/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# Common labels propagated to the resources this module creates.
variable "labels" {
  type        = map(string)
  default     = {}
  description = "(Optional) Labels attached to Data Warehouse resources."
}

# Opt-in: strip basic Owner bindings discovered in the managed projects.
# Off by default so an existing project's IAM is not changed silently.
variable "remove_owner_role" {
  type        = bool
  default     = false
  description = "(Optional) If set to true, remove all owner roles in all projects in case it has been found in some project."
}

# Regions (or value groups such as "us-locations") where location-bound
# resources may be created.
variable "trusted_locations" {
  type        = list(string)
  default     = ["us-locations"]
  description = "This is a list of trusted regions where location-based GCP resources can be created."
}

# Subnetwork self-links the deployment is restricted to; empty by default.
variable "trusted_subnetworks" {
  type        = list(string)
  default     = []
  description = "The URI of the subnetworks where resources are going to be deployed."
}
# Numeric organization ID; required, no default.
variable "org_id" {
  type        = string
  description = "GCP Organization ID."
}

# Single region used for Pub/Sub message storage.
# NOTE: the description states multi-regions are not accepted here,
# unlike `location` below.
variable "pubsub_resource_location" {
  type        = string
  default     = "us-east4"
  description = "The location in which the messages published to Pub/Sub will be persisted. This location cannot be a multi-region."
}

# Region or multi-region shared by KMS keys, GCS buckets and BigQuery datasets.
variable "location" {
  type        = string
  default     = "us-east4"
  description = "The location for the KMS Customer Managed Encryption Keys, Cloud Storage Buckets, and Bigquery datasets. This location can be a multi-region."
}
# Identity that applies this configuration (see the perimeter overrides
# below: it must already be allowed into any pre-existing perimeter).
variable "terraform_service_account" {
  type        = string
  description = "The email address of the service account that will run the Terraform code."
}

# --- Project layout: one project per trust zone ---------------------------

variable "data_ingestion_project_id" {
  type        = string
  description = "The ID of the project in which the data ingestion resources will be created"
}

variable "data_governance_project_id" {
  type        = string
  description = "The ID of the project in which the data governance resources will be created."
}

variable "non_confidential_data_project_id" {
  type        = string
  description = "The ID of the project in which the Bigquery will be created."
}

variable "confidential_data_project_id" {
  type        = string
  description = "Project where the confidential datasets and tables are created."
}

# --- VPC Service Controls inputs -----------------------------------------

# Optional project number for a Dataflow template bucket outside the
# perimeter; empty string means no secure-data-exchange egress is needed.
variable "sdx_project_number" {
  type        = string
  default     = ""
  description = "The Project Number to configure Secure data exchange with egress rule for dataflow templates. Required if using a dataflow job template from a private storage bucket outside of the perimeter."
}

# Access Context Manager policy the perimeters are attached to.
variable "access_context_manager_policy_id" {
  type        = string
  default     = ""
  description = "The id of the default Access Context Manager policy. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR-ORGANIZATION_ID --format=\"value(name)\"`."
}
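# Extra identities granted access-level membership on the perimeters.
# The description requires a `user:` or `serviceAccount:` prefix; the
# validation below enforces it at plan time instead of failing at apply
# time, and keeps the error next to the variable that caused it.
variable "perimeter_additional_members" {
  description = "The list additional members to be added on perimeter access. Prefix user: (user:[email protected]) or serviceAccount: (serviceAccount:[email protected]) is required."
  type        = list(string)
  default     = []

  validation {
    # A filtering comprehension (rather than alltrue) keeps this usable on
    # Terraform 0.13, which is the version that introduced validation blocks.
    condition = length([
      for member in var.perimeter_additional_members : member
      if !can(regex("^(user|serviceAccount):", member))
    ]) == 0
    error_message = "Each perimeter_additional_members entry must start with 'user:' or 'serviceAccount:'."
  }
}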
# Base name of the ingestion bucket. Kept short because the final name is
# built from project id + this value + an 8-character random suffix.
variable "bucket_name" {
  type        = string
  description = "The name of the bucket being provisioned."

  validation {
    condition     = length(var.bucket_name) < 20
    error_message = "The bucket_name must contain less than 20 characters. This ensures the name can be prefixed with the project-id and suffixed with 8 random characters."
  }
}

# GCS storage class for the bucket.
variable "bucket_class" {
  type        = string
  default     = "STANDARD"
  description = "The storage class for the bucket being provisioned."
}
# Lifecycle rules for the ingestion bucket. Both nested objects are typed
# `any` so callers can pass only the keys they need; the comments list the
# keys the provider understands.
variable "bucket_lifecycle_rules" {
  type = list(object({
    # action keys:
    #   type          - Delete or SetStorageClass.
    #   storage_class - target class, required when type is SetStorageClass.
    action = any
    # condition keys (all optional):
    #   age                   - minimum object age in days.
    #   created_before        - RFC 3339 date, e.g. 2017-06-13.
    #   with_state            - "LIVE", "ARCHIVED" or "ANY".
    #   matches_storage_class - MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE,
    #                           STANDARD, DURABLE_REDUCED_AVAILABILITY
    #                           (comma-delimited string, see description).
    #   matches_prefix        - one or more name prefixes.
    #   matches_suffix        - one or more name suffixes.
    #   num_newer_versions    - versioned objects only; number of newer versions.
    condition = any
  }))

  # Default: delete any STANDARD-class object (live or archived) after 30 days.
  default = [{
    action = {
      type = "Delete"
    }
    condition = {
      age                   = 30
      with_state            = "ANY"
      matches_storage_class = "STANDARD"
    }
  }]

  description = "List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches_storage_class should be a comma delimited string."
}
# --- BigQuery dataset settings --------------------------------------------

# Dataset that receives de-identified/confidential output.
variable "confidential_dataset_id" {
  type        = string
  default     = "secured_dataset"
  description = "Unique ID for the confidential dataset being provisioned."
}

# Ingestion dataset; required, no default.
variable "dataset_id" {
  type        = string
  description = "Unique ID for the dataset being provisioned."
}

variable "dataset_name" {
  type        = string
  default     = "Data-ingestion dataset"
  description = "Friendly name for the dataset being provisioned."
}

variable "dataset_description" {
  type        = string
  default     = "Data-ingestion dataset"
  description = "Dataset description."
}

# null leaves tables without a default expiration.
variable "dataset_default_table_expiration_ms" {
  type        = number
  default     = null
  description = "TTL of tables using the dataset in MS. The default value is null."
}
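# --- Customer-managed encryption keys --------------------------------------

# Prefix for the KMS key ring names; required, no default.
variable "cmek_keyring_name" {
  description = "The Keyring prefix name for the KMS Customer Managed Encryption Keys being provisioned."
  type        = string
}

# Automatic rotation period, expressed as a duration string in seconds with
# an "s" suffix (the form the KMS API expects). Default is 30 days.
variable "key_rotation_period_seconds" {
  description = "Rotation period for keys. The default value is 30 days."
  type        = string
  default     = "2592000s"

  validation {
    # Catch values such as "2592000" or "30d" at plan time rather than
    # surfacing a provider error during apply.
    condition     = can(regex("^[0-9]+s$", var.key_rotation_period_seconds))
    error_message = "The key_rotation_period_seconds must be a whole number of seconds followed by 's', for example 2592000s."
  }
}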
# Guard against accidental data loss: destroy fails on a non-empty dataset
# unless the caller explicitly opts in.
variable "delete_contents_on_destroy" {
  type        = bool
  default     = false
  description = "(Optional) If set to true, delete all the tables in the dataset when destroying the resource; otherwise, destroying the resource will fail if tables are present."
}

# Identities allowed to launch Dataflow jobs; they are written into the
# secure-data-exchange egress rules of the respective perimeter.
variable "data_ingestion_dataflow_deployer_identities" {
  type        = list(string)
  default     = []
  description = "List of members in the standard GCP form: user:{email}, serviceAccount:{email} that will deploy Dataflow jobs in the Data Ingestion project. These identities will be added to the VPC-SC secure data exchange egress rules."
}

variable "confidential_data_dataflow_deployer_identities" {
  type        = list(string)
  default     = []
  description = "List of members in the standard GCP form: user:{email}, serviceAccount:{email} that will deploy Dataflow jobs in the Confidential Data project. These identities will be added to the VPC-SC secure data exchange egress rules."
}
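# Protection level of the CMEK keys. HSM is the default so key material
# stays inside FIPS 140-2 Level 3 hardware; SOFTWARE is the only other
# value the description allows, and the validation enforces that set.
variable "kms_key_protection_level" {
  description = "The protection level to use when creating a key. Possible values: [\"SOFTWARE\", \"HSM\"]"
  type        = string
  default     = "HSM"

  validation {
    condition     = contains(["SOFTWARE", "HSM"], var.kms_key_protection_level)
    error_message = "The kms_key_protection_level must be either SOFTWARE or HSM."
  }
}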
# --- IAM groups: one per persona, all required --------------------------------

# Owns org policies, KMS and the VPC-SC perimeters.
variable "security_administrator_group" {
  type        = string
  description = "Google Cloud IAM group that administers security configurations in the organization(org policies, KMS, VPC service perimeter)."
}

# Read-only review of network configuration.
variable "network_administrator_group" {
  type        = string
  description = "Google Cloud IAM group that reviews network configuration. Typically, this includes members of the networking team."
}

# Incident monitoring and response.
variable "security_analyst_group" {
  type        = string
  description = "Google Cloud IAM group that monitors and responds to security incidents."
}

# Consumers of the warehouse data.
variable "data_analyst_group" {
  type        = string
  description = "Google Cloud IAM group that analyzes the data in the warehouse."
}

# Builds and operates the pipeline and warehouse.
variable "data_engineer_group" {
  type        = string
  description = "Google Cloud IAM group that sets up and maintains the data pipeline and warehouse."
}
# --- Data Ingestion perimeter: ingress/egress rules ---------------------------
# Each entry is passed through to the VPC-SC module as-is; `any` keeps the
# shape open so the full egress_from/egress_to schema can be expressed.

variable "data_ingestion_egress_policies" {
  type    = list(object({ from = any, to = any }))
  default = []

  description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) for the Data Ingestion perimeter, each list object has a `from` and `to` value that describes egress_from and egress_to. See also [secure data exchange](https://cloud.google.com/vpc-service-controls/docs/secure-data-exchange#allow_access_to_a_google_cloud_resource_outside_the_perimeter) and the [VPC-SC](https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/v3.1.0/modules/regular_service_perimeter/README.md) module. You can use the placeholders `DATA_INGESTION_DATAFLOW_CONTROLLER_SA` and `CONFIDENTIAL_DATA_DATAFLOW_CONTROLLER_SA` to refer to the services accounts being created by the main module."
}

variable "data_ingestion_ingress_policies" {
  type    = list(object({ from = any, to = any }))
  default = []

  description = "A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to.\n\nExample: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). You can use the placeholders `DATA_INGESTION_DATAFLOW_CONTROLLER_SA` and `CONFIDENTIAL_DATA_DATAFLOW_CONTROLLER_SA` to refer to the services accounts being created by the main module."
}
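# How the access-level conditions below are combined. The description only
# defines AND and OR, so anything else is rejected at plan time; note that
# OR makes every single condition sufficient on its own, which widens the
# access level considerably.
variable "data_ingestion_access_level_combining_function" {
  description = "How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition must be satisfied for the AccessLevel to be applied."
  type        = string
  default     = "AND"

  validation {
    condition     = contains(["AND", "OR"], var.data_ingestion_access_level_combining_function)
    error_message = "The data_ingestion_access_level_combining_function must be AND or OR."
  }
}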
# --- Data Ingestion perimeter: access-level conditions ----------------------
# Empty lists / false / "" mean "no restriction" for the respective field,
# so the defaults produce the least restrictive access level.

# CIDR blocks (host bits must be zero) the request must originate from.
variable "data_ingestion_access_level_ip_subnetworks" {
  type        = list(string)
  default     = []
  description = "Condition - A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (that is, all the host bits must be zero) or the input is considered malformed. For example, \"192.0.2.0/24\" is accepted but \"192.0.2.1/24\" is not. Similarly, for IPv6, \"2001:db8::/32\" is accepted whereas \"2001:db8::1/32\" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed."
}

# Inverts the whole condition (NAND over the populated fields).
variable "data_ingestion_access_level_negate" {
  type        = bool
  default     = false
  description = "Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied."
}

# Device-policy fields.
variable "data_ingestion_access_level_require_screen_lock" {
  type        = bool
  default     = false
  description = "Condition - Whether or not screenlock is required for the DevicePolicy to be true."
}

variable "data_ingestion_access_level_require_corp_owned" {
  type        = bool
  default     = false
  description = "Condition - Whether the device needs to be corp owned."
}

variable "data_ingestion_access_level_allowed_encryption_statuses" {
  type        = list(string)
  default     = []
  description = "Condition - A list of allowed encryptions statuses. An empty list allows all statuses."
}

variable "data_ingestion_access_level_allowed_device_management_levels" {
  type        = list(string)
  default     = []
  description = "Condition - A list of allowed device management levels. An empty list allows all management levels."
}

variable "data_ingestion_access_level_minimum_version" {
  type        = string
  default     = ""
  description = "The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: \"major.minor.patch\" such as \"10.5.301\", \"9.2.1\"."
}

variable "data_ingestion_access_level_os_type" {
  type        = string
  default     = "OS_UNSPECIFIED"
  description = "The operating system type of the device."
}

# Other access levels (by resource name) that must also be granted.
variable "data_ingestion_required_access_levels" {
  type        = list(string)
  default     = []
  description = "Condition - A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true."
}

# ISO 3166-1 alpha-2 country codes the request must originate from.
variable "data_ingestion_access_level_regions" {
  type        = list(string)
  default     = []
  description = "Condition - The request must originate from one of the provided countries or regions. Format: A valid ISO 3166-1 alpha-2 code."
}
# --- Data Governance perimeter: ingress/egress rules --------------------------
# Same shape as the Data Ingestion rules above; passed through to the VPC-SC module.

variable "data_governance_egress_policies" {
  type    = list(object({ from = any, to = any }))
  default = []

  description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) for the Data Governance perimeter, each list object has a `from` and `to` value that describes egress_from and egress_to. See also [secure data exchange](https://cloud.google.com/vpc-service-controls/docs/secure-data-exchange#allow_access_to_a_google_cloud_resource_outside_the_perimeter) and the [VPC-SC](https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/v3.1.0/modules/regular_service_perimeter/README.md) module. You can use the placeholders `DATA_INGESTION_DATAFLOW_CONTROLLER_SA` and `CONFIDENTIAL_DATA_DATAFLOW_CONTROLLER_SA` to refer to the services accounts being created by the main module."
}

variable "data_governance_ingress_policies" {
  type    = list(object({ from = any, to = any }))
  default = []

  description = "A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to.\n\nExample: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). You can use the placeholders `DATA_INGESTION_DATAFLOW_CONTROLLER_SA` and `CONFIDENTIAL_DATA_DATAFLOW_CONTROLLER_SA` to refer to the services accounts being created by the main module."
}
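# How the Data Governance access-level conditions are combined. Only AND and
# OR are defined, so the validation rejects anything else at plan time; OR
# lets any single condition grant the level, so prefer AND unless required.
variable "data_governance_access_level_combining_function" {
  description = "How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition must be satisfied for the AccessLevel to be applied."
  type        = string
  default     = "AND"

  validation {
    condition     = contains(["AND", "OR"], var.data_governance_access_level_combining_function)
    error_message = "The data_governance_access_level_combining_function must be AND or OR."
  }
}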
# --- Data Governance perimeter: access-level conditions ---------------------
# Mirrors the Data Ingestion set; defaults impose no restriction.

variable "data_governance_access_level_ip_subnetworks" {
  type        = list(string)
  default     = []
  description = "Condition - A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (that is, all the host bits must be zero) or the input is considered malformed. For example, \"192.0.2.0/24\" is accepted but \"192.0.2.1/24\" is not. Similarly, for IPv6, \"2001:db8::/32\" is accepted whereas \"2001:db8::1/32\" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed."
}

variable "data_governance_access_level_negate" {
  type        = bool
  default     = false
  description = "Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied."
}

variable "data_governance_access_level_require_screen_lock" {
  type        = bool
  default     = false
  description = "Condition - Whether or not screenlock is required for the DevicePolicy to be true."
}

variable "data_governance_access_level_require_corp_owned" {
  type        = bool
  default     = false
  description = "Condition - Whether the device needs to be corp owned."
}

variable "data_governance_access_level_allowed_encryption_statuses" {
  type        = list(string)
  default     = []
  description = "Condition - A list of allowed encryptions statuses. An empty list allows all statuses."
}

variable "data_governance_access_level_allowed_device_management_levels" {
  type        = list(string)
  default     = []
  description = "Condition - A list of allowed device management levels. An empty list allows all management levels."
}

variable "data_governance_access_level_minimum_version" {
  type        = string
  default     = ""
  description = "The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: \"major.minor.patch\" such as \"10.5.301\", \"9.2.1\"."
}

variable "data_governance_access_level_os_type" {
  type        = string
  default     = "OS_UNSPECIFIED"
  description = "The operating system type of the device."
}

variable "data_governance_required_access_levels" {
  type        = list(string)
  default     = []
  description = "Condition - A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true."
}

variable "data_governance_access_level_regions" {
  type        = list(string)
  default     = []
  description = "Condition - The request must originate from one of the provided countries or regions. Format: A valid ISO 3166-1 alpha-2 code."
}
# --- Confidential Data perimeter: ingress/egress rules ------------------------
# Same shape as the other two perimeters; passed through to the VPC-SC module.

variable "confidential_data_egress_policies" {
  type    = list(object({ from = any, to = any }))
  default = []

  description = "A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) for the Confidential Data perimeter, each list object has a `from` and `to` value that describes egress_from and egress_to. See also [secure data exchange](https://cloud.google.com/vpc-service-controls/docs/secure-data-exchange#allow_access_to_a_google_cloud_resource_outside_the_perimeter) and the [VPC-SC](https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/v3.1.0/modules/regular_service_perimeter/README.md) module. You can use the placeholders `DATA_INGESTION_DATAFLOW_CONTROLLER_SA` and `CONFIDENTIAL_DATA_DATAFLOW_CONTROLLER_SA` to refer to the services accounts being created by the main module."
}

variable "confidential_data_ingress_policies" {
  type    = list(object({ from = any, to = any }))
  default = []

  description = "A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to.\n\nExample: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type=\"ID_TYPE\" }, to={ resources=[], operations={ \"SRV_NAME\"={ OP_TYPE=[] }}}}]`\n\nValid Values:\n`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow indentities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`\n`SRV_NAME` = \"`*`\" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)\n`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). You can use the placeholders `DATA_INGESTION_DATAFLOW_CONTROLLER_SA` and `CONFIDENTIAL_DATA_DATAFLOW_CONTROLLER_SA` to refer to the services accounts being created by the main module."
}
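# How the Confidential Data access-level conditions are combined. Only AND
# and OR are defined, so the validation rejects anything else at plan time;
# OR lets any single condition grant the level, so prefer AND unless required.
variable "confidential_data_access_level_combining_function" {
  description = "How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition must be satisfied for the AccessLevel to be applied."
  type        = string
  default     = "AND"

  validation {
    condition     = contains(["AND", "OR"], var.confidential_data_access_level_combining_function)
    error_message = "The confidential_data_access_level_combining_function must be AND or OR."
  }
}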
# --- Confidential Data perimeter: access-level conditions --------------------
# Mirrors the other two perimeters; defaults impose no restriction.

variable "confidential_data_access_level_ip_subnetworks" {
  type        = list(string)
  default     = []
  description = "Condition - A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (that is, all the host bits must be zero) or the input is considered malformed. For example, \"192.0.2.0/24\" is accepted but \"192.0.2.1/24\" is not. Similarly, for IPv6, \"2001:db8::/32\" is accepted whereas \"2001:db8::1/32\" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed."
}

variable "confidential_data_access_level_negate" {
  type        = bool
  default     = false
  description = "Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied."
}

variable "confidential_data_access_level_require_screen_lock" {
  type        = bool
  default     = false
  description = "Condition - Whether or not screenlock is required for the DevicePolicy to be true."
}

variable "confidential_data_access_level_require_corp_owned" {
  type        = bool
  default     = false
  description = "Condition - Whether the device needs to be corp owned."
}

variable "confidential_data_access_level_allowed_encryption_statuses" {
  type        = list(string)
  default     = []
  description = "Condition - A list of allowed encryptions statuses. An empty list allows all statuses."
}

variable "confidential_data_access_level_allowed_device_management_levels" {
  type        = list(string)
  default     = []
  description = "Condition - A list of allowed device management levels. An empty list allows all management levels."
}

variable "confidential_data_access_level_minimum_version" {
  type        = string
  default     = ""
  description = "The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: \"major.minor.patch\" such as \"10.5.301\", \"9.2.1\"."
}

variable "confidential_data_access_level_os_type" {
  type        = string
  default     = "OS_UNSPECIFIED"
  description = "The operating system type of the device."
}

variable "confidential_data_required_access_levels" {
  type        = list(string)
  default     = []
  description = "Condition - A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true."
}

variable "confidential_data_access_level_regions" {
  type        = list(string)
  default     = []
  description = "Condition - The request must originate from one of the provided countries or regions. Format: A valid ISO 3166-1 alpha-2 code."
}
# --- Bring-your-own perimeters ------------------------------------------------
# An empty string (the default) means the module creates the perimeter.
# When reusing an existing one, `terraform_service_account` must already be
# a member of one of its access levels, otherwise the apply itself is blocked.

variable "data_ingestion_perimeter" {
  type        = string
  default     = ""
  description = "Existing data ingestion perimeter to be used instead of the auto-created perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module."
}

variable "data_governance_perimeter" {
  type        = string
  default     = ""
  description = "Existing data governance perimeter to be used instead of the auto-created perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module."
}

variable "confidential_data_perimeter" {
  type        = string
  default     = ""
  description = "Existing confidential data perimeter to be used instead of the auto-created perimeter. The service account provided in the variable `terraform_service_account` must be in an access level member list for this perimeter **before** this perimeter can be used in this module."
}

# Off by default: the ingestion Dataflow controller SA only gets BigQuery
# read roles when a pipeline actually needs to read from a table.
variable "enable_bigquery_read_roles_in_data_ingestion" {
  type        = bool
  default     = false
  description = "(Optional) If set to true, it will grant to the dataflow controller service account created in the data ingestion project the necessary roles to read from a bigquery table."
}