Add shared VPC host project ID variable and update related configurat…

…ions (#111)

.gitignore

@@ -18,7 +18,7 @@ crash.log
 # be included in version control.
 local.tfvars
 
-# Ignore override files as they are usually used to override ressources locally
+# Ignore override files as they are usually used to override resources locally
 override.tf
 override.tf.json
 *_override.tf
@@ -27,6 +27,9 @@ override.tf.json
 # Ignore plan output files
 plan.out
 
+# Ignore checkov directories and files
+.external_modules
+
 # Ignore Infracost directories and files
 .infracost
 

.pre-commit-config.yaml

@@ -11,7 +11,7 @@ repos:
       - id: check-symlinks
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.2
+    rev: v1.97.3
     hooks:
       - id: terraform_fmt
 
@@ -29,7 +29,7 @@ repos:
       - id: terraform_docs
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.296
+    rev: 3.2.368
     hooks:
       - id: checkov
         verbose: true

README.md

@@ -98,6 +98,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google_gke_hub_feature.multi_cluster_service_discovery](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature) | resource |
 | [google_project_iam_member.container_deployer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.gke_hub_service_agent](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.host_project_network_viewer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
@@ -106,15 +107,17 @@ No modules.
 | [google_service_account.kubernetes_workload_identity](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account_iam_member.workload_identity](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
 | [random_id.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [google_project.fleet_host](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [google_project.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_gke_fleet_host_project_id"></a> [gke\_fleet\_host\_project\_id](#input\_gke\_fleet\_host\_project\_id) | The project ID of the GKE Hub host project | `string` | `""` | no |
+| <a name="input_labels"></a> [labels](#input\_labels) | A map of key/value pairs to assign to the resources being created | `map(string)` | `{}` | no |
 | <a name="input_namespaces"></a> [namespaces](#input\_namespaces) | A map of namespaces with the Google service account used for the namespace administrator and whether Istio injection is enabled or disabled | <pre>map(object({<br/>    google_service_account = string<br/>    istio_injection        = optional(string, "disabled")<br/>  }))</pre> | `{}` | no |
 | <a name="input_project"></a> [project](#input\_project) | The ID of the project in which the resource belongs | `string` | n/a | yes |
+| <a name="input_shared_vpc_host_project_id"></a> [shared\_vpc\_host\_project\_id](#input\_shared\_vpc\_host\_project\_id) | The project ID of the shared VPC host project | `string` | n/a | yes |
 
 ### Outputs
 

locals.tf

@@ -5,4 +5,6 @@ locals {
   container_deployer_service_accounts = toset(distinct([
     for k in values(var.namespaces) : k.google_service_account
   ]))
+
+  is_fleet_host = var.gke_fleet_host_project_id == ""
 }

main.tf

@@ -1,10 +1,17 @@
 # Google Project Data Source
 # https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project#google_project
 
-data "google_project" "fleet_host" {
-  count = var.gke_fleet_host_project_id != "" ? 1 : 0
+data "google_project" "this" {
+  project_id = local.is_fleet_host ? var.project : var.gke_fleet_host_project_id
+}
+
+resource "google_gke_hub_feature" "multi_cluster_service_discovery" {
+  count = local.is_fleet_host ? 1 : 0
 
-  project_id = var.gke_fleet_host_project_id
+  name     = "multiclusterservicediscovery"
+  labels   = var.labels
+  location = "global"
+  project  = var.project
 }
 
 # This section provides an example MCS configuration involving two existing GKE clusters each in a different Shared VPC service project.
@@ -16,21 +23,23 @@ data "google_project" "fleet_host" {
 # Create IAM binding granting the fleet host project's GKE Hub service account the GKE Service Agent role on the service cluster's project.
 
 resource "google_project_iam_member" "gke_hub_service_agent" {
-  count = var.gke_fleet_host_project_id != "" ? 1 : 0
+  count = local.is_fleet_host ? 0 : 1
 
-  member  = "serviceAccount:service-${data.google_project.fleet_host[count.index].number}@gcp-sa-gkehub.iam.gserviceaccount.com"
+  member  = "serviceAccount:service-${data.google_project.this.number}@gcp-sa-gkehub.iam.gserviceaccount.com"
   project = var.project
   role    = "roles/gkehub.serviceAgent"
 }
 
-# Create IAM binding granting the fleet host project's MCS service account the MCS Service Agent role on the service cluster's project.
+# Create IAM binding granting the fleet host project MCS service account the MCS Service Agent role on the Shared VPC host project.
 
 resource "google_project_iam_member" "multi_cluster_service_agent" {
-  count = var.gke_fleet_host_project_id != "" ? 1 : 0
+  count = local.is_fleet_host ? 1 : 0
 
-  member  = "serviceAccount:service-${data.google_project.fleet_host[count.index].number}@gcp-sa-mcsd.iam.gserviceaccount.com"
-  project = var.project
+  member  = "serviceAccount:service-${data.google_project.this.number}@gcp-sa-mcsd.iam.gserviceaccount.com"
+  project = var.shared_vpc_host_project_id
   role    = "roles/multiclusterservicediscovery.serviceAgent"
+
+  depends_on = [google_gke_hub_feature.multi_cluster_service_discovery]
 }
 
 # Create IAM binding granting each project's MCS service account the Network User role for its own project.
@@ -41,15 +50,15 @@ resource "google_project_iam_member" "multi_cluster_service_agent" {
 # As a W/A run the regional infrastructure first and then the global infrastructure.
 
 resource "google_project_iam_member" "host_project_network_viewer" {
-  count = var.gke_fleet_host_project_id != "" ? 1 : 0
+  count = local.is_fleet_host ? 0 : 1
 
   member  = "serviceAccount:${var.gke_fleet_host_project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
   project = var.project
   role    = "roles/compute.networkViewer"
 }
 
 resource "google_project_iam_member" "service_project_network_viewer" {
-  count = var.gke_fleet_host_project_id == "" ? 1 : 0
+  count = local.is_fleet_host ? 1 : 0
 
   member  = "serviceAccount:${var.project}.svc.id.goog[gke-mcs/gke-mcs-importer]"
   project = var.project

outputs.tf

@@ -8,7 +8,7 @@ output "container_deployer_service_accounts" {
 
 output "gke_fleet_host_project_number" {
   description = "The project number of the fleet host project"
-  value       = var.gke_fleet_host_project_id != "" ? data.google_project.fleet_host[0].number : ""
+  value       = var.gke_fleet_host_project_id != "" ? data.google_project.this.number : ""
 }
 
 output "workload_identity_service_account_emails" {

regional/README.md

@@ -28,7 +28,6 @@ No requirements.
 | [google_container_cluster.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) | resource |
 | [google_container_node_pool.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool) | resource |
 | [google_gke_hub_feature.multi_cluster_ingress](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature) | resource |
-| [google_gke_hub_feature.multi_cluster_service_discovery](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature) | resource |
 | [google_gke_hub_membership.clusters](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_membership) | resource |
 | [google_gke_hub_membership.host](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_membership) | resource |
 | [google_kms_crypto_key.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key) | resource |

regional/main.tf

@@ -308,16 +308,6 @@ resource "google_gke_hub_feature" "multi_cluster_ingress" {
   }
 }
 
-resource "google_gke_hub_feature" "multi_cluster_service_discovery" {
-  count = var.enable_gke_hub_host ? 1 : 0
-
-  name     = "multiclusterservicediscovery"
-  labels   = var.labels
-  location = "global"
-  project  = var.project
-
-}
-
 # Google GKEHub Membership Resource
 # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_membership
 

static-analysis.datadog.yml

@@ -0,0 +1,3 @@
+schema-version: v1
+rulesets:
+  - github-actions

tests/default.tftest.hcl

@@ -31,6 +31,7 @@ run "gke_fleet_host" {
 
   variables {
     project = "mock-project-host-project"
+    shared_vpc_host_project_id = "mock-vpc-host-project"
   }
 }
 
@@ -86,6 +87,7 @@ run "gke_fleet_member" {
   variables {
     gke_fleet_host_project_id = "mock-fleet-host-project"
     project                   = "mock-project-member-project"
+    shared_vpc_host_project_id = "mock-vpc-host-project"
   }
 }
 

tests/fixtures/gke_fleet_host/main.tf

@@ -12,6 +12,11 @@ terraform {
 module "test" {
   source = "../../../"
 
-  namespaces = var.namespaces
-  project    = var.project
+  labels = {
+    "mock-key" = "mock-value"
+  }
+
+  namespaces                 = var.namespaces
+  project                    = var.project
+  shared_vpc_host_project_id = var.shared_vpc_host_project_id
 }

tests/fixtures/gke_fleet_host/variables.tf

@@ -15,3 +15,7 @@ variable "namespaces" {
     istio_injection        = optional(string, "disabled")
   }))
 }
+
+variable "shared_vpc_host_project_id" {
+  type = string
+}

tests/fixtures/gke_fleet_member/main.tf

@@ -13,6 +13,12 @@ module "test" {
   source = "../../../"
 
   gke_fleet_host_project_id = var.gke_fleet_host_project_id
-  namespaces                = var.namespaces
-  project                   = var.project
+
+  labels = {
+    "mock-key" = "mock-value"
+  }
+
+  namespaces                 = var.namespaces
+  project                    = var.project
+  shared_vpc_host_project_id = var.shared_vpc_host_project_id
 }

tests/fixtures/gke_fleet_member/variables.tf

@@ -19,3 +19,7 @@ variable "namespaces" {
     istio_injection        = optional(string, "disabled")
   }))
 }
+
+variable "shared_vpc_host_project_id" {
+  type = string
+}

variables.tf

@@ -7,6 +7,12 @@ variable "gke_fleet_host_project_id" {
   default     = ""
 }
 
+variable "labels" {
+  description = "A map of key/value pairs to assign to the resources being created"
+  type        = map(string)
+  default     = {}
+}
+
 variable "namespaces" {
   description = "A map of namespaces with the Google service account used for the namespace administrator and whether Istio injection is enabled or disabled"
   default     = {}
@@ -21,3 +27,8 @@ variable "project" {
   description = "The ID of the project in which the resource belongs"
   type        = string
 }
+
+variable "shared_vpc_host_project_id" {
+  description = "The project ID of the shared VPC host project"
+  type        = string
+}