Skip to content

Latest commit

 

History

History
114 lines (96 loc) · 6.34 KB

File metadata and controls

114 lines (96 loc) · 6.34 KB

Google Cloud Project Factory with G Suite Terraform Module

This module performs the same functions as the root module with the addition of integrating G Suite.

Usage

There are multiple examples included in the examples folder but simple usage is as follows:

module "project-factory" {
  source = "terraform-google-modules/project-factory/google//modules/gsuite_enabled"
  version = "~> 1.0"

  billing_account   = "ABCDEF-ABCDEF-ABCDEF"
  create_group      = "true"
  credentials_path  = "${local.credentials_file_path}"
  group_name        = "test_sa_group"
  group_role        = "roles/editor"
  name              = "pf-test-1"
  org_id            = "1234567890"
  random_project_id = "true"
  sa_group          = "[email protected]"
  shared_vpc        = "shared_vpc_host_name"

  shared_vpc_subnets = [
    "projects/base-project-196723/regions/us-east1/subnetworks/default",
    "projects/base-project-196723/regions/us-central1/subnetworks/default",
    "projects/base-project-196723/regions/us-central1/subnetworks/subnet-1",
  ]

  usage_bucket_name   = "pf-test-1-usage-report-bucket"
  usage_bucket_prefix = "pf/test/1/integration"
}

Features

The G Suite Enabled module will perform the following actions in addition to those of the root module:

  1. Create a new Google group for the project using group_name if create_group is "true".
  2. Add the new default service account for the project to the sa_group in Google Groups, if specified.
  3. Add the Google APIs service account to the api_sa_group, if specified.

The roles granted are specifically:

  • New Default Service Account
    • MEMBER of the specified sa_group
  • Google APIs Service Account
    • MEMBER of the specified api_sa_group

Inputs

Name Description Type Default Required
activate_apis The list of apis to activate within the project list(string) <list> no
api_sa_group A G Suite group to place the Google APIs Service Account for the project in string "" no
auto_create_network Create the default network string "false" no
billing_account The ID of the billing account to associate this project with string n/a yes
bucket_location The location for a GCS bucket to create (optional) string "" no
bucket_name A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) string "" no
bucket_project A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) string "" no
create_group Whether to create the group or not bool "false" no
credentials_path Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. string "" no
default_service_account Project default service account setting: can be one of delete, deprivilege, disable, or keep. string "disable" no
disable_dependent_services Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. string "true" no
disable_services_on_destroy Whether project services will be disabled when the resources are destroyed string "true" no
domain The domain name (optional). string "" no
folder_id The ID of a folder to host this project string "" no
group_name A group to control the project by being assigned group_role - defaults to $${project_name}-editors string "" no
group_role The role to give the controlling group (group_name) over the project (defaults to project editor) string "roles/editor" no
impersonate_service_account An optional service account to impersonate. If this service account is not specified, Terraform will fall back to credential file or Application Default Credentials. string "" no
labels Map of labels for project map(string) <map> no
lien Add a lien on the project to prevent accidental deletion string "false" no
name The name for the project string n/a yes
org_id The organization ID. string n/a yes
project_id If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. string "" no
python_interpreter_path Python interpreter path for precondition check script. string "python3" no
random_project_id Enables project random id generation. Mutually exclusive with project_id being non-empty. string "false" no
sa_group A G Suite group to place the default Service Account for the project in string "" no
sa_role A role to give the default Service Account for the project (defaults to none) string "" no
shared_vpc The ID of the host project which hosts the shared VPC string "" no
shared_vpc_enabled If shared VPC should be used bool "false" no
shared_vpc_subnets List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) list(string) <list> no
usage_bucket_name Name of a GCS bucket to store GCE usage reports in (optional) string "" no
usage_bucket_prefix Prefix in the GCS bucket to store GCE usage reports in (optional) string "" no

Outputs

Name Description
domain The organization's domain
group_email The email of the created G Suite group with group_name
group_name The group_name of the G Suite group
project_bucket_self_link Project's bucket selfLink
project_bucket_url Project's bucket url
project_id
project_name
project_number
service_account_display_name The display name of the default service account
service_account_email The email of the default service account
service_account_id The id of the default service account
service_account_name The fully-qualified name of the default service account
service_account_unique_id The unique id of the default service account