feat(TPG >5.22)!: added vpc sc dry run mode option (#894)

Author: imrannayer

README.md

@@ -12,7 +12,7 @@ To include G Suite integration for creating groups and adding Service Accounts i
 
 ## Compatibility
 
-This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
+This module is meant for use with Terraform 0.13+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=0.13, please open an issue.
  If you haven't
 [upgraded][terraform-0.13-upgrade] and need a Terraform
 0.12.x-compatible version of this module, the last released version
@@ -29,7 +29,7 @@ There are multiple examples included in the [examples](./examples/) folder but s
 ```hcl
 module "project-factory" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.5"
+  version = "~> 15.0"
 
   name                 = "pf-test-1"
   random_project_id    = true
@@ -161,7 +161,8 @@ determining that location is as follows:
 | tag\_binding\_values | Tag values to bind the project to. | `list(string)` | `[]` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
-| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no |
+| vpc\_service\_control\_attach\_dry\_run | Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc\_service\_control\_attach\_enabled should be false for this to be true | `bool` | `false` | no |
+| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc\_service\_control\_attach\_dry\_run should be false for this to be true | `bool` | `false` | no |
 | vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no |
 | vpc\_service\_control\_sleep\_duration | The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent. | `string` | `"5s"` | no |
 
@@ -187,6 +188,7 @@ determining that location is as follows:
 | service\_account\_name | The fully-qualified name of the default service account |
 | service\_account\_unique\_id | The unique id of the default service account |
 | tag\_bindings | Tag bindings |
+| usage\_report\_export\_bucket | GCE usage reports bucket |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
@@ -197,9 +199,9 @@ determining that location is as follows:
 -   [gcloud sdk](https://cloud.google.com/sdk/install) >= 269.0.0
 -   [jq](https://stedolan.github.io/jq/) >= 1.6
 -   [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
--   [terraform-provider-google] plugin ~> 4.11
--   [terraform-provider-google-beta] plugin ~> 4.11
--   [terraform-provider-gsuite] plugin 0.1.x if GSuite functionality is desired
+-   [terraform-provider-google] plugin >= 5.22
+-   [terraform-provider-google-beta] plugin >= 5.22
+-   [terraform-provider-gsuite] plugin ~> 0.1.x if GSuite functionality is desired
 
 ### Permissions
 

docs/upgrading_to_project_factory_v15.0.md

@@ -0,0 +1,8 @@
+# Upgrading to Project Factory v15.0
+
+The v15.0 release of Project Factory is a backwards incompatible release.
+
+### Google Cloud Platform Provider upgrade
+
+The Project Factory module now requires version 5.22 or higher of the Google Cloud Platform Provider and 5.22 or higher of
+the Google Cloud Platform Beta Provider.

main.tf

@@ -65,6 +65,7 @@ module "project-factory" {
   default_service_account            = var.default_service_account
   disable_dependent_services         = var.disable_dependent_services
   vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled
+  vpc_service_control_attach_dry_run = var.vpc_service_control_attach_dry_run
   vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
   vpc_service_control_sleep_duration = var.vpc_service_control_sleep_duration
   default_network_tier               = var.default_network_tier

modules/core_project_factory/main.tf

@@ -109,7 +109,7 @@ module "project_services" {
   Shared VPC configuration
  *****************************************/
 resource "time_sleep" "wait_5_seconds" { #TODO rename resource in the next breaking change.
-  count           = var.vpc_service_control_attach_enabled ? 1 : 0
+  count           = var.vpc_service_control_attach_enabled || var.vpc_service_control_attach_dry_run ? 1 : 0
   depends_on      = [google_access_context_manager_service_perimeter_resource.service_perimeter_attachment[0], google_project_service.enable_access_context_manager[0]]
   create_duration = var.vpc_service_control_sleep_duration
 }
@@ -345,7 +345,7 @@ resource "google_storage_bucket_iam_member" "api_s_account_storage_admin_on_proj
 }
 
 /******************************************
-  Attachment to VPC Service Control Perimeter
+  Attachment to VPC Service Control Perimeter in Enforce Mode
  *****************************************/
 resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_attachment" {
   count          = var.vpc_service_control_attach_enabled ? 1 : 0
@@ -354,11 +354,21 @@ resource "google_access_context_manager_service_perimeter_resource" "service_per
   resource       = "projects/${google_project.main.number}"
 }
 
+/******************************************
+  Attachment to VPC Service Control Perimeter in Dry Run Mode
+ *****************************************/
+resource "google_access_context_manager_service_perimeter_dry_run_resource" "service_perimeter_attachment_dry_run" {
+  count          = var.vpc_service_control_attach_dry_run && !var.vpc_service_control_attach_enabled ? 1 : 0
+  depends_on     = [google_service_account.default_service_account]
+  perimeter_name = var.vpc_service_control_perimeter_name
+  resource       = "projects/${google_project.main.number}"
+}
+
 /******************************************
   Enable Access Context Manager API
  *****************************************/
 resource "google_project_service" "enable_access_context_manager" {
-  count   = var.vpc_service_control_attach_enabled ? 1 : 0
+  count   = var.vpc_service_control_attach_enabled || var.vpc_service_control_attach_dry_run ? 1 : 0
   project = google_project.main.number
   service = "accesscontextmanager.googleapis.com"
 }

modules/core_project_factory/outputs.tf

@@ -100,3 +100,8 @@ output "tag_bindings" {
   description = "Tag bindings"
   value       = google_tags_tag_binding.bindings
 }
+
+output "usage_report_export_bucket" {
+  description = "GCE usage reports bucket"
+  value       = try(google_project_usage_export_bucket.usage_report_export[0], null)
+}

modules/core_project_factory/variables.tf

@@ -111,7 +111,7 @@ variable "activate_apis" {
 variable "activate_api_identities" {
   description = <<EOF
     The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).
-    APIs in this list will automatically be appended to `activate_apis`.
+    APIs in this list will automatically be appended to `activate_apis`. Use for services supported by `gcloud beta services identity create`
     Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).
     Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.
   EOF
@@ -230,7 +230,13 @@ variable "enable_shared_vpc_host_project" {
 }
 
 variable "vpc_service_control_attach_enabled" {
-  description = "Whether the project will be attached to a VPC Service Control Perimeter"
+  description = "Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true"
+  type        = bool
+  default     = false
+}
+
+variable "vpc_service_control_attach_dry_run" {
+  description = "Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true"
   type        = bool
   default     = false
 }

modules/core_project_factory/versions.tf

@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.64, < 6"
+      version = ">= 5.22, < 6"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.64, < 6"
+      version = ">= 5.22, < 6"
     }
     null = {
       source  = "hashicorp/null"

outputs.tf

@@ -103,3 +103,8 @@ output "tag_bindings" {
   description = "Tag bindings"
   value       = module.project-factory.tag_bindings
 }
+
+output "usage_report_export_bucket" {
+  description = "GCE usage reports bucket"
+  value       = module.project-factory.usage_report_export_bucket
+}

variables.tf

@@ -289,7 +289,13 @@ variable "budget_custom_period_end_date" {
 }
 
 variable "vpc_service_control_attach_enabled" {
-  description = "Whether the project will be attached to a VPC Service Control Perimeter"
+  description = "Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true"
+  type        = bool
+  default     = false
+}
+
+variable "vpc_service_control_attach_dry_run" {
+  description = "Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true"
   type        = bool
   default     = false
 }

versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.28, < 6"
+      version = ">= 5.22, < 6"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.28, < 6"
+      version = ">= 5.22, < 6"
     }
   }
   provider_meta "google" {