forked from GoogleCloudPlatform/cloud-foundation-fabric
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.tf
114 lines (107 loc) · 4.75 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
bootstrap_oauth_client = var.oauth_config.client_secret == null || var.oauth_config.client_id == null
looker_instance_name = "${local.prefix}${var.name}"
oauth_client_id = local.bootstrap_oauth_client ? google_iap_client.looker_client[0].client_id : var.oauth_config.client_id
oauth_client_secret = local.bootstrap_oauth_client ? google_iap_client.looker_client[0].secret : var.oauth_config.client_secret
prefix = var.prefix == null ? "" : "${var.prefix}-"
}
resource "google_looker_instance" "looker" {
project = var.project_id
name = local.looker_instance_name
consumer_network = try(var.network_config.psa_config.network, null)
platform_edition = var.platform_edition
private_ip_enabled = try(var.network_config.psa_config.enable_private_ip, null)
public_ip_enabled = coalesce(var.network_config.public, false) || try(var.network_config.psa_config.enable_public_ip, false)
region = var.region
reserved_range = try(var.network_config.psa_config.allocated_ip_range, null)
oauth_config {
client_id = local.oauth_client_id
client_secret = local.oauth_client_secret
}
dynamic "admin_settings" {
for_each = var.admin_settings != null ? [""] : []
content {
allowed_email_domains = var.admin_settings.allowed_email_domains
}
}
dynamic "custom_domain" {
for_each = var.custom_domain != null ? [""] : []
content {
domain = var.custom_domain
}
}
dynamic "deny_maintenance_period" {
for_each = var.maintenance_config.deny_maintenance_period != null ? [1] : []
content {
start_date {
year = var.maintenance_config.deny_maintenance_period.start_date.year
month = var.maintenance_config.deny_maintenance_period.start_date.month
day = var.maintenance_config.deny_maintenance_period.start_date.day
}
end_date {
year = var.maintenance_config.deny_maintenance_period.start_date.year
month = var.maintenance_config.deny_maintenance_period.start_date.month
day = var.maintenance_config.deny_maintenance_period.start_date.day
}
time {
hours = var.maintenance_config.deny_maintenance_period.start_times.hours
minutes = var.maintenance_config.deny_maintenance_period.start_times.minutes
seconds = var.maintenance_config.deny_maintenance_period.start_times.seconds
nanos = var.maintenance_config.deny_maintenance_period.start_times.nanos
}
}
}
dynamic "encryption_config" {
for_each = var.encryption_config != null ? [""] : []
content {
kms_key_name = var.encryption_config.kms_key_name
}
}
dynamic "maintenance_window" {
for_each = var.maintenance_config.maintenance_window != null ? [""] : []
content {
day_of_week = var.maintenance_config.maintenance_window.day
start_time {
hours = var.maintenance_config.maintenance_window.start_times.hours
minutes = var.maintenance_config.maintenance_window.start_times.minutes
seconds = var.maintenance_config.maintenance_window.start_times.seconds
nanos = var.maintenance_config.maintenance_window.start_times.nanos
}
}
}
lifecycle {
ignore_changes = [
oauth_config # do not replace target oauth client updated on the console with default one
]
}
}
# Only "Organization Internal" brands can be created programmatically via API. To convert it into an external brands please use the GCP Console.
resource "google_iap_brand" "looker_brand" {
count = local.bootstrap_oauth_client ? 1 : 0
support_email = var.oauth_config.support_email
# application_title = "Looker Core Application"
application_title = "Cloud IAP protected Application"
project = var.project_id
}
# Only internal org clients can be created via declarative tools. External clients must be manually created via the GCP console.
# This is a temporary IAP oauth client to be replaced after Looker Core is provisioned.
resource "google_iap_client" "looker_client" {
count = local.bootstrap_oauth_client ? 1 : 0
display_name = "Looker Core default oauth client."
brand = google_iap_brand.looker_brand[0].name
}