Merge remote-tracking branch 'origin/master' into fast-dev

This commit is contained in:
Ludovico Magnocavallo
2025-12-09 17:14:59 +00:00
10 changed files with 103 additions and 42 deletions

View File

@@ -1,6 +1,7 @@
# Cloud Foundation Fabric (CFF)
## Project Overview
Cloud Foundation Fabric is a comprehensive suite of Terraform modules and end-to-end blueprints designed for Google Cloud Platform (GCP). It serves two primary purposes:
1. **Modules:** A library of composable, production-ready Terraform modules (e.g., `project`, `net-vpc`, `gke-cluster`).
@@ -9,28 +10,34 @@ Cloud Foundation Fabric is a comprehensive suite of Terraform modules and end-to
## Key Components
### 1. Modules (`/modules`)
* **Philosophy:** Lean, composable, and close to the underlying provider resources.
* **Structure:**
* Standardized interfaces for IAM, logging, and organization policies.
* Self-contained: Dependency injection is preferred over complex remote state lookups within modules.
* Standardized interfaces: IAM, logging, organization policies, etc.
* Self-contained: Dependency injection via context variables is preferred over complex remote state lookups within modules.
* Flat: avoid using sub-modules to reduce complexity and minimize layer traversals.
* **Naming:** Avoid random suffixes; use explicit `prefix` variables.
* **Usage:** Modules are designed to be forked/owned or referenced via Git tags (e.g., `source = "github.com/...//modules/project?ref=v30.0.0"`).
### 2. FAST (`/fast`)
* **Purpose:** Rapidly set up a secure, scalable GCP organization.
* **Architecture:** Divided into sequential "stages" (0-bootstrap, 1-resman, 2-networking, etc.).
* **Architecture:** Divided into sequential "stages" (0-org-setup, 1-vpcsc, 2-security, 2-networking, etc.).
* **Factories:** Uses YAML-based "factories" (e.g., Project Factory) to drive configuration at scale.
### 3. Tools (`/tools`)
* Python-based utility scripts for documentation, linting, and CI/CD tasks.
* **Key Scripts:**
* `tfdoc.py`: Auto-generates input/output tables in `README.md` files.
* `check_boilerplate.py`: Enforces license headers.
* `check_documentation.py`: Verifies README consistency.
* `changelog.py`: Generates CHANGELOG.md sections based on version diffs.
## Development Workflow
### Prerequisites
* **Terraform** (or OpenTofu)
* **Python 3.10+**
* **Dependencies:**
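Review bot: the `Usage` bullet's example pins a module source by tag (`?ref=v30.0.0`); tags are mutable references, so this guidance document could add one sentence noting that consumers who need an immutable dependency pin a commit SHA in `ref=` instead. Minor: the `Architecture` bullet now lists `2-security` and `2-networking` as stages, which matches the FAST README in this commit, but the parenthetical "etc." hides that the stage 3 entries are optional; a short "plus optional stage 3 add-ons" would make the structure clearer to a reader of this file.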
@@ -42,7 +49,9 @@ Cloud Foundation Fabric is a comprehensive suite of Terraform modules and end-to
### Common Tasks
#### 1. Formatting & Linting
Always format code and update documentation before committing.
```bash
# Format Terraform code
terraform fmt -recursive
@@ -55,7 +64,9 @@ terraform fmt -recursive
```
#### 2. Testing
Tests are written in Python using `pytest` and the `tftest` library.
Tests are written in Python using `pytest` and the [`tftest`](https://pypi.org/project/tftest/) library.
```bash
# Run all tests
pytest tests
@@ -66,14 +77,17 @@ pytest -k 'modules and <module-name>:' tests/examples
# Run tests from a specific file
pytest tests/examples/test_plan.py
```
**Note:** `TF_PLUGIN_CACHE_DIR` is recommended to speed up tests.
#### 3. Contributing
* **Branching:** Use `username/feature-name`.
* **Commits:** Atomic commits with clear messages.
* **Docs:** Do not manually edit the variables/outputs tables in READMEs; use `tfdoc.py`.
## Architecture & Conventions
* **Variables:** Prefer object variables (e.g., `iam = { ... }`) over many individual scalar variables.
* **IAM:** Implemented within resources (authoritative `_binding` or additive `_member`) via standard interfaces.
* **Outputs:** Explicitly depend on internal resources to ensure proper ordering (`depends_on`).

View File

@@ -42,6 +42,7 @@ iam_by_principals:
$iam_principals:gcp-organization-admins:
- roles/cloudasset.owner
- roles/cloudsupport.admin
- roles/cloudsupport.techSupportEditor
- roles/compute.osAdminLogin
- roles/compute.osLoginExternalUser
- roles/compute.xpnAdmin
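Review bot: `roles/cloudsupport.techSupportEditor` is being added to the `gcp-organization-admins` principal set, which already holds `roles/cloudsupport.admin`; state in the commit or in a comment on the dataset why both grants are needed, since every role in this list is bound organization-wide and the same list is maintained in more than one dataset in this commit.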

View File

@@ -42,6 +42,7 @@ iam_by_principals:
$iam_principals:gcp-organization-admins:
- roles/cloudasset.owner
- roles/cloudsupport.admin
- roles/cloudsupport.techSupportEditor
- roles/compute.osAdminLogin
- roles/compute.osLoginExternalUser
- roles/compute.xpnAdmin
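Review bot: this is the same `roles/cloudsupport.techSupportEditor` addition made to the other organization-level dataset in this commit; the two `iam_by_principals` lists for `gcp-organization-admins` are evolving in lockstep, so consider a shared default or a test that compares the two lists to keep them from drifting apart.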

View File

@@ -25,7 +25,7 @@ To destroy a previous FAST deployment follow the instructions detailed in [clean
- [Organization Setup](./0-org-setup/README.md)
This stage combines the legacy bootstrap and resource management stages described below, allowing easy configuration of all related resources via factories. Its flexibility supports any type of organizational design, while still supporting traditional FAST stages like VPC Service Controls, security, networking, and any stage 3.
## VPC Service Controls (1)
- [VPC Service Controls](./1-vpcsc/README.md)
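Review bot: the Organization Setup description repeats "support" ("Its flexibility supports any type of organizational design, while still supporting traditional FAST stages"); suggest "Its flexibility accommodates any organizational design while remaining compatible with the traditional FAST stages (VPC Service Controls, security, networking, and any stage 3)."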
@@ -33,13 +33,13 @@ To destroy a previous FAST deployment follow the instructions detailed in [clean
## Shared resources (2)
- [Security](2-security/README.md)
- [Security](2-security/README.md)
Manages centralized security configurations in a separate stage, and is typically owned by the security team. This stage implements VPC Security Controls via separate perimeters for environments and central services, and creates projects to host centralized KMS keys used by the whole organization. It's meant to be easily extended to include other security-related resources which are required, like Secret Manager.\
Exports: KMS key ids, CA ids
- Networking ([Networking factory](2-networking/README.md))
Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage provides several different design as YaML datasets, including hub-and-spoke with VPC Peerings, VPNs, NVAs and NCC.
Exports: host project ids and numbers, vpc self links
- [Project Factory](./2-project-factory/)
- [Project Factory](./2-project-factory/)
YAML-based factory to create and configure application or team-level projects. Configuration includes VPC-level settings for Shared VPC, service-level configuration for CMEK encryption via centralized keys, and service account creation for workloads and applications. This stage can be cloned if an org-wide or dedicated per-environment factories are needed.
## Environment-level resources (3)
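Review bot: the Security entry says the stage "implements VPC Security Controls via separate perimeters", but the same README lists VPC Service Controls as its own stage (`1-vpcsc`) and the product name is VPC Service Controls; update the sentence to describe what `2-security` does now (KMS projects and other centralized security resources) and drop or correct the perimeter claim. Wording: "several different design as YaML datasets" should read "several different designs as YAML datasets".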
@@ -47,3 +47,28 @@ To destroy a previous FAST deployment follow the instructions detailed in [clean
- [Data Platform](./3-data-platform-dev/)
- [GKE Multitenant](./3-gke-dev/)
- [Google Cloud VMware Engine](./3-gcve-dev/)
## Importing existing setup into FAST
For brownfield implementations you may need to import existing setting in the organization, folders, etc. These snippets can help you add existing settings into the YAML file
Scripts below require [yq](https://github.com/mikefarah/yq/) in at least version 4.
### IAM bindings
To create `iam:` part of the factory YAML file, you can use following snippet:
```shell
gcloud <resource> get-iam-policy <resource name> | yq '.bindings | map({"key": .role, "value": .members}) | from_entries'
```
For example use following code, to get IAM bindings on organization level to be used in `0-org-setup/dataset/.../organization/.config.yaml`
```shell
gcloud organizations get-iam-policy 12345 | yq '.bindings | map({"key": .role, "value": .members}) | from_entries'
```
To create `iam_by_principals:` part of the factory YAML file, you can use following snippet:
```shell
gcloud <resource> get-iam-policy <resource name> | yq '
[.bindings | .[] | .members[] as $member | { "member": $member, "role": .role}] |
group_by(.member) | sort_by(.[0].member) | .[] | { .[0].member: map(.role)}
'
```
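Review bot: both `yq` snippets discard the `condition` field of each binding, so an organization with conditional IAM bindings (time-bound or resource-scoped grants) would be imported as unconditional grants, and in the first snippet `from_entries` would also collapse two bindings that share a role but differ in condition into a single key; add a caveat to the text, or make the filter fail when any `.bindings[].condition` is present so the operator reviews those by hand. The second snippet ends in `.[] | {...}`, which emits one result per principal rather than a single mapping, so readers will have to merge the output before pasting it under `iam_by_principals:`; a short note saying so would save confusion. Wording: "import existing setting" should be "import existing settings", and "use following code, to get" should be "use the following code to get".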

View File

@@ -408,38 +408,38 @@ module "db" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [database_version](variables.tf#L75) | Database type and version to create. | <code>string</code> | ✓ | |
| [name](variables.tf#L189) | Name of primary instance. | <code>string</code> | ✓ | |
| [network_config](variables.tf#L194) | Network configuration for the instance. Only one between private_network and psc_config can be used. | <code title="object&#40;&#123;&#10; authorized_networks &#61; optional&#40;map&#40;string&#41;&#41;&#10; connectivity &#61; object&#40;&#123;&#10; public_ipv4 &#61; optional&#40;bool, false&#41;&#10; psa_config &#61; optional&#40;object&#40;&#123;&#10; private_network &#61; string&#10; allocated_ip_ranges &#61; optional&#40;object&#40;&#123;&#10; primary &#61; optional&#40;string&#41;&#10; replica &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; psc_allowed_consumer_projects &#61; optional&#40;list&#40;string&#41;&#41;&#10; enable_private_path_for_services &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [project_id](variables.tf#L237) | The ID of the project where this instances will be created. | <code>string</code> | ✓ | |
| [region](variables.tf#L242) | Region of the primary instance. | <code>string</code> | ✓ | |
| [tier](variables.tf#L294) | The machine type to use for the instances. | <code>string</code> | ✓ | |
| [database_version](variables.tf#L82) | Database type and version to create. | <code>string</code> | ✓ | |
| [name](variables.tf#L196) | Name of primary instance. | <code>string</code> | ✓ | |
| [network_config](variables.tf#L201) | Network configuration for the instance. Only one between private_network and psc_config can be used. | <code title="object&#40;&#123;&#10; authorized_networks &#61; optional&#40;map&#40;string&#41;&#41;&#10; connectivity &#61; object&#40;&#123;&#10; public_ipv4 &#61; optional&#40;bool, false&#41;&#10; psa_config &#61; optional&#40;object&#40;&#123;&#10; private_network &#61; string&#10; allocated_ip_ranges &#61; optional&#40;object&#40;&#123;&#10; primary &#61; optional&#40;string&#41;&#10; replica &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;&#10; psc_allowed_consumer_projects &#61; optional&#40;list&#40;string&#41;&#41;&#10; enable_private_path_for_services &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [project_id](variables.tf#L244) | The ID of the project where this instances will be created. | <code>string</code> | ✓ | |
| [region](variables.tf#L249) | Region of the primary instance. | <code>string</code> | ✓ | |
| [tier](variables.tf#L301) | The machine type to use for the instances. | <code>string</code> | ✓ | |
| [activation_policy](variables.tf#L16) | This variable specifies when the instance should be active. Can be either ALWAYS, NEVER or ON_DEMAND. Default is ALWAYS. | <code>string</code> | | <code>&#34;ALWAYS&#34;</code> |
| [availability_type](variables.tf#L27) | Availability type for the primary replica. Either `ZONAL` or `REGIONAL`. | <code>string</code> | | <code>&#34;ZONAL&#34;</code> |
| [backup_configuration](variables.tf#L33) | Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas. | <code title="object&#40;&#123;&#10; enabled &#61; optional&#40;bool, false&#41;&#10; binary_log_enabled &#61; optional&#40;bool, false&#41;&#10; start_time &#61; optional&#40;string, &#34;23:00&#34;&#41;&#10; location &#61; optional&#40;string&#41;&#10; log_retention_days &#61; optional&#40;number, 7&#41;&#10; point_in_time_recovery_enabled &#61; optional&#40;bool&#41;&#10; retention_count &#61; optional&#40;number, 7&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; enabled &#61; false&#10; binary_log_enabled &#61; false&#10; start_time &#61; &#34;23:00&#34;&#10; location &#61; null&#10; log_retention_days &#61; 7&#10; point_in_time_recovery_enabled &#61; null&#10; retention_count &#61; 7&#10;&#125;">&#123;&#8230;&#125;</code> |
| [collation](variables.tf#L56) | The name of server instance collation. | <code>string</code> | | <code>null</code> |
| [connector_enforcement](variables.tf#L62) | Specifies if connections must use Cloud SQL connectors. | <code>string</code> | | <code>null</code> |
| [data_cache](variables.tf#L68) | Enable data cache. Only used for Enterprise MYSQL and PostgreSQL. | <code>bool</code> | | <code>false</code> |
| [databases](variables.tf#L80) | Databases to create once the primary instance is created. | <code>list&#40;string&#41;</code> | | <code>null</code> |
| [disk_autoresize_limit](variables.tf#L86) | The maximum size to which storage capacity can be automatically increased. The default value is 0, which specifies that there is no limit. | <code>number</code> | | <code>0</code> |
| [disk_size](variables.tf#L92) | Disk size in GB. Set to null to enable autoresize. | <code>number</code> | | <code>null</code> |
| [disk_type](variables.tf#L98) | The type of data disk: `PD_SSD` or `PD_HDD`. | <code>string</code> | | <code>&#34;PD_SSD&#34;</code> |
| [edition](variables.tf#L104) | The edition of the instance, can be ENTERPRISE or ENTERPRISE_PLUS. | <code>string</code> | | <code>&#34;ENTERPRISE&#34;</code> |
| [encryption_key_name](variables.tf#L110) | The full path to the encryption key used for the CMEK disk encryption of the primary instance. | <code>string</code> | | <code>null</code> |
| [flags](variables.tf#L116) | Map FLAG_NAME=>VALUE for database-specific tuning. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [gcp_deletion_protection](variables.tf#L122) | Set Google's deletion protection attribute which applies across all surfaces (UI, API, & Terraform). | <code>bool</code> | | <code>true</code> |
| [insights_config](variables.tf#L129) | Query Insights configuration. Defaults to null which disables Query Insights. | <code title="object&#40;&#123;&#10; query_string_length &#61; optional&#40;number, 1024&#41;&#10; record_application_tags &#61; optional&#40;bool, false&#41;&#10; record_client_address &#61; optional&#40;bool, false&#41;&#10; query_plans_per_minute &#61; optional&#40;number, 5&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [labels](variables.tf#L140) | Labels to be attached to all instances. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [maintenance_config](variables.tf#L146) | Set maintenance window configuration and maintenance deny period (up to 90 days). Date format: 'yyyy-mm-dd'. | <code title="object&#40;&#123;&#10; maintenance_window &#61; optional&#40;object&#40;&#123;&#10; day &#61; number&#10; hour &#61; number&#10; update_track &#61; optional&#40;string, null&#41;&#10; &#125;&#41;, null&#41;&#10; deny_maintenance_period &#61; optional&#40;object&#40;&#123;&#10; start_date &#61; string&#10; end_date &#61; string&#10; start_time &#61; optional&#40;string, &#34;00:00:00&#34;&#41;&#10; &#125;&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [managed_connection_pooling_config](variables.tf#L179) | Configuration for Managed Connection Pooling. NOTE: This feature is only available for PostgreSQL on Enterprise Plus edition instances. | <code title="object&#40;&#123;&#10; enabled &#61; optional&#40;bool, false&#41;&#10; flags &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [password_validation_policy](variables.tf#L213) | Password validation policy configuration for instances. | <code title="object&#40;&#123;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; change_interval &#61; optional&#40;number&#41;&#10; default_complexity &#61; optional&#40;bool&#41;&#10; disallow_username_substring &#61; optional&#40;bool&#41;&#10; min_length &#61; optional&#40;number&#41;&#10; reuse_interval &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [prefix](variables.tf#L227) | Optional prefix used to generate instance names. | <code>string</code> | | <code>null</code> |
| [replicas](variables.tf#L247) | Map of NAME=> {REGION, KMS_KEY, AVAILABILITY_TYPE} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10; region &#61; string&#10; encryption_key_name &#61; optional&#40;string&#41;&#10; availability_type &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [root_password](variables.tf#L258) | Root password of the Cloud SQL instance, or flag to create a random password. Required for MS SQL Server. | <code title="object&#40;&#123;&#10; password &#61; optional&#40;string&#41;&#10; random_password &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [ssl](variables.tf#L272) | Setting to enable SSL, set config and certificates. | <code title="object&#40;&#123;&#10; client_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10; mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [terraform_deletion_protection](variables.tf#L287) | Prevent terraform from deleting instances. | <code>bool</code> | | <code>true</code> |
| [time_zone](variables.tf#L299) | The time_zone to be used by the database engine (supported only for SQL Server), in SQL Server timezone format. | <code>string</code> | | <code>null</code> |
| [users](variables.tf#L305) | Map of users to create in the primary instance (and replicated to other replicas). For MySQL, anything after the first `@` (if present) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. The user types available are: 'BUILT_IN', 'CLOUD_IAM_USER' or 'CLOUD_IAM_SERVICE_ACCOUNT'. | <code title="map&#40;object&#40;&#123;&#10; password &#61; optional&#40;string&#41;&#10; password_version &#61; optional&#40;number&#41;&#10; type &#61; optional&#40;string, &#34;BUILT_IN&#34;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [backup_configuration](variables.tf#L33) | Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas. | <code title="object&#40;&#123;&#10; enabled &#61; optional&#40;bool, false&#41;&#10; binary_log_enabled &#61; optional&#40;bool, false&#41;&#10; start_time &#61; optional&#40;string, &#34;23:00&#34;&#41;&#10; location &#61; optional&#40;string&#41;&#10; log_retention_days &#61; optional&#40;number, 7&#41;&#10; point_in_time_recovery_enabled &#61; optional&#40;bool&#41;&#10; retention_count &#61; optional&#40;number, 7&#41;&#10; retain_backups_on_delete &#61; optional&#40;bool&#41;&#10; final_backup &#61; optional&#40;object&#40;&#123;&#10; enabled &#61; optional&#40;bool, false&#41;&#10; retention_days &#61; optional&#40;number, 7&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; enabled &#61; false&#10; binary_log_enabled &#61; false&#10; start_time &#61; &#34;23:00&#34;&#10; location &#61; null&#10; log_retention_days &#61; 7&#10; point_in_time_recovery_enabled &#61; null&#10; retention_count &#61; 7&#10; retain_backups_on_delete &#61; null&#10; final_backup &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
| [collation](variables.tf#L63) | The name of server instance collation. | <code>string</code> | | <code>null</code> |
| [connector_enforcement](variables.tf#L69) | Specifies if connections must use Cloud SQL connectors. | <code>string</code> | | <code>null</code> |
| [data_cache](variables.tf#L75) | Enable data cache. Only used for Enterprise MYSQL and PostgreSQL. | <code>bool</code> | | <code>false</code> |
| [databases](variables.tf#L87) | Databases to create once the primary instance is created. | <code>list&#40;string&#41;</code> | | <code>null</code> |
| [disk_autoresize_limit](variables.tf#L93) | The maximum size to which storage capacity can be automatically increased. The default value is 0, which specifies that there is no limit. | <code>number</code> | | <code>0</code> |
| [disk_size](variables.tf#L99) | Disk size in GB. Set to null to enable autoresize. | <code>number</code> | | <code>null</code> |
| [disk_type](variables.tf#L105) | The type of data disk: `PD_SSD` or `PD_HDD`. | <code>string</code> | | <code>&#34;PD_SSD&#34;</code> |
| [edition](variables.tf#L111) | The edition of the instance, can be ENTERPRISE or ENTERPRISE_PLUS. | <code>string</code> | | <code>&#34;ENTERPRISE&#34;</code> |
| [encryption_key_name](variables.tf#L117) | The full path to the encryption key used for the CMEK disk encryption of the primary instance. | <code>string</code> | | <code>null</code> |
| [flags](variables.tf#L123) | Map FLAG_NAME=>VALUE for database-specific tuning. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [gcp_deletion_protection](variables.tf#L129) | Set Google's deletion protection attribute which applies across all surfaces (UI, API, & Terraform). | <code>bool</code> | | <code>true</code> |
| [insights_config](variables.tf#L136) | Query Insights configuration. Defaults to null which disables Query Insights. | <code title="object&#40;&#123;&#10; query_string_length &#61; optional&#40;number, 1024&#41;&#10; record_application_tags &#61; optional&#40;bool, false&#41;&#10; record_client_address &#61; optional&#40;bool, false&#41;&#10; query_plans_per_minute &#61; optional&#40;number, 5&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [labels](variables.tf#L147) | Labels to be attached to all instances. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [maintenance_config](variables.tf#L153) | Set maintenance window configuration and maintenance deny period (up to 90 days). Date format: 'yyyy-mm-dd'. | <code title="object&#40;&#123;&#10; maintenance_window &#61; optional&#40;object&#40;&#123;&#10; day &#61; number&#10; hour &#61; number&#10; update_track &#61; optional&#40;string, null&#41;&#10; &#125;&#41;, null&#41;&#10; deny_maintenance_period &#61; optional&#40;object&#40;&#123;&#10; start_date &#61; string&#10; end_date &#61; string&#10; start_time &#61; optional&#40;string, &#34;00:00:00&#34;&#41;&#10; &#125;&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [managed_connection_pooling_config](variables.tf#L186) | Configuration for Managed Connection Pooling. NOTE: This feature is only available for PostgreSQL on Enterprise Plus edition instances. | <code title="object&#40;&#123;&#10; enabled &#61; optional&#40;bool, false&#41;&#10; flags &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [password_validation_policy](variables.tf#L220) | Password validation policy configuration for instances. | <code title="object&#40;&#123;&#10; enabled &#61; optional&#40;bool, true&#41;&#10; change_interval &#61; optional&#40;number&#41;&#10; default_complexity &#61; optional&#40;bool&#41;&#10; disallow_username_substring &#61; optional&#40;bool&#41;&#10; min_length &#61; optional&#40;number&#41;&#10; reuse_interval &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [prefix](variables.tf#L234) | Optional prefix used to generate instance names. | <code>string</code> | | <code>null</code> |
| [replicas](variables.tf#L254) | Map of NAME=> {REGION, KMS_KEY, AVAILABILITY_TYPE} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10; region &#61; string&#10; encryption_key_name &#61; optional&#40;string&#41;&#10; availability_type &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [root_password](variables.tf#L265) | Root password of the Cloud SQL instance, or flag to create a random password. Required for MS SQL Server. | <code title="object&#40;&#123;&#10; password &#61; optional&#40;string&#41;&#10; random_password &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [ssl](variables.tf#L279) | Setting to enable SSL, set config and certificates. | <code title="object&#40;&#123;&#10; client_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10; mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [terraform_deletion_protection](variables.tf#L294) | Prevent terraform from deleting instances. | <code>bool</code> | | <code>true</code> |
| [time_zone](variables.tf#L306) | The time_zone to be used by the database engine (supported only for SQL Server), in SQL Server timezone format. | <code>string</code> | | <code>null</code> |
| [users](variables.tf#L312) | Map of users to create in the primary instance (and replicated to other replicas). For MySQL, anything after the first `@` (if present) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. The user types available are: 'BUILT_IN', 'CLOUD_IAM_USER' or 'CLOUD_IAM_SERVICE_ACCOUNT'. | <code title="map&#40;object&#40;&#123;&#10; password &#61; optional&#40;string&#41;&#10; password_version &#61; optional&#40;number&#41;&#10; type &#61; optional&#40;string, &#34;BUILT_IN&#34;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
## Outputs
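Review bot: `backup_configuration` gains `retain_backups_on_delete` and `final_backup`, but its description column is unchanged ("Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas."); since this table is generated by `tfdoc.py`, update the variable description in `variables.tf` to say what the two new fields do (keep automated backups after the instance is deleted; take a final backup on deletion and how long it is kept), because these are the settings that decide whether data survives an accidental or malicious instance deletion. The remaining rows in the hunk are line-number churn caused by the longer variable definition.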

View File

@@ -61,6 +61,7 @@ resource "google_sql_database_instance" "primary" {
collation = var.collation
connector_enforcement = var.connector_enforcement
time_zone = var.time_zone
retain_backups_on_delete = var.backup_configuration.retain_backups_on_delete
ip_configuration {
ipv4_enabled = var.network_config.connectivity.public_ipv4
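Review bot: `retain_backups_on_delete` is wired into the `primary` instance's settings only; if the module creates replica instances from the same `backup_configuration` variable, decide whether the flag should also apply to them or document that it is primary-only. With the variable field defaulting to `null` the provider default applies, so the effective behaviour should be stated in the variable description rather than left for operators to infer.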
@@ -127,6 +128,14 @@ resource "google_sql_database_instance" "primary" {
}
}
dynamic "final_backup_config" {
for_each = var.backup_configuration.final_backup != null ? [var.backup_configuration.final_backup] : []
content {
enabled = final_backup_config.value.enabled
retention_days = final_backup_config.value.retention_days
}
}
dynamic "connection_pool_config" {
# Only available for PostgreSQL on Enterprise Plus edition.
for_each = (var.managed_connection_pooling_config.enabled && local.is_postgres && var.edition == "ENTERPRISE_PLUS") ? [1] : []
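Review bot: the new `dynamic "final_backup_config"` block is emitted whenever `final_backup` is non-null, including `final_backup = { enabled = false }`, which is acceptable but deserves a one-line comment like the one on `connection_pool_config` below it, noting that the block controls the backup taken when the instance is deleted and that `retention_days` comes from the variable default of 7. Also confirm that the provider version constraint in `versions.tf` already covers `final_backup_config`, since none of the ten files changed in this commit bumps it.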

View File

@@ -41,6 +41,11 @@ variable "backup_configuration" {
log_retention_days = optional(number, 7)
point_in_time_recovery_enabled = optional(bool)
retention_count = optional(number, 7)
retain_backups_on_delete = optional(bool)
final_backup = optional(object({
enabled = optional(bool, false)
retention_days = optional(number, 7)
}))
})
default = {
enabled = false
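Review bot: `retain_backups_on_delete = optional(bool)` with no default leaves the choice to the provider; given the module already defaults `gcp_deletion_protection` and `terraform_deletion_protection` to `true`, consider whether retaining backups should default to `true` as well, and in either case name the chosen default in the variable description. If the API bounds `final_backup.retention_days`, a `validation` block would catch out-of-range values at plan time, as nothing here constrains it.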
@@ -50,6 +55,8 @@ variable "backup_configuration" {
log_retention_days = 7
point_in_time_recovery_enabled = null
retention_count = 7
retain_backups_on_delete = null
final_backup = null
}
}
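Review bot: the `default` block now spells out `retain_backups_on_delete = null` and `final_backup = null`, and the README default column renders this whole object verbatim; the module's other object variables (`maintenance_config`, `ssl`) default to `{}` and rely on `optional(..., default)` in the type, so consider the same shape here to keep the generated table readable and avoid the two defaults drifting apart.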

View File

@@ -20,6 +20,7 @@ locals {
for name, opts in lookup(project, "service_accounts", {}) : {
project_key = k
name = name
description = try(opts.description, null)
display_name = coalesce(
try(local.data_defaults.overrides.service_accounts.display_name, null),
try(opts.display_name, null),
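Review bot: `description = try(opts.description, null)` has no counterpart in `local.data_defaults.overrides.service_accounts`, unlike `display_name` directly below it, so a factory-level override cannot set or force a description; if that asymmetry is intentional, say so where the factory schema is documented, otherwise add the override lookup with the same `coalesce(try(overrides...), try(opts...), ...)` shape.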
@@ -78,6 +79,7 @@ module "service-accounts" {
}
project_id = module.projects[each.value.project_key].project_id
name = each.value.name
description = each.value.description
display_name = each.value.display_name
context = merge(local.ctx, {
project_ids = local.ctx_project_ids
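Review bot: passing `description = each.value.description` into the `service-accounts` module is straightforward, but the new `description` key for factory service accounts should also appear in the project factory's README schema and in at least one test fixture; neither is among the files changed in this commit.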
@@ -119,4 +121,4 @@ module "service_accounts-iam" {
})
iam = each.value.iam
iam_sa_roles = each.value.iam_sa_roles
}
}

View File

@@ -5767,7 +5767,8 @@ counts:
google_monitoring_alert_policy: 10
google_org_policy_custom_constraint: 80
google_org_policy_policy: 149
google_organization_iam_binding: 37
google_organization_iam_audit_config: 1
google_organization_iam_binding: 38
google_organization_iam_custom_role: 9
google_project: 3
google_project_iam_binding: 17
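Review bot: a new `google_organization_iam_audit_config: 1` appears alongside `google_organization_iam_binding` going from 37 to 38, but the only organization-level dataset change visible in this commit is the extra `roles/cloudsupport.techSupportEditor` binding; confirm that the audit config comes from the merged `master` side and that its dataset (including the chosen log types) is reviewed as part of this merge, since that resource decides which Data Access logs are recorded for the whole organization.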
@@ -5790,5 +5791,5 @@ counts:
google_tags_tag_value_iam_binding: 4
local_file: 9
modules: 48
resources: 543
resources: 544
terraform_data: 4
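Review bot: `resources` moves from 543 to 544 while the counts above in the same inventory add two (a new `google_organization_iam_audit_config: 1` and the binding count going 37 to 38); unless another count outside this hunk decreased by one, the total is off by one, so regenerate the inventory from a plan rather than editing it by hand.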

View File

@@ -2783,7 +2783,8 @@ counts:
google_logging_project_bucket_config: 3
google_org_policy_custom_constraint: 1
google_org_policy_policy: 37
google_organization_iam_binding: 36
google_organization_iam_audit_config: 1
google_organization_iam_binding: 37
google_organization_iam_custom_role: 9
google_project: 3
google_project_iam_audit_config: 2
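Review bot: this inventory also gains `google_organization_iam_audit_config: 1` with the organization binding count moving from 36 to 37; the organization audit config is a behavioural change (it sets which Data Access logs the stage enforces) and should be called out in the changelog rather than only surfacing in test inventories.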
@@ -2806,5 +2807,5 @@ counts:
google_tags_tag_value_iam_binding: 4
local_file: 9
modules: 48
resources: 316
resources: 317
terraform_data: 4
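Review bot: `resources` moves from 316 to 317, a net change of one, while the keys changed earlier in this file add two (the new `google_organization_iam_audit_config: 1` and the binding count 36 to 37); verify the total by regenerating the inventory, as the same mismatch appears in the other inventory touched by this commit.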