add support for setting project cloud armor tier

Author: imrannayer

README.md

@@ -132,6 +132,7 @@ determining that location is as follows:
 | budget\_display\_name | The display name of the budget. If not set defaults to `Budget For <projects[0]|All Projects>` | `string` | `null` | no |
 | budget\_labels | A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. | `map(string)` | `{}` | no |
 | budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
+| cloud\_armor\_tier | Managed protection tier to be set. Possible values are: CA\_STANDARD, CA\_ENTERPRISE\_PAYGO. If not set, then project will be set to default Standard protection | `string` | `null` | no |
 | consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service    = string,<br>    metric     = string,<br>    dimensions = map(string),<br>    limit      = string,<br>    value      = string,<br>  }))</pre> | `[]` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
 | default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |
@@ -173,6 +174,7 @@ determining that location is as follows:
 | api\_s\_account | API service account email |
 | api\_s\_account\_fmt | API service account email formatted for terraform use |
 | budget\_name | The name of the budget if created |
+| cloud\_armor\_tier | Managed protection tier to be set. If not set, then project will be set to default Standard protection |
 | domain | The organization's domain |
 | enabled\_api\_identities | Enabled API identities in the project |
 | enabled\_apis | Enabled APIs in the project |
@@ -199,8 +201,8 @@ determining that location is as follows:
 -   [gcloud sdk](https://cloud.google.com/sdk/install) >= 269.0.0
 -   [jq](https://stedolan.github.io/jq/) >= 1.6
 -   [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
--   [terraform-provider-google] plugin >= 5.22
--   [terraform-provider-google-beta] plugin >= 5.22
+-   [terraform-provider-google] plugin >= 5.33
+-   [terraform-provider-google-beta] plugin >= 5.33
 -   [terraform-provider-gsuite] plugin ~> 0.1.x if GSuite functionality is desired
 
 ### Permissions

docs/upgrading_to_project_factory_v16.0.md

@@ -0,0 +1,7 @@
+# Upgrading to Project Factory v16.0
+
+The v16.0 release of Project Factory is a backwards incompatible release.
+
+### Google Cloud Platform Provider upgrade
+
+The Project Factory module now requires version `5.33` or higher of the Google Cloud Platform Provider and `5.33` or higher of the Google Cloud Platform Beta Provider.

main.tf

@@ -129,3 +129,13 @@ module "essential_contacts" {
   essential_contacts = var.essential_contacts
   language_tag       = var.language_tag
 }
+
+/******************************************
+  Cloud Armor tier of the project
+ *****************************************/
+module "cloud_armor_tier" {
+  source = "./modules/cloud_armor_tier"
+
+  project_id       = module.project-factory.project_id
+  cloud_armor_tier = var.cloud_armor_tier
+}

modules/cloud_armor_tier/README.md

@@ -0,0 +1,38 @@
+# Cloud Armor Tier
+
+This module uses the [`google_compute_project_cloud_armor_tier`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_cloud_armor_tier)
+resource to set the Cloud Armor tier of the project.
+
+## Prerequisites
+
+1. Service account used to run Terraform has permission to To enroll a project into the Cloud Armor Enterprise subscription
+[`resourcemanager.projects.createBillingAssignment` and `resourcemanager.projects.update`](https://cloud.google.com/armor/docs/armor-enterprise-using#required_permissions).
+2. The target project has the compute engine API enabled `compute.googleapis.com `
+
+## Example Usage
+```
+module "cloud_armor_tier" {
+  source   = "terraform-google-modules/project-factory/google//module/cloud_armor_tier"
+  version  = "16.0"
+
+  project_id       = module.project-factory.project_id
+  cloud_armor_tier = var.cloud_armor_tier
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cloud\_armor\_tier | Managed protection tier to be set. Possible values are: CA\_STANDARD, CA\_ENTERPRISE\_PAYGO | `string` | n/a | yes |
+| project\_id | The GCP project you want to send Essential Contacts notifications for | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cloud\_armor\_tier | Cloud Armor tier for the project |
+| project\_id | The GCP project you want to enable APIs on |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/cloud_armor_tier/main.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Cloud Armor tier of the project
+ *****************************************/
+
+resource "google_compute_project_cloud_armor_tier" "cloud_armor_tier_config" {
+  count = var.cloud_armor_tier == null ? 0 : 1
+
+  project          = var.project_id
+  cloud_armor_tier = var.cloud_armor_tier
+}

modules/cloud_armor_tier/outputs.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_armor_tier" {
+  description = "Cloud Armor tier for the project"
+  value       = var.cloud_armor_tier
+}
+
+output "project_id" {
+  description = "The GCP project you want to enable APIs on"
+  value       = var.project_id
+}

modules/cloud_armor_tier/variables.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The GCP project you want to send Essential Contacts notifications for"
+  type        = string
+}
+
+variable "cloud_armor_tier" {
+  description = "Managed protection tier to be set. Possible values are: CA_STANDARD, CA_ENTERPRISE_PAYGO"
+  type        = string
+}

modules/cloud_armor_tier/versions.tf

@@ -0,0 +1,28 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 1.3"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 5.33, < 6"
+    }
+  }
+  provider_meta "google" {
+    module_name = "blueprints/terraform/terraform-google-project-factory:cloud_armor_tier/v15.0.1"
+  }
+}

outputs.tf

@@ -108,3 +108,8 @@ output "usage_report_export_bucket" {
   description = "GCE usage reports bucket"
   value       = module.project-factory.usage_report_export_bucket
 }
+
+output "cloud_armor_tier" {
+  description = "Managed protection tier to be set. If not set, then project will be set to default Standard protection"
+  value       = var.cloud_armor_tier
+}

variables.tf

@@ -359,3 +359,9 @@ variable "tag_binding_values" {
   type        = list(string)
   default     = []
 }
+
+variable "cloud_armor_tier" {
+  description = "Managed protection tier to be set. Possible values are: CA_STANDARD, CA_ENTERPRISE_PAYGO. If not set, then project will be set to default Standard protection"
+  type        = string
+  default     = null
+}

versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.22, < 6"
+      version = ">= 5.33, < 6"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.22, < 6"
+      version = ">= 5.33, < 6"
     }
   }
   provider_meta "google" {