What would you like to be added
To create the GCP project for the factory, along with IAM access, Service Accounts, and API enablement.

Why is this needed
To host the factory in GCP.

Implementation
The terraform Project Factory module will take the following actions:

1. Create the new GCP project, named by project_name.
2. If a shared VPC is specified, attach the new project to the svpc_host_project_id. It will also give the following users network access on the specified subnets:
   - The project's new default service account (see step 4)
   - The Google APIs service account for the project
   - The project controlling group specified in group_name
3. Delete the default compute service account.
4. Create a new default service account for the project.
5. Give it access to the shared VPC (so that it is able to launch instances).
6. Attach the billing account (billing_account) to the project.
7. Give the controlling group access to the project, with the group_role.
8. Enable the required and specified APIs (activate_apis).
9. Delete the default network.
10. Enable the GCE usage report into the central project bucket (target_usage_bucket), if provided.
11. If specified, create the GCS bucket bucket_name and give the following accounts Storage Admin on it:
    - The controlling group (group_name).
    - The new default compute service account created for the project.
    - The Google APIs service account for the project.

The roles granted are specifically:

New Default Service Account
- compute.networkUser on the host project or the specified subnets
- storage.admin on the bucket_name GCS bucket

group_name (the controlling group)
- compute.networkUser on the host project or the specified subnets
- The specified group_role on the project
- iam.serviceAccountUser on the default Service Account
- storage.admin on the bucket_name GCS bucket

Google APIs Service Account
- compute.networkUser on the host project or the specified subnets
- storage.admin on the bucket_name GCS bucket

Shared VPC subnets and IAM permissions
A service project's access to shared VPC networks is controlled via the roles/compute.networkUser role and the location at which that role is assigned. If that role is assigned on the shared VPC host project, then the service project will have access to all shared VPC subnetworks. If that role is assigned on individual subnetworks, then the service project will have access to only the subnetworks on which that role was assigned. The logic for determining that location is as follows:

- If var.svpc_host_project_id and var.shared_vpc_subnets are not set, then the compute.networkUser role is not assigned.
- If var.svpc_host_project_id is set but no subnetworks are provided via var.shared_vpc_subnets, then the compute.networkUser role is assigned at the host project and the service project will have access to all shared VPC subnetworks.
- If var.svpc_host_project_id is set and var.shared_vpc_subnets contains an array of subnetworks, then the compute.networkUser role is assigned to each subnetwork in the array.
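The following Terraform configuration is an added example, not the Project Factory module's own code, showing how the three-case networkUser placement logic above and the network-access part of the roles table can be expressed so that a reviewer can check where the binding lands. Variable names follow the page (svpc_host_project_id, shared_vpc_subnets, group_name, project_name, billing_account); the resource names (main, default, attach, host_network_user, subnet_network_user), the service account id "project-service-account", and the assumption that subnets are given as full self-links ("projects/HOST/regions/REGION/subnetworks/NAME") are this example's own.

```hcl
# Added example: compute.networkUser placement for a shared VPC service project.
# Variable names follow the page; resource names and the subnet self-link format
# are assumptions of this example.

variable "project_name"         { type = string }
variable "billing_account"      { type = string }
variable "group_name"           { type = string }   # controlling group e-mail
variable "svpc_host_project_id" { type = string, default = "" }
variable "shared_vpc_subnets" {
  # Assumed format: "projects/HOST/regions/REGION/subnetworks/NAME"
  type    = list(string)
  default = []
}

resource "google_project" "main" {
  name            = var.project_name
  project_id      = var.project_name
  billing_account = var.billing_account
}

# The new default service account (step 4 on the page).
resource "google_service_account" "default" {
  project    = google_project.main.project_id
  account_id = "project-service-account"
}

locals {
  # Principals that receive compute.networkUser, per the roles table above.
  # PROJECT_NUMBER@cloudservices.gserviceaccount.com is the Google APIs service account.
  network_users = [
    "serviceAccount:${google_service_account.default.email}",
    "serviceAccount:${google_project.main.number}@cloudservices.gserviceaccount.com",
    "group:${var.group_name}",
  ]

  shared_vpc_enabled = var.svpc_host_project_id != ""

  # Case 2: host project set, no subnets -> bind once at host-project level
  # (grants access to every subnet in the shared VPC).
  bind_at_host = local.shared_vpc_enabled && length(var.shared_vpc_subnets) == 0

  # Case 3: host project set and subnets given -> one binding per (subnet, member).
  # Case 1 (no host project) yields an empty map, so nothing is bound.
  subnet_bindings = local.shared_vpc_enabled ? {
    for pair in setproduct(var.shared_vpc_subnets, local.network_users) :
    "${pair[0]}|${pair[1]}" => { subnet = pair[0], member = pair[1] }
  } : {}
}

# Attach the service project to the host project (step 2 on the page).
resource "google_compute_shared_vpc_service_project" "attach" {
  count           = local.shared_vpc_enabled ? 1 : 0
  host_project    = var.svpc_host_project_id
  service_project = google_project.main.project_id
}

# Case 2: project-level binding on the host project.
resource "google_project_iam_member" "host_network_user" {
  for_each = local.bind_at_host ? toset(local.network_users) : toset([])
  project  = var.svpc_host_project_id
  role     = "roles/compute.networkUser"
  member   = each.value
}

# Case 3: per-subnet bindings; region is parsed from the assumed self-link format.
resource "google_compute_subnetwork_iam_member" "subnet_network_user" {
  for_each   = local.subnet_bindings
  project    = var.svpc_host_project_id
  region     = regex("regions/([^/]+)/", each.value.subnet)[0]
  subnetwork = each.value.subnet
  role       = "roles/compute.networkUser"
  member     = each.value.member
}
```

Running terraform plan with shared_vpc_subnets left empty should show only google_project_iam_member bindings on the host project, and with one or more subnets it should show only google_compute_subnetwork_iam_member bindings, never both; that is the least-privilege check worth doing before apply, since a project-level binding silently widens access to every subnet in the host. After apply, gcloud compute networks subnets get-iam-policy on a subnet in the host project, or gcloud projects get-iam-policy on the host project, confirms which level the three principals were actually bound at.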