
Terraform Cloud workspace for deployments into Google Cloud projects

nephosolutions/terraform-google-tfe-workspace
Terraform Cloud workspace for Google Cloud deployments

This module provisions a Terraform Cloud workspace, two Google service accounts, and the workspace variables the workspace needs.

A Terraform workspace service account is used to authenticate the Terraform Cloud workspace to the Google APIs. The Google service account key for that account is rotated every 30 days.

The workspace service account is granted only the permissions it needs to impersonate other service accounts; it holds no project roles of its own.

Usage

```hcl
module "tfe-workspace" {
  source  = "nephosolutions/tfe-workspace/google"
  version = "2.0.0"

  # insert required variables.tf here
}
```
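A complete call of this module with every required input set, added here as an example and not taken from the module's own README. All project, organization, repository and service account values are constructed placeholders, and the `tfe` and `google` provider credentials are assumed to be configured elsewhere in the root module.

```hcl
# Added example, not part of the module: provision a VCS-driven workspace whose
# Google service account can only impersonate one constructed deployer account.
module "tfe_workspace" {
  source  = "nephosolutions/tfe-workspace/google"
  version = "2.0.0"

  name                  = "example-prod-network"                     # constructed
  description           = "Network deployment for the example-prod project"
  tfe_organization_name = "example-org"                              # constructed
  terraform_version     = "~> 1.0.0"

  google_project_id     = "example-prod-123456"                      # constructed
  google_default_region = "europe-west1"
  google_default_zone   = "europe-west1-b"

  # The workspace SA holds no project roles itself; it may only obtain
  # tokens for the (constructed) accounts listed here.
  service_accounts_to_impersonate = [
    "network-deployer@example-prod-123456.iam.gserviceaccount.com",
  ]

  # Rotation interval for the workspace SA key stored as a workspace
  # variable (30 is also the module default).
  tfe_workspace_sa_key_rotation_days = 30

  # VCS-driven runs. Speculative plans on pull requests are disabled because
  # the repository accepts outside contributions, and only pushes touching
  # the tracked prefix trigger a run.
  vcs_repo = {
    identifier     = "example-org/infra-example-prod"                # constructed
    oauth_token_id = "ot-REPLACE_WITH_REAL_ID"                       # placeholder
  }
  speculative_enabled   = false
  file_triggers_enabled = true
  trigger_prefixes      = ["network/"]
  working_directory     = "network"

  # Keep applies manual and refuse queued destroy plans for this workspace.
  auto_apply         = false
  allow_destroy_plan = false
}

# Expose the workspace service account (shape as defined by the module's
# tfe_workspace_sa output) so other root modules can grant it impersonation.
output "tfe_workspace_sa" {
  value = module.tfe_workspace.tfe_workspace_sa
}
```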

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| google | >= 3.52 |
| tfe | >= 0.36 |

Providers

| Name | Version |
|------|---------|
| tfe | 0.40.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| service_account_impersonation | ./modules/service-account-impersonation | n/a |
| tfe_workspace_sa | ./modules/service-account | n/a |

Resources

| Name | Type |
|------|------|
| tfe_variable.google_default_region | resource |
| tfe_variable.google_default_zone | resource |
| tfe_variable.google_project_id | resource |
| tfe_variable.tfe_organization | resource |
| tfe_variable.tfe_workspace_sa | resource |
| tfe_variable.tfe_workspace_sa_key | resource |
| tfe_workspace.workspace | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| agent_pool_id | The ID of an agent pool to assign to the workspace. | string | null | no |
| allow_destroy_plan | Whether destroy plans can be queued on the workspace. | bool | false | no |
| auto_apply | Whether to automatically apply changes when a Terraform plan is successful. | bool | false | no |
| description | A description for the workspace. | string | n/a | yes |
| execution_mode | Which execution mode to use. When set to local, the workspace will be used for state storage only. | string | "remote" | no |
| file_triggers_enabled | Whether to filter runs based on the changed files in a VCS push. If enabled, the working directory and trigger prefixes describe a set of paths which must contain changes for a VCS push to trigger a run. If disabled, any push will trigger a run. | bool | false | no |
| global_remote_state | Whether the workspace allows all workspaces in the organization to access its state data during runs. If false, then only specifically approved workspaces can access its state (remote_state_consumer_ids). | bool | false | no |
| google_default_region | The region used by default to create new resources. | string | n/a | yes |
| google_default_zone | The zone within a region used by default to create new resources. | string | n/a | yes |
| google_project_id | The Google Cloud Platform project ID. | string | n/a | yes |
| name | Name of the workspace. | string | n/a | yes |
| queue_all_runs | Whether the workspace should start automatically performing runs immediately after its creation. | bool | true | no |
| remote_state_consumer_ids | The set of workspace IDs set as explicit remote state consumers for the given workspace. | list(string) | [] | no |
| service_accounts_to_impersonate | A list of service accounts which the Terraform workspace SA can impersonate. | list(string) | [] | no |
| speculative_enabled | Whether this workspace allows speculative plans. Setting this to false prevents Terraform Cloud or the Terraform Enterprise instance from running plans on pull requests, which can improve security if the VCS repository is public or includes untrusted contributors. | bool | true | no |
| ssh_key_id | The ID of an SSH key to assign to the workspace. | string | null | no |
| structured_run_output_enabled | Whether this workspace should show output from Terraform runs using the enhanced UI when available. Setting this to false ensures that all runs in this workspace will display their output as text logs. | bool | true | no |
| tag_names | A list of tag names for this workspace. Note that tags must only contain lowercase letters, numbers, colons, or hyphens. | list(string) | [] | no |
| terraform_version | The version of Terraform to use for this workspace. This can be either an exact version or a version constraint (like ~> 1.0.0); if you specify a constraint, the workspace will always use the newest release that meets that constraint. | string | n/a | yes |
| tfe_organization_name | Name of the Terraform Cloud organization. | string | n/a | yes |
| tfe_workspace_sa_key_rotation_days | Interval in days to rotate the workspace service account key. | number | 30 | no |
| trigger_patterns | List of glob patterns that describe the files Terraform Cloud monitors for changes. Trigger patterns are always appended to the root directory of the repository. | list(string) | null | no |
| trigger_prefixes | List of repository-root-relative paths which describe all locations to be tracked for changes. | list(string) | null | no |
| vcs_repo | Settings for the workspace's VCS repository, enabling the UI/VCS-driven run workflow. Omit this argument to utilize the CLI-driven and API-driven workflows, where runs are not driven by webhooks on your VCS provider. | object({ identifier = string, oauth_token_id = string }) | null | no |
| working_directory | A relative path that Terraform will execute within. Defaults to the root of your repository. | string | null | no |

Outputs

| Name | Description |
|------|-------------|
| tfe_workspace_sa | The Google Cloud service account for the TFE workspace. |
