cloud-foundation-fabric/modules/project
Ludovico Magnocavallo 7e429425fe
Fix IAM additive (#200)
* Fix wrong iam_additive variable input (#197)

iam_additive variable from Project module expects { "roles" = list(string) } input

Co-authored-by: Emre Turan <emre@unl.global>

* fix project example

Co-authored-by: Emre Turan <turan.emre@gmail.com>
Co-authored-by: Emre Turan <emre@unl.global>
2021-02-16 20:01:18 +01:00
README.md Fix IAM additive (#200) 2021-02-16 20:01:18 +01:00
main.tf Update copyright to 2021 2021-02-15 09:38:10 +01:00
outputs.tf Update copyright to 2021 2021-02-15 09:38:10 +01:00
service_accounts.tf Update copyright to 2021 2021-02-15 09:38:10 +01:00
variables.tf Update copyright to 2021 2021-02-15 09:38:10 +01:00
versions.tf Update copyright to 2021 2021-02-15 09:38:10 +01:00

README.md

Project Module

Examples

Minimal example with IAM

locals {
  gke_service_account = "my_gke_service_account"
}

module "project" {
  source          = "./modules/project"
  billing_account = "123456-123456-123456"
  name            = "project-example"
  parent          = "folders/1234567890"
  prefix          = "foo"
  services        = [
    "container.googleapis.com",
    "stackdriver.googleapis.com"
  ]
  iam = {
    "roles/container.hostServiceAgentUser" = [
      "serviceAccount:${local.gke_service_account}"
    ]
  }
}
# tftest:modules=1:resources=4

Minimal example with IAM additive roles

module "project" {
  source          = "./modules/project"
  name            = "project-example"

  iam_additive = {
    "roles/viewer"               = ["group:one@example.org", "group:two@example.org"],
    "roles/storage.objectAdmin"  = ["group:two@example.org"],
    "roles/owner"                = ["group:three@example.org"],
  }
}
# tftest:modules=1:resources=5
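The difference between `iam` and `iam_additive` above is the one that matters for access control: `iam` is authoritative, so the member list you give for a role becomes the role's whole member list and anything not in it is removed on apply, while `iam_additive` only adds the listed (role, member) pairs and leaves existing members alone. The commit this page records fixed a caller that passed `iam_additive` in the wrong shape (members as keys instead of roles), so shape checking is worth having too. The following Python model is an added example, not the module's own Terraform code; the existing bindings and the functions are constructed here for illustration, and the additive input mirrors the README example above.

```python
"""Model of the IAM binding shapes the project module accepts.

iam                  -> authoritative {ROLE: [MEMBERS]}: replaces the role's member set
iam_additive         -> additive      {ROLE: [MEMBERS]}: adds (role, member) pairs only
iam_additive_members -> additive      {MEMBER: [ROLES]}: the transposed shape

Added example with constructed data; not the module's code.
"""
from collections import defaultdict

# Members that are valid without a "type:" prefix.
UNPREFIXED_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def validate_role_to_members(name, value):
    """Reject input that is not {ROLE => [MEMBERS]}, e.g. a members-keyed map
    passed to iam_additive, which is the mistake the #197/#200 fix addressed."""
    if not isinstance(value, dict):
        raise TypeError(f"{name}: expected a map, got {type(value).__name__}")
    for role, members in value.items():
        if not role.startswith("roles/"):
            raise ValueError(f"{name}: key {role!r} is not a role; expected {{ROLE => [MEMBERS]}}")
        if not isinstance(members, (list, tuple, set)):
            raise TypeError(f"{name}: value for {role!r} must be a list of members")
        for member in members:
            if member not in UNPREFIXED_MEMBERS and ":" not in member:
                raise ValueError(f"{name}: member {member!r} lacks a prefix such as 'group:'")
    return True


def transpose_members_to_roles(iam_additive_members):
    """{MEMBER: [ROLES]} -> {ROLE: [MEMBERS]}, sorted so for_each keys are stable."""
    out = defaultdict(set)
    for member, roles in iam_additive_members.items():
        for role in roles:
            out[role].add(member)
    return {role: sorted(members) for role, members in sorted(out.items())}


def additive_pairs(iam_additive):
    """Unique (role, member) pairs; each becomes one google_project_iam_member,
    which is why the README example above counts resources=5 (project + 4)."""
    return sorted({(role, m) for role, members in iam_additive.items() for m in members})


def apply_bindings(existing, iam=None, iam_additive=None):
    """Resulting {role: [members]} after applying authoritative and additive input."""
    result = {role: set(members) for role, members in existing.items()}
    for role, members in (iam or {}).items():
        result[role] = set(members)                      # authoritative: replace
    for role, members in (iam_additive or {}).items():
        result.setdefault(role, set()).update(members)   # additive: append
    return {role: sorted(m) for role, m in sorted(result.items()) if m}


# Constructed: bindings the project already had before the apply.
EXISTING = {
    "roles/viewer": ["user:alice@example.org"],
    "roles/owner": ["user:root@example.org"],
}

# Same content as the iam_additive example in the README above.
ADDITIVE = {
    "roles/viewer": ["group:one@example.org", "group:two@example.org"],
    "roles/storage.objectAdmin": ["group:two@example.org"],
    "roles/owner": ["group:three@example.org"],
}


def compare():
    """Show what the same map does when passed as iam_additive versus iam."""
    validate_role_to_members("iam_additive", ADDITIVE)
    additive = apply_bindings(EXISTING, iam_additive=ADDITIVE)
    authoritative = apply_bindings(EXISTING, iam=ADDITIVE)
    removed = {
        role: sorted(set(EXISTING.get(role, [])) - set(authoritative.get(role, [])))
        for role in EXISTING
    }
    return additive, authoritative, removed


if __name__ == "__main__":
    add, auth, removed = compare()
    print("additive  :", add)
    print("authoritative:", auth)
    print("members an authoritative apply would remove:", removed)
```

Run as a script it prints that the authoritative form strips `user:root@example.org` from `roles/owner`, which is exactly the kind of change to look for in a plan before applying `iam` to a project that already has bindings managed elsewhere.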

Organization policies

module "project" {
  source          = "./modules/project"
  billing_account = "123456-123456-123456"
  name            = "project-example"
  parent          = "folders/1234567890"
  prefix          = "foo"
  services        = [
    "container.googleapis.com",
    "stackdriver.googleapis.com"
  ]
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation" = true
  }
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      inherit_from_parent = null
      suggested_value = null
      status = true
      values = ["projects/my-project"]
    }
  }
}
# tftest:modules=1:resources=6

Logging Sinks

module "gcs" {
  source        = "./modules/gcs"
  project_id    = var.project_id
  name          = "gcs_sink"
  force_destroy = true
}

module "dataset" {
  source     = "./modules/bigquery-dataset"
  project_id = var.project_id
  id         = "bq_sink"
}

module "pubsub" {
  source     = "./modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "project-host" {
  source          = "./modules/project"
  name            = "my-project"
  billing_account = "123456-123456-123456"
  parent          = "folders/1234567890"
  logging_sinks = {
    warnings = {
      type        = "gcs"
      destination = module.gcs.name
      filter      = "severity=WARNING"
      iam         = false
    }
    info = {
      type        = "bigquery"
      destination = module.dataset.id
      filter      = "severity=INFO"
      iam         = false
    }
    notice = {
      type        = "pubsub"
      destination = module.pubsub.id
      filter      = "severity=NOTICE"
      iam         = true
    }
  }
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest:modules=4:resources=9
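Two things in the sink example above are easy to get wrong: each sink's `filter` decides which entries it receives, and `iam = true` asks the module to grant the sink's writer identity on its destination while `iam = false` leaves that grant to you (the identities are exposed through the `sink_writer_identities` output). The following Python is an added example, not the module's code: it implements a minimal subset of the Logging filter language (`path=value`, `path!=value`, `severity>=LEVEL`, joined by `AND`), routes constructed log entries through the README's sinks and exclusion, and lists the writer grants that still need to be made by hand. The writer roles per destination type are the ones Google documents for log sink destinations and are an assumption here, as is the placeholder writer identity; the treatment of exclusions as independent of sink delivery follows Google's documentation of project-level exclusions and should be checked against your own setup.

```python
"""Added example: route constructed log entries through the README's sinks.
Not the module's code; filter language support is a deliberate subset."""

SEVERITY_ORDER = ["DEFAULT", "DEBUG", "INFO", "NOTICE", "WARNING",
                  "ERROR", "CRITICAL", "ALERT", "EMERGENCY"]

# Assumption: the writer roles Google documents for each destination type.
SINK_WRITER_ROLES = {
    "gcs": "roles/storage.objectCreator",
    "bigquery": "roles/bigquery.dataEditor",
    "pubsub": "roles/pubsub.publisher",
}


def _lookup(entry, path):
    """Resolve a dotted path such as resource.type against a nested dict."""
    cur = entry
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(filter_expr, entry):
    """Evaluate path=value, path!=value and severity>=LEVEL terms joined by AND.
    An empty filter matches every entry, as it does in Cloud Logging."""
    if not filter_expr.strip():
        return True
    for term in filter_expr.split(" AND "):
        term = term.strip()
        if ">=" in term:                      # checked before "=" on purpose
            path, level = (s.strip() for s in term.split(">=", 1))
            actual = _lookup(entry, path)
            if actual not in SEVERITY_ORDER or \
                    SEVERITY_ORDER.index(actual) < SEVERITY_ORDER.index(level):
                return False
        elif "!=" in term:
            path, value = (s.strip() for s in term.split("!=", 1))
            if str(_lookup(entry, path)) == value.strip('"'):
                return False
        elif "=" in term:
            path, value = (s.strip() for s in term.split("=", 1))
            if str(_lookup(entry, path)) != value.strip('"'):
                return False
        else:
            raise ValueError(f"unsupported filter term: {term!r}")
    return True


def route(entry, logging_sinks, logging_exclusions):
    """Which sinks receive the entry, and which exclusions match it."""
    delivered = sorted(n for n, s in logging_sinks.items() if matches(s["filter"], entry))
    excluded = sorted(n for n, f in logging_exclusions.items() if matches(f, entry))
    return {"sinks": delivered, "excluded_by": excluded}


def writer_grants(logging_sinks, writer_identities):
    """Split the grants each writer identity needs into those the module makes
    (iam = true) and those the operator must make by hand (iam = false)."""
    managed, manual = [], []
    for name, sink in sorted(logging_sinks.items()):
        grant = (sink["type"], sink["destination"],
                 SINK_WRITER_ROLES[sink["type"]], writer_identities[name])
        (managed if sink["iam"] else manual).append(grant)
    return managed, manual


# Same sinks and exclusion as the README example above.
LOGGING_SINKS = {
    "warnings": {"type": "gcs", "destination": "gcs_sink", "filter": "severity=WARNING", "iam": False},
    "info": {"type": "bigquery", "destination": "bq_sink", "filter": "severity=INFO", "iam": False},
    "notice": {"type": "pubsub", "destination": "pubsub_sink", "filter": "severity=NOTICE", "iam": True},
}
LOGGING_EXCLUSIONS = {"no-gce-instances": "resource.type=gce_instance"}

# Constructed placeholder identities standing in for the sink_writer_identities output.
WRITER_IDENTITIES = {n: f"serviceAccount:PLACEHOLDER-{n}@example.invalid" for n in LOGGING_SINKS}

# Constructed log entries.
GCE_WARNING = {"severity": "WARNING", "resource": {"type": "gce_instance"}, "textPayload": "disk almost full"}
GKE_NOTICE = {"severity": "NOTICE", "resource": {"type": "k8s_container"}, "textPayload": "pod scheduled"}

if __name__ == "__main__":
    for e in (GCE_WARNING, GKE_NOTICE):
        print(e["textPayload"], "->", route(e, LOGGING_SINKS, LOGGING_EXCLUSIONS))
    managed, manual = writer_grants(LOGGING_SINKS, WRITER_IDENTITIES)
    print("granted by module:", managed)
    print("grant by hand    :", manual)
```

The `manual` list is the checklist for the `iam = false` sinks: until those writer identities are granted on `gcs_sink` and `bq_sink`, entries matching `severity=WARNING` and `severity=INFO` are routed but cannot be delivered.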

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| name | Project name and id suffix. | string | ✓ | |
| auto_create_network | Whether to create the default network for the project. | bool | | false |
| billing_account | Billing account id. | string | | null |
| custom_roles | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(set(string)) | | {} |
| iam_additive | IAM additive bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} |
| labels | Resource labels. | map(string) | | {} |
| lien_reason | If non-empty, creates a project lien with this description. | string | | |
| logging_exclusions | Logging exclusions for this project in the form {NAME -> FILTER}. | map(string) | | {} |
| logging_sinks | Logging sinks to create for this project. | map(object({...})) | | {} |
| oslogin | Enable OS Login. | bool | | false |
| oslogin_admins | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | list(string) | | [] |
| oslogin_users | List of IAM-style identities that will be granted roles necessary for OS Login users. | list(string) | | [] |
| parent | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string | | ... |
| policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) | | {} |
| policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) | | {} |
| prefix | Prefix used to generate project id and name. | string | | null |
| project_create | Create project. When set to false, uses a data source to reference existing project. | bool | | true |
| service_config | Configure service API activation. | object({...}) | | ... |
| services | Service APIs to enable. | list(string) | | [] |
| shared_vpc_host_config | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({...}) | | ... |
| shared_vpc_service_config | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({...}) | | ... |

Outputs

| name | description | sensitive |
|---|---|---|
| custom_roles | Ids of the created custom roles. | |
| name | Project name. | |
| number | Project number. | |
| project_id | Project id. | |
| service_accounts | Product robot service accounts in project. | |
| sink_writer_identities | None | |