
Merge pull request #6 from ingwarr/master
Add support for Terraform v0.12 #5
aaron-lane authored Jul 26, 2019
2 parents 6256d48 + 6371abc commit 55fb3f0
Showing 27 changed files with 223 additions and 91 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -8,6 +8,10 @@ and this project adheres to
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]
### CHANGED

- Upgraded for usage with terraform-0.12.x [#6]


## [0.1.1] - 2019-06-14

Expand All @@ -26,3 +30,4 @@ and this project adheres to
[0.1.0]: https://github.com/terraform-google-modules/terraform-google-service-accounts/releases/tag/v0.1.0
[#3]: https://github.com/terraform-google-modules/terraform-google-service-accounts/pull/3
[#1]: https://github.com/terraform-google-modules/terraform-google-service-accounts/pull/1
[#6]: https://github.com/terraform-google-modules/terraform-google-service-accounts/pull/6
2 changes: 1 addition & 1 deletion Gemfile
Expand Up @@ -15,5 +15,5 @@
ruby '2.5.3'

source 'https://rubygems.org/' do
gem 'kitchen-terraform', '~> 4.8'
gem 'kitchen-terraform', '~> 4.9'
end
16 changes: 8 additions & 8 deletions Makefile
Expand Up @@ -21,7 +21,7 @@ SHELL := /usr/bin/env bash
# Docker build config variables
CREDENTIALS_PATH ?= /cft/workdir/credentials.json
DOCKER_ORG := gcr.io/cloud-foundation-cicd
DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 1.0.1
DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 2.3.0
DOCKER_REPO_BASE_KITCHEN_TERRAFORM := ${DOCKER_ORG}/cft/kitchen-terraform:${DOCKER_TAG_BASE_KITCHEN_TERRAFORM}

# All is the first target in the file so it will get picked up when you just run 'make' on its own
Expand All @@ -30,7 +30,7 @@ all: check generate_docs

# Run all available linters
.PHONY: check
check: check_shell check_python check_golang check_terraform check_docker check_base_files test_check_headers check_headers check_trailing_whitespace
check: check_shell check_python check_golang check_terraform check_base_files test_check_headers check_headers check_trailing_whitespace

# The .PHONY directive tells make that this isn't a real target and so
# the presence of a file named 'check_shell' won't cause this target to stop
Expand Down Expand Up @@ -95,7 +95,7 @@ docker_run:
-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
-v $(CURDIR):/cft/workdir \
${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
/bin/bash -c "source test/ci_integration.sh && setup_environment && exec /bin/bash"
/bin/bash -c "cd /cft/workdir && source test/ci_integration.sh && setup_environment && exec /bin/bash"

.PHONY: docker_create
docker_create:
Expand All @@ -105,7 +105,7 @@ docker_create:
-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
-v $(CURDIR):/cft/workdir \
${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
/bin/bash -c "source test/ci_integration.sh && setup_environment && kitchen create"
/bin/bash -c "cd /cft/workdir && source test/ci_integration.sh && setup_environment && kitchen create"

.PHONY: docker_converge
docker_converge:
Expand All @@ -115,7 +115,7 @@ docker_converge:
-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
-v $(CURDIR):/cft/workdir \
${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
/bin/bash -c "source test/ci_integration.sh && setup_environment && kitchen converge"
/bin/bash -c "cd /cft/workdir && source test/ci_integration.sh && setup_environment && kitchen converge"

.PHONY: docker_verify
docker_verify:
Expand All @@ -125,7 +125,7 @@ docker_verify:
-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
-v $(CURDIR):/cft/workdir \
${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
/bin/bash -c "source test/ci_integration.sh && setup_environment && kitchen verify"
/bin/bash -c "cd /cft/workdir && source test/ci_integration.sh && setup_environment && kitchen verify"

.PHONY: docker_destroy
docker_destroy:
Expand All @@ -135,7 +135,7 @@ docker_destroy:
-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
-v $(CURDIR):/cft/workdir \
${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
/bin/bash -c "source test/ci_integration.sh && setup_environment && kitchen destroy"
/bin/bash -c "cd /cft/workdir && source test/ci_integration.sh && setup_environment && kitchen destroy"

.PHONY: test_integration_docker
test_integration_docker:
Expand All @@ -145,4 +145,4 @@ test_integration_docker:
-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
-v $(CURDIR):/cft/workdir \
${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
make test_integration
/bin/bash -c "cd /cft/workdir && source test/ci_integration.sh && setup_environment && make test_integration"
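Review bot: `check` no longer lists `check_docker` among its prerequisites (the line replacing `check: check_shell check_python check_golang check_terraform check_docker check_base_files …`), so if that target is still defined further down the Makefile it now only runs when invoked by name, and neither the commit description nor the CHANGELOG entry mentions the drop. If the Dockerfile lint was removed on purpose, a comment above the rule such as `# check_docker is intentionally not part of check: <reason>` would stop the next reader from re-adding it; if it was not, the prerequisite should be restored. Separately, the kitchen-terraform image is selected only by the mutable tag in `DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 2.3.0`, and every docker recipe sources `test/ci_integration.sh` inside it with the workdir mounted and credentials passed in, so pinning the reference by digest (`${DOCKER_ORG}/cft/kitchen-terraform@sha256:<digest>`, digest recorded alongside the tag) would make the CI toolchain reproducible. The `check_docker` target definition and the leading lines of each docker recipe lie outside these hunks.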
8 changes: 7 additions & 1 deletion README.md
Expand Up @@ -10,6 +10,12 @@ The resources/services/activations/deletions that this module will create/trigge
- two optional organization-level IAM bindings per service account, to enable the service accounts to create and manage Shared VPC networks
- one optional service account key per service account

## Compatibility

This module is meant for use with Terraform 0.12. If you haven't [upgraded](https://www.terraform.io/upgrade-guides/0-12.html)
and need a Terraform 0.11.x-compatible version of this module, the last released version intended for
Terraform 0.11.x is [0.1.1](https://registry.terraform.io/modules/terraform-google-modules/service-accounts/google/0.1.1).

## Usage

Basic usage of this module is as follows:
Expand Down Expand Up @@ -67,7 +73,7 @@ These sections describe requirements for using this module.

The following dependencies must be available:

- [Terraform][terraform] v0.11
- [Terraform][terraform] v0.12
- [Terraform Provider for GCP][terraform-provider-gcp] plugin >= v2.0

### IAM
3 changes: 2 additions & 1 deletion examples/multiple_service_accounts/main.tf
Expand Up @@ -20,7 +20,7 @@ provider "google" {

module "service_accounts" {
source = "../.."
project_id = "${var.project_id}"
project_id = var.project_id
prefix = ""
names = ["test-first", "test-second"]
generate_keys = true
Expand All @@ -30,3 +30,4 @@ module "service_accounts" {
"${var.project_id}=>roles/storage.objectViewer",
]
}

7 changes: 4 additions & 3 deletions examples/multiple_service_accounts/outputs.tf
Expand Up @@ -16,15 +16,16 @@

output "emails" {
description = "The service account emails."
value = "${values(module.service_accounts.emails)}"
value = values(module.service_accounts.emails)
}

output "iam_emails" {
description = "The service account IAM-format emails."
value = "${values(module.service_accounts.iam_emails)}"
value = values(module.service_accounts.iam_emails)
}

output "keys" {
description = "The service account keys."
value = "${module.service_accounts.keys}"
value = module.service_accounts.keys
}

3 changes: 2 additions & 1 deletion examples/multiple_service_accounts/variables.tf
Expand Up @@ -16,5 +16,6 @@

variable "project_id" {
description = "The ID of the project in which to provision resources."
type = "string"
type = string
}

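--- /dev/null
+++ b/examples/multiple_service_accounts/versions.tf
@@ -0,0 +1,19 @@
+/**
+* Copyright 2019 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+terraform {
+required_version = ">= 0.12"
+}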
5 changes: 3 additions & 2 deletions examples/single_service_account/main.tf
Expand Up @@ -20,8 +20,9 @@ provider "google" {

module "service_accounts" {
source = "../.."
project_id = "${var.project_id}"
prefix = "${var.prefix}"
project_id = var.project_id
prefix = var.prefix
names = ["single-account"]
project_roles = ["${var.project_id}=>roles/viewer"]
}

5 changes: 3 additions & 2 deletions examples/single_service_account/outputs.tf
Expand Up @@ -16,10 +16,11 @@

output "email" {
description = "The service account email."
value = "${module.service_accounts.email}"
value = module.service_accounts.email
}

output "iam_email" {
description = "The service account IAM-format email."
value = "${module.service_accounts.iam_email}"
value = module.service_accounts.iam_email
}

4 changes: 3 additions & 1 deletion examples/single_service_account/variables.tf
Expand Up @@ -16,10 +16,12 @@

variable "project_id" {
description = "The ID of the project in which to provision resources."
type = "string"
type = string
}

variable "prefix" {
type = string
description = "Prefix applied to service account names."
default = ""
}

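--- /dev/null
+++ b/examples/single_service_account/versions.tf
@@ -0,0 +1,19 @@
+/**
+* Copyright 2019 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+terraform {
+required_version = ">= 0.12"
+}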
65 changes: 37 additions & 28 deletions main.tf
Expand Up @@ -15,73 +15,82 @@
*/

locals {
account_billing = "${var.grant_billing_role && var.billing_account_id != ""}"
org_billing = "${var.grant_billing_role && var.billing_account_id == "" && var.org_id != ""}"
prefix = "${var.prefix != "" ? "${var.prefix}-" : ""}"
xpn = "${var.grant_xpn_roles && var.org_id != ""}"
account_billing = var.grant_billing_role && var.billing_account_id != ""
org_billing = var.grant_billing_role && var.billing_account_id == "" && var.org_id != ""
prefix = var.prefix != "" ? "${var.prefix}-" : ""
xpn = var.grant_xpn_roles && var.org_id != ""
}

# create service accounts
resource "google_service_account" "service_accounts" {
count = "${length(var.names)}"
count = length(var.names)
account_id = "${local.prefix}${lower(element(var.names, count.index))}"
display_name = "Terraform-managed service account"
project = "${var.project_id}"
project = var.project_id
}

# common roles
resource "google_project_iam_member" "project-roles" {
count = "${length(var.project_roles) * length(var.names)}"
count = length(var.project_roles) * length(var.names)

project = "${element(
split("=>", element(var.project_roles, count.index % length(var.project_roles))
), 0)}"
project = element(
split(
"=>",
element(var.project_roles, count.index % length(var.project_roles)),
),
0,
)

role = "${element(
split("=>", element(var.project_roles, count.index % length(var.project_roles))
), 1)}"
role = element(
split(
"=>",
element(var.project_roles, count.index % length(var.project_roles)),
),
1,
)

member = "serviceAccount:${element(
google_service_account.service_accounts.*.email,
count.index / length(var.project_roles)
floor(count.index / length(var.project_roles)),
)}"
}

# conditionally assign billing user role at the org level
resource "google_organization_iam_member" "billing_user" {
count = "${local.org_billing ? length(var.names) : 0}"
org_id = "${var.org_id}"
count = local.org_billing ? length(var.names) : 0
org_id = var.org_id
role = "roles/billing.user"
member = "serviceAccount:${element(google_service_account.service_accounts.*.email, count.index)}"
member = "serviceAccount:${google_service_account.service_accounts[count.index].email}"
}

# conditionally assign billing user role on a specific billing account
resource "google_billing_account_iam_member" "billing_user" {
count = "${local.account_billing ? length(var.names) : 0}"
billing_account_id = "${var.billing_account_id}"
count = local.account_billing ? length(var.names) : 0
billing_account_id = var.billing_account_id
role = "roles/billing.user"
member = "serviceAccount:${element(google_service_account.service_accounts.*.email, count.index)}"
member = "serviceAccount:${google_service_account.service_accounts[count.index].email}"
}

# conditionally assign roles for shared VPC
# ref: https://cloud.google.com/vpc/docs/shared-vpc

resource "google_organization_iam_member" "xpn_admin" {
count = "${local.xpn ? length(var.names) : 0}"
org_id = "${var.org_id}"
count = local.xpn ? length(var.names) : 0
org_id = var.org_id
role = "roles/compute.xpnAdmin"
member = "serviceAccount:${element(google_service_account.service_accounts.*.email, count.index)}"
member = "serviceAccount:${google_service_account.service_accounts[count.index].email}"
}

resource "google_organization_iam_member" "organization_viewer" {
count = "${local.xpn ? length(var.names) : 0}"
org_id = "${var.org_id}"
count = local.xpn ? length(var.names) : 0
org_id = var.org_id
role = "roles/resourcemanager.organizationViewer"
member = "serviceAccount:${element(google_service_account.service_accounts.*.email, count.index)}"
member = "serviceAccount:${google_service_account.service_accounts[count.index].email}"
}

# keys
resource "google_service_account_key" "keys" {
count = "${var.generate_keys ? length(var.names) : 0}"
service_account_id = "${element(google_service_account.service_accounts.*.email, count.index)}"
count = var.generate_keys ? length(var.names) : 0
service_account_id = google_service_account.service_accounts[count.index].email
}
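Review bot: `google_project_iam_member.project-roles` still splits each `project_roles` entry on `=>` twice per instance (once for `project`, once for `role`), and because `element` wraps its index modulo the list length, an entry that lacks `=>` silently binds the project id as the `role` instead of failing at plan time. With 0.12 `for` expressions now available, splitting each entry once into a local and indexing it with `[0]`/`[1]` removes the duplicated expression and turns a malformed entry into a plan-time index error rather than an apply-time API rejection. A short comment on the local, e.g. `# one [project, role] pair per project_roles entry; entries must be "project=>role"`, documents the expected format; the `member` argument and the other resources are unchanged. The `locals` block starts inside the hunk, but the variable declarations this relies on are in files not shown here.
```hcl
locals {
  # … unchanged: account_billing, org_billing, prefix, xpn …
  # one [project, role] pair per project_roles entry; entries must be "project=>role"
  project_role_pairs = [for r in var.project_roles : split("=>", r)]
}

resource "google_project_iam_member" "project-roles" {
  count = length(var.project_roles) * length(var.names)

  project = local.project_role_pairs[count.index % length(var.project_roles)][0]
  role    = local.project_role_pairs[count.index % length(var.project_roles)][1]
  # … unchanged: member …
}
```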

