From df5daab6cc6098fe89cb7c3d692ef7d0308c7bc6 Mon Sep 17 00:00:00 2001 
From: Ludovico Magnocavallo Date: Tue, 19 Sep 2023 18:56:51 +0200 Subject: [PATCH] Allow using no service account in compute-vm (#1692) * module and tests * align blueprints * tfdoc * remove stale variables * fix blueprint * variable description --- blueprints/apigee/hybrid-gke/mgmt.tf | 4 +- blueprints/cloud-operations/adfs/main.tf | 4 +- .../dns-fine-grained-iam/main.tf | 16 ++- .../cloudsql-multiregion/gce.tf | 5 +- .../sqlserver-alwayson/instances.tf | 48 +++---- blueprints/gke/autopilot/mgmt.tf | 4 +- .../multi-cluster-mesh-gke-fleet-api/vm.tf | 4 +- .../nginx-reverse-proxy-cluster/main.tf | 5 +- .../onprem-google-access-dns/main.tf | 25 ++-- .../filtering-proxy-psc/consumer.tf | 4 +- .../networking/filtering-proxy-psc/main.tf | 5 +- blueprints/networking/filtering-proxy/main.tf | 9 +- .../networking/glb-hybrid-neg-internal/nva.tf | 21 ++- .../glb-hybrid-neg-internal/spoke.tf | 19 ++- .../networking/hub-and-spoke-peering/main.tf | 27 ++-- .../networking/ilb-next-hop/gateways.tf | 13 +- blueprints/networking/ilb-next-hop/vms.tf | 14 +- blueprints/networking/shared-vpc-gke/main.tf | 4 +- modules/compute-vm/README.md | 132 ++++++++++++------ modules/compute-vm/main.tf | 62 ++++---- modules/compute-vm/outputs.tf | 16 +-- modules/compute-vm/test.tfvars | 9 ++ modules/compute-vm/variables.tf | 24 +--- modules/net-lb-ext/README.md | 16 +-- modules/net-lb-int/README.md | 16 +-- modules/net-vpn-dynamic/README.md | 8 +- .../modules/compute_vm/examples/defaults.yaml | 79 +++++++++++ .../examples/{simple.yaml => sa-custom.yaml} | 24 ++-- .../compute_vm/examples/sa-default.yaml | 79 +++++++++++ .../compute_vm/examples/sa-managed.yaml | 86 ++++++++++++ .../modules/compute_vm/examples/sa-none.yaml | 75 ++++++++++ tests/modules/compute_vm/examples/sas.yaml | 49 ------- .../modules/compute_vm/examples/template.yaml | 5 +- 33 files changed, 622 insertions(+), 289 deletions(-) create mode 100644 modules/compute-vm/test.tfvars create mode 100644 
tests/modules/compute_vm/examples/defaults.yaml rename tests/modules/compute_vm/examples/{simple.yaml => sa-custom.yaml} (85%) create mode 100644 tests/modules/compute_vm/examples/sa-default.yaml create mode 100644 tests/modules/compute_vm/examples/sa-managed.yaml create mode 100644 tests/modules/compute_vm/examples/sa-none.yaml delete mode 100644 tests/modules/compute_vm/examples/sas.yaml diff --git a/blueprints/apigee/hybrid-gke/mgmt.tf b/blueprints/apigee/hybrid-gke/mgmt.tf index 1d4f42e1c..76bb22faa 100644 --- a/blueprints/apigee/hybrid-gke/mgmt.tf +++ b/blueprints/apigee/hybrid-gke/mgmt.tf @@ -28,7 +28,9 @@ module "mgmt_server" { nat = false addresses = null }] - service_account_create = true + service_account = { + auto_create = true + } boot_disk = { initialize_params = { image = var.mgmt_server_config.image diff --git a/blueprints/cloud-operations/adfs/main.tf b/blueprints/cloud-operations/adfs/main.tf index 686e9fc6e..d6d31f849 100644 --- a/blueprints/cloud-operations/adfs/main.tf +++ b/blueprints/cloud-operations/adfs/main.tf @@ -79,7 +79,9 @@ module "server" { -Force EOT } - service_account_create = true + service_account = { + auto_create = true + } boot_disk = { initialize_params = { image = var.image diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf index 55e25e776..fc25b257a 100644 --- a/blueprints/cloud-operations/dns-fine-grained-iam/main.tf +++ b/blueprints/cloud-operations/dns-fine-grained-iam/main.tf @@ -110,9 +110,11 @@ module "vm-ns-editor" { nat = false addresses = null }] - metadata = { startup-script = local.startup-script } - service_account_create = true - tags = ["ssh"] + metadata = { startup-script = local.startup-script } + service_account = { + auto_create = true + } + tags = ["ssh"] } module "vm-svc-editor" { 
@@ -126,7 +128,9 @@ module "vm-svc-editor" { nat = false addresses = null }] - metadata = { startup-script = local.startup-script } - service_account_create = true - tags = ["ssh"] + metadata = { startup-script = local.startup-script } + service_account = { + auto_create = true + } + tags = ["ssh"] } diff --git a/blueprints/data-solutions/cloudsql-multiregion/gce.tf b/blueprints/data-solutions/cloudsql-multiregion/gce.tf index f5e8cd1d0..07c48706e 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/gce.tf +++ b/blueprints/data-solutions/cloudsql-multiregion/gce.tf @@ -43,8 +43,9 @@ module "test-vm" { options = null } ] - service_account = module.service-account-sql.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + service_account = { + email = module.service-account-sql.email + } boot_disk = { initialize_params = { image = "projects/debian-cloud/global/images/family/debian-10" diff --git a/blueprints/data-solutions/sqlserver-alwayson/instances.tf b/blueprints/data-solutions/sqlserver-alwayson/instances.tf index ab9f12171..33eabd8f0 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/instances.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/instances.tf @@ -53,15 +53,12 @@ locals { # Nodes module "nodes" { - source = "../../../modules/compute-vm" - for_each = toset(local.node_netbios_names) - - project_id = var.project_id - zone = local.node_zones[each.value] - name = each.value - + source = "../../../modules/compute-vm" + for_each = toset(local.node_netbios_names) + project_id = var.project_id + zone = local.node_zones[each.value] + name = each.value instance_type = var.node_instance_type - network_interfaces = [{ network = local.network subnetwork = local.subnetwork @@ -70,7 +67,6 @@ module "nodes" { internal = module.ip-addresses.internal_addresses[each.value].address } }] - boot_disk = { initialize_params = { image = var.node_image 
@@ -78,7 +74,6 @@ module "nodes" { size = var.boot_disk_size } } - attached_disks = [{ name = "${each.value}-datadisk" size = var.data_disk_size @@ -86,35 +81,28 @@ module "nodes" { source = null options = null }] - - service_account = module.compute-service-account.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + service_account = { + email = module.compute-service-account.email + } metadata = { enable-wsfc = "true" sysprep-specialize-script-ps1 = local.scripts["specialize-node"] windows-startup-script-ps1 = local.scripts["windows-startup-node"] } - group = { named_ports = { } } - - service_account_create = false - create_template = false } # Witness module "witness" { - source = "../../../modules/compute-vm" - for_each = toset([local.witness_netbios_name]) - - project_id = var.project_id - zone = local.node_zones[each.value] - name = each.value - + source = "../../../modules/compute-vm" + for_each = toset([local.witness_netbios_name]) + project_id = var.project_id + zone = local.node_zones[each.value] + name = each.value instance_type = var.witness_instance_type - network_interfaces = [{ network = local.network subnetwork = local.subnetwork @@ -123,20 +111,16 @@ module "witness" { internal = module.ip-addresses.internal_addresses[each.value].address } }] - boot_disk = { image = var.witness_image type = "pd-ssd" size = var.boot_disk_size } - - service_account = module.witness-service-account.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + service_account = { + email = module.witness-service-account.email + } metadata = { sysprep-specialize-script-ps1 = local.scripts["specialize-witness"] windows-startup-script-ps1 = local.scripts["windows-startup-witness"] } - - service_account_create = false - create_template = false } diff --git a/blueprints/gke/autopilot/mgmt.tf b/blueprints/gke/autopilot/mgmt.tf index 35ff760ad..15a8ccb2e 100644 --- a/blueprints/gke/autopilot/mgmt.tf 
+++ b/blueprints/gke/autopilot/mgmt.tf @@ -30,7 +30,9 @@ module "mgmt_server" { nat = false addresses = null }] - service_account_create = true + service_account = { + auto_create = true + } boot_disk = { initialize_params = { image = var.mgmt_server_config.image diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vm.tf b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vm.tf index 8c6a19f3c..033473987 100644 --- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vm.tf +++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/vm.tf @@ -28,7 +28,9 @@ module "mgmt_server" { nat = false addresses = null }] - service_account_create = true + service_account = { + auto_create = true + } boot_disk = { initialize_params = { image = var.mgmt_server_config.image diff --git a/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf index 2d40721bf..c9a7614ba 100644 --- a/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf +++ b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf @@ -298,8 +298,9 @@ module "proxy-vm" { user-data = !var.tls ? module.cos-nginx.0.cloud_config : module.cos-nginx-tls.0.cloud_config google-logging-enabled = true } - service_account = module.service-account-proxy.email - service_account_create = false + service_account = { + email = module.service-account-proxy.email + } } module "glb" { diff --git a/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf b/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf index c122e4545..f687ff2b1 100644 --- a/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf +++ b/blueprints/networking/__need_fixing/onprem-google-access-dns/main.tf 
@@ -240,10 +240,11 @@ module "vm-test1" { network = module.vpc.self_link subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"] }] - metadata = { startup-script = local.vm-startup-script } - service_account = module.service-account-gce.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - tags = ["ssh"] + metadata = { startup-script = local.vm-startup-script } + service_account = { + email = module.service-account-gce.email + } + tags = ["ssh"] } module "vm-test2" { @@ -257,10 +258,11 @@ module "vm-test2" { nat = false addresses = null }] - metadata = { startup-script = local.vm-startup-script } - service_account = module.service-account-gce.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - tags = ["ssh"] + metadata = { startup-script = local.vm-startup-script } + service_account = { + email = module.service-account-gce.email + } + tags = ["ssh"] } ################################################################################ @@ -322,7 +324,8 @@ module "vm-onprem" { network = module.vpc.name subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"] }] - service_account = module.service-account-onprem.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - tags = ["ssh"] + service_account = { + email = module.service-account-onprem.email + } + tags = ["ssh"] } diff --git a/blueprints/networking/filtering-proxy-psc/consumer.tf b/blueprints/networking/filtering-proxy-psc/consumer.tf index 6668afb72..08f5b4138 100644 --- a/blueprints/networking/filtering-proxy-psc/consumer.tf +++ b/blueprints/networking/filtering-proxy-psc/consumer.tf @@ -48,7 +48,9 @@ module "test-vm-consumer" { nat = false addresses = null }] - service_account_create = true + service_account = { + auto_create = true + } metadata = { startup-script = templatefile("${path.module}/startup.sh", { proxy_url = "http://proxy.internal:3128" }) } 
diff --git a/blueprints/networking/filtering-proxy-psc/main.tf b/blueprints/networking/filtering-proxy-psc/main.tf index 457522a4d..319217cd1 100644 --- a/blueprints/networking/filtering-proxy-psc/main.tf +++ b/blueprints/networking/filtering-proxy-psc/main.tf @@ -155,8 +155,9 @@ module "squid-vm" { image = "cos-cloud/cos-stable" } } - service_account = module.service-account-squid.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + service_account = { + email = module.service-account-squid.email + } metadata = { user-data = module.cos-squid.cloud_config google-logging-enabled = true diff --git a/blueprints/networking/filtering-proxy/main.tf b/blueprints/networking/filtering-proxy/main.tf index d6fce6d0a..b9072a21d 100644 --- a/blueprints/networking/filtering-proxy/main.tf +++ b/blueprints/networking/filtering-proxy/main.tf @@ -167,8 +167,9 @@ module "squid-vm" { image = "cos-cloud/cos-stable" } } - service_account = module.service-account-squid.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + service_account = { + email = module.service-account-squid.email + } metadata = { user-data = module.cos-squid.cloud_config } @@ -270,5 +271,7 @@ module "test-vm" { nat = false addresses = null }] - service_account_create = true + service_account = { + auto_create = true + } } diff --git a/blueprints/networking/glb-hybrid-neg-internal/nva.tf b/blueprints/networking/glb-hybrid-neg-internal/nva.tf index 5db9b5488..3f61fa563 100644 --- a/blueprints/networking/glb-hybrid-neg-internal/nva.tf +++ b/blueprints/networking/glb-hybrid-neg-internal/nva.tf 
@@ -17,15 +17,16 @@ # tfdoc:file:description Network Virtual Appliances (NVAs). module "nva_instance_templates" { - for_each = var.regions - source = "../../../modules/compute-vm" - project_id = module.project_landing.project_id - can_ip_forward = true - create_template = true - name = "nva-${each.value}" - service_account_create = true - zone = local.zones[each.key] - + for_each = var.regions + source = "../../../modules/compute-vm" + project_id = module.project_landing.project_id + can_ip_forward = true + create_template = true + name = "nva-${each.value}" + service_account = { + auto_create = true + } + zone = local.zones[each.key] metadata = { startup-script = templatefile( "${path.module}/data/nva-startup-script.tftpl", @@ -36,7 +37,6 @@ module "nva_instance_templates" { } ) } - network_interfaces = [ { network = module.vpc_landing_untrusted.self_link @@ -47,7 +47,6 @@ module "nva_instance_templates" { subnetwork = module.vpc_landing_trusted.subnet_self_links["${each.value}/trusted-${each.value}"] } ] - tags = [ "http-server", "https-server", diff --git a/blueprints/networking/glb-hybrid-neg-internal/spoke.tf b/blueprints/networking/glb-hybrid-neg-internal/spoke.tf index ceaa2b181..b54f402f2 100644 --- a/blueprints/networking/glb-hybrid-neg-internal/spoke.tf +++ b/blueprints/networking/glb-hybrid-neg-internal/spoke.tf 
@@ -90,28 +90,27 @@ module "nats_spoke_01" { } module "test_vms" { - for_each = var.regions - source = "../../../modules/compute-vm" - name = "spoke-01-${each.value}" - project_id = module.project_spoke_01.project_id - create_template = var.ilb_create - service_account_create = true - zone = local.zones[each.key] - + for_each = var.regions + source = "../../../modules/compute-vm" + name = "spoke-01-${each.value}" + project_id = module.project_spoke_01.project_id + zone = local.zones[each.key] + service_account = { + auto_create = true + } metadata = { startup-script = "apt update && apt install -y nginx" } - network_interfaces = [{ network = module.vpc_spoke_01.self_link subnetwork = module.vpc_spoke_01.subnet_self_links["${each.value}/spoke-01-${each.value}"] }] - tags = [ "http-server", "https-server", "ssh" ] + create_template = var.ilb_create } module "test_vm_migs" { diff --git a/blueprints/networking/hub-and-spoke-peering/main.tf b/blueprints/networking/hub-and-spoke-peering/main.tf index 98aac6fbe..0a5be1195 100644 --- a/blueprints/networking/hub-and-spoke-peering/main.tf +++ b/blueprints/networking/hub-and-spoke-peering/main.tf @@ -188,10 +188,11 @@ module "vm-hub" { nat = false addresses = null }] - metadata = { startup-script = local.vm-startup-script } - service_account = module.service-account-gce.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - tags = ["ssh"] + metadata = { startup-script = local.vm-startup-script } + service_account = { + email = module.service-account-gce.email + } + tags = ["ssh"] } module "vm-spoke-1" { 
@@ -205,10 +206,11 @@ module "vm-spoke-1" { nat = false addresses = null }] - metadata = { startup-script = local.vm-startup-script } - service_account = module.service-account-gce.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - tags = ["ssh"] + metadata = { startup-script = local.vm-startup-script } + service_account = { + email = module.service-account-gce.email + } + tags = ["ssh"] } module "vm-spoke-2" { @@ -222,10 +224,11 @@ module "vm-spoke-2" { nat = false addresses = null }] - metadata = { startup-script = local.vm-startup-script } - service_account = module.service-account-gce.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - tags = ["ssh"] + metadata = { startup-script = local.vm-startup-script } + service_account = { + email = module.service-account-gce.email + } + tags = ["ssh"] } diff --git a/blueprints/networking/ilb-next-hop/gateways.tf b/blueprints/networking/ilb-next-hop/gateways.tf index e57e83c8e..458b995de 100644 --- a/blueprints/networking/ilb-next-hop/gateways.tf +++ b/blueprints/networking/ilb-next-hop/gateways.tf @@ -21,7 +21,6 @@ module "gw" { zone = each.value name = "${var.prefix}-gw-${each.key}" instance_type = "f1-micro" - boot_disk = { initialize_params = { image = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2004-lts", @@ -29,7 +28,6 @@ module "gw" { size = 10 } } - network_interfaces = [ { network = module.vpc-left.self_link @@ -52,11 +50,12 @@ module "gw" { ip_cidr_right = var.ip_ranges.right }) } - service_account = try( - module.service-accounts.emails["${var.prefix}-gce-vm"], null - ) - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - group = { named_ports = null } + service_account = { + email = try( + module.service-accounts.emails["${var.prefix}-gce-vm"], null + ) + } + group = { named_ports = null } } module "ilb-left" { 
diff --git a/blueprints/networking/ilb-next-hop/vms.tf b/blueprints/networking/ilb-next-hop/vms.tf index a71a60a07..259eacb09 100644 --- a/blueprints/networking/ilb-next-hop/vms.tf +++ b/blueprints/networking/ilb-next-hop/vms.tf @@ -39,10 +39,9 @@ module "vm-left" { metadata = { startup-script = local.vm_startup_script } - service_account = try( - module.service-accounts.email, null - ) - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + service_account = { + email = try(module.service-accounts.email, null) + } } module "vm-right" { @@ -62,8 +61,7 @@ module "vm-right" { metadata = { startup-script = local.vm_startup_script } - service_account = try( - module.service-accounts.email, null - ) - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + service_account = { + email = try(module.service-accounts.email, null) + } } diff --git a/blueprints/networking/shared-vpc-gke/main.tf b/blueprints/networking/shared-vpc-gke/main.tf index 88f484630..3e13f28b2 100644 --- a/blueprints/networking/shared-vpc-gke/main.tf +++ b/blueprints/networking/shared-vpc-gke/main.tf @@ -192,7 +192,9 @@ module "vm-bastion" { "service tinyproxy restart" ]) } - service_account_create = true + service_account = { + auto_create = true + } } ################################################################################ diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md index 92a5e3c30..69a68447f 100644 --- a/modules/compute-vm/README.md +++ b/modules/compute-vm/README.md 
@@ -9,11 +9,14 @@ In both modes, an optional service account can be created and assigned to either ## Examples - - [Examples](#examples) - [Instance using defaults](#instance-using-defaults) - [Service account management](#service-account-management) + - [Compute default service account](#compute-default-service-account) + - [Custom service account](#custom-service-account) + - [Custom service account, auto created](#custom-service-account-auto-created) + - [No service account](#no-service-account) - [Disk management](#disk-management) - [Disk sources](#disk-sources) - [Disk types and options](#disk-types-and-options) 
@@ -50,18 +53,22 @@ module "simple-vm-example" { network = var.vpc.self_link subnetwork = var.subnet.self_link }] - service_account_create = true } -# tftest modules=1 resources=2 inventory=simple.yaml +# tftest modules=1 resources=1 inventory=defaults.yaml ``` ### Service account management -VM service accounts can be managed in three different ways: +VM service accounts can be managed in four different ways: -- You can let the module create a service account for you by setting `service_account_create = true` -- You can use an existing service account by setting `service_account_create = false` (the default value) and passing the full email address of the service account to the `service_account` variable. This is useful, for example, if you want to reuse the service account from another previously created instance, or if you want to create the service account manually with the `iam-service-account` module. In this case, you probably also want to set `service_account_scopes` to `cloud-platform`. -- Lastly, you can use the default compute service account by setting `service_account_crate = false`. Please note that using the default compute service account is not recommended. +- in its default configuration, the module uses the Compute default service account with a basic set of scopes (`devstorage.read_only`, `logging.write`, `monitoring.write`) +- a custom service account can be used by passing its email in the `service_account.email` variable +- a custom service account can be created by the module and used by setting the `service_account.auto_create` variable to `true` +- the instance can be created with no service account by setting the `service_account` variable to `null` + +Scopes for custom service accounts are set by default to `cloud-platform` and `userinfo.email`, and can be further customized regardless of which service account is used by directly setting the `service_account.scopes` variable. 
+ +#### Compute default service account ```hcl module "vm-managed-sa-example" { @@ -73,9 +80,13 @@ module "vm-managed-sa-example" { network = var.vpc.self_link subnetwork = var.subnet.self_link }] - service_account_create = true } +# tftest modules=1 resources=1 inventory=sa-default.yaml +``` +#### Custom service account + +```hcl module "vm-managed-sa-example2" { source = "./fabric/modules/compute-vm" project_id = var.project_id @@ -85,24 +96,47 @@ module "vm-managed-sa-example2" { network = var.vpc.self_link subnetwork = var.subnet.self_link }] - service_account = module.vm-managed-sa-example.service_account_email - service_account_scopes = ["cloud-platform"] + service_account = { + email = "sa-0@myproj.iam.gserviceaccount.com" + } } +# tftest modules=1 resources=1 inventory=sa-custom.yaml +``` -# not recommended -module "vm-default-sa-example2" { +#### Custom service account, auto created + +```hcl +module "vm-managed-sa-example2" { source = "./fabric/modules/compute-vm" project_id = var.project_id zone = "europe-west1-b" - name = "test3" + name = "test2" network_interfaces = [{ network = var.vpc.self_link subnetwork = var.subnet.self_link }] - service_account_create = false + service_account = { + auto_create = true + } } +# tftest modules=1 resources=2 inventory=sa-managed.yaml +``` -# tftest modules=3 resources=4 inventory=sas.yaml +#### No service account + +```hcl +module "vm-managed-sa-example2" { + source = "./fabric/modules/compute-vm" + project_id = var.project_id + zone = "europe-west1-b" + name = "test2" + network_interfaces = [{ + network = var.vpc.self_link + subnetwork = var.subnet.self_link + }] + service_account = null +} +# tftest modules=1 resources=1 inventory=sa-none.yaml ``` ### Disk management @@ -137,7 +171,9 @@ module "vm-disks-example" { replica_zone = "${var.region}-c" } }] - service_account_create = true + service_account = { + auto_create = true + } } # tftest modules=1 resources=2 ``` 
@@ -163,8 +199,10 @@ module "vm-disks-example" { replica_zone = "${var.region}-c" } }] - service_account_create = true - create_template = true + service_account = { + auto_create = true + } + create_template = true } # tftest modules=1 resources=2 ``` @@ -205,7 +243,9 @@ module "vm-disk-options-example" { } } ] - service_account_create = true + service_account = { + auto_create = true + } } # tftest modules=1 resources=4 inventory=disk-options.yaml ``` @@ -230,7 +270,9 @@ module "simple-vm-example" { network = var.vpc.self_link subnetwork = var.subnet.self_link }] - service_account_create = true + service_account = { + auto_create = true + } } # tftest modules=1 resources=3 inventory=independent-boot-disk.yaml ``` @@ -331,7 +373,9 @@ module "vm-with-gvnic" { subnetwork = var.subnet.self_link nic_type = "GVNIC" }] - service_account_create = true + service_account = { + auto_create = true + } } # tftest modules=1 resources=3 inventory=gvnic.yaml ``` @@ -361,7 +405,9 @@ module "vm-metadata-example" { apt-get install -y nginx EOF } - service_account_create = true + service_account = { + auto_create = true + } } # tftest modules=1 resources=2 inventory=metadata.yaml ``` @@ -465,7 +511,9 @@ module "kms-vm-example" { name = "attached-disk" size = 10 }] - service_account_create = true + service_account = { + auto_create = true + } encryption = { encrypt_boot = true kms_key_self_link = var.kms_key.self_link @@ -499,7 +547,9 @@ module "cos-test" { size = 10 } ] - service_account = "vm-default@my-project.iam.gserviceaccount.com" + service_account = { + email = "vm-default@my-project.iam.gserviceaccount.com" + } create_template = true } # tftest modules=1 resources=1 inventory=template.yaml 
@@ -526,8 +576,10 @@ module "instance-group" { boot_disk = { image = "projects/cos-cloud/global/images/family/cos-stable" } - service_account = var.service_account.email - service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + service_account = { + email = var.service_account.email + scopes = ["https://www.googleapis.com/auth/cloud-platform"] + } metadata = { user-data = local.cloud_config } @@ -633,7 +685,7 @@ module "instance" { | [name](variables.tf#L235) | Instance name. | string | ✓ | | | [network_interfaces](variables.tf#L240) | Network interfaces configuration. Use self links for Shared VPC, set addresses to null if not needed. | list(object({…})) | ✓ | | | [project_id](variables.tf#L277) | Project id. | string | ✓ | | -| [zone](variables.tf#L379) | Compute zone. | string | ✓ | | +| [zone](variables.tf#L369) | Compute zone. | string | ✓ | | | [attached_disk_defaults](variables.tf#L17) | Defaults for attached disks options. | object({…}) | | {…} | | [attached_disks](variables.tf#L37) | Additional disks, if options is null defaults will be used in its place. Source type is one of 'image' (zonal disks in vms and template), 'snapshot' (vm), 'existing', and null. | list(object({…})) | | [] | | [boot_disk](variables.tf#L83) | Boot disk properties. | object({…}) | | {…} | 
@@ -653,13 +705,11 @@ module "instance" { | [min_cpu_platform](variables.tf#L229) | Minimum CPU platform. | string | | null | | [options](variables.tf#L255) | Instance options. | object({…}) | | {…} | | [scratch_disks](variables.tf#L282) | Scratch disks configuration. | object({…}) | | {…} | -| [service_account](variables.tf#L294) | Service account email. Unused if service account is auto-created. | string | | null | -| [service_account_create](variables.tf#L300) | Auto-create service account. | bool | | false | -| [service_account_scopes](variables.tf#L308) | Scopes applied to service account. | list(string) | | [] | -| [shielded_config](variables.tf#L314) | Shielded VM configuration of the instances. | object({…}) | | null | -| [snapshot_schedules](variables.tf#L324) | Snapshot schedule resource policies that can be attached to disks. | map(object({…})) | | {} | -| [tag_bindings](variables.tf#L367) | Tag bindings for this instance, in key => tag value id format. | map(string) | | null | -| [tags](variables.tf#L373) | Instance network tags for firewall rule targets. | list(string) | | [] | +| [service_account](variables.tf#L294) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | object({…}) | | {} | +| [shielded_config](variables.tf#L304) | Shielded VM configuration of the instances. | object({…}) | | null | +| [snapshot_schedules](variables.tf#L314) | Snapshot schedule resource policies that can be attached to disks. | map(object({…})) | | {} | +| [tag_bindings](variables.tf#L357) | Tag bindings for this instance, in key => tag value id format. | map(string) | | null | +| [tags](variables.tf#L363) | Instance network tags for firewall rule targets. | list(string) | | [] | ## Outputs 
@@ -668,13 +718,13 @@ module "instance" { | [external_ip](outputs.tf#L17) | Instance main interface external IP addresses. | | | [group](outputs.tf#L26) | Instance group resource. | | | [id](outputs.tf#L31) | Fully qualified instance id. | | -| [instance](outputs.tf#L36) | Instance resource. | | -| [internal_ip](outputs.tf#L41) | Instance main interface internal IP address. | | -| [internal_ips](outputs.tf#L49) | Instance interfaces internal IP addresses. | | -| [self_link](outputs.tf#L57) | Instance self links. | | -| [service_account](outputs.tf#L62) | Service account resource. | | -| [service_account_email](outputs.tf#L69) | Service account email. | | -| [service_account_iam_email](outputs.tf#L74) | Service account email. | | +| [instance](outputs.tf#L36) | Instance resource. | ✓ | +| [internal_ip](outputs.tf#L42) | Instance main interface internal IP address. | | +| [internal_ips](outputs.tf#L50) | Instance interfaces internal IP addresses. | | +| [self_link](outputs.tf#L58) | Instance self links. | | +| [service_account](outputs.tf#L63) | Service account resource. | | +| [service_account_email](outputs.tf#L68) | Service account email. | | +| [service_account_iam_email](outputs.tf#L73) | Service account email. | | | [template](outputs.tf#L82) | Template resource. | | | [template_name](outputs.tf#L87) | Template name. | | diff --git a/modules/compute-vm/main.tf b/modules/compute-vm/main.tf index e79cc18cd..6d20a3238 100644 --- a/modules/compute-vm/main.tf +++ b/modules/compute-vm/main.tf 
@@ -35,31 +35,29 @@ locals { : "MIGRATE" ) region = join("-", slice(split("-", var.zone), 0, 2)) - service_account_email = ( - var.service_account_create - ? ( - length(google_service_account.service_account) > 0 + service_account = var.service_account == null ? null : { + email = ( + var.service_account.auto_create ? google_service_account.service_account[0].email - : null + : var.service_account.email ) - : var.service_account - ) - service_account_scopes = ( - length(var.service_account_scopes) > 0 - ? var.service_account_scopes - : ( - var.service_account_create - ? [ - "https://www.googleapis.com/auth/cloud-platform", - "https://www.googleapis.com/auth/userinfo.email" - ] - : [ - "https://www.googleapis.com/auth/devstorage.read_only", - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring.write" - ] + scopes = ( + var.service_account.scopes != null ? var.service_account.scopes : ( + var.service_account.email == null && !var.service_account.auto_create + # default scopes for Compute default SA + ? [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write" + ] + # default scopes for own SA + : [ + "https://www.googleapis.com/auth/cloud-platform", + "https://www.googleapis.com/auth/userinfo.email" + ] + ) ) - ) + } termination_action = var.options.spot ? coalesce(var.options.termination_action, "STOP") : null } @@ -275,9 +273,12 @@ resource "google_compute_instance" "default" { } } - service_account { - email = local.service_account_email - scopes = local.service_account_scopes + dynamic "service_account" { + for_each = var.service_account == null ? [] : [""] + content { + email = local.service_account.email + scopes = local.service_account.scopes + } } dynamic "shielded_instance_config" { 
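Review bot: The new `scopes` expression in `local.service_account` changes the default for a custom service account: an `email` with `scopes` left null now gets `cloud-platform` and `userinfo.email`, whereas the removed `service_account_scopes` logic gave a provided email with an empty scope list the restricted Compute defaults (`devstorage.read_only`, `logging.write`, `monitoring.write`). Callers that migrated by passing only `email` and previously set no scopes — `blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/main.tf` and the `cos-test` example in `modules/compute-vm/README.md` in this same patch — therefore silently widen their OAuth scope; the blueprints that already passed `cloud-platform` explicitly are unaffected. Worth a comment next to the second branch, e.g. `# a custom email with scopes == null now defaults to cloud-platform; callers that relied on the old restricted defaults must set scopes explicitly`, and a mention in the variable description. The enclosing `locals` block starts before this hunk.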
@@ -399,9 +400,12 @@ resource "google_compute_instance_template" "default" {
 provisioning_model = var.options.spot ? "SPOT" : "STANDARD"
 }
- service_account {
- email = local.service_account_email
- scopes = local.service_account_scopes
+ dynamic "service_account" {
+ for_each = var.service_account == null ? [] : [""]
+ content {
+ email = local.service_account.email
+ scopes = local.service_account.scopes
+ }
 }
 dynamic "shielded_instance_config" {
@@ -442,7 +446,7 @@ resource "google_compute_instance_group" "unmanaged" {
 }
 resource "google_service_account" "service_account" {
- count = var.service_account_create ? 1 : 0
+ count = try(var.service_account.auto_create, null) == true ? 1 : 0
 project = var.project_id
 account_id = "tf-vm-${var.name}"
 display_name = "Terraform VM ${var.name}."
diff --git a/modules/compute-vm/outputs.tf b/modules/compute-vm/outputs.tf
index a08f24847..f1df0a377 100644
--- a/modules/compute-vm/outputs.tf
+++ b/modules/compute-vm/outputs.tf
@@ -35,6 +35,7 @@ output "id" {
 output "instance" {
 description = "Instance resource."
+ sensitive = true
 value = try(google_compute_instance.default.0, null)
 }
@@ -61,22 +62,21 @@ output "self_link" {
 output "service_account" {
 description = "Service account resource."
- value = (
- var.service_account_create ? google_service_account.service_account.0 : null
- )
+ value = try(google_service_account.service_account.0, null)
 }
 output "service_account_email" {
 description = "Service account email."
- value = local.service_account_email
+ value = try(local.service_account.email, null)
 }
 output "service_account_iam_email" {
 description = "Service account email."
- value = join("", [
- "serviceAccount:",
- local.service_account_email == null ? "" : local.service_account_email
- ])
+ value = (
+ try(local.service_account.email, null) == null
+ ? null
+ : "serviceAccount:${local.service_account.email}"
+ )
 }
 output "template" {
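Review bot: `sensitive = true` on the `instance` output in the outputs.tf hunk is added without a comment giving the reason, and it is the only output in this commit marked that way; callers that previously printed or interpolated the whole resource will now see it redacted in plan output. The fixtures in this diff show the resource carries `metadata` and `metadata_startup_script` verbatim, which is presumably the motivation, so a one-line comment such as `# sensitive: the resource embeds metadata and startup-script contents` would record the rationale next to the flag.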
diff --git a/modules/compute-vm/test.tfvars b/modules/compute-vm/test.tfvars
new file mode 100644
index 000000000..5c60eab21
--- /dev/null
+++ b/modules/compute-vm/test.tfvars
@@ -0,0 +1,9 @@
+project_id = "tf-playground-svpc-gce"
+zone = "europe-west8-b"
+name = "test-sa"
+instance_type = "e2-small"
+network_interfaces = [{
+ network = "https://www.googleapis.com/compute/v1/projects/ldj-dev-net-spoke-0/global/networks/dev-spoke-0"
+ subnetwork = "https://www.googleapis.com/compute/v1/projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gce"
+}]
+# service_account = null
diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf
index bf33e5172..e6a0a4c36 100644
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
@@ -292,23 +292,13 @@ variable "scratch_disks" {
 }
 variable "service_account" {
- description = "Service account email. Unused if service account is auto-created."
- type = string
- default = null
- }
-
- variable "service_account_create" {
- description = "Auto-create service account."
- type = bool
- default = false
- }
-
- # scopes and scope aliases list
- # https://cloud.google.com/sdk/gcloud/reference/compute/instances/create#--scopes
- variable "service_account_scopes" {
- description = "Scopes applied to service account."
- type = list(string)
- default = []
+ description = "Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account."
+ type = object({
+ auto_create = optional(bool, false)
+ email = optional(string)
+ scopes = optional(list(string))
+ })
+ default = {}
 }
 variable "shielded_config" {
diff --git a/modules/net-lb-ext/README.md b/modules/net-lb-ext/README.md
index faea7c73b..c63f3ac5f 100644
--- a/modules/net-lb-ext/README.md
+++ b/modules/net-lb-ext/README.md
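Review bot: `test.tfvars` is a new file in the module directory whose project and network identifiers (`tf-playground-svpc-gce`, `ldj-dev-net-spoke-0`) look like a developer's own environment, and nothing else in this commit refers to it, so it reads as a local plan harness that was committed along with the feature. The module's tests in this diff are the YAML fixtures under `tests/modules/compute_vm/examples/`, which do not appear to consume a tfvars file. If the file is meant to stay as a manual smoke-test input, a header comment saying so and placeholder values, e.g. `project_id = "my-project"` with the network self-links pointing at a `<PROJECT>`-style placeholder, would make that intent clear; otherwise it should be dropped from the change.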
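Review bot: Passing `auto_create = true` together with a non-null `email` is accepted silently in the variables.tf hunk, and the locals in main.tf then use the created account and ignore the supplied email; the removed description said "Unused if service account is auto-created", and the new description drops that sentence without replacing it with a check. A `validation` block on the variable rejects the conflicting combination at plan time instead of quietly picking one, and the variable block closes inside this hunk so it fits here without touching anything else.
```hcl
variable "service_account" {
  # … unchanged: description, type, default …
  validation {
    condition = (
      try(var.service_account.auto_create, false) != true
      || try(var.service_account.email, null) == null
    )
    error_message = "Set either auto_create or email, not both."
  }
}
```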
@@ -14,20 +14,20 @@ This example shows how to reference existing Managed Infrastructure Groups (MIGs
 ```hcl
 module "instance_template" {
- source = "./fabric/modules/compute-vm"
- project_id = var.project_id
- create_template = true
- name = "vm-test"
- service_account_create = true
- zone = "europe-west1-b"
-
+ source = "./fabric/modules/compute-vm"
+ project_id = var.project_id
+ zone = "europe-west1-b"
+ name = "vm-test"
+ create_template = true
+ service_account = {
+ auto_create = true
+ }
 network_interfaces = [
 {
 network = var.vpc.self_link
 subnetwork = var.subnet.self_link
 }
 ]
-
 tags = [
 "http-server"
 ]
diff --git a/modules/net-lb-int/README.md b/modules/net-lb-int/README.md
index 52a951f46..c5773883c 100644
--- a/modules/net-lb-int/README.md
+++ b/modules/net-lb-int/README.md
@@ -22,20 +22,20 @@ This example shows how to reference existing Managed Infrastructure Groups (MIGs
 ```hcl
 module "instance_template" {
- source = "./fabric/modules/compute-vm"
- project_id = var.project_id
- create_template = true
- name = "vm-test"
- service_account_create = true
- zone = "europe-west1-b"
-
+ source = "./fabric/modules/compute-vm"
+ project_id = var.project_id
+ zone = "europe-west1-b"
+ name = "vm-test"
+ create_template = true
+ service_account = {
+ auto_create = true
+ }
 network_interfaces = [
 {
 network = var.vpc.self_link
 subnetwork = var.subnet.self_link
 }
 ]
-
 tags = [
 "http-server"
 ]
diff --git a/modules/net-vpn-dynamic/README.md b/modules/net-vpn-dynamic/README.md
index 3a0ea1a3a..5f79ffaaa 100644
--- a/modules/net-vpn-dynamic/README.md
+++ b/modules/net-vpn-dynamic/README.md
@@ -4,7 +4,7 @@ This example shows how to configure a single VPN tunnel using a couple of extra features
-- custom advertisement on the tunnel's BGP session; if custom advertisement is not needed, simply set the `bgp_peer_options` attribute to `null`
+- custom advertisement on the tunnel's BGP session; if custom advertisement is not needed, simply set the `bgp_peer_options` attribute to `null`
 - internally generated shared secret, which can be fetched from the module's `random_secret` output for reuse; a predefined secret can be used instead by assigning it to the `shared_secret` attribute
 ```hcl
@@ -18,10 +18,11 @@ module "vm" {
 network = var.vpc.self_link
 subnetwork = var.subnet.self_link
 }]
- service_account_create = true
+ service_account = {
+ auto_create = true
+ }
 }
-
 module "vpn-dynamic" {
 source = "./fabric/modules/net-vpn-dynamic"
 project_id = "my-project"
@@ -31,7 +32,6 @@ module "vpn-dynamic" {
 router_config = {
 asn = 64514
 }
-
 tunnels = {
 remote-1 = {
 bgp_peer = {
diff --git a/tests/modules/compute_vm/examples/defaults.yaml b/tests/modules/compute_vm/examples/defaults.yaml
new file mode 100644
index 000000000..a5a9bfade
--- /dev/null
+++ b/tests/modules/compute_vm/examples/defaults.yaml
@@ -0,0 +1,79 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.simple-vm-example.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ initialize_params:
+ - image: projects/debian-cloud/global/images/family/debian-11
+ resource_manager_tags: null
+ size: 10
+ type: pd-balanced
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ enable_display: false
+ hostname: null
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: test
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags: null
+ timeouts: null
+ zone: europe-west1-b
+
+counts:
+ google_compute_instance: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/simple.yaml b/tests/modules/compute_vm/examples/sa-custom.yaml
similarity index 85%
rename from tests/modules/compute_vm/examples/simple.yaml
rename to tests/modules/compute_vm/examples/sa-custom.yaml
index cfeaa4225..070457fd1 100644
--- a/tests/modules/compute_vm/examples/simple.yaml
+++ b/tests/modules/compute_vm/examples/sa-custom.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 values:
- module.simple-vm-example.google_compute_instance.default[0]:
+ module.vm-managed-sa-example2.google_compute_instance.default[0]:
 advanced_machine_features: []
 allow_stopping_for_update: true
 attached_disk: []
@@ -22,20 +22,21 @@ values:
 disk_encryption_key_raw: null
 initialize_params:
 - image: projects/debian-cloud/global/images/family/debian-11
- resource_manager_tags:
+ resource_manager_tags: null
 size: 10
 type: pd-balanced
 mode: READ_WRITE
 can_ip_forward: false
 deletion_protection: false
 description: Managed by the compute-vm Terraform module.
+ desired_status: null
 enable_display: false
 hostname: null
 labels: null
 machine_type: f1-micro
 metadata: null
 metadata_startup_script: null
- name: test
+ name: test2
 network_interface:
 - access_config: []
 alias_ip_range: []
@@ -44,7 +45,10 @@ values:
 nic_type: null
 queue_count: null
 subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
 project: project-id
+ resource_policies: null
 scheduling:
 - automatic_restart: true
 instance_termination_action: null
@@ -58,18 +62,18 @@ values:
 provisioning_model: STANDARD
 scratch_disk: []
 service_account:
- - scopes:
+ - email: sa-0@myproj.iam.gserviceaccount.com
+ scopes:
 - https://www.googleapis.com/auth/cloud-platform
 - https://www.googleapis.com/auth/userinfo.email
 shielded_instance_config: []
 tags: null
+ timeouts: null
 zone: europe-west1-b
- module.simple-vm-example.google_service_account.service_account[0]:
- account_id: tf-vm-test
- display_name: Terraform VM test.
- project: project-id
-
 counts:
 google_compute_instance: 1
- google_service_account: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/sa-default.yaml b/tests/modules/compute_vm/examples/sa-default.yaml
new file mode 100644
index 000000000..0879b1dce
--- /dev/null
+++ b/tests/modules/compute_vm/examples/sa-default.yaml
@@ -0,0 +1,79 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.vm-managed-sa-example.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ initialize_params:
+ - image: projects/debian-cloud/global/images/family/debian-11
+ resource_manager_tags: null
+ size: 10
+ type: pd-balanced
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ enable_display: false
+ hostname: null
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: test1
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags: null
+ timeouts: null
+ zone: europe-west1-b
+
+counts:
+ google_compute_instance: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/sa-managed.yaml b/tests/modules/compute_vm/examples/sa-managed.yaml
new file mode 100644
index 000000000..a87182d33
--- /dev/null
+++ b/tests/modules/compute_vm/examples/sa-managed.yaml
@@ -0,0 +1,86 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.vm-managed-sa-example2.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ initialize_params:
+ - image: projects/debian-cloud/global/images/family/debian-11
+ resource_manager_tags: null
+ size: 10
+ type: pd-balanced
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ enable_display: false
+ hostname: null
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: test2
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/cloud-platform
+ - https://www.googleapis.com/auth/userinfo.email
+ shielded_instance_config: []
+ tags: null
+ timeouts: null
+ zone: europe-west1-b
+ module.vm-managed-sa-example2.google_service_account.service_account[0]:
+ account_id: tf-vm-test2
+ description: null
+ disabled: false
+ display_name: Terraform VM test2.
+ project: project-id
+ timeouts: null
+
+counts:
+ google_compute_instance: 1
+ google_service_account: 1
+ modules: 1
+ resources: 2
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/sa-none.yaml b/tests/modules/compute_vm/examples/sa-none.yaml
new file mode 100644
index 000000000..f9365e43a
--- /dev/null
+++ b/tests/modules/compute_vm/examples/sa-none.yaml
@@ -0,0 +1,75 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.vm-managed-sa-example2.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ initialize_params:
+ - image: projects/debian-cloud/global/images/family/debian-11
+ resource_manager_tags: null
+ size: 10
+ type: pd-balanced
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ enable_display: false
+ hostname: null
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: test2
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ preemptible: false
+ provisioning_model: STANDARD
+ scratch_disk: []
+ service_account: []
+ shielded_instance_config: []
+ tags: null
+ timeouts: null
+ zone: europe-west1-b
+
+counts:
+ google_compute_instance: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
diff --git a/tests/modules/compute_vm/examples/sas.yaml b/tests/modules/compute_vm/examples/sas.yaml
deleted file mode 100644
index 96a948317..000000000
--- a/tests/modules/compute_vm/examples/sas.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.vm-default-sa-example2.google_compute_instance.default[0]:
- name: test3
- project: project-id
- service_account:
- - scopes:
- - https://www.googleapis.com/auth/devstorage.read_only
- - https://www.googleapis.com/auth/logging.write
- - https://www.googleapis.com/auth/monitoring.write
- zone: europe-west1-b
- module.vm-managed-sa-example.google_compute_instance.default[0]:
- name: test1
- project: project-id
- service_account:
- - scopes:
- - https://www.googleapis.com/auth/cloud-platform
- - https://www.googleapis.com/auth/userinfo.email
- zone: europe-west1-b
- module.vm-managed-sa-example.google_service_account.service_account[0]:
- account_id: tf-vm-test1
- display_name: Terraform VM test1.
- project: project-id
- module.vm-managed-sa-example2.google_compute_instance.default[0]:
- name: test2
- project: project-id
- service_account:
- - scopes:
- - https://www.googleapis.com/auth/cloud-platform
- zone: europe-west1-b
-
-counts:
- google_compute_instance: 3
- google_service_account: 1
- modules: 3
- resources: 4
diff --git a/tests/modules/compute_vm/examples/template.yaml b/tests/modules/compute_vm/examples/template.yaml
index 1f1888bfc..38e21cf03 100644
--- a/tests/modules/compute_vm/examples/template.yaml
+++ b/tests/modules/compute_vm/examples/template.yaml
@@ -57,9 +57,8 @@ values:
 service_account:
 - email: vm-default@my-project.iam.gserviceaccount.com
 scopes:
- - https://www.googleapis.com/auth/devstorage.read_only
- - https://www.googleapis.com/auth/logging.write
- - https://www.googleapis.com/auth/monitoring.write
+ - https://www.googleapis.com/auth/cloud-platform
+ - https://www.googleapis.com/auth/userinfo.email
 counts:
 google_compute_instance_template: 1