@dpgaspar dpgaspar commented Nov 10, 2025

Summary

This PR adds a Terraform module for setting up MPC (Managed Private Cloud) permissions in customer GCP projects, providing a declarative infrastructure-as-code alternative to the existing shell script approach.

Changes

New Terraform Module (gcp/terraform/modules/mpc-permissions/)

  • Custom IAM Role: Creates PresetMPCAdminV2 with all necessary permissions for Preset to manage MPC infrastructure
  • MPC Service Account: Creates preset-mpc-sa for Preset to use when managing customer resources
  • IAM Bindings: Configures impersonation and role assignments
  • Organization Policy Management: Optional Terraform-managed org policy configuration for allowed domains
  • Side-by-side migration support: Uses new default names to avoid conflicts with existing Deployment Manager resources

Module Features

  • Comprehensive input variables with sensible defaults
  • Full outputs for service account email, role IDs, and configuration status
  • Support for additional allowed organization domains
  • Terraform >= 1.6.3 and Google provider >= 5.0 compatibility

Documentation

  • Module README: Complete documentation at gcp/terraform/modules/mpc-permissions/README.md including:
    • Prerequisites and setup instructions
    • Usage examples (basic and advanced)
    • Input/output reference tables
    • Migration guide from Deployment Manager
    • Detailed permissions breakdown
  • Simplified main README: Streamlined to act as a directory pointing to detailed docs for both Terraform and shell script approaches

Example Configuration

Includes a working example at gcp/terraform/example/ demonstrating module usage with:

  • Provider configuration
  • Module invocation with preset service account selection
  • Outputs for customer handoff

Testing

The module has been designed to be:

  • Safe for public repositories (no hardcoded secrets or credentials)
  • Idempotent (safe to run multiple times)
  • Side-by-side compatible with existing Deployment Manager deployments

Migration Path

Customers can migrate from Deployment Manager to Terraform using a simple side-by-side approach:

  1. Run Terraform to create new resources (different names, no conflicts)
  2. Provide new service account email to Preset
  3. Preset switches automation to new service account
  4. (Optional) Clean up old Deployment Manager resources
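
Sketch of the three IAM pieces the description lists (custom role, service account, impersonation binding), as an added example and not the module from this repository: the permission list, the `preset_impersonator` principal and the variable names are assumptions, and the optional org policy part is left out.

```hcl
# Added illustrative sketch, not the repository's mpc-permissions module.
# Permission list and Preset principal are assumed placeholders.
variable "project_id" { type = string }

variable "preset_impersonator" {
  description = "Preset principal allowed to impersonate the MPC SA (assumed placeholder)"
  type        = string
  default     = "serviceAccount:PRESET-AUTOMATION@EXAMPLE.iam.gserviceaccount.com"
}

# Custom role with an explicit permission list rather than a broad predefined
# role such as roles/editor; the subset below is illustrative only.
resource "google_project_iam_custom_role" "mpc_admin" {
  project     = var.project_id
  role_id     = "PresetMPCAdminV2"
  title       = "Preset MPC Admin V2"
  permissions = [
    "compute.instances.list",
    "container.clusters.get",
  ]
}

# Dedicated service account that Preset uses; keeps its grants auditable.
resource "google_service_account" "mpc" {
  project      = var.project_id
  account_id   = "preset-mpc-sa"
  display_name = "Preset MPC service account"
}

# Grant the custom role to the SA on this project only.
resource "google_project_iam_member" "mpc_sa_role" {
  project = var.project_id
  role    = google_project_iam_custom_role.mpc_admin.id
  member  = "serviceAccount:${google_service_account.mpc.email}"
}

# Impersonation is bound on the SA resource itself, not project-wide, so the
# Preset principal can mint tokens for this SA and no other.
resource "google_service_account_iam_member" "mpc_sa_impersonation" {
  service_account_id = google_service_account.mpc.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = var.preset_impersonator
}

# Email handed to Preset in step 2 of the migration path.
output "mpc_service_account_email" {
  value = google_service_account.mpc.email
}
```

After `terraform apply`, `gcloud iam service-accounts get-iam-policy preset-mpc-sa@PROJECT_ID.iam.gserviceaccount.com` should show only the token-creator binding for the Preset principal, which is the check to run before handing the email over.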

@dpgaspar dpgaspar requested a review from garciajrx November 10, 2025 12:17
@dpgaspar dpgaspar merged commit bd97fdb into master Nov 10, 2025
@dpgaspar dpgaspar deleted the danielgaspar/sc-93630/gcp-create-terraform-and-shell-scripts-to branch November 10, 2025 13:39