Merge branch 'master' into feat/add-pre-commit

Author: morgante

.kitchen.yml

@@ -38,3 +38,20 @@ suites:
       name: terraform
       command_timeout: 1800
       root_module_directory: test/fixtures/minimal
+
+  - name: "shared_vpc_no_subnets"
+    driver:
+      name: "terraform"
+      command_timeout: 1800
+      root_module_directory: test/fixtures/shared_vpc_no_subnets/
+    verifier:
+      name: terraform
+      systems:
+        - name: inspec-gcp
+          backend: gcp
+          controls:
+            - gcp
+        - name: local
+          backend: local
+          controls:
+            - gcloud

CHANGELOG.md

@@ -8,6 +8,27 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 
+## [2.1.3] - 2019-04-03
+
+### Fixed
+
+- Unconditional check for optional
+  `resourcemanager.organization.get` permission in preconditions script.
+  [#178]
+- The `project_id` output depends on project service activation. [#180]
+
+## [2.1.2] - 2019-04-01
+
+### Fixed
+
+- Error when verifying billing account permissions [#175]
+
+## [2.1.1] - 2019-03-25
+
+### Fixed
+
+- Removed requirement of `roles/resourcemanager.organizationViewer` when `var.domain` is provided. [#172]
+
 ## [2.1.0] - 2019-03-11
 
 ### ADDED
@@ -91,7 +112,10 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### ADDED
 - This is the initial release of the Project Factory Module.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v2.1.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v2.1.3...HEAD
+[2.1.3]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v2.1.2...v2.1.3
+[2.1.2]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v2.1.1...v2.1.2
+[2.1.1]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v2.1.0...v2.1.1
 [2.1.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v2.0.0...v2.1.0
 [2.0.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v1.2.0...v2.0.0
 [1.2.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v1.1.2...v1.2.0
@@ -105,6 +129,10 @@ Extending the adopted spec, each change should have a link to its corresponding
 [0.2.1]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v0.1.0...v0.2.0
 
+[#180]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/180
+[#178]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/178
+[#175]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/175
+[#172]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/172
 [#164]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/164
 [#154]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/154
 [#153]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/153

examples/shared_vpc/README.md

@@ -0,0 +1,27 @@
+# Shared VPC Host Project
+
+This example illustrates how to create a [Shared VPC](https://cloud.google.com/vpc/docs/shared-vpc) host project.
+
+It includes creating the host project and using the [network module](https://github.com/terraform-google-modules/terraform-google-network) to create network.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| billing\_account | The ID of the billing account to associate this project with | string | - | yes |
+| credentials\_path | Path to a Service Account credentials file with permissions documented in the readme | string | - | yes |
+| host\_project\_name | Name for Shared VPC host project | string | `shared-vpc-host` | no |
+| network\_name | Name for Shared VPC network | string | `shared-network` | no |
+| organization\_id | The organization id for the associated services | string | - | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| host\_project\_id | The ID of the created project |
+| network\_name | The name of the VPC being created |
+| network\_self\_link | The URI of the VPC being created |
+
+[^]: (autogen_docs_end)

examples/shared_vpc/main.tf

@@ -0,0 +1,80 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  credentials_file_path = "${var.credentials_path}"
+  subnet_01             = "${var.network_name}-subnet-01"
+  subnet_02             = "${var.network_name}-subnet-02"
+}
+
+/******************************************
+  Provider configuration
+ *****************************************/
+provider "google" {
+  credentials = "${file(local.credentials_file_path)}"
+  version     = "~> 1.19"
+}
+
+provider "google-beta" {
+  credentials = "${file(local.credentials_file_path)}"
+  version     = "~> 1.19"
+}
+
+/******************************************
+  Host Project Creation
+ *****************************************/
+module "host-project" {
+  source            = "../../"
+  random_project_id = "true"
+  name              = "${var.host_project_name}"
+  org_id            = "${var.organization_id}"
+  billing_account   = "${var.billing_account}"
+  credentials_path  = "${local.credentials_file_path}"
+}
+
+/******************************************
+  Network Creation
+ *****************************************/
+module "vpc" {
+  source  = "terraform-google-modules/network/google"
+  version = "0.6.0"
+
+  project_id   = "${module.host-project.project_id}"
+  network_name = "${var.network_name}"
+
+  delete_default_internet_gateway_routes = "true"
+  shared_vpc_host                        = "true"
+
+  subnets = [
+    {
+      subnet_name   = "${local.subnet_01}"
+      subnet_ip     = "10.10.10.0/24"
+      subnet_region = "us-west1"
+    },
+    {
+      subnet_name           = "${local.subnet_02}"
+      subnet_ip             = "10.10.20.0/24"
+      subnet_region         = "us-west1"
+      subnet_private_access = "true"
+      subnet_flow_logs      = "true"
+    },
+  ]
+
+  secondary_ranges = {
+    "${local.subnet_01}" = []
+    "${local.subnet_02}" = []
+  }
+}

examples/shared_vpc/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "host_project_id" {
+  value       = "${module.host-project.project_id}"
+  description = "The ID of the created project"
+}
+
+output "network_name" {
+  value       = "${module.vpc.network_name}"
+  description = "The name of the VPC being created"
+}
+
+output "network_self_link" {
+  value       = "${module.vpc.network_self_link}"
+  description = "The URI of the VPC being created"
+}

examples/shared_vpc/variables.tf

@@ -0,0 +1,37 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "organization_id" {
+  description = "The organization id for the associated services"
+}
+
+variable "billing_account" {
+  description = "The ID of the billing account to associate this project with"
+}
+
+variable "credentials_path" {
+  description = "Path to a Service Account credentials file with permissions documented in the readme"
+}
+
+variable "host_project_name" {
+  description = "Name for Shared VPC host project"
+  default     = "shared-vpc-host"
+}
+
+variable "network_name" {
+  description = "Name for Shared VPC network"
+  default     = "shared-network"
+}

modules/core_project_factory/outputs.tf

@@ -19,7 +19,7 @@ output "project_name" {
 }
 
 output "project_id" {
-  value = "${google_project.main.project_id}"
+  value = "${element(concat(google_project_service.project_services.*.project, list(google_project.main.project_id)), 0)}"
 }
 
 output "project_number" {

modules/core_project_factory/scripts/preconditions/preconditions.py

@@ -71,10 +71,7 @@ def asdict(self):
 
 class OrgPermissions:
     # Permissions that the service account must have for any organization
-    ALL_PERMISSIONS = [
-        # Typically granted with `roles/resourcemanager.organizationViewer`
-        "resourcemanager.organizations.get",
-    ]
+    ALL_PERMISSIONS = []
 
     # Permissions required when the service account is attaching a new project
     # to a shared VPC
@@ -115,14 +112,23 @@ def __init__(self, org_id, shared_vpc=False, parent=False):
             self.permissions += self.PARENT_PERMISSIONS
 
     def validate(self, credentials):
+        body = {"permissions": self.permissions}
+        resource = "organizations/" + self.org_id
+
+        # no permissions to validate
+        if len(self.permissions) == 0:
+            return {
+                "type": "Service account permissions on organization",
+                "name": resource,
+                "satisfied": [],
+                "unsatisfied": []
+            }
+
         service = discovery.build(
             'cloudresourcemanager', 'v1',
             credentials=credentials
         )
 
-        body = {"permissions": self.permissions}
-        resource = "organizations/" + self.org_id
-
         request = service.organizations().testIamPermissions(
             resource=resource,
             body=body)
@@ -286,16 +292,13 @@ def validate(self, credentials):
         request = service.billingAccounts().testIamPermissions(
             resource=resource,
             body=body)
-        try:
-            response = request.execute()
-        except errors.HttpError:
-            response = {"permissions": []}
+        response = request.execute()
 
         req = Requirements(
             "Service account permissions on billing account",
             resource,
             self.REQUIRED_PERMISSIONS,
-            response["permissions"],
+            response.get("permissions", []),
         )
 
         return req.asdict()

modules/gsuite_group/main.tf

@@ -15,13 +15,15 @@
  */
 
 locals {
-  domain = "${var.domain != "" ? var.domain : data.google_organization.org.domain}"
-  email  = "${format("%s@%s", var.name, local.domain)}"
+  domain_list = "${concat(data.google_organization.org.*.domain, list("dummy"))}"
+  domain      = "${var.domain == "" ? element(local.domain_list, 0) : var.domain}"
+  email       = "${format("%s@%s", var.name, local.domain)}"
 }
 
 /*****************************************
   Organization info retrieval
  *****************************************/
 data "google_organization" "org" {
+  count        = "${var.domain == "" ? 1 : 0}"
   organization = "${var.org_id}"
 }

test/fixtures/full/extra_outputs.tf

@@ -17,3 +17,11 @@
 output "extra_service_account_email" {
   value = "${google_service_account.extra_service_account.email}"
 }
+
+output "shared_vpc_subnet_name" {
+  value = "${local.shared_vpc_subnet_name}"
+}
+
+output "shared_vpc_subnet_region" {
+  value = "${local.shared_vpc_subnet_region}"
+}

test/fixtures/full/main.tf

@@ -37,8 +37,10 @@ provider "gsuite" {
 }
 
 locals {
-  shared_vpc_subnets = ["projects/${var.shared_vpc}/regions/${module.vpc.subnets_regions[0]}/subnetworks/${module.vpc.subnets_names[0]}"]
-  subnet_name        = "pf-test-subnet-${var.random_string_for_testing}"
+  subnet_name              = "pf-test-subnet-${var.random_string_for_testing}"
+  shared_vpc_subnet_name   = "${module.vpc.subnets_names[0]}"
+  shared_vpc_subnet_region = "${module.vpc.subnets_regions[0]}"
+  shared_vpc_subnets       = ["projects/${var.shared_vpc}/regions/${local.shared_vpc_subnet_region}/subnetworks/${local.shared_vpc_subnet_name}"]
 }
 
 module "vpc" {

test/fixtures/shared_vpc_no_subnets/extra_variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "credentials_path" {
+  description = "Path to a service account credentials file with rights to run the Project Factory."
+  default     = ""
+}