From 427fb23365b4793b74c620bacbf801dc5ddb042e Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Thu, 9 May 2024 08:52:24 -0300 Subject: [PATCH 01/35] first commit --- .../shared/ml_infra_projects.tf | 32 ++++ 4-projects/modules/composer_env/main.tf | 2 +- 4-projects/modules/ml_env/example_vertex.tf | 2 +- .../ml_infra_projects/artifacts_project.tf} | 48 ++--- .../service_catalog_project.tf} | 65 +++---- .../modules/ml_infra_projects/variables.tf | 166 +++++++++++++++++ .../modules/ml_infra_projects/versions.tf | 19 ++ .../modules/ml_single_project/README.md | 44 +++++ 4-projects/modules/ml_single_project/main.tf | 142 +++++++++++++++ .../modules/ml_single_project/outputs.tf | 45 +++++ .../modules/ml_single_project/remote.tf | 29 +++ .../modules/ml_single_project/variables.tf | 172 ++++++++++++++++++ .../modules/ml_single_project/versions.tf | 29 +++ 13 files changed, 724 insertions(+), 71 deletions(-) create mode 100644 4-projects/business_unit_3/shared/ml_infra_projects.tf rename 4-projects/{business_unit_3/shared/example_artifacts.tf => modules/ml_infra_projects/artifacts_project.tf} (60%) rename 4-projects/{business_unit_3/shared/example_service_catalog.tf => modules/ml_infra_projects/service_catalog_project.tf} (60%) create mode 100644 4-projects/modules/ml_infra_projects/variables.tf create mode 100644 4-projects/modules/ml_infra_projects/versions.tf create mode 100644 4-projects/modules/ml_single_project/README.md create mode 100644 4-projects/modules/ml_single_project/main.tf create mode 100644 4-projects/modules/ml_single_project/outputs.tf create mode 100644 4-projects/modules/ml_single_project/remote.tf create mode 100644 4-projects/modules/ml_single_project/variables.tf create mode 100644 4-projects/modules/ml_single_project/versions.tf diff --git a/4-projects/business_unit_3/shared/ml_infra_projects.tf b/4-projects/business_unit_3/shared/ml_infra_projects.tf new file mode 100644 index 00000000..e696300c --- /dev/null 
+++ b/4-projects/business_unit_3/shared/ml_infra_projects.tf @@ -0,0 +1,32 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "ml_infra_project" { + source = "../../modules/ml_infra_projects" + + org_id = local.org_id + folder_id = local.common_folder_name + billing_account = local.billing_account + environment = "common" + key_rings = local.shared_kms_key_ring + business_code = "bu3" + billing_code = "1234" + primary_contact = "example@example.com" + secondary_contact = "example2@example.com" + cloud_source_artifacts_repo_name = var.cloud_source_artifacts_repo_name + cloud_source_service_catalog_repo_name = var.cloud_source_service_catalog_repo_name + remote_state_bucket = var.remote_state_bucket +} diff --git a/4-projects/modules/composer_env/main.tf b/4-projects/modules/composer_env/main.tf index e83cf8cd..7701427e 100644 --- a/4-projects/modules/composer_env/main.tf +++ b/4-projects/modules/composer_env/main.tf @@ -23,7 +23,7 @@ # ] # } module "app_cloudbuild_project" { - source = "../single_project" + source = "../ml_single_project" org_id = local.org_id billing_account = local.billing_account diff --git a/4-projects/modules/ml_env/example_vertex.tf b/4-projects/modules/ml_env/example_vertex.tf index 547bc932..1fdd5dc1 100644 --- a/4-projects/modules/ml_env/example_vertex.tf +++ b/4-projects/modules/ml_env/example_vertex.tf 
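Review bot: The `module "ml_infra_project"` call passes no pipeline service-account input, yet the module files in this same patch (`artifacts_project.tf`, `service_catalog_project.tf`) bind `module.infra_pipelines.terraform_service_accounts[...]` to the new projects' KMS keys and project IAM; unless `ml_infra_projects` defines its own `infra_pipelines` module (none appears in the diffstat), that reference cannot resolve from inside the module. Passing the map explicitly, e.g. `app_infra_pipeline_service_accounts = module.infra_pipelines.terraform_service_accounts`, and reading `var.app_infra_pipeline_service_accounts[...]` inside the module keeps the identity that receives key-admin rights an explicit, reviewable input of the module. The hard-coded `billing_code = "1234"` and `example@example.com` contacts also look like placeholders carried over from the old example; since they end up as project labels, a short comment marking them as values to replace would help whoever copies this block.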
@@ -31,7 +31,7 @@ locals { } module "machine_learning_project" { - source = "../single_project" + source = "../ml_single_project" org_id = local.org_id billing_account = local.billing_account diff --git a/4-projects/business_unit_3/shared/example_artifacts.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf similarity index 60% rename from 4-projects/business_unit_3/shared/example_artifacts.tf rename to 4-projects/modules/ml_infra_projects/artifacts_project.tf index a24433bc..0cfe904b 100644 --- a/4-projects/business_unit_3/shared/example_artifacts.tf +++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf @@ -27,16 +27,15 @@ locals { } module "app_infra_artifacts_project" { - source = "../../modules/single_project" - # count = local.enable_cloudbuild_deploy ? 1 : 0 + source = "../ml_single_project" - org_id = local.org_id - billing_account = local.billing_account - folder_id = local.common_folder_name - environment = "common" + org_id = var.org_id + billing_account = var.billing_account + folder_id = var.folder_id + environment = var.environment project_budget = var.project_budget - project_prefix = local.project_prefix - key_rings = local.shared_kms_key_ring + project_prefix = var.project_prefix + key_rings = var.key_rings remote_state_bucket = var.remote_state_bucket activate_apis = [ "artifactregistry.googleapis.com", 
@@ -51,46 +50,35 @@ module "app_infra_artifacts_project" { # Metadata project_suffix = "artifacts" application_name = "app-infra-artifacts" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu3" + billing_code = var.billing_code + primary_contact = var.primary_contact + secondary_contact = var.secondary_contact + business_code = var.business_code } -# resource "google_kms_crypto_key" "ml_key" { -# for_each = toset(local.shared_kms_key_ring) -# name = module.app_infra_artifacts_project[0].project_name -# key_ring = each.key -# rotation_period = var.key_rotation_period -# lifecycle { -# prevent_destroy = false -# } -# } - resource "google_kms_crypto_key_iam_member" "ml_key" { - for_each = module.app_infra_cloudbuild_project[0].kms_keys + for_each = module.app_infra_artifacts_project.kms_keys crypto_key_id = each.value.id role = "roles/cloudkms.admin" - member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]}" + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-artifact-publish"]}" } resource "google_project_iam_member" "artifact_tf_sa_roles" { for_each = toset(local.artifact_tf_sa_roles) - project = module.app_infra_artifacts_project[0].project_id + project = module.app_infra_artifacts_project.project_id role = each.key - member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]}" + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-artifact-publish"]}" } // Add Service Agent for Cloud Build resource "google_project_iam_member" "artifact_cloudbuild_agent" { - project = module.app_infra_artifacts_project[0].project_id + project = module.app_infra_artifacts_project.project_id role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${module.app_infra_artifacts_project[0].project_number}@cloudbuild.gserviceaccount.com" + 
member = "serviceAccount:${module.app_infra_artifacts_project.project_number}@cloudbuild.gserviceaccount.com" } // Add Repository for Artifact repo - resource "google_sourcerepo_repository" "artifact_repo" { - project = module.app_infra_artifacts_project[0].project_id + project = module.app_infra_artifacts_project.project_id name = var.cloud_source_artifacts_repo_name } diff --git a/4-projects/business_unit_3/shared/example_service_catalog.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf similarity index 60% rename from 4-projects/business_unit_3/shared/example_service_catalog.tf rename to 4-projects/modules/ml_infra_projects/service_catalog_project.tf index 46cae7ab..7f1f45c9 100644 --- a/4-projects/business_unit_3/shared/example_service_catalog.tf +++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf @@ -26,16 +26,15 @@ locals { } module "app_service_catalog_project" { - source = "../../modules/single_project" - # count = local.enable_cloudbuild_deploy ? 1 : 0 + source = "../ml_single_project" - org_id = local.org_id - billing_account = local.billing_account - folder_id = local.common_folder_name - environment = "common" + org_id = var.org_id + billing_account = var.billing_account + folder_id = var.folder_id + environment = var.environment project_budget = var.project_budget - project_prefix = local.project_prefix - key_rings = local.shared_kms_key_ring + project_prefix = var.project_prefix + key_rings = var.key_rings remote_state_bucket = var.remote_state_bucket activate_apis = [ "logging.googleapis.com", 
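Review bot: `business_code` is now a module input, but the lookup key `terraform_service_accounts["bu3-artifact-publish"]` in `google_kms_crypto_key_iam_member.ml_key` and `google_project_iam_member.artifact_tf_sa_roles` stays hard-coded, so a caller using another business code would still grant bu3's pipeline identity `roles/cloudkms.admin` on its keys and the admin role set on its project. Deriving the key from the input, `"${var.business_code}-artifact-publish"`, keeps the grant tied to the business unit that owns the project. Separately, `roles/cloudkms.admin` on the project key lets that pipeline SA rewrite the key's IAM policy and rotation settings; if the pipeline only needs to encrypt and decrypt, `roles/cloudkms.cryptoKeyEncrypterDecrypter` is the narrower grant, as the service catalog file in this patch already uses in `storage-kms-key-binding`. The `module "app_infra_artifacts_project"` block this hunk closes starts in the previous hunk.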
@@ -47,31 +46,31 @@ module "app_service_catalog_project" { "sourcerepo.googleapis.com", ] # Metadata - project_suffix = var.cloud_source_service_catalog_repo_name + project_suffix = "service-catalog" application_name = "app-infra-ml" - billing_code = "1234" - primary_contact = "example@example.com" - secondary_contact = "example2@example.com" - business_code = "bu3" + billing_code = var.billing_code + primary_contact = var.primary_contact + secondary_contact = var.secondary_contact + business_code = var.business_code } resource "google_kms_crypto_key_iam_member" "sc_key" { - for_each = module.app_service_catalog_project[0].kms_keys + for_each = module.app_service_catalog_project.kms_keys crypto_key_id = each.value.id role = "roles/cloudkms.admin" - member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}" + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" } // Grab Service Agent for Secret Manager resource "google_project_service_identity" "secretmanager_agent" { provider = google-beta - project = module.app_service_catalog_project[0].project_id + project = module.app_service_catalog_project.project_id service = "secretmanager.googleapis.com" } // Add Secret Manager Service Agent to key with encrypt/decrypt permissions resource "google_kms_crypto_key_iam_member" "secretmanager_agent" { - for_each = module.app_service_catalog_project[0].kms_keys + for_each = module.app_service_catalog_project.kms_keys crypto_key_id = each.value.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" member = "serviceAccount:${google_project_service_identity.secretmanager_agent.email}" 
@@ -80,55 +79,43 @@ resource "google_kms_crypto_key_iam_member" "secretmanager_agent" { // Grab Service Agent for Storage resource "google_project_service_identity" "storage" { provider = google-beta - project = module.app_service_catalog_project[0].project_id + project = module.app_service_catalog_project.project_id service = "storage.googleapis.com" } // Add Service Agent for Storage resource "google_kms_crypto_key_iam_member" "storage_agent" { - for_each = module.app_service_catalog_project[0].kms_keys + for_each = module.app_service_catalog_project.kms_keys crypto_key_id = each.value.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - member = "serviceAccount:service-${module.app_service_catalog_project[0].project_number}@gs-project-accounts.iam.gserviceaccount.com" + member = "serviceAccount:service-${module.app_service_catalog_project.project_number}@gs-project-accounts.iam.gserviceaccount.com" depends_on = [google_project_service_identity.storage] } // Add infra pipeline SA encrypt/decrypt permissions resource "google_kms_crypto_key_iam_member" "storage-kms-key-binding" { - for_each = module.app_service_catalog_project[0].kms_keys + for_each = module.app_service_catalog_project.kms_keys crypto_key_id = each.value.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}" + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" } resource "google_project_iam_member" "service_catalog_tf_sa_roles" { for_each = toset(local.service_catalog_tf_sa_roles) - project = module.app_service_catalog_project[0].project_id + project = module.app_service_catalog_project.project_id role = each.key - member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}" + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" } // Add Service 
Agent for Cloud Build resource "google_project_iam_member" "cloudbuild_agent" { - project = module.app_service_catalog_project[0].project_id + project = module.app_service_catalog_project.project_id role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${module.app_service_catalog_project[0].project_number}@cloudbuild.gserviceaccount.com" + member = "serviceAccount:${module.app_service_catalog_project.project_number}@cloudbuild.gserviceaccount.com" } // Add Service Catalog Source Repository - resource "google_sourcerepo_repository" "service_catalog" { - project = module.app_service_catalog_project[0].project_id + project = module.app_service_catalog_project.project_id name = var.cloud_source_service_catalog_repo_name } - -/** - * When Jenkins CICD is used for deployment this resource - * is created to terraform validation works. - * Without this resource, this module creates zero resources - * and it breaks terraform validation throwing the error below: - * ERROR: [Terraform plan json does not contain resource_changes key] - */ -resource "null_resource" "jenkins_cicd_service_catalog" { - count = !local.enable_cloudbuild_deploy ? 1 : 0 -} diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf new file mode 100644 index 00000000..1feccad5 --- /dev/null +++ b/4-projects/modules/ml_infra_projects/variables.tf 
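Review bot: `google_project_iam_member.cloudbuild_agent` grants `roles/secretmanager.secretAccessor` at project scope to the legacy Cloud Build service account, so every build in the service catalog project can read every secret in it, including any created later. If the builds need specific secrets, a `google_secret_manager_secret_iam_member` on those secrets is the narrower binding; if the set is not known at this layer, a comment above the resource saying why project scope is required would help the next reviewer. The same pipeline SA also holds `roles/cloudkms.admin` on the project keys via `sc_key` in the earlier hunk, which permits changing the key's own IAM policy, while `storage-kms-key-binding` already gives it `roles/cloudkms.cryptoKeyEncrypterDecrypter`; a note on why admin is needed on top of the usage role would make the privilege level auditable.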
@@ -0,0 +1,166 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "org_id" { + description = "The organization id for the associated services" + type = string +} + +variable "billing_account" { + description = "The ID of the billing account to associated this project with" + type = string +} + +variable "folder_id" { + description = "The folder id where project will be created" + type = string +} + +variable "environment" { + description = "The environment the single project belongs to" + type = string +} + +variable "project_budget" { + description = < +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| activate\_apis | The api to activate for the GCP project | `list(string)` | `[]` | no | +| app\_infra\_pipeline\_service\_accounts | The Service Accounts from App Infra Pipeline. | `map(string)` | `{}` | no | +| application\_name | The name of application where GCP resources relate | `string` | n/a | yes | +| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | +| billing\_code | The code that's used to provide chargeback information | `string` | n/a | yes | +| business\_code | The code that describes which business unit owns the project | `string` | `"abcd"` | no | +| default\_service\_account | Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`. 
| `string` | `"disable"` | no | +| enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build | `bool` | `false` | no | +| environment | The environment the single project belongs to | `string` | n/a | yes | +| folder\_id | The folder id where project will be created | `string` | n/a | yes | +| key\_rings | Keyrings to attach project key to | `list(string)` | n/a | yes | +| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | +| org\_id | The organization id for the associated services | `string` | n/a | yes | +| primary\_contact | The primary email contact for the project | `string` | n/a | yes | +| project\_budget | Budget configuration.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
budget_amount = optional(number, 1000)
alert_spent_percents = optional(list(number), [1.2])
alert_pubsub_topic = optional(string, null)
alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | +| project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no | +| project\_suffix | The name of the GCP project. Max 16 characters with 3 character business unit code. | `string` | n/a | yes | +| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | +| sa\_roles | A list of roles to give the Service Account from App Infra Pipeline. | `map(list(string))` | `{}` | no | +| secondary\_contact | The secondary email contact for the project | `string` | `""` | no | +| shared\_vpc\_host\_project\_id | Shared VPC host project ID | `string` | `""` | no | +| shared\_vpc\_subnets | List of the shared vpc subnets self links. | `list(string)` | `[]` | no | +| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no | +| vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no | +| vpc\_service\_control\_sleep\_duration | The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter | `string` | `"5s"` | no | +| vpc\_type | The type of VPC to attach the project to. Possible options are base or restricted. | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| enabled\_apis | VPC Service Control services. | +| kms\_keys | keys created for the project | +| project\_id | Project sample project id. | +| project\_name | Name of the Project. | +| project\_number | Project sample project number. | +| sa | Project SA email | + + diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf new file mode 100644 index 00000000..e493ef2a --- /dev/null +++ b/4-projects/modules/ml_single_project/main.tf 
@@ -0,0 +1,142 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + env_code = element(split("", var.environment), 0) + source_repos = setintersection( + toset(keys(var.app_infra_pipeline_service_accounts)), + toset(keys(var.sa_roles)) + ) + pipeline_roles = var.enable_cloudbuild_deploy ? flatten([ + for repo in local.source_repos : [ + for role in var.sa_roles[repo] : + { + repo = repo + role = role + sa = var.app_infra_pipeline_service_accounts[repo] + } + ] + ]) : [] + + pipeline_kms_sas = var.enable_cloudbuild_deploy ? flatten([ + for repo in keys(var.sa_roles) : [ + var.app_infra_pipeline_service_accounts[repo] + ] + ]) : [] + + network_user_role = var.enable_cloudbuild_deploy ? 
flatten([ + for repo in local.source_repos : [ + for subnet in var.shared_vpc_subnets : + { + repo = repo + subnet = element(split("/", subnet), index(split("/", subnet), "subnetworks", ) + 1, ) + region = element(split("/", subnet), index(split("/", subnet), "regions") + 1, ) + sa = var.app_infra_pipeline_service_accounts[repo] + } + ] + ]) : [] +} + +module "project" { + source = "terraform-google-modules/project-factory/google" + version = "~> 14.1" + + random_project_id = true + random_project_id_length = 4 + activate_apis = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"])) + name = "${var.project_prefix}-${local.env_code}-${var.business_code}${var.project_suffix}" + org_id = var.org_id + billing_account = var.billing_account + folder_id = var.folder_id + default_service_account = var.default_service_account + + svpc_host_project_id = var.shared_vpc_host_project_id + shared_vpc_subnets = var.shared_vpc_subnets # Optional: To enable subnetting, replace to "module.networking_project.subnetwork_self_link" + + vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled + vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name + vpc_service_control_sleep_duration = var.vpc_service_control_sleep_duration + + labels = { + environment = var.environment + application_name = var.application_name + billing_code = var.billing_code + primary_contact = element(split("@", var.primary_contact), 0) + secondary_contact = element(split("@", var.secondary_contact), 0) + business_code = var.business_code + env_code = local.env_code + vpc_type = var.vpc_type + } + budget_alert_pubsub_topic = var.project_budget.alert_pubsub_topic + budget_alert_spent_percents = var.project_budget.alert_spent_percents + budget_amount = var.project_budget.budget_amount + budget_alert_spend_basis = var.project_budget.alert_spend_basis +} + +# Additional roles to the App Infra Pipeline service account +resource "google_project_iam_member" 
"app_infra_pipeline_sa_roles" { + for_each = { for pr in local.pipeline_roles : "${pr.repo}-${pr.sa}-${pr.role}" => pr } + + project = module.project.project_id + role = each.value.role + member = "serviceAccount:${each.value.sa}" +} + +resource "google_folder_iam_member" "folder_network_viewer" { + for_each = var.app_infra_pipeline_service_accounts + + folder = var.folder_id + role = "roles/compute.networkViewer" + member = "serviceAccount:${each.value}" +} + +resource "google_project_iam_member" "shared_vpc_network_viewer" { + for_each = var.shared_vpc_host_project_id != "" ? toset(local.pipeline_kms_sas) : toset([]) + + project = var.shared_vpc_host_project_id + role = "roles/compute.networkViewer" + member = "serviceAccount:${each.key}" +} + +resource "google_compute_subnetwork_iam_member" "account_role_to_vpc_subnets" { + provider = google-beta + for_each = { for nr in local.network_user_role : "${nr.repo}-${nr.subnet}-${nr.sa}" => nr } + + subnetwork = each.value.subnet + role = "roles/compute.networkUser" + region = each.value.region + project = var.shared_vpc_host_project_id + member = "serviceAccount:${each.value.sa}" +} + +// Add key for project +resource "google_kms_crypto_key" "kms_keys" { + for_each = toset(var.key_rings) + name = module.project.project_name + key_ring = each.key + rotation_period = var.key_rotation_period + lifecycle { + prevent_destroy = false + } +} + +// Add crypto key viewer role to kms environment project +resource "google_project_iam_member" "kms_viewer" { + for_each = var.environment != "common" ? toset(local.pipeline_kms_sas) : toset([]) + project = local.environment_kms_project_id + role = "roles/cloudkms.viewer" + member = "serviceAccount:${each.key}" +} diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf new file mode 100644 index 00000000..cafb196b --- /dev/null +++ b/4-projects/modules/ml_single_project/outputs.tf 
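Review bot: `local.pipeline_kms_sas` indexes `var.app_infra_pipeline_service_accounts[repo]` for every key of `var.sa_roles` without the `setintersection` that `local.pipeline_roles` applies, so a repo named in `sa_roles` but absent from the service-account map fails the plan with an invalid-index error instead of being skipped; iterating `local.source_repos` there, `for repo in local.source_repos : [ var.app_infra_pipeline_service_accounts[repo] ]`, makes the two locals agree. `google_folder_iam_member.folder_network_viewer` is also the only pipeline binding in the file not gated on `var.enable_cloudbuild_deploy`, so every SA in the map receives folder-wide `roles/compute.networkViewer` even when Cloud Build deployment is disabled; `for_each = var.enable_cloudbuild_deploy ? var.app_infra_pipeline_service_accounts : {}` matches the rest of the block. Finally, `google_kms_crypto_key.kms_keys` sets `prevent_destroy = false` on keys that the sibling module files appear to use as CMEK for Secret Manager and Storage, so a destroy of this module schedules key destruction along with anything encrypted under them; a comment stating that this is intentional, or flipping it to `true`, is worth adding.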
@@ -0,0 +1,45 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "project_id" { + description = "Project sample project id." + value = module.project.project_id +} + +output "sa" { + description = "Project SA email" + value = module.project.service_account_email +} + +output "project_number" { + description = "Project sample project number." + value = module.project.project_number +} + +output "enabled_apis" { + description = "VPC Service Control services." + value = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"])) +} + +output "project_name" { + description = "Name of the Project." + value = module.project.project_name +} + +output "kms_keys" { + description = "keys created for the project" + value = { for k, v in google_kms_crypto_key.kms_keys : split("/", k)[3] => v } +} diff --git a/4-projects/modules/ml_single_project/remote.tf b/4-projects/modules/ml_single_project/remote.tf new file mode 100644 index 00000000..1b2d3c5e --- /dev/null +++ b/4-projects/modules/ml_single_project/remote.tf 
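Review bot: `output "kms_keys"` keys the map by `split("/", k)[3]`, and since `google_kms_crypto_key.key_ring` takes the full `projects/…/locations/…/keyRings/…` name, element 3 is the location rather than the ring name; two entries of `var.key_rings` in the same location would then collide and the for-expression fails with a duplicate-key error. If one ring per location is the intended contract (as the `shared_kms_key_ring` input at the call site suggests), a comment such as `# keyed by key-ring location; var.key_rings must hold at most one ring per location` documents it, otherwise `split("/", k)[5]` keys by ring name. The `enabled_apis` description `"VPC Service Control services."` also does not match the value, which is the activated API list plus `billingbudgets.googleapis.com`; `"APIs enabled on the project (activate_apis plus billingbudgets)."` is more accurate.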
@@ -0,0 +1,29 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + environment_kms_project_id = try(data.terraform_remote_state.environments_env.outputs.env_kms_project_id, "") +} + +data "terraform_remote_state" "environments_env" { + backend = "gcs" + + config = { + bucket = var.remote_state_bucket + prefix = "terraform/environments/${var.environment}" + } +} + diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf new file mode 100644 index 00000000..751bba9d --- /dev/null +++ b/4-projects/modules/ml_single_project/variables.tf 
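Review bot: `local.environment_kms_project_id` falls back to `""` via `try(...)` when the `environments/${var.environment}` state has no `env_kms_project_id` output, and `google_project_iam_member.kms_viewer` in main.tf then targets `project = ""` for any non-common environment, which surfaces as an opaque provider error rather than a clear message about the missing upstream output. Since the only consumer visible in this patch skips the `common` environment, making the fallback explicit avoids the silent empty string: `environment_kms_project_id = var.environment == "common" ? "" : data.terraform_remote_state.environments_env.outputs.env_kms_project_id`. If the `try` exists because some non-common state legitimately lacks the output, a comment saying so, plus a precondition on the value being non-empty where it is used, would make that contract visible.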
@@ -0,0 +1,172 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "org_id" { + description = "The organization id for the associated services" + type = string +} + +variable "folder_id" { + description = "The folder id where project will be created" + type = string +} + +variable "billing_account" { + description = "The ID of the billing account to associated this project with" + type = string +} + +variable "project_suffix" { + description = "The name of the GCP project. Max 16 characters with 3 character business unit code." 
+ type = string +} + +variable "application_name" { + description = "The name of application where GCP resources relate" + type = string +} + +variable "billing_code" { + description = "The code that's used to provide chargeback information" + type = string +} + +variable "primary_contact" { + description = "The primary email contact for the project" + type = string +} + +variable "secondary_contact" { + description = "The secondary email contact for the project" + type = string + default = "" +} + +variable "business_code" { + description = "The code that describes which business unit owns the project" + type = string + default = "abcd" +} + +variable "activate_apis" { + description = "The api to activate for the GCP project" + type = list(string) + default = [] +} + +variable "environment" { + description = "The environment the single project belongs to" + type = string +} + +variable "vpc_type" { + description = "The type of VPC to attach the project to. Possible options are base or restricted." + type = string + default = "" +} + +variable "shared_vpc_host_project_id" { + description = "Shared VPC host project ID" + type = string + default = "" +} + +variable "shared_vpc_subnets" { + description = "List of the shared vpc subnets self links." 
+ type = list(string) + default = [] +} + +variable "vpc_service_control_attach_enabled" { + description = "Whether the project will be attached to a VPC Service Control Perimeter" + type = bool + default = false +} + +variable "vpc_service_control_perimeter_name" { + description = "The name of a VPC Service Control Perimeter to add the created project to" + type = string + default = null +} + +variable "vpc_service_control_sleep_duration" { + description = "The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter" + type = string + default = "5s" +} + +variable "project_budget" { + description = < Date: Thu, 9 May 2024 09:11:13 -0300 Subject: [PATCH 02/35] restore files --- 4-projects/modules/composer_env/main.tf | 2 +- 4-projects/modules/ml_env/example_vertex.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/4-projects/modules/composer_env/main.tf b/4-projects/modules/composer_env/main.tf index 7701427e..e83cf8cd 100644 --- a/4-projects/modules/composer_env/main.tf +++ b/4-projects/modules/composer_env/main.tf @@ -23,7 +23,7 @@ # ] # } module "app_cloudbuild_project" { - source = "../ml_single_project" + source = "../single_project" org_id = local.org_id billing_account = local.billing_account diff --git a/4-projects/modules/ml_env/example_vertex.tf b/4-projects/modules/ml_env/example_vertex.tf index 1fdd5dc1..547bc932 100644 --- a/4-projects/modules/ml_env/example_vertex.tf +++ b/4-projects/modules/ml_env/example_vertex.tf @@ -31,7 +31,7 @@ locals { } module "machine_learning_project" { - source = "../ml_single_project" + source = "../single_project" org_id = local.org_id billing_account = local.billing_account From f81d4cf4f116689b453981ff910fadc7babd5193 Mon Sep 17 00:00:00 2001 
From: caetano-colin Date: Thu, 9 May 2024 09:13:28 -0300 Subject: [PATCH 03/35] add new files --- .../{artifacts_project.tf => example_artifacts.tf} | 0 .../{service_catalog_project.tf => example_service_catalog.tf} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename 4-projects/modules/ml_infra_projects/{artifacts_project.tf => example_artifacts.tf} (100%) rename 4-projects/modules/ml_infra_projects/{service_catalog_project.tf => example_service_catalog.tf} (100%) diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/example_artifacts.tf similarity index 100% rename from 4-projects/modules/ml_infra_projects/artifacts_project.tf rename to 4-projects/modules/ml_infra_projects/example_artifacts.tf diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/example_service_catalog.tf similarity index 100% rename from 4-projects/modules/ml_infra_projects/service_catalog_project.tf rename to 4-projects/modules/ml_infra_projects/example_service_catalog.tf From 0cd451f29cfab733931526c5c3b30d2f362d55ee Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Thu, 9 May 2024 09:14:54 -0300 Subject: [PATCH 04/35] add copies --- .../ml_infra_projects/artifacts_project.tf | 84 ++++++++++++ .../service_catalog_project.tf | 121 ++++++++++++++++++ 2 files changed, 205 insertions(+) create mode 100644 4-projects/modules/ml_infra_projects/artifacts_project.tf create mode 100644 4-projects/modules/ml_infra_projects/service_catalog_project.tf diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf new file mode 100644 index 00000000..0cfe904b --- /dev/null +++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf 
@@ -0,0 +1,84 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + artifact_tf_sa_roles = [ + "roles/artifactregistry.admin", + "roles/cloudbuild.builds.editor", + "roles/cloudbuild.connectionAdmin", + "roles/iam.serviceAccountAdmin", + "roles/secretmanager.admin", + "roles/source.admin", + "roles/storage.admin", + ] + +} +module "app_infra_artifacts_project" { + source = "../ml_single_project" + + org_id = var.org_id + billing_account = var.billing_account + folder_id = var.folder_id + environment = var.environment + project_budget = var.project_budget + project_prefix = var.project_prefix + key_rings = var.key_rings + remote_state_bucket = var.remote_state_bucket + activate_apis = [ + "artifactregistry.googleapis.com", + "logging.googleapis.com", + "billingbudgets.googleapis.com", + "serviceusage.googleapis.com", + "storage.googleapis.com", + "cloudbuild.googleapis.com", + "secretmanager.googleapis.com", + "sourcerepo.googleapis.com", + ] + # Metadata + project_suffix = "artifacts" + application_name = "app-infra-artifacts" + billing_code = var.billing_code + primary_contact = var.primary_contact + secondary_contact = var.secondary_contact + business_code = var.business_code +} + +resource "google_kms_crypto_key_iam_member" "ml_key" { + for_each = module.app_infra_artifacts_project.kms_keys + crypto_key_id = each.value.id + role = "roles/cloudkms.admin" + member = 
"serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-artifact-publish"]}" +} + +resource "google_project_iam_member" "artifact_tf_sa_roles" { + for_each = toset(local.artifact_tf_sa_roles) + project = module.app_infra_artifacts_project.project_id + role = each.key + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-artifact-publish"]}" +} + +// Add Service Agent for Cloud Build +resource "google_project_iam_member" "artifact_cloudbuild_agent" { + project = module.app_infra_artifacts_project.project_id + role = "roles/secretmanager.secretAccessor" + member = "serviceAccount:${module.app_infra_artifacts_project.project_number}@cloudbuild.gserviceaccount.com" +} + +// Add Repository for Artifact repo +resource "google_sourcerepo_repository" "artifact_repo" { + project = module.app_infra_artifacts_project.project_id + name = var.cloud_source_artifacts_repo_name +} diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf new file mode 100644 index 00000000..7f1f45c9 --- /dev/null +++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf 
@@ -0,0 +1,121 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + service_catalog_tf_sa_roles = [ + "roles/cloudbuild.builds.editor", + "roles/iam.serviceAccountAdmin", + "roles/cloudbuild.connectionAdmin", + "roles/secretmanager.admin", + "roles/storage.admin", + "roles/source.admin", + ] +} + +module "app_service_catalog_project" { + source = "../ml_single_project" + + org_id = var.org_id + billing_account = var.billing_account + folder_id = var.folder_id + environment = var.environment + project_budget = var.project_budget + project_prefix = var.project_prefix + key_rings = var.key_rings + remote_state_bucket = var.remote_state_bucket + activate_apis = [ + "logging.googleapis.com", + "storage.googleapis.com", + "serviceusage.googleapis.com", + "secretmanager.googleapis.com", + "cloudbuild.googleapis.com", + "cloudresourcemanager.googleapis.com", + "sourcerepo.googleapis.com", + ] + # Metadata + project_suffix = "service-catalog" + application_name = "app-infra-ml" + billing_code = var.billing_code + primary_contact = var.primary_contact + secondary_contact = var.secondary_contact + business_code = var.business_code +} + +resource "google_kms_crypto_key_iam_member" "sc_key" { + for_each = module.app_service_catalog_project.kms_keys + crypto_key_id = each.value.id + role = "roles/cloudkms.admin" + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" +} + 
+// Grab Service Agent for Secret Manager +resource "google_project_service_identity" "secretmanager_agent" { + provider = google-beta + project = module.app_service_catalog_project.project_id + service = "secretmanager.googleapis.com" +} + +// Add Secret Manager Service Agent to key with encrypt/decrypt permissions +resource "google_kms_crypto_key_iam_member" "secretmanager_agent" { + for_each = module.app_service_catalog_project.kms_keys + crypto_key_id = each.value.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:${google_project_service_identity.secretmanager_agent.email}" +} + +// Grab Service Agent for Storage +resource "google_project_service_identity" "storage" { + provider = google-beta + project = module.app_service_catalog_project.project_id + service = "storage.googleapis.com" +} +// Add Service Agent for Storage +resource "google_kms_crypto_key_iam_member" "storage_agent" { + for_each = module.app_service_catalog_project.kms_keys + crypto_key_id = each.value.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${module.app_service_catalog_project.project_number}@gs-project-accounts.iam.gserviceaccount.com" + + depends_on = [google_project_service_identity.storage] +} + +// Add infra pipeline SA encrypt/decrypt permissions +resource "google_kms_crypto_key_iam_member" "storage-kms-key-binding" { + for_each = module.app_service_catalog_project.kms_keys + crypto_key_id = each.value.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" +} + +resource "google_project_iam_member" "service_catalog_tf_sa_roles" { + for_each = toset(local.service_catalog_tf_sa_roles) + project = module.app_service_catalog_project.project_id + role = each.key + member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" +} + +// Add Service Agent for Cloud 
Build +resource "google_project_iam_member" "cloudbuild_agent" { + project = module.app_service_catalog_project.project_id + role = "roles/secretmanager.secretAccessor" + member = "serviceAccount:${module.app_service_catalog_project.project_number}@cloudbuild.gserviceaccount.com" +} + +// Add Service Catalog Source Repository +resource "google_sourcerepo_repository" "service_catalog" { + project = module.app_service_catalog_project.project_id + name = var.cloud_source_service_catalog_repo_name +} From 29e6e70e079e0533eceb9ff8e227a530fa6eedf9 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Thu, 9 May 2024 09:15:19 -0300 Subject: [PATCH 05/35] remove old files --- .../ml_infra_projects/example_artifacts.tf | 84 ------------ .../example_service_catalog.tf | 121 ------------------ 2 files changed, 205 deletions(-) delete mode 100644 4-projects/modules/ml_infra_projects/example_artifacts.tf delete mode 100644 4-projects/modules/ml_infra_projects/example_service_catalog.tf diff --git a/4-projects/modules/ml_infra_projects/example_artifacts.tf b/4-projects/modules/ml_infra_projects/example_artifacts.tf deleted file mode 100644 index 0cfe904b..00000000 --- a/4-projects/modules/ml_infra_projects/example_artifacts.tf +++ /dev/null 
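Review bot: `storage_agent` binds a hand-built member `service-${module.app_service_catalog_project.project_number}@gs-project-accounts.iam.gserviceaccount.com` and only uses `google_project_service_identity.storage` through `depends_on`, whereas `secretmanager_agent` reads `.email` from its identity resource. If the provider does not populate `email` for storage.googleapis.com (presumably the reason for the literal), a comment saying so would stop the next reader from "fixing" it; otherwise `member = "serviceAccount:${google_project_service_identity.storage.email}"` keeps both bindings consistent. `storage-kms-key-binding` is the only resource name in the file using hyphens; `storage_kms_key_binding` matches the rest.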
@@ -1,84 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - artifact_tf_sa_roles = [ - "roles/artifactregistry.admin", - "roles/cloudbuild.builds.editor", - "roles/cloudbuild.connectionAdmin", - "roles/iam.serviceAccountAdmin", - "roles/secretmanager.admin", - "roles/source.admin", - "roles/storage.admin", - ] - -} -module "app_infra_artifacts_project" { - source = "../ml_single_project" - - org_id = var.org_id - billing_account = var.billing_account - folder_id = var.folder_id - environment = var.environment - project_budget = var.project_budget - project_prefix = var.project_prefix - key_rings = var.key_rings - remote_state_bucket = var.remote_state_bucket - activate_apis = [ - "artifactregistry.googleapis.com", - "logging.googleapis.com", - "billingbudgets.googleapis.com", - "serviceusage.googleapis.com", - "storage.googleapis.com", - "cloudbuild.googleapis.com", - "secretmanager.googleapis.com", - "sourcerepo.googleapis.com", - ] - # Metadata - project_suffix = "artifacts" - application_name = "app-infra-artifacts" - billing_code = var.billing_code - primary_contact = var.primary_contact - secondary_contact = var.secondary_contact - business_code = var.business_code -} - -resource "google_kms_crypto_key_iam_member" "ml_key" { - for_each = module.app_infra_artifacts_project.kms_keys - crypto_key_id = each.value.id - role = "roles/cloudkms.admin" - member = 
"serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-artifact-publish"]}" -} - -resource "google_project_iam_member" "artifact_tf_sa_roles" { - for_each = toset(local.artifact_tf_sa_roles) - project = module.app_infra_artifacts_project.project_id - role = each.key - member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-artifact-publish"]}" -} - -// Add Service Agent for Cloud Build -resource "google_project_iam_member" "artifact_cloudbuild_agent" { - project = module.app_infra_artifacts_project.project_id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${module.app_infra_artifacts_project.project_number}@cloudbuild.gserviceaccount.com" -} - -// Add Repository for Artifact repo -resource "google_sourcerepo_repository" "artifact_repo" { - project = module.app_infra_artifacts_project.project_id - name = var.cloud_source_artifacts_repo_name -} diff --git a/4-projects/modules/ml_infra_projects/example_service_catalog.tf b/4-projects/modules/ml_infra_projects/example_service_catalog.tf deleted file mode 100644 index 7f1f45c9..00000000 --- a/4-projects/modules/ml_infra_projects/example_service_catalog.tf +++ /dev/null 
@@ -1,121 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - service_catalog_tf_sa_roles = [ - "roles/cloudbuild.builds.editor", - "roles/iam.serviceAccountAdmin", - "roles/cloudbuild.connectionAdmin", - "roles/secretmanager.admin", - "roles/storage.admin", - "roles/source.admin", - ] -} - -module "app_service_catalog_project" { - source = "../ml_single_project" - - org_id = var.org_id - billing_account = var.billing_account - folder_id = var.folder_id - environment = var.environment - project_budget = var.project_budget - project_prefix = var.project_prefix - key_rings = var.key_rings - remote_state_bucket = var.remote_state_bucket - activate_apis = [ - "logging.googleapis.com", - "storage.googleapis.com", - "serviceusage.googleapis.com", - "secretmanager.googleapis.com", - "cloudbuild.googleapis.com", - "cloudresourcemanager.googleapis.com", - "sourcerepo.googleapis.com", - ] - # Metadata - project_suffix = "service-catalog" - application_name = "app-infra-ml" - billing_code = var.billing_code - primary_contact = var.primary_contact - secondary_contact = var.secondary_contact - business_code = var.business_code -} - -resource "google_kms_crypto_key_iam_member" "sc_key" { - for_each = module.app_service_catalog_project.kms_keys - crypto_key_id = each.value.id - role = "roles/cloudkms.admin" - member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" -} - 
-// Grab Service Agent for Secret Manager -resource "google_project_service_identity" "secretmanager_agent" { - provider = google-beta - project = module.app_service_catalog_project.project_id - service = "secretmanager.googleapis.com" -} - -// Add Secret Manager Service Agent to key with encrypt/decrypt permissions -resource "google_kms_crypto_key_iam_member" "secretmanager_agent" { - for_each = module.app_service_catalog_project.kms_keys - crypto_key_id = each.value.id - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - member = "serviceAccount:${google_project_service_identity.secretmanager_agent.email}" -} - -// Grab Service Agent for Storage -resource "google_project_service_identity" "storage" { - provider = google-beta - project = module.app_service_catalog_project.project_id - service = "storage.googleapis.com" -} -// Add Service Agent for Storage -resource "google_kms_crypto_key_iam_member" "storage_agent" { - for_each = module.app_service_catalog_project.kms_keys - crypto_key_id = each.value.id - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - member = "serviceAccount:service-${module.app_service_catalog_project.project_number}@gs-project-accounts.iam.gserviceaccount.com" - - depends_on = [google_project_service_identity.storage] -} - -// Add infra pipeline SA encrypt/decrypt permissions -resource "google_kms_crypto_key_iam_member" "storage-kms-key-binding" { - for_each = module.app_service_catalog_project.kms_keys - crypto_key_id = each.value.id - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" -} - -resource "google_project_iam_member" "service_catalog_tf_sa_roles" { - for_each = toset(local.service_catalog_tf_sa_roles) - project = module.app_service_catalog_project.project_id - role = each.key - member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}" -} - -// Add Service Agent for Cloud 
Build -resource "google_project_iam_member" "cloudbuild_agent" { - project = module.app_service_catalog_project.project_id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${module.app_service_catalog_project.project_number}@cloudbuild.gserviceaccount.com" -} - -// Add Service Catalog Source Repository -resource "google_sourcerepo_repository" "service_catalog" { - project = module.app_service_catalog_project.project_id - name = var.cloud_source_service_catalog_repo_name -} From 5c13ce88bc69921c07f0d35ebcb454d73db8da7c Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Thu, 9 May 2024 12:22:42 -0300 Subject: [PATCH 06/35] add sa --- 4-projects/business_unit_3/shared/ml_infra_projects.tf | 2 ++ .../modules/ml_infra_projects/artifacts_project.tf | 4 ++-- .../ml_infra_projects/service_catalog_project.tf | 6 +++--- 4-projects/modules/ml_infra_projects/variables.tf | 10 ++++++++++ 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/4-projects/business_unit_3/shared/ml_infra_projects.tf b/4-projects/business_unit_3/shared/ml_infra_projects.tf index e696300c..72c1f76d 100644 --- a/4-projects/business_unit_3/shared/ml_infra_projects.tf +++ b/4-projects/business_unit_3/shared/ml_infra_projects.tf @@ -29,4 +29,6 @@ module "ml_infra_project" { cloud_source_artifacts_repo_name = var.cloud_source_artifacts_repo_name cloud_source_service_catalog_repo_name = var.cloud_source_service_catalog_repo_name remote_state_bucket = var.remote_state_bucket + artifacts_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"] + service_catalog_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"] } diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf index 0cfe904b..c565f478 100644 --- a/4-projects/modules/ml_infra_projects/artifacts_project.tf 
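Review bot: `module.infra_pipelines[0].terraform_service_accounts[...]` indexes the module unconditionally on both added lines, so if `infra_pipelines` is declared with a `count` that can evaluate to 0 the whole `ml_infra_project` block fails at plan time instead of being skipped. Either guard this module with the same condition, or wrap the lookup as `try(module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"], null)` so the failure surfaces as a missing-variable error that names the input, whichever matches how the rest of this file handles an absent pipeline. The `module "ml_infra_project"` block begins outside the hunk.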
+++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf
@@ -60,14 +60,14 @@ resource "google_kms_crypto_key_iam_member" "ml_key" {
   for_each = module.app_infra_artifacts_project.kms_keys
   crypto_key_id = each.value.id
   role = "roles/cloudkms.admin"
-  member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-artifact-publish"]}"
+  member = "serviceAccount:${var.artifacts_infra_pipeline_sa}"
 }
 
 resource "google_project_iam_member" "artifact_tf_sa_roles" {
   for_each = toset(local.artifact_tf_sa_roles)
   project = module.app_infra_artifacts_project.project_id
   role = each.key
-  member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-artifact-publish"]}"
+  member = "serviceAccount:${var.artifacts_infra_pipeline_sa}"
 }
 
 // Add Service Agent for Cloud Build
diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf
index 7f1f45c9..672e5ed0 100644
--- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf
+++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf
@@ -58,7 +58,7 @@ resource "google_kms_crypto_key_iam_member" "sc_key" {
   for_each = module.app_service_catalog_project.kms_keys
   crypto_key_id = each.value.id
   role = "roles/cloudkms.admin"
-  member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}"
+  member = "serviceAccount:${var.service_catalog_infra_pipeline_sa}"
 }
 
 // Grab Service Agent for Secret Manager
@@ -97,14 +97,14 @@ resource "google_kms_crypto_key_iam_member" "storage-kms-key-binding" {
   for_each = module.app_service_catalog_project.kms_keys
   crypto_key_id = each.value.id
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}"
+  member = "serviceAccount:${var.service_catalog_infra_pipeline_sa}"
 }
 
 resource "google_project_iam_member" "service_catalog_tf_sa_roles" {
   for_each = toset(local.service_catalog_tf_sa_roles)
   project = module.app_service_catalog_project.project_id
   role = each.key
-  member = "serviceAccount:${module.infra_pipelines.terraform_service_accounts["bu3-service-catalog"]}"
+  member = "serviceAccount:${var.service_catalog_infra_pipeline_sa}"
 }
 
 // Add Service Agent for Cloud Build
diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf
index 1feccad5..d0675b43 100644
--- a/4-projects/modules/ml_infra_projects/variables.tf
+++ b/4-projects/modules/ml_infra_projects/variables.tf
@@ -164,3 +164,13 @@ variable "cloud_source_artifacts_repo_name" {
   description = "Name to give the could source repository for Artifacts"
   type = string
 }
+
+variable "artifacts_infra_pipeline_sa" {
+  description = "Artifacts SA to be used by the Infra Pipeline CloudBuild trigger"
+  type = string
+}
+
+variable "service_catalog_infra_pipeline_sa" {
+  description = "Service Catalog SA to be used by the Infra Pipeline CloudBuild trigger"
+  type = string
+}
From 03cc68e05368b8616f19d60208af1ab79e2cab56 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Fri, 10 May 2024 13:47:52 -0300 Subject: [PATCH 07/35] add newline to EOF --- 4-projects/modules/ml_infra_projects/versions.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/4-projects/modules/ml_infra_projects/versions.tf b/4-projects/modules/ml_infra_projects/versions.tf
index a350e2ea..768ad3c2 100644
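Review bot: `artifacts_infra_pipeline_sa` and `service_catalog_infra_pipeline_sa` are constrained only to `string`, yet the artifacts_project.tf and service_catalog_project.tf hunks in this patch interpolate them straight into `member = "serviceAccount:${...}"`, so an empty or non-email value only surfaces as an IAM error at apply time. A `validation` block on each variable, with `condition = can(regex("^[^@\\s]+@[^@\\s]+\\.gserviceaccount\\.com$", var.artifacts_infra_pipeline_sa))` and an error message naming the variable, makes the plan fail first. The descriptions say the SA is "used by the Infra Pipeline CloudBuild trigger", but inside this module it is only the grantee of KMS and project roles; describing it as the service account email that receives those bindings tells the caller what the value is actually used for.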
--- a/4-projects/modules/ml_infra_projects/versions.tf +++ b/4-projects/modules/ml_infra_projects/versions.tf @@ -16,4 +16,5 @@ terraform { required_version = ">= 1.3" -} \ No newline at end of file +} + From b5b1cf10be2d0eb63856ded62e06315d431f4ba6 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Fri, 10 May 2024 14:07:09 -0300 Subject: [PATCH 08/35] add outputs.tf --- 4-projects/business_unit_3/shared/outputs.tf | 12 ++--- .../modules/ml_infra_projects/outputs.tf | 45 +++++++++++++++++++ 2 files changed, 51 insertions(+), 6 deletions(-) create mode 100644 4-projects/modules/ml_infra_projects/outputs.tf diff --git a/4-projects/business_unit_3/shared/outputs.tf b/4-projects/business_unit_3/shared/outputs.tf index f4dfe92d..2d0e696d 100644 --- a/4-projects/business_unit_3/shared/outputs.tf +++ b/4-projects/business_unit_3/shared/outputs.tf 
@@ -65,30 +65,30 @@ output "enable_cloudbuild_deploy" { output "service_catalog_project_id" { description = "Service Catalog Project ID." - value = try(module.app_service_catalog_project[0].project_id, "") + value = module.ml_infra_project.service_catalog_project_id } output "common_artifacts_project_id" { description = "App Infra Artifacts Project ID" - value = try(module.app_infra_artifacts_project[0].project_id, "") + value = module.ml_infra_project.common_artifacts_project_id } output "service_catalog_repo_name" { description = "The name of the Service Catalog repository" - value = google_sourcerepo_repository.service_catalog.name + value = module.ml_infra_project.service_catalog_repo_name } output "service_catalog_repo_id" { description = "ID of the Service Catalog repository" - value = google_sourcerepo_repository.service_catalog.id + value = module.ml_infra_project.service_catalog_repo_id } output "artifacts_repo_name" { description = "The name of the Artifacts repository" - value = google_sourcerepo_repository.artifact_repo.name + value = module.ml_infra_project.artifacts_repo_name } output "artifacts_repo_id" { description = "ID of the Artifacts repository" - value = google_sourcerepo_repository.artifact_repo.id + value = module.ml_infra_project.artifacts_repo_id } diff --git a/4-projects/modules/ml_infra_projects/outputs.tf b/4-projects/modules/ml_infra_projects/outputs.tf new file mode 100644 index 00000000..ce0fabef --- /dev/null +++ b/4-projects/modules/ml_infra_projects/outputs.tf 
@@ -0,0 +1,45 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "service_catalog_project_id" { + description = "Service Catalog Project ID." + value = try(module.app_service_catalog_project.project_id, "") +} + +output "common_artifacts_project_id" { + description = "App Infra Artifacts Project ID" + value = try(module.app_infra_artifacts_project.project_id, "") +} + +output "service_catalog_repo_name" { + description = "The name of the Service Catalog repository" + value = google_sourcerepo_repository.service_catalog.name +} + +output "service_catalog_repo_id" { + description = "ID of the Service Catalog repository" + value = google_sourcerepo_repository.service_catalog.id +} + +output "artifacts_repo_name" { + description = "The name of the Artifacts repository" + value = google_sourcerepo_repository.artifact_repo.name +} + +output "artifacts_repo_id" { + description = "ID of the Artifacts repository" + value = google_sourcerepo_repository.artifact_repo.id +} From a3bab225ef91ce16f495cd42fcf91ba8e77f0c1e Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Mon, 13 May 2024 16:58:31 -0300 Subject: [PATCH 09/35] remove remote.tff from inside module --- .../modules/ml_single_project/remote.tf | 29 ------------------- 1 file changed, 29 deletions(-) delete mode 100644 4-projects/modules/ml_single_project/remote.tf 
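Review bot: `try(module.app_service_catalog_project.project_id, "")` and the matching `common_artifacts_project_id` wrap module outputs that, in the hunks that created those modules, carry no `count` or `for_each`, so the fallback never fires and would otherwise hide a broken reference behind an empty string that downstream stages then use as a project id. `value = module.app_service_catalog_project.project_id` (and likewise for the artifacts project) lets such a reference fail loudly; the shared outputs.tf hunk in this same patch already dropped its `try` wrappers when it switched to these module outputs.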
diff --git a/4-projects/modules/ml_single_project/remote.tf b/4-projects/modules/ml_single_project/remote.tf deleted file mode 100644 index 1b2d3c5e..00000000 --- a/4-projects/modules/ml_single_project/remote.tf +++ /dev/null @@ -1,29 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - environment_kms_project_id = try(data.terraform_remote_state.environments_env.outputs.env_kms_project_id, "") -} - -data "terraform_remote_state" "environments_env" { - backend = "gcs" - - config = { - bucket = var.remote_state_bucket - prefix = "terraform/environments/${var.environment}" - } -} - From ca7c7d26dcde2f86b13d4db4aa1de2406d7b5104 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Mon, 13 May 2024 17:14:50 -0300 Subject: [PATCH 10/35] chore(format): terraform fmt on dns module --- 3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf b/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf index 75e98ebe..fbcc610c 100644 --- a/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf +++ b/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf 
@@ -35,8 +35,8 @@ locals { ***********************************************/ module "notebooks" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" project_id = var.project_id type = "private" @@ -91,8 +91,8 @@ module "notebooks-googleusercontent" { } module "kernels-googleusercontent" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" project_id = var.project_id type = "private" From 8676a28bcf5f37c2c004935a1f42b23291d34147 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Tue, 14 May 2024 08:56:40 -0300 Subject: [PATCH 11/35] add env kms project id as variable --- .../business_unit_3/shared/ml_infra_projects.tf | 1 + .../modules/ml_infra_projects/artifacts_project.tf | 13 +++++++------ .../ml_infra_projects/service_catalog_project.tf | 13 +++++++------ 4-projects/modules/ml_infra_projects/variables.tf | 5 +++++ 4-projects/modules/ml_single_project/main.tf | 2 +- 4-projects/modules/ml_single_project/variables.tf | 5 +++++ 6 files changed, 26 insertions(+), 13 deletions(-) diff --git a/4-projects/business_unit_3/shared/ml_infra_projects.tf b/4-projects/business_unit_3/shared/ml_infra_projects.tf index 72c1f76d..94e8a655 100644 --- a/4-projects/business_unit_3/shared/ml_infra_projects.tf +++ b/4-projects/business_unit_3/shared/ml_infra_projects.tf @@ -31,4 +31,5 @@ module "ml_infra_project" { remote_state_bucket = var.remote_state_bucket artifacts_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"] service_catalog_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"] + environment_kms_project_id = "" } diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf index c565f478..eb29db3a 100644 
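Review bot: `environment_kms_project_id = ""` passes an empty project id with nothing on the line saying why that is acceptable. Judging from the ml_single_project/main.tf hunk later in this patch, the only consumer is `kms_viewer`, whose `for_each` is empty when `environment` is `"common"`, so presumably the value is never read for this shared deployment; a comment such as `# Unused here: kms_viewer bindings are only created when environment != "common"` makes that coupling explicit, and a `default = ""` on the new variable in ml_infra_projects/variables.tf would spare callers the placeholder entirely. The `module "ml_infra_project"` block begins outside the hunk.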
--- a/4-projects/modules/ml_infra_projects/artifacts_project.tf +++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf @@ -48,12 +48,13 @@ module "app_infra_artifacts_project" { "sourcerepo.googleapis.com", ] # Metadata - project_suffix = "artifacts" - application_name = "app-infra-artifacts" - billing_code = var.billing_code - primary_contact = var.primary_contact - secondary_contact = var.secondary_contact - business_code = var.business_code + project_suffix = "artifacts" + application_name = "app-infra-artifacts" + billing_code = var.billing_code + primary_contact = var.primary_contact + secondary_contact = var.secondary_contact + business_code = var.business_code + environment_kms_project_id = var.environment_kms_project_id } resource "google_kms_crypto_key_iam_member" "ml_key" { diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf index 672e5ed0..8867f093 100644 --- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf +++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf @@ -46,12 +46,13 @@ module "app_service_catalog_project" { "sourcerepo.googleapis.com", ] # Metadata - project_suffix = "service-catalog" - application_name = "app-infra-ml" - billing_code = var.billing_code - primary_contact = var.primary_contact - secondary_contact = var.secondary_contact - business_code = var.business_code + project_suffix = "service-catalog" + application_name = "app-infra-ml" + billing_code = var.billing_code + primary_contact = var.primary_contact + secondary_contact = var.secondary_contact + business_code = var.business_code + environment_kms_project_id = var.environment_kms_project_id } resource "google_kms_crypto_key_iam_member" "sc_key" { diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf index d0675b43..5984c23e 100644 --- a/4-projects/modules/ml_infra_projects/variables.tf 
+++ b/4-projects/modules/ml_infra_projects/variables.tf @@ -174,3 +174,8 @@ variable "service_catalog_infra_pipeline_sa" { description = "Service Catalog SA to be used by the Infra Pipeline CloudBuild trigger" type = string } + +variable "environment_kms_project_id" { + description = "Environment level KMS Project ID." + type = string +} diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf index e493ef2a..ec922cc3 100644 --- a/4-projects/modules/ml_single_project/main.tf +++ b/4-projects/modules/ml_single_project/main.tf @@ -136,7 +136,7 @@ resource "google_kms_crypto_key" "kms_keys" { // Add crypto key viewer role to kms environment project resource "google_project_iam_member" "kms_viewer" { for_each = var.environment != "common" ? toset(local.pipeline_kms_sas) : toset([]) - project = local.environment_kms_project_id + project = var.environment_kms_project_id role = "roles/cloudkms.viewer" member = "serviceAccount:${each.key}" } diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf index 751bba9d..a6442459 100644 --- a/4-projects/modules/ml_single_project/variables.tf +++ b/4-projects/modules/ml_single_project/variables.tf @@ -167,6 +167,11 @@ variable "remote_state_bucket" { variable "default_service_account" { description = "Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`." + type = string default = "disable" +} + +variable "environment_kms_project_id" { + description = "Environment level KMS Project ID." type = string } From 0d4f6921ab71f38ff9fd560eb41d1cbdc5578ddd Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Tue, 14 May 2024 09:09:17 -0300 Subject: [PATCH 12/35] generate docs --- 4-projects/modules/ml_single_project/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/4-projects/modules/ml_single_project/README.md b/4-projects/modules/ml_single_project/README.md index 56ed4c95..9b86870c 100644 
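Review bot: the ml_single_project/variables.tf hunk adds `type = string` to `default_service_account` but leaves its description and default at odds: the description lists `delete`, `depriviledge` and `keep`, while the default is `"disable"`, which is not in that list, and `depriviledge` looks like a misspelling of `deprivilege`. If the underlying project module accepts `disable` and `deprivilege`, the description should read "can be one of delete, deprivilege, disable, or keep" so it documents the real contract; the README hunk in the next patch copies the same text and needs the same correction. Separately, `environment_kms_project_id` is introduced as a required variable although, per the main.tf hunk above, `kms_viewer` only reads it when `environment != "common"`; either `default = ""` or a sentence in the description saying it may be empty for the common environment would avoid callers passing a placeholder.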
--- a/4-projects/modules/ml_single_project/README.md +++ b/4-projects/modules/ml_single_project/README.md @@ -12,6 +12,7 @@ | default\_service\_account | Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`. | `string` | `"disable"` | no | | enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build | `bool` | `false` | no | | environment | The environment the single project belongs to | `string` | n/a | yes | +| environment\_kms\_project\_id | Environment level KMS Project ID. | `string` | n/a | yes | | folder\_id | The folder id where project will be created | `string` | n/a | yes | | key\_rings | Keyrings to attach project key to | `list(string)` | n/a | yes | | key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | From 38069e26fd9fc380469dd86301fb935b3bb9555f Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Tue, 14 May 2024 09:24:06 -0300 Subject: [PATCH 13/35] Revert "Merge branch 'format/fmt-dns-module' into refactor/ml-infra-projects" This reverts commit be0ba50b372727917e4f98586d169353622a1cae, reversing changes made to 0d4f6921ab71f38ff9fd560eb41d1cbdc5578ddd. --- 3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf b/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf index fbcc610c..75e98ebe 100644 --- a/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf +++ b/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf @@ -35,8 +35,8 @@ locals { ***********************************************/ module "notebooks" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" project_id = var.project_id type = "private" 
@@ -91,8 +91,8 @@ module "notebooks-googleusercontent" { } module "kernels-googleusercontent" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" project_id = var.project_id type = "private" From b6c863cb45d6db3d9b80a711ffa1baa9403e4d7b Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Tue, 14 May 2024 09:59:02 -0300 Subject: [PATCH 14/35] update to 2024 --- 4-projects/modules/ml_infra_projects/artifacts_project.tf | 2 +- 4-projects/modules/ml_infra_projects/service_catalog_project.tf | 2 +- 4-projects/modules/ml_single_project/main.tf | 2 +- 4-projects/modules/ml_single_project/outputs.tf | 2 +- 4-projects/modules/ml_single_project/versions.tf | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf index eb29db3a..974140e6 100644 --- a/4-projects/modules/ml_infra_projects/artifacts_project.tf +++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf @@ -1,5 +1,5 @@ /** - * Copyright 2021 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf index 8867f093..01177415 100644 --- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf +++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf @@ -1,5 +1,5 @@ /** - * Copyright 2021 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf index ec922cc3..79666b69 100644 
--- a/4-projects/modules/ml_single_project/main.tf +++ b/4-projects/modules/ml_single_project/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2021 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf index cafb196b..d1f3c130 100644 --- a/4-projects/modules/ml_single_project/outputs.tf +++ b/4-projects/modules/ml_single_project/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2021 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/4-projects/modules/ml_single_project/versions.tf b/4-projects/modules/ml_single_project/versions.tf index 77897329..849027e7 100644 --- a/4-projects/modules/ml_single_project/versions.tf +++ b/4-projects/modules/ml_single_project/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2021-2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. From 56eceb0fd1369d48284b1a245726fedd7f6a60e5 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 08:17:32 -0300 Subject: [PATCH 15/35] add title and description to ml single project --- 4-projects/modules/ml_single_project/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/4-projects/modules/ml_single_project/README.md b/4-projects/modules/ml_single_project/README.md index 9b86870c..29cb2ca1 100644 --- a/4-projects/modules/ml_single_project/README.md +++ b/4-projects/modules/ml_single_project/README.md 
@@ -1,3 +1,7 @@ +# Machine Learning Single Project + +Create and manage a Google Cloud project with various configurations and roles required for application infrastructure and pipeline service accounts. It includes the setup of IAM roles, VPC networking, KMS keys, and budget alerts. The module leverages the terraform-google-modules/project-factory/google module for project creation and management. + ## Inputs From 2902891ed14a3be9cbe7a05696e8d860ff154303 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 08:27:53 -0300 Subject: [PATCH 16/35] add project_name as variable on ml_single_project --- 3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf | 8 ++++---- 4-projects/modules/ml_infra_projects/artifacts_project.tf | 4 +++- .../modules/ml_infra_projects/service_catalog_project.tf | 4 +++- 4-projects/modules/ml_single_project/README.md | 1 + 4-projects/modules/ml_single_project/main.tf | 2 +- 4-projects/modules/ml_single_project/variables.tf | 5 +++++ 6 files changed, 17 insertions(+), 7 deletions(-) diff --git a/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf b/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf index 75e98ebe..fbcc610c 100644 --- a/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf +++ b/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf @@ -35,8 +35,8 @@ locals { ***********************************************/ module "notebooks" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" project_id = var.project_id type = "private" @@ -91,8 +91,8 @@ module "notebooks-googleusercontent" { } module "kernels-googleusercontent" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" project_id = var.project_id type = "private" 
diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf index 974140e6..29763a6b 100644 --- a/4-projects/modules/ml_infra_projects/artifacts_project.tf +++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf @@ -15,6 +15,7 @@ */ locals { + artifacts_project_suffix = "artifacts" artifact_tf_sa_roles = [ "roles/artifactregistry.admin", "roles/cloudbuild.builds.editor", @@ -48,13 +49,14 @@ module "app_infra_artifacts_project" { "sourcerepo.googleapis.com", ] # Metadata - project_suffix = "artifacts" + project_suffix = local.artifacts_project_suffix application_name = "app-infra-artifacts" billing_code = var.billing_code primary_contact = var.primary_contact secondary_contact = var.secondary_contact business_code = var.business_code environment_kms_project_id = var.environment_kms_project_id + project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.artifacts_project_suffix}" } resource "google_kms_crypto_key_iam_member" "ml_key" { diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf index 01177415..e8fc2d07 100644 --- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf +++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf @@ -15,6 +15,7 @@ */ locals { + service_catalog_project_suffix = "service-catalog" service_catalog_tf_sa_roles = [ "roles/cloudbuild.builds.editor", "roles/iam.serviceAccountAdmin", 
@@ -46,13 +47,14 @@ module "app_service_catalog_project" { "sourcerepo.googleapis.com", ] # Metadata - project_suffix = "service-catalog" + project_suffix = local.service_catalog_project_suffix application_name = "app-infra-ml" billing_code = var.billing_code primary_contact = var.primary_contact secondary_contact = var.secondary_contact business_code = var.business_code environment_kms_project_id = var.environment_kms_project_id + project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.service_catalog_project_suffix}" } resource "google_kms_crypto_key_iam_member" "sc_key" { diff --git a/4-projects/modules/ml_single_project/README.md b/4-projects/modules/ml_single_project/README.md index 29cb2ca1..8078fea7 100644 --- a/4-projects/modules/ml_single_project/README.md +++ b/4-projects/modules/ml_single_project/README.md @@ -23,6 +23,7 @@ Create and manage a Google Cloud project with various configurations and roles r | org\_id | The organization id for the associated services | `string` | n/a | yes | | primary\_contact | The primary email contact for the project | `string` | n/a | yes | | project\_budget | Budget configuration.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
budget_amount = optional(number, 1000)
alert_spent_percents = optional(list(number), [1.2])
alert_pubsub_topic = optional(string, null)
alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | +| project\_name | Project Name. | `string` | n/a | yes | | project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no | | project\_suffix | The name of the GCP project. Max 16 characters with 3 character business unit code. | `string` | n/a | yes | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf index 79666b69..43a7de9f 100644 --- a/4-projects/modules/ml_single_project/main.tf +++ b/4-projects/modules/ml_single_project/main.tf @@ -57,7 +57,7 @@ module "project" { random_project_id = true random_project_id_length = 4 activate_apis = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"])) - name = "${var.project_prefix}-${local.env_code}-${var.business_code}${var.project_suffix}" + name = var.project_name org_id = var.org_id billing_account = var.billing_account folder_id = var.folder_id diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf index a6442459..05a99cd0 100644 --- a/4-projects/modules/ml_single_project/variables.tf +++ b/4-projects/modules/ml_single_project/variables.tf @@ -175,3 +175,8 @@ variable "environment_kms_project_id" { description = "Environment level KMS Project ID." type = string } + +variable "project_name" { + description = "Project Name." + type = string +} From 3742d5bedbe999d5e4be04f11669c3dfa9c7c796 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 08:30:00 -0300 Subject: [PATCH 17/35] add missing locals.tf --- 4-projects/modules/ml_infra_projects/locals.tf | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 4-projects/modules/ml_infra_projects/locals.tf diff --git a/4-projects/modules/ml_infra_projects/locals.tf b/4-projects/modules/ml_infra_projects/locals.tf new file mode 100644 index 00000000..95f2f96f --- /dev/null 
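Review bot: `project_name` becomes a required input of ml_single_project with no default (variables.tf hunk), yet this patch only updates the two ml_infra_projects callers; the other callers seen earlier in this series, `modules/composer_env/main.tf` and `modules/ml_env/example_vertex.tf`, would fail `terraform validate` unless a later patch adds the argument. At the same time `project_suffix` stays required and is still described as `The name of the GCP project. Max 16 characters with 3 character business unit code.` although main.tf now takes the name from `var.project_name`; if nothing else in the module reads `var.project_suffix`, drop it or give it a default, otherwise reword the description so it no longer claims to be the project name. The artifacts_project.tf and service_catalog_project.tf hunks now each build `${var.project_prefix}-${local.env_code}-${var.business_code}${suffix}` themselves, so the naming rule that used to live in one place is duplicated; a single local holding the `prefix-env-business` stem would keep it in one spot.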
+++ b/4-projects/modules/ml_infra_projects/locals.tf @@ -0,0 +1,3 @@ +locals { + env_code = element(split("", var.environment), 0) +} \ No newline at end of file From 5e426468397bfea44c4522a372e7ae90cc4de014 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 09:10:35 -0300 Subject: [PATCH 18/35] feat: parametrize prevent_destroy for project key --- 4-projects/business_unit_3/shared/README.md | 1 + .../shared/ml_infra_projects.tf | 1 + .../business_unit_3/shared/variables.tf | 6 +++ .../ml_infra_projects/artifacts_project.tf | 1 + .../modules/ml_infra_projects/locals.tf | 18 +++++++- .../service_catalog_project.tf | 1 + .../modules/ml_infra_projects/variables.tf | 5 +++ 4-projects/modules/ml_kms_key/main.tf | 43 +++++++++++++++++++ 4-projects/modules/ml_kms_key/outputs.tf | 20 +++++++++ 4-projects/modules/ml_kms_key/variables.tf | 36 ++++++++++++++++ 4-projects/modules/ml_kms_key/versions.tf | 19 ++++++++ .../modules/ml_single_project/README.md | 3 +- 4-projects/modules/ml_single_project/main.tf | 14 +++--- .../modules/ml_single_project/outputs.tf | 4 +- .../modules/ml_single_project/variables.tf | 5 +++ 15 files changed, 165 insertions(+), 12 deletions(-) create mode 100644 4-projects/modules/ml_kms_key/main.tf create mode 100644 4-projects/modules/ml_kms_key/outputs.tf create mode 100644 4-projects/modules/ml_kms_key/variables.tf create mode 100644 4-projects/modules/ml_kms_key/versions.tf diff --git a/4-projects/business_unit_3/shared/README.md b/4-projects/business_unit_3/shared/README.md index cfcdd22c..b65cb8a9 100644 --- a/4-projects/business_unit_3/shared/README.md +++ b/4-projects/business_unit_3/shared/README.md 
@@ -11,6 +11,7 @@ | keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no | | location\_gcs | Case-Sensitive Location for GCS Bucket | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring | `string` | `"us"` | no | +| prevent\_destroy | Prevent Project Key destruction. | `bool` | `true` | no | | project\_budget | Budget configuration.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
budget_amount = optional(number, 1000)
alert_spent_percents = optional(list(number), [1.2])
alert_pubsub_topic = optional(string, null)
alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no | diff --git a/4-projects/business_unit_3/shared/ml_infra_projects.tf b/4-projects/business_unit_3/shared/ml_infra_projects.tf index 94e8a655..acc9abea 100644 --- a/4-projects/business_unit_3/shared/ml_infra_projects.tf +++ b/4-projects/business_unit_3/shared/ml_infra_projects.tf @@ -32,4 +32,5 @@ module "ml_infra_project" { artifacts_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"] service_catalog_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"] environment_kms_project_id = "" + prevent_destroy = var.prevent_destroy } diff --git a/4-projects/business_unit_3/shared/variables.tf b/4-projects/business_unit_3/shared/variables.tf index d06456fd..7efc60d6 100644 --- a/4-projects/business_unit_3/shared/variables.tf +++ b/4-projects/business_unit_3/shared/variables.tf @@ -87,3 +87,9 @@ variable "cloud_source_artifacts_repo_name" { description = "Name to give the could source repository for Artifacts" type = string } + +variable "prevent_destroy" { + description = "Prevent Project Key destruction." + type = bool + default = true +} diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf index 29763a6b..5eaac184 100644 --- a/4-projects/modules/ml_infra_projects/artifacts_project.tf +++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf @@ -57,6 +57,7 @@ module "app_infra_artifacts_project" { business_code = var.business_code environment_kms_project_id = var.environment_kms_project_id project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.artifacts_project_suffix}" + prevent_destroy = var.prevent_destroy } resource "google_kms_crypto_key_iam_member" "ml_key" { 
diff --git a/4-projects/modules/ml_infra_projects/locals.tf b/4-projects/modules/ml_infra_projects/locals.tf index 95f2f96f..32210121 100644 --- a/4-projects/modules/ml_infra_projects/locals.tf +++ b/4-projects/modules/ml_infra_projects/locals.tf @@ -1,3 +1,19 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + locals { env_code = element(split("", var.environment), 0) -} \ No newline at end of file +} diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf index e8fc2d07..98794cdc 100644 --- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf +++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf @@ -55,6 +55,7 @@ module "app_service_catalog_project" { business_code = var.business_code environment_kms_project_id = var.environment_kms_project_id project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.service_catalog_project_suffix}" + prevent_destroy = var.prevent_destroy } resource "google_kms_crypto_key_iam_member" "sc_key" { diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf index 5984c23e..1032ea98 100644 --- a/4-projects/modules/ml_infra_projects/variables.tf +++ b/4-projects/modules/ml_infra_projects/variables.tf 
@@ -179,3 +179,8 @@ variable "environment_kms_project_id" {
 description = "Environment level KMS Project ID."
 type = string
 }
+
+variable "prevent_destroy" {
+ description = "Prevent Project Key destruction."
+ type = bool
+}
diff --git a/4-projects/modules/ml_kms_key/main.tf b/4-projects/modules/ml_kms_key/main.tf
new file mode 100644
index 00000000..084303d8
--- /dev/null
+++ b/4-projects/modules/ml_kms_key/main.tf
@@ -0,0 +1,43 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ ephemeral_keys_for_each = var.prevent_destroy ? [] : var.key_rings
+ keys_for_each = var.prevent_destroy ? var.key_rings : []
+ output_keys = var.prevent_destroy ? { for k, v in google_kms_crypto_key.kms_keys : split("/", k)[3] => v } : { for k, v in google_kms_crypto_key.ephemeral_kms_keys : split("/", k)[3] => v }
+}
+
+resource "google_kms_crypto_key" "ephemeral_kms_keys" {
+ for_each = toset(local.ephemeral_keys_for_each)
+
+ name = var.project_name
+ key_ring = each.key
+ rotation_period = var.key_rotation_period
+ lifecycle {
+ prevent_destroy = false
+ }
+}
+
+resource "google_kms_crypto_key" "kms_keys" {
+ for_each = toset(local.keys_for_each)
+
+ name = var.project_name
+ key_ring = each.key
+ rotation_period = var.key_rotation_period
+ lifecycle {
+ prevent_destroy = true
+ }
+}
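Review bot: Switching `var.prevent_destroy` on an existing deployment moves the key between two resource addresses in the ml_kms_key/main.tf hunk rather than changing the lifecycle in place: true→false removes an instance of `google_kms_crypto_key.kms_keys` while its `prevent_destroy = true` is still in effect, so the plan should error, and false→true destroys the `ephemeral_kms_keys` instance (scheduling its versions for destruction, after which anything encrypted under them is unrecoverable) and then tries to create a key with the same `name` in the same ring, which Cloud KMS rejects because crypto key names cannot be reused. A `moved` block cannot express a conditional move, so the practical fix is to state that the flag is decided at creation time, e.g. in the `prevent_destroy` description of the ml_infra_projects/variables.tf hunk: `Whether the project crypto key is protected from destruction. Changing it on an existing project moves the key between resources and needs a manual terraform state mv; it does not update the key in place.`. Separately, `output_keys` keys the map on `split("/", k)[3]`, which for ring names of the form `projects/{p}/locations/{l}/keyRings/{r}` is the location, so two rings in the same location would collide in the output; this is carried over from the old outputs.tf, but keying on the full ring name (or segment `[5]`) would be safer now that the code is being moved anyway.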
diff --git a/4-projects/modules/ml_kms_key/outputs.tf b/4-projects/modules/ml_kms_key/outputs.tf
new file mode 100644
index 00000000..b456923a
--- /dev/null
+++ b/4-projects/modules/ml_kms_key/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kms_keys" {
+ description = "Keys created for the project."
+ value = local.output_keys
+}
diff --git a/4-projects/modules/ml_kms_key/variables.tf b/4-projects/modules/ml_kms_key/variables.tf
new file mode 100644
index 00000000..c17ee08e
--- /dev/null
+++ b/4-projects/modules/ml_kms_key/variables.tf
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_rings" {
+ description = "Keyrings to attach project key to."
+ type = list(string)
+}
+
+variable "project_name" {
+ description = "Project Name."
+ type = string
+}
+
+variable "key_rotation_period" {
+ description = "Rotation period in seconds to be used for KMS Key."
+ type = string
+ default = "7776000s"
+}
+
+variable "prevent_destroy" {
+ description = "Prevent Key destruction."
+ type = bool
+}
diff --git a/4-projects/modules/ml_kms_key/versions.tf b/4-projects/modules/ml_kms_key/versions.tf
new file mode 100644
index 00000000..2ff08fd4
--- /dev/null
+++ b/4-projects/modules/ml_kms_key/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 1.3"
+}
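Review bot: ml_kms_key/versions.tf declares only `required_version = ">= 1.3"` and no `required_providers`, so the `google` provider used by ml_kms_key/main.tf is resolved implicitly as `hashicorp/google` with no version constraint; pinning it here keeps the module from drifting from whatever constraint the parent module uses (ml_single_project/versions.tf is not in this chunk, so the exact constraint to copy is unknown to me). The `project_name` input in the variables.tf hunk is documented as `Project Name.`, although the module uses it as the crypto key name, which is what a reader of this module needs to know; `Project name; also used as the name of the crypto key created in each key ring.` says what it does.

```terraform
terraform {
  required_version = ">= 1.3"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "<PLACEHOLDER: same constraint as ml_single_project/versions.tf>"
    }
  }
}
```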
diff --git a/4-projects/modules/ml_single_project/README.md b/4-projects/modules/ml_single_project/README.md index 8078fea7..534068a4 100644 --- a/4-projects/modules/ml_single_project/README.md +++ b/4-projects/modules/ml_single_project/README.md @@ -21,6 +21,7 @@ Create and manage a Google Cloud project with various configurations and roles r | key\_rings | Keyrings to attach project key to | `list(string)` | n/a | yes | | key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | | org\_id | The organization id for the associated services | `string` | n/a | yes | +| prevent\_destroy | Prevent Key destruction. | `bool` | n/a | yes | | primary\_contact | The primary email contact for the project | `string` | n/a | yes | | project\_budget | Budget configuration.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
budget_amount = optional(number, 1000)
alert_spent_percents = optional(list(number), [1.2])
alert_pubsub_topic = optional(string, null)
alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | | project\_name | Project Name. | `string` | n/a | yes | @@ -41,7 +42,7 @@ Create and manage a Google Cloud project with various configurations and roles r | Name | Description | |------|-------------| | enabled\_apis | VPC Service Control services. | -| kms\_keys | keys created for the project | +| kms\_keys | Keys created for the project. | | project\_id | Project sample project id. | | project\_name | Name of the Project. | | project\_number | Project sample project number. | diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf index 43a7de9f..ec62740c 100644 --- a/4-projects/modules/ml_single_project/main.tf +++ b/4-projects/modules/ml_single_project/main.tf @@ -123,14 +123,12 @@ resource "google_compute_subnetwork_iam_member" "account_role_to_vpc_subnets" { } // Add key for project -resource "google_kms_crypto_key" "kms_keys" { - for_each = toset(var.key_rings) - name = module.project.project_name - key_ring = each.key - rotation_period = var.key_rotation_period - lifecycle { - prevent_destroy = false - } +module "kms_keys" { + source = "../ml_kms_key" + key_rings = var.key_rings + key_rotation_period = var.key_rotation_period + project_name = module.project.project_name + prevent_destroy = var.prevent_destroy } // Add crypto key viewer role to kms environment project diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf index d1f3c130..84699128 100644 --- a/4-projects/modules/ml_single_project/outputs.tf +++ b/4-projects/modules/ml_single_project/outputs.tf @@ -40,6 +40,6 @@ output "project_name" { } output "kms_keys" { - description = "keys created for the project" - value = { for k, v in google_kms_crypto_key.kms_keys : split("/", k)[3] => v } + description = "Keys created for the project." + value = module.kms_keys.kms_keys } 
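Review bot: Replacing `resource "google_kms_crypto_key" "kms_keys"` with `module "kms_keys"` in the ml_single_project/main.tf hunk changes the resource address, and without a `moved` block an existing deployment would plan to destroy `google_kms_crypto_key.kms_keys` (the removed block had `prevent_destroy = false`, so nothing stops it) and then create `module.kms_keys.google_kms_crypto_key.kms_keys` with the same `name`; destroying a crypto key schedules all of its versions for destruction, so data encrypted under it becomes unrecoverable, and the create step fails anyway because Cloud KMS does not allow reusing a crypto key name within a key ring. A `moved` block keeps the state in place for callers that set `prevent_destroy = true`; since `moved` cannot be conditional, callers that pass `false` would target `ephemeral_kms_keys` and need a documented `terraform state mv` instead. The README hunk also lists `prevent_destroy` as required (`n/a`) while the business-unit root defaults it to `true`; a `default = true` in ml_single_project/variables.tf would make every caller safe by default.

```terraform
// … unchanged: module "kms_keys" block …

// Keep the pre-refactor key in state instead of destroying and re-creating it.
// Only matches callers with prevent_destroy = true; for false the new address is
// module.kms_keys.google_kms_crypto_key.ephemeral_kms_keys and a manual state mv is needed.
moved {
  from = google_kms_crypto_key.kms_keys
  to   = module.kms_keys.google_kms_crypto_key.kms_keys
}
```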
diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf index 05a99cd0..65d23fb9 100644 --- a/4-projects/modules/ml_single_project/variables.tf +++ b/4-projects/modules/ml_single_project/variables.tf @@ -180,3 +180,8 @@ variable "project_name" { description = "Project Name." type = string } + +variable "prevent_destroy" { + description = "Prevent Key destruction." + type = bool +} From 7ffece7b6971c16a8b3d71da29e5f45cbfc0b233 Mon Sep 17 00:00:00 2001 From: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> Date: Wed, 15 May 2024 09:11:18 -0300 Subject: [PATCH 19/35] Update 4-projects/modules/ml_single_project/outputs.tf Co-authored-by: Daniel Andrade --- 4-projects/modules/ml_single_project/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf index 84699128..bd637b77 100644 --- a/4-projects/modules/ml_single_project/outputs.tf +++ b/4-projects/modules/ml_single_project/outputs.tf @@ -15,7 +15,7 @@ */ output "project_id" { - description = "Project sample project id." + description = "Project ID." value = module.project.project_id } From 82f73ebc4f74007bce8b0e1e36fb5ba1d9b5731b Mon Sep 17 00:00:00 2001 From: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> Date: Wed, 15 May 2024 09:11:27 -0300 Subject: [PATCH 20/35] Update 4-projects/modules/ml_single_project/outputs.tf Co-authored-by: Daniel Andrade --- 4-projects/modules/ml_single_project/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf index bd637b77..246728e4 100644 --- a/4-projects/modules/ml_single_project/outputs.tf +++ b/4-projects/modules/ml_single_project/outputs.tf 
@@ -25,7 +25,7 @@ output "sa" { } output "project_number" { - description = "Project sample project number." + description = "Project number." value = module.project.project_number } From 8e861fda3dc24950afa0f13979edd753639ed816 Mon Sep 17 00:00:00 2001 From: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> Date: Wed, 15 May 2024 09:11:36 -0300 Subject: [PATCH 21/35] Update 4-projects/modules/ml_infra_projects/variables.tf Co-authored-by: Daniel Andrade --- 4-projects/modules/ml_infra_projects/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf index 1032ea98..ad3c62e0 100644 --- a/4-projects/modules/ml_infra_projects/variables.tf +++ b/4-projects/modules/ml_infra_projects/variables.tf @@ -15,7 +15,7 @@ */ variable "org_id" { - description = "The organization id for the associated services" + description = "The Organization ID" type = string } From 87cbc5f72f52b2f843742d97de65bf336f2e7c42 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 09:14:05 -0300 Subject: [PATCH 22/35] chore: enabled_apis to locals --- 4-projects/modules/ml_single_project/main.tf | 5 +++-- 4-projects/modules/ml_single_project/outputs.tf | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf index ec62740c..50afa4b1 100644 --- a/4-projects/modules/ml_single_project/main.tf +++ b/4-projects/modules/ml_single_project/main.tf @@ -15,7 +15,8 @@ */ locals { - env_code = element(split("", var.environment), 0) + enabled_apis = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"])) + env_code = element(split("", var.environment), 0) source_repos = setintersection( toset(keys(var.app_infra_pipeline_service_accounts)), toset(keys(var.sa_roles)) 
@@ -56,7 +57,7 @@ module "project" { random_project_id = true random_project_id_length = 4 - activate_apis = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"])) + activate_apis = local.enabled_apis name = var.project_name org_id = var.org_id billing_account = var.billing_account diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf index 84699128..b57a8ec9 100644 --- a/4-projects/modules/ml_single_project/outputs.tf +++ b/4-projects/modules/ml_single_project/outputs.tf @@ -31,7 +31,7 @@ output "project_number" { output "enabled_apis" { description = "VPC Service Control services." - value = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"])) + value = local.enabled_apis } output "project_name" { From 6f819675f64a5d3d885b9496836bd3bc9732efae Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 09:17:01 -0300 Subject: [PATCH 23/35] add space --- 4-projects/modules/ml_single_project/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/4-projects/modules/ml_single_project/README.md b/4-projects/modules/ml_single_project/README.md index 534068a4..2f0da106 100644 --- a/4-projects/modules/ml_single_project/README.md +++ b/4-projects/modules/ml_single_project/README.md @@ -2,6 +2,7 @@ Create and manage a Google Cloud project with various configurations and roles required for application infrastructure and pipeline service accounts. It includes the setup of IAM roles, VPC networking, KMS keys, and budget alerts. The module leverages the terraform-google-modules/project-factory/google module for project creation and management. + ## Inputs From caafacb62424fdbb4a2ae3d891d65aa16ac204e0 Mon Sep 17 00:00:00 2001 
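Review bot: The `enabled_apis` output's description still reads "VPC Service Control services." while its value is `local.enabled_apis`, i.e. the project's activated APIs plus `billingbudgets.googleapis.com` (see the locals hunk in main.tf of this commit). If the list is consumed as a VPC-SC restricted-services input that is worth stating explicitly; otherwise `description = "APIs enabled on the project (activate_apis plus billingbudgets.googleapis.com)."` matches what is actually returned. The same wording appears in the README outputs table.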
From: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> Date: Wed, 15 May 2024 09:18:49 -0300 Subject: [PATCH 24/35] Update 4-projects/modules/ml_single_project/outputs.tf Co-authored-by: Daniel Andrade --- 4-projects/modules/ml_single_project/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf index 00ca2c00..97109f45 100644 --- a/4-projects/modules/ml_single_project/outputs.tf +++ b/4-projects/modules/ml_single_project/outputs.tf @@ -35,7 +35,7 @@ output "enabled_apis" { } output "project_name" { - description = "Name of the Project." + description = "Project Name." value = module.project.project_name } From e6d031b8a5dbe1ef70f4f2d70ede80ab261023e4 Mon Sep 17 00:00:00 2001 From: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> Date: Wed, 15 May 2024 09:18:59 -0300 Subject: [PATCH 25/35] Update 4-projects/modules/ml_single_project/variables.tf Co-authored-by: Daniel Andrade --- 4-projects/modules/ml_single_project/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf index 65d23fb9..ee597b6a 100644 --- a/4-projects/modules/ml_single_project/variables.tf +++ b/4-projects/modules/ml_single_project/variables.tf @@ -15,7 +15,7 @@ */ variable "org_id" { - description = "The organization id for the associated services" + description = "The Organization ID" type = string } From 8d263aedc8ba06ef48f786a52858a2462044f13e Mon Sep 17 00:00:00 2001 From: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> Date: Wed, 15 May 2024 09:19:12 -0300 Subject: [PATCH 26/35] Update 4-projects/modules/ml_single_project/variables.tf Co-authored-by: Daniel Andrade --- 4-projects/modules/ml_single_project/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf index ee597b6a..363cfc77 100644 --- a/4-projects/modules/ml_single_project/variables.tf +++ b/4-projects/modules/ml_single_project/variables.tf @@ -68,7 +68,7 @@ variable "activate_apis" { } variable "environment" { - description = "The environment the single project belongs to" + description = "The environment the project belongs to" type = string } From e6735c1a9954f0f78d21b086b68f7c5cf0414c41 Mon Sep 17 00:00:00 2001 From: Caetano Colin <164910343+caetano-colin@users.noreply.github.com> Date: Wed, 15 May 2024 09:19:26 -0300 Subject: [PATCH 27/35] Update 4-projects/modules/ml_single_project/variables.tf Co-authored-by: Daniel Andrade --- 4-projects/modules/ml_single_project/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf index 363cfc77..0090e595 100644 --- a/4-projects/modules/ml_single_project/variables.tf +++ b/4-projects/modules/ml_single_project/variables.tf @@ -73,7 +73,7 @@ variable "environment" { } variable "vpc_type" { - description = "The type of VPC to attach the project to. Possible options are base or restricted." + description = "The type of VPC to attach the project to. Possible options are `base` or `restricted`." type = string default = "" } From 30e67f7363ddd789d0ce921d775e8b006b4711eb Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 09:21:31 -0300 Subject: [PATCH 28/35] update description --- 4-projects/modules/ml_single_project/README.md | 6 +++--- 4-projects/modules/ml_single_project/variables.tf | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/4-projects/modules/ml_single_project/README.md b/4-projects/modules/ml_single_project/README.md index 2f0da106..b860a72b 100644 --- a/4-projects/modules/ml_single_project/README.md 
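Review bot: `vpc_type` documents `base` or `restricted` as the only options, but the variable carries no `validation`, so a misspelled value is accepted and presumably falls through to whatever the module does for the empty-string default — for an input that decides which shared VPC the project is attached to, failing at plan time is preferable. A validation block that allows the empty default plus the two documented values makes the contract enforced rather than advisory; this requires the module's required Terraform version to support `validation` (versions.tf is not in this hunk).
```terraform
variable "vpc_type" {
  description = "The type of VPC to attach the project to. Possible options are `base` or `restricted`."
  type        = string
  default     = ""

  validation {
    condition     = contains(["", "base", "restricted"], var.vpc_type)
    error_message = "vpc_type must be empty, \"base\" or \"restricted\"."
  }
}
```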
+++ b/4-projects/modules/ml_single_project/README.md @@ -14,7 +14,7 @@ Create and manage a Google Cloud project with various configurations and roles r | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | | billing\_code | The code that's used to provide chargeback information | `string` | n/a | yes | | business\_code | The code that describes which business unit owns the project | `string` | `"abcd"` | no | -| default\_service\_account | Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`. | `string` | `"disable"` | no | +| default\_service\_account | Project default service account setting: can be one of `delete`, `depriviledge`, `keep` or `disable`. | `string` | `"disable"` | no | | enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build | `bool` | `false` | no | | environment | The environment the single project belongs to | `string` | n/a | yes | | environment\_kms\_project\_id | Environment level KMS Project ID. | `string` | n/a | yes | @@ -44,9 +44,9 @@ Create and manage a Google Cloud project with various configurations and roles r |------|-------------| | enabled\_apis | VPC Service Control services. | | kms\_keys | Keys created for the project. | -| project\_id | Project sample project id. | +| project\_id | Project ID. | | project\_name | Name of the Project. | -| project\_number | Project sample project number. | +| project\_number | Project number. | | sa | Project SA email | diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf index 65d23fb9..f3279cee 100644 --- a/4-projects/modules/ml_single_project/variables.tf +++ b/4-projects/modules/ml_single_project/variables.tf 
@@ -166,7 +166,7 @@ variable "remote_state_bucket" { } variable "default_service_account" { - description = "Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`." + description = "Project default service account setting: can be one of `delete`, `depriviledge`, `keep` or `disable`." type = string default = "disable" } From 32ba9acaa75f525ec87c1bfcc939541030c0538b Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 09:29:37 -0300 Subject: [PATCH 29/35] chore: add trailing dots to where missing --- .../modules/ml_infra_projects/outputs.tf | 10 ++--- .../modules/ml_infra_projects/variables.tf | 38 +++++++++--------- .../modules/ml_single_project/README.md | 40 +++++++++---------- .../modules/ml_single_project/outputs.tf | 2 +- .../modules/ml_single_project/variables.tf | 34 ++++++++-------- 5 files changed, 62 insertions(+), 62 deletions(-) diff --git a/4-projects/modules/ml_infra_projects/outputs.tf b/4-projects/modules/ml_infra_projects/outputs.tf index ce0fabef..3b73df7c 100644 --- a/4-projects/modules/ml_infra_projects/outputs.tf +++ b/4-projects/modules/ml_infra_projects/outputs.tf 
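Review bot: The new description spells the option `depriviledge`; the README says this module wraps terraform-google-modules/project-factory, whose `default_service_account` accepts `delete`, `deprivilege`, `disable` and `keep`, so a reader who copies the documented value gets a plan error. Change `depriviledge` to `deprivilege` in the description. The same spelling is carried into the ml_infra_projects variables.tf hunk of "remove default value" and into both README inputs tables.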
@@ -20,26 +20,26 @@ output "service_catalog_project_id" { } output "common_artifacts_project_id" { - description = "App Infra Artifacts Project ID" + description = "App Infra Artifacts Project ID." value = try(module.app_infra_artifacts_project.project_id, "") } output "service_catalog_repo_name" { - description = "The name of the Service Catalog repository" + description = "The name of the Service Catalog repository." value = google_sourcerepo_repository.service_catalog.name } output "service_catalog_repo_id" { - description = "ID of the Service Catalog repository" + description = "ID of the Service Catalog repository." value = google_sourcerepo_repository.service_catalog.id } output "artifacts_repo_name" { - description = "The name of the Artifacts repository" + description = "The name of the Artifacts repository." value = google_sourcerepo_repository.artifact_repo.name } output "artifacts_repo_id" { - description = "ID of the Artifacts repository" + description = "ID of the Artifacts repository." value = google_sourcerepo_repository.artifact_repo.id } diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf index ad3c62e0..07b4e176 100644 --- a/4-projects/modules/ml_infra_projects/variables.tf +++ b/4-projects/modules/ml_infra_projects/variables.tf 
@@ -15,22 +15,22 @@ */ variable "org_id" { - description = "The Organization ID" + description = "The Organization ID." type = string } variable "billing_account" { - description = "The ID of the billing account to associated this project with" + description = "The ID of the billing account to associated this project with." type = string } variable "folder_id" { - description = "The folder id where project will be created" + description = "The folder id where project will be created." type = string } variable "environment" { - description = "The environment the single project belongs to" + description = "The environment the single project belongs to." type = string } @@ -58,7 +58,7 @@ variable "project_prefix" { } variable "key_rings" { - description = "Keyrings to attach project key to" + description = "Keyrings to attach project key to." type = list(string) } @@ -68,23 +68,23 @@ variable "remote_state_bucket" { } variable "business_code" { - description = "The code that describes which business unit owns the project" + description = "The code that describes which business unit owns the project." type = string default = "abcd" } variable "billing_code" { - description = "The code that's used to provide chargeback information" + description = "The code that's used to provide chargeback information." type = string } variable "primary_contact" { - description = "The primary email contact for the project" + description = "The primary email contact for the project." type = string } variable "secondary_contact" { - description = "The secondary email contact for the project" + description = "The secondary email contact for the project." type = string default = "" } @@ -96,7 +96,7 @@ variable "vpc_type" { } variable "shared_vpc_host_project_id" { - description = "Shared VPC host project ID" + description = "Shared VPC host project ID." type = string default = "" } 
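Review bot: The `billing_account` description in this hunk keeps the grammatical slip "to associated this project with" while only the trailing dot was added; suggest `description = "The ID of the billing account to associate this project with."`. The same sentence is in the ml_single_project variables.tf hunk of this commit and in the README inputs table.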
@@ -108,19 +108,19 @@ variable "shared_vpc_subnets" { } variable "vpc_service_control_attach_enabled" { - description = "Whether the project will be attached to a VPC Service Control Perimeter" + description = "Whether the project will be attached to a VPC Service Control Perimeter." type = bool default = false } variable "vpc_service_control_perimeter_name" { - description = "The name of a VPC Service Control Perimeter to add the created project to" + description = "The name of a VPC Service Control Perimeter to add the created project to." type = string default = null } variable "vpc_service_control_sleep_duration" { - description = "The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter" + description = "The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter." type = string default = "5s" } @@ -138,13 +138,13 @@ variable "sa_roles" { } variable "enable_cloudbuild_deploy" { - description = "Enable infra deployment using Cloud Build" + description = "Enable infra deployment using Cloud Build." type = bool default = false } variable "key_rotation_period" { - description = "Rotation period in seconds to be used for KMS Key" + description = "Rotation period in seconds to be used for KMS Key." type = string default = "7776000s" } 
@@ -156,22 +156,22 @@ variable "default_service_account" { } variable "cloud_source_service_catalog_repo_name" { - description = "Name to give the cloud source repository for Service Catalog" + description = "Name to give the cloud source repository for Service Catalog." type = string } variable "cloud_source_artifacts_repo_name" { - description = "Name to give the could source repository for Artifacts" + description = "Name to give the could source repository for Artifacts." type = string } variable "artifacts_infra_pipeline_sa" { - description = "Artifacts SA to be used by the Infra Pipeline CloudBuild trigger" + description = "Artifacts SA to be used by the Infra Pipeline CloudBuild trigger." type = string } variable "service_catalog_infra_pipeline_sa" { - description = "Service Catalog SA to be used by the Infra Pipeline CloudBuild trigger" + description = "Service Catalog SA to be used by the Infra Pipeline CloudBuild trigger." type = string } diff --git a/4-projects/modules/ml_single_project/README.md b/4-projects/modules/ml_single_project/README.md index b860a72b..8165effa 100644 --- a/4-projects/modules/ml_single_project/README.md +++ b/4-projects/modules/ml_single_project/README.md 
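Review bot: `cloud_source_artifacts_repo_name`'s description reads "could source repository", a typo for "cloud" that survived the trailing-dot pass; suggest `description = "Name to give the cloud source repository for Artifacts."`. The sibling `cloud_source_service_catalog_repo_name` description in the same hunk already uses the correct word.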
@@ -8,35 +8,35 @@ Create and manage a Google Cloud project with various configurations and roles r | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| activate\_apis | The api to activate for the GCP project | `list(string)` | `[]` | no | +| activate\_apis | The api to activate for the GCP project. | `list(string)` | `[]` | no | | app\_infra\_pipeline\_service\_accounts | The Service Accounts from App Infra Pipeline. | `map(string)` | `{}` | no | -| application\_name | The name of application where GCP resources relate | `string` | n/a | yes | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| billing\_code | The code that's used to provide chargeback information | `string` | n/a | yes | -| business\_code | The code that describes which business unit owns the project | `string` | `"abcd"` | no | +| application\_name | The name of application where GCP resources relate. | `string` | n/a | yes | +| billing\_account | The ID of the billing account to associated this project with. | `string` | n/a | yes | +| billing\_code | The code that's used to provide chargeback information. | `string` | n/a | yes | +| business\_code | The code that describes which business unit owns the project. | `string` | `"abcd"` | no | | default\_service\_account | Project default service account setting: can be one of `delete`, `depriviledge`, `keep` or `disable`. | `string` | `"disable"` | no | -| enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build | `bool` | `false` | no | -| environment | The environment the single project belongs to | `string` | n/a | yes | +| enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build. | `bool` | `false` | no | +| environment | The environment the project belongs to. | `string` | n/a | yes | | environment\_kms\_project\_id | Environment level KMS Project ID. 
| `string` | n/a | yes | -| folder\_id | The folder id where project will be created | `string` | n/a | yes | -| key\_rings | Keyrings to attach project key to | `list(string)` | n/a | yes | -| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | +| folder\_id | The folder id where project will be created. | `string` | n/a | yes | +| key\_rings | Keyrings to attach project key to. | `list(string)` | n/a | yes | +| key\_rotation\_period | Rotation period in seconds to be used for KMS Key. | `string` | `"7776000s"` | no | +| org\_id | The Organization ID. | `string` | n/a | yes | | prevent\_destroy | Prevent Key destruction. | `bool` | n/a | yes | -| primary\_contact | The primary email contact for the project | `string` | n/a | yes | +| primary\_contact | The primary email contact for the project. | `string` | n/a | yes | | project\_budget | Budget configuration.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
budget_amount = optional(number, 1000)
alert_spent_percents = optional(list(number), [1.2])
alert_pubsub_topic = optional(string, null)
alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | | project\_name | Project Name. | `string` | n/a | yes | | project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no | | project\_suffix | The name of the GCP project. Max 16 characters with 3 character business unit code. | `string` | n/a | yes | | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes | | sa\_roles | A list of roles to give the Service Account from App Infra Pipeline. | `map(list(string))` | `{}` | no | -| secondary\_contact | The secondary email contact for the project | `string` | `""` | no | -| shared\_vpc\_host\_project\_id | Shared VPC host project ID | `string` | `""` | no | +| secondary\_contact | The secondary email contact for the project. | `string` | `""` | no | +| shared\_vpc\_host\_project\_id | Shared VPC host project ID. | `string` | `""` | no | | shared\_vpc\_subnets | List of the shared vpc subnets self links. | `list(string)` | `[]` | no | -| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no | -| vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no | -| vpc\_service\_control\_sleep\_duration | The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter | `string` | `"5s"` | no | -| vpc\_type | The type of VPC to attach the project to. Possible options are base or restricted. | `string` | `""` | no | +| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter. | `bool` | `false` | no | +| vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to. 
| `string` | `null` | no | +| vpc\_service\_control\_sleep\_duration | The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. | `string` | `"5s"` | no | +| vpc\_type | The type of VPC to attach the project to. Possible options are `base` or `restricted`. | `string` | `""` | no | ## Outputs @@ -45,8 +45,8 @@ Create and manage a Google Cloud project with various configurations and roles r | enabled\_apis | VPC Service Control services. | | kms\_keys | Keys created for the project. | | project\_id | Project ID. | -| project\_name | Name of the Project. | +| project\_name | Project Name. | | project\_number | Project number. | -| sa | Project SA email | +| sa | Project SA email. | diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf index 97109f45..b4aba602 100644 --- a/4-projects/modules/ml_single_project/outputs.tf +++ b/4-projects/modules/ml_single_project/outputs.tf @@ -20,7 +20,7 @@ output "project_id" { } output "sa" { - description = "Project SA email" + description = "Project SA email." value = module.project.service_account_email } diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf index 7d5663ef..d55b3647 100644 --- a/4-projects/modules/ml_single_project/variables.tf +++ b/4-projects/modules/ml_single_project/variables.tf @@ -15,17 +15,17 @@ */ variable "org_id" { - description = "The Organization ID" + description = "The Organization ID." type = string } variable "folder_id" { - description = "The folder id where project will be created" + description = "The folder id where project will be created." type = string } variable "billing_account" { - description = "The ID of the billing account to associated this project with" + description = "The ID of the billing account to associated this project with." type = string } 
@@ -35,40 +35,40 @@ variable "project_suffix" { } variable "application_name" { - description = "The name of application where GCP resources relate" + description = "The name of application where GCP resources relate." type = string } variable "billing_code" { - description = "The code that's used to provide chargeback information" + description = "The code that's used to provide chargeback information." type = string } variable "primary_contact" { - description = "The primary email contact for the project" + description = "The primary email contact for the project." type = string } variable "secondary_contact" { - description = "The secondary email contact for the project" + description = "The secondary email contact for the project." type = string default = "" } variable "business_code" { - description = "The code that describes which business unit owns the project" + description = "The code that describes which business unit owns the project." type = string default = "abcd" } variable "activate_apis" { - description = "The api to activate for the GCP project" + description = "The api to activate for the GCP project." type = list(string) default = [] } variable "environment" { - description = "The environment the project belongs to" + description = "The environment the project belongs to." type = string } @@ -79,7 +79,7 @@ variable "vpc_type" { } variable "shared_vpc_host_project_id" { - description = "Shared VPC host project ID" + description = "Shared VPC host project ID." type = string default = "" } 
@@ -91,19 +91,19 @@ variable "shared_vpc_subnets" { } variable "vpc_service_control_attach_enabled" { - description = "Whether the project will be attached to a VPC Service Control Perimeter" + description = "Whether the project will be attached to a VPC Service Control Perimeter." type = bool default = false } variable "vpc_service_control_perimeter_name" { - description = "The name of a VPC Service Control Perimeter to add the created project to" + description = "The name of a VPC Service Control Perimeter to add the created project to." type = string default = null } variable "vpc_service_control_sleep_duration" { - description = "The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter" + description = "The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter." type = string default = "5s" } @@ -144,19 +144,19 @@ variable "sa_roles" { } variable "enable_cloudbuild_deploy" { - description = "Enable infra deployment using Cloud Build" + description = "Enable infra deployment using Cloud Build." type = bool default = false } variable "key_rotation_period" { - description = "Rotation period in seconds to be used for KMS Key" + description = "Rotation period in seconds to be used for KMS Key." type = string default = "7776000s" } variable "key_rings" { - description = "Keyrings to attach project key to" + description = "Keyrings to attach project key to." type = list(string) } From 83346f570149f0cbc1b4db9313c35ad15344a899 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 09:33:13 -0300 Subject: [PATCH 30/35] remove default value --- 4-projects/modules/ml_infra_projects/variables.tf | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf index 07b4e176..1e80bc60 100644 
--- a/4-projects/modules/ml_infra_projects/variables.tf +++ b/4-projects/modules/ml_infra_projects/variables.tf @@ -70,7 +70,6 @@ variable "remote_state_bucket" { variable "business_code" { description = "The code that describes which business unit owns the project." type = string - default = "abcd" } variable "billing_code" { @@ -89,12 +88,6 @@ variable "secondary_contact" { default = "" } -variable "vpc_type" { - description = "The type of VPC to attach the project to. Possible options are base or restricted." - type = string - default = "" -} - variable "shared_vpc_host_project_id" { description = "Shared VPC host project ID." type = string @@ -150,7 +143,7 @@ variable "key_rotation_period" { } variable "default_service_account" { - description = "Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`." + description = "Project default service account setting: can be one of `delete`, `depriviledge`, `keep` or `disable`." default = "disable" type = string } From bea34fa1617d5ee6f59cf8cdc84b7721692e4d8d Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 09:41:36 -0300 Subject: [PATCH 31/35] restore dns file --- 3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf b/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf index fbcc610c..75e98ebe 100644 --- a/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf +++ b/3-networks-dual-svpc/modules/ml_dns_notebooks/main.tf @@ -35,8 +35,8 @@ locals { ***********************************************/ module "notebooks" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" project_id = var.project_id type = "private" 
@@ -91,8 +91,8 @@ module "notebooks-googleusercontent" { } module "kernels-googleusercontent" { - source = "terraform-google-modules/cloud-dns/google" - version = "~> 5.0" + source = "terraform-google-modules/cloud-dns/google" + version = "~> 5.0" project_id = var.project_id type = "private" From a963b03b36560548e93cc61a1eb4cc73fd1ccf75 Mon Sep 17 00:00:00 2001 From: caetano-colin Date: Wed, 15 May 2024 16:06:10 -0300 Subject: [PATCH 32/35] externalize project suffixes --- .../modules/ml_infra_projects/artifacts_project.tf | 5 ++--- .../ml_infra_projects/service_catalog_project.tf | 5 ++--- 4-projects/modules/ml_infra_projects/variables.tf | 12 ++++++++++++ 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf index 5eaac184..29d9cbcc 100644 --- a/4-projects/modules/ml_infra_projects/artifacts_project.tf +++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf @@ -15,7 +15,6 @@ */ locals { - artifacts_project_suffix = "artifacts" artifact_tf_sa_roles = [ "roles/artifactregistry.admin", "roles/cloudbuild.builds.editor", @@ -49,14 +48,14 @@ module "app_infra_artifacts_project" { "sourcerepo.googleapis.com", ] # Metadata - project_suffix = local.artifacts_project_suffix + project_suffix = var.artifacts_project_suffix application_name = "app-infra-artifacts" billing_code = var.billing_code primary_contact = var.primary_contact secondary_contact = var.secondary_contact business_code = var.business_code environment_kms_project_id = var.environment_kms_project_id - project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.artifacts_project_suffix}" + project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${var.artifacts_project_suffix}" prevent_destroy = var.prevent_destroy } 
diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf index 98794cdc..089bb143 100644 --- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf +++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf @@ -15,7 +15,6 @@ */ locals { - service_catalog_project_suffix = "service-catalog" service_catalog_tf_sa_roles = [ "roles/cloudbuild.builds.editor", "roles/iam.serviceAccountAdmin", @@ -47,14 +46,14 @@ module "app_service_catalog_project" { "sourcerepo.googleapis.com", ] # Metadata - project_suffix = local.service_catalog_project_suffix + project_suffix = var.service_catalog_project_suffix application_name = "app-infra-ml" billing_code = var.billing_code primary_contact = var.primary_contact secondary_contact = var.secondary_contact business_code = var.business_code environment_kms_project_id = var.environment_kms_project_id - project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.service_catalog_project_suffix}" + project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${var.service_catalog_project_suffix}" prevent_destroy = var.prevent_destroy } diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf index 1e80bc60..e9144b5c 100644 --- a/4-projects/modules/ml_infra_projects/variables.tf +++ b/4-projects/modules/ml_infra_projects/variables.tf @@ -177,3 +177,15 @@ variable "prevent_destroy" { description = "Prevent Project Key destruction." type = bool } + +variable "artifacts_project_suffix" { + description = "Artifacts Project Suffix." + type = string + default = "artifacts" +} + +variable "service_catalog_project_suffix" { + description = "Service Catalog Project Suffix." + type = string + default = "service-catalog" +} From e30ae29fda0e2cb8f3c8bddd75f87ba770aa9548 Mon Sep 17 00:00:00 2001 
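Review bot: `artifacts_project_suffix` and `service_catalog_project_suffix` are now caller-supplied, but nothing documents or checks their length, and the artifacts_project.tf and service_catalog_project.tf hunks of this commit interpolate them straight into `project_name` as `${var.business_code}${var.artifacts_project_suffix}` with no separator. ml_single_project's `project_suffix` documents "Max 16 characters with 3 character business unit code"; presumably these values end up in that input, so the limit should be stated here too, e.g. `description = "Artifacts project name suffix; appended directly to the business code, so keep it within the project-name length limit."`. A `validation` with `length(var.artifacts_project_suffix) <= 16` would turn that into a plan-time check.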
From: caetano-colin Date: Wed, 15 May 2024 16:15:21 -0300 Subject: [PATCH 33/35] externalize application name --- .../modules/ml_infra_projects/artifacts_project.tf | 2 +- .../ml_infra_projects/service_catalog_project.tf | 2 +- 4-projects/modules/ml_infra_projects/variables.tf | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf index 29d9cbcc..e3260633 100644 --- a/4-projects/modules/ml_infra_projects/artifacts_project.tf +++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf @@ -49,7 +49,7 @@ module "app_infra_artifacts_project" { ] # Metadata project_suffix = var.artifacts_project_suffix - application_name = "app-infra-artifacts" + application_name = var.artifacts_application_name billing_code = var.billing_code primary_contact = var.primary_contact secondary_contact = var.secondary_contact diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf index 089bb143..7e0a19b3 100644 --- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf +++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf @@ -47,7 +47,7 @@ module "app_service_catalog_project" { ] # Metadata project_suffix = var.service_catalog_project_suffix - application_name = "app-infra-ml" + application_name = var.service_catalog_application_name billing_code = var.billing_code primary_contact = var.primary_contact secondary_contact = var.secondary_contact diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf index e9144b5c..e9f891a9 100644 --- a/4-projects/modules/ml_infra_projects/variables.tf +++ b/4-projects/modules/ml_infra_projects/variables.tf 
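Review bot: The default for `service_catalog_application_name` ("app-infra-catalog", in the variables.tf hunk of this commit) differs from the literal it replaces in service_catalog_project.tf ("app-infra-ml"), so an existing deployment that does not set the variable sees its application_name metadata change on the next apply, whereas the artifacts default ("app-infra-artifacts") matches its old literal. If the rename is intended the commit message should say so; otherwise `default = "app-infra-ml"` keeps the plan clean.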
@@ -189,3 +189,15 @@ variable "service_catalog_project_suffix" {
 type = string
 default = "service-catalog"
 }
+
+variable "service_catalog_application_name" {
+ description = "Service Catalog application name metadata."
+ type = string
+ default = "app-infra-catalog"
+}
+
+variable "artifacts_application_name" {
+ description = "Artifacts application name metadata."
+ type = string
+ default = "app-infra-artifacts"
+}
From 5ba54de7f616b7662a6ef65fcaf645ecb0c8284f Mon Sep 17 00:00:00 2001
From: caetano-colin
Date: Wed, 22 May 2024 08:39:40 -0300
Subject: [PATCH 34/35] add files again
---
 .../shared/example_artifacts.tf | 96 +++++++++++++
 .../shared/example_service_catalog.tf | 134 ++++++++++++++++++
 2 files changed, 230 insertions(+)
 create mode 100644 4-projects/business_unit_3/shared/example_artifacts.tf
 create mode 100644 4-projects/business_unit_3/shared/example_service_catalog.tf
diff --git a/4-projects/business_unit_3/shared/example_artifacts.tf b/4-projects/business_unit_3/shared/example_artifacts.tf
new file mode 100644
index 00000000..a24433bc
--- /dev/null
+++ b/4-projects/business_unit_3/shared/example_artifacts.tf
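Review bot: The default for `service_catalog_application_name` is `"app-infra-catalog"`, but the literal it replaces in service_catalog_project.tf (the hunk earlier in this same patch) was `"app-infra-ml"`, so callers that do not set the variable get a different application_name than before, and the subject line "externalize application name" gives no hint that a rename is intended. Either keep `default = "app-infra-ml"` or state the rename in the commit description. The two descriptions also say nothing about where the value is consumed; something like `description = "Value passed as application_name metadata to the Service Catalog project module."` would make the contract clearer (what the downstream module does with it is not visible in this hunk).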
@@ -0,0 +1,96 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ artifact_tf_sa_roles = [
+ "roles/artifactregistry.admin",
+ "roles/cloudbuild.builds.editor",
+ "roles/cloudbuild.connectionAdmin",
+ "roles/iam.serviceAccountAdmin",
+ "roles/secretmanager.admin",
+ "roles/source.admin",
+ "roles/storage.admin",
+ ]
+
+}
+module "app_infra_artifacts_project" {
+ source = "../../modules/single_project"
+ # count = local.enable_cloudbuild_deploy ? 1 : 0
+
+ org_id = local.org_id
+ billing_account = local.billing_account
+ folder_id = local.common_folder_name
+ environment = "common"
+ project_budget = var.project_budget
+ project_prefix = local.project_prefix
+ key_rings = local.shared_kms_key_ring
+ remote_state_bucket = var.remote_state_bucket
+ activate_apis = [
+ "artifactregistry.googleapis.com",
+ "logging.googleapis.com",
+ "billingbudgets.googleapis.com",
+ "serviceusage.googleapis.com",
+ "storage.googleapis.com",
+ "cloudbuild.googleapis.com",
+ "secretmanager.googleapis.com",
+ "sourcerepo.googleapis.com",
+ ]
+ # Metadata
+ project_suffix = "artifacts"
+ application_name = "app-infra-artifacts"
+ billing_code = "1234"
+ primary_contact = "example@example.com"
+ secondary_contact = "example2@example.com"
+ business_code = "bu3"
+}
+
+# resource "google_kms_crypto_key" "ml_key" {
+# for_each = toset(local.shared_kms_key_ring)
+# name = module.app_infra_artifacts_project[0].project_name
+# key_ring = each.key
+# rotation_period = var.key_rotation_period
+# lifecycle {
+# prevent_destroy = false
+# }
+# }
+
+resource "google_kms_crypto_key_iam_member" "ml_key" {
+ for_each = module.app_infra_cloudbuild_project[0].kms_keys
+ crypto_key_id = each.value.id
+ role = "roles/cloudkms.admin"
+ member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]}"
+}
+
+resource "google_project_iam_member" "artifact_tf_sa_roles" {
+ for_each = toset(local.artifact_tf_sa_roles)
+ project = module.app_infra_artifacts_project[0].project_id
+ role = each.key
+ member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]}"
+}
+
+// Add Service Agent for Cloud Build
+resource "google_project_iam_member" "artifact_cloudbuild_agent" {
+ project = module.app_infra_artifacts_project[0].project_id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${module.app_infra_artifacts_project[0].project_number}@cloudbuild.gserviceaccount.com"
+}
+
+// Add Repository for Artifact repo
+
+resource "google_sourcerepo_repository" "artifact_repo" {
+ project = module.app_infra_artifacts_project[0].project_id
+ name = var.cloud_source_artifacts_repo_name
+}
diff --git a/4-projects/business_unit_3/shared/example_service_catalog.tf b/4-projects/business_unit_3/shared/example_service_catalog.tf
new file mode 100644
index 00000000..46cae7ab
--- /dev/null
+++ b/4-projects/business_unit_3/shared/example_service_catalog.tf
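Review bot: `google_kms_crypto_key_iam_member.ml_key` iterates `module.app_infra_cloudbuild_project[0].kms_keys`, but the only project module declared in this file is `app_infra_artifacts_project`, and every reference in the file uses a `[0]` index even though the module's `count` line is commented out, so this file should fail `terraform validate` as written. The same binding grants `roles/cloudkms.admin` on the project's keys to the `bu3-artifact-publish` pipeline service account, which allows that account to alter key IAM and destroy key versions rather than merely use the keys; if encrypt/decrypt is all the pipeline needs, `role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"` (the role the service-catalog file uses for its agents) is the narrower grant. PATCH 35/35 deletes this file again, so these only matter if the file is kept.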
@@ -0,0 +1,134 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ service_catalog_tf_sa_roles = [
+ "roles/cloudbuild.builds.editor",
+ "roles/iam.serviceAccountAdmin",
+ "roles/cloudbuild.connectionAdmin",
+ "roles/secretmanager.admin",
+ "roles/storage.admin",
+ "roles/source.admin",
+ ]
+}
+
+module "app_service_catalog_project" {
+ source = "../../modules/single_project"
+ # count = local.enable_cloudbuild_deploy ? 1 : 0
+
+ org_id = local.org_id
+ billing_account = local.billing_account
+ folder_id = local.common_folder_name
+ environment = "common"
+ project_budget = var.project_budget
+ project_prefix = local.project_prefix
+ key_rings = local.shared_kms_key_ring
+ remote_state_bucket = var.remote_state_bucket
+ activate_apis = [
+ "logging.googleapis.com",
+ "storage.googleapis.com",
+ "serviceusage.googleapis.com",
+ "secretmanager.googleapis.com",
+ "cloudbuild.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ "sourcerepo.googleapis.com",
+ ]
+ # Metadata
+ project_suffix = var.cloud_source_service_catalog_repo_name
+ application_name = "app-infra-ml"
+ billing_code = "1234"
+ primary_contact = "example@example.com"
+ secondary_contact = "example2@example.com"
+ business_code = "bu3"
+}
+
+resource "google_kms_crypto_key_iam_member" "sc_key" {
+ for_each = module.app_service_catalog_project[0].kms_keys
+ crypto_key_id = each.value.id
+ role = "roles/cloudkms.admin"
+ member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
+}
+
+// Grab Service Agent for Secret Manager
+resource "google_project_service_identity" "secretmanager_agent" {
+ provider = google-beta
+ project = module.app_service_catalog_project[0].project_id
+ service = "secretmanager.googleapis.com"
+}
+
+// Add Secret Manager Service Agent to key with encrypt/decrypt permissions
+resource "google_kms_crypto_key_iam_member" "secretmanager_agent" {
+ for_each = module.app_service_catalog_project[0].kms_keys
+ crypto_key_id = each.value.id
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = "serviceAccount:${google_project_service_identity.secretmanager_agent.email}"
+}
+
+// Grab Service Agent for Storage
+resource "google_project_service_identity" "storage" {
+ provider = google-beta
+ project = module.app_service_catalog_project[0].project_id
+ service = "storage.googleapis.com"
+}
+// Add Service Agent for Storage
+resource "google_kms_crypto_key_iam_member" "storage_agent" {
+ for_each = module.app_service_catalog_project[0].kms_keys
+ crypto_key_id = each.value.id
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = "serviceAccount:service-${module.app_service_catalog_project[0].project_number}@gs-project-accounts.iam.gserviceaccount.com"
+
+ depends_on = [google_project_service_identity.storage]
+}
+
+// Add infra pipeline SA encrypt/decrypt permissions
+resource "google_kms_crypto_key_iam_member" "storage-kms-key-binding" {
+ for_each = module.app_service_catalog_project[0].kms_keys
+ crypto_key_id = each.value.id
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
+}
+
+resource "google_project_iam_member" "service_catalog_tf_sa_roles" {
+ for_each = toset(local.service_catalog_tf_sa_roles)
+ project = module.app_service_catalog_project[0].project_id
+ role = each.key
+ member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
+}
+
+// Add Service Agent for Cloud Build
+resource "google_project_iam_member" "cloudbuild_agent" {
+ project = module.app_service_catalog_project[0].project_id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${module.app_service_catalog_project[0].project_number}@cloudbuild.gserviceaccount.com"
+}
+
+// Add Service Catalog Source Repository
+
+resource "google_sourcerepo_repository" "service_catalog" {
+ project = module.app_service_catalog_project[0].project_id
+ name = var.cloud_source_service_catalog_repo_name
+}
+
+/**
+ * When Jenkins CICD is used for deployment this resource
+ * is created to terraform validation works.
+ * Without this resource, this module creates zero resources
+ * and it breaks terraform validation throwing the error below:
+ * ERROR: [Terraform plan json does not contain resource_changes key]
+ */
+resource "null_resource" "jenkins_cicd_service_catalog" {
+ count = !local.enable_cloudbuild_deploy ? 1 : 0
+}
From 2955195d0abd455763df91bf1f182fea76be9c00 Mon Sep 17 00:00:00 2001
From: caetano-colin
Date: Wed, 22 May 2024 08:40:01 -0300
Subject: [PATCH 35/35] remove files again
---
 .../shared/example_artifacts.tf | 96 -------------
 .../shared/example_service_catalog.tf | 134 ------------------
 2 files changed, 230 deletions(-)
 delete mode 100644 4-projects/business_unit_3/shared/example_artifacts.tf
 delete mode 100644 4-projects/business_unit_3/shared/example_service_catalog.tf
diff --git a/4-projects/business_unit_3/shared/example_artifacts.tf b/4-projects/business_unit_3/shared/example_artifacts.tf
deleted file mode 100644
index a24433bc..00000000
--- a/4-projects/business_unit_3/shared/example_artifacts.tf
+++ /dev/null
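Review bot: `project_suffix = var.cloud_source_service_catalog_repo_name` feeds the Cloud Source repository name into the project id suffix, whereas the sibling artifacts file uses a plain `"artifacts"` suffix and the repo-name variable only in `google_sourcerepo_repository`; this reads like a copy-paste slip, and `project_suffix = "service-catalog"` would match the module default introduced earlier in the series. Every `module.app_service_catalog_project[0]` reference indexes a module whose `count` line is commented out, while `null_resource.jenkins_cicd_service_catalog` still keys off `local.enable_cloudbuild_deploy`, so the two halves of that conditional no longer agree. `sc_key` grants `roles/cloudkms.admin` on the project keys to the `bu3-service-catalog` pipeline SA even though `storage-kms-key-binding` already gives it `cryptoKeyEncrypterDecrypter` on the same keys; the admin grant is worth a justifying comment or removal. PATCH 35/35 removes this file again, so these apply only if it is kept.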
@@ -1,96 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- artifact_tf_sa_roles = [
- "roles/artifactregistry.admin",
- "roles/cloudbuild.builds.editor",
- "roles/cloudbuild.connectionAdmin",
- "roles/iam.serviceAccountAdmin",
- "roles/secretmanager.admin",
- "roles/source.admin",
- "roles/storage.admin",
- ]
-
-}
-module "app_infra_artifacts_project" {
- source = "../../modules/single_project"
- # count = local.enable_cloudbuild_deploy ? 1 : 0
-
- org_id = local.org_id
- billing_account = local.billing_account
- folder_id = local.common_folder_name
- environment = "common"
- project_budget = var.project_budget
- project_prefix = local.project_prefix
- key_rings = local.shared_kms_key_ring
- remote_state_bucket = var.remote_state_bucket
- activate_apis = [
- "artifactregistry.googleapis.com",
- "logging.googleapis.com",
- "billingbudgets.googleapis.com",
- "serviceusage.googleapis.com",
- "storage.googleapis.com",
- "cloudbuild.googleapis.com",
- "secretmanager.googleapis.com",
- "sourcerepo.googleapis.com",
- ]
- # Metadata
- project_suffix = "artifacts"
- application_name = "app-infra-artifacts"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu3"
-}
-
-# resource "google_kms_crypto_key" "ml_key" {
-# for_each = toset(local.shared_kms_key_ring)
-# name = module.app_infra_artifacts_project[0].project_name
-# key_ring = each.key
-# rotation_period = var.key_rotation_period
-# lifecycle {
-# prevent_destroy = false
-# }
-# }
-
-resource "google_kms_crypto_key_iam_member" "ml_key" {
- for_each = module.app_infra_cloudbuild_project[0].kms_keys
- crypto_key_id = each.value.id
- role = "roles/cloudkms.admin"
- member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]}"
-}
-
-resource "google_project_iam_member" "artifact_tf_sa_roles" {
- for_each = toset(local.artifact_tf_sa_roles)
- project = module.app_infra_artifacts_project[0].project_id
- role = each.key
- member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]}"
-}
-
-// Add Service Agent for Cloud Build
-resource "google_project_iam_member" "artifact_cloudbuild_agent" {
- project = module.app_infra_artifacts_project[0].project_id
- role = "roles/secretmanager.secretAccessor"
- member = "serviceAccount:${module.app_infra_artifacts_project[0].project_number}@cloudbuild.gserviceaccount.com"
-}
-
-// Add Repository for Artifact repo
-
-resource "google_sourcerepo_repository" "artifact_repo" {
- project = module.app_infra_artifacts_project[0].project_id
- name = var.cloud_source_artifacts_repo_name
-}
diff --git a/4-projects/business_unit_3/shared/example_service_catalog.tf b/4-projects/business_unit_3/shared/example_service_catalog.tf
deleted file mode 100644
index 46cae7ab..00000000
--- a/4-projects/business_unit_3/shared/example_service_catalog.tf
+++ /dev/null
@@ -1,134 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- service_catalog_tf_sa_roles = [
- "roles/cloudbuild.builds.editor",
- "roles/iam.serviceAccountAdmin",
- "roles/cloudbuild.connectionAdmin",
- "roles/secretmanager.admin",
- "roles/storage.admin",
- "roles/source.admin",
- ]
-}
-
-module "app_service_catalog_project" {
- source = "../../modules/single_project"
- # count = local.enable_cloudbuild_deploy ? 1 : 0
-
- org_id = local.org_id
- billing_account = local.billing_account
- folder_id = local.common_folder_name
- environment = "common"
- project_budget = var.project_budget
- project_prefix = local.project_prefix
- key_rings = local.shared_kms_key_ring
- remote_state_bucket = var.remote_state_bucket
- activate_apis = [
- "logging.googleapis.com",
- "storage.googleapis.com",
- "serviceusage.googleapis.com",
- "secretmanager.googleapis.com",
- "cloudbuild.googleapis.com",
- "cloudresourcemanager.googleapis.com",
- "sourcerepo.googleapis.com",
- ]
- # Metadata
- project_suffix = var.cloud_source_service_catalog_repo_name
- application_name = "app-infra-ml"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = "bu3"
-}
-
-resource "google_kms_crypto_key_iam_member" "sc_key" {
- for_each = module.app_service_catalog_project[0].kms_keys
- crypto_key_id = each.value.id
- role = "roles/cloudkms.admin"
- member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
-}
-
-// Grab Service Agent for Secret Manager
-resource "google_project_service_identity" "secretmanager_agent" {
- provider = google-beta
- project = module.app_service_catalog_project[0].project_id
- service = "secretmanager.googleapis.com"
-}
-
-// Add Secret Manager Service Agent to key with encrypt/decrypt permissions
-resource "google_kms_crypto_key_iam_member" "secretmanager_agent" {
- for_each = module.app_service_catalog_project[0].kms_keys
- crypto_key_id = each.value.id
- role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- member = "serviceAccount:${google_project_service_identity.secretmanager_agent.email}"
-}
-
-// Grab Service Agent for Storage
-resource "google_project_service_identity" "storage" {
- provider = google-beta
- project = module.app_service_catalog_project[0].project_id
- service = "storage.googleapis.com"
-}
-// Add Service Agent for Storage
-resource "google_kms_crypto_key_iam_member" "storage_agent" {
- for_each = module.app_service_catalog_project[0].kms_keys
- crypto_key_id = each.value.id
- role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- member = "serviceAccount:service-${module.app_service_catalog_project[0].project_number}@gs-project-accounts.iam.gserviceaccount.com"
-
- depends_on = [google_project_service_identity.storage]
-}
-
-// Add infra pipeline SA encrypt/decrypt permissions
-resource "google_kms_crypto_key_iam_member" "storage-kms-key-binding" {
- for_each = module.app_service_catalog_project[0].kms_keys
- crypto_key_id = each.value.id
- role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
-}
-
-resource "google_project_iam_member" "service_catalog_tf_sa_roles" {
- for_each = toset(local.service_catalog_tf_sa_roles)
- project = module.app_service_catalog_project[0].project_id
- role = each.key
- member = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
-}
-
-// Add Service Agent for Cloud Build
-resource "google_project_iam_member" "cloudbuild_agent" {
- project = module.app_service_catalog_project[0].project_id
- role = "roles/secretmanager.secretAccessor"
- member = "serviceAccount:${module.app_service_catalog_project[0].project_number}@cloudbuild.gserviceaccount.com"
-}
-
-// Add Service Catalog Source Repository
-
-resource "google_sourcerepo_repository" "service_catalog" {
- project = module.app_service_catalog_project[0].project_id
- name = var.cloud_source_service_catalog_repo_name
-}
-
-/**
- * When Jenkins CICD is used for deployment this resource
- * is created to terraform validation works.
- * Without this resource, this module creates zero resources
- * and it breaks terraform validation throwing the error below:
- * ERROR: [Terraform plan json does not contain resource_changes key]
- */
-resource "null_resource" "jenkins_cicd_service_catalog" {
- count = !local.enable_cloudbuild_deploy ? 1 : 0
-}