Fix tests
parent
73f89256ea
commit
c714952f39
|
@ -68,7 +68,7 @@ module "projects" {
|
||||||
iam = try(each.value.iam, {})
|
iam = try(each.value.iam, {})
|
||||||
kms_service_agents = try(each.value.kms, {})
|
kms_service_agents = try(each.value.kms, {})
|
||||||
labels = try(each.value.labels, {})
|
labels = try(each.value.labels, {})
|
||||||
org_policies = try(each.value.org_policies, null)
|
org_policies = try(each.value.org_policies, {})
|
||||||
service_accounts = try(each.value.service_accounts, {})
|
service_accounts = try(each.value.service_accounts, {})
|
||||||
services = try(each.value.services, [])
|
services = try(each.value.services, [])
|
||||||
service_identities_iam = try(each.value.service_identities_iam, {})
|
service_identities_iam = try(each.value.service_identities_iam, {})
|
||||||
|
@ -153,16 +153,13 @@ labels:
|
||||||
environment: prod
|
environment: prod
|
||||||
|
|
||||||
# [opt] Org policy overrides defined at project level
|
# [opt] Org policy overrides defined at project level
|
||||||
org_policies:
|
org_policies:
|
||||||
policy_boolean:
|
constraints/compute.disableGuestAttributesAccess:
|
||||||
constraints/compute.disableGuestAttributesAccess: true
|
enforce: true
|
||||||
policy_list:
|
constraints/compute.trustedImageProjects:
|
||||||
constraints/compute.trustedImageProjects:
|
allow:
|
||||||
inherit_from_parent: null
|
|
||||||
status: true
|
|
||||||
suggested_value: null
|
|
||||||
values:
|
values:
|
||||||
- projects/fast-prod-iac-core-0
|
- projects/fast-dev-iac-core-0
|
||||||
|
|
||||||
# [opt] Service account to create for the project and their roles on the project
|
# [opt] Service account to create for the project and their roles on the project
|
||||||
# in name => [roles] format
|
# in name => [roles] format
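Review bot: The `values:` entry near the end of the hunk appears to change the README example for the `environment: prod` project from `- projects/fast-prod-iac-core-0` to `- projects/fast-dev-iac-core-0`, while the surrounding change is only the schema migration from `policy_list`/`policy_boolean` to the keyed `allow:`/`enforce:` form. `constraints/compute.trustedImageProjects` is the allowlist of projects that VM images may be sourced from, so a prod example pointing at the dev IaC project reads like a copy-paste from the dev sample files rather than a deliberate choice; if it was changed only to line up with test fixtures, keep the prod value in the README and adjust the fixture instead. The comment above could also tell readers which shape applies to which constraint kind, e.g. `# [opt] Org policy overrides defined at project level, keyed by constraint name: boolean constraints take enforce, list constraints take allow/deny`.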
|
||||||
|
@ -221,7 +218,7 @@ vpc:
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | |
|
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | |
|
||||||
| [project_id](variables.tf#L119) | Project id. | <code>string</code> | ✓ | |
|
| [project_id](variables.tf#L145) | Project id. | <code>string</code> | ✓ | |
|
||||||
| [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })">object({…})</code> | | <code>null</code> |
|
| [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [defaults](variables.tf#L35) | Project factory default values. | <code title="object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })">object({…})</code> | | <code>null</code> |
|
| [defaults](variables.tf#L35) | Project factory default values. | <code title="object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [dns_zones](variables.tf#L57) | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list(string)</code> | | <code>[]</code> |
|
| [dns_zones](variables.tf#L57) | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
|
@ -231,13 +228,13 @@ vpc:
|
||||||
| [iam](variables.tf#L81) | Custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [iam](variables.tf#L81) | Custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [kms_service_agents](variables.tf#L87) | KMS IAM configuration in as service => [key]. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [kms_service_agents](variables.tf#L87) | KMS IAM configuration in as service => [key]. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [labels](variables.tf#L93) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
| [labels](variables.tf#L93) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
| [org_policies](variables.tf#L99) | Org-policy overrides at project level. | <code title="object({ policy_boolean = map(bool) policy_list = map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) })) })">object({…})</code> | | <code>null</code> |
|
| [org_policies](variables.tf#L99) | Org-policy overrides at project level. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [prefix](variables.tf#L113) | Prefix used for the project id. | <code>string</code> | | <code>null</code> |
|
| [prefix](variables.tf#L139) | Prefix used for the project id. | <code>string</code> | | <code>null</code> |
|
||||||
| [service_accounts](variables.tf#L124) | Service accounts to be created, and roles assigned them on the project. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [service_accounts](variables.tf#L150) | Service accounts to be created, and roles assigned them on the project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [service_accounts_iam](variables.tf#L130) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]} | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
| [service_accounts_iam](variables.tf#L156) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]} | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||||
| [service_identities_iam](variables.tf#L144) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [service_identities_iam](variables.tf#L164) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [services](variables.tf#L137) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
| [services](variables.tf#L171) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [vpc](variables.tf#L151) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
| [vpc](variables.tf#L178) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -148,9 +148,8 @@ module "project" {
|
||||||
contacts = { for c in local.essential_contacts : c => ["ALL"] }
|
contacts = { for c in local.essential_contacts : c => ["ALL"] }
|
||||||
iam = local.iam
|
iam = local.iam
|
||||||
labels = local.labels
|
labels = local.labels
|
||||||
|
org_policies = try(var.org_policies, {})
|
||||||
parent = var.folder_id
|
parent = var.folder_id
|
||||||
policy_boolean = try(var.org_policies.policy_boolean, {})
|
|
||||||
policy_list = try(var.org_policies.policy_list, {})
|
|
||||||
service_encryption_key_ids = var.kms_service_agents
|
service_encryption_key_ids = var.kms_service_agents
|
||||||
services = local.services
|
services = local.services
|
||||||
shared_vpc_service_config = var.vpc == null ? null : {
|
shared_vpc_service_config = var.vpc == null ? null : {
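Review bot: `org_policies = try(var.org_policies, {})` wraps a plain variable reference in `try()`, which never raises for a declared variable, so the `{}` fallback is dead code and obscures that `var.org_policies` already carries `default = {}` and `nullable = false` in this commit's variables.tf. Passing it directly, `org_policies = var.org_policies`, is clearer and matches the neighbouring `service_encryption_key_ids = var.kms_service_agents` line. The `module "project"` block starts before this hunk and continues after it.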
|
||||||
|
|
|
@ -48,13 +48,10 @@ labels:
|
||||||
|
|
||||||
# [opt] Org policy overrides defined at project level
|
# [opt] Org policy overrides defined at project level
|
||||||
org_policies:
|
org_policies:
|
||||||
policy_boolean:
|
constraints/compute.disableGuestAttributesAccess:
|
||||||
constraints/compute.disableGuestAttributesAccess: true
|
enforce: true
|
||||||
policy_list:
|
constraints/compute.trustedImageProjects:
|
||||||
constraints/compute.trustedImageProjects:
|
allow:
|
||||||
inherit_from_parent: null
|
|
||||||
status: true
|
|
||||||
suggested_value: null
|
|
||||||
values:
|
values:
|
||||||
- projects/fast-dev-iac-core-0
|
- projects/fast-dev-iac-core-0
|
||||||
|
|
||||||
|
|
|
@ -98,16 +98,42 @@ variable "labels" {
|
||||||
|
|
||||||
variable "org_policies" {
|
variable "org_policies" {
|
||||||
description = "Org-policy overrides at project level."
|
description = "Org-policy overrides at project level."
|
||||||
type = object({
|
type = map(object({
|
||||||
policy_boolean = map(bool)
|
inherit_from_parent = optional(bool) # for list policies only.
|
||||||
policy_list = map(object({
|
reset = optional(bool)
|
||||||
inherit_from_parent = bool
|
|
||||||
suggested_value = string
|
# default (unconditional) values
|
||||||
status = bool
|
allow = optional(object({
|
||||||
values = list(string)
|
all = optional(bool)
|
||||||
|
values = optional(list(string))
|
||||||
}))
|
}))
|
||||||
})
|
deny = optional(object({
|
||||||
default = null
|
all = optional(bool)
|
||||||
|
values = optional(list(string))
|
||||||
|
}))
|
||||||
|
enforce = optional(bool, true) # for boolean policies only.
|
||||||
|
|
||||||
|
# conditional values
|
||||||
|
rules = optional(list(object({
|
||||||
|
allow = optional(object({
|
||||||
|
all = optional(bool)
|
||||||
|
values = optional(list(string))
|
||||||
|
}))
|
||||||
|
deny = optional(object({
|
||||||
|
all = optional(bool)
|
||||||
|
values = optional(list(string))
|
||||||
|
}))
|
||||||
|
enforce = optional(bool, true) # for boolean policies only.
|
||||||
|
condition = object({
|
||||||
|
description = optional(string)
|
||||||
|
expression = optional(string)
|
||||||
|
location = optional(string)
|
||||||
|
title = optional(string)
|
||||||
|
})
|
||||||
|
})), [])
|
||||||
|
}))
|
||||||
|
default = {}
|
||||||
|
nullable = false
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "prefix" {
|
variable "prefix" {
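Review bot: The new `org_policies` type lets a single entry combine fields that its own comments mark as mutually exclusive (`enforce` "for boolean policies only", `inherit_from_parent` "for list policies only", plus `reset`), and nothing in the variable rejects contradictory entries, so a mistake such as an `allow:` block under a boolean constraint is only caught at apply time, if at all. A `validation` block on the variable would fail at plan time; the one below rejects `reset = true` combined with any `allow`/`deny`/`rules`, which is the combination I am fairly sure the Org Policy API refuses — confirm against the API docs before also adding a boolean-vs-list check. The one-line description should also state that `enforce` defaults to `true` for every entry, so a boolean constraint listed with an empty body is enforced, e.g. `description = "Org-policy overrides at project level, keyed by constraint name. Boolean constraints use enforce (default true), list constraints use allow/deny; reset = true restores the constraint default."`.
```hcl
variable "org_policies" {
  # … unchanged: description and type …
  validation {
    condition = alltrue([
      for name, policy in var.org_policies :
      !(coalesce(policy.reset, false) && (
        policy.allow != null || policy.deny != null || length(policy.rules) > 0
      ))
    ])
    error_message = "org_policies entries with reset = true cannot also set allow, deny or rules."
  }
  # … unchanged: default = {}, nullable = false, closing brace …
```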
|
||||||
|
@ -134,12 +160,6 @@ variable "service_accounts_iam" {
|
||||||
nullable = false
|
nullable = false
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "services" {
|
|
||||||
description = "Services to be enabled for the project."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
nullable = false
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "service_identities_iam" {
|
variable "service_identities_iam" {
|
||||||
description = "Custom IAM settings for service identities in service => [role] format."
|
description = "Custom IAM settings for service identities in service => [role] format."
|
||||||
|
@ -148,6 +168,13 @@ variable "service_identities_iam" {
|
||||||
nullable = false
|
nullable = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "services" {
|
||||||
|
description = "Services to be enabled for the project."
|
||||||
|
type = list(string)
|
||||||
|
default = []
|
||||||
|
nullable = false
|
||||||
|
}
|
||||||
|
|
||||||
variable "vpc" {
|
variable "vpc" {
|
||||||
description = "VPC configuration for the project."
|
description = "VPC configuration for the project."
|
||||||
type = object({
|
type = object({
|
||||||
|
@ -160,6 +187,3 @@ variable "vpc" {
|
||||||
})
|
})
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -48,13 +48,10 @@ labels:
|
||||||
|
|
||||||
# [opt] Org policy overrides defined at project level
|
# [opt] Org policy overrides defined at project level
|
||||||
org_policies:
|
org_policies:
|
||||||
policy_boolean:
|
constraints/compute.disableGuestAttributesAccess:
|
||||||
constraints/compute.disableGuestAttributesAccess: true
|
enforce: true
|
||||||
policy_list:
|
constraints/compute.trustedImageProjects:
|
||||||
constraints/compute.trustedImageProjects:
|
allow:
|
||||||
inherit_from_parent: null
|
|
||||||
status: true
|
|
||||||
suggested_value: null
|
|
||||||
values:
|
values:
|
||||||
- projects/fast-dev-iac-core-0
|
- projects/fast-dev-iac-core-0
|
||||||
|
|
||||||
|
|
|
@ -318,7 +318,7 @@ module "org" {
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| [organization_id](variables.tf#L151) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
| [organization_id](variables.tf#L191) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||||
|
@ -333,7 +333,7 @@ module "org" {
|
||||||
| [iam_bindings_authoritative](variables.tf#L116) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map(list(string))</code> | | <code>null</code> |
|
| [iam_bindings_authoritative](variables.tf#L116) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map(list(string))</code> | | <code>null</code> |
|
||||||
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
| [logging_sinks](variables.tf#L129) | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string include_children = bool bq_partitioned_table = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [logging_sinks](variables.tf#L129) | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string include_children = bool bq_partitioned_table = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [org_policies](variables.tf#L160) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [org_policies](variables.tf#L151) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [tag_bindings](variables.tf#L200) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
| [tag_bindings](variables.tf#L200) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||||
| [tags](variables.tf#L206) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = string iam = map(list(string)) values = map(object({ description = string iam = map(list(string)) })) }))">map(object({…}))</code> | | <code>null</code> |
|
| [tags](variables.tf#L206) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = string iam = map(list(string)) values = map(object({ description = string iam = map(list(string)) })) }))">map(object({…}))</code> | | <code>null</code> |
|
||||||
|
|
||||||
|
@ -346,8 +346,8 @@ module "org" {
|
||||||
| [firewall_policies](outputs.tf#L36) | Map of firewall policy resources created in the organization. | |
|
| [firewall_policies](outputs.tf#L36) | Map of firewall policy resources created in the organization. | |
|
||||||
| [firewall_policy_id](outputs.tf#L41) | Map of firewall policy ids created in the organization. | |
|
| [firewall_policy_id](outputs.tf#L41) | Map of firewall policy ids created in the organization. | |
|
||||||
| [organization_id](outputs.tf#L46) | Organization id dependent on module resources. | |
|
| [organization_id](outputs.tf#L46) | Organization id dependent on module resources. | |
|
||||||
| [sink_writer_identities](outputs.tf#L64) | Writer identities created for each sink. | |
|
| [sink_writer_identities](outputs.tf#L63) | Writer identities created for each sink. | |
|
||||||
| [tag_keys](outputs.tf#L72) | Tag key resources. | |
|
| [tag_keys](outputs.tf#L71) | Tag key resources. | |
|
||||||
| [tag_values](outputs.tf#L79) | Tag value resources. | |
|
| [tag_values](outputs.tf#L78) | Tag value resources. | |
|
||||||
|
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -148,15 +148,6 @@ variable "logging_sinks" {
|
||||||
nullable = false
|
nullable = false
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "organization_id" {
|
|
||||||
description = "Organization id in organizations/nnnnnn format."
|
|
||||||
type = string
|
|
||||||
validation {
|
|
||||||
condition = can(regex("^organizations/[0-9]+", var.organization_id))
|
|
||||||
error_message = "The organization_id must in the form organizations/nnn."
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "org_policies" {
|
variable "org_policies" {
|
||||||
description = "Organization policies applied to this organization keyed by policy name."
|
description = "Organization policies applied to this organization keyed by policy name."
|
||||||
type = map(object({
|
type = map(object({
|
||||||
|
@ -197,6 +188,15 @@ variable "org_policies" {
|
||||||
nullable = false
|
nullable = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "organization_id" {
|
||||||
|
description = "Organization id in organizations/nnnnnn format."
|
||||||
|
type = string
|
||||||
|
validation {
|
||||||
|
condition = can(regex("^organizations/[0-9]+", var.organization_id))
|
||||||
|
error_message = "The organization_id must in the form organizations/nnn."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
variable "tag_bindings" {
|
variable "tag_bindings" {
|
||||||
description = "Tag bindings for this organization, in key => tag value id format."
|
description = "Tag bindings for this organization, in key => tag value id format."
|
||||||
type = map(string)
|
type = map(string)
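Review bot: The `organization_id` validation regex `^organizations/[0-9]+` is anchored only at the start, so values such as `organizations/123abc` or `organizations/123/extra` pass and are then presumably used as the parent for everything the module creates. These lines are only moved by this commit, but since they land here as new text it is worth tightening them to `condition = can(regex("^organizations/[0-9]+$", var.organization_id))` and fixing the message to `error_message = "The organization_id must be in the form organizations/nnn."`. The `tag_bindings` variable at the bottom continues past the end of the hunk.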
|
||||||
|
|