This repository has been archived by the owner on Dec 4, 2023. It is now read-only.

README.md

DEPRECATED

This repository is no longer supported.

Please consider using one of the following repositories instead,

Terraform Modules

A set of Terraform Modules for configuring Production Infrastructure with Google Cloud Platform.

Supported Versions

terraform {
  required_version = "~> v1.6.2"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.4.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 5.4.0"
    }
  }
}

Instructions

Service Account

Define a Service Account in this way,

module "my_service_account" {
  source = "git::https://github.com/jobtome-labs/terraform-modules.git//serviceaccount-with-iam?ref=v4.3.0"

  project     = "my-gcp-project"
  name        = "my-application-deployer"
  displayname = "My Application Deployer"
  description = "Service Account for My Application Deployer"

  roles = ["roles/container.viewer"]
}
  • displayname is Optional and defaults to the name
  • description is Optional and defaults to empty
  • roles is an array of Roles
    • Custom Roles should be specified in the following form: projects/<project-name>/roles/<role-name>
    • Built-In Roles: roles/<role-name>

NOTE: Currently, if a Service Account is assigned an IAM Permission manually (in GCP Console), Terraform will NOT notice and will not remove it at next apply. This will be fixed in a future version by using resource type google_project_iam_binding instead of the current google_project_iam_member.
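The NOTE above is about the difference between a non-authoritative and an authoritative IAM resource. The following is an added example (not code from the jobtome-labs module) that puts the two side by side; it assumes a google_service_account resource named "deployer" and reuses the project and roles inputs from the module interface above. Use one variant or the other, not both.

```hcl
# Added example, not part of the terraform-modules repository.
# Assumed: a dedicated google_service_account for the deployer and the
# "project" / "roles" inputs shown in the module call above.

variable "project" {
  type = string
}

variable "roles" {
  type = list(string)
}

resource "google_service_account" "deployer" {
  project      = var.project
  account_id   = "my-application-deployer"
  display_name = "My Application Deployer"
}

# Variant A, non-authoritative (what the module currently does):
# each resource manages exactly one (role, member) pair. A role granted to
# this account by hand in the Console is outside Terraform's view, so
# `terraform plan` shows no diff and `terraform apply` leaves it in place.
resource "google_project_iam_member" "deployer" {
  for_each = toset(var.roles)

  project = var.project
  role    = each.value
  member  = "serviceAccount:${google_service_account.deployer.email}"
}

# Variant B, authoritative per role (the fix the NOTE refers to):
# Terraform owns the complete member list of every role in var.roles.
# A member added out of band to one of these roles shows up in
# `terraform plan` as a removal and is dropped at the next apply.
# Caveat: this applies to ALL members of the role, not only this service
# account, so every principal that legitimately holds the role must be
# listed here or it will lose it.
resource "google_project_iam_binding" "deployer" {
  for_each = toset(var.roles)

  project = var.project
  role    = each.value
  members = [
    "serviceAccount:${google_service_account.deployer.email}",
  ]
}
```

With Variant B, `terraform plan` becomes a drift check for the roles the module manages: any manually granted member appears as a pending removal. Be careful with broadly held roles (for example roles/owner) before switching a role to the authoritative form, since an incomplete members list will remove the missing principals' access.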

Examples

  1. For Kubernetes Deployer (the Kubernetes Cluster should have RBAC enabled):

    roles = [ "roles/container.viewer" ]

  2. Cloud Run Deployer:

    roles = [ "roles/cloudscheduler.admin", "roles/container.developer", "roles/run.invoker" ]

  3. Cloud Function Deployer:

    roles = ["roles/cloudtasks.enqueuer", "roles/cloudtasks.viewer", "roles/cloudtasks.taskRunner", "roles/cloudtasks.taskDeleter" ]

Pub/Sub

A Pub/Sub can be provisioned like this,

module "my_queue" {
  source = "git::https://github.com/jobtome-labs/terraform-modules.git//pubsub-with-iam?ref=v4.3.0"

  project = "my-gcp-project"
  name    = "my-pubsub"

  roles_topic = {
    admin      = [module.my_serviceaccount-3.full_name]
    editor     = []
    publisher  = [module.my_serviceaccount.full_name]
    subscriber = [module.my_serviceaccount.full_name]
    viewer     = [module.my_serviceaccount-2.full_name, module.my_serviceaccount.full_name]
  }

  roles_subscription = {
    admin      = [module.my_serviceaccount-3.full_name]
    editor     = []
    subscriber = [module.my_serviceaccount.full_name]
    viewer     = [module.my_serviceaccount-2.full_name, module.my_serviceaccount.full_name]
  }
}

By default, it provisions one Topic and one Subscription with the same name. When importing an existing Pub/Sub into the Terraform State, this can be overridden and the Subscription given a different name (name_subscription).

The roles_topic Variable takes an object containing all possible Roles, each with an array of the Service Accounts holding that Role; if nobody should have a Role, its array must be set to empty.

NOTE: If a Service Account gets a manually assigned additional permission against the Topic/Subscription (e.g., via GCP Console), Terraform will remove it at the next apply.

The same applies to roles_subscription.

NOTE: For the Subscription Resources, there is one less Role than for the Topic Resources.

One can have only a Topic by specifying topic_only = true. In this case, roles_subscription is ignored.

Additional Subscriptions can be created by specifying an array (extra_subscriptions) of objects with the following properties:

  • name
  • roles
  • message_retention_duration
  • ack_deadline_seconds
  • retain_acked_messages
  • ttl_list
  • push_list

which are the parameters of a Subscription (only the name is mandatory).

Note ttl_list and push_list: although each holds a single value (and both are Optional), it must be wrapped in a list. Any parameters that are omitted are inherited, so all Extra Subscriptions get the same parameters (TTL, ACK, etc.) as the Main Subscription.

NOTE: Currently it is not possible to assign different permissions to the other Subscriptions. In other words, all Subscriptions will have the same permissions as the Main Subscription.
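The following is an added example (not from the module's own README) of a pubsub-with-iam call that adds two Extra Subscriptions as described above. The variable names are the ones listed on this page; the element shapes of ttl_list and push_list (a duration string and a push endpoint URL) are assumptions, since the page does not define them, so compare with the module's variables.tf before use.

```hcl
# Added example, not part of the terraform-modules repository.
# Assumed: ttl_list takes one duration string, push_list takes one push
# endpoint URL; both are wrapped in a list as the README requires.

module "my_queue" {
  source = "git::https://github.com/jobtome-labs/terraform-modules.git//pubsub-with-iam?ref=v4.3.0"

  project = "my-gcp-project"
  name    = "my-pubsub"

  # Every Role is listed; Roles nobody should hold get an empty array.
  roles_topic = {
    admin      = []
    editor     = []
    publisher  = [module.my_service_account.full_name]
    subscriber = []
    viewer     = []
  }

  # Applies to the Main Subscription AND to every Extra Subscription:
  # per the NOTE above, Extra Subscriptions cannot get different permissions.
  roles_subscription = {
    admin      = []
    editor     = []
    subscriber = [module.my_service_account.full_name]
    viewer     = []
  }

  extra_subscriptions = [
    {
      # Only the name is mandatory; TTL, ACK deadline, retention etc. are
      # inherited from the Main Subscription.
      name = "my-pubsub-replay"
    },
    {
      name                       = "my-pubsub-push"
      message_retention_duration = "604800s"
      ack_deadline_seconds       = 60
      retain_acked_messages      = false

      # Single values, but the module expects lists (assumed element shapes).
      ttl_list  = ["2592000s"]
      push_list = ["https://push.example.com/pubsub"]
    },
  ]
}
```

Keeping the unused Roles as explicit empty arrays is what makes the module's IAM authoritative for the Topic and Subscription: a member granted by hand in the Console shows up in `terraform plan` as a removal, which is the behaviour the NOTE under roles_topic describes.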