feat: support optional tag binding

bharathkkb · bharathkkb · commit 8ab26d4193b1 · 2024-02-21T23:46:04.000Z
diff --git a/README.md b/README.md
@@ -158,6 +158,7 @@ determining that location is as follows:
 | sa\_role | A role to give the default Service Account for the project (defaults to none) | `string` | `""` | no |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
 | svpc\_host\_project\_id | The ID of the host project which hosts the shared VPC | `string` | `""` | no |
+| tag\_binding\_values | Tag values to bind the project to. | `list(string)` | `[]` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no |
@@ -185,6 +186,7 @@ determining that location is as follows:
 | service\_account\_id | The id of the default service account |
 | service\_account\_name | The fully-qualified name of the default service account |
 | service\_account\_unique\_id | The unique id of the default service account |
+| tag\_bindings | Tag bindings |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/examples/tags_project/README.md b/examples/tags_project/README.md
@@ -0,0 +1,21 @@
+# Project with tags
+
+This example illustrates how to create a project with a tag binding.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| billing\_account | The ID of the billing account to associate this project with | `any` | n/a | yes |
+| organization\_id | The organization id for the associated services | `string` | `"684124036889"` | no |
+| tag\_value | value | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | The ID of the created project |
+| project\_num | The number of the created project |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/tags_project/main.tf b/examples/tags_project/main.tf
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "project-factory" {
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 14.0"
+
+  random_project_id       = true
+  name                    = "simple-tag-project"
+  org_id                  = var.organization_id
+  billing_account         = var.billing_account
+  default_service_account = "deprivilege"
+  tag_binding_values      = [var.tag_value]
+}
diff --git a/examples/tags_project/outputs.tf b/examples/tags_project/outputs.tf
@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  value       = module.project-factory.project_id
+  description = "The ID of the created project"
+}
+
+output "project_num" {
+  value       = module.project-factory.project_number
+  description = "The number of the created project"
+}
+
diff --git a/examples/tags_project/variables.tf b/examples/tags_project/variables.tf
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "organization_id" {
+  description = "The organization id for the associated services"
+  default     = "684124036889"
+}
+
+variable "billing_account" {
+  description = "The ID of the billing account to associate this project with"
+}
+
+variable "tag_value" {
+  description = "value"
+  type        = string
+}
diff --git a/main.tf b/main.tf
@@ -68,6 +68,7 @@ module "project-factory" {
   vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
   vpc_service_control_sleep_duration = var.vpc_service_control_sleep_duration
   default_network_tier               = var.default_network_tier
+  tag_binding_values                 = var.tag_binding_values
 }
 
 /******************************************
diff --git a/modules/core_project_factory/main.tf b/modules/core_project_factory/main.tf
@@ -371,3 +371,9 @@ resource "google_compute_project_default_network_tier" "default" {
   project      = google_project.main.number
   network_tier = var.default_network_tier
 }
+
+resource "google_tags_tag_binding" "bindings" {
+  for_each  = toset(var.tag_binding_values)
+  parent    = "//cloudresourcemanager.googleapis.com/projects/${google_project.main.number}"
+  tag_value = "tagValues/${each.value}"
+}
diff --git a/modules/core_project_factory/outputs.tf b/modules/core_project_factory/outputs.tf
@@ -95,3 +95,8 @@ output "enabled_api_identities" {
   description = "Enabled API identities in the project"
   value       = module.project_services.enabled_api_identities
 }
+
+output "tag_bindings" {
+  description = "Tag bindings"
+  value       = google_tags_tag_binding.bindings
+}
diff --git a/modules/core_project_factory/variables.tf b/modules/core_project_factory/variables.tf
@@ -258,3 +258,9 @@ variable "grant_network_role" {
   type        = bool
   default     = true
 }
+
+variable "tag_binding_values" {
+  description = "Tag values to bind the project to."
+  type        = list(string)
+  default     = []
+}
diff --git a/modules/core_project_factory/versions.tf b/modules/core_project_factory/versions.tf
@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.50, < 6"
+      version = ">= 3.64, < 6"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.50, < 6"
+      version = ">= 3.64, < 6"
     }
     null = {
       source  = "hashicorp/null"
diff --git a/outputs.tf b/outputs.tf
@@ -98,3 +98,8 @@ output "budget_name" {
   value       = module.budget.name
   description = "The name of the budget if created"
 }
+
+output "tag_bindings" {
+  description = "Tag bindings"
+  value       = module.project-factory.tag_bindings
+}
diff --git a/test/integration/tags_project/tags_project_test.go b/test/integration/tags_project/tags_project_test.go
@@ -0,0 +1,43 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tags_project
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTagsProject(t *testing.T) {
+	tagsProjectT := tft.NewTFBlueprintTest(t)
+	tagsProjectT.DefineVerify(func(assert *assert.Assertions) {
+		tagsProjectT.DefaultVerify(assert)
+
+		projectNum := tagsProjectT.GetStringOutput("project_num")
+		tagValue := tagsProjectT.GetTFSetupStringOutput("tag_value")
+
+		parent := fmt.Sprintf("//cloudresourcemanager.googleapis.com/projects/%s", projectNum)
+		projBindings := gcloud.Runf(t, "resource-manager tags bindings list --parent=%s", parent).Array()
+		assert.Len(projBindings, 1, "expected one binding")
+
+		binding := utils.GetFirstMatchResult(t, projBindings, "parent", parent)
+		assert.Equalf(fmt.Sprintf("tagValues/%s", tagValue), binding.Get("tagValue").String(), "expected binding to %s", tagValue)
+	})
+	tagsProjectT.Test()
+}
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
@@ -37,6 +37,10 @@ locals {
   int_required_org_roles = [
     "roles/accesscontextmanager.policyAdmin",
     "roles/resourcemanager.organizationViewer",
+    # CRUD tags.
+    "roles/resourcemanager.tagAdmin",
+    # Binding tags to resources.
+    "roles/resourcemanager.tagUser"
   ]
 }
 
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
@@ -58,3 +58,7 @@ output "group_name" {
 output "service_account_email" {
   value = google_service_account.int_test.email
 }
+
+output "tag_value" {
+  value = google_tags_tag_value.value.name
+}
diff --git a/test/setup/tags.tf b/test/setup/tags.tf
@@ -0,0 +1,33 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "key_suffix" {
+  length  = 7
+  special = false
+  upper   = false
+}
+
+resource "google_tags_tag_key" "key" {
+  parent      = "organizations/${var.org_id}"
+  short_name  = "pf-key-${random_string.key_suffix.result}"
+  description = "Sample tag key"
+}
+
+resource "google_tags_tag_value" "value" {
+  parent      = "tagKeys/${google_tags_tag_key.key.name}"
+  short_name  = "sample-val"
+  description = "Sample val"
+}
diff --git a/variables.tf b/variables.tf
@@ -347,3 +347,9 @@ variable "language_tag" {
   type        = string
   default     = "en-US"
 }
+
+variable "tag_binding_values" {
+  description = "Tag values to bind the project to."
+  type        = list(string)
+  default     = []
+}

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,7 @@ module "project-factory" {`
`68`	`68`	`vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name`
`69`	`69`	`vpc_service_control_sleep_duration = var.vpc_service_control_sleep_duration`
`70`	`70`	`default_network_tier = var.default_network_tier`
	`71`	`+ tag_binding_values = var.tag_binding_values`
`71`	`72`	`}`
`72`	`73`
`73`	`74`	`/******************************************`
Original file line number	Diff line number	Diff line change
`@@ -95,3 +95,8 @@ output "enabled_api_identities" {`
`95`	`95`	`description = "Enabled API identities in the project"`
`96`	`96`	`value = module.project_services.enabled_api_identities`
`97`	`97`	`}`
	`98`	`+`
	`99`	`+output "tag_bindings" {`
	`100`	`+ description = "Tag bindings"`
	`101`	`+ value = google_tags_tag_binding.bindings`
	`102`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -20,11 +20,11 @@ terraform {`
`20`	`20`	`required_providers {`
`21`	`21`	`google = {`
`22`	`22`	`source = "hashicorp/google"`
`23`		`- version = ">= 3.50, < 6"`
	`23`	`+ version = ">= 3.64, < 6"`
`24`	`24`	`}`
`25`	`25`	`google-beta = {`
`26`	`26`	`source = "hashicorp/google-beta"`
`27`		`- version = ">= 3.50, < 6"`
	`27`	`+ version = ">= 3.64, < 6"`
`28`	`28`	`}`
`29`	`29`	`null = {`
`30`	`30`	`source = "hashicorp/null"`
Original file line number	Diff line number	Diff line change
`@@ -98,3 +98,8 @@ output "budget_name" {`
`98`	`98`	`value = module.budget.name`
`99`	`99`	`description = "The name of the budget if created"`
`100`	`100`	`}`
	`101`	`+`
	`102`	`+output "tag_bindings" {`
	`103`	`+ description = "Tag bindings"`
	`104`	`+ value = module.project-factory.tag_bindings`
	`105`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,10 @@ locals {`
`37`	`37`	`int_required_org_roles = [`
`38`	`38`	`"roles/accesscontextmanager.policyAdmin",`
`39`	`39`	`"roles/resourcemanager.organizationViewer",`
	`40`	`+ # CRUD tags.`
	`41`	`+ "roles/resourcemanager.tagAdmin",`
	`42`	`+ # Binding tags to resources.`
	`43`	`+ "roles/resourcemanager.tagUser"`
`40`	`44`	`]`
`41`	`45`	`}`
`42`	`46`
Original file line number	Diff line number	Diff line change
`@@ -58,3 +58,7 @@ output "group_name" {`
`58`	`58`	`output "service_account_email" {`
`59`	`59`	`value = google_service_account.int_test.email`
`60`	`60`	`}`
	`61`	`+`
	`62`	`+output "tag_value" {`
	`63`	`+ value = google_tags_tag_value.value.name`
	`64`	`+}`