composer-shared-vpc

Cloud Composer in Shared VPC

This repo uses terraform to create below resources in order to deploy a private composer environment in shared VPC.

• Two projects, one for shared VPC and other for composer environment
• One shared VPC and subnets in host project
• Neccesary IAM permissions and firewall rules in order to deploy composer env
• Service Account for composer workers
• Composer env itself

Requirements

• A folder in org where projects will be created

• A service account which will be used by terraform having below permissions

  • at above folder level
    • "roles/resourcemanager.projectCreator"
    • "roles/compute.xpnAdmin"
  • at org level
    • "roles/browser"
  • At billing account level
    • "roles/billing.admin"
  • At bucket(used to store state) level
    • "roles/storage.objectAdmin"

• User/Service account executing terraform code need to have below permissions on above service account used by terraform.

  • "roles/iam.serviceAccountTokenCreator"

Providers

Name	Version
google.impersonate	n/a

Modules

Name	Source	Version
composer-env	./composer_v1_pvt_shared_vpc	n/a
shared	./shared/	n/a

Resources

Name	Type
google_service_account_access_token.default	data source

Inputs

Name	Description	Type	Default	Required
billing_account	The ID of the billing account to associate this project with	string	n/a	yes
composer_subnets	subnets for composer workers	map(object({ description = string cidr_range = string region = string private_access = bool flow_logs = bool secondary_ranges = list(object({ range_name = string ip_cidr_range = string })) }))	{}	no
composer_v1_private_envs	composer v1 private envs	map(object({ region = string zone = string pod_ip_range_name = string service_ip_range_name = string subnet = string control_plane_cidr = string web_server_cidr = string cloud_sql_cidr = string tags = list(string) software_config = object({ airflow_config_overrides = map(string) env_variables = map(string) image_version = string pypi_packages = map(string) python_version = string }) }))	{}	no
deny_all_egrees_rule_create	Create deny all egress	bool	true	no
folder_name	Parent folder for projects, folder should be child of organization	string	n/a	yes
org_id	The organization id for the associated services	string	n/a	yes
prefix	prefix for resource names	string	n/a	yes
terraform_service_account	Service account email of the account to impersonate to run Terraform.	string	n/a	yes
vm_ext_ip_access_policy_create	Create VM external policy constraint at project level to allow public IPs for public composer envs	bool	true	no

Outputs

No outputs.