
# Google Cloud Project Factory with G Suite Terraform Module

This module performs the same functions as the root module with the addition of integrating G Suite.

## Usage

There are multiple examples included in the examples folder, but simple usage is as follows:

```hcl
module "project-factory" {
  source  = "terraform-google-modules/project-factory/google//modules/gsuite_enabled"
  version = "~> 1.0"

  billing_account   = "ABCDEF-ABCDEF-ABCDEF"
  create_group      = "true"
  credentials_path  = "${local.credentials_file_path}"
  group_name        = "test_sa_group"
  group_role        = "roles/editor"
  name              = "pf-test-1"
  org_id            = "1234567890"
  random_project_id = "true"
  sa_group          = "[email protected]"
  shared_vpc        = "shared_vpc_host_name"

  shared_vpc_subnets = [
    "projects/base-project-196723/regions/us-east1/subnetworks/default",
    "projects/base-project-196723/regions/us-central1/subnetworks/default",
    "projects/base-project-196723/regions/us-central1/subnetworks/subnet-1",
  ]

  usage_bucket_name   = "pf-test-1-usage-report-bucket"
  usage_bucket_prefix = "pf/test/1/integration"
}
```

## Features

The G Suite Enabled module will perform the following actions in addition to those of the root module:

1. Create a new Google group for the project using `group_name` if `create_group` is `"true"`.
2. Add the new default service account for the project to the `sa_group` in Google Groups, if specified.
3. Add the Google APIs service account to the `api_sa_group`, if specified.

The roles granted are specifically:

- New Default Service Account
  - MEMBER of the specified `sa_group`
- Google APIs Service Account
  - MEMBER of the specified `api_sa_group`

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| activate_apis | The list of APIs to activate within the project | list(string) | `<list>` | no |
| api_sa_group | A GSuite group to place the Google APIs Service Account for the project in | string | `""` | no |
| apis_authority | Toggles authoritative management of project services. | string | `"false"` | no |
| auto_create_network | Create the default network | string | `"false"` | no |
| billing_account | The ID of the billing account to associate this project with | string | n/a | yes |
| bucket_location | The location for a GCS bucket to create (optional) | string | `""` | no |
| bucket_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | string | `""` | no |
| bucket_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string | `""` | no |
| create_group | Whether to create the group or not | string | `"false"` | no |
| credentials_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent, Terraform will fall back to Application Default Credentials. | string | `""` | no |
| default_service_account | Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`. | string | `"delete"` | no |
| disable_dependent_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | string | `"true"` | no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed | string | `"true"` | no |
| domain | The domain name (optional). | string | `""` | no |
| folder_id | The ID of a folder to host this project | string | `""` | no |
| group_name | A group to control the project by being assigned group_role; defaults to `${project_name}-editors` | string | `""` | no |
| group_role | The role to give the controlling group (group_name) over the project (defaults to project editor) | string | `"roles/editor"` | no |
| labels | Map of labels for the project | map(string) | `<map>` | no |
| lien | Add a lien on the project to prevent accidental deletion | string | `"false"` | no |
| name | The name for the project | string | n/a | yes |
| org_id | The organization ID. | string | n/a | yes |
| project_id | If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. | string | `""` | no |
| random_project_id | Enables project random ID generation. Mutually exclusive with project_id being non-empty. | string | `"false"` | no |
| sa_group | A GSuite group to place the default Service Account for the project in | string | `""` | no |
| sa_role | A role to give the default Service Account for the project (defaults to none) | string | `""` | no |
| shared_vpc | The ID of the host project which hosts the shared VPC | string | `""` | no |
| shared_vpc_subnets | List of fully qualified subnet IDs (i.e. `projects/$project_id/regions/$region/subnetworks/$subnet_id`) | list(string) | `<list>` | no |
| usage_bucket_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
| usage_bucket_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
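Several of the inputs above carry constraints that Terraform only reports at plan or apply time (the required inputs, the `project_id` / `random_project_id` exclusivity, the accepted `default_service_account` values, and the fully qualified subnet ID format). The following pre-apply checker is an added example, not part of the project-factory module; it validates a dictionary of module inputs against exactly those documented constraints, using a constructed input set that mirrors the Usage block with a placeholder group address.

```python
import re
from typing import Dict, List

# Constraints taken from the module's input table. This checker is an added
# example for pre-apply validation, not code from the project-factory module.
REQUIRED = ("billing_account", "name", "org_id")
SA_SETTINGS = {"delete", "depriviledge", "keep"}  # accepted default_service_account values
SUBNET_ID = re.compile(r"^projects/[^/]+/regions/[^/]+/subnetworks/[^/]+$")


def _is_true(value: object) -> bool:
    """The module takes its booleans as the strings "true" / "false"."""
    return str(value).lower() == "true"


def validate_inputs(inputs: Dict[str, object]) -> List[str]:
    """Return the list of problems found; an empty list means the inputs pass."""
    problems: List[str] = []
    for key in REQUIRED:
        if not inputs.get(key):
            problems.append(f"{key} is required")
    # project_id and random_project_id = "true" are mutually exclusive.
    if inputs.get("project_id") and _is_true(inputs.get("random_project_id", "false")):
        problems.append("project_id and random_project_id cannot both be set")
    sa_setting = inputs.get("default_service_account", "delete")
    if sa_setting not in SA_SETTINGS:
        problems.append(f"default_service_account must be one of {sorted(SA_SETTINGS)}, got {sa_setting!r}")
    # Every shared VPC subnet must be a fully qualified subnet ID.
    for subnet in inputs.get("shared_vpc_subnets", []):
        if not SUBNET_ID.match(str(subnet)):
            problems.append(f"not a fully qualified subnet ID: {subnet}")
    return problems


# Constructed inputs mirroring the Usage example (placeholder values only).
EXAMPLE_INPUTS = {
    "billing_account": "ABCDEF-ABCDEF-ABCDEF",
    "name": "pf-test-1",
    "org_id": "1234567890",
    "random_project_id": "true",
    "create_group": "true",
    "group_name": "test_sa_group",
    "sa_group": "sa-group@example.com",  # constructed placeholder address
    "shared_vpc": "shared_vpc_host_name",
    "shared_vpc_subnets": ["projects/base-project-196723/regions/us-east1/subnetworks/default"],
}

if __name__ == "__main__":
    for line in validate_inputs(EXAMPLE_INPUTS) or ["inputs are consistent"]:
        print(line)
```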

## Outputs

| Name | Description |
|------|-------------|
| domain | The organization's domain |
| group_email | The email of the created GSuite group with group_name |
| project_bucket_self_link | Project's bucket selfLink |
| project_bucket_url | Project's bucket URL |
| project_id | |
| project_name | |
| project_number | |
| service_account_display_name | The display name of the default service account |
| service_account_email | The email of the default service account |
| service_account_id | The ID of the default service account |
| service_account_name | The fully-qualified name of the default service account |
| service_account_unique_id | The unique ID of the default service account |