From c73035f4e5a5f587f1893eb1cb781e6768bb1673 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Thu, 30 Jan 2025 08:48:58 +0100
Subject: [PATCH] Allow universe-bound projects to exclude services (#2852)
* Allow universe-bound projects to exclude services
* Update README
---
 modules/project/README.md | 6 +++---
 modules/project/main.tf | 9 +++++----
 modules/project/outputs.tf | 4 ++--
 modules/project/service-agents.tf | 6 +++---
 modules/project/variables.tf | 10 ++++++----
 tests/modules/project/universe.tfvars | 15 +++++++++++++--
 tests/modules/project/universe.yaml | 11 +++++++++++
 7 files changed, 43 insertions(+), 18 deletions(-)
diff --git a/modules/project/README.md b/modules/project/README.md
index eb7b37aa50..ce194ecb8d 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -1621,8 +1621,8 @@ alerts:
 | [skip_delete](variables.tf#L240) | Deprecated. Use deletion_policy. | bool | | null |
 | [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | map(string) | | null |
 | [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
-| [universe](variables.tf#L252) | GCP universe where deploy the project. This will be prepended to the project id. | string | | "" |
-| [vpc_sc](variables.tf#L259) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
+| [universe](variables.tf#L252) | GCP universe where to deploy the project. The prefix will be prepended to the project id. | object({…}) | | null |
+| [vpc_sc](variables.tf#L261) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
 ## Outputs
@@ -1643,7 +1643,7 @@ alerts:
 | [quota_configs](outputs.tf#L144) | Quota configurations. | |
 | [quotas](outputs.tf#L155) | Quota resources. | |
 | [service_agents](outputs.tf#L160) | List of all (active) service agents for this project. | |
-| [services](outputs.tf#L169) | Service APIs to enabled in the project. | |
+| [services](outputs.tf#L169) | Service APIs to enable in the project. | |
 | [sink_writer_identities](outputs.tf#L178) | Writer identities created for each sink. | |
 | [tag_keys](outputs.tf#L185) | Tag key resources. | |
 | [tag_values](outputs.tf#L194) | Tag value resources. | |
diff --git a/modules/project/main.tf b/modules/project/main.tf
index fa22a75bcf..8cf3106e9d 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -26,7 +26,7 @@ locals {
 parent_type = var.parent == null ? null : split("/", var.parent)[0]
 parent_id = var.parent == null ? null : split("/", var.parent)[1]
 prefix = var.prefix == null ? "" : "${var.prefix}-"
- project_id = "${local.universe}${local.prefix}${var.name}"
+ project_id = "${local.universe_prefix}${local.prefix}${var.name}"
 project = (
 var.project_create ? {
@@ -40,7 +40,8 @@ locals {
 name = try(data.google_project.project[0].name, null)
 }
 )
- universe = var.universe == "" ? "" : "${var.universe}:"
+ universe_prefix = var.universe == null ? "" : "${var.universe.prefix}:"
+ available_services = tolist(setsubtract(var.services, try(var.universe.unavailable_services, [])))
 }
 data "google_project" "project" {
@@ -68,7 +69,7 @@ resource "google_project" "project" {
 }
 resource "google_project_service" "project_services" {
- for_each = toset(var.services)
+ for_each = toset(local.available_services)
 project = local.project.project_id
 service = each.value
 disable_on_destroy = var.service_config.disable_on_destroy
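Review bot: The new `available_services` local silently drops any requested service that also appears in `universe.unavailable_services`, and nothing in the module surfaces the dropped set, so a caller who listed a security-relevant API (or `compute.googleapis.com`, whose absence also skips the project metadata resource in the following hunk) only notices by diffing the `services` output against their input. I would state that next to the local, `# services in var.services that the universe marks unavailable are dropped silently; compare with the services output to detect them`, and consider exposing the intersection as an output, e.g. `excluded_services = tolist(setintersection(var.services, try(var.universe.unavailable_services, [])))`. Note also that `tolist(setsubtract(...))` yields the services in lexical order rather than the order given in `var.services`, which the `services` output now inherits. The `try(...)` can be the same explicit null check used on the `universe_prefix` line, `var.universe == null ? [] : var.universe.unavailable_services`, since the attribute already defaults to `[]` in the variable type. The enclosing `locals` block starts outside the hunk.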
@@ -78,7 +79,7 @@ resource "google_project_service" "project_services" {
 resource "google_compute_project_metadata_item" "default" {
 for_each = (
- contains(var.services, "compute.googleapis.com") ? var.compute_metadata : {}
+ contains(local.available_services, "compute.googleapis.com") ? var.compute_metadata : {}
 )
 project = local.project.project_id
 key = each.key
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index 6946164ff5..635518eb95 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -167,8 +167,8 @@ output "service_agents" {
 }
 output "services" {
- description = "Service APIs to enabled in the project."
- value = var.services
+ description = "Service APIs to enable in the project."
+ value = local.available_services
 depends_on = [
 google_project_service.project_services,
 google_project_service_identity.default,
diff --git a/modules/project/service-agents.tf b/modules/project/service-agents.tf
index 00ca3cb493..0dee2b2ad7 100644
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -18,7 +18,7 @@ locals {
 services = distinct(concat(
- var.services, var.service_agents_config.services_enabled
+ local.available_services, var.service_agents_config.services_enabled
 ))
 _service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
 # map of api => list of agents
@@ -33,7 +33,7 @@ locals {
 (agent.name) => merge(agent, {
 email = format(agent.identity, local.project.number)
 iam_email = "serviceAccount:${format(agent.identity, local.project.number)}"
- create_jit = api == "cloudservices" || contains(var.services, api)
+ create_jit = api == "cloudservices" || contains(local.available_services, api)
 })
 }
 ]...)
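Review bot: The `services` output now returns `local.available_services`, which differs from `var.services` in two ways the updated description does not mention: services the universe marks unavailable are removed, and the list is derived from a set, so it comes back in lexical order rather than the caller's input order. Consumers that relied on seeing every requested service, or on the input order, will be surprised, so the description should say so, e.g. `description = "Service APIs enabled in the project: var.services minus any universe-unavailable services, lexically sorted."`.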
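Review bot: In the `services` local of service-agents.tf the universe exclusion list is applied to `var.services` but not to `var.service_agents_config.services_enabled`, so an API that the universe marks unavailable still produces agent entries and IAM emails when it is listed there (the `create_jit` guard in the last hunk only stops identity creation). If that is unintended, subtract it the same way before the `concat`, `setsubtract(var.service_agents_config.services_enabled, try(var.universe.unavailable_services, []))`; if it is deliberate because such services are assumed to be enabled elsewhere, a comment such as `# services_enabled is trusted as-is and not filtered by the universe exclusion list` would stop the next reader from "fixing" it. The enclosing `locals` block starts outside the hunk.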
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index 6dee667ad9..0342a58dbc 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -250,10 +250,12 @@ variable "skip_delete" {
 }
 variable "universe" {
- description = "GCP universe where deploy the project. This will be prepended to the project id."
- type = string
- default = ""
- nullable = false
+ description = "GCP universe where to deploy the project. The prefix will be prepended to the project id."
+ type = object({
+ prefix = string
+ unavailable_services = optional(list(string), [])
+ })
+ default = null
 }
 variable "vpc_sc" {
diff --git a/tests/modules/project/universe.tfvars b/tests/modules/project/universe.tfvars
index ae61d499c0..48524f3bd6 100644
--- a/tests/modules/project/universe.tfvars
+++ b/tests/modules/project/universe.tfvars
@@ -1,2 +1,13 @@
-prefix = "foo"
-universe = "alpha"
+prefix = "foo"
+universe = {
+ prefix = "alpha"
+ unavailable_services = [
+ "xxx.googleapis.com",
+ "yyy.googleapis.com"
+ ]
+}
+services = [
+ "aaa.googleapis.com",
+ "bbb.googleapis.com",
+ "xxx.googleapis.com"
+]
diff --git a/tests/modules/project/universe.yaml b/tests/modules/project/universe.yaml
index 5f0c8c8403..c35fac01b6 100644
--- a/tests/modules/project/universe.yaml
+++ b/tests/modules/project/universe.yaml
@@ -16,11 +16,22 @@ values:
 google_project.project[0]:
 name: foo-my-project
 project_id: alpha:foo-my-project
+ google_project_service.project_services["aaa.googleapis.com"]:
+ project: alpha:foo-my-project
+ service: aaa.googleapis.com
+ google_project_service.project_services["bbb.googleapis.com"]:
+ project: alpha:foo-my-project
+ service: bbb.googleapis.com
 counts:
 google_project: 1
+ google_project_service: 2
+ resources: 3
 outputs:
 id: alpha:foo-my-project
 name: foo-my-project
 project_id: foo-my-project
+ services:
+ - aaa.googleapis.com
+ - bbb.googleapis.com
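Review bot: `universe.prefix` is not validated, and the removed empty-string sentinel has no equivalent in the new object type: with `universe = { prefix = "" }` the `universe_prefix` local in main.tf becomes `":"` and the project id starts with a colon, whereas the old `default = ""` form treated an empty value as "no universe". A validation block rejecting an empty prefix when the object is set closes that gap. The description should also cover the second attribute, since nothing in the variable says what it does, e.g. `Services listed in unavailable_services are removed from var.services before any API is enabled.`. The test fixture only exercises a non-empty prefix, so the empty case is currently unprotected.

```hcl
variable "universe" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.universe == null || var.universe.prefix != ""
    error_message = "universe.prefix must be a non-empty string when universe is set."
  }
}
```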