This module performs the same functions as the root module with the addition of integrating G Suite.
There are multiple examples included in the examples folder but simple usage is as follows:
module "project-factory" {
source = "terraform-google-modules/project-factory/google//modules/gsuite_enabled"
version = "~> 10.1"
billing_account = "ABCDEF-ABCDEF-ABCDEF"
create_group = true
credentials_path = "${local.credentials_file_path}"
group_name = "test_sa_group"
group_role = "roles/editor"
name = "pf-test-1"
org_id = "1234567890"
random_project_id = true
sa_group = "test_sa_group@yourdomain.com"
shared_vpc = "shared_vpc_host_name"
shared_vpc_subnets = [
"projects/base-project-196723/regions/us-east1/subnetworks/default",
"projects/base-project-196723/regions/us-central1/subnetworks/default",
"projects/base-project-196723/regions/us-central1/subnetworks/subnet-1",
]
usage_bucket_name = "pf-test-1-usage-report-bucket"
usage_bucket_prefix = "pf/test/1/integration"
}The G Suite Enabled module will perform the following actions in addition to those of the root module:
- Create a new Google group for the project using
group_nameifcreate_groupistrue. - Add the new default service account for the project to the
sa_groupin Google Groups, if specified. - Add the Google APIs service account to the
api_sa_group, if specified.
The roles granted are specifically:
- New Default Service Account
- MEMBER of the specified
sa_group
- MEMBER of the specified
- Google APIs Service Account
- MEMBER of the specified
api_sa_group
- MEMBER of the specified
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| activate_apis | The list of apis to activate within the project | list(string) |
[ |
no |
| api_sa_group | A G Suite group to place the Google APIs Service Account for the project in | string |
"" |
no |
| auto_create_network | Create the default network | bool |
false |
no |
| billing_account | The ID of the billing account to associate this project with | any |
n/a | yes |
| bucket_location | The location for a GCS bucket to create (optional) | string |
"" |
no |
| bucket_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | string |
"" |
no |
| bucket_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string |
"" |
no |
| bucket_versioning | Enable versioning for a GCS bucket to create (optional) | bool |
false |
no |
| budget_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of projects/{project_id}/topics/{topic_id} |
string |
null |
no |
| budget_alert_spent_percents | A list of percentages of the budget to alert on when threshold is exceeded | list(number) |
[ |
no |
| budget_amount | The amount to use for a budget alert | number |
null |
no |
| budget_monitoring_notification_channels | A list of monitoring notification channels in the form [projects/{project_id}/notificationChannels/{channel_id}]. A maximum of 5 channels are allowed. |
list(string) |
[] |
no |
| consumer_quotas | The quotas configuration you want to override for the project. | list(object({ |
[] |
no |
| create_group | Whether to create the group or not | bool |
false |
no |
| create_project_sa | Whether the default service account for the project shall be created | bool |
true |
no |
| credentials_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | string |
"" |
no |
| default_service_account | Project default service account setting: can be one of delete, deprivilege, disable, or keep. |
string |
"disable" |
no |
| disable_dependent_services | Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed. | bool |
true |
no |
| disable_services_on_destroy | Whether project services will be disabled when the resources are destroyed | bool |
true |
no |
| domain | The domain name (optional). | string |
"" |
no |
| enable_shared_vpc_host_project | If this project is a shared VPC host project. If true, you must not set shared_vpc variable. Default is false. | bool |
false |
no |
| enable_shared_vpc_service_project | If shared VPC should be used | bool |
false |
no |
| folder_id | The ID of a folder to host this project | string |
"" |
no |
| group_name | A group to control the project by being assigned group_role - defaults to ${project_name}-editors | string |
"" |
no |
| group_role | The role to give the controlling group (group_name) over the project (defaults to project editor) | string |
"roles/editor" |
no |
| impersonate_service_account | An optional service account to impersonate. If this service account is not specified, Terraform will fall back to credential file or Application Default Credentials. | string |
"" |
no |
| labels | Map of labels for project | map(string) |
{} |
no |
| lien | Add a lien on the project to prevent accidental deletion | bool |
false |
no |
| name | The name for the project | any |
n/a | yes |
| org_id | The organization ID. | any |
n/a | yes |
| project_id | The ID to give the project. If not provided, the name will be used. |
string |
"" |
no |
| project_sa_name | Default service account name for the project. | string |
"project-service-account" |
no |
| random_project_id | Adds a suffix of 4 random characters to the project_id |
bool |
false |
no |
| sa_group | A G Suite group to place the default Service Account for the project in | string |
"" |
no |
| sa_role | A role to give the default Service Account for the project (defaults to none) | string |
"" |
no |
| shared_vpc | The ID of the host project which hosts the shared VPC | string |
"" |
no |
| shared_vpc_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list(string) |
[] |
no |
| usage_bucket_name | Name of a GCS bucket to store GCE usage reports in (optional) | string |
"" |
no |
| usage_bucket_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string |
"" |
no |
| Name | Description |
|---|---|
| domain | The organization's domain |
| group_email | The email of the created G Suite group with group_name |
| group_name | The group_name of the G Suite group |
| project_bucket_self_link | Project's bucket selfLink |
| project_bucket_url | Project's bucket url |
| project_id | n/a |
| project_name | n/a |
| project_number | n/a |
| service_account_display_name | The display name of the default service account |
| service_account_email | The email of the default service account |
| service_account_id | The id of the default service account |
| service_account_name | The fully-qualified name of the default service account |
| service_account_unique_id | The unique id of the default service account |