terraform-google-modules · morgante · Dec 11, 2020 · Aug 18, 2020 · Sep 2, 2020 · Oct 1, 2020
diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf
@@ -107,10 +107,9 @@ module "service-project" {
   name              = var.service_project_name
   random_project_id = "false"
 
-  org_id             = var.organization_id
-  folder_id          = var.folder_id
-  billing_account    = var.billing_account
-  shared_vpc_enabled = true
+  org_id          = var.organization_id
+  folder_id       = var.folder_id
+  billing_account = var.billing_account
 
   shared_vpc         = module.host-project.project_id
   shared_vpc_subnets = module.vpc.subnets_self_links
@@ -134,10 +133,9 @@ module "service-project-b" {
   name              = "b-${var.service_project_name}"
   random_project_id = "false"
 
-  org_id             = var.organization_id
-  folder_id          = var.folder_id
-  billing_account    = var.billing_account
-  shared_vpc_enabled = true
+  org_id          = var.organization_id
+  folder_id       = var.folder_id
+  billing_account = var.billing_account
 
   shared_vpc = module.host-project.project_id
 

diff --git a/main.tf b/main.tf
@@ -62,6 +62,18 @@ module "project-factory" {
   vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
 }
 
+/******************************************
+  Setting API service accounts for shared VPC
+ *****************************************/
+module "shared_vpc_access" {
+  source             = "./modules/shared_vpc_access"
+  shared_vpc_enabled = var.shared_vpc != "" ? true : false
+  host_project_id    = var.shared_vpc
+  service_project_id = module.project-factory.project_id
+  active_apis        = module.project-factory.enabled_apis
+  shared_vpc_subnets = var.shared_vpc_subnets
+}
+
 /******************************************
   Billing budget to create if amount is set
  *****************************************/

diff --git a/modules/shared_vpc/main.tf b/modules/shared_vpc/main.tf
@@ -65,6 +65,7 @@ module "project-factory" {
 module "shared_vpc_access" {
   source                 = "../shared_vpc_access"
   host_project_id        = var.shared_vpc
+  shared_vpc_enabled     = true
   service_project_id     = module.project-factory.project_id
   active_apis            = module.project-factory.enabled_apis
   shared_vpc_subnets     = var.shared_vpc_subnets

diff --git a/modules/shared_vpc/variables.tf b/modules/shared_vpc/variables.tf
@@ -185,12 +185,6 @@ variable "disable_dependent_services" {
   type        = bool
 }
 
-variable "shared_vpc_enabled" {
-  description = "If shared VPC should be used"
-  type        = bool
-  default     = false
-}
-
 variable "budget_amount" {
   description = "The amount to use for a budget alert"
   type        = number

diff --git a/modules/shared_vpc_access/README.md b/modules/shared_vpc_access/README.md
@@ -33,6 +33,7 @@ module "shared_vpc_access" {
 | lookup\_project\_numbers | Whether to look up the project numbers from data sources. If false, `service_project_number` will be used instead. | `bool` | `true` | no |
 | service\_project\_id | The ID of the service project | `string` | n/a | yes |
 | service\_project\_number | Project number of the service project. Will be used if `lookup_service_project_number` is false. | `string` | `null` | no |
+| shared\_vpc\_enabled | Flag set if SVPC enabled | `bool` | n/a | yes |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
 
 ## Outputs

diff --git a/modules/shared_vpc_access/main.tf b/modules/shared_vpc_access/main.tf
@@ -63,7 +63,7 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
  if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
  *****************************************/
 resource "google_project_iam_member" "service_shared_vpc_user" {
-  for_each = length(var.shared_vpc_subnets) == 0 ? local.active_apis : []
+  for_each = (length(var.shared_vpc_subnets) == 0) && var.shared_vpc_enabled ? local.active_apis : []
   project  = var.host_project_id
   role     = "roles/compute.networkUser"
   member   = format("serviceAccount:%s", local.apis[each.value])
@@ -74,7 +74,7 @@ resource "google_project_iam_member" "service_shared_vpc_user" {
   See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
  *****************************************/
 resource "google_project_iam_member" "gke_host_agent" {
-  count   = local.gke_shared_vpc_enabled ? 1 : 0
+  count   = local.gke_shared_vpc_enabled && var.shared_vpc_enabled ? 1 : 0
   project = var.host_project_id
   role    = "roles/container.hostServiceAgentUser"
   member  = format("serviceAccount:%s", local.apis["container.googleapis.com"])

diff --git a/modules/shared_vpc_access/variables.tf b/modules/shared_vpc_access/variables.tf
@@ -19,6 +19,11 @@ variable "host_project_id" {
   type        = string
 }
 
+variable "shared_vpc_enabled" {
+  description = "Flag set if SVPC enabled"
+  type        = bool
+}
+
 variable "service_project_id" {
   description = "The ID of the service project"
   type        = string