b3df6598d4
|
||
|---|---|---|
| .. | ||
| README.md | ||
| backend.tf.sample | ||
| diagram.png | ||
| locals.tf | ||
| main.tf | ||
| outputs.tf | ||
| providers.tf | ||
| variables.tf | ||
| versions.tf | ||
README.md
Environment-based organizational sample
This sample creates an organizational layout with a single level, where each folder is usually mapped to one infrastructure environment (test, dev, etc.). It also sets up all prerequisites for automation (GCS state buckets, service accounts, etc.), and the correct roles on those to enforce separation of duties at the environment level.
This layout is well suited for medium-sized infrastructures managed by a small set of teams, where the complexity in application resource ownership and access roles is mostly dealt with at the project level, and/or in the individual services (GKE, Cloud SQL, etc.). Its simplicity also makes it a good starting point for more complex or specialized layouts.
Refer to the section-level README for general considerations about this type of samples, and usage instructions.
Managed resources and services
This sample creates several distinct groups of resources:
- one folder per environment
- one top-level project to hold Terraform-related resources
- one top-level project to set up and host centralized audit log exports (optional)
- one top-level shared services project
The number of resources in this sample is kept to a minimum so as to make it generally applicable, more resources can be easily added by leveraging other modules from our bundle, or from other sources like the CFT suite.
Shared services project
This sample contains a single, top-level project used to host services shared across environments (eg GCS, GCR, KMS, Cloud Build, etc.). In our experience, that is enough for many customers, especially those using this organizational layout.
For more complex setups where multiple shared services projects are needed to encapsulate a larger number of resources, shared services should be treated as an extra environment so that they can be managed by a dedicated set of Terraform files, using a separate service account and GCS bucket, with a folder to contain shared projects.
If no shared services are needed, the shared service project module can of course be removed from main.tf.
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| billing_account_id | Billing account id used as to create projects. | string |
✓ | |
| environments | Environment short names. | list(string) |
✓ | |
| organization_id | Organization id in organizations/nnnnnnnn format. | string |
✓ | |
| prefix | Prefix used for resources that need unique names. | string |
✓ | |
| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | string |
✓ | |
| audit_filter | Audit log filter used for the log sink. | string |
... |
|
| gcs_location | GCS bucket location. | string |
EU |
|
| iam_assets_editors | Shared assets project editors, in IAM format. | list(string) |
[] |
|
| iam_assets_owners | Shared assets project owners, in IAM format. | list(string) |
[] |
|
| iam_audit_viewers | Audit project viewers, in IAM format. | list(string) |
[] |
|
| iam_billing_config | Control granting billing user role to service accounts. Target the billing account by default. | object({...}) |
... |
|
| iam_folder_roles | List of roles granted to each service account on its respective folder (excluding XPN roles). | list(string) |
... |
|
| iam_sharedsvc_owners | Shared services project owners, in IAM format. | list(string) |
[] |
|
| iam_terraform_owners | Terraform project owners, in IAM format. | list(string) |
[] |
|
| iam_xpn_config | Control granting Shared VPC creation roles to service accounts. Target the root node by default. | object({...}) |
... |
|
| project_services | Service APIs enabled by default in new projects. | list(string) |
... |
|
| service_account_keys | Generate and store service account keys in the state file. | bool |
true |
Outputs
| name | description | sensitive |
|---|---|---|
| audit_logs_bq_dataset | Bigquery dataset for the audit logs export. | |
| audit_logs_project | Project that holds the audit logs export resources. | |
| bootstrap_tf_gcs_bucket | GCS bucket used for the bootstrap Terraform state. | |
| environment_folders | Top-level environment folders. | |
| environment_service_account_keys | Service account keys used to run each environment Terraform modules. | ✓ |
| environment_service_accounts | Service accounts used to run each environment Terraform modules. | |
| environment_tf_gcs_buckets | GCS buckets used for each environment Terraform state. | |
| shared_services_project | Project that holdes resources shared across environments. | |
| terraform_project | Project that holds the base Terraform resources. |