Feature/336 gcloud module

CHANGELOG.md

@@ -8,6 +8,15 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 
+### Added
+
+- The `pip_executable_path` variable which can be altered to support execution in a Windows environment. [#343]
+- The `modify-service-account.sh` steps are now executed in the context of the `terraform-google-gcloud` module so there is no longer a dependency on having `gcloud` installed on the host. [#343]
+
+### Fixed
+
+- The precondition script is fixed and will run successfully. `on_failure = "continue"` was also removed to prevent silent failures. [#343]
+
 ## [6.1.0] - 2019-12-18
 
 ### Added
@@ -294,6 +303,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 [0.2.1]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v0.1.0...v0.2.0
 
+[#343]: https://github.com/terraform-google-modules/terraform-google-project-factory/issues/343
 [#345]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/345
 [#341]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/341
 [#338]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/338

README.md

@@ -134,6 +134,7 @@ determining that location is as follows:
 | lien | Add a lien on the project to prevent accidental deletion | bool | `"false"` | no |
 | name | The name for the project | string | n/a | yes |
 | org\_id | The organization ID. | string | n/a | yes |
+| pip\_executable\_path | Pip executable path for precondition requirements.txt install. | string | `"pip3"` | no |
 | project\_id | If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. | string | `""` | no |
 | python\_interpreter\_path | Python interpreter path for precondition check script. | string | `"python3"` | no |
 | random\_project\_id | Enables project random id generation. Mutually exclusive with project_id being non-empty. | bool | `"false"` | no |

main.tf

@@ -56,4 +56,5 @@ module "project-factory" {
   default_service_account     = var.default_service_account
   disable_dependent_services  = var.disable_dependent_services
   python_interpreter_path     = var.python_interpreter_path
+  pip_executable_path         = var.pip_executable_path
 }

modules/core_project_factory/locals.tf

@@ -20,13 +20,12 @@ locals {
   pip_requirements_absolute_path = join("/", [local.preconditions_path, "requirements.txt"])
   preconditions_py_absolute_path = join("/", [local.preconditions_path, "preconditions.py"])
   attributes = {
-    billing_account_attr             = var.billing_account
-    org_id_attr                      = var.org_id
-    credentials_path_attr            = var.credentials_path
-    impersonate_service_account_attr = var.impersonate_service_account
-    folder_id_attr                   = var.folder_id
-    shared_vpc_attr                  = var.shared_vpc
+    billing_account             = var.billing_account
+    org_id                      = var.org_id
+    credentials_path            = var.credentials_path
+    impersonate_service_account = var.impersonate_service_account
+    folder_id                   = var.folder_id
+    shared_vpc                  = var.shared_vpc
   }
-  preconditions_command = "${var.python_interpreter_path} ${local.preconditions_py_absolute_path} %{for key, value in local.attributes}--${key} ${value} %{endfor}"
+  preconditions_command = "${var.python_interpreter_path} ${local.preconditions_py_absolute_path} %{for key, value in local.attributes}--${key}=\"${value}\" %{endfor}"
 }
-

modules/core_project_factory/main.tf

@@ -77,13 +77,11 @@ resource "null_resource" "preconditions" {
 
   provisioner "local-exec" {
     command     = local.pip_requirements_absolute_path
-    interpreter = ["pip3", "install", "-r"]
-    on_failure  = "continue"
+    interpreter = [var.pip_executable_path, "install", "-r"]
   }
 
   provisioner "local-exec" {
-    command    = local.preconditions_command
-    on_failure = "continue"
+    command = local.preconditions_command
     environment = {
       GRACEFUL_IMPORTERROR = "true"
     }
@@ -183,84 +181,77 @@ data "null_data_source" "default_service_account" {
 /******************************************
   Default compute service account deletion
  *****************************************/
-resource "null_resource" "delete_default_compute_service_account" {
-  count = var.default_service_account == "delete" ? 1 : 0
-
-  provisioner "local-exec" {
-    command    = <<EOD
-${path.module}/scripts/modify-service-account.sh \
-  --project_id='${google_project.main.project_id}' \
-  --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-  --credentials_path='${var.credentials_path}' \
-  --impersonate-service-account='${var.impersonate_service_account}' \
-  --action='delete'
-EOD
-    on_failure = "continue"
-  }
-
-  triggers = {
+module "gcloud_delete" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 0.3"
+
+  enabled = var.default_service_account == "delete"
+
+  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
+  create_cmd_body       = <<-EOT
+    --project_id='${google_project.main.project_id}' \
+    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
+    --credentials_path='${var.credentials_path}' \
+    --impersonate-service-account='${var.impersonate_service_account}' \
+    --action='delete'
+  EOT
+
+  create_cmd_triggers = {
     default_service_account = data.null_data_source.default_service_account.outputs["email"]
     activated_apis          = join(",", local.activate_apis)
+    project_services        = module.project_services.project_id
   }
-
-  depends_on = [
-    module.project_services,
-  ]
 }
 
 /*********************************************
   Default compute service account deprivilege
  ********************************************/
-resource "null_resource" "deprivilege_default_compute_service_account" {
-  count = var.default_service_account == "deprivilege" ? 1 : 0
-
-  provisioner "local-exec" {
-    command    = <<EOD
-${path.module}/scripts/modify-service-account.sh \
-  --project_id='${google_project.main.project_id}' \
-  --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-  --credentials_path='${var.credentials_path}' \
-  --impersonate-service-account='${var.impersonate_service_account}' \
-  --action='deprivilege'
-EOD
-    on_failure = "continue"
-  }
-
-  triggers = {
+module "gcloud_deprivilege" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 0.3"
+
+  enabled = var.default_service_account == "deprivilege"
+
+  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
+  create_cmd_body       = <<-EOT
+    --project_id='${google_project.main.project_id}' \
+    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
+    --credentials_path='${var.credentials_path}' \
+    --impersonate-service-account='${var.impersonate_service_account}' \
+    --action='deprivilege'
+  EOT
+
+  create_cmd_triggers = {
     default_service_account = data.null_data_source.default_service_account.outputs["email"]
     activated_apis          = join(",", local.activate_apis)
+    project_services        = module.project_services.project_id
   }
-
-  depends_on = [
-    module.project_services,
-  ]
 }
 
 /******************************************
   Default compute service account disable
  *****************************************/
-resource "null_resource" "disable_default_compute_service_account" {
-  count = var.default_service_account == "disable" ? 1 : 0
-
-  provisioner "local-exec" {
-    command = <<EOD
-${path.module}/scripts/modify-service-account.sh \
-  --project_id='${google_project.main.project_id}' \
-  --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-  --credentials_path='${var.credentials_path}' \
-  --impersonate-service-account='${var.impersonate_service_account}' \
-  --action='disable'
-EOD
-  }
-
-  triggers = {
+module "gcloud_disable" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 0.3"
+
+  enabled = var.default_service_account == "disable"
+
+  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
+  create_cmd_body       = <<-EOT
+    --project_id='${google_project.main.project_id}' \
+    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
+    --credentials_path='${var.credentials_path}' \
+    --impersonate-service-account='${var.impersonate_service_account}' \
+    --action='disable'
+  EOT
+
+  create_cmd_triggers = {
     default_service_account = data.null_data_source.default_service_account.outputs["email"]
     activated_apis          = join(",", local.activate_apis)
+    project_services        = module.project_services.project_id
   }
 
-  depends_on = [
-    module.project_services,
-  ]
 }
 
 /******************************************
@@ -496,4 +487,3 @@ resource "google_project_iam_member" "gke_host_agent" {
     module.project_services,
   ]
 }
-

modules/core_project_factory/scripts/modify-service-account.sh

@@ -126,6 +126,3 @@ case $SA_ACTION in
       echo "$SA_ACTION is not a valid action, nothing to do."
       ;;
 esac
-
-
-

modules/core_project_factory/scripts/preconditions/requirements.txt

@@ -1,2 +1,3 @@
 google-api-python-client~=1.7
 google-auth~=1.6
+requests~=2.22

modules/core_project_factory/variables.tf

@@ -178,3 +178,8 @@ variable "python_interpreter_path" {
   default     = "python3"
 }
 
+variable "pip_executable_path" {
+  description = "Pip executable path for precondition requirements.txt install."
+  type        = string
+  default     = "pip3"
+}

variables.tf

@@ -172,3 +172,9 @@ variable "python_interpreter_path" {
   type        = string
   default     = "python3"
 }
+
+variable "pip_executable_path" {
+  description = "Pip executable path for precondition requirements.txt install."
+  type        = string
+  default     = "pip3"
+}