terraform-google-modules/terraform-google-project-factoryPublic

NotificationsYou must be signed in to change notification settings
Fork570
Star917

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs

registry.terraform.io/modules/terraform-google-modules/project-factory/google

License

Apache-2.0 license

917 stars 570 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 1,259 Commits
.github		.github
build		build
docs		docs
examples		examples
helpers		helpers
modules		modules
test		test
.gitignore		.gitignore
.kitchen.yml		.kitchen.yml
.pre-commit-config.yaml		.pre-commit-config.yaml
CHANGELOG.md		CHANGELOG.md
CODEOWNERS		CODEOWNERS
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
main.tf		main.tf
metadata.display.yaml		metadata.display.yaml
metadata.yaml		metadata.yaml
outputs.tf		outputs.tf
variables.tf		variables.tf
versions.tf		versions.tf

Repository files navigation

Google Cloud Project Factory Terraform Module

FAQ |Troubleshooting Guide |Glossary.

This module allows you to create opinionated Google Cloud Platform projects. Itcreates projects and configures aspects like Shared VPC connectivity, IAMaccess, Service Accounts, and API enablement to follow best practices.

To include G Suite integration for creating groups and adding Service Accounts into groups, use thegsuite_enabled module.

Compatibility

This module is meant for use with Terraform 1.3+ and tested using Terraform 1.10+. If you find incompatibilities using Terraform >= 1.3, please open an issue.If you haven'tupgraded and need a Terraform0.12.x-compatible version of this module, the last released versionintended for Terraform 0.12.x is9.2.0.

Upgrading

See thedocs for detailed instructions on upgrading between major releases of the module.

Usage

There are multiple examples included in theexamples folder but simple usage is as follows:

module"project-factory" {source="terraform-google-modules/project-factory/google"version="~> 18.2"name="pf-test-1"random_project_id=trueorg_id="1234567890"usage_bucket_name="pf-test-1-usage-report-bucket"usage_bucket_prefix="pf/test/1/integration"billing_account="ABCDEF-ABCDEF-ABCDEF"svpc_host_project_id="shared_vpc_host_name"shared_vpc_subnets=["projects/base-project-196723/regions/us-east1/subnetworks/default","projects/base-project-196723/regions/us-central1/subnetworks/default","projects/base-project-196723/regions/us-central1/subnetworks/subnet-1",  ]}

Features

The Project Factory module will take the following actions:

Create a new GCP project using theproject_name.
If a shared VPC is specified, attach the new project to thesvpc_host_project_id.
It will also give the following users network access on the specified subnets:
- The project's new default service account (see step 4)
- The Google API service account for the project
- The project controlling group specified ingroup_name
Delete the default compute service account.
Create a new default service account for the project.
1. Give it access to the shared VPC(to be able to launch instances).
Attach the billing account (billing_account) to the project.
Give the controlling group access to the project, with thegroup_role.
Enable the required and specified APIs (activate_apis).
Delete the default network.
Enable usage report for GCE into central project bucket(target_usage_bucket), if provided.
If specified, create the GCS bucketbucket_name and give thefollowing accounts Storage Admin on it:
1. The controlling group (group_name).
2. The new default compute service account created for the project.
3. The Google APIs service account for the project.

The roles granted are specifically:

New Default Service Account
- compute.networkUser on host project or specified subnets
- storage.admin onbucket_name GCS bucket
group_name is the controlling group
- compute.networkUser on host project or specific subnets
- Specifiedgroup_role on project
- iam.serviceAccountUser on the default Service Account
- storage.admin onbucket_name GCS bucket
Google APIs Service Account
- compute.networkUser on host project or specified subnets
- storage.admin onbucket_name GCS bucket

Shared VPC subnets and IAM permissions

A service project's access to shared VPC networks is controlled via theroles/compute.networkUser role and the location to where that role isassigned. If that role is assigned to the shared VPC host project, then theservice project will have access toall shared VPC subnetworks. If that roleis assigned to individual subnetworks, then the service project will haveaccess to only the subnetworks on which that role was assigned. The logic fordetermining that location is as follows:

Ifvar.svpc_host_project_id andvar.shared_vpc_subnets are not set then thecompute.networkUser role is not assigned
Ifvar.svpc_host_project_id is set but no subnetworks are provided viavar.shared_vpc_subnets then thecompute.networkUser role is assigned at the host project and the service project will have access to all shared VPC subnetworks
Ifvar.svpc_host_project_id is set andvar.shared_vpc_subnets contains an array of subnetworks then thecompute.networkUser role is assigned to each subnetwork in the array

Inputs

Name	Description	Type	Default	Required
activate_api_identities	The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles). APIs in this list will automatically be appended to`activate_apis`. Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created). Any roles (e.g. service agent role) must be explicitly listed. Seehttps://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.	list(object({ api = string roles = list(string) }))	`[]`	no
activate_apis	The list of apis to activate within the project	`list(string)`	[ "compute.googleapis.com" ]	no
auto_create_network	Create the default network	`bool`	`false`	no
billing_account	The ID of the billing account to associate this project with	`string`	n/a	yes
bucket_force_destroy	Force the deletion of all objects within the GCS bucket when deleting the bucket (optional)	`bool`	`false`	no
bucket_labels	A map of key/value label pairs to assign to the bucket (optional)	`map(string)`	`{}`	no
bucket_location	The location for a GCS bucket to create (optional)	`string`	`"US"`	no
bucket_name	A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional)	`string`	`""`	no
bucket_pap	Enable Public Access Prevention. Possible values are "enforced" or "inherited".	`string`	`"inherited"`	no
bucket_project	A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional)	`string`	`""`	no
bucket_ula	Enable Uniform Bucket Level Access	`bool`	`true`	no
bucket_versioning	Enable versioning for a GCS bucket to create (optional)	`bool`	`false`	no
budget_alert_pubsub_topic	The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of`projects/{project_id}/topics/{topic_id}`	`string`	`null`	no
budget_alert_spend_basis	The type of basis used to determine if spend has passed the threshold	`string`	`"CURRENT_SPEND"`	no
budget_alert_spent_percents	A list of percentages of the budget to alert on when threshold is exceeded	`list(number)`	[ 0.5, 0.7, 1 ]	no
budget_amount	The amount to use for a budget alert	`number`	`null`	no
budget_calendar_period	Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. custom_period_start_date and custom_period_end_date must be set if CUSTOM	`string`	`null`	no
budget_custom_period_end_date	Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM	`string`	`null`	no
budget_custom_period_start_date	Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM	`string`	`null`	no
budget_display_name	The display name of the budget. If not set defaults to `Budget For <projects[0]	All Projects>`	`string`	`null`
budget_labels	A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget.	`map(string)`	`{}`	no
budget_monitoring_notification_channels	A list of monitoring notification channels in the form`[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed.	`list(string)`	`[]`	no
cloud_armor_tier	Managed protection tier to be set. Possible values are: CA_STANDARD, CA_ENTERPRISE_PAYGO	`string`	`null`	no
consumer_quotas	The quotas configuration you want to override for the project.	list(object({ service = string, metric = string, dimensions = map(string), limit = string, value = string, }))	`[]`	no
create_project_sa	Whether the default service account for the project shall be created	`bool`	`true`	no
default_network_tier	Default Network Service Tier for resources created in this project. If unset, the value will not be modified. Seehttps://cloud.google.com/network-tiers/docs/using-network-service-tiers andhttps://cloud.google.com/network-tiers.	`string`	`""`	no
default_service_account	Project default service account setting: can be one of`delete`,`deprivilege`,`disable`, or`keep`.	`string`	`"disable"`	no
deletion_policy	The deletion policy for the project. Possible values are: DELETE, PREVENT	`string`	`"PREVENT"`	no
disable_dependent_services	Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed.	`bool`	`true`	no
disable_services_on_destroy	Whether project services will be disabled when the resources are destroyed	`bool`	`true`	no
domain	The domain name (optional).	`string`	`""`	no
enable_shared_vpc_host_project	If this project is a shared VPC host project. If true, you mustnot set svpc_host_project_id variable. Default is false.	`bool`	`false`	no
essential_contacts	A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category	`map(list(string))`	`{}`	no
folder_id	The ID of a folder to host this project	`string`	`""`	no
grant_network_role	Whether or not to grant networkUser role on the host project/subnets	`bool`	`true`	no
grant_services_security_admin_role	Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules	`bool`	`false`	no
group_name	A group to control the project by being assigned group_role (defaults to project editor)	`string`	`""`	no
group_role	The role to give the controlling group (group_name) over the project (defaults to project editor)	`string`	`"roles/editor"`	no
labels	Map of labels for project	`map(string)`	`{}`	no
language_tag	Language code to be used for essential contacts notifications	`string`	`"en-US"`	no
lien	Add a lien on the project to prevent accidental deletion	`bool`	`false`	no
name	The name for the project	`string`	n/a	yes
org_id	The organization ID.	`string`	`null`	no
project_id	The ID to give the project. If not provided, the`name` will be used.	`string`	`""`	no
project_sa_description	Description to set for the project default service account.	`string`	`null`	no
project_sa_name	Default service account name for the project.	`string`	`"project-service-account"`	no
random_project_id	Adds a suffix of 4 random characters to the`project_id`.	`bool`	`false`	no
random_project_id_length	Sets the length of`random_project_id` to the provided length, and uses a`random_string` for a larger collusion domain. Recommended for use with CI.	`number`	`null`	no
sa_role	A role to give the default Service Account for the project (defaults to none)	`string`	`""`	no
shared_vpc_subnets	List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)	`list(string)`	`[]`	no
svpc_host_project_id	The ID of the host project which hosts the shared VPC	`string`	`""`	no
tag_binding_values	Tag values to bind the project to.	`list(string)`	`[]`	no
usage_bucket_name	Name of a GCS bucket to store GCE usage reports in (optional)	`string`	`""`	no
usage_bucket_prefix	Prefix in the GCS bucket to store GCE usage reports in (optional)	`string`	`""`	no
vpc_service_control_attach_dry_run	Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true	`bool`	`false`	no
vpc_service_control_attach_enabled	Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true	`bool`	`false`	no
vpc_service_control_perimeter_name	The name of a VPC Service Control Perimeter to add the created project to	`string`	`null`	no
vpc_service_control_sleep_duration	The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent.	`string`	`"5s"`	no

Outputs

Name	Description
api_s_account	API service account email
api_s_account_fmt	API service account email formatted for terraform use
budget_name	The name of the budget if created
domain	The organization's domain
enabled_api_identities	Enabled API identities in the project
enabled_apis	Enabled APIs in the project
group_email	The email of the G Suite group with group_name
project_bucket_self_link	Project's bucket selfLink
project_bucket_url	Project's bucket url
project_id	ID of the project
project_name	Name of the project
project_number	Numeric identifier for the project
service_account_display_name	The display name of the default service account
service_account_email	The email of the default service account
service_account_id	The id of the default service account
service_account_name	The fully-qualified name of the default service account
service_account_unique_id	The unique id of the default service account
tag_bindings	Tag bindings
usage_report_export_bucket	GCE usage reports bucket

Requirements

Software

gcloud sdk >= 269.0.0
jq >= 1.6
Terraform >= 1.3
terraform-provider-google plugin >= 5.41
terraform-provider-google-beta plugin >= 5.41
terraform-provider-gsuite plugin ~> 0.1.x if GSuite functionality is desired

Permissions

In order to execute this module you must have a Service Account with thefollowing roles:

roles/resourcemanager.folderViewer on the folder that you want to create theproject in
roles/resourcemanager.organizationViewer on the organization
roles/resourcemanager.projectCreator on the organization
roles/billing.user on the organization
roles/storage.admin on bucket_project
If you are using shared VPC:
- roles/billing.user on the organization
- roles/compute.xpnAdmin on the organization
- roles/compute.networkAdmin on the organization
- roles/browser on the Shared VPC host project
- roles/resourcemanager.projectIamAdmin on the Shared VPC host project

Script Helper

Ahelper script is included to create the Seed ServiceAccount in theSeed Project,grant the necessary roles to theSeed Service Account,and enable the necessary API's in the Seed Project. Run it as follows:

./helpers/setup-sa.sh -o<organization id> -p<project id> [-b<billing account id>] [-f<folder id>] [-n<service account name>]

In order to execute this script, you must have an account with the following list ofpermissions:

resourcemanager.organizations.list
resourcemanager.projects.list
billing.accounts.list
iam.serviceAccounts.create
iam.serviceAccountKeys.create
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.setIamPolicy
serviceusage.services.enable on the project
servicemanagement.services.bind on following services:
- cloudresourcemanager.googleapis.com
- cloudbilling.googleapis.com
- iam.googleapis.com
- admin.googleapis.com
- appengine.googleapis.com
billing.accounts.getIamPolicy on a billing account.
billing.accounts.setIamPolicy on a billing account.

Specifying credentials

The Project Factory module uses theGoogle Terraform providerto authenticate all GCP API calls.To configure credentials, you should configure thegoogle andgoogle-beta providers.

provider"google" {credentials="${file(var.credentials_path)}"}provider"google-beta" {credentials="${file(var.credentials_path)}"}

APIs

In order to operate the Project Factory, you must activate the following APIs onthe base project where the Service Account was created:

Cloud Resource Manager API -cloudresourcemanager.googleapis.comtroubleshooting
Cloud Billing API -cloudbilling.googleapis.comtroubleshooting
Identity and Access Management API -iam.googleapis.comtroubleshooting
Admin SDK -admin.googleapis.comtroubleshooting

Optional APIs

Google App Engine Admin API -appengine.googleapis.comtroubleshooting
- Please note that if you are deploying an App Engine Flex application, you should not delete the default compute service account(as is default behavior). Please see thetroubleshooting doc for more information.
Cloud Billing Budget API -billingbudgets.googleapis.com
- Please note this API is only required if configuring budgets for projects.

Verifying setup

Apreconditions checker script isincluded to verify that all preconditions are met before the Project Factoryruns. The script will run automatically if the script dependencies (Python,"google-auth", and "google-api-python-client") are available at runtime. If thedependencies are not met, the precondition checking step will be skipped.

The precondition checker script can be directly invoked before running theproject factory:

./helpers/preconditions/preconditions.py \  --credentials_path"./credentials.json" \  --billing_account 000000-000000-000000 \  --org_id 000000000000 \  --folder_id 000000000000 \  --shared_vpc'shared-vpc-host-ed64'

Caveats

Moving projects from org into a folder

There is currently a bug with moving a project which was originally created atthe root of the organization into a folder. The bug and workaround is describedhere,but as a general best practice it is easier to create all projects withinfolders to start. Moving projects between different foldersis supported.

Deleting default service accounts

Default SAs can be removed by settingdefault_service_account input variable todelete, but there can be certain scenarios where the default SAs are required. Hence some considerations to be aware of:

Using App Engine SA.
Cloud Scheduler dependency on AppEngine(default SA). Default SA is required to be able to setupCloud scheduler, please refer to thedocument for more upto date information.

With a combination of project-factory's default behavior,disable, and settingconstraints/iam.automaticIamGrantsForDefaultServiceAccounts org constraint will address removing the default editor IAM role on the SAs and limits the SA usage. However, when thedefault_service_account is set todelete please be aware of the default SA dependency for AppEngine/CloudScheduler services. Accounts deleted within 30days can berestored.

G Suite

The core Project Factory solely deals with GCP APIs and does not integrate G Suite functionality. If you would like certain group-management functionality which was previously included in the Project Factory, see theG Suite module.