Add checks to guarantee resource creation order

googleforgames · Apr 11, 2023 · 38bd3c3 · 38bd3c3
1 parent 24df96f
commit 38bd3c3
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 7 deletions.
diff --git a/infrastructure/org-policies/main.tf b/infrastructure/org-policies/main.tf
@@ -17,7 +17,6 @@ terraform {
     google = {
       source  = "hashicorp/google"
       version = "4.56.0"
-      user_project_override = true
     }
   }
 

diff --git a/infrastructure/org-policies/org-policies.tf b/infrastructure/org-policies/org-policies.tf
@@ -27,6 +27,8 @@ module "gcp_org_policy_v2_requireShieldedVm" {
   }]
   constraint  = "compute.requireShieldedVm"
   policy_type = "boolean"
+
+  depends_on = [google_project_service.project]
 }
 
 module "gcp_org_policy_v2_disableServiceAccountKeyCreation" {
@@ -43,6 +45,8 @@ module "gcp_org_policy_v2_disableServiceAccountKeyCreation" {
   }]
   constraint  = "iam.disableServiceAccountKeyCreation"
   policy_type = "boolean"
+
+  depends_on = [google_project_service.project]
 }
 
 module "gcp_org_policy_v2_vmCanIpForward" {
@@ -59,6 +63,8 @@ module "gcp_org_policy_v2_vmCanIpForward" {
   }]
   constraint  = "compute.vmCanIpForward"
   policy_type = "list"
+
+  depends_on = [google_project_service.project]
 }
 
 module "gcp_org_policy_v2_vmExternalIpAccess" {
@@ -75,4 +81,6 @@ module "gcp_org_policy_v2_vmExternalIpAccess" {
   }]
   constraint  = "compute.vmExternalIpAccess"
   policy_type = "list"
+
+  depends_on = [google_project_service.project]
 }
diff --git a/infrastructure/org-policies/project-services.tf b/infrastructure/org-policies/project-services.tf
@@ -12,10 +12,26 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-resource "google_project_services" "project" {
+resource "google_project_service" "project" {
   project = var.project
-  services   = ["iam.googleapis.com", 
-                "cloudresourcemanager.googleapis.com",
-                "orgpolicy.googleapis.com"
-                ]
+  for_each = toset(var.gcp_project_services)
+  service  = each.value
+
+  timeouts {
+    create = "30m"
+    update = "40m"
+  }
+
+  # Ensure service is truly active before continuing onward
+  provisioner "local-exec" {
+    command = <<EOF
+        while [ ! $(gcloud services list --project=${var.project} | grep ${each.value} | wc -l ) ];
+        do
+            sleep 1s 
+        done
+        EOF
+  }
+
+  disable_dependent_services = false
+  disable_on_destroy = false
 }
diff --git a/infrastructure/org-policies/variables.tf b/infrastructure/org-policies/variables.tf
@@ -12,9 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-### Project Variables ###
+# Project Variables
 
 variable "project" {
   type        = string
   description = "GCP Project ID"
+}
+
+variable "gcp_project_services" {
+  type        = list(any)
+  description = "GCP Service APIs (<api>.googleapis.com) to enable for this project"
+  default     = []
 }