chore: add exclusivity condition on project_org_id and project_folder_id (#5)

albertodonato · web-flow · commit 126a61ca7f8f · 2025-02-19T13:19:10.000Z
* reformat

* chore: add exclusivity condition on project_org_id and project_folder_id
diff --git a/main.tf b/main.tf
@@ -1,65 +1,65 @@
 locals {
-    stacklet_assumed_role = "arn:aws:sts::${var.stacklet_aws_account_id}:assumed-role/${var.stacklet_aws_role_name}"
+  stacklet_assumed_role = "arn:aws:sts::${var.stacklet_aws_account_id}:assumed-role/${var.stacklet_aws_role_name}"
 
-    source_tables = [for key in var.billing_tables : {
-        "key"        : key,
-        "project_id" : split(".", key)[0],
-        "dataset_id" : split(".", key)[1],
-        "table_id"   : split(".", key)[2],
-    }]
+  source_tables = [for key in var.billing_tables : {
+    "key" : key,
+    "project_id" : split(".", key)[0],
+    "dataset_id" : split(".", key)[1],
+    "table_id" : split(".", key)[2],
+  }]
 }
 
 
 # A project for all the resources to live in, and the APIs it needs activated.
 resource "google_project" "billing_export" {
-    name            = "Stacklet billing export"
-    project_id      = var.project_id
-    org_id          = var.project_org_id
-    folder_id       = var.project_folder_id
-    billing_account = var.project_billing_account_id
+  name            = "Stacklet billing export"
+  project_id      = var.project_id
+  org_id          = var.project_org_id
+  folder_id       = var.project_folder_id
+  billing_account = var.project_billing_account_id
 }
 resource "google_project_service" "iamcredentials" {
-    project = google_project.billing_export.project_id
-    service = "iamcredentials.googleapis.com"
+  project = google_project.billing_export.project_id
+  service = "iamcredentials.googleapis.com"
 }
 resource "google_project_service" "bigquery" {
-    project = google_project.billing_export.project_id
-    service = "bigquery.googleapis.com"
+  project = google_project.billing_export.project_id
+  service = "bigquery.googleapis.com"
 }
 
 
 # Allow AWS roles from the Stacklet account to assume identities in GCP.
 resource "google_iam_workload_identity_pool" "stacklet_access" {
-    project                   = google_project.billing_export.project_id
-    workload_identity_pool_id = "stacklet-access"
-    display_name              = "Stacklet billing export"
+  project                   = google_project.billing_export.project_id
+  workload_identity_pool_id = "stacklet-access"
+  display_name              = "Stacklet billing export"
 }
 resource "google_iam_workload_identity_pool_provider" "stacklet_account" {
-    project                            = google_project.billing_export.project_id
-    workload_identity_pool_id          = google_iam_workload_identity_pool.stacklet_access.workload_identity_pool_id
-    workload_identity_pool_provider_id = "stacklet-account"
-    display_name                       = "Stacklet FOCUS export"
-    disabled                           = false
+  project                            = google_project.billing_export.project_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.stacklet_access.workload_identity_pool_id
+  workload_identity_pool_provider_id = "stacklet-account"
+  display_name                       = "Stacklet FOCUS export"
+  disabled                           = false
 
-    # The default attribute mapping for AWS sets `aws_role` attribute which matches the
-    # `local.stacklet_assumed_role` as used in the service account IAM policy.
-    aws {
-        account_id = var.stacklet_aws_account_id
-    }
+  # The default attribute mapping for AWS sets `aws_role` attribute which matches the
+  # `local.stacklet_assumed_role` as used in the service account IAM policy.
+  aws {
+    account_id = var.stacklet_aws_account_id
+  }
 }
 
 
 # Service account, which can be impersonated by `local.stacklet_assumed_role`.
 resource "google_service_account" "billing_access" {
-    project      = google_project.billing_export.project_id
-    account_id   = "stacklet-billing-access"
-    display_name = "Stacklet WIF billing access"
+  project      = google_project.billing_export.project_id
+  account_id   = "stacklet-billing-access"
+  display_name = "Stacklet WIF billing access"
 }
 data "google_iam_policy" "stacklet_role_access" {
-    binding {
-        role = "roles/iam.serviceAccountTokenCreator"
-        members = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.stacklet_access.name}/attribute.aws_role/${local.stacklet_assumed_role}"]
-    }
+  binding {
+    role    = "roles/iam.serviceAccountTokenCreator"
+    members = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.stacklet_access.name}/attribute.aws_role/${local.stacklet_assumed_role}"]
+  }
 }
 resource "google_service_account_iam_policy" "billing_access" {
   service_account_id = google_service_account.billing_access.name
@@ -74,20 +74,20 @@ resource "google_project_iam_member" "sa_bq_jobs" {
   member  = google_service_account.billing_access.member
 }
 resource "google_bigquery_table_iam_member" "sa_bq_tables" {
-    for_each = { for table in local.source_tables : table.key => table }
+  for_each = { for table in local.source_tables : table.key => table }
 
-    project    = each.value.project_id
-    dataset_id = each.value.dataset_id
-    table_id   = each.value.table_id
-    role       = "roles/bigquery.dataViewer"
-    member     = google_service_account.billing_access.member
+  project    = each.value.project_id
+  dataset_id = each.value.dataset_id
+  table_id   = each.value.table_id
+  role       = "roles/bigquery.dataViewer"
+  member     = google_service_account.billing_access.member
 }
 
 
 # Discover dataset locations for output.
 data "google_bigquery_dataset" "table_datasets" {
-    for_each = { for table in local.source_tables : table.key => table }
+  for_each = { for table in local.source_tables : table.key => table }
 
-    project    = each.value.project_id
-    dataset_id = each.value.dataset_id
+  project    = each.value.project_id
+  dataset_id = each.value.dataset_id
 }
diff --git a/output.tf b/output.tf
@@ -1,31 +1,31 @@
 locals {
-    project_id            = google_project.billing_export.project_id
-    table_locations       = [ for key in var.billing_tables : { table = key, location = data.google_bigquery_dataset.table_datasets[key].location }]
-    wif_audience          = "//iam.googleapis.com/projects/${google_project.billing_export.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.stacklet_access.workload_identity_pool_id}/providers/${google_iam_workload_identity_pool_provider.stacklet_account.workload_identity_pool_provider_id}"
-    wif_impersonation_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${google_service_account.billing_access.email}:generateAccessToken"
+  project_id            = google_project.billing_export.project_id
+  table_locations       = [for key in var.billing_tables : { table = key, location = data.google_bigquery_dataset.table_datasets[key].location }]
+  wif_audience          = "//iam.googleapis.com/projects/${google_project.billing_export.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.stacklet_access.workload_identity_pool_id}/providers/${google_iam_workload_identity_pool_provider.stacklet_account.workload_identity_pool_provider_id}"
+  wif_impersonation_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${google_service_account.billing_access.email}:generateAccessToken"
 }
 
 output "project_id" {
-    value = local.project_id
+  value = local.project_id
 }
 
 output "table_locations" {
-    value = local.table_locations
+  value = local.table_locations
 }
 
 output "wif_audience" {
-    value = local.wif_audience
+  value = local.wif_audience
 }
 
 output "wif_impersonation_url" {
-    value = local.wif_impersonation_url
+  value = local.wif_impersonation_url
 }
 
 output "access_blob" {
-    value = base64encode(jsonencode({
-        projectId           = local.project_id,
-        tableLocations      = local.table_locations,
-        wifAudience         = local.wif_audience,
-        wifImpersonationURL = local.wif_impersonation_url,
-    }))
+  value = base64encode(jsonencode({
+    projectId           = local.project_id,
+    tableLocations      = local.table_locations,
+    wifAudience         = local.wif_audience,
+    wifImpersonationURL = local.wif_impersonation_url,
+  }))
 }
diff --git a/provider.tf b/provider.tf
@@ -1,3 +1,3 @@
 provider "google" {
-    default_labels = var.resource_labels
+  default_labels = var.resource_labels
 }
diff --git a/vars.tf b/vars.tf
@@ -1,47 +1,52 @@
 variable "resource_labels" {
-    type        = map(string)
-    default     = {}
-    description = "Labels to apply to the project and applicable resources"
+  type        = map(string)
+  default     = {}
+  description = "Labels to apply to the project and applicable resources"
 }
 
 variable "project_id" {
-    type        = string
-    description = "ID of project to hold all resources"
+  type        = string
+  description = "ID of project to hold all resources"
 }
 
 variable "project_org_id" {
-    type        = string
-    default     = null
-    description = "Where to create the project (optional, exclusive of project_folder_id)"
+  type        = string
+  default     = null
+  description = "Where to create the project (optional, exclusive of project_folder_id)"
 }
 
 variable "project_folder_id" {
-    type        = string
-    default     = null
-    description = "Where to create the project (optional, exclusive of project_org_id)"
+  type        = string
+  default     = null
+  description = "Where to create the project (optional, exclusive of project_org_id)"
+
+  validation {
+    condition     = var.project_org_id == null || var.project_folder_id == null
+    error_message = "project_org_id and project_folder_id are exclusive"
+  }
 }
 
 variable "project_billing_account_id" {
-    type        = string
-    default     = null
-    description = "Billing account responsible for any costs incurred"
+  type        = string
+  default     = null
+  description = "Billing account responsible for any costs incurred"
 }
 
 variable "billing_tables" {
-    type        = list(string)
-    description = "Billing export tables in <project_id>.<dataset_id>.<table_id> format."
-    validation {
-        condition     = alltrue([for t in var.billing_tables : length(split(".", t)) == 3])
-        error_message = "All tables must be <project_id>.<dataset_id>.<table_id>"
-    }
+  type        = list(string)
+  description = "Billing export tables in <project_id>.<dataset_id>.<table_id> format."
+  validation {
+    condition     = alltrue([for t in var.billing_tables : length(split(".", t)) == 3])
+    error_message = "All tables must be <project_id>.<dataset_id>.<table_id>"
+  }
 }
 
 variable "stacklet_aws_account_id" {
-    type        = string
-    description = "AWS account which will use WIF to query billing data (chosen by Stacklet)"
+  type        = string
+  description = "AWS account which will use WIF to query billing data (chosen by Stacklet)"
 }
 
 variable "stacklet_aws_role_name" {
-    type        = string
-    description = "AWS IAM role which will use WIF to query billing data (chosen by Stacklet)"
+  type        = string
+  description = "AWS IAM role which will use WIF to query billing data (chosen by Stacklet)"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`provider "google" {`
`2`		`- default_labels = var.resource_labels`
	`2`	`+ default_labels = var.resource_labels`
`3`	`3`	`}`