fix: adds extra apis variable (GoogleCloudPlatform#119)

datadrivers · May 17, 2023 · 730fd95 · 730fd95
1 parent d68f4da
commit 730fd95
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 24 deletions.
diff --git a/modules/job-exec/README.md b/modules/job-exec/README.md
@@ -42,7 +42,6 @@ Functional examples are included in the
 | location | Cloud Run job deployment location | `string` | n/a | yes |
 | name | The name of the Cloud Run job to create | `string` | n/a | yes |
 | project\_id | The project ID to deploy to | `string` | n/a | yes |
-| service\_account\_email | Service Account email needed for the job | `string` | `""` | no |
 
 ## Outputs
 

diff --git a/modules/job-exec/variables.tf b/modules/job-exec/variables.tf
@@ -40,13 +40,6 @@ variable "exec" {
   default     = false
 }
 
-variable "service_account_email" {
-  type        = string
-  description = "Service Account email needed for the job"
-  default     = ""
-}
-
-
 variable "argument" {
   type        = list(string)
   description = "Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments"

diff --git a/modules/job-exec/versions.tf b/modules/job-exec/versions.tf
@@ -15,6 +15,7 @@
  */
 
 terraform {
+  required_version = ">= 0.13"
   required_providers {
     terracurl = {
       source  = "devops-rob/terracurl"

diff --git a/modules/secure-serverless-harness/README.md b/modules/secure-serverless-harness/README.md
@@ -70,15 +70,18 @@ module "secure_cloud_run_harness" {
 | key\_rotation\_period | Period of key rotation in seconds. Default value is equivalent to 30 days. | `string` | `"2592000s"` | no |
 | keyring\_name | Keyring name. | `string` | n/a | yes |
 | location | The location where resources are going to be deployed. | `string` | n/a | yes |
+| network\_project\_extra\_apis | The extra APIs to be enabled during network project creation. | `list(string)` | `[]` | no |
 | network\_project\_name | The name to give the shared vpc project. | `string` | `""` | no |
 | org\_id | The organization ID. | `string` | n/a | yes |
 | owners | List of comma-separated owners for each key declared in set\_owners\_for. | `list(string)` | `[]` | no |
 | parent\_folder\_id | The ID of a folder to host the infrastructure created in this module. | `string` | `""` | no |
 | prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. | `bool` | `true` | no |
 | private\_service\_connect\_ip | The internal IP to be used for the private service connect. | `string` | n/a | yes |
 | region | The region in which the subnetwork will be created. | `string` | n/a | yes |
+| security\_project\_extra\_apis | The extra APIs to be enabled during security project creation. | `list(string)` | `[]` | no |
 | security\_project\_name | The name to give the security project. | `string` | n/a | yes |
 | serverless\_folder\_suffix | The suffix to be concat in the Serverless folder name fldr-serverless-<SUFFIX>. | `string` | `""` | no |
+| serverless\_project\_extra\_apis | The extra APIs to be enabled during serverless projects creation. | `map(list(string))` | `{}` | no |
 | serverless\_project\_names | The name to give the Cloud Serverless project. | `list(string)` | n/a | yes |
 | serverless\_type | The type of resource to be used. It supports only CLOUD\_RUN or CLOUD\_FUNCTION | `string` | n/a | yes |
 | service\_account\_project\_roles | Common roles to apply to the Cloud Serverless service account in the serverless project. | `map(list(string))` | `{}` | no |

diff --git a/modules/secure-serverless-harness/main.tf b/modules/secure-serverless-harness/main.tf
@@ -23,21 +23,20 @@ locals {
     "artifactregistry.googleapis.com",
     "run.googleapis.com",
     "cloudkms.googleapis.com",
-    "dns.googleapis.com"
+    "dns.googleapis.com",
+    "servicenetworking.googleapis.com"
   ], local.api)
-  kms_apis = [
+  kms_apis = concat([
     "cloudkms.googleapis.com",
     "artifactregistry.googleapis.com"
-  ]
+  ], var.security_project_extra_apis)
 
-  network_apis = [
+  network_apis = concat([
     "vpcaccess.googleapis.com",
     "compute.googleapis.com",
-    "dns.googleapis.com"
-  ]
-
-  network_project_id = var.use_shared_vpc ? module.network_project[0].project_id : ""
-
+    "dns.googleapis.com",
+    "servicenetworking.googleapis.com"
+  ], var.network_project_extra_apis)
   eventarc_identities = [for project in module.serverless_project : "serviceAccount:${project.services_identities["eventarc"]}"]
   gcs_identities      = [for project in module.serverless_project : "serviceAccount:${project.services_identities["gcs"]}"]
   decrypters          = join(",", concat(["serviceAccount:${google_project_service_identity.artifact_sa.email}"], local.eventarc_identities, local.gcs_identities, var.decrypters))
@@ -83,10 +82,10 @@ module "serverless_project" {
   billing_account               = var.billing_account
   serverless_type               = var.serverless_type
   org_id                        = var.org_id
-  activate_apis                 = local.serverless_apis
+  activate_apis                 = concat(local.serverless_apis, try(var.serverless_project_extra_apis[each.value], []))
   folder_name                   = google_folder.fld_serverless.name
   project_name                  = each.value
-  service_account_project_roles = length(var.service_account_project_roles) > 0 ? var.service_account_project_roles[each.value] : []
+  service_account_project_roles = try(var.service_account_project_roles[each.value], [])
 }
 
 

diff --git a/modules/secure-serverless-harness/network.tf b/modules/secure-serverless-harness/network.tf
@@ -18,7 +18,7 @@ locals {
   network_name = startswith(var.vpc_name, "vpc-") ? var.vpc_name : "vpc-${var.vpc_name}"
 
   services_projects = var.use_shared_vpc ? { for key, project in module.serverless_project : key => project.project_id } : {}
-  network_projects  = var.use_shared_vpc ? { for key, project in module.network_project : key => project.project_id } : { for key, project in module.serverless_project : key => project.project_id }
+  network_projects  = var.use_shared_vpc ? { for key, project in module.network_project : key => try(project.project_id, null) } : { for key, project in module.serverless_project : key => try(project.project_id, null) }
 }
 
 module "network" {
@@ -90,6 +90,7 @@ resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment" {
   service_project = each.value
   depends_on = [
     module.serverless_project,
+    local.network_projects,
     time_sleep.wait_180_seconds
   ]
 }

diff --git a/modules/secure-serverless-harness/variables.tf b/modules/secure-serverless-harness/variables.tf
@@ -33,17 +33,35 @@ variable "security_project_name" {
   type        = string
 }
 
+variable "security_project_extra_apis" {
+  description = "The extra APIs to be enabled during security project creation."
+  type        = list(string)
+  default     = []
+}
+
 variable "network_project_name" {
   description = "The name to give the shared vpc project."
   type        = string
   default     = ""
 }
 
+variable "network_project_extra_apis" {
+  description = "The extra APIs to be enabled during network project creation."
+  type        = list(string)
+  default     = []
+}
+
 variable "serverless_project_names" {
   description = "The name to give the Cloud Serverless project."
   type        = list(string)
 }
 
+variable "serverless_project_extra_apis" {
+  description = "The extra APIs to be enabled during serverless projects creation."
+  type        = map(list(string))
+  default     = {}
+}
+
 variable "org_id" {
   description = "The organization ID."
   type        = string

diff --git a/modules/secure-serverless-net/iam.tf b/modules/secure-serverless-net/iam.tf
@@ -14,10 +14,6 @@
  * limitations under the License.
  */
 
-locals {
-  api = var.serverless_type == "CLOUD_RUN" ? "run" : "cloudfunctions"
-}
-
 data "google_project" "serverless_project_id" {
   project_id = var.serverless_project_id
 }