cloud-foundation-fabric/modules

Terraform modules suite for Google Cloud

The modules collected in this folder are designed as a suite: they are meant to be composed together, and are designed to be forked and modified where use of third party code and sources is not allowed.

Modules try to stay close to the low level provider resources they encapsulate, and they all share a similar interface that combines management of one resource or set or resources, and the corresponding IAM bindings.

Authoritative IAM bindings are primarily used (e.g. google_storage_bucket_iam_binding for GCS buckets) so that each module is authoritative for specific roles on the resources it manages, and can neutralize or reconcile IAM changes made elsewhere.

Specific modules also offer support for non-authoritative bindings (e.g. google_storage_bucket_iam_member for service accounts), to allow granular permission management on resources that they don't manage directly.

These modules are not necessarily backward compatible. Changes breaking compatibility in modules are marked by major releases (but not all major releases contain breaking changes). Please be mindful when upgrading Fabric modules in existing Terraform setups, and always try to use versioned references in module sources so you can easily revert back to a previous version. Since the introduction of the moved block in Terraform we try to use it whenever possible to make updates non-breaking, but that does not cover all changes we might need to make.

These modules are used in the examples included in this repository. If you are using any of those examples in your own Terraform configuration, make sure that you are using the same version for all the modules, and switch module sources to GitHub format using references. The recommended approach to working with Fabric modules is the following:

• Fork the repository and own the fork. This will allow you to:

  • Evolve the existing modules.
  • Create your own modules.
  • Sync from the upstream repository to get all the updates.

• Use GitHub sources with refs to reference the modules. See an example below:

  module "project" {
      source              = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/project?ref=v13.0.0&depth=1"
      name                = "my-project"
      billing_account     = "123456-123456-123456"
      parent              = "organizations/123456"
  }
  

Foundational modules

• Billing account
• Cloud Identity group
• Folder
• Service accounts
• Logging bucket
• Organization
• Project
• Projects (data source)

Networking modules

• Address reservation
• Cloud Endpoints
• DNS
• DNS Response Policy
• Firewall policy
• External Application Load Balancer
• External Passthrough Network Load Balancer
• Internal Application Load Balancer
• Internal Passthrough Network Load Balancer
• Internal Proxy Network Load Balancer
• [Internal ]
• NAT
• Service Directory
• VPC
• VPC firewall
• VPN dynamic
• VPC peering
• VPN HA
• VPN static

Compute/Container

• VM/VM group
• MIG
• COS container (coredns/mysql/nva/onprem/squid)
• GKE autopilot cluster
• GKE standard cluster
• GKE hub
• GKE nodepool
• GCVE private cloud

Data

• BigQuery dataset
• Bigtable instance
• Dataplex
• Dataplex DataScan
• Cloud SQL instance
• Data Catalog Policy Tag
• Datafusion
• Dataproc
• GCS
• Pub/Sub

Development

• API Gateway
• Apigee
• Artifact Registry
• Container Registry
• Cloud Source Repository
• Workstation cluster

Security

• Binauthz
• KMS
• SecretManager
• VPC Service Control
• Secure Web Proxy

Serverless

• Cloud Functions v1
• Cloud Functions v2
• Cloud Run
• Cloud Run v2