add network tags outputs and examples to project module (#2350)

Ludovico Magnocavallo
2024-06-09 07:52:15 +02:00
committed by GitHub
parent 67754ca58e
commit 41e583ffc9
5 changed files with 296 additions and 13 deletions


@@ -490,7 +490,6 @@ module "org" {
} }
# tftest modules=1 resources=10 inventory=tags.yaml # tftest modules=1 resources=10 inventory=tags.yaml
``` ```
<!-- TODO: reinstate e2e serial -->
You can also define network tags, through a dedicated variable *network_tags*: You can also define network tags, through a dedicated variable *network_tags*:


@@ -18,7 +18,8 @@ This module implements the creation and management of one GCP project including
- [Log Sinks](#log-sinks) - [Log Sinks](#log-sinks)
- [Data Access Logs](#data-access-logs) - [Data Access Logs](#data-access-logs)
- [Cloud KMS Encryption Keys](#cloud-kms-encryption-keys) - [Cloud KMS Encryption Keys](#cloud-kms-encryption-keys)
- [Attaching Tags](#attaching-tags) - [Tags](#tags)
- [Tag Bindings](#tag-bindings)
- [Project-scoped Tags](#project-scoped-tags) - [Project-scoped Tags](#project-scoped-tags)
- [Custom Roles](#custom-roles) - [Custom Roles](#custom-roles)
- [Custom Roles Factory](#custom-roles-factory) - [Custom Roles Factory](#custom-roles-factory)
@@ -679,9 +680,113 @@ module "project" {
# tftest modules=1 resources=6 e2e # tftest modules=1 resources=6 e2e
``` ```
## Attaching Tags ## Tags
You can attach secure tags to a project with the `tag_bindings` attribute Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
```hcl
module "project" {
source = "./fabric/modules/project"
billing_account = var.billing_account_id
name = "project"
prefix = var.prefix
parent = var.folder_id
services = [
"compute.googleapis.com",
]
tags = {
environment = {
description = "Environment specification."
iam = {
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
}
iam_bindings = {
viewer = {
role = "roles/resourcemanager.tagViewer"
members = ["group:gcp-support@example.org"]
}
}
iam_bindings_additive = {
user_app1 = {
role = "roles/resourcemanager.tagUser"
member = "group:app1-team@example.org"
}
}
values = {
dev = {
iam_bindings_additive = {
user_app2 = {
role = "roles/resourcemanager.tagUser"
member = "group:app2-team@example.org"
}
}
}
prod = {
description = "Environment: production."
iam = {
"roles/resourcemanager.tagViewer" = ["group:app1-team@example.org"]
}
iam_bindings = {
admin = {
role = "roles/resourcemanager.tagAdmin"
members = ["group:gcp-support@example.org"]
condition = {
title = "gcp_support"
expression = <<-END
request.time.getHours("Europe/Berlin") <= 9 &&
request.time.getHours("Europe/Berlin") >= 17
END
}
}
}
}
}
}
}
tag_bindings = {
env-prod = module.project.tag_values["environment/prod"].id
}
}
# tftest modules=1 resources=12 inventory=tags.yaml
```
You can also define network tags through the dedicated `network_tags` variable:
```hcl
module "project" {
source = "./fabric/modules/project"
billing_account = var.billing_account_id
name = "project"
prefix = var.prefix
parent = var.folder_id
services = [
"compute.googleapis.com"
]
network_tags = {
net-environment = {
description = "This is a network tag."
network = "${var.project_id}/${var.vpc.name}"
iam = {
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
}
values = {
dev = {}
prod = {
description = "Environment: production."
iam = {
"roles/resourcemanager.tagUser" = ["group:${var.group_email}"]
}
}
}
}
}
}
# tftest modules=1 resources=7 inventory=tags-network.yaml
```
## Tag Bindings
You can bind secure tags to a project with the `tag_bindings` attribute
```hcl ```hcl
module "org" { module "org" {
@@ -1230,13 +1335,15 @@ module "bucket" {
| [custom_roles](outputs.tf#L27) | Map of custom roles resources created in the project. | | | [custom_roles](outputs.tf#L27) | Map of custom roles resources created in the project. | |
| [id](outputs.tf#L32) | Project id. | | | [id](outputs.tf#L32) | Project id. | |
| [name](outputs.tf#L51) | Project name. | | | [name](outputs.tf#L51) | Project name. | |
| [number](outputs.tf#L63) | Project number. | | | [network_tag_keys](outputs.tf#L63) | Tag key resources. | |
| [project_id](outputs.tf#L82) | Project id. | | | [network_tag_values](outputs.tf#L72) | Tag value resources. | |
| [quota_configs](outputs.tf#L101) | Quota configurations. | | | [number](outputs.tf#L80) | Project number. | |
| [quotas](outputs.tf#L112) | Quota resources. | | | [project_id](outputs.tf#L99) | Project id. | |
| [service_accounts](outputs.tf#L117) | Product robot service accounts in project. | | | [quota_configs](outputs.tf#L118) | Quota configurations. | |
| [services](outputs.tf#L133) | Service APIs to enabled in the project. | | | [quotas](outputs.tf#L129) | Quota resources. | |
| [sink_writer_identities](outputs.tf#L142) | Writer identities created for each sink. | | | [service_accounts](outputs.tf#L134) | Product robot service accounts in project. | |
| [tag_keys](outputs.tf#L149) | Tag key resources. | | | [services](outputs.tf#L150) | Service APIs to enabled in the project. | |
| [tag_values](outputs.tf#L158) | Tag value resources. | | | [sink_writer_identities](outputs.tf#L159) | Writer identities created for each sink. | |
| [tag_keys](outputs.tf#L166) | Tag key resources. | |
| [tag_values](outputs.tf#L175) | Tag value resources. | |
<!-- END TFDOC --> <!-- END TFDOC -->


@@ -60,6 +60,23 @@ output "name" {
] ]
} }
output "network_tag_keys" {
description = "Tag key resources."
value = {
for k, v in google_tags_tag_key.default : k => v if(
v.purpose != null && v.purpose != ""
)
}
}
output "network_tag_values" {
description = "Tag value resources."
value = {
for k, v in google_tags_tag_value.default :
k => v if local.tag_values[k].tag_network
}
}
output "number" { output "number" {
description = "Project number." description = "Project number."
value = local.project.number value = local.project.number
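Review bot: The two new outputs pick out network tags by different criteria: `network_tag_keys` keeps any key whose `purpose` is a non-empty string, while `network_tag_values` keeps values whose `local.tag_values[k].tag_network` flag is set, so a key created with some other non-empty purpose would appear in the first output while its values would not appear in the second. The inventory added in this commit shows network keys carrying `purpose: GCE_FIREWALL`, so `k => v if v.purpose == "GCE_FIREWALL"` — or the same local flag the values use, if the keys local carries one — would keep the two outputs in step. The descriptions also repeat those of `tag_keys` and `tag_values`, so the README outputs table now lists two entries reading "Tag key resources." and two reading "Tag value resources."; `description = "Network tag key resources."` and `description = "Network tag value resources."` would tell them apart.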


@@ -0,0 +1,69 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.project.google_project.project[0]:
auto_create_network: false
billing_account: 123456-123456-123456
folder_id: '1122334455'
labels: null
name: test-project
org_id: null
project_id: test-project
skip_delete: false
timeouts: null
module.project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: compute.googleapis.com
timeouts: null
module.project.google_tags_tag_key.default["net-environment"]:
description: This is a network tag.
parent: projects/test-project
purpose: GCE_FIREWALL
purpose_data:
network: project-id/vpc-name
short_name: net-environment
timeouts: null
module.project.google_tags_tag_key_iam_binding.default["net-environment:roles/resourcemanager.tagAdmin"]:
condition: []
members:
- group:organization-admins@example.org
role: roles/resourcemanager.tagAdmin
module.project.google_tags_tag_value.default["net-environment/dev"]:
description: Managed by the Terraform project module.
short_name: dev
timeouts: null
module.project.google_tags_tag_value.default["net-environment/prod"]:
description: 'Environment: production.'
short_name: prod
timeouts: null
module.project.google_tags_tag_value_iam_binding.default["net-environment/prod:roles/resourcemanager.tagUser"]:
condition: []
members:
- group:organization-admins@example.org
role: roles/resourcemanager.tagUser
counts:
google_project: 1
google_project_service: 1
google_tags_tag_key: 1
google_tags_tag_key_iam_binding: 1
google_tags_tag_value: 2
google_tags_tag_value_iam_binding: 1
modules: 1
resources: 7
outputs: {}


@@ -0,0 +1,91 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.project.google_project.project[0]:
auto_create_network: false
billing_account: 123456-123456-123456
folder_id: '1122334455'
labels: null
name: test-project
org_id: null
project_id: test-project
skip_delete: false
timeouts: null
module.project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: compute.googleapis.com
timeouts: null
module.project.google_tags_tag_binding.binding["env-prod"]:
timeouts: null
module.project.google_tags_tag_key.default["environment"]:
description: Environment specification.
parent: projects/test-project
purpose: null
purpose_data: null
short_name: environment
timeouts: null
module.project.google_tags_tag_key_iam_binding.bindings["environment:viewer"]:
condition: []
members:
- group:gcp-support@example.org
role: roles/resourcemanager.tagViewer
module.project.google_tags_tag_key_iam_binding.default["environment:roles/resourcemanager.tagAdmin"]:
condition: []
members:
- group:organization-admins@example.org
role: roles/resourcemanager.tagAdmin
module.project.google_tags_tag_key_iam_member.bindings["environment:user_app1"]:
condition: []
member: group:app1-team@example.org
role: roles/resourcemanager.tagUser
module.project.google_tags_tag_value.default["environment/dev"]:
description: Managed by the Terraform project module.
short_name: dev
timeouts: null
module.project.google_tags_tag_value.default["environment/prod"]:
description: 'Environment: production.'
short_name: prod
timeouts: null
module.project.google_tags_tag_value_iam_binding.bindings["environment/prod:admin"]:
condition: []
members:
- group:gcp-support@example.org
role: roles/resourcemanager.tagAdmin
module.project.google_tags_tag_value_iam_binding.default["environment/prod:roles/resourcemanager.tagViewer"]:
condition: []
members:
- group:app1-team@example.org
role: roles/resourcemanager.tagViewer
module.project.google_tags_tag_value_iam_member.bindings["environment/dev:user_app2"]:
condition: []
member: group:app2-team@example.org
role: roles/resourcemanager.tagUser
counts:
google_project: 1
google_project_service: 1
google_tags_tag_binding: 1
google_tags_tag_key: 1
google_tags_tag_key_iam_binding: 2
google_tags_tag_key_iam_member: 1
google_tags_tag_value: 2
google_tags_tag_value_iam_binding: 2
google_tags_tag_value_iam_member: 1
modules: 1
resources: 12
outputs: {}
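Review bot: The fixture asserts `condition: []` for `google_tags_tag_value_iam_binding.bindings["environment/prod:admin"]`, yet the README example this inventory backs sets a `condition` block with a title and expression on that very `admin` binding. If inventory values are matched exactly, the test can only pass because the module does not carry the condition into the binding, which would make the `roles/resourcemanager.tagAdmin` grant unconditional rather than time-restricted; the module's IAM resources are outside this diff, so this needs confirming there. Either the fixture should list the condition the example declares, or the example should not show a condition the module ignores. Separately, the example's expression requires the same hour to be both `<= 9` and `>= 17`, which can never hold; `||` is presumably intended if the goal is "outside business hours".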