Merge pull request #313 from obriensystems/main

#284 - refactor module guardrails hardcoded services list to env
GoogleCloudPlatform · Sep 18, 2023 · 968fb01 · 968fb01
2 parents b497509 + e3b31b9
commit 968fb01
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 13 deletions.
diff --git a/environments/common/common.auto.tfvars b/environments/common/common.auto.tfvars
@@ -135,7 +135,17 @@ guardrails = {
   org_id_scan_list = [     # REQUIRED EDIT. Organization Id list for service account to have cloud asset viewer permission
   ]
   org_client = false #Set to true if deploying remote client landing zone.  Otherwise set to false if deploying for core organization landing zone.
-
+  guardrails_services   = [
+    "artifactregistry.googleapis.com",
+    "appengine.googleapis.com",
+    "cloudfunctions.googleapis.com",
+    "cloudasset.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "cloudscheduler.googleapis.com",
+    "containerregistry.googleapis.com",
+    "sourcerepo.googleapis.com",
+    "storage.googleapis.com"
+  ]
 }
 
 

diff --git a/environments/common/main.tf b/environments/common/main.tf
@@ -117,6 +117,7 @@ module "core-guardrails" {
   environment          = local.organization_config.environment
   owner                = local.organization_config.owner
   terraform_sa_project = data.terraform_remote_state.bootstrap.outputs.project_id
+  services             = var.guardrails.guardrails_services
 }
 
 ###############################################################################

diff --git a/environments/common/variables.tf b/environments/common/variables.tf
@@ -300,6 +300,7 @@ variable "guardrails" {
     org_id_scan_list    = list(string)
     org_client          = bool
     user_defined_string = string
+    guardrails_services      = optional(list(string))
   })
   description = "GCP guard rails are created using rego based policies in this project"
 }

diff --git a/modules/guardrails/main.tf b/modules/guardrails/main.tf
@@ -26,17 +26,7 @@ module "guardrails_project" {
   location                       = var.region
   parent                         = var.parent
   tf_service_account_email       = var.tf_service_account_email
-  services = [
-    "artifactregistry.googleapis.com",
-    "appengine.googleapis.com",
-    "cloudfunctions.googleapis.com",
-    "cloudasset.googleapis.com",
-    "cloudbuild.googleapis.com",
-    "cloudscheduler.googleapis.com",
-    "containerregistry.googleapis.com",
-    "sourcerepo.googleapis.com",
-    "storage.googleapis.com"
-  ]
+  services                       = var.services
 }
 
 # Create guardrails if this is the main org

diff --git a/modules/guardrails/variables.tf b/modules/guardrails/variables.tf
@@ -79,4 +79,10 @@ variable "additional_user_defined_string" {
    variable "terraform_sa_project" {
   description = "GCP Project where the Terraform Service Account(s) exist"
   type        = string
-}
+}
+
+variable "services" {
+  description = "Service APIs to enable."
+  type        = list(string)
+  default     = []
+}