diff --git a/README.md b/README.md
index 8deec2ff..c1d0efc9 100644
--- a/README.md
+++ b/README.md
@@ -146,6 +146,7 @@ determining that location is as follows:
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list(string) | `` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
+| use\_tf\_google\_credentials\_env\_var | Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with. | bool | `"false"` | no |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
index 4563b1ea..29539d2c 100644
--- a/main.tf
+++ b/main.tf
@@ -28,35 +28,36 @@ module "gsuite_group" {
 module "project-factory" {
 source = "./modules/core_project_factory"
 
- group_email = module.gsuite_group.email
- group_role = var.group_role
- lien = var.lien
- manage_group = var.group_name != "" ? "true" : "false"
- random_project_id = var.random_project_id
- org_id = var.org_id
- name = var.name
- project_id = var.project_id
- shared_vpc = var.shared_vpc
- shared_vpc_enabled = var.shared_vpc != ""
- billing_account = var.billing_account
- folder_id = var.folder_id
- sa_role = var.sa_role
- activate_apis = var.activate_apis
- usage_bucket_name = var.usage_bucket_name
- usage_bucket_prefix = var.usage_bucket_prefix
- credentials_path = var.credentials_path
- impersonate_service_account = var.impersonate_service_account
- shared_vpc_subnets = var.shared_vpc_subnets
- labels = var.labels
- bucket_project = var.bucket_project
- bucket_name = var.bucket_name
- bucket_location = var.bucket_location
- auto_create_network = var.auto_create_network
- disable_services_on_destroy = var.disable_services_on_destroy
- default_service_account = var.default_service_account
- disable_dependent_services = var.disable_dependent_services
- python_interpreter_path = var.python_interpreter_path
- pip_executable_path = var.pip_executable_path
+ group_email = module.gsuite_group.email
+ group_role = var.group_role
+ lien = var.lien
+ manage_group = var.group_name != "" ? "true" : "false"
+ random_project_id = var.random_project_id
+ org_id = var.org_id
+ name = var.name
+ project_id = var.project_id
+ shared_vpc = var.shared_vpc
+ shared_vpc_enabled = var.shared_vpc != ""
+ billing_account = var.billing_account
+ folder_id = var.folder_id
+ sa_role = var.sa_role
+ activate_apis = var.activate_apis
+ usage_bucket_name = var.usage_bucket_name
+ usage_bucket_prefix = var.usage_bucket_prefix
+ credentials_path = var.credentials_path
+ impersonate_service_account = var.impersonate_service_account
+ shared_vpc_subnets = var.shared_vpc_subnets
+ labels = var.labels
+ bucket_project = var.bucket_project
+ bucket_name = var.bucket_name
+ bucket_location = var.bucket_location
+ auto_create_network = var.auto_create_network
+ disable_services_on_destroy = var.disable_services_on_destroy
+ default_service_account = var.default_service_account
+ disable_dependent_services = var.disable_dependent_services
+ python_interpreter_path = var.python_interpreter_path
+ pip_executable_path = var.pip_executable_path
+ use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 }
 
 /******************************************
diff --git a/modules/core_project_factory/main.tf b/modules/core_project_factory/main.tf
index bb0de28d..762f0daa 100644
--- a/modules/core_project_factory/main.tf
+++ b/modules/core_project_factory/main.tf
@@ -160,7 +160,8 @@ module "gcloud_delete" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 0.5.0"
 
- enabled = var.default_service_account == "delete"
+ enabled = var.default_service_account == "delete"
+ use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 
 create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
 create_cmd_body = <<-EOT
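Review bot: The gcloud_delete wrapper now receives `use_tf_google_credentials_env_var`, but nothing in the block says which identity ends up running `modify-service-account.sh` when the flag is true versus false, while the same core module already accepts `credentials_path` and `impersonate_service_account` from the root main.tf caller, so an operator cannot tell from this file which credential the wrapper uses. I would add a comment above `enabled` along the lines of `# When true the gcloud module authenticates the wrapper script with the service-account key held in GOOGLE_CREDENTIALS; how this relates to credentials_path / impersonate_service_account is not wired here — confirm against the gcloud module docs before relying on either.` The `~> 0.5.0` constraint is unchanged, so it is also worth confirming that every 0.5.x release of the gcloud module accepts this input rather than failing at plan time with an unsupported-argument error. The gcloud_deprivilege and gcloud_disable hunks in the same file share this point; each module block continues past the hunk into the create_cmd_body heredoc.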
@@ -185,7 +186,8 @@ module "gcloud_deprivilege" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 0.5.0"
 
- enabled = var.default_service_account == "deprivilege"
+ enabled = var.default_service_account == "deprivilege"
+ use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 
 create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
 create_cmd_body = <<-EOT
@@ -210,7 +212,8 @@ module "gcloud_disable" {
 source = "terraform-google-modules/gcloud/google"
 version = "~> 0.5.0"
 
- enabled = var.default_service_account == "disable"
+ enabled = var.default_service_account == "disable"
+ use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 
 create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
 create_cmd_body = <<-EOT
diff --git a/modules/core_project_factory/variables.tf b/modules/core_project_factory/variables.tf
index 137300a2..a1f0e48e 100644
--- a/modules/core_project_factory/variables.tf
+++ b/modules/core_project_factory/variables.tf
@@ -183,3 +183,9 @@ variable "pip_executable_path" {
 type = string
 default = "pip3"
 }
+
+variable "use_tf_google_credentials_env_var" {
+ description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
+ type = bool
+ default = false
+}
diff --git a/modules/gsuite_enabled/README.md b/modules/gsuite_enabled/README.md
index 32adccdb..86e3093a 100644
--- a/modules/gsuite_enabled/README.md
+++ b/modules/gsuite_enabled/README.md
@@ -92,6 +92,7 @@ The roles granted are specifically:
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list(string) | `` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
+| use\_tf\_google\_credentials\_env\_var | Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with. | bool | `"false"` | no |
 
 ## Outputs
 
diff --git a/modules/gsuite_enabled/main.tf b/modules/gsuite_enabled/main.tf
index 5e1f2b7b..f6763d1e 100644
--- a/modules/gsuite_enabled/main.tf
+++ b/modules/gsuite_enabled/main.tf
@@ -71,33 +71,34 @@ module "project-factory" {
 ),
 0,
 )
- group_role = var.group_role
- lien = var.lien
- manage_group = var.group_name != "" || var.create_group
- random_project_id = var.random_project_id
- org_id = var.org_id
- name = var.name
- project_id = var.project_id
- shared_vpc = var.shared_vpc
- shared_vpc_enabled = var.shared_vpc_enabled
- billing_account = var.billing_account
- folder_id = var.folder_id
- sa_role = var.sa_role
- activate_apis = var.activate_apis
- usage_bucket_name = var.usage_bucket_name
- usage_bucket_prefix = var.usage_bucket_prefix
- credentials_path = var.credentials_path
- impersonate_service_account = var.impersonate_service_account
- shared_vpc_subnets = var.shared_vpc_subnets
- labels = var.labels
- bucket_project = var.bucket_project
- bucket_name = var.bucket_name
- bucket_location = var.bucket_location
- auto_create_network = var.auto_create_network
- disable_services_on_destroy = var.disable_services_on_destroy
- default_service_account = var.default_service_account
- disable_dependent_services = var.disable_dependent_services
- python_interpreter_path = var.python_interpreter_path
+ group_role = var.group_role
+ lien = var.lien
+ manage_group = var.group_name != "" || var.create_group
+ random_project_id = var.random_project_id
+ org_id = var.org_id
+ name = var.name
+ project_id = var.project_id
+ shared_vpc = var.shared_vpc
+ shared_vpc_enabled = var.shared_vpc_enabled
+ billing_account = var.billing_account
+ folder_id = var.folder_id
+ sa_role = var.sa_role
+ activate_apis = var.activate_apis
+ usage_bucket_name = var.usage_bucket_name
+ usage_bucket_prefix = var.usage_bucket_prefix
+ credentials_path = var.credentials_path
+ impersonate_service_account = var.impersonate_service_account
+ shared_vpc_subnets = var.shared_vpc_subnets
+ labels = var.labels
+ bucket_project = var.bucket_project
+ bucket_name = var.bucket_name
+ bucket_location = var.bucket_location
+ auto_create_network = var.auto_create_network
+ disable_services_on_destroy = var.disable_services_on_destroy
+ default_service_account = var.default_service_account
+ disable_dependent_services = var.disable_dependent_services
+ python_interpreter_path = var.python_interpreter_path
+ use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 }
 
 /******************************************
diff --git a/modules/gsuite_enabled/variables.tf b/modules/gsuite_enabled/variables.tf
index b8d93b4b..3401facc 100644
--- a/modules/gsuite_enabled/variables.tf
+++ b/modules/gsuite_enabled/variables.tf
@@ -194,3 +194,9 @@ variable "budget_alert_spent_percents" {
 type = list(number)
 default = [0.5, 0.7, 1.0]
 }
+
+variable "use_tf_google_credentials_env_var" {
+ description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
+ type = bool
+ default = false
+}
diff --git a/modules/shared_vpc/main.tf b/modules/shared_vpc/main.tf
index b343f06e..d2287345 100755
--- a/modules/shared_vpc/main.tf
+++ b/modules/shared_vpc/main.tf
@@ -28,33 +28,34 @@ module "gsuite_group" {
 module "project-factory" {
 source = "../core_project_factory"
 
- group_email = module.gsuite_group.email
- group_role = var.group_role
- lien = var.lien
- manage_group = var.group_name != "" ? "true" : "false"
- random_project_id = var.random_project_id
- org_id = var.org_id
- name = var.name
- project_id = var.project_id
- shared_vpc = var.shared_vpc
- shared_vpc_enabled = true
- billing_account = var.billing_account
- folder_id = var.folder_id
- sa_role = var.sa_role
- activate_apis = var.activate_apis
- usage_bucket_name = var.usage_bucket_name
- usage_bucket_prefix = var.usage_bucket_prefix
- credentials_path = var.credentials_path
- shared_vpc_subnets = var.shared_vpc_subnets
- labels = var.labels
- bucket_project = var.bucket_project
- bucket_name = var.bucket_name
- bucket_location = var.bucket_location
- auto_create_network = var.auto_create_network
- disable_services_on_destroy = var.disable_services_on_destroy
- default_service_account = var.default_service_account
- disable_dependent_services = var.disable_dependent_services
- python_interpreter_path = var.python_interpreter_path
+ group_email = module.gsuite_group.email
+ group_role = var.group_role
+ lien = var.lien
+ manage_group = var.group_name != "" ? "true" : "false"
+ random_project_id = var.random_project_id
+ org_id = var.org_id
+ name = var.name
+ project_id = var.project_id
+ shared_vpc = var.shared_vpc
+ shared_vpc_enabled = true
+ billing_account = var.billing_account
+ folder_id = var.folder_id
+ sa_role = var.sa_role
+ activate_apis = var.activate_apis
+ usage_bucket_name = var.usage_bucket_name
+ usage_bucket_prefix = var.usage_bucket_prefix
+ credentials_path = var.credentials_path
+ shared_vpc_subnets = var.shared_vpc_subnets
+ labels = var.labels
+ bucket_project = var.bucket_project
+ bucket_name = var.bucket_name
+ bucket_location = var.bucket_location
+ auto_create_network = var.auto_create_network
+ disable_services_on_destroy = var.disable_services_on_destroy
+ default_service_account = var.default_service_account
+ disable_dependent_services = var.disable_dependent_services
+ python_interpreter_path = var.python_interpreter_path
+ use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 }
 
 /******************************************
diff --git a/modules/shared_vpc/variables.tf b/modules/shared_vpc/variables.tf
index 216dd6b7..f8ada4b2 100755
--- a/modules/shared_vpc/variables.tf
+++ b/modules/shared_vpc/variables.tf
@@ -188,3 +188,9 @@ variable "budget_alert_spent_percents" {
 type = list(number)
 default = [0.5, 0.7, 1.0]
 }
+
+variable "use_tf_google_credentials_env_var" {
+ description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
+ type = bool
+ default = false
+}
diff --git a/variables.tf b/variables.tf
index 62ddc98c..622207ee 100644
--- a/variables.tf
+++ b/variables.tf
@@ -179,6 +179,12 @@ variable "pip_executable_path" {
 default = "pip3"
 }
 
+variable "use_tf_google_credentials_env_var" {
+ description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
+ type = bool
+ default = false
+}
+
 variable "budget_amount" {
 description = "The amount to use for a budget alert"
 type = number
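Review bot: The new variable's description, `Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with.`, ends in a dangling "with" and does not tell the operator what the environment variable must hold or what the wrapper modules do when the flag stays false, which matters because the value is a service-account key rather than a file path. I would reword it to `description = "When true, the gcloud wrapper modules authenticate with gcloud auth activate-service-account using the service-account key held in the GOOGLE_CREDENTIALS environment variable."` and add a sentence on how this relates to `credentials_path` and `impersonate_service_account`, which the same module already accepts — that wiring is outside this diff, so confirm it before documenting it. If the gcloud module has to materialise the key on disk to feed activate-service-account, the description should say so, since the runner's working directory then holds a key while the wrapper runs; confirm against the gcloud module source. The identical description is repeated in modules/core_project_factory/variables.tf, modules/gsuite_enabled/variables.tf and modules/shared_vpc/variables.tf, so any reword should land in all four and in the two README rows.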