diff --git a/metadata.yaml b/metadata.yaml
index cfbbf543..67b673f8 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,408 +19,369 @@ metadata: annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud Project Factory Terraform Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 15.0.1 - actuationTool: - type: Terraform - version: '>=0.13.0' - subBlueprints: - - name: app_engine - location: modules/app_engine - - name: budget - location: modules/budget - - name: core_project_factory - location: modules/core_project_factory - - name: essential_contacts - location: modules/essential_contacts - - name: fabric-project - location: modules/fabric-project - - name: gsuite_enabled - location: modules/gsuite_enabled - - name: gsuite_group - location: modules/gsuite_group - - name: project_services - location: modules/project_services - - name: quota_manager - location: modules/quota_manager - - name: shared_vpc_access - location: modules/shared_vpc_access - - name: svpc_service_project - location: modules/svpc_service_project - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: activate_api_identities - description: |2 - The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles). - APIs in this list will automatically be appended to `activate_apis`. 
- Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created). - Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles. - type: |- - list(object({ - api = string - roles = list(string) - })) - default: [] - required: false - - name: activate_apis - description: The list of apis to activate within the project - type: list(string) - default: - - compute.googleapis.com - required: false - - name: auto_create_network - description: Create the default network - type: bool - default: false - required: false - - name: billing_account - description: The ID of the billing account to associate this project with - type: string - required: true - - name: bucket_force_destroy - description: Force the deletion of all objects within the GCS bucket when deleting the bucket (optional) - type: bool - default: false - required: false - - name: bucket_labels - description: ' A map of key/value label pairs to assign to the bucket (optional)' - type: map(string) - default: {} - required: false - - name: bucket_location - description: The location for a GCS bucket to create (optional) - type: string - default: US - required: false - - name: bucket_name - description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_pap - description: Enable Public Access Prevention. Possible values are "enforced" or "inherited". 
- type: string - default: inherited - required: false - - name: bucket_project - description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_ula - description: Enable Uniform Bucket Level Access - type: bool - default: true - required: false - - name: bucket_versioning - description: Enable versioning for a GCS bucket to create (optional) - type: bool - default: false - required: false - - name: budget_alert_pubsub_topic - description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` - type: string - required: false - - name: budget_alert_spend_basis - description: The type of basis used to determine if spend has passed the threshold - type: string - default: CURRENT_SPEND - required: false - - name: budget_alert_spent_percents - description: A list of percentages of the budget to alert on when threshold is exceeded - type: list(number) - default: - - 0.5 - - 0.7 - - 1 - required: false - - name: budget_amount - description: The amount to use for a budget alert - type: number - required: false - - name: budget_calendar_period - description: Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. custom_period_start_date and custom_period_end_date must be set if CUSTOM - type: string - required: false - - name: budget_custom_period_end_date - description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM - type: string - required: false - - name: budget_custom_period_start_date - description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM - type: string - required: false - - name: budget_display_name - description: 'The display name of the budget. 
If not set defaults to `Budget For ` ' - type: string - required: false - - name: budget_labels - description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. - type: map(string) - default: {} - required: false - - name: budget_monitoring_notification_channels - description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. - type: list(string) - default: [] - required: false - - name: consumer_quotas - description: The quotas configuration you want to override for the project. - type: |- - list(object({ - service = string, - metric = string, - dimensions = map(string), - limit = string, - value = string, - })) - default: [] - required: false - - name: create_project_sa - description: Whether the default service account for the project shall be created - type: bool - default: true - required: false - - name: default_network_tier - description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. - type: string - default: "" - required: false - - name: default_service_account - description: 'Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`.' - type: string - default: disable - required: false - - name: disable_dependent_services - description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. - type: bool - default: true - required: false - - name: disable_services_on_destroy - description: Whether project services will be disabled when the resources are destroyed - type: bool - default: true - required: false - - name: domain - description: The domain name (optional). 
- type: string - default: "" - required: false - - name: enable_shared_vpc_host_project - description: If this project is a shared VPC host project. If true, you must *not* set svpc_host_project_id variable. Default is false. - type: bool - default: false - required: false - - name: essential_contacts - description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category - type: map(list(string)) - default: {} - required: false - - name: folder_id - description: The ID of a folder to host this project - type: string - default: "" - required: false - - name: grant_network_role - description: Whether or not to grant networkUser role on the host project/subnets - type: bool - default: true - required: false - - name: grant_services_security_admin_role - description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules - type: bool - default: false - required: false - - name: group_name - description: A group to control the project by being assigned group_role (defaults to project editor) - type: string - default: "" - required: false - - name: group_role - description: The role to give the controlling group (group_name) over the project (defaults to project editor) - type: string - default: roles/editor - required: false - - name: labels - description: Map of labels for project - type: map(string) - default: {} - required: false - - name: language_tag - description: Language code to be used for essential contacts notifications - type: string - default: en-US - required: false - - name: lien - description: Add a lien on the project to prevent accidental deletion - type: bool - default: false - required: false - - name: name - description: The name for the project - type: string - required: true - - name: org_id - description: The organization ID. 
- type: string - required: true - - name: project_id - description: The ID to give the project. If not provided, the `name` will be used. - type: string - default: "" - required: false - - name: project_sa_name - description: Default service account name for the project. - type: string - default: project-service-account - required: false - - name: random_project_id - description: Adds a suffix of 4 random characters to the `project_id`. - type: bool - default: false - required: false - - name: random_project_id_length - description: Sets the length of `random_project_id` to the provided length, and uses a `random_string` for a larger collusion domain. Recommended for use with CI. - type: number - required: false - - name: sa_role - description: A role to give the default Service Account for the project (defaults to none) - type: string - default: "" - required: false - - name: shared_vpc_subnets - description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) - type: list(string) - default: [] - required: false - - name: svpc_host_project_id - description: The ID of the host project which hosts the shared VPC - type: string - default: "" - required: false - - name: usage_bucket_name - description: Name of a GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - - name: usage_bucket_prefix - description: Prefix in the GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - - name: vpc_service_control_attach_enabled - description: Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true - type: bool - default: false - required: false - - name: vpc_service_control_attach_dry_run - description: Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. 
vpc_service_control_attach_enabled should be false for this to be true - type: bool - default: false - required: false - - name: vpc_service_control_perimeter_name - description: The name of a VPC Service Control Perimeter to add the created project to - type: string - required: false - - name: vpc_service_control_sleep_duration - description: The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent. - type: string - default: 5s - required: false - outputs: - - name: api_s_account - description: API service account email - - name: api_s_account_fmt - description: API service account email formatted for terraform use - - name: budget_name - description: The name of the budget if created - - name: domain - description: The organization's domain - - name: enabled_api_identities - description: Enabled API identities in the project - - name: enabled_apis - description: Enabled APIs in the project - - name: group_email - description: The email of the G Suite group with group_name - - name: project_bucket_self_link - description: Project's bucket selfLink - - name: project_bucket_url - description: Project's bucket url - - name: project_id - description: ID of the project - - name: project_name - description: Name of the project - - name: project_number - description: Numeric identifier for the project - - name: service_account_display_name - description: The display name of the default service account - - name: service_account_email - description: The email of the default service account - - name: service_account_id - description: The id of the default service account - - name: service_account_name - description: The fully-qualified name of the default service account - - name: service_account_unique_id - description: The unique id of the default service account - roles: - - level: Project + info: + title: Google Cloud Project Factory Terraform Module + 
source: + repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git + sourceType: git + version: 15.0.1 + actuationTool: + flavor: Terraform + version: ">=0.13.0" + description: {} + content: + subBlueprints: + - name: app_engine + location: modules/app_engine + - name: budget + location: modules/budget + - name: core_project_factory + location: modules/core_project_factory + - name: essential_contacts + location: modules/essential_contacts + - name: fabric-project + location: modules/fabric-project + - name: gsuite_enabled + location: modules/gsuite_enabled + - name: gsuite_group + location: modules/gsuite_group + - name: project_services + location: modules/project_services + - name: quota_manager + location: modules/quota_manager + - name: shared_vpc_access + location: modules/shared_vpc_access + - name: svpc_service_project + location: modules/svpc_service_project + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: activate_api_identities + description: " The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. 
in order to grant additional roles).\n APIs in this list will automatically be appended to `activate_apis`.\n Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).\n Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.\n" + varType: |- + list(object({ + api = string + roles = list(string) + })) + defaultValue: [] + - name: activate_apis + description: The list of apis to activate within the project + varType: list(string) + defaultValue: + - compute.googleapis.com + - name: auto_create_network + description: Create the default network + varType: bool + defaultValue: false + - name: billing_account + description: The ID of the billing account to associate this project with + varType: string + required: true + - name: bucket_force_destroy + description: Force the deletion of all objects within the GCS bucket when deleting the bucket (optional) + varType: bool + defaultValue: false + - name: bucket_labels + description: " A map of key/value label pairs to assign to the bucket (optional)" + varType: map(string) + defaultValue: {} + - name: bucket_location + description: The location for a GCS bucket to create (optional) + varType: string + defaultValue: US + - name: bucket_name + description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_pap + description: Enable Public Access Prevention. Possible values are "enforced" or "inherited". 
+ varType: string + defaultValue: inherited + - name: bucket_project + description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_ula + description: Enable Uniform Bucket Level Access + varType: bool + defaultValue: true + - name: bucket_versioning + description: Enable versioning for a GCS bucket to create (optional) + varType: bool + defaultValue: false + - name: budget_alert_pubsub_topic + description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` + varType: string + - name: budget_alert_spend_basis + description: The type of basis used to determine if spend has passed the threshold + varType: string + defaultValue: CURRENT_SPEND + - name: budget_alert_spent_percents + description: A list of percentages of the budget to alert on when threshold is exceeded + varType: list(number) + defaultValue: + - 0.5 + - 0.7 + - 1 + - name: budget_amount + description: The amount to use for a budget alert + varType: number + - name: budget_calendar_period + description: Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. custom_period_start_date and custom_period_end_date must be set if CUSTOM + varType: string + - name: budget_custom_period_end_date + description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM + varType: string + - name: budget_custom_period_start_date + description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM + varType: string + - name: budget_display_name + description: "The display name of the budget. If not set defaults to `Budget For ` " + varType: string + - name: budget_labels + description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. 
+ varType: map(string) + defaultValue: {} + - name: budget_monitoring_notification_channels + description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. + varType: list(string) + defaultValue: [] + - name: consumer_quotas + description: The quotas configuration you want to override for the project. + varType: |- + list(object({ + service = string, + metric = string, + dimensions = map(string), + limit = string, + value = string, + })) + defaultValue: [] + - name: create_project_sa + description: Whether the default service account for the project shall be created + varType: bool + defaultValue: true + - name: default_network_tier + description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. + varType: string + defaultValue: "" + - name: default_service_account + description: "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`." + varType: string + defaultValue: disable + - name: disable_dependent_services + description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. + varType: bool + defaultValue: true + - name: disable_services_on_destroy + description: Whether project services will be disabled when the resources are destroyed + varType: bool + defaultValue: true + - name: domain + description: The domain name (optional). + varType: string + defaultValue: "" + - name: enable_shared_vpc_host_project + description: If this project is a shared VPC host project. If true, you must *not* set svpc_host_project_id variable. Default is false. 
+ varType: bool + defaultValue: false + - name: essential_contacts + description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category + varType: map(list(string)) + defaultValue: {} + - name: folder_id + description: The ID of a folder to host this project + varType: string + defaultValue: "" + - name: grant_network_role + description: Whether or not to grant networkUser role on the host project/subnets + varType: bool + defaultValue: true + - name: grant_services_security_admin_role + description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules + varType: bool + defaultValue: false + - name: group_name + description: A group to control the project by being assigned group_role (defaults to project editor) + varType: string + defaultValue: "" + - name: group_role + description: The role to give the controlling group (group_name) over the project (defaults to project editor) + varType: string + defaultValue: roles/editor + - name: labels + description: Map of labels for project + varType: map(string) + defaultValue: {} + - name: language_tag + description: Language code to be used for essential contacts notifications + varType: string + defaultValue: en-US + - name: lien + description: Add a lien on the project to prevent accidental deletion + varType: bool + defaultValue: false + - name: name + description: The name for the project + varType: string + required: true + - name: org_id + description: The organization ID. + varType: string + - name: project_id + description: The ID to give the project. If not provided, the `name` will be used. + varType: string + defaultValue: "" + - name: project_sa_name + description: Default service account name for the project. + varType: string + defaultValue: project-service-account + - name: random_project_id + description: Adds a suffix of 4 random characters to the `project_id`. 
+ varType: bool + defaultValue: false + - name: random_project_id_length + description: Sets the length of `random_project_id` to the provided length, and uses a `random_string` for a larger collusion domain. Recommended for use with CI. + varType: number + - name: sa_role + description: A role to give the default Service Account for the project (defaults to none) + varType: string + defaultValue: "" + - name: shared_vpc_subnets + description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) + varType: list(string) + defaultValue: [] + - name: svpc_host_project_id + description: The ID of the host project which hosts the shared VPC + varType: string + defaultValue: "" + - name: tag_binding_values + description: Tag values to bind the project to. + varType: list(string) + defaultValue: [] + - name: usage_bucket_name + description: Name of a GCS bucket to store GCE usage reports in (optional) + varType: string + defaultValue: "" + - name: usage_bucket_prefix + description: Prefix in the GCS bucket to store GCE usage reports in (optional) + varType: string + defaultValue: "" + - name: vpc_service_control_attach_dry_run + description: Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true + varType: bool + defaultValue: false + - name: vpc_service_control_attach_enabled + description: Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. 
vpc_service_control_attach_dry_run should be false for this to be true + varType: bool + defaultValue: false + - name: vpc_service_control_perimeter_name + description: The name of a VPC Service Control Perimeter to add the created project to + varType: string + - name: vpc_service_control_sleep_duration + description: The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent. + varType: string + defaultValue: 5s + outputs: + - name: api_s_account + description: API service account email + - name: api_s_account_fmt + description: API service account email formatted for terraform use + - name: budget_name + description: The name of the budget if created + - name: domain + description: The organization's domain + - name: enabled_api_identities + description: Enabled API identities in the project + - name: enabled_apis + description: Enabled APIs in the project + - name: group_email + description: The email of the G Suite group with group_name + - name: project_bucket_self_link + description: Project's bucket selfLink + - name: project_bucket_url + description: Project's bucket url + - name: project_id + description: ID of the project + - name: project_name + description: Name of the project + - name: project_number + description: Numeric identifier for the project + - name: service_account_display_name + description: The display name of the default service account + - name: service_account_email + description: The email of the default service account + - name: service_account_id + description: The id of the default service account + - name: service_account_name + description: The fully-qualified name of the default service account + - name: service_account_unique_id + description: The unique id of the default service account + - name: tag_bindings + description: Tag bindings + - name: usage_report_export_bucket + description: GCE usage reports bucket + 
requirements:
roles:
- - roles/owner
- - roles/compute.admin
- - roles/iam.serviceAccountAdmin
- - roles/resourcemanager.projectIamAdmin
- - roles/storage.admin
- - roles/iam.serviceAccountUser
- - roles/billing.projectManager
- - level: Project
- roles:
- - roles/owner
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.folderIamAdmin
- - roles/billing.projectManager
- - roles/compute.xpnAdmin
- - level: Project
- roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/resourcemanager.organizationViewer
- services:
- - admin.googleapis.com
- - appengine.googleapis.com
- - cloudbilling.googleapis.com
- - cloudresourcemanager.googleapis.com
- - compute.googleapis.com
- - iam.googleapis.com
- - iamcredentials.googleapis.com
- - oslogin.googleapis.com
- - serviceusage.googleapis.com
- - billingbudgets.googleapis.com
- - pubsub.googleapis.com
- - accesscontextmanager.googleapis.com
- - essentialcontacts.googleapis.com
- - serviceconsumermanagement.googleapis.com
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ -
pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
diff --git a/modules/app_engine/README.md b/modules/app_engine/README.md
new file mode 100644
index 00000000..addcfe55
--- /dev/null
+++ b/modules/app_engine/README.md
@@ -0,0 +1,40 @@
+# App Engine
+
+This module allows the creation of a [google billing budget](https://www.terraform.io/docs/providers/google/r/billing_budget.html) tied to a specific `project_id`
+
+## Usage
+
+Basic usage of this module is as follows:
+
+```hcl
+module "project_myproject" {
+ source = "terraform-google-modules/project-factory/google//modules/budget"
+ billing_account = "ABCD-1234-ABCD-1234"
+ projects = ["my-project-id"]
+ amount = "100"
+}
+```
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| auth\_domain | The domain to authenticate users with when using App Engine's User API. | `string` | `""` | no |
+| feature\_settings | A list of maps of optional settings to configure specific App Engine features. | `list(object({ split_health_checks = bool }))` |
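Review bot: `org_id` loses its `required: true` on the new side (`- name: org_id` / `description: The organization ID.` / `varType: string`) without gaining a `defaultValue`, which changes what the blueprint schema enforces for a value the module uses to place the project; if `variables.tf` now defaults `org_id` to null this is correct, otherwise `required: true` should be restored as it is for `billing_account` and `name`. In `requirements.roles` the newly listed `roles/resourcemanager.tagAdmin` sits beside `roles/resourcemanager.tagUser` at `level: Project`; tagAdmin permits creating and deleting tag keys and values, which the new `tag_binding_values` input (a list of existing values to bind) does not appear to need, so unless the test fixture creates tag keys it should be dropped to keep the stated requirement least-privilege. The `level: Project` on the block carrying `roles/resourcemanager.projectCreator`, `folderAdmin` and `organizationViewer` is unchanged by this commit but reads oddly since those roles bind at folder or organization scope; worth confirming which `level` values the metadata schema accepts.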
[
{
"split_health_checks": true
}
]
| no |
+| location\_id | The location to serve the app from. | `string` | `""` | no |
+| project\_id | The project to enable app engine on. | `string` | n/a | yes |
+| serving\_status | The serving status of the app. | `string` | `"SERVING"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| code\_bucket | The GCS bucket code is being stored in for this app. |
+| default\_bucket | The GCS bucket content is being stored in for this app. |
+| default\_hostname | The default hostname for this app. |
+| location\_id | The location app engine is serving from |
+| name | Unique name of the app, usually apps/{PROJECT\_ID}. |
+| url\_dispatch\_rule | A list of dispatch rule blocks. Each block has a domain, path, and service field. |
+
+
diff --git a/modules/app_engine/metadata.yaml b/modules/app_engine/metadata.yaml
new file mode 100644
index 00000000..e2f31c61
--- /dev/null
+++ b/modules/app_engine/metadata.yaml
@@ -0,0 +1,133 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-project-factory-app-engine
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: App Engine
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
+ sourceType: git
+ dir: /modules/app_engine
+ actuationTool:
+ flavor: Terraform
+ version: ">= 0.13"
+ description: {}
+ content:
+ examples:
+ - name: app_engine
+ location: examples/app_engine
+ - name: budget_project
+ location: examples/budget_project
+ - name: essential_contacts
+ location: examples/essential_contacts
+ - name: fabric_project
+ location: examples/fabric_project
+ - name: gke_shared_vpc
+ location: examples/gke_shared_vpc
+ - name: group_project
+ location: examples/group_project
+ - name: project-hierarchy
+ location: examples/project-hierarchy
+ - name: project_services
+ location: examples/project_services
+ - name: quota_project
+ location: examples/quota_project
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_project
+ location: examples/simple_project
+ - name: tags_project
+ location: examples/tags_project
+ interfaces:
+ variables:
+ - name: auth_domain
+ description: The domain to authenticate users with when using App Engine's User API.
+ varType: string
+ defaultValue: ""
+ - name: feature_settings
+ description: A list of maps of optional settings to configure specific App Engine features.
+ varType: list(object({ split_health_checks = bool }))
+ defaultValue:
+ - split_health_checks: true
+ - name: location_id
+ description: The location to serve the app from.
+ varType: string
+ defaultValue: ""
+ - name: project_id
+ description: The project to enable app engine on.
+ varType: string
+ required: true
+ - name: serving_status
+ description: The serving status of the app.
+ varType: string
+ defaultValue: SERVING
+ outputs:
+ - name: code_bucket
+ description: The GCS bucket code is being stored in for this app.
+ - name: default_bucket
+ description: The GCS bucket content is being stored in for this app.
+ - name: default_hostname
+ description: The default hostname for this app.
+ - name: location_id
+ description: The location app engine is serving from
+ - name: name
+ description: Unique name of the app, usually apps/{PROJECT_ID}.
+ - name: url_dispatch_rule
+ description: A list of dispatch rule blocks. Each block has a domain, path, and service field.
+ requirements:
+ roles:
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ - pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
diff --git a/modules/budget/metadata.yaml b/modules/budget/metadata.yaml
index 70093b3d..d3029bc4 100644
--- a/modules/budget/metadata.yaml
+++ b/modules/budget/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
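Review bot: The new `requirements.roles` block grants `roles/owner`, `roles/resourcemanager.projectCreator`, `roles/resourcemanager.folderAdmin`, `roles/resourcemanager.organizationViewer`, `roles/accesscontextmanager.policyAdmin` and `roles/resourcemanager.tagAdmin`, every entry tagged `level: Project`, for a module whose interface only manages an App Engine application; the identical block is copied into the budget and core_project_factory metadata hunks. Anyone who provisions a CI or deployment identity from this metadata ends up with folder- and organization-scope roles the module never exercises, and `level: Project` is at best misleading for roles such as projectCreator, folderAdmin and organizationViewer that are bound at folder or organization level. `services` has the same shape, enabling 14 APIs (oslogin, pubsub, billingbudgets, ...) where App Engine itself needs `appengine.googleapis.com`. Trim both lists to what each module actually touches, or if the generator copies them from the root module, say so with a comment such as `# roles/services copied from the root module; narrow per module` so readers do not take them as a least-privilege statement. Separately, `info` carries no `version:` here or in the core_project_factory hunk while the budget hunk keeps `version: 15.0.1`; the new files should match.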
@@ -15,148 +15,146 @@ apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: - name: terraform-google-project-factory + name: terraform-google-project-factory-budget annotations: config.kubernetes.io/local-config: "true" spec: - title: Budget configuration for a project - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 15.0.1 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: alert_pubsub_topic - description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` - type: string - required: false - - name: alert_spend_basis - description: The type of basis used to determine if spend has passed the threshold - type: string - default: CURRENT_SPEND - required: false - - name: alert_spent_percents - description: A list of percentages of the budget to alert on when threshold is exceeded - type: list(number) - default: - - 0.5 - - 0.7 - - 1 - required: false - - name: amount - description: The amount to use as the budget - type: number - required: true - - name: billing_account - description: ID of the billing account to set a budget on - type: string - required: true - - name: 
calendar_period - description: Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. custom_period_start_date and custom_period_end_date must be set if CUSTOM - type: string - required: false - - name: create_budget - description: If the budget should be created - type: bool - default: true - required: false - - name: credit_types_treatment - description: Specifies how credits should be treated when determining spend for threshold calculations - type: string - default: INCLUDE_ALL_CREDITS - required: false - - name: custom_period_end_date - description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM - type: string - required: false - - name: custom_period_start_date - description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM - type: string - required: false - - name: display_name - description: 'The display name of the budget. If not set defaults to `Budget For ` ' - type: string - required: false - - name: labels - description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. - type: map(string) - default: {} - required: false - - name: monitoring_notification_channels - description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. - type: list(string) - default: [] - required: false - - name: projects - description: The project ids to include in this budget. If empty budget will include all projects - type: list(string) - required: true - - name: services - description: A list of services ids to be included in the budget. If omitted, all services will be included in the budget. Service ids can be found at https://cloud.google.com/skus/ - type: list(string) - required: false - outputs: - - name: name - description: Resource name of the budget. 
Values are of the form `billingAccounts/{billingAccountId}/budgets/{budgetId}.` - roles: - - level: Project + info: + title: Budget configuration for a project + source: + repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git + sourceType: git + dir: /modules/budget + version: 15.0.1 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: alert_pubsub_topic + description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` + varType: string + - name: alert_spend_basis + description: The type of basis used to determine if spend has passed the threshold + varType: string + defaultValue: CURRENT_SPEND + - name: alert_spent_percents + description: A list of percentages of the budget to alert on when threshold is exceeded + varType: list(number) + defaultValue: + - 0.5 + - 0.7 + - 1 + - name: amount + description: The amount to use as the budget + varType: number + required: true + - name: billing_account + description: ID of the billing account to set a budget on + varType: string + required: true + - name: calendar_period + description: Specifies the 
calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. custom_period_start_date and custom_period_end_date must be set if CUSTOM + varType: string + - name: create_budget + description: If the budget should be created + varType: bool + defaultValue: true + - name: credit_types_treatment + description: Specifies how credits should be treated when determining spend for threshold calculations + varType: string + defaultValue: INCLUDE_ALL_CREDITS + - name: custom_period_end_date + description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM + varType: string + - name: custom_period_start_date + description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM + varType: string + - name: display_name + description: "The display name of the budget. If not set defaults to `Budget For ` " + varType: string + - name: labels + description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. + varType: map(string) + defaultValue: {} + - name: monitoring_notification_channels + description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. + varType: list(string) + defaultValue: [] + - name: projects + description: The project ids to include in this budget. If empty budget will include all projects + varType: list(string) + required: true + - name: services + description: A list of services ids to be included in the budget. If omitted, all services will be included in the budget. Service ids can be found at https://cloud.google.com/skus/ + varType: list(string) + outputs: + - name: name + description: Resource name of the budget. 
Values are of the form `billingAccounts/{billingAccountId}/budgets/{budgetId}.` + requirements: roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - 
oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com diff --git a/modules/core_project_factory/README.md b/modules/core_project_factory/README.md new file mode 100644 index 00000000..2cd0c34b --- /dev/null +++ b/modules/core_project_factory/README.md @@ -0,0 +1,74 @@ +# Core Project Factory + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| activate\_api\_identities | The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).
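Review bot: The `display_name` description on the new side, `"The display name of the budget. If not set defaults to `Budget For ` "`, ends in an empty backtick pair plus a trailing space, so the documented default is unreadable; the token that followed `Budget For` appears to have been lost (possibly an angle-bracketed placeholder dropped on rendering, which would affect the generated README too). If this file is generated from variables.tf, fix the wording at the source so the metadata regenerates cleanly, stating what the default expands to and dropping the trailing space. The `requirements` block here shares the over-broad roles/services list raised on the app_engine hunk.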
APIs in this list will automatically be appended to `activate_apis`. Use for services supported by `gcloud beta services identity create`
Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).
Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles. |
list(object({
api = string
roles = list(string)
}))
| `[]` | no | +| activate\_apis | The list of apis to activate within the project | `list(string)` |
[
"compute.googleapis.com"
]
| no | +| auto\_create\_network | Create the default network | `bool` | `false` | no | +| billing\_account | The ID of the billing account to associate this project with | `string` | n/a | yes | +| bucket\_force\_destroy | Force the deletion of all objects within the GCS bucket when deleting the bucket (optional) | `bool` | `false` | no | +| bucket\_labels | A map of key/value label pairs to assign to the bucket (optional) | `map(string)` | `{}` | no | +| bucket\_location | The location for a GCS bucket to create (optional) | `string` | `"US"` | no | +| bucket\_name | A name for a GCS bucket to create (in the bucket\_project project), useful for Terraform state (optional) | `string` | `""` | no | +| bucket\_pap | Enable Public Access Prevention. Possible values are "enforced" or "inherited". | `string` | `"inherited"` | no | +| bucket\_project | A project to create a GCS bucket (bucket\_name) in, useful for Terraform state (optional) | `string` | `""` | no | +| bucket\_ula | Enable Uniform Bucket Level Access | `bool` | `true` | no | +| bucket\_versioning | Enable versioning for a GCS bucket to create (optional) | `bool` | `false` | no | +| create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no | +| default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no | +| default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no | +| disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. 
| `bool` | `true` | no | +| disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no | +| enable\_shared\_vpc\_host\_project | If this project is a shared VPC host project. If true, you must *not* set shared\_vpc variable. Default is false. | `bool` | `false` | no | +| enable\_shared\_vpc\_service\_project | If this project should be attached to a shared VPC. If true, you must set shared\_vpc variable. | `bool` | n/a | yes | +| folder\_id | The ID of a folder to host this project | `string` | `""` | no | +| grant\_network\_role | Whether or not to grant networkUser role on the host project/subnets | `bool` | `true` | no | +| group\_email | The email address of a group to control the project by being assigned group\_role. | `string` | `""` | no | +| group\_role | The role to give the controlling group (group\_name) over the project. | `string` | `""` | no | +| labels | Map of labels for project | `map(string)` | `{}` | no | +| lien | Add a lien on the project to prevent accidental deletion | `bool` | `false` | no | +| manage\_group | A toggle to indicate if a G Suite group should be managed. | `bool` | `false` | no | +| name | The name for the project | `string` | n/a | yes | +| org\_id | The organization ID. | `string` | `null` | no | +| project\_id | The ID to give the project. If not provided, the `name` will be used. | `string` | `""` | no | +| project\_sa\_name | Default service account name for the project. | `string` | `"project-service-account"` | no | +| random\_project\_id | Adds a suffix of 4 random characters to the `project_id`. | `bool` | `false` | no | +| random\_project\_id\_length | Sets the length of `random_project_id` to the provided length, and uses a `random_string` for a larger collusion domain. Recommended for use with CI. 
| `number` | `null` | no | +| sa\_role | A role to give the default Service Account for the project (defaults to none) | `string` | `""` | no | +| shared\_vpc | The ID of the host project which hosts the shared VPC | `string` | `""` | no | +| shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no | +| tag\_binding\_values | Tag values to bind the project to. | `list(string)` | `[]` | no | +| usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no | +| usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no | +| vpc\_service\_control\_attach\_dry\_run | Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc\_service\_control\_attach\_enabled should be false for this to be true | `bool` | `false` | no | +| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc\_service\_control\_attach\_dry\_run should be false for this to be true | `bool` | `false` | no | +| vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no | +| vpc\_service\_control\_sleep\_duration | The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent. 
| `string` | `"5s"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| api\_s\_account | API service account email | +| api\_s\_account\_fmt | API service account email formatted for terraform use | +| enabled\_api\_identities | Enabled API identities in the project | +| enabled\_apis | Enabled APIs in the project | +| project\_bucket\_name | The name of the projec's bucket | +| project\_bucket\_self\_link | Project's bucket selfLink | +| project\_bucket\_url | Project's bucket url | +| project\_id | ID of the project | +| project\_name | Name of the project | +| project\_number | Numeric identifier for the project | +| service\_account\_display\_name | The display name of the default service account | +| service\_account\_email | The email of the default service account | +| service\_account\_id | The id of the default service account | +| service\_account\_name | The fully-qualified name of the default service account | +| service\_account\_unique\_id | The unique id of the default service account | +| tag\_bindings | Tag bindings | +| usage\_report\_export\_bucket | GCE usage reports bucket | + + diff --git a/modules/core_project_factory/metadata.yaml b/modules/core_project_factory/metadata.yaml new file mode 100644 index 00000000..2db19b1f --- /dev/null +++ b/modules/core_project_factory/metadata.yaml 
@@ -0,0 +1,304 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-project-factory-core-project-factory
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Core Project Factory
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
+ sourceType: git
+ dir: /modules/core_project_factory
+ actuationTool:
+ flavor: Terraform
+ version: ">= 0.13"
+ description: {}
+ content:
+ examples:
+ - name: app_engine
+ location: examples/app_engine
+ - name: budget_project
+ location: examples/budget_project
+ - name: essential_contacts
+ location: examples/essential_contacts
+ - name: fabric_project
+ location: examples/fabric_project
+ - name: gke_shared_vpc
+ location: examples/gke_shared_vpc
+ - name: group_project
+ location: examples/group_project
+ - name: project-hierarchy
+ location: examples/project-hierarchy
+ - name: project_services
+ location: examples/project_services
+ - name: quota_project
+ location: examples/quota_project
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_project
+ location: examples/simple_project
+ - name: tags_project
+ location: examples/tags_project
+ interfaces:
+ variables:
+ - name: activate_api_identities
+ description: " The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).\n APIs in this list will automatically be appended to `activate_apis`. Use for services supported by `gcloud beta services identity create`\n Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).\n Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.\n"
+ varType: |-
+ list(object({
+ api = string
+ roles = list(string)
+ }))
+ defaultValue: []
+ - name: activate_apis
+ description: The list of apis to activate within the project
+ varType: list(string)
+ defaultValue:
+ - compute.googleapis.com
+ - name: auto_create_network
+ description: Create the default network
+ varType: bool
+ defaultValue: false
+ - name: billing_account
+ description: The ID of the billing account to associate this project with
+ varType: string
+ required: true
+ - name: bucket_force_destroy
+ description: Force the deletion of all objects within the GCS bucket when deleting the bucket (optional)
+ varType: bool
+ defaultValue: false
+ - name: bucket_labels
+ description: " A map of key/value label pairs to assign to the bucket (optional)"
+ varType: map(string)
+ defaultValue: {}
+ - name: bucket_location
+ description: The location for a GCS bucket to create (optional)
+ varType: string
+ defaultValue: US
+ - name: bucket_name
+ description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional)
+ varType: string
+ defaultValue: ""
+ - name: bucket_pap
+ description: Enable Public Access Prevention. Possible values are "enforced" or "inherited".
+ varType: string
+ defaultValue: inherited
+ - name: bucket_project
+ description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional)
+ varType: string
+ defaultValue: ""
+ - name: bucket_ula
+ description: Enable Uniform Bucket Level Access
+ varType: bool
+ defaultValue: true
+ - name: bucket_versioning
+ description: Enable versioning for a GCS bucket to create (optional)
+ varType: bool
+ defaultValue: false
+ - name: create_project_sa
+ description: Whether the default service account for the project shall be created
+ varType: bool
+ defaultValue: true
+ - name: default_network_tier
+ description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers.
+ varType: string
+ defaultValue: ""
+ - name: default_service_account
+ description: "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
+ varType: string
+ defaultValue: disable
+ - name: disable_dependent_services
+ description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed.
+ varType: bool
+ defaultValue: true
+ - name: disable_services_on_destroy
+ description: Whether project services will be disabled when the resources are destroyed
+ varType: bool
+ defaultValue: true
+ - name: enable_shared_vpc_host_project
+ description: If this project is a shared VPC host project. If true, you must *not* set shared_vpc variable. Default is false.
+ varType: bool
+ defaultValue: false
+ - name: enable_shared_vpc_service_project
+ description: If this project should be attached to a shared VPC. If true, you must set shared_vpc variable.
+ varType: bool
+ required: true
+ - name: folder_id
+ description: The ID of a folder to host this project
+ varType: string
+ defaultValue: ""
+ - name: grant_network_role
+ description: Whether or not to grant networkUser role on the host project/subnets
+ varType: bool
+ defaultValue: true
+ - name: group_email
+ description: The email address of a group to control the project by being assigned group_role.
+ varType: string
+ defaultValue: ""
+ - name: group_role
+ description: The role to give the controlling group (group_name) over the project.
+ varType: string
+ defaultValue: ""
+ - name: labels
+ description: Map of labels for project
+ varType: map(string)
+ defaultValue: {}
+ - name: lien
+ description: Add a lien on the project to prevent accidental deletion
+ varType: bool
+ defaultValue: false
+ - name: manage_group
+ description: A toggle to indicate if a G Suite group should be managed.
+ varType: bool
+ defaultValue: false
+ - name: name
+ description: The name for the project
+ varType: string
+ required: true
+ - name: org_id
+ description: The organization ID.
+ varType: string
+ - name: project_id
+ description: The ID to give the project. If not provided, the `name` will be used.
+ varType: string
+ defaultValue: ""
+ - name: project_sa_name
+ description: Default service account name for the project.
+ varType: string
+ defaultValue: project-service-account
+ - name: random_project_id
+ description: Adds a suffix of 4 random characters to the `project_id`.
+ varType: bool
+ defaultValue: false
+ - name: random_project_id_length
+ description: Sets the length of `random_project_id` to the provided length, and uses a `random_string` for a larger collusion domain. Recommended for use with CI.
+ varType: number
+ - name: sa_role
+ description: A role to give the default Service Account for the project (defaults to none)
+ varType: string
+ defaultValue: ""
+ - name: shared_vpc
+ description: The ID of the host project which hosts the shared VPC
+ varType: string
+ defaultValue: ""
+ - name: shared_vpc_subnets
+ description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)
+ varType: list(string)
+ defaultValue: []
+ - name: tag_binding_values
+ description: Tag values to bind the project to.
+ varType: list(string)
+ defaultValue: []
+ - name: usage_bucket_name
+ description: Name of a GCS bucket to store GCE usage reports in (optional)
+ varType: string
+ defaultValue: ""
+ - name: usage_bucket_prefix
+ description: Prefix in the GCS bucket to store GCE usage reports in (optional)
+ varType: string
+ defaultValue: ""
+ - name: vpc_service_control_attach_dry_run
+ description: Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true
+ varType: bool
+ defaultValue: false
+ - name: vpc_service_control_attach_enabled
+ description: Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true
+ varType: bool
+ defaultValue: false
+ - name: vpc_service_control_perimeter_name
+ description: The name of a VPC Service Control Perimeter to add the created project to
+ varType: string
+ - name: vpc_service_control_sleep_duration
+ description: The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent.
+ varType: string
+ defaultValue: 5s
+ outputs:
+ - name: api_s_account
+ description: API service account email
+ - name: api_s_account_fmt
+ description: API service account email formatted for terraform use
+ - name: enabled_api_identities
+ description: Enabled API identities in the project
+ - name: enabled_apis
+ description: Enabled APIs in the project
+ - name: project_bucket_name
+ description: The name of the projec's bucket
+ - name: project_bucket_self_link
+ description: Project's bucket selfLink
+ - name: project_bucket_url
+ description: Project's bucket url
+ - name: project_id
+ description: ID of the project
+ - name: project_name
+ description: Name of the project
+ - name: project_number
+ description: Numeric identifier for the project
+ - name: service_account_display_name
+ description: The display name of the default service account
+ - name: service_account_email
+ description: The email of the default service account
+ - name: service_account_id
+ description: The id of the default service account
+ - name: service_account_name
+ description: The fully-qualified name of the default service account
+ - name: service_account_unique_id
+ description: The unique id of the default service account
+ - name: tag_bindings
+ description: Tag bindings
+ - name: usage_report_export_bucket
+ description: GCE usage reports bucket
+ requirements:
+ roles:
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ - pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
diff --git a/modules/essential_contacts/metadata.yaml b/modules/essential_contacts/metadata.yaml
index d2a93dec..e813cabf 100644
--- a/modules/essential_contacts/metadata.yaml
+++ b/modules/essential_contacts/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
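Review bot: The `description` for `activate_api_identities` is a double-quoted scalar with a leading space and four embedded `\n` escapes, and `bucket_labels` carries a stray leading space (`" A map of key/value label pairs ..."`); both look like a heredoc pasted verbatim by the generator rather than intentional formatting. Write the multi-line one as a block scalar (`description: |` followed by one indented line per sentence, which also drops the leading space) and trim the other to `description: A map of key/value label pairs to assign to the bucket (optional)`; if these strings come from variables.tf, fix the whitespace there so README and metadata regenerate consistently. Two typos also propagate into the new file: `projec's bucket` under `project_bucket_name` and `collusion domain` under `random_project_id_length`, which should read `project's bucket` and `collision domain`. The `requirements` block shares the over-broad roles/services list raised on the app_engine hunk.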
@@ -15,94 +15,103 @@ apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: - name: terraform-google-project-factory + name: terraform-google-project-factory-essential-contacts annotations: config.kubernetes.io/local-config: "true" spec: - title: Essential Contacts configuration - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 15.0.1 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: essential_contacts - description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category - type: map(list(string)) - default: {} - required: false - - name: language_tag - description: Language code to be used for essential contacts notifiactions - type: string - required: true - - name: project_id - description: The GCP project you want to send Essential Contacts notifications for - type: string - required: true - outputs: - - name: essential_contacts - description: Essential Contact resources created - - name: project_id - description: The GCP project you want to enable APIs on - roles: - - level: Project + info: + title: Essential Contacts configuration + source: + repo: 
https://github.com/terraform-google-modules/terraform-google-project-factory.git + sourceType: git + dir: /modules/essential_contacts + version: 15.0.1 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: essential_contacts + description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category + varType: map(list(string)) + defaultValue: {} + - name: language_tag + description: Language code to be used for essential contacts notifiactions + varType: string + required: true + - name: project_id + description: The GCP project you want to send Essential Contacts notifications for + varType: string + required: true + outputs: + - name: essential_contacts + description: Essential Contact resources created + - name: project_id + description: The GCP project you want to enable APIs on + requirements: roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - level: Project - roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - 
roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com diff --git a/modules/fabric-project/metadata.yaml b/modules/fabric-project/metadata.yaml index d9ca53c9..7bffaf29 100644 --- a/modules/fabric-project/metadata.yaml 
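Review bot: The rewritten `requirements.roles` block still lists `roles/owner`, `roles/compute.admin`, `roles/resourcemanager.folderAdmin`, `roles/compute.xpnAdmin` and similar for a module whose only declared resources are Essential Contacts entries, so anyone using this metadata to provision a deployer identity will over-grant; the declared need should be narrowed to what the module actually touches (on the visible evidence, Essential Contacts on a single project, e.g. `roles/essentialcontacts.admin`) and the `services` list to `essentialcontacts.googleapis.com` plus whatever the examples require. All three role groups are labelled `level: Project` although several entries (`projectCreator`, `folderAdmin`, `organizationViewer`) only make sense at folder or organization scope; if the generator copies these from the root module's test setup, a comment saying so would stop readers treating them as this module's minimum. Two copy-paste slips carry over to the new side: the `project_id` output is described as `The GCP project you want to enable APIs on`, and `language_tag` still reads `notifiactions`; suggested `description: The GCP project the Essential Contacts were configured for` and `notifications`.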
+++ b/modules/fabric-project/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,178 +15,173 @@ apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: - name: terraform-google-project-factory + name: terraform-google-project-factory-fabric-project annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud Simple Project Creation - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 15.0.1 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: activate_apis - description: Service APIs to enable. - type: list(string) - default: [] - required: false - - name: auto_create_network - description: Whether to create the default network for the project - type: bool - default: false - required: false - - name: billing_account - description: Billing account id. - type: string - default: "" - required: false - - name: custom_roles - description: Map of role name => comma-delimited list of permissions to create in this project. - type: map(string) - default: {} - required: false - - name: editors - description: Optional list of IAM-format members to set as project editor. 
- type: list(string) - default: [] - required: false - - name: extra_bindings_members - description: List of comma-delimited IAM-format members for additional IAM bindings, one item per role. - type: list(string) - default: [] - required: false - - name: extra_bindings_roles - description: List of roles for additional IAM bindings, pair with members list below. - type: list(string) - default: [] - required: false - - name: gce_service_account_roles - description: List of project id=>role to assign to the default GCE service account. - type: list(string) - default: [] - required: false - - name: labels - description: Resource labels. - type: map(string) - default: {} - required: false - - name: lien_reason - description: If non-empty, creates a project lien with this description. - type: string - default: "" - required: false - - name: name - description: Project name and id suffix. - type: string - required: true - - name: oslogin - description: Enable oslogin. - type: bool - default: false - required: false - - name: oslogin_admins - description: List of IAM-format members that will get OS Login admin role. - type: list(string) - default: [] - required: false - - name: oslogin_users - description: List of IAM-format members that will get OS Login user role. - type: list(string) - default: [] - required: false - - name: owners - description: Optional list of IAM-format members to set as project owners. - type: list(string) - default: [] - required: false - - name: parent - description: The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. - type: string - required: true - - name: prefix - description: Prefix used to generate project id and name. - type: string - required: true - - name: viewers - description: Optional list of IAM-format members to set as project viewers. 
- type: list(string) - default: [] - required: false - outputs: - - name: cloudsvc_service_account - description: Cloud services service account (depends on services). - - name: custom_roles - description: Ids of the created custom roles. - - name: gce_service_account - description: Default GCE service account (depends on services). - - name: gke_service_account - description: Default GKE service account (depends on services). - - name: name - description: Name (depends on services). - - name: number - description: Project number (depends on services). - - name: project_id - description: Project id (depends on services). - roles: - - level: Project + info: + title: Google Cloud Simple Project Creation + source: + repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git + sourceType: git + dir: /modules/fabric-project + version: 15.0.1 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: activate_apis + description: Service APIs to enable. 
+ varType: list(string) + defaultValue: [] + - name: auto_create_network + description: Whether to create the default network for the project + varType: bool + defaultValue: false + - name: billing_account + description: Billing account id. + varType: string + defaultValue: "" + - name: custom_roles + description: Map of role name => comma-delimited list of permissions to create in this project. + varType: map(string) + defaultValue: {} + - name: editors + description: Optional list of IAM-format members to set as project editor. + varType: list(string) + defaultValue: [] + - name: extra_bindings_members + description: List of comma-delimited IAM-format members for additional IAM bindings, one item per role. + varType: list(string) + defaultValue: [] + - name: extra_bindings_roles + description: List of roles for additional IAM bindings, pair with members list below. + varType: list(string) + defaultValue: [] + - name: gce_service_account_roles + description: List of project id=>role to assign to the default GCE service account. + varType: list(string) + defaultValue: [] + - name: labels + description: Resource labels. + varType: map(string) + defaultValue: {} + - name: lien_reason + description: If non-empty, creates a project lien with this description. + varType: string + defaultValue: "" + - name: name + description: Project name and id suffix. + varType: string + required: true + - name: oslogin + description: Enable oslogin. + varType: bool + defaultValue: false + - name: oslogin_admins + description: List of IAM-format members that will get OS Login admin role. + varType: list(string) + defaultValue: [] + - name: oslogin_users + description: List of IAM-format members that will get OS Login user role. + varType: list(string) + defaultValue: [] + - name: owners + description: Optional list of IAM-format members to set as project owners. 
+ varType: list(string) + defaultValue: [] + - name: parent + description: The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. + varType: string + required: true + - name: prefix + description: Prefix used to generate project id and name. + varType: string + required: true + - name: viewers + description: Optional list of IAM-format members to set as project viewers. + varType: list(string) + defaultValue: [] + outputs: + - name: cloudsvc_service_account + description: Cloud services service account (depends on services). + - name: custom_roles + description: Ids of the created custom roles. + - name: gce_service_account + description: Default GCE service account (depends on services). + - name: gke_service_account + description: Default GKE service account (depends on services). + - name: name + description: Name (depends on services). + - name: number + description: Project number (depends on services). + - name: project_id + description: Project id (depends on services). 
+ requirements: roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - level: Project - roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager - services: - - admin.googleapis.com - - appengine.googleapis.com - - cloudbilling.googleapis.com - - cloudresourcemanager.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - iamcredentials.googleapis.com - - oslogin.googleapis.com - - serviceusage.googleapis.com - - billingbudgets.googleapis.com - - pubsub.googleapis.com - - accesscontextmanager.googleapis.com - - essentialcontacts.googleapis.com - - serviceconsumermanagement.googleapis.com + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: + - roles/owner + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - billingbudgets.googleapis.com + - 
pubsub.googleapis.com + - accesscontextmanager.googleapis.com + - essentialcontacts.googleapis.com + - serviceconsumermanagement.googleapis.com diff --git a/modules/gsuite_enabled/metadata.yaml b/modules/gsuite_enabled/metadata.yaml index 34e8ca64..2f7711ae 100644 --- a/modules/gsuite_enabled/metadata.yaml +++ b/modules/gsuite_enabled/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
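Review bot: `extra_bindings_members` and `extra_bindings_roles` are two parallel lists paired by position, but the new descriptions only hint at it (`one item per role`, `pair with members list below`, while the members list actually appears above in this ordering) and nothing says the lists must be the same length; since a length mismatch presumably either fails at plan time or binds the wrong members (the module code is not in this hunk, so confirm which), the description should be explicit, e.g. `description: List of roles for additional IAM bindings; index i is bound to the members at index i of extra_bindings_members, so both lists must have the same length.` `owners`, `editors` and `viewers` set basic roles on the project and `gce_service_account_roles` grants roles to the default Compute service account; a one-line caveat on each recommending group principals and narrowly scoped roles over individual users would match least-privilege guidance. `info.description: {}` is an empty placeholder on the new side; fill it in or drop the key rather than advertise a description the module does not have.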
@@ -15,299 +15,274 @@ apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: - name: terraform-google-project-factory + name: terraform-google-project-factory-gsuite-enabled annotations: config.kubernetes.io/local-config: "true" spec: - title: Google Cloud Project Factory with G Suite Terraform Module - source: - repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git - sourceType: git - version: 15.0.1 - actuationTool: - type: Terraform - version: '>= 0.13' - examples: - - name: app_engine - location: examples/app_engine - - name: budget_project - location: examples/budget_project - - name: essential_contacts - location: examples/essential_contacts - - name: fabric_project - location: examples/fabric_project - - name: gke_shared_vpc - location: examples/gke_shared_vpc - - name: group_project - location: examples/group_project - - name: project-hierarchy - location: examples/project-hierarchy - - name: project_services - location: examples/project_services - - name: quota_project - location: examples/quota_project - - name: shared_vpc - location: examples/shared_vpc - - name: simple_project - location: examples/simple_project - variables: - - name: activate_apis - description: The list of apis to activate within the project - type: list(string) - default: - - compute.googleapis.com - required: false - - name: api_sa_group - description: A G Suite group to place the Google APIs Service Account for the project in - type: string - default: "" - required: false - - name: auto_create_network - description: Create the default network - type: bool - default: false - required: false - - name: billing_account - description: The ID of the billing account to associate this project with - type: string - required: true - - name: bucket_location - description: The location for a GCS bucket to create (optional) - type: string - default: "" - required: false - - name: bucket_name - description: A name for a GCS bucket to 
create (in the bucket_project project), useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_project - description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) - type: string - default: "" - required: false - - name: bucket_versioning - description: Enable versioning for a GCS bucket to create (optional) - type: bool - default: false - required: false - - name: budget_alert_pubsub_topic - description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` - type: string - required: false - - name: budget_alert_spent_percents - description: A list of percentages of the budget to alert on when threshold is exceeded - type: list(number) - default: - - 0.5 - - 0.7 - - 1 - required: false - - name: budget_amount - description: The amount to use for a budget alert - type: number - required: false - - name: budget_monitoring_notification_channels - description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. - type: list(string) - default: [] - required: false - - name: consumer_quotas - description: The quotas configuration you want to override for the project. - type: |- - list(object({ - service = string, - metric = string, - dimensions = any, - limit = string, - value = string, - })) - default: [] - required: false - - name: create_group - description: Whether to create the group or not - type: bool - default: false - required: false - - name: create_project_sa - description: Whether the default service account for the project shall be created - type: bool - default: true - required: false - - name: default_network_tier - description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. 
See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. - type: string - default: "" - required: false - - name: default_service_account - description: 'Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`.' - type: string - default: disable - required: false - - name: disable_dependent_services - description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. - type: bool - default: true - required: false - - name: disable_services_on_destroy - description: Whether project services will be disabled when the resources are destroyed - type: bool - default: true - required: false - - name: domain - description: The domain name (optional). - type: string - default: "" - required: false - - name: enable_shared_vpc_host_project - description: If this project is a shared VPC host project. If true, you must *not* set shared_vpc variable. Default is false. 
- type: bool - default: false - required: false - - name: enable_shared_vpc_service_project - description: If shared VPC should be used - type: bool - default: false - required: false - - name: folder_id - description: The ID of a folder to host this project - type: string - default: "" - required: false - - name: group_name - description: A group to control the project by being assigned group_role - defaults to ${project_name}-editors - type: string - default: "" - required: false - - name: group_role - description: The role to give the controlling group (group_name) over the project (defaults to project editor) - type: string - default: roles/editor - required: false - - name: labels - description: Map of labels for project - type: map(string) - default: {} - required: false - - name: lien - description: Add a lien on the project to prevent accidental deletion - type: bool - default: false - required: false - - name: name - description: The name for the project - type: string - required: true - - name: org_id - description: The organization ID. - type: string - required: true - - name: project_id - description: The ID to give the project. If not provided, the `name` will be used. - type: string - default: "" - required: false - - name: project_sa_name - description: Default service account name for the project. 
- type: string - default: project-service-account - required: false - - name: random_project_id - description: Adds a suffix of 4 random characters to the `project_id` - type: bool - default: false - required: false - - name: sa_group - description: A G Suite group to place the default Service Account for the project in - type: string - default: "" - required: false - - name: sa_role - description: A role to give the default Service Account for the project (defaults to none) - type: string - default: "" - required: false - - name: shared_vpc - description: The ID of the host project which hosts the shared VPC - type: string - default: "" - required: false - - name: shared_vpc_subnets - description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) - type: list(string) - default: [] - required: false - - name: usage_bucket_name - description: Name of a GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - - name: usage_bucket_prefix - description: Prefix in the GCS bucket to store GCE usage reports in (optional) - type: string - default: "" - required: false - outputs: - - name: domain - description: The organization's domain - - name: group_email - description: The email of the created G Suite group with group_name - - name: group_name - description: The group_name of the G Suite group - - name: project_bucket_self_link - description: Project's bucket selfLink - - name: project_bucket_url - description: Project's bucket url - - name: project_id - description: ID of the project - - name: project_name - description: Name of the project - - name: project_number - description: Numeric identifier for the project - - name: service_account_display_name - description: The display name of the default service account - - name: service_account_email - description: The email of the default service account - - name: service_account_id - description: The id of the default 
service account - - name: service_account_name - description: The fully-qualified name of the default service account - - name: service_account_unique_id - description: The unique id of the default service account - roles: - - level: Project + info: + title: Google Cloud Project Factory with G Suite Terraform Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git + sourceType: git + dir: /modules/gsuite_enabled + version: 15.0.1 + actuationTool: + flavor: Terraform + version: ">= 0.13" + description: {} + content: + examples: + - name: app_engine + location: examples/app_engine + - name: budget_project + location: examples/budget_project + - name: essential_contacts + location: examples/essential_contacts + - name: fabric_project + location: examples/fabric_project + - name: gke_shared_vpc + location: examples/gke_shared_vpc + - name: group_project + location: examples/group_project + - name: project-hierarchy + location: examples/project-hierarchy + - name: project_services + location: examples/project_services + - name: quota_project + location: examples/quota_project + - name: shared_vpc + location: examples/shared_vpc + - name: simple_project + location: examples/simple_project + - name: tags_project + location: examples/tags_project + interfaces: + variables: + - name: activate_apis + description: The list of apis to activate within the project + varType: list(string) + defaultValue: + - compute.googleapis.com + - name: api_sa_group + description: A G Suite group to place the Google APIs Service Account for the project in + varType: string + defaultValue: "" + - name: auto_create_network + description: Create the default network + varType: bool + defaultValue: false + - name: billing_account + description: The ID of the billing account to associate this project with + varType: string + required: true + - name: bucket_location + description: The location for a GCS bucket to create (optional) + varType: string + 
defaultValue: "" + - name: bucket_name + description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_project + description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) + varType: string + defaultValue: "" + - name: bucket_versioning + description: Enable versioning for a GCS bucket to create (optional) + varType: bool + defaultValue: false + - name: budget_alert_pubsub_topic + description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` + varType: string + - name: budget_alert_spent_percents + description: A list of percentages of the budget to alert on when threshold is exceeded + varType: list(number) + defaultValue: + - 0.5 + - 0.7 + - 1 + - name: budget_amount + description: The amount to use for a budget alert + varType: number + - name: budget_monitoring_notification_channels + description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. + varType: list(string) + defaultValue: [] + - name: consumer_quotas + description: The quotas configuration you want to override for the project. + varType: |- + list(object({ + service = string, + metric = string, + dimensions = any, + limit = string, + value = string, + })) + defaultValue: [] + - name: create_group + description: Whether to create the group or not + varType: bool + defaultValue: false + - name: create_project_sa + description: Whether the default service account for the project shall be created + varType: bool + defaultValue: true + - name: default_network_tier + description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. 
See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. + varType: string + defaultValue: "" + - name: default_service_account + description: "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`." + varType: string + defaultValue: disable + - name: disable_dependent_services + description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. + varType: bool + defaultValue: true + - name: disable_services_on_destroy + description: Whether project services will be disabled when the resources are destroyed + varType: bool + defaultValue: true + - name: domain + description: The domain name (optional). + varType: string + defaultValue: "" + - name: enable_shared_vpc_host_project + description: If this project is a shared VPC host project. If true, you must *not* set shared_vpc variable. Default is false. + varType: bool + defaultValue: false + - name: enable_shared_vpc_service_project + description: If shared VPC should be used + varType: bool + defaultValue: false + - name: folder_id + description: The ID of a folder to host this project + varType: string + defaultValue: "" + - name: group_name + description: A group to control the project by being assigned group_role - defaults to ${project_name}-editors + varType: string + defaultValue: "" + - name: group_role + description: The role to give the controlling group (group_name) over the project (defaults to project editor) + varType: string + defaultValue: roles/editor + - name: labels + description: Map of labels for project + varType: map(string) + defaultValue: {} + - name: lien + description: Add a lien on the project to prevent accidental deletion + varType: bool + defaultValue: false + - name: name + description: The name for the project + varType: string + required: true + - name: org_id + description: The organization ID. 
+ varType: string
+ required: true
+ - name: project_id
+ description: The ID to give the project. If not provided, the `name` will be used.
+ varType: string
+ defaultValue: ""
+ - name: project_sa_name
+ description: Default service account name for the project.
+ varType: string
+ defaultValue: project-service-account
+ - name: random_project_id
+ description: Adds a suffix of 4 random characters to the `project_id`
+ varType: bool
+ defaultValue: false
+ - name: sa_group
+ description: A G Suite group to place the default Service Account for the project in
+ varType: string
+ defaultValue: ""
+ - name: sa_role
+ description: A role to give the default Service Account for the project (defaults to none)
+ varType: string
+ defaultValue: ""
+ - name: shared_vpc
+ description: The ID of the host project which hosts the shared VPC
+ varType: string
+ defaultValue: ""
+ - name: shared_vpc_subnets
+ description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)
+ varType: list(string)
+ defaultValue: []
+ - name: usage_bucket_name
+ description: Name of a GCS bucket to store GCE usage reports in (optional)
+ varType: string
+ defaultValue: ""
+ - name: usage_bucket_prefix
+ description: Prefix in the GCS bucket to store GCE usage reports in (optional)
+ varType: string
+ defaultValue: ""
+ outputs:
+ - name: domain
+ description: The organization's domain
+ - name: group_email
+ description: The email of the created G Suite group with group_name
+ - name: group_name
+ description: The group_name of the G Suite group
+ - name: project_bucket_self_link
+ description: Project's bucket selfLink
+ - name: project_bucket_url
+ description: Project's bucket url
+ - name: project_id
+ description: ID of the project
+ - name: project_name
+ description: Name of the project
+ - name: project_number
+ description: Numeric identifier for the project
+ - name: service_account_display_name
+ description: The display name of the default service account
+ - name: service_account_email
+ description: The email of the default service account
+ - name: service_account_id
+ description: The id of the default service account
+ - name: service_account_name
+ description: The fully-qualified name of the default service account
+ - name: service_account_unique_id
+ description: The unique id of the default service account
+ requirements:
 roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/resourcemanager.organizationViewer
- - level: Project
- roles:
- - roles/owner
- - roles/compute.admin
- - roles/iam.serviceAccountAdmin
- - roles/resourcemanager.projectIamAdmin
- - roles/storage.admin
- - roles/iam.serviceAccountUser
- - roles/billing.projectManager
- - level: Project
- roles:
- - roles/owner
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.folderIamAdmin
- - roles/billing.projectManager
- - roles/compute.xpnAdmin
- services:
- - admin.googleapis.com
- - appengine.googleapis.com
- - cloudbilling.googleapis.com
- - cloudresourcemanager.googleapis.com
- - compute.googleapis.com
- - iam.googleapis.com
- - iamcredentials.googleapis.com
- - oslogin.googleapis.com
- - serviceusage.googleapis.com
- - billingbudgets.googleapis.com
- - pubsub.googleapis.com
- - accesscontextmanager.googleapis.com
- - essentialcontacts.googleapis.com
- - serviceconsumermanagement.googleapis.com
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ - pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
diff --git a/modules/gsuite_group/README.md b/modules/gsuite_group/README.md
new file mode 100644
index 00000000..36ac4e1d
--- /dev/null
+++ b/modules/gsuite_group/README.md
@@ -0,0 +1,21 @@
+# Gsuite Group
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| domain | The domain name | `string` | `""` | no |
+| name | The name of the group. | `string` | `""` | no |
+| org\_id | The organization ID. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| domain | The domain of the group's organization. |
+| email | The email address of the group. |
+| name | The username portion of the email address of the group. |
+
+
diff --git a/modules/gsuite_group/metadata.yaml b/modules/gsuite_group/metadata.yaml
new file mode 100644
index 00000000..6491c8a8
--- /dev/null
+++ b/modules/gsuite_group/metadata.yaml
@@ -0,0 +1,117 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-project-factory-gsuite-group
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Gsuite Group
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
+ sourceType: git
+ dir: /modules/gsuite_group
+ actuationTool:
+ flavor: Terraform
+ version: ">= 0.13"
+ description: {}
+ content:
+ examples:
+ - name: app_engine
+ location: examples/app_engine
+ - name: budget_project
+ location: examples/budget_project
+ - name: essential_contacts
+ location: examples/essential_contacts
+ - name: fabric_project
+ location: examples/fabric_project
+ - name: gke_shared_vpc
+ location: examples/gke_shared_vpc
+ - name: group_project
+ location: examples/group_project
+ - name: project-hierarchy
+ location: examples/project-hierarchy
+ - name: project_services
+ location: examples/project_services
+ - name: quota_project
+ location: examples/quota_project
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_project
+ location: examples/simple_project
+ - name: tags_project
+ location: examples/tags_project
+ interfaces:
+ variables:
+ - name: domain
+ description: The domain name
+ varType: string
+ defaultValue: ""
+ - name: name
+ description: The name of the group.
+ varType: string
+ defaultValue: ""
+ - name: org_id
+ description: The organization ID.
+ varType: string
+ outputs:
+ - name: domain
+ description: The domain of the group's organization.
+ - name: email
+ description: The email address of the group.
+ - name: name
+ description: The username portion of the email address of the group.
+ requirements:
+ roles:
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ - pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
diff --git a/modules/project_services/metadata.yaml b/modules/project_services/metadata.yaml
index 7ebce20d..1b342c5e 100644
--- a/modules/project_services/metadata.yaml
+++ b/modules/project_services/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
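Review bot: The `requirements.roles` block of this new file grants `roles/owner`, `roles/resourcemanager.projectCreator`, `roles/resourcemanager.folderAdmin` and the two tag roles to a module whose interface is only `domain`, `name` and `org_id`; this looks copied from the root module rather than derived from what the group module's own resources need, and `content.examples` likewise lists all twelve root examples although only `group_project` appears to relate to this module. If these sections are generated, point the generator at the module's own example and requirements; if hand-maintained, trimming the roles to what the module actually uses keeps the documented CI/test footprint at least privilege. The `org_id` variable carries neither `defaultValue` nor `required: true`, while the README beside it shows a default of `null`; if the module cannot run without it, add `required: true` to that entry.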
@@ -15,120 +15,121 @@
 apiVersion: blueprints.cloud.google.com/v1alpha1
 kind: BlueprintMetadata
 metadata:
- name: terraform-google-project-factory
+ name: terraform-google-project-factory-project-services
 annotations:
 config.kubernetes.io/local-config: "true"
 spec:
- title: Project API Activation
- source:
- repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
- sourceType: git
- version: 15.0.1
- actuationTool:
- type: Terraform
- version: '>= 0.13'
- examples:
- - name: app_engine
- location: examples/app_engine
- - name: budget_project
- location: examples/budget_project
- - name: essential_contacts
- location: examples/essential_contacts
- - name: fabric_project
- location: examples/fabric_project
- - name: gke_shared_vpc
- location: examples/gke_shared_vpc
- - name: group_project
- location: examples/group_project
- - name: project-hierarchy
- location: examples/project-hierarchy
- - name: project_services
- location: examples/project_services
- - name: quota_project
- location: examples/quota_project
- - name: shared_vpc
- location: examples/shared_vpc
- - name: simple_project
- location: examples/simple_project
- variables:
- - name: activate_api_identities
- description: |2
- The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).
- APIs in this list will automatically be appended to `activate_apis`.
- Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).
- Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.
- type: |-
- list(object({
- api = string
- roles = list(string)
- }))
- default: []
- required: false
- - name: activate_apis
- description: The list of apis to activate within the project
- type: list(string)
- default: []
- required: false
- - name: disable_dependent_services
- description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_dependent_services
- type: bool
- default: true
- required: false
- - name: disable_services_on_destroy
- description: Whether project services will be disabled when the resources are destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_on_destroy
- type: bool
- default: true
- required: false
- - name: enable_apis
- description: Whether to actually enable the APIs. If false, this module is a no-op.
- type: bool
- default: true
- required: false
- - name: project_id
- description: The GCP project you want to enable APIs on
- type: string
- required: true
- outputs:
- - name: enabled_api_identities
- description: Enabled API identities in the project
- - name: enabled_apis
- description: Enabled APIs in the project
- - name: project_id
- description: The GCP project you want to enable APIs on
- roles:
- - level: Project
+ info:
+ title: Project API Activation
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
+ sourceType: git
+ dir: /modules/project_services
+ version: 15.0.1
+ actuationTool:
+ flavor: Terraform
+ version: ">= 0.13"
+ description: {}
+ content:
+ examples:
+ - name: app_engine
+ location: examples/app_engine
+ - name: budget_project
+ location: examples/budget_project
+ - name: essential_contacts
+ location: examples/essential_contacts
+ - name: fabric_project
+ location: examples/fabric_project
+ - name: gke_shared_vpc
+ location: examples/gke_shared_vpc
+ - name: group_project
+ location: examples/group_project
+ - name: project-hierarchy
+ location: examples/project-hierarchy
+ - name: project_services
+ location: examples/project_services
+ - name: quota_project
+ location: examples/quota_project
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_project
+ location: examples/simple_project
+ - name: tags_project
+ location: examples/tags_project
+ interfaces:
+ variables:
+ - name: activate_api_identities
+ description: " The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).\n APIs in this list will automatically be appended to `activate_apis`.\n Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).\n Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.\n"
+ varType: |-
+ list(object({
+ api = string
+ roles = list(string)
+ }))
+ defaultValue: []
+ - name: activate_apis
+ description: The list of apis to activate within the project
+ varType: list(string)
+ defaultValue: []
+ - name: disable_dependent_services
+ description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_dependent_services
+ varType: bool
+ defaultValue: true
+ - name: disable_services_on_destroy
+ description: Whether project services will be disabled when the resources are destroyed. https://www.terraform.io/docs/providers/google/r/google_project_service.html#disable_on_destroy
+ varType: bool
+ defaultValue: true
+ - name: enable_apis
+ description: Whether to actually enable the APIs. If false, this module is a no-op.
+ varType: bool
+ defaultValue: true
+ - name: project_id
+ description: The GCP project you want to enable APIs on
+ varType: string
+ required: true
+ outputs:
+ - name: enabled_api_identities
+ description: Enabled API identities in the project
+ - name: enabled_apis
+ description: Enabled APIs in the project
+ - name: project_id
+ description: The GCP project you want to enable APIs on
+ requirements:
 roles:
- - roles/owner
- - roles/compute.admin
- - roles/iam.serviceAccountAdmin
- - roles/resourcemanager.projectIamAdmin
- - roles/storage.admin
- - roles/iam.serviceAccountUser
- - roles/billing.projectManager
- - level: Project
- roles:
- - roles/owner
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.folderIamAdmin
- - roles/billing.projectManager
- - roles/compute.xpnAdmin
- - level: Project
- roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/resourcemanager.organizationViewer
- services:
- - admin.googleapis.com
- - appengine.googleapis.com
- - cloudbilling.googleapis.com
- - cloudresourcemanager.googleapis.com
- - compute.googleapis.com
- - iam.googleapis.com
- - iamcredentials.googleapis.com
- - oslogin.googleapis.com
- - serviceusage.googleapis.com
- - billingbudgets.googleapis.com
- - pubsub.googleapis.com
- - accesscontextmanager.googleapis.com
- - essentialcontacts.googleapis.com
- - serviceconsumermanagement.googleapis.com
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ - pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
diff --git a/modules/quota_manager/metadata.yaml b/modules/quota_manager/metadata.yaml
index 9f557c61..eaea2b99 100644
--- a/modules/quota_manager/metadata.yaml
+++ b/modules/quota_manager/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
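Review bot: The `activate_api_identities` description under `interfaces.variables` has become a double-quoted scalar with embedded `\n` and a leading space before every sentence, which keeps the stray indentation of the old `|2` block inside the value and is hard to read in review; writing it as `description: |-` followed by the same four sentences, one per line, yields the identical text without escapes or leading spaces. Separately, the three `requirements.roles` groups here are the same set as in the gsuite_group, quota_manager and shared_vpc_access sections of this commit but appear in a different order in each file, which suggests they are emitted from an unordered collection; sorting the groups (and the roles within them) before writing would let these files diff cleanly across modules.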
@@ -15,93 +15,103 @@
 apiVersion: blueprints.cloud.google.com/v1alpha1
 kind: BlueprintMetadata
 metadata:
- name: terraform-google-project-factory
+ name: terraform-google-project-factory-quota-manager
 annotations:
 config.kubernetes.io/local-config: "true"
 spec:
- title: Consumer quota override for a project
- source:
- repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
- sourceType: git
- actuationTool:
- type: Terraform
- version: '>= 0.13'
- examples:
- - name: app_engine
- location: examples/app_engine
- - name: budget_project
- location: examples/budget_project
- - name: essential_contacts
- location: examples/essential_contacts
- - name: fabric_project
- location: examples/fabric_project
- - name: gke_shared_vpc
- location: examples/gke_shared_vpc
- - name: group_project
- location: examples/group_project
- - name: project-hierarchy
- location: examples/project-hierarchy
- - name: project_services
- location: examples/project_services
- - name: quota_project
- location: examples/quota_project
- - name: shared_vpc
- location: examples/shared_vpc
- - name: simple_project
- location: examples/simple_project
- variables:
- - name: consumer_quotas
- description: The quotas configuration you want to override for the project.
- type: |-
- list(object({
- service = string,
- metric = string,
- dimensions = map(string),
- limit = string,
- value = string,
- }))
- required: true
- - name: project_id
- description: The GCP project where you want to manage the consumer quotas
- type: string
- required: true
- outputs:
- - name: quota_overrides
- description: The server-generated names of the quota override.
- roles:
- - level: Project
+ info:
+ title: Consumer quota override for a project
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
+ sourceType: git
+ dir: /modules/quota_manager
+ actuationTool:
+ flavor: Terraform
+ version: ">= 0.13"
+ description: {}
+ content:
+ examples:
+ - name: app_engine
+ location: examples/app_engine
+ - name: budget_project
+ location: examples/budget_project
+ - name: essential_contacts
+ location: examples/essential_contacts
+ - name: fabric_project
+ location: examples/fabric_project
+ - name: gke_shared_vpc
+ location: examples/gke_shared_vpc
+ - name: group_project
+ location: examples/group_project
+ - name: project-hierarchy
+ location: examples/project-hierarchy
+ - name: project_services
+ location: examples/project_services
+ - name: quota_project
+ location: examples/quota_project
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_project
+ location: examples/simple_project
+ - name: tags_project
+ location: examples/tags_project
+ interfaces:
+ variables:
+ - name: consumer_quotas
+ description: The quotas configuration you want to override for the project.
+ varType: |-
+ list(object({
+ service = string,
+ metric = string,
+ dimensions = map(string),
+ limit = string,
+ value = string,
+ }))
+ required: true
+ - name: project_id
+ description: The GCP project where you want to manage the consumer quotas
+ varType: string
+ required: true
+ outputs:
+ - name: quota_overrides
+ description: The server-generated names of the quota override.
+ requirements:
 roles:
- - roles/owner
- - roles/compute.admin
- - roles/iam.serviceAccountAdmin
- - roles/resourcemanager.projectIamAdmin
- - roles/storage.admin
- - roles/iam.serviceAccountUser
- - roles/billing.projectManager
- - level: Project
- roles:
- - roles/owner
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.folderIamAdmin
- - roles/billing.projectManager
- - roles/compute.xpnAdmin
- - level: Project
- roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/resourcemanager.organizationViewer
- services:
- - admin.googleapis.com
- - appengine.googleapis.com
- - cloudbilling.googleapis.com
- - cloudresourcemanager.googleapis.com
- - compute.googleapis.com
- - iam.googleapis.com
- - iamcredentials.googleapis.com
- - oslogin.googleapis.com
- - serviceusage.googleapis.com
- - billingbudgets.googleapis.com
- - pubsub.googleapis.com
- - accesscontextmanager.googleapis.com
- - essentialcontacts.googleapis.com
- - serviceconsumermanagement.googleapis.com
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ - pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
diff --git a/modules/shared_vpc_access/metadata.yaml b/modules/shared_vpc_access/metadata.yaml
index 2ae8606c..b62a922e 100644
--- a/modules/shared_vpc_access/metadata.yaml
+++ b/modules/shared_vpc_access/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
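Review bot: `source` in this section carries no `version` entry, while the project_services and shared_vpc_access sections in the same commit have `version: 15.0.1` under `source`; the old file lacked it too, so this may be deliberate, but if the field is meant to be uniform across submodules, add `version: 15.0.1` here. The `requirements.roles` groups also list `roles/owner` at project level for a module whose only variables are `consumer_quotas` and `project_id`; if these requirements drive a CI or test service account, documenting the narrower role set the quota-override resources actually need would keep that account at least privilege.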
@@ -15,122 +15,130 @@
 apiVersion: blueprints.cloud.google.com/v1alpha1
 kind: BlueprintMetadata
 metadata:
- name: terraform-google-project-factory
+ name: terraform-google-project-factory-shared-vpc-access
 annotations:
 config.kubernetes.io/local-config: "true"
 spec:
- title: Shared VPC Access
- source:
- repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
- sourceType: git
- version: 15.0.1
- actuationTool:
- type: Terraform
- version: '>= 0.13'
- examples:
- - name: app_engine
- location: examples/app_engine
- - name: budget_project
- location: examples/budget_project
- - name: essential_contacts
- location: examples/essential_contacts
- - name: fabric_project
- location: examples/fabric_project
- - name: gke_shared_vpc
- location: examples/gke_shared_vpc
- - name: group_project
- location: examples/group_project
- - name: project-hierarchy
- location: examples/project-hierarchy
- - name: project_services
- location: examples/project_services
- - name: quota_project
- location: examples/quota_project
- - name: shared_vpc
- location: examples/shared_vpc
- - name: simple_project
- location: examples/simple_project
- variables:
- - name: active_apis
- description: The list of active apis on the service project. If api is not active this module will not try to activate it
- type: list(string)
- default: []
- required: false
- - name: enable_shared_vpc_service_project
- description: Flag set if SVPC enabled
- type: bool
- required: true
- - name: grant_network_role
- description: Whether or not to grant service agents the network roles on the host project
- type: bool
- default: true
- required: false
- - name: grant_services_security_admin_role
- description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules
- type: bool
- default: false
- required: false
- - name: host_project_id
- description: The ID of the host project which hosts the shared VPC
- type: string
- required: true
- - name: lookup_project_numbers
- description: Whether to look up the project numbers from data sources. If false, `service_project_number` will be used instead.
- type: bool
- default: true
- required: false
- - name: service_project_id
- description: The ID of the service project
- type: string
- required: true
- - name: service_project_number
- description: Project number of the service project. Will be used if `lookup_service_project_number` is false.
- type: string
- required: false
- - name: shared_vpc_subnets
- description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)
- type: list(string)
- default: []
- required: false
- outputs:
- - name: active_api_service_accounts
- description: List of active API service accounts in the service project.
- - name: project_id
- description: Service project ID.
- roles:
- - level: Project
+ info:
+ title: Shared VPC Access
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
+ sourceType: git
+ dir: /modules/shared_vpc_access
+ version: 15.0.1
+ actuationTool:
+ flavor: Terraform
+ version: ">= 0.13"
+ description: {}
+ content:
+ examples:
+ - name: app_engine
+ location: examples/app_engine
+ - name: budget_project
+ location: examples/budget_project
+ - name: essential_contacts
+ location: examples/essential_contacts
+ - name: fabric_project
+ location: examples/fabric_project
+ - name: gke_shared_vpc
+ location: examples/gke_shared_vpc
+ - name: group_project
+ location: examples/group_project
+ - name: project-hierarchy
+ location: examples/project-hierarchy
+ - name: project_services
+ location: examples/project_services
+ - name: quota_project
+ location: examples/quota_project
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_project
+ location: examples/simple_project
+ - name: tags_project
+ location: examples/tags_project
+ interfaces:
+ variables:
+ - name: active_apis
+ description: The list of active apis on the service project. If api is not active this module will not try to activate it
+ varType: list(string)
+ defaultValue: []
+ - name: enable_shared_vpc_service_project
+ description: Flag set if SVPC enabled
+ varType: bool
+ required: true
+ - name: grant_network_role
+ description: Whether or not to grant service agents the network roles on the host project
+ varType: bool
+ defaultValue: true
+ - name: grant_services_network_admin_role
+ description: Whether or not to grant Datastream Service acount the Network Admin role on the host project so it can manage firewall rules
+ varType: bool
+ defaultValue: false
+ - name: grant_services_security_admin_role
+ description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules
+ varType: bool
+ defaultValue: false
+ - name: host_project_id
+ description: The ID of the host project which hosts the shared VPC
+ varType: string
+ required: true
+ - name: lookup_project_numbers
+ description: Whether to look up the project numbers from data sources. If false, `service_project_number` will be used instead.
+ varType: bool
+ defaultValue: true
+ - name: service_project_id
+ description: The ID of the service project
+ varType: string
+ required: true
+ - name: service_project_number
+ description: Project number of the service project. Will be used if `lookup_service_project_number` is false.
+ varType: string
+ - name: shared_vpc_subnets
+ description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)
+ varType: list(string)
+ defaultValue: []
+ outputs:
+ - name: active_api_service_accounts
+ description: List of active API service accounts in the service project.
+ - name: project_id
+ description: Service project ID.
+ requirements:
 roles:
- - roles/owner
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.folderIamAdmin
- - roles/billing.projectManager
- - roles/compute.xpnAdmin
- - level: Project
- roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/resourcemanager.organizationViewer
- - level: Project
- roles:
- - roles/owner
- - roles/compute.admin
- - roles/iam.serviceAccountAdmin
- - roles/resourcemanager.projectIamAdmin
- - roles/storage.admin
- - roles/iam.serviceAccountUser
- - roles/billing.projectManager
- services:
- - admin.googleapis.com
- - appengine.googleapis.com
- - cloudbilling.googleapis.com
- - cloudresourcemanager.googleapis.com
- - compute.googleapis.com
- - iam.googleapis.com
- - iamcredentials.googleapis.com
- - oslogin.googleapis.com
- - serviceusage.googleapis.com
- - billingbudgets.googleapis.com
- - pubsub.googleapis.com
- - accesscontextmanager.googleapis.com
- - essentialcontacts.googleapis.com
- - serviceconsumermanagement.googleapis.com
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ - pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
diff --git a/modules/svpc_service_project/metadata.yaml b/modules/svpc_service_project/metadata.yaml
index 8e1c0e96..9c235c89 100644
--- a/modules/svpc_service_project/metadata.yaml
+++ b/modules/svpc_service_project/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
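Review bot: The description of the new `grant_services_network_admin_role` variable has a typo (`acount` → `account`) and says the Network Admin role is granted "so it can manage firewall rules"; if the role the module grants is `roles/compute.networkAdmin`, Google's documentation of that role excludes firewall rules, so the text should be checked against the module code (not in this hunk) and state only what the grant actually allows, e.g. `description: Whether or not to grant the Datastream service account the Network Admin role on the host project`. The `service_project_number` description still refers to `lookup_service_project_number`, but the variable defined two entries earlier is `lookup_project_numbers`; change it to `Will be used if \`lookup_project_numbers\` is false.` so the cross-reference resolves.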
@@ -15,283 +15,257 @@
 apiVersion: blueprints.cloud.google.com/v1alpha1
 kind: BlueprintMetadata
 metadata:
- name: terraform-google-project-factory
+ name: terraform-google-project-factory-svpc-service-project
 annotations:
 config.kubernetes.io/local-config: "true"
 spec:
- title: Shared VPC
- source:
- repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
- sourceType: git
- version: 15.0.1
- actuationTool:
- type: Terraform
- version: '>=0.13.0'
- examples:
- - name: app_engine
- location: examples/app_engine
- - name: budget_project
- location: examples/budget_project
- - name: essential_contacts
- location: examples/essential_contacts
- - name: fabric_project
- location: examples/fabric_project
- - name: gke_shared_vpc
- location: examples/gke_shared_vpc
- - name: group_project
- location: examples/group_project
- - name: project-hierarchy
- location: examples/project-hierarchy
- - name: project_services
- location: examples/project_services
- - name: quota_project
- location: examples/quota_project
- - name: shared_vpc
- location: examples/shared_vpc
- - name: simple_project
- location: examples/simple_project
- variables:
- - name: activate_api_identities
- description: |2
- The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).
- APIs in this list will automatically be appended to `activate_apis`.
- Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).
- Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.
- type: |-
- list(object({
- api = string
- roles = list(string)
- }))
- default: []
- required: false
- - name: activate_apis
- description: The list of apis to activate within the project
- type: list(string)
- default:
- - compute.googleapis.com
- required: false
- - name: auto_create_network
- description: Create the default network
- type: bool
- default: false
- required: false
- - name: billing_account
- description: The ID of the billing account to associate this project with
- type: string
- required: true
- - name: bucket_location
- description: The location for a GCS bucket to create (optional)
- type: string
- default: US
- required: false
- - name: bucket_name
- description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional)
- type: string
- default: ""
- required: false
- - name: bucket_project
- description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional)
- type: string
- default: ""
- required: false
- - name: bucket_versioning
- description: Enable versioning for a GCS bucket to create (optional)
- type: bool
- default: false
- required: false
- - name: budget_alert_pubsub_topic
- description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`
- type: string
- required: false
- - name: budget_alert_spent_percents
- description: A list of percentages of the budget to alert on when threshold is exceeded
- type: list(number)
- default:
- - 0.5
- - 0.7
- - 1
- required: false
- - name: budget_amount
- description: The amount to use for a budget alert
- type: number
- required: false
- - name: budget_monitoring_notification_channels
- description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed.
- type: list(string)
- default: []
- required: false
- - name: create_project_sa
- description: Whether the default service account for the project shall be created
- type: bool
- default: true
- required: false
- - name: default_network_tier
- description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers.
- type: string
- default: ""
- required: false
- - name: default_service_account
- description: 'Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`.'
- type: string
- default: disable
- required: false
- - name: disable_dependent_services
- description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed.
- type: bool
- default: true
- required: false
- - name: disable_services_on_destroy
- description: Whether project services will be disabled when the resources are destroyed
- type: bool
- default: true
- required: false
- - name: domain
- description: The domain name (optional).
- type: string
- default: ""
- required: false
- - name: folder_id
- description: The ID of a folder to host this project
- type: string
- default: ""
- required: false
- - name: grant_network_role
- description: Whether or not to grant service agents the network roles on the host project
- type: bool
- default: true
- required: false
- - name: grant_services_security_admin_role
- description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules
- type: bool
- default: false
- required: false
- - name: group_name
- description: A group to control the project by being assigned group_role (defaults to project editor)
- type: string
- default: ""
- required: false
- - name: group_role
- description: The role to give the controlling group (group_name) over the project (defaults to project editor)
- type: string
- default: roles/editor
- required: false
- - name: labels
- description: Map of labels for project
- type: map(string)
- default: {}
- required: false
- - name: lien
- description: Add a lien on the project to prevent accidental deletion
- type: bool
- default: false
- required: false
- - name: name
- description: The name for the project
- type: string
- required: true
- - name: org_id
- description: The organization ID.
- type: string
- required: true
- - name: project_id
- description: The ID to give the project. If not provided, the `name` will be used.
- type: string
- default: ""
- required: false
- - name: project_sa_name
- description: Default service account name for the project.
- type: string
- default: project-service-account
- required: false
- - name: random_project_id
- description: Adds a suffix of 4 random characters to the `project_id`
- type: bool
- default: false
- required: false
- - name: sa_role
- description: A role to give the default Service Account for the project (defaults to none)
- type: string
- default: ""
- required: false
- - name: shared_vpc
- description: The ID of the host project which hosts the shared VPC
- type: string
- default: ""
- required: false
- - name: shared_vpc_subnets
- description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)
- type: list(string)
- default: []
- required: false
- - name: usage_bucket_name
- description: Name of a GCS bucket to store GCE usage reports in (optional)
- type: string
- default: ""
- required: false
- - name: usage_bucket_prefix
- description: Prefix in the GCS bucket to store GCE usage reports in (optional)
- type: string
- default: ""
- required: false
- outputs:
- - name: domain
- description: The organization's domain
- - name: group_email
- description: The email of the G Suite group with group_name
- - name: project_bucket_self_link
- description: Project's bucket selfLink
- - name: project_bucket_url
- description: Project's bucket url
- - name: project_id
- description: If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true.
- - name: project_name
- description: The name for the project
- - name: project_number
- description: The number for the project
- - name: service_account_display_name
- description: The display name of the default service account
- - name: service_account_email
- description: The email of the default service account
- - name: service_account_id
- description: The id of the default service account
- - name: service_account_name
- description: The fully-qualified name of the default service account
- - name: service_account_unique_id
- description: The unique id of the default service account
- roles:
- - level: Project
+ info:
+ title: Shared VPC
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
+ sourceType: git
+ dir: /modules/svpc_service_project
+ version: 15.0.1
+ actuationTool:
+ flavor: Terraform
+ version: ">=0.13.0"
+ description: {}
+ content:
+ examples:
+ - name: app_engine
+ location: examples/app_engine
+ - name: budget_project
+ location: examples/budget_project
+ - name: essential_contacts
+ location: examples/essential_contacts
+ - name: fabric_project
+ location: examples/fabric_project
+ - name: gke_shared_vpc
+ location: examples/gke_shared_vpc
+ - name: group_project
+ location: examples/group_project
+ - name: project-hierarchy
+ location: examples/project-hierarchy
+ - name: project_services
+ location: examples/project_services
+ - name: quota_project
+ location: examples/quota_project
+ - name: shared_vpc
+ location: examples/shared_vpc
+ - name: simple_project
+ location: examples/simple_project
+ - name: tags_project
+ location: examples/tags_project
+ interfaces:
+ variables:
+ - name: activate_api_identities
+ description: " The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. 
in order to grant additional roles).\n APIs in this list will automatically be appended to `activate_apis`.\n Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).\n Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.\n"
+ varType: |-
+ list(object({
+ api = string
+ roles = list(string)
+ }))
+ defaultValue: []
+ - name: activate_apis
+ description: The list of apis to activate within the project
+ varType: list(string)
+ defaultValue:
+ - compute.googleapis.com
+ - name: auto_create_network
+ description: Create the default network
+ varType: bool
+ defaultValue: false
+ - name: billing_account
+ description: The ID of the billing account to associate this project with
+ varType: string
+ required: true
+ - name: bucket_location
+ description: The location for a GCS bucket to create (optional)
+ varType: string
+ defaultValue: US
+ - name: bucket_name
+ description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional)
+ varType: string
+ defaultValue: ""
+ - name: bucket_project
+ description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional)
+ varType: string
+ defaultValue: ""
+ - name: bucket_versioning
+ description: Enable versioning for a GCS bucket to create (optional)
+ varType: bool
+ defaultValue: false
+ - name: budget_alert_pubsub_topic
+ description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`
+ varType: string
+ - name: budget_alert_spent_percents
+ description: A list of percentages of the budget to alert on when threshold is exceeded
+ varType: list(number)
+ defaultValue:
+ - 0.5
+ - 0.7
+ - 1
+ - name: budget_amount
+ description: The 
amount to use for a budget alert
+ varType: number
+ - name: budget_monitoring_notification_channels
+ description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed.
+ varType: list(string)
+ defaultValue: []
+ - name: create_project_sa
+ description: Whether the default service account for the project shall be created
+ varType: bool
+ defaultValue: true
+ - name: default_network_tier
+ description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers.
+ varType: string
+ defaultValue: ""
+ - name: default_service_account
+ description: "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
+ varType: string
+ defaultValue: disable
+ - name: disable_dependent_services
+ description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed.
+ varType: bool
+ defaultValue: true
+ - name: disable_services_on_destroy
+ description: Whether project services will be disabled when the resources are destroyed
+ varType: bool
+ defaultValue: true
+ - name: domain
+ description: The domain name (optional).
+ varType: string
+ defaultValue: ""
+ - name: folder_id
+ description: The ID of a folder to host this project
+ varType: string
+ defaultValue: ""
+ - name: grant_network_role
+ description: Whether or not to grant service agents the network roles on the host project
+ varType: bool
+ defaultValue: true
+ - name: grant_services_security_admin_role
+ description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules
+ varType: bool
+ defaultValue: false
+ - name: group_name
+ description: A group to control the project by being assigned group_role (defaults to project editor)
+ varType: string
+ defaultValue: ""
+ - name: group_role
+ description: The role to give the controlling group (group_name) over the project (defaults to project editor)
+ varType: string
+ defaultValue: roles/editor
+ - name: labels
+ description: Map of labels for project
+ varType: map(string)
+ defaultValue: {}
+ - name: lien
+ description: Add a lien on the project to prevent accidental deletion
+ varType: bool
+ defaultValue: false
+ - name: name
+ description: The name for the project
+ varType: string
+ required: true
+ - name: org_id
+ description: The organization ID.
+ varType: string
+ required: true
+ - name: project_id
+ description: The ID to give the project. If not provided, the `name` will be used.
+ varType: string
+ defaultValue: ""
+ - name: project_sa_name
+ description: Default service account name for the project.
+ varType: string
+ defaultValue: project-service-account
+ - name: random_project_id
+ description: Adds a suffix of 4 random characters to the `project_id`
+ varType: bool
+ defaultValue: false
+ - name: sa_role
+ description: A role to give the default Service Account for the project (defaults to none)
+ varType: string
+ defaultValue: ""
+ - name: shared_vpc
+ description: The ID of the host project which hosts the shared VPC
+ varType: string
+ defaultValue: ""
+ - name: shared_vpc_subnets
+ description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)
+ varType: list(string)
+ defaultValue: []
+ - name: usage_bucket_name
+ description: Name of a GCS bucket to store GCE usage reports in (optional)
+ varType: string
+ defaultValue: ""
+ - name: usage_bucket_prefix
+ description: Prefix in the GCS bucket to store GCE usage reports in (optional)
+ varType: string
+ defaultValue: ""
+ outputs:
+ - name: domain
+ description: The organization's domain
+ - name: group_email
+ description: The email of the G Suite group with group_name
+ - name: project_bucket_self_link
+ description: Project's bucket selfLink
+ - name: project_bucket_url
+ description: Project's bucket url
+ - name: project_id
+ description: If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true.
+ - name: project_name
+ description: The name for the project
+ - name: project_number
+ description: The number for the project
+ - name: service_account_display_name
+ description: The display name of the default service account
+ - name: service_account_email
+ description: The email of the default service account
+ - name: service_account_id
+ description: The id of the default service account
+ - name: service_account_name
+ description: The fully-qualified name of the default service account
+ - name: service_account_unique_id
+ description: The unique id of the default service account
+ requirements:
 roles:
- - roles/owner
- - roles/compute.admin
- - roles/iam.serviceAccountAdmin
- - roles/resourcemanager.projectIamAdmin
- - roles/storage.admin
- - roles/iam.serviceAccountUser
- - roles/billing.projectManager
- - level: Project
- roles:
- - roles/owner
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.folderIamAdmin
- - roles/billing.projectManager
- - roles/compute.xpnAdmin
- - level: Project
- roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/resourcemanager.organizationViewer
- services:
- - admin.googleapis.com
- - appengine.googleapis.com
- - cloudbilling.googleapis.com
- - cloudresourcemanager.googleapis.com
- - compute.googleapis.com
- - iam.googleapis.com
- - iamcredentials.googleapis.com
- - oslogin.googleapis.com
- - serviceusage.googleapis.com
- - billingbudgets.googleapis.com
- - pubsub.googleapis.com
- - accesscontextmanager.googleapis.com
- - essentialcontacts.googleapis.com
- - serviceconsumermanagement.googleapis.com
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.folderIamAdmin
+ - roles/billing.projectManager
+ - roles/compute.xpnAdmin
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/resourcemanager.organizationViewer
+ - 
roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/compute.admin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/iam.serviceAccountUser
+ - roles/billing.projectManager
+ services:
+ - admin.googleapis.com
+ - appengine.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - oslogin.googleapis.com
+ - serviceusage.googleapis.com
+ - billingbudgets.googleapis.com
+ - pubsub.googleapis.com
+ - accesscontextmanager.googleapis.com
+ - essentialcontacts.googleapis.com
+ - serviceconsumermanagement.googleapis.com
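Review bot: The new `requirements.roles` block at the end of the hunk lists `roles/owner` in the same `level: Project` group as narrower roles such as `roles/compute.admin`, `roles/iam.serviceAccountAdmin` and `roles/resourcemanager.projectIamAdmin`, which makes those entries redundant and advertises project owner as the baseline for whoever provisions a deployer identity from this metadata; a least-privilege list would drop `roles/owner` or the roles it already subsumes. Several roles in the other two groups (`roles/resourcemanager.folderAdmin`, `roles/resourcemanager.folderIamAdmin`, `roles/resourcemanager.organizationViewer`, `roles/accesscontextmanager.policyAdmin`, `roles/compute.xpnAdmin`, and the newly added `roles/resourcemanager.tagAdmin`) act at folder or organization scope, so `level: Project` appears to misstate where they have to be bound — worth checking against the metadata schema, and if this file is regenerated by tooling, correcting the source list rather than the output. Separately, `description: {}` under `info` (right after `actuationTool`) is an empty mapping where a description string seems intended; either fill it in or omit the key, and `title: Shared VPC` reads as the host-side module's title rather than this service-project module's.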