Merge branch 'master' into feature/add-autogenerator

CHANGELOG.md

@@ -8,6 +8,21 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 
+### Changed
+
+- Changed required `google` provider version to `>= 2.1, < 4.0` [#350]
+
+## [6.2.0] - 2019-12-27
+
+### Added
+
+- The `pip_executable_path` variable which can be altered to support execution in a Windows environment. [#343]
+- The `modify-service-account.sh` steps are now executed in the context of the `terraform-google-gcloud` module so there is no longer a dependency on having `gcloud` installed on the host. [#343]
+
+### Fixed
+
+- The precondition script is fixed and will run successfully. `on_failure = "continue"` was also removed to prevent silent failures. [#343]
+
 ## [6.1.0] - 2019-12-18
 
 ### Added
@@ -261,7 +276,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### ADDED
 - This is the initial release of the Project Factory Module.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v6.1.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v6.2.0...HEAD
+[6.2.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v6.1.0...v6.2.0
 [6.1.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v6.0.0...v6.1.0
 [6.0.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v5.0.0...v6.0.0
 [5.0.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v4.0.1...v5.0.0
@@ -294,6 +310,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 [0.2.1]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v0.1.0...v0.2.0
 
+[#350]: https://github.com/terraform-google-modules/terraform-google-project-factory/issues/350
+[#343]: https://github.com/terraform-google-modules/terraform-google-project-factory/issues/343
 [#345]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/345
 [#341]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/341
 [#338]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/338

README.md

@@ -134,6 +134,7 @@ determining that location is as follows:
 | lien | Add a lien on the project to prevent accidental deletion | bool | `"false"` | no |
 | name | The name for the project | string | n/a | yes |
 | org\_id | The organization ID. | string | n/a | yes |
+| pip\_executable\_path | Pip executable path for precondition requirements.txt install. | string | `"pip3"` | no |
 | project\_id | If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. | string | `""` | no |
 | python\_interpreter\_path | Python interpreter path for precondition check script. | string | `"python3"` | no |
 | random\_project\_id | Enables project random id generation. Mutually exclusive with project_id being non-empty. | bool | `"false"` | no |
@@ -169,8 +170,8 @@ determining that location is as follows:
 -   [gcloud sdk](https://cloud.google.com/sdk/install) >= 269.0.0
 -   [jq](https://stedolan.github.io/jq/) >= 1.6
 -   [Terraform](https://www.terraform.io/downloads.html) >= 0.12.6
--   [terraform-provider-google] plugin 2.1.x
--   [terraform-provider-google-beta] plugin 2.1.x
+-   [terraform-provider-google] plugin >= 2.1, < 4.0
+-   [terraform-provider-google-beta] plugin >= 2.1, < 4.0
 -   [terraform-provider-gsuite] plugin 0.1.x if GSuite functionality is desired
 
 ### Permissions
@@ -232,7 +233,7 @@ credentials to pass to these scripts. Credentials can be provided via two mechan
     ```terraform
     provider "google" {
       credentials = "${file(var.credentials_path)}"
-      version = "~> 1.20"
+      version = "~> 3.3"
     }
 
     module "project-factory" {
@@ -250,7 +251,7 @@ credentials to pass to these scripts. Credentials can be provided via two mechan
    provider "google" {
      # Terraform will check the `GOOGLE_APPLICATION_CREDENTIALS` variable, so no `credentials`
      # value is needed here.
-      version = "~> 1.20"
+      version = "~> 3.3"
    }
 
    module "project-factory" {

examples/simple_project/main.tf

@@ -23,12 +23,12 @@ locals {
  *****************************************/
 provider "google" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 2.18.1"
+  version     = "~> 3.3.0"
 }
 
 provider "google-beta" {
   credentials = file(local.credentials_file_path)
-  version     = "~> 2.18.1"
+  version     = "~> 3.3.0"
 }
 
 provider "null" {

main.tf

@@ -58,4 +58,5 @@ module "project-factory" {
   default_service_account     = var.default_service_account
   disable_dependent_services  = var.disable_dependent_services
   python_interpreter_path     = var.python_interpreter_path
+  pip_executable_path         = var.pip_executable_path
 }

modules/app_engine/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google = "~> 2.1"
+    google = ">= 2.1, < 4.0"
   }
 }

modules/core_project_factory/locals.tf

@@ -20,13 +20,12 @@ locals {
   pip_requirements_absolute_path = join("/", [local.preconditions_path, "requirements.txt"])
   preconditions_py_absolute_path = join("/", [local.preconditions_path, "preconditions.py"])
   attributes = {
-    billing_account_attr             = var.billing_account
-    org_id_attr                      = var.org_id
-    credentials_path_attr            = var.credentials_path
-    impersonate_service_account_attr = var.impersonate_service_account
-    folder_id_attr                   = var.folder_id
-    shared_vpc_attr                  = var.shared_vpc
+    billing_account             = var.billing_account
+    org_id                      = var.org_id
+    credentials_path            = var.credentials_path
+    impersonate_service_account = var.impersonate_service_account
+    folder_id                   = var.folder_id
+    shared_vpc                  = var.shared_vpc
   }
-  preconditions_command = "${var.python_interpreter_path} ${local.preconditions_py_absolute_path} %{for key, value in local.attributes}--${key} ${value} %{endfor}"
+  preconditions_command = "${var.python_interpreter_path} ${local.preconditions_py_absolute_path} %{for key, value in local.attributes}--${key}=\"${value}\" %{endfor}"
 }
-

modules/core_project_factory/main.tf

@@ -77,13 +77,11 @@ resource "null_resource" "preconditions" {
 
   provisioner "local-exec" {
     command     = local.pip_requirements_absolute_path
-    interpreter = ["pip3", "install", "-r"]
-    on_failure  = "continue"
+    interpreter = [var.pip_executable_path, "install", "-r"]
   }
 
   provisioner "local-exec" {
-    command    = local.preconditions_command
-    on_failure = "continue"
+    command = local.preconditions_command
     environment = {
       GRACEFUL_IMPORTERROR = "true"
     }
@@ -183,84 +181,77 @@ data "null_data_source" "default_service_account" {
 /******************************************
   Default compute service account deletion
  *****************************************/
-resource "null_resource" "delete_default_compute_service_account" {
-  count = var.default_service_account == "delete" ? 1 : 0
-
-  provisioner "local-exec" {
-    command    = <<EOD
-${path.module}/scripts/modify-service-account.sh \
-  --project_id='${google_project.main.project_id}' \
-  --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-  --credentials_path='${var.credentials_path}' \
-  --impersonate-service-account='${var.impersonate_service_account}' \
-  --action='delete'
-EOD
-    on_failure = "continue"
-  }
-
-  triggers = {
+module "gcloud_delete" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 0.3"
+
+  enabled = var.default_service_account == "delete"
+
+  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
+  create_cmd_body       = <<-EOT
+    --project_id='${google_project.main.project_id}' \
+    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
+    --credentials_path='${var.credentials_path}' \
+    --impersonate-service-account='${var.impersonate_service_account}' \
+    --action='delete'
+  EOT
+
+  create_cmd_triggers = {
     default_service_account = data.null_data_source.default_service_account.outputs["email"]
     activated_apis          = join(",", local.activate_apis)
+    project_services        = module.project_services.project_id
   }
-
-  depends_on = [
-    module.project_services,
-  ]
 }
 
 /*********************************************
   Default compute service account deprivilege
  ********************************************/
-resource "null_resource" "deprivilege_default_compute_service_account" {
-  count = var.default_service_account == "deprivilege" ? 1 : 0
-
-  provisioner "local-exec" {
-    command    = <<EOD
-${path.module}/scripts/modify-service-account.sh \
-  --project_id='${google_project.main.project_id}' \
-  --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-  --credentials_path='${var.credentials_path}' \
-  --impersonate-service-account='${var.impersonate_service_account}' \
-  --action='deprivilege'
-EOD
-    on_failure = "continue"
-  }
-
-  triggers = {
+module "gcloud_deprivilege" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 0.3"
+
+  enabled = var.default_service_account == "deprivilege"
+
+  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
+  create_cmd_body       = <<-EOT
+    --project_id='${google_project.main.project_id}' \
+    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
+    --credentials_path='${var.credentials_path}' \
+    --impersonate-service-account='${var.impersonate_service_account}' \
+    --action='deprivilege'
+  EOT
+
+  create_cmd_triggers = {
     default_service_account = data.null_data_source.default_service_account.outputs["email"]
     activated_apis          = join(",", local.activate_apis)
+    project_services        = module.project_services.project_id
   }
-
-  depends_on = [
-    module.project_services,
-  ]
 }
 
 /******************************************
   Default compute service account disable
  *****************************************/
-resource "null_resource" "disable_default_compute_service_account" {
-  count = var.default_service_account == "disable" ? 1 : 0
-
-  provisioner "local-exec" {
-    command = <<EOD
-${path.module}/scripts/modify-service-account.sh \
-  --project_id='${google_project.main.project_id}' \
-  --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-  --credentials_path='${var.credentials_path}' \
-  --impersonate-service-account='${var.impersonate_service_account}' \
-  --action='disable'
-EOD
-  }
-
-  triggers = {
+module "gcloud_disable" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 0.3"
+
+  enabled = var.default_service_account == "disable"
+
+  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
+  create_cmd_body       = <<-EOT
+    --project_id='${google_project.main.project_id}' \
+    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
+    --credentials_path='${var.credentials_path}' \
+    --impersonate-service-account='${var.impersonate_service_account}' \
+    --action='disable'
+  EOT
+
+  create_cmd_triggers = {
     default_service_account = data.null_data_source.default_service_account.outputs["email"]
     activated_apis          = join(",", local.activate_apis)
+    project_services        = module.project_services.project_id
   }
 
-  depends_on = [
-    module.project_services,
-  ]
 }
 
 /******************************************
@@ -496,4 +487,3 @@ resource "google_project_iam_member" "gke_host_agent" {
     module.project_services,
   ]
 }
-

modules/core_project_factory/scripts/modify-service-account.sh

@@ -126,6 +126,3 @@ case $SA_ACTION in
       echo "$SA_ACTION is not a valid action, nothing to do."
       ;;
 esac
-
-
-

modules/core_project_factory/scripts/preconditions/requirements.txt

@@ -1,2 +1,3 @@
 google-api-python-client~=1.7
 google-auth~=1.6
+requests~=2.22

modules/core_project_factory/variables.tf

@@ -178,3 +178,8 @@ variable "python_interpreter_path" {
   default     = "python3"
 }
 
+variable "pip_executable_path" {
+  description = "Pip executable path for precondition requirements.txt install."
+  type        = string
+  default     = "pip3"
+}

modules/core_project_factory/versions.tf

@@ -18,8 +18,8 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google      = "~> 2.1"
-    google-beta = "~> 2.1"
+    google      = ">= 2.1, < 4.0"
+    google-beta = ">= 2.1, < 4.0"
     null        = "~> 2.1"
     random      = "~> 2.2"
   }

modules/gsuite_group/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google = "~> 2.1"
+    google = ">= 2.1, < 4.0"
   }
 }

modules/project_services/versions.tf

@@ -18,6 +18,6 @@ terraform {
   required_version = "~> 0.12.6"
 
   required_providers {
-    google = "~> 2.1"
+    google = ">= 2.1, < 4.0"
   }
 }

test/fixtures/minimal/main.tf

@@ -15,11 +15,11 @@
  */
 
 provider "google" {
-  version = "~> 2.18.1"
+  version = "~> 3.3.0"
 }
 
 provider "google-beta" {
-  version = "~> 2.18.1"
+  version = "~> 3.3.0"
 }
 
 provider "null" {

variables.tf

@@ -174,3 +174,9 @@ variable "python_interpreter_path" {
   type        = string
   default     = "python3"
 }
+
+variable "pip_executable_path" {
+  description = "Pip executable path for precondition requirements.txt install."
+  type        = string
+  default     = "pip3"
+}