From 22221c01536fd837c61e913546c73b483ee67878 Mon Sep 17 00:00:00 2001
From: Abhishek Tiwari
Date: Wed, 27 Nov 2024 19:24:16 +0000
Subject: [PATCH] chore: update blueprint metadata in latest format and add display metadata for project_services
---
 metadata.display.yaml | 200 +++
 metadata.yaml | 783 +++++++++---------
 modules/budget/metadata.display.yaml | 75 ++
 modules/budget/metadata.yaml | 283 +++----
 .../essential_contacts/metadata.display.yaml | 39 +
 modules/essential_contacts/metadata.yaml | 188 +++--
 modules/fabric-project/metadata.display.yaml | 87 ++
 modules/fabric-project/metadata.yaml | 344 ++++----
 modules/gsuite_enabled/metadata.display.yaml | 144 ++++
 modules/gsuite_enabled/metadata.yaml | 566 ++++++-------
 .../project_services/metadata.display.yaml | 52 ++
 modules/project_services/metadata.yaml | 230 ++---
 modules/quota_manager/metadata.display.yaml | 36 +
 modules/quota_manager/metadata.yaml | 185 +++--
 .../shared_vpc_access/metadata.display.yaml | 60 ++
 modules/shared_vpc_access/metadata.yaml | 243 +++---
 .../metadata.display.yaml | 138 +++
 modules/svpc_service_project/metadata.yaml | 535 ++++++------
 18 files changed, 2503 insertions(+), 1685 deletions(-)
 create mode 100644 metadata.display.yaml
 create mode 100644 modules/budget/metadata.display.yaml
 create mode 100644 modules/essential_contacts/metadata.display.yaml
 create mode 100644 modules/fabric-project/metadata.display.yaml
 create mode 100644 modules/gsuite_enabled/metadata.display.yaml
 create mode 100644 modules/project_services/metadata.display.yaml
 create mode 100644 modules/quota_manager/metadata.display.yaml
 create mode 100644 modules/shared_vpc_access/metadata.display.yaml
 create mode 100644 modules/svpc_service_project/metadata.display.yaml
diff --git a/metadata.display.yaml b/metadata.display.yaml
new file mode 100644
index 00000000..fe8eb446
--- /dev/null
+++ b/metadata.display.yaml
@@ -0,0 +1,200 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-project-factory-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Google Cloud Project Factory Terraform Module + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + ui: + input: + variables: + activate_api_identities: + name: activate_api_identities + title: Activate Api Identities + activate_apis: + name: activate_apis + title: Activate Apis + auto_create_network: + name: auto_create_network + title: Auto Create Network + billing_account: + name: billing_account + title: Billing Account + bucket_force_destroy: + name: bucket_force_destroy + title: Bucket Force Destroy + bucket_labels: + name: bucket_labels + title: Bucket Labels + bucket_location: + name: bucket_location + title: Bucket Location + bucket_name: + name: bucket_name + title: Bucket Name + bucket_pap: + name: bucket_pap + title: Bucket Pap + bucket_project: + name: bucket_project + title: Bucket Project + bucket_ula: + name: bucket_ula + title: Bucket Ula + bucket_versioning: + name: bucket_versioning + title: Bucket Versioning + budget_alert_pubsub_topic: + name: budget_alert_pubsub_topic + title: Budget Alert Pubsub Topic + budget_alert_spend_basis: + name: budget_alert_spend_basis + title: Budget Alert Spend Basis 
+ budget_alert_spent_percents: + name: budget_alert_spent_percents + title: Budget Alert Spent Percents + budget_amount: + name: budget_amount + title: Budget Amount + budget_calendar_period: + name: budget_calendar_period + title: Budget Calendar Period + budget_custom_period_end_date: + name: budget_custom_period_end_date + title: Budget Custom Period End Date + budget_custom_period_start_date: + name: budget_custom_period_start_date + title: Budget Custom Period Start Date + budget_display_name: + name: budget_display_name + title: Budget Display Name + budget_labels: + name: budget_labels + title: Budget Labels + budget_monitoring_notification_channels: + name: budget_monitoring_notification_channels + title: Budget Monitoring Notification Channels + cloud_armor_tier: + name: cloud_armor_tier + title: Cloud Armor Tier + consumer_quotas: + name: consumer_quotas + title: Consumer Quotas + create_project_sa: + name: create_project_sa + title: Create Project Sa + default_network_tier: + name: default_network_tier + title: Default Network Tier + default_service_account: + name: default_service_account + title: Default Service Account + deletion_policy: + name: deletion_policy + title: Deletion Policy + disable_dependent_services: + name: disable_dependent_services + title: Disable Dependent Services + disable_services_on_destroy: + name: disable_services_on_destroy + title: Disable Services On Destroy + domain: + name: domain + title: Domain + enable_shared_vpc_host_project: + name: enable_shared_vpc_host_project + title: Enable Shared Vpc Host Project + essential_contacts: + name: essential_contacts + title: Essential Contacts + folder_id: + name: folder_id + title: Folder Id + grant_network_role: + name: grant_network_role + title: Grant Network Role + grant_services_security_admin_role: + name: grant_services_security_admin_role + title: Grant Services Security Admin Role + group_name: + name: group_name + title: Group Name + group_role: + name: group_role + 
title: Group Role + labels: + name: labels + title: Labels + language_tag: + name: language_tag + title: Language Tag + lien: + name: lien + title: Lien + name: + name: name + title: Name + org_id: + name: org_id + title: Org Id + project_id: + name: project_id + title: Project Id + project_sa_name: + name: project_sa_name + title: Project Sa Name + random_project_id: + name: random_project_id + title: Random Project Id + random_project_id_length: + name: random_project_id_length + title: Random Project Id Length + sa_role: + name: sa_role + title: Sa Role + shared_vpc_subnets: + name: shared_vpc_subnets + title: Shared Vpc Subnets + svpc_host_project_id: + name: svpc_host_project_id + title: Svpc Host Project Id + tag_binding_values: + name: tag_binding_values + title: Tag Binding Values + usage_bucket_name: + name: usage_bucket_name + title: Usage Bucket Name + usage_bucket_prefix: + name: usage_bucket_prefix + title: Usage Bucket Prefix + vpc_service_control_attach_dry_run: + name: vpc_service_control_attach_dry_run + title: Vpc Service Control Attach Dry Run + vpc_service_control_attach_enabled: + name: vpc_service_control_attach_enabled + title: Vpc Service Control Attach Enabled + vpc_service_control_perimeter_name: + name: vpc_service_control_perimeter_name + title: Vpc Service Control Perimeter Name + vpc_service_control_sleep_duration: + name: vpc_service_control_sleep_duration + title: Vpc Service Control Sleep Duration diff --git a/metadata.yaml b/metadata.yaml index 9fd96462..a9c3717b 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,408 +19,381 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud Project Factory Terraform Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 17.0.0 - actuationTool: - type: Terraform - version: '>=0.13.0' - subBlueprints: - - name: app_engine - location: modules/app_engine - - name: budget - location: modules/budget - - name: core_project_factory - location: modules/core_project_factory - - name: essential_contacts - location: modules/essential_contacts - - name: fabric-project - location: modules/fabric-project - - name: gsuite_enabled - location: modules/gsuite_enabled - - name: gsuite_group - location: modules/gsuite_group - - name: project_services - location: modules/project_services - - name: quota_manager - location: modules/quota_manager - - name: shared_vpc_access - location: modules/shared_vpc_access - - name: svpc_service_project - location: modules/svpc_service_project - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: activate_api_identities - description: |2 - The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles). - APIs in this list will automatically be appended to `activate_apis`. 
- Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created). - Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles. - type: |- - list(object({ - api = string - roles = list(string) - })) - default: [] - required: false - - name: activate_apis - description: The list of apis to activate within the project - type: list(string) - default: - - compute.googleapis.com - required: false - - name: auto_create_network - description: Create the default network - type: bool - default: false - required: false - - name: billing_account - description: The ID of the billing account to associate this project with - type: string - required: true - - name: bucket_force_destroy - description: Force the deletion of all objects within the GCS bucket when deleting the bucket (optional) - type: bool - default: false - required: false - - name: bucket_labels - description: ' A map of key/value label pairs to assign to the bucket (optional)' - type: map(string) - default: {} - required: false - - name: bucket_location - description: The location for a GCS bucket to create (optional) - type: string - default: US - required: false - - name: bucket_name - description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_pap - description: Enable Public Access Prevention. Possible values are "enforced" or "inherited". 
- type: string - default: inherited - required: false - - name: bucket_project - description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_ula - description: Enable Uniform Bucket Level Access - type: bool - default: true - required: false - - name: bucket_versioning - description: Enable versioning for a GCS bucket to create (optional) - type: bool - default: false - required: false - - name: budget_alert_pubsub_topic - description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` - type: string - required: false - - name: budget_alert_spend_basis - description: The type of basis used to determine if spend has passed the threshold - type: string - default: CURRENT_SPEND - required: false - - name: budget_alert_spent_percents - description: A list of percentages of the budget to alert on when threshold is exceeded - type: list(number) - default: - - 0.5 - - 0.7 - - 1 - required: false - - name: budget_amount - description: The amount to use for a budget alert - type: number - required: false - - name: budget_calendar_period - description: Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. custom_period_start_date and custom_period_end_date must be set if CUSTOM - type: string - required: false - - name: budget_custom_period_end_date - description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM - type: string - required: false - - name: budget_custom_period_start_date - description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM - type: string - required: false - - name: budget_display_name - description: 'The display name of the budget. 
If not set defaults to `Budget For ` ' - type: string - required: false - - name: budget_labels - description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. - type: map(string) - default: {} - required: false - - name: budget_monitoring_notification_channels - description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. - type: list(string) - default: [] - required: false - - name: consumer_quotas - description: The quotas configuration you want to override for the project. - type: |- - list(object({ - service = string, - metric = string, - dimensions = map(string), - limit = string, - value = string, - })) - default: [] - required: false - - name: create_project_sa - description: Whether the default service account for the project shall be created - type: bool - default: true - required: false - - name: default_network_tier - description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. - type: string - default: "" - required: false - - name: default_service_account - description: 'Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`.' - type: string - default: disable - required: false - - name: disable_dependent_services - description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. - type: bool - default: true - required: false - - name: disable_services_on_destroy - description: Whether project services will be disabled when the resources are destroyed - type: bool - default: true - required: false - - name: domain - description: The domain name (optional). 
- type: string - default: "" - required: false - - name: enable_shared_vpc_host_project - description: If this project is a shared VPC host project. If true, you must *not* set svpc_host_project_id variable. Default is false. - type: bool - default: false - required: false - - name: essential_contacts - description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category - type: map(list(string)) - default: {} - required: false - - name: folder_id - description: The ID of a folder to host this project - type: string - default: "" - required: false - - name: grant_network_role - description: Whether or not to grant networkUser role on the host project/subnets - type: bool - default: true - required: false - - name: grant_services_security_admin_role - description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules - type: bool - default: false - required: false - - name: group_name - description: A group to control the project by being assigned group_role (defaults to project editor) - type: string - default: "" - required: false - - name: group_role - description: The role to give the controlling group (group_name) over the project (defaults to project editor) - type: string - default: roles/editor - required: false - - name: labels - description: Map of labels for project - type: map(string) - default: {} - required: false - - name: language_tag - description: Language code to be used for essential contacts notifications - type: string - default: en-US - required: false - - name: lien - description: Add a lien on the project to prevent accidental deletion - type: bool - default: false - required: false - - name: name - description: The name for the project - type: string - required: true - - name: org_id - description: The organization ID. 
- type: string - required: true - - name: project_id - description: The ID to give the project. If not provided, the `name` will be used. - type: string - default: "" - required: false - - name: project_sa_name - description: Default service account name for the project. - type: string - default: project-service-account - required: false - - name: random_project_id - description: Adds a suffix of 4 random characters to the `project_id`. - type: bool - default: false - required: false - - name: random_project_id_length - description: Sets the length of `random_project_id` to the provided length, and uses a `random_string` for a larger collusion domain. Recommended for use with CI. - type: number - required: false - - name: sa_role - description: A role to give the default Service Account for the project (defaults to none) - type: string - default: "" - required: false - - name: shared_vpc_subnets - description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) - type: list(string) - default: [] - required: false - - name: svpc_host_project_id - description: The ID of the host project which hosts the shared VPC - type: string - default: "" - required: false - - name: usage_bucket_name - description: Name of a GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - - name: usage_bucket_prefix - description: Prefix in the GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - - name: vpc_service_control_attach_enabled - description: Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true - type: bool - default: false - required: false - - name: vpc_service_control_attach_dry_run - description: Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. 
vpc_service_control_attach_enabled should be false for this to be true - type: bool - default: false - required: false - - name: vpc_service_control_perimeter_name - description: The name of a VPC Service Control Perimeter to add the created project to - type: string - required: false - - name: vpc_service_control_sleep_duration - description: The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent. - type: string - default: 5s - required: false - outputs: - - name: api_s_account - description: API service account email - - name: api_s_account_fmt - description: API service account email formatted for terraform use - - name: budget_name - description: The name of the budget if created - - name: domain - description: The organization's domain - - name: enabled_api_identities - description: Enabled API identities in the project - - name: enabled_apis - description: Enabled APIs in the project - - name: group_email - description: The email of the G Suite group with group_name - - name: project_bucket_self_link - description: Project's bucket selfLink - - name: project_bucket_url - description: Project's bucket url - - name: project_id - description: ID of the project - - name: project_name - description: Name of the project - - name: project_number - description: Numeric identifier for the project - - name: service_account_display_name - description: The display name of the default service account - - name: service_account_email - description: The email of the default service account - - name: service_account_id - description: The id of the default service account - - name: service_account_name - description: The fully-qualified name of the default service account - - name: service_account_unique_id - description: The unique id of the default service account - roles: - - level: Project + info: + title: Google Cloud Project Factory Terraform Module + 
source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + version: 17.0.0 + actuationTool: + flavor: Terraform + version: ">=0.13.0" + description: {} + content: + subBlueprints: + - name: app_engine + location: modules/app_engine + - name: budget + location: modules/budget + - name: core_project_factory + location: modules/core_project_factory + - name: essential_contacts + location: modules/essential_contacts + - name: fabric-project + location: modules/fabric-project + - name: gsuite_enabled + location: modules/gsuite_enabled + - name: gsuite_group + location: modules/gsuite_group + - name: project_services + location: modules/project_services + - name: quota_manager + location: modules/quota_manager + - name: shared_vpc_access + location: modules/shared_vpc_access + - name: svpc_service_project + location: modules/svpc_service_project + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: random_project_id + description: Adds a suffix of 4 random characters to the `project_id`. + varType: bool + defaultValue: false + - name: random_project_id_length + description: Sets the length of `random_project_id` to the provided length, and uses a `random_string` for a larger collusion domain. Recommended for use with CI. 
+ varType: number + - name: org_id + description: The organization ID. + varType: string + - name: domain + description: The domain name (optional). + varType: string + defaultValue: "" + - name: name + description: The name for the project + varType: string + required: true + - name: project_id + description: The ID to give the project. If not provided, the `name` will be used. + varType: string + defaultValue: "" + - name: svpc_host_project_id + description: The ID of the host project which hosts the shared VPC + varType: string + defaultValue: "" + - name: enable_shared_vpc_host_project + description: If this project is a shared VPC host project. If true, you must *not* set svpc_host_project_id variable. Default is false. + varType: bool + defaultValue: false + - name: billing_account + description: The ID of the billing account to associate this project with + varType: string + required: true + - name: folder_id + description: The ID of a folder to host this project + varType: string + defaultValue: "" + - name: group_name + description: A group to control the project by being assigned group_role (defaults to project editor) + varType: string + defaultValue: "" + - name: group_role + description: The role to give the controlling group (group_name) over the project (defaults to project editor) + varType: string + defaultValue: roles/editor + - name: create_project_sa + description: Whether the default service account for the project shall be created + varType: bool + defaultValue: true + - name: project_sa_name + description: Default service account name for the project. 
+ varType: string + defaultValue: project-service-account + - name: sa_role + description: A role to give the default Service Account for the project (defaults to none) + varType: string + defaultValue: "" + - name: activate_apis + description: The list of apis to activate within the project + varType: list(string) + defaultValue: + - compute.googleapis.com + - name: activate_api_identities + description: " The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).\n APIs in this list will automatically be appended to `activate_apis`.\n Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).\n Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.\n" + varType: |- + list(object({ + api = string + roles = list(string) + })) + defaultValue: [] + - name: usage_bucket_name + description: Name of a GCS bucket to store GCE usage reports in (optional) + varType: string + defaultValue: "" + - name: usage_bucket_prefix + description: Prefix in the GCS bucket to store GCE usage reports in (optional) + varType: string + defaultValue: "" + - name: shared_vpc_subnets + description: List of subnets fully qualified subnet IDs (ie. 
projects/$project_id/regions/$region/subnetworks/$subnet_id) + varType: list(string) + defaultValue: [] + - name: labels + description: Map of labels for project + varType: map(string) + defaultValue: {} + - name: bucket_project + description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_name + description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_location + description: The location for a GCS bucket to create (optional) + varType: string + defaultValue: US + - name: bucket_versioning + description: Enable versioning for a GCS bucket to create (optional) + varType: bool + defaultValue: false + - name: bucket_labels + description: " A map of key/value label pairs to assign to the bucket (optional)" + varType: map(string) + defaultValue: {} + - name: bucket_force_destroy + description: Force the deletion of all objects within the GCS bucket when deleting the bucket (optional) + varType: bool + defaultValue: false + - name: bucket_ula + description: Enable Uniform Bucket Level Access + varType: bool + defaultValue: true + - name: bucket_pap + description: Enable Public Access Prevention. Possible values are "enforced" or "inherited". + varType: string + defaultValue: inherited + - name: auto_create_network + description: Create the default network + varType: bool + defaultValue: false + - name: lien + description: Add a lien on the project to prevent accidental deletion + varType: bool + defaultValue: false + - name: disable_services_on_destroy + description: Whether project services will be disabled when the resources are destroyed + varType: bool + defaultValue: true + - name: default_service_account + description: "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`." 
+ varType: string + defaultValue: disable + - name: disable_dependent_services + description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. + varType: bool + defaultValue: true + - name: budget_amount + description: The amount to use for a budget alert + varType: number + - name: budget_display_name + description: "The display name of the budget. If not set defaults to `Budget For ` " + varType: string + - name: budget_alert_pubsub_topic + description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` + varType: string + - name: budget_monitoring_notification_channels + description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. + varType: list(string) + defaultValue: [] + - name: budget_alert_spent_percents + description: A list of percentages of the budget to alert on when threshold is exceeded + varType: list(number) + defaultValue: + - 0.5 + - 0.7 + - 1 + - name: budget_alert_spend_basis + description: The type of basis used to determine if spend has passed the threshold + varType: string + defaultValue: CURRENT_SPEND + - name: budget_labels + description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. + varType: map(string) + defaultValue: {} + - name: budget_calendar_period + description: Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. 
custom_period_start_date and custom_period_end_date must be set if CUSTOM + varType: string + - name: budget_custom_period_start_date + description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM + varType: string + - name: budget_custom_period_end_date + description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM + varType: string + - name: vpc_service_control_attach_enabled + description: Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true + varType: bool + defaultValue: false + - name: vpc_service_control_attach_dry_run + description: Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true + varType: bool + defaultValue: false + - name: vpc_service_control_perimeter_name + description: The name of a VPC Service Control Perimeter to add the created project to + varType: string + - name: vpc_service_control_sleep_duration + description: The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent. + varType: string + defaultValue: 5s + - name: grant_services_security_admin_role + description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules + varType: bool + defaultValue: false + - name: grant_network_role + description: Whether or not to grant networkUser role on the host project/subnets + varType: bool + defaultValue: true + - name: consumer_quotas + description: The quotas configuration you want to override for the project. 
+ varType: |- + list(object({ + service = string, + metric = string, + dimensions = map(string), + limit = string, + value = string, + })) + defaultValue: [] + - name: default_network_tier + description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. + varType: string + defaultValue: "" + - name: essential_contacts + description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category + varType: map(list(string)) + defaultValue: {} + - name: language_tag + description: Language code to be used for essential contacts notifications + varType: string + defaultValue: en-US + - name: tag_binding_values + description: Tag values to bind the project to. + varType: list(string) + defaultValue: [] + - name: cloud_armor_tier + description: "Managed protection tier to be set. Possible values are: CA_STANDARD, CA_ENTERPRISE_PAYGO" + varType: string + - name: deletion_policy + description: The deletion policy for the project. 
+ varType: string + defaultValue: PREVENT + outputs: + - name: api_s_account + description: API service account email + - name: api_s_account_fmt + description: API service account email formatted for terraform use + - name: budget_name + description: The name of the budget if created + - name: domain + description: The organization's domain + - name: enabled_api_identities + description: Enabled API identities in the project + - name: enabled_apis + description: Enabled APIs in the project + - name: group_email + description: The email of the G Suite group with group_name + - name: project_bucket_self_link + description: Project's bucket selfLink + - name: project_bucket_url + description: Project's bucket url + - name: project_id + description: ID of the project + - name: project_name + description: Name of the project + - name: project_number + description: Numeric identifier for the project + - name: service_account_display_name + description: The display name of the default service account + - name: service_account_email + description: The email of the default service account + - name: service_account_id + description: The id of the default service account + - name: service_account_name + description: The fully-qualified name of the default service account + - name: service_account_unique_id + description: The unique id of the default service account + - name: tag_bindings + description: Tag bindings + - name: usage_report_export_bucket + description: GCE usage reports bucket + requirements: roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - 
roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 5.41, < 7" + - source: hashicorp/google-beta + version: ">= 5.41, < 7" diff --git a/modules/budget/metadata.display.yaml b/modules/budget/metadata.display.yaml new file mode 100644 index 00000000..8cc8df0e --- /dev/null +++ b/modules/budget/metadata.display.yaml 
@@ -0,0 +1,75 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-project-factory-display
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Budget configuration for a project
+ source:
+ repo: https://github.com/q2w/terraform-google-project-factory.git
+ sourceType: git
+ dir: /modules/budget
+ ui:
+ input:
+ variables:
+ alert_pubsub_topic:
+ name: alert_pubsub_topic
+ title: Alert Pubsub Topic
+ alert_spend_basis:
+ name: alert_spend_basis
+ title: Alert Spend Basis
+ alert_spent_percents:
+ name: alert_spent_percents
+ title: Alert Spent Percents
+ amount:
+ name: amount
+ title: Amount
+ billing_account:
+ name: billing_account
+ title: Billing Account
+ calendar_period:
+ name: calendar_period
+ title: Calendar Period
+ create_budget:
+ name: create_budget
+ title: Create Budget
+ credit_types_treatment:
+ name: credit_types_treatment
+ title: Credit Types Treatment
+ custom_period_end_date:
+ name: custom_period_end_date
+ title: Custom Period End Date
+ custom_period_start_date:
+ name: custom_period_start_date
+ title: Custom Period Start Date
+ display_name:
+ name: display_name
+ title: Display Name
+ labels:
+ name: labels
+ title: Labels
+ monitoring_notification_channels:
+ name: monitoring_notification_channels
+ title: Monitoring Notification Channels
+ projects:
+ name: projects
+
title: Projects
+ services:
+ name: services
+ title: Services
diff --git a/modules/budget/metadata.yaml b/modules/budget/metadata.yaml
index a45a3c9c..9acbf667 100644
--- a/modules/budget/metadata.yaml
+++ b/modules/budget/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
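Review bot: `source.repo` in this new display file points at `https://github.com/q2w/terraform-google-project-factory.git`, a personal fork, while the removed lines in the `modules/budget/metadata.yaml` hunk below still show the canonical `https://github.com/terraform-google-modules/terraform-google-project-factory.git`; anything that resolves the blueprint source from this metadata would be sent to the fork, so it should read `repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git` before merge. The same fork URL is on the new side of every other hunk in this chunk (`modules/budget/metadata.yaml`, `modules/essential_contacts/metadata.display.yaml`, `modules/essential_contacts/metadata.yaml`, `modules/fabric-project/metadata.display.yaml`), so the fix is a repo-wide search-and-replace, not a one-off. Separately, `metadata.name` is `terraform-google-project-factory-display` here and in the essential_contacts and fabric-project display files, so the three documents cannot be told apart by name; if the module metadata files carry module-specific names (not visible in this chunk), the display files should follow the same scheme, for example `name: terraform-google-project-factory-budget-display` (constructed example).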
@@ -19,144 +19,145 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Budget configuration for a project - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 17.0.0 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: alert_pubsub_topic - description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` - type: string - required: false - - name: alert_spend_basis - description: The type of basis used to determine if spend has passed the threshold - type: string - default: CURRENT_SPEND - required: false - - name: alert_spent_percents - description: A list of percentages of the budget to alert on when threshold is exceeded - type: list(number) - default: - - 0.5 - - 0.7 - - 1 - required: false - - name: amount - description: The amount to use as the budget - type: number - required: true - - name: billing_account - description: ID of the billing account to set a budget on - type: string - required: true - - name: calendar_period - description: Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. 
custom_period_start_date and custom_period_end_date must be set if CUSTOM - type: string - required: false - - name: create_budget - description: If the budget should be created - type: bool - default: true - required: false - - name: credit_types_treatment - description: Specifies how credits should be treated when determining spend for threshold calculations - type: string - default: INCLUDE_ALL_CREDITS - required: false - - name: custom_period_end_date - description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM - type: string - required: false - - name: custom_period_start_date - description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM - type: string - required: false - - name: display_name - description: 'The display name of the budget. If not set defaults to `Budget For ` ' - type: string - required: false - - name: labels - description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. - type: map(string) - default: {} - required: false - - name: monitoring_notification_channels - description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. - type: list(string) - default: [] - required: false - - name: projects - description: The project ids to include in this budget. If empty budget will include all projects - type: list(string) - required: true - - name: services - description: A list of services ids to be included in the budget. If omitted, all services will be included in the budget. Service ids can be found at https://cloud.google.com/skus/ - type: list(string) - required: false - outputs: - - name: name - description: Resource name of the budget. 
Values are of the form `billingAccounts/{billingAccountId}/budgets/{budgetId}.` - roles: - - level: Project + info: + title: Budget configuration for a project + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/budget + version: 17.0.0 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: billing_account + description: ID of the billing account to set a budget on + varType: string + required: true + - name: projects + description: The project ids to include in this budget. If empty budget will include all projects + varType: list(string) + required: true + - name: amount + description: The amount to use as the budget + varType: number + required: true + - name: create_budget + description: If the budget should be created + varType: bool + defaultValue: true + - name: display_name + description: "The display name of the budget. 
If not set defaults to `Budget For ` " + varType: string + - name: credit_types_treatment + description: Specifies how credits should be treated when determining spend for threshold calculations + varType: string + defaultValue: INCLUDE_ALL_CREDITS + - name: services + description: A list of services ids to be included in the budget. If omitted, all services will be included in the budget. Service ids can be found at https://cloud.google.com/skus/ + varType: list(string) + - name: calendar_period + description: Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. custom_period_start_date and custom_period_end_date must be set if CUSTOM + varType: string + - name: custom_period_start_date + description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM + varType: string + - name: custom_period_end_date + description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM + varType: string + - name: alert_spent_percents + description: A list of percentages of the budget to alert on when threshold is exceeded + varType: list(number) + defaultValue: + - 0.5 + - 0.7 + - 1 + - name: alert_spend_basis + description: The type of basis used to determine if spend has passed the threshold + varType: string + defaultValue: CURRENT_SPEND + - name: alert_pubsub_topic + description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` + varType: string + - name: monitoring_notification_channels + description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. + varType: list(string) + defaultValue: [] + - name: labels + description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. 
+ varType: map(string) + defaultValue: {} + outputs: + - name: name + description: Resource name of the budget. Values are of the form `billingAccounts/{billingAccountId}/budgets/{budgetId}.` + requirements: roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - 
cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.28, < 7" diff --git a/modules/essential_contacts/metadata.display.yaml b/modules/essential_contacts/metadata.display.yaml new file mode 100644 index 00000000..94f7fba1 --- /dev/null +++ b/modules/essential_contacts/metadata.display.yaml @@ -0,0 +1,39 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-project-factory-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Essential Contacts configuration + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/essential_contacts + ui: + input: + variables: + essential_contacts: + name: essential_contacts + title: Essential Contacts + language_tag: + name: language_tag + title: Language Tag + project_id: + name: project_id + title: Project Id diff --git a/modules/essential_contacts/metadata.yaml b/modules/essential_contacts/metadata.yaml index c1e2dda6..520e805e 100644 
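Review bot: The new `roles/resourcemanager.tagAdmin` and `roles/resourcemanager.tagUser` entries join a block labelled `level: Project` together with `roles/accesscontextmanager.policyAdmin` and `roles/resourcemanager.organizationViewer`, roles that are normally bound at organization scope; if the test setup grants them on the organization, the `level` of that block should say so, otherwise a reader following these requirements will bind them at the wrong scope. The same block appears in the `modules/essential_contacts/metadata.yaml` hunk below. `description: {}` under `info` is an empty placeholder; either populate it from the module README or drop the key so the generated metadata does not carry a no-op field.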
--- a/modules/essential_contacts/metadata.yaml
+++ b/modules/essential_contacts/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,90 +19,104 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Essential Contacts configuration - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 17.0.0 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: essential_contacts - description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category - type: map(list(string)) - default: {} - required: false - - name: language_tag - description: Language code to be used for essential contacts notifiactions - type: string - required: true - - name: project_id - description: The GCP project you want to send Essential Contacts notifications for - type: string - required: true - outputs: - - name: essential_contacts - description: Essential Contact resources created - - name: project_id - description: The GCP project you want to enable APIs on - roles: - - level: Project + info: + title: Essential Contacts configuration + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/essential_contacts + version: 17.0.0 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + 
examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: project_id + description: The GCP project you want to send Essential Contacts notifications for + varType: string + required: true + - name: essential_contacts + description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category + varType: map(list(string)) + defaultValue: {} + - name: language_tag + description: Language code to be used for essential contacts notifiactions + varType: string + required: true + outputs: + - name: essential_contacts + description: Essential Contact resources created + - name: project_id + description: The GCP project you want to enable APIs on + requirements: roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - level: Project - roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - services: 
- - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 3.43, < 7" + - source: hashicorp/google-beta + version: ">= 3.43, < 7" diff --git a/modules/fabric-project/metadata.display.yaml b/modules/fabric-project/metadata.display.yaml new file mode 100644 index 00000000..e1c5f239 --- /dev/null +++ b/modules/fabric-project/metadata.display.yaml 
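Review bot: Two descriptions on the new side carry wording that does not fit this module: the `language_tag` variable says `essential contacts notifiactions` (typo for `notifications`), and the `project_id` output is described as `The GCP project you want to enable APIs on`, which is the project_services module's text rather than this one's — `The GCP project the Essential Contacts were configured for` would match the variable description above it. Both strings are also on the removed side, so they are carried over rather than introduced here, but this rewrite is the natural point to correct them. If the file is regenerated from `variables.tf` and `outputs.tf` by the metadata tooling, the correction belongs in those source descriptions first, or the next regeneration will revert it.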
@@ -0,0 +1,87 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-project-factory-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Google Cloud Simple Project Creation + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/fabric-project + ui: + input: + variables: + activate_apis: + name: activate_apis + title: Activate Apis + auto_create_network: + name: auto_create_network + title: Auto Create Network + billing_account: + name: billing_account + title: Billing Account + custom_roles: + name: custom_roles + title: Custom Roles + deletion_policy: + name: deletion_policy + title: Deletion Policy + editors: + name: editors + title: Editors + extra_bindings_members: + name: extra_bindings_members + title: Extra Bindings Members + extra_bindings_roles: + name: extra_bindings_roles + title: Extra Bindings Roles + gce_service_account_roles: + name: gce_service_account_roles + title: Gce Service Account Roles + labels: + name: labels + title: Labels + lien_reason: + name: lien_reason + title: Lien Reason + name: + name: name + title: Name + oslogin: + name: oslogin + title: Oslogin + oslogin_admins: + name: oslogin_admins + title: Oslogin Admins + oslogin_users: + name: oslogin_users + title: Oslogin Users + owners: + name: owners + title: 
Owners
+ parent:
+ name: parent
+ title: Parent
+ prefix:
+ name: prefix
+ title: Prefix
+ viewers:
+ name: viewers
+ title: Viewers
diff --git a/modules/fabric-project/metadata.yaml b/modules/fabric-project/metadata.yaml
index f74208b3..9074a01d 100644
--- a/modules/fabric-project/metadata.yaml
+++ b/modules/fabric-project/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,174 +19,176 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud Simple Project Creation - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 17.0.0 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: activate_apis - description: Service APIs to enable. - type: list(string) - default: [] - required: false - - name: auto_create_network - description: Whether to create the default network for the project - type: bool - default: false - required: false - - name: billing_account - description: Billing account id. - type: string - default: "" - required: false - - name: custom_roles - description: Map of role name => comma-delimited list of permissions to create in this project. - type: map(string) - default: {} - required: false - - name: editors - description: Optional list of IAM-format members to set as project editor. - type: list(string) - default: [] - required: false - - name: extra_bindings_members - description: List of comma-delimited IAM-format members for additional IAM bindings, one item per role. 
- type: list(string) - default: [] - required: false - - name: extra_bindings_roles - description: List of roles for additional IAM bindings, pair with members list below. - type: list(string) - default: [] - required: false - - name: gce_service_account_roles - description: List of project id=>role to assign to the default GCE service account. - type: list(string) - default: [] - required: false - - name: labels - description: Resource labels. - type: map(string) - default: {} - required: false - - name: lien_reason - description: If non-empty, creates a project lien with this description. - type: string - default: "" - required: false - - name: name - description: Project name and id suffix. - type: string - required: true - - name: oslogin - description: Enable oslogin. - type: bool - default: false - required: false - - name: oslogin_admins - description: List of IAM-format members that will get OS Login admin role. - type: list(string) - default: [] - required: false - - name: oslogin_users - description: List of IAM-format members that will get OS Login user role. - type: list(string) - default: [] - required: false - - name: owners - description: Optional list of IAM-format members to set as project owners. - type: list(string) - default: [] - required: false - - name: parent - description: The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. - type: string - required: true - - name: prefix - description: Prefix used to generate project id and name. - type: string - required: true - - name: viewers - description: Optional list of IAM-format members to set as project viewers. - type: list(string) - default: [] - required: false - outputs: - - name: cloudsvc_service_account - description: Cloud services service account (depends on services). - - name: custom_roles - description: Ids of the created custom roles. 
- - name: gce_service_account - description: Default GCE service account (depends on services). - - name: gke_service_account - description: Default GKE service account (depends on services). - - name: name - description: Name (depends on services). - - name: number - description: Project number (depends on services). - - name: project_id - description: Project id (depends on services). - roles: - - level: Project + info: + title: Google Cloud Simple Project Creation + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/fabric-project + version: 17.0.0 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: parent + description: The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. + varType: string + required: true + - name: prefix + description: Prefix used to generate project id and name. + varType: string + required: true + - name: name + description: Project name and id suffix. + varType: string + required: true + - name: billing_account + description: Billing account id. 
+ varType: string + defaultValue: "" + - name: activate_apis + description: Service APIs to enable. + varType: list(string) + defaultValue: [] + - name: owners + description: Optional list of IAM-format members to set as project owners. + varType: list(string) + defaultValue: [] + - name: editors + description: Optional list of IAM-format members to set as project editor. + varType: list(string) + defaultValue: [] + - name: viewers + description: Optional list of IAM-format members to set as project viewers. + varType: list(string) + defaultValue: [] + - name: lien_reason + description: If non-empty, creates a project lien with this description. + varType: string + defaultValue: "" + - name: oslogin + description: Enable oslogin. + varType: bool + defaultValue: false + - name: oslogin_admins + description: List of IAM-format members that will get OS Login admin role. + varType: list(string) + defaultValue: [] + - name: oslogin_users + description: List of IAM-format members that will get OS Login user role. + varType: list(string) + defaultValue: [] + - name: extra_bindings_roles + description: List of roles for additional IAM bindings, pair with members list below. + varType: list(string) + defaultValue: [] + - name: extra_bindings_members + description: List of comma-delimited IAM-format members for additional IAM bindings, one item per role. + varType: list(string) + defaultValue: [] + - name: auto_create_network + description: Whether to create the default network for the project + varType: bool + defaultValue: false + - name: custom_roles + description: Map of role name => comma-delimited list of permissions to create in this project. + varType: map(string) + defaultValue: {} + - name: gce_service_account_roles + description: List of project id=>role to assign to the default GCE service account. + varType: list(string) + defaultValue: [] + - name: labels + description: Resource labels. 
+ varType: map(string) + defaultValue: {} + - name: deletion_policy + description: The deletion policy for the project. + varType: string + defaultValue: PREVENT + outputs: + - name: cloudsvc_service_account + description: Cloud services service account (depends on services). + - name: custom_roles + description: Ids of the created custom roles. + - name: gce_service_account + description: Default GCE service account (depends on services). + - name: gke_service_account + description: Default GKE service account (depends on services). + - name: name + description: Name (depends on services). + - name: number + description: Project number (depends on services). + - name: project_id + description: Project id (depends on services). + requirements: roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - level: Project - roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: + - roles/owner 
+ - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 5.41, < 7" diff --git a/modules/gsuite_enabled/metadata.display.yaml b/modules/gsuite_enabled/metadata.display.yaml new file mode 100644 index 00000000..f05c539c --- /dev/null +++ b/modules/gsuite_enabled/metadata.display.yaml 
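Review bot: The new `deletion_policy` entry documents only `The deletion policy for the project.` although its `defaultValue: PREVENT` is the one setting that decides what `terraform destroy` does to the project. The description should say that the default makes a destroy fail instead of deleting the project, and list the accepted values; if the value is passed straight through to `google_project.deletion_policy` those are `PREVENT`, `DELETE` and `ABANDON`, which should be confirmed against the module's variables.tf. Since this file appears to be generated from the module's variable descriptions, fix the wording in variables.tf and regenerate rather than editing here. Suggested text: `The deletion policy for the project. PREVENT (default) makes destroy fail rather than delete the project; DELETE deletes it; ABANDON removes it from state without deleting it.`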
@@ -0,0 +1,144 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-project-factory-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Google Cloud Project Factory with G Suite Terraform Module + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/gsuite_enabled + ui: + input: + variables: + activate_apis: + name: activate_apis + title: Activate Apis + api_sa_group: + name: api_sa_group + title: Api Sa Group + auto_create_network: + name: auto_create_network + title: Auto Create Network + billing_account: + name: billing_account + title: Billing Account + bucket_location: + name: bucket_location + title: Bucket Location + bucket_name: + name: bucket_name + title: Bucket Name + bucket_project: + name: bucket_project + title: Bucket Project + bucket_versioning: + name: bucket_versioning + title: Bucket Versioning + budget_alert_pubsub_topic: + name: budget_alert_pubsub_topic + title: Budget Alert Pubsub Topic + budget_alert_spent_percents: + name: budget_alert_spent_percents + title: Budget Alert Spent Percents + budget_amount: + name: budget_amount + title: Budget Amount + budget_monitoring_notification_channels: + name: budget_monitoring_notification_channels + title: Budget Monitoring Notification Channels + consumer_quotas: + name: 
consumer_quotas + title: Consumer Quotas + create_group: + name: create_group + title: Create Group + create_project_sa: + name: create_project_sa + title: Create Project Sa + default_network_tier: + name: default_network_tier + title: Default Network Tier + default_service_account: + name: default_service_account + title: Default Service Account + disable_dependent_services: + name: disable_dependent_services + title: Disable Dependent Services + disable_services_on_destroy: + name: disable_services_on_destroy + title: Disable Services On Destroy + domain: + name: domain + title: Domain + enable_shared_vpc_host_project: + name: enable_shared_vpc_host_project + title: Enable Shared Vpc Host Project + enable_shared_vpc_service_project: + name: enable_shared_vpc_service_project + title: Enable Shared Vpc Service Project + folder_id: + name: folder_id + title: Folder Id + group_name: + name: group_name + title: Group Name + group_role: + name: group_role + title: Group Role + labels: + name: labels + title: Labels + lien: + name: lien + title: Lien + name: + name: name + title: Name + org_id: + name: org_id + title: Org Id + project_id: + name: project_id + title: Project Id + project_sa_name: + name: project_sa_name + title: Project Sa Name + random_project_id: + name: random_project_id + title: Random Project Id + sa_group: + name: sa_group + title: Sa Group + sa_role: + name: sa_role + title: Sa Role + shared_vpc: + name: shared_vpc + title: Shared Vpc + shared_vpc_subnets: + name: shared_vpc_subnets + title: Shared Vpc Subnets + usage_bucket_name: + name: usage_bucket_name + title: Usage Bucket Name + usage_bucket_prefix: + name: usage_bucket_prefix + title: Usage Bucket Prefix diff --git a/modules/gsuite_enabled/metadata.yaml b/modules/gsuite_enabled/metadata.yaml index b37a93db..42ed7e36 100644 --- a/modules/gsuite_enabled/metadata.yaml +++ b/modules/gsuite_enabled/metadata.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,295 +19,277 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud Project Factory with G Suite Terraform Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 17.0.0 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: activate_apis - description: The list of apis to activate within the project - type: list(string) - default: - - compute.googleapis.com - required: false - - name: api_sa_group - description: A G Suite group to place the Google APIs Service Account for the project in - type: string - default: "" - required: false - - name: auto_create_network - description: Create the default network - type: bool - default: false - required: false - - name: billing_account - description: The ID of the billing account to associate this project with - type: string - required: true - - name: bucket_location - description: The location for a GCS bucket to create (optional) - type: string - default: "" - required: false - - name: bucket_name - description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_project - description: A 
project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_versioning - description: Enable versioning for a GCS bucket to create (optional) - type: bool - default: false - required: false - - name: budget_alert_pubsub_topic - description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` - type: string - required: false - - name: budget_alert_spent_percents - description: A list of percentages of the budget to alert on when threshold is exceeded - type: list(number) - default: - - 0.5 - - 0.7 - - 1 - required: false - - name: budget_amount - description: The amount to use for a budget alert - type: number - required: false - - name: budget_monitoring_notification_channels - description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. - type: list(string) - default: [] - required: false - - name: consumer_quotas - description: The quotas configuration you want to override for the project. - type: |- - list(object({ - service = string, - metric = string, - dimensions = any, - limit = string, - value = string, - })) - default: [] - required: false - - name: create_group - description: Whether to create the group or not - type: bool - default: false - required: false - - name: create_project_sa - description: Whether the default service account for the project shall be created - type: bool - default: true - required: false - - name: default_network_tier - description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. 
- type: string - default: "" - required: false - - name: default_service_account - description: 'Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`.' - type: string - default: disable - required: false - - name: disable_dependent_services - description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. - type: bool - default: true - required: false - - name: disable_services_on_destroy - description: Whether project services will be disabled when the resources are destroyed - type: bool - default: true - required: false - - name: domain - description: The domain name (optional). - type: string - default: "" - required: false - - name: enable_shared_vpc_host_project - description: If this project is a shared VPC host project. If true, you must *not* set shared_vpc variable. Default is false. - type: bool - default: false - required: false - - name: enable_shared_vpc_service_project - description: If shared VPC should be used - type: bool - default: false - required: false - - name: folder_id - description: The ID of a folder to host this project - type: string - default: "" - required: false - - name: group_name - description: A group to control the project by being assigned group_role - defaults to ${project_name}-editors - type: string - default: "" - required: false - - name: group_role - description: The role to give the controlling group (group_name) over the project (defaults to project editor) - type: string - default: roles/editor - required: false - - name: labels - description: Map of labels for project - type: map(string) - default: {} - required: false - - name: lien - description: Add a lien on the project to prevent accidental deletion - type: bool - default: false - required: false - - name: name - description: The name for the project - type: string - required: true - - name: org_id - description: The organization ID. 
- type: string - required: true - - name: project_id - description: The ID to give the project. If not provided, the `name` will be used. - type: string - default: "" - required: false - - name: project_sa_name - description: Default service account name for the project. - type: string - default: project-service-account - required: false - - name: random_project_id - description: Adds a suffix of 4 random characters to the `project_id` - type: bool - default: false - required: false - - name: sa_group - description: A G Suite group to place the default Service Account for the project in - type: string - default: "" - required: false - - name: sa_role - description: A role to give the default Service Account for the project (defaults to none) - type: string - default: "" - required: false - - name: shared_vpc - description: The ID of the host project which hosts the shared VPC - type: string - default: "" - required: false - - name: shared_vpc_subnets - description: List of subnets fully qualified subnet IDs (ie. 
projects/$project_id/regions/$region/subnetworks/$subnet_id) - type: list(string) - default: [] - required: false - - name: usage_bucket_name - description: Name of a GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - - name: usage_bucket_prefix - description: Prefix in the GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - outputs: - - name: domain - description: The organization's domain - - name: group_email - description: The email of the created G Suite group with group_name - - name: group_name - description: The group_name of the G Suite group - - name: project_bucket_self_link - description: Project's bucket selfLink - - name: project_bucket_url - description: Project's bucket url - - name: project_id - description: ID of the project - - name: project_name - description: Name of the project - - name: project_number - description: Numeric identifier for the project - - name: service_account_display_name - description: The display name of the default service account - - name: service_account_email - description: The email of the default service account - - name: service_account_id - description: The id of the default service account - - name: service_account_name - description: The fully-qualified name of the default service account - - name: service_account_unique_id - description: The unique id of the default service account - roles: - - level: Project + info: + title: Google Cloud Project Factory with G Suite Terraform Module + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/gsuite_enabled + version: 17.0.0 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: 
fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: lien + description: Add a lien on the project to prevent accidental deletion + varType: bool + defaultValue: false + - name: random_project_id + description: Adds a suffix of 4 random characters to the `project_id` + varType: bool + defaultValue: false + - name: org_id + description: The organization ID. + varType: string + required: true + - name: domain + description: The domain name (optional). + varType: string + defaultValue: "" + - name: name + description: The name for the project + varType: string + required: true + - name: project_id + description: The ID to give the project. If not provided, the `name` will be used. 
+ varType: string + defaultValue: "" + - name: shared_vpc + description: The ID of the host project which hosts the shared VPC + varType: string + defaultValue: "" + - name: billing_account + description: The ID of the billing account to associate this project with + varType: string + required: true + - name: folder_id + description: The ID of a folder to host this project + varType: string + defaultValue: "" + - name: group_name + description: A group to control the project by being assigned group_role - defaults to ${project_name}-editors + varType: string + defaultValue: "" + - name: create_group + description: Whether to create the group or not + varType: bool + defaultValue: false + - name: group_role + description: The role to give the controlling group (group_name) over the project (defaults to project editor) + varType: string + defaultValue: roles/editor + - name: sa_group + description: A G Suite group to place the default Service Account for the project in + varType: string + defaultValue: "" + - name: create_project_sa + description: Whether the default service account for the project shall be created + varType: bool + defaultValue: true + - name: project_sa_name + description: Default service account name for the project. + varType: string + defaultValue: project-service-account + - name: sa_role + description: A role to give the default Service Account for the project (defaults to none) + varType: string + defaultValue: "" + - name: activate_apis + description: The list of apis to activate within the project + varType: list(string) + defaultValue: + - compute.googleapis.com + - name: usage_bucket_name + description: Name of a GCS bucket to store GCE usage reports in (optional) + varType: string + defaultValue: "" + - name: usage_bucket_prefix + description: Prefix in the GCS bucket to store GCE usage reports in (optional) + varType: string + defaultValue: "" + - name: shared_vpc_subnets + description: List of subnets fully qualified subnet IDs (ie. 
projects/$project_id/regions/$region/subnetworks/$subnet_id) + varType: list(string) + defaultValue: [] + - name: labels + description: Map of labels for project + varType: map(string) + defaultValue: {} + - name: bucket_project + description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_name + description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_location + description: The location for a GCS bucket to create (optional) + varType: string + defaultValue: "" + - name: bucket_versioning + description: Enable versioning for a GCS bucket to create (optional) + varType: bool + defaultValue: false + - name: api_sa_group + description: A G Suite group to place the Google APIs Service Account for the project in + varType: string + defaultValue: "" + - name: auto_create_network + description: Create the default network + varType: bool + defaultValue: false + - name: disable_services_on_destroy + description: Whether project services will be disabled when the resources are destroyed + varType: bool + defaultValue: true + - name: default_service_account + description: "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`." + varType: string + defaultValue: disable + - name: disable_dependent_services + description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. + varType: bool + defaultValue: true + - name: enable_shared_vpc_service_project + description: If shared VPC should be used + varType: bool + defaultValue: false + - name: enable_shared_vpc_host_project + description: If this project is a shared VPC host project. If true, you must *not* set shared_vpc variable. Default is false. 
+ varType: bool + defaultValue: false + - name: budget_amount + description: The amount to use for a budget alert + varType: number + - name: budget_alert_pubsub_topic + description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` + varType: string + - name: budget_monitoring_notification_channels + description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. + varType: list(string) + defaultValue: [] + - name: budget_alert_spent_percents + description: A list of percentages of the budget to alert on when threshold is exceeded + varType: list(number) + defaultValue: + - 0.5 + - 0.7 + - 1 + - name: consumer_quotas + description: The quotas configuration you want to override for the project. + varType: |- + list(object({ + service = string, + metric = string, + dimensions = any, + limit = string, + value = string, + })) + defaultValue: [] + - name: default_network_tier + description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. 
+ varType: string + defaultValue: "" + outputs: + - name: domain + description: The organization's domain + - name: group_email + description: The email of the created G Suite group with group_name + - name: group_name + description: The group_name of the G Suite group + - name: project_bucket_self_link + description: Project's bucket selfLink + - name: project_bucket_url + description: Project's bucket url + - name: project_id + description: ID of the project + - name: project_name + description: Name of the project + - name: project_number + description: Numeric identifier for the project + - name: service_account_display_name + description: The display name of the default service account + - name: service_account_email + description: The email of the default service account + - name: service_account_id + description: The id of the default service account + - name: service_account_name + description: The fully-qualified name of the default service account + - name: service_account_unique_id + description: The unique id of the default service account + requirements: roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - level: Project - roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - 
accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: DeviaVir/gsuite + version: ~> 0.1 + - source: hashicorp/google + version: ">= 4.11, < 7" + - source: hashicorp/google-beta + version: ">= 4.11, < 7" diff --git a/modules/project_services/metadata.display.yaml b/modules/project_services/metadata.display.yaml new file mode 100644 index 00000000..3b7bccca --- /dev/null +++ b/modules/project_services/metadata.display.yaml 
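Review bot: `version: ~> 0.1` for the `DeviaVir/gsuite` provider is the only unquoted constraint in `providerVersions`; the two `hashicorp/google*` entries and `actuationTool.version` use `">= 4.11, < 7"` style quoting, so write `version: "~> 0.1"` for consistency and so that a later edit leaving a bare `~` at the start of the value is not read as null. In the same hunk `budget_amount` and `budget_alert_pubsub_topic` lose their old `required: false` and gain no `defaultValue`, unlike every other optional variable here, which has one; if the new schema treats an omitted `required` as optional this is fine, but it is worth confirming so that a UI generated from this file does not force a budget on every deployment.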
@@ -0,0 +1,52 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-project-factory-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Project API Activation + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/project_services + ui: + input: + variables: + activate_api_identities: + name: activate_api_identities + title: Activate Api Identities + activate_apis: + name: activate_apis + title: Activate Apis + altDefaults: + - type: ALTERNATE_TYPE_DC + value: + - aiplatform.googleapis.com + disable_dependent_services: + name: disable_dependent_services + title: Disable Dependent Services + disable_services_on_destroy: + name: disable_services_on_destroy + title: Disable Services On Destroy + enable_apis: + name: enable_apis + title: Enable Apis + project_id: + name: project_id + title: Project Id diff --git a/modules/project_services/metadata.yaml b/modules/project_services/metadata.yaml index e248f2c5..20cf3b98 100644 --- a/modules/project_services/metadata.yaml +++ b/modules/project_services/metadata.yaml 
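Review bot: `source.repo` in this new display file is `https://github.com/q2w/terraform-google-project-factory.git`, which looks like a personal fork, while the old side of the sibling metadata.yaml hunks (e.g. `@@ -19,116 +19,122 @@` for project_services) pointed at `terraform-google-modules/terraform-google-project-factory.git`. Blueprint metadata is what catalog and deployment tooling uses to locate and fetch the module source, so if this change is intended for the upstream repository the canonical org URL should be kept; the same fork URL appears in every other display and metadata hunk in this change (quota_manager, shared_vpc_access, svpc_service_project). `metadata.name` is also `terraform-google-project-factory-display` here, identical to the root display file and to each submodule's, so the documents cannot be told apart by name; a module-specific value such as `terraform-google-project-factory-project-services-display` would be unambiguous.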
@@ -19,116 +19,122 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Project API Activation - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 17.0.0 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: activate_api_identities - description: |2 - The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles). - APIs in this list will automatically be appended to `activate_apis`. - Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created). - Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles. 
- type: |- - list(object({ - api = string - roles = list(string) - })) - default: [] - required: false - - name: activate_apis - description: The list of apis to activate within the project - type: list(string) - default: [] - required: false - - name: disable_dependent_services - description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_dependent_services - type: bool - default: true - required: false - - name: disable_services_on_destroy - description: Whether project services will be disabled when the resources are destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_on_destroy - type: bool - default: true - required: false - - name: enable_apis - description: Whether to actually enable the APIs. If false, this module is a no-op. - type: bool - default: true - required: false - - name: project_id - description: The GCP project you want to enable APIs on - type: string - required: true - outputs: - - name: enabled_api_identities - description: Enabled API identities in the project - - name: enabled_apis - description: Enabled APIs in the project - - name: project_id - description: The GCP project you want to enable APIs on - roles: - - level: Project + info: + title: Project API Activation + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/project_services + version: 17.0.0 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + 
location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: project_id + description: The GCP project you want to enable APIs on + varType: string + required: true + - name: enable_apis + description: Whether to actually enable the APIs. If false, this module is a no-op. + varType: bool + defaultValue: true + - name: activate_apis + description: The list of apis to activate within the project + varType: list(string) + defaultValue: [] + - name: activate_api_identities + description: " The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).\n APIs in this list will automatically be appended to `activate_apis`.\n Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).\n Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.\n" + varType: |- + list(object({ + api = string + roles = list(string) + })) + defaultValue: [] + - name: disable_services_on_destroy + description: Whether project services will be disabled when the resources are destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_on_destroy + varType: bool + defaultValue: true + - name: disable_dependent_services + description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. 
https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_dependent_services + varType: bool + defaultValue: true + outputs: + - name: enabled_api_identities + description: Enabled API identities in the project + - name: enabled_apis + description: Enabled APIs in the project + - name: project_id + description: The GCP project you want to enable APIs on + requirements: roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - 
roles/iam.serviceAccountUser + - roles/billing.projectManager + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 3.43, < 7" + - source: hashicorp/google-beta + version: ">= 3.43, < 7" diff --git a/modules/quota_manager/metadata.display.yaml b/modules/quota_manager/metadata.display.yaml new file mode 100644 index 00000000..ca244437 --- /dev/null +++ b/modules/quota_manager/metadata.display.yaml 
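Review bot: The `activate_api_identities` description on the new side is a double-quoted scalar with embedded `\n` and a leading space (`" The list of service identities…`), which reads like an artifact of the old `|2` block scalar rather than intended text; a `|-` block scalar keeps the four lines readable and drops the stray leading space. Separately, `requirements.roles` here is the root module's full role set (including `roles/owner`, `roles/compute.xpnAdmin` and the newly added tag roles) for a module whose only purpose, per its title and variables, is enabling APIs on one project, which overstates the privileges a user is told to grant; the same copied block appears in the quota_manager (`@@ -19,89 +19,102 @@`) and shared_vpc_access (`@@ -19,118 +19,131 @@`) hunks. It may be that the metadata generator emits the root requirements for submodules by design, in which case a short comment above `requirements:` saying so would save the next reader the question.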
@@ -0,0 +1,36 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-project-factory-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Consumer quota override for a project + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/quota_manager + ui: + input: + variables: + consumer_quotas: + name: consumer_quotas + title: Consumer Quotas + project_id: + name: project_id + title: Project Id diff --git a/modules/quota_manager/metadata.yaml b/modules/quota_manager/metadata.yaml index 9f557c61..5aaa5df9 100644 --- a/modules/quota_manager/metadata.yaml +++ b/modules/quota_manager/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,89 +19,102 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Consumer quota override for a project - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: consumer_quotas - description: The quotas configuration you want to override for the project. - type: |- - list(object({ - service = string, - metric = string, - dimensions = map(string), - limit = string, - value = string, - })) - required: true - - name: project_id - description: The GCP project where you want to manage the consumer quotas - type: string - required: true - outputs: - - name: quota_overrides - description: The server-generated names of the quota override. 
- roles: - - level: Project + info: + title: Consumer quota override for a project + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/quota_manager + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: project_id + description: The GCP project where you want to manage the consumer quotas + varType: string + required: true + - name: consumer_quotas + description: The quotas configuration you want to override for the project. + varType: |- + list(object({ + service = string, + metric = string, + dimensions = map(string), + limit = string, + value = string, + })) + required: true + outputs: + - name: quota_overrides + description: The server-generated names of the quota override. 
+ requirements: roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - 
pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: hashicorp/google-beta + version: ">= 4.11, < 7" diff --git a/modules/shared_vpc_access/metadata.display.yaml b/modules/shared_vpc_access/metadata.display.yaml new file mode 100644 index 00000000..792ad60c --- /dev/null +++ b/modules/shared_vpc_access/metadata.display.yaml 
@@ -0,0 +1,60 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-project-factory-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Shared VPC Access + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/shared_vpc_access + ui: + input: + variables: + active_apis: + name: active_apis + title: Active Apis + enable_shared_vpc_service_project: + name: enable_shared_vpc_service_project + title: Enable Shared Vpc Service Project + grant_network_role: + name: grant_network_role + title: Grant Network Role + grant_services_network_admin_role: + name: grant_services_network_admin_role + title: Grant Services Network Admin Role + grant_services_security_admin_role: + name: grant_services_security_admin_role + title: Grant Services Security Admin Role + host_project_id: + name: host_project_id + title: Host Project Id + lookup_project_numbers: + name: lookup_project_numbers + title: Lookup Project Numbers + service_project_id: + name: service_project_id + title: Service Project Id + service_project_number: + name: service_project_number + title: Service Project Number + shared_vpc_subnets: + name: shared_vpc_subnets + title: Shared Vpc Subnets 
diff --git a/modules/shared_vpc_access/metadata.yaml b/modules/shared_vpc_access/metadata.yaml index 381a67af..1bfd48b4 100644 --- a/modules/shared_vpc_access/metadata.yaml +++ b/modules/shared_vpc_access/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,118 +19,131 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Shared VPC Access - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 17.0.0 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: active_apis - description: The list of active apis on the service project. If api is not active this module will not try to activate it - type: list(string) - default: [] - required: false - - name: enable_shared_vpc_service_project - description: Flag set if SVPC enabled - type: bool - required: true - - name: grant_network_role - description: Whether or not to grant service agents the network roles on the host project - type: bool - default: true - required: false - - name: grant_services_security_admin_role - description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules - type: bool - default: false - required: false - - name: host_project_id - description: The ID of the host project which hosts the shared VPC - type: string - required: true - - name: lookup_project_numbers - description: Whether to look up the project numbers from data sources. 
If false, `service_project_number` will be used instead. - type: bool - default: true - required: false - - name: service_project_id - description: The ID of the service project - type: string - required: true - - name: service_project_number - description: Project number of the service project. Will be used if `lookup_service_project_number` is false. - type: string - required: false - - name: shared_vpc_subnets - description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) - type: list(string) - default: [] - required: false - outputs: - - name: active_api_service_accounts - description: List of active API service accounts in the service project. - - name: project_id - description: Service project ID. - roles: - - level: Project + info: + title: Shared VPC Access + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/shared_vpc_access + version: 17.0.0 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: host_project_id + description: The ID of the host project which hosts the shared VPC + varType: string + required: true + - name: 
enable_shared_vpc_service_project + description: Flag set if SVPC enabled + varType: bool + required: true + - name: service_project_id + description: The ID of the service project + varType: string + required: true + - name: service_project_number + description: Project number of the service project. Will be used if `lookup_service_project_number` is false. + varType: string + - name: lookup_project_numbers + description: Whether to look up the project numbers from data sources. If false, `service_project_number` will be used instead. + varType: bool + defaultValue: true + - name: shared_vpc_subnets + description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) + varType: list(string) + defaultValue: [] + - name: active_apis + description: The list of active apis on the service project. If api is not active this module will not try to activate it + varType: list(string) + defaultValue: [] + - name: grant_services_security_admin_role + description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules + varType: bool + defaultValue: false + - name: grant_services_network_admin_role + description: Whether or not to grant Datastream Service acount the Network Admin role on the host project so it can manage firewall rules + varType: bool + defaultValue: false + - name: grant_network_role + description: Whether or not to grant service agents the network roles on the host project + varType: bool + defaultValue: true + outputs: + - name: active_api_service_accounts + description: List of active API service accounts in the service project. + - name: project_id + description: Service project ID. 
+ requirements: roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - level: Project - roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - 
pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 3.43, < 7" + - source: hashicorp/google-beta + version: ">= 3.43, < 7" diff --git a/modules/svpc_service_project/metadata.display.yaml b/modules/svpc_service_project/metadata.display.yaml new file mode 100644 index 00000000..7fb5094f --- /dev/null +++ b/modules/svpc_service_project/metadata.display.yaml 
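Review bot: The `service_project_number` description on the new side says it is used "if `lookup_service_project_number` is false", but the variable declared two entries later is `lookup_project_numbers`, so the cross-reference names a variable that does not exist in this interface; I'd change it to `Project number of the service project. Will be used if \`lookup_project_numbers\` is false.` The new `grant_services_network_admin_role` description also has a typo, `Datastream Service acount` → `Datastream Service account`. Both strings are what consumers of the display metadata will see, so they are worth fixing while the format migration is being landed.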
@@ -0,0 +1,138 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-project-factory-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: Shared VPC + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/svpc_service_project + ui: + input: + variables: + activate_api_identities: + name: activate_api_identities + title: Activate Api Identities + activate_apis: + name: activate_apis + title: Activate Apis + auto_create_network: + name: auto_create_network + title: Auto Create Network + billing_account: + name: billing_account + title: Billing Account + bucket_location: + name: bucket_location + title: Bucket Location + bucket_name: + name: bucket_name + title: Bucket Name + bucket_project: + name: bucket_project + title: Bucket Project + bucket_versioning: + name: bucket_versioning + title: Bucket Versioning + budget_alert_pubsub_topic: + name: budget_alert_pubsub_topic + title: Budget Alert Pubsub Topic + budget_alert_spent_percents: + name: budget_alert_spent_percents + title: Budget Alert Spent Percents + budget_amount: + name: budget_amount + title: Budget Amount + budget_monitoring_notification_channels: + name: budget_monitoring_notification_channels + title: Budget Monitoring Notification Channels + create_project_sa: + name: 
create_project_sa + title: Create Project Sa + default_network_tier: + name: default_network_tier + title: Default Network Tier + default_service_account: + name: default_service_account + title: Default Service Account + deletion_policy: + name: deletion_policy + title: Deletion Policy + disable_dependent_services: + name: disable_dependent_services + title: Disable Dependent Services + disable_services_on_destroy: + name: disable_services_on_destroy + title: Disable Services On Destroy + domain: + name: domain + title: Domain + folder_id: + name: folder_id + title: Folder Id + grant_network_role: + name: grant_network_role + title: Grant Network Role + grant_services_security_admin_role: + name: grant_services_security_admin_role + title: Grant Services Security Admin Role + group_name: + name: group_name + title: Group Name + group_role: + name: group_role + title: Group Role + labels: + name: labels + title: Labels + lien: + name: lien + title: Lien + name: + name: name + title: Name + org_id: + name: org_id + title: Org Id + project_id: + name: project_id + title: Project Id + project_sa_name: + name: project_sa_name + title: Project Sa Name + random_project_id: + name: random_project_id + title: Random Project Id + sa_role: + name: sa_role + title: Sa Role + shared_vpc: + name: shared_vpc + title: Shared Vpc + shared_vpc_subnets: + name: shared_vpc_subnets + title: Shared Vpc Subnets + usage_bucket_name: + name: usage_bucket_name + title: Usage Bucket Name + usage_bucket_prefix: + name: usage_bucket_prefix + title: Usage Bucket Prefix diff --git a/modules/svpc_service_project/metadata.yaml b/modules/svpc_service_project/metadata.yaml index c4aad930..e74f2f7b 100644 --- a/modules/svpc_service_project/metadata.yaml +++ b/modules/svpc_service_project/metadata.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,279 +19,262 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Shared VPC - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 17.0.0 - actuationTool: - type: Terraform - version: '>=0.13.0' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: activate_api_identities - description: |2 - The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles). - APIs in this list will automatically be appended to `activate_apis`. - Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created). - Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles. 
- type: |- - list(object({ - api = string - roles = list(string) - })) - default: [] - required: false - - name: activate_apis - description: The list of apis to activate within the project - type: list(string) - default: - - compute.googleapis.com - required: false - - name: auto_create_network - description: Create the default network - type: bool - default: false - required: false - - name: billing_account - description: The ID of the billing account to associate this project with - type: string - required: true - - name: bucket_location - description: The location for a GCS bucket to create (optional) - type: string - default: US - required: false - - name: bucket_name - description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_project - description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_versioning - description: Enable versioning for a GCS bucket to create (optional) - type: bool - default: false - required: false - - name: budget_alert_pubsub_topic - description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` - type: string - required: false - - name: budget_alert_spent_percents - description: A list of percentages of the budget to alert on when threshold is exceeded - type: list(number) - default: - - 0.5 - - 0.7 - - 1 - required: false - - name: budget_amount - description: The amount to use for a budget alert - type: number - required: false - - name: budget_monitoring_notification_channels - description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. 
- type: list(string) - default: [] - required: false - - name: create_project_sa - description: Whether the default service account for the project shall be created - type: bool - default: true - required: false - - name: default_network_tier - description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. - type: string - default: "" - required: false - - name: default_service_account - description: 'Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`.' - type: string - default: disable - required: false - - name: disable_dependent_services - description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. - type: bool - default: true - required: false - - name: disable_services_on_destroy - description: Whether project services will be disabled when the resources are destroyed - type: bool - default: true - required: false - - name: domain - description: The domain name (optional). 
- type: string - default: "" - required: false - - name: folder_id - description: The ID of a folder to host this project - type: string - default: "" - required: false - - name: grant_network_role - description: Whether or not to grant service agents the network roles on the host project - type: bool - default: true - required: false - - name: grant_services_security_admin_role - description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules - type: bool - default: false - required: false - - name: group_name - description: A group to control the project by being assigned group_role (defaults to project editor) - type: string - default: "" - required: false - - name: group_role - description: The role to give the controlling group (group_name) over the project (defaults to project editor) - type: string - default: roles/editor - required: false - - name: labels - description: Map of labels for project - type: map(string) - default: {} - required: false - - name: lien - description: Add a lien on the project to prevent accidental deletion - type: bool - default: false - required: false - - name: name - description: The name for the project - type: string - required: true - - name: org_id - description: The organization ID. - type: string - required: true - - name: project_id - description: The ID to give the project. If not provided, the `name` will be used. - type: string - default: "" - required: false - - name: project_sa_name - description: Default service account name for the project. 
- type: string - default: project-service-account - required: false - - name: random_project_id - description: Adds a suffix of 4 random characters to the `project_id` - type: bool - default: false - required: false - - name: sa_role - description: A role to give the default Service Account for the project (defaults to none) - type: string - default: "" - required: false - - name: shared_vpc - description: The ID of the host project which hosts the shared VPC - type: string - default: "" - required: false - - name: shared_vpc_subnets - description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) - type: list(string) - default: [] - required: false - - name: usage_bucket_name - description: Name of a GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - - name: usage_bucket_prefix - description: Prefix in the GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - outputs: - - name: domain - description: The organization's domain - - name: group_email - description: The email of the G Suite group with group_name - - name: project_bucket_self_link - description: Project's bucket selfLink - - name: project_bucket_url - description: Project's bucket url - - name: project_id - description: If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. 
- - name: project_name - description: The name for the project - - name: project_number - description: The number for the project - - name: service_account_display_name - description: The display name of the default service account - - name: service_account_email - description: The email of the default service account - - name: service_account_id - description: The id of the default service account - - name: service_account_name - description: The fully-qualified name of the default service account - - name: service_account_unique_id - description: The unique id of the default service account - roles: - - level: Project + info: + title: Shared VPC + source: + repo: https://github.com/q2w/terraform-google-project-factory.git + sourceType: git + dir: /modules/svpc_service_project + version: 17.0.0 + actuationTool: + flavor: Terraform + version: ">=0.13.0" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: random_project_id + description: Adds a suffix of 4 random characters to the `project_id` + varType: bool + defaultValue: false + - name: org_id + description: The organization ID. + varType: string + required: true + - name: domain + description: The domain name (optional). 
+ varType: string + defaultValue: "" + - name: name + description: The name for the project + varType: string + required: true + - name: project_id + description: The ID to give the project. If not provided, the `name` will be used. + varType: string + defaultValue: "" + - name: shared_vpc + description: The ID of the host project which hosts the shared VPC + varType: string + defaultValue: "" + - name: billing_account + description: The ID of the billing account to associate this project with + varType: string + required: true + - name: folder_id + description: The ID of a folder to host this project + varType: string + defaultValue: "" + - name: group_name + description: A group to control the project by being assigned group_role (defaults to project editor) + varType: string + defaultValue: "" + - name: group_role + description: The role to give the controlling group (group_name) over the project (defaults to project editor) + varType: string + defaultValue: roles/editor + - name: create_project_sa + description: Whether the default service account for the project shall be created + varType: bool + defaultValue: true + - name: project_sa_name + description: Default service account name for the project. + varType: string + defaultValue: project-service-account + - name: sa_role + description: A role to give the default Service Account for the project (defaults to none) + varType: string + defaultValue: "" + - name: activate_apis + description: The list of apis to activate within the project + varType: list(string) + defaultValue: + - compute.googleapis.com + - name: activate_api_identities + description: " The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. 
in order to grant additional roles).\n APIs in this list will automatically be appended to `activate_apis`.\n Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).\n Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.\n" + varType: |- + list(object({ + api = string + roles = list(string) + })) + defaultValue: [] + - name: usage_bucket_name + description: Name of a GCS bucket to store GCE usage reports in (optional) + varType: string + defaultValue: "" + - name: usage_bucket_prefix + description: Prefix in the GCS bucket to store GCE usage reports in (optional) + varType: string + defaultValue: "" + - name: shared_vpc_subnets + description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) + varType: list(string) + defaultValue: [] + - name: labels + description: Map of labels for project + varType: map(string) + defaultValue: {} + - name: bucket_project + description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_name + description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_location + description: The location for a GCS bucket to create (optional) + varType: string + defaultValue: US + - name: bucket_versioning + description: Enable versioning for a GCS bucket to create (optional) + varType: bool + defaultValue: false + - name: auto_create_network + description: Create the default network + varType: bool + defaultValue: false + - name: lien + description: Add a lien on the project to prevent accidental deletion + varType: bool + defaultValue: false + - name: 
disable_services_on_destroy + description: Whether project services will be disabled when the resources are destroyed + varType: bool + defaultValue: true + - name: default_service_account + description: "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`." + varType: string + defaultValue: disable + - name: disable_dependent_services + description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. + varType: bool + defaultValue: true + - name: budget_amount + description: The amount to use for a budget alert + varType: number + - name: budget_alert_pubsub_topic + description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` + varType: string + - name: budget_monitoring_notification_channels + description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. + varType: list(string) + defaultValue: [] + - name: budget_alert_spent_percents + description: A list of percentages of the budget to alert on when threshold is exceeded + varType: list(number) + defaultValue: + - 0.5 + - 0.7 + - 1 + - name: grant_services_security_admin_role + description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules + varType: bool + defaultValue: false + - name: grant_network_role + description: Whether or not to grant service agents the network roles on the host project + varType: bool + defaultValue: true + - name: default_network_tier + description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. 
+ varType: string + defaultValue: "" + - name: deletion_policy + description: The deletion policy for the project. + varType: string + defaultValue: PREVENT + outputs: + - name: domain + description: The organization's domain + - name: group_email + description: The email of the G Suite group with group_name + - name: project_bucket_self_link + description: Project's bucket selfLink + - name: project_bucket_url + description: Project's bucket url + - name: project_id + description: If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. + - name: project_name + description: The name for the project + - name: project_number + description: The number for the project + - name: service_account_display_name + description: The display name of the default service account + - name: service_account_email + description: The email of the default service account + - name: service_account_id + description: The id of the default service account + - name: service_account_name + description: The fully-qualified name of the default service account + - name: service_account_unique_id + description: The unique id of the default service account + requirements: roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - 
oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.5, < 7" + - source: hashicorp/google-beta + version: ">= 4.5, < 7"
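Review bot: The new `source.repo` in this hunk points at `https://github.com/q2w/terraform-google-project-factory.git`, replacing the canonical `terraform-google-modules` organisation URL that the removed line carried; any blueprint tooling that resolves the module from this metadata (pinned here at `version: 17.0.0`) would fetch from a personal fork rather than upstream, which is a supply-chain change that the commit message ("update blueprint metadata in latest format") does not mention. If the fork URL is a development artifact, it should be restored to `repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git` before merge. The newly added `deletion_policy` variable is described only as "The deletion policy for the project." — naming the accepted values and what the `PREVENT` default means for a `terraform destroy` of the project would help operators; since this metadata appears to be generated from the module's variable descriptions, that text presumably belongs in the module's variables.tf rather than here. The `requirements.roles` block still lists `roles/owner` at project level next to the narrower roles (pre-existing, not introduced here), so it is worth confirming the narrower set alone is sufficient, as Owner makes the rest redundant. The hunk begins at file line 19, so the `metadata:` header above `spec:` is outside the visible hunk.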