feat: implement GCP modules for API management, budget, and Firestore, including variables, resources, and outputs#6
Pull request overview
Adds first-class Terraform support for managing GCP resources alongside existing AWS workspaces, including API enablement, budget alerts, and Firestore provisioning.
Changes:
- Introduces new reusable GCP modules: API enablement, billing budget, and Firestore database.
- Wires GCP provider configuration + new modules into the root and prod workspaces.
- Adds new variables/outputs and updates provider constraints/lockfiles for Google providers.
Reviewed changes
Copilot reviewed 21 out of 23 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| workspaces/root/variables.tf | Adds gcp_project_id / gcp_region inputs for root workspace. |
| workspaces/root/terraform.tfvars | Provides default root values for new GCP inputs. |
| workspaces/root/providers.tf | Configures the Google provider for the root workspace. |
| workspaces/root/main.tf | Instantiates the new Firestore module in root. |
| workspaces/root/outputs.tf | Exposes Firestore DB ID output from root. |
| workspaces/root/backend.tf | Adds Google provider requirement/version constraint. |
| workspaces/root/.terraform.lock.hcl | Locks Google provider version/hashes for root workspace. |
| workspaces/prod/variables.tf | Adds prod GCP variables including a GCP budget limit. |
| workspaces/prod/terraform.tfvars | Sets prod defaults for new GCP variables. |
| workspaces/prod/providers.tf | Updates Google provider configuration; removes google-beta provider block. |
| workspaces/prod/main.tf | Adds GCP API enablement, budget, and Firestore modules to prod. |
| workspaces/prod/outputs.tf | Exposes prod GCP outputs (enabled APIs, budget name, Firestore DB ID). |
| workspaces/prod/backend.tf | Bumps Google/Google-beta provider version constraints. |
| workspaces/prod/.terraform.lock.hcl | Updates Google/Google-beta lock entries and constraints. |
| modules/gcp/api/* | New module to enable a list of GCP APIs for a project. |
| modules/gcp/budget/* | New module to create a billing budget + email notification channel. |
| modules/gcp/firestore/* | New module to enable Firestore API and create a Firestore database. |
Files not reviewed (2)
- workspaces/prod/.terraform.lock.hcl: Language not supported
- workspaces/root/.terraform.lock.hcl: Language not supported
| "storage.googleapis.com", | ||
| ] | ||
| aws_region = "ap-southeast-1" | ||
| gcp_project_id = "durianpy-cms" |
gcp_project_id is set here to "durianpy-cms", which conflicts with the prod workspace default ("durianpy-prod") and the header comment suggesting it should be provided via Terraform Cloud workspace variables. This can accidentally apply prod resources into the wrong GCP project; update this value to the prod project (or remove it from tfvars and set it via TFC variables).
| gcp_project_id = "durianpy-cms" | |
| gcp_project_id = "durianpy-prod" |
| "cloudresourcemanager.googleapis.com", | ||
| "firestore.googleapis.com" |
firestore.googleapis.com is enabled here via module.gcp_project_apis, but the Firestore module also manages the same API with its own google_project_service resource. Managing the same project service from two Terraform resources will typically fail with “already managed”/conflict errors; pick a single place to enable this API (e.g., remove it from this list or make the Firestore module’s API-enabling optional).
| "cloudresourcemanager.googleapis.com", | |
| "firestore.googleapis.com" | |
| "cloudresourcemanager.googleapis.com" |
| resource "google_project_service" "firestore" { | ||
| project = var.project_id | ||
| service = var.api_service_name | ||
| disable_on_destroy = false | ||
| } |
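Review bot: `disable_on_destroy = false` on `google_project_service.firestore` means that destroying this module, or removing it from a workspace, leaves the Firestore API enabled in the project. That is the safer default for a database service, but it should be stated in the module documentation or a comment on the resource so operators do not expect a destroy to return the project to its prior state. Since the value is hard-coded, consider exposing it as a boolean input with default `false` so non-production callers that want a full teardown can opt in.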
This module unconditionally creates a google_project_service for Firestore. When the caller also enables firestore.googleapis.com elsewhere (e.g., via a shared “enable APIs” module), Terraform ends up with two resources managing the same remote service and applies can fail. Consider adding a flag to disable API enabling here (or accept an existing service resource via dependency) so callers can avoid duplicate ownership.
@copilot apply changes based on this feedback
Implemented in 58be412. I removed firestore.googleapis.com from module.gcp_project_apis in workspaces/prod/main.tf, so Firestore API enablement is owned only by the Firestore module and no longer conflicts.
No UI changes were made (Terraform-only change), so there is no UI screenshot to attach.
| @@ -0,0 +1,10 @@ | |||
| variable "gcp_project_id" { | |||
The input variable is named gcp_project_id, but the other GCP modules in this repo use project_id (e.g., modules/gcp/firestore/variables.tf:1, modules/gcp/budget/variables.tf:1). For a consistent module API and less glue code in callers, consider renaming this to project_id.
| variable "gcp_project_id" { | |
| variable "project_id" { |
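Review bot: renaming the input to `project_id` changes the module's public interface, so the caller that passes `gcp_project_id` to this module (the new API-enablement module block in workspaces/prod/main.tf listed in the file summary) must be updated in the same commit; otherwise `terraform validate` fails on an unsupported argument and a missing required input. Worth adding a `description` and `type = string` on the renamed variable as well so the module's inputs are self-documenting.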
| variable "billing_account_name" { | ||
| description = "Name of the GCP billing account to create the budget under." | ||
| type = string | ||
| default = "durianpy-cms" |
Using data.google_billing_account lookup by display_name plus a repo-specific default ("durianpy-cms") makes the module brittle: display names aren’t guaranteed unique/stable and the default may not match the actual billing account display name in other environments. Prefer taking a billing_account_id (or billing_account resource name) as an explicit required input, or at least remove the default so misconfiguration fails fast.
| default = "durianpy-cms" |
| google = { | ||
| source = "hashicorp/google" | ||
| version = ">= 6.0" | ||
| version = ">= 7.26.0" | ||
| } | ||
| google-beta = { | ||
| source = "hashicorp/google-beta" | ||
| version = ">= 6.0" | ||
| version = ">= 7.26.0" | ||
| } |
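Review bot: `version = ">= 7.26.0"` is an open-ended lower bound on both providers. The lockfile pins what was selected today, but the next `terraform init -upgrade` will pull whatever the newest major release is, and Google provider majors carry breaking resource changes. For workspace-level constraints prefer a pessimistic constraint such as `version = "~> 7.26"`, which still allows minor and patch updates within 7.x while blocking an unplanned jump to 8.x. The same applies to the google-beta entry if it is kept.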
google-beta remains listed in required_providers, but this workspace no longer configures/uses the google-beta provider (the only references are in commented-out code). If it’s no longer needed, remove it from required_providers to avoid extra provider downloads/lockfile churn; if it is needed, re-add the provider configuration block in providers.tf.
Pull request overview
Copilot reviewed 25 out of 27 changed files in this pull request and generated 2 comments.
Files not reviewed (2)
- workspaces/prod/.terraform.lock.hcl: Language not supported
- workspaces/root/.terraform.lock.hcl: Language not supported
| data "google_billing_account" "account" { | ||
| display_name = var.billing_account_name | ||
| open = true | ||
| } |
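Review bot: the `google_billing_account` lookup by `display_name` with `open = true` fails at plan time unless exactly one open account matches, and it requires the identity running Terraform to be able to list billing accounts (Billing Account Viewer or equivalent), a grant the project-scoped credentials used for the rest of this workspace may not have. If the data source stays, document that permission requirement in the module README; otherwise accept the billing account ID as an explicit input and drop the data source, which removes both the name ambiguity and the extra IAM grant.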
New modules in this repo consistently declare a terraform block with required_version and required_providers (see modules/aws/vpc/main.tf:1-9 and modules/gcp/api/main.tf:1-9). This module currently omits it; adding it would keep provider/version constraints explicit and aligned with the rest of the codebase.
| resource "google_project_service" "firestore" { | ||
| project = var.project_id | ||
| service = var.api_service_name |
New modules in this repo consistently declare a terraform block with required_version and required_providers (e.g., modules/aws/budget/main.tf:1-9, modules/gcp/api/main.tf:1-9). Adding the same here would keep provider constraints explicit and consistent across modules.
Agent-Logs-Url: https://github.com/DurianPy-Davao-Python-User-Group/durianpy-root-infra/sessions/5b4be133-b743-4c0b-9667-5af40e9eebd0
Co-authored-by: ASPactores <91829714+ASPactores@users.noreply.github.com>
No description provided.