Cloud Foundation project setup module

This module allows you to configure a Google Cloud Platform project.

Compatibility
Features
- VPC Network
- IAM
Usage
Inputs
Outputs
Requirements
License

Compatibility

This module requires terraform version >=1.3.1.

Features

VPC Network

A VPC network will be created in the requested regions. Private Google Access will be enabled, so you can connect to Google Services without public IPs. Private services access is also configured allowing you to run services like Cloud SQL with private IPs. It's also possible to configure Cloud NAT and Serverless VPC Access per region.

For more details please check docs/DEFAULT-VPC.md, especially if you plan to extend it by adding custom subnetworks or similar. Also all used IP address ranges are documented there.

IAM

This module acts "mostly" authoritative on IAM roles. It aims to configure all IAM and Service Account related resources in a central place for easy review and adjustments. All active roles are fetched initially and compared with the roles given via roles input. If a role shouldn't be set the module will create an empty resource for this role, means terraform will remove it. This will result in a module deletion on the next terraform run.

All roles listed for service agents (like for example roles/dataproc.serviceAgent) are ignored, so if a service gets enabled the default permissions granted automatically by Google Cloud Platform to the related service accounts will stay in place. This excludes are configured in data.tf - look for a local variable called role_excludes

Usage

module "project-cfg" {
  source      = "metro-digital/cf-projectcfg/google"
  project_id  = "metro-cf-example-ex1-e8v"

  roles = {
    "roles/bigquery.admin" = [
      "group:[email protected]",
      "user:[email protected]",
      "serviceAccount:[email protected]"
    ],
    "roles/cloudsql.admin" = [
      "group:[email protected]",
    ]
  }
}

Please also take a deeper look into the FAQ - there are additional examples available. Examples how to use Workload Identity Federation with GitHub and similar things are explained giving simple examples.

Inputs

Name	Description	Type	Default	Required
project_id	GCP project ID	`string`	n/a	yes
roles	IAM roles and their members. If you create a service account in this project via the `service_accounts` input, we recommend to use the `project_roles` attribute of the respective service account to grant it permissions on the project's IAM policy. This allows you to better re-use your code in staged environments. Example: roles = { "roles/bigquery.admin" = [ "group:[email protected]", "user:[email protected]", ], "roles/cloudsql.admin" = [ "group:[email protected]", ] }	`map(list(string))`	n/a	yes
custom_roles	Create custom roles and define who gains that role on project level Example: custom_roles = { "appengine.applicationsCreator" = { title = "AppEngine Creator", description = "Custom role to grant permissions for creating App Engine applications.", permissions = [ "appengine.applications.create", ] members = [ "group:[email protected]", ] } }	map(object({ title = string description = string permissions = list(string) members = list(string) }))	`{}`	no
deprivilege_compute_engine_sa	By default the compute engine service account (project-number[email protected]) is assigned `roles/editor` If you want to deprivilege the account set this to true, and grant needed permissions via roles variable. Otherwise the module will grant `roles/editor` to the service account.	`bool`	`false`	no
enabled_services	List of GCP enabled services / APIs to enable. Dependencies will be enabled automatically. Remark: Google sometimes changes (mostly adding) dependencies and will activate those automatically for your project. Therefore being authoritative on services usually causes a lot of trouble. The module doesn't provide any option to be authoritative for this reason. By default we are partly authoritative. This can can be controlled by the `enabled_services_disable_on_destroy` flag. Example: enabled_services = [ "bigquery.googleapis.com", "compute.googleapis.com", "cloudscheduler.googleapis.com", "iap.googleapis.com" ]	`list(string)`	`[]`	no
enabled_services_disable_on_destroy	If true, try to disable a service given via `enabled_services` after its removal from from the list. Defaults to true. May be useful in the event that a project is long-lived but the infrastructure running in that project changes frequently. Can result in failing terraform runs if the removed service is a dependency for any other active service.	`bool`	`true`	no
essential_contacts	Essential contacts receive configurable notifications from Google Cloud Platform based on selected categories. `language`: The preferred language for notifications, as an ISO 639-1 language code. See documentation for a list of supported languages. `categories`: The categories of notifications that the contact will receive communications for. See documentation for a list of supported categories. Remark: The module will enable the essential contacts API automatically once one contact is configured. You still need to grant the role `roles/essentialcontacts.admin` to the principle that is executing the terraform code (most likely your service account used in your pipeline) if you plan to use `github_action_repositories`. Example: essential_contacts = { "[email protected]" = { language = "en" categories = ["ALL"] } "[email protected]" = { language = "en" categories = [ "SUSPENSION", "TECHNICAL" ] } }	map(object({ language = string categories = list(string) }))	`{}`	no
non_authoritative_roles	List of roles (regex) to exclude from authoritative project IAM handling. Roles listed here can have bindings outside of this module. Example: non_authoritative_roles = [ "roles/container.hostServiceAgentUser" ]	`list(string)`	`[]`	no
service_accounts	Service accounts to create for this project. `display_name`: Human-readable name shown in Google Cloud Console `description` (optional): Human-readable description shown in Google Cloud Console `iam` (optional): IAM permissions assigned to this Service Account as a resource. This defines which principal can do something on this Service Account. An example: If you grant `roles/iam.serviceAccountKeyAdmin` to a group here, this group will be able to maintain Service Account keys for this specific SA. If you want to allow this SA to use BigQuery, you need to use the project-wide `roles` input or, even better, use the `project_roles` attribute to do so. `project_roles` (optional): IAM permissions assigned to this Service Account on project level. This parameter is merged with whatever is provided as the project's IAM policy via the `roles` input. `iam_non_authoritative_roles` (optional): Any role given in this list will be added to the authoritative policy with its current value as defined in the Google Cloud Platform. Example use case: Composer 2 adds values to `roles/iam.workloadIdentityUser` binding when an environment is created or updated. Thus, you might want to automatically import those permissions. `github_action_repositories` (optional): You can list GitHub repositories (format: `user/repo`) here. A Workload Identity Pool and a Workload Identity Pool provider needed for Workload Identity Federation will be created automatically. Each repository given gains permissions to authenticate as this service account using Workload Identity Federation. This allows any GitHub Action pipeline to use this service account without the need for service account keys. An example can be found within the FAQ. For more details, see the documentation for Google's GitHub action for authentication: `google-github-actions/auth`. Remark: If you configure `github_action_repositories`, the module binds a member for each repository to the role `roles/iam.workloadIdentityUser` inside the service account's IAM policy. This is done regardless of whether or not you list this role in the `iam_non_authoritative_roles` key. Remark: You need to grant the role `roles/iam.workloadIdentityPoolAdmin` to the principle that is executing the terraform code (most likely your service account used in your pipeline) if you plan to use `github_action_repositories`. Example: service_accounts = { deployments = { display_name = "Deployments" description = "Service Account to deploy application" # Grant this service account Cloud Run Admin on project level project_roles = [ "roles/run.admin" ] # Allow specific group to create keys for this Service Account only iam = { "roles/iam.serviceAccountKeyAdmin" = [ "group:[email protected]", ] } # This service account will be used by GitHub Action deployments in the given repository github_action_repositories = [ "my-user-or-organisation/my-great-repo" ] } bq-reader = { display_name = "BigQuery Reader" description = "Service Account for BigQuery Reader for App XYZ" iam = {} # No special Service Account resource IAM permissions } composer = { display_name = "Composer" description = "Service Account to run Composer 2" iam = {} # No special Service Account resource IAM permissions iam_non_authoritative_roles = [ # maintained by Composer service automatically - imports any existing value "roles/iam.workloadIdentityUser" ] } } }	map(object({ display_name = string description = optional(string) iam = map(list(string)) project_roles = optional(list(string)) iam_non_authoritative_roles = optional(list(string)) github_action_repositories = optional(list(string)) }))	`{}`	no
skip_default_vpc_creation	When set to true the module will not create the default VPC or any related resource like NAT Gateway or serverless VPC access configuration.	`bool`	`false`	no
vpc_regions	Enabled regions and configuration Example: vpc_regions = { europe-west1 = { # Create a subnetwork in europe-west1 vpcaccess = true # Enable serverless VPC access for this region nat = 2 # Create a Cloud NAT with 2 (static) external IP addresses (IPv4) in this region nat_min_ports_per_vm = 64 # Minimum number of ports allocated to a VM from the NAT defined above (Note: this option is optional, but must be defined for all the regions if it is set for at least one) gke_secondary_ranges = true # Create secondary IP ranges used by GKE with VPC-native clusters (gke-services & gke-pods) proxy_only = true # Create an additional "proxy-only" network in this region used by L7 load balancers }, europe-west4 = { # Create a subnetwork in europe-west4 vpcaccess = false # Disable serverless VPC access for this region nat = 0 # No Cloud NAT for this region nat_min_ports_per_vm = 0 # Since the `nat_min_ports_per_vm` was set for the region above, its definition is required here. gke_secondary_ranges = false # Since the `gke_secondary_ranges` was set for the region above, its definition is required here. proxy_only = false # Since the `proxy_only` was set for the region above, its definition is required here. }, } By default the module will create a subnetwork in europe-west1 but do not launch any additional features like NAT or VPC access. Secondary ranges for GKE are disabled, too.	map(object({ vpcaccess = bool nat = number nat_min_ports_per_vm = optional(number) gke_secondary_ranges = optional(bool) proxy_only = optional(bool) }))	{ "europe-west1": { "nat": 0, "vpcaccess": false } }	no
workload_identity_pool_attribute_mapping	Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes Note Teams must be cautious before modifying the attribute mapping as it may cause undesired permission issues. See documentation Example: { "google.subject" = "assertion.sub" "attribute.actor" = "assertion.actor" "attribute.aud" = "assertion.aud" "attribute.repository" = "assertion.repository" "attribute.repository_owner" = "assertion.repository_owner" }	`map(any)`	{ "attribute.repository": "assertion.repository", "google.subject": "assertion.sub" }	no

Outputs

Name	Description
project_id	GCP project ID
service_accounts	List of service accounts created

Requirements

This module needs some command line utils to be installed:

curl
jq
dig
xargs

License

This project is licensed under the terms of the Apache License 2.0

This terraform module depends on providers from HashiCorp, Inc. which are licensed under MPL-2.0. You can obtain the respective source code for these provider here:

This terraform module uses pre-commit hooks which are licensed under MPL-2.0. You can obtain the respective source code here:

mfmetro / terraform-google-cf-projectcfg Goto Github PK

terraform-google-cf-projectcfg's Introduction

Cloud Foundation project setup module

Table of Contents

Compatibility

Features

VPC Network

IAM

Usage

Inputs

Outputs

Requirements

License

terraform-google-cf-projectcfg's People

Contributors

Stargazers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent