Add support for Shared VPC service IAM to project module (#525)
* project module changes
* fix examples
* add comments in module code
* re-enable nullable on svpc variables
* project factory
* Tests still failing (#526)
* fix pf
* tfdoc
* pf test boilerplate

Co-authored-by: Simone Ruffilli <sruffilli@google.com>
committed by GitHub
parent c27b25c114
commit 40cb46e1cc
@@ -36,14 +36,46 @@ module "project" {
name = "project-example"
iam_additive = {
"roles/viewer" = ["group:one@example.org", "group:two@xample.org"],
"roles/storage.objectAdmin" = ["group:two@example.org"],
"roles/owner" = ["group:three@example.org"],
"roles/viewer" = [
"group:one@example.org", "group:two@xample.org"
],
"roles/storage.objectAdmin" = [
"group:two@example.org"
],
"roles/owner" = [
"group:three@example.org"
],
}
}
# tftest modules=1 resources=5
```
### Shared VPC service
```hcl
module "project" {
source = "./modules/project"
name = "project-example"
shared_vpc_service_config = {
attach = true
host_project = "my-host-project"
service_identity_iam = {
"roles/compute.networkUser" = [
"cloudservices", "container-engine"
]
"roles/vpcaccess.user" = [
"cloudrun"
]
"roles/container.hostServiceAgentUser" = [
"container-engine"
]
}
}
}
# tftest modules=1 resources=6
```
### Organization policies
```hcl
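Review bot: the new "Shared VPC service" README example sets `attach = true` inside `shared_vpc_service_config`, but the variable type this same commit documents in the variables table is `object({ host_project = string service_identity_iam = map(list(string)) })`, which has no `attach` attribute (attachment is now implied by a non-null value, with the default changed to `null`); drop the `attach = true` line so the example matches the declared type, since depending on Terraform's object conversion rules the extra attribute is either rejected or silently ignored, and either way it teaches readers a key that does nothing. Separately, the `iam_additive` block keeps `"group:two@xample.org"` (present in both the removed and the reflowed line) next to `group:two@example.org`; that is a typo for `example.org`, and an IAM member pointing at a domain the reader does not control is exactly the kind of mistake copy-pasted examples propagate, so it is worth fixing while this block is being rewritten.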
@@ -74,6 +106,7 @@ module "project" {
```
## Logging Sinks
```hcl
module "gcs" {
source = "./modules/gcs"
@@ -187,7 +220,7 @@ module "project" {
| [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | <code>google_project_organization_policy</code> |
| [outputs.tf](./outputs.tf) | Module outputs. | |
| [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | <code>google_kms_crypto_key_iam_member</code> · <code>google_project_service_identity</code> |
| [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | <code>google_compute_shared_vpc_host_project</code> · <code>google_compute_shared_vpc_service_project</code> |
| [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | <code>google_compute_shared_vpc_host_project</code> · <code>google_compute_shared_vpc_service_project</code> · <code>google_project_iam_member</code> |
| [variables.tf](./variables.tf) | Module variables. | |
| [versions.tf](./versions.tf) | Version pins. | |
| [vpc-sc.tf](./vpc-sc.tf) | VPC-SC project-level perimeter configuration. | <code>google_access_context_manager_service_perimeter_resource</code> |
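Review bot: the `shared-vpc.tf` row now lists `google_project_iam_member` among its resources, but its description is unchanged at "Shared VPC project-level configuration", which no longer tells a reader that this file also creates IAM bindings in the host project for the service project's identities; suggest "Shared VPC project-level configuration and host project IAM for service identities" so the cross-project grant is visible from the file table. Using the additive `google_project_iam_member` rather than an authoritative binding resource is the right choice for this, since a service project module must not overwrite the host project's existing role members.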
@@ -224,9 +257,9 @@ module "project" {
| [service_perimeter_bridges](variables.tf#L211) | Name of VPC-SC Bridge perimeters to add project into. See comment in the variables file for format. | <code>list(string)</code> | | <code>null</code> |
| [service_perimeter_standard](variables.tf#L218) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | <code>string</code> | | <code>null</code> |
| [services](variables.tf#L224) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
| [shared_vpc_host_config](variables.tf#L230) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = list(string) })">object({…})</code> | | <code title="{ enabled = false service_projects = [] }">{…}</code> |
| [shared_vpc_service_config](variables.tf#L243) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ attach = bool host_project = string })">object({…})</code> | | <code title="{ attach = false host_project = "" }">{…}</code> |
| [skip_delete](variables.tf#L256) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
| [shared_vpc_host_config](variables.tf#L230) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = list(string) })">object({…})</code> | | <code>null</code> |
| [shared_vpc_service_config](variables.tf#L239) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ host_project = string service_identity_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
| [skip_delete](variables.tf#L249) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
## Outputs
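Review bot: the `shared_vpc_host_config` description, in both the removed and the added row, says "mutually exclusive with shared_vpc_service_project", but no variable of that name exists in this table; the sibling variable is `shared_vpc_service_config`, so the description should be corrected while the row is being regenerated. The new `service_identity_iam = map(list(string))` attribute on `shared_vpc_service_config` maps roles to service identity short names (`cloudservices`, `container-engine`, `cloudrun` in the README example), yet nothing in the row says which names are accepted or that the roles are granted in the host project rather than in this project; a "See comment in the variables file for format." pointer, as the `service_perimeter_*` rows already carry, would make that explicit, which matters because these keys are roles granted on a project the service project does not own. Moving both defaults to `null` matches the commit's "re-enable nullable on svpc variables" and makes "not configured" unambiguous instead of relying on `enabled = false` / `attach = false` sentinels.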
@@ -234,9 +267,9 @@ module "project" {
|---|---|:---:|
| [custom_roles](outputs.tf#L17) | Ids of the created custom roles. | |
| [name](outputs.tf#L25) | Project name. | |
| [number](outputs.tf#L37) | Project number. | |
| [project_id](outputs.tf#L49) | Project id. | |
| [service_accounts](outputs.tf#L63) | Product robot service accounts in project. | |
| [sink_writer_identities](outputs.tf#L79) | Writer identities created for each sink. | |
| [number](outputs.tf#L38) | Project number. | |
| [project_id](outputs.tf#L51) | Project id. | |
| [service_accounts](outputs.tf#L66) | Product robot service accounts in project. | |
| [sink_writer_identities](outputs.tf#L82) | Writer identities created for each sink. | |
<!-- END TFDOC -->