Fix: rename shared_vpc submodule to svpc_service_project(#517)

README.md

@@ -30,13 +30,13 @@ module "project-factory" {
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 9.2"
 
-  name                = "pf-test-1"
-  random_project_id   = "true"
-  org_id              = "1234567890"
-  usage_bucket_name   = "pf-test-1-usage-report-bucket"
-  usage_bucket_prefix = "pf/test/1/integration"
-  billing_account     = "ABCDEF-ABCDEF-ABCDEF"
-  shared_vpc          = "shared_vpc_host_name"
+  name                 = "pf-test-1"
+  random_project_id    = "true"
+  org_id               = "1234567890"
+  usage_bucket_name    = "pf-test-1-usage-report-bucket"
+  usage_bucket_prefix  = "pf/test/1/integration"
+  billing_account      = "ABCDEF-ABCDEF-ABCDEF"
+  svpc_host_project_id = "shared_vpc_host_name"
 
   shared_vpc_subnets = [
     "projects/base-project-196723/regions/us-east1/subnetworks/default",
@@ -52,7 +52,7 @@ The Project Factory module will take the following actions:
 
 1. Create a new GCP project using the `project_name`.
 1. If a shared VPC is specified, attach the new project to the
-   `shared_vpc`.
+   `svpc_host_project_id`.
 
    It will also give the following users network access on the specified subnets:
 
@@ -100,9 +100,9 @@ is assigned to individual subnetworks, then the service project will have
 access to only the subnetworks on which that role was assigned. The logic for
 determining that location is as follows:
 
-1. If `var.shared_vpc` and `var.shared_vpc_subnets` are not set then the `compute.networkUser` role is not assigned
-1. If `var.shared_vpc` is set but no subnetworks are provided via `var.shared_vpc_subnets` then the `compute.networkUser` role is assigned at the host project and the service project will have access to all shared VPC subnetworks
-1. If `var.shared_vpc` is set and `var.shared_vpc_subnets` contains an array of subnetworks then the `compute.networkUser` role is assigned to each subnetwork in the array
+1. If `var.svpc_host_project_id` and `var.shared_vpc_subnets` are not set then the `compute.networkUser` role is not assigned
+1. If `var.svpc_host_project_id` is set but no subnetworks are provided via `var.shared_vpc_subnets` then the `compute.networkUser` role is assigned at the host project and the service project will have access to all shared VPC subnetworks
+1. If `var.svpc_host_project_id` is set and `var.shared_vpc_subnets` contains an array of subnetworks then the `compute.networkUser` role is assigned to each subnetwork in the array
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
@@ -126,7 +126,7 @@ determining that location is as follows:
 | disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `string` | `"true"` | no |
 | domain | The domain name (optional). | `string` | `""` | no |
-| enable\_shared\_vpc\_host\_project | If this project is a shared VPC host project. If true, you must *not* set shared\_vpc variable. Default is false. | `bool` | `false` | no |
+| enable\_shared\_vpc\_host\_project | If this project is a shared VPC host project. If true, you must *not* set svpc\_host\_project\_id variable. Default is false. | `bool` | `false` | no |
 | folder\_id | The ID of a folder to host this project | `string` | `""` | no |
 | group\_name | A group to control the project by being assigned group\_role (defaults to project editor) | `string` | `""` | no |
 | group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |
@@ -138,8 +138,8 @@ determining that location is as follows:
 | project\_id | The ID to give the project. If not provided, the `name` will be used. | `string` | `""` | no |
 | random\_project\_id | Adds a suffix of 4 random characters to the `project_id` | `bool` | `false` | no |
 | sa\_role | A role to give the default Service Account for the project (defaults to none) | `string` | `""` | no |
-| shared\_vpc | The ID of the host project which hosts the shared VPC | `string` | `""` | no |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
+| svpc\_host\_project\_id | The ID of the host project which hosts the shared VPC | `string` | `""` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no |

examples/gke_shared_vpc/main.tf

@@ -37,13 +37,13 @@ provider "random" {
 }
 
 module "project-factory" {
-  source             = "../../"
-  random_project_id  = true
-  name               = "sample-gke-shared-project"
-  org_id             = var.org_id
-  billing_account    = var.billing_account
-  shared_vpc         = var.shared_vpc
-  activate_apis      = ["compute.googleapis.com", "container.googleapis.com", "cloudbilling.googleapis.com"]
-  credentials_path   = local.credentials_file_path
-  shared_vpc_subnets = var.shared_vpc_subnets
+  source               = "../../"
+  random_project_id    = true
+  name                 = "sample-gke-shared-project"
+  org_id               = var.org_id
+  billing_account      = var.billing_account
+  svpc_host_project_id = var.shared_vpc
+  activate_apis        = ["compute.googleapis.com", "container.googleapis.com", "cloudbilling.googleapis.com"]
+  credentials_path     = local.credentials_file_path
+  shared_vpc_subnets   = var.shared_vpc_subnets
 }

examples/shared_vpc/main.tf

@@ -102,7 +102,7 @@ module "vpc" {
   Service Project Creation
  *****************************************/
 module "service-project" {
-  source = "../../modules/shared_vpc"
+  source = "../../modules/svpc_service_project"
 
   name              = var.service_project_name
   random_project_id = "false"
@@ -128,7 +128,7 @@ module "service-project" {
   Second Service Project Creation
  *****************************************/
 module "service-project-b" {
-  source = "../../modules/shared_vpc"
+  source = "../../modules/svpc_service_project"
 
   name              = "b-${var.service_project_name}"
   random_project_id = "false"

main.tf

@@ -36,8 +36,8 @@ module "project-factory" {
   org_id                             = var.org_id
   name                               = var.name
   project_id                         = var.project_id
-  shared_vpc                         = var.shared_vpc
-  enable_shared_vpc_service_project  = var.shared_vpc != ""
+  shared_vpc                         = var.svpc_host_project_id
+  enable_shared_vpc_service_project  = var.svpc_host_project_id != ""
   enable_shared_vpc_host_project     = var.enable_shared_vpc_host_project
   billing_account                    = var.billing_account
   folder_id                          = var.folder_id
@@ -66,12 +66,12 @@ module "project-factory" {
   Setting API service accounts for shared VPC
  *****************************************/
 module "shared_vpc_access" {
-  source             = "./modules/shared_vpc_access"
-  shared_vpc_enabled = var.shared_vpc != "" ? true : false
-  host_project_id    = var.shared_vpc
-  service_project_id = module.project-factory.project_id
-  active_apis        = module.project-factory.enabled_apis
-  shared_vpc_subnets = var.shared_vpc_subnets
+  source                            = "./modules/shared_vpc_access"
+  enable_shared_vpc_service_project = var.svpc_host_project_id != "" ? true : false
+  host_project_id                   = var.svpc_host_project_id
+  service_project_id                = module.project-factory.project_id
+  active_apis                       = module.project-factory.enabled_apis
+  shared_vpc_subnets                = var.shared_vpc_subnets
 }
 
 /******************************************

modules/gsuite_enabled/README.md

@@ -77,6 +77,7 @@ The roles granted are specifically:
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `string` | `"true"` | no |
 | domain | The domain name (optional). | `string` | `""` | no |
 | enable\_shared\_vpc\_host\_project | If this project is a shared VPC host project. If true, you must *not* set shared\_vpc variable. Default is false. | `bool` | `false` | no |
+| enable\_shared\_vpc\_service\_project | If shared VPC should be used | `bool` | `false` | no |
 | folder\_id | The ID of a folder to host this project | `string` | `""` | no |
 | group\_name | A group to control the project by being assigned group\_role - defaults to ${project\_name}-editors | `string` | `""` | no |
 | group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |
@@ -90,7 +91,6 @@ The roles granted are specifically:
 | sa\_group | A G Suite group to place the default Service Account for the project in | `string` | `""` | no |
 | sa\_role | A role to give the default Service Account for the project (defaults to none) | `string` | `""` | no |
 | shared\_vpc | The ID of the host project which hosts the shared VPC | `string` | `""` | no |
-| shared\_vpc\_enabled | If shared VPC should be used | `bool` | `false` | no |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |

modules/gsuite_enabled/main.tf

@@ -79,7 +79,7 @@ module "project-factory" {
   name                              = var.name
   project_id                        = var.project_id
   shared_vpc                        = var.shared_vpc
-  enable_shared_vpc_service_project = var.shared_vpc_enabled
+  enable_shared_vpc_service_project = var.enable_shared_vpc_service_project
   enable_shared_vpc_host_project    = var.enable_shared_vpc_host_project
   billing_account                   = var.billing_account
   folder_id                         = var.folder_id

modules/gsuite_enabled/variables.tf

@@ -173,7 +173,7 @@ variable "disable_dependent_services" {
   type        = string
 }
 
-variable "shared_vpc_enabled" {
+variable "enable_shared_vpc_service_project" {
   description = "If shared VPC should be used"
   type        = bool
   default     = false

modules/shared_vpc_access/README.md

@@ -28,12 +28,12 @@ module "shared_vpc_access" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | active\_apis | The list of active apis on the service project. If api is not active this module will not try to activate it | `list(string)` | `[]` | no |
+| enable\_shared\_vpc\_service\_project | Flag set if SVPC enabled | `bool` | n/a | yes |
 | grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
 | host\_project\_id | The ID of the host project which hosts the shared VPC | `string` | n/a | yes |
 | lookup\_project\_numbers | Whether to look up the project numbers from data sources. If false, `service_project_number` will be used instead. | `bool` | `true` | no |
 | service\_project\_id | The ID of the service project | `string` | n/a | yes |
 | service\_project\_number | Project number of the service project. Will be used if `lookup_service_project_number` is false. | `string` | `null` | no |
-| shared\_vpc\_enabled | Flag set if SVPC enabled | `bool` | n/a | yes |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
 
 ## Outputs

modules/shared_vpc_access/main.tf

@@ -63,7 +63,7 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
  if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
  *****************************************/
 resource "google_project_iam_member" "service_shared_vpc_user" {
-  for_each = (length(var.shared_vpc_subnets) == 0) && var.shared_vpc_enabled ? local.active_apis : []
+  for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project ? local.active_apis : []
   project  = var.host_project_id
   role     = "roles/compute.networkUser"
   member   = format("serviceAccount:%s", local.apis[each.value])
@@ -74,7 +74,7 @@ resource "google_project_iam_member" "service_shared_vpc_user" {
   See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
  *****************************************/
 resource "google_project_iam_member" "gke_host_agent" {
-  count   = local.gke_shared_vpc_enabled && var.shared_vpc_enabled ? 1 : 0
+  count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project ? 1 : 0
   project = var.host_project_id
   role    = "roles/container.hostServiceAgentUser"
   member  = format("serviceAccount:%s", local.apis["container.googleapis.com"])

modules/shared_vpc_access/variables.tf

@@ -19,7 +19,7 @@ variable "host_project_id" {
   type        = string
 }
 
-variable "shared_vpc_enabled" {
+variable "enable_shared_vpc_service_project" {
   description = "Flag set if SVPC enabled"
   type        = bool
 }

modules/shared_vpc/README.md → modules/svpc_service_project/README.md

@@ -6,7 +6,7 @@ The advantage of using this module over the root module, is being able to provis
 ## Example Usage
 ```hcl
 module "service-project" {
-  source  = "terraform-google-modules/project-factory/google//modules/shared_vpc"
+  source  = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
   version = "~> 9.2"
 
   name                = "pf-test-1"

modules/shared_vpc/main.tf → modules/svpc_service_project/main.tf

@@ -63,14 +63,14 @@ module "project-factory" {
   Setting API service accounts for shared VPC
  *****************************************/
 module "shared_vpc_access" {
-  source                 = "../shared_vpc_access"
-  host_project_id        = var.shared_vpc
-  shared_vpc_enabled     = true
-  service_project_id     = module.project-factory.project_id
-  active_apis            = module.project-factory.enabled_apis
-  shared_vpc_subnets     = var.shared_vpc_subnets
-  service_project_number = module.project-factory.project_number
-  lookup_project_numbers = false
+  source                            = "../shared_vpc_access"
+  host_project_id                   = var.shared_vpc
+  enable_shared_vpc_service_project = true
+  service_project_id                = module.project-factory.project_id
+  active_apis                       = module.project-factory.enabled_apis
+  shared_vpc_subnets                = var.shared_vpc_subnets
+  service_project_number            = module.project-factory.project_number
+  lookup_project_numbers            = false
 }
 
 /******************************************

test/fixtures/full/main.tf

@@ -102,21 +102,21 @@ module "project-factory" {
   random_project_id = "false"
   project_id        = "pf-ci-test-full-id-${var.random_string_for_testing}"
 
-  domain              = var.domain
-  org_id              = var.org_id
-  folder_id           = var.folder_id
-  usage_bucket_name   = var.usage_bucket_name
-  usage_bucket_prefix = var.usage_bucket_prefix
-  billing_account     = var.billing_account
-  create_group        = true
-  group_role          = var.group_role
-  group_name          = var.group_name
-  shared_vpc          = var.shared_vpc
-  shared_vpc_enabled  = true
-  shared_vpc_subnets  = local.shared_vpc_subnets
-  sa_role             = var.sa_role
-  sa_group            = var.sa_group
-  lien                = "true"
+  domain                            = var.domain
+  org_id                            = var.org_id
+  folder_id                         = var.folder_id
+  usage_bucket_name                 = var.usage_bucket_name
+  usage_bucket_prefix               = var.usage_bucket_prefix
+  billing_account                   = var.billing_account
+  create_group                      = true
+  group_role                        = var.group_role
+  group_name                        = var.group_name
+  shared_vpc                        = var.shared_vpc
+  enable_shared_vpc_service_project = true
+  shared_vpc_subnets                = local.shared_vpc_subnets
+  sa_role                           = var.sa_role
+  sa_group                          = var.sa_group
+  lien                              = "true"
 
   activate_apis = [
     "compute.googleapis.com",

test/fixtures/shared_vpc_no_subnets/main.tf

@@ -44,18 +44,18 @@ provider "random" {
 module "project-factory" {
   source = "../../../modules/gsuite_enabled"
 
-  name               = "pf-ci-test-nosubnets-${var.random_string_for_testing}"
-  project_id         = "pf-ci-test-nosubnets-${var.random_string_for_testing}"
-  random_project_id  = "false"
-  domain             = var.domain
-  org_id             = var.org_id
-  folder_id          = var.folder_id
-  billing_account    = var.billing_account
-  create_group       = true
-  group_role         = var.group_role
-  group_name         = "pf-secondgroup-${var.random_string_for_testing}"
-  shared_vpc         = var.shared_vpc
-  shared_vpc_enabled = true
+  name                              = "pf-ci-test-nosubnets-${var.random_string_for_testing}"
+  project_id                        = "pf-ci-test-nosubnets-${var.random_string_for_testing}"
+  random_project_id                 = "false"
+  domain                            = var.domain
+  org_id                            = var.org_id
+  folder_id                         = var.folder_id
+  billing_account                   = var.billing_account
+  create_group                      = true
+  group_role                        = var.group_role
+  group_name                        = "pf-secondgroup-${var.random_string_for_testing}"
+  shared_vpc                        = var.shared_vpc
+  enable_shared_vpc_service_project = true
 
   activate_apis = [
     "compute.googleapis.com",

variables.tf

@@ -42,14 +42,14 @@ variable "project_id" {
   default     = ""
 }
 
-variable "shared_vpc" {
+variable "svpc_host_project_id" {
   description = "The ID of the host project which hosts the shared VPC"
   type        = string
   default     = ""
 }
 
 variable "enable_shared_vpc_host_project" {
-  description = "If this project is a shared VPC host project. If true, you must *not* set shared_vpc variable. Default is false."
+  description = "If this project is a shared VPC host project. If true, you must *not* set svpc_host_project_id variable. Default is false."
   type        = bool
   default     = false
 }