From c80af8de66fae18bef77625ace7e3a41e69429fc Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Sat, 25 May 2024 10:42:45 +0200 Subject: [PATCH] Extend support for tag bindings to more modules (#2307) * fix kms tag bindings * bigquery dataset * fix bigquery * cloud run * normalize variable type * rename gcs heading * kms example test * fix bigquery * fix cloud run * cloud run v2 --- modules/bigquery-dataset/README.md | 66 ++++++++++++--- modules/bigquery-dataset/tags.tf | 22 +++++ modules/bigquery-dataset/variables.tf | 7 ++ modules/cloud-run-v2/README.md | 111 ++++++++++++++++++-------- modules/cloud-run-v2/tags.tf | 24 ++++++ modules/cloud-run-v2/variables.tf | 7 ++ modules/cloud-run/README.md | 94 +++++++++++++++------- modules/cloud-run/tags.tf | 24 ++++++ modules/cloud-run/variables.tf | 7 ++ modules/gcs/README.md | 12 +-- modules/gcs/tags.tf | 2 +- modules/gcs/variables.tf | 3 +- modules/kms/README.md | 36 +++++++++ modules/kms/tags.tf | 2 +- modules/kms/variables.tf | 2 +- 15 files changed, 335 insertions(+), 84 deletions(-) create mode 100644 modules/bigquery-dataset/tags.tf create mode 100644 modules/cloud-run-v2/tags.tf create mode 100644 modules/cloud-run/tags.tf diff --git a/modules/bigquery-dataset/README.md b/modules/bigquery-dataset/README.md index c99c2ef96..c0f15289a 100644 --- a/modules/bigquery-dataset/README.md +++ b/modules/bigquery-dataset/README.md 
@@ -2,14 +2,19 @@ This module allows managing a single BigQuery dataset, including access configuration, tables and views. -## TODO + +- [Simple dataset with access configuration](#simple-dataset-with-access-configuration) +- [IAM roles](#iam-roles) +- [Authorized Views, Datasets, and Routines](#authorized-views-datasets-and-routines) +- [Dataset options](#dataset-options) +- [Tables and views](#tables-and-views) +- [Tag bindings](#tag-bindings) +- [TODO](#todo) +- [Variables](#variables) +- [Outputs](#outputs) + -- [ ] check for dynamic values in tables and views -- [ ] add support for external tables - -## Examples - -### Simple dataset with access configuration +## Simple dataset with access configuration Access configuration defaults to using the separate `google_bigquery_dataset_access` resource, so as to leave the default dataset access rules untouched. @@ -38,7 +43,7 @@ module "bigquery-dataset" { # tftest modules=1 resources=5 inventory=simple.yaml ``` -### IAM roles +## IAM roles Access configuration can also be specified via IAM instead of basic roles via the `iam` variable. When using IAM, basic roles cannot be used via the `access` family variables. @@ -54,7 +59,7 @@ module "bigquery-dataset" { # tftest modules=1 resources=2 inventory=iam.yaml ``` -### Authorized Views, Datasets, and Routines +## Authorized Views, Datasets, and Routines You can specify authorized [views](https://cloud.google.com/bigquery/docs/authorized-views), [datasets](https://cloud.google.com/bigquery/docs/authorized-datasets?hl=en), and [routines](https://cloud.google.com/bigquery/docs/authorized-routines) via the `authorized_views`, `authorized_datasets` and `authorized_routines` variables, respectively. 
@@ -168,7 +173,7 @@ module "bigquery-dataset" { # tftest modules=1 resources=4 inventory=authorized_resources_views.yaml ``` -### Dataset options +## Dataset options Dataset options are set via the `options` variable. all options must be specified, but a `null` value can be set to options that need to use defaults. @@ -187,7 +192,7 @@ module "bigquery-dataset" { # tftest modules=1 resources=1 inventory=options.yaml ``` -### Tables and views +## Tables and views Tables are created via the `tables` variable, or the `view` variable for views. Support for external tables will be added in a future release. @@ -275,6 +280,42 @@ module "bigquery-dataset" { # tftest modules=1 resources=3 inventory=views.yaml ``` + +## Tag bindings + +Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage. + +```hcl +module "org" { + source = "./fabric/modules/organization" + organization_id = var.organization_id + tags = { + environment = { + description = "Environment specification." + values = { + dev = {} + prod = {} + sandbox = {} + } + } + } +} + +module "bigquery-dataset" { + source = "./fabric/modules/bigquery-dataset" + project_id = "my-project" + id = "my_dataset" + tag_bindings = { + env-sandbox = module.org.tag_values["environment/sandbox"].id + } +} +# tftest modules=2 resources=6 +``` + +## TODO + +- [ ] check for dynamic values in tables and views +- [ ] add support for external tables ## Variables 
@@ -297,7 +338,8 @@ module "bigquery-dataset" {
 | [materialized_views](variables.tf#L115) | Materialized views definitions. | map(object({…})) | | {} |
 | [options](variables.tf#L148) | Dataset options. | object({…}) | | {} |
 | [tables](variables.tf#L167) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | map(object({…})) | | {} |
-| [views](variables.tf#L252) | View definitions. | map(object({…})) | | {} |
+| [tag_bindings](variables.tf#L252) | Tag bindings for this dataset, in key => tag value id format. | map(string) | | {} |
+| [views](variables.tf#L259) | View definitions. | map(object({…})) | | {} |
 
 ## Outputs
 
diff --git a/modules/bigquery-dataset/tags.tf b/modules/bigquery-dataset/tags.tf
new file mode 100644
index 000000000..55e9d33fe
--- /dev/null
+++ b/modules/bigquery-dataset/tags.tf
@@ -0,0 +1,22 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_tags_location_tag_binding" "binding" {
+ for_each = var.tag_bindings
+ parent = "//bigquery.googleapis.com/${google_bigquery_dataset.default.id}"
+ tag_value = each.value
+ location = var.location
+}
diff --git a/modules/bigquery-dataset/variables.tf b/modules/bigquery-dataset/variables.tf
index 5deb2d24c..2eaf308f1 100644
--- a/modules/bigquery-dataset/variables.tf
+++ b/modules/bigquery-dataset/variables.tf
@@ -249,6 +249,13 @@ variable "tables" {
 default = {}
 }
 
+variable "tag_bindings" {
+ description = "Tag bindings for this dataset, in key => tag value id format."
+ type = map(string)
+ nullable = false
+ default = {}
+}
+
 variable "views" {
 description = "View definitions."
 type = map(object({
diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
index d40fd4956..7218e9159 100644
--- a/modules/cloud-run-v2/README.md
+++ b/modules/cloud-run-v2/README.md
@@ -3,26 +3,24 @@ Cloud Run Services and Jobs, with support for IAM roles and Eventarc trigger creation. -- [Examples](#examples) - - [IAM and environment variables](#iam-and-environment-variables) - - [Mounting secrets as volumes](#mounting-secrets-as-volumes) - - [Beta features](#beta-features) - - [VPC Access Connector](#vpc-access-connector) - - [Using Customer-Managed Encryption Key](#using-customer-managed-encryption-key) - - [Eventarc triggers](#eventarc-triggers) - - [PubSub](#pubsub) - - [Audit logs](#audit-logs) - - [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers) - - [Cloud Run Service Account](#cloud-run-service-account) - - [Creating Cloud Run Jobs](#creating-cloud-run-jobs) +- [IAM and environment variables](#iam-and-environment-variables) +- [Mounting secrets as volumes](#mounting-secrets-as-volumes) +- [Beta features](#beta-features) +- [VPC Access Connector](#vpc-access-connector) +- [Using Customer-Managed Encryption Key](#using-customer-managed-encryption-key) +- [Eventarc triggers](#eventarc-triggers) + - [PubSub](#pubsub) + - [Audit logs](#audit-logs) + - [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers) +- [Cloud Run Service Account](#cloud-run-service-account) +- [Creating Cloud Run Jobs](#creating-cloud-run-jobs) +- [Tag bindings](#tag-bindings) - [Variables](#variables) - [Outputs](#outputs) - [Fixtures](#fixtures) -## Examples - -### IAM and environment variables +## IAM and environment variables IAM bindings support the usual syntax. Container environment values can be declared as key-value strings or as references to Secret Manager secrets. Both can be combined as long as there is no duplication of keys: @@ -54,7 +52,7 @@ module "cloud_run" { # tftest modules=2 resources=5 fixtures=fixtures/secret-credentials.tf inventory=service-iam-env.yaml e2e ``` -### Mounting secrets as volumes +## Mounting secrets as volumes ```hcl module "cloud_run" { 
@@ -83,7 +81,7 @@ module "cloud_run" { # tftest modules=2 resources=4 fixtures=fixtures/secret-credentials.tf inventory=service-volume-secretes.yaml e2e ``` -### Beta features +## Beta features To use beta features like Direct VPC Egress, set the launch stage to a preview stage. @@ -112,7 +110,7 @@ module "cloud_run" { # tftest modules=1 resources=1 inventory=service-beta-features.yaml ``` -### VPC Access Connector +## VPC Access Connector You can use an existing [VPC Access Connector](https://cloud.google.com/vpc/docs/serverless-vpc-access) to connect to a VPC from Cloud Run. @@ -186,7 +184,7 @@ module "cloud_run" { # tftest modules=4 resources=40 fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml e2e ``` -### Using Customer-Managed Encryption Key +## Using Customer-Managed Encryption Key Deploy a Cloud Run service with environment variables encrypted using a Customer-Managed Encryption Key (CMEK). Ensure you specify the encryption_key with the full resource identifier of your Cloud KMS CryptoKey and that Cloud Run Service agent (`service-@serverless-robot-prod.iam.gserviceaccount.com`) has permission to use the key, for example `roles/cloudkms.cryptoKeyEncrypterDecrypter` IAM role. This setup adds an extra layer of security by utilizing your own encryption keys. @@ -206,9 +204,9 @@ module "cloud_run" { # tftest modules=1 resources=2 fixtures=fixtures/cloud-run-kms-iam-grant.tf e2e ``` -### Eventarc triggers +## Eventarc triggers -#### PubSub +### PubSub This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics. @@ -232,7 +230,7 @@ module "cloud_run" { # tftest modules=2 resources=4 fixtures=fixtures/pubsub.tf inventory=service-eventarc-pubsub.yaml e2e ``` -#### Audit logs +### Audit logs This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs. 
@@ -260,7 +258,7 @@ module "cloud_run" { # tftest modules=1 resources=4 inventory=service-eventarc-auditlogs-sa-create.yaml ``` -#### Using custom service accounts for triggers +### Using custom service accounts for triggers By default `Compute default service account` is used to trigger Cloud Run. If you want to use custom Service Accounts you can either provide your own in `eventarc_triggers.service_account_email` or set `eventarc_triggers.service_account_create` to true and service account named `tf-cr-trigger-${var.name}` will be created with `roles/run.invoker` granted on this Cloud Run service. @@ -313,7 +311,7 @@ module "cloud_run" { # tftest modules=2 resources=6 fixtures=fixtures/pubsub.tf inventory=service-eventarc-pubsub-sa-create.yaml e2e ``` -### Cloud Run Service Account +## Cloud Run Service Account To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` (default). @@ -351,17 +349,19 @@ module "cloud_run" { # tftest modules=2 resources=2 fixtures=fixtures/iam-service-account.tf inventory=service-external-sa.yaml e2e ``` -### Creating Cloud Run Jobs +## Creating Cloud Run Jobs + To create a job instead of service set `create_job` to `true`. Jobs support all functions above apart from triggers. Unsupported variables / attributes: -* ingress -* revision.gen2_execution_environment (they run by default in gen2) -* revision.name -* containers.liveness_probe -* containers.startup_probe -* containers.resources.cpu_idle -* containers.resources.startup_cpu_boost + +- ingress +- revision.gen2_execution_environment (they run by default in gen2) +- revision.name +- containers.liveness_probe +- containers.startup_probe +- containers.resources.cpu_idle +- containers.resources.startup_cpu_boost ```hcl module "cloud_run" { 
@@ -386,6 +386,50 @@ module "cloud_run" { # tftest modules=1 resources=2 inventory=job-iam-env.yaml e2e ``` + +## Tag bindings + +Tag bindings are not yet supported for jobs. Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage. + +```hcl +module "org" { + source = "./fabric/modules/organization" + organization_id = var.organization_id + tags = { + environment = { + description = "Environment specification." + values = { + dev = {} + prod = {} + sandbox = {} + } + } + } +} + +module "cloud_run" { + source = "./fabric/modules/cloud-run-v2" + project_id = var.project_id + name = "hello" + region = var.region + containers = { + hello = { + image = "us-docker.pkg.dev/cloudrun/container/hello" + env = { + VAR1 = "VALUE1" + VAR2 = "VALUE2" + } + } + } + iam = { + "roles/run.invoker" = ["allUsers"] + } + tag_bindings = { + env-sandbox = module.org.tag_values["environment/sandbox"].id + } +} +# tftest modules=2 resources=7 +``` ## Variables @@ -406,7 +450,8 @@ module "cloud_run" { | [revision](variables.tf#L178) | Revision template configurations. | object({…}) | | {} | | [service_account](variables.tf#L205) | Service account email. Unused if service account is auto-created. | string | | null | | [service_account_create](variables.tf#L211) | Auto-create service account. | bool | | false | -| [volumes](variables.tf#L217) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} | +| [tag_bindings](variables.tf#L217) | Tag bindings for this service, in key => tag value id format. | map(string) | | {} | +| [volumes](variables.tf#L224) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} | | [vpc_connector_create](variables-vpcconnector.tf#L17) | Populate this to create a Serverless VPC Access connector. | object({…}) | | null | ## Outputs 
diff --git a/modules/cloud-run-v2/tags.tf b/modules/cloud-run-v2/tags.tf
new file mode 100644
index 000000000..52538ebf1
--- /dev/null
+++ b/modules/cloud-run-v2/tags.tf
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_tags_location_tag_binding" "binding" {
+ for_each = var.create_job ? {} : var.tag_bindings
+ parent = (
+ "//run.googleapis.com/projects/${var.project_id}/locations/europe-west1/services/${google_cloud_run_v2_service.service[0].name}"
+ )
+ tag_value = each.value
+ location = var.region
+}
diff --git a/modules/cloud-run-v2/variables.tf b/modules/cloud-run-v2/variables.tf
index 794a3c37e..ac67a5b73 100644
--- a/modules/cloud-run-v2/variables.tf
+++ b/modules/cloud-run-v2/variables.tf
@@ -214,6 +214,13 @@ variable "service_account_create" {
 default = false
 }
 
+variable "tag_bindings" {
+ description = "Tag bindings for this service, in key => tag value id format."
+ type = map(string)
+ nullable = false
+ default = {}
+}
+
 variable "volumes" {
 description = "Named volumes in containers in name => attributes format."
 type = map(object({
diff --git a/modules/cloud-run/README.md b/modules/cloud-run/README.md
index 490939139..c392a07b7 100644
--- a/modules/cloud-run/README.md
+++ b/modules/cloud-run/README.md
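Review bot: The `parent` string in the new `google_tags_location_tag_binding` hardcodes `locations/europe-west1` while the `location` argument on the next line is `var.region`, so for any service deployed in another region the binding points at a resource that does not exist there (or at an unrelated service that happens to share the name), and tag-conditioned IAM and organization policies silently never apply to the real service; it should be `locations/${var.region}`. Tag-binding full resource names are documented with the project number rather than the project id, so `${var.project_id}` may also need to be the number — verify against the Cloud Run tagging docs rather than relying on the apply succeeding. Separately, `for_each = var.create_job ? {} : var.tag_bindings` silently discards bindings for jobs; since the README states jobs are unsupported, a `lifecycle { precondition { condition = !var.create_job || length(var.tag_bindings) == 0 ... } }` on the resource would turn that silent policy gap into a plan-time error.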
@@ -2,26 +2,24 @@ Cloud Run management, with support for IAM roles, revision annotations and optional Eventarc trigger creation. -## Examples - -- [Examples](#examples) - - [IAM and environment variables](#iam-and-environment-variables) - - [Mounting secrets as volumes](#mounting-secrets-as-volumes) - - [Revision annotations](#revision-annotations) - - [Second generation execution environment](#second-generation-execution-environment) - - [VPC Access Connector creation](#vpc-access-connector-creation) - - [Traffic split](#traffic-split) - - [Eventarc triggers](#eventarc-triggers) - - [PubSub](#pubsub) - - [Audit logs](#audit-logs) - - [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers) - - [Service account](#service-account) +- [IAM and environment variables](#iam-and-environment-variables) +- [Mounting secrets as volumes](#mounting-secrets-as-volumes) +- [Revision annotations](#revision-annotations) +- [Second generation execution environment](#second-generation-execution-environment) +- [VPC Access Connector creation](#vpc-access-connector-creation) +- [Traffic split](#traffic-split) +- [Eventarc triggers](#eventarc-triggers) + - [PubSub](#pubsub) + - [Audit logs](#audit-logs) + - [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers) +- [Service account](#service-account) +- [Tag bindings](#tag-bindings) - [Variables](#variables) - [Outputs](#outputs) -### IAM and environment variables +## IAM and environment variables IAM bindings support the usual syntax. Container environment values can be declared as key-value strings or as references to Secret Manager secrets. Both can be combined as long as there's no duplication of keys: @@ -68,7 +66,7 @@ module "cloud_run" { # tftest modules=2 resources=5 inventory=simple.yaml e2e ``` -### Mounting secrets as volumes +## Mounting secrets as volumes ```hcl module "secret-manager" { 
@@ -117,7 +115,7 @@ module "cloud_run" { # tftest modules=2 resources=5 inventory=secrets.yaml e2e ``` -### Revision annotations +## Revision annotations Annotations can be specified via the `revision_annotations` variable: @@ -145,7 +143,7 @@ module "cloud_run" { # tftest modules=1 resources=1 inventory=revision-annotations.yaml ``` -### Second generation execution environment +## Second generation execution environment Second generation execution environment (gen2) can be enabled by setting the `gen2_execution_environment` variable to true: @@ -165,7 +163,7 @@ module "cloud_run" { # tftest modules=1 resources=1 inventory=gen2.yaml e2e ``` -### VPC Access Connector creation +## VPC Access Connector creation If creation of a [VPC Access Connector](https://cloud.google.com/vpc/docs/serverless-vpc-access) is required, use the `vpc_connector_create` variable which also support optional attributes for number of instances, machine type, and throughput (not shown here). The annotation to use the connector will be added automatically. @@ -211,7 +209,7 @@ module "cloud_run" { # tftest modules=1 resources=2 inventory=connector-shared.yaml ``` -### Traffic split +## Traffic split This deploys a Cloud Run service with traffic split between two revisions. @@ -235,9 +233,9 @@ module "cloud_run" { # tftest modules=1 resources=1 inventory=traffic.yaml ``` -### Eventarc triggers +## Eventarc triggers -#### PubSub +### PubSub This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics. @@ -267,7 +265,7 @@ module "cloud_run" { # tftest modules=2 resources=3 inventory=eventarc.yaml e2e ``` -#### Audit logs +### Audit logs This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs. 
@@ -307,7 +305,7 @@ module "cloud_run" { # tftest modules=2 resources=5 inventory=audit-logs.yaml ``` -#### Using custom service accounts for triggers +### Using custom service accounts for triggers By default `Compute default service account` is used to trigger Cloud Run. If you want to use custom Service Account you can either provide your own in `eventarc_triggers.service_account_email` or set `eventarc_triggers.service_account_create` to true and service account named `tf-cr-trigger-${var.name}` will be created with `roles/run.invoker` granted on this Cloud Run service. @@ -342,7 +340,7 @@ module "cloud_run" { # tftest modules=2 resources=5 inventory=trigger-service-account.yaml e2e ``` -### Service account +## Service account To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default). @@ -379,6 +377,43 @@ module "cloud_run" { } # tftest modules=1 resources=1 inventory=service-account-external.yaml e2e ``` + +## Tag bindings + +Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage. + +```hcl +module "org" { + source = "./fabric/modules/organization" + organization_id = var.organization_id + tags = { + environment = { + description = "Environment specification." + values = { + dev = {} + prod = {} + sandbox = {} + } + } + } +} + +module "cloud_run" { + source = "./fabric/modules/cloud-run" + project_id = var.project_id + region = var.region + name = "hello" + containers = { + hello = { + image = "us-docker.pkg.dev/cloudrun/container/hello" + } + } + tag_bindings = { + env-sandbox = module.org.tag_values["environment/sandbox"].id + } +} +# tftest modules=2 resources=6 +``` ## Variables 
@@ -400,10 +435,11 @@ module "cloud_run" { | [service_account](variables.tf#L190) | Service account email. Unused if service account is auto-created. | string | | null | | [service_account_create](variables.tf#L196) | Auto-create service account. | bool | | false | | [startup_cpu_boost](variables.tf#L202) | Enable startup cpu boost. | bool | | false | -| [timeout_seconds](variables.tf#L208) | Maximum duration the instance is allowed for responding to a request. | number | | null | -| [traffic](variables.tf#L214) | Traffic steering configuration. If revision name is null the latest revision will be used. | map(object({…})) | | {} | -| [volumes](variables.tf#L225) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} | -| [vpc_connector_create](variables.tf#L239) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…}) | | null | +| [tag_bindings](variables.tf#L208) | Tag bindings for this service, in key => tag value id format. | map(string) | | {} | +| [timeout_seconds](variables.tf#L215) | Maximum duration the instance is allowed for responding to a request. | number | | null | +| [traffic](variables.tf#L221) | Traffic steering configuration. If revision name is null the latest revision will be used. | map(object({…})) | | {} | +| [volumes](variables.tf#L232) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} | +| [vpc_connector_create](variables.tf#L246) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…}) | | null | ## Outputs diff --git a/modules/cloud-run/tags.tf b/modules/cloud-run/tags.tf new file mode 100644 index 000000000..c988ed650 --- /dev/null +++ b/modules/cloud-run/tags.tf 
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_tags_location_tag_binding" "binding" {
+ for_each = var.tag_bindings
+ parent = (
+ "//run.googleapis.com/projects/${var.project_id}/locations/europe-west1/services/${google_cloud_run_service.service.name}"
+ )
+ tag_value = each.value
+ location = var.region
+}
diff --git a/modules/cloud-run/variables.tf b/modules/cloud-run/variables.tf
index 421348481..197864505 100644
--- a/modules/cloud-run/variables.tf
+++ b/modules/cloud-run/variables.tf
@@ -205,6 +205,13 @@ variable "startup_cpu_boost" {
 default = false
 }
 
+variable "tag_bindings" {
+ description = "Tag bindings for this service, in key => tag value id format."
+ type = map(string)
+ nullable = false
+ default = {}
+}
+
 variable "timeout_seconds" {
 description = "Maximum duration the instance is allowed for responding to a request."
 type = number
diff --git a/modules/gcs/README.md b/modules/gcs/README.md
index e05d4602f..a9a866b3b 100644
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -8,7 +8,7 @@
 - [GCS notifications](#gcs-notifications)
 - [Object upload](#object-upload)
 - [IAM](#iam)
-- [Tags](#tags)
+- [Tag Bindings](#tag-bindings)
 - [Variables](#variables)
 - [Outputs](#outputs)
 
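Review bot: The `parent` of the new tag binding hardcodes `locations/europe-west1` although the service's region is `var.region` (used correctly for the `location` argument two lines below), so a service in any other region gets a binding on a non-existent or wrong resource and any tag-based IAM conditions or org policies keyed on it are not enforced on the actual service; the segment should be `locations/${var.region}`. The same path builds the name from `${var.project_id}`, whereas tag-binding full resource names are documented with the project number — confirm the API accepts the id form, or resolve the number via a project data source. Since this module is the v1 counterpart of cloud-run-v2 and both hunks share the bug, a single `tftest` inventory asserting the rendered `parent` would catch it in both.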
@@ -247,7 +247,7 @@ module "bucket" {
 # tftest modules=1 resources=2 inventory=iam-bindings-additive.yaml e2e
 ```
 
-## Tags
+## Tag Bindings
 
 Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
 
@@ -307,10 +307,10 @@ module "bucket" {
 | [retention_policy](variables.tf#L236) | Bucket retention policy. | object({…}) | | null |
 | [soft_delete_retention](variables.tf#L245) | The duration in seconds that soft-deleted objects in the bucket will be retained and cannot be permanently deleted. Set to 0 to override the default and disable. | number | | null |
 | [storage_class](variables.tf#L251) | Bucket storage class. | string | | "MULTI_REGIONAL" |
-| [tag_bindings](variables.tf#L261) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null |
-| [uniform_bucket_level_access](variables.tf#L267) | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | bool | | true |
-| [versioning](variables.tf#L273) | Enable versioning, defaults to false. | bool | | false |
-| [website](variables.tf#L279) | Bucket website. | object({…}) | | null |
+| [tag_bindings](variables.tf#L261) | Tag bindings for this folder, in key => tag value id format. | map(string) | | {} |
+| [uniform_bucket_level_access](variables.tf#L268) | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | bool | | true |
+| [versioning](variables.tf#L274) | Enable versioning, defaults to false. | bool | | false |
+| [website](variables.tf#L280) | Bucket website. | object({…}) | | null |
 
 ## Outputs
 
diff --git a/modules/gcs/tags.tf b/modules/gcs/tags.tf
index b666d2f3c..895605432 100644
--- a/modules/gcs/tags.tf
+++ b/modules/gcs/tags.tf
@@ -15,7 +15,7 @@
 */
 
 resource "google_tags_location_tag_binding" "binding" {
- for_each = coalesce(var.tag_bindings, {})
+ for_each = var.tag_bindings
 parent = "//storage.googleapis.com/projects/_/buckets/${local.prefix}${lower(var.name)}"
 tag_value = each.value
 location = var.location
diff --git a/modules/gcs/variables.tf b/modules/gcs/variables.tf
index b33f2d5b0..d5b40f946 100644
--- a/modules/gcs/variables.tf
+++ b/modules/gcs/variables.tf
@@ -261,7 +261,8 @@ variable "storage_class" {
 variable "tag_bindings" {
 description = "Tag bindings for this folder, in key => tag value id format."
 type = map(string)
- default = null
+ nullable = false
+ default = {}
 }
 
 variable "uniform_bucket_level_access" {
diff --git a/modules/kms/README.md b/modules/kms/README.md
index 90621bef3..5772fcacb 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -11,6 +11,7 @@ When using an existing keyring be mindful about applying IAM bindings, as all bi
 - [Using an existing keyring](#using-an-existing-keyring)
 - [Crypto key purpose](#crypto-key-purpose)
 - [Import job](#import-job)
+ - [Tag Bindings](#tag-bindings)
 - [Variables](#variables)
 - [Outputs](#outputs)
 
@@ -114,6 +115,41 @@ module "kms" {
 }
 # tftest modules=1 resources=2 inventory=import-job.yaml e2e
 ```
+
+### Tag Bindings
+
+Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
+
+```hcl
+module "org" {
+ source = "./fabric/modules/organization"
+ organization_id = var.organization_id
+ tags = {
+ environment = {
+ description = "Environment specification."
+ values = {
+ dev = {}
+ prod = {}
+ sandbox = {}
+ }
+ }
+ }
+}
+
+module "kms" {
+ source = "./fabric/modules/kms"
+ project_id = var.project_id
+ keyring = {
+ location = var.region
+ name = "test-3"
+ }
+ tag_bindings = {
+ env-sandbox = module.org.tag_values["environment/sandbox"].id
+ }
+}
+# tftest modules=2 resources=6
+```
+
 
 ## Variables
 
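Review bot: The `description` of `tag_bindings` in modules/gcs/variables.tf still reads `Tag bindings for this folder, in key => tag value id format.`, a leftover from the folder module that the generated README table in this patch reproduces verbatim; it should say `Tag bindings for this bucket, in key => tag value id format.` so operators reading the docs know what resource the tag governs. Note also that with `nullable = false` a caller who previously passed `tag_bindings = null` (which the removed `coalesce` in tags.tf tolerated) now gets a plan-time error, which is the right behaviour but deserves a changelog line.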
diff --git a/modules/kms/tags.tf b/modules/kms/tags.tf
index c0955c624..dee198154 100644
--- a/modules/kms/tags.tf
+++ b/modules/kms/tags.tf
@@ -16,6 +16,6 @@
 
 resource "google_tags_tag_binding" "binding" {
 for_each = var.tag_bindings
- parent = "//cloudresourcemanager.googleapis.com/${local.keyring.id}"
+ parent = "//cloudkms.googleapis.com/${local.keyring.id}"
 tag_value = each.value
 }
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index d0d335674..fabaf0322 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -119,6 +119,6 @@ variable "project_id" {
 variable "tag_bindings" {
 description = "Tag bindings for this keyring, in key => tag value id format."
 type = map(string)
- default = {}
 nullable = false
+ default = {}
 }
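Review bot: The corrected `parent` now names a Cloud KMS keyring, which is a location-scoped resource, yet the binding is still created with the global `google_tags_tag_binding`, unlike the gcs, bigquery and cloud-run modules in this same patch, which all use `google_tags_location_tag_binding` with the resource's location. If the tags API requires the regional endpoint for location-scoped resources, this binding will be rejected or, worse, accepted without being evaluated, leaving tag-conditioned IAM and org policies unenforced on the keyring; switching to `google_tags_location_tag_binding` with `location = local.keyring.location` should be verified against the KMS tagging docs before the next release. `local.keyring.id` is also built from the project id while tag-binding full resource names are documented with the project number, so confirm the id form is accepted; a `tftest` inventory asserting the rendered `parent` would have caught the `cloudresourcemanager` service name this hunk fixes.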