fix: adds variable to not disable APIs on destroy (#126)

GoogleCloudPlatform · Jun 19, 2023 · 3faedb5 · 3faedb5
1 parent 9179f98
commit 3faedb5
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 8 deletions.
diff --git a/modules/secure-serverless-harness/README.md b/modules/secure-serverless-harness/README.md
@@ -60,6 +60,7 @@ module "secure_cloud_run_harness" {
 | billing\_account | The ID of the billing account to associate this project with. | `string` | n/a | yes |
 | create\_access\_context\_manager\_access\_policy | Defines if Access Context Manager will be created by Terraform. | `bool` | `false` | no |
 | decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | `list(string)` | `[]` | no |
+| disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `false` | no |
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |

diff --git a/modules/secure-serverless-harness/main.tf b/modules/secure-serverless-harness/main.tf
@@ -60,6 +60,8 @@ module "network_project" {
   billing_account   = var.billing_account
   folder_id         = google_folder.fld_serverless.name
 
+  disable_services_on_destroy = var.disable_services_on_destroy
+
   enable_shared_vpc_host_project = true
 }
 
@@ -72,6 +74,8 @@ module "security_project" {
   org_id            = var.org_id
   billing_account   = var.billing_account
   folder_id         = google_folder.fld_serverless.name
+
+  disable_services_on_destroy = var.disable_services_on_destroy
 }
 
 module "serverless_project" {
@@ -86,6 +90,8 @@ module "serverless_project" {
   folder_name                   = google_folder.fld_serverless.name
   project_name                  = each.value
   service_account_project_roles = try(var.service_account_project_roles[each.value], [])
+
+  disable_services_on_destroy = var.disable_services_on_destroy
 }
 
 

diff --git a/modules/secure-serverless-harness/variables.tf b/modules/secure-serverless-harness/variables.tf
@@ -220,6 +220,12 @@ variable "dns_enable_inbound_forwarding" {
   default     = true
 }
 
+variable "disable_services_on_destroy" {
+  description = "Whether project services will be disabled when the resources are destroyed"
+  default     = false
+  type        = bool
+}
+
 variable "dns_enable_logging" {
   type        = bool
   description = "Toggle DNS logging for VPC DNS."

diff --git a/modules/service-project-factory/main.tf b/modules/service-project-factory/main.tf
@@ -19,14 +19,15 @@ locals {
   api = var.serverless_type == "CLOUD_RUN" ? "run" : "cloudfunctions"
 }
 module "serverless_project" {
-  source            = "terraform-google-modules/project-factory/google"
-  version           = "~> 14.2"
-  random_project_id = "true"
-  activate_apis     = var.activate_apis
-  name              = var.project_name
-  org_id            = var.org_id
-  billing_account   = var.billing_account
-  folder_id         = var.folder_name
+  source                      = "terraform-google-modules/project-factory/google"
+  version                     = "~> 14.2"
+  random_project_id           = "true"
+  activate_apis               = var.activate_apis
+  name                        = var.project_name
+  org_id                      = var.org_id
+  billing_account             = var.billing_account
+  folder_id                   = var.folder_name
+  disable_services_on_destroy = var.disable_services_on_destroy
 
   svpc_host_project_id = var.network_project_id
   grant_network_role   = var.network_project_id != "" ? true : false

diff --git a/modules/service-project-factory/variables.tf b/modules/service-project-factory/variables.tf
@@ -50,6 +50,12 @@ variable "activate_apis" {
   type        = list(string)
 }
 
+variable "disable_services_on_destroy" {
+  description = "Whether project services will be disabled when the resources are destroyed"
+  default     = false
+  type        = bool
+}
+
 variable "folder_name" {
   description = "The folder name."
   type        = string