Merge pull request #309 from terraform-google-modules/fabric-issue-308

Fix issue #308 in fabric submodule, add submodule tests, general cleanup

Author: morgante

.kitchen.yml

@@ -32,6 +32,11 @@ suites:
       name: terraform
       command_timeout: 1800
       root_module_directory: test/fixtures/minimal
+  - name: fabric_project
+    driver:
+      name: terraform
+      command_timeout: 1800
+      root_module_directory: test/fixtures/fabric_project
 # Disabled due to issue #275
 # (https://github.com/terraform-google-modules/terraform-google-project-factory/issues/275)
 #  - name: full

CODEOWNERS

@@ -1 +1,4 @@
 * @morgante @aaron-lane @adrienthebo
+
+# CFT Fabric
+/modules/fabric-project/ @terraform-google-modules/cft-fabric

examples/fabric_project/README.md

@@ -0,0 +1,25 @@
+# Simple Project
+
+This example illustrates how to create a simple project using the `fabric-project` submodule.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| activate\_apis | Service APIs to enable. | list(string) | `<list>` | no |
+| billing\_account | Billing account id. | string | n/a | yes |
+| name | Project name, joined with prefix. | string | `"fabric-project"` | no |
+| owners | Optional list of IAM-format members to set as project owners. | list(string) | `<list>` | no |
+| parent | Organization or folder id, in the `organizations/nnn` or `folders/nnn` format. | string | n/a | yes |
+| prefix | Prefix prepended to project name, uses random id by default. | string | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| name | The name of the created project. |
+| project\_id | The project id of the created project. |
+| project\_number | The project number of the created project. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/fabric_project/main.tf

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  prefix = var.prefix == "" ? random_string.prefix.result : var.prefix
+}
+
+resource "random_string" "prefix" {
+  length  = 30 - length(var.name) - 1
+  upper   = false
+  number  = false
+  special = false
+}
+module "fabric-project" {
+  source          = "../../modules/fabric-project"
+  activate_apis   = var.activate_apis
+  billing_account = var.billing_account
+  name            = var.name
+  owners          = var.owners
+  parent          = var.parent
+  prefix          = local.prefix
+}

examples/fabric_project/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  description = "The project id of the created project."
+  value       = module.fabric-project.project_id
+}
+
+output "name" {
+  description = "The name of the created project."
+  value       = module.fabric-project.name
+}
+
+output "project_number" {
+  description = "The project number of the created project."
+  value       = module.fabric-project.number
+}

examples/fabric_project/variables.tf

@@ -0,0 +1,49 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "activate_apis" {
+  description = "Service APIs to enable."
+  type        = list(string)
+  default     = ["compute.googleapis.com"]
+}
+
+variable "billing_account" {
+  description = "Billing account id."
+  type        = string
+}
+
+variable "name" {
+  description = "Project name, joined with prefix."
+  type        = string
+  default     = "fabric-project"
+}
+
+variable "owners" {
+  description = "Optional list of IAM-format members to set as project owners."
+  type        = list(string)
+  default     = []
+}
+
+variable "parent" {
+  description = "Organization or folder id, in the `organizations/nnn` or `folders/nnn` format."
+  type        = string
+}
+
+variable "prefix" {
+  description = "Prefix prepended to project name, uses random id by default."
+  type        = string
+  default     = ""
+}

modules/fabric-project/README.md

@@ -34,24 +34,24 @@ module "project_myproject" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| activate\_apis | Service APIs to enable. | list | `<list>` | no |
-| auto\_create\_network | Whether to create the default network for the project | string | `"false"` | no |
+| activate\_apis | Service APIs to enable. | list(string) | `<list>` | no |
+| auto\_create\_network | Whether to create the default network for the project | bool | `"false"` | no |
 | billing\_account | Billing account id. | string | `""` | no |
-| custom\_roles | Map of role name => comma-delimited list of permissions to create in this project. | map | `<map>` | no |
-| editors | Optional list of IAM-format members to set as project editor. | list | `<list>` | no |
-| extra\_bindings\_members | List of comma-delimited IAM-format members for additional IAM bindings, one item per role. | list | `<list>` | no |
-| extra\_bindings\_roles | List of roles for additional IAM bindings, pair with members list below. | list | `<list>` | no |
-| gce\_service\_account\_roles | List of project id=>role to assign to the default GCE service account. | list | `<list>` | no |
-| labels | Resource labels. | map | `<map>` | no |
+| custom\_roles | Map of role name => comma-delimited list of permissions to create in this project. | map(string) | `<map>` | no |
+| editors | Optional list of IAM-format members to set as project editor. | list(string) | `<list>` | no |
+| extra\_bindings\_members | List of comma-delimited IAM-format members for additional IAM bindings, one item per role. | list(string) | `<list>` | no |
+| extra\_bindings\_roles | List of roles for additional IAM bindings, pair with members list below. | list(string) | `<list>` | no |
+| gce\_service\_account\_roles | List of project id=>role to assign to the default GCE service account. | list(string) | `<list>` | no |
+| labels | Resource labels. | map(string) | `<map>` | no |
 | lien\_reason | If non-empty, creates a project lien with this description. | string | `""` | no |
 | name | Project name and id suffix. | string | n/a | yes |
-| oslogin | Enable oslogin. | string | `"false"` | no |
-| oslogin\_admins | List of IAM-format members that will get OS Login admin role. | list | `<list>` | no |
-| oslogin\_users | List of IAM-format members that will get OS Login user role. | list | `<list>` | no |
-| owners | Optional list of IAM-format members to set as project owners. | list | `<list>` | no |
-| parent | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id | string | n/a | yes |
-| prefix | Prefix used to generate project id and name | string | n/a | yes |
-| viewers | Optional list of IAM-format members to set as project viewers. | list | `<list>` | no |
+| oslogin | Enable oslogin. | bool | `"false"` | no |
+| oslogin\_admins | List of IAM-format members that will get OS Login admin role. | list(string) | `<list>` | no |
+| oslogin\_users | List of IAM-format members that will get OS Login user role. | list(string) | `<list>` | no |
+| owners | Optional list of IAM-format members to set as project owners. | list(string) | `<list>` | no |
+| parent | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | string | n/a | yes |
+| prefix | Prefix used to generate project id and name. | string | n/a | yes |
+| viewers | Optional list of IAM-format members to set as project viewers. | list(string) | `<list>` | no |
 
 ## Outputs
 
@@ -61,6 +61,7 @@ module "project_myproject" {
 | custom\_roles | Ids of the created custom roles. |
 | gce\_service\_account | Default GCE service account (depends on services). |
 | gke\_service\_account | Default GKE service account (depends on services). |
+| name | Name (depends on services). |
 | number | Project number (depends on services). |
 | project\_id | Project id (depends on services). |
 

modules/fabric-project/main.tf

@@ -37,11 +37,12 @@ resource "google_project" "project" {
   labels              = var.labels
 }
 
-module "project_services" {
-  source = "../project_services"
-
-  project_id    = google_project.project.project_id
-  activate_apis = var.activate_apis
+resource "google_project_service" "project_services" {
+  for_each                   = toset(var.activate_apis)
+  project                    = google_project.project.project_id
+  service                    = each.value
+  disable_on_destroy         = true
+  disable_dependent_services = true
 }
 
 # this will fail for external users, who need to be manually added so they
@@ -74,7 +75,7 @@ resource "google_compute_project_metadata_item" "oslogin_meta" {
   value   = "TRUE"
 
   # depend on services or it will fail on destroy
-  depends_on = [module.project_services]
+  depends_on = [google_project_service.project_services]
 }
 
 resource "google_project_iam_member" "oslogin_admins" {

modules/fabric-project/outputs.tf

@@ -17,31 +17,37 @@
 output "project_id" {
   description = "Project id (depends on services)."
   value       = google_project.project.project_id
-  depends_on  = [google_project_services.services]
+  depends_on  = [google_project_service.project_services]
+}
+
+output "name" {
+  description = "Name (depends on services)."
+  value       = google_project.project.name
+  depends_on  = [google_project_service.project_services]
 }
 
 output "number" {
   description = "Project number (depends on services)."
   value       = google_project.project.number
-  depends_on  = [google_project_services.services]
+  depends_on  = [google_project_service.project_services]
 }
 
 output "cloudsvc_service_account" {
   description = "Cloud services service account (depends on services)."
   value       = "${local.cloudsvc_service_account}"
-  depends_on  = ["google_project_services.services"]
+  depends_on  = [google_project_service.project_services]
 }
 
 output "gce_service_account" {
   description = "Default GCE service account (depends on services)."
   value       = local.gce_service_account
-  depends_on  = [google_project_services.services]
+  depends_on  = [google_project_service.project_services]
 }
 
 output "gke_service_account" {
   description = "Default GKE service account (depends on services)."
   value       = local.gke_service_account
-  depends_on  = [google_project_services.services]
+  depends_on  = [google_project_service.project_services]
 }
 
 output "custom_roles" {

modules/fabric-project/variables.tf

@@ -15,59 +15,71 @@
  */
 
 variable "parent" {
-  description = "The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id"
+  description = "The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id."
+  type        = string
 }
 
 variable "prefix" {
-  description = "Prefix used to generate project id and name"
+  description = "Prefix used to generate project id and name."
+  type        = string
 }
 
 variable "name" {
   description = "Project name and id suffix."
+  type        = string
 }
 
 variable "billing_account" {
   description = "Billing account id."
+  type        = string
   default     = ""
 }
 
 variable "activate_apis" {
   description = "Service APIs to enable."
+  type        = list(string)
   default     = []
 }
 
 variable "owners" {
   description = "Optional list of IAM-format members to set as project owners."
+  type        = list(string)
   default     = []
 }
 
 variable "editors" {
   description = "Optional list of IAM-format members to set as project editor."
+  type        = list(string)
   default     = []
 }
 
 variable "viewers" {
   description = "Optional list of IAM-format members to set as project viewers."
+  type        = list(string)
   default     = []
 }
 
 variable "lien_reason" {
   description = "If non-empty, creates a project lien with this description."
+  type        = string
   default     = ""
 }
 
 variable "oslogin" {
   description = "Enable oslogin."
+  type        = bool
   default     = false
 }
 
 variable "oslogin_admins" {
   description = "List of IAM-format members that will get OS Login admin role."
+  type        = list(string)
   default     = []
 }
 
 variable "oslogin_users" {
   description = "List of IAM-format members that will get OS Login user role."
+  type        = list(string)
   default     = []
 }
 
@@ -76,31 +88,37 @@ variable "oslogin_users" {
 
 variable "extra_bindings_roles" {
   description = "List of roles for additional IAM bindings, pair with members list below."
+  type        = list(string)
   default     = []
 }
 
 variable "extra_bindings_members" {
   description = "List of comma-delimited IAM-format members for additional IAM bindings, one item per role."
+  type        = list(string)
   default     = []
 }
 
 variable "auto_create_network" {
   description = "Whether to create the default network for the project"
+  type        = bool
   default     = false
 }
 
 variable "custom_roles" {
   description = "Map of role name => comma-delimited list of permissions to create in this project."
+  type        = map(string)
   default     = {}
 }
 
 variable "gce_service_account_roles" {
   description = "List of project id=>role to assign to the default GCE service account."
+  type        = list(string)
   default     = []
 }
 
 variable "labels" {
   description = "Resource labels."
+  type        = map(string)
   default     = {}
 }