Merge pull request #1 from ludoo/fabric-import-from-internal-module

Initial import from internal modules

Author: aaron-lane

README.md

@@ -1,10 +1,14 @@
-# terraform-google-service-accounts
+# Terraform Service Accounts Module
 
-This module was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template/), which by default generates a module that simply creates a GCS bucket. As the module develops, this README should be updated.
+This module allows easy creation of one or more service accounts, and granting them basic roles.
 
 The resources/services/activations/deletions that this module will create/trigger are:
 
-- Create a GCS bucket with the provided name
+- one or more service accounts
+- optional project-level IAM role bindings for each service account
+- one optional billing IAM role binding per service account, at the organization or billing account level
+- two optional organization-level IAM bindings per service account, to enable the service accounts to create and manage Shared VPC networks
+- one optional service account key per service account
 
 ## Usage
 
@@ -14,9 +18,13 @@ Basic usage of this module is as follows:
 module "service_accounts" {
   source  = "terraform-google-modules/service-accounts/google"
   version = "~> 0.1"
-
   project_id  = "<PROJECT ID>"
-  bucket_name = "gcs-test-bucket"
+  prefix        = ""
+  names         = ["test-first", "test-second"]
+  project_roles = [
+    "project-foo=>roles/viewer",
+    "project-spam=>roles/storage.objectViewer",
+  ]
 }
 ```
 
@@ -25,6 +33,30 @@ Functional examples are included in the
 
 [^]: (autogen_docs_start)
 
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| billing\_account\_id | If assigning billing role, specificy a billing account (default is to assign at the organizational level). | string | `""` | no |
+| generate\_keys | Generate keys for service accounts. | string | `"false"` | no |
+| grant\_billing\_role | Grant billing user role. | string | `"false"` | no |
+| grant\_xpn\_roles | Grant roles for shared VPC management. | string | `"true"` | no |
+| names | Names of the service accounts to create. | list | `<list>` | no |
+| org\_id | Id of the organization for org-level roles. | string | `""` | no |
+| prefix | Prefix applied to service account names. | string | `""` | no |
+| project\_id | Project id where service account will be created. | string | n/a | yes |
+| project\_roles | Common roles to apply to all service accounts, project=>role as elements. | list | `<list>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | Service account email (single-use case). |
+| emails | Map of service account emails. |
+| iam\_email | IAM-format service account email (single-use case). |
+| iam\_emails | IAM-format service account emails. |
+| keys | Map of service account keys. |
+
 [^]: (autogen_docs_end)
 
 ## Requirements
@@ -36,28 +68,14 @@ These sections describe requirements for using this module.
 The following dependencies must be available:
 
 - [Terraform][terraform] v0.11
-- [Terraform Provider for GCP][terraform-provider-gcp] plugin v2.0
-
-### Service Account
-
-A service account with the following roles must be used to provision
-the resources of this module:
-
-- Storage Admin: `roles/storage.admin`
-
-The [Project Factory module][project-factory-module] and the
-[IAM module][iam-module] may be used in combination to provision a
-service account with the necessary roles applied.
-
-### APIs
+- [Terraform Provider for GCP][terraform-provider-gcp] plugin >= v2.0
 
-A project with the following APIs enabled must be used to host the
-resources of this module:
+### IAM
 
-- Google Cloud Storage JSON API: `storage-api.googleapis.com`
+Service account or user credentials with the following roles must be used to provision the resources of this module:
 
-The [Project Factory module][project-factory-module] can be used to
-provision a project with the necessary APIs enabled.
+- Service Account Admin: `roles/iam.serviceAccountAdmin`
+- roles needed to grant optional IAM roles at the project or organizational level
 
 ## Contributing
 

examples/multiple_service_accounts/README.md

@@ -0,0 +1,27 @@
+# Multiple Service Accounts
+
+This example illustrates how to use the `service-accounts` module to generate multiple service accounts.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| project\_id | The ID of the project in which to provision resources. | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| emails | The service account emails. |
+| iam\_emails | The service account IAM-format emails. |
+| keys | The service account keys. |
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/multiple_service_accounts/main.tf

@@ -0,0 +1,32 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  version = "~> 2.7.0"
+}
+
+module "service_accounts" {
+  source        = "../.."
+  project_id    = "${var.project_id}"
+  prefix        = ""
+  names         = ["test-first", "test-second"]
+  generate_keys = true
+
+  project_roles = [
+    "${var.project_id}=>roles/viewer",
+    "${var.project_id}=>roles/storage.objectViewer",
+  ]
+}

examples/multiple_service_accounts/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "emails" {
+  description = "The service account emails."
+  value       = "${values(module.service_accounts.emails)}"
+}
+
+output "iam_emails" {
+  description = "The service account IAM-format emails."
+  value       = "${values(module.service_accounts.iam_emails)}"
+}
+
+output "keys" {
+  description = "The service account keys."
+  value       = "${module.service_accounts.keys}"
+}

examples/multiple_service_accounts/variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The ID of the project in which to provision resources."
+  type        = "string"
+}

examples/simple_example/README.md

@@ -0,0 +1,26 @@
+# Single Service Account
+
+This example illustrates how to use the `service-accounts` module to generate a single service account.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| project\_id | The ID of the project in which to provision resources. | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | The service account email. |
+| iam\_email | The service account IAM-format email. |
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/single_service_account/README.md

@@ -0,0 +1,27 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  version = "~> 2.7.0"
+}
+
+module "service_accounts" {
+  source        = "../.."
+  project_id    = "${var.project_id}"
+  prefix        = "${var.prefix}"
+  names         = ["single-account"]
+  project_roles = ["${var.project_id}=>roles/viewer"]
+}

examples/single_service_account/main.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "email" {
+  description = "The service account email."
+  value       = "${module.service_accounts.email}"
+}
+
+output "iam_email" {
+  description = "The service account IAM-format email."
+  value       = "${module.service_accounts.iam_email}"
+}

examples/single_service_account/outputs.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The ID of the project in which to provision resources."
+  type        = "string"
+}
+
+variable "prefix" {
+  description = "Prefix applied to service account names."
+  default     = ""
+}