No public description

PiperOrigin-RevId: 773613379

Author: Android Build Filesystem (ABFS) Team

.gitignore

@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

examples/simple/.terraform.lock.hcl

@@ -12,24 +12,23 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-resource "google_service_account" "abfs_server" {
-  project      = data.google_project.project.project_id
-  account_id   = "abfs-server"
-  display_name = "SA for ABFS server VMs"
+data "google_service_account" "abfs" {
+  project    = data.google_project.project.project_id
+  account_id = var.abfs_service_account_id
 }
 
 module "project-iam-bindings" {
-  source   = "terraform-google-modules/iam/google//modules/projects_iam"
-  version  = "8.1.0"
+  source  = "terraform-google-modules/iam/google//modules/projects_iam"
+  version = "8.1.0"
+
   projects = [data.google_project.project.project_id]
   mode     = "authoritative"
-
   bindings = {
-    "roles/logging.logWriter"                   = ["serviceAccount:${google_service_account.abfs_server.email}"],
-    "roles/monitoring.metricWriter"             = ["serviceAccount:${google_service_account.abfs_server.email}"],
-    "roles/monitoring.viewer"                   = ["serviceAccount:${google_service_account.abfs_server.email}"],
-    "roles/stackdriver.resourceMetadata.writer" = ["serviceAccount:${google_service_account.abfs_server.email}"],
-    "roles/artifactregistry.reader"             = ["serviceAccount:${google_service_account.abfs_server.email}"]
+    "roles/artifactregistry.reader"             = [data.google_service_account.abfs.member],
+    "roles/logging.logWriter"                   = [data.google_service_account.abfs.member],
+    "roles/monitoring.metricWriter"             = [data.google_service_account.abfs.member],
+    "roles/monitoring.viewer"                   = [data.google_service_account.abfs.member],
+    "roles/stackdriver.resourceMetadata.writer" = [data.google_service_account.abfs.member],
   }
 
   depends_on = [

examples/simple/iam.tf

@@ -17,7 +17,7 @@ module "abfs-deployment" {
 
   project_id            = var.project_id
   zone                  = var.zone
-  service_account_email = google_service_account.abfs_server.email
+  service_account_email = data.google_service_account.abfs.email
   subnetwork            = module.abfs-vpc.subnets["${var.region}/abfs-subnet"].name
   abfs_docker_image_uri = var.abfs_docker_image_uri
   abfs_license          = var.abfs_license
@@ -28,7 +28,7 @@ module "abfs-uploaders" {
 
   project_id                           = var.project_id
   zone                                 = var.zone
-  service_account_email                = google_service_account.abfs_server.email
+  service_account_email                = data.google_service_account.abfs.email
   subnetwork                           = module.abfs-vpc.subnets["${var.region}/abfs-subnet"].name
   abfs_docker_image_uri                = var.abfs_docker_image_uri
   abfs_gerrit_uploader_manifest_server = var.abfs_gerrit_uploader_manifest_server
@@ -40,7 +40,8 @@ module "abfs-uploaders" {
 }
 
 module "monitoring" {
-  source             = "./monitoring"
+  source = "./monitoring"
+
   project_id         = data.google_project.project.project_id
   notification_email = var.alert_notification_email
 }

examples/simple/main.tf

@@ -19,15 +19,14 @@ module "abfs-vpc" {
   project_id   = data.google_project.project.project_id
   network_name = "abfs-network"
   routing_mode = "GLOBAL"
-
   firewall_rules = [
     {
       description             = "Allow egress to Google APIs via Private Google Access"
       direction               = "EGRESS"
       name                    = "allow-egress-google-apis"
       priority                = 1000
       ranges                  = ["199.36.153.8/30", "34.126.0.0/18"]
-      target_service_accounts = [google_service_account.abfs_server.email]
+      target_service_accounts = [data.google_service_account.abfs.email]
 
       allow = [
         {
@@ -59,8 +58,8 @@ module "abfs-vpc" {
       priority    = 1000
 
       ranges                  = ["0.0.0.0/0"]
-      source_service_accounts = [google_service_account.abfs_server.email]
-      target_service_accounts = [google_service_account.abfs_server.email]
+      source_service_accounts = [data.google_service_account.abfs.email]
+      target_service_accounts = [data.google_service_account.abfs.email]
       allow = [
         {
           protocol = "icmp"
@@ -77,7 +76,6 @@ module "abfs-vpc" {
       ]
     }
   ]
-
   subnets = [
     {
       subnet_name           = "abfs-subnet"
@@ -100,8 +98,9 @@ resource "google_compute_router" "nat_router" {
 }
 
 module "cloud-nat" {
-  source     = "terraform-google-modules/cloud-nat/google"
-  version    = "~> 5.3"
+  source  = "terraform-google-modules/cloud-nat/google"
+  version = "~> 5.3"
+
   project_id = var.project_id
   region     = var.region
   router     = google_compute_router.nat_router.name

examples/simple/network.tf

@@ -16,7 +16,7 @@ output "license_information" {
   value = {
     project_id                = data.google_project.project.project_id,
     project_number            = data.google_project.project.number,
-    service_account_email     = google_service_account.abfs_server.email
-    service_account_unique_id = google_service_account.abfs_server.unique_id
+    service_account_email     = data.google_service_account.abfs.email
+    service_account_unique_id = data.google_service_account.abfs.unique_id
   }
 }

examples/simple/outputs.tf

@@ -65,3 +65,8 @@ variable "alert_notification_email" {
   type        = string
   description = "Email address to send alert notifications to"
 }
+
+variable "abfs_service_account_id" {
+  type        = string
+  description = "ABFS service account ID (e.g. abfs@<project-id>.iam.gserviceaccount.com)"
+}