Creates several Google Cloud folders under the same parent
Home Page: https://registry.terraform.io/modules/terraform-google-modules/folders/google
License: Apache License 2.0
![release-please[bot] avatar](https://avatars.githubusercontent.com/in/40688?v=4 "release-please[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
With the current versions set on the hashicorp/google module.
Exchange Text
initializing the backend...
Initializing provider plugins...
Error: Failed to query available provider packages
Could not retrieve the list of available versions for provider
hashicorp/google: no available releases match the given constraints 3.5.0, >=
3.45.0, < 4.0.0
The description of set_roles is inaccurate; it refers to a non-existent variable "role_members".
Hi There
I can see in the version.tf you are now supporting terraform 13. However you haven't created a tag for this.
So i'm just wondering when a new tag will be created?
Cheers,
Brett
Currently, parent is specified using both the parent_id and parent_type.
This makes it challenging to nest folders because the output from this module is folders/{id} but the expected input is {id}.
We should converge so only folders/{id} is the input (and parent_type is deprecated).
Hi,
I unable to understand how to create Service account at org level in GCP to create the folder/project creation to working on this module. As per module i have to place file the credential path. Since i unable to create a service i unable to provide it.
Kindly assist me on this.
Example:
I got Admin access for org level. And i have created a member (not service account) and provide access to folder creator role and project create role. Now i don't know how to use this module.
If we rename a previously created folder through names variable, terraform will destroy the folder and recreate a new one, as the folder name is used as the for_each key.
Note 1: If after the initial creation, we have created resources under the folder such as projects, the deletion will fail and the renaming will never occur.
Note 2: the workaround to remove the folder from the state and delete the folder with manual action is not acceptable
Note 3: Also the potential workaround to add the new folder name as a new value in the list and keep the old name as it is is not acceptable as we do not want to keep a second folder, we need a renaming.
names = ["previous_name"]
changed to:
names = ["new_name"]
-------------------------------
Plan result:
# module.module1.google_folder.folders["previous_name"] will be destroyed
[...]
# module.module1.google_folder.folders["new_name"] will be created
[...]The variables needs to be adapted to isolate the requested folder display name from the for_each resource key to allow renaming.
For example:
instead of flat names variable, use a list such as:
names= [
{folder_key = "my_folder_1", folder_name= "requested_display_name"},
]
and for folders resource, replace toset with something similar to:
resource "google_folder" "folders" {
for_each = {for folder in var.names: folder.folder_key => folder}
display_name = "${local.prefix}${each.value.folder_name}"
This way, when we change folder_name later to "new_name", we do not change folder_key, the state key is unchanged and the folder is renamed as expected.No response
Unless I'm mistaken, the same roles list (folder_admin_roles) will be deployed for the admins.
Objective here is to change the variables to allow having a different set of roles for each admin for each folder.
No response
No response
No response
I used the module to create a set of folders, then I tried to rename it but instead of update-in-place, the plan announced that it would be a destroy.
~ update in-place
Terraform will perform the following actions:
google_folder.department1 will be updated in-place
~ resource "google_folder" "department1" {
~ display_name = "test-folder" -> "test-folders"
id = "folders/273697474191"
name = "folders/273697474191"
# (4 unchanged attributes hidden)
}
module.folders_commoncoreplatform.google_folder.folders["Prod"] will be destroyed
module.folders_commoncoreplatform.google_folder.folders["Prods"] will be created
module "folders_commoncoreplatform" {
source = "terraform-google-modules/folders/google"
version = "~> 3.0"
parent = "${module.folders_infra.ids["Common-Core-Platform"]}"
names = [
"Dev",
"Labs",
"Prod"
]
depends_on = [
module.folders_infra
]
}1.1.4.No response
The README is out of date.
The outputs are old and the syntax is <=0.12.
This module is not yet covered by CI, which means we don't have a consistent way to ensure that integration tests pass before merging PRs.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
Makefile
cft/developer-tools 1.19build/int.cloudbuild.yaml
cft/developer-tools 1.19build/lint.cloudbuild.yaml
cft/developer-tools 1.19
examples/dynamic_example/main.tf
terraform-google-modules/folders/google ~> 4.0terraform-google-modules/folders/google ~> 4.0terraform-google-modules/folders/google ~> 4.0terraform-google-modules/folders/google ~> 4.0examples/dynamic_example/versions.tf
google >= 3.50hashicorp/terraform >= 0.13examples/simple_example/main.tf
terraform-google-modules/folders/google ~> 4.0test/fixtures/simple_example/main.tf
test/setup/main.tf
terraform-google-modules/project-factory/google ~> 14.0test/setup/versions.tf
google >= 3.38, < 6google-beta >= 3.38, < 6hashicorp/terraform >= 0.13versions.tf
google >= 3.45, < 6random >= 3.0hashicorp/terraform >= 1.3.0
I noticed that after the upgrade from v3.1.0 to v3.2.0 the terraform plan contains a lot of forces replacement for some unknown reason. Here's an example from the plan:
resource "google_folder_iam_member" "impersonate" {
folder = "folders/<folder id>" -> (known after apply) # forces replacement
..
}
This resource looks like this:
resource "google_folder_iam_member" "impersonate" {
depends_on = [
google_service_account.per_folder
]
for_each = local.folder_ids
folder = each.value
role = "roles/<role>"
member = "serviceAccount:<member SA>"
}
And our usage of the module looks like this:
module "root_level_folders" {
source = "terraform-google-modules/folders/google"
version = "~> 3.2.0"
names = var.root_folders
parent = data.terraform_remote_state.seed.outputs.root_folder_id
prefix = var.folder_prefix
}
module "project_level_folders" {
source = "terraform-google-modules/folders/google"
version = "~> 3.2.0"
names = var.project_folders
parent = module.root_level_folders.ids["projects"]
prefix = var.folder_prefix
}
# Merge all folder outputs to single map of folder ids
locals {
folder_ids = merge(module.root_level_folders.ids, module.project_level_folders.ids)
}
Any clues on why the introduced changes causes the plan to force replacement?
I get below error when I try to create 2 folders under one organization using the 'simple_example' code:
module.folders.google_folder.folders[0]: Creating...
module.folders.google_folder.folders[1]: Creating...
Error: Error creating folder 'shared-test' in 'organization/**********': googleapi: Error 400: Request contains an invalid argument., badRequest
on ../../main.tf line 25, in resource "google_folder" "folders":
25: resource "google_folder" "folders" {
Error: Error creating folder 'management_test' in 'organization/***********': googleapi: Error 400: Request contains an invalid argument., badRequest
on ../../main.tf line 25, in resource "google_folder" "folders":
25: resource "google_folder" "folders" {
We should update the testing to use Cloud Build and a new Service Account per run, as documented here.
If you remove a folder from the list, it seems to introduce an error. I suspect this is because the resource still exists but the output is being interpolated.
Error:
Error: Error in function call
on .terraform/modules/folders-root/terraform-google-modules-terraform-google-folders-0c75f1c/outputs.tf line 19, in output "names_and_display_names":
19: value = zipmap(var.names, google_folder.folders.*.display_name)
|----------------
| google_folder.folders is tuple with 2 elements
| var.names is list of string with 1 element
Call to function "zipmap" failed: number of keys (1) does not match number of
values (2).
Likely fix is simply to only grab the first n google_folder resources for the zipmap.
After release v4.0 we must change code a bit. But now the concept with folder_admin_roles and all_folder_admins is not properly working anymore.
With v4.x the following roles will be deleted:
With new release we want to add additional members with per_folder_admins declaration. We can add separate folders in the per_folder_admins without destroying default roles on not defined folder in that attribute. Like this:
module "department_folders" {
source = "terraform-google-modules/folders/google"
version = "~> 4.0"
parent = "organizations/${var.organization_id}"
names = var.department_names
set_roles = true
folder_admin_roles = ["roles/viewer"]
all_folder_admins = ["group:[email protected]"]
per_folder_admins = {
test = {
members = ["group:[email protected]"],
roles = ["roles/viewer"]
}
}
}But with that implementation now the permissions for folders dev and prod would be deleted:
# module.department_folders.google_folder_iam_binding.owners["dev-roles/viewer"] will be destroyed
# (because key ["dev-roles/viewer"] is not in for_each map)
- resource "google_folder_iam_binding" "owners" {
...
}department_names = [
"test",
"dev",
"prod"
]
# With v3.x
module "department_folders" {
source = "terraform-google-modules/folders/google"
version = "~> 4.0"
parent = "organizations/${var.organization_id}"
names = var.department_names
set_roles = true
folder_admin_roles = ["roles/viewer"]
all_folder_admins = ["group:[email protected]"]
}
#With v4.0 we want to add additional members to separate folders with per_folder_admins declaration:
module "department_folders" {
source = "terraform-google-modules/folders/google"
version = "~> 4.0"
parent = "organizations/${var.organization_id}"
names = var.department_names
set_roles = true
folder_admin_roles = ["roles/viewer"]
all_folder_admins = ["group:[email protected]"]
per_folder_admins = {
test = {
members = ["group:[email protected]"],
roles = ["roles/viewer"]
}
}
}$ terraform --version
Terraform v1.4.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.75.0
+ provider registry.terraform.io/hashicorp/google-beta v4.75.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/time v0.9.1It was only as workarround possible to fix that with the following:
module "department_folders" {
source = "terraform-google-modules/folders/google"
version = "~> 4.0"
parent = "organizations/${var.organization_id}"
names = var.department_names
set_roles = true
folder_admin_roles = ["roles/viewer"]
all_folder_admins = ["group:[email protected]"]
per_folder_admins = {
test = {
members = ["group:[email protected]"],
roles = ["roles/viewer"]
},
dev = {
members = []
},
prod = {
members = []
}
}
}Note: We have originally opened issue 40, which has been closed because similar to issue 38.
However issue 38 is also closed with no change delivered, stating that this is due to a terraform constraint.
However we reject this reason, there is a proposed solution.
Request:
If we rename a previously created folder through names variable, terraform will destroy the folder and recreate a new one, as the folder name is used as a for_each key.
Note 1: the workaround to manually remove the folder from the state and delete the folder is not acceptable, the goal is to automate with Terraform and avoiding manual actions.
Note 2: Also the potential workaround to add the new folder name as a new value in the list and keep the old name as it is is not acceptable as we do not want to keep a second folder, we need a renaming.
names = ["previous_name"]
changed to:
names = ["new_name"]
-------------------------------
Plan result:
# module.module1.google_folder.folders["previous_name"] will be destroyed
[...]
# module.module1.google_folder.folders["new_name"] will be created
[...]The variables needs to be adapted to isolate the requested folder display name from the for_each resource key to allow renaming.
For example:
instead of flat names variable, use a list such as:
names= [
{folder_key = "my_folder_1", folder_name= "requested_display_name"},
]
and for folders resource, replace toset with something similar to:
resource "google_folder" "folders" {
for_each = {for folder in var.names: folder.folder_key => folder}
display_name = "${local.prefix}${each.value.folder_name}"
This way, when we change folder_name later to "new_name", we do not change folder_key, the state key is unchanged and the folder is renamed as expected.
Originally posted by @lemoo5sg in #38 (comment)
The prefix variable is not taken into account when building outputs in outputs.tf, making it necessary to manually interpolate such prefix in expressions that depend on the outputs of this module.
The outputs to take the prefix into account.
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: Invalid index
│
│ on project.tf line 7, in module "project-factory":
│ 7: folder_id = module.folder.ids["${module.folder.name}"]
│ ├────────────────
│ │ module.folder.ids is object with 1 attribute "folder"
│ │ module.folder.name is "tst-folder"
│
│ The given key does not identify an element in this collection value.
variable "prefix" {
default = "tst"
type = string
}
module "folder" {
source = "terraform-google-modules/folders/google"
version = "3.2.0"
names = [
"folder"
]
parent = var.org_id
prefix = var.prefix
}
module "project-factory" {
source = "terraform-google-modules/project-factory/google"
version = "14.2.0"
auto_create_network = false
billing_account = "123-456-789"
folder_id = module.folder.ids["${module.folder.name}"]
name = "test-project"
org_id = data.google_organization.main_organization.org_id
random_project_id = true
}Terraform v1.4.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.59.0
+ provider registry.terraform.io/hashicorp/google-beta v4.59.0
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.9.1No response
Hi there,
I have an error due to creation of folders in the organizations type as below
module.folders.google_folder_iam_binding.owners[2]: Creating...
module.folders.google_folder_iam_binding.owners[0]: Creating...
module.folders.google_folder_iam_binding.owners[1]: Creating...
module.folders.google_folder_iam_binding.owners[3]: Creating...
Error: Error applying IAM policy for folder "folders/NUMBER-HERE": Error setting IAM policy for folder "folders/NUMBER-HERE": googleapi: Error 400: Policy members must be of the form "<type>:<value>"., badRequest
on .terraform/modules/folders/terraform-google-modules-terraform-google-folders-6764061/main.tf line 34, in resource "google_folder_iam_binding" "owners":
34: resource "google_folder_iam_binding" "owners" {
...
repeated 3 timesConfig state:
service-account.json created in a project and adding the service-account's email ([email protected] into a member in an organization level (Role: Owner,Folder Admin, Folder IAM Admin, Organization Viewer)Thanks.
You're supposed to be able to pass in a list of all_folder_admins which should create the folder bindings accordingly. This is not happening due to the conditional inside the folder binding resource.
You pass in a list of folder admins, i.e.
all_folder_admins = [
"group:[email protected]"
]
and you see on plan/apply folder binding resources with the above values.
passing the aforementioned variable was as ineffective as Ranier Wolfcastle's goggles during the tsunami of acid scene in Radioactive Man: The Movie.
Looking at the Terraform module code it appears that the local value local.folder_admin_roles_map_data expects var.per_folder_admins to be set. This local is a requirement for the resource google_folder_iam_binding.owners, however if you just pass in the list of roles for all_folder_admins and nothing for the aforementioned variable the folder binding is completely ignored.
module "folder" {
source = "terraform-google-modules/folders/google"
version = "4.0.0"
parent = "folder/12345667"
set_roles = true
all_folder_admins = ["group:[email protected]"]
names = ["bob_folder"]
}`v1.5.2`The docs for all_folder_admins specifies: List of roles that will be applied to a folder if roles are not explictly specified in per_folder_admins.
This suggests that if per_folder_admins is not passed in this should be properly handled, but as you can see in the Terraform if per_folder_admins is not passed in the iam binding resource for_each just sees an empty map.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.