Project Module
Examples
Minimal example with IAM
module "project" {
source = "./modules/project"
billing_account = "123456-123456-123456"
name = "project-example"
parent = "folders/1234567890"
prefix = "foo"
services = [
"container.googleapis.com",
"stackdriver.googleapis.com"
]
iam_roles = ["roles/container.hostServiceAgentUser"]
iam_members = {
"roles/container.hostServiceAgentUser" = [
"serviceAccount:${var.gke_service_account}"
]
}
}
Minimal example with IAM additive roles
module "project" {
source = "./modules/project"
name = "project-example"
project_create = false
iam_additive_bindings = {
"group:usergroup_watermlon_experimentation@lemonadeinc.io" = [
"roles/viewer",
"roles/storage.objectAdmin"
],
"group:usergroup_gcp_admin@lemonadeinc.io" = [
"roles/owner",
],
"group:usergroup_gcp_privilege_access@lemonadeinc.io" = [
"roles/editor"
],
"group:engineering@lemonadeinc.io" = [
"roles/pubsub.subscriber",
"roles/storage.objectViewer"
],
}
}
Organization policies
module "project" {
source = "./modules/project"
billing_account = "123456-123456-123456"
name = "project-example"
parent = "folders/1234567890"
prefix = "foo"
services = [
"container.googleapis.com",
"stackdriver.googleapis.com"
]
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
"constraints/compute.skipDefaultNetworkCreation" = true
}
policy_list = {
"constraints/compute.trustedImageProjects" = {
inherit_from_parent = null
suggested_value = null
status = true
values = ["projects/my-project"]
}
}
}
Variables
| name |
description |
type |
required |
default |
| name |
Project name and id suffix. |
string |
✓ |
|
| auto_create_network |
Whether to create the default network for the project |
bool |
|
false |
| billing_account |
Billing account id. |
string |
|
null |
| custom_roles |
Map of role name => list of permissions to create in this project. |
map(list(string)) |
|
{} |
| iam_additive_bindings |
Map of roles lists used to set non authoritative bindings, keyed by members |
map(list(string)) |
|
{} |
| iam_members |
Map of member lists used to set authoritative bindings, keyed by role. |
map(list(string)) |
|
{} |
| iam_roles |
List of roles used to set authoritative bindings. |
list(string) |
|
[] |
| labels |
Resource labels. |
map(string) |
|
{} |
| lien_reason |
If non-empty, creates a project lien with this description. |
string |
|
|
| oslogin |
Enable OS Login. |
bool |
|
false |
| oslogin_admins |
List of IAM-style identities that will be granted roles necessary for OS Login administrators. |
list(string) |
|
[] |
| oslogin_users |
List of IAM-style identities that will be granted roles necessary for OS Login users. |
list(string) |
|
[] |
| parent |
Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. |
string |
|
null |
| policy_boolean |
Map of boolean org policies and enforcement value, set value to null for policy restore. |
map(bool) |
|
{} |
| policy_list |
Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. |
map(object({...})) |
|
{} |
| prefix |
Prefix used to generate project id and name. |
string |
|
null |
| project_create |
Create project. When set to false, uses a data source to reference existing project. |
bool |
|
true |
| service_config |
Configure service API activation. |
object({...}) |
|
... |
| services |
Service APIs to enable. |
list(string) |
|
[] |
| shared_vpc_config |
Configure Shared VPC for project. |
object({...}) |
|
... |
Outputs
| name |
description |
sensitive |
| custom_roles |
Ids of the created custom roles. |
|
| name |
Project name. |
|
| number |
Project number. |
|
| project_id |
Project id. |
|
| service_accounts |
Product robot service accounts in project. |
|
67d03fd07c