feat!: Add dimensions argument to consumer quota override (#683)

* Add dimensions argument to consumer quota override

* Add quota_project test suite

* Setup quota project test draft

* Update version

* Verify WAI

* Verify dimensions works and add tests

* Fix Cloud Build int file

* Forgot to change variable in gsuite_enabled module

* Generate docs

* Update w/ nit suggestions

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

README.md

@@ -128,7 +128,7 @@ determining that location is as follows:
 | budget\_display\_name | The display name of the budget. If not set defaults to `Budget For <projects[0]|All Projects>` | `string` | `null` | no |
 | budget\_labels | A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget. | `map(string)` | `{}` | no |
 | budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
-| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | `[]` | no |
+| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service    = string,<br>    metric     = string,<br>    dimensions = map(string),<br>    limit      = string,<br>    value      = string,<br>  }))</pre> | `[]` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
 | default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |
 | default\_service\_account | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | `string` | `"disable"` | no |

build/int.cloudbuild.yaml

@@ -138,6 +138,28 @@ steps:
     - verify vpc-sc-project-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && export TF_VAR_policy_id=$(gcloud access-context-manager policies list --organization="${TF_VAR_org_id:?}" --format="value(name)") && kitchen_do destroy vpc-sc-project-local']
+
+- id: init-quota-project-example
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestQuotaProject --stage init --verbose']
+- id: apply-quota-project-example
+  waitFor:
+    - init-quota-project-example
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestQuotaProject --stage apply --verbose']
+- id: verify-quota-project-example
+  waitFor:
+    - apply-quota-project-example
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestQuotaProject --stage verify --verbose']
+- id: destroy-quota-project-example
+  waitFor:
+    - verify-quota-project-example
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestQuotaProject --stage destroy --verbose']
+
 tags:
 - 'ci'
 - 'integration'

examples/quota_project/README.md

@@ -1,4 +1,4 @@
-# Budget Project
+# Quota Project
 
 This example illustrates how to use quota_manager submodule to override customer quotas.
 
@@ -7,12 +7,14 @@ This example illustrates how to use quota_manager submodule to override customer
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| project\_id | The GCP project you want to override the consumer quotas. | `string` | n/a | yes |
+| billing\_account | The ID of the billing account to associate this project with | `string` | n/a | yes |
+| folder\_id | The ID of a folder to host this project. | `string` | `""` | no |
+| org\_id | The organization ID. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| quota\_overrides | The server-generated names of the quota override in the provided project. |
+| project\_id | The project ID in which to override quota |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/quota_project/main.tf

@@ -17,21 +17,43 @@
 /******************************************
   Consumer Quota
  *****************************************/
-module "project_quota_manager" {
-  source = "../../modules/quota_manager"
 
-  project_id = var.project_id
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+module "quota-project" {
+  source            = "../../"
+  name              = "pf-ci-test-quota-${random_string.suffix.result}"
+  random_project_id = true
+  org_id            = var.org_id
+  folder_id         = var.folder_id
+  billing_account   = var.billing_account
+
+  activate_apis = [
+    "serviceusage.googleapis.com",
+    "compute.googleapis.com",
+    "servicemanagement.googleapis.com"
+  ]
+
   consumer_quotas = [
     {
       service = "compute.googleapis.com"
-      metric  = "SimulateMaintenanceEventGroup"
-      limit   = "%2F100s%2Fproject"
-      value   = "19"
-      }, {
-      service = "servicemanagement.googleapis.com"
-      metric  = "servicemanagement.googleapis.com%2Fdefault_requests"
-      limit   = "%2Fmin%2Fproject"
-      value   = "95"
+      metric  = urlencode("compute.googleapis.com/n2_cpus")
+      limit   = urlencode("/project/region")
+      dimensions = {
+        region = "us-central1"
+      }
+      value = "10"
+    },
+    {
+      service    = "servicemanagement.googleapis.com"
+      metric     = urlencode("servicemanagement.googleapis.com/default_requests")
+      limit      = urlencode("/min/project")
+      dimensions = {}
+      value      = "95"
     }
   ]
 }

examples/quota_project/outputs.tf

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-output "quota_overrides" {
-  description = "The server-generated names of the quota override in the provided project."
-  value       = module.project_quota_manager.quota_overrides
+output "project_id" {
+  description = "The project ID in which to override quota"
+  value       = module.quota-project.project_id
 }

examples/quota_project/variables.tf

@@ -14,7 +14,18 @@
  * limitations under the License.
  */
 
-variable "project_id" {
-  description = "The GCP project you want to override the consumer quotas."
+variable "org_id" {
+  description = "The organization ID."
+  type        = string
+}
+
+variable "folder_id" {
+  description = "The ID of a folder to host this project."
+  type        = string
+  default     = ""
+}
+
+variable "billing_account" {
+  description = "The ID of the billing account to associate this project with"
   type        = string
 }

modules/gsuite_enabled/README.md

@@ -69,7 +69,7 @@ The roles granted are specifically:
 | budget\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` | <pre>[<br>  0.5,<br>  0.7,<br>  1<br>]</pre> | no |
 | budget\_amount | The amount to use for a budget alert | `number` | `null` | no |
 | budget\_monitoring\_notification\_channels | A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed. | `list(string)` | `[]` | no |
-| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | `[]` | no |
+| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service    = string,<br>    metric     = string,<br>    dimensions = any,<br>    limit      = string,<br>    value      = string,<br>  }))</pre> | `[]` | no |
 | create\_group | Whether to create the group or not | `bool` | `false` | no |
 | create\_project\_sa | Whether the default service account for the project shall be created | `bool` | `true` | no |
 | default\_network\_tier | Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers. | `string` | `""` | no |

modules/gsuite_enabled/variables.tf

@@ -213,10 +213,11 @@ variable "budget_alert_spent_percents" {
 variable "consumer_quotas" {
   description = "The quotas configuration you want to override for the project."
   type = list(object({
-    service = string,
-    metric  = string,
-    limit   = string,
-    value   = string,
+    service    = string,
+    metric     = string,
+    dimensions = any,
+    limit      = string,
+    value      = string,
   }))
   default = []
 }

modules/quota_manager/README.md

@@ -14,11 +14,13 @@ module "project_quota_manager" {
     {
         service        = "compute.googleapis.com"
         metric         = "SimulateMaintenanceEventGroup"
+        dimensions     = { region = "us-central1" }
         limit          = "%2F100s%2Fproject"
         value = "19"
     },{
         service        = "servicemanagement.googleapis.com"
         metric         = "servicemanagement.googleapis.com%2Fdefault_requests"
+        dimensions     = {}
         limit          = "%2Fmin%2Fproject"
         value = "95"
     }
@@ -31,7 +33,7 @@ module "project_quota_manager" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service = string,<br>    metric  = string,<br>    limit   = string,<br>    value   = string,<br>  }))</pre> | n/a | yes |
+| consumer\_quotas | The quotas configuration you want to override for the project. | <pre>list(object({<br>    service    = string,<br>    metric     = string,<br>    dimensions = map(string),<br>    limit      = string,<br>    value      = string,<br>  }))</pre> | n/a | yes |
 | project\_id | The GCP project where you want to manage the consumer quotas | `string` | n/a | yes |
 
 ## Outputs

modules/quota_manager/main.tf

@@ -26,6 +26,7 @@ resource "google_service_usage_consumer_quota_override" "override" {
   service        = each.value.service
   metric         = each.value.metric
   limit          = each.value.limit
+  dimensions     = each.value.dimensions
   override_value = each.value.value
   force          = true
 }

modules/quota_manager/variables.tf

@@ -22,9 +22,10 @@ variable "project_id" {
 variable "consumer_quotas" {
   description = "The quotas configuration you want to override for the project."
   type = list(object({
-    service = string,
-    metric  = string,
-    limit   = string,
-    value   = string,
+    service    = string,
+    metric     = string,
+    dimensions = map(string),
+    limit      = string,
+    value      = string,
   }))
 }

modules/quota_manager/versions.tf

@@ -20,7 +20,7 @@ terraform {
   required_providers {
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.1, < 5.0"
+      version = "~> 4.11"
     }
   }
 }

test/integration/go.mod

@@ -3,11 +3,13 @@ module github.com/terraform-google-modules/terraform-google-project-factory/test
 go 1.17
 
 require (
-	github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.0.0-20220204062018-068713996f36
+	github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.0.0-20220401205256-9f9a444009fd
 	github.com/stretchr/testify v1.7.0
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 )
 
 require (
+	cloud.google.com/go v0.51.0 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/agext/levenshtein v1.2.1 // indirect
@@ -18,6 +20,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.3 // indirect
 	github.com/go-openapi/jsonreference v0.19.3 // indirect
 	github.com/go-openapi/swag v0.19.5 // indirect
+	github.com/golang/protobuf v1.4.2 // indirect
 	github.com/gruntwork-io/terratest v0.35.6 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.0 // indirect
@@ -28,14 +31,17 @@ require (
 	github.com/mitchellh/go-testing-interface v1.14.2-0.20210217184823-a52172cd2f64 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/tidwall/gjson v1.10.2 // indirect
+	github.com/tidwall/gjson v1.12.1 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/tidwall/sjson v1.2.4 // indirect
 	github.com/zclconf/go-cty v1.2.1 // indirect
 	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
 	golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420 // indirect
 	golang.org/x/sys v0.0.0-20210603125802-9665404d3644 // indirect
 	golang.org/x/text v0.3.6 // indirect
+	google.golang.org/appengine v1.6.5 // indirect
+	google.golang.org/protobuf v1.24.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect