

fix: All dependencies on gcloud have been removed. (#491)
BREAKING CHANGE: All null_resources for executing gcloud scripts have been removed. See the upgrade guide for details.
thiagonache authored Nov 10, 2020
1 parent 6d90ff3 commit 5886a4e
Showing 20 changed files with 210 additions and 302 deletions.
2 changes: 0 additions & 2 deletions README.md
Expand Up @@ -140,10 +140,8 @@ determining that location is as follows:
| sa\_role | A role to give the default Service Account for the project (defaults to none) | `string` | `""` | no |
| shared\_vpc | The ID of the host project which hosts the shared VPC | `string` | `""` | no |
| shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `false` | no |
| usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
| usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
| use\_tf\_google\_credentials\_env\_var | Use GOOGLE\_CREDENTIALS environment variable to run gcloud auth activate-service-account with. | `bool` | `false` | no |
| vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no |
| vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no |

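--- a/docs/upgrading_to_project_factory_v10.0.md
+++ b/docs/upgrading_to_project_factory_v10.0.md
@@ -0,0 +1,190 @@
+# Upgrading to Project Factory v10.0
+
+The v10.0 release of Project Factory is a backwards incompatible release for
+all modules since the breaking change is on
+[core_project_factory](../modules/core_project_factory) module which removes the
+need of gcloud and local-execs.
+
+## Migration Instructions
+
+Remove any references to `skip_gcloud_download and use_tf_google_credentials_env_var` if applicable.
+
+## Upgrade provider version
+
+The new resource which replaces the gcloud commands is only available on version
+3.47 of Google's terraform provider. So, make sure you relax the version range
+or set it to 3.47. Finally, run terraform apply.
+
+```diff
+An execution plan has been generated and is shown below.
+Resource actions are indicated with the following symbols:
++ create
+- destroy
+
+Terraform will perform the following actions:
+
+# module.project-factory.module.project-factory.google_project_default_service_accounts.default_service_accounts will be created
++ resource "google_project_default_service_accounts" "default_service_accounts" {
++ action = "DISABLE"
++ id = (known after apply)
++ project = "pf-test-1-6331"
++ restore_policy = "REVERT"
++ service_accounts = (known after apply)
+}
+
+# module.project-factory.module.project-factory.null_resource.preconditions will be destroyed
+- resource "null_resource" "preconditions" {
+- id = "8792279262642897492" -> null
+- triggers = {
+- "billing_account" = "REDACTED"
+- "credentials_path" = ""
+- "folder_id" = ""
+- "org_id" = "REDACTED"
+- "shared_vpc" = ""
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_delete.random_id.cache will be destroyed
+- resource "random_id" "cache" {
+- b64 = "s0C2TA" -> null
+- b64_std = "s0C2TA==" -> null
+- b64_url = "s0C2TA" -> null
+- byte_length = 4 -> null
+- dec = "3007362636" -> null
+- hex = "b340b64c" -> null
+- id = "s0C2TA" -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_deprivilege.random_id.cache will be destroyed
+- resource "random_id" "cache" {
+- b64 = "hPQCIQ" -> null
+- b64_std = "hPQCIQ==" -> null
+- b64_url = "hPQCIQ" -> null
+- byte_length = 4 -> null
+- dec = "2230583841" -> null
+- hex = "84f40221" -> null
+- id = "hPQCIQ" -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.null_resource.decompress[0] will be destroyed
+- resource "null_resource" "decompress" {
+- id = "4421481963953862822" -> null
+- triggers = {
+- "activated_apis" = "compute.googleapis.com"
+- "arguments" = "bb0200e91aab415a1093a47a1cb2290c"
+- "decompress_command" = "tar -xzf .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk.tar.gz -C .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a && cp .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin/"
+- "default_service_account" = "769221705452-compute@developer.gserviceaccount.com"
+- "download_gcloud_command" = "curl -sL -o .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk.tar.gz https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-281.0.0-linux-x86_64.tar.gz"
+- "download_jq_command" = "curl -sL -o .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && chmod +x .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq"
+- "md5" = "8724d44955a417594c942e0101e4fe82"
+- "project_services" = "pf-test-1-6331"
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.null_resource.decompress_destroy[0] will be destroyed
+- resource "null_resource" "decompress_destroy" {
+- id = "5873000014534982711" -> null
+- triggers = {
+- "decompress_command" = "tar -xzf .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk.tar.gz -C .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a && cp .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin/"
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.null_resource.download_gcloud[0] will be destroyed
+- resource "null_resource" "download_gcloud" {
+- id = "8730604705650342734" -> null
+- triggers = {
+- "activated_apis" = "compute.googleapis.com"
+- "arguments" = "bb0200e91aab415a1093a47a1cb2290c"
+- "default_service_account" = "769221705452-compute@developer.gserviceaccount.com"
+- "download_gcloud_command" = "curl -sL -o .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk.tar.gz https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-281.0.0-linux-x86_64.tar.gz"
+- "md5" = "8724d44955a417594c942e0101e4fe82"
+- "project_services" = "pf-test-1-6331"
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.null_resource.download_jq[0] will be destroyed
+- resource "null_resource" "download_jq" {
+- id = "5384550100564211294" -> null
+- triggers = {
+- "activated_apis" = "compute.googleapis.com"
+- "arguments" = "bb0200e91aab415a1093a47a1cb2290c"
+- "default_service_account" = "769221705452-compute@developer.gserviceaccount.com"
+- "download_jq_command" = "curl -sL -o .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && chmod +x .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq"
+- "md5" = "8724d44955a417594c942e0101e4fe82"
+- "project_services" = "pf-test-1-6331"
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.null_resource.prepare_cache[0] will be destroyed
+- resource "null_resource" "prepare_cache" {
+- id = "6650067270784592334" -> null
+- triggers = {
+- "activated_apis" = "compute.googleapis.com"
+- "arguments" = "bb0200e91aab415a1093a47a1cb2290c"
+- "default_service_account" = "769221705452-compute@developer.gserviceaccount.com"
+- "md5" = "8724d44955a417594c942e0101e4fe82"
+- "prepare_cache_command" = "mkdir .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a"
+- "project_services" = "pf-test-1-6331"
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.null_resource.run_command[0] will be destroyed
+- resource "null_resource" "run_command" {
+- id = "4614340806538524817" -> null
+- triggers = {
+- "activated_apis" = "compute.googleapis.com"
+- "arguments" = "bb0200e91aab415a1093a47a1cb2290c"
+- "create_cmd_body" = <<~EOT
+--project_id='pf-test-1-6331' \
+--sa_id='769221705452-compute@developer.gserviceaccount.com' \
+--credentials_path='' \
+--impersonate-service-account='' \
+--action='disable'
+EOT
+- "create_cmd_entrypoint" = ".terraform/modules/project-factory/modules/core_project_factory/scripts/modify-service-account.sh"
+- "default_service_account" = "769221705452-compute@developer.gserviceaccount.com"
+- "destroy_cmd_body" = "info"
+- "destroy_cmd_entrypoint" = "gcloud"
+- "gcloud_bin_abs_path" = "/Users/thiagocarvalho/dev/thiagonache/community/pdsa/.terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin"
+- "md5" = "8724d44955a417594c942e0101e4fe82"
+- "project_services" = "pf-test-1-6331"
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.null_resource.upgrade[0] will be destroyed
+- resource "null_resource" "upgrade" {
+- id = "3764618213551542611" -> null
+- triggers = {
+- "activated_apis" = "compute.googleapis.com"
+- "arguments" = "bb0200e91aab415a1093a47a1cb2290c"
+- "default_service_account" = "769221705452-compute@developer.gserviceaccount.com"
+- "md5" = "8724d44955a417594c942e0101e4fe82"
+- "project_services" = "pf-test-1-6331"
+- "upgrade_command" = ".terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin/gcloud components update --quiet"
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.null_resource.upgrade_destroy[0] will be destroyed
+- resource "null_resource" "upgrade_destroy" {
+- id = "1128888759850027996" -> null
+- triggers = {
+- "upgrade_command" = ".terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin/gcloud components update --quiet"
+} -> null
+}
+
+# module.project-factory.module.project-factory.module.gcloud_disable.random_id.cache will be destroyed
+- resource "random_id" "cache" {
+- b64 = "FhNhig" -> null
+- b64_std = "FhNhig==" -> null
+- b64_url = "FhNhig" -> null
+- byte_length = 4 -> null
+- dec = "370368906" -> null
+- hex = "1613618a" -> null
+- id = "FhNhig" -> null
+}
+
+Plan: 1 to add, 0 to change, 12 to destroy.
+```
+
+It is okay to create the resource since the API does not return error if you try
+to disable a disabled service account or delete a deleted service account.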
3 changes: 0 additions & 3 deletions examples/shared_vpc/main.tf
Expand Up @@ -48,7 +48,6 @@ module "host-project" {
org_id = var.organization_id
folder_id = var.folder_id
billing_account = var.billing_account
skip_gcloud_download = true
enable_shared_vpc_host_project = true
}

Expand Down Expand Up @@ -124,7 +123,6 @@ module "service-project" {
]

disable_services_on_destroy = "false"
skip_gcloud_download = "true"
}

/******************************************
Expand All @@ -150,7 +148,6 @@ module "service-project-b" {
]

disable_services_on_destroy = "false"
skip_gcloud_download = "true"
}

/******************************************
2 changes: 0 additions & 2 deletions main.tf
Expand Up @@ -58,8 +58,6 @@ module "project-factory" {
disable_services_on_destroy = var.disable_services_on_destroy
default_service_account = var.default_service_account
disable_dependent_services = var.disable_dependent_services
use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
skip_gcloud_download = var.skip_gcloud_download
vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled
vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
}
97 changes: 5 additions & 92 deletions modules/core_project_factory/main.tf
Expand Up @@ -117,98 +117,11 @@ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
depends_on = [module.project_services]
}

/******************************************
Default compute service account retrieval
*****************************************/
data "null_data_source" "default_service_account" {
inputs = {
email = "${google_project.main.number}-compute@developer.gserviceaccount.com"
}
}

/******************************************
Default compute service account deletion
*****************************************/
module "gcloud_delete" {
source = "terraform-google-modules/gcloud/google"
version = "~> 2.0.0"

enabled = var.default_service_account == "delete"
use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var

skip_download = var.skip_gcloud_download

create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
create_cmd_body = <<-EOT
--project_id='${google_project.main.project_id}' \
--sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
--credentials_path='${var.credentials_path}' \
--impersonate-service-account='${var.impersonate_service_account}' \
--action='delete'
EOT

create_cmd_triggers = {
default_service_account = data.null_data_source.default_service_account.outputs["email"]
activated_apis = join(",", local.activate_apis)
project_services = module.project_services.project_id
}
}

/*********************************************
Default compute service account deprivilege
********************************************/
module "gcloud_deprivilege" {
source = "terraform-google-modules/gcloud/google"
version = "~> 2.0.0"

enabled = var.default_service_account == "deprivilege"
use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var

skip_download = var.skip_gcloud_download

create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
create_cmd_body = <<-EOT
--project_id='${google_project.main.project_id}' \
--sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
--credentials_path='${var.credentials_path}' \
--impersonate-service-account='${var.impersonate_service_account}' \
--action='deprivilege'
EOT

create_cmd_triggers = {
default_service_account = data.null_data_source.default_service_account.outputs["email"]
activated_apis = join(",", local.activate_apis)
project_services = module.project_services.project_id
}
}

/******************************************
Default compute service account disable
*****************************************/
module "gcloud_disable" {
source = "terraform-google-modules/gcloud/google"
version = "~> 2.0.0"

enabled = var.default_service_account == "disable"
use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var

skip_download = var.skip_gcloud_download

create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
create_cmd_body = <<-EOT
--project_id='${google_project.main.project_id}' \
--sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
--credentials_path='${var.credentials_path}' \
--impersonate-service-account='${var.impersonate_service_account}' \
--action='disable'
EOT

create_cmd_triggers = {
default_service_account = data.null_data_source.default_service_account.outputs["email"]
activated_apis = join(",", local.activate_apis)
project_services = module.project_services.project_id
}

resource "google_project_default_service_accounts" "default_service_accounts" {
action = upper(var.default_service_account)
project = google_project.main.project_id
restore_policy = "REVERT"
depends_on = [module.project_services]
}

/******************************************
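Review bot: The new `google_project_default_service_accounts` resource is created unconditionally, while each removed `gcloud_*` module was gated with `enabled = var.default_service_account == "delete"|"deprivilege"|"disable"`, so any other value of the variable (the per-value guards imply such a value was accepted before) now reaches `action = upper(var.default_service_account)` and is rejected by the provider instead of leaving the default account untouched. If the variable's validation elsewhere does not already restrict it to those three actions, a guard such as `count = contains(["delete", "deprivilege", "disable"], var.default_service_account) ? 1 : 0` keeps the old opt-out behaviour. `restore_policy = "REVERT"` also changes destroy semantics: the removed null_resource ran `gcloud info` as its destroy command, whereas the provider will now try to restore the default service account (re-enable or undelete, effectively handing its roles back) when this resource leaves state; a comment above the block stating that intent, e.g. `# REVERT re-enables/undeletes the default SA on destroy; use "NONE" if the account must stay disabled`, would make the choice explicit for operators.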
