terraform-google-modules · q2w · Aug 11, 2025 · Jul 18, 2025 · Jul 24, 2025 · Jul 28, 2025
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25.4
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 
@@ -79,7 +79,7 @@ docker_generate_docs:
 		-e ENABLE_BPMETADATA=1 \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements'
 
 ## Generate files from autogen
 .PHONY: docker_generate_modules

@@ -336,24 +336,21 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
-          - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
+          - roles/storage.admin
+          - roles/compute.admin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

@@ -323,25 +323,12 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
+          - roles/iam.serviceAccountAdmin
           - roles/compute.admin
-          - roles/run.admin
           - roles/iam.serviceAccountUser
-          - roles/certificatemanager.owner
-          - roles/vpcaccess.admin
-          - roles/iam.serviceAccountAdmin
     services:
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
-      - iam.googleapis.com
-      - certificatemanager.googleapis.com
-      - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.0, < 7"

@@ -326,9 +326,6 @@ spec:
         description: The default URL map used by this module.
   requirements:
     roles:
-      - level: Project
-        roles:
-          - roles/compute.xpnAdmin
       - level: Project
         roles:
           - roles/storage.admin
@@ -339,13 +336,13 @@ spec:
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

@@ -236,25 +236,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
+          - roles/compute.loadBalancerAdmin
           - roles/compute.admin
-          - roles/run.admin
-          - roles/iam.serviceAccountUser
-          - roles/certificatemanager.owner
-          - roles/vpcaccess.admin
-          - roles/iam.serviceAccountAdmin
     services:
-      - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
-      - compute.googleapis.com
-      - run.googleapis.com
-      - iam.googleapis.com
       - certificatemanager.googleapis.com
-      - vpcaccess.googleapis.com
+      - compute.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.0, < 7"

@@ -292,24 +292,21 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
+          - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
-          - roles/iam.serviceAccountAdmin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

@@ -15,15 +15,46 @@
  */
 
 locals {
-  int_required_project_roles = [
-    "roles/storage.admin",
-    "roles/compute.admin",
-    "roles/run.admin",
-    "roles/iam.serviceAccountUser",
-    "roles/certificatemanager.owner",
-    "roles/vpcaccess.admin",
-    "roles/iam.serviceAccountAdmin"
-  ]
+  per_module_roles = {
+    root = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+    backend = [
+      "roles/compute.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/iam.serviceAccountAdmin"
+    ]
+    dynamic_backends = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+    frontend = [
+      "roles/compute.admin",
+      "roles/compute.loadBalancerAdmin",
+    ]
+    serverless_negs = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+  }
+
+  int_required_project_roles = tolist(toset(flatten(values(local.per_module_roles))))
   int_required_folder_roles = [
     "roles/compute.xpnAdmin"
   ]

@@ -14,6 +14,49 @@
  * limitations under the License.
  */
 
+locals {
+  per_module_services = {
+    root = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+    backend = [
+      "compute.googleapis.com",
+      "cloudresourcemanager.googleapis.com",
+    ]
+    dynamic_backends = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+    frontend = [
+      "compute.googleapis.com",
+      "certificatemanager.googleapis.com",
+    ]
+    serverless_negs = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+  }
+}
+
 module "project-ci-lb-http" {
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 17.0"
@@ -28,16 +71,7 @@ module "project-ci-lb-http" {
   disable_services_on_destroy = false
   deletion_policy             = "DELETE"
 
-  activate_apis = [
-    "cloudresourcemanager.googleapis.com",
-    "storage-api.googleapis.com",
-    "serviceusage.googleapis.com",
-    "compute.googleapis.com",
-    "run.googleapis.com",
-    "iam.googleapis.com",
-    "certificatemanager.googleapis.com",
-    "vpcaccess.googleapis.com",
-  ]
+  activate_apis = tolist(toset(flatten(values(local.per_module_services))))
 }
 
 module "project-ci-lb-http-1" {
@@ -54,14 +88,5 @@ module "project-ci-lb-http-1" {
   disable_services_on_destroy = false
   deletion_policy             = "DELETE"
 
-  activate_apis = [
-    "cloudresourcemanager.googleapis.com",
-    "storage-api.googleapis.com",
-    "serviceusage.googleapis.com",
-    "compute.googleapis.com",
-    "run.googleapis.com",
-    "iam.googleapis.com",
-    "certificatemanager.googleapis.com",
-    "vpcaccess.googleapis.com",
-  ]
+  activate_apis = tolist(toset(flatten(values(local.per_module_services))))
 }