From 026cea4554aabe9a5bea50567a210d3308743c2f Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 14 Feb 2022 10:27:03 +0100
Subject: [PATCH] Align with master branch
---
 fast/stages/00-bootstrap/organization.tf | 1 -
 fast/stages/01-resman/organization.tf | 6 +++---
 fast/stages/README.md | 12 ++++++------
 3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index b10bc159..689f378b 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -195,7 +195,6 @@ resource "google_organization_iam_binding" "org_admin_delegated" {
 "roles/compute.orgFirewallPolicyAdmin",
 "roles/compute.xpnAdmin",
 "roles/orgpolicy.policyAdmin",
- module.organization.custom_role_id.serviceProjectNetworkAdmin
 ],
 local.billing_org ? [
 "roles/billing.admin",
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index f19afef8..5c9bed6a 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -19,7 +19,7 @@ locals {
 # set to the empty list if you remove the data platform branch
- branch_dataplatform_pf_sa_iam_emails = [
+ branch_dataplatform_sa_iam_emails = [
 module.branch-dp-dev-sa.iam_email,
 module.branch-dp-prod-sa.iam_email
 ]
@@ -64,7 +64,7 @@ module "organization" {
 module.branch-network-sa.iam_email
 ]
 "roles/orgpolicy.policyAdmin" = concat(
- local.branch_dataplatform_pf_sa_iam_emails,
+ local.branch_dataplatform_sa_iam_emails,
 local.branch_teams_pf_sa_iam_emails
 )
 },
@@ -79,7 +79,7 @@ module "organization" {
 # [
 # for k, v in module.branch-teams-team-sa : v.iam_email
 # ],
- local.branch_dataplatform_pf_sa_iam_emails,
+ local.branch_dataplatform_sa_iam_emails,
 local.branch_teams_pf_sa_iam_emails
 )
 } : {}
diff --git a/fast/stages/README.md b/fast/stages/README.md
index 3bb19f64..4bb70e0a 100644
--- a/fast/stages/README.md
+++ b/fast/stages/README.md
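Review bot: Removing `module.organization.custom_role_id.serviceProjectNetworkAdmin` from the `org_admin_delegated` role list leaves no comment saying where that custom role is now meant to be bound, and nothing in the hunk shows whether a later stage still grants it through this binding. If `org_admin_delegated` is the conditional binding that limits which roles the automation identity may grant at organization level (the resource name and the role list suggest so, but the condition itself is outside the hunk), a stage that still binds `serviceProjectNetworkAdmin` at the organization level would be refused at apply time, so that dependency is worth stating in the commit or in the code. A short comment above the list would make the intended scope explicit, e.g. `# predefined roles the delegated org admins may grant at organization level; custom roles are intentionally not listed here`. The `google_organization_iam_binding` resource starts and ends outside the hunk.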
@@ -8,21 +8,21 @@ Refer to each stage's documentation for a detailed description of its purpose, t
 ## Organizational level (00-01)
-- [Bootstrap](00-bootstrap/README.md)
+- [Bootstrap](00-bootstrap/README.md)
 Enables critical organization-level functionality that depends on broad permissions. It has two primary purposes. The first is to bootstrap the resources needed for automation of this and the following stages (service accounts, GCS buckets). And secondly, it applies the minimum amount of configuration needed at the organization level, to avoid the need of broad permissions later on, and to implement a minimum of security features like sinks and exports from the start.
-- [Resource Management](01-resman/README.md)
+- [Resource Management](01-resman/README.md)
 Creates the base resource hierarchy (folders) and the automation resources required later to delegate deployment of each part of the hierarchy to separate stages. This stage also configures organization-level policies and any exceptions needed by different branches of the resource hierarchy.
 ## Shared resources (02)
-- [Security](02-security/README.md)
+- [Security](02-security/README.md)
 Manages centralized security configurations in a separate stage, and is typically owned by the security team. This stage implements VPC Security Controls via separate perimeters for environments and central services, and creates projects to host centralized KMS keys used by the whole organization. It's meant to be easily extended to include other security-related resources which are required, like Secret Manager.
-- [Networking](02-networking/README.md)
- Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage implements a hub-and-spoke design, and includes connectivity via VPN to on-premises, and YAML-based factories for firewall rules (hierarchical and VPC-level) and subnets.
+- Networking ([VPN](02-networking-vpn/README.md)/[NVA](02-networking-nva/README.md))
+ Manages centralized network resources in a separate stage, and is typically owned by the networking team. This stage implements a hub-and-spoke design, and includes connectivity via VPN to on-premises, and YAML-based factories for firewall rules (hierarchical and VPC-level) and subnets. It's currently available in two versions: [spokes connected via VPN](02-networking-vpn/README.md), [and spokes connected via appliances](02-networking-nva/README.md).
 ## Environment-level resources (03)
-- [Project Factory](03-project-factory/README.md)
+- [Project Factory](03-project-factory/README.md)
 YAML-based fatory to create and configure application or team-level projects. Configuration includes VPC-level settings for Shared VPC, service-level configuration for CMEK encryption via centralized keys, and service account creation for workloads and applications. This stage is meant to be used once per environment.
 - Data Platform (in development)
 - GKE Multitenant (in development)