diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf
index 17a670a1..8f26ba77 100644
--- a/examples/shared_vpc/main.tf
+++ b/examples/shared_vpc/main.tf
@@ -107,10 +107,9 @@ module "service-project" {
 name = var.service_project_name
 random_project_id = "false"
- org_id = var.organization_id
- folder_id = var.folder_id
- billing_account = var.billing_account
- shared_vpc_enabled = true
+ org_id = var.organization_id
+ folder_id = var.folder_id
+ billing_account = var.billing_account
 shared_vpc = module.host-project.project_id
 shared_vpc_subnets = module.vpc.subnets_self_links
@@ -134,10 +133,9 @@ module "service-project-b" {
 name = "b-${var.service_project_name}"
 random_project_id = "false"
- org_id = var.organization_id
- folder_id = var.folder_id
- billing_account = var.billing_account
- shared_vpc_enabled = true
+ org_id = var.organization_id
+ folder_id = var.folder_id
+ billing_account = var.billing_account
 shared_vpc = module.host-project.project_id
diff --git a/main.tf b/main.tf
index fc8a9738..fc0704b6 100644
--- a/main.tf
+++ b/main.tf
@@ -62,6 +62,18 @@ module "project-factory" {
 vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
 }
+/******************************************
+ Setting API service accounts for shared VPC
+ *****************************************/
+module "shared_vpc_access" {
+ source = "./modules/shared_vpc_access"
+ shared_vpc_enabled = var.shared_vpc != "" ? true : false
+ host_project_id = var.shared_vpc
+ service_project_id = module.project-factory.project_id
+ active_apis = module.project-factory.enabled_apis
+ shared_vpc_subnets = var.shared_vpc_subnets
+}
+
 /******************************************
 Billing budget to create if amount is set
 *****************************************/
diff --git a/modules/shared_vpc/main.tf b/modules/shared_vpc/main.tf
index 223d6f53..415d5059 100755
--- a/modules/shared_vpc/main.tf
+++ b/modules/shared_vpc/main.tf
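Review bot: In the new root `module "shared_vpc_access"` block in main.tf, `shared_vpc_enabled = var.shared_vpc != "" ? true : false` wraps a value that is already a bool in a redundant conditional, and it treats only the empty string as "disabled". The declaration of `var.shared_vpc` is not in this diff; if it can be null, `null != ""` evaluates to true in Terraform and the module would be enabled with a null `host_project_id`, so `shared_vpc_enabled = var.shared_vpc != null && var.shared_vpc != ""` is the safer form. Because the module is instantiated unconditionally, its inputs are still evaluated with an empty host project when the flag is false, so the flag is only as effective as the gating inside modules/shared_vpc_access (two resources are gated later in this diff); a short comment above the block such as `# Always instantiated; host-project IAM bindings are created only when shared_vpc_enabled is true` would make that contract visible to readers of the root module.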
@@ -65,6 +65,7 @@ module "project-factory" {
 module "shared_vpc_access" {
 source = "../shared_vpc_access"
 host_project_id = var.shared_vpc
+ shared_vpc_enabled = true
 service_project_id = module.project-factory.project_id
 active_apis = module.project-factory.enabled_apis
 shared_vpc_subnets = var.shared_vpc_subnets
diff --git a/modules/shared_vpc/variables.tf b/modules/shared_vpc/variables.tf
index 0dfa2c90..168bb18d 100755
--- a/modules/shared_vpc/variables.tf
+++ b/modules/shared_vpc/variables.tf
@@ -185,12 +185,6 @@ variable "disable_dependent_services" {
 type = bool
 }
-variable "shared_vpc_enabled" {
- description = "If shared VPC should be used"
- type = bool
- default = false
-}
-
 variable "budget_amount" {
 description = "The amount to use for a budget alert"
 type = number
diff --git a/modules/shared_vpc_access/README.md b/modules/shared_vpc_access/README.md
index 145e1207..11aaeb7b 100644
--- a/modules/shared_vpc_access/README.md
+++ b/modules/shared_vpc_access/README.md
@@ -33,6 +33,7 @@ module "shared_vpc_access" {
 | lookup\_project\_numbers | Whether to look up the project numbers from data sources. If false, `service_project_number` will be used instead. | `bool` | `true` | no |
 | service\_project\_id | The ID of the service project | `string` | n/a | yes |
 | service\_project\_number | Project number of the service project. Will be used if `lookup_service_project_number` is false. | `string` | `null` | no |
+| shared\_vpc\_enabled | Flag set if SVPC enabled | `bool` | n/a | yes |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
 ## Outputs
diff --git a/modules/shared_vpc_access/main.tf b/modules/shared_vpc_access/main.tf
index e505b36e..934c4663 100644
--- a/modules/shared_vpc_access/main.tf
+++ b/modules/shared_vpc_access/main.tf
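Review bot: The hardcoded `shared_vpc_enabled = true` in modules/shared_vpc/main.tf is consistent with dropping the module's own `shared_vpc_enabled` input in the next hunk, but that removal is a breaking change for any caller of modules/shared_vpc that still passes the argument (Terraform rejects unsupported arguments), and nothing in this diff documents it beyond the example update. A one-line comment on the new line, `# always on: the gate only matters in the root module, which may run without a host VPC`, would explain why a literal is passed here, and the removed input deserves a changelog or README entry. The enclosing module block starts before the hunk.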
@@ -63,7 +63,7 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
 if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
 *****************************************/
 resource "google_project_iam_member" "service_shared_vpc_user" {
- for_each = length(var.shared_vpc_subnets) == 0 ? local.active_apis : []
+ for_each = (length(var.shared_vpc_subnets) == 0) && var.shared_vpc_enabled ? local.active_apis : []
 project = var.host_project_id
 role = "roles/compute.networkUser"
 member = format("serviceAccount:%s", local.apis[each.value])
@@ -74,7 +74,7 @@ resource "google_project_iam_member" "service_shared_vpc_user" {
 See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
 *****************************************/
 resource "google_project_iam_member" "gke_host_agent" {
- count = local.gke_shared_vpc_enabled ? 1 : 0
+ count = local.gke_shared_vpc_enabled && var.shared_vpc_enabled ? 1 : 0
 project = var.host_project_id
 role = "roles/container.hostServiceAgentUser"
 member = format("serviceAccount:%s", local.apis["container.googleapis.com"])
diff --git a/modules/shared_vpc_access/variables.tf b/modules/shared_vpc_access/variables.tf
index b81c6c48..903c2797 100644
--- a/modules/shared_vpc_access/variables.tf
+++ b/modules/shared_vpc_access/variables.tf
@@ -19,6 +19,11 @@ variable "host_project_id" {
 type = string
 }
+variable "shared_vpc_enabled" {
+ description = "Flag set if SVPC enabled"
+ type = bool
+}
+
 variable "service_project_id" {
 description = "The ID of the service project"
 type = string
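Review bot: The new `var.shared_vpc_enabled` gate is applied to `service_shared_vpc_user` (first hunk) and `gke_host_agent` (second hunk) but not to `google_compute_subnetwork_iam_member.service_shared_vpc_subnet_users`, which the hunk context shows immediately above and which this commit leaves untouched. If that resource is driven by `var.shared_vpc_subnets` (not visible here), a caller passing subnets with `shared_vpc_enabled = false` would still receive subnet-level `roles/compute.networkUser` bindings in the host project, so the flag would not be authoritative for all host-project grants; adding the same `&& var.shared_vpc_enabled` term to its `for_each` would close that gap. `&&` binds tighter than the conditional in HCL, so the new expressions are correct as written, but leading with the flag reads as intended: `for_each = var.shared_vpc_enabled && length(var.shared_vpc_subnets) == 0 ? local.active_apis : []`.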
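Review bot: `description = "Flag set if SVPC enabled"` on the new `shared_vpc_enabled` variable in modules/shared_vpc_access/variables.tf says nothing about what the flag controls, and since the variable has no default every caller must now set it, the description is the only place the contract is visible. Suggest `description = "Whether to create host-project IAM bindings for this service project. When false, the project-level compute.networkUser and GKE host-service-agent bindings are not created."`, which matches the two resources gated in this diff; the README row in modules/shared_vpc_access/README.md repeats the same vague wording and should be regenerated. Omitting a default means existing external callers fail at plan time rather than silently losing their bindings, which is the safer behaviour, but if that is the intent it is worth saying so in the changelog.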