Merge pull request terraform-google-modules#12 from terraform-google-…

…modules/aaron-lane-0.12

Release version for Terraform 0.12

CHANGELOG.md

@@ -7,6 +7,11 @@ project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [0.2.0] 2019-YY-ZZ
+
+### Added
+ - Supported version of Terraform is 0.12. [#10]
+
 ## [0.1.0] 2019-05-15
 
 ### Added
@@ -15,3 +20,5 @@ project adheres to [Semantic Versioning](http://semver.org/).
 
 [Unreleased]: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/compare/v0.1.0...HEAD
 [0.1.0]: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/releases/tag/v0.1.0
+[0.2.0]: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/releases/tag/v0.2.0
+[#10]: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/pull/10

Makefile

@@ -21,7 +21,7 @@ SHELL := /usr/bin/env bash
 # Docker build config variables
 CREDENTIALS_PATH 			?= /cft/workdir/credentials.json
 DOCKER_ORG 				:= gcr.io/cloud-foundation-cicd
-DOCKER_TAG_BASE_KITCHEN_TERRAFORM 	?= 1.0.1
+DOCKER_TAG_BASE_KITCHEN_TERRAFORM 	?= 2.3.0
 DOCKER_REPO_BASE_KITCHEN_TERRAFORM 	:= ${DOCKER_ORG}/cft/kitchen-terraform:${DOCKER_TAG_BASE_KITCHEN_TERRAFORM}
 
 # All is the first target in the file so it will get picked up when you just run 'make' on its own

README.md

@@ -2,40 +2,41 @@
 
 This module handles opiniated VPC Service Controls and Access Context Manager configuration and deployments.
 
+
+## Compatibility
+This module is meant for use with Terraform 0.12. If you haven't [upgraded](https://www.terraform.io/upgrade-guides/0-12.html) and need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x
+is [0.1.0](https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google/0.1.0).
+
 ## Usage
 The root module only handles the configuration of the [access_context_manager_policy resource](https://www.terraform.io/docs/providers/google/r/access_context_manager_access_policy.html). For examples on how to use the root module with along with other submodules to configure all of VPC Service Controls and Access Context Manager resources, see the [examples](./examples/) folder and the [modules](./modules/) folder
 
 ```hcl
 provider "google" {
-  version     = "~> 2.5.0"
-  credentials = "${file("${var.credentials_path}")}"
+  version = "~> 2.5.0"
 }
 
 module "org_policy" {
   source      = "terraform-google-modules/vpc-service-controls/google"
-  parent_id   = "${var.parent_id}"
-  policy_name = "${var.policy_name}"
+  parent_id   = var.parent_id
+  policy_name = var.policy_name
 }
 
 module "access_level_members" {
-  source   = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
-  policy      = "${module.org_policy.policy_id}"
-  name        = "terraform_members"
-  members  = "${var.members}"
+  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
+  policy  = module.org_policy.policy_id
+  name    = "terraform_members"
+  members = var.members
 }
 
 module "regular_service_perimeter_1" {
-   source         = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
-  policy         = "${module.org_policy.policy_id}"
-  perimeter_name = "regular_perimeter_1"
-
-  description    = "Perimeter shielding projects"
-  resources      = ["1111111"]
-
-  access_levels = ["${module.access_level_members.name}"]
+  source              = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
+  policy              = module.org_policy.policy_id
+  perimeter_name      = "regular_perimeter_1"
+  description         = "Perimeter shielding projects"
+  resources           = ["1111111"]
+  access_levels       = [module.access_level_members.name]
   restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
-
-  shared_resources = {
+  shared_resources    = {
     all = ["11111111"]
   }
 }
@@ -53,8 +54,7 @@ Then perform the following commands on the root folder:
 The [Access Context Manager API](https://cloud.google.com/access-context-manager/docs/) guarantees that resources will be created, but there may be a delay between a successful response and the change taking effect. For example, ["after you create a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect"](https://cloud.google.com/vpc-service-controls/docs/create-service-perimeters).
 Because of these limitations in the API, you may first get an error when running `terraform apply` for the first time. However, for the [examples](./examples/) you should be able to succesfully deploy all resources by running `terraform apply` a second about 15 seconds after running it for the first time.
 
-[^]: (autogen_docs_start)
-
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -69,7 +69,7 @@ Because of these limitations in the API, you may first get an error when running
 | policy\_id | Resource name of the AccessPolicy. |
 | policy\_name | The policy's name. |
 
-[^]: (autogen_docs_end)
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Requirements
 
@@ -83,8 +83,8 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 
 ### Software Dependencies
 ### Terraform
-- [Terraform](https://www.terraform.io/downloads.html) 0.11.x
-- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) plugin v2.0.0
+- [Terraform](https://www.terraform.io/downloads.html) >= 0.12.0
+- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) >= v2.5.0
 
 ### Configure a Service Account
 
@@ -117,7 +117,7 @@ In order to operate with the Service Account you must activate the following API
 
 ## Install
 
-Be sure you have the correct Terraform version (0.11.x), you can choose the binary here:
+Be sure you have the correct Terraform version (0.12.x), you can choose the binary here:
 - https://releases.hashicorp.com/terraform/
 
 

examples/simple_example/README.md

@@ -19,17 +19,15 @@ You may use the following gcloud commands:
 
 
 
-[^]: (autogen_docs_start)
-
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| credentials\_path | Path to credentials.json key for service account deploying resources | string | n/a | yes |
-| members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | list | `<list>` | no |
+| members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | list(string) | n/a | yes |
 | parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | string | n/a | yes |
 | policy\_name | The policy's name. | string | n/a | yes |
-| protected\_project\_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" for the project id and "number" key for the project number. | map | n/a | yes |
+| protected\_project\_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" for the project id and "number" key for the project number. | object | n/a | yes |
 
 ## Outputs
 
@@ -40,7 +38,7 @@ You may use the following gcloud commands:
 | protected\_project\_id | Project id of the project INSIDE the regular service perimeter |
 | table\_id | Unique id for the BigQuery table being provisioned |
 
-[^]: (autogen_docs_end)
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 To provision this example, run the following from within this directory:
 - `terraform init` to get the plugins

examples/simple_example/main.tf

@@ -15,62 +15,63 @@
  */
 
 provider "google" {
-  version     = "~> 2.5.0"
-  credentials = "${file("${var.credentials_path}")}"
+  version = "~> 2.5.0"
 }
 
-module "org_policy" {
+module "access_context_manager_policy" {
   source      = "../.."
-  parent_id   = "${var.parent_id}"
-  policy_name = "${var.policy_name}"
+  parent_id   = var.parent_id
+  policy_name = var.policy_name
 }
 
 module "access_level_members" {
-  source  = "../../modules/access_level"
-  policy  = "${module.org_policy.policy_id}"
-  name    = "terraform_members"
-  members = "${var.members}"
+  source      = "../../modules/access_level"
+  description = "Simple Example Access Level"
+  policy      = module.access_context_manager_policy.policy_id
+  name        = "terraform_members"
+  members     = var.members
 }
 
 module "regular_service_perimeter_1" {
   source         = "../../modules/regular_service_perimeter"
-  policy         = "${module.org_policy.policy_id}"
+  policy         = module.access_context_manager_policy.policy_id
   perimeter_name = "regular_perimeter_1"
 
   description = "Perimeter shielding bigquery project"
-  resources   = ["${var.protected_project_ids["number"]}"]
+  resources   = [var.protected_project_ids["number"]]
 
-  access_levels       = ["${module.access_level_members.name}"]
+  access_levels       = [module.access_level_members.name]
   restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
 
   shared_resources = {
-    all = ["${var.protected_project_ids["number"]}"]
+    all = [var.protected_project_ids["number"]]
   }
 }
 
 module "bigquery" {
-  source  = "terraform-google-modules/bigquery/google"
-  version = "0.1.0"
-
+  source            = "terraform-google-modules/bigquery/google"
+  version           = "2.0.0"
   dataset_id        = "sample_dataset"
   dataset_name      = "sample_dataset"
   description       = "Dataset with a single table with one field"
   expiration        = "3600000"
-  project_id        = "${var.protected_project_ids["id"]}"
+  project_id        = var.protected_project_ids["id"]
   location          = "US"
-  table_id          = "example_table"
   time_partitioning = "DAY"
-  schema_file       = "sample_bq_schema.json"
 
   dataset_labels = {
     env      = "dev"
     billable = "true"
     owner    = "janesmith"
   }
 
-  table_labels = {
-    env      = "dev"
-    billable = "true"
-    owner    = "joedoe"
-  }
+  tables = [{
+    table_id = "example_table",
+    schema   = "sample_bq_schema.json",
+    labels = {
+      env      = "dev"
+      billable = "true"
+      owner    = "joedoe"
+    },
+  }, ]
 }

examples/simple_example/outputs.tf

@@ -16,20 +16,20 @@
 
 output "policy_name" {
   description = "Name of the parent policy"
-  value       = "${var.policy_name}"
+  value       = var.policy_name
 }
 
 output "protected_project_id" {
   description = "Project id of the project INSIDE the regular service perimeter"
-  value       = "${var.protected_project_ids["id"]}"
+  value       = var.protected_project_ids["id"]
 }
 
 output "dataset_id" {
   description = "Unique id for the BigQuery dataset being provisioned"
-  value       = "${module.bigquery.dataset_id}"
+  value       = module.bigquery.dataset_id
 }
 
 output "table_id" {
   description = "Unique id for the BigQuery table being provisioned"
-  value       = "${module.bigquery.table_id}"
+  value       = module.bigquery.table_id
 }

examples/simple_example/variables.tf

@@ -16,23 +16,20 @@
 
 variable "parent_id" {
   description = "The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent."
+  type        = string
 }
 
 variable "policy_name" {
   description = "The policy's name."
+  type        = string
 }
 
 variable "protected_project_ids" {
   description = "Project id and number of the project INSIDE the regular service perimeter. This map variable expects an \"id\" for the project id and \"number\" key for the project number."
-  type        = "map"
+  type        = object({ id = string, number = number })
 }
 
 variable "members" {
   description = "An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid}"
-  type        = "list"
-  default     = []
-}
-
-variable "credentials_path" {
-  description = "Path to credentials.json key for service account deploying resources"
+  type        = list(string)
 }

examples/simple_example/versions.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.12"
+}

examples/simple_example_access_level/README.md

@@ -7,22 +7,20 @@ This example illustrates how to use the `vpc-service-controls` module to configu
 
 
 
-[^]: (autogen_docs_start)
-
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| credentials\_path | Path to credentials.json key for service account deploying resources | string | n/a | yes |
-| ip\_subnetworks | A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. | list | n/a | yes |
+| ip\_subnetworks | A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. | list(string) | n/a | yes |
 | parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | string | n/a | yes |
 | policy\_name | The policy's name. | string | n/a | yes |
-| protected\_project\_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" for the project id and "number" key for the project number. | map | n/a | yes |
+| protected\_project\_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" for the project id and "number" key for the project number. | object | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | policy\_name |  |
 
-[^]: (autogen_docs_end)
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/simple_example_access_level/main.tf

@@ -15,35 +15,35 @@
  */
 
 provider "google" {
-  version     = "~> 2.5.0"
-  credentials = "${file("${var.credentials_path}")}"
+  version = "~> 2.5.0"
 }
 
-module "org_policy" {
+module "access_context_manager_policy" {
   source      = "../.."
-  parent_id   = "${var.parent_id}"
-  policy_name = "${var.policy_name}"
+  parent_id   = var.parent_id
+  policy_name = var.policy_name
 }
 
 module "access_level_1" {
   source         = "../../modules/access_level"
-  policy         = "${module.org_policy.policy_id}"
+  policy         = module.access_context_manager_policy.policy_id
   name           = "single_ip_policy"
-  ip_subnetworks = "${var.ip_subnetworks}"
+  ip_subnetworks = var.ip_subnetworks
+  description    = "Some description"
 }
 
 module "regular_service_perimeter_1" {
   source         = "../../modules/regular_service_perimeter"
-  policy         = "${module.org_policy.policy_id}"
+  policy         = module.access_context_manager_policy.policy_id
   perimeter_name = "regular_perimeter_1"
   description    = "Some description"
-  resources      = ["${var.protected_project_ids["number"]}"]
+  resources      = [var.protected_project_ids["number"]]
 
   restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
 
-  access_levels = ["${module.access_level_1.name}"]
+  access_levels = [module.access_level_1.name]
 
   shared_resources = {
-    all = ["${var.protected_project_ids["number"]}"]
+    all = [var.protected_project_ids["number"]]
   }
 }

examples/simple_example_access_level/outputs.tf

@@ -15,5 +15,5 @@
  */
 
 output "policy_name" {
-  value = "${var.policy_name}"
+  value = var.policy_name
 }