Project Factory
This is a working example of how to manage project creation at scale, by wrapping the project module and driving it via external data, either directly provided or parsed via YAML files.
The wrapping layer around the project module is intentionally thin, so that
- all the features of the project module are available
- no "magic" or hidden side effects are implemented in code
- debugging and integration of new features is simple
The code is meant to be executed by a high-level service account with powerful permissions:
- Shared VPC connection if service project attachment is desired
- project creation on the nodes (folder or org) where projects will be defined
The module also supports optional creation of specific resources that are usually part of the project creation flow:
- service accounts used for VM instances, and associated basic roles
- KMS key encrypt/decrypt permissions for service identities in the project
- membership in VPC SC standard or bridge perimeters
Compared to the previous version of this code, network-related resources (DNS zones, VPC subnets, etc.) have been removed as they are not typically in scope for the team who manages project creation, and adding them when needed requires just a few trivial code changes.
Example
```hcl
module "project-factory" {
  source = "./fabric/blueprints/factories/project-factory"
  data_defaults = {
    billing_account = "012345-67890A-ABCDEF"
  }
  data_merges = {
    labels = {
      environment = "test"
    }
    services = [
      "stackdriver.googleapis.com"
    ]
  }
  data_overrides = {
    contacts = {
      "admin@example.com" = ["ALL"]
    }
    prefix = "test-pf"
  }
  factory_data = {
    data_path = "data"
  }
}
# tftest modules=6 resources=12 files=prj-app-1,prj-app-2 inventory=example.yaml
```

```yaml
billing_account: 012345-67890A-BCDEF0
labels:
  app: app-1
  team: foo
service_encryption_key_ids:
  compute:
  - projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce
services:
- storage.googleapis.com
service_accounts:
  app-1-be: {}
  app-1-fe: {}
# tftest-file id=prj-app-1 path=data/prj-app-1.yaml
```

```yaml
labels:
  app: app-1
  team: foo
service_accounts:
  app-2-be: {}
# tftest-file id=prj-app-2 path=data/prj-app-2.yaml
```
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| factory_data | Project data from either YAML files or externally parsed data. | object({…}) | ✓ | |
| data_defaults | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} |
| data_merges | Optional values that will be merged with corresponding data from files. Combines with data_defaults, file data, and data_overrides. | object({…}) | | {} |
| data_overrides | Optional values that override corresponding data from files. Takes precedence over file data and data_defaults. | object({…}) | | {} |
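The three data layers above are easiest to reason about when the precedence is written down as code. The following Python model is an added example, not part of the blueprint's Terraform, and it assumes a specific merge behaviour (maps gain keys, lists are unioned, scalars only fill gaps) that the table does not spell out; the project id format `prefix-name` is likewise an assumption. The two YAML files from the example are embedded as already-parsed dicts so the script runs without PyYAML. The practical point for the team running the factory is that `data_overrides` is where centrally enforced settings (billing contacts, naming prefix) belong, because a per-project YAML file cannot undo them.

```python
"""Model of the project factory's data layering (added example; not the
blueprint's own code). Precedence, lowest to highest, as the variables
table describes it: data_defaults < file data < data_merges < data_overrides,
where data_merges combines with file data rather than replacing it.
The exact list/map merge behaviour is an assumption of this model."""
import copy

# Constructed: the two YAML files shown on this page, pre-parsed into dicts.
FACTORY_FILES = {
    "prj-app-1": {
        "billing_account": "012345-67890A-BCDEF0",
        "labels": {"app": "app-1", "team": "foo"},
        "service_encryption_key_ids": {
            "compute": [
                "projects/kms-central-prj/locations/europe-west3/keyRings/"
                "my-keyring/cryptoKeys/europe3-gce"
            ],
        },
        "services": ["storage.googleapis.com"],
        "service_accounts": {"app-1-be": {}, "app-1-fe": {}},
    },
    "prj-app-2": {
        "labels": {"app": "app-1", "team": "foo"},
        "service_accounts": {"app-2-be": {}},
    },
}

# The three layers from the module call in the example above.
DATA_DEFAULTS = {"billing_account": "012345-67890A-ABCDEF"}
DATA_MERGES = {
    "labels": {"environment": "test"},
    "services": ["stackdriver.googleapis.com"],
}
DATA_OVERRIDES = {
    "contacts": {"admin@example.com": ["ALL"]},
    "prefix": "test-pf",
}


def merge_project_data(file_data, defaults, merges, overrides):
    """Return the effective attributes of one project; inputs are not mutated."""
    project = copy.deepcopy(file_data)
    # data_defaults: fill in only what the file left out.
    for key, value in defaults.items():
        project.setdefault(key, copy.deepcopy(value))
    # data_merges: combine with whatever the file (or defaults) already had.
    for key, value in merges.items():
        current = project.get(key)
        if isinstance(value, dict):
            merged = dict(current or {})
            merged.update(value)          # merge keys win on conflict
            project[key] = merged
        elif isinstance(value, list):
            existing = list(current or [])
            project[key] = existing + [v for v in value if v not in existing]
        else:
            project.setdefault(key, value)
    # data_overrides: always win, whatever the file says.
    for key, value in overrides.items():
        project[key] = copy.deepcopy(value)
    return project


def build_projects(files, defaults, merges, overrides):
    """Apply the layering to every project file, keyed by file name."""
    return {
        name: merge_project_data(data, defaults, merges, overrides)
        for name, data in files.items()
    }


def project_id(name, data):
    """Assumed id format: '<prefix>-<name>' when a prefix is set, else the name."""
    prefix = data.get("prefix")
    return f"{prefix}-{name}" if prefix else name


if __name__ == "__main__":
    for name, data in build_projects(
        FACTORY_FILES, DATA_DEFAULTS, DATA_MERGES, DATA_OVERRIDES
    ).items():
        print(project_id(name, data), data["billing_account"], data["services"])
```

Running the script shows `prj-app-1` keeping its own billing account while `prj-app-2` picks up the default, both gaining the `environment` label and the `stackdriver.googleapis.com` service, and both carrying the overridden prefix and contacts.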
Outputs
| name | description | sensitive |
|---|---|---|
| projects | Project module outputs. | |
| service_accounts | Service account emails. | |