diff --git a/blueprints/apigee/hybrid-gke/mgmt.tf b/blueprints/apigee/hybrid-gke/mgmt.tf
index 1d4f42e1c..76bb22faa 100644
--- a/blueprints/apigee/hybrid-gke/mgmt.tf
+++ b/blueprints/apigee/hybrid-gke/mgmt.tf
@@ -28,7 +28,9 @@ module "mgmt_server" {
nat = false
addresses = null
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
boot_disk = {
initialize_params = {
image = var.mgmt_server_config.image
diff --git a/blueprints/cloud-operations/adfs/main.tf b/blueprints/cloud-operations/adfs/main.tf
index 686e9fc6e..d6d31f849 100644
--- a/blueprints/cloud-operations/adfs/main.tf
+++ b/blueprints/cloud-operations/adfs/main.tf
@@ -79,7 +79,9 @@ module "server" {
-Force
EOT
}
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
boot_disk = {
initialize_params = {
image = var.image
diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf
index 55e25e776..fc25b257a 100644
--- a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf
+++ b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf
@@ -110,9 +110,11 @@ module "vm-ns-editor" {
nat = false
addresses = null
}]
- metadata = { startup-script = local.startup-script }
- service_account_create = true
- tags = ["ssh"]
+ metadata = { startup-script = local.startup-script }
+ service_account = {
+ auto_create = true
+ }
+ tags = ["ssh"]
}
module "vm-svc-editor" {
@@ -126,7 +128,9 @@ module "vm-svc-editor" {
nat = false
addresses = null
}]
- metadata = { startup-script = local.startup-script }
- service_account_create = true
- tags = ["ssh"]
+ metadata = { startup-script = local.startup-script }
+ service_account = {
+ auto_create = true
+ }
+ tags = ["ssh"]
}
diff --git a/blueprints/data-solutions/cloudsql-multiregion/gce.tf b/blueprints/data-solutions/cloudsql-multiregion/gce.tf
index f5e8cd1d0..07c48706e 100644
--- a/blueprints/data-solutions/cloudsql-multiregion/gce.tf
+++ b/blueprints/data-solutions/cloudsql-multiregion/gce.tf
@@ -43,8 +43,9 @@ module "test-vm" {
options = null
}
]
- service_account = module.service-account-sql.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ service_account = {
+ email = module.service-account-sql.email
+ }
boot_disk = {
initialize_params = {
image = "projects/debian-cloud/global/images/family/debian-10"
diff --git a/blueprints/data-solutions/sqlserver-alwayson/instances.tf b/blueprints/data-solutions/sqlserver-alwayson/instances.tf
index ab9f12171..33eabd8f0 100644
--- a/blueprints/data-solutions/sqlserver-alwayson/instances.tf
+++ b/blueprints/data-solutions/sqlserver-alwayson/instances.tf
@@ -53,15 +53,12 @@ locals {
# Nodes
module "nodes" {
- source = "../../../modules/compute-vm"
- for_each = toset(local.node_netbios_names)
-
- project_id = var.project_id
- zone = local.node_zones[each.value]
- name = each.value
-
+ source = "../../../modules/compute-vm"
+ for_each = toset(local.node_netbios_names)
+ project_id = var.project_id
+ zone = local.node_zones[each.value]
+ name = each.value
instance_type = var.node_instance_type
-
network_interfaces = [{
network = local.network
subnetwork = local.subnetwork
@@ -70,7 +67,6 @@ module "nodes" {
internal = module.ip-addresses.internal_addresses[each.value].address
}
}]
-
boot_disk = {
initialize_params = {
image = var.node_image
@@ -78,7 +74,6 @@ module "nodes" {
size = var.boot_disk_size
}
}
-
attached_disks = [{
name = "${each.value}-datadisk"
size = var.data_disk_size
@@ -86,35 +81,28 @@ module "nodes" {
source = null
options = null
}]
-
- service_account = module.compute-service-account.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ service_account = {
+ email = module.compute-service-account.email
+ }
metadata = {
enable-wsfc = "true"
sysprep-specialize-script-ps1 = local.scripts["specialize-node"]
windows-startup-script-ps1 = local.scripts["windows-startup-node"]
}
-
group = {
named_ports = {
}
}
-
- service_account_create = false
- create_template = false
}
# Witness
module "witness" {
- source = "../../../modules/compute-vm"
- for_each = toset([local.witness_netbios_name])
-
- project_id = var.project_id
- zone = local.node_zones[each.value]
- name = each.value
-
+ source = "../../../modules/compute-vm"
+ for_each = toset([local.witness_netbios_name])
+ project_id = var.project_id
+ zone = local.node_zones[each.value]
+ name = each.value
instance_type = var.witness_instance_type
-
network_interfaces = [{
network = local.network
subnetwork = local.subnetwork
@@ -123,20 +111,16 @@ module "witness" {
internal = module.ip-addresses.internal_addresses[each.value].address
}
}]
-
boot_disk = {
image = var.witness_image
type = "pd-ssd"
size = var.boot_disk_size
}
-
- service_account = module.witness-service-account.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ service_account = {
+ email = module.witness-service-account.email
+ }
metadata = {
sysprep-specialize-script-ps1 = local.scripts["specialize-witness"]
windows-startup-script-ps1 = local.scripts["windows-startup-witness"]
}
-
- service_account_create = false
- create_template = false
}
diff --git a/blueprints/gke/autopilot/mgmt.tf b/blueprints/gke/autopilot/mgmt.tf
index 35ff760ad..15a8ccb2e 100644
--- a/blueprints/gke/autopilot/mgmt.tf
+++ b/blueprints/gke/autopilot/mgmt.tf
@@ -30,7 +30,9 @@ module "mgmt_server" {
nat = false
addresses = null
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
boot_disk = {
initialize_params = {
image = var.mgmt_server_config.image
diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vm.tf b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vm.tf
index 8c6a19f3c..033473987 100644
--- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vm.tf
+++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vm.tf
@@ -28,7 +28,9 @@ module "mgmt_server" {
nat = false
addresses = null
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
boot_disk = {
initialize_params = {
image = var.mgmt_server_config.image
diff --git a/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf
index 2d40721bf..c9a7614ba 100644
--- a/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf
+++ b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf
@@ -298,8 +298,9 @@ module "proxy-vm" {
user-data = !var.tls ? module.cos-nginx.0.cloud_config : module.cos-nginx-tls.0.cloud_config
google-logging-enabled = true
}
- service_account = module.service-account-proxy.email
- service_account_create = false
+ service_account = {
+ email = module.service-account-proxy.email
+ }
}
module "glb" {
diff --git a/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf b/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf
index c122e4545..f687ff2b1 100644
--- a/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf
+++ b/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf
@@ -240,10 +240,11 @@ module "vm-test1" {
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
}]
- metadata = { startup-script = local.vm-startup-script }
- service_account = module.service-account-gce.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- tags = ["ssh"]
+ metadata = { startup-script = local.vm-startup-script }
+ service_account = {
+ email = module.service-account-gce.email
+ }
+ tags = ["ssh"]
}
module "vm-test2" {
@@ -257,10 +258,11 @@ module "vm-test2" {
nat = false
addresses = null
}]
- metadata = { startup-script = local.vm-startup-script }
- service_account = module.service-account-gce.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- tags = ["ssh"]
+ metadata = { startup-script = local.vm-startup-script }
+ service_account = {
+ email = module.service-account-gce.email
+ }
+ tags = ["ssh"]
}
################################################################################
@@ -322,7 +324,8 @@ module "vm-onprem" {
network = module.vpc.name
subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
}]
- service_account = module.service-account-onprem.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- tags = ["ssh"]
+ service_account = {
+ email = module.service-account-onprem.email
+ }
+ tags = ["ssh"]
}
diff --git a/blueprints/networking/filtering-proxy-psc/consumer.tf b/blueprints/networking/filtering-proxy-psc/consumer.tf
index 6668afb72..08f5b4138 100644
--- a/blueprints/networking/filtering-proxy-psc/consumer.tf
+++ b/blueprints/networking/filtering-proxy-psc/consumer.tf
@@ -48,7 +48,9 @@ module "test-vm-consumer" {
nat = false
addresses = null
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
metadata = {
startup-script = templatefile("${path.module}/startup.sh", { proxy_url = "http://proxy.internal:3128" })
}
diff --git a/blueprints/networking/filtering-proxy-psc/main.tf b/blueprints/networking/filtering-proxy-psc/main.tf
index 457522a4d..319217cd1 100644
--- a/blueprints/networking/filtering-proxy-psc/main.tf
+++ b/blueprints/networking/filtering-proxy-psc/main.tf
@@ -155,8 +155,9 @@ module "squid-vm" {
image = "cos-cloud/cos-stable"
}
}
- service_account = module.service-account-squid.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ service_account = {
+ email = module.service-account-squid.email
+ }
metadata = {
user-data = module.cos-squid.cloud_config
google-logging-enabled = true
diff --git a/blueprints/networking/filtering-proxy/main.tf b/blueprints/networking/filtering-proxy/main.tf
index d6fce6d0a..b9072a21d 100644
--- a/blueprints/networking/filtering-proxy/main.tf
+++ b/blueprints/networking/filtering-proxy/main.tf
@@ -167,8 +167,9 @@ module "squid-vm" {
image = "cos-cloud/cos-stable"
}
}
- service_account = module.service-account-squid.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ service_account = {
+ email = module.service-account-squid.email
+ }
metadata = {
user-data = module.cos-squid.cloud_config
}
@@ -270,5 +271,7 @@ module "test-vm" {
nat = false
addresses = null
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
}
diff --git a/blueprints/networking/glb-hybrid-neg-internal/nva.tf b/blueprints/networking/glb-hybrid-neg-internal/nva.tf
index 5db9b5488..3f61fa563 100644
--- a/blueprints/networking/glb-hybrid-neg-internal/nva.tf
+++ b/blueprints/networking/glb-hybrid-neg-internal/nva.tf
@@ -17,15 +17,16 @@
# tfdoc:file:description Network Virtual Appliances (NVAs).
module "nva_instance_templates" {
- for_each = var.regions
- source = "../../../modules/compute-vm"
- project_id = module.project_landing.project_id
- can_ip_forward = true
- create_template = true
- name = "nva-${each.value}"
- service_account_create = true
- zone = local.zones[each.key]
-
+ for_each = var.regions
+ source = "../../../modules/compute-vm"
+ project_id = module.project_landing.project_id
+ can_ip_forward = true
+ create_template = true
+ name = "nva-${each.value}"
+ service_account = {
+ auto_create = true
+ }
+ zone = local.zones[each.key]
metadata = {
startup-script = templatefile(
"${path.module}/data/nva-startup-script.tftpl",
@@ -36,7 +37,6 @@ module "nva_instance_templates" {
}
)
}
-
network_interfaces = [
{
network = module.vpc_landing_untrusted.self_link
@@ -47,7 +47,6 @@ module "nva_instance_templates" {
subnetwork = module.vpc_landing_trusted.subnet_self_links["${each.value}/trusted-${each.value}"]
}
]
-
tags = [
"http-server",
"https-server",
diff --git a/blueprints/networking/glb-hybrid-neg-internal/spoke.tf b/blueprints/networking/glb-hybrid-neg-internal/spoke.tf
index ceaa2b181..b54f402f2 100644
--- a/blueprints/networking/glb-hybrid-neg-internal/spoke.tf
+++ b/blueprints/networking/glb-hybrid-neg-internal/spoke.tf
@@ -90,28 +90,27 @@ module "nats_spoke_01" {
}
module "test_vms" {
- for_each = var.regions
- source = "../../../modules/compute-vm"
- name = "spoke-01-${each.value}"
- project_id = module.project_spoke_01.project_id
- create_template = var.ilb_create
- service_account_create = true
- zone = local.zones[each.key]
-
+ for_each = var.regions
+ source = "../../../modules/compute-vm"
+ name = "spoke-01-${each.value}"
+ project_id = module.project_spoke_01.project_id
+ zone = local.zones[each.key]
+ service_account = {
+ auto_create = true
+ }
metadata = {
startup-script = "apt update && apt install -y nginx"
}
-
network_interfaces = [{
network = module.vpc_spoke_01.self_link
subnetwork = module.vpc_spoke_01.subnet_self_links["${each.value}/spoke-01-${each.value}"]
}]
-
tags = [
"http-server",
"https-server",
"ssh"
]
+ create_template = var.ilb_create
}
module "test_vm_migs" {
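Review bot: `create_template = var.ilb_create` is moved from the top of the block to after `tags`, while the sibling `nva_instance_templates` in nva.tf (same commit) keeps `create_template` next to `source`, `project_id` and `name`. Keeping the attribute order consistent across the two modules makes the migration hunks easier to audit; suggest leaving `create_template = var.ilb_create` with the other top-level attributes, right after `project_id`, as it was before.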
diff --git a/blueprints/networking/hub-and-spoke-peering/main.tf b/blueprints/networking/hub-and-spoke-peering/main.tf
index 98aac6fbe..0a5be1195 100644
--- a/blueprints/networking/hub-and-spoke-peering/main.tf
+++ b/blueprints/networking/hub-and-spoke-peering/main.tf
@@ -188,10 +188,11 @@ module "vm-hub" {
nat = false
addresses = null
}]
- metadata = { startup-script = local.vm-startup-script }
- service_account = module.service-account-gce.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- tags = ["ssh"]
+ metadata = { startup-script = local.vm-startup-script }
+ service_account = {
+ email = module.service-account-gce.email
+ }
+ tags = ["ssh"]
}
module "vm-spoke-1" {
@@ -205,10 +206,11 @@ module "vm-spoke-1" {
nat = false
addresses = null
}]
- metadata = { startup-script = local.vm-startup-script }
- service_account = module.service-account-gce.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- tags = ["ssh"]
+ metadata = { startup-script = local.vm-startup-script }
+ service_account = {
+ email = module.service-account-gce.email
+ }
+ tags = ["ssh"]
}
module "vm-spoke-2" {
@@ -222,10 +224,11 @@ module "vm-spoke-2" {
nat = false
addresses = null
}]
- metadata = { startup-script = local.vm-startup-script }
- service_account = module.service-account-gce.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- tags = ["ssh"]
+ metadata = { startup-script = local.vm-startup-script }
+ service_account = {
+ email = module.service-account-gce.email
+ }
+ tags = ["ssh"]
}
diff --git a/blueprints/networking/ilb-next-hop/gateways.tf b/blueprints/networking/ilb-next-hop/gateways.tf
index e57e83c8e..458b995de 100644
--- a/blueprints/networking/ilb-next-hop/gateways.tf
+++ b/blueprints/networking/ilb-next-hop/gateways.tf
@@ -21,7 +21,6 @@ module "gw" {
zone = each.value
name = "${var.prefix}-gw-${each.key}"
instance_type = "f1-micro"
-
boot_disk = {
initialize_params = {
image = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2004-lts",
@@ -29,7 +28,6 @@ module "gw" {
size = 10
}
}
-
network_interfaces = [
{
network = module.vpc-left.self_link
@@ -52,11 +50,12 @@ module "gw" {
ip_cidr_right = var.ip_ranges.right
})
}
- service_account = try(
- module.service-accounts.emails["${var.prefix}-gce-vm"], null
- )
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- group = { named_ports = null }
+ service_account = {
+ email = try(
+ module.service-accounts.emails["${var.prefix}-gce-vm"], null
+ )
+ }
+ group = { named_ports = null }
}
module "ilb-left" {
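Review bot: `email = try(module.service-accounts.emails["${var.prefix}-gce-vm"], null)` now means that a failed lookup silently attaches the Compute default service account, since the rewritten module treats a null `email` with `auto_create = false` as "use the default SA" (see the `service_account` local in modules/compute-vm/main.tf). If the key is expected to always exist, drop the `try()` so a missing service account fails the plan rather than quietly running the gateway under the default account: `email = module.service-accounts.emails["${var.prefix}-gce-vm"]`. The same `try(..., null)` fallback appears in vms.tf for `vm-left` and `vm-right`. The `gw` module block starts before this hunk.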
diff --git a/blueprints/networking/ilb-next-hop/vms.tf b/blueprints/networking/ilb-next-hop/vms.tf
index a71a60a07..259eacb09 100644
--- a/blueprints/networking/ilb-next-hop/vms.tf
+++ b/blueprints/networking/ilb-next-hop/vms.tf
@@ -39,10 +39,9 @@ module "vm-left" {
metadata = {
startup-script = local.vm_startup_script
}
- service_account = try(
- module.service-accounts.email, null
- )
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ service_account = {
+ email = try(module.service-accounts.email, null)
+ }
}
module "vm-right" {
@@ -62,8 +61,7 @@ module "vm-right" {
metadata = {
startup-script = local.vm_startup_script
}
- service_account = try(
- module.service-accounts.email, null
- )
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ service_account = {
+ email = try(module.service-accounts.email, null)
+ }
}
diff --git a/blueprints/networking/shared-vpc-gke/main.tf b/blueprints/networking/shared-vpc-gke/main.tf
index 88f484630..3e13f28b2 100644
--- a/blueprints/networking/shared-vpc-gke/main.tf
+++ b/blueprints/networking/shared-vpc-gke/main.tf
@@ -192,7 +192,9 @@ module "vm-bastion" {
"service tinyproxy restart"
])
}
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
}
################################################################################
diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md
index 92a5e3c30..69a68447f 100644
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@@ -9,11 +9,14 @@ In both modes, an optional service account can be created and assigned to either
## Examples
-
- [Examples](#examples)
- [Instance using defaults](#instance-using-defaults)
- [Service account management](#service-account-management)
+ - [Compute default service account](#compute-default-service-account)
+ - [Custom service account](#custom-service-account)
+ - [Custom service account, auto created](#custom-service-account-auto-created)
+ - [No service account](#no-service-account)
- [Disk management](#disk-management)
- [Disk sources](#disk-sources)
- [Disk types and options](#disk-types-and-options)
@@ -50,18 +53,22 @@ module "simple-vm-example" {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
- service_account_create = true
}
-# tftest modules=1 resources=2 inventory=simple.yaml
+# tftest modules=1 resources=1 inventory=defaults.yaml
```
### Service account management
-VM service accounts can be managed in three different ways:
+VM service accounts can be managed in four different ways:
-- You can let the module create a service account for you by setting `service_account_create = true`
-- You can use an existing service account by setting `service_account_create = false` (the default value) and passing the full email address of the service account to the `service_account` variable. This is useful, for example, if you want to reuse the service account from another previously created instance, or if you want to create the service account manually with the `iam-service-account` module. In this case, you probably also want to set `service_account_scopes` to `cloud-platform`.
-- Lastly, you can use the default compute service account by setting `service_account_crate = false`. Please note that using the default compute service account is not recommended.
+- in its default configuration, the module uses the Compute default service account with a basic set of scopes (`devstorage.read_only`, `logging.write`, `monitoring.write`)
+- a custom service account can be used by passing its email in the `service_account.email` variable
+- a custom service account can be created by the module and used by setting the `service_account.auto_create` variable to `true`
+- the instance can be created with no service account by setting the `service_account` variable to `null`
+
+Scopes for custom service accounts are set by default to `cloud-platform` and `userinfo.email`, and can be further customized regardless of which service account is used by directly setting the `service_account.scopes` variable.
+
+#### Compute default service account
```hcl
module "vm-managed-sa-example" {
@@ -73,9 +80,13 @@ module "vm-managed-sa-example" {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
- service_account_create = true
}
+# tftest modules=1 resources=1 inventory=sa-default.yaml
+```
+#### Custom service account
+
+```hcl
module "vm-managed-sa-example2" {
source = "./fabric/modules/compute-vm"
project_id = var.project_id
@@ -85,24 +96,47 @@ module "vm-managed-sa-example2" {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
- service_account = module.vm-managed-sa-example.service_account_email
- service_account_scopes = ["cloud-platform"]
+ service_account = {
+ email = "sa-0@myproj.iam.gserviceaccount.com"
+ }
}
+# tftest modules=1 resources=1 inventory=sa-custom.yaml
+```
-# not recommended
-module "vm-default-sa-example2" {
+#### Custom service account, auto created
+
+```hcl
+module "vm-managed-sa-example2" {
source = "./fabric/modules/compute-vm"
project_id = var.project_id
zone = "europe-west1-b"
- name = "test3"
+ name = "test2"
network_interfaces = [{
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
- service_account_create = false
+ service_account = {
+ auto_create = true
+ }
}
+# tftest modules=1 resources=2 inventory=sa-managed.yaml
+```
-# tftest modules=3 resources=4 inventory=sas.yaml
+#### No service account
+
+```hcl
+module "vm-managed-sa-example2" {
+ source = "./fabric/modules/compute-vm"
+ project_id = var.project_id
+ zone = "europe-west1-b"
+ name = "test2"
+ network_interfaces = [{
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ }]
+ service_account = null
+}
+# tftest modules=1 resources=1 inventory=sa-none.yaml
```
### Disk management
@@ -137,7 +171,9 @@ module "vm-disks-example" {
replica_zone = "${var.region}-c"
}
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
}
# tftest modules=1 resources=2
```
@@ -163,8 +199,10 @@ module "vm-disks-example" {
replica_zone = "${var.region}-c"
}
}]
- service_account_create = true
- create_template = true
+ service_account = {
+ auto_create = true
+ }
+ create_template = true
}
# tftest modules=1 resources=2
```
@@ -205,7 +243,9 @@ module "vm-disk-options-example" {
}
}
]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
}
# tftest modules=1 resources=4 inventory=disk-options.yaml
```
@@ -230,7 +270,9 @@ module "simple-vm-example" {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
}
# tftest modules=1 resources=3 inventory=independent-boot-disk.yaml
```
@@ -331,7 +373,9 @@ module "vm-with-gvnic" {
subnetwork = var.subnet.self_link
nic_type = "GVNIC"
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
}
# tftest modules=1 resources=3 inventory=gvnic.yaml
```
@@ -361,7 +405,9 @@ module "vm-metadata-example" {
apt-get install -y nginx
EOF
}
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
}
# tftest modules=1 resources=2 inventory=metadata.yaml
```
@@ -465,7 +511,9 @@ module "kms-vm-example" {
name = "attached-disk"
size = 10
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
encryption = {
encrypt_boot = true
kms_key_self_link = var.kms_key.self_link
@@ -499,7 +547,9 @@ module "cos-test" {
size = 10
}
]
- service_account = "vm-default@my-project.iam.gserviceaccount.com"
+ service_account = {
+ email = "vm-default@my-project.iam.gserviceaccount.com"
+ }
create_template = true
}
# tftest modules=1 resources=1 inventory=template.yaml
@@ -526,8 +576,10 @@ module "instance-group" {
boot_disk = {
image = "projects/cos-cloud/global/images/family/cos-stable"
}
- service_account = var.service_account.email
- service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ service_account = {
+ email = var.service_account.email
+ scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ }
metadata = {
user-data = local.cloud_config
}
@@ -633,7 +685,7 @@ module "instance" {
| [name](variables.tf#L235) | Instance name. | string | ✓ | |
| [network_interfaces](variables.tf#L240) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | list(object({…})) | ✓ | |
| [project_id](variables.tf#L277) | Project id. | string | ✓ | |
-| [zone](variables.tf#L379) | Compute zone. | string | ✓ | |
+| [zone](variables.tf#L369) | Compute zone. | string | ✓ | |
| [attached_disk_defaults](variables.tf#L17) | Defaults for attached disks options. | object({…}) | | {…} |
| [attached_disks](variables.tf#L37) | Additional disks, if options is null defaults will be used in its place. Source type is one of 'image' (zonal disks in vms and template), 'snapshot' (vm), 'existing', and null. | list(object({…})) | | [] |
| [boot_disk](variables.tf#L83) | Boot disk properties. | object({…}) | | {…} |
@@ -653,13 +705,11 @@ module "instance" {
| [min_cpu_platform](variables.tf#L229) | Minimum CPU platform. | string | | null |
| [options](variables.tf#L255) | Instance options. | object({…}) | | {…} |
| [scratch_disks](variables.tf#L282) | Scratch disks configuration. | object({…}) | | {…} |
-| [service_account](variables.tf#L294) | Service account email. Unused if service account is auto-created. | string | | null |
-| [service_account_create](variables.tf#L300) | Auto-create service account. | bool | | false |
-| [service_account_scopes](variables.tf#L308) | Scopes applied to service account. | list(string) | | [] |
-| [shielded_config](variables.tf#L314) | Shielded VM configuration of the instances. | object({…}) | | null |
-| [snapshot_schedules](variables.tf#L324) | Snapshot schedule resource policies that can be attached to disks. | map(object({…})) | | {} |
-| [tag_bindings](variables.tf#L367) | Tag bindings for this instance, in key => tag value id format. | map(string) | | null |
-| [tags](variables.tf#L373) | Instance network tags for firewall rule targets. | list(string) | | [] |
+| [service_account](variables.tf#L294) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | object({…}) | | {} |
+| [shielded_config](variables.tf#L304) | Shielded VM configuration of the instances. | object({…}) | | null |
+| [snapshot_schedules](variables.tf#L314) | Snapshot schedule resource policies that can be attached to disks. | map(object({…})) | | {} |
+| [tag_bindings](variables.tf#L357) | Tag bindings for this instance, in key => tag value id format. | map(string) | | null |
+| [tags](variables.tf#L363) | Instance network tags for firewall rule targets. | list(string) | | [] |
## Outputs
@@ -668,13 +718,13 @@ module "instance" {
| [external_ip](outputs.tf#L17) | Instance main interface external IP addresses. | |
| [group](outputs.tf#L26) | Instance group resource. | |
| [id](outputs.tf#L31) | Fully qualified instance id. | |
-| [instance](outputs.tf#L36) | Instance resource. | |
-| [internal_ip](outputs.tf#L41) | Instance main interface internal IP address. | |
-| [internal_ips](outputs.tf#L49) | Instance interfaces internal IP addresses. | |
-| [self_link](outputs.tf#L57) | Instance self links. | |
-| [service_account](outputs.tf#L62) | Service account resource. | |
-| [service_account_email](outputs.tf#L69) | Service account email. | |
-| [service_account_iam_email](outputs.tf#L74) | Service account email. | |
+| [instance](outputs.tf#L36) | Instance resource. | ✓ |
+| [internal_ip](outputs.tf#L42) | Instance main interface internal IP address. | |
+| [internal_ips](outputs.tf#L50) | Instance interfaces internal IP addresses. | |
+| [self_link](outputs.tf#L58) | Instance self links. | |
+| [service_account](outputs.tf#L63) | Service account resource. | |
+| [service_account_email](outputs.tf#L68) | Service account email. | |
+| [service_account_iam_email](outputs.tf#L73) | Service account email. | |
| [template](outputs.tf#L82) | Template resource. | |
| [template_name](outputs.tf#L87) | Template name. | |
diff --git a/modules/compute-vm/main.tf b/modules/compute-vm/main.tf
index e79cc18cd..6d20a3238 100644
--- a/modules/compute-vm/main.tf
+++ b/modules/compute-vm/main.tf
@@ -35,31 +35,29 @@ locals {
: "MIGRATE"
)
region = join("-", slice(split("-", var.zone), 0, 2))
- service_account_email = (
- var.service_account_create
- ? (
- length(google_service_account.service_account) > 0
+ service_account = var.service_account == null ? null : {
+ email = (
+ var.service_account.auto_create
? google_service_account.service_account[0].email
- : null
+ : var.service_account.email
)
- : var.service_account
- )
- service_account_scopes = (
- length(var.service_account_scopes) > 0
- ? var.service_account_scopes
- : (
- var.service_account_create
- ? [
- "https://www.googleapis.com/auth/cloud-platform",
- "https://www.googleapis.com/auth/userinfo.email"
- ]
- : [
- "https://www.googleapis.com/auth/devstorage.read_only",
- "https://www.googleapis.com/auth/logging.write",
- "https://www.googleapis.com/auth/monitoring.write"
- ]
+ scopes = (
+ var.service_account.scopes != null ? var.service_account.scopes : (
+ var.service_account.email == null && !var.service_account.auto_create
+ # default scopes for Compute default SA
+ ? [
+ "https://www.googleapis.com/auth/devstorage.read_only",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring.write"
+ ]
+ # default scopes for own SA
+ : [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "https://www.googleapis.com/auth/userinfo.email"
+ ]
+ )
)
- )
+ }
termination_action = var.options.spot ? coalesce(var.options.termination_action, "STOP") : null
}
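Review bot: An explicitly empty `scopes = []` is now passed through verbatim because the test is `var.service_account.scopes != null`, whereas the removed code fell back to the defaults whenever `length(var.service_account_scopes) > 0` was false; a caller migrating from the old `service_account_scopes = []` default would end up with a service account and no scopes. If passing an empty list through is intended, say so in the variable description; otherwise test for a non-empty list with `try(length(var.service_account.scopes), 0) > 0 ? var.service_account.scopes : (`, which also stays safe when `scopes` is null. The inline comment `# default scopes for own SA` would read more precisely as `# default scopes for a custom or auto-created SA`.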
@@ -275,9 +273,12 @@ resource "google_compute_instance" "default" {
}
}
- service_account {
- email = local.service_account_email
- scopes = local.service_account_scopes
+ dynamic "service_account" {
+ for_each = var.service_account == null ? [] : [""]
+ content {
+ email = local.service_account.email
+ scopes = local.service_account.scopes
+ }
}
dynamic "shielded_instance_config" {
@@ -399,9 +400,12 @@ resource "google_compute_instance_template" "default" {
provisioning_model = var.options.spot ? "SPOT" : "STANDARD"
}
- service_account {
- email = local.service_account_email
- scopes = local.service_account_scopes
+ dynamic "service_account" {
+ for_each = var.service_account == null ? [] : [""]
+ content {
+ email = local.service_account.email
+ scopes = local.service_account.scopes
+ }
}
dynamic "shielded_instance_config" {
@@ -442,7 +446,7 @@ resource "google_compute_instance_group" "unmanaged" {
}
resource "google_service_account" "service_account" {
- count = var.service_account_create ? 1 : 0
+ count = try(var.service_account.auto_create, null) == true ? 1 : 0
project = var.project_id
account_id = "tf-vm-${var.name}"
display_name = "Terraform VM ${var.name}."
diff --git a/modules/compute-vm/outputs.tf b/modules/compute-vm/outputs.tf
index a08f24847..f1df0a377 100644
--- a/modules/compute-vm/outputs.tf
+++ b/modules/compute-vm/outputs.tf
@@ -35,6 +35,7 @@ output "id" {
output "instance" {
description = "Instance resource."
+ sensitive = true
value = try(google_compute_instance.default.0, null)
}
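Review bot: `sensitive = true` is added to the `instance` output without any recorded reason, and the README table now just shows a tick. Add a short comment stating what motivates it, e.g. `# sensitive: the instance resource carries metadata/startup scripts that may embed secrets — TODO confirm`, so a later maintainer does not remove it. Note that any value callers derive from this output is itself treated as sensitive by Terraform, which may be a surprise for blueprints that print instance attributes.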
@@ -61,22 +62,21 @@ output "self_link" {
output "service_account" {
description = "Service account resource."
- value = (
- var.service_account_create ? google_service_account.service_account.0 : null
- )
+ value = try(google_service_account.service_account.0, null)
}
output "service_account_email" {
description = "Service account email."
- value = local.service_account_email
+ value = try(local.service_account.email, null)
}
output "service_account_iam_email" {
description = "Service account email."
- value = join("", [
- "serviceAccount:",
- local.service_account_email == null ? "" : local.service_account_email
- ])
+ value = (
+ try(local.service_account.email, null) == null
+ ? null
+ : "serviceAccount:${local.service_account.email}"
+ )
}
output "template" {
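Review bot: `service_account_iam_email` still carries the description `"Service account email."`, identical to `service_account_email`, although the output now yields the IAM member form or null instead of the old `"serviceAccount:"` prefix on its own; suggest `description = "Service account email in IAM member format (serviceAccount:<email>), null when no email is known."`. It is also worth stating in both descriptions that when the Compute default service account is in use (no `email`, no `auto_create`) `local.service_account.email` is null, so both outputs are null and cannot be used to grant IAM to the default account.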
diff --git a/modules/compute-vm/test.tfvars b/modules/compute-vm/test.tfvars
new file mode 100644
index 000000000..5c60eab21
--- /dev/null
+++ b/modules/compute-vm/test.tfvars
@@ -0,0 +1,9 @@
+project_id = "tf-playground-svpc-gce"
+zone = "europe-west8-b"
+name = "test-sa"
+instance_type = "e2-small"
+network_interfaces = [{
+ network = "https://www.googleapis.com/compute/v1/projects/ldj-dev-net-spoke-0/global/networks/dev-spoke-0"
+ subnetwork = "https://www.googleapis.com/compute/v1/projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gce"
+}]
+# service_account = null
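Review bot: `test.tfvars` looks like a local scratch file committed by mistake: it hardcodes environment-specific project and network identifiers (`tf-playground-svpc-gce`, `ldj-dev-net-spoke-0`) inside the module directory, and the trailing commented-out `# service_account = null` reads as ad-hoc toggling during development. Nothing else in the diff references it and the module's tests use the yaml fixtures under `tests/modules/compute_vm/examples/`. Either drop the file or, if a sample tfvars is wanted, replace the identifiers with placeholders such as `my-project` and `my-vpc` consistent with the README examples.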
diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf
index bf33e5172..e6a0a4c36 100644
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
@@ -292,23 +292,13 @@ variable "scratch_disks" {
}
variable "service_account" {
- description = "Service account email. Unused if service account is auto-created."
- type = string
- default = null
-}
-
-variable "service_account_create" {
- description = "Auto-create service account."
- type = bool
- default = false
-}
-
-# scopes and scope aliases list
-# https://cloud.google.com/sdk/gcloud/reference/compute/instances/create#--scopes
-variable "service_account_scopes" {
- description = "Scopes applied to service account."
- type = list(string)
- default = []
+ description = "Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account."
+ type = object({
+ auto_create = optional(bool, false)
+ email = optional(string)
+ scopes = optional(list(string))
+ })
+ default = {}
}
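Review bot: The new description leaves the `scopes` defaulting rule undocumented, while the fixtures in this commit show it differs by case: the default Compute service account gets `devstorage.read_only`, `logging.write` and `monitoring.write`, whereas an auto-created or explicitly passed account gets `cloud-platform` and `userinfo.email`; add a sentence such as `If scopes is null, the default Compute service account gets the read-only default scopes and any other account gets cloud-platform.` The removed comment linking the gcloud `--scopes` reference was the only pointer to the scope alias list and should be carried into the description. Setting `auto_create = true` together with a non-null `email` is accepted by the type, and which one wins depends on `local.service_account` outside this diff; a `validation` block rejecting that combination would make the precedence explicit. It would also help to note that falling back to the default Compute service account keeps whatever project-wide roles that account has been granted, so `auto_create` or an explicit `email` is the choice that yields a dedicated identity.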
variable "shielded_config" {
diff --git a/modules/net-lb-ext/README.md b/modules/net-lb-ext/README.md
index faea7c73b..c63f3ac5f 100644
--- a/modules/net-lb-ext/README.md
+++ b/modules/net-lb-ext/README.md
@@ -14,20 +14,20 @@ This example shows how to reference existing Managed Infrastructure Groups (MIGs
```hcl
module "instance_template" {
- source = "./fabric/modules/compute-vm"
- project_id = var.project_id
- create_template = true
- name = "vm-test"
- service_account_create = true
- zone = "europe-west1-b"
-
+ source = "./fabric/modules/compute-vm"
+ project_id = var.project_id
+ zone = "europe-west1-b"
+ name = "vm-test"
+ create_template = true
+ service_account = {
+ auto_create = true
+ }
network_interfaces = [
{
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}
]
-
tags = [
"http-server"
]
diff --git a/modules/net-lb-int/README.md b/modules/net-lb-int/README.md
index 52a951f46..c5773883c 100644
--- a/modules/net-lb-int/README.md
+++ b/modules/net-lb-int/README.md
@@ -22,20 +22,20 @@ This example shows how to reference existing Managed Infrastructure Groups (MIGs
```hcl
module "instance_template" {
- source = "./fabric/modules/compute-vm"
- project_id = var.project_id
- create_template = true
- name = "vm-test"
- service_account_create = true
- zone = "europe-west1-b"
-
+ source = "./fabric/modules/compute-vm"
+ project_id = var.project_id
+ zone = "europe-west1-b"
+ name = "vm-test"
+ create_template = true
+ service_account = {
+ auto_create = true
+ }
network_interfaces = [
{
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}
]
-
tags = [
"http-server"
]
diff --git a/modules/net-vpn-dynamic/README.md b/modules/net-vpn-dynamic/README.md
index 3a0ea1a3a..5f79ffaaa 100644
--- a/modules/net-vpn-dynamic/README.md
+++ b/modules/net-vpn-dynamic/README.md
@@ -4,7 +4,7 @@
This example shows how to configure a single VPN tunnel using a couple of extra features
-- custom advertisement on the tunnel's BGP session; if custom advertisement is not needed, simply set the `bgp_peer_options` attribute to `null`
+- custom advertisement on the tunnel's BGP session; if custom advertisement is not needed, simply set the `bgp_peer_options` attribute to `null`
- internally generated shared secret, which can be fetched from the module's `random_secret` output for reuse; a predefined secret can be used instead by assigning it to the `shared_secret` attribute
```hcl
@@ -18,10 +18,11 @@ module "vm" {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
}
-
module "vpn-dynamic" {
source = "./fabric/modules/net-vpn-dynamic"
project_id = "my-project"
@@ -31,7 +32,6 @@ module "vpn-dynamic" {
router_config = {
asn = 64514
}
-
tunnels = {
remote-1 = {
bgp_peer = {
diff --git a/tests/modules/compute_vm/examples/defaults.yaml b/tests/modules/compute_vm/examples/defaults.yaml
new file mode 100644
index 000000000..a5a9bfade
--- /dev/null
+++ b/tests/modules/compute_vm/examples/defaults.yaml
@@ -0,0 +1,79 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.simple-vm-example.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ initialize_params:
+ - image: projects/debian-cloud/global/images/family/debian-11
+ resource_manager_tags: null
+ size: 10
+ type: pd-balanced
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ enable_display: false
+ hostname: null
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: test
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags: null
+ timeouts: null
+ zone: europe-west1-b
+
+counts:
+ google_compute_instance: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/simple.yaml b/tests/modules/compute_vm/examples/sa-custom.yaml
similarity index 85%
rename from tests/modules/compute_vm/examples/simple.yaml
rename to tests/modules/compute_vm/examples/sa-custom.yaml
index cfeaa4225..070457fd1 100644
--- a/tests/modules/compute_vm/examples/simple.yaml
+++ b/tests/modules/compute_vm/examples/sa-custom.yaml
@@ -13,7 +13,7 @@
# limitations under the License.
values:
- module.simple-vm-example.google_compute_instance.default[0]:
+ module.vm-managed-sa-example2.google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
@@ -22,20 +22,21 @@ values:
disk_encryption_key_raw: null
initialize_params:
- image: projects/debian-cloud/global/images/family/debian-11
- resource_manager_tags:
+ resource_manager_tags: null
size: 10
type: pd-balanced
mode: READ_WRITE
can_ip_forward: false
deletion_protection: false
description: Managed by the compute-vm Terraform module.
+ desired_status: null
enable_display: false
hostname: null
labels: null
machine_type: f1-micro
metadata: null
metadata_startup_script: null
- name: test
+ name: test2
network_interface:
- access_config: []
alias_ip_range: []
@@ -44,7 +45,10 @@ values:
nic_type: null
queue_count: null
subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
project: project-id
+ resource_policies: null
scheduling:
- automatic_restart: true
instance_termination_action: null
@@ -58,18 +62,18 @@ values:
provisioning_model: STANDARD
scratch_disk: []
service_account:
- - scopes:
+ - email: sa-0@myproj.iam.gserviceaccount.com
+ scopes:
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/userinfo.email
shielded_instance_config: []
tags: null
+ timeouts: null
zone: europe-west1-b
- module.simple-vm-example.google_service_account.service_account[0]:
- account_id: tf-vm-test
- display_name: Terraform VM test.
- project: project-id
-
counts:
google_compute_instance: 1
- google_service_account: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
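Review bot: This fixture, `sa-managed.yaml` and `sa-none.yaml` all key on `module.vm-managed-sa-example2.google_compute_instance.default[0]` with `name: test2`, so three distinct scenarios (custom email, auto-created account, no account) are asserted under one module address and resource name. If the README examples they map to really reuse that module name, renaming each example to match its scenario (e.g. `vm-custom-sa-example`) would make a failing fixture point at the right example instead of an ambiguous one. The README these fixtures pair with is outside this diff, so this is inferred from the fixture addresses alone.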
diff --git a/tests/modules/compute_vm/examples/sa-default.yaml b/tests/modules/compute_vm/examples/sa-default.yaml
new file mode 100644
index 000000000..0879b1dce
--- /dev/null
+++ b/tests/modules/compute_vm/examples/sa-default.yaml
@@ -0,0 +1,79 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.vm-managed-sa-example.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ initialize_params:
+ - image: projects/debian-cloud/global/images/family/debian-11
+ resource_manager_tags: null
+ size: 10
+ type: pd-balanced
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ enable_display: false
+ hostname: null
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: test1
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags: null
+ timeouts: null
+ zone: europe-west1-b
+
+counts:
+ google_compute_instance: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/sa-managed.yaml b/tests/modules/compute_vm/examples/sa-managed.yaml
new file mode 100644
index 000000000..a87182d33
--- /dev/null
+++ b/tests/modules/compute_vm/examples/sa-managed.yaml
@@ -0,0 +1,86 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.vm-managed-sa-example2.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ initialize_params:
+ - image: projects/debian-cloud/global/images/family/debian-11
+ resource_manager_tags: null
+ size: 10
+ type: pd-balanced
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ enable_display: false
+ hostname: null
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: test2
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/cloud-platform
+ - https://www.googleapis.com/auth/userinfo.email
+ shielded_instance_config: []
+ tags: null
+ timeouts: null
+ zone: europe-west1-b
+ module.vm-managed-sa-example2.google_service_account.service_account[0]:
+ account_id: tf-vm-test2
+ description: null
+ disabled: false
+ display_name: Terraform VM test2.
+ project: project-id
+ timeouts: null
+
+counts:
+ google_compute_instance: 1
+ google_service_account: 1
+ modules: 1
+ resources: 2
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/sa-none.yaml b/tests/modules/compute_vm/examples/sa-none.yaml
new file mode 100644
index 000000000..f9365e43a
--- /dev/null
+++ b/tests/modules/compute_vm/examples/sa-none.yaml
@@ -0,0 +1,75 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.vm-managed-sa-example2.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ initialize_params:
+ - image: projects/debian-cloud/global/images/family/debian-11
+ resource_manager_tags: null
+ size: 10
+ type: pd-balanced
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ enable_display: false
+ hostname: null
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: test2
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account: []
+ shielded_instance_config: []
+ tags: null
+ timeouts: null
+ zone: europe-west1-b
+
+counts:
+ google_compute_instance: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/sas.yaml b/tests/modules/compute_vm/examples/sas.yaml
deleted file mode 100644
index 96a948317..000000000
--- a/tests/modules/compute_vm/examples/sas.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.vm-default-sa-example2.google_compute_instance.default[0]:
- name: test3
- project: project-id
- service_account:
- - scopes:
- - https://www.googleapis.com/auth/devstorage.read_only
- - https://www.googleapis.com/auth/logging.write
- - https://www.googleapis.com/auth/monitoring.write
- zone: europe-west1-b
- module.vm-managed-sa-example.google_compute_instance.default[0]:
- name: test1
- project: project-id
- service_account:
- - scopes:
- - https://www.googleapis.com/auth/cloud-platform
- - https://www.googleapis.com/auth/userinfo.email
- zone: europe-west1-b
- module.vm-managed-sa-example.google_service_account.service_account[0]:
- account_id: tf-vm-test1
- display_name: Terraform VM test1.
- project: project-id
- module.vm-managed-sa-example2.google_compute_instance.default[0]:
- name: test2
- project: project-id
- service_account:
- - scopes:
- - https://www.googleapis.com/auth/cloud-platform
- zone: europe-west1-b
-
-counts:
- google_compute_instance: 3
- google_service_account: 1
- modules: 3
- resources: 4
diff --git a/tests/modules/compute_vm/examples/template.yaml b/tests/modules/compute_vm/examples/template.yaml
index 1f1888bfc..38e21cf03 100644
--- a/tests/modules/compute_vm/examples/template.yaml
+++ b/tests/modules/compute_vm/examples/template.yaml
@@ -57,9 +57,8 @@ values:
service_account:
- email: vm-default@my-project.iam.gserviceaccount.com
scopes:
- - https://www.googleapis.com/auth/devstorage.read_only
- - https://www.googleapis.com/auth/logging.write
- - https://www.googleapis.com/auth/monitoring.write
+ - https://www.googleapis.com/auth/cloud-platform
+ - https://www.googleapis.com/auth/userinfo.email
counts:
google_compute_instance_template: 1
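Review bot: The expected scopes for a template that passes an explicit `email` move from the narrow `devstorage.read_only`/`logging.write`/`monitoring.write` set to `cloud-platform` plus `userinfo.email`, so this fixture records a widening of the OAuth scopes attached to explicitly named service accounts rather than a pure refactor. The selection happens in `local.service_account`, outside this diff, so confirm the widening is intended and call it out in the changelog, since callers who relied on the narrow scopes as a second guard around the account's IAM roles lose that limit on upgrade.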