/terraform-google-project

Terraform example module for Google Cloud Platform project.

Primary language: HCL. License: GNU General Public License v2.0 (GPL-2.0).

Google Cloud Platform - Project Terraform Module

GitHub Actions: Terraform Tests, Dependabot

Infracost: 💵 Monthly estimates based on Infracost baseline costs.

Repository Description

Note

We do not recommend consuming this module like you might a public module. It is a baseline, something you can fork, potentially maintain, and modify to fit your organization's needs. Using public modules vs. writing your own has various drivers and trade-offs that your organization should evaluate.

🔩 Usage

Tip

You can check the tests/fixtures directory for example configurations. These fixtures set up the system for testing by providing all the necessary initial code, thus creating good examples on which to base your configurations.

Project Names

Project names are assembled from a team prefix, a description, an optional random segment and an environment code, for example:

team-example-tf2a-sb

Note

The tf2a segment is the literal prefix tf followed by a hex value from the random_id resource. Project IDs are globally unique, so the random segment avoids collisions with IDs that already exist anywhere in Google Cloud. It also matters on deletion: a deleted project sits in a pending-deletion state for 30 days, during which its project ID cannot be reused. If you want to exclude this segment from your project name, set the variable random_project_id = false and make sure your prefix, description and environment alone produce an ID that is not already taken.
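The following is an added example, not the module's own code, showing how a project ID such as team-example-tf2a-sb can be assembled from the pieces described above and validated before it reaches the API. The variable names follow the Inputs table; the mapping from environment name to the short code (sandbox to sb) and the local names are assumptions.

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 6.8"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}

variable "prefix" {
  type    = string
  default = "team"
}

variable "description" {
  type    = string
  default = "example"
}

variable "environment" {
  type    = string
  default = "sandbox"

  validation {
    condition     = contains(["sandbox", "non-production", "production"], var.environment)
    error_message = "environment must be sandbox, non-production or production."
  }
}

variable "random_project_id" {
  type    = bool
  default = true
}

variable "folder_id" {
  type = string
}

variable "billing_account" {
  type = string
}

# One byte of randomness renders as two hex characters ("2a" in the README
# example). That is only 256 variants; raise byte_length if you need more.
resource "random_id" "this" {
  byte_length = 1
}

locals {
  # Assumed mapping from environment name to the short code used in the ID.
  environment_code = {
    "sandbox"        = "sb"
    "non-production" = "nonprod"
    "production"     = "prod"
  }

  # The literal "tf" marks the random part so it is recognisable in the ID.
  random_suffix = var.random_project_id ? "tf${random_id.this.hex}" : ""

  # compact() drops the empty suffix when random_project_id = false.
  project_id = join("-", compact([
    var.prefix,
    var.description,
    local.random_suffix,
    local.environment_code[var.environment],
  ]))
}

resource "google_project" "this" {
  name            = local.project_id
  project_id      = local.project_id
  folder_id       = var.folder_id
  billing_account = var.billing_account
  deletion_policy = "PREVENT" # terraform destroy errors instead of deleting the project

  lifecycle {
    # Google project IDs are 6-30 characters of lowercase letters, digits and
    # hyphens, must start with a letter and must not end with a hyphen.
    # Checking here fails at plan time instead of at the Resource Manager API.
    precondition {
      condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", local.project_id))
      error_message = "The assembled project ID violates Google's project ID format."
    }
  }
}
```

With the defaults above the plan produces team-example-tfXX-sb (XX being the two hex characters); a long description or prefix trips the precondition before any API call is made.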

Development

Our focus is on the core fundamental practice of platform engineering, Infrastructure as Code.

Open Source Infrastructure (as Code) is a development model for infrastructure that focuses on open collaboration and applying relative lessons learned from software development practices that organizations can use internally at scale. - Open Source Infrastructure (as Code)

To avoid slowing down stream-aligned teams, we want to open up the possibility for contributions. The Open Source Infrastructure (as Code) model allows team members external to the platform team to contribute with only a slight increase in cognitive load. This section is for developers who want to contribute to this repository, describing the tools used, the skills, and the knowledge required, along with Terraform documentation.

See the documentation for setting up a local development environment here.

🛠️ Tools

📋 Skills and Knowledge

Links to documentation and other resources required to develop and iterate in this repository successfully.

🔍 Tests

All tests are mocked, which lets us test the module without creating infrastructure or requiring credentials. The trade-offs are acceptable in favor of speed and simplicity. In a Terraform test, a mocked provider or resource generates fake data for every computed attribute that the underlying provider API would normally return, so the tests exercise the module's own logic (naming, conditionals, wiring between resources) but not whether the provider would accept the configuration; a wrong IAM role name or an unsupported attribute value only surfaces against a real project.

terraform init
terraform test
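As an added example (not one of the repository's own tests), the file below shows the shape such a mocked test takes. It assumes the module root declares google_project.this and random_id.this as listed in the Resources table, and that the project ID is assembled as described under Project Names; the folder and billing account values are placeholders. The random provider's hex output is pinned so the expected ID is deterministic.

```hcl
# tests/project_id.tftest.hcl (assumed file name)

# Mock both providers: no credentials and no real resources are needed.
mock_provider "google" {}

mock_provider "random" {
  # Pin the random suffix so the assertions can compare exact project IDs.
  mock_resource "random_id" {
    defaults = {
      hex = "2a"
    }
  }
}

run "project_id_has_random_suffix" {
  # A mocked apply creates nothing but makes computed values (the mocked
  # hex) known, which a plan-only run would leave unknown.
  command = apply

  variables {
    prefix          = "team"
    description     = "example"
    environment     = "sandbox"
    folder_id       = "123456789012"        # placeholder
    billing_account = "000000-AAAAAA-BBBBBB" # placeholder
  }

  assert {
    condition     = google_project.this.project_id == "team-example-tf2a-sb"
    error_message = "Project ID did not follow <prefix>-<description>-tf<hex>-<env>."
  }

  assert {
    condition     = google_project.this.deletion_policy == "PREVENT"
    error_message = "Projects must default to deletion_policy = PREVENT."
  }
}

run "project_id_without_random_suffix" {
  command = apply

  variables {
    prefix            = "team"
    description       = "example"
    environment       = "sandbox"
    random_project_id = false
    folder_id         = "123456789012"        # placeholder
    billing_account   = "000000-AAAAAA-BBBBBB" # placeholder
  }

  assert {
    condition     = google_project.this.project_id == "team-example-sb"
    error_message = "random_project_id = false must drop the tf<hex> segment."
  }
}
```

Run it with terraform init followed by terraform test from the module root; Terraform picks up every *.tftest.hcl file under tests/ by default.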

📓 Terraform Documentation

A child module automatically inherits default (un-aliased) provider configurations from its parent. The provider versions below are informational only and need not match the version constraints declared in the parent (root) module's required_providers block, which is what terraform init actually resolves.
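An added example of that inheritance, not taken from the repository: a root module that configures the google provider once and calls this module with the inputs from the table below. The module source path, folder ID, billing account and e-mail addresses are placeholders, and the commented cis_2_2_logging_sink_project_id line assumes a second module instance that provides the logging project.

```hcl
terraform {
  required_version = ">= 1.7"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 6.8"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}

# Default (un-aliased) configuration: the child module inherits it, so the
# module itself carries no provider block. No project is set here because the
# module creates the project; the credentials only need folder-level rights
# such as Project Creator and Billing User.
provider "google" {
  region = "us-east1"
}

module "project" {
  source = "../../" # placeholder path to your fork of the module

  prefix      = "sec"
  description = "tools"
  environment = "sandbox"

  folder_id       = "123456789012"        # placeholder numeric folder ID
  billing_account = "000000-AAAAAA-BBBBBB" # placeholder billing account ID

  monthly_budget_amount       = 25
  budget_notification_email   = "billing-admins@example.com"
  security_notification_email = "security@example.com"

  # Enable only the APIs the workload needs; every extra API widens the
  # surface that project-level IAM grants reach.
  services = [
    "compute.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
  ]

  labels = {
    owner = "security"
    team  = "sec"
  }

  # deletion_policy is left at its default of "PREVENT" on purpose so that an
  # accidental terraform destroy fails instead of removing the project.

  # Route the CIS 2.2 sink to a dedicated logging project (assumed second
  # instance of this module):
  # cis_2_2_logging_sink_project_id = module.logging_project.id
}

output "project_id" {
  value = module.project.id
}

output "project_number" {
  value = module.project.number
}

# The sink's writer identity must be granted write access in the destination
# project; export it so that grant can be made where the destination lives.
output "cis_2_2_logging_sink_service_account" {
  value = module.project.cis_2_2_logging_sink_service_account
}
```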

Providers

| Name | Version |
|------|---------|
| google | 6.8.0 |
| random | 3.6.3 |

Resources

| Name | Type |
|------|------|
| google_billing_budget.project | resource |
| google_compute_project_metadata_item.enable_oslogin | resource |
| google_kms_crypto_key.cis_2_2_logging_sink | resource |
| google_kms_crypto_key_iam_member.cis_2_2_logging_sink | resource |
| google_kms_key_ring.this | resource |
| google_logging_metric.cis_logging_metrics | resource |
| google_logging_project_bucket_config.cis_2_2_logging_sink | resource |
| google_logging_project_sink.cis_2_2_logging_sink | resource |
| google_monitoring_alert_policy.cis_logging_metrics | resource |
| google_monitoring_notification_channel.this | resource |
| google_project.this | resource |
| google_project_iam_audit_config.cis_2_1 | resource |
| google_project_iam_member.cis_2_2 | resource |
| google_project_service.this | resource |
| random_id.this | resource |
| google_logging_project_cmek_settings.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| billing_account | The alphanumeric ID of the billing account this project belongs to | `string` | `"01C550-A2C86B-B8F16B"` | no |
| budget_notification_email | The email address to send budget notifications to | `string` | `"billing-admins@osinfra.io"` | no |
| cis_2_2_logging_bucket_locked | Boolean to enable the CIS 2.2 logging bucket lock | `bool` | `true` | no |
| cis_2_2_logging_sink_project_id | The CIS 2.2 logging sink project ID | `string` | `""` | no |
| deletion_policy | The deletion policy for the project | `string` | `"PREVENT"` | no |
| description | A short description of the system or service you're building in the project, for example: tools (for a tooling project), logging (for a logging project), services (for a services project) | `string` | n/a | yes |
| environment | The environment, for example: sandbox, non-production, production | `string` | n/a | yes |
| folder_id | The numeric ID of the folder this project should be created under. The module does not expose org_id, so every project is created under a folder | `string` | n/a | yes |
| key_ring_location | The location of the key ring to create | `string` | `"us"` | no |
| labels | A map of key/value pairs to assign to the resources being created | `map(string)` | `{}` | no |
| monthly_budget_amount | The monthly budget amount in USD to set for the project | `number` | `5` | no |
| prefix | The team prefix, for example: ops (Operations), sec (Security) | `string` | `"test"` | no |
| random_project_id | If true, a random hex value with a prefix of tf will be added to the project_id | `bool` | `true` | no |
| security_notification_email | The email address to send security notifications to | `string` | `"security@osinfra.io"` | no |
| services | A list of services to enable in the project | `list(string)` | `[]` | no |

The defaults for billing_account, budget_notification_email and security_notification_email are the upstream organization's own values; override them in your fork rather than relying on the defaults.

Outputs

| Name | Description |
|------|-------------|
| cis_2_2_logging_sink_project_id | The CIS 2.2 logging sink benchmark project ID |
| cis_2_2_logging_sink_service_account | The CIS 2.2 logging sink benchmark service account |
| cis_logging_metrics_alert_policy_names | The CIS logging metrics alert policy names; we need these to test the resources with InSpec |
| id | The project ID |
| number | The project number |
| unique_writer_identity | The unique identity associated with this sink |