Add support for Shared VPC service IAM to project module (#525)

* project module changes

* fix examples

* add comments in module code

* re-enable nullable on svpc variables

* project factory

* Tests still failing (#526)

* fix pf

* tfdoc

* pf test boilerplate

Co-authored-by: Simone Ruffilli <sruffilli@google.com>

tests/examples/factories/project_factory/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

tests/examples/factories/project_factory/fixture/defaults.yaml

@@ -0,0 +1,24 @@
+# skip boilerplate check
+
+billing_account_id: 012345-67890A-BCDEF0
+
+# [opt] Setup for billing alerts
+billing_alert:
+  amount: 1000
+  thresholds:
+    current: [0.5, 0.8]
+    forecasted: [0.5, 0.8]
+  credit_treatment: INCLUDE_ALL_CREDITS
+
+# [opt] Contacts for billing alerts and important notifications
+essential_contacts: ["team-contacts@example.com"]
+
+# [opt] Labels set for all projects
+labels:
+  environment: prod
+  department: accounting
+  application: example-app
+  foo: bar
+
+# [opt] Additional notification channels for billing
+notification_channels: []

tests/examples/factories/project_factory/fixture/main.tf

@@ -0,0 +1,51 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  _defaults = yamldecode(file(var.defaults_file))
+  _defaults_net = {
+    billing_account_id   = var.billing_account_id
+    environment_dns_zone = var.environment_dns_zone
+    shared_vpc_self_link = var.shared_vpc_self_link
+    vpc_host_project     = var.vpc_host_project
+  }
+  defaults = merge(local._defaults, local._defaults_net)
+  projects = {
+    for f in fileset("${var.data_dir}", "**/*.yaml") :
+    trimsuffix(f, ".yaml") => yamldecode(file("${var.data_dir}/${f}"))
+  }
+}
+
+module "projects" {
+  source                 = "../../../../../examples/factories/project-factory"
+  for_each               = local.projects
+  defaults               = local.defaults
+  project_id             = each.key
+  billing_account_id     = try(each.value.billing_account_id, null)
+  billing_alert          = try(each.value.billing_alert, null)
+  dns_zones              = try(each.value.dns_zones, [])
+  essential_contacts     = try(each.value.essential_contacts, [])
+  folder_id              = each.value.folder_id
+  group_iam              = try(each.value.group_iam, {})
+  iam                    = try(each.value.iam, {})
+  kms_service_agents     = try(each.value.kms, {})
+  labels                 = try(each.value.labels, {})
+  org_policies           = try(each.value.org_policies, null)
+  service_accounts       = try(each.value.service_accounts, {})
+  services               = try(each.value.services, [])
+  service_identities_iam = try(each.value.service_identities_iam, {})
+  vpc                    = try(each.value.vpc, null)
+}

tests/examples/factories/project_factory/fixture/projects/project.yaml

@@ -0,0 +1,100 @@
+# skip boilerplate check
+
+# [opt] Billing account id - overrides default if set
+billing_account_id: 012345-67890A-BCDEF0
+
+# [opt] Billing alerts config - overrides default if set
+billing_alert:
+  amount: 10
+  thresholds:
+    current:
+      - 0.5
+      - 0.8
+    forecasted: []
+  credit_treatment: INCLUDE_ALL_CREDITS
+
+# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
+dns_zones:
+  - lorem
+  - ipsum
+
+# [opt] Contacts for billing alerts and important notifications
+essential_contacts:
+  - team-a-contacts@example.com
+
+# Folder the project will be created as children of
+folder_id: folders/012345678901
+
+# [opt] Authoritative IAM bindings in group => [roles] format
+group_iam:
+  test-team-foobar@fast-lab-0.gcp-pso-italy.net:
+    - roles/compute.admin
+
+# [opt] Authoritative IAM bindings in role => [principals] format
+# Generally used to grant roles to service accounts external to the project
+iam:
+  roles/compute.admin:
+    - serviceAccount:service-account
+
+# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
+# in service => [keys] format
+kms_service_agents:
+  compute: [key1, key2]
+  storage: [key1, key2]
+
+# [opt] Labels for the project - merged with the ones defined in defaults
+labels:
+  environment: prod
+
+# [opt] Org policy overrides defined at project level
+org_policies:
+  policy_boolean:
+    constraints/compute.disableGuestAttributesAccess: true
+  policy_list:
+    constraints/compute.trustedImageProjects:
+      inherit_from_parent: null
+      status: true
+      suggested_value: null
+      values:
+        - projects/fast-prod-iac-core-0
+
+# [opt] Service account to create for the project and their roles on the project
+# in name => [roles] format
+service_accounts:
+  another-service-account:
+    - roles/compute.admin
+  my-service-account:
+    - roles/compute.admin
+
+# [opt] APIs to enable on the project.
+services:
+  - storage.googleapis.com
+  - stackdriver.googleapis.com
+  - compute.googleapis.com
+
+# [opt] Roles to assign to the service identities in service => [roles] format
+service_identities_iam:
+  compute:
+    - roles/storage.objectViewer
+
+  # [opt] VPC setup.
+  # If set enables the `compute.googleapis.com` service and configures
+  # service project attachment
+vpc:
+  # [opt] If set, enables the container API
+  gke_setup:
+    # Grants "roles/container.hostServiceAgentUser" to the container robot if set
+    enable_host_service_agent: false
+
+    # Grants  "roles/compute.securityAdmin" to the container robot if set
+    enable_security_admin: true
+
+  # Host project the project will be service project of
+  host_project: fast-prod-net-spoke-0
+
+  # [opt] Subnets in the host project where principals will be granted networkUser
+  # in region/subnet-name => [principals]
+  subnets_iam:
+    europe-west1/prod-default-ew1:
+      - user:foobar@example.com
+      - serviceAccount:service-account1

tests/examples/factories/project_factory/fixture/variables.tf

@@ -0,0 +1,52 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "billing_account_id" {
+  description = "Billing account id."
+  type        = string
+  default     = "012345-67890A-BCDEF0"
+}
+
+variable "data_dir" {
+  description = "Relative path for the folder storing configuration data."
+  type        = string
+  default     = "./projects/"
+}
+
+variable "environment_dns_zone" {
+  description = "DNS zone suffix for environment."
+  type        = string
+  default     = "prod.gcp.example.com"
+}
+
+variable "defaults_file" {
+  description = "Relative path for the file storing the project factory configuration."
+  type        = string
+  default     = "./defaults.yaml"
+}
+
+variable "shared_vpc_self_link" {
+  description = "Self link for the shared VPC."
+  type        = string
+  default     = "self-link"
+}
+
+variable "vpc_host_project" {
+  # tfdoc:variable:source 02-networking
+  description = "Host project for the shared VPC."
+  type        = string
+  default     = "host-project"
+}

tests/examples/factories/project_factory/test_plan.py

@@ -0,0 +1,18 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+def test_counts(e2e_plan_runner):
+  "Check for a clean plan"
+  modules, resources = e2e_plan_runner()
+  assert len(modules) > 0 and len(resources) > 0

tests/examples/networking/filtering_proxy/test_plan.py

@@ -16,8 +16,8 @@ def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner()
   assert len(modules) == 11
-  assert len(resources) == 29
+  assert len(resources) == 30
 
   modules, resources = e2e_plan_runner(mig="true")
   assert len(modules) == 13
-  assert len(resources) == 35
+  assert len(resources) == 36

tests/examples/networking/shared_vpc_gke/test_plan.py

@@ -16,4 +16,4 @@ def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner()
   assert len(modules) == 10
-  assert len(resources) == 41
+  assert len(resources) == 43