diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md
index 427d6b29f..7f8bcd049 100644
--- a/blueprints/data-solutions/data-platform-foundations/README.md
+++ b/blueprints/data-solutions/data-platform-foundations/README.md
@@ -254,24 +254,23 @@ The application layer is out of scope of this script. As a demo purpuse only, se
You can find examples in the `[demo](./demo)` folder.
-
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [organization_domain](variables.tf#L156) | Organization domain. | string | ✓ | |
-| [prefix](variables.tf#L161) | Prefix used for resource names. | string | ✓ | |
-| [project_config](variables.tf#L170) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | |
+| [organization_domain](variables.tf#L159) | Organization domain. | string | ✓ | |
+| [prefix](variables.tf#L164) | Prefix used for resource names. | string | ✓ | |
+| [project_config](variables.tf#L173) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | |
| [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {…} |
-| [data_catalog_tags](variables.tf#L100) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} |
-| [data_force_destroy](variables.tf#L111) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false |
-| [groups](variables.tf#L117) | User groups. | map(string) | | {…} |
-| [location](variables.tf#L127) | Location used for multi-regional resources. | string | | "eu" |
-| [network_config](variables.tf#L133) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | object({…}) | | null |
-| [project_services](variables.tf#L204) | List of core services enabled on all projects. | list(string) | | […] |
-| [project_suffix](variables.tf#L215) | Suffix used only for project ids. | string | | null |
-| [region](variables.tf#L221) | Region used for regional resources. | string | | "europe-west1" |
-| [service_encryption_keys](variables.tf#L227) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null |
+| [data_catalog_tags](variables.tf#L100) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} |
+| [data_force_destroy](variables.tf#L114) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false |
+| [groups](variables.tf#L120) | User groups. | map(string) | | {…} |
+| [location](variables.tf#L130) | Location used for multi-regional resources. | string | | "eu" |
+| [network_config](variables.tf#L136) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | object({…}) | | null |
+| [project_services](variables.tf#L207) | List of core services enabled on all projects. | list(string) | | […] |
+| [project_suffix](variables.tf#L218) | Suffix used only for project ids. | string | | null |
+| [region](variables.tf#L224) | Region used for regional resources. | string | | "europe-west1" |
+| [service_encryption_keys](variables.tf#L230) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null |
## Outputs
@@ -285,7 +284,6 @@ You can find examples in the `[demo](./demo)` folder.
| [projects](outputs.tf#L76) | GCP Projects information. | |
| [vpc_network](outputs.tf#L102) | VPC network. | |
| [vpc_subnet](outputs.tf#L111) | VPC subnetworks. | |
-
## TODOs
diff --git a/blueprints/data-solutions/data-platform-foundations/variables.tf b/blueprints/data-solutions/data-platform-foundations/variables.tf
index 4ec2fd7e1..9bb92e73d 100644
--- a/blueprints/data-solutions/data-platform-foundations/variables.tf
+++ b/blueprints/data-solutions/data-platform-foundations/variables.tf
@@ -99,12 +99,15 @@ variable "composer_config" {
variable "data_catalog_tags" {
description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format."
- type = map(map(list(string)))
- nullable = false
+ type = map(object({
+ description = optional(string)
+ iam = optional(map(list(string)), {})
+ }))
+ nullable = false
default = {
- "3_Confidential" = null
- "2_Private" = null
- "1_Sensitive" = null
+ "3_Confidential" = {}
+ "2_Private" = {}
+ "1_Sensitive" = {}
}
}
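Review bot: The `description` line still documents the old value shape `{tag => {ROLE => [MEMBERS]}}`, but the new `map(object({...}))` type nests the bindings under an `iam` key next to an optional `description`, so the README rows generated from this string now describe a format the variable rejects. A wording such as `description = "Map of Data Catalog Policy tags to be created, keyed by tag, with optional description and IAM bindings in {tag => {description = string, iam = {ROLE => [MEMBERS]}}} format."` would also fix the `binging` typo. The same stale description is repeated in the data-platform-minimal, fast/3-data-platform and data-catalog-policy-tag variables.tf hunks of this change.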
diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md
index 7072f717b..32622abe2 100644
--- a/blueprints/data-solutions/data-platform-minimal/README.md
+++ b/blueprints/data-solutions/data-platform-minimal/README.md
@@ -272,24 +272,23 @@ The application layer is out of scope of this script. As a demo purpuse only, on
| [outputs.tf](./outputs.tf) | Output variables. | | |
| [variables.tf](./variables.tf) | Terraform Variables. | | |
-
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [organization_domain](variables.tf#L119) | Organization domain. | string | ✓ | |
-| [prefix](variables.tf#L124) | Prefix used for resource names. | string | ✓ | |
-| [project_config](variables.tf#L133) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | |
+| [organization_domain](variables.tf#L122) | Organization domain. | string | ✓ | |
+| [prefix](variables.tf#L127) | Prefix used for resource names. | string | ✓ | |
+| [project_config](variables.tf#L136) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | |
| [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {} |
-| [data_catalog_tags](variables.tf#L55) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} |
-| [data_force_destroy](variables.tf#L66) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false |
-| [enable_services](variables.tf#L72) | Flag to enable or disable services in the Data Platform. | object({…}) | | {} |
-| [groups](variables.tf#L81) | User groups. | map(string) | | {…} |
-| [location](variables.tf#L91) | Location used for multi-regional resources. | string | | "eu" |
-| [network_config](variables.tf#L97) | Shared VPC network configurations to use. If null networks will be created in projects. | object({…}) | | {} |
-| [project_suffix](variables.tf#L157) | Suffix used only for project ids. | string | | null |
-| [region](variables.tf#L163) | Region used for regional resources. | string | | "europe-west1" |
-| [service_encryption_keys](variables.tf#L169) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | {} |
+| [data_catalog_tags](variables.tf#L55) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} |
+| [data_force_destroy](variables.tf#L69) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false |
+| [enable_services](variables.tf#L75) | Flag to enable or disable services in the Data Platform. | object({…}) | | {} |
+| [groups](variables.tf#L84) | User groups. | map(string) | | {…} |
+| [location](variables.tf#L94) | Location used for multi-regional resources. | string | | "eu" |
+| [network_config](variables.tf#L100) | Shared VPC network configurations to use. If null networks will be created in projects. | object({…}) | | {} |
+| [project_suffix](variables.tf#L160) | Suffix used only for project ids. | string | | null |
+| [region](variables.tf#L166) | Region used for regional resources. | string | | "europe-west1" |
+| [service_encryption_keys](variables.tf#L172) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | {} |
## Outputs
@@ -303,5 +302,4 @@ The application layer is out of scope of this script. As a demo purpuse only, on
| [network](outputs.tf#L52) | VPC network. | |
| [projects](outputs.tf#L60) | GCP Projects information. | |
| [service_accounts](outputs.tf#L78) | Service account created. | |
-
diff --git a/blueprints/data-solutions/data-platform-minimal/variables.tf b/blueprints/data-solutions/data-platform-minimal/variables.tf
index a5f5143ea..0dc290032 100644
--- a/blueprints/data-solutions/data-platform-minimal/variables.tf
+++ b/blueprints/data-solutions/data-platform-minimal/variables.tf
@@ -54,12 +54,15 @@ variable "composer_config" {
variable "data_catalog_tags" {
description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format."
- type = map(map(list(string)))
- nullable = false
+ type = map(object({
+ description = optional(string)
+ iam = optional(map(list(string)), {})
+ }))
+ nullable = false
default = {
- "3_Confidential" = null
- "2_Private" = null
- "1_Sensitive" = null
+ "3_Confidential" = {}
+ "2_Private" = {}
+ "1_Sensitive" = {}
}
}
diff --git a/fast/stages/3-data-platform/dev/README.md b/fast/stages/3-data-platform/dev/README.md
index 8f8154c72..2d1e55977 100644
--- a/fast/stages/3-data-platform/dev/README.md
+++ b/fast/stages/3-data-platform/dev/README.md
@@ -171,7 +171,6 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data-
-
## Files
| name | description | modules | resources |
@@ -186,22 +185,22 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data-
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables.tf#L102) | Folder to be used for the networking resources in folders/nnnn format. | object({…}) | ✓ | | 1-resman |
-| [host_project_ids](variables.tf#L120) | Shared VPC project ids. | object({…}) | ✓ | | 2-networking |
-| [organization](variables.tf#L150) | Organization details. | object({…}) | ✓ | | 00-globals |
-| [prefix](variables.tf#L166) | Unique prefix used for resource names. Not used for projects if 'project_create' is null. | string | ✓ | | 00-globals |
+| [folder_ids](variables.tf#L105) | Folder to be used for the networking resources in folders/nnnn format. | object({…}) | ✓ | | 1-resman |
+| [host_project_ids](variables.tf#L123) | Shared VPC project ids. | object({…}) | ✓ | | 2-networking |
+| [organization](variables.tf#L153) | Organization details. | object({…}) | ✓ | | 00-globals |
+| [prefix](variables.tf#L169) | Unique prefix used for resource names. Not used for projects if 'project_create' is null. | string | ✓ | | 00-globals |
| [composer_config](variables.tf#L38) | Cloud Composer configuration options. | object({…}) | | {…} | |
-| [data_catalog_tags](variables.tf#L85) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} | |
-| [data_force_destroy](variables.tf#L96) | Flag to set 'force_destroy' on data services like BigQery or Cloud Storage. | bool | | false | |
-| [groups](variables.tf#L110) | Groups. | map(string) | | {…} | |
-| [location](variables.tf#L128) | Location used for multi-regional resources. | string | | "eu" | |
-| [network_config_composer](variables.tf#L134) | Network configurations to use for Composer. | object({…}) | | {…} | |
-| [outputs_location](variables.tf#L160) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
-| [project_services](variables.tf#L176) | List of core services enabled on all projects. | list(string) | | […] | |
-| [region](variables.tf#L187) | Region used for regional resources. | string | | "europe-west1" | |
-| [service_encryption_keys](variables.tf#L193) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | |
-| [subnet_self_links](variables.tf#L205) | Shared VPC subnet self links. | object({…}) | | null | 2-networking |
-| [vpc_self_links](variables.tf#L214) | Shared VPC self links. | object({…}) | | null | 2-networking |
+| [data_catalog_tags](variables.tf#L85) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} | |
+| [data_force_destroy](variables.tf#L99) | Flag to set 'force_destroy' on data services like BigQery or Cloud Storage. | bool | | false | |
+| [groups](variables.tf#L113) | Groups. | map(string) | | {…} | |
+| [location](variables.tf#L131) | Location used for multi-regional resources. | string | | "eu" | |
+| [network_config_composer](variables.tf#L137) | Network configurations to use for Composer. | object({…}) | | {…} | |
+| [outputs_location](variables.tf#L163) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
+| [project_services](variables.tf#L179) | List of core services enabled on all projects. | list(string) | | […] | |
+| [region](variables.tf#L190) | Region used for regional resources. | string | | "europe-west1" | |
+| [service_encryption_keys](variables.tf#L196) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | |
+| [subnet_self_links](variables.tf#L208) | Shared VPC subnet self links. | object({…}) | | null | 2-networking |
+| [vpc_self_links](variables.tf#L217) | Shared VPC self links. | object({…}) | | null | 2-networking |
## Outputs
@@ -214,5 +213,4 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data-
| [projects](outputs.tf#L62) | GCP Projects information. | | |
| [vpc_network](outputs.tf#L67) | VPC network. | | |
| [vpc_subnet](outputs.tf#L72) | VPC subnetworks. | | |
-
diff --git a/fast/stages/3-data-platform/dev/variables.tf b/fast/stages/3-data-platform/dev/variables.tf
index 1a04011d5..940c12b68 100644
--- a/fast/stages/3-data-platform/dev/variables.tf
+++ b/fast/stages/3-data-platform/dev/variables.tf
@@ -84,12 +84,15 @@ variable "composer_config" {
variable "data_catalog_tags" {
description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format."
- type = map(map(list(string)))
- nullable = false
+ type = map(object({
+ description = optional(string)
+ iam = optional(map(list(string)), {})
+ }))
+ nullable = false
default = {
- "3_Confidential" = null
- "2_Private" = null
- "1_Sensitive" = null
+ "3_Confidential" = {}
+ "2_Private" = {}
+ "1_Sensitive" = {}
}
}
diff --git a/modules/bigquery-dataset/README.md b/modules/bigquery-dataset/README.md
index b440859bc..48bc50a5c 100644
--- a/modules/bigquery-dataset/README.md
+++ b/modules/bigquery-dataset/README.md
@@ -205,9 +205,6 @@ module "bigquery-dataset" {
tables = {
countries = {
friendly_name = "Countries"
- labels = {}
- options = null
- partitioning = null
schema = local.countries_schema
deletion_protection = true
}
@@ -232,16 +229,12 @@ module "bigquery-dataset" {
id = "my-dataset"
tables = {
table_a = {
- friendly_name = "Table a"
- labels = {}
- options = null
- partitioning = {
- field = null
- range = null # use start/end/interval for range
- time = { type = "DAY", expiration_ms = null }
- }
- schema = local.countries_schema
deletion_protection = true
+ friendly_name = "Table a"
+ schema = local.countries_schema
+ partitioning = {
+ time = { type = "DAY", expiration_ms = null }
+ }
}
}
}
@@ -265,9 +258,6 @@ module "bigquery-dataset" {
tables = {
countries = {
friendly_name = "Countries"
- labels = {}
- options = null
- partitioning = null
schema = local.countries_schema
deletion_protection = true
}
@@ -275,7 +265,6 @@ module "bigquery-dataset" {
views = {
population = {
friendly_name = "Population"
- labels = {}
query = "SELECT SUM(population) FROM my_dataset.countries"
use_legacy_sql = false
deletion_protection = true
@@ -286,7 +275,6 @@ module "bigquery-dataset" {
# tftest modules=1 resources=3 inventory=views.yaml
```
-
## Variables
| name | description | type | required | default |
@@ -306,8 +294,8 @@ module "bigquery-dataset" {
| [labels](variables.tf#L103) | Dataset labels. | map(string) | | {} |
| [location](variables.tf#L109) | Dataset location. | string | | "EU" |
| [options](variables.tf#L115) | Dataset options. | object({…}) | | {} |
-| [tables](variables.tf#L133) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | map(object({…})) | | {} |
-| [views](variables.tf#L161) | View definitions. | map(object({…})) | | {} |
+| [tables](variables.tf#L133) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | map(object({…})) | | {} |
+| [views](variables.tf#L162) | View definitions. | map(object({…})) | | {} |
## Outputs
@@ -321,5 +309,4 @@ module "bigquery-dataset" {
| [tables](outputs.tf#L69) | Table resources. | |
| [view_ids](outputs.tf#L74) | Map of fully qualified view ids keyed by view ids. | |
| [views](outputs.tf#L79) | View resources. | |
-
diff --git a/modules/bigquery-dataset/main.tf b/modules/bigquery-dataset/main.tf
index 0a66b8292..fafd75f48 100644
--- a/modules/bigquery-dataset/main.tf
+++ b/modules/bigquery-dataset/main.tf
@@ -214,15 +214,15 @@ resource "google_bigquery_table" "default" {
dataset_id = google_bigquery_dataset.default.dataset_id
table_id = each.key
friendly_name = each.value.friendly_name
- description = "Terraform managed."
- clustering = try(each.value.options.clustering, null)
- expiration_time = try(each.value.options.expiration_time, null)
+ description = each.value.description
+ clustering = each.value.options.clustering
+ expiration_time = each.value.options.expiration_time
labels = each.value.labels
schema = each.value.schema
deletion_protection = each.value.deletion_protection
dynamic "encryption_configuration" {
- for_each = try(each.value.options.encryption_key, null) != null ? [""] : []
+ for_each = each.value.options.encryption_key != null ? [""] : []
content {
kms_key_name = each.value.options.encryption_key
}
@@ -257,7 +257,7 @@ resource "google_bigquery_table" "views" {
dataset_id = google_bigquery_dataset.default.dataset_id
table_id = each.key
friendly_name = each.value.friendly_name
- description = "Terraform managed."
+ description = each.value.description
labels = each.value.labels
deletion_protection = each.value.deletion_protection
diff --git a/modules/bigquery-dataset/variables.tf b/modules/bigquery-dataset/variables.tf
index 66eb89348..cb13effa8 100644
--- a/modules/bigquery-dataset/variables.tf
+++ b/modules/bigquery-dataset/variables.tf
@@ -133,27 +133,28 @@ variable "project_id" {
variable "tables" {
description = "Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null."
type = map(object({
- friendly_name = string
- labels = map(string)
- options = object({
- clustering = list(string)
- encryption_key = string
- expiration_time = number
- })
- partitioning = object({
- field = string
- range = object({
+ deletion_protection = optional(bool)
+ description = optional(string, "Terraform managed.")
+ friendly_name = optional(string)
+ labels = optional(map(string), {})
+ schema = optional(string)
+ options = optional(object({
+ clustering = optional(list(string))
+ encryption_key = optional(string)
+ expiration_time = optional(number)
+ }), {})
+ partitioning = optional(object({
+ field = optional(string)
+ range = optional(object({
end = number
interval = number
start = number
- })
- time = object({
+ }))
+ time = optional(object({
expiration_ms = number
type = string
- })
- })
- schema = string
- deletion_protection = bool
+ }))
+ }))
}))
default = {}
}
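Review bot: The `tables` description still says "Options and partitioning default to null", but `options` now defaults to `{}` with every field optional while only `partitioning` still defaults to null, and `deletion_protection` went from a required `bool` to `optional(bool)` with no default. Suggest `description = "Table definitions. Options default to an empty object and partitioning to null. Partitioning can only use `range` or `time`, set the unused one to null."` and, since an unset `deletion_protection` now leaves the choice to the provider (which as far as I recall defaults it to true), stating the intended value with `deletion_protection = optional(bool, true)` so the module's contract is explicit rather than inherited.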
@@ -161,11 +162,12 @@ variable "tables" {
variable "views" {
description = "View definitions."
type = map(object({
- friendly_name = string
- labels = map(string)
query = string
- use_legacy_sql = bool
- deletion_protection = bool
+ deletion_protection = optional(bool)
+ description = optional(string, "Terraform managed.")
+ friendly_name = optional(string)
+ labels = optional(map(string), {})
+ use_legacy_sql = optional(bool)
}))
default = {}
}
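Review bot: `use_legacy_sql` changed from a required `bool` to `optional(bool)` with no default, so a view that omits it now passes null through, and as far as I recall the provider treats an unset `view.use_legacy_sql` as true; callers that previously had to write `false` explicitly can now silently get legacy SQL. Every README example in this change sets `use_legacy_sql = false`, so `use_legacy_sql = optional(bool, false)` would pin that as the module default without changing any documented usage. The same consideration applies to `deletion_protection = optional(bool)` on the line above it.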
diff --git a/modules/data-catalog-policy-tag/README.md b/modules/data-catalog-policy-tag/README.md
index 570bfbf5d..99f2c08c2 100644
--- a/modules/data-catalog-policy-tag/README.md
+++ b/modules/data-catalog-policy-tag/README.md
@@ -3,6 +3,7 @@
This module simplifies the creation of [Data Catalog](https://cloud.google.com/data-catalog) Policy Tags. Policy Tags can be used to configure [Bigquery column-level access](https://cloud.google.com/bigquery/docs/best-practices-policy-tags).
Note: Data Catalog is still in beta, hence this module currently uses the beta provider.
+
## Examples
### Simple Taxonomy with policy tags
@@ -13,7 +14,9 @@ module "cmn-dc" {
name = "my-datacatalog-policy-tags"
project_id = "my-project"
tags = {
- low = null, medium = null, high = null
+ low = {}
+ medium = {}
+ high = {}
}
}
# tftest modules=1 resources=4
@@ -27,9 +30,15 @@ module "cmn-dc" {
name = "my-datacatalog-policy-tags"
project_id = "my-project"
tags = {
- low = null
- medium = null
- high = { "roles/datacatalog.categoryFineGrainedReader" = ["group:GROUP_NAME@example.com"] }
+ low = {}
+ medium = {}
+ high = {
+ iam = {
+ "roles/datacatalog.categoryFineGrainedReader" = [
+ "group:GROUP_NAME@example.com"
+ ]
+ }
+ }
}
iam = {
"roles/datacatalog.categoryAdmin" = ["group:GROUP_NAME@example.com"]
@@ -38,7 +47,6 @@ module "cmn-dc" {
# tftest modules=1 resources=6
```
-
## Variables
| name | description | type | required | default |
@@ -53,7 +61,7 @@ module "cmn-dc" {
| [iam_additive_members](variables.tf#L47) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} |
| [location](variables.tf#L53) | Data Catalog Taxonomy location. | string | | "eu" |
| [prefix](variables.tf#L64) | Optional prefix used to generate project id and name. | string | | null |
-| [tags](variables.tf#L78) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
+| [tags](variables.tf#L78) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {} |
## Outputs
@@ -61,8 +69,8 @@ module "cmn-dc" {
|---|---|:---:|
| [id](outputs.tf#L17) | Fully qualified taxonomy id. | |
| [tags](outputs.tf#L22) | Policy Tags. | |
-
## TODO
+
- Support IAM at tag level.
- Support Child policy tags
diff --git a/modules/data-catalog-policy-tag/iam.tf b/modules/data-catalog-policy-tag/iam.tf
index bea15ff45..d682e6e86 100644
--- a/modules/data-catalog-policy-tag/iam.tf
+++ b/modules/data-catalog-policy-tag/iam.tf
@@ -45,13 +45,13 @@ locals {
"${pair.role}-${pair.member}" => pair
}
tags_iam = flatten([
- for tag, roles in var.tags : [
- for role, members in roles : {
- tag = tag
+ for k, v in var.tags : [
+ for role, members in v.iam : {
+ tag = k
role = role
members = members
}
- ] if roles != null
+ ]
])
}
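Review bot: Removing the `if roles != null` guard means a tag still passed as `null` (the form the old README examples used) now fails inside `for role, members in v.iam` with an attribute-on-null error instead of being skipped, because `nullable = false` on `var.tags` covers the map itself, not its elements. If null elements are intentionally unsupported, a `validation` block on `var.tags` with `condition = alltrue([for v in var.tags : v != null])` gives a clearer plan-time message; otherwise keep the guard as `] if v != null`. The `locals` block starts before this hunk.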
diff --git a/modules/data-catalog-policy-tag/main.tf b/modules/data-catalog-policy-tag/main.tf
index 02572bf29..0ccd9235f 100644
--- a/modules/data-catalog-policy-tag/main.tf
+++ b/modules/data-catalog-policy-tag/main.tf
@@ -33,9 +33,11 @@ resource "google_data_catalog_taxonomy" "default" {
}
resource "google_data_catalog_policy_tag" "default" {
- for_each = toset(keys(var.tags))
+ for_each = var.tags
provider = google-beta
taxonomy = google_data_catalog_taxonomy.default.id
display_name = each.key
- description = "${each.key} - Terraform managed. "
+ description = coalesce(
+ each.value.description, "${each.key} - Terraform managed."
+ )
}
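Review bot: `coalesce()` treats an empty string the same as null, so a tag declared with `description = ""` silently receives the `"<key> - Terraform managed."` fallback; if an explicitly empty description should be honored, `description = each.value.description != null ? each.value.description : "${each.key} - Terraform managed."` preserves it. Note also that the new fallback drops the trailing space of the old literal, so every existing policy tag will show an in-place description update on the next plan, which is worth a line in the changelog.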
diff --git a/modules/data-catalog-policy-tag/variables.tf b/modules/data-catalog-policy-tag/variables.tf
index 2342e9474..70ba24bfc 100644
--- a/modules/data-catalog-policy-tag/variables.tf
+++ b/modules/data-catalog-policy-tag/variables.tf
@@ -77,7 +77,10 @@ variable "project_id" {
variable "tags" {
description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format."
- type = map(map(list(string)))
- nullable = false
- default = {}
+ type = map(object({
+ description = optional(string)
+ iam = optional(map(list(string)), {})
+ }))
+ nullable = false
+ default = {}
}
diff --git a/modules/logging-bucket/README.md b/modules/logging-bucket/README.md
index 9923a7e3c..8ace8a103 100644
--- a/modules/logging-bucket/README.md
+++ b/modules/logging-bucket/README.md
@@ -74,24 +74,22 @@ module "bucket-billing-account" {
# tftest modules=2 resources=2 inventory=org-ba.yaml
```
-
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [id](variables.tf#L23) | Name of the logging bucket. | string | ✓ | |
-| [parent](variables.tf#L50) | ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | string | ✓ | |
-| [parent_type](variables.tf#L55) | Parent object type for the bucket (project, folder, organization, billing_account). | string | ✓ | |
+| [parent](variables.tf#L51) | ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | string | ✓ | |
+| [parent_type](variables.tf#L56) | Parent object type for the bucket (project, folder, organization, billing_account). | string | ✓ | |
| [description](variables.tf#L17) | Human-readable description for the logging bucket. | string | | null |
| [kms_key_name](variables.tf#L28) | To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key. | string | | null |
| [location](variables.tf#L34) | Location of the bucket. | string | | "global" |
-| [log_analytics](variables.tf#L40) | Enable and configure Analytics Log. | object({…}) | | {} |
-| [retention](variables.tf#L60) | Retention time in days for the logging bucket. | number | | 30 |
+| [log_analytics](variables.tf#L40) | Enable and configure Analytics Log. | object({…}) | | {} |
+| [retention](variables.tf#L61) | Retention time in days for the logging bucket. | number | | 30 |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [id](outputs.tf#L17) | Fully qualified logging bucket id. | |
-
diff --git a/modules/logging-bucket/main.tf b/modules/logging-bucket/main.tf
index f534af5c3..697eb4306 100644
--- a/modules/logging-bucket/main.tf
+++ b/modules/logging-bucket/main.tf
@@ -46,7 +46,7 @@ resource "google_logging_linked_dataset" "dataset" {
parent = "projects/${google_logging_project_bucket_config.bucket[0].project}"
bucket = google_logging_project_bucket_config.bucket[0].id
location = var.location
- description = "Log Analytics Dataset"
+ description = var.log_analytics.description
}
resource "google_logging_organization_bucket_config" "bucket" {
diff --git a/modules/logging-bucket/variables.tf b/modules/logging-bucket/variables.tf
index fcd318436..1720ac405 100644
--- a/modules/logging-bucket/variables.tf
+++ b/modules/logging-bucket/variables.tf
@@ -42,6 +42,7 @@ variable "log_analytics" {
type = object({
enable = optional(bool, false)
dataset_link_id = optional(string)
+ description = optional(string, "Log Analytics Dataset")
})
nullable = false
default = {}
diff --git a/modules/net-address/README.md b/modules/net-address/README.md
index d8d448244..9f122352b 100644
--- a/modules/net-address/README.md
+++ b/modules/net-address/README.md
@@ -11,8 +11,8 @@ module "addresses" {
source = "./fabric/modules/net-address"
project_id = var.project_id
external_addresses = {
- one = "europe-west1"
- two = "europe-west2"
+ one = { region = "europe-west1" }
+ two = { region = "europe-west2" }
}
global_addresses = ["app-1", "app-2"]
}
@@ -106,13 +106,13 @@ module "addresses" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L67) | Project where the addresses will be created. | string | ✓ | |
-| [external_addresses](variables.tf#L17) | Map of external address regions, keyed by name. | map(string) | | {} |
-| [global_addresses](variables.tf#L29) | List of global addresses to create. | list(string) | | [] |
-| [internal_addresses](variables.tf#L35) | Map of internal addresses to create, keyed by name. | map(object({…})) | | {} |
-| [ipsec_interconnect_addresses](variables.tf#L49) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | map(object({…})) | | {} |
-| [psa_addresses](variables.tf#L72) | Map of internal addresses used for Private Service Access. | map(object({…})) | | {} |
-| [psc_addresses](variables.tf#L83) | Map of internal addresses used for Private Service Connect. | map(object({…})) | | {} |
+| [project_id](variables.tf#L65) | Project where the addresses will be created. | string | ✓ | |
+| [external_addresses](variables.tf#L17) | Map of external addresses, keyed by name. | map(object({…})) | | {} |
+| [global_addresses](variables.tf#L27) | List of global addresses to create. | list(string) | | [] |
+| [internal_addresses](variables.tf#L33) | Map of internal addresses to create, keyed by name. | map(object({…})) | | {} |
+| [ipsec_interconnect_addresses](variables.tf#L47) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | map(object({…})) | | {} |
+| [psa_addresses](variables.tf#L70) | Map of internal addresses used for Private Service Access. | map(object({…})) | | {} |
+| [psc_addresses](variables.tf#L81) | Map of internal addresses used for Private Service Connect. | map(object({…})) | | {} |
## Outputs
diff --git a/modules/net-address/main.tf b/modules/net-address/main.tf
index 46705d703..b09ba231a 100644
--- a/modules/net-address/main.tf
+++ b/modules/net-address/main.tf
@@ -21,13 +21,14 @@ resource "google_compute_global_address" "global" {
}
resource "google_compute_address" "external" {
+ provider = google-beta
for_each = var.external_addresses
project = var.project_id
name = each.key
- description = "Terraform managed."
+ description = each.value.description
address_type = "EXTERNAL"
- region = each.value
- # labels = lookup(var.external_address_labels, each.key, {})
+ region = each.value.region
+ labels = each.value.labels
}
resource "google_compute_address" "internal" {
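Review bot: `provider = google-beta` is now set on the external address resource, presumably because `labels` on `google_compute_address` requires the beta provider, but nothing in this hunk shows the module's `required_providers` declaring `google-beta`; if `versions.tf` does not already list it, callers that only configure `google` will fail at init. A short comment on the line, e.g. `provider = google-beta # labels on addresses require the beta provider`, would keep the next reader from removing it as redundant. The `internal` resource begins on the hunk's last line and continues outside it.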
diff --git a/modules/net-address/variables.tf b/modules/net-address/variables.tf
index 87b9fc7d7..ebcfa5b66 100644
--- a/modules/net-address/variables.tf
+++ b/modules/net-address/variables.tf
@@ -15,17 +15,15 @@
*/
variable "external_addresses" {
- description = "Map of external address regions, keyed by name."
- type = map(string)
- default = {}
+ description = "Map of external addresses, keyed by name."
+ type = map(object({
+ region = string
+ description = optional(string, "Terraform managed.")
+ labels = optional(map(string), {})
+ }))
+ default = {}
}
-# variable "external_address_labels" {
-# description = "Optional labels for external addresses, keyed by address name."
-# type = map(map(string))
-# default = {}
-# }
-
variable "global_addresses" {
description = "List of global addresses to create."
type = list(string)
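Review bot: The type of `external_addresses` changes incompatibly from `map(string)` to `map(object({…}))`, so any existing caller still passing a plain region string (`a1 = "europe-west1"`) fails type-checking at plan time with a generic type error. The in-tree examples in net-cloudnat and net-vpn-static are migrated in this same commit, but nothing visible tells external callers what to do; a short hint in the variable description would, e.g. `description = "Map of external addresses, keyed by name. Each value is an object with a required region (was a plain region string in earlier versions)."`. The `optional(...)` defaults are consistent with the `psc_addresses` variable in the following hunk, so no new Terraform version requirement is introduced here.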
@@ -88,4 +86,4 @@ variable "psc_addresses" {
description = optional(string, "Terraform managed.")
}))
default = {}
-}
\ No newline at end of file
+}
diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index 19b56ac8c..64342ad33 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -2,6 +2,13 @@
Simple Cloud NAT management, with optional router creation.
+
+- [Basic Example](#basic-example)
+- [Reserved IPs and custom rules](#reserved-ips-and-custom-rules)
+- [Variables](#variables)
+- [Outputs](#outputs)
+
+
## Basic Example
```hcl
@@ -15,16 +22,16 @@ module "nat" {
# tftest modules=1 resources=2
```
-# Reserved IPs and custom rules
+## Reserved IPs and custom rules
```hcl
module "addresses" {
source = "./fabric/modules/net-address"
project_id = "my-project"
external_addresses = {
- a1 = "europe-west1"
- a2 = "europe-west1"
- a3 = "europe-west1"
+ a1 = { region = "europe-west1" }
+ a2 = { region = "europe-west1" }
+ a3 = { region = "europe-west1" }
}
}
diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md
index b22a48181..d2769cd05 100644
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@@ -125,20 +125,19 @@ module "vpn_ha" {
# tftest modules=1 resources=10
```
-
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L17) | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | string | ✓ | |
| [network](variables.tf#L22) | VPC used for the gateway and routes. | string | ✓ | |
-| [project_id](variables.tf#L46) | Project where resources will be created. | string | ✓ | |
-| [region](variables.tf#L51) | Region used for resources. | string | ✓ | |
-| [router_config](variables.tf#L56) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
-| [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | map(object({…})) | | {} |
-| [tunnels](variables.tf#L71) | VPN tunnel configurations. | map(object({…})) | | {} |
-| [vpn_gateway](variables.tf#L99) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | string | | null |
-| [vpn_gateway_create](variables.tf#L105) | Create HA VPN Gateway. | bool | | true |
+| [project_id](variables.tf#L47) | Project where resources will be created. | string | ✓ | |
+| [region](variables.tf#L52) | Region used for resources. | string | ✓ | |
+| [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
+| [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | map(object({…})) | | {} |
+| [tunnels](variables.tf#L72) | VPN tunnel configurations. | map(object({…})) | | {} |
+| [vpn_gateway](variables.tf#L100) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | string | | null |
+| [vpn_gateway_create](variables.tf#L106) | Create HA VPN Gateway. Set to null to avoid creation. | object({…}) | | {} |
## Outputs
@@ -156,5 +155,4 @@ module "vpn_ha" {
| [tunnel_names](outputs.tf#L67) | VPN tunnel names. | |
| [tunnel_self_links](outputs.tf#L75) | VPN tunnel self links. | |
| [tunnels](outputs.tf#L83) | VPN tunnel resources. | |
-
diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf
index 31bc0ddc9..d1a555ece 100644
--- a/modules/net-vpn-ha/main.tf
+++ b/modules/net-vpn-ha/main.tf
@@ -28,7 +28,7 @@ locals {
: var.router_config.name
)
vpn_gateway = (
- var.vpn_gateway_create
+ var.vpn_gateway_create != null
? try(google_compute_ha_vpn_gateway.ha_gateway[0].self_link, null)
: var.vpn_gateway
)
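Review bot: With the new condition, `local.vpn_gateway` silently resolves to `null` when a caller sets `vpn_gateway_create = null` but forgets to supply `vpn_gateway`; the failure then surfaces later on the resources that consume the local, far from the misconfiguration. A fail-early guard would help, for example a `lifecycle { precondition { condition = local.vpn_gateway != null  error_message = "Set vpn_gateway when vpn_gateway_create is null." } }` on the first resource that references `local.vpn_gateway`, or an equivalent check next to the variable. The `locals` block this hunk edits starts outside the hunk, and the consuming resources are not visible here, so the exact placement is inferred.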
@@ -36,7 +36,7 @@ locals {
}
resource "google_compute_ha_vpn_gateway" "ha_gateway" {
- count = var.vpn_gateway_create ? 1 : 0
+ count = var.vpn_gateway_create != null ? 1 : 0
name = var.name
project = var.project_id
region = var.region
@@ -48,7 +48,7 @@ resource "google_compute_external_vpn_gateway" "external_gateway" {
name = "${var.name}-${each.key}"
project = var.project_id
redundancy_type = each.value.redundancy_type
- description = "Terraform managed external VPN gateway"
+ description = each.value.description
dynamic "interface" {
for_each = each.value.interfaces
content {
diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf
index b12c4cdca..50a123a76 100644
--- a/modules/net-vpn-ha/variables.tf
+++ b/modules/net-vpn-ha/variables.tf
@@ -30,6 +30,7 @@ variable "peer_gateways" {
external = optional(object({
redundancy_type = string
interfaces = list(string)
+ description = optional(string, "Terraform managed external VPN gateway")
}))
gcp = optional(string)
}))
@@ -103,7 +104,9 @@ variable "vpn_gateway" {
}
variable "vpn_gateway_create" {
- description = "Create HA VPN Gateway."
- type = bool
- default = true
+ description = "Create HA VPN Gateway. Set to null to avoid creation."
+ type = object({
+ description = optional(string, "Terraform managed external VPN gateway")
+ })
+ default = {}
}
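Review bot: The new `description` attribute on `vpn_gateway_create` is accepted from callers but never consumed: the `google_compute_ha_vpn_gateway.ha_gateway` hunk in main.tf only changes its `count` expression and sets no `description`, so the value is silently ignored. Its default also reads `"Terraform managed external VPN gateway"`, which is the string introduced for the external peer gateway in the `peer_gateways` hunk above and is wrong for an HA gateway. Suggested fix: change the default to `description = optional(string, "Terraform managed HA VPN gateway")` here, and add `description = var.vpn_gateway_create.description` to the `ha_gateway` resource in main.tf (that resource body continues past the visible hunk, so check it is not set further down).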
diff --git a/modules/net-vpn-static/README.md b/modules/net-vpn-static/README.md
index 64840740e..902fc1e46 100644
--- a/modules/net-vpn-static/README.md
+++ b/modules/net-vpn-static/README.md
@@ -7,7 +7,7 @@ module "addresses" {
source = "./fabric/modules/net-address"
project_id = var.project_id
external_addresses = {
- vpn = "europe-west1"
+ vpn = { region = "europe-west1" }
}
}