This repository is no longer supported.
Please consider using one of the following repositories instead:
- terraform-google-cloud-nat
- terraform-google-vpc-network
- terraform-google-iam
- terraform-google-pubsub
- terraform-google-kubernetes-engine
- terraform-google-cloud-sql
A set of Terraform Modules for configuring Production Infrastructure with Google Cloud Platform.
```hcl
terraform {
  required_version = "~> v1.6.2"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.4.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 5.4.0"
    }
  }
}
```
Define a Service Account in this way:

```hcl
module "my_service_account" {
  source      = "git::https://github.com/jobtome-labs/terraform-modules.git//serviceaccount-with-iam?ref=v4.3.0"
  project     = "my-gcp-project"
  name        = "my-application-deployer"
  displayname = "My Application Deployer"
  description = "Service Account for My Application Deployer"
  roles       = ["roles/container.viewer"]
}
```
- `displayname` is optional and defaults to `name`
- `description` is optional and defaults to an empty string
- `roles` is an array of roles granted to the Service Account on the project:
  - Built-in roles are specified as `roles/<role-name>`
  - Custom roles are specified as `projects/<project-name>/roles/<role-name>`
NOTE: Currently, the module grants each role with `google_project_iam_member`, which is non-authoritative: it manages only the Service Account's own membership in that role. If a role is granted to the Service Account manually (e.g., in the GCP Console), Terraform will NOT notice it and will not remove it at the next apply, so privilege added out of band persists silently. This will be fixed in a future version by using `google_project_iam_binding`, which is authoritative for the whole member list of a role; be aware that such a switch also removes every other member of that role on the project that is not declared in Terraform.
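Because a role granted by hand never appears in `terraform plan` while the module uses `google_project_iam_member`, the drift has to be detected outside Terraform. The following script is an added example, not code from this repository: it compares the roles declared in the module's `roles` list with the project's actual IAM policy as printed by `gcloud projects get-iam-policy <project> --format=json`, and reports roles the Service Account holds that Terraform does not declare (and declared roles that are missing, which Terraform itself would re-create). The policy document embedded below is a constructed sample, and `service_account_member`, `granted_roles` and `iam_drift` are names chosen for this example.

```python
"""Drift check for roles granted to a Service Account outside Terraform.

Added example, not part of the terraform-modules repository. Reads a policy in
the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`
and reports roles held by the module's Service Account beyond its declared list.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample policy (not real project data), in the gcloud JSON shape:
# a list of bindings, each with a role, its members and an optional condition.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "role": "roles/container.viewer",
            "members": [
                "serviceAccount:my-application-deployer@my-gcp-project.iam.gserviceaccount.com",
                "user:alice@example.com",
            ],
        },
        {
            # Granted by hand in the Console: google_project_iam_member never sees it.
            "role": "roles/owner",
            "members": [
                "serviceAccount:my-application-deployer@my-gcp-project.iam.gserviceaccount.com",
            ],
        },
        {
            # Conditional binding: still a grant, reported together with its condition title.
            "role": "roles/storage.objectViewer",
            "members": [
                "serviceAccount:my-application-deployer@my-gcp-project.iam.gserviceaccount.com",
            ],
            "condition": {
                "title": "expires-2024",
                "expression": 'request.time < timestamp("2024-12-31T00:00:00Z")',
            },
        },
    ],
    "etag": "BwXyz=",
    "version": 3,
})


def service_account_member(project: str, name: str) -> str:
    """IAM member string for the Service Account the module creates from `project` and `name`."""
    return f"serviceAccount:{name}@{project}.iam.gserviceaccount.com"


def granted_roles(policy_json: str, member: str) -> Dict[str, Optional[str]]:
    """Map every role granted to `member` to its condition title (None if unconditional).

    A role bound both with and without a condition keeps the last binding seen;
    for a drift report that is enough, since either way the role is granted.
    """
    policy = json.loads(policy_json)
    roles: Dict[str, Optional[str]] = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            condition = binding.get("condition")
            roles[binding["role"]] = condition["title"] if condition else None
    return roles


def iam_drift(policy_json: str, member: str,
              declared_roles: List[str]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Return (extra, missing) for `member`.

    extra:   roles granted in GCP but absent from the module's `roles` list;
             these survive every `terraform apply` while iam_member is used.
    missing: declared roles not found in the policy; Terraform would re-add them.
    """
    actual = granted_roles(policy_json, member)
    declared = set(declared_roles)
    extra = {role: title for role, title in actual.items() if role not in declared}
    missing = sorted(declared - set(actual))
    return extra, missing


if __name__ == "__main__":
    # Same project, name and roles as the module example on this page.
    member = service_account_member("my-gcp-project", "my-application-deployer")
    extra, missing = iam_drift(SAMPLE_POLICY, member, ["roles/container.viewer"])
    for role, title in sorted(extra.items()):
        suffix = f" (condition: {title})" if title else ""
        print(f"UNDECLARED {role}{suffix}")
    for role in missing:
        print(f"MISSING    {role}")
```

To run it against a real project, replace `SAMPLE_POLICY` with the output of `gcloud projects get-iam-policy my-gcp-project --format=json`; any `UNDECLARED` line is privilege that Terraform will keep ignoring until the module moves to an authoritative binding.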
Typical role sets for deployer accounts:

- Kubernetes Deployer (the Kubernetes cluster should have RBAC enabled, so that the project-level role only lets the account reach the cluster and what it may change inside the cluster is granted by Kubernetes RBAC):
  `roles = ["roles/container.viewer"]`
- Cloud Run Deployer:
  `roles = ["roles/cloudscheduler.admin", "roles/container.developer", "roles/run.invoker"]`
- Cloud Function Deployer:
  `roles = ["roles/cloudtasks.enqueuer", "roles/cloudtasks.viewer", "roles/cloudtasks.taskRunner", "roles/cloudtasks.taskDeleter"]`
A Pub/Sub can be provisioned like this (the example assumes three Service Account modules named `my_serviceaccount`, `my_serviceaccount-2` and `my_serviceaccount-3`):

```hcl
module "my_queue" {
  source  = "git::https://github.com/jobtome-labs/terraform-modules.git//pubsub-with-iam?ref=v4.3.0"
  project = "my-gcp-project"
  name    = "my-pubsub"
  roles_topic = {
    admin      = [module.my_serviceaccount-3.full_name]
    editor     = []
    publisher  = [module.my_serviceaccount.full_name]
    subscriber = [module.my_serviceaccount.full_name]
    viewer     = [module.my_serviceaccount-2.full_name, module.my_serviceaccount.full_name]
  }
  roles_subscription = {
    admin      = [module.my_serviceaccount-3.full_name]
    editor     = []
    subscriber = [module.my_serviceaccount.full_name]
    viewer     = [module.my_serviceaccount-2.full_name, module.my_serviceaccount.full_name]
  }
}
```
By default, it provisions one Topic and one Subscription with the same name. When importing an existing Pub/Sub into the Terraform state, this can be overridden and the Subscription named differently via `name_subscription`.
The `roles_topic` variable takes an object listing every possible role, each with an array of the Service Accounts that hold it; if nobody should hold a role, set it to an empty array.

NOTE: Unlike the project-level roles of the Service Account module, the Topic/Subscription IAM managed here is authoritative: if a Service Account is manually granted an additional permission on the Topic/Subscription (e.g., via the GCP Console), Terraform will remove it at the next apply.

The same applies to `roles_subscription`.
NOTE: The Subscription resource has one role fewer than the Topic resource: there is no `publisher` role on a Subscription.
One can have only a Topic by specifying `topic_only = true`. In this case, `roles_subscription` is ignored.
One can have more Subscriptions by specifying an array (`extra_subscriptions`) of objects with the following properties, which are the parameters of a Subscription (only `name` is mandatory):

- `name`
- `roles`
- `message_retention_duration`
- `ack_deadline_seconds`
- `retain_acked_messages`
- `ttl_list`
- `push_list`
Notice `ttl_list` and `push_list`: even though each carries a single value (and both are optional), the value must be wrapped in a list. If parameters are omitted, all extra Subscriptions get the same parameters (TTL, ACK deadline, etc.) as the main Subscription.

NOTE: Currently it is not possible to assign different permissions to the extra Subscriptions: all Subscriptions get the same permissions as the main Subscription, whatever is passed in their `roles` property.