From 9b6262de4111a961ab7962cae9e6e5f807807bd6 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Wed, 3 Aug 2022 09:36:27 +0000 Subject: [PATCH 1/3] FAST: move region trigrams to a variable in network stages (#765) * add region trigram variable * debug check documentation * fix linting
---
fast/stages/02-networking-nva/README.md | 7 ++++--- fast/stages/02-networking-nva/variables.tf | 9 +++++++++ fast/stages/02-networking-peering/README.md | 7 ++++--- fast/stages/02-networking-peering/main.tf | 4 ---- fast/stages/02-networking-peering/spoke-dev.tf | 2 +- fast/stages/02-networking-peering/spoke-prod.tf | 2 +- fast/stages/02-networking-peering/variables.tf | 9 +++++++++ fast/stages/02-networking-vpn/README.md | 7 ++++--- fast/stages/02-networking-vpn/main.tf | 4 ---- fast/stages/02-networking-vpn/spoke-dev.tf | 2 +- fast/stages/02-networking-vpn/spoke-prod.tf | 2 +- fast/stages/02-networking-vpn/variables.tf | 9 +++++++++ tests/fast/stages/s02_networking_peering/fixture/main.tf | 5 +++++ tests/fast/stages/s02_networking_vpn/fixture/main.tf | 5 +++++ 14 files changed, 53 insertions(+), 21 deletions(-)
diff --git a/fast/stages/02-networking-nva/README.md b/fast/stages/02-networking-nva/README.md
index 9f17f997..706f89f1 100644
--- a/fast/stages/02-networking-nva/README.md
+++ b/fast/stages/02-networking-nva/README.md
@@ -377,9 +377,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [onprem_cidr](variables.tf#L107) | Onprem addresses in name => range format. | map(string) | | {…} | |
 | [outputs_location](variables.tf#L125) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [psa_ranges](variables.tf#L142) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [router_configs](variables.tf#L183) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L206) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L218) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [region_trigram](variables.tf#L183) | Short names for GCP regions. | map(string) | | {…} | |
+| [router_configs](variables.tf#L192) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L227) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
 ## Outputs
diff --git a/fast/stages/02-networking-nva/variables.tf b/fast/stages/02-networking-nva/variables.tf
index bc06729b..b0d844b3 100644
--- a/fast/stages/02-networking-nva/variables.tf
+++ b/fast/stages/02-networking-nva/variables.tf
@@ -180,6 +180,15 @@ variable "psa_ranges" {
 # }
 }
+variable "region_trigram" {
+ description = "Short names for GCP regions."
+ type = map(string)
+ default = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ }
+}
+
 variable "router_configs" {
 description = "Configurations for CRs and onprem routers."
 type = map(object({
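Review bot: `region_trigram` is consumed as `var.region_trigram[each.value]` when the spoke files build Cloud NAT names, so any region a spoke uses that is missing from this map fails the plan with an invalid-index error, yet the default only covers europe-west1 and europe-west3 while the test fixtures in this same patch already pass europe-west8. The values are also embedded in Compute Engine resource names, which only accept lowercase letters, digits and hyphens, and nothing checks that. A `validation` block cannot see the other variables, so the coverage requirement belongs in the description, but the value format can be enforced at plan time with a readable message. The hunk shows the whole variable, so the block below is the complete replacement.
```hcl
variable "region_trigram" {
  description = "Short names for GCP regions, embedded in resource names. Keys must cover every region used by this stage."
  # … unchanged: type, default …
  validation {
    condition = alltrue([
      for v in values(var.region_trigram) : can(regex("^[a-z][a-z0-9]{1,3}$", v))
    ])
    error_message = "Region trigrams must be 2-4 lowercase alphanumeric characters, as they are used in resource names."
  }
}
```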
diff --git a/fast/stages/02-networking-peering/README.md b/fast/stages/02-networking-peering/README.md
index 626af1b8..3dfbabe9 100644
--- a/fast/stages/02-networking-peering/README.md
+++ b/fast/stages/02-networking-peering/README.md
@@ -301,9 +301,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [peering_configs](variables-peerings.tf#L19) | Peering configurations. | map(object({…})) | | {…} | |
 | [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L196) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [region_trigram](variables.tf#L166) | Short names for GCP regions. | map(string) | | {…} | |
+| [router_onprem_configs](variables.tf#L175) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L205) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
 ## Outputs
diff --git a/fast/stages/02-networking-peering/main.tf b/fast/stages/02-networking-peering/main.tf
index 9e013fd1..ba25bdb1 100644
--- a/fast/stages/02-networking-peering/main.tf
+++ b/fast/stages/02-networking-peering/main.tf
@@ -25,10 +25,6 @@ locals {
 name = "${env}-l7ilb-${s.region}"
 })]
 }
- region_trigram = {
- europe-west1 = "ew1"
- europe-west3 = "ew3"
- }
 stage3_sas_delegated_grants = [
 "roles/composer.sharedVpcAgent",
 "roles/compute.networkUser",
diff --git a/fast/stages/02-networking-peering/spoke-dev.tf b/fast/stages/02-networking-peering/spoke-dev.tf
index a65c71ce..42ae5b73 100644
--- a/fast/stages/02-networking-peering/spoke-dev.tf
+++ b/fast/stages/02-networking-peering/spoke-dev.tf
@@ -91,7 +91,7 @@ module "dev-spoke-cloudnat" {
 source = "../../../modules/net-cloudnat"
 project_id = module.dev-spoke-project.project_id
 region = each.value
- name = "dev-nat-${local.region_trigram[each.value]}"
+ name = "dev-nat-${var.region_trigram[each.value]}"
 router_create = true
 router_network = module.dev-spoke-vpc.name
 router_asn = 4200001024
diff --git a/fast/stages/02-networking-peering/spoke-prod.tf b/fast/stages/02-networking-peering/spoke-prod.tf
index 6856df96..46115643 100644
--- a/fast/stages/02-networking-peering/spoke-prod.tf
+++ b/fast/stages/02-networking-peering/spoke-prod.tf
@@ -91,7 +91,7 @@ module "prod-spoke-cloudnat" {
 source = "../../../modules/net-cloudnat"
 project_id = module.prod-spoke-project.project_id
 region = each.value
- name = "prod-nat-${local.region_trigram[each.value]}"
+ name = "prod-nat-${var.region_trigram[each.value]}"
 router_create = true
 router_network = module.prod-spoke-vpc.name
 router_asn = 4200001024
diff --git a/fast/stages/02-networking-peering/variables.tf b/fast/stages/02-networking-peering/variables.tf
index 60bd8be1..f1cc25dc 100644
--- a/fast/stages/02-networking-peering/variables.tf
+++ b/fast/stages/02-networking-peering/variables.tf
@@ -163,6 +163,15 @@ variable "psa_ranges" {
 # }
 }
+variable "region_trigram" {
+ description = "Short names for GCP regions."
+ type = map(string)
+ default = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ }
+}
+
 variable "router_onprem_configs" {
 description = "Configurations for routers used for onprem connectivity."
 type = map(object({
diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md
index a1de758c..043d8ff1 100644
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
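Review bot: The description "Short names for GCP regions." does not tell the operator that this map is indexed with `var.region_trigram[each.value]` in the spoke Cloud NAT modules, so a region used by a spoke but absent from the map breaks the plan; the default only lists europe-west1 and europe-west3 while the peering test fixture in this patch already supplies europe-west8. Suggest `description = "Short names for GCP regions, embedded in resource names. Keys must cover every region used by this stage."`. Since the values end up in Compute Engine names, a one-line guard is also cheap: `validation { condition = alltrue([for v in values(var.region_trigram) : can(regex("^[a-z][a-z0-9]{1,3}$", v))]) error_message = "Trigrams must be short lowercase alphanumerics." }`.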
@@ -325,10 +325,11 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [l7ilb_subnets](variables.tf#L84) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
 | [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
+| [region_trigram](variables.tf#L166) | Short names for GCP regions. | map(string) | | {…} | |
+| [router_onprem_configs](variables.tf#L175) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
 | [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L196) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L205) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
 | [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | map(object({…})) | | {…} | |
 ## Outputs
diff --git a/fast/stages/02-networking-vpn/main.tf b/fast/stages/02-networking-vpn/main.tf
index 9e013fd1..ba25bdb1 100644
--- a/fast/stages/02-networking-vpn/main.tf
+++ b/fast/stages/02-networking-vpn/main.tf
@@ -25,10 +25,6 @@ locals {
 name = "${env}-l7ilb-${s.region}"
 })]
 }
- region_trigram = {
- europe-west1 = "ew1"
- europe-west3 = "ew3"
- }
 stage3_sas_delegated_grants = [
 "roles/composer.sharedVpcAgent",
 "roles/compute.networkUser",
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index a65c71ce..42ae5b73 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -91,7 +91,7 @@ module "dev-spoke-cloudnat" {
 source = "../../../modules/net-cloudnat"
 project_id = module.dev-spoke-project.project_id
 region = each.value
- name = "dev-nat-${local.region_trigram[each.value]}"
+ name = "dev-nat-${var.region_trigram[each.value]}"
 router_create = true
 router_network = module.dev-spoke-vpc.name
 router_asn = 4200001024
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index 6856df96..46115643 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -91,7 +91,7 @@ module "prod-spoke-cloudnat" {
 source = "../../../modules/net-cloudnat"
 project_id = module.prod-spoke-project.project_id
 region = each.value
- name = "prod-nat-${local.region_trigram[each.value]}"
+ name = "prod-nat-${var.region_trigram[each.value]}"
 router_create = true
 router_network = module.prod-spoke-vpc.name
 router_asn = 4200001024
diff --git a/fast/stages/02-networking-vpn/variables.tf b/fast/stages/02-networking-vpn/variables.tf
index 60bd8be1..f1cc25dc 100644
--- a/fast/stages/02-networking-vpn/variables.tf
+++ b/fast/stages/02-networking-vpn/variables.tf
@@ -163,6 +163,15 @@ variable "psa_ranges" {
 # }
 }
+variable "region_trigram" {
+ description = "Short names for GCP regions."
+ type = map(string)
+ default = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ }
+}
+
 variable "router_onprem_configs" {
 description = "Configurations for routers used for onprem connectivity."
 type = map(object({
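Review bot: Moving the trigram map from a local to an input variable makes it operator-editable, but the `variables.tf` hunk adds no guard on what the operator can put in it, and the value flows straight into `"prod-nat-${var.region_trigram[each.value]}"` in the spoke files, so a missing key aborts the plan and an uppercase or oddly formatted value is only rejected by the API at apply time. Suggest stating the contract in the description, `description = "Short names for GCP regions, embedded in resource names. Keys must cover every region used by this stage."`, and adding a format check, `validation { condition = alltrue([for v in values(var.region_trigram) : can(regex("^[a-z][a-z0-9]{1,3}$", v))]) error_message = "Trigrams must be short lowercase alphanumerics." }`. The default still covers only europe-west1 and europe-west3 although the vpn test fixture in this patch passes europe-west8 as well.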
diff --git a/tests/fast/stages/s02_networking_peering/fixture/main.tf b/tests/fast/stages/s02_networking_peering/fixture/main.tf
index 42040959..33011e3d 100644
--- a/tests/fast/stages/s02_networking_peering/fixture/main.tf
+++ b/tests/fast/stages/s02_networking_peering/fixture/main.tf
@@ -32,6 +32,11 @@ module "stage" {
 networking-dev = null
 networking-prod = null
 }
+ region_trigram = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ europe-west8 = "ew8"
+ }
 service_accounts = {
 data-platform-dev = "string"
 data-platform-prod = "string"
diff --git a/tests/fast/stages/s02_networking_vpn/fixture/main.tf b/tests/fast/stages/s02_networking_vpn/fixture/main.tf
index 6d7b8840..57d2eabb 100644
--- a/tests/fast/stages/s02_networking_vpn/fixture/main.tf
+++ b/tests/fast/stages/s02_networking_vpn/fixture/main.tf
@@ -32,6 +32,11 @@ module "stage" {
 networking-dev = null
 networking-prod = null
 }
+ region_trigram = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ europe-west8 = "ew8"
+ }
 service_accounts = {
 data-platform-dev = "string"
 data-platform-prod = "string"
From bfefaf627e6ac699851ce6255c6f16c8923e3ca0 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Wed, 3 Aug 2022 14:34:09 +0000 Subject: [PATCH 2/3] refactor teams, fix #750 (#766)
---
fast/stages/01-resman/README.md | 18 ++--- fast/stages/01-resman/billing.tf | 10 ++- fast/stages/01-resman/branch-networking.tf | 16 ++--- fast/stages/01-resman/branch-teams.tf | 78 +++++++++++++++------- fast/stages/01-resman/main.tf | 7 +- fast/stages/01-resman/organization.tf | 32 +++------ fast/stages/01-resman/outputs.tf | 21 +++++- 7 files changed, 109 insertions(+), 73 deletions(-)
diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index 9f72f77e..03c93981 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -195,14 +195,14 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
-| [cicd_repositories](outputs.tf#L154) | WIF configuration for CI/CD repositories. | | |
-| [dataplatform](outputs.tf#L168) | Data for the Data Platform stage. | | |
-| [networking](outputs.tf#L184) | Data for the networking stage. | | |
-| [project_factories](outputs.tf#L193) | Data for the project factories stage. | | |
-| [providers](outputs.tf#L209) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · xx-sandbox · xx-teams |
-| [sandbox](outputs.tf#L216) | Data for the sandbox stage. | | xx-sandbox |
-| [security](outputs.tf#L230) | Data for the networking stage. | | 02-security |
-| [teams](outputs.tf#L240) | Data for the teams stage. | | |
-| [tfvars](outputs.tf#L253) | Terraform variable files for the following stages. | ✓ | |
+| [cicd_repositories](outputs.tf#L171) | WIF configuration for CI/CD repositories. | | |
+| [dataplatform](outputs.tf#L185) | Data for the Data Platform stage. | | |
+| [networking](outputs.tf#L201) | Data for the networking stage. | | |
+| [project_factories](outputs.tf#L210) | Data for the project factories stage. | | |
+| [providers](outputs.tf#L226) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · xx-sandbox · xx-teams |
+| [sandbox](outputs.tf#L233) | Data for the sandbox stage. | | xx-sandbox |
+| [security](outputs.tf#L247) | Data for the networking stage. | | 02-security |
+| [teams](outputs.tf#L257) | Data for the teams stage. | | |
+| [tfvars](outputs.tf#L270) | Terraform variable files for the following stages. | ✓ | |
diff --git a/fast/stages/01-resman/billing.tf b/fast/stages/01-resman/billing.tf
index f69b9ad9..2a5670b8 100644
--- a/fast/stages/01-resman/billing.tf
+++ b/fast/stages/01-resman/billing.tf
@@ -23,12 +23,10 @@ locals {
 module.branch-network-sa.iam_email,
 module.branch-security-sa.iam_email,
 ],
- local.branch_dataplatform_sa_iam_emails,
- # enable if individual teams can create their own projects
- # [
- # for k, v in module.branch-teams-team-sa : v.iam_email
- # ],
- local.branch_teams_pf_sa_iam_emails,
+ local.branch_optional_sa_lists.dp-dev,
+ local.branch_optional_sa_lists.dp-prod,
+ local.branch_optional_sa_lists.pf-dev,
+ local.branch_optional_sa_lists.pf-prod,
 )
 }
diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
index 684079fa..00b3a5d7 100644
--- a/fast/stages/01-resman/branch-networking.tf
+++ b/fast/stages/01-resman/branch-networking.tf
@@ -50,10 +50,10 @@ module "branch-network-prod-folder" {
 parent = module.branch-network-folder.id
 name = "Production"
 iam = {
- "roles/compute.xpnAdmin" = compact([
- try(module.branch-dp-prod-sa.0.iam_email, ""),
- try(module.branch-pf-prod-sa.0.iam_email, ""),
- ])
+ (local.custom_roles.service_project_network_admin) = concat(
+ local.branch_optional_sa_lists.dp-prod,
+ local.branch_optional_sa_lists.pf-prod,
+ )
 }
 tag_bindings = {
 environment = try(
@@ -67,10 +67,10 @@ module "branch-network-dev-folder" {
 parent = module.branch-network-folder.id
 name = "Development"
 iam = {
- (local.custom_roles.service_project_network_admin) = compact([
- try(module.branch-dp-dev-sa.0.iam_email, ""),
- try(module.branch-pf-dev-sa.0.iam_email, ""),
- ])
+ (local.custom_roles.service_project_network_admin) = concat(
+ local.branch_optional_sa_lists.dp-dev,
+ local.branch_optional_sa_lists.pf-dev,
+ )
 }
 tag_bindings = {
 environment = try(
diff --git a/fast/stages/01-resman/branch-teams.tf b/fast/stages/01-resman/branch-teams.tf
index 3c9a2d69..168e81ca 100644
--- a/fast/stages/01-resman/branch-teams.tf
+++ b/fast/stages/01-resman/branch-teams.tf
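Review bot: The deleted comment was the only place recording that the per-team service accounts (`module.branch-teams-team-sa`) can be added to the `roles/billing.user` list here, and the new concat does not replace it with either the grant or a note; the same commit gives those SAs `roles/resourcemanager.projectCreator` on their folders in branch-teams.tf, so as far as this file shows a team SA can create a project but not attach it to the billing account. If that is the intended posture, make it explicit above the list: `# per-team SAs deliberately get no billing role: project creation is delegated to the project factory SAs`. If teams are meant to create projects directly, the list needs `[for k, v in module.branch-teams-team-sa : v.iam_email]`, which is a privilege expansion worth keeping opt-in rather than silently dropping. The `locals` block this list belongs to starts before the hunk.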
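Review bot: The production folder binding moves from `roles/compute.xpnAdmin` to the `service_project_network_admin` custom role, which changes the effective permissions of the dp/pf prod SAs and is more than the refactor the commit message describes; the hunk does not say why, and a reader comparing with the previous revision may "restore" it. Aligning prod with dev is the right least-privilege direction, so record the intent in place, e.g. `# custom role instead of xpnAdmin: these SAs attach service projects, they should not create hosts` (adjust if the prod SAs really do need host-project rights), and mention the permission change in the changelog entry for #766.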
@@ -21,11 +21,22 @@ moved {
 to = module.branch-teams-folder.0
 }
+# TODO(ludo): add support for CI/CD
+ ############### top-level Teams branch and automation resources ###############
+
 module "branch-teams-folder" {
 source = "../../../modules/folder"
 count = var.fast_features.teams ? 1 : 0
 parent = "organizations/${var.organization.id}"
 name = "Teams"
+ iam = {
+ "roles/logging.admin" = [module.branch-teams-sa.0.iam_email]
+ "roles/owner" = [module.branch-teams-sa.0.iam_email]
+ "roles/resourcemanager.folderAdmin" = [module.branch-teams-sa.0.iam_email]
+ "roles/resourcemanager.projectCreator" = [module.branch-teams-sa.0.iam_email]
+ "roles/compute.xpnAdmin" = [module.branch-teams-sa.0.iam_email]
+ }
 tag_bindings = {
 context = try(
 module.organization.tag_values["${var.tag_names.context}/teams"].id, null
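Review bot: The new `iam` block grants the teams automation SA `roles/owner` and `roles/compute.xpnAdmin` on the entire Teams folder, in the same commit that narrows the networking folders from `xpnAdmin` to the `service_project_network_admin` custom role, and the per-environment folders later in this file carry a `# remove owner here and at project level if SA does not manage project resources` hint that this block lacks. If the SA only needs to create folders and projects and attach them to the shared VPC, `(local.custom_roles.service_project_network_admin) = [module.branch-teams-sa.0.iam_email]` is the consistent, narrower choice; if it genuinely must create Shared VPC host projects, say so in a comment. Either way, copy the `# remove owner ...` hint onto this block so the broad grant reads as a decision rather than an oversight. `module.branch-teams-folder` continues past the end of the hunk.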
@@ -33,27 +44,44 @@ module "branch-teams-folder" {
 }
 }
-moved {
- from = module.branch-teams-prod-sa
- to = module.branch-teams-prod-sa.0
-}
-
-module "branch-teams-prod-sa" {
+module "branch-teams-sa" {
 source = "../../../modules/iam-service-account"
 count = var.fast_features.teams ? 1 : 0
 project_id = var.automation.project_id
 name = "prod-resman-teams-0"
- description = "Terraform resman production service account."
+ description = "Terraform resman teams service account."
 prefix = var.prefix
+ iam_storage_roles = {
+ (var.automation.outputs_bucket) = ["roles/storage.admin"]
+ }
 }
-# Team-level folders, service accounts and buckets for each individual team
+module "branch-teams-gcs" {
+ source = "../../../modules/gcs"
+ count = var.fast_features.teams ? 1 : 0
+ project_id = var.automation.project_id
+ name = "prod-resman-teams-0"
+ prefix = var.prefix
+ versioning = true
+ iam = {
+ "roles/storage.objectAdmin" = [module.branch-teams-sa.0.iam_email]
+ }
+}
+
+################## per-team folders and automation resources ##################
 module "branch-teams-team-folder" {
- source = "../../../modules/folder"
- for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
- parent = module.branch-teams-folder.0.id
- name = each.value.descriptive_name
+ source = "../../../modules/folder"
+ for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
+ parent = module.branch-teams-folder.0.id
+ name = each.value.descriptive_name
+ iam = {
+ "roles/logging.admin" = [module.branch-teams-team-sa[each.key].iam_email]
+ "roles/owner" = [module.branch-teams-team-sa[each.key].iam_email]
+ "roles/resourcemanager.folderAdmin" = [module.branch-teams-team-sa[each.key].iam_email]
+ "roles/resourcemanager.projectCreator" = [module.branch-teams-team-sa[each.key].iam_email]
+ "roles/compute.xpnAdmin" = [module.branch-teams-team-sa[each.key].iam_email]
+ }
 group_iam = each.value.group_iam == null ? {} : each.value.group_iam
 }
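Review bot: Renaming `module.branch-teams-prod-sa` to `module.branch-teams-sa` without a `moved` block means existing deployments will plan a destroy and recreate of the `prod-resman-teams-0` service account and every binding that references it: the hunk deletes the old `moved { from = module.branch-teams-prod-sa to = module.branch-teams-prod-sa.0 }` shim but adds nothing for the new name. The fix is three lines next to the surviving `moved` block at the top of the file: `moved { from = module.branch-teams-prod-sa.0 to = module.branch-teams-sa.0 }`. A recreated account keeps its email but gets a new unique id, so any grant made outside this state against the old identity would be orphaned; I can't see whether such grants exist. Separately, `iam_storage_roles` gives the SA `roles/storage.admin` on the shared outputs bucket while its own bucket only gets `roles/storage.objectAdmin`; unless the teams SA has to manage that bucket's IAM, `objectAdmin` is the narrower grant for reading and writing outputs.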
@@ -85,7 +113,7 @@ module "branch-teams-team-gcs" {
 }
 }
-# project factory per-team environment folders
+# per-team environment folders where project factory SAs can create projects
 module "branch-teams-team-dev-folder" {
 source = "../../../modules/folder"
@@ -96,12 +124,14 @@ module "branch-teams-team-dev-folder" {
 # environment-wide human permissions on the whole teams environment
 group_iam = {}
 iam = {
- (local.custom_roles.service_project_network_admin) = [module.branch-pf-dev-sa.0.iam_email]
+ (local.custom_roles.service_project_network_admin) = (
+ local.branch_optional_sa_lists.pf-dev
+ )
 # remove owner here and at project level if SA does not manage project resources
- "roles/owner" = [module.branch-pf-dev-sa.0.iam_email]
- "roles/logging.admin" = [module.branch-pf-dev-sa.0.iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-pf-dev-sa.0.iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-pf-dev-sa.0.iam_email]
+ "roles/owner" = local.branch_optional_sa_lists.pf-dev
+ "roles/logging.admin" = local.branch_optional_sa_lists.pf-dev
+ "roles/resourcemanager.folderAdmin" = local.branch_optional_sa_lists.pf-dev
+ "roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-dev
 }
 tag_bindings = {
 environment = try(
@@ -119,12 +149,14 @@ module "branch-teams-team-prod-folder" {
 # environment-wide human permissions on the whole teams environment
 group_iam = {}
 iam = {
- (local.custom_roles.service_project_network_admin) = [module.branch-pf-prod-sa.0.iam_email]
+ (local.custom_roles.service_project_network_admin) = (
+ local.branch_optional_sa_lists.pf-prod
+ )
 # remove owner here and at project level if SA does not manage project resources
- "roles/owner" = [module.branch-pf-prod-sa.0.iam_email]
- "roles/logging.admin" = [module.branch-pf-prod-sa.0.iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-pf-prod-sa.0.iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-pf-prod-sa.0.iam_email]
+ "roles/owner" = local.branch_optional_sa_lists.pf-prod
+ "roles/logging.admin" = local.branch_optional_sa_lists.pf-prod
+ "roles/resourcemanager.folderAdmin" = local.branch_optional_sa_lists.pf-prod
+ "roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-prod
 }
 tag_bindings = {
 environment = try(
diff --git a/fast/stages/01-resman/main.tf b/fast/stages/01-resman/main.tf
index c4095796..0928498f 100644
--- a/fast/stages/01-resman/main.tf
+++ b/fast/stages/01-resman/main.tf
@@ -26,6 +26,12 @@ locals {
 billing_ext = var.billing_account.organization_id == null
 billing_org = var.billing_account.organization_id == var.organization.id
 billing_org_ext = !local.billing_ext && !local.billing_org
+ branch_optional_sa_lists = {
+ dp-dev = compact([try(module.branch-dp-dev-sa.0.iam_email, "")])
+ dp-prod = compact([try(module.branch-dp-prod-sa.0.iam_email, "")])
+ pf-dev = compact([try(module.branch-pf-dev-sa.0.iam_email, "")])
+ pf-prod = compact([try(module.branch-pf-prod-sa.0.iam_email, "")])
+ }
 cicd_repositories = {
 for k, v in coalesce(var.cicd_repositories, {}) : k => v if(
@@ -57,7 +63,6 @@ locals {
 "02-security.auto.tfvars.json"
 ]
 }
-
 custom_roles = coalesce(var.custom_roles, {})
 groups = {
 for k, v in var.groups :
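Review bot: `branch_optional_sa_lists` in the main.tf hunk becomes the single source for IAM member lists in billing.tf, branch-networking.tf, branch-teams.tf and organization.tf in this commit, yet it carries no comment, and the `compact([try(module.x.0.iam_email, "")])` idiom (an empty list when the module is not instantiated, so `concat` and direct binding both work without guards) is not something a later reader will infer from the name. Suggest a comment above the local: `# optional branch SA emails as single-element lists, empty when the branch is disabled, so they can be concat'd or bound directly`. It may also be worth stating that every consumer must tolerate an empty member list, since that is now the failure mode if a folder module rejects empty bindings; I can't see the folder module from here. The enclosing `locals` block starts before the hunk.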
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 1c012caa..da89528a 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -18,23 +18,6 @@ locals {
- branch_dataplatform_sa_iam_emails = (
- var.fast_features.data_platform
- ? [
- module.branch-dp-dev-sa.0.iam_email,
- module.branch-dp-prod-sa.0.iam_email
- ]
- : []
- )
- # set to the empty list if you remove the teams branch
- branch_teams_pf_sa_iam_emails = (
- var.fast_features.project_factory
- ? [
- module.branch-pf-dev-sa.0.iam_email,
- module.branch-pf-prod-sa.0.iam_email
- ]
- : []
- )
 list_allow = {
 inherit_from_parent = false
 suggested_value = null
@@ -72,18 +55,19 @@ module "organization" {
 ]
 },
 local.billing_org ? {
- "roles/billing.costsManager" = local.branch_teams_pf_sa_iam_emails
+ "roles/billing.costsManager" = concat(
+ local.branch_optional_sa_lists.pf-dev,
+ local.branch_optional_sa_lists.pf-prod
+ )
 "roles/billing.user" = concat(
 [
 module.branch-network-sa.iam_email,
 module.branch-security-sa.iam_email,
 ],
- local.branch_dataplatform_sa_iam_emails,
- # enable if individual teams can create their own projects
- # [
- # for k, v in module.branch-teams-team-sa : v.iam_email
- # ],
- local.branch_teams_pf_sa_iam_emails
+ local.branch_optional_sa_lists.dp-dev,
+ local.branch_optional_sa_lists.dp-prod,
+ local.branch_optional_sa_lists.pf-dev,
+ local.branch_optional_sa_lists.pf-prod,
 )
 } : {}
 )
diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
index 9e0b6a17..51f0aa37 100644
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
@@ -127,7 +127,24 @@ locals {
 name = "sandbox"
 sa = module.branch-sandbox-sa.0.email
 })
- }
+ },
+ !var.fast_features.teams ? {} : merge(
+ {
+ "03-teams" = templatefile(local._tpl_providers, {
+ bucket = module.branch-teams-gcs.0.name
+ name = "teams"
+ sa = module.branch-teams-sa.0.email
+ })
+ },
+ {
+ for k, v in module.branch-teams-team-sa :
+ "03-teams-${k}" => templatefile(local._tpl_providers, {
+ bucket = module.branch-teams-team-gcs[k].name
+ name = "teams"
+ sa = v.email
+ })
+ }
+ )
 )
 service_accounts = merge(
 {
@@ -138,7 +155,7 @@ locals {
 project-factory-prod = try(module.branch-pf-prod-sa.0.email, null)
 sandbox = try(module.branch-sandbox-sa.0.email, null)
 security = module.branch-security-sa.email
- teams = try(module.branch-teams-prod-sa.0.email, null)
+ teams = try(module.branch-teams-sa.0.email, null)
 },
 {
 for k, v in module.branch-teams-team-sa : "team-${k}" => v.email
From a48314cda3e9072ad0ba4ff1d6eee20ce6c9fbf3 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Wed, 3 Aug 2022 17:03:31 +0200 Subject: [PATCH 3/3] update changelog
---
CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac15056d..020e618f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
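Review bot: Every per-team provider file produced by the `for k, v in module.branch-teams-team-sa` loop is rendered with the same `name = "teams"` as the top-level `"03-teams"` entry, so the rendered files differ only in `bucket` and `sa` and nothing in them identifies which team they belong to. I can't see `local._tpl_providers`; if `name` is used for anything identifying (a backend prefix, a header comment), `name = "teams-${k}"` would make the files self-describing and avoid mix-ups when several are written to the same outputs location, and if `name` is unused the loop could drop it. Also worth a one-line comment that the `"03-teams-<key>"` keys are the new per-team stage providers, since the README's consumer column still only lists `xx-teams`. The enclosing `locals` block starts before the hunk.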
@@ -9,6 +9,8 @@ All notable changes to this project will be documented in this file.
 ### FAST
+- [[#766](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/766)] FAST: refactor teams branch ([ludoo](https://github.com/ludoo))
+- [[#765](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/765)] FAST: move region trigrams to a variable in network stages ([ludoo](https://github.com/ludoo))
 - [[#759](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/759)] FAST: fix missing value to format principalSet ([imp14a](https://github.com/imp14a))
 - [[#753](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/753)] Add support for IAM bindings on service accounts to project factory ([ludoo](https://github.com/ludoo))
 - [[#745](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/745)] FAST: specify gitlab / github providers in CI/CD stage ([imp14a](https://github.com/imp14a))
@@ -78,7 +80,7 @@ All notable changes to this project will be documented in this file.
 - [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo))
 - [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo))
-- [[#680](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/680)] Toos: fix Raise ValueError when check_names detects overlong names ([27Bslash6](https://github.com/27Bslash6))
+- [[#680](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/680)] Tools: fix `ValueError` raised in `check_names.py` when overlong names are detected ([27Bslash6](https://github.com/27Bslash6))
 - [[#672](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/672)] Module attribution and version updater tool, plus release automation ([rosmo](https://github.com/rosmo))