fix(module/autoscale): Expose project_id for tf data source (#217)

PaloAltoNetworks · Sep 19, 2023 · a790467 · a790467
1 parent 5a16b33
commit a790467
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 20 deletions.
diff --git a/examples/autoscale/example.tfvars b/examples/autoscale/example.tfvars
@@ -30,6 +30,7 @@ panorama_vm_auth_key    = "01234567890123456789"
 #   region                = "us-central1"
 #   bucket_location       = "US"
 #   panorama_address      = "1.1.1.1"
+#   panorama2_address     = "2.2.2.2"
 #   vpc_connector_network = "panorama-vpc"
 #   vpc_connector_cidr    = "10.10.190.0/28"
 # }

diff --git a/examples/autoscale/main.tf b/examples/autoscale/main.tf
@@ -116,6 +116,7 @@ module "iam_service_account" {
 module "autoscale" {
   source = "../../modules/autoscale/"
 
+  project_id            = var.project_id
   name                  = "${var.name_prefix}vmseries"
   region                = var.region
   regional_mig          = true

diff --git a/modules/autoscale/README.md b/modules/autoscale/README.md
@@ -48,7 +48,6 @@ No modules.
 | [archive_file.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [google_compute_default_service_account.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_default_service_account) | data source |
 | [google_compute_zones.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |
-| [google_project.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 
 ### Inputs
 
@@ -68,6 +67,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | The name of the VM-Series deployed. This value will be used as the `base_instance_name` and will be used as a prepended prefix for other created resources. | `string` | n/a | yes |
 | <a name="input_named_ports"></a> [named\_ports](#input\_named\_ports) | A list of named port configurations. The name identifies the backend port to receive the traffic <br>from the global load balancers.<pre>named_ports = [<br>  {<br>    name = "http"<br>    port = "80"<br>  },<br>  {<br>    name = "app42"<br>    port = "4242"<br>  },<br>]</pre> | `list` | `[]` | no |
 | <a name="input_network_interfaces"></a> [network\_interfaces](#input\_network\_interfaces) | List of the network interface specifications.<br><br>Available options:<br>- `subnetwork`       - (Required\|string) Self-link of a subnetwork to create interface in.<br>- `create_public_ip` - (Optional\|boolean) Whether to reserve public IP for the interface. | `list(any)` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP Project ID to contain the created cloud resources. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The Google Cloud region for the resources. If null, provider region will be used. | `string` | `null` | no |
 | <a name="input_regional_mig"></a> [regional\_mig](#input\_regional\_mig) | Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).<br>For more information please see [About regional MIGs](https://cloud.google.com/compute/docs/instance-groups/regional-migs#why_choose_regional_managed_instance_groups). | `bool` | n/a | yes |
 | <a name="input_scale_in_control_replicas_fixed"></a> [scale\_in\_control\_replicas\_fixed](#input\_scale\_in\_control\_replicas\_fixed) | Fixed number of VM-Series instances that can be killed within the scale-in time window. See `scale_in_control` in the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler). | `number` | `1` | no |

diff --git a/modules/autoscale/main.tf b/modules/autoscale/main.tf
@@ -1,7 +1,10 @@
-data "google_compute_default_service_account" "main" {}
+data "google_compute_default_service_account" "main" {
+  project = var.project_id
+}
 
 # Instance template
 resource "google_compute_instance_template" "main" {
+  project          = var.project_id
   name_prefix      = var.name
   machine_type     = var.machine_type
   min_cpu_platform = var.min_cpu_platform
@@ -43,6 +46,7 @@ resource "google_compute_instance_template" "main" {
 resource "google_compute_instance_group_manager" "zonal" {
   for_each = var.regional_mig ? {} : var.zones
 
+  project            = var.project_id
   name               = "${var.name}-${each.value}"
   base_instance_name = var.name
   target_pools       = var.target_pools
@@ -77,9 +81,10 @@ resource "google_compute_instance_group_manager" "zonal" {
 resource "google_compute_autoscaler" "zonal" {
   for_each = var.regional_mig ? {} : var.zones
 
-  name   = "${var.name}-${each.value}"
-  target = google_compute_instance_group_manager.zonal[each.key].id
-  zone   = each.value
+  project = var.project_id
+  name    = "${var.name}-${each.value}"
+  target  = google_compute_instance_group_manager.zonal[each.key].id
+  zone    = each.value
 
   autoscaling_policy {
     min_replicas    = var.min_vmseries_replicas
@@ -108,12 +113,14 @@ resource "google_compute_autoscaler" "zonal" {
 data "google_compute_zones" "main" {
   count = var.regional_mig ? 1 : 0
 
-  region = var.region
+  project = var.project_id
+  region  = var.region
 }
 
 resource "google_compute_region_instance_group_manager" "regional" {
   count = var.regional_mig ? 1 : 0
 
+  project            = var.project_id
   name               = var.name
   base_instance_name = var.name
   target_pools       = var.target_pools
@@ -141,9 +148,10 @@ resource "google_compute_region_instance_group_manager" "regional" {
 resource "google_compute_region_autoscaler" "regional" {
   count = var.regional_mig ? 1 : 0
 
-  name   = var.name
-  target = google_compute_region_instance_group_manager.regional[0].id
-  region = var.region
+  project = var.project_id
+  name    = var.name
+  target  = google_compute_region_instance_group_manager.regional[0].id
+  region  = var.region
 
   autoscaling_policy {
     min_replicas    = var.min_vmseries_replicas
@@ -172,19 +180,22 @@ resource "google_compute_region_autoscaler" "regional" {
 resource "google_pubsub_topic" "main" {
   count = var.create_pubsub_topic ? 1 : 0
 
-  name = "${var.name}-mig"
+  project = var.project_id
+  name    = "${var.name}-mig"
 }
 
 resource "google_pubsub_subscription" "main" {
   count = var.create_pubsub_topic ? 1 : 0
 
-  name  = "${var.name}-mig"
-  topic = google_pubsub_topic.main[0].id
+  project = var.project_id
+  name    = "${var.name}-mig"
+  topic   = google_pubsub_topic.main[0].id
 }
 
 resource "google_pubsub_subscription_iam_member" "main" {
   count = var.create_pubsub_topic ? 1 : 0
 
+  project      = var.project_id
   subscription = google_pubsub_subscription.main[0].id
   role         = "roles/pubsub.subscriber"
   member       = "serviceAccount:${coalesce(var.service_account_email, data.google_compute_default_service_account.main.email)}"
@@ -193,8 +204,6 @@ resource "google_pubsub_subscription_iam_member" "main" {
 #---------------------------------------------------------------------------------
 # The following resources are used for delicensing
 
-data "google_project" "this" {}
-
 resource "random_id" "postfix" {
   byte_length = 2
 }
@@ -229,6 +238,7 @@ locals {
 # Credentials itself are set manually after secret store is created by Terraform.
 resource "google_secret_manager_secret" "delicensing_cfn_pano_creds" {
   count     = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
+  project   = var.project_id
   secret_id = local.delicensing_cfn.secret_name
   replication {
     automatic = true
@@ -238,6 +248,7 @@ resource "google_secret_manager_secret" "delicensing_cfn_pano_creds" {
 # Create a log sink to match the delete of a VM from a Managed Instance group during the initial phase
 resource "google_logging_project_sink" "delicensing_cfn" {
   count                  = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
+  project                = var.project_id
   destination            = "pubsub.googleapis.com/${google_pubsub_topic.delicensing_cfn[0].id}"
   name                   = local.delicensing_cfn.log_sink_name
   filter                 = "protoPayload.requestMetadata.callerSuppliedUserAgent=\"GCE Managed Instance Group\" AND protoPayload.methodName=\"v1.compute.instances.delete\" AND protoPayload.response.progress=\"0\""
@@ -246,14 +257,15 @@ resource "google_logging_project_sink" "delicensing_cfn" {
 
 # Create a pub/sub topic for messaging log sink events
 resource "google_pubsub_topic" "delicensing_cfn" {
-  count = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
-  name  = local.delicensing_cfn.topic_name
+  count   = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
+  project = var.project_id
+  name    = local.delicensing_cfn.topic_name
 }
 
 # Allow log router writer identity to publish to pub/sub
 resource "google_pubsub_topic_iam_member" "pubsub_sink_member" {
   count   = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
-  project = data.google_project.this.project_id
+  project = var.project_id
   topic   = local.delicensing_cfn.topic_name
   role    = "roles/pubsub.publisher"
   member  = google_logging_project_sink.delicensing_cfn[0].writer_identity
@@ -262,6 +274,7 @@ resource "google_pubsub_topic_iam_member" "pubsub_sink_member" {
 # VPC Connector required for Cloud Function to access local Panorama instance
 resource "google_vpc_access_connector" "delicensing_cfn" {
   count         = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
+  project       = var.project_id
   name          = local.delicensing_cfn.vpc_connector_name
   region        = var.delicensing_cloud_function_config.region
   ip_cidr_range = var.delicensing_cloud_function_config.vpc_connector_cidr
@@ -271,6 +284,7 @@ resource "google_vpc_access_connector" "delicensing_cfn" {
 # Cloud Function code storage bucket
 resource "google_storage_bucket" "delicensing_cfn" {
   count                       = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
+  project                     = var.project_id
   name                        = local.delicensing_cfn.bucket_name
   location                    = var.delicensing_cloud_function_config.bucket_location
   force_destroy               = true
@@ -301,20 +315,22 @@ resource "google_storage_bucket_object" "delicensing_cfn" {
 # Cloud Function Service Account
 resource "google_service_account" "delicensing_cfn" {
   count        = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
+  project      = var.project_id
   account_id   = local.delicensing_cfn.runtime_sa_account_id
   display_name = local.delicensing_cfn.runtime_sa_display_name
 }
 
 # Granting required roles to Cloud Function SA
 resource "google_project_iam_member" "delicensing_cfn" {
   for_each = try(var.delicensing_cloud_function_config, null) != null ? toset(local.delicensing_cfn.runtime_sa_roles) : []
-  project  = data.google_project.this.project_id
+  project  = var.project_id
   role     = each.key
   member   = "serviceAccount:${google_service_account.delicensing_cfn[0].email}"
 }
 
 resource "google_cloudfunctions2_function" "delicensing_cfn" {
   count       = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
+  project     = var.project_id
   name        = local.delicensing_cfn.function_name
   description = local.delicensing_cfn.description
   location    = var.delicensing_cloud_function_config.region
@@ -335,7 +351,7 @@ resource "google_cloudfunctions2_function" "delicensing_cfn" {
     environment_variables = {
       "PANORAMA_ADDRESS"  = local.delicensing_cfn.panorama_address
       "PANORAMA2_ADDRESS" = local.delicensing_cfn.panorama2_address
-      "PROJECT_ID"        = data.google_project.this.project_id
+      "PROJECT_ID"        = var.project_id
       "SECRET_NAME"       = google_secret_manager_secret.delicensing_cfn_pano_creds[0].secret_id
     }
     service_account_email          = google_service_account.delicensing_cfn[0].email
@@ -355,7 +371,7 @@ resource "google_cloudfunctions2_function" "delicensing_cfn" {
 # Allow Cloud Function invocation from pub/sub
 resource "google_project_iam_member" "delicensing_cfn_invoker" {
   count   = try(var.delicensing_cloud_function_config, null) != null ? 1 : 0
-  project = data.google_project.this.project_id
+  project = var.project_id
   role    = "roles/run.invoker"
   member  = "serviceAccount:${data.google_compute_default_service_account.main.email}"
 }
diff --git a/modules/autoscale/variables.tf b/modules/autoscale/variables.tf
@@ -9,6 +9,12 @@ variable "region" {
   default     = null
 }
 
+variable "project_id" {
+  description = "GCP Project ID to contain the created cloud resources."
+  type        = string
+  default     = null
+}
+
 variable "regional_mig" {
   description = <<-EOF
   Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).