This module provisions a Terraform Cloud workspace, two Google service accounts and the workspace variables that wire them together.

A dedicated workspace service account authenticates the Terraform Cloud workspace to the Google APIs. Its service account key is created by this module and rotated every 30 days (configurable through `tfe_workspace_sa_key_rotation_days`).

The only permissions granted to the workspace service account are those needed to impersonate the service accounts listed in `service_accounts_to_impersonate`. Runs therefore act with the privileges of the impersonated account, and a leaked workspace key on its own cannot manage project resources beyond minting tokens for that explicit list.
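The following HCL is an added illustration of the model described above, written in plain `google`, `tfe` and `time` provider resources; it is not the module's own code (the submodules under `./modules` are not shown on this page). The project ID, organization, workspace name, target account and the `GOOGLE_CREDENTIALS` variable name are assumptions.

```hcl
# Added illustration of the module's security model, not the module's own code:
# a workspace service account with a time-rotated key whose only IAM grant is
# Service Account Token Creator on an explicit list of target accounts.
# The project ID, account names and organization below are assumptions.

terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    tfe    = { source = "hashicorp/tfe" }
    time   = { source = "hashicorp/time" }
  }
}

variable "google_project_id" {
  type    = string
  default = "example-prod-123456" # assumption
}

variable "service_accounts_to_impersonate" {
  type    = list(string)
  default = ["network-admin@example-prod-123456.iam.gserviceaccount.com"] # assumption
}

variable "tfe_workspace_sa_key_rotation_days" {
  type    = number
  default = 30
}

resource "tfe_workspace" "workspace" {
  name         = "prod-network" # assumption
  organization = "example-org"  # assumption
}

# The account Terraform Cloud authenticates as. It receives no project-level role.
resource "google_service_account" "tfe_workspace" {
  project      = var.google_project_id
  account_id   = "tfe-workspace"
  display_name = "Terraform Cloud workspace"
}

# Rotation clock. The key's keepers reference this timestamp, so once the
# interval has elapsed the next apply replaces the key and the stored variable.
resource "time_rotating" "tfe_workspace_sa_key" {
  rotation_days = var.tfe_workspace_sa_key_rotation_days
}

resource "google_service_account_key" "tfe_workspace" {
  service_account_id = google_service_account.tfe_workspace.name
  keepers = {
    rotation_time = time_rotating.tfe_workspace_sa_key.rotation_rfc3339
  }
}

# The only grant: Token Creator on each target account, bound on the target
# account itself rather than on the project. Accounts outside this list cannot
# be impersonated, which is what bounds what a leaked key can do.
resource "google_service_account_iam_member" "impersonate" {
  for_each = toset(var.service_accounts_to_impersonate)

  service_account_id = "projects/${var.google_project_id}/serviceAccounts/${each.value}"
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:${google_service_account.tfe_workspace.email}"
}

# Hand the key to the workspace as a sensitive (write-only) environment variable.
# Environment variables in Terraform Cloud cannot span lines, so the JSON key is
# collapsed to a single line; the google provider reads it from GOOGLE_CREDENTIALS.
resource "tfe_variable" "tfe_workspace_sa_key" {
  workspace_id = tfe_workspace.workspace.id
  category     = "env"
  key          = "GOOGLE_CREDENTIALS"
  value        = replace(base64decode(google_service_account_key.tfe_workspace.private_key), "\n", "")
  sensitive    = true
}
```

Two details matter for the security posture: the IAM binding is placed on each target service account (`google_service_account_iam_member`), never as a project-wide `roles/iam.serviceAccountTokenCreator` grant, which would allow impersonating every account in the project; and the key resource depends on the `time_rotating` timestamp through `keepers`, so rotation is driven by ordinary `terraform apply` runs rather than by an out-of-band job.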
## Usage

```hcl
module "tfe-workspace" {
  source  = "nephosolutions/tfe-workspace/google"
  version = "2.0.0"

  # insert required variables.tf here
}
```
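A filled-in call of the module, followed by the matching provider configuration for the code that runs inside the provisioned workspace, as an added example rather than text from the module's README. The organization, project, region and service account emails are assumptions, as is the premise that the module exposes the rotated key in a form the `google` provider picks up automatically (the page lists `tfe_variable.tfe_workspace_sa_key` but not the variable's key name).

```hcl
# Added example (not from the module's README). Organization, project, region
# and service account emails are assumptions.

module "tfe_workspace" {
  source  = "nephosolutions/tfe-workspace/google"
  version = "2.0.0"

  tfe_organization_name = "example-org"                      # assumption
  name                  = "prod-network"                     # assumption
  description           = "Production VPC and firewall rules"
  terraform_version     = "~> 1.3.0"

  google_project_id     = "example-prod-123456"              # assumption
  google_default_region = "europe-west1"
  google_default_zone   = "europe-west1-b"

  # Least privilege: the workspace SA may impersonate only these accounts.
  service_accounts_to_impersonate = [
    "network-admin@example-prod-123456.iam.gserviceaccount.com", # assumption
  ]

  # Hardening for a repository with outside contributors: no plans on pull
  # requests, no destroy plans queued from the UI, manual approval before apply.
  speculative_enabled = false
  allow_destroy_plan  = false
  auto_apply          = false

  # Key rotation interval in days (module default is 30).
  tfe_workspace_sa_key_rotation_days = 30
}

output "workspace_sa" {
  description = "Workspace service account created by the module"
  value       = module.tfe_workspace.tfe_workspace_sa
}

# ---------------------------------------------------------------------------
# Provider configuration for the code that runs INSIDE the provisioned
# workspace (a separate Terraform configuration). The provider authenticates
# with the rotated workspace key injected by the module and then mints
# short-lived tokens for the target account, so every API call is made as
# network-admin@..., not as the workspace service account itself.
# ---------------------------------------------------------------------------
provider "google" {
  project = "example-prod-123456"                                         # assumption
  region  = "europe-west1"
  impersonate_service_account = "network-admin@example-prod-123456.iam.gserviceaccount.com" # assumption
}
```

If `impersonate_service_account` is omitted in the consuming workspace, runs fail on the first resource that needs more than token-creation rights, which is the intended behaviour: the workspace key is an authentication credential, not an authorization for resource changes.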
## Requirements

Name | Version |
---|---|
terraform | >= 0.13 |
google | >= 3.52 |
tfe | >= 0.36 |

## Providers

Name | Version |
---|---|
tfe | 0.40.0 |
## Modules

Name | Source | Version |
---|---|---|
service_account_impersonation | ./modules/service-account-impersonation | n/a |
tfe_workspace_sa | ./modules/service-account | n/a |
## Resources

Name | Type |
---|---|
tfe_variable.google_default_region | resource |
tfe_variable.google_default_zone | resource |
tfe_variable.google_project_id | resource |
tfe_variable.tfe_organization | resource |
tfe_variable.tfe_workspace_sa | resource |
tfe_variable.tfe_workspace_sa_key | resource |
tfe_workspace.workspace | resource |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
agent_pool_id | The ID of an agent pool to assign to the workspace. | `string` | `null` | no |
allow_destroy_plan | Whether destroy plans can be queued on the workspace. | `bool` | `false` | no |
auto_apply | Whether to automatically apply changes when a Terraform plan is successful. | `bool` | `false` | no |
description | A description for the workspace. | `string` | n/a | yes |
execution_mode | Which execution mode to use. When set to `local`, the workspace will be used for state storage only. | `string` | `"remote"` | no |
file_triggers_enabled | Whether to filter runs based on the changed files in a VCS push. If enabled, the working directory and trigger prefixes describe a set of paths which must contain changes for a VCS push to trigger a run. If disabled, any push will trigger a run. | `bool` | `false` | no |
global_remote_state | Whether the workspace allows all workspaces in the organization to access its state data during runs. If false, then only specifically approved workspaces can access its state (`remote_state_consumer_ids`). | `bool` | `false` | no |
google_default_region | The region used by default to create new resources. | `string` | n/a | yes |
google_default_zone | The zone within a region used by default to create new resources. | `string` | n/a | yes |
google_project_id | The Google Cloud Platform project ID. | `string` | n/a | yes |
name | Name of the workspace. | `string` | n/a | yes |
queue_all_runs | Whether the workspace should start automatically performing runs immediately after its creation. | `bool` | `true` | no |
remote_state_consumer_ids | The set of workspace IDs set as explicit remote state consumers for the given workspace. | `list(string)` | `[]` | no |
service_accounts_to_impersonate | A list of service accounts which the Terraform workspace SA can impersonate. | `list(string)` | `[]` | no |
speculative_enabled | Whether this workspace allows speculative plans. Setting this to false prevents Terraform Cloud or the Terraform Enterprise instance from running plans on pull requests, which can improve security if the VCS repository is public or includes untrusted contributors. | `bool` | `true` | no |
ssh_key_id | The ID of an SSH key to assign to the workspace. | `string` | `null` | no |
structured_run_output_enabled | Whether this workspace should show output from Terraform runs using the enhanced UI when available. Setting this to false ensures that all runs in this workspace will display their output as text logs. | `bool` | `true` | no |
tag_names | A list of tag names for this workspace. Note that tags must only contain lowercase letters, numbers, colons, or hyphens. | `list(string)` | `[]` | no |
terraform_version | The version of Terraform to use for this workspace. This can be either an exact version or a version constraint (like `~> 1.0.0`); if you specify a constraint, the workspace will always use the newest release that meets that constraint. | `string` | n/a | yes |
tfe_organization_name | Name of the Terraform Cloud organization. | `string` | n/a | yes |
tfe_workspace_sa_key_rotation_days | Interval in days to rotate the workspace service account key. | `number` | `30` | no |
trigger_patterns | List of glob patterns that describe the files Terraform Cloud monitors for changes. Trigger patterns are always appended to the root directory of the repository. | `list(string)` | `null` | no |
trigger_prefixes | List of repository-root-relative paths which describe all locations to be tracked for changes. | `list(string)` | `null` | no |
vcs_repo | Settings for the workspace's VCS repository, enabling the UI/VCS-driven run workflow. Omit this argument to utilize the CLI-driven and API-driven workflows, where runs are not driven by webhooks on your VCS provider. | `object({…})` | `null` | no |
working_directory | A relative path that Terraform will execute within. Defaults to the root of your repository. | `string` | `null` | no |
## Outputs

Name | Description |
---|---|
tfe_workspace_sa | The Google Cloud service account for the TFE workspace. |