From 9c75aa469cc92784dd33f4ec2db3f4d44e26bdbf Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Sun, 6 Aug 2023 11:25:45 +0200 Subject: [PATCH] More module descriptions (#1572) * bigquery dataset * data catalog policy tag * net-address * fix data catalog callers * bigquery dataset views * fix data catalog callers * logging bucket * net vpn ha --- .../data-platform-foundations/README.md | 26 ++++++------ .../data-platform-foundations/variables.tf | 13 +++--- .../data-platform-minimal/README.md | 26 ++++++------ .../data-platform-minimal/variables.tf | 13 +++--- fast/stages/3-data-platform/dev/README.md | 32 +++++++------- fast/stages/3-data-platform/dev/variables.tf | 13 +++--- modules/bigquery-dataset/README.md | 27 ++++-------- modules/bigquery-dataset/main.tf | 10 ++--- modules/bigquery-dataset/variables.tf | 42 ++++++++++--------- modules/data-catalog-policy-tag/README.md | 22 ++++++---- modules/data-catalog-policy-tag/iam.tf | 8 ++-- modules/data-catalog-policy-tag/main.tf | 6 ++- modules/data-catalog-policy-tag/variables.tf | 9 ++-- modules/logging-bucket/README.md | 10 ++--- modules/logging-bucket/main.tf | 2 +- modules/logging-bucket/variables.tf | 1 + modules/net-address/README.md | 18 ++++---- modules/net-address/main.tf | 7 ++-- modules/net-address/variables.tf | 18 ++++---- modules/net-cloudnat/README.md | 15 +++++-- modules/net-vpn-ha/README.md | 16 ++++--- modules/net-vpn-ha/main.tf | 6 +-- modules/net-vpn-ha/variables.tf | 9 ++-- modules/net-vpn-static/README.md | 2 +- 24 files changed, 181 insertions(+), 170 deletions(-) diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md index 427d6b29f..7f8bcd049 100644 --- a/blueprints/data-solutions/data-platform-foundations/README.md +++ b/blueprints/data-solutions/data-platform-foundations/README.md 
@@ -254,24 +254,23 @@ The application layer is out of scope of this script. As a demo purpuse only, se You can find examples in the `[demo](./demo)` folder. - ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [organization_domain](variables.tf#L156) | Organization domain. | string | ✓ | | -| [prefix](variables.tf#L161) | Prefix used for resource names. | string | ✓ | | -| [project_config](variables.tf#L170) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | +| [organization_domain](variables.tf#L159) | Organization domain. | string | ✓ | | +| [prefix](variables.tf#L164) | Prefix used for resource names. | string | ✓ | | +| [project_config](variables.tf#L173) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | | [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {…} | -| [data_catalog_tags](variables.tf#L100) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} | -| [data_force_destroy](variables.tf#L111) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false | -| [groups](variables.tf#L117) | User groups. | map(string) | | {…} | -| [location](variables.tf#L127) | Location used for multi-regional resources. | string | | "eu" | -| [network_config](variables.tf#L133) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | object({…}) | | null | -| [project_services](variables.tf#L204) | List of core services enabled on all projects. 
| list(string) | | […] | -| [project_suffix](variables.tf#L215) | Suffix used only for project ids. | string | | null | -| [region](variables.tf#L221) | Region used for regional resources. | string | | "europe-west1" | -| [service_encryption_keys](variables.tf#L227) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | +| [data_catalog_tags](variables.tf#L100) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} | +| [data_force_destroy](variables.tf#L114) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false | +| [groups](variables.tf#L120) | User groups. | map(string) | | {…} | +| [location](variables.tf#L130) | Location used for multi-regional resources. | string | | "eu" | +| [network_config](variables.tf#L136) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | object({…}) | | null | +| [project_services](variables.tf#L207) | List of core services enabled on all projects. | list(string) | | […] | +| [project_suffix](variables.tf#L218) | Suffix used only for project ids. | string | | null | +| [region](variables.tf#L224) | Region used for regional resources. | string | | "europe-west1" | +| [service_encryption_keys](variables.tf#L230) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | ## Outputs @@ -285,7 +284,6 @@ You can find examples in the `[demo](./demo)` folder. | [projects](outputs.tf#L76) | GCP Projects information. | | | [vpc_network](outputs.tf#L102) | VPC network. | | | [vpc_subnet](outputs.tf#L111) | VPC subnetworks. | | - ## TODOs diff --git a/blueprints/data-solutions/data-platform-foundations/variables.tf b/blueprints/data-solutions/data-platform-foundations/variables.tf index 4ec2fd7e1..9bb92e73d 100644 
--- a/blueprints/data-solutions/data-platform-foundations/variables.tf
+++ b/blueprints/data-solutions/data-platform-foundations/variables.tf
@@ -99,12 +99,15 @@ variable "composer_config" {
 
 variable "data_catalog_tags" {
   description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format."
-  type = map(map(list(string)))
-  nullable = false
+  type = map(object({
+    description = optional(string)
+    iam = optional(map(list(string)), {})
+  }))
+  nullable = false
   default = {
-    "3_Confidential" = null
-    "2_Private" = null
-    "1_Sensitive" = null
+    "3_Confidential" = {}
+    "2_Private" = {}
+    "1_Sensitive" = {}
   }
 }
 
diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md
index 7072f717b..32622abe2 100644
--- a/blueprints/data-solutions/data-platform-minimal/README.md
+++ b/blueprints/data-solutions/data-platform-minimal/README.md
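Review bot: The `description` kept as context in this hunk no longer matches the new type: it still promises a `{tag => {ROLE => [MEMBERS]}}` map, while the value is now `{tag => {description = string, iam = {ROLE => [MEMBERS]}}}`, and the README table regenerated from it inherits the stale wording together with the `binging` typo. Suggest `description = "Data Catalog policy tags to create, keyed by tag name, each with an optional description and optional IAM bindings in {ROLE => [MEMBERS]} format."`. These entries become IAM bindings on the policy tags that gate column-level access on the Confidential/Private/Sensitive tags (see the data-catalog-policy-tag module README in this commit), so the variable description is what a tfvars reviewer relies on to spot a misplaced grant.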
@@ -272,24 +272,23 @@ The application layer is out of scope of this script. As a demo purpuse only, on | [outputs.tf](./outputs.tf) | Output variables. | | | | [variables.tf](./variables.tf) | Terraform Variables. | | | - ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [organization_domain](variables.tf#L119) | Organization domain. | string | ✓ | | -| [prefix](variables.tf#L124) | Prefix used for resource names. | string | ✓ | | -| [project_config](variables.tf#L133) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | +| [organization_domain](variables.tf#L122) | Organization domain. | string | ✓ | | +| [prefix](variables.tf#L127) | Prefix used for resource names. | string | ✓ | | +| [project_config](variables.tf#L136) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | | [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {} | -| [data_catalog_tags](variables.tf#L55) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} | -| [data_force_destroy](variables.tf#L66) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false | -| [enable_services](variables.tf#L72) | Flag to enable or disable services in the Data Platform. | object({…}) | | {} | -| [groups](variables.tf#L81) | User groups. | map(string) | | {…} | -| [location](variables.tf#L91) | Location used for multi-regional resources. | string | | "eu" | -| [network_config](variables.tf#L97) | Shared VPC network configurations to use. If null networks will be created in projects. 
| object({…}) | | {} | -| [project_suffix](variables.tf#L157) | Suffix used only for project ids. | string | | null | -| [region](variables.tf#L163) | Region used for regional resources. | string | | "europe-west1" | -| [service_encryption_keys](variables.tf#L169) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | {} | +| [data_catalog_tags](variables.tf#L55) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} | +| [data_force_destroy](variables.tf#L69) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false | +| [enable_services](variables.tf#L75) | Flag to enable or disable services in the Data Platform. | object({…}) | | {} | +| [groups](variables.tf#L84) | User groups. | map(string) | | {…} | +| [location](variables.tf#L94) | Location used for multi-regional resources. | string | | "eu" | +| [network_config](variables.tf#L100) | Shared VPC network configurations to use. If null networks will be created in projects. | object({…}) | | {} | +| [project_suffix](variables.tf#L160) | Suffix used only for project ids. | string | | null | +| [region](variables.tf#L166) | Region used for regional resources. | string | | "europe-west1" | +| [service_encryption_keys](variables.tf#L172) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | {} | ## Outputs @@ -303,5 +302,4 @@ The application layer is out of scope of this script. As a demo purpuse only, on | [network](outputs.tf#L52) | VPC network. | | | [projects](outputs.tf#L60) | GCP Projects information. | | | [service_accounts](outputs.tf#L78) | Service account created. | | - diff --git a/blueprints/data-solutions/data-platform-minimal/variables.tf b/blueprints/data-solutions/data-platform-minimal/variables.tf index a5f5143ea..0dc290032 100644 
--- a/blueprints/data-solutions/data-platform-minimal/variables.tf +++ b/blueprints/data-solutions/data-platform-minimal/variables.tf @@ -54,12 +54,15 @@ variable "composer_config" { variable "data_catalog_tags" { description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format." - type = map(map(list(string))) - nullable = false + type = map(object({ + description = optional(string) + iam = optional(map(list(string)), {}) + })) + nullable = false default = { - "3_Confidential" = null - "2_Private" = null - "1_Sensitive" = null + "3_Confidential" = {} + "2_Private" = {} + "1_Sensitive" = {} } } diff --git a/fast/stages/3-data-platform/dev/README.md b/fast/stages/3-data-platform/dev/README.md index 8f8154c72..2d1e55977 100644 --- a/fast/stages/3-data-platform/dev/README.md +++ b/fast/stages/3-data-platform/dev/README.md @@ -171,7 +171,6 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data- - ## Files | name | description | modules | resources | 
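Review bot: Same stale contract as in the foundations blueprint: the unchanged `description` line in this hunk still documents `{tag => {ROLE => [MEMBERS]}}`, but the new object type nests the bindings under `iam` next to an optional `description`, so a caller following the text will write role keys at the top level and get a type error rather than the intended binding. Since this variable is copied verbatim from `modules/data-catalog-policy-tag/variables.tf`, fixing the string there and pasting it here keeps the three copies in sync; something like `description = "Data Catalog policy tags to create, keyed by tag name, each with an optional description and optional IAM bindings in {ROLE => [MEMBERS]} format."`. The `binging` typo would go with it.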
@@ -186,22 +185,22 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data- |---|---|:---:|:---:|:---:|:---:| | [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables.tf#L102) | Folder to be used for the networking resources in folders/nnnn format. | object({…}) | ✓ | | 1-resman | -| [host_project_ids](variables.tf#L120) | Shared VPC project ids. | object({…}) | ✓ | | 2-networking | -| [organization](variables.tf#L150) | Organization details. | object({…}) | ✓ | | 00-globals | -| [prefix](variables.tf#L166) | Unique prefix used for resource names. Not used for projects if 'project_create' is null. | string | ✓ | | 00-globals | +| [folder_ids](variables.tf#L105) | Folder to be used for the networking resources in folders/nnnn format. | object({…}) | ✓ | | 1-resman | +| [host_project_ids](variables.tf#L123) | Shared VPC project ids. | object({…}) | ✓ | | 2-networking | +| [organization](variables.tf#L153) | Organization details. | object({…}) | ✓ | | 00-globals | +| [prefix](variables.tf#L169) | Unique prefix used for resource names. Not used for projects if 'project_create' is null. | string | ✓ | | 00-globals | | [composer_config](variables.tf#L38) | Cloud Composer configuration options. | object({…}) | | {…} | | -| [data_catalog_tags](variables.tf#L85) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} | | -| [data_force_destroy](variables.tf#L96) | Flag to set 'force_destroy' on data services like BigQery or Cloud Storage. | bool | | false | | -| [groups](variables.tf#L110) | Groups. 
| map(string) | | {…} | | -| [location](variables.tf#L128) | Location used for multi-regional resources. | string | | "eu" | | -| [network_config_composer](variables.tf#L134) | Network configurations to use for Composer. | object({…}) | | {…} | | -| [outputs_location](variables.tf#L160) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | -| [project_services](variables.tf#L176) | List of core services enabled on all projects. | list(string) | | […] | | -| [region](variables.tf#L187) | Region used for regional resources. | string | | "europe-west1" | | -| [service_encryption_keys](variables.tf#L193) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | | -| [subnet_self_links](variables.tf#L205) | Shared VPC subnet self links. | object({…}) | | null | 2-networking | -| [vpc_self_links](variables.tf#L214) | Shared VPC self links. | object({…}) | | null | 2-networking | +| [data_catalog_tags](variables.tf#L85) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} | | +| [data_force_destroy](variables.tf#L99) | Flag to set 'force_destroy' on data services like BigQery or Cloud Storage. | bool | | false | | +| [groups](variables.tf#L113) | Groups. | map(string) | | {…} | | +| [location](variables.tf#L131) | Location used for multi-regional resources. | string | | "eu" | | +| [network_config_composer](variables.tf#L137) | Network configurations to use for Composer. | object({…}) | | {…} | | +| [outputs_location](variables.tf#L163) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | +| [project_services](variables.tf#L179) | List of core services enabled on all projects. 
| list(string) | | […] | | +| [region](variables.tf#L190) | Region used for regional resources. | string | | "europe-west1" | | +| [service_encryption_keys](variables.tf#L196) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | | +| [subnet_self_links](variables.tf#L208) | Shared VPC subnet self links. | object({…}) | | null | 2-networking | +| [vpc_self_links](variables.tf#L217) | Shared VPC self links. | object({…}) | | null | 2-networking | ## Outputs @@ -214,5 +213,4 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data- | [projects](outputs.tf#L62) | GCP Projects information. | | | | [vpc_network](outputs.tf#L67) | VPC network. | | | | [vpc_subnet](outputs.tf#L72) | VPC subnetworks. | | | - diff --git a/fast/stages/3-data-platform/dev/variables.tf b/fast/stages/3-data-platform/dev/variables.tf index 1a04011d5..940c12b68 100644 --- a/fast/stages/3-data-platform/dev/variables.tf +++ b/fast/stages/3-data-platform/dev/variables.tf @@ -84,12 +84,15 @@ variable "composer_config" { variable "data_catalog_tags" { description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format." - type = map(map(list(string))) - nullable = false + type = map(object({ + description = optional(string) + iam = optional(map(list(string)), {}) + })) + nullable = false default = { - "3_Confidential" = null - "2_Private" = null - "1_Sensitive" = null + "3_Confidential" = {} + "2_Private" = {} + "1_Sensitive" = {} } } diff --git a/modules/bigquery-dataset/README.md b/modules/bigquery-dataset/README.md index b440859bc..48bc50a5c 100644 --- a/modules/bigquery-dataset/README.md +++ b/modules/bigquery-dataset/README.md @@ -205,9 +205,6 @@ module "bigquery-dataset" { tables = { countries = { friendly_name = "Countries" - labels = {} - options = null - partitioning = null schema = local.countries_schema deletion_protection = true } 
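Review bot: The `description` of `data_catalog_tags` in this FAST stage hunk still describes the old `map(map(list(string)))` shape (`{tag => {ROLE => [MEMBERS]}}`), while the new type expects `{tag => {description, iam = {ROLE => [MEMBERS]}}}`; the generated README row above repeats the mismatch. For a stage whose tfvars are typically reviewed rather than written by the module author, the description should name the `iam` attribute explicitly, e.g. `description = "Data Catalog policy tags to create, keyed by tag name, each with an optional description and optional IAM bindings in {ROLE => [MEMBERS]} format."`. The `binging` typo is in the same string.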
@@ -232,16 +229,12 @@ module "bigquery-dataset" { id = "my-dataset" tables = { table_a = { - friendly_name = "Table a" - labels = {} - options = null - partitioning = { - field = null - range = null # use start/end/interval for range - time = { type = "DAY", expiration_ms = null } - } - schema = local.countries_schema deletion_protection = true + friendly_name = "Table a" + schema = local.countries_schema + partitioning = { + time = { type = "DAY", expiration_ms = null } + } } } } @@ -265,9 +258,6 @@ module "bigquery-dataset" { tables = { countries = { friendly_name = "Countries" - labels = {} - options = null - partitioning = null schema = local.countries_schema deletion_protection = true } @@ -275,7 +265,6 @@ module "bigquery-dataset" { views = { population = { friendly_name = "Population" - labels = {} query = "SELECT SUM(population) FROM my_dataset.countries" use_legacy_sql = false deletion_protection = true @@ -286,7 +275,6 @@ module "bigquery-dataset" { # tftest modules=1 resources=3 inventory=views.yaml ``` - ## Variables | name | description | type | required | default | @@ -306,8 +294,8 @@ module "bigquery-dataset" { | [labels](variables.tf#L103) | Dataset labels. | map(string) | | {} | | [location](variables.tf#L109) | Dataset location. | string | | "EU" | | [options](variables.tf#L115) | Dataset options. | object({…}) | | {} | -| [tables](variables.tf#L133) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | map(object({…})) | | {} | -| [views](variables.tf#L161) | View definitions. | map(object({…})) | | {} | +| [tables](variables.tf#L133) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | map(object({…})) | | {} | +| [views](variables.tf#L162) | View definitions. | map(object({…})) | | {} | ## Outputs 
@@ -321,5 +309,4 @@ module "bigquery-dataset" { | [tables](outputs.tf#L69) | Table resources. | | | [view_ids](outputs.tf#L74) | Map of fully qualified view ids keyed by view ids. | | | [views](outputs.tf#L79) | View resources. | | - diff --git a/modules/bigquery-dataset/main.tf b/modules/bigquery-dataset/main.tf index 0a66b8292..fafd75f48 100644 --- a/modules/bigquery-dataset/main.tf +++ b/modules/bigquery-dataset/main.tf @@ -214,15 +214,15 @@ resource "google_bigquery_table" "default" { dataset_id = google_bigquery_dataset.default.dataset_id table_id = each.key friendly_name = each.value.friendly_name - description = "Terraform managed." - clustering = try(each.value.options.clustering, null) - expiration_time = try(each.value.options.expiration_time, null) + description = each.value.description + clustering = each.value.options.clustering + expiration_time = each.value.options.expiration_time labels = each.value.labels schema = each.value.schema deletion_protection = each.value.deletion_protection dynamic "encryption_configuration" { - for_each = try(each.value.options.encryption_key, null) != null ? [""] : [] + for_each = each.value.options.encryption_key != null ? [""] : [] content { kms_key_name = each.value.options.encryption_key } @@ -257,7 +257,7 @@ resource "google_bigquery_table" "views" { dataset_id = google_bigquery_dataset.default.dataset_id table_id = each.key friendly_name = each.value.friendly_name - description = "Terraform managed." + description = each.value.description labels = each.value.labels deletion_protection = each.value.deletion_protection diff --git a/modules/bigquery-dataset/variables.tf b/modules/bigquery-dataset/variables.tf index 66eb89348..cb13effa8 100644 --- a/modules/bigquery-dataset/variables.tf +++ b/modules/bigquery-dataset/variables.tf 
@@ -133,27 +133,28 @@ variable "project_id" {
 variable "tables" {
   description = "Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null."
   type = map(object({
-    friendly_name = string
-    labels = map(string)
-    options = object({
-      clustering = list(string)
-      encryption_key = string
-      expiration_time = number
-    })
-    partitioning = object({
-      field = string
-      range = object({
+    deletion_protection = optional(bool)
+    description = optional(string, "Terraform managed.")
+    friendly_name = optional(string)
+    labels = optional(map(string), {})
+    schema = optional(string)
+    options = optional(object({
+      clustering = optional(list(string))
+      encryption_key = optional(string)
+      expiration_time = optional(number)
+    }), {})
+    partitioning = optional(object({
+      field = optional(string)
+      range = optional(object({
         end = number
         interval = number
         start = number
-      })
-      time = object({
+      }))
+      time = optional(object({
         expiration_ms = number
         type = string
-      })
-    })
-    schema = string
-    deletion_protection = bool
+      }))
+    }))
   }))
   default = {}
 }
@@ -161,11 +162,12 @@ variable "tables" {
 variable "views" {
   description = "View definitions."
   type = map(object({
-    friendly_name = string
-    labels = map(string)
     query = string
-    use_legacy_sql = bool
-    deletion_protection = bool
+    deletion_protection = optional(bool)
+    description = optional(string, "Terraform managed.")
+    friendly_name = optional(string)
+    labels = optional(map(string), {})
+    use_legacy_sql = optional(bool)
   }))
   default = {}
 }
diff --git a/modules/data-catalog-policy-tag/README.md b/modules/data-catalog-policy-tag/README.md
index 570bfbf5d..99f2c08c2 100644
--- a/modules/data-catalog-policy-tag/README.md
+++ b/modules/data-catalog-policy-tag/README.md
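Review bot: The `tables` description kept as context ("Options and partitioning default to null ... set the unused one to null") is now wrong on both counts: `options` defaults to `{}` via `optional(object({...}), {})`, and `range`/`time` are themselves `optional`, so the unused one is simply omitted; suggest `description = "Table definitions. Options default to {} and partitioning to null; partitioning can use only one of range or time, leave the other unset."`. Separately, `deletion_protection` goes from a required `bool` that every caller had to decide on to `optional(bool)` with no default, which resolves to null and hands the decision to the provider. If the provider default is `true`, as I believe it is for `google_bigquery_table`, behaviour is unchanged, but `deletion_protection = optional(bool, true)` would keep the safe default in the module contract instead of in the provider, and the same applies to the `views` hunk below where `use_legacy_sql = optional(bool)` also now falls through to a provider default that the description does not mention.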
@@ -3,6 +3,7 @@ This module simplifies the creation of [Data Catalog](https://cloud.google.com/data-catalog) Policy Tags. Policy Tags can be used to configure [Bigquery column-level access](https://cloud.google.com/bigquery/docs/best-practices-policy-tags). Note: Data Catalog is still in beta, hence this module currently uses the beta provider. + ## Examples ### Simple Taxonomy with policy tags @@ -13,7 +14,9 @@ module "cmn-dc" { name = "my-datacatalog-policy-tags" project_id = "my-project" tags = { - low = null, medium = null, high = null + low = {} + medium = {} + high = {} } } # tftest modules=1 resources=4 @@ -27,9 +30,15 @@ module "cmn-dc" { name = "my-datacatalog-policy-tags" project_id = "my-project" tags = { - low = null - medium = null - high = { "roles/datacatalog.categoryFineGrainedReader" = ["group:GROUP_NAME@example.com"] } + low = {} + medium = {} + high = { + iam = { + "roles/datacatalog.categoryFineGrainedReader" = [ + "group:GROUP_NAME@example.com" + ] + } + } } iam = { "roles/datacatalog.categoryAdmin" = ["group:GROUP_NAME@example.com"] @@ -38,7 +47,6 @@ module "cmn-dc" { # tftest modules=1 resources=6 ``` - ## Variables | name | description | type | required | default | @@ -53,7 +61,7 @@ module "cmn-dc" { | [iam_additive_members](variables.tf#L47) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} | | [location](variables.tf#L53) | Data Catalog Taxonomy location. | string | | "eu" | | [prefix](variables.tf#L64) | Optional prefix used to generate project id and name. | string | | null | -| [tags](variables.tf#L78) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | +| [tags](variables.tf#L78) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {} | ## Outputs 
@@ -61,8 +69,8 @@ module "cmn-dc" { |---|---|:---:| | [id](outputs.tf#L17) | Fully qualified taxonomy id. | | | [tags](outputs.tf#L22) | Policy Tags. | | - ## TODO + - Support IAM at tag level. - Support Child policy tags diff --git a/modules/data-catalog-policy-tag/iam.tf b/modules/data-catalog-policy-tag/iam.tf index bea15ff45..d682e6e86 100644 --- a/modules/data-catalog-policy-tag/iam.tf +++ b/modules/data-catalog-policy-tag/iam.tf @@ -45,13 +45,13 @@ locals { "${pair.role}-${pair.member}" => pair } tags_iam = flatten([ - for tag, roles in var.tags : [ - for role, members in roles : { - tag = tag + for k, v in var.tags : [ + for role, members in v.iam : { + tag = k role = role members = members } - ] if roles != null + ] ]) } diff --git a/modules/data-catalog-policy-tag/main.tf b/modules/data-catalog-policy-tag/main.tf index 02572bf29..0ccd9235f 100644 --- a/modules/data-catalog-policy-tag/main.tf +++ b/modules/data-catalog-policy-tag/main.tf @@ -33,9 +33,11 @@ resource "google_data_catalog_taxonomy" "default" { } resource "google_data_catalog_policy_tag" "default" { - for_each = toset(keys(var.tags)) + for_each = var.tags provider = google-beta taxonomy = google_data_catalog_taxonomy.default.id display_name = each.key - description = "${each.key} - Terraform managed. " + description = coalesce( + each.value.description, "${each.key} - Terraform managed." + ) } diff --git a/modules/data-catalog-policy-tag/variables.tf b/modules/data-catalog-policy-tag/variables.tf index 2342e9474..70ba24bfc 100644 --- a/modules/data-catalog-policy-tag/variables.tf +++ b/modules/data-catalog-policy-tag/variables.tf 
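Review bot: `coalesce(each.value.description, "${each.key} - Terraform managed.")` in the policy-tag resource treats an empty string the same as null, so a caller who sets `description = ""` to blank out the text still gets the generated default; if null is the only sentinel intended, `description = each.value.description != null ? each.value.description : "${each.key} - Terraform managed."` says that exactly, and either way the `tags` variable description should state the fallback. The default string also drops the trailing space the old `"${each.key} - Terraform managed. "` had, so existing tags will see a one-time description update on the next plan; that should be an in-place change rather than a replacement, but it is worth confirming since these tags carry IAM bindings. The switch from `toset(keys(var.tags))` to `for_each = var.tags` keeps the same resource keys, so no `moved` blocks should be needed.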
@@ -77,7 +77,10 @@ variable "project_id" {
 
 variable "tags" {
   description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format."
-  type = map(map(list(string)))
-  nullable = false
-  default = {}
+  type = map(object({
+    description = optional(string)
+    iam = optional(map(list(string)), {})
+  }))
+  nullable = false
+  default = {}
 }
diff --git a/modules/logging-bucket/README.md b/modules/logging-bucket/README.md
index 9923a7e3c..8ace8a103 100644
--- a/modules/logging-bucket/README.md
+++ b/modules/logging-bucket/README.md
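Review bot: This is the source of truth the three blueprints copy from, and its `description` is left describing the old `{tag => {ROLE => [MEMBERS]}}` shape while the new type nests the bindings under `iam` beside an optional `description`; the README table and the `iam.tf` locals in this commit both assume the new layout. Suggest `description = "Data Catalog policy tags to create, keyed by tag name, each with an optional description and optional IAM bindings in {ROLE => [MEMBERS]} format."`, which also fixes the `binging` typo. Because the `iam` values are turned into bindings that grant fine-grained read access on tagged columns, it would also be worth noting in the description that these are per-tag grants, distinct from the taxonomy-level `iam` variable shown in the README example.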
@@ -74,24 +74,22 @@ module "bucket-billing-account" { # tftest modules=2 resources=2 inventory=org-ba.yaml ``` - ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| | [id](variables.tf#L23) | Name of the logging bucket. | string | ✓ | | -| [parent](variables.tf#L50) | ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | string | ✓ | | -| [parent_type](variables.tf#L55) | Parent object type for the bucket (project, folder, organization, billing_account). | string | ✓ | | +| [parent](variables.tf#L51) | ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | string | ✓ | | +| [parent_type](variables.tf#L56) | Parent object type for the bucket (project, folder, organization, billing_account). | string | ✓ | | | [description](variables.tf#L17) | Human-readable description for the logging bucket. | string | | null | | [kms_key_name](variables.tf#L28) | To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key. | string | | null | | [location](variables.tf#L34) | Location of the bucket. | string | | "global" | -| [log_analytics](variables.tf#L40) | Enable and configure Analytics Log. | object({…}) | | {} | -| [retention](variables.tf#L60) | Retention time in days for the logging bucket. | number | | 30 | +| [log_analytics](variables.tf#L40) | Enable and configure Analytics Log. | object({…}) | | {} | +| [retention](variables.tf#L61) | Retention time in days for the logging bucket. | number | | 30 | ## Outputs | name | description | sensitive | |---|---|:---:| | [id](outputs.tf#L17) | Fully qualified logging bucket id. | | - 
diff --git a/modules/logging-bucket/main.tf b/modules/logging-bucket/main.tf index f534af5c3..697eb4306 100644 --- a/modules/logging-bucket/main.tf +++ b/modules/logging-bucket/main.tf @@ -46,7 +46,7 @@ resource "google_logging_linked_dataset" "dataset" { parent = "projects/${google_logging_project_bucket_config.bucket[0].project}" bucket = google_logging_project_bucket_config.bucket[0].id location = var.location - description = "Log Analytics Dataset" + description = var.log_analytics.description } resource "google_logging_organization_bucket_config" "bucket" { diff --git a/modules/logging-bucket/variables.tf b/modules/logging-bucket/variables.tf index fcd318436..1720ac405 100644 --- a/modules/logging-bucket/variables.tf +++ b/modules/logging-bucket/variables.tf @@ -42,6 +42,7 @@ variable "log_analytics" { type = object({ enable = optional(bool, false) dataset_link_id = optional(string) + description = optional(string, "Log Analytics Dataset") }) nullable = false default = {} diff --git a/modules/net-address/README.md b/modules/net-address/README.md index d8d448244..9f122352b 100644 --- a/modules/net-address/README.md +++ b/modules/net-address/README.md @@ -11,8 +11,8 @@ module "addresses" { source = "./fabric/modules/net-address" project_id = var.project_id external_addresses = { - one = "europe-west1" - two = "europe-west2" + one = { region = "europe-west1" } + two = { region = "europe-west2" } } global_addresses = ["app-1", "app-2"] } 
@@ -106,13 +106,13 @@ module "addresses" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [project_id](variables.tf#L67) | Project where the addresses will be created. | string | ✓ | | -| [external_addresses](variables.tf#L17) | Map of external address regions, keyed by name. | map(string) | | {} | -| [global_addresses](variables.tf#L29) | List of global addresses to create. | list(string) | | [] | -| [internal_addresses](variables.tf#L35) | Map of internal addresses to create, keyed by name. | map(object({…})) | | {} | -| [ipsec_interconnect_addresses](variables.tf#L49) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | map(object({…})) | | {} | -| [psa_addresses](variables.tf#L72) | Map of internal addresses used for Private Service Access. | map(object({…})) | | {} | -| [psc_addresses](variables.tf#L83) | Map of internal addresses used for Private Service Connect. | map(object({…})) | | {} | +| [project_id](variables.tf#L65) | Project where the addresses will be created. | string | ✓ | | +| [external_addresses](variables.tf#L17) | Map of external addresses, keyed by name. | map(object({…})) | | {} | +| [global_addresses](variables.tf#L27) | List of global addresses to create. | list(string) | | [] | +| [internal_addresses](variables.tf#L33) | Map of internal addresses to create, keyed by name. | map(object({…})) | | {} | +| [ipsec_interconnect_addresses](variables.tf#L47) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | map(object({…})) | | {} | +| [psa_addresses](variables.tf#L70) | Map of internal addresses used for Private Service Access. | map(object({…})) | | {} | +| [psc_addresses](variables.tf#L81) | Map of internal addresses used for Private Service Connect. | map(object({…})) | | {} | ## Outputs diff --git a/modules/net-address/main.tf b/modules/net-address/main.tf index 46705d703..b09ba231a 100644 --- a/modules/net-address/main.tf +++ b/modules/net-address/main.tf 
@@ -21,13 +21,14 @@ resource "google_compute_global_address" "global" {
 }
 resource "google_compute_address" "external" {
+ provider = google-beta
 for_each = var.external_addresses
 project = var.project_id
 name = each.key
- description = "Terraform managed."
+ description = each.value.description
 address_type = "EXTERNAL"
- region = each.value
- # labels = lookup(var.external_address_labels, each.key, {})
+ region = each.value.region
+ labels = each.value.labels
 }
 resource "google_compute_address" "internal" {
diff --git a/modules/net-address/variables.tf b/modules/net-address/variables.tf
index 87b9fc7d7..ebcfa5b66 100644
--- a/modules/net-address/variables.tf
+++ b/modules/net-address/variables.tf
@@ -15,17 +15,15 @@
 */
 variable "external_addresses" {
- description = "Map of external address regions, keyed by name."
- type = map(string)
- default = {}
+ description = "Map of external addresses, keyed by name."
+ type = map(object({
+ region = string
+ description = optional(string, "Terraform managed.")
+ labels = optional(map(string), {})
+ }))
+ default = {}
 }
-# variable "external_address_labels" {
-# description = "Optional labels for external addresses, keyed by address name."
-# type = map(map(string))
-# default = {}
-# }
-
 variable "global_addresses" {
 description = "List of global addresses to create."
 type = list(string)
@@ -88,4 +86,4 @@ variable "psc_addresses" {
 description = optional(string, "Terraform managed.")
 }))
 default = {}
-}
\ No newline at end of file
+}
diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index 19b56ac8c..64342ad33 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -2,6 +2,13 @@
 Simple Cloud NAT management, with optional router creation.
+
+- [Basic Example](#basic-example)
+- [Reserved IPs and custom rules](#reserved-ips-and-custom-rules)
+- [Variables](#variables)
+- [Outputs](#outputs)
+
+
 ## Basic Example
 ```hcl
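Review bot: The new `provider = google-beta` line on `google_compute_address.external` comes without a comment, so a reader cannot tell why this one resource needs the beta provider while the `global` and `internal` address resources around it presumably stay on `google`. The likely reason is the newly wired `labels = each.value.labels` attribute, which I believe is only exposed for this resource type by the beta provider, but that should be stated in place, e.g. `# google-beta is needed for the labels attribute on google_compute_address`. This also makes a configured `google-beta` provider a new requirement for every consumer of the module, which the README changed in this commit does not mention. The resource block is fully inside the hunk.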
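Review bot: The new `external_addresses` description, `"Map of external addresses, keyed by name."`, no longer tells callers what each entry must contain now that the type changed from `map(string)` to an object with a required `region`; callers still passing plain region strings will fail type-checking with no hint in the generated variables table. Consider `description = "Map of external addresses, keyed by name. Each value requires a region; description and labels are optional."` so the contract is visible without reading the type block. The README examples updated in this commit show the new shape, but the variables table only carries this sentence.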
@@ -15,16 +22,16 @@ module "nat" {
 # tftest modules=1 resources=2
 ```
-# Reserved IPs and custom rules
+## Reserved IPs and custom rules
 ```hcl
 module "addresses" {
 source = "./fabric/modules/net-address"
 project_id = "my-project"
 external_addresses = {
- a1 = "europe-west1"
- a2 = "europe-west1"
- a3 = "europe-west1"
+ a1 = { region = "europe-west1" }
+ a2 = { region = "europe-west1" }
+ a3 = { region = "europe-west1" }
 }
 }
diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md
index b22a48181..d2769cd05 100644
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@@ -125,20 +125,19 @@ module "vpn_ha" {
 # tftest modules=1 resources=10
 ```
-
 ## Variables
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [name](variables.tf#L17) | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | string | ✓ | |
 | [network](variables.tf#L22) | VPC used for the gateway and routes. | string | ✓ | |
-| [project_id](variables.tf#L46) | Project where resources will be created. | string | ✓ | |
-| [region](variables.tf#L51) | Region used for resources. | string | ✓ | |
-| [router_config](variables.tf#L56) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
-| [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | map(object({…})) | | {} |
-| [tunnels](variables.tf#L71) | VPN tunnel configurations. | map(object({…})) | | {} |
-| [vpn_gateway](variables.tf#L99) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | string | | null |
-| [vpn_gateway_create](variables.tf#L105) | Create HA VPN Gateway. | bool | | true |
+| [project_id](variables.tf#L47) | Project where resources will be created. | string | ✓ | |
+| [region](variables.tf#L52) | Region used for resources. | string | ✓ | |
+| [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
+| [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | map(object({…})) | | {} |
+| [tunnels](variables.tf#L72) | VPN tunnel configurations. | map(object({…})) | | {} |
+| [vpn_gateway](variables.tf#L100) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | string | | null |
+| [vpn_gateway_create](variables.tf#L106) | Create HA VPN Gateway. Set to null to avoid creation. | object({…}) | | {} |
 ## Outputs
@@ -156,5 +155,4 @@ module "vpn_ha" {
 | [tunnel_names](outputs.tf#L67) | VPN tunnel names. | |
 | [tunnel_self_links](outputs.tf#L75) | VPN tunnel self links. | |
 | [tunnels](outputs.tf#L83) | VPN tunnel resources. | |
-
diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf
index 31bc0ddc9..d1a555ece 100644
--- a/modules/net-vpn-ha/main.tf
+++ b/modules/net-vpn-ha/main.tf
@@ -28,7 +28,7 @@ locals {
 : var.router_config.name
 )
 vpn_gateway = (
- var.vpn_gateway_create
+ var.vpn_gateway_create != null
 ? try(google_compute_ha_vpn_gateway.ha_gateway[0].self_link, null)
 : var.vpn_gateway
 )
@@ -36,7 +36,7 @@ locals {
 }
 resource "google_compute_ha_vpn_gateway" "ha_gateway" {
- count = var.vpn_gateway_create ? 1 : 0
+ count = var.vpn_gateway_create != null ? 1 : 0
 name = var.name
 project = var.project_id
 region = var.region
@@ -48,7 +48,7 @@ resource "google_compute_external_vpn_gateway" "external_gateway" {
 name = "${var.name}-${each.key}"
 project = var.project_id
 redundancy_type = each.value.redundancy_type
- description = "Terraform managed external VPN gateway"
+ description = each.value.description
 dynamic "interface" {
 for_each = each.value.interfaces
 content {
diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf
index b12c4cdca..50a123a76 100644
--- a/modules/net-vpn-ha/variables.tf
+++ b/modules/net-vpn-ha/variables.tf
@@ -30,6 +30,7 @@ variable "peer_gateways" {
 external = optional(object({
 redundancy_type = string
 interfaces = list(string)
+ description = optional(string, "Terraform managed external VPN gateway")
 }))
 gcp = optional(string)
 }))
@@ -103,7 +104,9 @@ variable "vpn_gateway" {
 }
 variable "vpn_gateway_create" {
- description = "Create HA VPN Gateway."
- type = bool
- default = true
+ description = "Create HA VPN Gateway. Set to null to avoid creation."
+ type = object({
+ description = optional(string, "Terraform managed external VPN gateway")
+ })
+ default = {}
 }
diff --git a/modules/net-vpn-static/README.md b/modules/net-vpn-static/README.md
index 64840740e..902fc1e46 100644
--- a/modules/net-vpn-static/README.md
+++ b/modules/net-vpn-static/README.md
@@ -7,7 +7,7 @@ module "addresses" {
 source = "./fabric/modules/net-address"
 project_id = var.project_id
 external_addresses = {
- vpn = "europe-west1"
+ vpn = { region = "europe-west1" }
 }
 }
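Review bot: The new `vpn_gateway_create.description` attribute defaults to `"Terraform managed external VPN gateway"`, which is the text of the external-gateway default added to `peer_gateways` in the same commit, yet this variable drives `google_compute_ha_vpn_gateway.ha_gateway`; the default should describe that resource instead, e.g. `description = optional(string, "Terraform managed HA VPN gateway")`. The `ha_gateway` hunk in main.tf only switches `count` to the `!= null` test and does not show `var.vpn_gateway_create.description` being passed to the resource, so unless the description attribute is set in the part of that resource outside the hunk, the new field is never read and should be wired in or dropped. Changing the type from `bool` to `object` also means callers that set `vpn_gateway_create = false` must now pass `null`; the description states this, but the README's variables table would be the natural place for a one-line migration note.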