feat: add network service tier setting (#640)

* feat: add network service tier setting

This allows users to configure the project default Network Service
Tier.

* run docker_generate_docs

* code review fixes

* re-generate docs

* terraform fmt

* add blank line

Author: jawnsy

README.md

@@ -114,7 +114,7 @@ determining that location is as follows:
 | auto\_create\_network | Create the default network | `bool` | `false` | no |
 | billing\_account | The ID of the billing account to associate this project with | `string` | n/a | yes |
 | bucket\_force\_destroy | Force the deletion of all objects within the GCS bucket when deleting the bucket (optional) | `bool` | `false` | no |
-| bucket\_labels | A map of key/value label pairs to assign to the bucket (optional) | `map` | `{}` | no |
+| bucket\_labels | A map of key/value label pairs to assign to the bucket (optional) | `map(string)` | `{}` | no |
 | bucket\_location | The location for a GCS bucket to create (optional) | `string` | `"US"` | no |
 | bucket\_name | A name for a GCS bucket to create (in the bucket\_project project), useful for Terraform state (optional) | `string` | `""` | no |
 | bucket\_project | A project to create a GCS bucket (bucket\_name) in, useful for Terraform state (optional) | `string` | `""` | no |
@@ -127,6 +127,7 @@ determining that location is as follows:
 | budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
 | consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | `[]` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
+| default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |
 | default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |
 | disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |

examples/gke_shared_vpc/README.md

@@ -29,6 +29,7 @@ More information about GKE with Shared VPC can be found here: https://cloud.goog
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | billing\_account | billing account | `any` | n/a | yes |
+| default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |
 | org\_id | organization id | `any` | n/a | yes |
 | shared\_vpc | The ID of the host project which hosts the shared VPC | `any` | n/a | yes |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$PROJECT\_ID/regions/$REGION/subnetworks/$SUBNET\_ID) | `list(string)` | `[]` | no |

examples/gke_shared_vpc/main.tf

@@ -23,4 +23,5 @@ module "project-factory" {
   svpc_host_project_id = var.shared_vpc
   activate_apis        = ["compute.googleapis.com", "container.googleapis.com", "cloudbilling.googleapis.com"]
   shared_vpc_subnets   = var.shared_vpc_subnets
+  default_network_tier = var.default_network_tier
 }

examples/gke_shared_vpc/variables.tf

@@ -32,3 +32,8 @@ variable "shared_vpc_subnets" {
   default     = []
 }
 
+variable "default_network_tier" {
+  description = "Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers."
+  type        = string
+  default     = ""
+}

examples/shared_vpc/README.md

@@ -12,6 +12,7 @@ It then attaches two new service projects to the host project.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | billing\_account | The ID of the billing account to associate this project with | `any` | n/a | yes |
+| default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |
 | folder\_id | The folder to create projects in | `any` | n/a | yes |
 | host\_project\_name | Name for Shared VPC host project | `string` | `"shared-vpc-host"` | no |
 | network\_name | Name for Shared VPC network | `string` | `"shared-network"` | no |

examples/shared_vpc/main.tf

@@ -30,6 +30,7 @@ module "host-project" {
   folder_id                      = var.folder_id
   billing_account                = var.billing_account
   enable_shared_vpc_host_project = true
+  default_network_tier           = var.default_network_tier
 }
 
 /******************************************

examples/shared_vpc/variables.tf

@@ -40,3 +40,9 @@ variable "network_name" {
   description = "Name for Shared VPC network"
   default     = "shared-network"
 }
+
+variable "default_network_tier" {
+  description = "Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers."
+  type        = string
+  default     = ""
+}

main.tf

@@ -63,6 +63,7 @@ module "project-factory" {
   disable_dependent_services         = var.disable_dependent_services
   vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled
   vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
+  default_network_tier               = var.default_network_tier
 }
 
 /******************************************

modules/core_project_factory/main.tf

@@ -350,3 +350,12 @@ resource "google_project_service" "enable_access_context_manager" {
   project = google_project.main.number
   service = "accesscontextmanager.googleapis.com"
 }
+
+/******************************************
+  Configure default Network Service Tier
+ *****************************************/
+resource "google_compute_project_default_network_tier" "default" {
+  count        = var.default_network_tier != "" ? 1 : 0
+  project      = google_project.main.number
+  network_tier = var.default_network_tier
+}

modules/core_project_factory/variables.tf

@@ -165,7 +165,7 @@ variable "bucket_versioning" {
 
 variable "bucket_labels" {
   description = " A map of key/value label pairs to assign to the bucket (optional)"
-  type        = map
+  type        = map(string)
   default     = {}
 }
 
@@ -227,3 +227,9 @@ variable "vpc_service_control_perimeter_name" {
   type        = string
   default     = null
 }
+
+variable "default_network_tier" {
+  description = "Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers."
+  type        = string
+  default     = ""
+}

modules/gsuite_enabled/README.md

@@ -72,6 +72,7 @@ The roles granted are specifically:
 | consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | `[]` | no |
 | create\_group | Whether to create the group or not | `bool` | `false` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
+| default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |
 | default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |
 | disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |

modules/gsuite_enabled/main.tf

@@ -99,6 +99,7 @@ module "project-factory" {
   disable_services_on_destroy       = var.disable_services_on_destroy
   default_service_account           = var.default_service_account
   disable_dependent_services        = var.disable_dependent_services
+  default_network_tier              = var.default_network_tier
 }
 
 /******************************************

modules/gsuite_enabled/variables.tf

@@ -220,3 +220,9 @@ variable "consumer_quotas" {
   }))
   default = []
 }
+
+variable "default_network_tier" {
+  description = "Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers."
+  type        = string
+  default     = ""
+}

modules/svpc_service_project/README.md

@@ -44,6 +44,7 @@ module "service-project" {
 | budget\_amount | The amount to use for a budget alert | `number` | `null` | no |
 | budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
+| default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |
 | default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |
 | disable\_dependent\_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | `bool` | `true` | no |
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |

modules/svpc_service_project/main.tf

@@ -57,6 +57,7 @@ module "project-factory" {
   disable_services_on_destroy       = var.disable_services_on_destroy
   default_service_account           = var.default_service_account
   disable_dependent_services        = var.disable_dependent_services
+  default_network_tier              = var.default_network_tier
 }
 
 /******************************************

modules/svpc_service_project/variables.tf

@@ -221,3 +221,9 @@ variable "grant_services_network_role" {
   type        = bool
   default     = true
 }
+
+variable "default_network_tier" {
+  description = "Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers."
+  type        = string
+  default     = ""
+}

variables.tf

@@ -165,7 +165,7 @@ variable "bucket_versioning" {
 
 variable "bucket_labels" {
   description = " A map of key/value label pairs to assign to the bucket (optional)"
-  type        = map
+  type        = map(string)
   default     = {}
 }
 
@@ -275,3 +275,9 @@ variable "consumer_quotas" {
   }))
   default = []
 }
+
+variable "default_network_tier" {
+  description = "Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers."
+  type        = string
+  default     = ""
+}