# Project Module
## Examples
### Minimal example with IAM
```hcl
locals {
gke_service_account = "my_gke_service_account"
}
module "project" {
source = "./modules/project"
billing_account = "123456-123456-123456"
name = "project-example"
parent = "folders/1234567890"
prefix = "foo"
services = [
"container.googleapis.com",
"stackdriver.googleapis.com"
]
iam = {
"roles/container.hostServiceAgentUser" = [
"serviceAccount:${local.gke_service_account}"
]
}
}
# tftest:modules=1:resources=4
```
### Minimal example with IAM additive roles
```hcl
module "project" {
source = "./modules/project"
name = "project-example"
iam_additive = {
"roles/viewer" = ["group:one@example.org", "group:two@xample.org"],
"roles/storage.objectAdmin" = ["group:two@example.org"],
"roles/owner" = ["group:three@example.org"],
}
}
# tftest:modules=1:resources=5
```
### Organization policies
```hcl
module "project" {
source = "./modules/project"
billing_account = "123456-123456-123456"
name = "project-example"
parent = "folders/1234567890"
prefix = "foo"
services = [
"container.googleapis.com",
"stackdriver.googleapis.com"
]
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
"constraints/compute.skipDefaultNetworkCreation" = true
}
policy_list = {
"constraints/compute.trustedImageProjects" = {
inherit_from_parent = null
suggested_value = null
status = true
values = ["projects/my-project"]
}
}
}
# tftest:modules=1:resources=6
```
## Logging Sinks
```hcl
module "gcs" {
source = "./modules/gcs"
project_id = var.project_id
name = "gcs_sink"
force_destroy = true
}
module "dataset" {
source = "./modules/bigquery-dataset"
project_id = var.project_id
id = "bq_sink"
}
module "pubsub" {
source = "./modules/pubsub"
project_id = var.project_id
name = "pubsub_sink"
}
module "bucket" {
source = "./modules/logging-bucket"
parent_type = "project"
parent = "my-project"
id = "bucket"
}
module "project-host" {
source = "./modules/project"
name = "my-project"
billing_account = "123456-123456-123456"
parent = "folders/1234567890"
logging_sinks = {
warnings = {
type = "gcs"
destination = module.gcs.name
filter = "severity=WARNING"
iam = false
unique_writer = false
exclusions = {}
}
info = {
type = "bigquery"
destination = module.dataset.id
filter = "severity=INFO"
iam = false
unique_writer = false
exclusions = {}
}
notice = {
type = "pubsub"
destination = module.pubsub.id
filter = "severity=NOTICE"
iam = true
unique_writer = false
exclusions = {}
}
debug = {
type = "logging"
destination = module.bucket.id
filter = "severity=DEBUG"
iam = true
unique_writer = false
exclusions = {
no-compute = "logName:compute"
}
}
}
logging_exclusions = {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest:modules=5:resources=12
```
## Cloud KMS encryption keys
```hcl
module "project" {
source = "./modules/project"
name = "my-project"
billing_account = "123456-123456-123456"
prefix = "foo"
services = [
"compute.googleapis.com",
"storage.googleapis.com"
]
service_encryption_key_ids = {
compute = [
"projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce",
"projects/kms-central-prj/locations/europe-west4/keyRings/my-keyring/cryptoKeys/europe4-gce"
]
storage = [
"projects/kms-central-prj/locations/europe/keyRings/my-keyring/cryptoKeys/europe-gcs"
]
}
}
# tftest:modules=1:resources=7
```
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| name | Project name and id suffix. | string | ✓ | |
| *auto_create_network* | Whether to create the default network for the project | bool | | false |
| *billing_account* | Billing account id. | string | | null |
| *contacts* | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES | map(list(string)) | | {} |
| *custom_roles* | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} |
| *group_iam* | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | map(list(string)) | | {} |
| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| *iam_additive* | IAM additive bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} |
| *labels* | Resource labels. | map(string) | | {} |
| *lien_reason* | If non-empty, creates a project lien with this description. | string | | map(string) | | {} |
| *logging_sinks* | Logging sinks to create for this project. | map(object({...})) | | {} |
| *oslogin* | Enable OS Login. | bool | | false |
| *oslogin_admins* | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | list(string) | | [] |
| *oslogin_users* | List of IAM-style identities that will be granted roles necessary for OS Login users. | list(string) | | [] |
| *parent* | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string | | ... |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) | | {} |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) | | {} |
| *prefix* | Prefix used to generate project id and name. | string | | null |
| *project_create* | Create project. When set to false, uses a data source to reference existing project. | bool | | true |
| *service_config* | Configure service API activation. | object({...}) | | ... |
| *service_encryption_key_ids* | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | map(list(string)) | | {} |
| *service_perimeter_bridges* | Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | list(string) | | null |
| *service_perimeter_standard* | Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | string | | null |
| *services* | Service APIs to enable. | list(string) | | [] |
| *shared_vpc_host_config* | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({...}) | | ... |
| *shared_vpc_service_config* | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({...}) | | ... |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| custom_roles | Ids of the created custom roles. | |
| name | Project name. | |
| number | Project number. | |
| project_id | Project id. | |
| service_accounts | Product robot service accounts in project. | |
| sink_writer_identities | Writer identities created for each sink. | |