Skip to content

extenda/tf-module-gcp-project

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

128 Commits
docs
docs
 
 
examples
examples
 
 
modules
modules
 
 
.gitignore
.gitignore
 
 
MIGRATION_8.x-9.0.md
MIGRATION_8.x-9.0.md
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
providers.tf
providers.tf
 
 
vars.tf
vars.tf
 
 

Repository files navigation

tf-module-gcp-project

Description

An Extenda Retail maintained Terraform Module, which is intended to create specific Project resources within the Google Cloud Platform and GSuite. It creates projects and configures aspects like Service Accounts, IAM access, API enablement, Workload Identity, GitHub Secrets.

Providers

Name Version
google ~> 3.8
gsuite ~> 0.1.62

GSuite Provider must be manually downloaded and installed in $HOME/.terraform.d/plugins. See GSuite Provider GitHub Repo for Installation instructions.

Inputs

Name Description Type Default Required
activate_apis The list of apis to activate within the project list(string) n/a yes
additional_user_access List of IAM Roles to assign to groups and users 
list(object({
    name      = string
    iam_roles = list(string)
    members   = list(string)
  }))
 [] no
billing_account The ID of the billing account to associate this project with any n/a yes
bucket_labels A map of key/value label pairs to assign to the bucket map {} no
bucket_name The name of the bucket that will contain terraform state - must be globally unique any n/a yes
ci_cd_sa Map of IAM Roles to assign to the CI/CD Pipeline Service Account 
list(object({
    name      = string
    iam_roles = list(string)
  }))
 
[
  {
    "iam_roles": [
      "roles/cloudsql.editor",
      "roles/iam.serviceAccountUser",
      "roles/run.admin",
      "roles/storage.admin",
      "roles/cloudfunctions.admin",
      "roles/secretmanager.secretAccessor",
      "roles/dataflow.admin",
      "roles/bigquery.admin",
      "roles/datastore.importExportAdmin",
      "roles/monitoring.admin",
      "roles/clouddeploy.operator"
    ],
    "name": "ci-cd-pipeline"
  }
]
 no
clan_gsuite_group The name of the clan group that needs to be added to the Service GSuite Group string "" no
clan_roles Roles to be added to the clan's group in the staging project list(string) [] no
cloudrun_sa Map of IAM Roles to assign to the CloudRun Runtime Service Account 
list(object({
    name      = string
    iam_roles = list(string)
  }))
 
[
  {
    "iam_roles": [
      "roles/editor",
      "roles/secretmanager.secretAccessor"
    ],
    "name": "cloudrun-runtime"
  }
]
 no
common_iam_roles Default list of IAM Roles to assign to every Services Service Account list(string) 
[
  "roles/monitoring.metricWriter",
  "roles/logging.logWriter",
  "roles/monitoring.viewer",
  "roles/cloudtrace.agent",
  "roles/secretmanager.secretAccessor"
]
 no
compute_project_iam_roles List of IAM Roles to add to default compute service account list(string) n/a yes
compute_sa Compute Engine default service account string n/a yes
compute_project_iam_roles List of IAM Roles to add to default compute service account list(string) 
[
  "roles/clouddeploy.jobRunner",
  "roles/container.developer",
  "roles/storage.objectViewer"
]
 no
create_ci_cd_group If the Service GSuite Group should be created for the CI/CD Service Account bool false no
create_ci_cd_service_account If the CI/CD Service Account should be created bool true no
create_cloudrun_group If the Service GSuite Group should be created for the CloudRun Runtime Service Account bool false no
create_cloudrun_service_account If the CloudRun Runtime Service Account should be created bool true no
create_custom_roles If the Custom Roles from the additioanl-use-access submodule should be created bool true no
create_jit_access If the eligible roles should be created bool false no
create_pact_secrets If the pact-broker secrets should be created bool false no
create_sa If the Service Account should be created bool true no
create_secret_manager_group If the Service GSuite Group should be created for the Secret Manager Access Service Account bool false no
create_secret_manager_service_account If the Secret Manager Access Service Account should be created bool false no
create_service_sa If the Service Account for new Services should be created bool true no
create_services_group If the Service GSuite Group should be created for the Services (services variable) bool true no
credentials JSON encoded service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fallback to GOOGLE_APPLICATION_CREDENTIALS env variable. any null no
custom_external_roles Map of service or service account to external projects to list of iam roles for add map(map(list(string))) {} no
default_service_account Project default service account setting: can be one of delete, deprivilege, disable, or keep. string "deprivilege" no
dns_project_iam_roles List of IAM Roles to add to DNS project list(string) 
[
  "roles/dns.admin"
]
 no
dns_project_id ID of the project hosting Google Cloud DNS string "" no
domain Domain name of the Organization string n/a yes
env_name Environment name (staging/prod). Creation of some resources depends on env_name string "" no
folder_id The ID of a folder to host this project any n/a yes
gcr_project_iam_roles List of IAM Roles to add GCR project list(string) 
[
  "roles/storage.admin",
  "roles/firebase.admin"
]
 no
gcr_project_id ID of the project hosting Google Container Registry string "" no
github_organization GitHub organization to use GitHub prodifer with string "extenda" no
github_token GitHub token value (instead request GCP secret) string "" no
github_token_gcp_project GCP project that contains Secret Manager for Github token string "tf-admin-90301274" no
github_token_gcp_secret SGP secret name for GitHub token string "github-token" no
gke_ca_certificate Kubernetes certificate string "" no
gke_host Kubernetes endpoint string "no-gke-host" no
impersonated_user_email Email account of GSuite Admin user to impersonate for creating GSuite Groups. If not provided, will default to terraform@<var.domain> string "" no
jit_access Map of IAM Roles to assign to the group 
list(object({
    group     = string
    iam_roles = list(string)
  }))
 [] no
labels Map of labels for the project map(string) {} no
name The name for the project any n/a yes
org_id The organization ID any n/a yes
pact_project_id GCP project that contains secrets for pact-broker string "platform-prod-2481" no
pactbroker_pass_secret GCP secret name for pact-broker password string "pactbroker_ro_password" no
pactbroker_user_secret GCP secret name for pact-broker user string "pactbroker_ro_username" no
parent_project_iam_roles List of IAM Roles to add to the parent project list(string) 
[
  "roles/monitoring.admin",
  "roles/iam.serviceAccountUser"
]
 no
parent_project_id ID of the project to which add additional IAM roles for current project's CI/CD service account. Ignore if empty string "" no
pipeline_project_id GCP project that contains secrets for webhook url string "pipeline-secrets-1136" no
platform_project_id ID of the project to which add IAM roles for Binary Auth. string "platform-prod-2481" no
project_type what type of project this is applied to string "clan_project" no
pubsub_dlq_sa Map of IAM Roles to assign to the CI/CD Pipeline Service Account 
list(object({
    name      = string
    iam_roles = list(string)
  }))
 
[
  {
    "iam_roles": [
      "roles/iam.serviceAccountTokenCreator",
      "roles/pubsub.subscriber"
    ],
    "name": "pubsub-dlq-handler"
  }
]
 no
pubsub_dlq_sa_project_id Project id where the cloud function resides ( where we need invoker permission ) string "sre-prod-5462" no
random_project_id Adds a suffix of 4 random characters to the project_id bool true no
repositories The GitHub repositories to update list(string) [] no
secret_manager_sa Map of IAM Roles to assign to the Secret Manager Access Service Account 
list(object({
    name      = string
    iam_roles = list(string)
  }))
 
[
  {
    "iam_roles": [
      "roles/secretmanager.secretAccessor"
    ],
    "name": "secret-accessor"
  }
]
 no
service_accounts Map of IAM Roles to assign to the Service Account 
list(object({
    name      = string
    iam_roles = list(string)
  }))
 [] no
service_group_name The name of the group that will be created for a service string "" no
services Map of IAM Roles to assign to the Services Service Account 
list(object({
    name      = string
    iam_roles = list(string)
  }))
 [] no
shared_vpc The ID of the host project which hosts the shared VPC string "" no
shared_vpc_subnets List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) list(string) [] no
slack_notify_secret GCP secret name for slack token string "slack_notify_token" no

Outputs

Name Description
ci_cd_service_account_email The CI/CD pipeline service account email
ci_cd_service_account_private_key_encoded The CI/CD pipeline service account base64 encoded JSON key
cloudrun_service_account_email The Cloud Run service account email
enabled_apis Enabled APIs in the project
gsuite_group_email The GSuite group emails created per each service
project_id The project ID
project_name The project name
project_number The project number
secret_manager_service_account_private_key_encoded The Cloud Run service account base64 encoded JSON key
service_account_email The default service acccount email
service_account_private_keys_encoded Service accounts base64 encoded JSON keys
service_emails Services service account emails
service_private_keys_encoded The Services service account base64 encoded JSON key
terraform_state_bucket Bucket for saving terraform state of project resources

About

Terraform module for deploying a GCP Project

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases 47

Add loadBalancer Admin to cicd account Latest
Sep 29, 2023
+ 46 releases

Packages

 
 
 

Contributors

Languages