/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# Source dataset: holds the tables the authorized views further down read from.
# Everything except the dataset identity comes in through input variables so the
# example can be pointed at a different project or table set without edits.
module "bigquery_tables" {
  source = "../.."

  project_id = var.table_project_id
  location   = "US"

  dataset_id   = "foo"
  dataset_name = "foo"
  description  = "some description"

  tables         = var.tables
  dataset_labels = var.table_dataset_labels

  # Passed through from a variable rather than hard-coded, so the caller decides
  # whether destroying this dataset is allowed to take its contents with it.
  delete_contents_on_destroy = var.delete_contents_on_destroy

  # Access control is deliberately NOT declared on this dataset. It is managed
  # by the "authorization" module below, which is also what grants the
  # authorized views; an access block here would conflict with that module, so
  # the list stays empty and the authorization module is the single source of
  # truth for who can read these tables.
  access = []
}
# Consumer-facing dataset: contains only views, never the raw tables. Readers of
# this dataset reach the source tables solely through the authorized views
# granted by the "authorization" module below, so each view's SQL is the
# effective boundary for what data is exposed here.
module "bigquery_views_without_pii" {
  source = "../.."

  project_id = var.view_project_id
  location   = "US"

  # Referencing the tables module's output creates an implicit dependency, so
  # Terraform builds the source tables before the views that select from them.
  dataset_id   = "${module.bigquery_tables.bigquery_dataset.dataset_id}_view_without_pii"
  dataset_name = "foo view"
  description  = "some description"

  views          = var.views
  dataset_labels = var.view_dataset_labels

  delete_contents_on_destroy = var.delete_contents_on_destroy

  # Unlike the tables dataset, access is declared inline here: project owners
  # get dataOwner on the view dataset. Anyone who can edit views in this
  # dataset can change what the authorized views select, so keep this list
  # tight and review view definitions as carefully as direct table grants.
  access = [
    {
      role          = "roles/bigquery.dataOwner"
      special_group = "projectOwners"
    }
  ]
}
# It is possible to pass the view access to the dataset resource directly, but that creates a chicken-and-egg problem:
# the views must be created after the tables, while the access control on the tables needs the views to exist first.
# We therefore grant the authorized views in a separate step, after both the tables and the views have been created.
# Grants on the tables dataset. This module owns the access policy of the
# source tables (see the empty `access` list on the tables module): ordinary
# IAM-style roles go in `roles`, and `authorized_views` lets the listed views
# query the tables without their readers needing any grant on the tables
# dataset themselves.
module "authorization" {
  source = "../../modules/authorization"

  project_id = var.table_project_id
  dataset_id = module.bigquery_tables.bigquery_dataset.dataset_id

  # No direct role grants in this example; uncomment and adapt to add some.
  roles = []
  # roles = [
  #   {
  #     role           = "roles/bigquery.dataEditor"
  #     group_by_email = "[email protected]"
  #   }
  # ]

  # One authorized-view entry per view defined in var.views, pointing at the
  # view dataset created above. Every view listed here gains read access to
  # the source tables, so a new entry in var.views is effectively a new grant.
  authorized_views = [
    for v in var.views : {
      project_id = var.view_project_id,
      dataset_id = module.bigquery_views_without_pii.bigquery_dataset.dataset_id,
      table_id   = v.view_id
    }
  ]
}