Terraform template to bootstrap a baseline project in Google Cloud.
| Feature | Description | File |
|---|---|---|
| Network | Compute Engine Network | network.tf |
| Subnet | Subnet in the default region | network.tf |
| NAT Gateway | NAT Gateway with static IP in the default region | network.tf |
| Private Service Connector | Private connector for private Google API's access | network.tf |
| Serverless VPC Connector | Serverless VPC connector for Serverless workload access | network.tf |
| Firewalls | Baseline firewall rules | firewall.tf |
| Budgets | Budget alert, defaults to 100 USD | budget.tf |
| IAM | Assigns defined roles to IAM users across 3 levels admin, dev and basic |
iam.tf |
| Services | Enables defined Google cloud API's | services.tf |
| Notifications | Email notification channel for budget alerts etc | monitoring.tf |
| CI/CD | GitHub Actions to lint, plan, and apply to Google Cloud |
.github/workflows/terraform-apply.yaml, .github/workflows/terraform-plan.yaml |
DO NOT FORK this is meant to be used from Use this template feature.
- Click on Use this template
- Give a name to your repo
- Wait until the first run of CI finishes
(Github Actions will process the template and commit to your new repo) - Clone your new repo.
- Update
terraform.tfvarsandprovider.tfwith yourprojectandbackend - If you don't want CI/CD (GitHub Actions), delete
.github/workflows/terraform-apply.yamland.github/workflows/terraform-plan.yaml - If you want CI/CD (GitHub Actions):
On the new repositorysettings->secretsadd yourGOOGLE_SERVICE_ACCOUNT,GOOGLE_WORKLOAD_IDENTITY_PROVIDERandTERRAFORM_PLAN_BUCKET(to store plan files).
Toplan, create afeature branchand raise aPRtomain.
Toapply, merge thePRintomain(note theapplyjob runs against thefeature branch).
A terraform module to set up Google Cloudworkload identityfor GitHub Actions is available here.
NOTE: WAIT until first CI run on github actions before cloning your new project.
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| ~> 6.0 |
| Name | Version |
|---|---|
| ~> 6.0 |
| Name | Description | Type | Required |
|---|---|---|---|
| notification_emails | Email addresses to send notifications to | list(string) |
yes |
| project_id | The ID of the project | string |
yes |
| admin_user_roles | Admin user roles | list(string) |
no |
| admin_users | Email address of admin users | list(string) |
no |
| basic_user_roles | Admin user roles | list(string) |
no |
| basic_users | Email address of basic users | list(string) |
no |
| billing_account_id | The ID of the Billing Account | string |
no |
| budget_alert_thresholds | What points should billing alerts be sent | list(number) |
no |
| budget_currency | The 3-letter currency code as defined in ISO 4217 | string |
no |
| dev_user_roles | Dev (developer) user roles | list(string) |
no |
| dev_users | Email address of dev (developer) users | list(string) |
no |
| enable_budget | Create a budget | bool |
no |
| enable_firewall_ingress_logs | Should firewall logs be enabled for ingress traffic | bool |
no |
| enable_nat_logs | Should Cloud NAT logs be enabled | bool |
no |
| enable_subnet_flow_logs | Should subnet flow logs be enabled | bool |
no |
| enabled_apis | Google Cloud API's to enable on the project. | list(string) |
no |
| labels | Common Labels | map(string) |
no |
| monthly_budget | Monthly budget | string |
no |
| prefix | Prefix to prepend to resource names | string |
no |
| region | Default region for resources | string |
no |
| Name | Description |
|---|---|
| network | Network name |
| subnet | Subnet name |
| vpc_connector_subnet | VPC connector subnet name |