An Extenda Retail maintained Terraform module that creates project resources within Google Cloud Platform and GSuite. It creates projects and configures Service Accounts, IAM access, API enablement, Workload Identity and GitHub Secrets.
| Name | Version |
|---|---|
| | ~> 3.8 |
| gsuite | ~> 0.1.35 |
The GSuite Provider must be manually downloaded and installed in `$HOME/.terraform.d/plugins`. See the GSuite Provider GitHub repo for installation instructions.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| activate_apis | The list of APIs to activate within the project | list(string) | n/a | yes |
| additional_user_access | List of IAM Roles to assign to groups and users | list(object({ | [] | no |
| billing_account | The ID of the billing account to associate this project with | any | n/a | yes |
| bucket_name | The name of the bucket that will contain terraform state - must be globally unique | any | n/a | yes |
| ci_cd_sa | Map of IAM Roles to assign to the CI/CD Pipeline Service Account | list(object({ | [ | no |
| clan_gsuite_group | The name of the clan group that needs to be added to the Service GSuite Group | string | "" | no |
| clan_roles | Roles to be added to the clan's group in the staging project | list(string) | [] | no |
| cloudrun_sa | Map of IAM Roles to assign to the CloudRun Runtime Service Account | list(object({ | [ | no |
| common_iam_roles | Default list of IAM Roles to assign to every Services Service Account | list(string) | [ | no |
| create_ci_cd_group | If the Service GSuite Group should be created for the CI/CD Service Account | bool | false | no |
| create_ci_cd_service_account | If the CI/CD Service Account should be created | bool | true | no |
| create_cloudrun_group | If the Service GSuite Group should be created for the CloudRun Runtime Service Account | bool | false | no |
| create_cloudrun_service_account | If the CloudRun Runtime Service Account should be created | bool | true | no |
| create_custom_roles | If the Custom Roles from the additional-user-access submodule should be created | bool | true | no |
| create_jit_access | If the eligible roles should be created | bool | false | no |
| create_pact_secrets | If the pact-broker secrets should be created | bool | false | no |
| create_sa | If the Service Account should be created | bool | true | no |
| create_secret_manager_group | If the Service GSuite Group should be created for the Secret Manager Access Service Account | bool | false | no |
| create_secret_manager_service_account | If the Secret Manager Access Service Account should be created | bool | false | no |
| create_service_sa | If the Service Account for new Services should be created | bool | true | no |
| create_services_group | If the Service GSuite Group should be created for the Services (services variable) | bool | true | no |
| credentials | JSON encoded service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to the GOOGLE_APPLICATION_CREDENTIALS env variable. | any | null | no |
| custom_external_roles | Map of service or service account name to external project to list of IAM roles to add | map(map(list(string))) | {} | no |
| default_service_account | Project default service account setting: can be one of delete, deprivilege, disable, or keep. | string | "deprivilege" | no |
| dns_project_iam_roles | List of IAM Roles to add to the DNS project | list(string) | [ | no |
| dns_project_id | ID of the project hosting Google Cloud DNS | string | "" | no |
| domain | Domain name of the Organization | string | n/a | yes |
| env_name | Environment name (staging/prod). Creation of some resources depends on env_name | string | "" | no |
| folder_id | The ID of a folder to host this project | any | n/a | yes |
| gcr_project_iam_roles | List of IAM Roles to add to the GCR project | list(string) | [ | no |
| gcr_project_id | ID of the project hosting Google Container Registry | string | "" | no |
| github_organization | GitHub organization to use the GitHub provider with | string | "extenda" | no |
| github_token | GitHub token value (used instead of requesting the GCP secret) | string | "" | no |
| github_token_gcp_project | GCP project that contains Secret Manager for the GitHub token | string | "tf-admin-90301274" | no |
| github_token_gcp_secret | GCP secret name for the GitHub token | string | "github-token" | no |
| gke_ca_certificate | Kubernetes certificate | string | "" | no |
| gke_host | Kubernetes endpoint | string | "no-gke-host" | no |
| impersonated_user_email | Email account of the GSuite Admin user to impersonate for creating GSuite Groups. If not provided, will default to `terraform@<var.domain>` | string | "" | no |
| jit_access | Map of IAM Roles to assign to the group | list(object({ | [] | no |
| labels | Map of labels for the project | map(string) | {} | no |
| name | The name for the project | any | n/a | yes |
| org_id | The organization ID | any | n/a | yes |
| pact_project_id | GCP project that contains secrets for pact-broker | string | "platform-prod-2481" | no |
| pactbroker_pass_secret | GCP secret name for the pact-broker password | string | "pactbroker_password" | no |
| pactbroker_user_secret | GCP secret name for the pact-broker user | string | "pactbroker_username" | no |
| parent_project_iam_roles | List of IAM Roles to add to the parent project | list(string) | [ | no |
| pipeline_project_id | GCP project that contains secrets for the Slack notify token | string | "pipeline-secrets-1136" | no |
| parent_project_id | ID of the project in which to grant additional IAM roles to the current project's CI/CD service account. Ignored if empty | string | "" | no |
| project_type | What type of project this is applied to | string | "clan_project" | no |
| random_project_id | Adds a suffix of 4 random characters to the project_id | bool | true | no |
| repositories | The GitHub repositories to update | list(string) | [] | no |
| secret_manager_sa | Map of IAM Roles to assign to the Secret Manager Access Service Account | list(object({ | [ | no |
| service_accounts | Map of IAM Roles to assign to the Service Account | list(object({ | [] | no |
| service_group_name | The name of the group that will be created for a service | string | "" | no |
| services | Map of IAM Roles to assign to the Services Service Account | list(object({ | [] | no |
| shared_vpc | The ID of the host project which hosts the shared VPC | string | "" | no |
| shared_vpc_subnets | List of fully qualified subnet IDs (i.e. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list(string) | [] | no |
| slack_notify_secret | GCP secret name for the Slack token | string | "slack-notify-token" | no |
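A minimal invocation of the module is shown below as an added example; it is not taken from the module's own README or source. The module `source` path, the root-module variables `var.org_id`, `var.folder_id` and `var.billing_account`, the `example.com` domain and the project, bucket and group names are all placeholders or constructed values. The example supplies every required input from the table above and makes the least-privilege related defaults explicit, so a reviewer can see at a glance that the default compute service account is deprivileged and that only the service accounts the project actually needs are created. Because several outputs are base64-encoded private keys, the trailing `output` block marks the one it re-exports as `sensitive` so it is redacted from plan and apply output (it is still written to state, so the state bucket itself must be access-controlled).

```hcl
# Added example of calling the module; not part of the module's README.

# Assumed root-module variables (placeholders, supplied by the caller).
variable "org_id" {}
variable "folder_id" {}
variable "billing_account" {}

module "service_project" {
  source = "./modules/extenda-project" # placeholder: path or git ref of the module

  # Required inputs
  name            = "checkout-staging"         # constructed project name
  org_id          = var.org_id
  folder_id       = var.folder_id
  billing_account = var.billing_account
  domain          = "example.com"              # placeholder organisation domain
  bucket_name     = "checkout-staging-tfstate" # constructed; must be globally unique
  activate_apis = [
    "run.googleapis.com",
    "secretmanager.googleapis.com",
  ]

  # Least-privilege settings, left explicit even where they match the defaults
  default_service_account = "deprivilege" # remove Editor from the default compute SA
  random_project_id       = true          # non-predictable project IDs
  env_name                = "staging"

  # Create only the service accounts and groups this project needs
  create_ci_cd_service_account          = true
  create_cloudrun_service_account       = true
  create_secret_manager_service_account = false
  create_jit_access                     = false

  # Baseline roles for every Services service account (real GCP role names)
  common_iam_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
  ]

  clan_gsuite_group = "checkout-team"  # constructed group name
  clan_roles        = ["roles/viewer"] # read-only for the team in staging

  labels = {
    env  = "staging"
    team = "checkout"
  }
}

# Private-key outputs are secrets: mark them sensitive so they are redacted
# from CLI output. They still reside in Terraform state, so restrict access
# to the bucket returned by terraform_state_bucket.
output "ci_cd_key" {
  value     = module.service_project.ci_cd_service_account_private_key_encoded
  sensitive = true
}
```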
| Name | Description |
|---|---|
| ci_cd_service_account_email | The CI/CD pipeline service account email |
| ci_cd_service_account_private_key_encoded | The CI/CD pipeline service account base64 encoded JSON key |
| cloudrun_service_account_email | The Cloud Run service account email |
| enabled_apis | Enabled APIs in the project |
| gsuite_group_email | The GSuite group emails created per each service |
| project_id | The project ID |
| project_name | The project name |
| project_number | The project number |
| secret_manager_service_account_private_key_encoded | The Cloud Run service account base64 encoded JSON key |
| service_account_email | The default service account email |
| service_account_private_keys_encoded | Service accounts base64 encoded JSON keys |
| service_emails | Services service account emails |
| service_private_keys_encoded | The Services service account base64 encoded JSON key |
| terraform_state_bucket | Bucket for saving terraform state of project resources |