README.md | 4 ----
 examples/networking/hub-and-spoke-vpn/main.tf | 4 ----
 examples/networking/ilb-next-hop/main.tf | 4 ----
 .../networking/private-cloud-function-from-onprem/main.tf | 4 ----
 fast/stages/02-networking-nva/landing.tf | 4 ----
 fast/stages/02-networking-nva/spoke-dev.tf | 4 ----
 fast/stages/02-networking-nva/spoke-prod.tf | 4 ----
 fast/stages/02-networking-peering/landing.tf | 4 ----
 fast/stages/02-networking-peering/spoke-dev.tf | 4 ----
 fast/stages/02-networking-peering/spoke-prod.tf | 4 ----
 fast/stages/02-networking-vpn/landing.tf | 4 ----
 fast/stages/02-networking-vpn/spoke-dev.tf | 4 ----
 fast/stages/02-networking-vpn/spoke-prod.tf | 4 ----
 25 files changed, 1 insertion(+), 99 deletions(-)
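Review bot: Flipping both `service_config` defaults to `false` means that, as the google provider documents for `google_project_service`, every API this module enables now stays enabled when the module instance is destroyed or a service is dropped from `services`, so a project that outlives the module keeps a larger enabled-API surface than before, and the variable's description (still `Configure service API activation.` per the README hunk) says nothing about it. The new default is the safer choice where `project_create = false` and the module does not own the project, since disabling an API there could break workloads managed outside this state, but it is a silent behaviour change for every existing caller who relied on the old `true`/`true` default and deserves a note in the description and the changelog. I would extend the description to something like `Configure service API activation. With the defaults, APIs stay enabled when a service is removed or the module is destroyed, and disabling a service never cascades to its dependents.` The `variable "service_config"` block starts before this hunk.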
diff --git a/examples/cloud-operations/asset-inventory-feed-remediation/main.tf b/examples/cloud-operations/asset-inventory-feed-remediation/main.tf
index 1569ee1b..e25fe11f 100644
--- a/examples/cloud-operations/asset-inventory-feed-remediation/main.tf
+++ b/examples/cloud-operations/asset-inventory-feed-remediation/main.tf
@@ -29,10 +29,6 @@ module "project" {
 "cloudfunctions.googleapis.com",
 "compute.googleapis.com"
 ]
- service_config = {
- disable_on_destroy = false,
- disable_dependent_services = false
- }
 custom_roles = {
 (local.role_name) = [
 "compute.instances.list",
diff --git a/examples/cloud-operations/dns-fine-grained-iam/main.tf b/examples/cloud-operations/dns-fine-grained-iam/main.tf
index 773bbd56..612e76e6 100644
--- a/examples/cloud-operations/dns-fine-grained-iam/main.tf
+++ b/examples/cloud-operations/dns-fine-grained-iam/main.tf
@@ -30,10 +30,6 @@ module "project" {
 "dns.googleapis.com",
 "servicedirectory.googleapis.com"
 ]
- service_config = {
- disable_on_destroy = false,
- disable_dependent_services = false
- }
 }
 module "vpc" {
diff --git a/examples/cloud-operations/dns-shared-vpc/main.tf b/examples/cloud-operations/dns-shared-vpc/main.tf
index b13e7595..4ade9476 100644
--- a/examples/cloud-operations/dns-shared-vpc/main.tf
+++ b/examples/cloud-operations/dns-shared-vpc/main.tf
@@ -29,10 +29,6 @@ module "project" {
 parent = var.folder_id
 prefix = var.prefix
 services = var.project_services
- service_config = {
- disable_on_destroy = false,
- disable_dependent_services = false
- }
 }
 module "vpc" {
diff --git a/examples/cloud-operations/glb_and_armor/main.tf b/examples/cloud-operations/glb_and_armor/main.tf
index 56dfac6f..8f4e97f6 100644
--- a/examples/cloud-operations/glb_and_armor/main.tf
+++ b/examples/cloud-operations/glb_and_armor/main.tf
@@ -33,10 +33,6 @@ module "project" {
 services = [
 "compute.googleapis.com"
 ]
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 project_create = var.project_create != null
 }
diff --git a/examples/cloud-operations/packer-image-builder/main.tf b/examples/cloud-operations/packer-image-builder/main.tf
index 1e4fd007..084e26c5 100644
--- a/examples/cloud-operations/packer-image-builder/main.tf
+++ b/examples/cloud-operations/packer-image-builder/main.tf
@@ -30,10 +30,6 @@ module "project" {
 services = [
 "compute.googleapis.com"
 ]
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 }
 module "service-account-image-builder" {
diff --git a/examples/cloud-operations/quota-monitoring/main.tf b/examples/cloud-operations/quota-monitoring/main.tf
index 5612e5b9..be0d5e82 100644
--- a/examples/cloud-operations/quota-monitoring/main.tf
+++ b/examples/cloud-operations/quota-monitoring/main.tf
@@ -30,10 +30,6 @@ module "project" {
 "compute.googleapis.com",
 "cloudfunctions.googleapis.com"
 ]
- service_config = {
- disable_on_destroy = false,
- disable_dependent_services = false
- }
 iam = {
 "roles/monitoring.metricWriter" = [module.cf.service_account_iam_email]
 }
diff --git a/examples/data-solutions/cloudsql-multiregion/main.tf b/examples/data-solutions/cloudsql-multiregion/main.tf
index da4e076f..634b6f79 100644
--- a/examples/data-solutions/cloudsql-multiregion/main.tf
+++ b/examples/data-solutions/cloudsql-multiregion/main.tf
@@ -77,9 +77,6 @@ module "project" {
 "storage.googleapis.com",
 "storage-component.googleapis.com",
 ]
- service_config = {
- disable_on_destroy = false, disable_dependent_services = false
- }
 }
 module "vpc" {
diff --git a/examples/data-solutions/data-playground/main.tf b/examples/data-solutions/data-playground/main.tf
index b6b23d97..fa5164a6 100644
--- a/examples/data-solutions/data-playground/main.tf
+++ b/examples/data-solutions/data-playground/main.tf
@@ -49,11 +49,6 @@ module "project" {
 bq = [try(local.service_encryption_keys.bq, null)]
 storage = [try(local.service_encryption_keys.storage, null)]
 }
-
- service_config = {
- disable_on_destroy = false,
- disable_dependent_services = false
- }
 }
 ###############################################################################
diff --git a/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf b/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
index 37bf52de..a70b83ad 100644
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
@@ -129,9 +129,6 @@ module "project" {
 host_project = local.shared_vpc_project
 service_identity_iam = {}
 }
- service_config = {
- disable_on_destroy = false, disable_dependent_services = false
- }
 }
 resource "google_project_iam_member" "shared_vpc" {
diff --git a/examples/data-solutions/sqlserver-alwayson/main.tf b/examples/data-solutions/sqlserver-alwayson/main.tf
index 999e7eef..88622ca9 100644
--- a/examples/data-solutions/sqlserver-alwayson/main.tf
+++ b/examples/data-solutions/sqlserver-alwayson/main.tf
@@ -53,7 +53,4 @@ module "project" {
 host_project = var.shared_vpc_project_id
 service_identity_iam = {}
 }
- service_config = {
- disable_on_destroy = false, disable_dependent_services = false
- }
-}
\ No newline at end of file
+}
diff --git a/examples/gke-serverless/multitenant-fleet/main.tf b/examples/gke-serverless/multitenant-fleet/main.tf
index 912ae4a7..3df2b663 100644
--- a/examples/gke-serverless/multitenant-fleet/main.tf
+++ b/examples/gke-serverless/multitenant-fleet/main.tf
@@ -44,10 +44,6 @@ module "gke-project-0" {
 ],
 var.project_services
 )
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 shared_vpc_service_config = {
 attach = true
 host_project = var.vpc_config.host_project_id
diff --git a/examples/networking/hub-and-spoke-peering/main.tf b/examples/networking/hub-and-spoke-peering/main.tf
index f2109b83..eefc8049 100644
--- a/examples/networking/hub-and-spoke-peering/main.tf
+++ b/examples/networking/hub-and-spoke-peering/main.tf
@@ -40,10 +40,6 @@ module "project" {
 "compute.googleapis.com",
 "container.googleapis.com"
 ]
- service_config = {
- disable_on_destroy = false,
- disable_dependent_services = false
- }
 }
 ################################################################################
diff --git a/examples/networking/hub-and-spoke-vpn/README.md b/examples/networking/hub-and-spoke-vpn/README.md
index 5a524160..e72e2db7 100644
--- a/examples/networking/hub-and-spoke-vpn/README.md
+++ b/examples/networking/hub-and-spoke-vpn/README.md
@@ -45,10 +45,6 @@ module "project" {
 "compute.googleapis.com",
 "dns.googleapis.com"
 ]
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 }
 # tftest skip
diff --git a/examples/networking/hub-and-spoke-vpn/main.tf b/examples/networking/hub-and-spoke-vpn/main.tf
index f448ca79..d3fbc899 100644
--- a/examples/networking/hub-and-spoke-vpn/main.tf
+++ b/examples/networking/hub-and-spoke-vpn/main.tf
@@ -28,10 +28,6 @@ module "project" {
 "compute.googleapis.com",
 "dns.googleapis.com"
 ]
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 }
 # test VM in landing region 1
diff --git a/examples/networking/ilb-next-hop/main.tf b/examples/networking/ilb-next-hop/main.tf
index 80f479ff..e6e0682e 100644
--- a/examples/networking/ilb-next-hop/main.tf
+++ b/examples/networking/ilb-next-hop/main.tf
@@ -31,10 +31,6 @@ module "project" {
 "compute.googleapis.com",
 "dns.googleapis.com",
 ]
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 }
 module "service-accounts" {
diff --git a/examples/networking/private-cloud-function-from-onprem/main.tf b/examples/networking/private-cloud-function-from-onprem/main.tf
index e7187180..62a59270 100644
--- a/examples/networking/private-cloud-function-from-onprem/main.tf
+++ b/examples/networking/private-cloud-function-from-onprem/main.tf
@@ -24,10 +24,6 @@ module "project" {
 project_create = var.project_create == null ? false : true
 billing_account = try(var.project_create.billing_account_id, null)
 parent = try(var.project_create.parent, null)
- service_config = {
- disable_dependent_services = false
- disable_on_destroy = false
- }
 services = [
 "cloudfunctions.googleapis.com",
 "cloudbuild.googleapis.com",
diff --git a/fast/stages/02-networking-nva/landing.tf b/fast/stages/02-networking-nva/landing.tf
index be5f5197..2738bdc0 100644
--- a/fast/stages/02-networking-nva/landing.tf
+++ b/fast/stages/02-networking-nva/landing.tf
@@ -22,10 +22,6 @@ module "landing-project" {
 name = "prod-net-landing-0"
 parent = var.folder_ids.networking-prod
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "compute.googleapis.com",
 "dns.googleapis.com",
diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
index 225c2829..c7765d51 100644
--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -22,10 +22,6 @@ module "dev-spoke-project" {
 name = "dev-net-spoke-0"
 parent = var.folder_ids.networking-dev
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "compute.googleapis.com",
 "dns.googleapis.com",
diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
index e3fa7c8c..b3fe6acd 100644
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -22,10 +22,6 @@ module "prod-spoke-project" {
 name = "prod-net-spoke-0"
 parent = var.folder_ids.networking-prod
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "compute.googleapis.com",
 "dns.googleapis.com",
diff --git a/fast/stages/02-networking-peering/landing.tf b/fast/stages/02-networking-peering/landing.tf
index 45189ae9..77417d47 100644
--- a/fast/stages/02-networking-peering/landing.tf
+++ b/fast/stages/02-networking-peering/landing.tf
@@ -22,10 +22,6 @@ module "landing-project" {
 name = "prod-net-landing-0"
 parent = var.folder_ids.networking-prod
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "compute.googleapis.com",
 "dns.googleapis.com",
diff --git a/fast/stages/02-networking-peering/spoke-dev.tf b/fast/stages/02-networking-peering/spoke-dev.tf
index 5b6f5d92..586ccf5d 100644
--- a/fast/stages/02-networking-peering/spoke-dev.tf
+++ b/fast/stages/02-networking-peering/spoke-dev.tf
@@ -22,10 +22,6 @@ module "dev-spoke-project" {
 name = "dev-net-spoke-0"
 parent = var.folder_ids.networking-dev
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "container.googleapis.com",
 "compute.googleapis.com",
diff --git a/fast/stages/02-networking-peering/spoke-prod.tf b/fast/stages/02-networking-peering/spoke-prod.tf
index d58bfebc..12385d3e 100644
--- a/fast/stages/02-networking-peering/spoke-prod.tf
+++ b/fast/stages/02-networking-peering/spoke-prod.tf
@@ -22,10 +22,6 @@ module "prod-spoke-project" {
 name = "prod-net-spoke-0"
 parent = var.folder_ids.networking-prod
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "container.googleapis.com",
 "compute.googleapis.com",
diff --git a/fast/stages/02-networking-vpn/landing.tf b/fast/stages/02-networking-vpn/landing.tf
index 45189ae9..77417d47 100644
--- a/fast/stages/02-networking-vpn/landing.tf
+++ b/fast/stages/02-networking-vpn/landing.tf
@@ -22,10 +22,6 @@ module "landing-project" {
 name = "prod-net-landing-0"
 parent = var.folder_ids.networking-prod
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "compute.googleapis.com",
 "dns.googleapis.com",
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index 5b6f5d92..586ccf5d 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -22,10 +22,6 @@ module "dev-spoke-project" {
 name = "dev-net-spoke-0"
 parent = var.folder_ids.networking-dev
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "container.googleapis.com",
 "compute.googleapis.com",
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index d58bfebc..12385d3e 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -22,10 +22,6 @@ module "prod-spoke-project" {
 name = "prod-net-spoke-0"
 parent = var.folder_ids.networking-prod
 prefix = var.prefix
- service_config = {
- disable_on_destroy = false
- disable_dependent_services = false
- }
 services = [
 "container.googleapis.com",
 "compute.googleapis.com",