/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
variable "billing_account" {
  # Required (nullable = false). `is_org_level` tells the stage whether the
  # billing account lives in this organization; `no_iam` skips the billing
  # IAM role handling entirely.
  description = "Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`."
  nullable    = false
  type = object({
    id           = string
    is_org_level = optional(bool, true)
    no_iam       = optional(bool, false)
  })
}
variable "bootstrap_user" {
  # Optional; only meaningful on the first run of this stage.
  description = "Email of the nominal user running this stage for the first time."
  default     = null
  type        = string
}
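variable "cicd_repositories" {
  # One entry per FAST stage repository (bootstrap, resman, tenants). Each
  # repository's `identity_provider` must be a key of
  # `var.workload_identity_providers`; the second validation below makes it
  # effectively required for any non-null repository, even though the
  # attribute is declared optional.
  description = "CI/CD repository configuration. Identity providers reference keys in the `workload_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed."
  type = object({
    bootstrap = optional(object({
      name              = string
      type              = string
      branch            = optional(string)
      identity_provider = optional(string)
    }))
    resman = optional(object({
      name              = string
      type              = string
      branch            = optional(string)
      identity_provider = optional(string)
    }))
    tenants = optional(object({
      name              = string
      type              = string
      branch            = optional(string)
      identity_provider = optional(string)
    }))
  })
  default = null
  # A null variable disables CI/CD; coalesce() lets the checks iterate safely.
  validation {
    condition = alltrue([
      for k, v in coalesce(var.cicd_repositories, {}) :
      v == null || try(v.name, null) != null
    ])
    error_message = "Non-null repositories need a non-null name."
  }
  validation {
    condition = alltrue([
      for k, v in coalesce(var.cicd_repositories, {}) :
      v == null || try(v.identity_provider, null) != null
    ])
    error_message = "Non-null repositories need a non-null provider."
  }
  # Only these two repository types have workflow templates in this stage.
  validation {
    condition = alltrue([
      for k, v in coalesce(var.cicd_repositories, {}) :
      v == null || (
        contains(["github", "gitlab"], coalesce(try(v.type, null), "null"))
      )
    ])
    error_message = "Invalid repository type, supported types: 'github' or 'gitlab'."
  }
}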
variable "custom_roles" {
  # Extra organization-level custom roles: role name => list of permissions.
  description = "Map of role names => list of permissions to additionally create at the organization level."
  default     = {}
  nullable    = false
  type        = map(list(string))
}
variable "essential_contacts" {
  # Single contact email; null leaves essential contacts unconfigured.
  description = "Email used for essential contacts, unset if null."
  default     = null
  type        = string
}
variable "factories_config" {
  # Paths consumed by the data factories. Custom roles and org policies point
  # at in-tree data folders by default; the two checklist paths have no default.
  description = "Configuration for the resource factories or external data."
  nullable    = false
  default     = {}
  type = object({
    checklist_data    = optional(string)
    checklist_org_iam = optional(string)
    custom_roles      = optional(string, "data/custom-roles")
    org_policy        = optional(string, "data/org-policies")
  })
}
variable "groups" {
  # https://cloud.google.com/docs/enterprise/setup-checklist
  # Each attribute is either a bare group name (expanded to a `group:` principal
  # in the organization domain) or a full IAM-format principal.
  description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
  nullable    = false
  default     = {}
  type = object({
    gcp-billing-admins      = optional(string, "gcp-billing-admins")
    gcp-devops              = optional(string, "gcp-devops")
    gcp-network-admins      = optional(string, "gcp-vpc-network-admins")
    gcp-organization-admins = optional(string, "gcp-organization-admins")
    gcp-security-admins     = optional(string, "gcp-security-admins")
    # aliased to gcp-devops as the checklist does not create it
    gcp-support = optional(string, "gcp-devops")
  })
}
variable "iam" {
  # Organization-level IAM in role => [principal] form; merged with
  # `iam_by_principals` (see that variable's description).
  description = "Organization-level custom IAM settings in role => [principal] format."
  default     = {}
  nullable    = false
  type        = map(list(string))
}
variable "iam_bindings_additive" {
  # Additive (non-authoritative) org-level bindings, one member/role pair per
  # entry, with an optional IAM condition (expression, title, description).
  description = "Organization-level custom additive IAM bindings. Keys are arbitrary."
  nullable    = false
  default     = {}
  type = map(object({
    member = string
    role   = string
    condition = optional(object({
      expression  = string
      title       = string
      description = optional(string)
    }))
  }))
}
variable "iam_by_principals" {
  # Principal => [roles]; principals must be literals (no references) so the
  # resulting bindings can be keyed without creating plan-time cycles.
  description = "Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable."
  nullable    = false
  default     = {}
  type        = map(list(string))
}
variable "locations" {
  # Defaults: EU for BigQuery and GCS, global for logging buckets, no Pub/Sub
  # region restriction.
  description = "Optional locations for GCS, BigQuery, and logging buckets created here."
  default     = {}
  nullable    = false
  type = object({
    bq      = optional(string, "EU")
    gcs     = optional(string, "EU")
    logging = optional(string, "global")
    pubsub  = optional(list(string), [])
  })
}
# See https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics
# for additional logging filter examples
variable "log_sinks" {
  # Organization-level sinks. The defaults route the security-relevant audit
  # streams to logging buckets; `type` selects the destination kind and is
  # checked by the validation below.
  description = "Org-level log sinks, in name => {type, filter} format."
  nullable    = false
  type = map(object({
    filter = string
    type   = string
  }))
  default = {
    # activity, system_event, policy and access_transparency audit log streams
    audit-logs = {
      type   = "logging"
      filter = <<-FILTER
        log_id("cloudaudit.googleapis.com/activity") OR
        log_id("cloudaudit.googleapis.com/system_event") OR
        log_id("cloudaudit.googleapis.com/policy") OR
        log_id("cloudaudit.googleapis.com/access_transparency")
      FILTER
    }
    # IAM, IAM credentials and STS (token exchange) API activity
    iam = {
      type   = "logging"
      filter = <<-FILTER
        protoPayload.serviceName="iamcredentials.googleapis.com" OR
        protoPayload.serviceName="iam.googleapis.com" OR
        protoPayload.serviceName="sts.googleapis.com"
      FILTER
    }
    # VPC Service Controls audit records
    vpc-sc = {
      type   = "logging"
      filter = <<-FILTER
        protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
      FILTER
    }
    # Workspace login data-access audit records
    workspace-audit-logs = {
      type   = "logging"
      filter = <<-FILTER
        log_id("cloudaudit.googleapis.com/data_access") AND
        protoPayload.serviceName="login.googleapis.com"
      FILTER
    }
  }
  validation {
    condition = alltrue([
      for k, v in var.log_sinks :
      contains(["bigquery", "logging", "pubsub", "storage"], v.type)
    ])
    error_message = "Type must be one of 'bigquery', 'logging', 'pubsub', 'storage'."
  }
}
variable "org_policies_config" {
  # Knobs for the org policy factory: the domain-restriction constraint list,
  # whether to import the default policies, and the tag key/values used to
  # scope policy exceptions.
  description = "Organization policies customization."
  default     = {}
  type = object({
    constraints = optional(object({
      allowed_policy_member_domains = optional(list(string), [])
    }), {})
    import_defaults = optional(bool, false)
    tag_name        = optional(string, "org-policies")
    tag_values = optional(map(object({
      description = optional(string, "Managed by the Terraform organization module.")
      iam         = optional(map(list(string)), {})
      id          = optional(string)
    })), {})
  })
}
variable "organization" {
  # Required (no default). Only the numeric id is mandatory; domain and
  # customer id are optional.
  description = "Organization details."
  type = object({
    id          = number
    domain      = optional(string)
    customer_id = optional(string)
  })
}
variable "outputs_location" {
  # Local filesystem path for generated provider/tfvars/workflow files; null
  # disables writing them.
  description = "Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable."
  default     = null
  type        = string
}
variable "prefix" {
  # Required. The `< 10` check below enforces the 9-character maximum stated
  # in the description; try() yields 0 when length() cannot be evaluated.
  description = "Prefix used for resources that need unique names. Use 9 characters or less."
  type        = string
  validation {
    condition     = try(length(var.prefix), 0) < 10
    error_message = "Use a maximum of 9 characters for prefix."
  }
}
variable "project_parent_ids" {
  # Optional folder parents for the automation, billing and logging projects;
  # a null attribute parents that project to the organization.
  description = "Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent."
  nullable    = false
  default     = {}
  type = object({
    automation = optional(string)
    billing    = optional(string)
    logging    = optional(string)
  })
}
variable "workforce_identity_providers" {
  # Workforce (human) identity federation providers keyed by name. `saml`
  # carries the IdP metadata when the provider is SAML-based; `attribute_condition`
  # optionally restricts which federated identities are accepted.
  description = "Workforce Identity Federation pools."
  nullable    = false
  default     = {}
  type = map(object({
    attribute_condition = optional(string)
    issuer              = string
    display_name        = string
    description         = string
    disabled            = optional(bool, false)
    saml = optional(object({
      idp_metadata_xml = string
    }), null)
  }))
}
variable "workload_identity_providers" {
  # Workload (CI/CD) identity federation providers keyed by name; the keys are
  # what `cicd_repositories[*].identity_provider` points at. `custom_settings`
  # overrides issuer URI, audiences and JWKS for non-standard issuers, and
  # `attribute_condition` optionally restricts accepted federated identities.
  description = "Workload Identity Federation pools. The `cicd_repositories` variable references keys here."
  nullable    = false
  default     = {}
  type = map(object({
    attribute_condition = optional(string)
    issuer              = string
    custom_settings = optional(object({
      issuer_uri = optional(string)
      audiences  = optional(list(string), [])
      jwks_json  = optional(string)
    }), {})
  }))
  # TODO: fix validation
  # NOTE(review): the commented check below still names `federated_identity_providers`,
  # which no longer matches this variable's name — presumably left over from a rename.
  # validation {
  #   condition     = var.federated_identity_providers.custom_settings == null
  #   error_message = "Custom settings cannot be null."
  # }
}