Allow universe-bound projects to exclude services (GoogleCloudPlatform#2852)

* Allow universe-bound projects to exclude services

* Update README

Author: juliocc

modules/project/README.md

@@ -1621,8 +1621,8 @@ alerts:
 | [skip_delete](variables.tf#L240) | Deprecated. Use deletion_policy. | <code>bool</code> |  | <code>null</code> |
 | [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 | [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [universe](variables.tf#L252) | GCP universe where deploy the project. This will be prepended to the project id. | <code>string</code> |  | <code>&#34;&#34;</code> |
-| [vpc_sc](variables.tf#L259) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | <code title="object&#40;&#123;&#10;  perimeter_name    &#61; string&#10;  perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  is_dry_run        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [universe](variables.tf#L252) | GCP universe where to deploy the project. The prefix will be prepended to the project id. | <code title="object&#40;&#123;&#10;  prefix               &#61; string&#10;  unavailable_services &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_sc](variables.tf#L261) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | <code title="object&#40;&#123;&#10;  perimeter_name    &#61; string&#10;  perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  is_dry_run        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
@@ -1643,7 +1643,7 @@ alerts:
 | [quota_configs](outputs.tf#L144) | Quota configurations. |  |
 | [quotas](outputs.tf#L155) | Quota resources. |  |
 | [service_agents](outputs.tf#L160) | List of all (active) service agents for this project. |  |
-| [services](outputs.tf#L169) | Service APIs to enabled in the project. |  |
+| [services](outputs.tf#L169) | Service APIs to enable in the project. |  |
 | [sink_writer_identities](outputs.tf#L178) | Writer identities created for each sink. |  |
 | [tag_keys](outputs.tf#L185) | Tag key resources. |  |
 | [tag_values](outputs.tf#L194) | Tag value resources. |  |

modules/project/main.tf

@@ -26,7 +26,7 @@ locals {
   parent_type = var.parent == null ? null : split("/", var.parent)[0]
   parent_id   = var.parent == null ? null : split("/", var.parent)[1]
   prefix      = var.prefix == null ? "" : "${var.prefix}-"
-  project_id  = "${local.universe}${local.prefix}${var.name}"
+  project_id  = "${local.universe_prefix}${local.prefix}${var.name}"
   project = (
     var.project_create ?
     {
@@ -40,7 +40,8 @@ locals {
       name       = try(data.google_project.project[0].name, null)
     }
   )
-  universe = var.universe == "" ? "" : "${var.universe}:"
+  universe_prefix    = var.universe == null ? "" : "${var.universe.prefix}:"
+  available_services = tolist(setsubtract(var.services, try(var.universe.unavailable_services, [])))
 }
 
 data "google_project" "project" {
@@ -68,7 +69,7 @@ resource "google_project" "project" {
 }
 
 resource "google_project_service" "project_services" {
-  for_each                   = toset(var.services)
+  for_each                   = toset(local.available_services)
   project                    = local.project.project_id
   service                    = each.value
   disable_on_destroy         = var.service_config.disable_on_destroy
@@ -78,7 +79,7 @@ resource "google_project_service" "project_services" {
 
 resource "google_compute_project_metadata_item" "default" {
   for_each = (
-    contains(var.services, "compute.googleapis.com") ? var.compute_metadata : {}
+    contains(local.available_services, "compute.googleapis.com") ? var.compute_metadata : {}
   )
   project    = local.project.project_id
   key        = each.key

modules/project/outputs.tf

@@ -167,8 +167,8 @@ output "service_agents" {
 }
 
 output "services" {
-  description = "Service APIs to enabled in the project."
-  value       = var.services
+  description = "Service APIs to enable in the project."
+  value       = local.available_services
   depends_on = [
     google_project_service.project_services,
     google_project_service_identity.default,

modules/project/service-agents.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,7 +18,7 @@
 
 locals {
   services = distinct(concat(
-    var.services, var.service_agents_config.services_enabled
+    local.available_services, var.service_agents_config.services_enabled
   ))
   _service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
   # map of api => list of agents
@@ -33,7 +33,7 @@ locals {
       (agent.name) => merge(agent, {
         email      = format(agent.identity, local.project.number)
         iam_email  = "serviceAccount:${format(agent.identity, local.project.number)}"
-        create_jit = api == "cloudservices" || contains(var.services, api)
+        create_jit = api == "cloudservices" || contains(local.available_services, api)
       })
     }
   ]...)

modules/project/variables.tf

@@ -250,10 +250,12 @@ variable "skip_delete" {
 }
 
 variable "universe" {
-  description = "GCP universe where deploy the project. This will be prepended to the project id."
-  type        = string
-  default     = ""
-  nullable    = false
+  description = "GCP universe where to deploy the project. The prefix will be prepended to the project id."
+  type = object({
+    prefix               = string
+    unavailable_services = optional(list(string), [])
+  })
+  default = null
 }
 
 variable "vpc_sc" {

tests/modules/project/universe.tfvars

@@ -1,2 +1,13 @@
-prefix   = "foo"
-universe = "alpha"
+prefix = "foo"
+universe = {
+  prefix = "alpha"
+  unavailable_services = [
+    "xxx.googleapis.com",
+    "yyy.googleapis.com"
+  ]
+}
+services = [
+  "aaa.googleapis.com",
+  "bbb.googleapis.com",
+  "xxx.googleapis.com"
+]

tests/modules/project/universe.yaml

@@ -16,11 +16,22 @@ values:
   google_project.project[0]:
     name: foo-my-project
     project_id: alpha:foo-my-project
+  google_project_service.project_services["aaa.googleapis.com"]:
+    project: alpha:foo-my-project
+    service: aaa.googleapis.com
+  google_project_service.project_services["bbb.googleapis.com"]:
+    project: alpha:foo-my-project
+    service: bbb.googleapis.com
 
 counts:
   google_project: 1
+  google_project_service: 2
+  resources: 3
 
 outputs:
   id: alpha:foo-my-project
   name: foo-my-project
   project_id: foo-my-project
+  services:
+  - aaa.googleapis.com
+  - bbb.googleapis.com