Fix resource manager tag bindings in compute-vm module #1771

Merged
merged 6 commits into from Oct 18, 2023
29 changes: 28 additions & 1 deletion modules/compute-vm/README.md
Expand Up @@ -34,6 +34,7 @@ In both modes, an optional service account can be created and assigned to either
- [Instance group](#instance-group)
- [Instance Schedule](#instance-schedule)
- [Snapshot Schedules](#snapshot-schedules)
- [Resource Manager Tags](#resource-manager-tags)
- [Variables](#variables)
- [Outputs](#outputs)
- [TODO](#todo)
Expand Down Expand Up @@ -677,6 +678,32 @@ module "instance" {
}
# tftest modules=1 resources=5 inventory=snapshot-schedule-create.yaml
```

### Resource Manager Tags

Resource manager tags (or "secure tags") bindings are supported with the following limitations:

- a single `tag_bindings` variable is used for both the instance and the boot disk
- tag bindings are not created for attached disks
- tag bindings will not be created for the boot disk if the `use_independent_disk` flag is true
- tag bindings are ignore for instance templates

```hcl
module "simple-vm-example" {
source = "./fabric/modules/compute-vm"
project_id = var.project_id
zone = "europe-west1-b"
name = "test"
network_interfaces = [{
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
tag_bindings = {
"tagKeys/1234567890" = "tagValues/7890123456"
}
}
# tftest modules=1 resources=1 inventory=tag-bindings.yaml
```
<!-- BEGIN TFDOC -->
## Variables

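Review bot: typo in the limitations list, "tag bindings are ignore for instance templates" should read "are ignored". The list would also benefit from spelling out the consequence of each limitation: anything that relies on a secure tag (firewall policy rules, IAM conditions) will not apply to attached disks, to an independent boot disk, or to instances created from a template, so readers should not assume the `tag_bindings` map covers them. The `# tftest modules=1 resources=1` line correctly reflects that no separate binding resource is created any more; it is worth saying in the prose that bindings are now set through the instance `params` and the boot disk `initialize_params` rather than as distinct resources, since that changes how they show up in state and in plans.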
Expand Down Expand Up @@ -708,7 +735,7 @@ module "instance" {
| [service_account](variables.tf#L295) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | <code title="object&#40;&#123;&#10; auto_create &#61; optional&#40;bool, false&#41;&#10; email &#61; optional&#40;string&#41;&#10; scopes &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [shielded_config](variables.tf#L305) | Shielded VM configuration of the instances. | <code title="object&#40;&#123;&#10; enable_secure_boot &#61; bool&#10; enable_vtpm &#61; bool&#10; enable_integrity_monitoring &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [snapshot_schedules](variables.tf#L315) | Snapshot schedule resource policies that can be attached to disks. | <code title="map&#40;object&#40;&#123;&#10; schedule &#61; object&#40;&#123;&#10; daily &#61; optional&#40;object&#40;&#123;&#10; days_in_cycle &#61; number&#10; start_time &#61; string&#10; &#125;&#41;&#41;&#10; hourly &#61; optional&#40;object&#40;&#123;&#10; hours_in_cycle &#61; number&#10; start_time &#61; string&#10; &#125;&#41;&#41;&#10; weekly &#61; optional&#40;list&#40;object&#40;&#123;&#10; day &#61; string&#10; start_time &#61; string&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#10; description &#61; optional&#40;string&#41;&#10; retention_policy &#61; optional&#40;object&#40;&#123;&#10; max_retention_days &#61; number&#10; on_source_disk_delete_keep &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; snapshot_properties &#61; optional&#40;object&#40;&#123;&#10; chain_name &#61; optional&#40;string&#41;&#10; guest_flush &#61; optional&#40;bool&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; storage_locations &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [tag_bindings](variables.tf#L358) | Tag bindings for this instance, in key => tag value id format. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [tag_bindings](variables.tf#L358) | Tag bindings for this instance, in tag key => tag value format. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [tags](variables.tf#L364) | Instance network tags for firewall rule targets. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |

## Outputs
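Review bot: the new description "in tag key => tag value format" is less precise than the one it replaces; the example added to the README uses resource IDs (`"tagKeys/1234567890" = "tagValues/7890123456"`), not namespaced names, so "tag key id => tag value id" would tell users which form is expected. The `variables.tf#L358` anchor is unchanged, so the link still resolves.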
14 changes: 11 additions & 3 deletions modules/compute-vm/main.tf
Expand Up @@ -216,9 +216,10 @@ resource "google_compute_instance" "default" {
: [""]
)
content {
image = var.boot_disk.initialize_params.image
size = var.boot_disk.initialize_params.size
type = var.boot_disk.initialize_params.type
image = var.boot_disk.initialize_params.image
size = var.boot_disk.initialize_params.size
type = var.boot_disk.initialize_params.type
resource_manager_tags = var.tag_bindings
}
}
}
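Review bot: `resource_manager_tags = var.tag_bindings` is assigned unconditionally here, while the `params` block added further down in this file is only generated when `var.tag_bindings` is not null; both paths should use the same guard (or the unconditional form in both) so a null map behaves identically for the disk and for the instance. Because `initialize_params` is applied when the boot disk is created, the README should also state whether changing `tag_bindings` on an existing instance is an in-place update or forces a replacement; the inventory in this PR only exercises the create case.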
Expand Down Expand Up @@ -292,6 +293,13 @@ resource "google_compute_instance" "default" {
}
}

dynamic "params" {
for_each = var.tag_bindings == null ? [] : [""]
content {
resource_manager_tags = var.tag_bindings
}
}

# guest_accelerator
}

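Review bot: the `[""]` / `[]` toggle works, but since the `params` block is emitted only when `var.tag_bindings` is non-null, setting the map back to null on an existing instance removes the block from configuration; please confirm in the plan output that this clears the instance-level tags rather than leaving the old bindings in place, and add that case to the inventory so the behaviour is pinned.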
23 changes: 18 additions & 5 deletions modules/compute-vm/tags.tf
Expand Up @@ -16,8 +16,21 @@

# tfdoc:file:description Tag bindings.

resource "google_tags_tag_binding" "binding" {
for_each = var.create_template ? {} : coalesce(var.tag_bindings, {})
parent = "//compute.googleapis.com/${google_compute_instance.default.0.id}"
tag_value = each.value
}
# TODO: re-implement once
# - the provider accepts a project id in the parent without a permadiff
# - the disk resource exposes an id that can be used to build the parent

# locals {
# tag_parent_base = (
# "//compute.googleapis.com/projects/${var.project_id}/zones/${var.zone}"
# )
# }

# resource "google_tags_location_tag_binding" "instance" {
# for_each = var.create_template ? {} : coalesce(var.tag_bindings, {})
# parent = (
# "${local.tag_parent_base}/instances/${google_compute_instance.default.0.instance_id}"
# )
# tag_value = each.value
# location = var.zone
# }
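Review bot: with `google_tags_tag_binding.binding` removed, an upgrade plans the destruction of every existing binding resource and relies on the new `params` / `initialize_params` attributes to reapply the same tags; the README or PR description should state this migration step and advise operators to read the plan for a window in which the instance carries no tags, since firewall policy rules and IAM conditions keyed on those tags stop matching until the new attributes are applied. The commented-out `google_tags_location_tag_binding` block is useful context, but the TODO should link the provider issue about the permadiff so the condition for re-enabling it is checkable, and the comment should record that its `parent` is built from `local.tag_parent_base` and `instance_id`, whereas the removed resource used the instance `id`.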
2 changes: 1 addition & 1 deletion modules/compute-vm/variables.tf
Expand Up @@ -356,7 +356,7 @@ variable "snapshot_schedules" {
}

variable "tag_bindings" {
description = "Tag bindings for this instance, in key => tag value id format."
description = "Tag bindings for this instance, in tag key => tag value format."
type = map(string)
default = null
}
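Review bot: since this map now feeds `resource_manager_tags` directly with no validation, a `validation` block on `tag_bindings` would reject malformed entries at plan time instead of at apply, for example
`condition = alltrue([for k, v in coalesce(var.tag_bindings, {}) : startswith(k, "tagKeys/") && startswith(v, "tagValues/")])`
`error_message = "Keys must be tagKeys/<id> and values tagValues/<id>."`
(`startswith` needs Terraform 1.3 or later; `can(regex("^tagKeys/", k))` works on older versions if the module still supports them).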
83 changes: 83 additions & 0 deletions tests/modules/compute_vm/examples/tag-bindings.yaml
@@ -0,0 +1,83 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

values:
module.simple-vm-example.google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
boot_disk:
- auto_delete: true
disk_encryption_key_raw: null
initialize_params:
- image: projects/debian-cloud/global/images/family/debian-11
resource_manager_tags:
tagKeys/1234567890: tagValues/7890123456
size: 10
type: pd-balanced
mode: READ_WRITE
can_ip_forward: false
deletion_protection: false
description: Managed by the compute-vm Terraform module.
desired_status: null
enable_display: false
hostname: null
labels: null
machine_type: f1-micro
metadata: null
metadata_startup_script: null
name: test
network_interface:
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/xxx/global/networks/aaa
nic_type: null
queue_count: null
security_policy: null
subnetwork: subnet_self_link
network_performance_config: []
params:
- resource_manager_tags:
tagKeys/1234567890: tagValues/7890123456
project: project-id
resource_policies: null
scheduling:
- automatic_restart: true
instance_termination_action: null
local_ssd_recovery_timeout: []
maintenance_interval: null
max_run_duration: []
min_node_cpus: null
node_affinities: []
on_host_maintenance: MIGRATE
preemptible: false
provisioning_model: STANDARD
scratch_disk: []
service_account:
- scopes:
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
shielded_instance_config: []
tags: null
timeouts: null
zone: europe-west1-b

counts:
google_compute_instance: 1
modules: 1
resources: 1

outputs: {}
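Review bot: the inventory asserts that both `boot_disk[0].initialize_params[0].resource_manager_tags` and `params[0].resource_manager_tags` carry the same map, which is the key property of this change, and `counts.resources: 1` is the right check that no standalone binding resource is produced. What is missing is coverage for the limitations listed in the README (`tag_bindings` null, `use_independent_disk = true`, `create_template = true`); one more inventory for the template path, asserting that no `resource_manager_tags` appear, would guard the "ignored for instance templates" statement.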