feat: initial commit composer v3

Author: prabhu34

modules/create_environment_v3/README.md

@@ -0,0 +1,119 @@
+# Module Cloud Composer Environment ([v3](https://cloud.google.com/composer/docs/composer-3/composer-overview))
+
+This module is used to create a Cloud Composer v3 environment.
+
+## Compatibility
+
+This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue.
+
+
+```hcl
+module "simple-composer-environment" {
+  source                               = "terraform-google-modules/composer/google//modules/create_environment_v3"
+  version                              = "~> 7.0"
+  project_id                           = var.project_id
+  composer_env_name                    = "test-composer-env"
+  region                               = "us-central1"
+  composer_service_account             = var.composer_service_account
+  network                              = "test-vpc"
+  subnetwork                           = "test-subnet"
+  grant_sa_agent_permission            = false
+  environment_size                     = "ENVIRONMENT_SIZE_SMALL"
+  use_private_environment              = true
+  composer_network_attachment_name     = "composer-na"
+
+  scheduler = {
+    cpu        = 0.5
+    memory_gb  = 1.875
+    storage_gb = 1
+    count      = 2
+  }
+
+  dag_processor = {
+    cpu        = 0.5
+    memory_gb  = 1.875
+    storage_gb = 1
+    count      = 2
+  }
+
+  web_server = {
+    cpu        = 0.5
+    memory_gb  = 1.875
+    storage_gb = 1
+  }
+
+  worker = {
+    cpu        = 0.5
+    memory_gb  = 1.875
+    storage_gb = 1
+    min_count  = 2
+    max_count  = 3
+  }
+
+  triggerer = {
+    cpu       = 1
+    memory_gb = 1
+    count     = 2
+  }
+}
+
+```
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| airflow\_config\_overrides | Airflow configuration properties to override. Property keys contain the section and property names, separated by a hyphen, for example "core-dags\_are\_paused\_at\_creation". | `map(string)` | `{}` | no |
+| cloud\_composer\_connection\_subnetwork | Subnetwork self-link. When specified, the environment will use Private Service Connect instead of VPC peerings to connect to CloudSQL in the Tenant Project. IP address of psc endpoint is allocated from this subnet | `string` | `null` | no |
+| cloud\_composer\_network\_ipv4\_cidr\_block | The CIDR block from which IP range in tenant project will be reserved. Required if VPC peering is used to connect to CloudSql instead of PSC | `string` | `null` | no |
+| cloud\_data\_lineage\_integration | Whether or not Dataplex data lineage integration is enabled. Cloud Composer environments in versions composer-2.1.2-airflow-..* and newer) | `bool` | `false` | no |
+| cloud\_sql\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for Cloud SQL private service access. Required if VPC peering is used to connect to CloudSql instead of PSC | `string` | `null` | no |
+| composer\_env\_name | Name of Cloud Composer Environment | `string` | n/a | yes |
+| composer\_service\_account | Service Account for running Cloud Composer. | `string` | `null` | no |
+| enable\_ip\_masq\_agent | Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic. | `bool` | `false` | no |
+| enable\_private\_endpoint | Configure private access to the cluster endpoint. If true, access to the public endpoint of the GKE cluster is denied | `bool` | `false` | no |
+| enable\_privately\_used\_public\_ips | When enabled, IPs from public (non-RFC1918) ranges can be used for pod\_ip\_allocation\_range\_name and service\_ip\_allocation\_range\_name. | `bool` | `false` | no |
+| env\_variables | Variables of the airflow environment. | `map(string)` | `{}` | no |
+| environment\_size | The environment size controls the performance parameters of the managed Cloud Composer infrastructure that includes the Airflow database. Values for environment size are: `ENVIRONMENT_SIZE_SMALL`, `ENVIRONMENT_SIZE_MEDIUM`, and `ENVIRONMENT_SIZE_LARGE`. | `string` | `"ENVIRONMENT_SIZE_MEDIUM"` | no |
+| grant\_sa\_agent\_permission | Cloud Composer relies on Workload Identity as Google API authentication mechanism for Airflow. | `bool` | `true` | no |
+| image\_version | The version of the aiflow running in the cloud composer environment. | `string` | `"composer-2.10.2-airflow-2.10.2"` | no |
+| kms\_key\_name | Customer-managed Encryption Key fully qualified resource name, i.e. projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key. | `string` | `null` | no |
+| labels | The resource labels (a map of key/value pairs) to be applied to the Cloud Composer. | `map(string)` | `{}` | no |
+| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `null` | no |
+| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `null` | no |
+| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | <pre>list(object({<br>    cidr_block   = string<br>    display_name = string<br>  }))</pre> | `[]` | no |
+| master\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for the GKE master. Required when `use_private_environment` and `enable_private_endpoint` is `true` | `string` | `null` | no |
+| network | The VPC network to host the composer cluster. | `string` | n/a | yes |
+| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
+| pod\_ip\_allocation\_range\_name | The name of the subnet secondary range, used to allocate IP addresses for the pods. | `string` | `null` | no |
+| project\_id | Project ID where Cloud Composer Environment is created. | `string` | n/a | yes |
+| pypi\_packages | Custom Python Package Index (PyPI) packages to be installed in the environment. Keys refer to the lowercase package name (e.g. "numpy"). | `map(string)` | `{}` | no |
+| region | Region where the Cloud Composer Environment is created. | `string` | `"us-central1"` | no |
+| resilience\_mode | Cloud Composer 2.1.15 or newer only. The resilience mode states whether high resilience is enabled for the environment or not. Values for resilience mode are `HIGH_RESILIENCE` for high resilience and `STANDARD_RESILIENCE` for standard resilience | `string` | `null` | no |
+| scheduled\_snapshots\_config | The recovery configuration settings for the Cloud Composer environment | <pre>object({<br>    enabled                    = optional(bool, false)<br>    snapshot_location          = optional(string)<br>    snapshot_creation_schedule = optional(string)<br>    time_zone                  = optional(string)<br>  })</pre> | `null` | no |
+| scheduler | Configuration for resources used by Airflow schedulers. | <pre>object({<br>    cpu        = string<br>    memory_gb  = number<br>    storage_gb = number<br>    count      = number<br>  })</pre> | <pre>{<br>  "count": 2,<br>  "cpu": 2,<br>  "memory_gb": 7.5,<br>  "storage_gb": 5<br>}</pre> | no |
+| service\_ip\_allocation\_range\_name | The name of the subnet secondary range, used to allocate IP addresses for the Services. | `string` | `null` | no |
+| storage\_bucket | Name of an existing Cloud Storage bucket to be used by the environment | `string` | `null` | no |
+| subnetwork | The name of the subnetwork to host the composer cluster. | `string` | n/a | yes |
+| subnetwork\_region | The subnetwork region of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
+| tags | Tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls. | `set(string)` | `[]` | no |
+| task\_logs\_retention\_storage\_mode | The mode of storage for Airflow workers task logs. Values for storage mode are CLOUD\_LOGGING\_ONLY to only store logs in cloud logging and CLOUD\_LOGGING\_AND\_CLOUD\_STORAGE to store logs in cloud logging and cloud storage. Cloud Composer 2.0.23 or newer only | `string` | `null` | no |
+| triggerer | Configuration for resources used by Airflow triggerer | <pre>object({<br>    cpu       = string<br>    memory_gb = number<br>    count     = number<br>  })</pre> | `null` | no |
+| use\_private\_environment | Create a private environment. | `bool` | `false` | no |
+| web\_server | Configuration for resources used by Airflow web server. | <pre>object({<br>    cpu        = string<br>    memory_gb  = number<br>    storage_gb = number<br>  })</pre> | <pre>{<br>  "cpu": 2,<br>  "memory_gb": 7.5,<br>  "storage_gb": 5<br>}</pre> | no |
+| web\_server\_network\_access\_control | The network-level access control policy for the Airflow web server. If unspecified, no network-level access restrictions are applied | <pre>list(object({<br>    allowed_ip_range = string<br>    description      = string<br>  }))</pre> | `null` | no |
+| worker | Configuration for resources used by Airflow workers. | <pre>object({<br>    cpu        = string<br>    memory_gb  = number<br>    storage_gb = number<br>    min_count  = number<br>    max_count  = number<br>  })</pre> | <pre>{<br>  "cpu": 2,<br>  "max_count": 6,<br>  "memory_gb": 7.5,<br>  "min_count": 2,<br>  "storage_gb": 5<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| airflow\_uri | URI of the Apache Airflow Web UI hosted within the Cloud Composer Environment. |
+| composer\_env | Cloud Composer Environment |
+| composer\_env\_id | ID of Cloud Composer Environment. |
+| composer\_env\_name | Name of the Cloud Composer Environment. |
+| gcs\_bucket | Google Cloud Storage bucket which hosts DAGs for the Cloud Composer Environment. |
+| gke\_cluster | Google Kubernetes Engine cluster used to run the Cloud Composer Environment. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/create_environment_v3/iam.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+resource "google_project_iam_member" "composer_agent_service_account" {
+  count   = var.grant_sa_agent_permission ? 1 : 0
+  project = data.google_project.project.project_id
+  role    = "roles/composer.ServiceAgentV2Ext"
+  member  = format("serviceAccount:%s", local.cloud_composer_sa)
+}

modules/create_environment_v3/main.tf

@@ -0,0 +1,191 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id
+  subnetwork_region  = var.subnetwork_region != "" ? var.subnetwork_region : var.region
+  cloud_composer_sa  = format("service-%[email protected]", data.google_project.project.number)
+}
+
+resource "google_composer_environment" "composer_env" {
+  provider = google-beta
+
+  project = var.project_id
+  name    = var.composer_env_name
+  region  = var.region
+  labels  = var.labels
+
+  dynamic "storage_config" {
+    for_each = var.storage_bucket != null ? ["storage_config"] : []
+    content {
+      bucket = var.storage_bucket
+    }
+  }
+
+  config {
+
+    enable_private_environment = var.use_private_environment # reusing the existing variable name from previous versions
+
+    environment_size = var.environment_size
+    resilience_mode  = var.resilience_mode
+
+    node_config {
+      service_account             = var.composer_service_account
+      tags                        = var.tags
+      network                     = var.create_network_attachment ? "projects/${local.network_project_id}/global/networks/${var.network}" : null
+      subnetwork                  = var.create_network_attachment ? "projects/${local.network_project_id}/regions/${local.subnetwork_region}/subnetworks/${var.subnetwork}" : null
+      composer_network_attachment = var.create_network_attachment ? null : "projects/{var.project_id}/regions/${var.region}/networkAttachments/${var.composer_network_attachment_name}"
+    }
+
+    dynamic "software_config" {
+      for_each = [
+        {
+          airflow_config_overrides = var.airflow_config_overrides
+          pypi_packages            = var.pypi_packages
+          env_variables            = var.env_variables
+          image_version            = var.image_version
+          web_server_plugins_mode  = var.web_server_plugins_mode
+      }]
+      content {
+        airflow_config_overrides = software_config.value["airflow_config_overrides"]
+        pypi_packages            = software_config.value["pypi_packages"]
+        env_variables            = software_config.value["env_variables"]
+        image_version            = software_config.value["image_version"]
+        web_server_plugins_mode  = software_config.value["web_server_plugins_mode"]
+        dynamic "cloud_data_lineage_integration" {
+          for_each = var.cloud_data_lineage_integration ? ["cloud_data_lineage_integration"] : []
+          content {
+            enabled = var.cloud_data_lineage_integration
+          }
+        }
+      }
+    }
+
+    dynamic "maintenance_window" {
+      for_each = (var.maintenance_end_time != null && var.maintenance_recurrence != null) ? [
+        {
+          start_time = var.maintenance_start_time
+          end_time   = var.maintenance_end_time
+          recurrence = var.maintenance_recurrence
+      }] : []
+      content {
+        start_time = maintenance_window.value["start_time"]
+        end_time   = maintenance_window.value["end_time"]
+        recurrence = maintenance_window.value["recurrence"]
+      }
+    }
+
+    workloads_config {
+
+      dynamic "scheduler" {
+        for_each = var.scheduler != null ? [var.scheduler] : []
+        content {
+          cpu        = scheduler.value["cpu"]
+          memory_gb  = scheduler.value["memory_gb"]
+          storage_gb = scheduler.value["storage_gb"]
+          count      = scheduler.value["count"]
+        }
+      }
+
+      dynamic "web_server" {
+        for_each = var.web_server != null ? [var.web_server] : []
+        content {
+          cpu        = web_server.value["cpu"]
+          memory_gb  = web_server.value["memory_gb"]
+          storage_gb = web_server.value["storage_gb"]
+        }
+      }
+
+      dynamic "worker" {
+        for_each = var.worker != null ? [var.worker] : []
+        content {
+          cpu        = worker.value["cpu"]
+          memory_gb  = worker.value["memory_gb"]
+          storage_gb = worker.value["storage_gb"]
+          min_count  = worker.value["min_count"]
+          max_count  = worker.value["max_count"]
+        }
+      }
+
+      dynamic "triggerer" {
+        for_each = var.triggerer != null ? [var.triggerer] : []
+        content {
+          cpu       = triggerer.value["cpu"]
+          memory_gb = triggerer.value["memory_gb"]
+          count     = triggerer.value["count"]
+        }
+      }
+
+      dynamic "dag_processor" {
+        for_each = var.dag_processor != null ? [var.dag_processor] : []
+        content {
+          cpu        = dag_processor.value["cpu"]
+          memory_gb  = dag_processor.value["memory_gb"]
+          storage_gb = dag_processor.value["storage_gb"]
+          count      = dag_processor.value["count"]
+        }
+      }
+
+    }
+
+    dynamic "recovery_config" {
+      for_each = var.scheduled_snapshots_config != null ? ["recovery_config"] : []
+      content {
+        dynamic "scheduled_snapshots_config" {
+          for_each = var.scheduled_snapshots_config != null ? [var.scheduled_snapshots_config] : []
+          content {
+            enabled                    = scheduled_snapshots_config.value["enabled"]
+            snapshot_location          = scheduled_snapshots_config.value["snapshot_location"]
+            snapshot_creation_schedule = scheduled_snapshots_config.value["snapshot_creation_schedule"]
+            time_zone                  = scheduled_snapshots_config.value["time_zone"]
+          }
+        }
+      }
+    }
+
+    dynamic "web_server_network_access_control" {
+      for_each = var.web_server_network_access_control == null ? [] : ["web_server_network_access_control"]
+      content {
+        dynamic "allowed_ip_range" {
+          for_each = { for x in var.web_server_network_access_control : x.allowed_ip_range => x }
+          content {
+            value       = allowed_ip_range.value["allowed_ip_range"]
+            description = allowed_ip_range.value["description"]
+          }
+        }
+      }
+    }
+
+    dynamic "encryption_config" {
+      for_each = var.kms_key_name != null ? ["encryption_config"] : []
+      content {
+        kms_key_name = var.kms_key_name
+      }
+    }
+
+    dynamic "data_retention_config" {
+      for_each = var.task_logs_retention_storage_mode == null ? [] : ["data_retention_config"]
+      content {
+        task_logs_retention_config {
+          storage_mode = var.task_logs_retention_storage_mode
+        }
+      }
+    }
+  }
+
+  depends_on = [google_project_iam_member.composer_agent_service_account]
+
+}

modules/create_environment_v3/outputs.tf

@@ -0,0 +1,40 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "composer_env_name" {
+  value       = google_composer_environment.composer_env.name
+  description = "Name of the Cloud Composer Environment."
+}
+
+output "composer_env_id" {
+  value       = google_composer_environment.composer_env.id
+  description = "ID of Cloud Composer Environment."
+}
+
+output "gcs_bucket" {
+  value       = google_composer_environment.composer_env.config[0].dag_gcs_prefix
+  description = "Google Cloud Storage bucket which hosts DAGs for the Cloud Composer Environment."
+}
+
+output "airflow_uri" {
+  value       = google_composer_environment.composer_env.config[0].airflow_uri
+  description = "URI of the Apache Airflow Web UI hosted within the Cloud Composer Environment."
+}
+
+output "composer_env" {
+  value       = google_composer_environment.composer_env
+  description = "Cloud Composer Environment"
+}