added vpc sc dry run mode option

Author: imrannayer

README.md

@@ -12,7 +12,7 @@ To include G Suite integration for creating groups and adding Service Accounts i
 
 ## Compatibility
 
-This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
+This module is meant for use with Terraform 0.13+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=0.13, please open an issue.
  If you haven't
 [upgraded][terraform-0.13-upgrade] and need a Terraform
 0.12.x-compatible version of this module, the last released version
@@ -29,7 +29,7 @@ There are multiple examples included in the [examples](./examples/) folder but s
 ```hcl
 module "project-factory" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.5"
+  version = "~> 15.0"
 
   name                 = "pf-test-1"
   random_project_id    = true
@@ -161,7 +161,8 @@ determining that location is as follows:
 | tag\_binding\_values | Tag values to bind the project to. | `list(string)` | `[]` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
-| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no |
+| vpc\_service\_control\_attach\_dry\_run | Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc\_service\_control\_attach\_enabled should be false for this to be true | `bool` | `false` | no |
+| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc\_service\_control\_attach\_dry\_run should be false for this to be true | `bool` | `false` | no |
 | vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no |
 | vpc\_service\_control\_sleep\_duration | The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent. | `string` | `"5s"` | no |
 
@@ -197,8 +198,8 @@ determining that location is as follows:
 -   [gcloud sdk](https://cloud.google.com/sdk/install) >= 269.0.0
 -   [jq](https://stedolan.github.io/jq/) >= 1.6
 -   [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
--   [terraform-provider-google] plugin ~> 4.11
--   [terraform-provider-google-beta] plugin ~> 4.11
+-   [terraform-provider-google] plugin ~> 5.22
+-   [terraform-provider-google-beta] plugin ~> 5.22
 -   [terraform-provider-gsuite] plugin 0.1.x if GSuite functionality is desired
 
 ### Permissions

docs/upgrading_to_project_factory_v15.0.md

@@ -0,0 +1,8 @@
+# Upgrading to Project Factory v15.0
+
+The v15.0 release of Project Factory is a backwards incompatible release.
+
+### Google Cloud Platform Provider upgrade
+
+The Project Factory module now requires version 5.22 or higher of the Google Cloud Platform Provider and 5.22 or higher of
+the Google Cloud Platform Beta Provider.

main.tf

@@ -65,6 +65,7 @@ module "project-factory" {
   default_service_account            = var.default_service_account
   disable_dependent_services         = var.disable_dependent_services
   vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled
+  vpc_service_control_attach_dry_run = var.vpc_service_control_attach_dry_run
   vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
   vpc_service_control_sleep_duration = var.vpc_service_control_sleep_duration
   default_network_tier               = var.default_network_tier

modules/core_project_factory/main.tf

@@ -345,7 +345,7 @@ resource "google_storage_bucket_iam_member" "api_s_account_storage_admin_on_proj
 }
 
 /******************************************
-  Attachment to VPC Service Control Perimeter
+  Attachment to VPC Service Control Perimeter in Enforce Mode
  *****************************************/
 resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_attachment" {
   count          = var.vpc_service_control_attach_enabled ? 1 : 0
@@ -354,11 +354,21 @@ resource "google_access_context_manager_service_perimeter_resource" "service_per
   resource       = "projects/${google_project.main.number}"
 }
 
+/******************************************
+  Attachment to VPC Service Control Perimeter in Dry Run Mode
+ *****************************************/
+resource "google_access_context_manager_service_perimeter_dry_run_resource" "service_perimeter_attachment_dry_run" {
+  count          = var.vpc_service_control_attach_dry_run && !var.vpc_service_control_attach_enabled ? 1 : 0
+  depends_on     = [google_service_account.default_service_account]
+  perimeter_name = var.vpc_service_control_perimeter_name
+  resource       = "projects/${google_project.main.number}"
+}
+
 /******************************************
   Enable Access Context Manager API
  *****************************************/
 resource "google_project_service" "enable_access_context_manager" {
-  count   = var.vpc_service_control_attach_enabled ? 1 : 0
+  count   = var.vpc_service_control_attach_enabled || var.vpc_service_control_attach_enabled ? 1 : 0
   project = google_project.main.number
   service = "accesscontextmanager.googleapis.com"
 }

modules/core_project_factory/variables.tf

@@ -230,7 +230,13 @@ variable "enable_shared_vpc_host_project" {
 }
 
 variable "vpc_service_control_attach_enabled" {
-  description = "Whether the project will be attached to a VPC Service Control Perimeter"
+  description = "Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true"
+  type        = bool
+  default     = false
+}
+
+variable "vpc_service_control_attach_dry_run" {
+  description = "Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true"
   type        = bool
   default     = false
 }

modules/core_project_factory/versions.tf

@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.64, < 6"
+      version = ">= 5.22, < 6"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.64, < 6"
+      version = ">= 5.22, < 6"
     }
     null = {
       source  = "hashicorp/null"

variables.tf

@@ -289,7 +289,13 @@ variable "budget_custom_period_end_date" {
 }
 
 variable "vpc_service_control_attach_enabled" {
-  description = "Whether the project will be attached to a VPC Service Control Perimeter"
+  description = "Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true"
+  type        = bool
+  default     = false
+}
+
+variable "vpc_service_control_attach_dry_run" {
+  description = "Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true"
   type        = bool
   default     = false
 }

versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.28, < 6"
+      version = ">= 5.22, < 6"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 4.28, < 6"
+      version = ">= 5.22, < 6"
     }
   }
   provider_meta "google" {