This module performs the same functions as the root module with the addition of assigning the project as a Shared VPC service project associated with a given host project and granting IAM permissions on host project and subnets to appropriate API service accounts based on activated APIs.
The advantage of using this module over the root module, is being able to provision both the host project and service projects within a single configuration. See examples/shared_vpc for a full example.
module "service-project" {
source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
version = "~> 14.5"
name = "pf-test-1"
random_project_id = true
org_id = "1234567890"
usage_bucket_name = "pf-test-1-usage-report-bucket"
usage_bucket_prefix = "pf/test/1/integration"
billing_account = "ABCDEF-ABCDEF-ABCDEF"
shared_vpc = module.host-project.project_id
activate_apis = [
"compute.googleapis.com",
"container.googleapis.com",
"dataproc.googleapis.com",
"dataflow.googleapis.com",
]
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| activate_api_identities | The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles). APIs in this list will automatically be appended to activate_apis.Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created). Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles. |
list(object({ |
[] |
no |
| activate_apis | The list of apis to activate within the project | list(string) |
[ |
no |
| auto_create_network | Create the default network | bool |
false |
no |
| billing_account | The ID of the billing account to associate this project with | string |
n/a | yes |
| bucket_location | The location for a GCS bucket to create (optional) | string |
"US" |
no |
| bucket_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | string |
"" |
no |
| bucket_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string |
"" |
no |
| bucket_versioning | Enable versioning for a GCS bucket to create (optional) | bool |
false |
no |
| budget_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of projects/{project_id}/topics/{topic_id} |
string |
null |
no |
| budget_alert_spent_percents | A list of percentages of the budget to alert on when threshold is exceeded | list(number) |
[ |
no |
| budget_amount | The amount to use for a budget alert | number |
null |
no |
| budget_monitoring_notification_channels | A list of monitoring notification channels in the form [projects/{project_id}/notificationChannels/{channel_id}]. A maximum of 5 channels are allowed. |
list(string) |
[] |
no |
| create_project_sa | Whether the default service account for the project shall be created | bool |
true |
no |
| default_network_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | string |
"" |
no |
| default_service_account | Project default service account setting: can be one of delete, deprivilege, disable, or keep. |
string |
"disable" |
no |
| disable_dependent_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | bool |
true |
no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed | bool |
true |
no |
| domain | The domain name (optional). | string |
"" |
no |
| folder_id | The ID of a folder to host this project | string |
"" |
no |
| grant_network_role | Whether or not to grant service agents the network roles on the host project | bool |
true |
no |
| grant_services_security_admin_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | bool |
false |
no |
| group_name | A group to control the project by being assigned group_role (defaults to project editor) | string |
"" |
no |
| group_role | The role to give the controlling group (group_name) over the project (defaults to project editor) | string |
"roles/editor" |
no |
| labels | Map of labels for project | map(string) |
{} |
no |
| lien | Add a lien on the project to prevent accidental deletion | bool |
false |
no |
| name | The name for the project | string |
n/a | yes |
| org_id | The organization ID. | string |
n/a | yes |
| project_id | The ID to give the project. If not provided, the name will be used. |
string |
"" |
no |
| project_sa_name | Default service account name for the project. | string |
"project-service-account" |
no |
| random_project_id | Adds a suffix of 4 random characters to the project_id |
bool |
false |
no |
| sa_role | A role to give the default Service Account for the project (defaults to none) | string |
"" |
no |
| shared_vpc | The ID of the host project which hosts the shared VPC | string |
"" |
no |
| shared_vpc_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list(string) |
[] |
no |
| usage_bucket_name | Name of a GCS bucket to store GCE usage reports in (optional) | string |
"" |
no |
| usage_bucket_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string |
"" |
no |
| Name | Description |
|---|---|
| domain | The organization's domain |
| group_email | The email of the G Suite group with group_name |
| project_bucket_self_link | Project's bucket selfLink |
| project_bucket_url | Project's bucket url |
| project_id | If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. |
| project_name | The name for the project |
| project_number | The number for the project |
| service_account_display_name | The display name of the default service account |
| service_account_email | The email of the default service account |
| service_account_id | The id of the default service account |
| service_account_name | The fully-qualified name of the default service account |
| service_account_unique_id | The unique id of the default service account |