cloud-foundation-fabric/blueprints/factories/project-factory

Latest commit e141b86f79 by Pierre Formont, 2023-09-08 10:27:46 +00:00:
merge labels from data_merges in project factory (#1662)
* merge labels from data_merges in project factory
* fix project factory test for labels

Files in this directory:
  • README.md: Fix project factory blueprint and fast stage (#1654), 2023-09-07 12:48:39 +00:00
  • factory.tf: Fix project factory blueprint and fast stage (#1654), 2023-09-07 12:48:39 +00:00
  • main.tf: merge labels from data_merges in project factory (#1662), 2023-09-08 10:27:46 +00:00
  • outputs.tf: IAM interface refactor (#1595), 2023-08-20 09:44:20 +02:00
  • variables.tf: Fix project factory blueprint and fast stage (#1654), 2023-09-07 12:48:39 +00:00

README.md

Project Factory

This is a working example of how to manage project creation at scale by wrapping the project module and driving it via external data, either provided directly or parsed from YAML files.

The wrapping layer around the project module is intentionally thin, so that

  • all the features of the project module are available
  • no "magic" or hidden side effects are implemented in code
  • debugging and integration of new features is simple

The code is meant to be executed by a high-level service account with powerful permissions:

  • Shared VPC connection if service project attachment is desired
  • project creation on the nodes (folder or org) where projects will be defined

The module also supports optional creation of specific resources that are usually part of the project creation flow:

  • service accounts used for VM instances, and associated basic roles
  • KMS key encrypt/decrypt permissions for service identities in the project
  • membership in VPC SC standard or bridge perimeters

Compared to the previous version of this code, network-related resources (DNS zones, VPC subnets, etc.) have been removed: they are not typically in scope for the team that manages project creation, and adding them back when needed requires only a few trivial code changes.

Example

module "project-factory" {
  source = "./fabric/blueprints/factories/project-factory"
  data_defaults = {
    billing_account = "012345-67890A-ABCDEF"
  }
  data_merges = {
    labels = {
      environment = "test"
    }
    services = [
      "stackdriver.googleapis.com"
    ]
  }
  data_overrides = {
    contacts = {
      "admin@example.com" = ["ALL"]
    }
    prefix = "test-pf"
  }
  factory_data = {
    data_path = "data"
  }
}
# tftest modules=6 resources=12 files=prj-app-1,prj-app-2 inventory=example.yaml
billing_account: 012345-67890A-BCDEF0
labels:
 app: app-1
 team: foo
parent: folders/12345678
service_encryption_key_ids:
 compute:
 - projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce
services:
- storage.googleapis.com
service_accounts:
  app-1-be: {}
  app-1-fe: {}

# tftest-file id=prj-app-1 path=data/prj-app-1.yaml
labels:
 app: app-1
 team: foo
parent: folders/12345678
service_accounts:
  app-2-be: {}

# tftest-file id=prj-app-2 path=data/prj-app-2.yaml

Variables

  • factory_data (object({…}), required): Project data from either YAML files or externally parsed data.
  • data_defaults (object({…}), default {}): Optional default values used when corresponding project data from files are missing.
  • data_merges (object({…}), default {}): Optional values that will be merged with corresponding data from files. Combines with data_defaults, file data, and data_overrides.
  • data_overrides (object({…}), default {}): Optional values that override corresponding data from files. Takes precedence over file data and data_defaults.
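The three inputs above form a precedence chain: data_defaults fill gaps, file data wins over defaults, data_merges are combined into map and list attributes such as labels and services (the behaviour the latest commit fixes for labels), and data_overrides replace an attribute unconditionally. The Python below is an added model of that chain, not the blueprint's own Terraform code; it resolves the two YAML files from the example (embedded as already-parsed dicts) against the example's module inputs, and adds a small lint, clobbered_keys, that reports which keys a file author set that the central overrides will silently replace. The exact merge semantics (map keys from data_merges winning on collision, list union with order preserved, overrides replacing whole attributes) are assumptions stated in the code.

```python
"""Model of the project factory's data precedence for each project file.

Added illustration, not the blueprint's Terraform code. It assumes the
README's ordering: data_defaults < file data < data_merges < data_overrides,
with data_merges combined into (not replacing) map and list attributes.
"""
from copy import deepcopy

# Constructed sample input: the two YAML files from the README, as parsed dicts.
FILE_DATA = {
    "prj-app-1": {
        "billing_account": "012345-67890A-BCDEF0",
        "labels": {"app": "app-1", "team": "foo"},
        "parent": "folders/12345678",
        "service_encryption_key_ids": {
            "compute": [
                "projects/kms-central-prj/locations/europe-west3/keyRings/"
                "my-keyring/cryptoKeys/europe3-gce"
            ]
        },
        "services": ["storage.googleapis.com"],
        "service_accounts": {"app-1-be": {}, "app-1-fe": {}},
    },
    "prj-app-2": {
        "labels": {"app": "app-1", "team": "foo"},
        "parent": "folders/12345678",
        "service_accounts": {"app-2-be": {}},
    },
}

# The three module inputs from the README example.
DATA_DEFAULTS = {"billing_account": "012345-67890A-ABCDEF"}
DATA_MERGES = {
    "labels": {"environment": "test"},
    "services": ["stackdriver.googleapis.com"],
}
DATA_OVERRIDES = {
    "contacts": {"admin@example.com": ["ALL"]},
    "prefix": "test-pf",
}


def resolve_project(file_data, defaults, merges, overrides):
    """Return the effective attributes of one project.

    Assumed precedence: defaults apply only where the file is silent, merges
    are unioned with whatever is present, overrides replace the attribute.
    """
    project = deepcopy(defaults)
    project.update(deepcopy(file_data))        # file data beats defaults
    for key, value in merges.items():
        current = project.get(key)
        if isinstance(value, dict):
            combined = dict(current or {})
            combined.update(value)             # merge keys win on collision (assumption)
            project[key] = combined
        elif isinstance(value, list):
            combined = list(current or [])
            combined.extend(v for v in value if v not in combined)  # union, order kept
            project[key] = combined
        else:
            project[key] = value
    project.update(deepcopy(overrides))        # overrides beat everything
    return project


def resolve_all(files, defaults, merges, overrides):
    """Resolve every project file, keyed by file name."""
    return {
        name: resolve_project(data, defaults, merges, overrides)
        for name, data in files.items()
    }


def clobbered_keys(files, overrides):
    """Map file name -> keys the file sets that data_overrides replaces.

    A pre-apply lint: a file author who writes their own `prefix` or
    `contacts` gets the centrally enforced value instead, and this surfaces
    that without reading plan output. Files with nothing clobbered are omitted.
    """
    return {
        name: sorted(k for k in data if k in overrides)
        for name, data in files.items()
        if any(k in overrides for k in data)
    }


if __name__ == "__main__":
    resolved = resolve_all(FILE_DATA, DATA_DEFAULTS, DATA_MERGES, DATA_OVERRIDES)
    for name, project in resolved.items():
        print(name, project["billing_account"], project["labels"], project["services"])
    print("clobbered by overrides:", clobbered_keys(FILE_DATA, DATA_OVERRIDES))
```

Running it shows prj-app-1 keeping its own billing account while prj-app-2 falls back to the default, both projects ending up with the environment label and the stackdriver service in addition to what their files declared, and both receiving the forced contacts and prefix.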

Outputs

  • projects: Project module outputs.
  • service_accounts: Service account emails.