Allow any VPC for (secure) network_tags (#3634)
* feat: allow all for VPC networks * feat: add examples * feat: add header * feat: module test * fix: update network testing data to pass validation --------- Co-authored-by: Julio Castillo <jccb@google.com>
This commit is contained in:
Eric Zhao
@@ -1107,6 +1107,40 @@ module "project" {
|
||||
# tftest modules=1 resources=8 inventory=tags-network.yaml
|
||||
```
|
||||
|
||||
If you want to create a Tag Key with `GCE_FIREWALL` purpose that is valid for the whole organization (allowing the binding on any network within it), use `"ALL"` as the network value:
|
||||
|
||||
```hcl
|
||||
module "project" {
|
||||
source = "./fabric/modules/project"
|
||||
billing_account = var.billing_account_id
|
||||
name = "project"
|
||||
prefix = var.prefix
|
||||
parent = var.folder_id
|
||||
services = [
|
||||
"compute.googleapis.com"
|
||||
]
|
||||
network_tags = {
|
||||
net-environment = {
|
||||
description = "This is a network tag."
|
||||
network = "ALL"
|
||||
iam = {
|
||||
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
|
||||
}
|
||||
values = {
|
||||
dev = {}
|
||||
prod = {
|
||||
description = "Environment: production."
|
||||
iam = {
|
||||
"roles/resourcemanager.tagUser" = ["group:${var.group_email}"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=8 inventory=tags-network-all.yaml
|
||||
```
|
||||
|
||||
### Tags Factory
|
||||
|
||||
Tags can also be specified via a factory in a similar way to organization policies and policy constraints. Each file is mapped to tag key, where
|
||||
@@ -2133,7 +2167,7 @@ module "project" {
|
||||
| [logging_metrics](variables-observability.tf#L145) | Log-based metrics. | <code title="map(object({ filter = string bucket_name = optional(string) description = optional(string) disabled = optional(bool) label_extractors = optional(map(string)) value_extractor = optional(string) bucket_options = optional(object({ explicit_buckets = optional(object({ bounds = list(number) })) exponential_buckets = optional(object({ num_finite_buckets = number growth_factor = number scale = number })) linear_buckets = optional(object({ num_finite_buckets = number width = number offset = number })) })) metric_descriptor = optional(object({ metric_kind = string value_type = string display_name = optional(string) unit = optional(string) labels = optional(list(object({ key = string description = optional(string) value_type = optional(string) })), []) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables-observability.tf#L185) | Logging sinks to create for this project. | <code title="map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) type = string unique_writer = optional(bool, true) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [metric_scopes](variables-observability.tf#L216) | List of projects that will act as metric scopes for this project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ id = optional(string) description = optional(string, "Managed by the Terraform project module.") network = string # project_id/vpc_name iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform project module.") id = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ id = optional(string) description = optional(string, "Managed by the Terraform project module.") network = string # project_id/vpc_name or "ALL" to toggle GCE_FIREWALL purpose iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform project module.") id = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [notification_channels](variables-observability.tf#L223) | Monitoring notification channels. | <code title="map(object({ type = string description = optional(string) display_name = optional(string) enabled = optional(bool) labels = optional(map(string)) user_labels = optional(map(string)) sensitive_labels = optional(object({ auth_token = optional(string) password = optional(string) service_key = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L205) | Organization policies applied to this project keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [pam_entitlements](variables-pam.tf#L17) | Privileged Access Manager entitlements for this resource, keyed by entitlement ID. | <code title="map(object({ max_request_duration = string eligible_users = list(string) privileged_access = list(object({ role = string condition = optional(string) })) requester_justification_config = optional(object({ not_mandatory = optional(bool, true) unstructured = optional(bool, false) }), { not_mandatory = false, unstructured = true }) manual_approvals = optional(object({ require_approver_justification = bool steps = list(object({ approvers = list(string) approvals_needed = optional(number, 1) approver_email_recipients = optional(list(string)) })) })) additional_notification_targets = optional(object({ admin_email_recipients = optional(list(string)) requester_email_recipients = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
@@ -2149,9 +2183,9 @@ module "project" {
|
||||
| [shared_vpc_host_config](variables.tf#L313) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
||||
| [shared_vpc_service_config](variables.tf#L323) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ host_project = string iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) network_users = optional(list(string), []) service_agent_iam = optional(map(list(string)), {}) service_agent_subnet_iam = optional(map(list(string)), {}) service_iam_grants = optional(list(string), []) network_subnet_users = optional(map(list(string)), {}) })">object({…})</code> | | <code title="{ host_project = null }">{…}</code> |
|
||||
| [skip_delete](variables.tf#L360) | Deprecated. Use deletion_policy. | <code>bool</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables-tags.tf#L82) | Tag bindings for this project, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables-tags.tf#L89) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ id = optional(string) description = optional(string, "Managed by the Terraform project module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) values = optional(map(object({ id = optional(string) description = optional(string, "Managed by the Terraform project module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tags_config](variables-tags.tf#L154) | Fine-grained control on tag resource and IAM creation. | <code title="object({ force_context_ids = optional(bool, false) ignore_iam = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables-tags.tf#L89) | Tag bindings for this project, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables-tags.tf#L96) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ id = optional(string) description = optional(string, "Managed by the Terraform project module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) values = optional(map(object({ id = optional(string) description = optional(string, "Managed by the Terraform project module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tags_config](variables-tags.tf#L161) | Fine-grained control on tag resource and IAM creation. | <code title="object({ force_context_ids = optional(bool, false) ignore_iam = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [universe](variables.tf#L372) | GCP universe where to deploy the project. The prefix will be prepended to the project id. | <code title="object({ prefix = string forced_jit_service_identities = optional(list(string), []) unavailable_services = optional(list(string), []) unavailable_service_identities = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
||||
| [vpc_sc](variables.tf#L383) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | <code title="object({ perimeter_name = string is_dry_run = optional(bool, false) })">object({…})</code> | | <code>null</code> |
|
||||
| [workload_identity_pools](variables-identity-providers.tf#L17) | Workload Identity Federation pools and providers. | <code title="map(object({ display_name = optional(string) description = optional(string) disabled = optional(bool) providers = optional(map(object({ description = optional(string) display_name = optional(string) attribute_condition = optional(string) attribute_mapping = optional(map(string), {}) disabled = optional(bool, false) identity_provider = object({ aws = optional(object({ account_id = string })) oidc = optional(object({ allowed_audiences = optional(list(string), []) issuer_uri = optional(string) jwks_json = optional(string) template = optional(string) })) saml = optional(object({ idp_metadata_xml = string })) }) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
Reference in New Issue
Block a user