Merge branch 'master' into feature/add-autogenerator

CHANGELOG.md

@@ -8,11 +8,24 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 
+## [6.1.0] - 2019-12-18
+
 ### Added
 
 - The `python_interpreter_path` variable which can be altered to support execution in a Windows environment. [#265]
 - Support for importing existing projects. [#138]
 
+### Changed
+
+- When deleting a service account, deprivilege first to remove IAM binding [#341]
+- The preconditions script checks for the existence of `gcloud`. [#331]
+- The service account setup script only requests the specified project. [#338]
+
+### Fixed
+
+- Fixed typo in `default_service_account` variable's default value from `depriviledge` to `deprivilege`. [#345]
+- The `feature_settings` variable on the `app_engine` submodule has a valid default. [#324]
+
 ## [6.0.0] - 2019-11-26
 
 6.0.0 is a backwards incompatible release. See the [upgrade guide](./docs/upgrading_to_project_factory_v6.0.md) for details.
@@ -112,15 +125,15 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ### Fixed
 
-- Precoditions script handles projects with a large number of enabled APIs. [#220]
+- Preconditions script handles projects with a large number of enabled APIs. [#220]
 
 ## [2.3.0] - 2019-05-28
 
 ### Added
 
 - Feature that toggles authoritative management of project services. [#213]
 - Option that provides ability to choose the region of the bucket [#207]
-- Added option to depriviledge or keep default compute service account. [#186]
+- Added option to deprivilege or keep default compute service account. [#186]
 
 ### Fixed
 
@@ -248,7 +261,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### ADDED
 - This is the initial release of the Project Factory Module.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v6.0.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v6.1.0...HEAD
+[6.1.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v6.0.0...v6.1.0
 [6.0.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v5.0.0...v6.0.0
 [5.0.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v4.0.1...v5.0.0
 [4.0.1]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v4.0.0...v4.0.1
@@ -280,6 +294,11 @@ Extending the adopted spec, each change should have a link to its corresponding
 [0.2.1]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v0.1.0...v0.2.0
 
+[#345]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/345
+[#341]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/341
+[#338]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/338
+[#331]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/331
+[#324]: https://github.com/terraform-google-modules/terraform-google-project-factory/issues/324
 [#313]: https://github.com/terraform-google-modules/terraform-google-project-factory/issues/313
 [#300]: https://github.com/terraform-google-modules/terraform-google-project-factory/issues/300
 [#309]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/309

README.md

@@ -122,7 +122,7 @@ determining that location is as follows:
 | bucket\_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | string | `""` | no |
 | bucket\_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string | `""` | no |
 | credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | string | `""` | no |
-| default\_service\_account | Project default service account setting: can be one of `delete`, `depriviledge`, `disable`, or `keep`. | string | `"disable"` | no |
+| default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | string | `"disable"` | no |
 | disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | bool | `"true"` | no |
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | string | `"true"` | no |
 | domain | The domain name (optional). | string | `""` | no |

docs/TROUBLESHOOTING.md

@@ -251,7 +251,7 @@ requires that the default compute service account be in place in the project.
 In order to deploy an App Engine Flex application into a project created by Project Factory,
 the default service account must not be disabled (as is the default behavior) or deleted. To prevent the
 default service account from being deleted, ensure that the `default_service_account` input
-is set to either `depriviledge` or `keep`.
+is set to either `deprivilege` or `keep`.
 
 - - -
 ### Seed project missing APIs

examples/simple_project/README.md

@@ -15,7 +15,7 @@ Expected variables:
 |------|-------------|:----:|:-----:|:-----:|
 | billing\_account | The ID of the billing account to associate this project with | string | n/a | yes |
 | credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | string | `""` | no |
-| default\_service\_account | Project default service account setting: can be one of `delete`, `depriviledge`, `disable`, or `keep`. | string | n/a | yes |
+| default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | string | n/a | yes |
 | organization\_id | The organization id for the associated services | string | n/a | yes |
 
 ## Outputs

examples/simple_project/variables.tf

@@ -28,6 +28,6 @@ variable "credentials_path" {
 }
 
 variable "default_service_account" {
-  description = "Project default service account setting: can be one of `delete`, `depriviledge`, `disable`, or `keep`."
+  description = "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
 }
 

modules/core_project_factory/main.tf

@@ -209,10 +209,10 @@ EOD
 }
 
 /*********************************************
-  Default compute service account depriviledge
+  Default compute service account deprivilege
  ********************************************/
-resource "null_resource" "depriviledge_default_compute_service_account" {
-  count = var.default_service_account == "depriviledge" ? 1 : 0
+resource "null_resource" "deprivilege_default_compute_service_account" {
+  count = var.default_service_account == "deprivilege" ? 1 : 0
 
   provisioner "local-exec" {
     command    = <<EOD
@@ -221,7 +221,7 @@ ${path.module}/scripts/modify-service-account.sh \
   --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
   --credentials_path='${var.credentials_path}' \
   --impersonate-service-account='${var.impersonate_service_account}' \
-  --action='depriviledge'
+  --action='deprivilege'
 EOD
     on_failure = "continue"
   }

modules/core_project_factory/scripts/modify-service-account.sh

@@ -72,23 +72,23 @@ delete_sa() {
   fi
 }
 
-# Function to depriviledge the default service account.
-depriviledge_sa() {
+# Function to deprivilege the default service account.
+deprivilege_sa() {
   EDITORS_LIST_COMMAND="gcloud projects get-iam-policy $PROJECT_ID \
   --flatten=bindings[].members \
   --format=table(bindings.role,bindings.members) \
   --filter=bindings.role:editor $APPEND_IMPERSONATE"
   EDITORS_LIST=$(${EDITORS_LIST_COMMAND} || exit 1)
 
   if [[ $EDITORS_LIST = *"$SA_ID"* ]]; then
-      echo "Depriviledge service account $SA_ID in project $PROJECT_ID"
+      echo "Deprivilege service account $SA_ID in project $PROJECT_ID"
       SA_DEPRIV_COMMAND="gcloud projects remove-iam-policy-binding $PROJECT_ID \
       --member=serviceAccount:$SA_ID \
       --role=roles/editor \
       --project=$PROJECT_ID $APPEND_IMPERSONATE"
       ${SA_DEPRIV_COMMAND}
   else
-      echo "Service account not listed. It appears to have already been depriviledged."
+      echo "Service account not listed. It appears to have already been deprivileged."
   fi
 }
 
@@ -113,10 +113,10 @@ disable_sa() {
 # Perform specified action of default service account.
 case $SA_ACTION in
   delete)
-      depriviledge_sa
+      deprivilege_sa
       delete_sa ;;
-  depriviledge)
-      depriviledge_sa ;;
+  deprivilege)
+      deprivilege_sa ;;
   disable)
       disable_sa ;;
   keep)

modules/core_project_factory/variables.tf

@@ -156,7 +156,7 @@ variable "disable_services_on_destroy" {
 }
 
 variable "default_service_account" {
-  description = "Project default service account setting: can be one of `delete`, `depriviledge`, `disable`, or `keep`."
+  description = "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
   default     = "disable"
   type        = string
 }

modules/gsuite_enabled/README.md

@@ -67,7 +67,7 @@ The roles granted are specifically:
 | bucket\_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string | `""` | no |
 | create\_group | Whether to create the group or not | bool | `"false"` | no |
 | credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | string | `""` | no |
-| default\_service\_account | Project default service account setting: can be one of `delete`, `depriviledge`, `disable`, or `keep`. | string | `"disable"` | no |
+| default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | string | `"disable"` | no |
 | disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | string | `"true"` | no |
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | string | `"true"` | no |
 | domain | The domain name (optional). | string | `""` | no |