fix: All dependencies on gcloud have been removed. (#491)

BREAKING CHANGE: All null_resources for executing gcloud scripts have been removed. See the upgrade guide for details.

Author: thiagonache

README.md

@@ -140,10 +140,8 @@ determining that location is as follows:
 | sa\_role | A role to give the default Service Account for the project (defaults to none) | `string` | `""` | no |
 | shared\_vpc | The ID of the host project which hosts the shared VPC | `string` | `""` | no |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module) | `bool` | `false` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
 | usage\_bucket\_prefix | Prefix in the GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |
-| use\_tf\_google\_credentials\_env\_var | Use GOOGLE\_CREDENTIALS environment variable to run gcloud auth activate-service-account with. | `bool` | `false` | no |
 | vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no |
 | vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no |
 

docs/upgrading_to_project_factory_v10.0.md

@@ -0,0 +1,190 @@
+# Upgrading to Project Factory v10.0
+
+The v10.0 release of Project Factory is a backwards incompatible release for
+all modules since the breaking change is on
+[core_project_factory](../modules/core_project_factory) module which removes the
+need of gcloud and local-execs.
+
+## Migration Instructions
+
+Remove any references to `skip_gcloud_download and use_tf_google_credentials_env_var` if applicable.
+
+## Upgrade provider version
+
+The new resource which replaces the gcloud commands is only available on version
+3.47 of Google's terraform provider. So, make sure you relax the version range
+or set it to 3.47. Finally, run terraform apply.
+
+```diff
+An execution plan has been generated and is shown below.
+Resource actions are indicated with the following symbols:
+  + create
+  - destroy
+
+Terraform will perform the following actions:
+
+  # module.project-factory.module.project-factory.google_project_default_service_accounts.default_service_accounts will be created
+  + resource "google_project_default_service_accounts" "default_service_accounts" {
+      + action           = "DISABLE"
+      + id               = (known after apply)
+      + project          = "pf-test-1-6331"
+      + restore_policy   = "REVERT"
+      + service_accounts = (known after apply)
+    }
+
+  # module.project-factory.module.project-factory.null_resource.preconditions will be destroyed
+  - resource "null_resource" "preconditions" {
+      - id       = "8792279262642897492" -> null
+      - triggers = {
+          - "billing_account"  = "REDACTED"
+          - "credentials_path" = ""
+          - "folder_id"        = ""
+          - "org_id"           = "REDACTED"
+          - "shared_vpc"       = ""
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_delete.random_id.cache will be destroyed
+  - resource "random_id" "cache" {
+      - b64         = "s0C2TA" -> null
+      - b64_std     = "s0C2TA==" -> null
+      - b64_url     = "s0C2TA" -> null
+      - byte_length = 4 -> null
+      - dec         = "3007362636" -> null
+      - hex         = "b340b64c" -> null
+      - id          = "s0C2TA" -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_deprivilege.random_id.cache will be destroyed
+  - resource "random_id" "cache" {
+      - b64         = "hPQCIQ" -> null
+      - b64_std     = "hPQCIQ==" -> null
+      - b64_url     = "hPQCIQ" -> null
+      - byte_length = 4 -> null
+      - dec         = "2230583841" -> null
+      - hex         = "84f40221" -> null
+      - id          = "hPQCIQ" -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.decompress[0] will be destroyed
+  - resource "null_resource" "decompress" {
+      - id       = "4421481963953862822" -> null
+      - triggers = {
+          - "activated_apis"          = "compute.googleapis.com"
+          - "arguments"               = "bb0200e91aab415a1093a47a1cb2290c"
+          - "decompress_command"      = "tar -xzf .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk.tar.gz -C .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a && cp .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin/"
+          - "default_service_account" = "[email protected]"
+          - "download_gcloud_command" = "curl -sL -o .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk.tar.gz https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-281.0.0-linux-x86_64.tar.gz"
+          - "download_jq_command"     = "curl -sL -o .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && chmod +x .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq"
+          - "md5"                     = "8724d44955a417594c942e0101e4fe82"
+          - "project_services"        = "pf-test-1-6331"
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.decompress_destroy[0] will be destroyed
+  - resource "null_resource" "decompress_destroy" {
+      - id       = "5873000014534982711" -> null
+      - triggers = {
+          - "decompress_command" = "tar -xzf .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk.tar.gz -C .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a && cp .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin/"
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.download_gcloud[0] will be destroyed
+  - resource "null_resource" "download_gcloud" {
+      - id       = "8730604705650342734" -> null
+      - triggers = {
+          - "activated_apis"          = "compute.googleapis.com"
+          - "arguments"               = "bb0200e91aab415a1093a47a1cb2290c"
+          - "default_service_account" = "[email protected]"
+          - "download_gcloud_command" = "curl -sL -o .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk.tar.gz https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-281.0.0-linux-x86_64.tar.gz"
+          - "md5"                     = "8724d44955a417594c942e0101e4fe82"
+          - "project_services"        = "pf-test-1-6331"
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.download_jq[0] will be destroyed
+  - resource "null_resource" "download_jq" {
+      - id       = "5384550100564211294" -> null
+      - triggers = {
+          - "activated_apis"          = "compute.googleapis.com"
+          - "arguments"               = "bb0200e91aab415a1093a47a1cb2290c"
+          - "default_service_account" = "[email protected]"
+          - "download_jq_command"     = "curl -sL -o .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && chmod +x .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/jq"
+          - "md5"                     = "8724d44955a417594c942e0101e4fe82"
+          - "project_services"        = "pf-test-1-6331"
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.prepare_cache[0] will be destroyed
+  - resource "null_resource" "prepare_cache" {
+      - id       = "6650067270784592334" -> null
+      - triggers = {
+          - "activated_apis"          = "compute.googleapis.com"
+          - "arguments"               = "bb0200e91aab415a1093a47a1cb2290c"
+          - "default_service_account" = "[email protected]"
+          - "md5"                     = "8724d44955a417594c942e0101e4fe82"
+          - "prepare_cache_command"   = "mkdir .terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a"
+          - "project_services"        = "pf-test-1-6331"
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.run_command[0] will be destroyed
+  - resource "null_resource" "run_command" {
+      - id       = "4614340806538524817" -> null
+      - triggers = {
+          - "activated_apis"          = "compute.googleapis.com"
+          - "arguments"               = "bb0200e91aab415a1093a47a1cb2290c"
+          - "create_cmd_body"         = <<~EOT
+                --project_id='pf-test-1-6331' \
+                --sa_id='[email protected]' \
+                --credentials_path='' \
+                --impersonate-service-account='' \
+                --action='disable'
+            EOT
+          - "create_cmd_entrypoint"   = ".terraform/modules/project-factory/modules/core_project_factory/scripts/modify-service-account.sh"
+          - "default_service_account" = "[email protected]"
+          - "destroy_cmd_body"        = "info"
+          - "destroy_cmd_entrypoint"  = "gcloud"
+          - "gcloud_bin_abs_path"     = "/Users/thiagocarvalho/dev/thiagonache/community/pdsa/.terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin"
+          - "md5"                     = "8724d44955a417594c942e0101e4fe82"
+          - "project_services"        = "pf-test-1-6331"
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.upgrade[0] will be destroyed
+  - resource "null_resource" "upgrade" {
+      - id       = "3764618213551542611" -> null
+      - triggers = {
+          - "activated_apis"          = "compute.googleapis.com"
+          - "arguments"               = "bb0200e91aab415a1093a47a1cb2290c"
+          - "default_service_account" = "[email protected]"
+          - "md5"                     = "8724d44955a417594c942e0101e4fe82"
+          - "project_services"        = "pf-test-1-6331"
+          - "upgrade_command"         = ".terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin/gcloud components update --quiet"
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.upgrade_destroy[0] will be destroyed
+  - resource "null_resource" "upgrade_destroy" {
+      - id       = "1128888759850027996" -> null
+      - triggers = {
+          - "upgrade_command" = ".terraform/modules/project-factory.project-factory.gcloud_disable/cache/1613618a/google-cloud-sdk/bin/gcloud components update --quiet"
+        } -> null
+    }
+
+  # module.project-factory.module.project-factory.module.gcloud_disable.random_id.cache will be destroyed
+  - resource "random_id" "cache" {
+      - b64         = "FhNhig" -> null
+      - b64_std     = "FhNhig==" -> null
+      - b64_url     = "FhNhig" -> null
+      - byte_length = 4 -> null
+      - dec         = "370368906" -> null
+      - hex         = "1613618a" -> null
+      - id          = "FhNhig" -> null
+    }
+
+Plan: 1 to add, 0 to change, 12 to destroy.
+```
+
+It is okay to create the resource since the API does not return error if you try
+to disable a disabled service account or delete a deleted service account.

examples/shared_vpc/main.tf

@@ -48,7 +48,6 @@ module "host-project" {
   org_id                         = var.organization_id
   folder_id                      = var.folder_id
   billing_account                = var.billing_account
-  skip_gcloud_download           = true
   enable_shared_vpc_host_project = true
 }
 
@@ -124,7 +123,6 @@ module "service-project" {
   ]
 
   disable_services_on_destroy = "false"
-  skip_gcloud_download        = "true"
 }
 
 /******************************************
@@ -150,7 +148,6 @@ module "service-project-b" {
   ]
 
   disable_services_on_destroy = "false"
-  skip_gcloud_download        = "true"
 }
 
 /******************************************

main.tf

@@ -58,8 +58,6 @@ module "project-factory" {
   disable_services_on_destroy        = var.disable_services_on_destroy
   default_service_account            = var.default_service_account
   disable_dependent_services         = var.disable_dependent_services
-  use_tf_google_credentials_env_var  = var.use_tf_google_credentials_env_var
-  skip_gcloud_download               = var.skip_gcloud_download
   vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled
   vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name
 }

modules/core_project_factory/main.tf

@@ -117,98 +117,11 @@ resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
   depends_on = [module.project_services]
 }
 
-/******************************************
-  Default compute service account retrieval
- *****************************************/
-data "null_data_source" "default_service_account" {
-  inputs = {
-    email = "${google_project.main.number}[email protected]"
-  }
-}
-
-/******************************************
-  Default compute service account deletion
- *****************************************/
-module "gcloud_delete" {
-  source  = "terraform-google-modules/gcloud/google"
-  version = "~> 2.0.0"
-
-  enabled                           = var.default_service_account == "delete"
-  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
-
-  skip_download = var.skip_gcloud_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
-  create_cmd_body       = <<-EOT
-    --project_id='${google_project.main.project_id}' \
-    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-    --credentials_path='${var.credentials_path}' \
-    --impersonate-service-account='${var.impersonate_service_account}' \
-    --action='delete'
-  EOT
-
-  create_cmd_triggers = {
-    default_service_account = data.null_data_source.default_service_account.outputs["email"]
-    activated_apis          = join(",", local.activate_apis)
-    project_services        = module.project_services.project_id
-  }
-}
-
-/*********************************************
-  Default compute service account deprivilege
- ********************************************/
-module "gcloud_deprivilege" {
-  source  = "terraform-google-modules/gcloud/google"
-  version = "~> 2.0.0"
-
-  enabled                           = var.default_service_account == "deprivilege"
-  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
-
-  skip_download = var.skip_gcloud_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
-  create_cmd_body       = <<-EOT
-    --project_id='${google_project.main.project_id}' \
-    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-    --credentials_path='${var.credentials_path}' \
-    --impersonate-service-account='${var.impersonate_service_account}' \
-    --action='deprivilege'
-  EOT
-
-  create_cmd_triggers = {
-    default_service_account = data.null_data_source.default_service_account.outputs["email"]
-    activated_apis          = join(",", local.activate_apis)
-    project_services        = module.project_services.project_id
-  }
-}
-
-/******************************************
-  Default compute service account disable
- *****************************************/
-module "gcloud_disable" {
-  source  = "terraform-google-modules/gcloud/google"
-  version = "~> 2.0.0"
-
-  enabled                           = var.default_service_account == "disable"
-  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
-
-  skip_download = var.skip_gcloud_download
-
-  create_cmd_entrypoint = "${path.module}/scripts/modify-service-account.sh"
-  create_cmd_body       = <<-EOT
-    --project_id='${google_project.main.project_id}' \
-    --sa_id='${data.null_data_source.default_service_account.outputs["email"]}' \
-    --credentials_path='${var.credentials_path}' \
-    --impersonate-service-account='${var.impersonate_service_account}' \
-    --action='disable'
-  EOT
-
-  create_cmd_triggers = {
-    default_service_account = data.null_data_source.default_service_account.outputs["email"]
-    activated_apis          = join(",", local.activate_apis)
-    project_services        = module.project_services.project_id
-  }
-
+resource "google_project_default_service_accounts" "default_service_accounts" {
+  action         = upper(var.default_service_account)
+  project        = google_project.main.project_id
+  restore_policy = "REVERT"
+  depends_on     = [module.project_services]
 }
 
 /******************************************