diff --git a/modules/project/README.md b/modules/project/README.md
index eb7b37aa5..ce194ecb8 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -1621,8 +1621,8 @@ alerts:
| [skip_delete](variables.tf#L240) | Deprecated. Use deletion_policy. | bool | | null |
| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | map(string) | | null |
| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
-| [universe](variables.tf#L252) | GCP universe where deploy the project. This will be prepended to the project id. | string | | "" |
-| [vpc_sc](variables.tf#L259) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
+| [universe](variables.tf#L252) | GCP universe where to deploy the project. The prefix will be prepended to the project id. | object({…}) | | null |
+| [vpc_sc](variables.tf#L261) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
## Outputs
@@ -1643,7 +1643,7 @@ alerts:
| [quota_configs](outputs.tf#L144) | Quota configurations. | |
| [quotas](outputs.tf#L155) | Quota resources. | |
| [service_agents](outputs.tf#L160) | List of all (active) service agents for this project. | |
-| [services](outputs.tf#L169) | Service APIs to enabled in the project. | |
+| [services](outputs.tf#L169) | Service APIs to enable in the project. | |
| [sink_writer_identities](outputs.tf#L178) | Writer identities created for each sink. | |
| [tag_keys](outputs.tf#L185) | Tag key resources. | |
| [tag_values](outputs.tf#L194) | Tag value resources. | |
diff --git a/modules/project/main.tf b/modules/project/main.tf
index fa22a75bc..8cf3106e9 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -26,7 +26,7 @@ locals {
parent_type = var.parent == null ? null : split("/", var.parent)[0]
parent_id = var.parent == null ? null : split("/", var.parent)[1]
prefix = var.prefix == null ? "" : "${var.prefix}-"
- project_id = "${local.universe}${local.prefix}${var.name}"
+ project_id = "${local.universe_prefix}${local.prefix}${var.name}"
project = (
var.project_create ?
{
@@ -40,7 +40,8 @@ locals {
name = try(data.google_project.project[0].name, null)
}
)
- universe = var.universe == "" ? "" : "${var.universe}:"
+ universe_prefix = var.universe == null ? "" : "${var.universe.prefix}:"
+ available_services = tolist(setsubtract(var.services, try(var.universe.unavailable_services, [])))
}
data "google_project" "project" {
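Review bot: `available_services` silently drops every requested API that also appears in `universe.unavailable_services`, and nothing in the plan or outputs tells the caller which ones were removed. The effect is largest in the `google_compute_project_metadata_item` hunk further down, where all of `var.compute_metadata` (which may carry security-relevant keys such as OS Login settings) is skipped without an error once `compute.googleapis.com` is filtered out. Consider surfacing the skipped set, for example a local `skipped_services = setintersection(var.services, try(var.universe.unavailable_services, []))` exposed as an output or reported from a `check` block. The `tolist(...)` here is undone by `toset(...)` at the `for_each`, and because the value comes from a set its order no longer follows `var.services`. The `locals` block starts outside this hunk.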
@@ -68,7 +69,7 @@ resource "google_project" "project" {
}
resource "google_project_service" "project_services" {
- for_each = toset(var.services)
+ for_each = toset(local.available_services)
project = local.project.project_id
service = each.value
disable_on_destroy = var.service_config.disable_on_destroy
@@ -78,7 +79,7 @@ resource "google_project_service" "project_services" {
resource "google_compute_project_metadata_item" "default" {
for_each = (
- contains(var.services, "compute.googleapis.com") ? var.compute_metadata : {}
+ contains(local.available_services, "compute.googleapis.com") ? var.compute_metadata : {}
)
project = local.project.project_id
key = each.key
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index 6946164ff..635518eb9 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -167,8 +167,8 @@ output "service_agents" {
}
output "services" {
- description = "Service APIs to enabled in the project."
- value = var.services
+ description = "Service APIs to enable in the project."
+ value = local.available_services
depends_on = [
google_project_service.project_services,
google_project_service_identity.default,
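Review bot: The `services` output description does not say that the value is now the filtered list, so a consumer that used to read back exactly what it passed in `var.services` gets a shorter list (and, since it is derived from a set, possibly a re-ordered one) with no hint why. Suggest `description = "Service APIs enabled in the project, excluding any listed in universe.unavailable_services."`. The `depends_on` list continues outside the hunk.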
diff --git a/modules/project/service-agents.tf b/modules/project/service-agents.tf
index 00ca3cb49..0dee2b2ad 100644
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,7 +18,7 @@
locals {
services = distinct(concat(
- var.services, var.service_agents_config.services_enabled
+ local.available_services, var.service_agents_config.services_enabled
))
_service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
# map of api => list of agents
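Review bot: `var.service_agents_config.services_enabled` is concatenated without going through the same filter, so an API listed in `universe.unavailable_services` can re-enter `local.services` through that path. If that is not intended, subtract after the concat: `services = tolist(setsubtract(concat(var.services, var.service_agents_config.services_enabled), try(var.universe.unavailable_services, [])))`. How `local.services` is consumed is not visible in this hunk, so confirm whether service agents or their role grants would still be set up for an unavailable API. A one-line comment stating the intended behaviour either way would help; the `locals` block continues past the hunk.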
@@ -33,7 +33,7 @@ locals {
(agent.name) => merge(agent, {
email = format(agent.identity, local.project.number)
iam_email = "serviceAccount:${format(agent.identity, local.project.number)}"
- create_jit = api == "cloudservices" || contains(var.services, api)
+ create_jit = api == "cloudservices" || contains(local.available_services, api)
})
}
]...)
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index 6dee667ad..0342a58db 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -250,10 +250,12 @@ variable "skip_delete" {
}
variable "universe" {
- description = "GCP universe where deploy the project. This will be prepended to the project id."
- type = string
- default = ""
- nullable = false
+ description = "GCP universe where to deploy the project. The prefix will be prepended to the project id."
+ type = object({
+ prefix = string
+ unavailable_services = optional(list(string), [])
+ })
+ default = null
}
variable "vpc_sc" {
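Review bot: `universe.prefix` is accepted without validation, so `prefix = ""` yields a project id that starts with a bare `:` through `"${var.universe.prefix}:"` in main.tf, and the mistake would presumably only surface when the API rejects it. Add a `validation` block with `condition = var.universe == null ? true : var.universe.prefix != ""` and a matching `error_message`. The type change from `string` to `object` also breaks existing callers that pass `universe = "alpha"`, which deserves a line in the upgrade notes.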
diff --git a/tests/modules/project/universe.tfvars b/tests/modules/project/universe.tfvars
index ae61d499c..48524f3bd 100644
--- a/tests/modules/project/universe.tfvars
+++ b/tests/modules/project/universe.tfvars
@@ -1,2 +1,13 @@
-prefix = "foo"
-universe = "alpha"
+prefix = "foo"
+universe = {
+ prefix = "alpha"
+ unavailable_services = [
+ "xxx.googleapis.com",
+ "yyy.googleapis.com"
+ ]
+}
+services = [
+ "aaa.googleapis.com",
+ "bbb.googleapis.com",
+ "xxx.googleapis.com"
+]
diff --git a/tests/modules/project/universe.yaml b/tests/modules/project/universe.yaml
index 5f0c8c840..c35fac01b 100644
--- a/tests/modules/project/universe.yaml
+++ b/tests/modules/project/universe.yaml
@@ -16,11 +16,22 @@ values:
google_project.project[0]:
name: foo-my-project
project_id: alpha:foo-my-project
+ google_project_service.project_services["aaa.googleapis.com"]:
+ project: alpha:foo-my-project
+ service: aaa.googleapis.com
+ google_project_service.project_services["bbb.googleapis.com"]:
+ project: alpha:foo-my-project
+ service: bbb.googleapis.com
counts:
google_project: 1
+ google_project_service: 2
+ resources: 3
outputs:
id: alpha:foo-my-project
name: foo-my-project
project_id: foo-my-project
+ services:
+ - aaa.googleapis.com
+ - bbb.googleapis.com