From f5ef06328af8ac8af7a1d6a128d54888c2936d22 Mon Sep 17 00:00:00 2001 
From: Jon Buckley Date: Wed, 5 Feb 2025 17:25:02 -0500 Subject: [PATCH] chore: Add terraform-docs delimiters (#256) * chore(aws_gcp_vpn): Add terraform-docs delimiters * chore(aws_itse-roles): Add terraform-docs delimiters * chore(google_bigquery_log_sink): Add terraform-docs delimiters * chore(google_cdn-external): Add terraform-docs delimiters * chore(google_cdn_backend_bucket): Add terraform-docs delimiters * chore(google_certificate_manager_certificate_map): Add terraform-docs delimiters * chore(google_cloudsql_mysql): Add terraform-docs delimiters * chore(google_cloudsql_postgres): Add terraform-docs delimiters * chore(google_datastream): Add terraform-docs delimiters * chore(google_deployment_accounts): Add terraform-docs delimiters * chore(google_gar): Add terraform-docs delimiters * chore(google_gke): Add terraform-docs delimiters * chore(google_gke_namespace_logging): Add terraform-docs delimiters * chore(google_gke_tenant): Add terraform-docs delimiters * chore(google_memcache): Add terraform-docs delimiters * chore(google_monitoring): Add terraform-docs delimiters * chore(google_permissions): Add terraform-docs delimiters * chore(google_project-dns): Add terraform-docs delimiters * chore(google_project): Add terraform-docs delimiters * chore(google_psc_to_elastic): Add terraform-docs delimiters * chore(google_redis): Add terraform-docs delimiters * chore(google_tenant_project_bootstrap): Add terraform-docs delimiters * chore(google_tfstate): Add terraform-docs delimiters * chore(mozilla_workgroup): Add terraform-docs delimiters * chore(aws_gcp_vpn): Add .terraform-docs.yml * chore(aws_itse-roles): Add .terraform-docs.yml * chore(google_bigquery_log_sink): Add .terraform-docs.yml * chore(google_cdn-external): Add .terraform-docs.yml * chore(google_cdn_backend_bucket): Add .terraform-docs.yml * chore(google_certificate_manager_certificate_map): Add .terraform-docs.yml * chore(google_deployment_accounts): Add .terraform-docs.yml * chore(google_gar): Add 
.terraform-docs.yml * chore(google_gke_tenant): Add .terraform-docs.yml * chore(google_monitoring): Add .terraform-docs.yml * chore(google_permissions): Add .terraform-docs.yml * chore(google_project-dns): Add .terraform-docs.yml * chore(google_project): Add .terraform-docs.yml * chore(google_psc_to_elastic): Add .terraform-docs.yml * chore(google_tenant_project_bootstrap): Add .terraform-docs.yml * chore(google_tfstate): Add .terraform-docs.yml * chore(google_workload_identity): Add .terraform-docs.yml * chore(docs): aws_gcp_vpn/README.md * chore(docs): aws_itse-roles/README.md * chore(docs): google_bigquery_log_sink/README.md * chore(docs): google_cdn-external/README.md * chore(docs): google_cdn_backend_bucket/README.md * chore(docs): google_certificate_manager_certificate_map/README.md * chore(docs): google_deployment_accounts/README.md * chore(docs): google_gar/README.md * chore(docs): google_gke_tenant/README.md * chore(docs): google_monitoring/README.md * chore(docs): google_permissions/README.md * chore(docs): google_project-dns/README.md * chore(docs): google_project/README.md * chore(docs): google_psc_to_elastic/README.md * chore(docs): google_tenant_project_bootstrap/README.md * chore(docs): google_tfstate/README.md * chore(docs): google_workload_identity/README.md * chore(docs): google_cloudsql_mysql/README.md * chore(docs): google_cloudsql_postgres/README.md * chore(docs): google_datastream/README.md * chore(docs): google_gke/README.md * chore(docs): google_gke_namespace_logging/README.md * chore(docs): google_memcache/README.md * chore(docs): google_redis/README.md * chore(docs): mozilla_workgroup/README.md --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- aws_gcp_vpn/.terraform-docs.yml | 6 + aws_gcp_vpn/README.md | 20 ++ aws_itse-roles/.terraform-docs.yml | 6 + aws_itse-roles/README.md | 36 +-- google_bigquery_log_sink/.terraform-docs.yml | 6 + google_bigquery_log_sink/README.md | 25 +- 
google_cdn-external/.terraform-docs.yml | 6 + google_cdn-external/README.md | 48 +-- google_cdn_backend_bucket/.terraform-docs.yml | 6 + google_cdn_backend_bucket/README.md | 33 +- .../.terraform-docs.yml | 6 + .../README.md | 31 +- google_cloudsql_mysql/README.md | 4 +- google_cloudsql_postgres/README.md | 7 +- google_datastream/.readme-header.yml | 21 -- google_datastream/.terraform-docs.yml | 8 - google_datastream/README.md | 29 +- google_datastream/main.tf | 25 ++ .../.terraform-docs.yml | 24 ++ google_deployment_accounts/README.md | 110 +++++-- google_gar/.terraform-docs.yml | 12 + google_gar/README.md | 40 +-- google_gke/.terraform-docs.yml | 13 +- google_gke/README.md | 281 +----------------- .../.terraform-docs.yml | 5 +- google_gke_namespace_logging/README.md | 7 +- google_gke_tenant/.terraform-docs.yml | 6 + google_gke_tenant/README.md | 27 +- google_gke_tenant/main.tf | 4 + google_memcache/README.md | 6 +- google_monitoring/.terraform-docs.yml | 6 + google_monitoring/README.md | 25 +- google_permissions/.terraform-docs.yml | 20 ++ google_permissions/README.md | 117 ++++---- google_project-dns/.terraform-docs.yml | 6 + google_project-dns/README.md | 29 +- google_project/.terraform-docs.yml | 6 + google_project/README.md | 34 +-- google_psc_to_elastic/.terraform-docs.yml | 6 + google_psc_to_elastic/README.md | 34 +-- google_redis/README.md | 12 +- .../.terraform-docs.yml | 6 + google_tenant_project_bootstrap/README.md | 41 +-- google_tenant_project_bootstrap/main.tf | 5 + google_tfstate/.terraform-docs.yml | 6 + google_tfstate/README.md | 25 +- google_workload_identity/.terraform-docs.yml | 6 + google_workload_identity/README.md | 28 -- mozilla_workgroup/.terraform-docs.yml | 4 +- mozilla_workgroup/README.md | 57 +--- mozilla_workgroup/main.tf | 2 +- 51 files changed, 454 insertions(+), 879 deletions(-) create mode 100644 aws_gcp_vpn/.terraform-docs.yml create mode 100644 aws_itse-roles/.terraform-docs.yml create mode 100644 
google_bigquery_log_sink/.terraform-docs.yml create mode 100644 google_cdn-external/.terraform-docs.yml create mode 100644 google_cdn_backend_bucket/.terraform-docs.yml create mode 100644 google_certificate_manager_certificate_map/.terraform-docs.yml delete mode 100644 google_datastream/.readme-header.yml create mode 100644 google_deployment_accounts/.terraform-docs.yml create mode 100644 google_gar/.terraform-docs.yml create mode 100644 google_gke_tenant/.terraform-docs.yml create mode 100644 google_gke_tenant/main.tf create mode 100644 google_monitoring/.terraform-docs.yml create mode 100644 google_permissions/.terraform-docs.yml create mode 100644 google_project-dns/.terraform-docs.yml create mode 100644 google_project/.terraform-docs.yml create mode 100644 google_psc_to_elastic/.terraform-docs.yml create mode 100644 google_tenant_project_bootstrap/.terraform-docs.yml create mode 100644 google_tfstate/.terraform-docs.yml create mode 100644 google_workload_identity/.terraform-docs.yml
diff --git a/aws_gcp_vpn/.terraform-docs.yml b/aws_gcp_vpn/.terraform-docs.yml
new file mode 100644
index 00000000..a0ed216c
--- /dev/null
+++ b/aws_gcp_vpn/.terraform-docs.yml
@@ -0,0 +1,6 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
diff --git a/aws_gcp_vpn/README.md b/aws_gcp_vpn/README.md
index 4d213427..2a8b6b10 100644
--- a/aws_gcp_vpn/README.md
+++ b/aws_gcp_vpn/README.md
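Review bot: The new content template renders only `{{ .Header }}`, `{{ .Inputs }}` and `{{ .Outputs }}`, so the regenerated READMEs in this commit drop the Requirements, Providers and Resources tables the previous output carried (visible in the aws_itse-roles and google_bigquery_log_sink README hunks), and a reader can no longer see from the README which provider version constraints a module declares or which IAM roles, policy attachments and log-sink bindings it creates. The same six-line template is added for every other new `.terraform-docs.yml` in this commit, so the same observation applies to each of them. If the omission is intentional, a comment such as `# Requirements/Providers/Resources are omitted on purpose; see main.tf for the resource inventory` at the top of the template would keep the next maintainer from re-adding them; otherwise inserting `{{ .Requirements }}` and `{{ .Resources }}` between the header and the inputs restores that inventory in the generated README.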
@@ -24,3 +24,23 @@ You'll also need to turn on Route Propagation in the routing table for this VPC ## Exporting peer VPN network routes to AWS If you'd like to connect to a service using VPC networking peering, such as CloudSQL, [follow the steps](https://cloud.google.com/sql/docs/mysql/configure-private-ip#vpn) to export custom routes and then create a custom route advertisement for that range. + + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_private\_asn](#input\_aws\_private\_asn) | ASN for AWS VPN gateway | `number` | n/a | yes | +| [aws\_vpc\_id](#input\_aws\_vpc\_id) | AWS VPC id | `string` | n/a | yes | +| [aws\_vpn\_gateway\_id](#input\_aws\_vpn\_gateway\_id) | AWS VPN Gateway ID | `string` | n/a | yes | +| [gcp\_advertised\_ip\_ranges](#input\_gcp\_advertised\_ip\_ranges) | value | `set(object({ description = string, range = string }))` | `[]` | no | +| [gcp\_network\_name](#input\_gcp\_network\_name) | GCP VPN network name | `string` | `"default"` | no | +| [gcp\_private\_asn](#input\_gcp\_private\_asn) | ASN for GCP VPN gateway | `number` | n/a | yes | +| [gcp\_project\_id](#input\_gcp\_project\_id) | GCP project id | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/aws_itse-roles/.terraform-docs.yml b/aws_itse-roles/.terraform-docs.yml new file mode 100644 index 00000000..a0ed216c --- /dev/null +++ b/aws_itse-roles/.terraform-docs.yml @@ -0,0 +1,6 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/aws_itse-roles/README.md b/aws_itse-roles/README.md index 20edde2f..8175b2fb 100644 --- a/aws_itse-roles/README.md +++ b/aws_itse-roles/README.md @@ -1,3 +1,4 @@ + # Terraform Module for Default AWS Delegated Roles Module that creates roles on accounts to allow delegated access from another account. 
@@ -9,44 +10,12 @@ Module will create 4 different roles: - itsre-poweruser - Similar to admin but can't do any IAM tasks - itsre-atlantis - Atlantis (Terraform automation platform) role -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 3.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_role.admin_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.atlantis_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.poweruser_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.readonly_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.admin_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.atlantis_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.poweruser_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.readonly_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_iam_policy_document.atlantis_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | - ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [atlantis\_principal](#input\_atlantis\_principal) | AWS account role ARN linked to Atlantis GCP Workload Identity (e.g. entrypoint to all AWS accounts by a given Atlantis). | `string` | n/a | yes | | [additional\_principals](#input\_additional\_principals) | List of additional principals' (user, role) ARNs allowed to assume the itse roles defined here. | `list(string)` | `[]` | no | +| [atlantis\_principal](#input\_atlantis\_principal) | AWS account role ARN linked to Atlantis GCP Workload Identity (e.g. entrypoint to all AWS accounts by a given Atlantis). | `string` | n/a | yes | | [external\_account\_id](#input\_external\_account\_id) | The AWS Account ID whose root user or Terraform role can assume the itse roles. Defaults to mozilla-itsre account. | `string` | `"177680776199"` | no | | [max\_session\_duration](#input\_max\_session\_duration) | Maximum session time (in seconds). Defaults to 12 hours (43,200 seconds). | `string` | `"43200"` | no | | [region](#input\_region) | Region for AWS Resources (defaults to us-west-2). | `string` | `"us-west-2"` | no | @@ -59,3 +28,4 @@ No modules. | [atlantis\_role\_arn](#output\_atlantis\_role\_arn) | ARN for the IT-SE Delegated Access Admin Role | | [poweruser\_role\_arn](#output\_poweruser\_role\_arn) | ARN for the IT-SE Delegated Access Admin Role | | [readonly\_role\_arn](#output\_readonly\_role\_arn) | ARN for the IT-SE Delegated Access Admin Role | + diff --git a/google_bigquery_log_sink/.terraform-docs.yml b/google_bigquery_log_sink/.terraform-docs.yml new file mode 100644 index 00000000..a0ed216c --- /dev/null +++ b/google_bigquery_log_sink/.terraform-docs.yml 
@@ -0,0 +1,6 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_bigquery_log_sink/README.md b/google_bigquery_log_sink/README.md index 2d939a70..5c29126b 100644 --- a/google_bigquery_log_sink/README.md +++ b/google_bigquery_log_sink/README.md @@ -1,27 +1,5 @@ -## Requirements + -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [google](#requirement\_google) | >= 4.0 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 4.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [google_bigquery_dataset.self](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset) | resource | -| [google_logging_project_sink.self](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource | -| [google_project_iam_member.self](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | ## Inputs @@ -34,3 +12,4 @@ No modules. ## Outputs No outputs. + diff --git a/google_cdn-external/.terraform-docs.yml b/google_cdn-external/.terraform-docs.yml new file mode 100644 index 00000000..a0ed216c --- /dev/null +++ b/google_cdn-external/.terraform-docs.yml @@ -0,0 +1,6 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_cdn-external/README.md b/google_cdn-external/README.md index 024ed62d..18fab66f 100644 --- a/google_cdn-external/README.md +++ b/google_cdn-external/README.md 
@@ -1,64 +1,34 @@ + # Google CDN Distribution for external endpoints -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [google](#requirement\_google) | >= 4.42 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 4.42 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [google_compute_backend_bucket.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_bucket) | resource | -| [google_compute_backend_service.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service) | resource | -| [google_compute_global_forwarding_rule.http](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_forwarding_rule) | resource | -| [google_compute_global_forwarding_rule.https](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_forwarding_rule) | resource | -| [google_compute_global_network_endpoint.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_network_endpoint) | resource | -| [google_compute_global_network_endpoint_group.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_network_endpoint_group) | resource | -| [google_compute_target_http_proxy.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_http_proxy) | resource | -| [google_compute_target_https_proxy.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy) | resource | -| [google_compute_url_map.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource | -| 
[google_compute_url_map.https_redirect](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource | - ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [addresses](#input\_addresses) | IP Addresses. |
object({
ipv4 = string,
ipv6 = string,
})
| n/a | yes | +| [addresses](#input\_addresses) | IP Addresses. |
object({
ipv4 = string,
ipv6 = string,
})
| n/a | yes | | [application](#input\_application) | Application name. | `string` | n/a | yes | -| [certs](#input\_certs) | List of certificates ids. If this list is empty, this will be HTTP only. | `list(string)` | n/a | yes | -| [environment](#input\_environment) | Environment name. | `string` | n/a | yes | -| [origin\_fqdn](#input\_origin\_fqdn) | Origin's fqdn: e.g., 'mozilla.org'. | `string` | n/a | yes | -| [primary\_hostname](#input\_primary\_hostname) | Primary hostname of service. | `string` | n/a | yes | | [backend\_timeout\_sec](#input\_backend\_timeout\_sec) | Timeout for backend service. | `number` | `10` | no | | [backend\_type](#input\_backend\_type) | Backend type to create. Must be set to one of [service, bucket, service\_and\_bucket]. When service\_and\_bucket, the default backend is the service | `string` | `"service"` | no | | [bucket\_name](#input\_bucket\_name) | Name of GCS bucket to use as CDN backend. Required if backend\_type is set to 'bucket' or 'service\_and\_bucket'. | `string` | `""` | no | | [cache\_key\_policy](#input\_cache\_key\_policy) | Cache key policy config to be passed to backend service. | `map(any)` | `{}` | no | | [cdn\_policy](#input\_cdn\_policy) | CDN policy config to be passed to backend service. | `map(any)` | `{}` | no | +| [certs](#input\_certs) | List of certificates ids. If this list is empty, this will be HTTP only. | `list(string)` | n/a | yes | | [compression\_mode](#input\_compression\_mode) | Can be AUTOMATIC or DISABLED | `string` | `"DISABLED"` | no | | [custom\_response\_headers](#input\_custom\_response\_headers) | Headers that the HTTP/S load balancer should add to proxied responses. | `list(string)` | `null` | no | +| [environment](#input\_environment) | Environment name. | `string` | n/a | yes | | [https\_redirect](#input\_https\_redirect) | Redirect from http to https. | `bool` | `true` | no | | [log\_sample\_rate](#input\_log\_sample\_rate) | Sample rate for Cloud Logging. 
Must be in the interval [0, 1]. | `number` | `1` | no | | [name](#input\_name) | Optional name of distribution. | `string` | `""` | no | -| [negative\_caching\_policy](#input\_negative\_caching\_policy) | Negative caching policy config to be passed to backend service. |
list(object({
code = string
ttl = string
}))
| `[]` | no | +| [negative\_caching\_policy](#input\_negative\_caching\_policy) | Negative caching policy config to be passed to backend service. |
list(object({
code = string
ttl = string
}))
| `[]` | no | +| [origin\_fqdn](#input\_origin\_fqdn) | Origin's fqdn: e.g., 'mozilla.org'. | `string` | n/a | yes | | [origin\_port](#input\_origin\_port) | Port to use for origin. | `number` | `443` | no | | [origin\_protocol](#input\_origin\_protocol) | Protocol for the origin. | `string` | `"HTTPS"` | no | -| [path\_rewrites](#input\_path\_rewrites) | Dictionary of path matchers. |
map(object({
hosts = list(string)
paths = list(string)
target = string
backend_bucket_paths = optional(list(string))
}))
| `{}` | no | +| [path\_rewrites](#input\_path\_rewrites) | Dictionary of path matchers. |
map(object({
hosts = list(string)
paths = list(string)
target = string
backend_bucket_paths = optional(list(string))
}))
| `{}` | no | +| [primary\_hostname](#input\_primary\_hostname) | Primary hostname of service. | `string` | n/a | yes | | [quic\_override](#input\_quic\_override) | Specifies the QUIC override policy. Possible values `NONE`, `ENABLE`, `DISABLE` | `string` | `"DISABLE"` | no | | [security\_policy](#input\_security\_policy) | Security policy as defined by google\_compute\_security\_policy | `string` | `null` | no | ## Outputs No outputs. + diff --git a/google_cdn_backend_bucket/.terraform-docs.yml b/google_cdn_backend_bucket/.terraform-docs.yml new file mode 100644 index 00000000..a0ed216c --- /dev/null +++ b/google_cdn_backend_bucket/.terraform-docs.yml @@ -0,0 +1,6 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_cdn_backend_bucket/README.md b/google_cdn_backend_bucket/README.md index 1f7bbc92..dafada4d 100644 --- a/google_cdn_backend_bucket/README.md +++ b/google_cdn_backend_bucket/README.md 
@@ -1,36 +1,8 @@ + # google\_cdn\_backend\_bucket this module builds a GCP Load Balancer with a backend bucket -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.8.3 | -| [google](#requirement\_google) | >= 5.32.0 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 5.32.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [google_compute_backend_bucket.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_bucket) | resource | -| [google_compute_global_forwarding_rule.http](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_forwarding_rule) | resource | -| [google_compute_global_forwarding_rule.https](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_forwarding_rule) | resource | -| [google_compute_target_http_proxy.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_http_proxy) | resource | -| [google_compute_target_https_proxy.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy) | resource | -| [google_compute_url_map.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource | -| [google_compute_url_map.https_redirect](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource | - ## Inputs | Name | Description | Type | Default | Required | @@ -38,7 +10,7 @@ No modules. | [addresses](#input\_addresses) | loadbalancer ips | `map(string)` | n/a | yes | | [application](#input\_application) | n/a | `string` | n/a | yes | | [bucket\_name](#input\_bucket\_name) | name of bucket to use for the CDN | `string` | n/a | yes | -| [cdn\_policy](#input\_cdn\_policy) | cdn policy |
object({
cache_mode = optional(string, "CACHE_ALL_STATIC")
client_ttl = optional(number, 3600)
default_ttl = optional(number, 3600)
max_ttl = optional(number, 86400)
negative_caching = optional(bool, true)
serve_while_stale = optional(number, 86400)
})
| n/a | yes | +| [cdn\_policy](#input\_cdn\_policy) | cdn policy |
object({
cache_mode = optional(string, "CACHE_ALL_STATIC")
client_ttl = optional(number, 3600)
default_ttl = optional(number, 3600)
max_ttl = optional(number, 86400)
negative_caching = optional(bool, true)
serve_while_stale = optional(number, 86400)
})
| n/a | yes | | [certificates](#input\_certificates) | list of certificate ids to use on the https target proxy | `list(string)` | n/a | yes | | [compression\_mode](#input\_compression\_mode) | n/a | `string` | `"DISABLED"` | no | | [environment](#input\_environment) | n/a | `string` | n/a | yes | @@ -48,3 +20,4 @@ No modules. ## Outputs No outputs. + diff --git a/google_certificate_manager_certificate_map/.terraform-docs.yml b/google_certificate_manager_certificate_map/.terraform-docs.yml new file mode 100644 index 00000000..a0ed216c --- /dev/null +++ b/google_certificate_manager_certificate_map/.terraform-docs.yml @@ -0,0 +1,6 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_certificate_manager_certificate_map/README.md b/google_certificate_manager_certificate_map/README.md index 1151062e..2de372b5 100644 --- a/google_certificate_manager_certificate_map/README.md +++ b/google_certificate_manager_certificate_map/README.md 
@@ -1,38 +1,12 @@ -## Requirements + -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.8.3 | -| [google](#requirement\_google) | >= 5.32.0 | -| [random](#requirement\_random) | >= 3.6.2 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 5.32.0 | -| [random](#provider\_random) | >= 3.6.2 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [google_certificate_manager_certificate.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/certificate_manager_certificate) | resource | -| [google_certificate_manager_certificate_map.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/certificate_manager_certificate_map) | resource | -| [google_certificate_manager_certificate_map_entry.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/certificate_manager_certificate_map_entry) | resource | -| [google_certificate_manager_dns_authorization.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/certificate_manager_dns_authorization) | resource | -| [random_id.certificate_map_entry_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [application](#input\_application) | n/a | `string` | n/a | yes | -| [certificates](#input\_certificates) | list of objects defining certificates to be added to the certmap |
list(object({
hostname = string
dns_authorization = optional(bool, false)
additional_domains = optional(list(string), [])
}))
| `[]` | no | +| [certificates](#input\_certificates) | list of objects defining certificates to be added to the certmap |
list(object({
hostname = string
dns_authorization = optional(bool, false)
additional_domains = optional(list(string), [])
}))
| `[]` | no | | [custom\_name\_prefix](#input\_custom\_name\_prefix) | use this to set a custom name\_prefix for resource names | `string` | `""` | no | | [environment](#input\_environment) | n/a | `string` | n/a | yes | | [realm](#input\_realm) | n/a | `string` | n/a | yes | @@ -41,3 +15,4 @@ No modules. ## Outputs No outputs. + diff --git a/google_cloudsql_mysql/README.md b/google_cloudsql_mysql/README.md index 58b2da24..27269fc8 100644 --- a/google_cloudsql_mysql/README.md +++ b/google_cloudsql_mysql/README.md @@ -1,3 +1,4 @@ + # cloudsql-mysql Creates CloudSQL MySQL Instance. @@ -110,7 +111,6 @@ output "mysql_database" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [application](#input\_application) | Application e.g., bouncer. | `any` | n/a | yes | -| [environment](#input\_environment) | Environment e.g., stage. | `any` | n/a | yes | | [authorized\_networks](#input\_authorized\_networks) | A list of authorized\_network maps: https://www.terraform.io/docs/providers/google/r/sql_database_instance.html | `list` | `[]` | no | | [availability\_type](#input\_availability\_type) | https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#availability_type | `string` | `"ZONAL"` | no | | [component](#input\_component) | A logical component of an application | `string` | `"db"` | no | 
@@ -127,6 +127,7 @@ output "mysql_database" { | [edition](#input\_edition) | The edition of the instance, can be `ENTERPRISE` or `ENTERPRISE_PLUS`. | `string` | `"ENTERPRISE"` | no | | [enable\_private\_path\_for\_google\_cloud\_services](#input\_enable\_private\_path\_for\_google\_cloud\_services) | If true, will allow Google Cloud Services access over private IP. | `bool` | `false` | no | | [enable\_public\_ip](#input\_enable\_public\_ip) | If true, will assign a public IP to database instance. | `bool` | `false` | no | +| [environment](#input\_environment) | Environment e.g., stage. | `any` | n/a | yes | | [force\_ha](#input\_force\_ha) | If set to true, create a mysql replica for HA. Currently the availability\_type works only for postgres | `bool` | `false` | no | | [instance\_version](#input\_instance\_version) | Version of database. Use this field if you need to spin up a new database instance. | `string` | `"v1"` | no | | [ip\_configuration\_ssl\_mode](#input\_ip\_configuration\_ssl\_mode) | n/a | `string` | `"ALLOW_UNENCRYPTED_AND_ENCRYPTED"` | no | @@ -165,3 +166,4 @@ output "mysql_database" { | [replica\_public\_ip\_address](#output\_replica\_public\_ip\_address) | n/a | | [self\_link](#output\_self\_link) | n/a | | [service\_account](#output\_service\_account) | n/a | + diff --git a/google_cloudsql_postgres/README.md b/google_cloudsql_postgres/README.md index 7a64e157..031d4d73 100644 --- a/google_cloudsql_postgres/README.md +++ b/google_cloudsql_postgres/README.md @@ -1,3 +1,4 @@ + # gcp-postgres Creates a PostgreSQL instance within GCP using Cloud SQL 
@@ -51,8 +52,6 @@ output "postgres_database" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [application](#input\_application) | Application e.g., bouncer. | `any` | n/a | yes | -| [environment](#input\_environment) | Environment e.g., stage. | `any` | n/a | yes | -| [realm](#input\_realm) | Realm e.g., nonprod. | `any` | n/a | yes | | [authorized\_networks](#input\_authorized\_networks) | n/a | `list` | `[]` | no | | [availability\_type](#input\_availability\_type) | high availability (REGIONAL) or single zone (ZONAL) | `string` | `"REGIONAL"` | no | | [component](#input\_component) | A logical component of an application | `string` | `"db"` | no | @@ -70,6 +69,7 @@ output "postgres_database" { | [enable\_insights\_config\_on\_replica](#input\_enable\_insights\_config\_on\_replica) | If true, will allow enable insights config on replica | `bool` | `false` | no | | [enable\_private\_path\_for\_google\_cloud\_services](#input\_enable\_private\_path\_for\_google\_cloud\_services) | If true, will allow Google Cloud Services access over private IP. | `bool` | `false` | no | | [enable\_public\_ip](#input\_enable\_public\_ip) | If true, will assign a public IP to database instance. | `bool` | `false` | no | +| [environment](#input\_environment) | Environment e.g., stage. | `any` | n/a | yes | | [instance\_version](#input\_instance\_version) | Version of database. Use this field if you need to spin up a new database instance. | `string` | `"v1"` | no | | [ip\_configuration\_ssl\_mode](#input\_ip\_configuration\_ssl\_mode) | n/a | `string` | `"ALLOW_UNENCRYPTED_AND_ENCRYPTED"` | no | | [maintenance\_window\_day](#input\_maintenance\_window\_day) | n/a | `number` | `1` | no | 
@@ -77,6 +77,7 @@ output "postgres_database" { | [maintenance\_window\_update\_track](#input\_maintenance\_window\_update\_track) | n/a | `string` | `"stable"` | no | | [network](#input\_network) | Network where the private peering should attach. | `string` | `"default"` | no | | [project\_id](#input\_project\_id) | n/a | `string` | `null` | no | +| [realm](#input\_realm) | Realm e.g., nonprod. | `any` | n/a | yes | | [region](#input\_region) | Region where database should be provisioned. | `string` | `"us-west1"` | no | | [replica\_availability\_type](#input\_replica\_availability\_type) | Allow setting availability configuration of replica | `string` | `"ZONAL"` | no | | [replica\_count](#input\_replica\_count) | n/a | `number` | `0` | no | @@ -102,3 +103,5 @@ output "postgres_database" { | [replica\_public\_ip\_address](#output\_replica\_public\_ip\_address) | n/a | | [self\_link](#output\_self\_link) | n/a | | [service\_account](#output\_service\_account) | n/a | +| [tier](#output\_tier) | n/a | + diff --git a/google_datastream/.readme-header.yml b/google_datastream/.readme-header.yml deleted file mode 100644 index b87de8b7..00000000 --- a/google_datastream/.readme-header.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -# google_datastream -## WARNING! This is module only does part of the work. Because setting up postgresql as a source (the only thing I've tested) requires a valid database username and password, and we don't want to store passwords in Terraform, this module will only create a Private Connectivity Connection and a BigQuery Destination profile. -### Prework -- Pick a new /29 network for Datastream to use. This is the datastream_subnet under Inputs below. Add the subnet to https://mozilla-hub.atlassian.net/wiki/spaces/SRE/pages/27920489/GCP+Subnet+Allocations for tracking -- Create a CloudSQL Auth Proxy so Datastream can connect to Cloud SQL - - Doing this is outside the scope of these docs (that's convenient!), but see here for an example - - CloudSQL Auth Proxy Deployment: https://github.com/mozilla-it/webservices-infra/blob/main/moztodon/k8s/moztodon/templates/deployment-cloudsqlauthproxy.yaml - - CloudSQL Auth Proxy Service: https://github.com/mozilla-it/webservices-infra/blob/main/moztodon/k8s/moztodon/templates/service-cloudsqlauthproxy.yaml - - **Note the IP Address of the resulting Loadbalancer, you'll need it below** -### After this module runs, you will need to: -- [This might be mostly specific to Cloud SQL and Postgresql specifically] -- Create a SQL user for Datastream to act as in your source database. 
Save the password -- Create a new Stream (which includes setting up the Source Profile) manually - - Go to the Datastream console for your project: https://console.cloud.google.com/datastream/streams - - Choose CREATE STREAM - - Enter the username, password, IP (this is the IP of the CloudSQL Proxy from above), and database name - - For Postgresql specifically, you'll also be instructed to: - - Enable logical replication on the database - - This involves adding a database flag (which requires a db reboot) - - Create a publication and a replication slot - - In SQL you'll need to create a Publication, create a replication slot, and modify permissions for the datastream replication sql user (the console will provide sample queries to accomplish this) diff --git a/google_datastream/.terraform-docs.yml b/google_datastream/.terraform-docs.yml index a8130d43..0f1125ff 100644 --- a/google_datastream/.terraform-docs.yml +++ b/google_datastream/.terraform-docs.yml @@ -1,15 +1,7 @@ formatter: markdown content: |- - - {{ include ".readme-header.yml" }} - {{ .Header }} - {{ .Requirements }} - - {{ .Providers }} - {{ .Inputs }} {{ .Outputs }} - diff --git a/google_datastream/README.md b/google_datastream/README.md index 67c38ef1..149c530f 100644 --- a/google_datastream/README.md +++ b/google_datastream/README.md 
@@ -1,8 +1,9 @@ + +# google\_datastream -# google_datastream ## WARNING! This is module only does part of the work. Because setting up postgresql as a source (the only thing I've tested) requires a valid database username and password, and we don't want to store passwords in Terraform, this module will only create a Private Connectivity Connection and a BigQuery Destination profile. ### Prework -- Pick a new /29 network for Datastream to use. This is the datastream_subnet under Inputs below. Add the subnet to https://mozilla-hub.atlassian.net/wiki/spaces/SRE/pages/27920489/GCP+Subnet+Allocations for tracking +- Pick a new /29 network for Datastream to use. This is the datastream\_subnet under Inputs below. Add the subnet to https://mozilla-hub.atlassian.net/wiki/spaces/SRE/pages/27920489/GCP+Subnet+Allocations for tracking - Create a CloudSQL Auth Proxy so Datastream can connect to Cloud SQL - Doing this is outside the scope of these docs (that's convenient!), but see here for an example - CloudSQL Auth Proxy Deployment: https://github.com/mozilla-it/webservices-infra/blob/main/moztodon/k8s/moztodon/templates/deployment-cloudsqlauthproxy.yaml 
@@ -21,35 +22,21 @@ - Create a publication and a replication slot - In SQL you'll need to create a Publication, create a replication slot, and modify permissions for the datastream replication sql user (the console will provide sample queries to accomplish this) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [google](#requirement\_google) | >= 4.71 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 4.71 | - ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [application](#input\_application) | Application e.g., bouncer. | `any` | n/a | yes | +| [component](#input\_component) | n/a | `string` | `"datastream"` | no | | [datastream\_subnet](#input\_datastream\_subnet) | The subnet in our VPC for datastream to use. Like '172.19.0.0/29'. See https://mozilla-hub.atlassian.net/wiki/spaces/SRE/pages/27920489/GCP+Subnet+Allocations for what's been allocated. | `any` | n/a | yes | | [environment](#input\_environment) | Environment e.g., stage. | `any` | n/a | yes | -| [project\_id](#input\_project\_id) | Name of the project | `any` | n/a | yes | -| [vpc\_network](#input\_vpc\_network) | The id of the default VPC shared by all our projects | `any` | n/a | yes | -| [component](#input\_component) | n/a | `string` | `"datastream"` | no | | [location](#input\_location) | Where to create the datastream profiles and the destination datasets | `string` | `"us-west1"` | no | -| [postgresql\_profile](#input\_postgresql\_profile) | PostgreSQL profile |
list(object({
hostname = string
username = string
database = string
}))
| `[]` | no | +| [postgresql\_profile](#input\_postgresql\_profile) | PostgreSQL profile |
list(object({
hostname = string
username = string
database = string
}))
| `[]` | no | +| [project\_id](#input\_project\_id) | Name of the project | `any` | n/a | yes | | [realm](#input\_realm) | Realm e.g., nonprod. | `string` | `""` | no | +| [vpc\_network](#input\_vpc\_network) | The id of the default VPC shared by all our projects | `any` | n/a | yes | ## Outputs No outputs. + diff --git a/google_datastream/main.tf b/google_datastream/main.tf index 79244943..3e5ee52d 100644 --- a/google_datastream/main.tf +++ b/google_datastream/main.tf 
@@ -1,3 +1,28 @@ +/** + * # google_datastream + * + * ## WARNING! This is module only does part of the work. Because setting up postgresql as a source (the only thing I've tested) requires a valid database username and password, and we don't want to store passwords in Terraform, this module will only create a Private Connectivity Connection and a BigQuery Destination profile. + * ### Prework + * - Pick a new /29 network for Datastream to use. This is the datastream_subnet under Inputs below. Add the subnet to https://mozilla-hub.atlassian.net/wiki/spaces/SRE/pages/27920489/GCP+Subnet+Allocations for tracking + * - Create a CloudSQL Auth Proxy so Datastream can connect to Cloud SQL + * - Doing this is outside the scope of these docs (that's convenient!), but see here for an example + * - CloudSQL Auth Proxy Deployment: https://github.com/mozilla-it/webservices-infra/blob/main/moztodon/k8s/moztodon/templates/deployment-cloudsqlauthproxy.yaml + * - CloudSQL Auth Proxy Service: https://github.com/mozilla-it/webservices-infra/blob/main/moztodon/k8s/moztodon/templates/service-cloudsqlauthproxy.yaml + * - **Note the IP Address of the resulting Loadbalancer, you'll need it below** + * ### After this module runs, you will need to: + * - [This might be mostly specific to Cloud SQL and Postgresql specifically] + * - Create a SQL user for Datastream to act as in your source database. 
Save the password + * - Create a new Stream (which includes setting up the Source Profile) manually + * - Go to the Datastream console for your project: https://console.cloud.google.com/datastream/streams + * - Choose CREATE STREAM + * - Enter the username, password, IP (this is the IP of the CloudSQL Proxy from above), and database name + * - For Postgresql specifically, you'll also be instructed to: + * - Enable logical replication on the database + * - This involves adding a database flag (which requires a db reboot) + * - Create a publication and a replication slot + * - In SQL you'll need to create a Publication, create a replication slot, and modify permissions for the datastream replication sql user (the console will provide sample queries to accomplish this) + */ + #locals { #connection_profile_name = "projects/${var.project_id}/locations/${var.location}/connectionProfiles/${var.source_connection_profile_name}" #} diff --git a/google_deployment_accounts/.terraform-docs.yml b/google_deployment_accounts/.terraform-docs.yml new file mode 100644 index 00000000..3481b924 --- /dev/null +++ b/google_deployment_accounts/.terraform-docs.yml @@ -0,0 +1,24 @@ +content: |- + {{ .Header }} + + ## Examples + + ```hcl + {{ include "examples/circleci.tf" }} + ``` + + ```hcl + {{ include "examples/circleci2.tf" }} + ``` + + ```hcl + {{ include "examples/circleci3.tf" }} + ``` + + ```hcl + {{ include "examples/gha.tf" }} + ``` + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_deployment_accounts/README.md b/google_deployment_accounts/README.md index 0c8452f7..f86dddd9 100644 --- a/google_deployment_accounts/README.md +++ b/google_deployment_accounts/README.md 
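Review bot: The header comment added at the top of main.tf carries over the README's typo in `* ## WARNING! This is module only does part of the work.`, and since terraform-docs now renders this comment into README.md the fix belongs here: `* ## WARNING! This module only does part of the work.`. The step `* - Create a SQL user for Datastream to act as in your source database. Save the password` would be clearer if it said where the password belongs, consistent with the warning two lines up that passwords are not kept in Terraform, e.g. `Save the password in your secret store, not in Terraform or this module's inputs`. The commented-out `#locals` block that follows is context only; the rest of main.tf is outside the hunk.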
@@ -1,30 +1,105 @@ + # Terraform Module: Service Accounts for deployment from GitHub Actions and CircleCI Creates a Cloud IAM service account which lets CI workflows authenticate to GCP. -## Requirements +## Examples -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [google](#requirement\_google) | >= 3.0 | +```hcl +# Allow OIDC access from CircleCI jobs triggered in a specific repo +data "terraform_remote_state" "wip_project" { + backend = "gcs" -## Providers + config = { + bucket = "my-wip-project" + prefix = "wip-project/prefix" + } +} -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 3.0 | +module "google_deployment_accounts" { + source = "github.com/mozilla/terraform-modules//google_deployment_accounts?ref=main" + project = "my-project" + environment = "stage" + github_repository = "org/project" + wip_name = "circleci" + wip_project_number = data.terraform_remote_state.wip_project.number +} +``` -## Modules +```hcl +# Allow OIDC access from CircleCI jobs triggered on the main branch only of a +# specific repo +data "terraform_remote_state" "wip_project" { + backend = "gcs" -No modules. 
+ config = { + bucket = "my-wip-project" + prefix = "wip-project/prefix" + } +} -## Resources +module "google_deployment_accounts" { + source = "github.com/mozilla/terraform-modules//google_deployment_accounts?ref=main" + project = "my-project" + environment = "stage" + github_repository = "org/project" + wip_name = "circleci" + wip_project_number = data.terraform_remote_state.wip_project.number + circleci_branches = ["main"] +} +``` -| Name | Type | -|------|------| -| [google_service_account.account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | -| [google_service_account_iam_binding.circleci-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | -| [google_service_account_iam_binding.github-actions-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | +```hcl +# A more complex example using attribute specifiers directly. 
Allow OIDC access +# from CircleCI jobs triggered on the main branch of org/repo1 and org/repo2, +# as well as any job using the fake-context context +data "terraform_remote_state" "wip_project" { + backend = "gcs" + + config = { + bucket = "my-wip-project" + prefix = "wip-project/prefix" + } +} + +locals { + allowed_repos = formatlist("attribute.vcs/github.com/org/%s:refs/heads/main", ["repo1", "repo2"]) + allowed_contexts = formatlist("attribute.context_id/%s", + one(values({ "fake-context" = "6e1515f7-40f0-4063-a74a-d77d22ee9f7e" } + ))) +} + +module "google_deployment_accounts" { + source = "github.com/mozilla/terraform-modules//google_deployment_accounts?ref=main" + project = "my-project" + environment = "prod" + wip_name = "circleci" + wip_project_number = data.terraform_remote_state.wip_project.number + circleci_attribute_specifiers = setunion( + local.allowed_repos, + local.allowed_contexts, + ) +} +``` + +```hcl +data "terraform_remote_state" "wip_project" { + backend = "gcs" + + config = { + bucket = "my-wip-project" + prefix = "wip-project/prefix" + } +} + +module "google_deployment_accounts" { + source = "github.com/mozilla/terraform-modules//google_deployment_accounts?ref=main" + project = "my-project" + environment = "stage" + github_repository = "org/project" + wip_name = "github-actions" + wip_project_number = data.terraform_remote_state.wip_project.number +} +``` ## Inputs @@ -48,3 +123,4 @@ No modules. | Name | Description | |------|-------------| | [service\_account](#output\_service\_account) | n/a | + diff --git a/google_gar/.terraform-docs.yml b/google_gar/.terraform-docs.yml new file mode 100644 index 00000000..b2b44341 --- /dev/null +++ b/google_gar/.terraform-docs.yml @@ -0,0 +1,12 @@ +content: |- + {{ .Header }} + + ## Examples + + ```hcl + {{ include "examples/example.tf" }} + ``` + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_gar/README.md b/google_gar/README.md index 0f7e17c5..14197230 100644 --- a/google_gar/README.md 
+++ b/google_gar/README.md 
@@ -1,45 +1,30 @@ + # Terraform Module: Google Artifact Registry repository Creates a GAR repository and a service account to access it. -## Requirements +## Examples -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [google](#requirement\_google) | >= 3.0 | -| [google-beta](#requirement\_google-beta) | >= 4.0 | +```hcl +module "gar" { + source = "github.com/mozilla/terraform-modules//google_gar?ref=main" -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 3.0 | -| [google-beta](#provider\_google-beta) | >= 4.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [google-beta_google_artifact_registry_repository.repository](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_artifact_registry_repository) | resource | -| [google-beta_google_artifact_registry_repository_iam_member.reader](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_artifact_registry_repository_iam_member) | resource | -| [google-beta_google_artifact_registry_repository_iam_member.writer](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_artifact_registry_repository_iam_member) | resource | -| [google_project_service.gar](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource | -| [google_service_account.writer_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | + description = "Default repository for test project" + application = "glonk" + realm = "nonprod" + repository_readers = ["user:jdoe@firefox.gcp.mozilla.com"] +} +``` ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [application](#input\_application) | Application, e.g. bouncer. 
| `string` | n/a | yes | -| [realm](#input\_realm) | Realm, e.g. nonprod. | `string` | n/a | yes | | [description](#input\_description) | n/a | `string` | `null` | no | | [format](#input\_format) | n/a | `string` | `"DOCKER"` | no | | [location](#input\_location) | Location of the repository. Should generally be set to a multi-region location like 'us' or 'europe'. | `string` | `"us"` | no | | [project](#input\_project) | n/a | `string` | `null` | no | +| [realm](#input\_realm) | Realm, e.g. nonprod. | `string` | n/a | yes | | [repository\_id](#input\_repository\_id) | n/a | `string` | `null` | no | | [repository\_readers](#input\_repository\_readers) | List of principals that should be granted read access to the respository. | `list(string)` | `[]` | no | | [writer\_service\_account\_id](#input\_writer\_service\_account\_id) | n/a | `string` | `"artifact-writer"` | no | @@ -50,3 +35,4 @@ No modules. |------|-------------| | [repository](#output\_repository) | n/a | | [writer\_service\_account](#output\_writer\_service\_account) | n/a | + diff --git a/google_gke/.terraform-docs.yml b/google_gke/.terraform-docs.yml index 0907a8f1..835ab99a 100644 --- a/google_gke/.terraform-docs.yml +++ b/google_gke/.terraform-docs.yml @@ -2,16 +2,6 @@ content: |- {{ .Header }} - {{ .Requirements }} - - {{ .Providers }} - - {{ .Resources }} - - {{ .Inputs }} - - {{ .Outputs }} - ## Simple Example This uses distinct networking variables and the (module) default node pool. @@ -36,3 +26,6 @@ content: |- {{ include "examples/complex2.tf" }} ``` + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_gke/README.md b/google_gke/README.md index f1843e76..6f4fdd04 100644 --- a/google_gke/README.md +++ b/google_gke/README.md 
@@ -1,106 +1,8 @@ + # Shared VPC-based GKE Module Module creates an opinionated GKE cluster plus related resources within a Shared VPC context. -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.8 | -| [google](#requirement\_google) | ~> 5.35 | -| [google-beta](#requirement\_google-beta) | ~> 5.35 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | ~> 5.35 | -| [google-beta](#provider\_google-beta) | ~> 5.35 | - -## Resources - -| Name | Type | -|------|------| -| [google-beta_google_compute_address.static_v4_k8s_api_proxy_ip](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_compute_address) | resource | -| [google-beta_google_container_cluster.primary](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_cluster) | resource | -| [google-beta_google_container_node_pool.pools](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_node_pool) | resource | -| [google_bigquery_dataset.dataset](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset) | resource | -| [google_dns_record_set.k8s_api_proxy_dns_name](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource | -| [google_project_iam_member.cluster_service_account-defaults](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.cluster_service_account-gar](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.cluster_service_account-gcfs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| 
[google_project_iam_member.cluster_service_account-gcr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_service_account.cluster_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | -| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [create\_resource\_usage\_export\_dataset](#input\_create\_resource\_usage\_export\_dataset) | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. Defaults to empty string. | `bool` | `false` | no | -| [description](#input\_description) | The description of the cluster | `string` | `null` | no | -| [disable\_snat\_status](#input\_disable\_snat\_status) | Whether the cluster disables default in-node sNAT rules. Defaults to false. | `bool` | `false` | no | -| [dns\_cache](#input\_dns\_cache) | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | -| [enable\_cost\_allocation](#input\_enable\_cost\_allocation) | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | -| [enable\_dataplane](#input\_enable\_dataplane) | Whether to enable dataplane v2 on the cluster. Sets DataPath field. Defaults to false. | `bool` | `false` | no | -| [enable\_gcfs](#input\_enable\_gcfs) | Enable Google Container File System (gcfs) image streaming. | `bool` | `true` | no | -| [enable\_k8s\_api\_proxy\_ip](#input\_enable\_k8s\_api\_proxy\_ip) | Whether we reserve an internal private ip for the k8s\_api\_proxy. Defaults to false. 
| `bool` | `false` | no | -| [enable\_network\_egress\_export](#input\_enable\_network\_egress\_export) | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. Doesn't work with Shared VPC (https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering). Defaults to false. | `bool` | `false` | no | -| [enable\_private\_cluster](#input\_enable\_private\_cluster) | Determines whether the cluster is private or public. Defaults to private | `bool` | `true` | no | -| [enable\_public\_cidrs\_access](#input\_enable\_public\_cidrs\_access) | Whether the control plane is open to Google public IPs. Defaults to false. | `bool` | `false` | no | -| [enable\_resource\_consumption\_export](#input\_enable\_resource\_consumption\_export) | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. Defaults to true. | `bool` | `true` | no | -| [filestore\_csi\_driver](#input\_filestore\_csi\_driver) | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | -| [fuse\_csi\_driver](#input\_fuse\_csi\_driver) | The status of the GCSFuse CSI driver addon, which allows the usage of a gcs bucket as volumes | `bool` | `false` | no | -| [gateway\_api\_enabled](#input\_gateway\_api\_enabled) | Enabled Gateway in the GKE Cluster | `bool` | `false` | no | -| [google\_group\_name](#input\_google\_group\_name) | Name of the Google security group for use with Kubernetes RBAC. 
Must be in format: gke-security-groups@yourdomain.com | `string` | `null` | no | -| [grant\_registry\_access](#input\_grant\_registry\_access) | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `true` | no | -| [kubernetes\_version](#input\_kubernetes\_version) | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version. Defaults to 'latest'. | `string` | `"latest"` | no | -| [labels](#input\_labels) | The GCE resource labels (a map of key/value pairs) to be applied to the cluster & other cluster-related resources. Merged with default labels (see locals.tf). | `map(string)` | `{}` | no | -| [maintenance\_exclusions](#input\_maintenance\_exclusions) | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string }))` | `[]` | no | -| [maintenance\_start\_time](#input\_maintenance\_start\_time) | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"21:00"` | no | -| [master\_authorized\_networks](#input\_master\_authorized\_networks) | List of master authorized networks that can access the GKE Master Plane. If none are provided, it defaults to known Bastion hosts for the given realm. See locals.tf for defaults. | `list(object({ cidr_block = string, display_name = string }))` |
[
{
"cidr_block": "192.0.0.8/32",
"display_name": "tf module placeholder"
}
]
| no | -| [master\_ipv4\_cidr\_block](#input\_master\_ipv4\_cidr\_block) | The IP range in CIDR notation to use for the hosted master network. Overidden by shared\_vpc\_outputs. | `string` | `null` | no | -| [monitoring\_config\_enable\_components](#input\_monitoring\_config\_enable\_components) | Monitoring configuration for the cluster | `list(string)` |
[
"SYSTEM_COMPONENTS",
"APISERVER",
"SCHEDULER",
"CONTROLLER_MANAGER",
"STORAGE",
"HPA",
"POD",
"DAEMONSET",
"DEPLOYMENT",
"STATEFULSET"
]
| no | -| [monitoring\_enable\_managed\_prometheus](#input\_monitoring\_enable\_managed\_prometheus) | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | -| [name](#input\_name) | Name of the cluster or application (required). | `string` | n/a | yes | -| [network](#input\_network) | Shared VPC Network (formulated as a URL) wherein the cluster will be created. Overidden by shared\_vpc\_outputs. | `string` | `null` | no | -| [node\_pool\_sa\_roles](#input\_node\_pool\_sa\_roles) | n/a | `list` |
[
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/stackdriver.resourceMetadata.writer"
]
| no | -| [node\_pools](#input\_node\_pools) | Map containing node pools, with each node pool's name (or name\_prefix if `use_name_prefix` is true) being the key and the values being that node pool's configurations. Configurable options per node pool include: `disk_size_gb` (string), `disk_type` (string), `machine_type` (string), `max_count` (number), `max_surge` (number), `max_unavailable` (number), `min_count` (number), `use_name_prefix` (bool). See locals.tf for defaults. | `list(map(string))` |
[
{
"name": "tf-default-node-pool"
}
]
| no | -| [node\_pools\_guest\_accelerator](#input\_node\_pools\_guest\_accelerator) | Map containing node pools guest accelerator. Each node pool's name is the key. See locals.tf for defaults. | `map(map(string))` |
{
"tf-default-node-pool": {}
}
| no | -| [node\_pools\_labels](#input\_node\_pools\_labels) | Map containing node pools non-default labels (as a map of strings). Each key is used as node pool's name prefix. See locals.tf for defaults. | `map(map(string))` |
{
"tf-default-node-pool": {}
}
| no | -| [node\_pools\_oauth\_scopes](#input\_node\_pools\_oauth\_scopes) | Map containing node pools non-default OAuth scopes (as an list). Each node pool's name is the key. See locals.tf for defaults. | `map(list(string))` |
{
"tf-default-node-pool": []
}
| no | -| [node\_pools\_sysctls](#input\_node\_pools\_sysctls) | Map containing node pools non-default linux node config sysctls (as a map of maps). Each node pool's name is the key. | `map(map(any))` |
{
"tf-default-node-pool": {}
}
| no | -| [node\_pools\_tags](#input\_node\_pools\_tags) | Map containing node pools non-default tags (as an list). Each node pool's name is the key. See locals.tf for defaults. | `map(list(string))` |
{
"tf-default-node-pool": []
}
| no | -| [node\_pools\_taints](#input\_node\_pools\_taints) | Map containing node pools taints. Each node pool's name is the key. See locals.tf for defaults. | `map(list(map(string)))` |
{
"tf-default-node-pool": [
{}
]
}
| no | -| [pods\_ip\_cidr\_range\_name](#input\_pods\_ip\_cidr\_range\_name) | The Name of the IP address range for cluster pods IPs. Overidden by shared\_vpc\_outputs. | `string` | `null` | no | -| [project\_id](#input\_project\_id) | The project ID to host the cluster in. | `string` | `null` | no | -| [project\_outputs](#input\_project\_outputs) | Sets cluster-related variables based on a homegrown Project outputs data structure. |
object({
id = string
name = string
number = string
zone_dns_name = string
zone_name = string
})
| `null` | no | -| [realm](#input\_realm) | Name of infrastructure realm (e.g. prod or nonprod). | `string` | n/a | yes | -| [region](#input\_region) | Region where cluster & other regional resources should be provisioned. Defaults to us-central1. | `string` | `null` | no | -| [registry\_project\_ids](#input\_registry\_project\_ids) | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | -| [release\_channel](#input\_release\_channel) | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | -| [resource\_usage\_export\_dataset\_id](#input\_resource\_usage\_export\_dataset\_id) | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. Defaults to null. | `string` | `null` | no | -| [service\_account\_id](#input\_service\_account\_id) | Id of the service account to be provisioned, overrides the default 'gke-cluster\_name' value | `string` | `null` | no | -| [service\_subnetworks](#input\_service\_subnetworks) | Service subnetworks associated with Shared VPC, segmented by region |
map(object({
ip_cidr_range = string
network = string
region = string
subnet_name = string
subnetwork = string
subnetwork_id = string
}))
| `null` | no | -| [services\_ip\_cidr\_range\_name](#input\_services\_ip\_cidr\_range\_name) | The Name of the IP address range for cluster services IPs. Overidden by shared\_vpc\_outputs. | `string` | `null` | no | -| [shared\_vpc\_outputs](#input\_shared\_vpc\_outputs) | Sets networking-related variables based on a homegrown Shared VPC Terraform outputs data structure. |
object({
ip_cidr_range = object({
master = string
pod = string
primary = string
service = string
additional = map(string)
})
network = string
project_id = string
region = string
secondary_ip_ranges = object({
pod = object({
ip_cidr_range = string
range_name = string
})
service = object({
ip_cidr_range = string
range_name = string
})
})
additional_ip_ranges = map(map(string))
subnet_name = string
subnetwork = string
subnetwork_id = string
})
| `null` | no | -| [subnetwork](#input\_subnetwork) | Shared VPC Subnetwork (formulated as a URL) wherein the cluster will be created. Overidden by shared\_vpc\_outputs. | `string` | `null` | no | -| [tags](#input\_tags) | The GCE resource tags (a list of strings) to be applied to the cluster & other cluster-related resources. Merged with default tags (see locals.tf). | `list(string)` | `[]` | no | -| [vertical\_pod\_autoscaling](#input\_vertical\_pod\_autoscaling) | Enables Vertical Pod Autoscaling in the cluster | `bool` | `false` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [ca\_certificate](#output\_ca\_certificate) | CA Certificate for the Cluster | -| [endpoint](#output\_endpoint) | Cluster endpoint | -| [k8s\_api\_proxy\_dns\_name](#output\_k8s\_api\_proxy\_dns\_name) | K8s api proxy dns record | -| [location](#output\_location) | Cluster location (region) | -| [master\_version](#output\_master\_version) | Current Kubernetes master version | -| [name](#output\_name) | Cluster name | -| [node\_pools](#output\_node\_pools) | List of node pools | -| [service\_account](#output\_service\_account) | Cluster Service Account | - ## Simple Example This uses distinct networking variables and the (module) default node pool. 
@@ -244,42 +146,6 @@ module "gke" { } ``` - -# Shared VPC-based GKE Module - -Module creates an opinionated GKE cluster plus related resources within a Shared VPC context. - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.8 | -| [google](#requirement\_google) | >= 6.11 | -| [google-beta](#requirement\_google-beta) | >= 6.11 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 6.11 | -| [google-beta](#provider\_google-beta) | >= 6.11 | - -## Resources - -| Name | Type | -|------|------| -| [google-beta_google_compute_address.static_v4_k8s_api_proxy_ip](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_compute_address) | resource | -| [google-beta_google_container_cluster.primary](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_cluster) | resource | -| [google-beta_google_container_node_pool.pools](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_container_node_pool) | resource | -| [google_bigquery_dataset.dataset](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset) | resource | -| [google_dns_record_set.k8s_api_proxy_dns_name](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource | -| [google_project_iam_member.cluster_service_account-defaults](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.cluster_service_account-gar](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.cluster_service_account-gcfs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| 
[google_project_iam_member.cluster_service_account-gcr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_service_account.cluster_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | -| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | - ## Inputs | Name | Description | Type | Default | Required | 
@@ -349,147 +215,4 @@ Module creates an opinionated GKE cluster plus related resources within a Shared | [name](#output\_name) | Cluster name | | [node\_pools](#output\_node\_pools) | List of node pools | | [service\_account](#output\_service\_account) | Cluster Service Account | - -## Simple Example - -This uses distinct networking variables and the (module) default node pool. - -```hcl -data "terraform_remote_state" "vpc" { - backend = "gcs" - - config = { - bucket = "my-state-bucket" - prefix = "projects/my-sharedvpc-project" - } -} - -module "gke" { - source = "github.com/mozilla/terraform-modules//google_gke?ref=main" - - name = "my-cluster" - project_id = "shared-clusters" - realm = "nonprod" - region = "us-west1" - - master_ipv4_cidr_block = "1.2.3.4/28" - network = "projects/my-vpc-project/global/networks/my-vpc-network" - pods_ip_cidr_range_name = "my-pods-or-cluster-secondary-range-name" - services_ip_cidr_range_name = "my-services-secondary-range-name" - subnetwork = "projects/my-vpc-project/regions/us-west1/subnetworks/my-subnetwork" - - # don't expect metrics to BQ - enable_resource_consumption_export = false - - # who can access the k8s control plane - # adds placeholder bastion network by default - master_authorized_networks = [ - { - cidr_block = "1.2.3.4/32" - display_name = "bastion" - } - ] -} -``` - -## Complex Example 1 - - This uses a Mozilla-internal Shared VPC Terraform outputs variable for networking. It also sets up cluster to be able to access GAR images in a different project. 
- -```hcl -data "terraform_remote_state" "vpc" { - backend = "gcs" - - config = { - bucket = "my-state-bucket" - prefix = "projects/my-sharedvpc-project" - } -} - -module "gke" { - source = "github.com/mozilla/terraform-modules//google_gke?ref=main" - - name = "my-cluster" - project_id = "shared-clusters" - realm = "nonprod" - region = "us-west1" - shared_vpc_outputs = data.terraform_remote_state.projects.outputs.projects.shared.nonprod.id["shared-clusters"].regions["us-west1"] - - # export metrics to a module-created BigQuery dataset - create_resource_usage_export_dataset = true - - # access docker image GARs in another project - # (self-same cluster project id included by default) - registry_project_ids = [ - "team-app1" - ] - - # who can access the k8s control plane - # adds placeholder bastion network by default - master_authorized_networks = [ - { - cidr_block = "1.2.3.4/32" - display_name = "bastion" - } - ] -} - -``` - -## Complex Example 2 - - This uses a Mozilla-internal Shared VPC Terraform outputs variable for networking. It creates multiple node pools with some defaults changed per node pool. 
- -```hcl -data "terraform_remote_state" "vpc" { - backend = "gcs" - - config = { - bucket = "my-state-bucket" - prefix = "projects/my-sharedvpc-project" - } -} - -module "gke" { - source = "github.com/mozilla/terraform-modules//google_gke?ref=main" - - name = "my-cluster" - project_id = "shared-clusters" - realm = "nonprod" - region = "us-west1" - shared_vpc_outputs = data.terraform_remote_state.projects.outputs.projects.shared.nonprod.id["shared-clusters"].regions["us-west1"] - - # export metrics to a pre-created BigQuery dataset - resource_usage_export_dataset_id = "cluster_metrics_dataset" - - # Don't use module-defaults node pool - # second node pool has special labels for np 2 only; - # see locals.tf for default values - node_pools = [ - { - name = "nodepool-1" - }, - { - name = "nodepool-2" - machine_type = "n2-standard-2" - max_count = 6 - } - ] - - node_pools_labels = { - nodepool-2 = { - "my-np2-label" = "some-value" - } - } - - # who can access the k8s control plane - # adds placeholder bastion network by default - master_authorized_networks = [ - { - cidr_block = "1.2.3.4/32" - display_name = "bastion" - } - ] -} -``` - \ No newline at end of file + diff --git a/google_gke_namespace_logging/.terraform-docs.yml b/google_gke_namespace_logging/.terraform-docs.yml index 32055e31..c382bb0c 100644 --- a/google_gke_namespace_logging/.terraform-docs.yml +++ b/google_gke_namespace_logging/.terraform-docs.yml @@ -1,8 +1,11 @@ content: |- {{ .Header }} + ## Example ```hcl {{ include "examples/example1.tf" }} ``` + {{ .Inputs }} - {{ .Outputs }}% + + {{ .Outputs }} diff --git a/google_gke_namespace_logging/README.md b/google_gke_namespace_logging/README.md index aade3470..9ef724a4 100644 --- a/google_gke_namespace_logging/README.md +++ b/google_gke_namespace_logging/README.md 
@@ -1,7 +1,9 @@ + # Terraform Module: GKE Tenant Namepsace Logging Creates a logging bucket and grants access to the logging service account so that GKE Logs associated with the tenant namespace are available in the tenant project. The log routing configuration happens as part of the GKE tenant bootstrapping. + ## Example ```hcl module "gke_logging" { @@ -12,6 +14,7 @@ module "gke_logging" { logging_writer_service_account_member = "serviceAccount:test@gcp-sa-logging.iam.gserviceaccount.com" } ``` + ## Inputs | Name | Description | Type | Default | Required | @@ -24,9 +27,11 @@ module "gke_logging" { | [logging\_writer\_service\_account\_member](#input\_logging\_writer\_service\_account\_member) | The unique\_writer\_identity service account that is provisioned when creating a Logging Sink | `string` | n/a | yes | | [project](#input\_project) | n/a | `string` | `null` | no | | [retention\_days](#input\_retention\_days) | Log retention for logs, values between 1 and 3650 days | `number` | `90` | no | + ## Outputs | Name | Description | |------|-------------| | [logging\_bucket\_id](#output\_logging\_bucket\_id) | n/a | -| [logging\_dataset\_id](#output\_logging\_dataset\_id) | n/a |% +| [logging\_dataset\_id](#output\_logging\_dataset\_id) | n/a | + diff --git a/google_gke_tenant/.terraform-docs.yml b/google_gke_tenant/.terraform-docs.yml new file mode 100644 index 00000000..a0ed216c --- /dev/null +++ b/google_gke_tenant/.terraform-docs.yml @@ -0,0 +1,6 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_gke_tenant/README.md b/google_gke_tenant/README.md index 0e0a4c98..976dcde2 100644 --- a/google_gke_tenant/README.md +++ b/google_gke_tenant/README.md 
@@ -1,34 +1,19 @@ + # Terraform Module: Google GKE tenant Sets up a service account for use with GKE -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [google](#requirement\_google) | >= 3.0 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 3.0 | - -## Modules - -None - ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes | -| [project_id](#input\_project\_id) | n/a | `string` | `null` | yes | -| [application](#input\_application) | n/a | `string` | `null` | yes | +| [application](#input\_application) | Application name, eg. bouncer | `string` | `null` | no | +| [cluster\_project\_id](#input\_cluster\_project\_id) | The project ID for the GKE cluster this app uses | `string` | `null` | no | +| [environment](#input\_environment) | Environment to create (like, 'dev', 'stage', or 'prod') | `string` | `null` | no | +| [project\_id](#input\_project\_id) | The project ID in which we're doing this work. | `string` | `null` | no | ## Outputs | Name | Description | |------|-------------| | [gke\_service\_account](#output\_gke\_service\_account) | n/a | - + diff --git a/google_gke_tenant/main.tf b/google_gke_tenant/main.tf new file mode 100644 index 00000000..98b47da2 --- /dev/null +++ b/google_gke_tenant/main.tf @@ -0,0 +1,4 @@ +/** + * # Terraform Module: Google GKE tenant + * Sets up a service account for use with GKE + */ diff --git a/google_memcache/README.md b/google_memcache/README.md index ca93bb24..4678b29a 100644 --- a/google_memcache/README.md +++ b/google_memcache/README.md @@ -1,3 +1,4 @@ + # Terraform Module: Memcache Creates a memcache instance within GCP using Cloud Memorystore 
@@ -27,11 +28,10 @@ module "memcache" { |------|-------------|------|---------|:--------:| | [application](#input\_application) | Application e.g., bouncer. | `string` | n/a | yes | | [authorized\_network](#input\_authorized\_network) | The network name of the shared VPC - expects the format to be: projects//global/networks/ | `string` | n/a | yes | -| [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes | -| [realm](#input\_realm) | Realm e.g., nonprod. | `string` | n/a | yes | | [component](#input\_component) | A logical component of an application | `string` | `"cache"` | no | | [cpu\_count](#input\_cpu\_count) | n/a | `number` | `1` | no | | [custom\_name](#input\_custom\_name) | Use this field to set a custom name for the memcache instance | `string` | `""` | no | +| [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes | | [maintenance\_duration](#input\_maintenance\_duration) | The length of the maintenance window in seconds | `string` | `"10800s"` | no | | [maintenance\_window\_day](#input\_maintenance\_window\_day) | Day of the week maintenance should occur | `string` | `"TUESDAY"` | no | | [maintenance\_window\_hour](#input\_maintenance\_window\_hour) | The hour (from 0-23) when maintenance should start | `number` | `16` | no | @@ -40,6 +40,7 @@ module "memcache" { | [memory\_size\_mb](#input\_memory\_size\_mb) | Memory size in MiB | `number` | `1024` | no | | [node\_count](#input\_node\_count) | n/a | `number` | `1` | no | | [project\_id](#input\_project\_id) | n/a | `string` | `null` | no | +| [realm](#input\_realm) | Realm e.g., nonprod. | `string` | n/a | yes | | [region](#input\_region) | n/a | `string` | `null` | no | ## Outputs @@ -48,3 +49,4 @@ module "memcache" { |------|-------------| | [discovery\_endpoint](#output\_discovery\_endpoint) | n/a | | [memcache\_nodes](#output\_memcache\_nodes) | n/a | + 
diff --git a/google_monitoring/.terraform-docs.yml b/google_monitoring/.terraform-docs.yml
new file mode 100644
index 00000000..a0ed216c
--- /dev/null
+++ b/google_monitoring/.terraform-docs.yml
@@ -0,0 +1,6 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
diff --git a/google_monitoring/README.md b/google_monitoring/README.md
index 8d1f69c3..ac5a0e32 100644
--- a/google_monitoring/README.md
+++ b/google_monitoring/README.md
@@ -1,33 +1,14 @@
-## Requirements + -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.8.3 | -| [google](#requirement\_google) | >= 5.32.0 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 5.32.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [google_monitoring_uptime_check_config.https](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_uptime_check_config) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | -| [uptime\_checks](#input\_uptime\_checks) | n/a |
list(object({
name = string
host = string
path = string
request_method = optional(string, "GET")
content_type = optional(string)
custom_content_type = optional(string)
body = optional(string)
timeout = optional(string, "60s")
period = optional(string, "300s")
user_labels = optional(map(string), {})
selected_regions = optional(list(string), [])

accepted_response_status_codes = optional(list(object({
status_value = number
})), [])

accepted_response_status_classes = optional(list(object({
status_class = string
})), [])

content_matchers = optional(list(object({
content = optional(string)
matcher = optional(string)
})), [])
}))
| `[]` | no | +| [uptime\_checks](#input\_uptime\_checks) | n/a |
list(object({
name = string
host = string
path = string
request_method = optional(string, "GET")
content_type = optional(string)
custom_content_type = optional(string)
body = optional(string)
timeout = optional(string, "60s")
period = optional(string, "300s")
user_labels = optional(map(string), {})
selected_regions = optional(list(string), ["EUROPE", "USA_OREGON", "USA_VIRGINIA"])

accepted_response_status_codes = optional(list(object({
status_value = number
})), [])

accepted_response_status_classes = optional(list(object({
status_class = string
})), [])

content_matchers = optional(list(object({
content = optional(string)
matcher = optional(string)
})), [])
}))
| `[]` | no | ## Outputs No outputs. + diff --git a/google_permissions/.terraform-docs.yml b/google_permissions/.terraform-docs.yml new file mode 100644 index 00000000..febf44ed --- /dev/null +++ b/google_permissions/.terraform-docs.yml @@ -0,0 +1,20 @@ +content: |- + {{ .Header }} + + ## Examples + + ```hcl + {{ include "examples/basic/main.tf" }} + ``` + + ```hcl + {{ include "examples/basic_with_addon/main.tf" }} + ``` + + ```hcl + {{ include "examples/admin_only/main.tf" }} + ``` + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_permissions/README.md b/google_permissions/README.md index 210ce144..8aa3b614 100644 --- a/google_permissions/README.md +++ b/google_permissions/README.md 
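Review bot: The three example files pulled in by the new `include` directives are copied into the README verbatim, and as rendered in the README hunk that follows, two of them use `source = "../../../google_permissions"`, a path that only resolves from inside this repository, while the first uses `?ref=main`, a moving branch rather than a fixed version. Readers who copy the snippets either get a broken source or an unpinned module whose contents can change underneath them. Consider normalising the example `source` lines to the registry-style form with a pinned ref, `source = "github.com/mozilla/terraform-modules//google_permissions?ref=<PINNED_TAG_OR_SHA>"`, or adding a sentence ahead of the examples stating that the relative paths are for in-repo testing only.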
@@ -1,77 +1,61 @@ + # Google Permissions This module provides an interface to adding permissions to your google projects and folders. For information on how to add new roles to the modules, please see [this document](./ADDING\_NEW\_ROLE.md) -## Requirements +## Examples -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.2 | -| [google](#requirement\_google) | >=6.7.0 | -| [google-beta](#requirement\_google-beta) | >=6.7.0 | +```hcl +module "permissions" { + source = "github.com/mozilla/terraform-modules//google_permissions?ref=main" + // it is assumed that you loaded and have available a local.project + google_folder_id = local.project.folder.id + google_prod_project_id = local.project["prod"].id + google_nonprod_project_id = local.project["nonprod"].id + admin_ids = ["workgroup:my-project/workgroup_subgroup"] + developer_ids = ["workgroup:my-project/developers"] + viewer_ids = ["workgroup:my-project/viewers"] +} +``` -## Providers +```hcl +module "permissions" { + source = "../../../google_permissions" + // it is assumed that you loaded and have available a local.project + google_folder_id = local.project.folder.id + google_prod_project_id = local.project["prod"].id + google_nonprod_project_id = local.project["nonprod"].id + admin_ids = ["workgroup:my-project/admins"] + developer_ids = ["workgroup:my-project/developers"] + folder_roles = [ + "roles/bigquery.jobUser", + ] + prod_roles = [ + "roles/storage.objectAdmin", + "roles/storage.admin", + "roles/cloudsql.admin" + ] + nonprod_roles = [ + "roles/editor", + "roles/storage.admin", + "roles/cloudsql.admin" + ] +} +``` -| Name | Version | -|------|---------| -| [google](#provider\_google) | >=6.7.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [admins\_workgroup](#module\_admins\_workgroup) | ../mozilla_workgroup | n/a | -| [approvals\_workgroup](#module\_approvals\_workgroup) | ../mozilla_workgroup | n/a | -| 
[developers\_workgroup](#module\_developers\_workgroup) | ../mozilla_workgroup | n/a | -| [viewers\_workgroup](#module\_viewers\_workgroup) | ../mozilla_workgroup | n/a | -| [workgroup](#module\_workgroup) | ../mozilla_workgroup | n/a | - -## Resources - -| Name | Type | -|------|------| -| [google_cloud_asset_project_feed.project_feed](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_asset_project_feed) | resource | -| [google_folder_iam_binding.bq_data_viewer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.bq_job_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.developers_logging_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.developers_logging_privateLogViewer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.developers_monitoring_alertPolicyEditor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.developers_monitoring_notificationChannelEditor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.developers_redis_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.developers_techsupport_editor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.folder](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| 
[google_folder_iam_binding.owner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_folder_iam_binding.viewer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/folder_iam_binding) | resource | -| [google_privileged_access_manager_entitlement.additional_entitlements](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/privileged_access_manager_entitlement) | resource | -| [google_privileged_access_manager_entitlement.default_nonprod_entitlement](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/privileged_access_manager_entitlement) | resource | -| [google_privileged_access_manager_entitlement.default_prod_entitlement](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/privileged_access_manager_entitlement) | resource | -| [google_project_iam_binding.automl_editor_prod](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.bucket_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.editor_nonprod](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.nonprod_developer_cloudsql_viewer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.nonprod_developer_colabEnterpriseUser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.nonprod_developer_db_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| 
[google_project_iam_binding.nonprod_developer_monitoring_uptimecheckconfigeditor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.nonprod_developer_oath_config_editor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.nonprod_developer_objectUser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.nonprod_developer_pubsub_editor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.nonprod_developer_secretmanager_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.prod_bucket_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.prod_developer_cloudsql_viewer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.prod_developer_colabEnterpriseUser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.prod_developer_db_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.prod_developer_monitoring_uptimecheckconfigeditor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.prod_developer_objectUser](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| 
[google_project_iam_binding.prod_developer_pubsub_editor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.storage_objectadmin_prod](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_binding.translationhub_admin_prod](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_binding) | resource | -| [google_project_iam_member.cloudtranslate_editor_prod](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.developers_secretmanager_secretAccessor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.developers_secretmanager_secretVersionAdder](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.prod_developer_secretmanager_secretAccessor](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | -| [google_project_iam_member.prod_developer_secretmanager_secretVersionAdder](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | +```hcl +module "permissions" { + source = "../../../google_permissions" + // it is assumed that you loaded and have available a local.project + google_folder_id = local.project.folder.id + google_prod_project_id = local.project["prod"].id + google_nonprod_project_id = local.project["nonprod"].id + admin_only = true + admin_ids = ["workgroup:my-project/admins"] +} +``` ## Inputs 
@@ -81,7 +65,7 @@ For information on how to add new roles to the modules, please see [this documen | [admin\_only](#input\_admin\_only) | Whether or not to create a project with admin-only role. | `bool` | `false` | no | | [app\_code](#input\_app\_code) | The application code for the permissions. See https://github.com/mozilla-services/inventory/blob/master/application_component_registry.csv. | `string` | `""` | no | | [developer\_ids](#input\_developer\_ids) | List of developer IDs to add to the project. | `list(string)` | `[]` | no | -| [entitlement\_data](#input\_entitlement\_data) | The entitlement data for the project. |
object({
enabled = bool
additional_roles = list(string)
additional_entitlements = list(object({
name = string
roles = list(string)
principals = list(string)
approval_workflow = optional(object({
principals = list(string)
}))
}))
})
|
{
"additional_entitlements": [],
"additional_roles": [],
"enabled": false
}
| no | +| [entitlement\_data](#input\_entitlement\_data) | The entitlement data for the project. |
object({
enabled = bool
additional_roles = list(string)
additional_entitlements = list(object({
name = string
roles = list(string)
principals = list(string)
approval_workflow = optional(object({
principals = list(string)
}))
}))
})
|
{
"additional_entitlements": [],
"additional_roles": [],
"enabled": false
}
| no | | [entitlement\_enabled](#input\_entitlement\_enabled) | Whether or not to enable entitlements. | `bool` | `false` | no | | [entitlement\_slack\_topic](#input\_entitlement\_slack\_topic) | The name of the pubsub topic to use for slack notifications. | `string` | `""` | no | | [feed\_id](#input\_feed\_id) | The ID of the feed to be created | `string` | `"grant_feed"` | no | @@ -100,3 +84,4 @@ For information on how to add new roles to the modules, please see [this documen | [validate\_folder\_roles](#output\_validate\_folder\_roles) | n/a | | [validate\_nonprod\_roles](#output\_validate\_nonprod\_roles) | n/a | | [validate\_prod\_roles](#output\_validate\_prod\_roles) | n/a | + diff --git a/google_project-dns/.terraform-docs.yml b/google_project-dns/.terraform-docs.yml new file mode 100644 index 00000000..a0ed216c --- /dev/null +++ b/google_project-dns/.terraform-docs.yml @@ -0,0 +1,6 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} diff --git a/google_project-dns/README.md b/google_project-dns/README.md index ac2dca0a..88fb1cf7 100644 --- a/google_project-dns/README.md +++ b/google_project-dns/README.md @@ -1,3 +1,4 @@ + # Terraform Module: Project DNS Creates a DNS zone for an application's project and realm and links it to the parent zone. 
@@ -5,31 +6,6 @@ The created zone will be: `APP_NAME.REALM.TEAM_NAME.mozgcp.net` -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [google](#requirement\_google) | >= 3.0 | - -## Providers - -| Name | Version | -|------|---------| -| [google](#provider\_google) | >= 3.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [google_dns_managed_zone.zone](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone) | resource | -| [google_dns_record_set.ns](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource | -| [google_project_service.dns](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource | - ## Inputs | Name | Description | Type | Default | Required | @@ -38,8 +14,8 @@ No modules. | [parent\_managed\_zone](#input\_parent\_managed\_zone) | GCP DNS managed zone to add the record. | `string` | n/a | yes | | [parent\_project\_id](#input\_parent\_project\_id) | GCP project\_id that contains DNS zones used for delegation | `string` | n/a | yes | | [project\_id](#input\_project\_id) | GCP project\_id where the zone will be provisioned. | `string` | n/a | yes | -| [team\_name](#input\_team\_name) | Name of SRE team, which should correspond to the top-level folder name | `string` | n/a | yes | | [realm](#input\_realm) | Realm is a grouping of environments being one of: global, nonprod, prod | `string` | `""` | no | +| [team\_name](#input\_team\_name) | Name of SRE team, which should correspond to the top-level folder name | `string` | n/a | yes | ## Outputs @@ -47,3 +23,4 @@ No modules. |------|-------------| | [zone\_dns\_name](#output\_zone\_dns\_name) | n/a | | [zone\_name](#output\_zone\_name) | n/a | + diff --git a/google_project/.terraform-docs.yml b/google_project/.terraform-docs.yml new file mode 100644 index 00000000..a0ed216c 
--- /dev/null
+++ b/google_project/.terraform-docs.yml
@@ -0,0 +1,6 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
diff --git a/google_project/README.md b/google_project/README.md
index e4e59288..640384d9 100644
--- a/google_project/README.md
+++ b/google_project/README.md
@@ -1,42 +1,20 @@
+
 # Terraform Module for Project Provisioning
 Sets up a single GCP project linked to a billing account plus management metadata.
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [google](#requirement\_google) | >= 3.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [google](#provider\_google) | 3.90.1 |
-| [random](#provider\_random) | 3.1.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project) | resource |
-| [google_project_service.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
-| [random_id.project](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [additional\_data\_access\_logs](#input\_additional\_data\_access\_logs) | Additional services that data access logs should be included for. Google Cloud services with audit logs: https://cloud.google.com/logging/docs/audit/services . | `list(string)` | `[]` | no |
 | [app\_code](#input\_app\_code) | Defaults to project\_name. Used for labels and metadata on application-related resources. See https://github.com/mozilla-services/inventory/blob/master/application_component_registry.csv. | `string` | `""` | no |
 | [billing\_account\_id](#input\_billing\_account\_id) | Associated billing account | `string` | n/a | yes |
 | [component\_code](#input\_component\_code) | Defaults to app\_code-uncat. See https://github.com/mozilla-services/inventory/blob/master/application_component_registry.csv | `string` | `""` | no |
 | [cost\_center](#input\_cost\_center) | Cost center of the project or resource. 
Default is 5650 (Services Engineering) | `string` | `"5650"` | no |
+| [deletion\_policy](#input\_deletion\_policy) | The deletion policy for the Project. | `string` | `"PREVENT"` | no |
 | [display\_name](#input\_display\_name) | Display name for the project. Defaults to project\_name | `string` | `""` | no |
 | [extra\_project\_labels](#input\_extra\_project\_labels) | Extra project labels (a map of key/value pairs) to be applied to the Project. | `map(string)` | `{}` | no |
+| [log\_analytics](#input\_log\_analytics) | Enable log analytics for \_Default log bucket | `bool` | `false` | no |
 | [parent\_id](#input\_parent\_id) | Parent folder (with GCP). | `string` | n/a | yes |
 | [program\_code](#input\_program\_code) | Program Code of the project or resource: https://mana.mozilla.org/wiki/display/FINArchive/Program+Codes. Drop the `PC - `, lowercase the string and substitute spaces for dashes. | `string` | `"firefox-services"` | no |
 | [program\_name](#input\_program\_name) | Name of the Firefox program being one of: ci, data, infrastructure, services, web. | `string` | `"services"` | no |
@@ -44,7 +22,7 @@ No modules.
 | [project\_name](#input\_project\_name) | Name of project e.g., autopush | `string` | n/a | yes |
 | [project\_services](#input\_project\_services) | List of google\_project\_service APIs to enable. | `list(string)` | `[]` | no |
 | [realm](#input\_realm) | Realm is a grouping of environments being one of: global, nonprod, prod | `string` | `""` | no |
-| [risk\_level](#input\_risk\_level) | The risk level of the project, usually comes from an RRA | `string` | `"low"` | yes |
+| [risk\_level](#input\_risk\_level) | Level of risk the project poses, usually obtained from an RRA | `string` | `""` | no |
 ## Outputs
@@ -53,4 +31,4 @@ No modules.
 | [name](#output\_name) | n/a |
 | [project\_id](#output\_project\_id) | n/a |
 | [project\_number](#output\_project\_number) | n/a |
-
+
diff --git a/google_psc_to_elastic/.terraform-docs.yml b/google_psc_to_elastic/.terraform-docs.yml
new file mode 100644
index 00000000..a0ed216c
--- /dev/null
+++ b/google_psc_to_elastic/.terraform-docs.yml
@@ -0,0 +1,6 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
diff --git a/google_psc_to_elastic/README.md b/google_psc_to_elastic/README.md
index 6b2d6a11..55843762 100644
--- a/google_psc_to_elastic/README.md
+++ b/google_psc_to_elastic/README.md
@@ -1,34 +1,5 @@
-## Requirements
+
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [ec](#requirement\_ec) | ~> 0.9.0 |
-| [google](#requirement\_google) | >= 4.27 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [ec](#provider\_ec) | ~> 0.9.0 |
-| [google](#provider\_google) | >= 4.27 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [google_compute_address.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address) | resource |
-| [google_compute_forwarding_rule.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_forwarding_rule) | resource |
-| [google_dns_managed_zone.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone) | resource |
-| [google_dns_record_set.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
-| [ec_gcp_private_service_connect_endpoint.default](https://registry.terraform.io/providers/elastic/ec/latest/docs/data-sources/gcp_private_service_connect_endpoint) | data source |
-| [google_compute_network.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_network) | data source |
-| [google_compute_subnetwork.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_subnetwork) | data source |
-| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 ## Inputs
@@ -37,11 +8,12 @@ No modules.
 | [gcp\_region](#input\_gcp\_region) | GCP region | `string` | n/a | yes |
 | [name](#input\_name) | GCP project name | `string` | n/a | yes |
 | [network\_name](#input\_network\_name) | VPC network name | `string` | n/a | yes |
+| [project\_id\_for\_network](#input\_project\_id\_for\_network) | The project ID from which to retrieve the data of a network or subnet | `string` | `""` | no |
 | [subnetwork\_name](#input\_subnetwork\_name) | VPC subnetwork name | `string` | n/a | yes |
-| [project\_id\_for\_network](#input\_project\_id\_for\_network) | The project ID of the network | `string` | `""` | no |
 ## Outputs
 | Name | Description |
 |------|-------------|
 | [psc\_connection\_id](#output\_psc\_connection\_id) | n/a |
+
diff --git a/google_redis/README.md b/google_redis/README.md
index 62aec53e..c640c97a 100644
--- a/google_redis/README.md
+++ b/google_redis/README.md
@@ -1,3 +1,4 @@
+
 # Terraform Module: Redis
 Creates a Redis instance within GCP using Cloud Memorystore
@@ -30,21 +31,21 @@ module "redis" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [application](#input\_application) | Application e.g., bouncer. | `string` | n/a | yes |
-| [authorized\_network](#input\_authorized\_network) | The network name of the shared VPC | `string` | n/a | yes |
-| [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes |
-| [realm](#input\_realm) | Realm e.g., nonprod. | `string` | n/a | yes |
-| [redis\_configs](#input\_redis\_configs) | Redis configs https://cloud.google.com/memorystore/docs/redis/reference/rest/v1/projects.locations.instances#Instance.FIELDS.redis_configs | `map(string)` | n/a | yes |
-| [tier](#input\_tier) | Service tier of the instance. Either BASIC or STANDARD\_HA | `string` | n/a | yes |
 | [auth\_enabled](#input\_auth\_enabled) | Controls whether auth is enabled | `bool` | `false` | no |
+| [authorized\_network](#input\_authorized\_network) | The network name of the shared VPC | `string` | n/a | yes |
 | [component](#input\_component) | A logical component of an application | `string` | `"cache"` | no |
 | [custom\_name](#input\_custom\_name) | Use this field to set a custom name for the redis instance | `string` | `""` | no |
 | [enable\_persistence](#input\_enable\_persistence) | Controls whether peristence features are enabled | `bool` | `false` | no |
+| [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes |
 | [maintenance\_window\_day](#input\_maintenance\_window\_day) | Day of the week maintenance should occur | `string` | `"TUESDAY"` | no |
 | [maintenance\_window\_hour](#input\_maintenance\_window\_hour) | The hour (from 0-23) when maintenance should start | `number` | `16` | no |
 | [memory\_size\_gb](#input\_memory\_size\_gb) | Memory size in GiB | `number` | `1` | no |
 | [project\_id](#input\_project\_id) | n/a | `string` | `null` | no |
+| [realm](#input\_realm) | Realm e.g., nonprod. 
| `string` | n/a | yes |
+| [redis\_configs](#input\_redis\_configs) | Redis configs https://cloud.google.com/memorystore/docs/redis/reference/rest/v1/projects.locations.instances#Instance.FIELDS.redis_configs | `map(string)` | n/a | yes |
 | [redis\_version](#input\_redis\_version) | n/a | `string` | `"REDIS_6_X"` | no |
 | [region](#input\_region) | n/a | `string` | `null` | no |
+| [tier](#input\_tier) | Service tier of the instance. Either BASIC or STANDARD\_HA | `string` | n/a | yes |
 | [transit\_encryption\_mode](#input\_transit\_encryption\_mode) | Controls whether tls is enabled | `string` | `"DISABLED"` | no |
 ## Outputs
@@ -55,3 +56,4 @@ module "redis" {
 | [host](#output\_host) | n/a |
 | [persistence\_iam\_identity](#output\_persistence\_iam\_identity) | n/a |
 | [port](#output\_port) | n/a |
+
diff --git a/google_tenant_project_bootstrap/.terraform-docs.yml b/google_tenant_project_bootstrap/.terraform-docs.yml
new file mode 100644
index 00000000..a0ed216c
--- /dev/null
+++ b/google_tenant_project_bootstrap/.terraform-docs.yml
@@ -0,0 +1,6 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
diff --git a/google_tenant_project_bootstrap/README.md b/google_tenant_project_bootstrap/README.md
index 0ffc3e79..e57cdba7 100644
--- a/google_tenant_project_bootstrap/README.md
+++ b/google_tenant_project_bootstrap/README.md
@@ -1,47 +1,26 @@
+
 # Terraform Module: Tenant project bootstrapping
 Calls submodules to bootstrap a tenant project
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | ~> 1.0 |
-| [google](#requirement\_google) | >= 3.0 |
-| [google-beta](#requirement\_google\_beta) | >= 4.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [google](#provider\_google) | >= 3.0 |
-| [google-beta](#provider\_google\_beta) | >= 4.0 |
-
-## Modules
-
-| Name |
-|------|
-| [google_gar](https://github.com/mozilla/terraform-modules/tree/main/google_gar) |
-| [google_deployment_accounts](https://github.com/mozilla/terraform-modules/tree/main/google_deployment_accounts) |
-| [google_gsm_for_gke](https://github.com/mozilla/terraform-modules/tree/main/google_gsm_for_gke) |
-
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes |
+| [application](#input\_application) | The name of the application. | `string` | `null` | no |
+| [environment](#input\_environment) | Environment to create (like, 'dev', 'stage', or 'prod') | `string` | `null` | no |
 | [github\_repository](#input\_github\_repository) | The Github repository running the deployment workflows in the format org/repository | `string` | n/a | yes |
-| [wip\_name](#input\_wip\_name) | The name of the workload identity provider | `string` | n/a | yes |
+| [gke\_cluster\_project\_id](#input\_gke\_cluster\_project\_id) | The project ID for the GKE cluster this app uses | `string` | `null` | no |
+| [project](#input\_project) | The project ID in which we're doing this work. | `string` | `null` | no |
+| [realm](#input\_realm) | Name of infrastructure realm (e.g. prod, nonprod, mgmt, or global). 
| `string` | n/a | yes |
+| [wip\_name](#input\_wip\_name) | The name of the workload identity provider | `string` | `"github-actions"` | no |
 | [wip\_project\_number](#input\_wip\_project\_number) | The project number of the project the workload identity provider lives in | `number` | n/a | yes |
-| [project](#input\_project) | n/a | `string` | `null` | yes |
-| [application](#input\_application) | n/a | `string` | `null` | yes |
-| [realm](#input\_realm) | n/a | `string` | `null` | yes |
 ## Outputs
 | Name | Description |
 |------|-------------|
-| [gke\_service\_account](#output\_gke\_service\_account) | n/a |
 | [deploy\_service\_account](#output\_deploy\_service\_account) | n/a |
-| [gar\_service\_account](#output\_gar\_service\_account) | n/a |
 | [gar\_repository](#output\_gar\_repository) | n/a |
-
+| [gar\_service\_account](#output\_gar\_service\_account) | n/a |
+| [gke\_service\_account](#output\_gke\_service\_account) | n/a |
+
diff --git a/google_tenant_project_bootstrap/main.tf b/google_tenant_project_bootstrap/main.tf
index 504ec95c..15b7fda2 100644
--- a/google_tenant_project_bootstrap/main.tf
+++ b/google_tenant_project_bootstrap/main.tf
@@ -1,3 +1,8 @@
+/**
+ * # Terraform Module: Tenant project bootstrapping
+ * Calls submodules to bootstrap a tenant project
+ */
+
 module "google_gke_tenant" {
 source = "github.com/mozilla/terraform-modules//google_gke_tenant?ref=main"
diff --git a/google_tfstate/.terraform-docs.yml b/google_tfstate/.terraform-docs.yml
new file mode 100644
index 00000000..a0ed216c
--- /dev/null
+++ b/google_tfstate/.terraform-docs.yml
@@ -0,0 +1,6 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
diff --git a/google_tfstate/README.md b/google_tfstate/README.md
index e8c9ede0..d53e98a3 100644
--- a/google_tfstate/README.md
+++ b/google_tfstate/README.md
@@ -1,29 +1,7 @@
+
 # Terraform Module for GCP Terraform State Storage
 Creates GCP storage bucket which will store a project's Terraform state.
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [google](#requirement\_google) | >= 3.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [google](#provider\_google) | >= 3.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [google_storage_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket) | resource |
-
 ## Inputs
 | Name | Description | Type | Default | Required |
@@ -36,3 +14,4 @@ No modules.
 | Name | Description |
 |------|-------------|
 | [name](#output\_name) | n/a |
+
diff --git a/google_workload_identity/.terraform-docs.yml b/google_workload_identity/.terraform-docs.yml
new file mode 100644
index 00000000..a0ed216c
--- /dev/null
+++ b/google_workload_identity/.terraform-docs.yml
@@ -0,0 +1,6 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
diff --git a/google_workload_identity/README.md b/google_workload_identity/README.md
index ac753acb..5a9000c7 100644
--- a/google_workload_identity/README.md
+++ b/google_workload_identity/README.md
@@ -3,34 +3,6 @@ Creates identity mapping and optionally the service accounts to go with it
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [google](#requirement\_google) | ~> 3.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [google](#provider\_google) | ~> 3.0 |
-| [kubernetes](#provider\_kubernetes) | n/a |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [google_project_iam_member.workload_identity_sa_bindings](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
-| [google_service_account.cluster_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
-| [google_service_account_iam_member.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
-| [kubernetes_service_account.main](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
-| [google_service_account.cluster_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account) | data source |
-
 ## Inputs
 | Name | Description | Type | Default | Required |
diff --git a/mozilla_workgroup/.terraform-docs.yml b/mozilla_workgroup/.terraform-docs.yml
index 802fe30a..f5216967 100644
--- a/mozilla_workgroup/.terraform-docs.yml
+++ b/mozilla_workgroup/.terraform-docs.yml
@@ -1,8 +1,10 @@
 content: |-
 {{ .Header }}
+
 ## Example
 ```hcl
 {{ include "examples/example1.tf" }}
 ```
+
 {{ .Inputs }}
- {{ .Outputs }}
\ No newline at end of file
+ {{ .Outputs }}
diff --git a/mozilla_workgroup/README.md b/mozilla_workgroup/README.md
index bda9cc1c..35e0bab8 100644
--- a/mozilla_workgroup/README.md
+++ b/mozilla_workgroup/README.md
@@ -1,3 +1,4 @@
+
 # Mozilla workgroup
 Retrieve workgroup ACL lists associated with data and gcp access workgroups.
@@ -18,58 +19,7 @@ subgroup:SUBGROUP
 is supported, which will return all workgroups that contain a particular subgroup.
 This module is cloned from https://github.com/mozilla-services/cloudops-infra-terraform-modules/tree/master/data-workgroup.
-## Example
-```hcl
-module "workgroup" {
- source = "github.com/mozilla/terraform-modules//mozilla_workgroup?ref=main"
-
- ids = ["workgroup:app/admins"]
- roles = {}
- workgroup_outputs = ["members", "google_groups"]
- terraform_remote_state_bucket = "moz-bucket"
- terraform_remote_state_prefix = "projects/workgroups"
-}
-```
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [ids](#input\_ids) | List of workgroup identifiers to look up access for | `set(string)` | n/a | yes |
-| [roles](#input\_roles) | List of roles to generate bigquery acls for | `map(string)` |
{
"metadata_viewer": "roles/bigquery.metadataViewer",
"read": "READER",
"write": "WRITER"
}
| no |
-| [terraform\_remote\_state\_bucket](#input\_terraform\_remote\_state\_bucket) | The GCS bucket used for terraform state that contains the expected workgroups output | `string` | n/a | yes |
-| [terraform\_remote\_state\_prefix](#input\_terraform\_remote\_state\_prefix) | The path prefix where the terraform state file is located | `string` | n/a | yes |
-| [workgroup\_outputs](#input\_workgroup\_outputs) | Expected outputs from workgroup output definition | `list(any)` |
[
"bigquery_acls",
"members",
"service_accounts",
"google_groups"
]
| no |
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [bigquery](#output\_bigquery) | bigquery acls for members associated with the input workgroups |
-| [google\_groups](#output\_google\_groups) | google groups associated with the input workgroups, unqualified |
-| [ids](#output\_ids) | pass input ids as output |
-| [members](#output\_members) | authoritative, fully-qualified list of members associated with the input workgroups |
-| [service\_accounts](#output\_service\_accounts) | service accounts associated with the input workgroups, unqualified |
-
-
-# workgroup
-Retrieve workgroup ACL lists associated with data and gcp access workgroups.
-
-Workgroup identifiers should be of the form:
-
-```
-workgroup:WORKGROUP_NAME[/SUBGROUP]
-```
-where `SUBGROUP` defaults to `default`. For example: `workgroup:app`, `workgroup:app/admin`.
-
-For subgroup queries across all workgroups, an additional identifier format:
-
-```
-subgroup:SUBGROUP
-```
-
-is supported, which will return all workgroups that contain a particular subgroup.
-
-This module is cloned from https://github.com/mozilla-services/cloudops-infra-terraform-modules/tree/master/data-workgroup.
 ## Example
 ```hcl
 module "workgroup" {
@@ -82,6 +32,7 @@ module "workgroup" {
 terraform_remote_state_prefix = "projects/workgroups"
 }
 ```
+
 ## Inputs
 | Name | Description | Type | Default | Required |
@@ -90,7 +41,7 @@ module "workgroup" {
 | [roles](#input\_roles) | List of roles to generate bigquery acls for | `map(string)` | `{}` | no |
 | [terraform\_remote\_state\_bucket](#input\_terraform\_remote\_state\_bucket) | The GCS bucket used for terraform state that contains the expected workgroups output | `string` | `"moz-fx-platform-mgmt-global-tf"` | no |
 | [terraform\_remote\_state\_prefix](#input\_terraform\_remote\_state\_prefix) | The path prefix where the terraform state file is located | `string` | `"projects/google-workspace-management"` | no |
-| [workgroup\_outputs](#input\_workgroup\_outputs) | Expected outputs from workgroup output definition | `list(any)` |
[
"members",
"google_groups"
]
| no |
+| [workgroup\_outputs](#input\_workgroup\_outputs) | Expected outputs from workgroup output definition | `list(any)` |
[
"members",
"google_groups"
]
| no |
 ## Outputs
 | Name | Description |
@@ -100,4 +51,4 @@ module "workgroup" {
 | [ids](#output\_ids) | pass input ids as output |
 | [members](#output\_members) | authoritative, fully-qualified list of members associated with the input workgroups |
 | [service\_accounts](#output\_service\_accounts) | service accounts associated with the input workgroups, unqualified |
-
\ No newline at end of file
+
diff --git a/mozilla_workgroup/main.tf b/mozilla_workgroup/main.tf
index c3b3c711..8a17caeb 100644
--- a/mozilla_workgroup/main.tf
+++ b/mozilla_workgroup/main.tf
@@ -1,5 +1,5 @@
 /**
- * # workgroup
+ * # Mozilla workgroup
 * Retrieve workgroup ACL lists associated with data and gcp access workgroups.
 *
 * Workgroup identifiers should be of the form: