This module performs the same functions as the root module with the addition of integrating G Suite.
There are multiple examples included in the examples folder but simple usage is as follows:
module "project-factory" {
source = "terraform-google-modules/project-factory/google//modules/gsuite_enabled"
version = "~> 1.0"
billing_account = "ABCDEF-ABCDEF-ABCDEF"
create_group = "true"
credentials_path = "${local.credentials_file_path}"
group_name = "test_sa_group"
group_role = "roles/editor"
name = "pf-test-1"
org_id = "1234567890"
random_project_id = "true"
sa_group = "[email protected]"
shared_vpc = "shared_vpc_host_name"
shared_vpc_subnets = [
"projects/base-project-196723/regions/us-east1/subnetworks/default",
"projects/base-project-196723/regions/us-central1/subnetworks/default",
"projects/base-project-196723/regions/us-central1/subnetworks/subnet-1",
]
usage_bucket_name = "pf-test-1-usage-report-bucket"
usage_bucket_prefix = "pf/test/1/integration"
}
The G Suite Enabled module will perform the following actions in addition to those of the root module:
- Create a new Google group for the project using
group_name
ifcreate_group
is"true"
. - Add the new default service account for the project to the
sa_group
in Google Groups, if specified. - Add the Google APIs service account to the
api_sa_group
, if specified.
The roles granted are specifically:
- New Default Service Account
- MEMBER of the specified
sa_group
- MEMBER of the specified
- Google APIs Service Account
- MEMBER of the specified
api_sa_group
- MEMBER of the specified
Name | Description | Type | Default | Required |
---|---|---|---|---|
activate_apis | The list of apis to activate within the project | list(string) | <list> |
no |
api_sa_group | A G Suite group to place the Google APIs Service Account for the project in | string | "" |
no |
auto_create_network | Create the default network | string | "false" |
no |
billing_account | The ID of the billing account to associate this project with | string | n/a | yes |
bucket_location | The location for a GCS bucket to create (optional) | string | "" |
no |
bucket_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | string | "" |
no |
bucket_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string | "" |
no |
create_group | Whether to create the group or not | bool | "false" |
no |
credentials_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | string | "" |
no |
default_service_account | Project default service account setting: can be one of delete , deprivilege , disable , or keep . |
string | "disable" |
no |
disable_dependent_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | string | "true" |
no |
disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed | string | "true" |
no |
domain | The domain name (optional). | string | "" |
no |
folder_id | The ID of a folder to host this project | string | "" |
no |
group_name | A group to control the project by being assigned group_role - defaults to $${project_name}-editors | string | "" |
no |
group_role | The role to give the controlling group (group_name) over the project (defaults to project editor) | string | "roles/editor" |
no |
impersonate_service_account | An optional service account to impersonate. If this service account is not specified, Terraform will fall back to credential file or Application Default Credentials. | string | "" |
no |
labels | Map of labels for project | map(string) | <map> |
no |
lien | Add a lien on the project to prevent accidental deletion | string | "false" |
no |
name | The name for the project | string | n/a | yes |
org_id | The organization ID. | string | n/a | yes |
project_id | If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. | string | "" |
no |
python_interpreter_path | Python interpreter path for precondition check script. | string | "python3" |
no |
random_project_id | Enables project random id generation. Mutually exclusive with project_id being non-empty. | string | "false" |
no |
sa_group | A G Suite group to place the default Service Account for the project in | string | "" |
no |
sa_role | A role to give the default Service Account for the project (defaults to none) | string | "" |
no |
shared_vpc | The ID of the host project which hosts the shared VPC | string | "" |
no |
shared_vpc_enabled | If shared VPC should be used | bool | "false" |
no |
shared_vpc_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list(string) | <list> |
no |
usage_bucket_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | "" |
no |
usage_bucket_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | "" |
no |
Name | Description |
---|---|
domain | The organization's domain |
group_email | The email of the created G Suite group with group_name |
group_name | The group_name of the G Suite group |
project_bucket_self_link | Project's bucket selfLink |
project_bucket_url | Project's bucket url |
project_id | |
project_name | |
project_number | |
service_account_display_name | The display name of the default service account |
service_account_email | The email of the default service account |
service_account_id | The id of the default service account |
service_account_name | The fully-qualified name of the default service account |
service_account_unique_id | The unique id of the default service account |