feat: Add use_tf_var_google_credentials_env_var variable (#377)

* add use_tf_var_google_credentials_env_var variable * fix use_tf_var_google_credentials_env_var variable type * add use tf_var_google_credentials_env_var to variant modules * update docs 📝 * fix bugs 🐛 * regenerate docs 📝 Co-authored-by: Morgante Pell <morgante.pell@morgante.net>
terraform-google-modules · Mar 3, 2020 · 64459de · 64459de
1 parent 1105d8f
commit 64459de
Show file tree

Hide file tree

Showing 10 changed files with 118 additions and 86 deletions.
diff --git a/README.md b/README.md
@@ -146,6 +146,7 @@ determining that location is as follows:
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list(string) | `<list>` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
+| use\_tf\_google\_credentials\_env\_var | Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with. | bool | `"false"` | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -28,35 +28,36 @@ module "gsuite_group" {
 module "project-factory" {
   source = "./modules/core_project_factory"
 
-  group_email                 = module.gsuite_group.email
-  group_role                  = var.group_role
-  lien                        = var.lien
-  manage_group                = var.group_name != "" ? "true" : "false"
-  random_project_id           = var.random_project_id
-  org_id                      = var.org_id
-  name                        = var.name
-  project_id                  = var.project_id
-  shared_vpc                  = var.shared_vpc
-  shared_vpc_enabled          = var.shared_vpc != ""
-  billing_account             = var.billing_account
-  folder_id                   = var.folder_id
-  sa_role                     = var.sa_role
-  activate_apis               = var.activate_apis
-  usage_bucket_name           = var.usage_bucket_name
-  usage_bucket_prefix         = var.usage_bucket_prefix
-  credentials_path            = var.credentials_path
-  impersonate_service_account = var.impersonate_service_account
-  shared_vpc_subnets          = var.shared_vpc_subnets
-  labels                      = var.labels
-  bucket_project              = var.bucket_project
-  bucket_name                 = var.bucket_name
-  bucket_location             = var.bucket_location
-  auto_create_network         = var.auto_create_network
-  disable_services_on_destroy = var.disable_services_on_destroy
-  default_service_account     = var.default_service_account
-  disable_dependent_services  = var.disable_dependent_services
-  python_interpreter_path     = var.python_interpreter_path
-  pip_executable_path         = var.pip_executable_path
+  group_email                       = module.gsuite_group.email
+  group_role                        = var.group_role
+  lien                              = var.lien
+  manage_group                      = var.group_name != "" ? "true" : "false"
+  random_project_id                 = var.random_project_id
+  org_id                            = var.org_id
+  name                              = var.name
+  project_id                        = var.project_id
+  shared_vpc                        = var.shared_vpc
+  shared_vpc_enabled                = var.shared_vpc != ""
+  billing_account                   = var.billing_account
+  folder_id                         = var.folder_id
+  sa_role                           = var.sa_role
+  activate_apis                     = var.activate_apis
+  usage_bucket_name                 = var.usage_bucket_name
+  usage_bucket_prefix               = var.usage_bucket_prefix
+  credentials_path                  = var.credentials_path
+  impersonate_service_account       = var.impersonate_service_account
+  shared_vpc_subnets                = var.shared_vpc_subnets
+  labels                            = var.labels
+  bucket_project                    = var.bucket_project
+  bucket_name                       = var.bucket_name
+  bucket_location                   = var.bucket_location
+  auto_create_network               = var.auto_create_network
+  disable_services_on_destroy       = var.disable_services_on_destroy
+  default_service_account           = var.default_service_account
+  disable_dependent_services        = var.disable_dependent_services
+  python_interpreter_path           = var.python_interpreter_path
+  pip_executable_path               = var.pip_executable_path
+  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 }
 
 /******************************************

diff --git a/modules/core_project_factory/main.tf b/modules/core_project_factory/main.tf
@@ -160,7 +160,8 @@ module "gcloud_delete" {
   source  = "terraform-google-modules/gcloud/google"
   version = "~> 0.5.0"
 
-  enabled = var.default_service_account == "delete"
+  enabled                           = var.default_service_account == "delete"
+  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 
   create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
   create_cmd_body       = <<-EOT
@@ -185,7 +186,8 @@ module "gcloud_deprivilege" {
   source  = "terraform-google-modules/gcloud/google"
   version = "~> 0.5.0"
 
-  enabled = var.default_service_account == "deprivilege"
+  enabled                           = var.default_service_account == "deprivilege"
+  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 
   create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
   create_cmd_body       = <<-EOT
@@ -210,7 +212,8 @@ module "gcloud_disable" {
   source  = "terraform-google-modules/gcloud/google"
   version = "~> 0.5.0"
 
-  enabled = var.default_service_account == "disable"
+  enabled                           = var.default_service_account == "disable"
+  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 
   create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
   create_cmd_body       = <<-EOT

diff --git a/modules/core_project_factory/variables.tf b/modules/core_project_factory/variables.tf
@@ -183,3 +183,9 @@ variable "pip_executable_path" {
   type        = string
   default     = "pip3"
 }
+
+variable "use_tf_google_credentials_env_var" {
+  description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
+  type        = bool
+  default     = false
+}
diff --git a/modules/gsuite_enabled/README.md b/modules/gsuite_enabled/README.md
@@ -92,6 +92,7 @@ The roles granted are specifically:
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list(string) | `<list>` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
+| use\_tf\_google\_credentials\_env\_var | Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with. | bool | `"false"` | no |
 
 ## Outputs
 

diff --git a/modules/gsuite_enabled/main.tf b/modules/gsuite_enabled/main.tf
@@ -71,33 +71,34 @@ module "project-factory" {
     ),
     0,
   )
-  group_role                  = var.group_role
-  lien                        = var.lien
-  manage_group                = var.group_name != "" || var.create_group
-  random_project_id           = var.random_project_id
-  org_id                      = var.org_id
-  name                        = var.name
-  project_id                  = var.project_id
-  shared_vpc                  = var.shared_vpc
-  shared_vpc_enabled          = var.shared_vpc_enabled
-  billing_account             = var.billing_account
-  folder_id                   = var.folder_id
-  sa_role                     = var.sa_role
-  activate_apis               = var.activate_apis
-  usage_bucket_name           = var.usage_bucket_name
-  usage_bucket_prefix         = var.usage_bucket_prefix
-  credentials_path            = var.credentials_path
-  impersonate_service_account = var.impersonate_service_account
-  shared_vpc_subnets          = var.shared_vpc_subnets
-  labels                      = var.labels
-  bucket_project              = var.bucket_project
-  bucket_name                 = var.bucket_name
-  bucket_location             = var.bucket_location
-  auto_create_network         = var.auto_create_network
-  disable_services_on_destroy = var.disable_services_on_destroy
-  default_service_account     = var.default_service_account
-  disable_dependent_services  = var.disable_dependent_services
-  python_interpreter_path     = var.python_interpreter_path
+  group_role                        = var.group_role
+  lien                              = var.lien
+  manage_group                      = var.group_name != "" || var.create_group
+  random_project_id                 = var.random_project_id
+  org_id                            = var.org_id
+  name                              = var.name
+  project_id                        = var.project_id
+  shared_vpc                        = var.shared_vpc
+  shared_vpc_enabled                = var.shared_vpc_enabled
+  billing_account                   = var.billing_account
+  folder_id                         = var.folder_id
+  sa_role                           = var.sa_role
+  activate_apis                     = var.activate_apis
+  usage_bucket_name                 = var.usage_bucket_name
+  usage_bucket_prefix               = var.usage_bucket_prefix
+  credentials_path                  = var.credentials_path
+  impersonate_service_account       = var.impersonate_service_account
+  shared_vpc_subnets                = var.shared_vpc_subnets
+  labels                            = var.labels
+  bucket_project                    = var.bucket_project
+  bucket_name                       = var.bucket_name
+  bucket_location                   = var.bucket_location
+  auto_create_network               = var.auto_create_network
+  disable_services_on_destroy       = var.disable_services_on_destroy
+  default_service_account           = var.default_service_account
+  disable_dependent_services        = var.disable_dependent_services
+  python_interpreter_path           = var.python_interpreter_path
+  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 }
 
 /******************************************

diff --git a/modules/gsuite_enabled/variables.tf b/modules/gsuite_enabled/variables.tf
@@ -194,3 +194,9 @@ variable "budget_alert_spent_percents" {
   type        = list(number)
   default     = [0.5, 0.7, 1.0]
 }
+
+variable "use_tf_google_credentials_env_var" {
+  description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
+  type        = bool
+  default     = false
+}
diff --git a/modules/shared_vpc/main.tf b/modules/shared_vpc/main.tf
@@ -28,33 +28,34 @@ module "gsuite_group" {
 module "project-factory" {
   source = "../core_project_factory"
 
-  group_email                 = module.gsuite_group.email
-  group_role                  = var.group_role
-  lien                        = var.lien
-  manage_group                = var.group_name != "" ? "true" : "false"
-  random_project_id           = var.random_project_id
-  org_id                      = var.org_id
-  name                        = var.name
-  project_id                  = var.project_id
-  shared_vpc                  = var.shared_vpc
-  shared_vpc_enabled          = true
-  billing_account             = var.billing_account
-  folder_id                   = var.folder_id
-  sa_role                     = var.sa_role
-  activate_apis               = var.activate_apis
-  usage_bucket_name           = var.usage_bucket_name
-  usage_bucket_prefix         = var.usage_bucket_prefix
-  credentials_path            = var.credentials_path
-  shared_vpc_subnets          = var.shared_vpc_subnets
-  labels                      = var.labels
-  bucket_project              = var.bucket_project
-  bucket_name                 = var.bucket_name
-  bucket_location             = var.bucket_location
-  auto_create_network         = var.auto_create_network
-  disable_services_on_destroy = var.disable_services_on_destroy
-  default_service_account     = var.default_service_account
-  disable_dependent_services  = var.disable_dependent_services
-  python_interpreter_path     = var.python_interpreter_path
+  group_email                       = module.gsuite_group.email
+  group_role                        = var.group_role
+  lien                              = var.lien
+  manage_group                      = var.group_name != "" ? "true" : "false"
+  random_project_id                 = var.random_project_id
+  org_id                            = var.org_id
+  name                              = var.name
+  project_id                        = var.project_id
+  shared_vpc                        = var.shared_vpc
+  shared_vpc_enabled                = true
+  billing_account                   = var.billing_account
+  folder_id                         = var.folder_id
+  sa_role                           = var.sa_role
+  activate_apis                     = var.activate_apis
+  usage_bucket_name                 = var.usage_bucket_name
+  usage_bucket_prefix               = var.usage_bucket_prefix
+  credentials_path                  = var.credentials_path
+  shared_vpc_subnets                = var.shared_vpc_subnets
+  labels                            = var.labels
+  bucket_project                    = var.bucket_project
+  bucket_name                       = var.bucket_name
+  bucket_location                   = var.bucket_location
+  auto_create_network               = var.auto_create_network
+  disable_services_on_destroy       = var.disable_services_on_destroy
+  default_service_account           = var.default_service_account
+  disable_dependent_services        = var.disable_dependent_services
+  python_interpreter_path           = var.python_interpreter_path
+  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
 }
 
 /******************************************

diff --git a/modules/shared_vpc/variables.tf b/modules/shared_vpc/variables.tf
@@ -188,3 +188,9 @@ variable "budget_alert_spent_percents" {
   type        = list(number)
   default     = [0.5, 0.7, 1.0]
 }
+
+variable "use_tf_google_credentials_env_var" {
+  description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
+  type        = bool
+  default     = false
+}
diff --git a/variables.tf b/variables.tf
@@ -179,6 +179,12 @@ variable "pip_executable_path" {
   default     = "pip3"
 }
 
+variable "use_tf_google_credentials_env_var" {
+  description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
+  type        = bool
+  default     = false
+}
+
 variable "budget_amount" {
   description = "The amount to use for a budget alert"
   type        = number