Merge pull request #144 from thefirstofthe300/breakout-app-engine

Breakout app engine

CHANGELOG.md

@@ -6,7 +6,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
-## [Unreleased]
+## [2.0.0] - 2019-03-05
+2.0.0 is a major backwards incompatible release. See the [upgrade guide](./docs/upgrading_to_project_factory_v2.0.md) for details.
+
+### ADDED
+
+- Added separate App Engine module. [#144]
+
+### REMOVED
+
+- Removed `app_engine` argument (config block).
 
 ## [1.2.0] - 2019-03-05
 
@@ -69,7 +78,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### ADDED
 - This is the initial release of the Project Factory Module.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v1.2.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v2.0.0...HEAD
+[2.0.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v1.2.0...v2.0.0
 [1.2.0]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v1.1.2...v1.2.0
 [1.1.2]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v1.1.1...v1.1.2
 [1.1.1]: https://github.com/terraform-google-modules/terraform-google-project-factory/compare/v1.1.0...v1.1.1
@@ -83,6 +93,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 [#153]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/153
 [#147]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/147
+[#144]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/144
 [#143]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/143
 [#141]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/141
 [#133]: https://github.com/terraform-google-modules/terraform-google-project-factory/pull/133

Makefile

@@ -18,7 +18,7 @@ SHELL := /usr/bin/env bash
 # Docker build config variables
 CREDENTIALS_PATH ?= /cft/workdir/credentials.json
 DOCKER_ORG := gcr.io/cloud-foundation-cicd
-DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 0.11.10_216.0.0_1.19.1_0.1.10
+DOCKER_TAG_BASE_KITCHEN_TERRAFORM ?= 0.11.11_235.0.0_1.19.1_0.1.10
 DOCKER_REPO_BASE_KITCHEN_TERRAFORM := ${DOCKER_ORG}/cft/kitchen-terraform:${DOCKER_TAG_BASE_KITCHEN_TERRAFORM}
 
 all: check_shell check_python check_golang check_terraform check_docker check_base_files test_check_headers check_headers check_trailing_whitespace generate_docs ## Run all linters and update documentation

README.md

@@ -10,6 +10,13 @@ access, Service Accounts, and API enablement to follow best practices.
 To include G Suite integration for creating groups and adding Service Accounts into groups, use the
 [gsuite_enabled module][gsuite-enabled-module].
 
+## Upgrading
+
+The current version is 2.X. The following guides are available to assist with upgrades:
+
+- [0.X -> 1.0](./docs/upgrading_to_project_factory_v1.0.md)
+- [1.X -> 2.0](./docs/upgrading_to_project_factory_v2.0.md)
+
 ## Usage
 
 There are multiple examples included in the [examples](./examples/) folder but simple usage is as follows:
@@ -86,39 +93,37 @@ The roles granted are specifically:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | activate\_apis | The list of apis to activate within the project | list | `<list>` | no |
-| app\_engine | A map for app engine configuration | map | `<map>` | no |
-| auto\_create\_network | Create the default network | string | `false` | no |
-| billing\_account | The ID of the billing account to associate this project with | string | - | yes |
-| bucket\_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | string | `` | no |
-| bucket\_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string | `` | no |
-| credentials\_path | Path to a Service Account credentials file with permissions documented in the readme | string | `` | no |
-| disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | string | `true` | no |
-| domain | The domain name (optional). | string | `` | no |
-| folder\_id | The ID of a folder to host this project | string | `` | no |
-| group\_name | A group to control the project by being assigned group_role (defaults to project editor) | string | `` | no |
-| group\_role | The role to give the controlling group (group_name) over the project (defaults to project editor) | string | `roles/editor` | no |
+| auto\_create\_network | Create the default network | string | `"false"` | no |
+| billing\_account | The ID of the billing account to associate this project with | string | n/a | yes |
+| bucket\_name | A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional) | string | `""` | no |
+| bucket\_project | A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional) | string | `""` | no |
+| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | string | `""` | no |
+| disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | string | `"true"` | no |
+| domain | The domain name (optional). | string | `""` | no |
+| folder\_id | The ID of a folder to host this project | string | `""` | no |
+| group\_name | A group to control the project by being assigned group_role (defaults to project editor) | string | `""` | no |
+| group\_role | The role to give the controlling group (group_name) over the project (defaults to project editor) | string | `"roles/editor"` | no |
 | labels | Map of labels for project | map | `<map>` | no |
-| lien | Add a lien on the project to prevent accidental deletion | string | `false` | no |
-| name | The name for the project | string | - | yes |
-| org\_id | The organization ID. | string | - | yes |
-| random\_project\_id | Enables project random id generation | string | `false` | no |
-| sa\_role | A role to give the default Service Account for the project (defaults to none) | string | `` | no |
-| shared\_vpc | The ID of the host project which hosts the shared VPC | string | `` | no |
+| lien | Add a lien on the project to prevent accidental deletion | string | `"false"` | no |
+| name | The name for the project | string | n/a | yes |
+| org\_id | The organization ID. | string | n/a | yes |
+| random\_project\_id | Enables project random id generation | string | `"false"` | no |
+| sa\_role | A role to give the default Service Account for the project (defaults to none) | string | `""` | no |
+| shared\_vpc | The ID of the host project which hosts the shared VPC | string | `""` | no |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id) | list | `<list>` | no |
-| usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | `` | no |
-| usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | `` | no |
+| usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
+| usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | string | `""` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| app\_engine\_enabled | Whether app engine is enabled |
 | domain | The organization's domain |
 | group\_email | The email of the GSuite group with group_name |
 | project\_bucket\_self\_link | Project's bucket selfLink |
 | project\_bucket\_url | Project's bucket url |
-| project\_id | - |
-| project\_number | - |
+| project\_id |  |
+| project\_number |  |
 | service\_account\_display\_name | The display name of the default service account |
 | service\_account\_email | The email of the default service account |
 | service\_account\_id | The id of the default service account |
@@ -405,4 +410,4 @@ versions][release-new-version].
 [terraform-provider-gsuite]: https://github.com/DeviaVir/terraform-provider-gsuite
 [glossary]: /docs/GLOSSARY.md
 [release-new-version]: https://www.terraform.io/docs/registry/modules/publish.html#releasing-new-versions
-[application-default-credentials]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
+[application-default-credentials]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application

docs/upgrading_to_project_factory_v2.0.md

@@ -0,0 +1,61 @@
+# Upgrading to Project Factory v2.0 (from v1.X)
+
+The v2.0 release of Project Factory is a backwards incompatible release. It only affects users who utilize the `app_engine` argument.
+
+## Migration Instructions
+
+### App Engine Argument Changes
+
+Version 1.X of Project Factory used the `app_engine` map variable to configure App Engine:
+
+```hcl
+/// @file main.tf
+module "project-factory" {
+  # ...
+  app_engine {
+    location_id = "${var.region}"
+    auth_domain = "${var.domain}"
+
+    feature_settings = [
+      {
+        split_health_checks = false
+      },
+    ]
+  }
+}
+```
+
+Version 2.X of Project Factory uses a new module named `app_engine`:
+
+```hcl
+/// @file main.tf
+module "project-factory" {
+  # ...
+}
+
+module "app-engine" {
+  source  = "terraform-google-modules/project-factory/google//modules/app_engine"
+  version = "~> 2.0"
+
+  project     = "${var.project_id}
+  location_id = "${var.region}"
+  auth_domain = "${var.domain}"
+
+  feature_settings = [
+    {
+      split_health_checks = true
+    },
+  ]
+}
+```
+
+### App Engine State Import
+
+The new implementation uses the `google_app_engine_application` resource which needs to be imported into the current state (make sure to replace `$YOUR_PROJECT_ID`):
+
+```sh
+terraform import module.app-engine.google_app_engine_application.main $YOUR_PROJECT_ID
+```
+
+After importing, run `terraform` `plan` and `apply`.
+

examples/app_engine/README.md

@@ -18,9 +18,9 @@ Expected variables:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| admin\_email | Admin user email on Gsuite | string | - | yes |
-| billing\_account | The ID of the billing account to associate this project with | string | - | yes |
-| organization\_id | The organization id for the associated services | string | - | yes |
+| admin\_email | Admin user email on Gsuite | string | n/a | yes |
+| billing\_account | The ID of the billing account to associate this project with | string | n/a | yes |
+| organization\_id | The organization id for the associated services | string | n/a | yes |
 
 ## Outputs
 

examples/gke_shared_vpc/README.md

@@ -29,10 +29,10 @@ More information about GKE with Shared VPC can be found here: https://cloud.goog
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| billing\_account | billing account | string | - | yes |
-| credentials\_path | Path to a Service Account credentials file with permissions documented in the readme | string | - | yes |
-| org\_id | organization id | string | - | yes |
-| shared\_vpc | The ID of the host project which hosts the shared VPC | string | - | yes |
+| billing\_account | billing account | string | n/a | yes |
+| credentials\_path | Path to a Service Account credentials file with permissions documented in the readme | string | n/a | yes |
+| org\_id | organization id | string | n/a | yes |
+| shared\_vpc | The ID of the host project which hosts the shared VPC | string | n/a | yes |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$PROJECT_ID/regions/$REGION/subnetworks/$SUBNET_ID) | list | `<list>` | no |
 
 [^]: (autogen_docs_end)

examples/group_project/README.md

@@ -20,12 +20,12 @@ Expected variables:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| admin\_email | Admin user email on Gsuite. This should be a user account, not a service account. | string | - | yes |
-| api\_sa\_group | An existing GSuite group email to place the Google APIs Service Account for the project in | string | - | yes |
-| billing\_account | The ID of the billing account to associate this project with | string | - | yes |
-| credentials\_file\_path | Service account json auth path | string | - | yes |
-| organization\_id | The organization id for the associated services | string | - | yes |
-| project\_group\_name | The name of a GSuite group to create for controlling the project | string | - | yes |
+| admin\_email | Admin user email on Gsuite. This should be a user account, not a service account. | string | n/a | yes |
+| api\_sa\_group | An existing GSuite group email to place the Google APIs Service Account for the project in | string | n/a | yes |
+| billing\_account | The ID of the billing account to associate this project with | string | n/a | yes |
+| credentials\_file\_path | Service account json auth path | string | n/a | yes |
+| organization\_id | The organization id for the associated services | string | n/a | yes |
+| project\_group\_name | The name of a GSuite group to create for controlling the project | string | n/a | yes |
 
 ## Outputs
 

examples/project-hierarchy/README.md

@@ -26,10 +26,10 @@ Expected variables:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| admin\_email | Admin user email on Gsuite | string | - | yes |
-| billing\_account | The ID of the billing account to associate this project with | string | - | yes |
-| credentials\_path | Path to a Service Account credentials file with permissions documented in the readme | string | - | yes |
-| organization\_id | The organization id for the associated services | string | - | yes |
+| admin\_email | Admin user email on Gsuite | string | n/a | yes |
+| billing\_account | The ID of the billing account to associate this project with | string | n/a | yes |
+| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | string | `""` | no |
+| organization\_id | The organization id for the associated services | string | n/a | yes |
 
 ## Outputs
 

examples/simple_project/README.md

@@ -14,9 +14,9 @@ Expected variables:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| billing\_account | The ID of the billing account to associate this project with | string | - | yes |
-| credentials\_path | Path to a Service Account credentials file with permissions documented in the readme | string | - | yes |
-| organization\_id | The organization id for the associated services | string | - | yes |
+| billing\_account | The ID of the billing account to associate this project with | string | n/a | yes |
+| credentials\_path | Path to a service account credentials file with rights to run the Project Factory. If this file is absent Terraform will fall back to Application Default Credentials. | string | `""` | no |
+| organization\_id | The organization id for the associated services | string | n/a | yes |
 
 ## Outputs
 

main.tf

@@ -48,6 +48,5 @@ module "project-factory" {
   bucket_project              = "${var.bucket_project}"
   bucket_name                 = "${var.bucket_name}"
   auto_create_network         = "${var.auto_create_network}"
-  app_engine                  = "${var.app_engine}"
   disable_services_on_destroy = "${var.disable_services_on_destroy}"
 }

modules/app_engine/main.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_app_engine_application" "main" {
+  project          = "${var.project_id}"
+  location_id      = "${var.location_id}"
+  auth_domain      = "${var.auth_domain}"
+  serving_status   = "${var.serving_status}"
+  feature_settings = "${var.feature_settings}"
+}

modules/app_engine/outputs.tf

@@ -0,0 +1,40 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "name" {
+  description = "Unique name of the app, usually apps/{PROJECT_ID}."
+  value       = "${google_app_engine_application.main.name}"
+}
+
+output "url_dispatch_rule" {
+  description = "A list of dispatch rule blocks. Each block has a domain, path, and service field."
+  value       = "${google_app_engine_application.main.url_dispatch_rule}"
+}
+
+output "code_bucket" {
+  description = "The GCS bucket code is being stored in for this app."
+  value       = "${google_app_engine_application.main.code_bucket}"
+}
+
+output "default_hostname" {
+  description = "The default hostname for this app."
+  value       = "${google_app_engine_application.main.default_hostname}"
+}
+
+output "default_bucket" {
+  description = "The GCS bucket content is being stored in for this app."
+  value       = "${google_app_engine_application.main.default_bucket}"
+}

modules/app_engine/variables.tf

@@ -0,0 +1,39 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project to enable app engine on."
+}
+
+variable "location_id" {
+  description = "The location to serve the app from."
+  default     = ""
+}
+
+variable "auth_domain" {
+  description = "The domain to authenticate users with when using App Engine's User API."
+  default     = ""
+}
+
+variable "serving_status" {
+  description = "The serving status of the app."
+  default     = "SERVING"
+}
+
+variable "feature_settings" {
+  description = "A list of maps of optional settings to configure specific App Engine features."
+  default     = []
+}