fixed terraform dependencies

GoogleCloudPlatform · Oct 29, 2023 · 064f8d6 · 064f8d6
1 parent dcafdca
commit 064f8d6
Show file tree

Hide file tree

Showing 8 changed files with 69 additions and 39 deletions.
diff --git a/deploy/external_load_balancer/cloud_run.tf b/deploy/external_load_balancer/cloud_run.tf
@@ -67,7 +67,7 @@ resource "google_cloud_run_v2_service" "api_service" {
 	    }
      }
   }
-  depends_on = [null_resource.build_api_image]
+  depends_on = [google_project_service.tag_engine_project, null_resource.build_api_image]
 }
 
 output "api_service_uri" {
@@ -148,7 +148,7 @@ resource "google_cloud_run_v2_service" "ui_service" {
 	    egress = "PRIVATE_RANGES_ONLY"
 	}
   }
-  depends_on = [null_resource.build_ui_image]
+  depends_on = [google_project_service.tag_engine_project, null_resource.build_ui_image]
 }
 
 output "ui_service_uri" {

diff --git a/deploy/external_load_balancer/firestore.tf b/deploy/external_load_balancer/firestore.tf
@@ -4,16 +4,32 @@
 # created automatically when the API is enabled. 
 # ************************************************************ #
 
-#resource "google_firestore_database" "create" {
-  #project     = var.tag_engine_project
-  #name        = "(default)"
-  #location_id = var.firestore_region
-  #type        = "FIRESTORE_NATIVE"
+resource "google_firestore_database" "create" {
+  project     = var.tag_engine_project
+  name        = "(default)"
+  location_id = var.firestore_region
+  type        = "FIRESTORE_NATIVE"
 
-  #depends_on = [google_project_service.tag_engine_project]
-  #}
+  depends_on = [google_project_service.tag_engine_project]
+}
+
+
+# ************************************************************ #
+# Install python packages
+# ************************************************************ #
+resource "null_resource" "install_packages" {
 
+provisioner "local-exec" {
+  command = "/bin/bash install_packages.sh"
+}
+
+triggers = {
+  always_run = timestamp()
+}
 
+depends_on = [google_cloud_run_v2_service.api_service, google_cloud_run_v2_service.ui_service]
+}
+
 # ************************************************************ #
 # Create the firestore indexes
 # ************************************************************ #
@@ -24,6 +40,6 @@ resource "null_resource" "firestore_indexes" {
     command = "python create_indexes.py ${var.tag_engine_project}"
   }
 
-  depends_on = [google_project_service.tag_engine_project]
+  depends_on = [google_firestore_database.create, null_resource.install_packages]
 }
 
diff --git a/deploy/external_load_balancer/iam_bindings.tf b/deploy/external_load_balancer/iam_bindings.tf
@@ -140,20 +140,19 @@ resource "google_project_iam_binding" "loggingViewer" {
   depends_on = [google_project_service.tag_engine_project]
 }
 
-resource "google_project_iam_binding" "PolicyTagReader" {
-  project = var.tag_engine_project
-  role    = "projects/${var.tag_engine_project}/roles/PolicyTagReader"
-  members = ["serviceAccount:${var.tag_creator_sa}"]
-  depends_on = [google_project_service.tag_engine_project]
-}
-
 resource "google_project_iam_binding" "BigQuerySchemaUpdate" {
   project = var.bigquery_project
   role    = "projects/${var.bigquery_project}/roles/BigQuerySchemaUpdate"
   members = ["serviceAccount:${var.tag_creator_sa}"]
-  depends_on = [google_project_service.tag_engine_project]
+  depends_on = [google_project_iam_custom_role.bigquery_schema_update]
 }
 
+resource "google_project_iam_binding" "PolicyTagReader" {
+  project = var.tag_engine_project
+  role    = "projects/${var.tag_engine_project}/roles/PolicyTagReader"
+  members = ["serviceAccount:${var.tag_creator_sa}"]
+  depends_on = [google_project_iam_custom_role.policy_tag_reader]
+}
 
 # ************************************************************ #
 # Create the service account policy bindings for tag_engine_sa

diff --git a/deploy/external_load_balancer/variables.tf b/deploy/external_load_balancer/variables.tf
@@ -1,7 +1,7 @@
 variable "required_apis" {
 	type = list
 	description = "list of required GCP services"
-	default = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbuild.googleapis.com", "artifactregistry.googleapis.com", "vpcaccess.googleapis.com", "cloudtasks.googleapis.com", "firestore.googleapis.com", "datacatalog.googleapis.com", "iap.googleapis.com"] 
+	default = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbuild.googleapis.com", "artifactregistry.googleapis.com", "run.googleapis.com", "vpcaccess.googleapis.com", "cloudtasks.googleapis.com", "firestore.googleapis.com", "datacatalog.googleapis.com", "iap.googleapis.com"] 
 }
 
 variable "tag_engine_project" {
@@ -96,4 +96,4 @@ variable "oauth_client_secret" {
 variable "authorized_user_accounts" {
   type = list(string)
   description = "The list of users you want to authorize to use the Tag Engine UI. Provide the email address for each user, which must be a google identity." 
-}
+}
diff --git a/deploy/without_load_balancer/cloud_run.tf b/deploy/without_load_balancer/cloud_run.tf
@@ -66,7 +66,7 @@ resource "google_cloud_run_v2_service" "api_service" {
 	    }
      }
   }
-  depends_on = [null_resource.build_api_image]
+  depends_on = [google_project_service.tag_engine_project, null_resource.build_api_image]
 }
 
 output "api_service_uri" {
@@ -134,7 +134,7 @@ resource "google_cloud_run_v2_service" "ui_service" {
 	    }
      }
   }
-  depends_on = [null_resource.build_ui_image]
+  depends_on = [google_project_service.tag_engine_project, null_resource.build_ui_image]
 }
 
 output "ui_service_uri" {

diff --git a/deploy/without_load_balancer/firestore.tf b/deploy/without_load_balancer/firestore.tf
@@ -4,16 +4,32 @@
 # created automatically when the API is enabled. 
 # ************************************************************ #
 
-#resource "google_firestore_database" "create" {
-  #project     = var.tag_engine_project
-  #name        = "(default)"
-  #location_id = var.firestore_region
-  #type        = "FIRESTORE_NATIVE"
+resource "google_firestore_database" "create" {
+  project     = var.tag_engine_project
+  name        = "(default)"
+  location_id = var.firestore_region
+  type        = "FIRESTORE_NATIVE"
 
-  #depends_on = [google_project_service.tag_engine_project]
-  #}
+  depends_on = [google_project_service.tag_engine_project]
+}
+
+
+# ************************************************************ #
+# Install python packages
+# ************************************************************ #
+resource "null_resource" "install_packages" {
 
+provisioner "local-exec" {
+  command = "/bin/bash install_packages.sh"
+}
+
+triggers = {
+  always_run = timestamp()
+}
 
+depends_on = [google_cloud_run_v2_service.api_service, google_cloud_run_v2_service.ui_service]
+}
+
 # ************************************************************ #
 # Create the firestore indexes
 # ************************************************************ #
@@ -24,6 +40,6 @@ resource "null_resource" "firestore_indexes" {
     command = "python create_indexes.py ${var.tag_engine_project}"
   }
 
-  depends_on = [google_project_service.tag_engine_project]
+  depends_on = [google_firestore_database.create, null_resource.install_packages]
 }
 
diff --git a/deploy/without_load_balancer/iam_bindings.tf b/deploy/without_load_balancer/iam_bindings.tf
@@ -140,20 +140,19 @@ resource "google_project_iam_binding" "loggingViewer" {
   depends_on = [google_project_service.tag_engine_project]
 }
 
-resource "google_project_iam_binding" "PolicyTagReader" {
-  project = var.tag_engine_project
-  role    = "projects/${var.tag_engine_project}/roles/PolicyTagReader"
-  members = ["serviceAccount:${var.tag_creator_sa}"]
-  depends_on = [google_project_service.tag_engine_project]
-}
-
 resource "google_project_iam_binding" "BigQuerySchemaUpdate" {
   project = var.bigquery_project
   role    = "projects/${var.bigquery_project}/roles/BigQuerySchemaUpdate"
   members = ["serviceAccount:${var.tag_creator_sa}"]
-  depends_on = [google_project_service.tag_engine_project]
+  depends_on = [google_project_iam_custom_role.bigquery_schema_update]
 }
 
+resource "google_project_iam_binding" "PolicyTagReader" {
+  project = var.tag_engine_project
+  role    = "projects/${var.tag_engine_project}/roles/PolicyTagReader"
+  members = ["serviceAccount:${var.tag_creator_sa}"]
+  depends_on = [google_project_iam_custom_role.policy_tag_reader]
+}
 
 # ************************************************************ #
 # Create the service account policy bindings for tag_engine_sa

diff --git a/deploy/without_load_balancer/variables.tf b/deploy/without_load_balancer/variables.tf
@@ -1,7 +1,7 @@
 variable "required_apis" {
 	type = list
 	description = "list of required GCP services"
-	default = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbuild.googleapis.com", "artifactregistry.googleapis.com", "vpcaccess.googleapis.com", "cloudtasks.googleapis.com", "firestore.googleapis.com", "datacatalog.googleapis.com", "iap.googleapis.com"] 
+	default = ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbuild.googleapis.com", "artifactregistry.googleapis.com", "cloudtasks.googleapis.com", "firestore.googleapis.com", "datacatalog.googleapis.com", "run.googleapis.com"] 
 }
 
 variable "tag_engine_project" {