diff --git a/blueprints/factories/project-factory/README.md b/blueprints/factories/project-factory/README.md index 3a1219b2f..d2d07c43d 100644 --- a/blueprints/factories/project-factory/README.md +++ b/blueprints/factories/project-factory/README.md @@ -59,7 +59,7 @@ module "project-factory" { data_path = "data" } } -# tftest modules=6 resources=15 files=prj-app-1,prj-app-2 +# tftest modules=6 resources=17 files=prj-app-1,prj-app-2 ``` ```yaml @@ -74,8 +74,12 @@ service_encryption_key_ids: services: - storage.googleapis.com service_accounts: - app-1-be: {} - app-1-fe: {} + app-1-be: + iam_project_roles: + - roles/logging.logWriter + - roles/monitoring.metricWriter + app-1-fe: + display_name: "Test app 1 frontend." # tftest-file id=prj-app-1 path=data/prj-app-1.yaml ``` 
@@ -104,10 +108,10 @@ shared_vpc_service_config: | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [factory_data](variables.tf#L85) | Project data from either YAML files or externally parsed data. | object({…}) | ✓ | | -| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} | -| [data_merges](variables.tf#L45) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} | -| [data_overrides](variables.tf#L64) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} | +| [factory_data](variables.tf#L88) | Project data from either YAML files or externally parsed data. | object({…}) | ✓ | | +| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} | +| [data_merges](variables.tf#L46) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} | +| [data_overrides](variables.tf#L66) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} | ## Outputs diff --git a/blueprints/factories/project-factory/factory.tf b/blueprints/factories/project-factory/factory.tf index d966d6d80..e0351a0aa 100644 --- a/blueprints/factories/project-factory/factory.tf +++ b/blueprints/factories/project-factory/factory.tf 
@@ -101,9 +101,10 @@ locals {
   service_accounts = flatten([
     for k, v in local.projects : [
       for name, opts in v.service_accounts : {
-        project = k
-        name = name
-        options = opts
+        project = k
+        name = name
+        display_name = try(opts.display_name, "Terraform-managed.")
+        iam_project_roles = try(opts.iam_project_roles, null)
       }
     ]
   ])
diff --git a/blueprints/factories/project-factory/main.tf b/blueprints/factories/project-factory/main.tf
index eb8833a47..81f1d3165 100644
--- a/blueprints/factories/project-factory/main.tf
+++ b/blueprints/factories/project-factory/main.tf
@@ -69,16 +69,10 @@ module "service-accounts" {
   for_each = {
     for k in local.service_accounts : "${k.project}-${k.name}" => k
   }
-  name = each.value.name
-  project_id = module.projects[each.value.project].project_id
-  iam_project_roles = (
-    try(each.value.options.default_roles, null) == null
-    ? {}
-    : {
-      (module.projects[each.value.project].project_id) = [
-        "roles/logging.logWriter",
-        "roles/monitoring.metricWriter"
-      ]
-    }
-  )
+  project_id = module.projects[each.value.project].project_id
+  name = each.value.name
+  display_name = each.value.display_name
+  iam_project_roles = each.value.iam_project_roles == null ? {} : {
+    (module.projects[each.value.project].project_id) = each.value.iam_project_roles
+  }
 }
diff --git a/blueprints/factories/project-factory/variables.tf b/blueprints/factories/project-factory/variables.tf
index d71764740..55578562f 100644
--- a/blueprints/factories/project-factory/variables.tf
+++ b/blueprints/factories/project-factory/variables.tf
@@ -35,7 +35,8 @@ variable "data_defaults" {
     tag_bindings = optional(map(string), {})
     # non-project resources
     service_accounts = optional(map(object({
-      default_roles = optional(bool, true)
+      display_name = optional(string, "Terraform-managed.")
+      iam_project_roles = optional(list(string))
     })), {})
   })
   nullable = false
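Review bot: A service account entry that still carries the old `default_roles: true` key in a YAML data file is now mapped silently to `iam_project_roles = null` by the new `try(opts.iam_project_roles, null)` line, so the logging and monitoring roles it used to receive vanish without any error or plan-time warning. The typed variables in variables.tf would reject the stale key for defaults/merges/overrides, but data loaded through `factory_data` presumably reaches this local untyped, so YAML users are the ones affected — worth confirming. A comment above the `display_name` line such as `# default_roles is no longer honoured; list roles explicitly in iam_project_roles` plus a line in the README would make the migration visible. The enclosing `locals` block starts and ends outside the hunk.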
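Review bot: The roles are bound only on the service account's own project, because the new map is keyed on `module.projects[each.value.project].project_id`, and that is not obvious from a data file where `iam_project_roles` is a bare list of role names. A comment on the `iam_project_roles` line, e.g. `# roles are granted on the SA's home project only; cross-project grants are out of scope here`, would document the contract for people editing the YAML. Otherwise the hunk is a straightforward replacement of the fixed logWriter/metricWriter pair with caller-supplied roles. The `module "service-accounts"` block starts outside the hunk.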
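Review bot: The literal `"Terraform-managed."` is now the `display_name` default here, in the `data_merges` and `data_overrides` hunks of the same file, and in the `try()` fallback in factory.tf; four copies of one string will drift. Type defaults cannot reference locals, so either the factory.tf fallback should be dropped in favour of the typed default (only if `factory_data` is typed the same way, which is not in view) or a comment such as `# keep in sync with data_merges, data_overrides and factory.tf` should mark the canonical value. `iam_project_roles` accepts any string; a `validation` block is probably too restrictive given custom roles, but the README should state that file data can grant arbitrary project-level roles to a service account. The `variable "data_defaults"` block starts and ends outside the hunk.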
@@ -54,7 +55,8 @@ variable "data_merges" { tag_bindings = optional(map(string), {}) # non-project resources service_accounts = optional(map(object({ - default_roles = optional(bool, true) + display_name = optional(string, "Terraform-managed.") + iam_project_roles = optional(list(string)) })), {}) }) nullable = false @@ -75,7 +77,8 @@ variable "data_overrides" { services = optional(list(string)) # non-project resources service_accounts = optional(map(object({ - default_roles = optional(bool, true) + display_name = optional(string, "Terraform-managed.") + iam_project_roles = optional(list(string)) }))) }) nullable = false diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md index 235f1ebc4..8198b100e 100644 --- a/modules/net-vpc-firewall/README.md +++ b/modules/net-vpc-firewall/README.md @@ -7,6 +7,19 @@ This module allows creation and management of different types of firewall rules The predefined rules are enabled by default and set to the ranges of the GCP health checkers for HTTP/HTTPS, and the IAP forwarders for SSH. See the relevant section below on how to configure or disable them. + +- [Examples](#examples) + - [Minimal open firewall](#minimal-open-firewall) + - [Custom rules](#custom-rules) + - [Controlling or turning off default rules](#controlling-or-turning-off-default-rules) + - [Overriding default tags and ranges](#overriding-default-tags-and-ranges) + - [Disabling predefined rules](#disabling-predefined-rules) + - [Including source & destination ranges](#including-source-destination-ranges) + - [Rules Factory](#rules-factory) +- [Variables](#variables) +- [Outputs](#outputs) + + ## Examples ### Minimal open firewall diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf index 5f7a95b54..f3faac9f0 100644 --- a/modules/net-vpc-firewall/main.tf +++ b/modules/net-vpc-firewall/main.tf 
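Review bot: In the `data_overrides` hunk the defaulted `display_name = optional(string, "Terraform-managed.")` means any service account listed under overrides without an explicit display name carries the default into the override layer; if overrides are applied attribute by attribute, that replaces a file-level display name with `"Terraform-managed."`, the same trap the removed `default_roles = optional(bool, true)` had. This depends on the merge logic in factory.tf, which is not in view — worth confirming. If it does clobber, declaring `display_name = optional(string)` with no default in this variable avoids it while `data_defaults` keeps the typed default. The `variable "data_overrides"` block starts and ends outside the hunk.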
@@ -97,7 +97,7 @@ resource "google_compute_firewall" "custom-rules" {
   source_ranges = (
     each.value.direction == "INGRESS"
     ? (
-      each.value.source_ranges == null
+      each.value.source_ranges == null && each.value.sources == null
       ? ["0.0.0.0/0"]
       : each.value.source_ranges
     )
diff --git a/tests/modules/net_vpc_firewall/examples/factory.yaml b/tests/modules/net_vpc_firewall/examples/factory.yaml
index 389fb52a2..73a095dd0 100644
--- a/tests/modules/net_vpc_firewall/examples/factory.yaml
+++ b/tests/modules/net_vpc_firewall/examples/factory.yaml
@@ -53,8 +53,6 @@ values:
     network: my-network
     priority: 1000
     project: my-project
-    source_ranges:
-    - 0.0.0.0/0
     source_service_accounts:
     - service-1@my-project.iam.gserviceaccount.com
     source_tags: null
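Review bot: The fallback to `["0.0.0.0/0"]` still fires whenever an ingress rule names neither ranges nor `sources`, so a rule with no source attributes remains open to any address by default; that predates this change, but the added `&& each.value.sources == null` makes the intent legible only to someone who knows what `sources` holds. A comment above the condition such as `# open to all sources only when neither ranges nor tag/SA sources are given` would make it readable. If `sources` can arrive as an empty list rather than null (its declaration is not in view), `== null` will not catch it and `length(coalesce(each.value.sources, [])) == 0` would be the safer test — worth confirming. The resource block starts and ends outside the hunk.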
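Review bot: The removed expectation pins the fix for a rule that has `source_service_accounts` and no ranges, which now plans without `source_ranges`; the complementary case, a rule with neither `source_ranges` nor `sources`, which must still plan as `0.0.0.0/0`, does not appear in this hunk. If it is not covered elsewhere in the fixture, adding a rule with no source attributes and an expected `source_ranges:` / `- 0.0.0.0/0` pair would guard the default against regressing in either direction. The `values:` block starts and ends outside the hunk.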