Support service_agents_config.skip_iam in project-factory and fast stages (#4007)

* Support service_agents_config.skip_iam in project-factory and fast stages

* Fix inventories

* Change service-agent creation/iam order
Julio Castillo
2026-06-01 12:04:54 +02:00
committed by GitHub
parent e3e261442f
commit 008a3719ad
22 changed files with 303 additions and 37 deletions


@@ -83,6 +83,7 @@ python3 tools/check_boilerplate.py --scan-files <files>
# Schema changes
# A schema change should be reflected in all the other places that use the same schema.
# These are documented in and can be checked via tools/duplicate-diff.py.
# Whenever you modify a `.schema.json` file, you MUST regenerate the corresponding `.schema.md` documentation file using `python3 tools/schema_docs.py`.
```
**Common gotcha — unsorted variables (`[SV]` error):** `check_documentation.py` requires variables in `variables.tf` to be in strict alphabetical order. When adding a new variable, insert it at the correct alphabetical position, not at the top of the file.


@@ -819,6 +819,27 @@
}
}
},
"service_agents_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"create_primary_agents": {
"type": "boolean"
},
"grant_default_roles": {
"type": "boolean"
},
"grant_service_agent_editor": {
"type": "boolean"
},
"skip_iam": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"service_encryption_key_ids": {
"type": "object",
"additionalProperties": false,
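Review bot: The new `skip_iam` property accepts any string and carries no `description`, so a misspelled entry passes schema validation; it would then presumably match nothing, and the role the operator meant to withhold is still granted. If the entries are meant to be service API names, the `^[a-z-]+\.googleapis\.com$` pattern that the schema documentation on this page shows for `service_encryption_key_ids` keys could be reused as a `"pattern"` on the items. A short `"description"` stating what an entry identifies and what is skipped for it would help either way. The same applies to the four other copies of this schema hunk further down the page.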


@@ -253,6 +253,13 @@
- **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))*
- **service_agents_config**: *object*
<br>*additional properties: false*
- **create_primary_agents**: *boolean*
- **grant_default_roles**: *boolean*
- **grant_service_agent_editor**: *boolean*
- **skip_iam**: *array*
- items: *string*
- **service_encryption_key_ids**: *object*
<br>*additional properties: false*
- **`^[a-z-]+\.googleapis\.com$`**: *array*


@@ -819,6 +819,27 @@
}
}
},
"service_agents_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"create_primary_agents": {
"type": "boolean"
},
"grant_default_roles": {
"type": "boolean"
},
"grant_service_agent_editor": {
"type": "boolean"
},
"skip_iam": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"service_encryption_key_ids": {
"type": "object",
"additionalProperties": false,


@@ -253,6 +253,13 @@
- **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))*
- **service_agents_config**: *object*
<br>*additional properties: false*
- **create_primary_agents**: *boolean*
- **grant_default_roles**: *boolean*
- **grant_service_agent_editor**: *boolean*
- **skip_iam**: *array*
- items: *string*
- **service_encryption_key_ids**: *object*
<br>*additional properties: false*
- **`^[a-z-]+\.googleapis\.com$`**: *array*


@@ -819,6 +819,27 @@
}
}
},
"service_agents_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"create_primary_agents": {
"type": "boolean"
},
"grant_default_roles": {
"type": "boolean"
},
"grant_service_agent_editor": {
"type": "boolean"
},
"skip_iam": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"service_encryption_key_ids": {
"type": "object",
"additionalProperties": false,


@@ -253,6 +253,13 @@
- **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))*
- **service_agents_config**: *object*
<br>*additional properties: false*
- **create_primary_agents**: *boolean*
- **grant_default_roles**: *boolean*
- **grant_service_agent_editor**: *boolean*
- **skip_iam**: *array*
- items: *string*
- **service_encryption_key_ids**: *object*
<br>*additional properties: false*
- **`^[a-z-]+\.googleapis\.com$`**: *array*


@@ -819,6 +819,27 @@
}
}
},
"service_agents_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"create_primary_agents": {
"type": "boolean"
},
"grant_default_roles": {
"type": "boolean"
},
"grant_service_agent_editor": {
"type": "boolean"
},
"skip_iam": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"service_encryption_key_ids": {
"type": "object",
"additionalProperties": false,


@@ -253,6 +253,13 @@
- **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))*
- **service_agents_config**: *object*
<br>*additional properties: false*
- **create_primary_agents**: *boolean*
- **grant_default_roles**: *boolean*
- **grant_service_agent_editor**: *boolean*
- **skip_iam**: *array*
- items: *string*
- **service_encryption_key_ids**: *object*
<br>*additional properties: false*
- **`^[a-z-]+\.googleapis\.com$`**: *array*


@@ -898,11 +898,11 @@ compute.disableSerialPortAccess:
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [factories_config](variables.tf#L194) | Path to folder with YAML resource description data files. Exclusions match the start of file paths, relative to their containing folder. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [factories_config](variables.tf#L200) | Path to folder with YAML resource description data files. Exclusions match the start of file paths, relative to their containing folder. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [context](variables.tf#L17) | Context-specific interpolations. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [data_defaults](variables.tf#L47) | Optional default values used when corresponding project or folder data from files are missing. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [data_merges](variables.tf#L124) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [data_overrides](variables.tf#L143) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [data_merges](variables.tf#L130) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [data_overrides](variables.tf#L149) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [folders](variables-folders.tf#L17) | Folders data merged with factory data. | <code>map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [notification_channels](variables-billing.tf#L17) | Notification channels used by budget alerts. | <code>map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [projects](variables-projects.tf#L17) | Projects data merged with factory data. | <code>map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |


@@ -158,6 +158,19 @@ locals {
try(v.service_encryption_key_ids, null),
local.data_defaults.defaults.service_encryption_key_ids
)
service_agents_config = (
try(v.service_agents_config, null) != null
? merge(
{
create_primary_agents = true
grant_default_roles = true
grant_service_agent_editor = true
skip_iam = []
},
v.service_agents_config
)
: local.data_defaults.defaults.service_agents_config
)
services = coalesce( # type: list(string)
local.data_defaults.overrides.services,
try(v.services, null),
@@ -291,6 +304,15 @@ locals {
}
)
)
service_agents_config = merge(
{
create_primary_agents = true
grant_default_roles = true
grant_service_agent_editor = true
skip_iam = []
},
try(local._data_defaults.defaults.service_agents_config, {})
)
service_encryption_key_ids = {}
services = []
shared_vpc_service_config = {
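Review bot: A project that sets only part of `service_agents_config` (for example just `skip_iam`) takes its remaining keys from the hard-coded literal in the first hunk, because `local.data_defaults.defaults.service_agents_config` is used only when the attribute is absent altogether. A defaults-level `grant_service_agent_editor = false` or a default `skip_iam` list would then silently revert to `true` / `[]` for that project, widening the service agent grants beyond what the operator configured. If `v` can also come from `var.projects`, whose type on this page defaults the attribute to `{}`, the fallback branch may never be reached for those entries. Using the resolved defaults as the merge base, `? merge(local.data_defaults.defaults.service_agents_config, v.service_agents_config)`, keeps per-key fallback consistent. The enclosing `locals` block starts and ends outside both hunks.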


@@ -162,6 +162,16 @@ module "projects" {
logging_sinks = try(each.value.logging_sinks, {})
notification_channels = try(each.value.notification_channels, null)
quotas = each.value.quotas
# Most service agent permissions must be granted in this first pass
# to ensure dependencies (like CMEK or Shared VPC) work correctly.
# We disable grant_service_agent_editor here because the authoritative
# IAM editor role is managed in the second pass (projects-iam).
service_agents_config = {
create_primary_agents = each.value.service_agents_config.create_primary_agents
grant_default_roles = each.value.service_agents_config.grant_default_roles
grant_service_agent_editor = false
skip_iam = each.value.service_agents_config.skip_iam
}
services = distinct(concat(
each.value.services,
var.data_merges.services
@@ -243,9 +253,13 @@ module "projects-iam" {
each.value.metric_scopes, var.data_merges.metric_scopes
))
pam_entitlements = try(each.value.pam_entitlements, {})
# The second pass handles the authoritative cloudservices editor binding.
# We disable primary agents creation and default roles here because they
# are already handled in the first pass, avoiding duplicate resource errors.
service_agents_config = {
create_primary_agents = false
grant_default_roles = false
create_primary_agents = false
grant_default_roles = false
grant_service_agent_editor = each.value.service_agents_config.grant_service_agent_editor
}
service_encryption_key_ids = merge(
each.value.service_encryption_key_ids,
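Review bot: The second-pass block in `module "projects-iam"` forwards `grant_service_agent_editor` but not `skip_iam`, so that pass runs with the module's default while the first pass uses the project's list. With `grant_default_roles = false` this may be harmless, but whether the editor binding consults `skip_iam` is not visible here; if it does, an agent the operator excluded would still receive the grant. Passing it explicitly, `skip_iam = each.value.service_agents_config.skip_iam`, or extending the comment to say the editor binding ignores it, would remove the ambiguity. Both module blocks start and end outside the hunks.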


@@ -819,6 +819,27 @@
}
}
},
"service_agents_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"create_primary_agents": {
"type": "boolean"
},
"grant_default_roles": {
"type": "boolean"
},
"grant_service_agent_editor": {
"type": "boolean"
},
"skip_iam": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"service_encryption_key_ids": {
"type": "object",
"additionalProperties": false,


@@ -253,6 +253,13 @@
- **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))*
- **service_agents_config**: *object*
<br>*additional properties: false*
- **create_primary_agents**: *boolean*
- **grant_default_roles**: *boolean*
- **grant_service_agent_editor**: *boolean*
- **skip_iam**: *array*
- items: *string*
- **service_encryption_key_ids**: *object*
<br>*additional properties: false*
- **`^[a-z-]+\.googleapis\.com$`**: *array*


@@ -490,6 +490,12 @@ variable "projects" {
iam_self_roles = optional(list(string), [])
iam_project_roles = optional(map(list(string)), {})
})), {})
service_agents_config = optional(object({
create_primary_agents = optional(bool, true)
grant_default_roles = optional(bool, true)
grant_service_agent_editor = optional(bool, true)
skip_iam = optional(set(string), [])
}), {})
service_encryption_key_ids = optional(map(list(string)), {})
services = optional(list(string), [])
shared_vpc_host_config = optional(object({


@@ -86,6 +86,12 @@ variable "data_defaults" {
display_name = optional(string, "Terraform-managed.")
iam_self_roles = optional(list(string))
})), {})
service_agents_config = optional(object({
create_primary_agents = optional(bool, true)
grant_default_roles = optional(bool, true)
grant_service_agent_editor = optional(bool, true)
skip_iam = optional(set(string), [])
}), {})
service_encryption_key_ids = optional(map(list(string)), {})
services = optional(list(string), [])
shared_vpc_service_config = optional(object({


@@ -118,7 +118,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/0-org-setup-providers.tf
sensitive_content: null
source: null
local_file.tfvars["globals"]:
@@ -126,14 +125,12 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json
sensitive_content: null
source: null
local_file.tfvars["org-setup"]:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json
sensitive_content: null
source: null
module.factory.module.bigquery-datasets["iac-0/billing_export"].google_bigquery_dataset.default:


@@ -395,7 +395,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/0-org-setup-providers.tf
sensitive_content: null
source: null
local_file.providers["0-org-setup-ro"]:
@@ -416,7 +415,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf
sensitive_content: null
source: null
local_file.providers["1-vpcsc"]:
@@ -438,7 +436,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/1-vpcsc-providers.tf
sensitive_content: null
source: null
local_file.providers["2-networking"]:
@@ -460,7 +457,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/2-networking-providers.tf
sensitive_content: null
source: null
local_file.providers["2-project-factory"]:
@@ -482,7 +478,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/2-project-factory-providers.tf
sensitive_content: null
source: null
local_file.providers["2-security"]:
@@ -504,7 +499,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/2-security-providers.tf
sensitive_content: null
source: null
local_file.tfvars["globals"]:
@@ -512,14 +506,12 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json
sensitive_content: null
source: null
local_file.tfvars["org-setup"]:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json
sensitive_content: null
source: null
local_file.workflows["org-setup"]:
@@ -621,7 +613,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/workflows/org-setup.yaml
sensitive_content: null
source: null
module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]:


@@ -395,7 +395,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/0-org-setup-providers.tf
sensitive_content: null
source: null
local_file.providers["0-org-setup-ro"]:
@@ -416,7 +415,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf
sensitive_content: null
source: null
local_file.providers["1-vpcsc"]:
@@ -438,7 +436,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/1-vpcsc-providers.tf
sensitive_content: null
source: null
local_file.providers["2-networking"]:
@@ -460,7 +457,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/2-networking-providers.tf
sensitive_content: null
source: null
local_file.providers["2-project-factory"]:
@@ -482,7 +478,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/2-project-factory-providers.tf
sensitive_content: null
source: null
local_file.providers["2-security"]:
@@ -504,7 +499,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/2-security-providers.tf
sensitive_content: null
source: null
local_file.tfvars["globals"]:
@@ -512,14 +506,12 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json
sensitive_content: null
source: null
local_file.tfvars["org-setup"]:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json
sensitive_content: null
source: null
local_file.workflows["org-setup"]:
@@ -621,7 +613,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/workflows/org-setup.yaml
sensitive_content: null
source: null
module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]:


@@ -150,7 +150,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/0-org-setup-providers.tf
sensitive_content: null
source: null
local_file.providers["0-org-setup-ro"]:
@@ -171,7 +170,6 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf
sensitive_content: null
source: null
local_file.tfvars["globals"]:
@@ -179,14 +177,12 @@ values:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json
sensitive_content: null
source: null
local_file.tfvars["org-setup"]:
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json
sensitive_content: null
source: null
module.factory.module.bigquery-datasets["iac-0/billing_export"].google_bigquery_dataset.default:


@@ -4,7 +4,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,6 +14,7 @@
values:
google_compute_ha_vpn_gateway.default["hub/to-onprem"]:
deletion_policy: DELETE
description: null
effective_labels:
goog-terraform-provisioned: 'true'
@@ -32,6 +33,7 @@ values:
attachments:
- name: to-onprem-vlan-0
- name: to-onprem-vlan-1
deletion_policy: DELETE
description: Terraform-managed.
intent:
- availability_sla: PRODUCTION_NON_CRITICAL
@@ -46,6 +48,7 @@ values:
advertised_ip_ranges: []
asn: 64514
keepalive_interval: 20
deletion_policy: DELETE
description: null
encrypted_interconnect_router: null
md5_authentication_keys: []
@@ -60,6 +63,7 @@ values:
- fast-prod-net-core-0
- $project_ids:net-prod-0
- $project_ids:net-dev-0
deletion_policy: DELETE
description: Terraform-managed
effective_labels:
goog-terraform-provisioned: 'true'
@@ -70,6 +74,7 @@ values:
goog-terraform-provisioned: 'true'
timeouts: null
google_network_connectivity_hub.default["hub"]:
deletion_policy: DELETE
description: Terraform-managed
effective_labels:
goog-terraform-provisioned: 'true'
@@ -82,6 +87,7 @@ values:
goog-terraform-provisioned: 'true'
timeouts: null
google_network_connectivity_spoke.tunnels["hub/to-onprem/hub"]:
deletion_policy: DELETE
description: Terraform-managed.
effective_labels:
goog-terraform-provisioned: 'true'
@@ -104,6 +110,7 @@ values:
goog-terraform-provisioned: 'true'
timeouts: null
google_network_connectivity_spoke.vlan_attachments["hub-onprem-0/hub"]:
deletion_policy: DELETE
description: Terraform-managed.
effective_labels:
goog-terraform-provisioned: 'true'
@@ -126,6 +133,7 @@ values:
goog-terraform-provisioned: 'true'
timeouts: null
google_network_connectivity_spoke.vlan_attachments["hub-onprem-1/hub"]:
deletion_policy: DELETE
description: Terraform-managed.
effective_labels:
goog-terraform-provisioned: 'true'
@@ -155,6 +163,7 @@ values:
content_language: null
contexts: []
customer_encryption: []
deletion_policy: DELETE
detect_md5hash: null
event_based_hold: null
force_empty_content_type: null
@@ -164,7 +173,26 @@ values:
source: null
temporary_hold: null
timeouts: null
google_storage_bucket_object.version[0]:
bucket: test
cache_control: null
content_disposition: null
content_encoding: null
content_language: null
contexts: []
customer_encryption: []
deletion_policy: DELETE
detect_md5hash: null
event_based_hold: null
force_empty_content_type: null
metadata: null
name: versions/2-networking-version.txt
retention: []
source: fast_version.txt
temporary_hold: null
timeouts: null
module.projects.module.projects-iam["net-core-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
deletion_policy: DELETE
project: fast-prod-net-core-0
timeouts: null
module.projects.module.projects["net-core-0"].data.google_logging_project_settings.logging_sa[0]:
@@ -172,6 +200,7 @@ values:
module.projects.module.projects["net-core-0"].google_project.project[0]:
auto_create_network: false
billing_account: 000000-111111-222222
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
folder_id: '12345678'
@@ -216,60 +245,70 @@ values:
project: fast-prod-net-core-0
role: roles/vpcaccess.serviceAgent
module.projects.module.projects["net-core-0"].google_project_service.project_services["compute.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: compute.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["container.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: container.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["dns.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: dns.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["iap.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: iap.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["logging.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: logging.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["monitoring.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: monitoring.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["networkmanagement.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: networkmanagement.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["networksecurity.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: networksecurity.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["servicenetworking.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
service: servicenetworking.googleapis.com
timeouts: null
module.projects.module.projects["net-core-0"].google_project_service.project_services["vpcaccess.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: fast-prod-net-core-0
@@ -324,6 +363,7 @@ values:
candidate_customer_router_ipv6_address: null
candidate_subnets:
- 169.254.0.0/29
deletion_policy: DELETE
description: Terraform managed.
effective_labels:
goog-terraform-provisioned: 'true'
@@ -345,6 +385,7 @@ values:
type: DEDICATED
vlan_tag8021q: 123
module.vlan-attachments["hub-onprem-0"].google_compute_router_interface.default[0]:
deletion_policy: DELETE
name: to-onprem-vlan-0-intf
private_ip_address: null
project: fast-prod-net-core-0
@@ -363,6 +404,7 @@ values:
advertised_route_priority: null
custom_learned_ip_ranges: []
custom_learned_route_priority: null
deletion_policy: DELETE
enable: true
enable_ipv6: false
export_policies: null
@@ -390,6 +432,7 @@ values:
candidate_customer_router_ip_address: null
candidate_customer_router_ipv6_address: null
candidate_subnets: null
deletion_policy: DELETE
description: Terraform managed.
effective_labels:
goog-terraform-provisioned: 'true'
@@ -411,6 +454,7 @@ values:
type: DEDICATED
vlan_tag8021q: 124
module.vlan-attachments["hub-onprem-1"].google_compute_router_interface.default[0]:
deletion_policy: DELETE
name: to-onprem-vlan-1-intf
private_ip_address: null
project: fast-prod-net-core-0
@@ -429,6 +473,7 @@ values:
advertised_route_priority: null
custom_learned_ip_ranges: []
custom_learned_route_priority: null
deletion_policy: DELETE
enable: true
enable_ipv6: false
export_policies: null
@@ -452,6 +497,7 @@ values:
auto_create_subnetworks: false
delete_bgp_always_compare_med: false
delete_default_routes_on_create: true
deletion_policy: DELETE
description: Terraform managed
enable_ula_internal_ipv6: null
mtu: 1500
@@ -463,6 +509,7 @@ values:
routing_mode: GLOBAL
timeouts: null
module.vpc-factory.module.vpcs["hub"].google_compute_route.gateway["directpath-googleapis"]:
deletion_policy: DELETE
description: Terraform-managed.
dest_range: 34.126.0.0/18
name: hub-0-directpath-googleapis
@@ -477,6 +524,7 @@ values:
tags: null
timeouts: null
module.vpc-factory.module.vpcs["hub"].google_compute_route.gateway["private-googleapis"]:
deletion_policy: DELETE
description: Terraform-managed.
dest_range: 199.36.153.8/30
name: hub-0-private-googleapis
@@ -491,6 +539,7 @@ values:
tags: null
timeouts: null
module.vpc-factory.module.vpcs["hub"].google_compute_route.gateway["restricted-googleapis"]:
deletion_policy: DELETE
description: Terraform-managed.
dest_range: 199.36.153.4/30
name: hub-0-restricted-googleapis
@@ -505,6 +554,7 @@ values:
tags: null
timeouts: null
module.vpc-factory.module.vpcs["hub"].google_compute_subnetwork.subnetwork["europe-west1/hub-default"]:
deletion_policy: DELETE
description: Default primary-region subnet for hub
ip_cidr_range: 10.71.0.0/24
ip_collection: null
@@ -522,6 +572,7 @@ values:
send_secondary_ip_range_if_empty: true
timeouts: null
module.vpc-routes["hub"].google_compute_route.gateway["default"]:
deletion_policy: DELETE
description: Terraform-managed.
dest_range: 0.0.0.0/0
name: hub-0-default
@@ -536,6 +587,7 @@ values:
tags: null
timeouts: null
module.vpn-ha["hub/to-onprem"].google_compute_external_vpn_gateway.external_gateway["default"]:
deletion_policy: DELETE
description: Terraform managed external VPN gateway
effective_labels:
goog-terraform-provisioned: 'true'
@@ -552,6 +604,7 @@ values:
goog-terraform-provisioned: 'true'
timeouts: null
module.vpn-ha["hub/to-onprem"].google_compute_router_interface.router_interface["remote-0"]:
deletion_policy: DELETE
interconnect_attachment: null
ip_range: 169.254.128.2/30
name: hub-to-onprem-remote-0
@@ -563,6 +616,7 @@ values:
timeouts: null
vpn_tunnel: hub-to-onprem-remote-0
module.vpn-ha["hub/to-onprem"].google_compute_router_interface.router_interface["remote-1"]:
deletion_policy: DELETE
interconnect_attachment: null
ip_range: 169.254.128.6/30
name: hub-to-onprem-remote-1
@@ -580,6 +634,7 @@ values:
advertised_route_priority: 1000
custom_learned_ip_ranges: []
custom_learned_route_priority: null
deletion_policy: DELETE
enable: true
enable_ipv6: false
export_policies: null
@@ -603,6 +658,7 @@ values:
advertised_route_priority: 1000
custom_learned_ip_ranges: []
custom_learned_route_priority: null
deletion_policy: DELETE
enable: true
enable_ipv6: false
export_policies: null
@@ -621,6 +677,7 @@ values:
zero_custom_learned_route_priority: false
module.vpn-ha["hub/to-onprem"].google_compute_vpn_tunnel.tunnels["remote-0"]:
cipher_suite: []
deletion_policy: DELETE
description: null
effective_labels:
goog-terraform-provisioned: 'true'
@@ -643,6 +700,7 @@ values:
vpn_gateway_interface: 0
module.vpn-ha["hub/to-onprem"].google_compute_vpn_tunnel.tunnels["remote-1"]:
cipher_suite: []
deletion_policy: DELETE
description: null
effective_labels:
goog-terraform-provisioned: 'true'


@@ -14,6 +14,7 @@
values:
module.project-factory.google_network_security_dns_threat_detector.dns_threat_detector["dev-ta-app0-be"]:
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
excluded_networks: []
@@ -30,6 +31,7 @@ values:
cors: []
custom_placement_config: []
default_event_based_hold: null
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
enable_object_retention: null
@@ -74,6 +76,7 @@ values:
? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/ro"].google_service_account.service_account[0]
: account_id: dev-tb-app0-0-ro
create_ignore_already_exists: null
deletion_policy: DELETE
description: Team B app 0 read-only automation sa.
disabled: false
display_name: Service account ro for dev-tb-app0-0.
@@ -84,6 +87,7 @@ values:
? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/rw"].google_service_account.service_account[0]
: account_id: dev-tb-app0-0-rw
create_ignore_already_exists: null
deletion_policy: DELETE
description: Team B app 0 read/write automation sa.
disabled: false
display_name: Service account rw for dev-tb-app0-0.
@@ -97,6 +101,7 @@ values:
default_partition_expiration_ms: null
default_table_expiration_ms: null
delete_contents_on_destroy: false
deletion_policy: DELETE
description: Terraform managed.
effective_labels:
goog-terraform-provisioned: 'true'
@@ -147,6 +152,7 @@ values:
threshold_percent: 0.75
timeouts: null
module.project-factory.module.billing-budgets[0].google_monitoring_notification_channel.default["billing-default"]:
deletion_policy: DELETE
description: null
display_name: Budget email notification billing-default.
enabled: true
@@ -163,6 +169,7 @@ values:
cors: []
custom_placement_config: []
default_event_based_hold: null
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
enable_object_retention: null
@@ -186,6 +193,7 @@ values:
versioning:
- enabled: false
module.project-factory.module.buckets["dev-ta-app0-be/app-0-bucket-a"].google_tags_location_tag_binding.binding["context"]:
deletion_policy: DELETE
location: europe-west8
parent: //storage.googleapis.com/projects/_/buckets/test-pf-dev-ta-app0-be-app-0-bucket-a
tag_value: tagValues/654321
@@ -195,6 +203,7 @@ values:
cors: []
custom_placement_config: []
default_event_based_hold: null
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
enable_object_retention: null
@@ -232,18 +241,21 @@ values:
- group:team-a-admins@example.org
role: roles/viewer
module.project-factory.module.folder-1["team-a"].google_folder.folder[0]:
deletion_policy: DELETE
deletion_protection: false
display_name: Team A
parent: folders/5678901234
tags: null
timeouts: null
module.project-factory.module.folder-1["team-b"].google_folder.folder[0]:
deletion_policy: DELETE
deletion_protection: false
display_name: Team B
parent: folders/5678901234
tags: null
timeouts: null
module.project-factory.module.folder-1["team-c"].google_folder.folder[0]:
deletion_policy: DELETE
deletion_protection: false
display_name: Team C
parent: folders/5678901234
@@ -266,6 +278,7 @@ values:
tag_value: tagValues/123456
timeouts: null
module.project-factory.module.folder-2["team-a/app-0"].google_folder.folder[0]:
deletion_policy: DELETE
deletion_protection: false
display_name: App 0
tags: null
@@ -299,16 +312,19 @@ values:
- {}
timeouts: null
module.project-factory.module.folder-2["team-b/app-0"].google_folder.folder[0]:
deletion_policy: DELETE
deletion_protection: false
display_name: App 0
tags: null
timeouts: null
module.project-factory.module.folder-2["team-c/apps"].google_folder.folder[0]:
deletion_policy: DELETE
deletion_protection: false
display_name: Apps
tags: null
timeouts: null
module.project-factory.module.folder-3["team-c/apps/test"].google_folder.folder[0]:
deletion_policy: DELETE
deletion_protection: false
display_name: Test
tags: null
@@ -326,11 +342,13 @@ values:
- topic: projects/my-cai-feeds-project/topics/feed
timeouts: null
module.project-factory.module.folder-4["team-c/apps/test/app-x"].google_folder.folder[0]:
deletion_policy: DELETE
deletion_protection: false
display_name: App X
tags: null
timeouts: null
module.project-factory.module.kms["dev-ta-app0-be/my-keyring"].google_kms_crypto_key.default["my-key"]:
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
labels: null
@@ -347,6 +365,7 @@ values:
project: test-pf-dev-ta-app0-be
timeouts: null
module.project-factory.module.kms["dev-ta-app0-be/my-keyring"].google_tags_location_tag_binding.binding["context"]:
deletion_policy: DELETE
location: europe-west1
tag_value: $tag_values:context/project-factory
timeouts: null
@@ -428,6 +447,7 @@ values:
- user:user@example.com
role: roles/resourcemanager.tagUser
module.project-factory.module.projects-iam["dev-tb-app0-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
deletion_policy: DELETE
project: test-pf-dev-tb-app0-0
timeouts: null
? module.project-factory.module.projects-iam["dev-tb-app0-0"].google_project_iam_audit_config.default["storage.googleapis.com"]
@@ -542,30 +562,35 @@ values:
project: test-pf-dev-ta-app0-be
role: roles/pubsub.serviceAgent
module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["compute.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-ta-app0-be
service: compute.googleapis.com
timeouts: null
? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["container.googleapis.com"]
: disable_dependent_services: false
: deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-ta-app0-be
service: container.googleapis.com
timeouts: null
module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["pubsub.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-ta-app0-be
service: pubsub.googleapis.com
timeouts: null
? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["stackdriver.googleapis.com"]
: disable_dependent_services: false
: deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-ta-app0-be
service: stackdriver.googleapis.com
timeouts: null
module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["storage.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-ta-app0-be
@@ -627,18 +652,21 @@ values:
project: test-pf-dev-tb-app0-0
role: roles/run.serviceAgent
module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["run.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-tb-app0-0
service: run.googleapis.com
timeouts: null
? module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["stackdriver.googleapis.com"]
: disable_dependent_services: false
: deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-tb-app0-0
service: stackdriver.googleapis.com
timeouts: null
module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["storage.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-tb-app0-0
@@ -690,18 +718,21 @@ values:
project: test-pf-dev-tb-app0-1
role: roles/container.defaultNodeServiceAgent
? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["container.googleapis.com"]
: disable_dependent_services: false
: deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-tb-app0-1
service: container.googleapis.com
timeouts: null
? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["stackdriver.googleapis.com"]
: disable_dependent_services: false
: deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-tb-app0-1
service: stackdriver.googleapis.com
timeouts: null
module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["storage.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-dev-tb-app0-1
@@ -723,6 +754,7 @@ values:
timeouts: null
module.project-factory.module.projects["teams-iac-0"].google_iam_workload_identity_pool.default["test-0"]:
attestation_rules: []
deletion_policy: DELETE
description: null
disabled: null
display_name: Test pool.
@@ -746,6 +778,7 @@ values:
attribute.workflow: assertion.workflow
google.subject: assertion.sub
aws: []
deletion_policy: DELETE
description: null
disabled: false
display_name: GitHub test provider.
@@ -786,18 +819,21 @@ values:
project: test-pf-teams-iac-0
role: roles/container.defaultNodeServiceAgent
module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["container.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-teams-iac-0
service: container.googleapis.com
timeouts: null
? module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["stackdriver.googleapis.com"]
: disable_dependent_services: false
: deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-teams-iac-0
service: stackdriver.googleapis.com
timeouts: null
module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["storage.googleapis.com"]:
deletion_policy: DELETE
disable_dependent_services: false
disable_on_destroy: false
project: test-pf-teams-iac-0
@@ -808,6 +844,7 @@ values:
service: container.googleapis.com
timeouts: null
module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-a"].google_pubsub_topic.default:
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
ingestion_data_source_settings: []
@@ -832,6 +869,7 @@ values:
: bigquery_config: []
cloud_storage_config: []
dead_letter_policy: []
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
enable_exactly_once_delivery: false
@@ -850,6 +888,7 @@ values:
goog-terraform-provisioned: 'true'
timeouts: null
module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-b"].google_pubsub_topic.default:
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
ingestion_data_source_settings: []
@@ -895,6 +934,7 @@ values:
module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_service_account.service_account[0]:
account_id: app-0-be
create_ignore_already_exists: null
deletion_policy: DELETE
description: null
disabled: false
display_name: Backend instances.
@@ -920,6 +960,7 @@ values:
module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_service_account.service_account[0]:
account_id: app-0-fe
create_ignore_already_exists: null
deletion_policy: DELETE
description: null
disabled: false
display_name: Frontend instances.
@@ -938,6 +979,7 @@ values:
module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_service_account.service_account[0]:
account_id: vm-default
create_ignore_already_exists: null
deletion_policy: DELETE
description: null
disabled: false
display_name: VM default service account.
@@ -956,6 +998,7 @@ values:
module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_service_account.service_account[0]:
account_id: app-0-be
create_ignore_already_exists: null
deletion_policy: DELETE
description: null
disabled: false
display_name: Backend instances.
@@ -966,6 +1009,7 @@ values:
module.project-factory.module.taxonomies["dev-tb-app0-0"].google_data_catalog_taxonomy.default:
activated_policy_types:
- FINE_GRAINED_ACCESS_CONTROL
deletion_policy: DELETE
description: Taxonomy - Terraform managed
display_name: taxonomy
project: test-pf-dev-tb-app0-0