# Project Module

## Examples
### Minimal example with IAM

```hcl
locals {
  gke_service_account = "my_gke_service_account"
}

module "project" {
  source          = "./modules/project"
  billing_account = "123456-123456-123456"
  name            = "project-example"
  parent          = "folders/1234567890"
  prefix          = "foo"
  services = [
    "container.googleapis.com",
    "stackdriver.googleapis.com"
  ]
  iam = {
    "roles/container.hostServiceAgentUser" = [
      "serviceAccount:${local.gke_service_account}"
    ]
  }
}
# tftest modules=1 resources=4
```
### Minimal example with IAM additive roles

```hcl
module "project" {
  source = "./modules/project"
  name   = "project-example"
  iam_additive = {
    "roles/viewer" = [
      "group:one@example.org", "group:two@example.org"
    ],
    "roles/storage.objectAdmin" = [
      "group:two@example.org"
    ],
    "roles/owner" = [
      "group:three@example.org"
    ],
  }
}
# tftest modules=1 resources=5
```
### Shared VPC service

```hcl
module "project" {
  source = "./modules/project"
  name   = "project-example"
  shared_vpc_service_config = {
    attach       = true
    host_project = "my-host-project"
    service_identity_iam = {
      "roles/compute.networkUser" = [
        "cloudservices", "container-engine"
      ]
      "roles/vpcaccess.user" = [
        "cloudrun"
      ]
      "roles/container.hostServiceAgentUser" = [
        "container-engine"
      ]
    }
  }
}
# tftest modules=1 resources=6
```
### Organization policies

```hcl
module "project" {
  source          = "./modules/project"
  billing_account = "123456-123456-123456"
  name            = "project-example"
  parent          = "folders/1234567890"
  prefix          = "foo"
  services = [
    "container.googleapis.com",
    "stackdriver.googleapis.com"
  ]
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation"   = true
  }
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      inherit_from_parent = null
      suggested_value     = null
      status              = true
      values              = ["projects/my-project"]
    }
  }
}
# tftest modules=1 resources=6
```
### Logging Sinks

```hcl
module "gcs" {
  source        = "./modules/gcs"
  project_id    = var.project_id
  name          = "gcs_sink"
  force_destroy = true
}

module "dataset" {
  source     = "./modules/bigquery-dataset"
  project_id = var.project_id
  id         = "bq_sink"
}

module "pubsub" {
  source     = "./modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "bucket" {
  source      = "./modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
}

module "project-host" {
  source          = "./modules/project"
  name            = "my-project"
  billing_account = "123456-123456-123456"
  parent          = "folders/1234567890"
  logging_sinks = {
    warnings = {
      type          = "storage"
      destination   = module.gcs.name
      filter        = "severity=WARNING"
      iam           = false
      unique_writer = false
      exclusions    = {}
    }
    info = {
      type          = "bigquery"
      destination   = module.dataset.id
      filter        = "severity=INFO"
      iam           = false
      unique_writer = false
      exclusions    = {}
    }
    notice = {
      type          = "pubsub"
      destination   = module.pubsub.id
      filter        = "severity=NOTICE"
      iam           = true
      unique_writer = false
      exclusions    = {}
    }
    debug = {
      type          = "logging"
      destination   = module.bucket.id
      filter        = "severity=DEBUG"
      iam           = true
      unique_writer = false
      exclusions = {
        no-compute = "logName:compute"
      }
    }
  }
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest modules=5 resources=12
```
### Cloud KMS encryption keys

```hcl
module "project" {
  source          = "./modules/project"
  name            = "my-project"
  billing_account = "123456-123456-123456"
  prefix          = "foo"
  services = [
    "compute.googleapis.com",
    "storage.googleapis.com"
  ]
  service_encryption_key_ids = {
    compute = [
      "projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce",
      "projects/kms-central-prj/locations/europe-west4/keyRings/my-keyring/cryptoKeys/europe4-gce"
    ]
    storage = [
      "projects/kms-central-prj/locations/europe/keyRings/my-keyring/cryptoKeys/europe-gcs"
    ]
  }
}
# tftest modules=1 resources=7
```
### Tags

Refer to the Creating and managing tags documentation for details on usage.

```hcl
module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id
  tags = {
    environment = {
      description = "Environment specification."
      iam         = null
      values = {
        dev  = null
        prod = null
      }
    }
  }
}

module "project" {
  source = "./modules/project"
  name   = "test-project"
  tag_bindings = {
    env-prod = module.org.tag_values["environment/prod"].id
    foo      = "tagValues/12345678"
  }
}
# tftest modules=2 resources=6
```
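The following is an added example, not part of the module's own README, that combines several variables documented in the Variables table but not exercised in the examples above (contacts, custom_roles, group_iam, oslogin, lien_reason) into one hardened project baseline. The group and contact addresses are constructed, and the two boolean constraint names are assumed to be valid org policy constraints.

```hcl
module "project" {
  source          = "./modules/project"
  billing_account = "123456-123456-123456"
  name            = "hardened-example"
  parent          = "folders/1234567890"
  prefix          = "foo"
  services = [
    "compute.googleapis.com",
    "logging.googleapis.com"
  ]
  # Essential contacts: SECURITY and SUSPENSION notices go to a monitored
  # mailbox (constructed address) rather than whoever ran terraform apply.
  contacts = {
    "secops@example.org" = ["SECURITY", "SUSPENSION"]
  }
  # Least-privilege custom role created in this project: read-only view of
  # instances without the wider scope of the predefined viewer roles.
  custom_roles = {
    "instanceReadOnly" = [
      "compute.instances.get",
      "compute.instances.list"
    ]
  }
  # Authoritative group bindings: members added to these roles outside
  # Terraform are removed on the next apply, which is the intended drift control.
  group_iam = {
    "gcp-platform-admins@example.org" = ["roles/viewer"]
  }
  # OS Login replaces project-wide SSH metadata keys with IAM-controlled
  # access; admins and users get the roles the module wires up for them.
  oslogin        = true
  oslogin_admins = ["group:gcp-platform-admins@example.org"]
  oslogin_users  = ["group:gcp-developers@example.org"]
  # A lien blocks project deletion until it is explicitly removed.
  lien_reason = "Hosts shared logging infrastructure; do not delete."
  # Assumed constraint names: enforce OS Login at the policy layer and stop
  # long-lived service account keys from being minted in this project.
  policy_boolean = {
    "constraints/compute.requireOsLogin"                = true
    "constraints/iam.disableServiceAccountKeyCreation"  = true
  }
}
```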
## Files

| name | description | resources |
|---|---|---|
| iam.tf | Generic and OSLogin-specific IAM bindings and roles. | google_project_iam_binding · google_project_iam_custom_role · google_project_iam_member |
| logging.tf | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_project_exclusion · google_logging_project_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member |
| main.tf | Module-level locals and resources. | google_compute_project_metadata_item · google_essential_contacts_contact · google_monitoring_monitored_project · google_project · google_project_service · google_resource_manager_lien |
| organization-policies.tf | Project-level organization policies. | google_project_organization_policy |
| outputs.tf | Module outputs. | |
| service-accounts.tf | Service identities and supporting resources. | google_kms_crypto_key_iam_member · google_project_iam_member · google_project_service_identity |
| shared-vpc.tf | Shared VPC project-level configuration. | google_compute_shared_vpc_host_project · google_compute_shared_vpc_service_project · google_project_iam_member |
| tags.tf | None | google_tags_tag_binding |
| variables.tf | Module variables. | |
| versions.tf | Version pins. | |
| vpc-sc.tf | VPC-SC project-level perimeter configuration. | google_access_context_manager_service_perimeter_resource |
## Variables

| name | description | type | required | default |
|---|---|---|---|---|
| name | Project name and id suffix. | string | ✓ | |
| auto_create_network | Whether to create the default network for the project. | bool | | false |
| billing_account | Billing account id. | string | | null |
| contacts | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) | | {} |
| custom_roles | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} |
| descriptive_name | Descriptive project name. When set, it is used as the project name instead of the name variable. | string | | null |
| group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. | map(list(string)) | | {} |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive | IAM additive bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} |
| labels | Resource labels. | map(string) | | {} |
| lien_reason | If non-empty, creates a project lien with this description. | string | | "" |
| logging_exclusions | Logging exclusions for this project in the form {NAME -> FILTER}. | map(string) | | {} |
| logging_sinks | Logging sinks to create for this project. | map(object({…})) | | {} |
| metric_scopes | List of projects that will act as metric scopes for this project. | list(string) | | [] |
| oslogin | Enable OS Login. | bool | | false |
| oslogin_admins | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | list(string) | | [] |
| oslogin_users | List of IAM-style identities that will be granted roles necessary for OS Login users. | list(string) | | [] |
| parent | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string | | null |
| policy_boolean | Map of boolean org policies and enforcement value; set value to null for policy restore. | map(bool) | | {} |
| policy_list | Map of list org policies; status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({…})) | | {} |
| prefix | Prefix used to generate project id and name. | string | | null |
| project_create | Create project. When set to false, uses a data source to reference the existing project. | bool | | true |
| service_config | Configure service API activation. | object({…}) | | {…} |
| service_encryption_key_ids | Cloud KMS encryption keys in {SERVICE => [KEY_URL]} format. | map(list(string)) | | {} |
| service_perimeter_bridges | Names of VPC-SC Bridge perimeters to add the project into. See comment in the variables file for format. | list(string) | | null |
| service_perimeter_standard | Name of the VPC-SC Standard perimeter to add the project into. See comment in the variables file for format. | string | | null |
| services | Service APIs to enable. | list(string) | | [] |
| shared_vpc_host_config | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_config). | object({…}) | | null |
| shared_vpc_service_config | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | null |
| skip_delete | Allows the underlying resources to be destroyed without destroying the project itself. | bool | | false |
| tag_bindings | Tag bindings for this project, in key => tag value id format. | map(string) | | null |
## Outputs