@memes
Last active April 17, 2020 20:18
New automation project files
# Use the virtualenv defined for this project
layout virtualenvwrapper VENV_NAME
unset PS1
# Ignore my direnv setup
.envrc
# Ignore Terraform plugin/module cache and local state files
.terraform
*.tfstate
*.tfstate.backup
# Don't include any local automatic variable assignment files
terraform.tfvars
terraform.tfvars.json
*.auto.tfvars
*.auto.tfvars.json
# Do not accidentally include any Ansible retry state files
*.retry
# Ignore Molecule pyc tests
__pycache__
repos:
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.22.0
    hooks:
      - id: yamllint
        files: \.(yml|yaml)$
        types: [file, yaml]
        entry: yamllint --strict
  - repo: https://github.com/ansible/ansible-lint
    rev: v4.3.0a0
    hooks:
      # Use the hook's own ansible-lint entry point; overriding it with
      # yamllint (as the original had) would silently skip Ansible linting.
      - id: ansible-lint
        files: \.(yml|yaml)$
        types: [file, yaml]
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.29.0
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_docs
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v2.5.0
    hooks:
      - id: check-executables-have-shebangs
      - id: check-json
      - id: check-merge-conflict
      - id: check-xml
      - id: check-yaml
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: pretty-format-json
        args: [--autofix]
      - id: sort-simple-yaml
      - id: trailing-whitespace
  - repo: https://github.com/thoughtworks/talisman
    rev: v1.2.0
    hooks:
      - id: talisman-commit

NAME

Installation

This section should be removed when the installation is complete.

  1. Create git for project

    git init ~/projects/path/to/NAME
  2. Make a virtual env for the project

    mkvirtualenv -a ~/projects/path/to/NAME -p python3 NAME
  3. Modify .envrc to use the new virtual env, and enable direnv

    direnv allow
  4. Install pre-commit hooks and update to the latest plugins

    pre-commit install --install-hooks
    pre-commit autoupdate
# This module has been tested with Terraform 0.12 only.
#
# Note: GCS backend requires the current user to have valid application-default
# credentials. An error like '... failed: dialing: google: could not find default
# credentials' indicates that the calling user must (re-)authenticate application
# default credentials using `gcloud auth application-default login`.
terraform {
  required_version = "~> 0.12"
  backend "gcs" {
    bucket = "[STATE_BUCKET]"
    prefix = "[STATE/PATH]"
  }
}

# Provider configuration is handled in providers.tf

# Get the GCP organization via associated domain name
data "google_organization" "org" {
  domain = var.domain_name
}

# To avoid mistakes, I like to reference the billing account by friendly name and
# use that to get the billing ID.
data "google_billing_account" "billing" {
  display_name = var.billing_account_name
  open         = true
}
# This module makes use of service account impersonation to allow organization
# user accounts to act as the org-wide Terraform service account. This file
# defines the initialisation of google and google-beta providers that are acting
# as the named service account, assuming that the invoking user account has the
# permissions to create an authentication token for the service account.

# Instantiate a google provider aliased as 'executor'. This provider will use
# the calling user's credentials to authenticate to GCP APIs.
provider "google" {
  version = "~> 3.14"
  alias   = "executor"
}

# Force the use of google.executor for initial API client configuration.
data "google_client_config" "executor" {
  provider = google.executor
}

# Attempt to retrieve an authentication token for the named service account
# using the calling user's credentials.
# This will fail if the caller does not have IAM permissions on the target
# service account.
data "google_service_account_access_token" "sa_token" {
  provider               = google.executor
  target_service_account = var.tf_sa_email
  lifetime               = format("%ds", var.tf_sa_token_lifetime_secs)
  # Force scope to 'cloud-platform' so that IAM is solely responsible for permissions
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
  ]
}

# Instantiate unaliased google provider that is using the token associated with
# the target service account. This is the provider that will be used for
# resource creation.
provider "google" {
  version      = "~> 3.14"
  access_token = data.google_service_account_access_token.sa_token.access_token
}

# Instantiate unaliased google-beta provider that is using the token associated
# with the target service account. This is the provider that will be used for
# resource creation.
provider "google-beta" {
  version      = "~> 3.14"
  access_token = data.google_service_account_access_token.sa_token.access_token
}
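The token exchange that the `google_service_account_access_token` data source above performs is a single IAM Credentials API call. The following is an added example, not part of the gist, that builds that same `generateAccessToken` request (same target account, `lifetime` string and pinned `cloud-platform` scope) and rejects inputs the API or the design would not accept; the service account address is a constructed placeholder, and the 3600 s cap is the API's default maximum lifetime.

```python
"""Reproduce, outside Terraform, the impersonation step from providers.tf:
POST iamcredentials generateAccessToken using the caller's own credentials."""
import re

IAMCREDENTIALS = "https://iamcredentials.googleapis.com/v1"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
MAX_LIFETIME_SECS = 3600  # API default cap; longer needs an org-policy extension
SA_EMAIL_RE = re.compile(
    r"^[a-z][-a-z0-9]{5,29}@[a-z][-a-z0-9]{5,29}\.iam\.gserviceaccount\.com$")


def build_generate_token_request(sa_email, lifetime_secs,
                                 scopes=(CLOUD_PLATFORM_SCOPE,)):
    """Return (url, json_body) mirroring target_service_account, lifetime and
    scopes in providers.tf. Fails early on values the API would reject or that
    would weaken the 'IAM alone decides permissions' design."""
    if not SA_EMAIL_RE.match(sa_email):
        raise ValueError(f"not a service account email: {sa_email!r}")
    secs = int(lifetime_secs)
    if not 1 <= secs <= MAX_LIFETIME_SECS:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_SECS}s, got {secs}")
    if list(scopes) != [CLOUD_PLATFORM_SCOPE]:
        raise ValueError("scopes must be exactly cloud-platform")
    url = f"{IAMCREDENTIALS}/projects/-/serviceAccounts/{sa_email}:generateAccessToken"
    # "1200s" is what format("%ds", var.tf_sa_token_lifetime_secs) yields in HCL
    body = {"scope": list(scopes), "lifetime": f"{secs}s"}
    return url, body


def generate_access_token(sa_email, lifetime_secs=1200):
    """Perform the exchange with application-default credentials (needs the
    google-auth package listed in requirements.txt and network access)."""
    import google.auth  # imported lazily so the builder stays offline-testable
    from google.auth.transport.requests import AuthorizedSession
    url, body = build_generate_token_request(sa_email, lifetime_secs)
    creds, _ = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    resp = AuthorizedSession(creds).post(url, json=body)
    if resp.status_code == 403:
        # Same failure providers.tf warns about: the caller lacks
        # roles/iam.serviceAccountTokenCreator on the target service account.
        raise PermissionError(resp.text)
    resp.raise_for_status()
    return resp.json()  # {"accessToken": "...", "expireTime": "..."}


if __name__ == "__main__":
    # constructed placeholder address, not a real account
    print(build_generate_token_request(
        "org-terraform@bootstrap-project.iam.gserviceaccount.com", 1200))
```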
# Ansible role development and testing
molecule>=3.0
-r requirements.txt
# Ansible requirements
ansible>=2.9
google-auth>=1.13
pywinrm>=0.4
variable "tf_sa_email" {
  type        = string
  description = <<EOD
The fully-qualified email address of the Terraform service account to use for
project creation. E.g.
tf_sa_email = "org-terraform@[BOOTSTRAP_PROJECT].iam.gserviceaccount.com"
EOD
}

variable "tf_sa_token_lifetime_secs" {
  type        = number
  default     = 1200
  description = <<EOD
The expiration duration for the service account token, in seconds. This value
should be high enough to prevent token timeout issues during resource creation,
but short enough that the token is useless if replayed later. Default value is 1200.
EOD
}

variable "domain_name" {
  type        = string
  description = <<EOD
The TLD associated with the organisation that will be bootstrapped for Terraform
use.
E.g.
domain_name = "example.com"
EOD
}

variable "billing_account_name" {
  type        = string
  description = <<EOD
The billing display name associated with the GCP billing account to use for the
project, not the 20 char hexadecimal identifier.
E.g.
billing_account_name = "my-billing-account"
EOD
}