From 622783c762c2715f23f666f4d59a37e454bbfe9f Mon Sep 17 00:00:00 2001 From: Evan Brown Date: Tue, 22 Nov 2016 22:55:40 -0800 Subject: [PATCH] providers/google: Support managing projects Add support for creating, updating, and deleting projects, as well as their enabled services and their IAM policies. Various concessions were made for backwards compatibility, and will be removed in 0.9 or 0.10. --- r/google_project.html.markdown | 82 +++++++++++++++-------- r/google_project_iam_policy.html.markdown | 69 +++++++++++++++++++ r/google_project_services.html.markdown | 32 +++++++++ 3 files changed, 155 insertions(+), 28 deletions(-) mode change 100644 => 100755 r/google_project.html.markdown create mode 100644 r/google_project_iam_policy.html.markdown create mode 100644 r/google_project_services.html.markdown diff --git a/r/google_project.html.markdown b/r/google_project.html.markdown old mode 100644 new mode 100755 index fda89dab..3112042a --- a/r/google_project.html.markdown +++ b/r/google_project.html.markdown 
@@ -8,29 +8,24 @@ description: |- # google\_project -Allows management of an existing Google Cloud Platform project, and is -currently limited to adding or modifying the IAM Policy for the project. +Allows creation and management of a Google Cloud Platform project and its +associated enabled services/APIs. -When adding a policy to a project, the policy will be merged with the -project's existing policy. The policy is always specified in a -`google_iam_policy` data source and referenced from the project's -`policy_data` attribute. +Projects created with this resource must be associated with an Organization. +See the [Organization documentation](https://cloud.google.com/resource-manager/docs/quickstart) for more details. + +The service account used to run Terraform when creating a `google_project` +resource must have `roles/resourcemanager.projectCreator`. See the +[Access Control for Organizations Using IAM](https://cloud.google.com/resource-manager/docs/access-control-org) +doc for more information. ## Example Usage ```js resource "google_project" "my_project" { - id = "your-project-id" - policy_data = "${data.google_iam_policy.admin.policy_data}" -} - -data "google_iam_policy" "admin" { - binding { - role = "roles/storage.objectViewer" - members = [ - "user:evandbrown@gmail.com", - ] - } + project_id = "your-project-id" + org_id = "1234567" + services = ["compute_component", "storage-component-json.googleapis.com", "iam.googleapis.com"] } ``` 
@@ -38,24 +33,55 @@ data "google_iam_policy" "admin" { The following arguments are supported: -* `id` - (Required) The project ID. - Changing this forces a new project to be referenced. +* `project_id` - (Optional) The project ID. + Changing this forces a new project to be created. If this attribute is not + set, `id` must be set. As `id` is deprecated, consider this attribute + required. If you are using `project_id` and creating a new project, the + `org_id` and `name` attributes are also required. -* `policy` - (Optional) The `google_iam_policy` data source that represents - the IAM policy that will be applied to the project. The policy will be - merged with any existing policy applied to the project. +* `id` - (Deprecated) The project ID. + This attribute has unexpected behaviour and probably does not work + as users would expect; it has been deprecated, and will be removed in future + versions of Terraform. The `project_id` attribute should be used instead. See + [below](#id-field) for more information about its behaviour. - Changing this updates the policy. +* `project_id` - (Required) The project ID. + Changing this forces a new project to be created. - Deleting this removes the policy, but leaves the original project policy - intact. If there are overlapping `binding` entries between the original - project policy and the data source policy, they will be removed. +* `org_id` - (Optional) The numeric ID of the organization this project belongs to. + This is required if you are creating a new project. + Changing this forces a new project to be created. + +* `name` - (Optional) The display name of the project. + This is required if you are creating a new project. + +* `services` - (Optional) The services/APIs that are enabled for this project. + For a list of available services, run `gcloud beta service-management list` + +* `skip_delete` - (Optional) If true, the Terraform resource can be deleted + without deleting the Project via the Google API. 
+ +* `policy_data` - (Deprecated) The IAM policy associated with the project. + This argument is no longer supported, and will be removed in a future version + of Terraform. It should be replaced with a `google_project_iam_policy` resource. ## Attributes Reference In addition to the arguments listed above, the following computed attributes are exported: -* `name` - The name of the project. - * `number` - The numeric identifier of the project. +* `policy_etag` - (Deprecated) The etag of the project's IAM policy, used to + determine if the IAM policy has changed. Please use `google_project_iam_policy`'s + `etag` property instead; future versions of Terraform will remove the `policy_etag` + attribute + +## ID Field + +In previous versions of Terraform, `google_project` resources used an `id` field in +config files to specify the project ID. Unfortunately, due to limitations in Terraform, +this field always looked empty to Terraform. Terraform fell back on using the project +the Google Cloud provider is configured with. If you're using the `id` field in your +configurations, know that it is being ignored, and its value will always be seen as the +ID of the project being used to authenticate Terraform's requests. You should move to the +`project_id` field as soon as possible. diff --git a/r/google_project_iam_policy.html.markdown b/r/google_project_iam_policy.html.markdown new file mode 100644 index 00000000..a62c0273 --- /dev/null +++ b/r/google_project_iam_policy.html.markdown 
@@ -0,0 +1,69 @@ +--- +layout: "google" +page_title: "Google: google_project_iam_policy" +sidebar_current: "docs-google-project-iam-policy" +description: |- + Allows management of an IAM policy for a Google Cloud Platform project. +--- + +# google\_project\_iam\_policy + +Allows creation and management of an IAM policy for an existing Google Cloud +Platform project. + +## Example Usage + +```js +resource "google_project_iam_policy" "project" { + project = "your-project-id" + policy_data = "${data.google_iam_policy.admin.policy_data}" +} + +data "google_iam_policy" "admin" { + binding { + role = "roles/editor" + members = [ + "user:jane@example.com", + ] + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `project` - (Required) The project ID. + Changing this forces a new project to be created. + +* `policy_data` - (Required) The `google_iam_policy` data source that represents + the IAM policy that will be applied to the project. The policy will be + merged with any existing policy applied to the project. + + Changing this updates the policy. + + Deleting this removes the policy, but leaves the original project policy + intact. If there are overlapping `binding` entries between the original + project policy and the data source policy, they will be removed. + +* `authoritative` - (Optional) A boolean value indicating if this policy + should overwrite any existing IAM policy on the project. When set to true, + **any policies not in your config file will be removed**. This can **lock + you out** of your project until an Organization Administrator grants you + access again, so please exercise caution. If this argument is `true` and you + want to delete the resource, you must set the `disable_project` argument to + `true`, acknowledging that the project will be inaccessible to anyone but the + Organization Admins, as it will no longer have an IAM policy. 
+ +* `disable_project` - (Optional) A boolean value that must be set to `true` + if you want to delete a `google_project_iam_policy` that is authoritative. + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are +exported: + +* `etag` - (Computed) The etag of the project's IAM policy. + +* `restore_policy` - (Computed) The IAM policy that will be resotred when a + non-authoritative policy resource is deleted. diff --git a/r/google_project_services.html.markdown b/r/google_project_services.html.markdown new file mode 100644 index 00000000..4d16c857 --- /dev/null +++ b/r/google_project_services.html.markdown @@ -0,0 +1,32 @@ +--- +layout: "google" +page_title: "Google: google_project_services" +sidebar_current: "docs-google-project-services" +description: |- + Allows management of API services for a Google Cloud Platform project. +--- + +# google\_project\_services + +Allows management of enabled API services for an existing Google Cloud +Platform project. Services in an existing project that are not defined +in the config will be removed. + +## Example Usage + +```js +resource "google_project_services" "project" { + project_id = "your-project-id" + services = ["iam.googleapis.com", "cloudresourcemanager.googleapis.com"] +} +``` + +## Argument Reference + +The following arguments are supported: + +* `project_id` - (Required) The project ID. + Changing this forces a new project to be created. + +* `services` - (Required) The list of services that are enabled. Supports + update.
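Review bot: in the `google_project` example (hunk `@@ -8,29 +8,24 @@`), the resource sets `project_id` and `org_id` but omits `name`, while the argument reference in this same patch says `name` is required together with `org_id` when creating a new project, so the example contradicts the reference; add a `name = "..."` line. The `services` list in that example also mixes a legacy short name (`compute_component`) with `*.googleapis.com` names; either use one form or state that both are accepted, since readers will paste whatever `gcloud beta service-management list` prints.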
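Review bot: in the argument-reference hunk (`@@ -38,24 +33,55 @@`), `project_id` is documented twice with contradictory labels, once as `(Optional)` with the `id` fallback explanation and once as `(Required)`; keep a single entry (the `(Optional)` one is the one consistent with the `id` deprecation story and the "ID Field" section). The `skip_delete` bullet should also spell out the consequence that matters operationally: with `skip_delete = true` a `terraform destroy` removes only the state entry and the project keeps existing, keeps its enabled services and keeps accruing cost until someone deletes it by hand. Minor: the `services` bullet and the `policy_etag` bullet both lack a closing period.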
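Review bot: in the new `google_project_iam_policy.html.markdown`, the `project` bullet says "Changing this forces a new project to be created", which is the text copied from `google_project` and is wrong here: changing the target project forces a new IAM policy resource, it does not create a project. Typo under `restore_policy`: "resotred" should be "restored". Given the lock-out warning under `authoritative`, the doc should tell readers to include a binding for the identity that runs Terraform in the `google_iam_policy` data source before setting `authoritative = true`, and it should note that `restore_policy` (the full original policy, including member lists) is stored in Terraform state, so state files for this resource need the same protection as the policy itself.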
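Review bot: in the new `google_project_services.html.markdown`, the `project_id` bullet repeats the same copy-paste error ("forces a new project to be created"); changing it forces a new `google_project_services` resource. More importantly, this patch also adds a `services` argument to `google_project`, and this resource removes every service not listed in its config, so the doc should warn against managing the same project's services through both resources: with differing lists each apply would remove what the other enabled. It is also worth stating that removing a service from the list disables the API for the whole project, which breaks any other resources that depend on it, so readers treat edits to `services` as a change with blast radius rather than a no-op.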