feat: Allow override of quotas on projects (#468)

README.md

@@ -122,6 +122,7 @@ determining that location is as follows:
 | budget\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` | <pre>[<br>  0.5,<br>  0.7,<br>  1<br>]</pre> | no |
 | budget\_amount | The amount to use for a budget alert | `number` | `null` | no |
 | budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
+| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | `[]` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
 | credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |
 | default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |

examples/quota_project/README.md

@@ -0,0 +1,18 @@
+# Budget Project
+
+This example illustrates how to use quota_manager submodule to override customer quotas.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The GCP project you want to override the consumer quotas. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| quota\_overrides | The server-generated names of the quota override in the provided project. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/quota_project/main.tf

@@ -0,0 +1,53 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  version = "~> 3.54"
+}
+
+provider "google-beta" {
+  version = "~> 3.54"
+}
+
+provider "null" {
+  version = "~> 2.1"
+}
+
+provider "random" {
+  version = "~> 2.2"
+}
+
+/******************************************
+  Consumer Quota
+ *****************************************/
+module "project_quota_manager" {
+  source = "../../modules/quota_manager"
+
+  project_id = var.project_id
+  consumer_quotas = [
+    {
+      service = "compute.googleapis.com"
+      metric  = "SimulateMaintenanceEventGroup"
+      limit   = "%2F100s%2Fproject"
+      value   = "19"
+      }, {
+      service = "servicemanagement.googleapis.com"
+      metric  = "servicemanagement.googleapis.com%2Fdefault_requests"
+      limit   = "%2Fmin%2Fproject"
+      value   = "95"
+    }
+  ]
+}

examples/quota_project/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "quota_overrides" {
+  description = "The server-generated names of the quota override in the provided project."
+  value       = module.project_quota_manager.quota_overrides
+}

examples/quota_project/variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The GCP project you want to override the consumer quotas."
+  type        = string
+}

examples/quota_project/versions.tf

@@ -0,0 +1,33 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+    }
+    google-beta = {
+      source = "hashicorp/google-beta"
+    }
+    null = {
+      source = "hashicorp/null"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+}

examples/shared_vpc/variables.tf

@@ -40,4 +40,3 @@ variable "network_name" {
   description = "Name for Shared VPC network"
   default     = "shared-network"
 }
-

main.tf

@@ -93,3 +93,13 @@ module "budget" {
   alert_pubsub_topic               = var.budget_alert_pubsub_topic
   monitoring_notification_channels = var.budget_monitoring_notification_channels
 }
+
+/******************************************
+  Quota to override if metrics are set
+ *****************************************/
+module "quotas" {
+  source = "./modules/quota_manager"
+
+  project_id      = module.project-factory.project_id
+  consumer_quotas = var.consumer_quotas
+}

modules/gsuite_enabled/README.md

@@ -70,6 +70,7 @@ The roles granted are specifically:
 | budget\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` | <pre>[<br>  0.5,<br>  0.7,<br>  1<br>]</pre> | no |
 | budget\_amount | The amount to use for a budget alert | `number` | `null` | no |
 | budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
+| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | `[]` | no |
 | create\_group | Whether to create the group or not | `bool` | `false` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
 | credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | `string` | `""` | no |

modules/gsuite_enabled/main.tf

@@ -116,3 +116,12 @@ module "budget" {
   alert_pubsub_topic               = var.budget_alert_pubsub_topic
   monitoring_notification_channels = var.budget_monitoring_notification_channels
 }
+
+/******************************************
+  Consumer Quota
+ *****************************************/
+module "project_quota_manager" {
+  source          = "../../modules/quota_manager"
+  project_id      = module.project-factory.project_id
+  consumer_quotas = var.consumer_quotas
+}

modules/gsuite_enabled/variables.tf

@@ -214,3 +214,14 @@ variable "budget_alert_spent_percents" {
   type        = list(number)
   default     = [0.5, 0.7, 1.0]
 }
+
+variable "consumer_quotas" {
+  description = "The quotas configuration you want to override for the project."
+  type = list(object({
+    service = string,
+    metric  = string,
+    limit   = string,
+    value   = string,
+  }))
+  default = []
+}

modules/quota_manager/README.md

@@ -0,0 +1,43 @@
+# Consumer quota override for a project
+
+This module allows to manage the consumer override of quotas of a [google service usage consumer quota override](https://www.terraform.io/docs/providers/google/r/service_usage_consumer_quota_override.html) tied to a specific `project_id`
+
+## Usage
+
+Basic usage of this module is as follows:
+
+```hcl
+module "project_quota_manager" {
+  source          = "terraform-google-modules/project-factory/google//modules/quota_manager"
+  project         = "my-project-id"
+  consumer_quotas = [
+    {
+        service        = "compute.googleapis.com"
+        metric         = "SimulateMaintenanceEventGroup"
+        limit          = "%2F100s%2Fproject"
+        value = "19"
+    },{
+        service        = "servicemanagement.googleapis.com"
+        metric         = "servicemanagement.googleapis.com%2Fdefault_requests"
+        limit          = "%2Fmin%2Fproject"
+        value = "95"
+    }
+  ]
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | n/a | yes |
+| project\_id | The GCP project where you want to manage the consumer quotas | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| quota\_overrides | The server-generated names of the quota override. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/quota_manager/main.tf

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  consumer_quotas = { for index, quota in var.consumer_quotas : "${quota.service}-${quota.metric}" => quota }
+}
+
+resource "google_service_usage_consumer_quota_override" "override" {
+  provider = google-beta
+  for_each = local.consumer_quotas
+
+  project        = var.project_id
+  service        = each.value.service
+  metric         = each.value.metric
+  limit          = each.value.limit
+  override_value = each.value.value
+  force          = true
+}

modules/quota_manager/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "quota_overrides" {
+  description = "The server-generated names of the quota override."
+  value       = google_service_usage_consumer_quota_override.override
+}

modules/quota_manager/variables.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The GCP project where you want to manage the consumer quotas"
+  type        = string
+}
+
+variable "consumer_quotas" {
+  description = "The quotas configuration you want to override for the project."
+  type = list(object({
+    service = string,
+    metric  = string,
+    limit   = string,
+    value   = string,
+  }))
+}

modules/quota_manager/versions.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">=0.12.6, <0.14"
+
+  required_providers {
+    google-beta = ">= 3.1, < 4.0"
+  }
+}

variables.tf

@@ -246,3 +246,14 @@ variable "grant_services_security_admin_role" {
   type        = bool
   default     = false
 }
+
+variable "consumer_quotas" {
+  description = "The quotas configuration you want to override for the project."
+  type = list(object({
+    service = string,
+    metric  = string,
+    limit   = string,
+    value   = string,
+  }))
+  default = []
+}