feat: Removed preconditions script from Terraform execution (#478)

Author: thiagonache

README.md

@@ -135,9 +135,7 @@ determining that location is as follows:
 | lien | Add a lien on the project to prevent accidental deletion | bool | `"false"` | no |
 | name | The name for the project | string | n/a | yes |
 | org\_id | The organization ID. | string | n/a | yes |
-| pip\_executable\_path | Pip executable path for precondition requirements.txt install. | string | `"pip3"` | no |
 | project\_id | The ID to give the project. If not provided, the `name` will be used. | string | `""` | no |
-| python\_interpreter\_path | Python interpreter path for precondition check script. | string | `"python3"` | no |
 | random\_project\_id | Adds a suffix of 4 random characters to the `project_id` | bool | `"false"` | no |
 | sa\_role | A role to give the default Service Account for the project (defaults to none) | string | `""` | no |
 | shared\_vpc | The ID of the host project which hosts the shared VPC | string | `""` | no |
@@ -322,7 +320,7 @@ The precondition checker script can be directly invoked before running the
 project factory:
 
 ```sh
-./modules/core_project_factory/scripts/preconditions/preconditions.py \
+./helpers/preconditions/preconditions.py \
   --credentials_path "./credentials.json" \
   --billing_account 000000-000000-000000 \
   --org_id 000000000000 \
@@ -353,7 +351,7 @@ binary here:
 - https://releases.hashicorp.com/terraform/
 
 [gsuite-enabled-module]: modules/gsuite_enabled/README.md
-[preconditions-checker-script]: modules/core_project_factory/scripts/preconditions/preconditions.py
+[preconditions-checker-script]: helpers/preconditions/preconditions.py
 [terraform-provider-google]: https://github.com/terraform-providers/terraform-provider-google
 [terraform-provider-google-beta]: https://github.com/terraform-providers/terraform-provider-google-beta
 [terraform-provider-gsuite]: https://github.com/DeviaVir/terraform-provider-gsuite

docs/running_preconditions_script.md

@@ -0,0 +1,78 @@
+# Running preconditions script
+This module provides a helper script in order to check if the SEED (project where the GCP Service Account was created) met the requirements to satisfy a project creation needs. For example, check billing account permissions or if certain service API is enabled or not.
+
+
+# VirtualEnv (Optional)
+We recommend running the script inside of a [Python virtual environment](https://packaging.python.org/guides/installing-using-pip-and-virtual-environments/) to avoid installing extra packages in your Python default environment.
+
+After installing virtual env by following the link above, create a new Python environment by running:
+```
+$ python3 -m venv /tmp/preconditions
+```
+or
+```
+$ python2 -m virtualenv /tmp/preconditions
+```
+
+Finally, activate it:
+```
+$ source /tmp/preconditions/bin/activate
+```
+
+# How to
+Do the following steps in order to run preconditions script:
+
+1) Install Python dependencies
+    ```
+    $ pip install -r helpers/preconditions/requirements.txt
+    ```
+    <p><b>Note: If you are not running from virtualenv add the suffix --user on each command line</b></p>
+1) Execute script
+    ```
+    $ GOOGLE_CLOUD_PROJECT=my-seed-project python helpers/preconditions/preconditions.py --billing_account [REDACTED] --org_id [REDACTED] --folder_id [REDACTED]
+    [
+        {
+            "type": "Required APIs on service account project",
+            "name": "projects/my-seed-project",
+            "satisfied": [
+                "iam.googleapis.com"
+            ],
+            "unsatisfied": [
+                "admin.googleapis.com",
+                "cloudresourcemanager.googleapis.com",
+                "cloudbilling.googleapis.com"
+            ]
+        },
+        {
+            "type": "Service account permissions on billing account",
+            "name": "billingAccounts/[REDACTED]",
+            "satisfied": [
+                "billing.resourceAssociations.create"
+            ],
+            "unsatisfied": []
+        },
+        {
+            "type": "Service account permissions on parent folder",
+            "name": "folders/[REDACTED]",
+            "satisfied": [
+                "resourcemanager.projects.create"
+            ],
+            "unsatisfied": []
+        },
+        {
+            "type": "Service account permissions on organization",
+            "name": "organizations/[REDACTED]",
+            "satisfied": [],
+            "unsatisfied": []
+        }
+    ]
+    ```
+    Check #1 (Required APIs on service account project) => It is missing to enable admin, cloudresourcemanager and cloudbilling services APIs in the <b>my-seed-project</b>.
+
+    Check #2 (Service account permissions on billing accoun) => The permission required to associate projects with billing accounts is okay.
+
+    Check #3 (Service account permissions on parent folder) => The permission to create new projects into the folder specified is granted.
+
+    Check #4 (Service account permissions on organization) => No permission required since we are creating the project under the folder instead of the organisation. If no folder is specified it would be step three and require projects.create permission.
+
+    You can add one last check by setting the `--shared-vpc` parameter.

modules/core_project_factory/scripts/preconditions/preconditions.py renamed to helpers/preconditions/preconditions.py

@@ -58,8 +58,6 @@ module "project-factory" {
   disable_services_on_destroy        = var.disable_services_on_destroy
   default_service_account            = var.default_service_account
   disable_dependent_services         = var.disable_dependent_services
-  python_interpreter_path            = var.python_interpreter_path
-  pip_executable_path                = var.pip_executable_path
   use_tf_google_credentials_env_var  = var.use_tf_google_credentials_env_var
   skip_gcloud_download               = var.skip_gcloud_download
   vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled

modules/core_project_factory/scripts/preconditions/requirements.txt renamed to helpers/preconditions/requirements.txt

@@ -59,30 +59,6 @@ locals {
   shared_vpc_users_length = 3
 }
 
-resource "null_resource" "preconditions" {
-  triggers = {
-    credentials_path = var.credentials_path
-    billing_account  = var.billing_account
-    org_id           = var.org_id
-    folder_id        = var.folder_id
-    shared_vpc       = var.shared_vpc
-  }
-
-  provisioner "local-exec" {
-    command     = local.pip_requirements_absolute_path
-    interpreter = [var.pip_executable_path, "install", "-r"]
-    on_failure  = continue
-  }
-
-  provisioner "local-exec" {
-    command    = local.preconditions_command
-    on_failure = continue
-    environment = {
-      GRACEFUL_IMPORTERROR = "true"
-    }
-  }
-}
-
 /*******************************************
   Project creation
  *******************************************/
@@ -95,8 +71,6 @@ resource "google_project" "main" {
   auto_create_network = var.auto_create_network
 
   labels = var.labels
-
-  depends_on = [null_resource.preconditions]
 }
 
 /******************************************

main.tf

@@ -193,18 +193,6 @@ variable "enable_shared_vpc_host_project" {
   default     = false
 }
 
-variable "python_interpreter_path" {
-  description = "Python interpreter path for precondition check script."
-  type        = string
-  default     = "python3"
-}
-
-variable "pip_executable_path" {
-  description = "Pip executable path for precondition requirements.txt install."
-  type        = string
-  default     = "pip3"
-}
-
 variable "use_tf_google_credentials_env_var" {
   description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
   type        = bool

modules/core_project_factory/locals.tf

@@ -86,7 +86,6 @@ The roles granted are specifically:
 | name | The name for the project | string | n/a | yes |
 | org\_id | The organization ID. | string | n/a | yes |
 | project\_id | The ID to give the project. If not provided, the `name` will be used. | string | `""` | no |
-| python\_interpreter\_path | Python interpreter path for precondition check script. | string | `"python3"` | no |
 | random\_project\_id | Adds a suffix of 4 random characters to the `project_id` | string | `"false"` | no |
 | sa\_group | A G Suite group to place the default Service Account for the project in | string | `""` | no |
 | sa\_role | A role to give the default Service Account for the project (defaults to none) | string | `""` | no |

modules/core_project_factory/main.tf

@@ -99,7 +99,6 @@ module "project-factory" {
   disable_services_on_destroy       = var.disable_services_on_destroy
   default_service_account           = var.default_service_account
   disable_dependent_services        = var.disable_dependent_services
-  python_interpreter_path           = var.python_interpreter_path
   use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
   skip_gcloud_download              = var.skip_gcloud_download
 }