This module allows you to create opinionated Google Cloud Platform projects. It
creates projects and configures aspects like Shared VPC connectivity, IAM
access, Service Accounts, and API enablement to follow best practices.
To include G Suite integration for creating groups and adding Service Accounts into groups, use the
gsuite_enabled module.
Compatibility
This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is 9.2.0.
Upgrading
See the docs for detailed instructions on upgrading between major releases of the module.
Usage
There are multiple examples included in the examples folder but simple usage is as follows:
The Project Factory module will take the following actions:

1. Create a new GCP project using the project_name.
2. If a shared VPC is specified, attach the new project to the svpc_host_project_id. It will also give the following users network access on the specified subnets:
   - The project's new default service account (see step 4)
   - The Google API service account for the project
   - The project controlling group specified in group_name
3. Delete the default compute service account.
4. Create a new default service account for the project.
   - Give it access to the shared VPC (to be able to launch instances).
5. Attach the billing account (billing_account) to the project.
6. Give the controlling group access to the project, with the group_role.
7. Enable the required and specified APIs (activate_apis).
8. Delete the default network.
9. Enable usage report for GCE into central project bucket (target_usage_bucket), if provided.
10. If specified, create the GCS bucket bucket_name and give the following accounts Storage Admin on it:
    - The controlling group (group_name).
    - The new default compute service account created for the project.
    - The Google APIs service account for the project.
The roles granted are specifically:

New Default Service Account
- compute.networkUser on host project or specified subnets
- storage.admin on bucket_name GCS bucket

group_name is the controlling group
- compute.networkUser on host project or specific subnets
- Specified group_role on project
- iam.serviceAccountUser on the default Service Account
- storage.admin on bucket_name GCS bucket

Google APIs Service Account
- compute.networkUser on host project or specified subnets
- storage.admin on bucket_name GCS bucket
Shared VPC subnets and IAM permissions
A service project's access to shared VPC networks is controlled via the roles/compute.networkUser role and the location to where that role is assigned. If that role is assigned to the shared VPC host project, then the service project will have access to all shared VPC subnetworks. If that role is assigned to individual subnetworks, then the service project will have access to only the subnetworks on which that role was assigned. The logic for determining that location is as follows:

- If var.svpc_host_project_id and var.shared_vpc_subnets are not set, then the compute.networkUser role is not assigned.
- If var.svpc_host_project_id is set but no subnetworks are provided via var.shared_vpc_subnets, then the compute.networkUser role is assigned at the host project and the service project will have access to all shared VPC subnetworks.
- If var.svpc_host_project_id is set and var.shared_vpc_subnets contains an array of subnetworks, then the compute.networkUser role is assigned to each subnetwork in the array.
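As an added example (not code from the module's README or the project itself), the following module call applies the third, subnet-level case above and doubles as the simple usage the Usage section refers to. The org id, billing account, host project id, subnet self-link and group address are placeholders, and the module version is assumed.

```hcl
# Added example, not the module's own code. Placeholders: org id, billing
# account, host project id, subnet self-link, group address; version assumed.
module "service_project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 14.0" # assumed; any release for Terraform 0.13+ is fine

  name            = "svc-project-example" # project name; the project id defaults to it
  org_id          = "ORG_ID_PLACEHOLDER"
  billing_account = "BILLING_ACCOUNT_PLACEHOLDER"

  # Controlling group and the role it receives on the project. Viewer keeps the
  # grant narrow; widen it only when the group really needs to mutate resources.
  group_name = "svc-project-admins@example.com"
  group_role = "roles/viewer"

  # Shared VPC: because shared_vpc_subnets is non-empty, roles/compute.networkUser
  # is bound on each listed subnetwork only, never on the host project, so the
  # service project can use just app-subnet and no other shared subnet.
  svpc_host_project_id = "shared-vpc-host-placeholder"
  shared_vpc_subnets = [
    "projects/shared-vpc-host-placeholder/regions/us-east1/subnetworks/app-subnet",
  ]
  # Setting svpc_host_project_id with shared_vpc_subnets = [] would instead bind
  # the role on the host project and expose every shared subnet.

  # APIs to enable (the default list is only compute.googleapis.com).
  activate_apis = [
    "compute.googleapis.com",
    "logging.googleapis.com",
  ]

  # Optional state bucket created inside the new project, versioned so an
  # overwritten or corrupted state file can be recovered.
  bucket_project    = "svc-project-example"
  bucket_name       = "svc-project-example-tfstate"
  bucket_versioning = true
}
```

After apply, the subnet's IAM policy (not the host project's) should carry the compute.networkUser bindings for the new default service account, the Google APIs service account and the group.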
Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| activate_api_identities | The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles). APIs in this list will automatically be appended to activate_apis. Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created). Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles. | list(object({ api = string roles = list(string) })) | [] | no |
| activate_apis | The list of APIs to activate within the project | list(string) | [ "compute.googleapis.com" ] | no |
| auto_create_network | Create the default network | bool | false | no |
| billing_account | The ID of the billing account to associate this project with | string | n/a | yes |
| bucket_force_destroy | Force the deletion of all objects within the GCS bucket when deleting the bucket (optional) | bool | false | no |
| bucket_labels | A map of key/value label pairs to assign to the bucket (optional) | map(string) | {} | no |
| bucket_location | The location for a GCS bucket to create (optional) | string | "US" | no |
| bucket_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | string | "" | no |
| bucket_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string | "" | no |
| bucket_ula | Enable Uniform Bucket Level Access | bool | true | no |
| bucket_versioning | Enable versioning for a GCS bucket to create (optional) | bool | false | no |
| budget_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of projects/{project_id}/topics/{topic_id} | string | null | no |
| budget_alert_spend_basis | The type of basis used to determine if spend has passed the threshold | string | "CURRENT_SPEND" | no |
| budget_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded | list(number) | [ 0.5, 0.7, 1 ] | no |
| budget_amount | The amount to use for a budget alert | number | null | no |
| budget_display_name | The display name of the budget. If not set, defaults to `Budget For <projects[0]\|All Projects>` | string | null | no |
| budget_labels | A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. | map(string) | {} | no |
| budget_monitoring_notification_channels | A list of monitoring notification channels in the form [projects/{project_id}/notificationChannels/{channel_id}]. A maximum of 5 channels are allowed. | list(string) | [] | no |
| consumer_quotas | The quotas configuration you want to override for the project. | list(object({ service = string, metric = string, dimensions = map(string), limit = string, value = string, })) | [] | no |
| create_project_sa | Whether the default service account for the project shall be created | | | |
In order to execute this module you must have a Service Account with the following roles:

- roles/resourcemanager.folderViewer on the folder that you want to create the project in
- roles/resourcemanager.organizationViewer on the organization
- roles/resourcemanager.projectCreator on the organization
- roles/billing.user on the organization
- roles/storage.admin on bucket_project

If you are using shared VPC:

- roles/billing.user on the organization
- roles/compute.xpnAdmin on the organization
- roles/compute.networkAdmin on the organization
- roles/browser on the Shared VPC host project
- roles/resourcemanager.projectIamAdmin on the Shared VPC host project
Script Helper
A helper script is included to create the Seed Service Account in the Seed Project, grant the necessary roles to the Seed Service Account, and enable the necessary APIs in the Seed Project. Run it as follows:
In order to execute this script, you must have an account with the following list of permissions:

- resourcemanager.organizations.list
- resourcemanager.projects.list
- billing.accounts.list
- iam.serviceAccounts.create
- iam.serviceAccountKeys.create
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.setIamPolicy
- serviceusage.services.enable on the project
- servicemanagement.services.bind on the following services:
  - cloudresourcemanager.googleapis.com
  - cloudbilling.googleapis.com
  - iam.googleapis.com
  - admin.googleapis.com
  - appengine.googleapis.com
- billing.accounts.getIamPolicy on a billing account.
- billing.accounts.setIamPolicy on a billing account.
Specifying credentials
The Project Factory module uses the Google Terraform provider
to authenticate all GCP API calls.
To configure credentials, you should configure the google and google-beta providers.
Google App Engine Admin API - appengine.googleapis.com
Please note that if you are deploying an App Engine Flex application, you should not delete the default compute service account (as is default behavior). Please see the troubleshooting doc for more information.
Cloud Billing Budget API - billingbudgets.googleapis.com
Please note this API is only required if configuring budgets for projects.
Verifying setup
A preconditions checker script is
included to verify that all preconditions are met before the Project Factory
runs. The script will run automatically if the script dependencies (Python,
"google-auth", and "google-api-python-client") are available at runtime. If the
dependencies are not met, the precondition checking step will be skipped.
The precondition checker script can be directly invoked before running the project factory:
There is currently a bug with moving a project which was originally created at the root of the organization into a folder. The bug and workaround are described here, but as a general best practice it is easier to create all projects within folders to start. Moving projects between different folders is supported.
Deleting default service accounts
Default SAs can be removed by setting the default_service_account input variable to delete, but there are scenarios in which the default SAs are required, so keep the following considerations in mind:

- Cloud Scheduler depends on App Engine (and its default SA). The default SA is required to be able to set up Cloud Scheduler; please refer to the documentation for more up-to-date information.
- The combination of project-factory's default behavior, disable, and setting the constraints/iam.automaticIamGrantsForDefaultServiceAccounts org constraint removes the default Editor IAM role from the SAs and limits their use. However, when default_service_account is set to delete, be aware of the default SA dependency of the App Engine and Cloud Scheduler services. Accounts deleted within 30 days can be restored.
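As an added example (not code from the module or its README), the combination described above: the org constraint enforced at the organization, one project that keeps the module's default of disabling the SA, and an App Engine/Cloud Scheduler project that keeps it because of the dependency. The org id, billing account and project names are placeholders; the `keep` value of default_service_account and the module version are assumptions.

```hcl
# Added example, not the module's own code. Placeholders: org id, billing
# account, project names. Assumed: module version, the "keep" SA setting.

# Enforce constraints/iam.automaticIamGrantsForDefaultServiceAccounts at the
# organization so newly created default SAs are never auto-granted Editor,
# whether the module later disables, deletes or keeps them.
resource "google_organization_policy" "no_default_sa_editor" {
  org_id     = "ORG_ID_PLACEHOLDER"
  constraint = "iam.automaticIamGrantsForDefaultServiceAccounts"

  boolean_policy {
    enforced = true
  }
}

# Typical project: the module default, disable, rather than delete, so the SA
# can be re-enabled if a dependency surfaces instead of relying on the 30-day
# undelete window.
module "api_project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 14.0" # assumed

  name            = "api-project-example"
  org_id          = "ORG_ID_PLACEHOLDER"
  billing_account = "BILLING_ACCOUNT_PLACEHOLDER"

  default_service_account = "disable"

  # Create the project only after the constraint is in place.
  depends_on = [google_organization_policy.no_default_sa_editor]
}

# Project hosting App Engine Flex and Cloud Scheduler: the default SA is a
# dependency, so it is kept; the org policy above still stops the Editor grant.
module "appengine_project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 14.0" # assumed

  name            = "appengine-project-example"
  org_id          = "ORG_ID_PLACEHOLDER"
  billing_account = "BILLING_ACCOUNT_PLACEHOLDER"

  activate_apis = [
    "compute.googleapis.com",
    "appengine.googleapis.com",
    "cloudscheduler.googleapis.com",
  ]

  default_service_account = "keep" # assumed value; see the module's inputs

  depends_on = [google_organization_policy.no_default_sa_editor]
}
```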
G Suite
The core Project Factory solely deals with GCP APIs and does not integrate G Suite functionality. If you would like certain group-management functionality which was previously included in the Project Factory, see the G Suite module.
Install
Terraform
Be sure you have the correct Terraform version (0.13.0+); you can choose the binary here: