# Terraform Module Library (GCP)
GCP-primary module patterns for this workspace. Modules cover: Cloud Run v2, Cloud SQL PostgreSQL, Artifact Registry, VPC + Private Services, Secret Manager, Workload Identity Federation.
## Iron Law
BEFORE creating a Terraform module:

1. Load `terraform-skill` for naming conventions and code structure standards
2. Every module MUST have: `main.tf`, `variables.tf`, `outputs.tf`, `versions.tf`, `README.md`
3. Every module MUST have tests in `tests/` using native `terraform test` (1.6+) with mock providers
4. Sensitive outputs MUST be marked `sensitive = true`
5. Dispatch the `terraform-specialist` agent to apply/provision — this skill is for authoring only
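As an added illustration of Iron Law items 2 and 4 (this is example code, not the HCL shipped in `references/gcp-modules.md`), here is the `versions.tf`, `variables.tf` and `outputs.tf` scaffold of a hypothetical module. The variable names, the project-ID regex and the resource names `google_cloud_run_v2_service.this` / `google_sql_database_instance.this` referenced by the outputs are assumptions; the three files are shown in one fence separated by comment headers.

```hcl
# ---- versions.tf ----
# Pin Terraform and the google provider (checklist: google ~> 6.0).
terraform {
  required_version = ">= 1.7" # mock_provider in native tests needs 1.7+

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 6.0"
    }
  }
}

# ---- variables.tf ----
# Every input carries description, type and, where it helps, validation.
variable "project_id" {
  description = "GCP project that hosts the module's resources."
  type        = string

  validation {
    # Assumed shape of a GCP project ID: 6-30 chars, lowercase letters, digits
    # and hyphens, starting with a letter and not ending with a hyphen.
    condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project_id))
    error_message = "project_id must be a valid GCP project ID."
  }
}

variable "region" {
  description = "Region for regional resources, e.g. europe-west1."
  type        = string
}

variable "environment" {
  description = "Deployment environment; drives naming and sizing."
  type        = string

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of dev, staging, prod."
  }
}

variable "deletion_protection" {
  description = "Guard stateful resources (Cloud SQL) against terraform destroy."
  type        = bool
  default     = true # safe default: an operator must opt out explicitly
}

# ---- outputs.tf ----
output "service_uri" {
  description = "URI of the Cloud Run v2 service."
  value       = google_cloud_run_v2_service.this.uri
}

output "sql_private_ip" {
  description = "Private IP of the Cloud SQL instance (reachable only inside the VPC)."
  value       = google_sql_database_instance.this.private_ip_address
  sensitive   = true # keeps the address out of plan output and CI logs
}
```

`terraform validate` rejects inputs that fail the `validation` blocks before any API call is made, and the `sensitive` flag on the output is what stops the value from being printed during `plan`/`apply`; callers that need it still get it via `nonsensitive()` or the state.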
## Standard Module Structure
```text
modules/
└── <module-name>/
    ├── main.tf              # Resources only — no provider {}, no backend {}
    ├── variables.tf         # All inputs with description, type, validation
    ├── outputs.tf           # All outputs with description and sensitive flag
    ├── versions.tf          # required_version + required_providers
    ├── README.md            # Usage example + variable/output tables
    └── tests/
        └── main.tftest.hcl  # Native terraform test with mock_provider (1.7+)
```
## Pattern Selector
```text
Which GCP resource are you modularizing?
|
+-- Cloud Run v2 service    -> See references/gcp-modules.md § Cloud Run
+-- Cloud SQL (PostgreSQL)  -> See references/gcp-modules.md § Cloud SQL
+-- Artifact Registry       -> See references/gcp-modules.md § Artifact Registry
+-- VPC + Subnets           -> See references/gcp-modules.md § VPC
+-- Secret Manager          -> See references/gcp-modules.md § Secret Manager
+-- Workload Identity Fed.  -> See references/gcp-modules.md § Workload Identity Federation
```
## Reference Files
| File | Load When |
|---|---|
| `references/gcp-modules.md` | Writing or reviewing any GCP Terraform module — has full HCL for all 6 modules |
## Module Authoring Checklist
Before submitting any module:

- `versions.tf` present with provider pinned to `google ~> 6.0`
- All variables have `description` and `type` declared
- All sensitive outputs marked `sensitive = true`
- `deletion_protection` variable present for stateful resources (Cloud SQL, Artifact Registry)
- Tests in `tests/main.tftest.hcl` using `mock_provider "google"` with at least one `command = apply`
- `README.md` has usage example, variable table, and output table
- `for_each` used (not `count`) for IAM members and multi-instance resources
- No hardcoded project IDs, regions, or resource names
- `lifecycle.ignore_changes` on container image for Cloud Run (CI/CD manages image, not Terraform)
- `ipv4_enabled = false` for Cloud SQL (no public IP)
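To show the checklist items together in working HCL, here is an added `main.tf` and its `tests/main.tftest.hcl` for a hypothetical Cloud Run + Cloud SQL module. This is illustration code, not the HCL in `references/gcp-modules.md`; it assumes the module declares the inputs `project_id`, `region`, `name_prefix`, `bootstrap_image`, `invoker_members`, `sql_tier`, `vpc_self_link` and `deletion_protection`, and the test values are constructed. The two files are shown in one fence separated by comment headers.

```hcl
# ---- main.tf ----
# Resources only: no provider {} and no backend {} blocks live here.

locals {
  # Derived names keep project IDs, regions and resource names out of the code.
  service_name = "${var.name_prefix}-api"
  sql_name     = "${var.name_prefix}-pg"
}

resource "google_cloud_run_v2_service" "this" {
  project  = var.project_id
  location = var.region
  name     = local.service_name

  template {
    containers {
      # Bootstrap image only; CI/CD deploys the real tag after the first apply.
      image = var.bootstrap_image
    }
  }

  lifecycle {
    # CI/CD owns the image; without this every deploy shows up as Terraform drift.
    ignore_changes = [template[0].containers[0].image]
  }
}

# for_each (not count): removing a member from the middle of the list does not
# shift the addresses of, and therefore recreate, every other binding.
resource "google_cloud_run_v2_service_iam_member" "invoker" {
  for_each = toset(var.invoker_members)

  project  = google_cloud_run_v2_service.this.project
  location = google_cloud_run_v2_service.this.location
  name     = google_cloud_run_v2_service.this.name
  role     = "roles/run.invoker"
  member   = each.value
}

resource "google_sql_database_instance" "this" {
  project          = var.project_id
  region           = var.region
  name             = local.sql_name
  database_version = "POSTGRES_16"

  # Stateful resource: guarded by the module-level deletion_protection input.
  deletion_protection = var.deletion_protection

  settings {
    tier = var.sql_tier

    ip_configuration {
      # No public IP: clients go through the Cloud SQL Auth Proxy or private VPC access.
      ipv4_enabled    = false
      private_network = var.vpc_self_link
    }
  }
}

# ---- tests/main.tftest.hcl ----
# Native terraform test against a mocked google provider (no real project needed).
mock_provider "google" {}

variables {
  # Constructed values for the test run only.
  project_id          = "example-project-1234"
  region              = "europe-west1"
  name_prefix         = "demo"
  bootstrap_image     = "us-docker.pkg.dev/cloudrun/container/hello"
  invoker_members     = ["serviceAccount:ci@example-project-1234.iam.gserviceaccount.com"]
  sql_tier            = "db-f1-micro"
  vpc_self_link       = "projects/example-project-1234/global/networks/demo-vpc"
  deletion_protection = true
}

run "security_baseline" {
  command = apply # checklist: at least one apply-mode run against the mock provider

  assert {
    condition     = google_sql_database_instance.this.settings[0].ip_configuration[0].ipv4_enabled == false
    error_message = "Cloud SQL must not expose a public IPv4 address."
  }

  assert {
    condition     = google_sql_database_instance.this.deletion_protection
    error_message = "Cloud SQL must be deletion-protected."
  }

  assert {
    condition     = length(google_cloud_run_v2_service_iam_member.invoker) == 1
    error_message = "Exactly one invoker binding expected for the single test member."
  }
}
```

Run `terraform init` then `terraform test` inside the module directory. The mock provider fabricates computed attributes (IDs, URIs) so the apply never touches GCP, which is why the assertions target configured values such as `ipv4_enabled` and `deletion_protection` rather than anything the API would return; a regression that reintroduces a public IP or drops deletion protection fails the test before review.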
## Key Design Decisions
| Decision | Rationale |
|---|---|
| `lifecycle.ignore_changes` on the Cloud Run image | CI/CD updates the image; Terraform manages config/scaling only. Prevents Terraform drift on every deploy. |
| `ipv4_enabled = false` on Cloud SQL | No public IP; forces Cloud SQL Auth Proxy or private VPC access. Security baseline. |
| Use Secret Manager for passwords | Never hardcode or commit passwords. Secret Manager is the source of truth. |
| `for_each` for IAM members | Stable resource addressing; |
| Cleanup policies on Artifact Registry | Prevents unbounded storage cost from accumulated untagged images. |
| WIF | Prevents cross-org token impersonation. |
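The Artifact Registry row above is the one decision not covered by the checklist, so here is an added example of a repository with cleanup policies (example code, not the module in `references/gcp-modules.md`). The variable names, the 30-day window and the keep count are assumptions.

```hcl
# Docker repository whose storage growth is bounded by cleanup policies.
resource "google_artifact_registry_repository" "images" {
  project       = var.project_id
  location      = var.region
  repository_id = "${var.name_prefix}-images" # derived, not hardcoded
  format        = "DOCKER"

  # Policy 1: untagged images (layers left behind by re-tagged builds) are
  # deleted once they are older than 30 days.
  cleanup_policies {
    id     = "delete-untagged-after-30d"
    action = "DELETE"

    condition {
      tag_state  = "UNTAGGED"
      older_than = "2592000s" # 30 days, in seconds as the API expects
    }
  }

  # Policy 2: KEEP wins over DELETE, so the ten most recent versions survive
  # regardless of age; this protects rollback targets.
  cleanup_policies {
    id     = "keep-latest-releases"
    action = "KEEP"

    most_recent_versions {
      keep_count = 10
    }
  }
}
```

Set `cleanup_policy_dry_run = true` on the resource when first introducing policies so the API reports what would be deleted without acting on it, then remove the flag once the counts look right.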
## Cross-References
- Naming and testing conventions: Load the `terraform-skill` skill (load it first)
- GCP provisioning: Dispatch the `terraform-specialist` agent
- Provisioning workflow: `docs/workflows/cloud-run-terraform.md`
- Module development workflow: `docs/workflows/terraform-module-development.md`
- Security review post-apply: Dispatch the `security-reviewer` agent