add vars to gsuite

modules/gsuite_enabled/README.md

@@ -79,6 +79,8 @@ The roles granted are specifically:
 | enable\_shared\_vpc\_host\_project | If this project is a shared VPC host project. If true, you must *not* set shared\_vpc variable. Default is false. | `bool` | `false` | no |
 | enable\_shared\_vpc\_service\_project | If shared VPC should be used | `bool` | `false` | no |
 | folder\_id | The ID of a folder to host this project | `string` | `""` | no |
+| grant\_services\_network\_role | Whether or not to grant service agents the network roles on the host project | `bool` | `true` | no |
+| grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
 | group\_name | A group to control the project by being assigned group\_role - defaults to ${project\_name}-editors | `string` | `""` | no |
 | group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |
 | labels | Map of labels for project | `map(string)` | `{}` | no |

modules/gsuite_enabled/main.tf

@@ -71,34 +71,36 @@ module "project-factory" {
     ),
     0,
   )
-  group_role                        = var.group_role
-  lien                              = var.lien
-  manage_group                      = var.group_name != "" || var.create_group
-  random_project_id                 = var.random_project_id
-  org_id                            = var.org_id
-  name                              = var.name
-  project_id                        = var.project_id
-  shared_vpc                        = var.shared_vpc
-  enable_shared_vpc_service_project = var.enable_shared_vpc_service_project
-  enable_shared_vpc_host_project    = var.enable_shared_vpc_host_project
-  billing_account                   = var.billing_account
-  folder_id                         = var.folder_id
-  create_project_sa                 = var.create_project_sa
-  project_sa_name                   = var.project_sa_name
-  sa_role                           = var.sa_role
-  activate_apis                     = var.activate_apis
-  usage_bucket_name                 = var.usage_bucket_name
-  usage_bucket_prefix               = var.usage_bucket_prefix
-  shared_vpc_subnets                = var.shared_vpc_subnets
-  labels                            = var.labels
-  bucket_project                    = var.bucket_project
-  bucket_name                       = var.bucket_name
-  bucket_location                   = var.bucket_location
-  bucket_versioning                 = var.bucket_versioning
-  auto_create_network               = var.auto_create_network
-  disable_services_on_destroy       = var.disable_services_on_destroy
-  default_service_account           = var.default_service_account
-  disable_dependent_services        = var.disable_dependent_services
+  group_role                         = var.group_role
+  lien                               = var.lien
+  manage_group                       = var.group_name != "" || var.create_group
+  random_project_id                  = var.random_project_id
+  org_id                             = var.org_id
+  name                               = var.name
+  project_id                         = var.project_id
+  shared_vpc                         = var.shared_vpc
+  enable_shared_vpc_service_project  = var.enable_shared_vpc_service_project
+  enable_shared_vpc_host_project     = var.enable_shared_vpc_host_project
+  grant_services_network_role        = var.grant_services_network_role
+  grant_services_security_admin_role = var.grant_services_security_admin_role
+  billing_account                    = var.billing_account
+  folder_id                          = var.folder_id
+  create_project_sa                  = var.create_project_sa
+  project_sa_name                    = var.project_sa_name
+  sa_role                            = var.sa_role
+  activate_apis                      = var.activate_apis
+  usage_bucket_name                  = var.usage_bucket_name
+  usage_bucket_prefix                = var.usage_bucket_prefix
+  shared_vpc_subnets                 = var.shared_vpc_subnets
+  labels                             = var.labels
+  bucket_project                     = var.bucket_project
+  bucket_name                        = var.bucket_name
+  bucket_location                    = var.bucket_location
+  bucket_versioning                  = var.bucket_versioning
+  auto_create_network                = var.auto_create_network
+  disable_services_on_destroy        = var.disable_services_on_destroy
+  default_service_account            = var.default_service_account
+  disable_dependent_services         = var.disable_dependent_services
 }
 
 /******************************************

modules/gsuite_enabled/variables.tf

@@ -210,6 +210,18 @@ variable "budget_alert_spent_percents" {
   default     = [0.5, 0.7, 1.0]
 }
 
+variable "grant_services_security_admin_role" {
+  description = "Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules"
+  type        = bool
+  default     = false
+}
+
+variable "grant_services_network_role" {
+  description = "Whether or not to grant service agents the network roles on the host project"
+  type        = bool
+  default     = true
+}
+
 variable "consumer_quotas" {
   description = "The quotas configuration you want to override for the project."
   type = list(object({