Add support for non-destructive tag bindings to compute-vm module (#3004)
* wip * add support for tag bindings * tfdoc * improve example * tfdoc
This commit is contained in:
Ludovico Magnocavallo
committed by
GitHub
GitHub
parent
8b774f1fba
commit
dde3c1abf2
@@ -36,8 +36,7 @@ In both modes, an optional service account can be created and assigned to either
|
||||
- [Instance group](#instance-group)
|
||||
- [Instance Schedule](#instance-schedule)
|
||||
- [Snapshot Schedules](#snapshot-schedules)
|
||||
- [Resource Manager Tags (non-firewall)](#resource-manager-tags-non-firewall)
|
||||
- [Resource Manager Tags (firewall)](#resource-manager-tags-firewall)
|
||||
- [Resource Manager Tags](#resource-manager-tags)
|
||||
- [Sole Tenancy](#sole-tenancy)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
@@ -824,43 +823,39 @@ module "instance" {
|
||||
# tftest inventory=snapshot-schedule-create.yaml e2e
|
||||
```
|
||||
|
||||
### Resource Manager Tags (non-firewall)
|
||||
### Resource Manager Tags
|
||||
|
||||
Resource manager tags bindings for use in IAM or org policy conditions are supported via the `tag_bindings` variable with the following limitations:
|
||||
Resource manager tags bindings for use in IAM or org policy conditions are supported via three different variables:
|
||||
|
||||
- tag bindings are not created for attached disks
|
||||
- tag bindings will not be created for the boot disk if the `use_independent_disk` flag is true
|
||||
- tag bindings are ignored for instance templates
|
||||
- `network_tag_bindings` associates tags to instances after creation, and is meant for use with network firewall policies
|
||||
- `tag_bindings` associates tags to instances and zonal disks after creation, and is meant for use with IAM or organization policy conditions
|
||||
- `tag_bindings_immutable` associates tags to instances and disks created as part of the instance, or instance templates; the binding is applied at creation time and triggers resource recreation on change
|
||||
|
||||
The current provider implementation is sub-optimal and forces
|
||||
The non-immutable variables follow our usual interface for tag bindings, and support specifying a map with arbitrary keys mapping to tag key or value ids. To prevent a provider permadiff also pass in the project number in the `project_number` variable.
|
||||
|
||||
- recreation of the instance on tag changes
|
||||
- specifying both the key and value where only the value is actually needed
|
||||
The immutable variable uses a different format enforced by the Compute API, where keys need to be tag key ids, and values tag value ids.
|
||||
|
||||
This is an example of setting tag bindings:
|
||||
This is an example of setting non-immutable tag bindings:
|
||||
|
||||
```hcl
|
||||
module "simple-vm-example" {
|
||||
source = "./fabric/modules/compute-vm"
|
||||
project_id = var.project_id
|
||||
zone = "${var.region}-b"
|
||||
name = "test"
|
||||
source = "./fabric/modules/compute-vm"
|
||||
project_id = var.project_id
|
||||
project_number = 12345678
|
||||
zone = "${var.region}-b"
|
||||
name = "test"
|
||||
network_interfaces = [{
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
}]
|
||||
tag_bindings = {
|
||||
"tagKeys/1234567890" = "tagValues/7890123456"
|
||||
dev = "tagValues/1234567890"
|
||||
}
|
||||
}
|
||||
# tftest inventory=tag-bindings.yaml
|
||||
# tftest modules=1 resources=2
|
||||
```
|
||||
|
||||
### Resource Manager Tags (firewall)
|
||||
|
||||
Network-scoped resource manager tags (or "secure tags") bindings for use in firewall rules are supported with similar limitations as in the section above, via a separate `tag_bindings_firewall` variable that only applies bindings to the instance and not the boot disk.
|
||||
|
||||
This is an example of setting both types of tag bindings:
|
||||
This example uses immutable tag bindings, and will trigger recreation if those are changed.
|
||||
|
||||
```hcl
|
||||
module "simple-vm-example" {
|
||||
@@ -872,13 +867,9 @@ module "simple-vm-example" {
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
}]
|
||||
tag_bindings = {
|
||||
tag_bindings_immutable = {
|
||||
"tagKeys/1234567890" = "tagValues/7890123456"
|
||||
}
|
||||
# tags here need to be scoped to a VPC
|
||||
tag_bindings_firewall = {
|
||||
"tagKeys/5678901234" = "tagValues/3456789012"
|
||||
}
|
||||
}
|
||||
# tftest inventory=tag-bindings.yaml
|
||||
```
|
||||
@@ -917,37 +908,39 @@ module "sole-tenancy" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L270) | Instance name. | <code>string</code> | ✓ | |
|
||||
| [network_interfaces](variables.tf#L282) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | <code title="list(object({ network = string subnetwork = string alias_ips = optional(map(string), {}) nat = optional(bool, false) nic_type = optional(string) stack_type = optional(string) addresses = optional(object({ internal = optional(string) external = optional(string) }), null) }))">list(object({…}))</code> | ✓ | |
|
||||
| [project_id](variables.tf#L355) | Project id. | <code>string</code> | ✓ | |
|
||||
| [zone](variables.tf#L453) | Compute zone. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L271) | Instance name. | <code>string</code> | ✓ | |
|
||||
| [network_interfaces](variables.tf#L283) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | <code title="list(object({ network = string subnetwork = string alias_ips = optional(map(string), {}) nat = optional(bool, false) nic_type = optional(string) stack_type = optional(string) addresses = optional(object({ internal = optional(string) external = optional(string) }), null) }))">list(object({…}))</code> | ✓ | |
|
||||
| [project_id](variables.tf#L363) | Project id. | <code>string</code> | ✓ | |
|
||||
| [zone](variables.tf#L476) | Compute zone. | <code>string</code> | ✓ | |
|
||||
| [attached_disk_defaults](variables.tf#L17) | Defaults for attached disks options. | <code title="object({ auto_delete = optional(bool, false) mode = string replica_zone = string type = string })">object({…})</code> | | <code title="{ auto_delete = true mode = "READ_WRITE" replica_zone = null type = "pd-balanced" }">{…}</code> |
|
||||
| [attached_disks](variables.tf#L37) | Additional disks, if options is null defaults will be used in its place. Source type is one of 'image' (zonal disks in vms and template), 'snapshot' (vm), 'existing', and null. | <code title="list(object({ name = string device_name = optional(string) size = string snapshot_schedule = optional(list(string)) source = optional(string) source_type = optional(string) options = optional( object({ auto_delete = optional(bool, false) mode = optional(string, "READ_WRITE") replica_zone = optional(string) type = optional(string, "pd-balanced") }), { auto_delete = true mode = "READ_WRITE" replica_zone = null type = "pd-balanced" } ) }))">list(object({…}))</code> | | <code>[]</code> |
|
||||
| [boot_disk](variables.tf#L83) | Boot disk properties. | <code title="object({ auto_delete = optional(bool, true) snapshot_schedule = optional(list(string)) source = optional(string) initialize_params = optional(object({ image = optional(string, "projects/debian-cloud/global/images/family/debian-11") size = optional(number, 10) type = optional(string, "pd-balanced") })) use_independent_disk = optional(bool, false) })">object({…})</code> | | <code title="{ initialize_params = {} }">{…}</code> |
|
||||
| [boot_disk](variables.tf#L83) | Boot disk properties. | <code title="object({ auto_delete = optional(bool, true) snapshot_schedule = optional(list(string)) source = optional(string) initialize_params = optional(object({ image = optional(string, "projects/debian-cloud/global/images/family/debian-11") size = optional(number, 10) type = optional(string, "pd-balanced") }), {}) use_independent_disk = optional(bool, false) })">object({…})</code> | | <code title="{ initialize_params = {} }">{…}</code> |
|
||||
| [can_ip_forward](variables.tf#L117) | Enable IP forwarding. | <code>bool</code> | | <code>false</code> |
|
||||
| [confidential_compute](variables.tf#L123) | Enable Confidential Compute for these instances. | <code>bool</code> | | <code>false</code> |
|
||||
| [create_template](variables.tf#L129) | Create instance template instead of instances. | <code>bool</code> | | <code>false</code> |
|
||||
| [description](variables.tf#L134) | Description of a Compute Instance. | <code>string</code> | | <code>"Managed by the compute-vm Terraform module."</code> |
|
||||
| [enable_display](variables.tf#L140) | Enable virtual display on the instances. | <code>bool</code> | | <code>false</code> |
|
||||
| [encryption](variables.tf#L146) | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | <code title="object({ encrypt_boot = optional(bool, false) disk_encryption_key_raw = optional(string) kms_key_self_link = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [gpu](variables.tf#L156) | GPU information. Based on https://cloud.google.com/compute/docs/gpus. | <code title="object({ count = number type = string })">object({…})</code> | | <code>null</code> |
|
||||
| [group](variables.tf#L191) | Define this variable to create an instance group for instances. Disabled for template use. | <code title="object({ named_ports = map(number) })">object({…})</code> | | <code>null</code> |
|
||||
| [hostname](variables.tf#L199) | Instance FQDN name. | <code>string</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L205) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [instance_schedule](variables.tf#L211) | Assign or create and assign an instance schedule policy. Either resource policy id or create_config must be specified if not null. Set active to null to dtach a policy from vm before destroying. | <code title="object({ resource_policy_id = optional(string) create_config = optional(object({ active = optional(bool, true) description = optional(string) expiration_time = optional(string) start_time = optional(string) timezone = optional(string, "UTC") vm_start = optional(string) vm_stop = optional(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [instance_type](variables.tf#L246) | Instance type. | <code>string</code> | | <code>"f1-micro"</code> |
|
||||
| [labels](variables.tf#L252) | Instance labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [metadata](variables.tf#L258) | Instance metadata. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [min_cpu_platform](variables.tf#L264) | Minimum CPU platform. | <code>string</code> | | <code>null</code> |
|
||||
| [network_attached_interfaces](variables.tf#L275) | Network interfaces using network attachments. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [options](variables.tf#L298) | Instance options. | <code title="object({ advanced_machine_features = optional(object({ enable_nested_virtualization = optional(bool) enable_turbo_mode = optional(bool) enable_uefi_networking = optional(bool) performance_monitoring_unit = optional(string) threads_per_core = optional(number) visible_core_count = optional(number) })) allow_stopping_for_update = optional(bool, true) deletion_protection = optional(bool, false) graceful_shutdown = optional(object({ enabled = optional(bool, false) max_duration_secs = optional(number) })) max_run_duration = optional(object({ nanos = optional(number) seconds = number })) node_affinities = optional(map(object({ values = list(string) in = optional(bool, true) })), {}) spot = optional(bool, false) termination_action = optional(string) })">object({…})</code> | | <code title="{ allow_stopping_for_update = true deletion_protection = false spot = false termination_action = null }">{…}</code> |
|
||||
| [scratch_disks](variables.tf#L360) | Scratch disks configuration. | <code title="object({ count = number interface = string })">object({…})</code> | | <code title="{ count = 0 interface = "NVME" }">{…}</code> |
|
||||
| [service_account](variables.tf#L372) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | <code title="object({ auto_create = optional(bool, false) email = optional(string) scopes = optional(list(string)) })">object({…})</code> | | <code>{}</code> |
|
||||
| [shielded_config](variables.tf#L382) | Shielded VM configuration of the instances. | <code title="object({ enable_secure_boot = bool enable_vtpm = bool enable_integrity_monitoring = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [snapshot_schedules](variables.tf#L392) | Snapshot schedule resource policies that can be attached to disks. | <code title="map(object({ schedule = object({ daily = optional(object({ days_in_cycle = number start_time = string })) hourly = optional(object({ hours_in_cycle = number start_time = string })) weekly = optional(list(object({ day = string start_time = string }))) }) description = optional(string) retention_policy = optional(object({ max_retention_days = number on_source_disk_delete_keep = optional(bool) })) snapshot_properties = optional(object({ chain_name = optional(string) guest_flush = optional(bool) labels = optional(map(string)) storage_locations = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L435) | Resource manager tag bindings for this instance, in tag key => tag value format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tag_bindings_firewall](variables.tf#L441) | Firewall (network scoped) tag bindings for this instance, in tag key => tag value format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L447) | Instance network tags for firewall rule targets. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [description](variables.tf#L135) | Description of a Compute Instance. | <code>string</code> | | <code>"Managed by the compute-vm Terraform module."</code> |
|
||||
| [enable_display](variables.tf#L141) | Enable virtual display on the instances. | <code>bool</code> | | <code>false</code> |
|
||||
| [encryption](variables.tf#L147) | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | <code title="object({ encrypt_boot = optional(bool, false) disk_encryption_key_raw = optional(string) kms_key_self_link = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [gpu](variables.tf#L157) | GPU information. Based on https://cloud.google.com/compute/docs/gpus. | <code title="object({ count = number type = string })">object({…})</code> | | <code>null</code> |
|
||||
| [group](variables.tf#L192) | Define this variable to create an instance group for instances. Disabled for template use. | <code title="object({ named_ports = map(number) })">object({…})</code> | | <code>null</code> |
|
||||
| [hostname](variables.tf#L200) | Instance FQDN name. | <code>string</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L206) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [instance_schedule](variables.tf#L212) | Assign or create and assign an instance schedule policy. Either resource policy id or create_config must be specified if not null. Set active to null to dtach a policy from vm before destroying. | <code title="object({ resource_policy_id = optional(string) create_config = optional(object({ active = optional(bool, true) description = optional(string) expiration_time = optional(string) start_time = optional(string) timezone = optional(string, "UTC") vm_start = optional(string) vm_stop = optional(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [instance_type](variables.tf#L247) | Instance type. | <code>string</code> | | <code>"f1-micro"</code> |
|
||||
| [labels](variables.tf#L253) | Instance labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [metadata](variables.tf#L259) | Instance metadata. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [min_cpu_platform](variables.tf#L265) | Minimum CPU platform. | <code>string</code> | | <code>null</code> |
|
||||
| [network_attached_interfaces](variables.tf#L276) | Network interfaces using network attachments. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [network_tag_bindings](variables.tf#L299) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance only for networking purposes, and modifiable without impacting the main resource lifecycle. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [options](variables.tf#L306) | Instance options. | <code title="object({ advanced_machine_features = optional(object({ enable_nested_virtualization = optional(bool) enable_turbo_mode = optional(bool) enable_uefi_networking = optional(bool) performance_monitoring_unit = optional(string) threads_per_core = optional(number) visible_core_count = optional(number) })) allow_stopping_for_update = optional(bool, true) deletion_protection = optional(bool, false) graceful_shutdown = optional(object({ enabled = optional(bool, false) max_duration_secs = optional(number) })) max_run_duration = optional(object({ nanos = optional(number) seconds = number })) node_affinities = optional(map(object({ values = list(string) in = optional(bool, true) })), {}) spot = optional(bool, false) termination_action = optional(string) })">object({…})</code> | | <code title="{ allow_stopping_for_update = true deletion_protection = false spot = false termination_action = null }">{…}</code> |
|
||||
| [project_number](variables.tf#L368) | Project number. Used in tag bindings to avoid a permadiff. | <code>string</code> | | <code>null</code> |
|
||||
| [scratch_disks](variables.tf#L374) | Scratch disks configuration. | <code title="object({ count = number interface = string })">object({…})</code> | | <code title="{ count = 0 interface = "NVME" }">{…}</code> |
|
||||
| [service_account](variables.tf#L386) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | <code title="object({ auto_create = optional(bool, false) email = optional(string) scopes = optional(list(string)) })">object({…})</code> | | <code>{}</code> |
|
||||
| [shielded_config](variables.tf#L396) | Shielded VM configuration of the instances. | <code title="object({ enable_secure_boot = bool enable_vtpm = bool enable_integrity_monitoring = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [snapshot_schedules](variables.tf#L406) | Snapshot schedule resource policies that can be attached to disks. | <code title="map(object({ schedule = object({ daily = optional(object({ days_in_cycle = number start_time = string })) hourly = optional(object({ hours_in_cycle = number start_time = string })) weekly = optional(list(object({ day = string start_time = string }))) }) description = optional(string) retention_policy = optional(object({ max_retention_days = number on_source_disk_delete_keep = optional(bool) })) snapshot_properties = optional(object({ chain_name = optional(string) guest_flush = optional(bool) labels = optional(map(string)) storage_locations = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L449) | Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance and zonal disks, and modifiable without impacting the main resource lifecycle. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [tag_bindings_immutable](variables.tf#L456) | Immutable resource manager tag bindings, in tagKeys/id => tagValues/id format. These are set on the instance or instance template at creation time, and trigger recreation if changed. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L470) | Instance network tags for firewall rule targets. | <code>list(string)</code> | | <code>[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -60,14 +60,6 @@ locals {
|
||||
)
|
||||
)
|
||||
}
|
||||
tags_combined = (
|
||||
var.tag_bindings == null && var.tag_bindings_firewall == null
|
||||
? null
|
||||
: merge(
|
||||
coalesce(var.tag_bindings, {}),
|
||||
coalesce(var.tag_bindings_firewall, {})
|
||||
)
|
||||
)
|
||||
termination_action = (
|
||||
var.options.spot || var.options.max_run_duration != null ? coalesce(var.options.termination_action, "STOP") : null
|
||||
)
|
||||
@@ -245,7 +237,7 @@ resource "google_compute_instance" "default" {
|
||||
image = var.boot_disk.initialize_params.image
|
||||
size = var.boot_disk.initialize_params.size
|
||||
type = var.boot_disk.initialize_params.type
|
||||
resource_manager_tags = var.tag_bindings
|
||||
resource_manager_tags = var.tag_bindings_immutable
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -359,9 +351,9 @@ resource "google_compute_instance" "default" {
|
||||
}
|
||||
|
||||
dynamic "params" {
|
||||
for_each = local.tags_combined == null ? [] : [""]
|
||||
for_each = var.tag_bindings_immutable == null ? [] : [""]
|
||||
content {
|
||||
resource_manager_tags = local.tags_combined
|
||||
resource_manager_tags = var.tag_bindings_immutable
|
||||
}
|
||||
}
|
||||
|
||||
@@ -397,7 +389,7 @@ resource "google_compute_instance_template" "default" {
|
||||
can_ip_forward = var.can_ip_forward
|
||||
metadata = var.metadata
|
||||
labels = var.labels
|
||||
resource_manager_tags = local.tags_combined
|
||||
resource_manager_tags = var.tag_bindings_immutable
|
||||
|
||||
dynamic "advanced_machine_features" {
|
||||
for_each = local.advanced_mf != null ? [""] : []
|
||||
@@ -418,7 +410,7 @@ resource "google_compute_instance_template" "default" {
|
||||
boot = true
|
||||
disk_size_gb = var.boot_disk.initialize_params.size
|
||||
disk_type = var.boot_disk.initialize_params.type
|
||||
resource_manager_tags = var.tag_bindings
|
||||
resource_manager_tags = var.tag_bindings_immutable
|
||||
source_image = var.boot_disk.initialize_params.image
|
||||
|
||||
dynamic "disk_encryption_key" {
|
||||
@@ -467,7 +459,7 @@ resource "google_compute_instance_template" "default" {
|
||||
disk_name = (
|
||||
config.value.source_type != "attach" ? config.value.name : null
|
||||
)
|
||||
resource_manager_tags = var.tag_bindings
|
||||
resource_manager_tags = var.tag_bindings_immutable
|
||||
type = "PERSISTENT"
|
||||
dynamic "disk_encryption_key" {
|
||||
for_each = var.encryption != null ? [""] : []
|
||||
|
||||
@@ -16,21 +16,102 @@
|
||||
|
||||
# tfdoc:file:description Tag bindings.
|
||||
|
||||
# TODO: re-implement once the following have been addressed in the provider
|
||||
# - permadiff in google_tags_location_tag_binding which returns a project
|
||||
# number in the tag id even when a project id is set
|
||||
# - no numeric id exposed from the google_compute_disk resource making it
|
||||
# impossible to derive the tag binding parent
|
||||
# - google_compute_instance.params.resource_manager_tags and
|
||||
# google_compute_instance.boot_disk.initialize_params.resource_manager_tags
|
||||
# attributes need a map of tag key => tag value, while only the tag value
|
||||
# is really needed by the API
|
||||
locals {
|
||||
boot_disk_tags = flatten([
|
||||
for k, v in var.tag_bindings : [
|
||||
for dk, dv in google_compute_disk.boot : {
|
||||
disk_id = dv.disk_id
|
||||
key = "${dk}/${k}"
|
||||
tag_value = v
|
||||
}
|
||||
]
|
||||
])
|
||||
disk_tags = flatten([
|
||||
for k, v in var.tag_bindings : [
|
||||
for dk, dv in google_compute_disk.disks : {
|
||||
disk_id = dv.disk_id
|
||||
key = "${dk}/${k}"
|
||||
tag_value = v
|
||||
}
|
||||
]
|
||||
])
|
||||
# region_disk_tags = flatten([
|
||||
# for k, v in var.tag_bindings : [
|
||||
# for dk, dv in google_compute_region_disk.disks : {
|
||||
# disk_id = dv.disk_id
|
||||
# key = "${dk}/${k}"
|
||||
# tag_value = v
|
||||
# }
|
||||
# ]
|
||||
# ])
|
||||
tag_parent_base = format(
|
||||
"//compute.googleapis.com/projects/%s",
|
||||
coalesce(var.project_number, var.project_id)
|
||||
)
|
||||
}
|
||||
|
||||
# resource "google_tags_location_tag_binding" "instance" {
|
||||
# for_each = var.create_template ? {} : coalesce(var.tag_bindings, {})
|
||||
# use a different resource to avoid overlapping key issues
|
||||
|
||||
resource "google_tags_location_tag_binding" "network" {
|
||||
for_each = var.create_template ? {} : var.network_tag_bindings
|
||||
parent = (
|
||||
"${local.tag_parent_base}/zones/${var.zone}/instances/${google_compute_instance.default[0].instance_id}"
|
||||
)
|
||||
tag_value = each.value
|
||||
location = var.zone
|
||||
}
|
||||
|
||||
resource "google_tags_location_tag_binding" "instance" {
|
||||
for_each = var.create_template ? {} : var.tag_bindings
|
||||
parent = (
|
||||
"${local.tag_parent_base}/zones/${var.zone}/instances/${google_compute_instance.default[0].instance_id}"
|
||||
)
|
||||
tag_value = each.value
|
||||
location = var.zone
|
||||
}
|
||||
|
||||
resource "google_tags_location_tag_binding" "boot_disks" {
|
||||
for_each = (
|
||||
var.create_template ? {} : { for v in local.boot_disk_tags : v.key => v }
|
||||
)
|
||||
parent = (
|
||||
"${local.tag_parent_base}/zones/${var.zone}/disks/${each.value.disk_id}"
|
||||
)
|
||||
tag_value = each.value.tag_value
|
||||
location = var.zone
|
||||
}
|
||||
|
||||
resource "google_tags_location_tag_binding" "disks" {
|
||||
for_each = (
|
||||
var.create_template ? {} : { for v in local.disk_tags : v.key => v }
|
||||
)
|
||||
parent = (
|
||||
"${local.tag_parent_base}/zones/${var.zone}/disks/${each.value.disk_id}"
|
||||
)
|
||||
tag_value = each.value.tag_value
|
||||
location = var.zone
|
||||
}
|
||||
|
||||
# TODO: enable once regional disks support disk_id
|
||||
|
||||
# resource "google_tags_location_tag_binding" "disks_regional" {
|
||||
# for_each = (
|
||||
# var.create_template ? {} : { for v in local.region_disk_tags : v.key => v }
|
||||
# )
|
||||
# parent = (
|
||||
# "${local.tag_parent_base}/instances/${google_compute_instance.default[0].instance_id}"
|
||||
# "${local.tag_parent_base}/regions/${local.region}/disks/${each.value.disk_id}"
|
||||
# )
|
||||
# tag_value = each.value.tag_value
|
||||
# location = local.region
|
||||
# }
|
||||
|
||||
# TODO: enable once the template id is available
|
||||
|
||||
# resource "google_tags_location_tag_binding" "template" {
|
||||
# for_each = var.create_template ? var.tag_bindings : {}
|
||||
# parent = (
|
||||
# "${local.tag_parent_base}/regions/${local.region}/instanceTemplates/${google_compute_instance.default[0].instance_id}"
|
||||
# )
|
||||
# tag_value = each.value
|
||||
# location = var.zone
|
||||
# location = local.region
|
||||
# }
|
||||
|
||||
@@ -90,7 +90,7 @@ variable "boot_disk" {
|
||||
image = optional(string, "projects/debian-cloud/global/images/family/debian-11")
|
||||
size = optional(number, 10)
|
||||
type = optional(string, "pd-balanced")
|
||||
}))
|
||||
}), {})
|
||||
use_independent_disk = optional(bool, false)
|
||||
})
|
||||
default = {
|
||||
@@ -131,6 +131,7 @@ variable "create_template" {
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Description of a Compute Instance."
|
||||
type = string
|
||||
@@ -295,6 +296,13 @@ variable "network_interfaces" {
|
||||
}))
|
||||
}
|
||||
|
||||
variable "network_tag_bindings" {
|
||||
description = "Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance only for networking purposes, and modifiable without impacting the main resource lifecycle."
|
||||
type = map(string)
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "options" {
|
||||
description = "Instance options."
|
||||
type = object({
|
||||
@@ -357,6 +365,12 @@ variable "project_id" {
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "project_number" {
|
||||
description = "Project number. Used in tag bindings to avoid a permadiff."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "scratch_disks" {
|
||||
description = "Scratch disks configuration."
|
||||
type = object({
|
||||
@@ -433,15 +447,24 @@ variable "snapshot_schedules" {
|
||||
}
|
||||
|
||||
variable "tag_bindings" {
|
||||
description = "Resource manager tag bindings for this instance, in tag key => tag value format."
|
||||
description = "Resource manager tag bindings in arbitrary key => tag key or value id format. Set on both the instance and zonal disks, and modifiable without impacting the main resource lifecycle."
|
||||
type = map(string)
|
||||
default = null
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "tag_bindings_firewall" {
|
||||
description = "Firewall (network scoped) tag bindings for this instance, in tag key => tag value format."
|
||||
variable "tag_bindings_immutable" {
|
||||
description = "Immutable resource manager tag bindings, in tagKeys/id => tagValues/id format. These are set on the instance or instance template at creation time, and trigger recreation if changed."
|
||||
type = map(string)
|
||||
nullable = true
|
||||
default = null
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for k, v in coalesce(var.tag_bindings_immutable, {}) :
|
||||
startswith(k, "tagKeys/") && startswith(v, "tagValues/")
|
||||
])
|
||||
error_message = "Incorrect format for immutable tag bindings."
|
||||
}
|
||||
}
|
||||
|
||||
variable "tags" {
|
||||
|
||||
Reference in New Issue
Block a user