initial import from internal modules

Author: ludoo

README.md

@@ -1,10 +1,14 @@
-# terraform-google-service-accounts
+# Terraform Service Accounts Module
 
-This module was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template/), which by default generates a module that simply creates a GCS bucket. As the module develops, this README should be updated.
+This module allows easy creation of one or more service accounts, and granting them basic roles.
 
 The resources/services/activations/deletions that this module will create/trigger are:
 
-- Create a GCS bucket with the provided name
+- one or more service accounts
+- optional project-level IAM role bindings for each service account
+- one optional billing IAM role binding per service account, at the organization or billing account level
+- two optional organization-level IAM bindings per service account, to enable the service accounts to create and manage Shared VPC networks
+- one optional service account key per service account
 
 ## Usage
 
@@ -14,9 +18,13 @@ Basic usage of this module is as follows:
 module "service_accounts" {
   source  = "terraform-google-modules/service-accounts/google"
   version = "~> 0.1"
-
   project_id  = "<PROJECT ID>"
-  bucket_name = "gcs-test-bucket"
+  prefix        = ""
+  names         = ["test-first", "test-second"]
+  project_roles = [
+    "project-foo=>roles/viewer",
+    "project-spam=>roles/storage.objectViewer",
+  ]
 }
 ```
 
@@ -25,6 +33,30 @@ Functional examples are included in the
 
 [^]: (autogen_docs_start)
 
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| billing\_account\_id | If assigning billing role, specificy a billing account (default is to assign at the organizational level). | string | `""` | no |
+| generate\_keys | Generate keys for service accounts. | string | `"false"` | no |
+| grant\_billing\_role | Grant billing user role. | string | `"false"` | no |
+| grant\_xpn\_roles | Grant roles for shared VPC management. | string | `"true"` | no |
+| names | Names of the service accounts to create. | list | `<list>` | no |
+| org\_id | Id of the organization for org-level roles. | string | `""` | no |
+| prefix | Prefix applied to service account names. | string | `""` | no |
+| project\_id | Project id where service account will be created. | string | n/a | yes |
+| project\_roles | Common roles to apply to all service accounts, project=>role as elements. | list | `<list>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | Service account email (single-use case). |
+| emails | Map of service account emails. |
+| iam\_email | IAM-format service account email (single-use case). |
+| iam\_emails | IAM-format service account emails. |
+| keys | Map of service account keys. |
+
 [^]: (autogen_docs_end)
 
 ## Requirements
@@ -36,28 +68,14 @@ These sections describe requirements for using this module.
 The following dependencies must be available:
 
 - [Terraform][terraform] v0.11
-- [Terraform Provider for GCP][terraform-provider-gcp] plugin v2.0
-
-### Service Account
-
-A service account with the following roles must be used to provision
-the resources of this module:
-
-- Storage Admin: `roles/storage.admin`
-
-The [Project Factory module][project-factory-module] and the
-[IAM module][iam-module] may be used in combination to provision a
-service account with the necessary roles applied.
-
-### APIs
+- [Terraform Provider for GCP][terraform-provider-gcp] plugin >= v2.0
 
-A project with the following APIs enabled must be used to host the
-resources of this module:
+### IAM
 
-- Google Cloud Storage JSON API: `storage-api.googleapis.com`
+Service account or user credentials with the following roles must be used to provision the resources of this module:
 
-The [Project Factory module][project-factory-module] can be used to
-provision a project with the necessary APIs enabled.
+- Service Account Admin: `roles/iam.serviceAccountAdmin`
+- roles needed to grant optional IAM roles at the project or organizational level
 
 ## Contributing
 

examples/multiple_service_accounts/README.md

@@ -0,0 +1,27 @@
+# Simple Example
+
+This example illustrates how to use the `service-accounts` module.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| project\_id | The ID of the project in which to provision resources. | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| emails | The service account emails. |
+| iam\_emails | The service account IAM-format emails. |
+| keys | The service account keys. |
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/multiple_service_accounts/main.tf

@@ -0,0 +1,32 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  version = "~> 2.7.0"
+}
+
+module "service_accounts" {
+  source        = "../.."
+  project_id    = "${var.project_id}"
+  prefix        = ""
+  names         = ["test-first", "test-second"]
+  generate_keys = true
+
+  project_roles = [
+    "${var.project_id}=>roles/viewer",
+    "${var.project_id}=>roles/storage.objectViewer",
+  ]
+}

examples/multiple_service_accounts/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "emails" {
+  description = "The service account emails."
+  value       = "${values(module.service_accounts.emails)}"
+}
+
+output "iam_emails" {
+  description = "The service account IAM-format emails."
+  value       = "${values(module.service_accounts.iam_emails)}"
+}
+
+output "keys" {
+  description = "The service account keys."
+  value       = "${module.service_accounts.keys}"
+}

examples/simple_example/variables.tf renamed to examples/multiple_service_accounts/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2019 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,8 +18,3 @@ variable "project_id" {
   description = "The ID of the project in which to provision resources."
   type        = "string"
 }
-
-variable "bucket_name" {
-  description = "The name of the bucket to create."
-  type        = "string"
-}

examples/simple_example/README.md renamed to examples/single_service_account/README.md

@@ -4,6 +4,19 @@ This example illustrates how to use the `service-accounts` module.
 
 [^]: (autogen_docs_start)
 
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| project\_id | The ID of the project in which to provision resources. | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | The service account email. |
+| iam\_email | The service account IAM-format email. |
+
 [^]: (autogen_docs_end)
 
 To provision this example, run the following from within this directory:

examples/simple_example/main.tf renamed to examples/single_service_account/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2019 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,12 +15,13 @@
  */
 
 provider "google" {
-  version = "~> 2.0"
+  version = "~> 2.7.0"
 }
 
 module "service_accounts" {
-  source = "../.."
-
-  project_id  = "${var.project_id}"
-  bucket_name = "${var.bucket_name}"
+  source        = "../.."
+  project_id    = "${var.project_id}"
+  prefix        = "single-test"
+  names         = ["first"]
+  project_roles = ["${var.project_id}=>roles/viewer"]
 }

examples/single_service_account/outputs.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "email" {
+  description = "The service account email."
+  value       = "${module.service_accounts.email}"
+}
+
+output "iam_email" {
+  description = "The service account IAM-format email."
+  value       = "${module.service_accounts.iam_email}"
+}

examples/simple_example/outputs.tf renamed to examples/single_service_account/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2019 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-output "bucket_name" {
-  description = "The name of the bucket."
-  value       = "${module.service_accounts.bucket_name}"
+variable "project_id" {
+  description = "The ID of the project in which to provision resources."
+  type        = "string"
 }

main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2019 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,11 +14,74 @@
  * limitations under the License.
  */
 
-terraform {
-  required_version = "~> 0.11.0"
+locals {
+  account_billing = "${var.grant_billing_role && var.billing_account_id != ""}"
+  org_billing     = "${var.grant_billing_role && var.billing_account_id == "" && var.org_id != ""}"
+  prefix          = "${var.prefix != "" ? "${var.prefix}-" : ""}"
+  xpn             = "${var.grant_xpn_roles && var.org_id != ""}"
 }
 
-resource "google_storage_bucket" "main" {
-  project = "${var.project_id}"
-  name    = "${var.bucket_name}"
+# create service accounts
+resource "google_service_account" "service_accounts" {
+  count        = "${length(var.names)}"
+  account_id   = "${local.prefix}${lower(element(var.names, count.index))}"
+  display_name = "Terraform-managed service account"
+  project      = "${var.project_id}"
+}
+
+# common roles
+resource "google_project_iam_member" "project-roles" {
+  count = "${length(var.project_roles) * length(var.names)}"
+
+  project = "${element(
+    split("=>", element(var.project_roles, count.index % length(var.names))
+  ), 0)}"
+
+  role = "${element(
+    split("=>", element(var.project_roles, count.index % length(var.names))
+  ), 1)}"
+
+  member = "serviceAccount:${element(
+    google_service_account.service_accounts.*.email,
+    count.index / length(var.project_roles)
+  )}"
+}
+
+# conditionally assign billing user role at the org level
+resource "google_organization_iam_member" "billing_user" {
+  count  = "${local.org_billing ? length(var.names) : 0}"
+  org_id = "${var.org_id}"
+  role   = "roles/billing.user"
+  member = "serviceAccount:${element(google_service_account.service_accounts.*.email, count.index)}"
+}
+
+# conditionally assign billing user role on a specific billing account
+resource "google_billing_account_iam_member" "billing_user" {
+  count              = "${local.account_billing ? length(var.names) : 0}"
+  billing_account_id = "${var.billing_account_id}"
+  role               = "roles/billing.user"
+  member             = "serviceAccount:${element(google_service_account.service_accounts.*.email, count.index)}"
+}
+
+# conditionally assign roles for shared VPC
+# ref: https://cloud.google.com/vpc/docs/shared-vpc
+
+resource "google_organization_iam_member" "xpn_admin" {
+  count  = "${local.xpn ? length(var.names) : 0}"
+  org_id = "${var.org_id}"
+  role   = "roles/compute.xpnAdmin"
+  member = "serviceAccount:${element(google_service_account.service_accounts.*.email, count.index)}"
+}
+
+resource "google_organization_iam_member" "organization_viewer" {
+  count  = "${local.xpn ? length(var.names) : 0}"
+  org_id = "${var.org_id}"
+  role   = "roles/resourcemanager.organizationViewer"
+  member = "serviceAccount:${element(google_service_account.service_accounts.*.email, count.index)}"
+}
+
+# keys
+resource "google_service_account_key" "keys" {
+  count              = "${var.generate_keys ? length(var.names) : 0}"
+  service_account_id = "${element(google_service_account.service_accounts.*.email, count.index)}"
 }