
Description

This module allows you to create opinionated Google Cloud Platform projects. It creates projects and configures aspects like Shared VPC connectivity, IAM access, Service Accounts, and API enablement to follow best practices.

This module is meant for use with Terraform 0.13.

Example

- id: project
  source: community/modules/project/new-project
  settings:
    project_id: test_project
    folder_id: 334688113020 # random number
    billing_account: "111110-M2N704-854685" # random billing number
    org_id: 123456789 # random org id

This creates a new project with a pre-defined project ID, placed in the designated folder and organization and linked to the billing account that will pay for the services the project consumes.
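A hardened variant of the blueprint above, added here as an example and not taken from the module's own README. Every key under `settings` is an input this module documents; the folder, billing account, organization and notification channel identifiers are placeholders, and the project and host-project IDs are constructed.

```yaml
# Added example (not from the module's README); placeholder values are marked.
- id: project
  source: community/modules/project/new-project
  settings:
    project_id: hpc-research-prod              # constructed example ID
    folder_id: "REPLACE_WITH_FOLDER_ID"        # PLACEHOLDER
    billing_account: "REPLACE_WITH_BILLING_ID" # PLACEHOLDER
    org_id: "REPLACE_WITH_ORG_ID"              # PLACEHOLDER
    # Least privilege: "deprivilege" removes the default service account's
    # project-level Editor binding instead of the module default "keep".
    default_service_account: deprivilege
    # No auto-created default network; workloads attach to the Shared VPC
    # host project listed below (also a constructed ID).
    auto_create_network: false
    svpc_host_project_id: hpc-shared-vpc-host
    shared_vpc_subnets:
      - projects/hpc-shared-vpc-host/regions/us-central1/subnetworks/hpc-subnet
    # A lien blocks accidental project deletion.
    lien: true
    # Budget alerts at 50%, 90% and 100% of a 1000-unit budget.
    budget_amount: 1000
    budget_alert_spent_percents: [0.5, 0.9, 1]
    budget_monitoring_notification_channels:
      - "projects/hpc-research-prod/notificationChannels/REPLACE_WITH_CHANNEL_ID" # PLACEHOLDER
    # Terraform state bucket with uniform bucket-level access and versioning.
    bucket_project: hpc-research-prod
    bucket_name: hpc-research-prod-tfstate
    bucket_location: US
    bucket_ula: true
    bucket_versioning: true
    # Labels for inventory and cost attribution.
    labels:
      env: prod
      owner: research-platform
```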

License

Copyright 2022 Google LLC

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

 http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14.0 |

Providers

No providers.

Modules

| Name | Source | Version |
|------|--------|---------|
| project_factory | terraform-google-modules/project-factory/google | ~> 11.3 |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| activate_api_identities | The list of service identities (Google-managed service accounts for the API) to force-create for the project (e.g. in order to grant additional roles). APIs in this list will automatically be appended to activate_apis. Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created). Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles. | `list(object({ api = string, roles = list(string) }))` | `[]` | no |
| activate_apis | The list of APIs to activate within the project | `list(string)` | `["compute.googleapis.com", "serviceusage.googleapis.com", "storage.googleapis.com"]` | no |
| auto_create_network | Create the default network | `bool` | `false` | no |
| billing_account | The ID of the billing account to associate this project with | `string` | n/a | yes |
| bucket_force_destroy | Force the deletion of all objects within the GCS bucket when deleting the bucket (optional) | `bool` | `false` | no |
| bucket_labels | A map of key/value label pairs to assign to the bucket (optional) | `map(string)` | `{}` | no |
| bucket_location | The location for a GCS bucket to create (optional) | `string` | `"US"` | no |
| bucket_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | `string` | `""` | no |
| bucket_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | `string` | `""` | no |
| bucket_ula | Enable Uniform Bucket Level Access | `bool` | `true` | no |
| bucket_versioning | Enable versioning for a GCS bucket to create (optional) | `bool` | `false` | no |
| budget_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form projects/{project_id}/topics/{topic_id} | `string` | `null` | no |
| budget_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded | `list(number)` | `[0.5, 0.7, 1]` | no |
| budget_amount | The amount to use for a budget alert | `number` | `null` | no |
| budget_display_name | The display name of the budget. If not set, defaults to `Budget For <projects[0] All Projects>` | `string` | `null` | no |
| budget_monitoring_notification_channels | A list of monitoring notification channels in the form [projects/{project_id}/notificationChannels/{channel_id}]. A maximum of 5 channels is allowed. | `list(string)` | `[]` | no |
| consumer_quotas | The quotas configuration you want to override for the project. | `list(object({ service = string, metric = string, limit = string, value = string }))` | `[]` | no |
| create_project_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
| default_network_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |
| default_service_account | Project default service account setting: can be one of delete, deprivilege, disable, or keep. | `string` | `"keep"` | no |
| disable_dependent_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |
| domain | The domain name (optional). | `string` | `""` | no |
| enable_shared_vpc_host_project | If this project is a shared VPC host project. If true, you must not set the svpc_host_project_id variable. Default is false. | `bool` | `false` | no |
| folder_id | The ID of a folder to host this project | `string` | `""` | no |
| grant_services_network_role | Whether or not to grant service agents the network roles on the host project | `bool` | `true` | no |
| grant_services_security_admin_role | Whether or not to grant the Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
| group_name | A group to control the project by being assigned group_role (defaults to project editor) | `string` | `""` | no |
| group_role | The role to give the controlling group (group_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |
| labels | Map of labels for the project | `map(string)` | `{}` | no |
| lien | Add a lien on the project to prevent accidental deletion | `bool` | `false` | no |
| name | The name for the project | `string` | `null` | no |
| org_id | The organization ID. | `string` | n/a | yes |
| project_id | The ID to give the project. If not provided, the name will be used. | `string` | `""` | no |
| project_sa_name | Default service account name for the project. | `string` | `"project-service-account"` | no |
| random_project_id | Adds a suffix of 4 random characters to the project_id | `bool` | `false` | no |
| sa_role | A role to give the default Service Account for the project (defaults to none) | `string` | `""` | no |
| shared_vpc_subnets | List of fully qualified subnet IDs (i.e. projects/$project_id/regions/$region/subnetworks/$subnet_id) | `list(string)` | `[]` | no |
| svpc_host_project_id | The ID of the host project which hosts the shared VPC | `string` | `""` | no |
| usage_bucket_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
| usage_bucket_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
| vpc_service_control_attach_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no |
| vpc_service_control_perimeter_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| api_s_account | API service account email |
| api_s_account_fmt | API service account email formatted for Terraform use |
| budget_name | The name of the budget, if created |
| domain | The organization's domain |
| enabled_api_identities | Enabled API identities in the project |
| enabled_apis | Enabled APIs in the project |
| group_email | The email of the G Suite group with group_name |
| project_bucket_self_link | Project's bucket selfLink |
| project_bucket_url | Project's bucket URL |
| project_id | ID of the project that was created |
| project_name | Name of the project that was created |
| project_number | Number of the project that was created |
| service_account_display_name | The display name of the default service account |
| service_account_email | The email of the default service account |
| service_account_id | The ID of the default service account |
| service_account_name | The fully-qualified name of the default service account |
| service_account_unique_id | The unique ID of the default service account |