Terraform 1.8 introduced a new feature that causes the move to fail: > Providers can now transfer the ownership of a remote object between resources of different types, for situations where there are two different resource types that represent the same remote object type. > This extends the moved block behavior to support moving between two resources of different types only if the provider for the target resource type declares that it can convert from the source resource type. Refer to provider documentation for details on which pairs of resource types are supported. https://github.com/hashicorp/terraform/blob/v1.8/CHANGELOG.md#180-april-10-2024
Google Cloud Artifact Registry Module
This module simplifies the creation of repositories using Google Cloud Artifact Registry.
- Simple Docker Repository
- Remote and Virtual Repositories
- Additional Docker and Maven Options
- Other Formats
- Cleanup Policies
- IAM
- Variables
- Outputs
Simple Docker Repository
# Standard (hosted) Docker repository with one authoritative IAM binding.
module "docker_artifact_registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  name       = "myregistry"

  format = {
    docker = {
      standard = {}
    }
  }

  # NOTE(review): roles/artifactregistry.admin is the broadest Artifact
  # Registry role. If the CI/CD group only publishes images, a narrower role
  # such as roles/artifactregistry.writer is usually sufficient; confirm what
  # the pipeline needs before copying this binding.
  iam = {
    "roles/artifactregistry.admin" = ["group:cicd@example.com"]
  }
}
# tftest modules=1 resources=2
Remote and Virtual Repositories
# Standard (hosted) Python repository. In this example it is one of the two
# upstreams referenced by the "registry-virtual" module.
module "registry-local" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "local"

  format = {
    python = { standard = true }
  }
}
# Remote Python repository backed by the public PyPI index.
# Packages served through it originate from a public source, so consumers
# should treat them as unvetted third-party code.
module "registry-remote" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "remote"

  format = {
    python = {
      remote = { public_repository = "PYPI" }
    }
  }
}
# Virtual Python repository that fronts two upstreams: the PyPI-backed remote
# repository and the hosted local repository.
module "registry-virtual" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "virtual"

  format = {
    python = {
      virtual = {
        # NOTE(review): Artifact Registry is documented as preferring the
        # upstream with the higher priority value (confirm against the current
        # provider docs). With 10 vs 1 the local repository would win a name
        # clash with PyPI, which is the ordering that limits dependency
        # confusion; keep it that way when adapting the example.
        remote = {
          repository = module.registry-remote.id
          priority   = 1
        }
        local = {
          repository = module.registry-local.id
          priority   = 10
        }
      }
    }
  }
}
# tftest modules=3 resources=3 inventory=remote-virtual.yaml
Additional Docker and Maven Options
# Standard Docker repository with tag immutability switched on.
module "registry-docker" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "docker"

  format = {
    docker = {
      # NOTE(review): immutable_tags presumably maps to the Artifact Registry
      # setting that stops an existing tag from being re-pointed at another
      # image (confirm in the module source). That keeps a deployed tag
      # resolving to the same image over time.
      standard = { immutable_tags = true }
    }
  }
}
# Standard Maven repository showing the Maven-specific options.
module "registry-maven" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "maven"

  format = {
    maven = {
      # NOTE(review): version_policy = "RELEASE" is documented as accepting
      # release versions only, so allow_snapshot_overwrites may have no effect
      # in this combination; confirm the pairing is intended before reuse.
      standard = {
        allow_snapshot_overwrites = true
        version_policy            = "RELEASE"
      }
    }
  }
}
# tftest modules=2 resources=2
Other Formats
# Standard repository using the "apt" format.
module "apt-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "apt-registry"

  format = {
    apt = { standard = true }
  }
}
# Standard repository using the "generic" format.
module "generic-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "generic-registry"

  format = {
    generic = { standard = true }
  }
}
# Standard repository using the "go" format.
module "go-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "go-registry"

  format = {
    go = { standard = true }
  }
}
# Standard repository using the "googet" format.
module "googet-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "googet-registry"

  format = {
    googet = { standard = true }
  }
}
# Standard repository using the "kfp" format.
module "kfp-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "kfp-registry"

  format = {
    kfp = { standard = true }
  }
}
# Standard repository using the "npm" format.
module "npm-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "npm-registry"

  format = {
    npm = { standard = true }
  }
}
# Standard repository using the "yum" format.
module "yum-registry" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = var.region
  name       = "yum-registry"

  format = {
    yum = { standard = true }
  }
}
# tftest modules=7 resources=7 inventory=other-formats.yaml
Cleanup Policies
# Standard Docker repository with two cleanup policies attached.
module "registry-docker" {
  source     = "./fabric/modules/artifact-registry"
  project_id = var.project_id
  location   = "europe-west1"
  name       = "docker-cleanup-policies"

  format = {
    docker = {
      standard = {}
    }
  }

  # Dry run is off, so the cleanup pipeline is not prevented from deleting
  # versions. Both policies in this example are KEEP rules and no DELETE rule
  # is defined; review what a policy set would remove before disabling dry run
  # on a repository that holds release artifacts.
  cleanup_policy_dry_run = false

  cleanup_policies = {
    # Keep the 5 most recent versions of packages whose name starts with "test".
    keep-5-versions = {
      action = "KEEP"
      most_recent_versions = {
        package_name_prefixes = ["test"]
        keep_count            = 5
      }
    }

    # Keep tagged versions whose tag starts with "release", for packages whose
    # name starts with "webapp" or "mobile".
    keep-tagged-release = {
      action = "KEEP"
      condition = {
        tag_state             = "TAGGED"
        tag_prefixes          = ["release"]
        package_name_prefixes = ["webapp", "mobile"]
      }
    }
  }
}
# tftest modules=1 resources=1 inventory=cleanup-policies.yaml
IAM
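This module implements the same IAM interface as the other modules. Authoritative bindings define the complete member list for a role on the repository, whereas additive bindings only add the listed member. You can choose one (and only one) of the three options below: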
# Authoritative IAM bindings
# Role-keyed authoritative binding: the `iam` map lists the members for each
# role in {ROLE => [MEMBERS]} form.
module "authoritative_iam" {
  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  name       = "myregistry"

  format = {
    docker = {
      standard = {}
    }
  }

  # NOTE(review): admin is the broadest Artifact Registry role; grant it to a
  # CI/CD group only if the pipeline really has to manage the repository and
  # not just read or publish artifacts.
  iam = {
    "roles/artifactregistry.admin" = ["group:cicd@example.com"]
  }
}
# Authoritative IAM bindings (with conditions)
# Authoritative binding expressed through `iam_bindings`, the form that can
# also carry an IAM condition. The map key ("ci-admin") is arbitrary.
module "authoritative_iam_conditions" {
  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  name       = "myregistry"

  format = {
    docker = {
      standard = {}
    }
  }

  iam_bindings = {
    "ci-admin" = {
      role    = "roles/artifactregistry.admin"
      members = ["group:cicd@example.com"]
      # Optional condition, shown as its schema:
      # condition = {
      #   expression  = string
      #   title       = string
      #   description = optional(string)
      # }
    }
  }
}
# Additive IAM bindings
# Additive bindings: each entry grants one role to one member. Map keys are
# arbitrary labels.
module "additive_iam" {
  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  name       = "myregistry"

  format = {
    docker = {
      standard = {}
    }
  }

  iam_bindings_additive = {
    # Administrative access for the CI/CD group.
    "ci-admin" = {
      role   = "roles/artifactregistry.admin"
      member = "group:cicd@example.com"
      # Optional condition, shown as its schema:
      # condition = {
      #   expression  = string
      #   title       = string
      #   description = optional(string)
      # }
    }

    # Read-only access for a separate group.
    "ci-read" = {
      role   = "roles/artifactregistry.reader"
      member = "group:cicd-read@example.com"
      # Optional condition, shown as its schema:
      # condition = {
      #   expression  = string
      #   title       = string
      #   description = optional(string)
      # }
    }
  }
}
# tftest modules=3 resources=7
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| cleanup_policies | Object containing details about the cleanup policies for an Artifact Registry repository. | map(object({…default = null |
✓ | |
| format | Repository format. | object({…}) |
✓ | |
| location | Registry location. Use `gcloud beta artifacts locations list` to get valid values. | string |
✓ | |
| name | Registry name. | string |
✓ | |
| project_id | Registry project id. | string |
✓ | |
| cleanup_policy_dry_run | If true, the cleanup pipeline is prevented from deleting versions in this repository. | bool |
null |
|
| description | An optional description for the repository. | string |
"Terraform-managed registry" |
|
| encryption_key | The KMS key name to use for encryption at rest. | string |
null |
|
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) |
{} |
|
| iam_bindings_additive | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) |
{} |
|
| iam_by_principals | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. |
map(list(string)) |
{} |
|
| labels | Labels to be attached to the registry. | map(string) |
{} |
Outputs
| name | description | sensitive |
|---|---|---|
| id | Fully qualified repository id. | |
| name | Repository name. | |
| repository | Repository object. | |
| url | Repository URL. |