diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..b29437ba --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,32 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**Environment** +``` +output from `terraform -version` +``` + +``` +output from `git rev-parse --short HEAD` +``` + +**To Reproduce** +Steps to reproduce the behavior + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Result** +Terraform output and/or error messages + +**Additional context** +Add any other context about the problem here diff --git a/.github/labeler.yml b/.github/labeler.yml index eb6dcfa3..be3a2828 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/.github/workflows/daily-tag.yml b/.github/workflows/daily-tag.yml index 99424ad6..7ae775a3 100644 --- a/.github/workflows/daily-tag.yml +++ b/.github/workflows/daily-tag.yml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index c68c4dd3..83da309d 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/CHANGELOG.md b/CHANGELOG.md index 1bfafeac..8db6afb3 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file. ### BLUEPRINTS +- [[#1765](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1765)] Add support for dual stack and multiple forwarding rules to net-lb-int module ([LucaPrete](https://github.com/LucaPrete)) - [[#1748](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1748)] Bump golang.org/x/net from 0.7.0 to 0.17.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/restarter ([dependabot[bot]](https://github.com/dependabot[bot])) - [[#1747](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1747)] Bump golang.org/x/net from 0.7.0 to 0.17.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker ([dependabot[bot]](https://github.com/dependabot[bot])) - [[#1735](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1735)] Make deletion protection consistent across all modules ([juliocc](https://github.com/juliocc)) @@ -18,6 +19,7 @@ All notable changes to this project will be documented in this file. ### FAST +- [[#1765](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1765)] Add support for dual stack and multiple forwarding rules to net-lb-int module ([LucaPrete](https://github.com/LucaPrete)) - [[#1760](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1760)] Add support for psa peered domains to fast stages ([ludoo](https://github.com/ludoo)) - [[#1759](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1759)] Minor edits to FAST network stage READMEs ([ludoo](https://github.com/ludoo)) - [[#1743](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1743)] Billing account module ([ludoo](https://github.com/ludoo)) 
@@ -27,6 +29,9 @@ All notable changes to this project will be documented in this file. ### MODULES +- [[#1771](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1771)] Fix resource manager tag bindings in compute-vm module ([ludoo](https://github.com/ludoo)) +- [[#1769](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1769)] Remove incompatible balancing_mode ([wiktorn](https://github.com/wiktorn)) +- [[#1765](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1765)] Add support for dual stack and multiple forwarding rules to net-lb-int module ([LucaPrete](https://github.com/LucaPrete)) - [[#1762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1762)] Make subnets depend on proxy only subnets ([juliocc](https://github.com/juliocc)) - [[#1757](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1757)] Add autoclass to GCS ([jeroenmonteban](https://github.com/jeroenmonteban)) - [[#1756](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1756)] Exposed stack_type variable in compute_vm module ([luigi-bitonti](https://github.com/luigi-bitonti)) diff --git a/blueprints/apigee/bigquery-analytics/send-requests.sh b/blueprints/apigee/bigquery-analytics/send-requests.sh index b8908925..325cad78 100755 --- a/blueprints/apigee/bigquery-analytics/send-requests.sh +++ b/blueprints/apigee/bigquery-analytics/send-requests.sh @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/apigee/bigquery-analytics/templates/create-datastore.sh.tpl b/blueprints/apigee/bigquery-analytics/templates/create-datastore.sh.tpl index b163b97c..85c13005 100644 --- a/blueprints/apigee/bigquery-analytics/templates/create-datastore.sh.tpl +++ b/blueprints/apigee/bigquery-analytics/templates/create-datastore.sh.tpl 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/apigee/bigquery-analytics/templates/deploy-apiproxy.sh.tpl b/blueprints/apigee/bigquery-analytics/templates/deploy-apiproxy.sh.tpl index c80abebf..7986a51a 100644 --- a/blueprints/apigee/bigquery-analytics/templates/deploy-apiproxy.sh.tpl +++ b/blueprints/apigee/bigquery-analytics/templates/deploy-apiproxy.sh.tpl @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/apigee/hybrid-gke/ansible/playbook.yaml b/blueprints/apigee/hybrid-gke/ansible/playbook.yaml index 1daa4d86..eb46c6e2 100644 --- a/blueprints/apigee/hybrid-gke/ansible/playbook.yaml +++ b/blueprints/apigee/hybrid-gke/ansible/playbook.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/apigee/hybrid-gke/templates/deploy-apiproxy.sh.tpl b/blueprints/apigee/hybrid-gke/templates/deploy-apiproxy.sh.tpl index 4145e0d8..e9d22e3e 100644 --- a/blueprints/apigee/hybrid-gke/templates/deploy-apiproxy.sh.tpl +++ b/blueprints/apigee/hybrid-gke/templates/deploy-apiproxy.sh.tpl @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/templates/deploy-apiproxy.sh.tpl b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/templates/deploy-apiproxy.sh.tpl index 21a0be14..3a62b576 100644 --- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/templates/deploy-apiproxy.sh.tpl +++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/templates/deploy-apiproxy.sh.tpl @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/ansible/playbook.yaml b/blueprints/cloud-operations/adfs/ansible/playbook.yaml index 9b2db5ab..6c387aec 100644 --- a/blueprints/cloud-operations/adfs/ansible/playbook.yaml +++ b/blueprints/cloud-operations/adfs/ansible/playbook.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/ansible/roles/ad-provisioning/tasks/main.yaml b/blueprints/cloud-operations/adfs/ansible/roles/ad-provisioning/tasks/main.yaml index f95bc7f0..79cddd9f 100644 --- a/blueprints/cloud-operations/adfs/ansible/roles/ad-provisioning/tasks/main.yaml +++ b/blueprints/cloud-operations/adfs/ansible/roles/ad-provisioning/tasks/main.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/ansible/roles/adfs-installation/tasks/main.yaml b/blueprints/cloud-operations/adfs/ansible/roles/adfs-installation/tasks/main.yaml index ccbe99d2..cb59908a 100644 
--- a/blueprints/cloud-operations/adfs/ansible/roles/adfs-installation/tasks/main.yaml +++ b/blueprints/cloud-operations/adfs/ansible/roles/adfs-installation/tasks/main.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/ansible/roles/adfs-prerequisites/tasks/main.yaml b/blueprints/cloud-operations/adfs/ansible/roles/adfs-prerequisites/tasks/main.yaml index eeb6e1fc..6f560e6a 100644 --- a/blueprints/cloud-operations/adfs/ansible/roles/adfs-prerequisites/tasks/main.yaml +++ b/blueprints/cloud-operations/adfs/ansible/roles/adfs-prerequisites/tasks/main.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/ansible/roles/anthos/tasks/main.yaml b/blueprints/cloud-operations/adfs/ansible/roles/anthos/tasks/main.yaml index 4ca1d7f2..1a123093 100644 --- a/blueprints/cloud-operations/adfs/ansible/roles/anthos/tasks/main.yaml +++ b/blueprints/cloud-operations/adfs/ansible/roles/anthos/tasks/main.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/ansible/roles/server-setup/tasks/main.yaml b/blueprints/cloud-operations/adfs/ansible/roles/server-setup/tasks/main.yaml index 6b846f41..63048ccf 100644 --- a/blueprints/cloud-operations/adfs/ansible/roles/server-setup/tasks/main.yaml +++ b/blueprints/cloud-operations/adfs/ansible/roles/server-setup/tasks/main.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/main.tf b/blueprints/cloud-operations/adfs/main.tf index d6d31f84..b0cde26e 100644 --- a/blueprints/cloud-operations/adfs/main.tf +++ b/blueprints/cloud-operations/adfs/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/outputs.tf b/blueprints/cloud-operations/adfs/outputs.tf index 371dd477..d1e7b300 100644 --- a/blueprints/cloud-operations/adfs/outputs.tf +++ b/blueprints/cloud-operations/adfs/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/scripts/ad-provisioning/main.py b/blueprints/cloud-operations/adfs/scripts/ad-provisioning/main.py index e27c3ebb..92275438 100644 --- a/blueprints/cloud-operations/adfs/scripts/ad-provisioning/main.py +++ b/blueprints/cloud-operations/adfs/scripts/ad-provisioning/main.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/scripts/anthos.ps1 b/blueprints/cloud-operations/adfs/scripts/anthos.ps1 index 5b98b568..f1ff87da 100644 --- a/blueprints/cloud-operations/adfs/scripts/anthos.ps1 +++ b/blueprints/cloud-operations/adfs/scripts/anthos.ps1 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/templates/gssh.sh.tpl b/blueprints/cloud-operations/adfs/templates/gssh.sh.tpl index c61460ba..b366231d 100644 --- a/blueprints/cloud-operations/adfs/templates/gssh.sh.tpl +++ b/blueprints/cloud-operations/adfs/templates/gssh.sh.tpl @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/templates/vars.yaml.tpl b/blueprints/cloud-operations/adfs/templates/vars.yaml.tpl index 8e67a549..4b1bd8ae 100644 --- a/blueprints/cloud-operations/adfs/templates/vars.yaml.tpl +++ b/blueprints/cloud-operations/adfs/templates/vars.yaml.tpl @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/adfs/variables.tf b/blueprints/cloud-operations/adfs/variables.tf index 66c1276d..b5d95398 100644 --- a/blueprints/cloud-operations/adfs/variables.tf +++ b/blueprints/cloud-operations/adfs/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/asset-inventory-feed-remediation/backend.tf.sample b/blueprints/cloud-operations/asset-inventory-feed-remediation/backend.tf.sample index 36f4e8b8..e2e2c2e2 100644 --- a/blueprints/cloud-operations/asset-inventory-feed-remediation/backend.tf.sample 
+++ b/blueprints/cloud-operations/asset-inventory-feed-remediation/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/asset-inventory-feed-remediation/cf/main.py b/blueprints/cloud-operations/asset-inventory-feed-remediation/cf/main.py index 8a46eb13..75b857d8 100755 --- a/blueprints/cloud-operations/asset-inventory-feed-remediation/cf/main.py +++ b/blueprints/cloud-operations/asset-inventory-feed-remediation/cf/main.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/backend.tf.sample b/blueprints/cloud-operations/dns-fine-grained-iam/backend.tf.sample index 0b20c04a..98766c2b 100644 --- a/blueprints/cloud-operations/dns-fine-grained-iam/backend.tf.sample +++ b/blueprints/cloud-operations/dns-fine-grained-iam/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/versions.tf b/blueprints/cloud-operations/dns-fine-grained-iam/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/cloud-operations/dns-fine-grained-iam/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/cloud-operations/dns-shared-vpc/versions.tf b/blueprints/cloud-operations/dns-shared-vpc/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/cloud-operations/dns-shared-vpc/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - 
diff --git a/blueprints/cloud-operations/iam-delegated-role-grants/audit.py b/blueprints/cloud-operations/iam-delegated-role-grants/audit.py index 75488c9b..42fc8ed8 100644 --- a/blueprints/cloud-operations/iam-delegated-role-grants/audit.py +++ b/blueprints/cloud-operations/iam-delegated-role-grants/audit.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/iam-delegated-role-grants/versions.tf b/blueprints/cloud-operations/iam-delegated-role-grants/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/cloud-operations/iam-delegated-role-grants/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/cloud-operations/network-dashboard/dashboards/quotas-utilization.json b/blueprints/cloud-operations/network-dashboard/dashboards/quotas-utilization.json index 361eb821..dc4904d7 100644 --- a/blueprints/cloud-operations/network-dashboard/dashboards/quotas-utilization.json 
+++ b/blueprints/cloud-operations/network-dashboard/dashboards/quotas-utilization.json @@ -59,7 +59,7 @@ "alignmentPeriod": "3600s", "perSeriesAligner": "ALIGN_NEXT_OLDER" }, - "filter": "metric.type=\"custom.googleapis.com/netmon/network/forwarding_rules_l4_used_ratio\" resource.type=\"global\"", + "filter": "metric.type=\"custom.googleapis.com/netmon/network/forwarding_rules_l7_used_ratio\" resource.type=\"global\"", "secondaryAggregation": { "alignmentPeriod": "60s", "perSeriesAligner": "ALIGN_MEAN" diff --git a/blueprints/cloud-operations/network-dashboard/deploy-cloud-function/main.tf b/blueprints/cloud-operations/network-dashboard/deploy-cloud-function/main.tf index a6da87ca..337c800d 100644 --- a/blueprints/cloud-operations/network-dashboard/deploy-cloud-function/main.tf +++ b/blueprints/cloud-operations/network-dashboard/deploy-cloud-function/main.tf @@ -47,7 +47,7 @@ module "pubsub" { project_id = module.project.project_id name = var.name regions = [var.region] - subscriptions = { "${var.name}-default" = null } + subscriptions = {} } module "cloud-function" { diff --git a/blueprints/cloud-operations/network-dashboard/src/main.py b/blueprints/cloud-operations/network-dashboard/src/main.py index 3d0568b6..b05cac6a 100755 --- a/blueprints/cloud-operations/network-dashboard/src/main.py +++ b/blueprints/cloud-operations/network-dashboard/src/main.py @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/__init__.py b/blueprints/cloud-operations/network-dashboard/src/plugins/__init__.py index 1bdc4cb2..b4e87e35 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/__init__.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/__init__.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/core-discover-cai-nodes.py b/blueprints/cloud-operations/network-dashboard/src/plugins/core-discover-cai-nodes.py index dc5c5324..30082a8d 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/core-discover-cai-nodes.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/core-discover-cai-nodes.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -69,6 +69,13 @@ def start_discovery(resources, response=None, data=None): LOGGER.info(f'discovery (has response: {response is not None})') if response is None: # return initial discovery URLs + if not resources['config:folders'] and not resources['config:projects']: + LOGGER.info( + f'No monitored project or folder given, defaulting to discovery root: {resources["config:discovery_root"]}' + ) + dr_node = resources["config:discovery_root"].split("/")[0] + dr_value = resources["config:discovery_root"].split("/")[1] + yield HTTPRequest(CAI_URL.format(f'{dr_node}/{dr_value}'), {}, None) for v in resources['config:folders']: yield HTTPRequest(CAI_URL.format(f'folders/{v}'), {}, None) for v in resources['config:projects']: diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-cai.py b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-cai.py index 16d2c5b8..246ebfe0 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-cai.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-cai.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -216,11 +216,13 @@ def _handle_sql_instances(resource, data): 'name': data['name'], 'self_link': _self_link(data['selfLink']), 'ipAddresses': [ - i['ipAddress'] for i in data['ipAddresses'] if i['type'] == 'PRIVATE' + i['ipAddress'] + for i in data.get('ipAddresses') + if i['type'] == 'PRIVATE' ], 'region': data['region'], 'availabilityType': data['settings']['availabilityType'], - 'network': data['settings']['ipConfiguration']['privateNetwork'] + 'network': data['settings']['ipConfiguration'].get('privateNetwork') } diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-compute-quota.py b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-compute-quota.py index 9801803a..7982b440 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-compute-quota.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-compute-quota.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-compute-routerstatus.py b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-compute-routerstatus.py index cd2840b7..5ed0cf17 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-compute-routerstatus.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-compute-routerstatus.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-group-networks.py b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-group-networks.py index a0cfec06..5e17a555 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-group-networks.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-group-networks.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-metric-descriptors.py b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-metric-descriptors.py index a9e4090d..5b9b6f6e 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/discover-metric-descriptors.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/discover-metric-descriptors.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/monitoring.py b/blueprints/cloud-operations/network-dashboard/src/plugins/monitoring.py index de4eae89..f3181599 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/monitoring.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/monitoring.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,9 +17,9 @@ import collections import datetime import json import logging +import time from . import HTTPRequest -from .utils import batched DESCRIPTOR_TYPE_BASE = 'custom.googleapis.com/{}' DESCRIPTOR_URL = ('https://content-monitoring.googleapis.com/v3' @@ -74,6 +74,7 @@ def timeseries_requests(project_id, root, timeseries, descriptors): bucket.append(ts) LOGGER.info(f'metric types {list(ts_buckets.keys())}') ts_buckets = list(ts_buckets.values()) + api_calls, t = 0, time.time() while ts_buckets: data = {'timeSeries': []} for bucket in ts_buckets: @@ -103,4 +104,13 @@ def timeseries_requests(project_id, root, timeseries, descriptors): tot_num = sum(len(b) for b in ts_buckets) LOGGER.info(f'sending {req_num} remaining: {tot_num}') yield HTTPRequest(url, HEADERS, json.dumps(data)) + api_calls += 1 + # Default quota is 180 request per minute per user + if api_calls >= 170: + td = time.time() - t + if td < 60: + LOGGER.info( + f'Pausing for {round(60 - td)}s to avoid monitoring quota issues') + time.sleep(60 - td) + api_calls, t = 0, time.time() ts_buckets = [b for b in ts_buckets if b] diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/series-firewall-policies.py b/blueprints/cloud-operations/network-dashboard/src/plugins/series-firewall-policies.py index defd6975..0f9eafa9 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/series-firewall-policies.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/series-firewall-policies.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/series-firewall-rules.py b/blueprints/cloud-operations/network-dashboard/src/plugins/series-firewall-rules.py index 63cc5e20..b909520a 100644 
--- a/blueprints/cloud-operations/network-dashboard/src/plugins/series-firewall-rules.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/series-firewall-rules.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/series-networks.py b/blueprints/cloud-operations/network-dashboard/src/plugins/series-networks.py index 40e7f42a..27d411f5 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/series-networks.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/series-networks.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/series-peering-groups.py b/blueprints/cloud-operations/network-dashboard/src/plugins/series-peering-groups.py index 9f792685..f1b7fa17 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/series-peering-groups.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/series-peering-groups.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/series-psa.py b/blueprints/cloud-operations/network-dashboard/src/plugins/series-psa.py index 82e06009..f2e676d7 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/series-psa.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/series-psa.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/series-routes.py b/blueprints/cloud-operations/network-dashboard/src/plugins/series-routes.py index 2d951a70..ffdda249 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/series-routes.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/series-routes.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/series-subnets.py b/blueprints/cloud-operations/network-dashboard/src/plugins/series-subnets.py index a9f0a5f3..b130ca4e 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/series-subnets.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/series-subnets.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/network-dashboard/src/plugins/utils.py b/blueprints/cloud-operations/network-dashboard/src/plugins/utils.py index 5be65998..b4feb1cc 100644 --- a/blueprints/cloud-operations/network-dashboard/src/plugins/utils.py +++ b/blueprints/cloud-operations/network-dashboard/src/plugins/utils.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
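Review bot: the quota pause added to `timeseries_requests` (the `import time` hunk) only enforces a fixed window that starts at the first request of each 170-call batch, so bursts can still exceed 180 requests per minute: if the first 170 calls take more than 60s, `td < 60` is false, no sleep happens and `api_calls, t` are reset, after which the next 170 calls can go out in a few seconds while the tail of the previous batch still counts against the same minute. Track the send times in a `collections.deque` (already imported) and sleep until the oldest of the last 180 is more than 60s old, or at least reset `t` whenever a full minute has elapsed regardless of the counter. Two smaller points in the same hunk: use `time.monotonic()` rather than `time.time()` for elapsed-time measurement, since a wall-clock step backwards makes `60 - td` far too large and a step forwards skips the pause entirely; and lift the magic numbers 170 and 60 into named module constants next to the quota comment (which should read "180 requests per minute"). Finally, `from .utils import batched` is removed, so confirm nothing else in the module still references `batched`, and note that this throttle is proactive only: the hunk adds no handling for an HTTP 429 / RESOURCE_EXHAUSTED response from the Monitoring API, so the caller that consumes these `HTTPRequest`s still needs a retry with backoff.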
diff --git a/blueprints/cloud-operations/network-dashboard/src/tools/remove-descriptors.py b/blueprints/cloud-operations/network-dashboard/src/tools/remove-descriptors.py index 93b1110e..083ce93d 100755 --- a/blueprints/cloud-operations/network-dashboard/src/tools/remove-descriptors.py +++ b/blueprints/cloud-operations/network-dashboard/src/tools/remove-descriptors.py @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/onprem-sa-key-management/backend.tf.sample b/blueprints/cloud-operations/onprem-sa-key-management/backend.tf.sample index a22a87d8..4ef7e443 100644 --- a/blueprints/cloud-operations/onprem-sa-key-management/backend.tf.sample +++ b/blueprints/cloud-operations/onprem-sa-key-management/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/onprem-sa-key-management/versions.tf b/blueprints/cloud-operations/onprem-sa-key-management/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/cloud-operations/onprem-sa-key-management/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/cloud-operations/packer-image-builder/packer/install_httpd.sh b/blueprints/cloud-operations/packer-image-builder/packer/install_httpd.sh index 6d0c6a8e..f3061500 100644 --- a/blueprints/cloud-operations/packer-image-builder/packer/install_httpd.sh +++ b/blueprints/cloud-operations/packer-image-builder/packer/install_httpd.sh @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/packer-image-builder/versions.tf b/blueprints/cloud-operations/packer-image-builder/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/cloud-operations/packer-image-builder/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/cloud-operations/quota-monitoring/backend.tf.sample b/blueprints/cloud-operations/quota-monitoring/backend.tf.sample index a0a18aed..8c5f5e6e 100644 --- a/blueprints/cloud-operations/quota-monitoring/backend.tf.sample +++ b/blueprints/cloud-operations/quota-monitoring/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/quota-monitoring/versions.tf b/blueprints/cloud-operations/quota-monitoring/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/cloud-operations/quota-monitoring/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/backend.tf.sample b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/backend.tf.sample index fafd25d5..fe1c13e7 100644 --- a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/backend.tf.sample +++ b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/cf/main.py b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/cf/main.py index 85bba465..2204cd9a 100755 --- a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/cf/main.py +++ b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/cf/main.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/cffile/main.py b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/cffile/main.py index ed2e54b8..a42d1748 100755 --- a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/cffile/main.py +++ b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/cffile/main.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/versions.tf b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - 
diff --git a/blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/variables.tf b/blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/variables.tf index 3fc54afb..220466cc 100644 --- a/blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/variables.tf +++ b/blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf b/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf index 11e63ee5..0f1fe019 100644 --- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf +++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/outputs.tf b/blueprints/cloud-operations/unmanaged-instances-healthcheck/outputs.tf index 2c347509..729eaf5f 100644 --- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/outputs.tf +++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/variables.tf b/blueprints/cloud-operations/unmanaged-instances-healthcheck/variables.tf index 14409a66..5344cd1c 100644 
--- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/variables.tf +++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/esxi/main.tf b/blueprints/cloud-operations/vm-migration/esxi/main.tf index ead0fd97..3b1de023 100644 --- a/blueprints/cloud-operations/vm-migration/esxi/main.tf +++ b/blueprints/cloud-operations/vm-migration/esxi/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/esxi/provider.tf b/blueprints/cloud-operations/vm-migration/esxi/provider.tf index 4361013a..5951f056 100644 --- a/blueprints/cloud-operations/vm-migration/esxi/provider.tf +++ b/blueprints/cloud-operations/vm-migration/esxi/provider.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/esxi/variables.tf b/blueprints/cloud-operations/vm-migration/esxi/variables.tf index 34d2157b..e7e1c9f4 100644 --- a/blueprints/cloud-operations/vm-migration/esxi/variables.tf +++ b/blueprints/cloud-operations/vm-migration/esxi/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/cloud-operations/vm-migration/esxi/vsphere.tf b/blueprints/cloud-operations/vm-migration/esxi/vsphere.tf index 3a8376b3..53ba293b 100644 --- a/blueprints/cloud-operations/vm-migration/esxi/vsphere.tf +++ b/blueprints/cloud-operations/vm-migration/esxi/vsphere.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/host-target-projects/backend.tf.sample b/blueprints/cloud-operations/vm-migration/host-target-projects/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-projects/backend.tf.sample +++ b/blueprints/cloud-operations/vm-migration/host-target-projects/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/host-target-projects/main.tf b/blueprints/cloud-operations/vm-migration/host-target-projects/main.tf index 44dc354d..ffe19839 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-projects/main.tf +++ b/blueprints/cloud-operations/vm-migration/host-target-projects/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/host-target-projects/outputs.tf b/blueprints/cloud-operations/vm-migration/host-target-projects/outputs.tf index 2db8f1ae..36b30852 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-projects/outputs.tf +++ b/blueprints/cloud-operations/vm-migration/host-target-projects/outputs.tf 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/host-target-projects/variables.tf b/blueprints/cloud-operations/vm-migration/host-target-projects/variables.tf index 890fc823..16e4bcba 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-projects/variables.tf +++ b/blueprints/cloud-operations/vm-migration/host-target-projects/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/backend.tf.sample b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/backend.tf.sample +++ b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/main.tf b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/main.tf index ea09243b..037b8115 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/main.tf +++ b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/outputs.tf b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/outputs.tf index c772de5f..73135538 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/outputs.tf +++ b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/variables.tf b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/variables.tf index 556911e6..20a78226 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/variables.tf +++ b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/single-project/backend.tf.sample b/blueprints/cloud-operations/vm-migration/single-project/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/cloud-operations/vm-migration/single-project/backend.tf.sample +++ b/blueprints/cloud-operations/vm-migration/single-project/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/single-project/main.tf b/blueprints/cloud-operations/vm-migration/single-project/main.tf index 402752ff..4b67936e 100644 --- a/blueprints/cloud-operations/vm-migration/single-project/main.tf 
+++ b/blueprints/cloud-operations/vm-migration/single-project/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/single-project/outputs.tf b/blueprints/cloud-operations/vm-migration/single-project/outputs.tf index 269bb2bd..cad915be 100644 --- a/blueprints/cloud-operations/vm-migration/single-project/outputs.tf +++ b/blueprints/cloud-operations/vm-migration/single-project/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/vm-migration/single-project/variables.tf b/blueprints/cloud-operations/vm-migration/single-project/variables.tf index eac89381..1d445676 100644 --- a/blueprints/cloud-operations/vm-migration/single-project/variables.tf +++ b/blueprints/cloud-operations/vm-migration/single-project/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/cloud-operations/workload-identity-federation/setup.sh b/blueprints/cloud-operations/workload-identity-federation/setup.sh index cb609910..7fe3a710 100644 --- a/blueprints/cloud-operations/workload-identity-federation/setup.sh +++ b/blueprints/cloud-operations/workload-identity-federation/setup.sh @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/data-solutions/bq-ml/README.md b/blueprints/data-solutions/bq-ml/README.md index bb20ddfa..ea8bb7bf 100644 --- a/blueprints/data-solutions/bq-ml/README.md +++ b/blueprints/data-solutions/bq-ml/README.md @@ -46,6 +46,8 @@ To run the demo: - Clone this repository - Run the and run [`demo/bmql_pipeline.ipynb`](demo/bmql_pipeline.ipynb) Jupyter Notebook. + + ## Files | name | description | modules | resources | @@ -54,10 +56,9 @@ To run the demo: | [main.tf](./main.tf) | Core resources. | project | | | [outputs.tf](./outputs.tf) | Output variables. | | | | [variables.tf](./variables.tf) | Terraform variables. | | | -| [versions.tf](./versions.tf) | Version pins. | | | | [vertex.tf](./vertex.tf) | Vertex resources. | iam-service-account | google_notebooks_instance · google_vertex_ai_metadata_store | | [vpc.tf](./vpc.tf) | VPC resources. | net-cloudnat · net-vpc · net-vpc-firewall | google_project_iam_member | - + ## Variables | name | description | type | required | default | diff --git a/blueprints/data-solutions/bq-ml/outputs.tf b/blueprints/data-solutions/bq-ml/outputs.tf index 8299ce2f..b300432a 100644 --- a/blueprints/data-solutions/bq-ml/outputs.tf +++ b/blueprints/data-solutions/bq-ml/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/bq-ml/versions.tf b/blueprints/data-solutions/bq-ml/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/data-solutions/bq-ml/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/data-solutions/cloudsql-multiregion/backend.tf.sample b/blueprints/data-solutions/cloudsql-multiregion/backend.tf.sample index 49a0883d..1e1c012a 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/backend.tf.sample +++ b/blueprints/data-solutions/cloudsql-multiregion/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf index 52ff10e9..e25812df 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf +++ b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
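Review bot: in the `blueprints/data-solutions/bq-ml/README.md` hunk only the removal of the `| [versions.tf](./versions.tf) | Version pins. | | |` row is substantive and it matches the file deletion in this PR; the two blank lines added before `## Files` and the trailing line swapped for an empty one are whitespace-only churn, fine if they are tfdoc output, otherwise drop them. The unchanged context line `Run the and run [`demo/bmql_pipeline.ipynb`]` has a stray "the and"; worth fixing while the file is already being edited.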
diff --git a/blueprints/data-solutions/cloudsql-multiregion/gce.tf b/blueprints/data-solutions/cloudsql-multiregion/gce.tf index 07c48706..26d2b09c 100644 --- a/blueprints/data-solutions/cloudsql-multiregion/gce.tf +++ b/blueprints/data-solutions/cloudsql-multiregion/gce.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/cmek-via-centralized-kms/backend.tf.sample b/blueprints/data-solutions/cmek-via-centralized-kms/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/data-solutions/cmek-via-centralized-kms/backend.tf.sample +++ b/blueprints/data-solutions/cmek-via-centralized-kms/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/cmek-via-centralized-kms/outputs.tf b/blueprints/data-solutions/cmek-via-centralized-kms/outputs.tf index 1d7767a5..aa74f741 100644 --- a/blueprints/data-solutions/cmek-via-centralized-kms/outputs.tf +++ b/blueprints/data-solutions/cmek-via-centralized-kms/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/cmek-via-centralized-kms/versions.tf b/blueprints/data-solutions/cmek-via-centralized-kms/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/data-solutions/cmek-via-centralized-kms/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/data-solutions/composer-2/backend.tf.sample b/blueprints/data-solutions/composer-2/backend.tf.sample index 49a0883d..1e1c012a 100644 --- a/blueprints/data-solutions/composer-2/backend.tf.sample +++ b/blueprints/data-solutions/composer-2/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/03-composer.tf b/blueprints/data-solutions/data-platform-foundations/03-composer.tf index af169e71..0d8a7ee6 100644 --- a/blueprints/data-solutions/data-platform-foundations/03-composer.tf +++ b/blueprints/data-solutions/data-platform-foundations/03-composer.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
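Review bot: deleting `versions.tf` removes the only Terraform (`required_version = ">= 1.4.4"`) and provider (`google` / `google-beta` `>= 5.0.0`) constraints visible for onprem-sa-key-management, packer-image-builder, quota-monitoring, scheduled-asset-inventory-export-bq, bq-ml and cmek-via-centralized-kms, and nothing in this diff adds a replacement. Without a `required_providers` block `terraform init` will resolve `google` to whatever version is latest at install time with no lower bound matching the `>= 5.0.0` that is being removed, and the `# tftest` markers on those version lines, which look like something the test tooling reads, disappear with them. If the constraints are meant to come from a shared file (a symlink or a file copied in by tooling), include that mechanism in the PR and mention it in each blueprint's README; otherwise keep the pins.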
diff --git a/blueprints/data-solutions/data-platform-foundations/06-common.tf b/blueprints/data-solutions/data-platform-foundations/06-common.tf index 569c0a94..16d976c0 100644 --- a/blueprints/data-solutions/data-platform-foundations/06-common.tf +++ b/blueprints/data-solutions/data-platform-foundations/06-common.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/07-exposure.tf b/blueprints/data-solutions/data-platform-foundations/07-exposure.tf index b6d674b8..bf09c336 100644 --- a/blueprints/data-solutions/data-platform-foundations/07-exposure.tf +++ b/blueprints/data-solutions/data-platform-foundations/07-exposure.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/backend.tf.sample b/blueprints/data-solutions/data-platform-foundations/backend.tf.sample index 49a0883d..1e1c012a 100644 --- a/blueprints/data-solutions/data-platform-foundations/backend.tf.sample +++ b/blueprints/data-solutions/data-platform-foundations/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/demo/datapipeline.py b/blueprints/data-solutions/data-platform-foundations/demo/datapipeline.py index e23fd116..41033110 100644 --- a/blueprints/data-solutions/data-platform-foundations/demo/datapipeline.py +++ b/blueprints/data-solutions/data-platform-foundations/demo/datapipeline.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_dc_tags.py b/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_dc_tags.py index 65311dba..3c14cc1a 100644 --- a/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_dc_tags.py +++ b/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_dc_tags.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_dc_tags_flex.py b/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_dc_tags_flex.py index a81ecef9..e73c6ccd 100644 --- a/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_dc_tags_flex.py +++ b/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_dc_tags_flex.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_flex.py b/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_flex.py index e948fac6..233a351a 100644 --- a/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_flex.py +++ b/blueprints/data-solutions/data-platform-foundations/demo/datapipeline_flex.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/data-solutions/data-platform-foundations/demo/delete_table.py b/blueprints/data-solutions/data-platform-foundations/demo/delete_table.py index 9ae3f384..adb7147e 100644 --- a/blueprints/data-solutions/data-platform-foundations/demo/delete_table.py +++ b/blueprints/data-solutions/data-platform-foundations/demo/delete_table.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/main.tf b/blueprints/data-solutions/data-platform-foundations/main.tf index 8a22f386..66653c77 100644 --- a/blueprints/data-solutions/data-platform-foundations/main.tf +++ b/blueprints/data-solutions/data-platform-foundations/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-foundations/outputs.tf b/blueprints/data-solutions/data-platform-foundations/outputs.tf index 5bc93123..131f6e7e 100644 --- a/blueprints/data-solutions/data-platform-foundations/outputs.tf +++ b/blueprints/data-solutions/data-platform-foundations/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-minimal/02-composer.tf b/blueprints/data-solutions/data-platform-minimal/02-composer.tf index e82008c3..474775f6 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-composer.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-composer.tf 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-minimal/04-common.tf b/blueprints/data-solutions/data-platform-minimal/04-common.tf index 5080a083..abbec7ce 100644 --- a/blueprints/data-solutions/data-platform-minimal/04-common.tf +++ b/blueprints/data-solutions/data-platform-minimal/04-common.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-minimal/demo/dag_bq_gcs2bq.py b/blueprints/data-solutions/data-platform-minimal/demo/dag_bq_gcs2bq.py index 321071b2..c56b968c 100644 --- a/blueprints/data-solutions/data-platform-minimal/demo/dag_bq_gcs2bq.py +++ b/blueprints/data-solutions/data-platform-minimal/demo/dag_bq_gcs2bq.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-minimal/demo/dag_dataflow_gcs2bq.py b/blueprints/data-solutions/data-platform-minimal/demo/dag_dataflow_gcs2bq.py index 111efcdc..7d87a133 100644 --- a/blueprints/data-solutions/data-platform-minimal/demo/dag_dataflow_gcs2bq.py +++ b/blueprints/data-solutions/data-platform-minimal/demo/dag_dataflow_gcs2bq.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/data-solutions/data-platform-minimal/demo/dag_delete_table.py b/blueprints/data-solutions/data-platform-minimal/demo/dag_delete_table.py index 9653cac7..1ebc17c6 100644 --- a/blueprints/data-solutions/data-platform-minimal/demo/dag_delete_table.py +++ b/blueprints/data-solutions/data-platform-minimal/demo/dag_delete_table.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-minimal/main.tf b/blueprints/data-solutions/data-platform-minimal/main.tf index 605e31f8..07281e6c 100644 --- a/blueprints/data-solutions/data-platform-minimal/main.tf +++ b/blueprints/data-solutions/data-platform-minimal/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-platform-minimal/outputs.tf b/blueprints/data-solutions/data-platform-minimal/outputs.tf index b02bffe4..431429dd 100644 --- a/blueprints/data-solutions/data-platform-minimal/outputs.tf +++ b/blueprints/data-solutions/data-platform-minimal/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-playground/outputs.tf b/blueprints/data-solutions/data-playground/outputs.tf index 35f2efeb..70f58faa 100644 --- a/blueprints/data-solutions/data-playground/outputs.tf +++ b/blueprints/data-solutions/data-playground/outputs.tf 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/data-playground/versions.tf b/blueprints/data-solutions/data-playground/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/data-solutions/data-playground/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/backend.tf.sample b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/backend.tf.sample index 49a0883d..1e1c012a 100644 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/backend.tf.sample +++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
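Review bot: deleting blueprints/data-solutions/data-playground/versions.tf removes the only constraints visible for this blueprint (`required_version = ">= 1.4.4"` and `hashicorp/google` / `hashicorp/google-beta` at `>= 5.0.0`), and nothing in the hunk shows where those constraints now come from. Every versions.tf deleted in this patch carries the same blob index `3963660f`, which suggests they were copies of one shared file; if the directory now inherits a shared versions.tf through tooling or a symlink, please state that in the PR description, otherwise `terraform init` in this directory may resolve a provider version the blueprint was not tested against. The same comment applies to the versions.tf deletions in gcs-to-bq-with-least-privileges, net-vpc-firewall-yaml and nginx-reverse-proxy-cluster further down.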
diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/main.tf b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/main.tf index 33faf353..75d0328d 100644 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/main.tf +++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/outputs.tf b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/outputs.tf index 82b059cc..0cca2c3b 100644 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/outputs.tf +++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf index 5764ad53..9386cf25 100644 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf +++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/versions.tf b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf index 76bd841f..f4db3f0e 100644 --- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf +++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml b/blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml index 90dabfb6..3591e95a 100644 --- a/blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml +++ b/blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 
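Review bot: in cidrs.yaml the new `---` document marker after `# skip boilerplate check` is valid YAML, but the added comment ("Terraform will be unable to decode this file if it does not contain valid YAML") does not say which loader fails or why this became necessary now; the only decode change visible in this patch is the removal of the `try(yamldecode(...), {})` wrapper in blueprints/factories/net-vpc-firewall-yaml/main.tf, so if the shielded-folder files are read the same way, say so in the comment. Also check that a file holding only `---` (an empty document, which `yamldecode` returns as a null value rather than an empty map) is accepted by whatever `merge`/`for` consumes these files. The second cidrs.yaml hunk only adds the missing trailing newline on `- 10.255.255.254/32`.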
@@ -12,4 +15,4 @@ rfc1918: - 192.168.0.0/16 onprem_probes: - - 10.255.255.254/32 \ No newline at end of file + - 10.255.255.254/32 diff --git a/blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml b/blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml index a267527d..c7236cfe 100644 --- a/blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml +++ b/blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. allow-admins: description: Access from the admin subnet to all subnets @@ -14,8 +17,8 @@ allow-healthchecks: source_ranges: - healthchecks layer4_configs: - - protocol: tcp - ports: ["80", "443"] + - protocol: tcp + ports: ["80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP @@ -24,8 +27,8 @@ allow-ssh-from-iap: source_ranges: - 35.235.240.0/20 layer4_configs: - - protocol: tcp - ports: ["22"] + - protocol: tcp + ports: ["22"] allow-icmp: description: Enable ICMP @@ -34,4 +37,4 @@ allow-icmp: source_ranges: - 0.0.0.0/0 layer4_configs: - - protocol: icmp + - protocol: icmp diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml index a3f96b1b..16a48c5b 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml 
@@ -2,30 +2,32 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.disableGuestAttributesAccess: rules: - - enforce: true + - enforce: true compute.requireOsLogin: rules: - - enforce: true + - enforce: true compute.restrictLoadBalancerCreationForTypes: rules: - - allow: - values: - - in:INTERNAL + - allow: + values: + - in:INTERNAL compute.skipDefaultNetworkCreation: rules: - - enforce: true + - enforce: true compute.vmExternalIpAccess: rules: - - deny: - all: true - - + - deny: + all: true # compute.disableInternetNetworkEndpointGroup: # rules: # - enforce: true diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml index 58e0032c..7d436765 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml @@ -2,14 +2,18 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + iam.automaticIamGrantsForDefaultServiceAccounts: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyCreation: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyUpload: rules: - - enforce: true + - enforce: true diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml index 3efb23cd..b67dea78 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml 
@@ -2,30 +2,33 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + run.allowedIngress: rules: - - allow: - values: - - is:internal - + - allow: + values: + - is:internal # run.allowedVPCEgress: # rules: -# - allow: -# values: -# - is:private-ranges-only +# - allow: +# values: +# - is:private-ranges-only # cloudfunctions.allowedIngressSettings: # rules: -# - allow: -# values: -# - is:ALLOW_INTERNAL_ONLY +# - allow: +# values: +# - is:ALLOW_INTERNAL_ONLY # cloudfunctions.allowedVpcConnectorEgressSettings: # rules: -# - allow: -# values: -# - is:PRIVATE_RANGES_ONLY +# - allow: +# values: +# - is:PRIVATE_RANGES_ONLY # cloudfunctions.requireVPCConnector: # rules: -# - enforce: true +# - enforce: true diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml index 0eee8045..de2731a0 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml @@ -2,10 +2,14 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + sql.restrictAuthorizedNetworks: rules: - - enforce: true + - enforce: true sql.restrictPublicIp: rules: - - enforce: true + - enforce: true diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml index 448357b8..2578d5a5 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml 
@@ -2,6 +2,10 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + storage.uniformBucketLevelAccess: rules: - - enforce: true + - enforce: true diff --git a/blueprints/data-solutions/sqlserver-alwayson/README.md b/blueprints/data-solutions/sqlserver-alwayson/README.md index 7fd3231b..96937cbc 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/README.md +++ b/blueprints/data-solutions/sqlserver-alwayson/README.md @@ -18,7 +18,6 @@ and to `C:\GcpSetupLog.txt` file. - ## Files | name | description | modules | @@ -66,10 +65,8 @@ and to `C:\GcpSetupLog.txt` file. | name | description | sensitive | |---|---|:---:| -| [instructions](outputs.tf#L19) | List of steps to follow after applying. | | - +| [instructions](outputs.tf#L22) | List of steps to follow after applying. | | - ## Test ```hcl diff --git a/blueprints/data-solutions/sqlserver-alwayson/main.tf b/blueprints/data-solutions/sqlserver-alwayson/main.tf index c9297003..38486268 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/main.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/sqlserver-alwayson/outputs.tf b/blueprints/data-solutions/sqlserver-alwayson/outputs.tf index 1856f823..c9722b11 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/outputs.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
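Review bot: for the org-policies files (compute.yaml, iam.yaml, serverless.yaml, sql.yaml, storage.yaml) and hierarchical-ingress-rules.yaml, the only functional change is the `---` header placed after the `# sample subset of useful organization policies` comments; the rest is re-indentation of list items under `rules:` and `layer4_configs:`, which YAML accepts either way. Because these files carry the shielded-folder guardrails (`compute.vmExternalIpAccess` with `deny: all: true`, `iam.disableServiceAccountKeyCreation`, `sql.restrictPublicIp`), it would be worth stating in the PR that a `terraform plan` was diffed before and after to confirm the re-indentation leaves every nested value (for example `deny:` still containing the `all: true` map) unchanged.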
@@ -13,7 +13,10 @@ # limitations under the License. locals { - loadbalancer_outputs = [for aog in var.always_on_groups : format("%s (%s)", module.listener-ilb[aog].forwarding_rule_address, aog)] + loadbalancer_outputs = [ + for aog, ilb in module.listener-ilb + : format("%s (%s)", ilb.forwarding_rule_addresses[""], aog) + ] } output "instructions" { diff --git a/blueprints/data-solutions/sqlserver-alwayson/scripts/functions.ps1 b/blueprints/data-solutions/sqlserver-alwayson/scripts/functions.ps1 index a07aac27..daf6df3d 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/scripts/functions.ps1 +++ b/blueprints/data-solutions/sqlserver-alwayson/scripts/functions.ps1 @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/sqlserver-alwayson/scripts/specialize-node.ps1 b/blueprints/data-solutions/sqlserver-alwayson/scripts/specialize-node.ps1 index 14e266a0..52211295 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/scripts/specialize-node.ps1 +++ b/blueprints/data-solutions/sqlserver-alwayson/scripts/specialize-node.ps1 @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/sqlserver-alwayson/scripts/specialize-witness.ps1 b/blueprints/data-solutions/sqlserver-alwayson/scripts/specialize-witness.ps1 index 30e309e9..92265088 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/scripts/specialize-witness.ps1 +++ b/blueprints/data-solutions/sqlserver-alwayson/scripts/specialize-witness.ps1 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-node.ps1 b/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-node.ps1 index 397c4f37..ddba1e47 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-node.ps1 +++ b/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-node.ps1 @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-witness.ps1 b/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-witness.ps1 index c426a820..b318216d 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-witness.ps1 +++ b/blueprints/data-solutions/sqlserver-alwayson/scripts/windows-startup-witness.ps1 @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/sqlserver-alwayson/secrets.tf b/blueprints/data-solutions/sqlserver-alwayson/secrets.tf index 7897013e..2a0bba8d 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/secrets.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/secrets.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/data-solutions/sqlserver-alwayson/service-accounts.tf b/blueprints/data-solutions/sqlserver-alwayson/service-accounts.tf index b94a24e5..9f6b3dfa 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/service-accounts.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/service-accounts.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/sqlserver-alwayson/variables.tf b/blueprints/data-solutions/sqlserver-alwayson/variables.tf index c4ab3cf5..fb2050ad 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/variables.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/data-solutions/sqlserver-alwayson/vpc.tf b/blueprints/data-solutions/sqlserver-alwayson/vpc.tf index 5c4a15b0..1e53b3b0 100644 --- a/blueprints/data-solutions/sqlserver-alwayson/vpc.tf +++ b/blueprints/data-solutions/sqlserver-alwayson/vpc.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -141,7 +141,11 @@ module "listener-ilb" { region = var.region name = "${var.prefix}-${each.value}-ilb" service_label = "${var.prefix}-${each.value}-ilb" - address = local.internal_address_ips["${var.prefix}-lb-${each.value}"] + forwarding_rules_config = { + "" = { + address = local.internal_address_ips["${var.prefix}-lb-${each.value}"] + } + } vpc_config = { network = local.network subnetwork = local.subnetwork 
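Review bot: outputs.tf now indexes `ilb.forwarding_rule_addresses[""]` with a hard-coded empty-string key that must match the `"" = { address = ... }` key introduced in the `forwarding_rules_config` block of vpc.tf; both hunks agree today, but renaming the key in one file would only surface as a plan-time error in the other. Consider keeping the key in a single local, or at least a one-line comment at both sites, so the coupling is visible. Otherwise the change reads well: iterating `for aog, ilb in module.listener-ilb` instead of `var.always_on_groups` removes the indirect `module.listener-ilb[aog]` lookup, and the README output anchor moving from `outputs.tf#L19` to `#L22` matches the three lines this hunk adds to `locals`.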
diff --git a/blueprints/factories/net-vpc-firewall-yaml/README.md b/blueprints/factories/net-vpc-firewall-yaml/README.md index 42cd6fad..e385a68e 100644 --- a/blueprints/factories/net-vpc-firewall-yaml/README.md +++ b/blueprints/factories/net-vpc-firewall-yaml/README.md @@ -41,6 +41,11 @@ module "dev-firewall" { ```yaml # tftest-file id=common path=firewall/common/common.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # allow ingress from GCLB to all instances in the network lb-health-checks: allow: @@ -65,6 +70,11 @@ deny-all: ```yaml # tftest-file id=dev path=firewall/dev/app.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Myapp egress web-app-dev-egress: allow: @@ -89,6 +99,11 @@ web-app-dev-ingress: ```yaml # tftest-file id=prod path=firewall/prod/app.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Myapp egress web-app-prod-egress: allow: @@ -111,7 +126,6 @@ web-app-prod-ingress: - web-app-a@myproject-prod.iam.gserviceaccount.com ``` - ### Configuration Structure ```bash @@ -140,6 +154,11 @@ web-app-prod-ingress: Firewall rules configuration should be placed in a set of yaml files in a folder/s. Firewall rule entry structure is following: ```yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + rule-name: # descriptive name, naming convention is adjusted by the module allow: # `allow` or `deny` - ports: ['443', '80'] # ports for a specific protocol, keep empty list `[]` for all ports 
diff --git a/blueprints/factories/net-vpc-firewall-yaml/main.tf b/blueprints/factories/net-vpc-firewall-yaml/main.tf index 90416faa..0cfacf8a 100644 --- a/blueprints/factories/net-vpc-firewall-yaml/main.tf +++ b/blueprints/factories/net-vpc-firewall-yaml/main.tf @@ -31,7 +31,7 @@ locals { firewall_rules = merge( [ for config_file in local.firewall_rule_files : - try(yamldecode(file(config_file)), {}) + yamldecode(file(config_file)) ]... ) } diff --git a/blueprints/factories/net-vpc-firewall-yaml/versions.tf b/blueprints/factories/net-vpc-firewall-yaml/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/factories/net-vpc-firewall-yaml/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/factories/project-factory/README.md b/blueprints/factories/project-factory/README.md index 9aa23883..3a1219b2 100644 --- a/blueprints/factories/project-factory/README.md +++ b/blueprints/factories/project-factory/README.md @@ -59,7 +59,7 @@ module "project-factory" { data_path = "data" } } -# tftest modules=6 resources=14 files=prj-app-1,prj-app-2 +# tftest modules=6 resources=15 files=prj-app-1,prj-app-2 ``` ```yaml 
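Review bot: replacing `try(yamldecode(file(config_file)), {})` with `yamldecode(file(config_file))` in net-vpc-firewall-yaml/main.tf is the right call from a security standpoint: with the `try` wrapper a YAML syntax error in one rule file silently reduced that file to `{}`, so every rule in it, `deny-all` included, dropped out of the plan without any error. It is a behaviour change for existing users whose rule files are empty or not valid YAML, though, so it deserves a line in the changelog, and the `---` plus comment now inserted into each `# tftest-file` sample in the README should be explained in the README prose rather than only as a comment inside the example, since readers copy those samples verbatim. Also confirm that a file containing only `---` still works with the `merge([...]...)` splat, since such a document decodes to a null value rather than a map.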
@@ -94,6 +94,8 @@ org_policies: iam.disableServiceAccountKeyCreation: rules: - enforce: false +shared_vpc_service_config: + host_project: foo-host # tftest-file id=prj-app-2 path=data/prj-app-2.yaml ``` diff --git a/blueprints/factories/project-factory/factory.tf b/blueprints/factories/project-factory/factory.tf index da34dcca..d966d6d8 100644 --- a/blueprints/factories/project-factory/factory.tf +++ b/blueprints/factories/project-factory/factory.tf @@ -77,9 +77,13 @@ locals { try(v.services, null), var.data_defaults.services ) - shared_vpc_service_config = coalesce( - try(v.shared_vpc_service_config, null), - var.data_defaults.shared_vpc_service_config + shared_vpc_service_config = ( + try(v.shared_vpc_service_config, null) != null + ? merge( + { service_identity_iam = {}, service_iam_grants = [] }, + v.shared_vpc_service_config + ) + : var.data_defaults.shared_vpc_service_config ) tag_bindings = coalesce( var.data_overrides.tag_bindings, diff --git a/blueprints/gke/autopilot/ansible/playbook.yaml b/blueprints/gke/autopilot/ansible/playbook.yaml index ad30859c..309d2a75 100644 --- a/blueprints/gke/autopilot/ansible/playbook.yaml +++ b/blueprints/gke/autopilot/ansible/playbook.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/gke/binauthz/app/clobuild.yaml b/blueprints/gke/binauthz/app/clobuild.yaml index 6477ecd7..cdc0cd19 100644 --- a/blueprints/gke/binauthz/app/clobuild.yaml +++ b/blueprints/gke/binauthz/app/clobuild.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/gke/binauthz/image/cloudbuild.yaml b/blueprints/gke/binauthz/image/cloudbuild.yaml index ee103605..2c6429a3 100644 
--- a/blueprints/gke/binauthz/image/cloudbuild.yaml +++ b/blueprints/gke/binauthz/image/cloudbuild.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/gke/binauthz/templates/app.yaml.tpl b/blueprints/gke/binauthz/templates/app.yaml.tpl index 43991c8d..26e3e198 100644 --- a/blueprints/gke/binauthz/templates/app.yaml.tpl +++ b/blueprints/gke/binauthz/templates/app.yaml.tpl @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/gke/binauthz/templates/tenant-setup.yaml.tpl b/blueprints/gke/binauthz/templates/tenant-setup.yaml.tpl index f5609dc2..5d97ed90 100644 --- a/blueprints/gke/binauthz/templates/tenant-setup.yaml.tpl +++ b/blueprints/gke/binauthz/templates/tenant-setup.yaml.tpl @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/ansible/playbook.yaml b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/ansible/playbook.yaml index 30114d22..b2c709a4 100644 --- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/ansible/playbook.yaml +++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/ansible/playbook.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/templates/gssh.sh.tpl b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/templates/gssh.sh.tpl index c61460ba..b366231d 100644 
--- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/templates/gssh.sh.tpl +++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/templates/gssh.sh.tpl @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/gke/multitenant-fleet/outputs.tf b/blueprints/gke/multitenant-fleet/outputs.tf index e9eb6985..11d9d217 100644 --- a/blueprints/gke/multitenant-fleet/outputs.tf +++ b/blueprints/gke/multitenant-fleet/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile index 748a64a2..6da90b51 100644 --- a/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile +++ b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/versions.tf b/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/__need_fixing/nginx-reverse-proxy-cluster/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/networking/__need_fixing/onprem-google-access-dns/backend.tf.sample b/blueprints/networking/__need_fixing/onprem-google-access-dns/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/networking/__need_fixing/onprem-google-access-dns/backend.tf.sample +++ b/blueprints/networking/__need_fixing/onprem-google-access-dns/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/__need_fixing/onprem-google-access-dns/versions.tf b/blueprints/networking/__need_fixing/onprem-google-access-dns/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/__need_fixing/onprem-google-access-dns/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/networking/decentralized-firewall/backend.tf.sample b/blueprints/networking/decentralized-firewall/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/networking/decentralized-firewall/backend.tf.sample +++ b/blueprints/networking/decentralized-firewall/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml b/blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml index c4540e7a..0af388b8 100644 --- a/blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Deny all egress (egress traffic is allowed by default) deny-all: deny: diff --git a/blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml b/blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml index 588af162..b8565473 100644 --- a/blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Access via SSH from IAP to all instancess https://cloud.google.com/iap/docs/using-tcp-forwarding#create-firewall-rule iap-ssh-access: allow: diff --git a/blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml b/blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml index bd20e976..ca5c859a 100644 --- a/blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Access from GCP LBs https://cloud.google.com/load-balancing/docs/https/#firewall_rules lb-health-checks: allow: diff --git a/blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml b/blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml index 1691fdf7..6b625b79 100644 --- a/blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Allow traffic from the frontend VMs app1-backend: allow: diff --git a/blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml b/blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml index f979397d..82dd355e 100644 --- a/blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Allow traffic from app1 frontend app2-backend: allow: diff --git a/blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml b/blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml index 1691fdf7..6b625b79 100644 --- a/blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Allow traffic from the frontend VMs app1-backend: allow: diff --git a/blueprints/networking/decentralized-firewall/main.tf b/blueprints/networking/decentralized-firewall/main.tf index b994dc29..97ff9773 100644 --- a/blueprints/networking/decentralized-firewall/main.tf +++ b/blueprints/networking/decentralized-firewall/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/outputs.tf b/blueprints/networking/decentralized-firewall/outputs.tf index 9542b892..be913883 100644 --- a/blueprints/networking/decentralized-firewall/outputs.tf 
+++ b/blueprints/networking/decentralized-firewall/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/validator/Dockerfile b/blueprints/networking/decentralized-firewall/validator/Dockerfile index ddcbb453..82d9a523 100644 --- a/blueprints/networking/decentralized-firewall/validator/Dockerfile +++ b/blueprints/networking/decentralized-firewall/validator/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/validator/action.yml b/blueprints/networking/decentralized-firewall/validator/action.yml index 00c4819e..b7817d95 100644 --- a/blueprints/networking/decentralized-firewall/validator/action.yml +++ b/blueprints/networking/decentralized-firewall/validator/action.yml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/validator/firewallSchema.yaml b/blueprints/networking/decentralized-firewall/validator/firewallSchema.yaml index 4db725e9..8d11f138 100644 --- a/blueprints/networking/decentralized-firewall/validator/firewallSchema.yaml +++ b/blueprints/networking/decentralized-firewall/validator/firewallSchema.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/networking/decentralized-firewall/validator/firewallSchemaAutoApprove.yaml b/blueprints/networking/decentralized-firewall/validator/firewallSchemaAutoApprove.yaml index f4cb8315..e6a9ae9c 100644 --- a/blueprints/networking/decentralized-firewall/validator/firewallSchemaAutoApprove.yaml +++ b/blueprints/networking/decentralized-firewall/validator/firewallSchemaAutoApprove.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/validator/firewallSchemaSettings.yaml b/blueprints/networking/decentralized-firewall/validator/firewallSchemaSettings.yaml index 13b3ff1c..822dcc1e 100644 --- a/blueprints/networking/decentralized-firewall/validator/firewallSchemaSettings.yaml +++ b/blueprints/networking/decentralized-firewall/validator/firewallSchemaSettings.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/validator/requirements.txt b/blueprints/networking/decentralized-firewall/validator/requirements.txt index df645f6b..7084426b 100644 --- a/blueprints/networking/decentralized-firewall/validator/requirements.txt +++ b/blueprints/networking/decentralized-firewall/validator/requirements.txt @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/validator/validator.py b/blueprints/networking/decentralized-firewall/validator/validator.py index 0daa40e3..72f23e84 100644 
--- a/blueprints/networking/decentralized-firewall/validator/validator.py +++ b/blueprints/networking/decentralized-firewall/validator/validator.py @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/variables.tf b/blueprints/networking/decentralized-firewall/variables.tf index cf48e23c..d3b5b4b0 100644 --- a/blueprints/networking/decentralized-firewall/variables.tf +++ b/blueprints/networking/decentralized-firewall/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/decentralized-firewall/versions.tf b/blueprints/networking/decentralized-firewall/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/decentralized-firewall/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - 
diff --git a/blueprints/networking/filtering-proxy-psc/main.tf b/blueprints/networking/filtering-proxy-psc/main.tf index 319217cd..6908197f 100644 --- a/blueprints/networking/filtering-proxy-psc/main.tf +++ b/blueprints/networking/filtering-proxy-psc/main.tf @@ -106,7 +106,7 @@ resource "google_compute_service_attachment" "service_attachment" { enable_proxy_protocol = true connection_preference = "ACCEPT_MANUAL" nat_subnets = [module.vpc.subnets_psc["${var.region}/psc"].self_link] - target_service = module.squid-ilb.forwarding_rule_self_link + target_service = module.squid-ilb.forwarding_rule_self_links[""] consumer_accept_lists { project_id_or_num = module.project.project_id connection_limit = 10 @@ -206,8 +206,12 @@ module "squid-ilb" { project_id = module.project.project_id region = var.region name = "squid-ilb" - ports = [3128] service_label = "squid-ilb" + forwarding_rules_config = { + "" = { + ports = [3128] + } + } vpc_config = { network = module.vpc.self_link subnetwork = module.vpc.subnet_self_links["${var.region}/proxy"] diff --git a/blueprints/networking/filtering-proxy-psc/startup.sh b/blueprints/networking/filtering-proxy-psc/startup.sh index bdc2b9cb..904c4255 100644 --- a/blueprints/networking/filtering-proxy-psc/startup.sh +++ b/blueprints/networking/filtering-proxy-psc/startup.sh @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/filtering-proxy-psc/versions.tf b/blueprints/networking/filtering-proxy-psc/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/filtering-proxy-psc/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/networking/filtering-proxy/main.tf b/blueprints/networking/filtering-proxy/main.tf index b9072a21..107ca1f7 100644 --- a/blueprints/networking/filtering-proxy/main.tf +++ b/blueprints/networking/filtering-proxy/main.tf @@ -17,7 +17,7 @@ locals { squid_address = ( var.mig - ? module.squid-ilb.0.forwarding_rule_address + ? module.squid-ilb.0.forwarding_rule_addresses[""] : module.squid-vm.internal_ip ) } @@ -210,8 +210,12 @@ module "squid-ilb" { project_id = module.project-host.project_id region = var.region name = "squid-ilb" - ports = [3128] service_label = "squid-ilb" + forwarding_rules_config = { + "" = { + ports = [3128] + } + } vpc_config = { network = module.vpc.self_link subnetwork = module.vpc.subnet_self_links["${var.region}/proxy"] diff --git a/blueprints/networking/filtering-proxy/versions.tf b/blueprints/networking/filtering-proxy/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/filtering-proxy/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/networking/glb-hybrid-neg-internal/glb.tf b/blueprints/networking/glb-hybrid-neg-internal/glb.tf index e071e7e6..b8edd35a 100644 --- a/blueprints/networking/glb-hybrid-neg-internal/glb.tf +++ b/blueprints/networking/glb-hybrid-neg-internal/glb.tf @@ -44,7 +44,7 @@ module "hybrid-glb" { endpoints = { primary = { ip_address = (var.ilb_create - ? module.test_vm_ilbs["primary"].forwarding_rule_address + ? module.test_vm_ilbs["primary"].forwarding_rule_addresses[""] : module.test_vms["primary"].internal_ip ) port = 80 @@ -59,7 +59,7 @@ module "hybrid-glb" { endpoints = { secondary = { ip_address = (var.ilb_create - ? module.test_vm_ilbs["secondary"].forwarding_rule_address + ? module.test_vm_ilbs["secondary"].forwarding_rule_addresses[""] : module.test_vms["secondary"].internal_ip ) port = 80 diff --git a/blueprints/networking/glb-hybrid-neg-internal/main.tf b/blueprints/networking/glb-hybrid-neg-internal/main.tf index 55600156..3a7551ff 100644 --- a/blueprints/networking/glb-hybrid-neg-internal/main.tf +++ b/blueprints/networking/glb-hybrid-neg-internal/main.tf 
@@ -53,12 +53,12 @@ module "vpc_landing_untrusted" { spoke1-primary = { dest_range = var.ip_config.spoke_primary next_hop_type = "ilb" - next_hop = module.nva_untrusted_ilbs["primary"].forwarding_rule_self_link + next_hop = module.nva_untrusted_ilbs["primary"].forwarding_rule_self_links[""] } spoke1-secondary = { dest_range = var.ip_config.spoke_secondary next_hop_type = "ilb" - next_hop = module.nva_untrusted_ilbs["secondary"].forwarding_rule_self_link + next_hop = module.nva_untrusted_ilbs["secondary"].forwarding_rule_self_links[""] } } diff --git a/blueprints/networking/hub-and-spoke-peering/backend.tf.sample b/blueprints/networking/hub-and-spoke-peering/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/networking/hub-and-spoke-peering/backend.tf.sample +++ b/blueprints/networking/hub-and-spoke-peering/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-peering/outputs.tf b/blueprints/networking/hub-and-spoke-peering/outputs.tf index 7010404a..97b15117 100644 --- a/blueprints/networking/hub-and-spoke-peering/outputs.tf +++ b/blueprints/networking/hub-and-spoke-peering/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-peering/versions.tf b/blueprints/networking/hub-and-spoke-peering/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/hub-and-spoke-peering/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/networking/hub-and-spoke-vpn/README.md b/blueprints/networking/hub-and-spoke-vpn/README.md index d0f2d1f0..16fb1d67 100644 --- a/blueprints/networking/hub-and-spoke-vpn/README.md +++ b/blueprints/networking/hub-and-spoke-vpn/README.md @@ -66,7 +66,6 @@ ping test-r2.dev.example.com - ## Files | name | description | modules | @@ -77,7 +76,6 @@ ping test-r2.dev.example.com | [net-prod.tf](./net-prod.tf) | Production spoke VPC. | dns · net-vpc · net-vpc-firewall | | [outputs.tf](./outputs.tf) | Module outputs. | | | [variables.tf](./variables.tf) | Module variables. | | -| [versions.tf](./versions.tf) | Version pins. | | | [vpn-dev-r1.tf](./vpn-dev-r1.tf) | Landing to Development VPN for region 1. | net-vpn-ha | | [vpn-prod-r1.tf](./vpn-prod-r1.tf) | Landing to Production VPN for region 1. | net-vpn-ha | @@ -99,9 +97,7 @@ ping test-r2.dev.example.com |---|---|:---:| | [subnets](outputs.tf#L15) | Subnet details. | | | [vms](outputs.tf#L39) | GCE VMs. | | - - ## Test ```hcl module "test" { 
diff --git a/blueprints/networking/hub-and-spoke-vpn/backend.tf.sample b/blueprints/networking/hub-and-spoke-vpn/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/networking/hub-and-spoke-vpn/backend.tf.sample +++ b/blueprints/networking/hub-and-spoke-vpn/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-vpn/main.tf b/blueprints/networking/hub-and-spoke-vpn/main.tf index 8810a71d..03390804 100644 --- a/blueprints/networking/hub-and-spoke-vpn/main.tf +++ b/blueprints/networking/hub-and-spoke-vpn/main.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-vpn/net-dev.tf b/blueprints/networking/hub-and-spoke-vpn/net-dev.tf index d582a79f..fe033a6e 100644 --- a/blueprints/networking/hub-and-spoke-vpn/net-dev.tf +++ b/blueprints/networking/hub-and-spoke-vpn/net-dev.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-vpn/net-landing.tf b/blueprints/networking/hub-and-spoke-vpn/net-landing.tf index ad7315d4..152d46bb 100644 --- a/blueprints/networking/hub-and-spoke-vpn/net-landing.tf +++ b/blueprints/networking/hub-and-spoke-vpn/net-landing.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/blueprints/networking/hub-and-spoke-vpn/net-prod.tf b/blueprints/networking/hub-and-spoke-vpn/net-prod.tf index a76ac778..385b7cbb 100644 --- a/blueprints/networking/hub-and-spoke-vpn/net-prod.tf +++ b/blueprints/networking/hub-and-spoke-vpn/net-prod.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-vpn/outputs.tf b/blueprints/networking/hub-and-spoke-vpn/outputs.tf index befd20ff..062bbbfa 100644 --- a/blueprints/networking/hub-and-spoke-vpn/outputs.tf +++ b/blueprints/networking/hub-and-spoke-vpn/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-vpn/variables.tf b/blueprints/networking/hub-and-spoke-vpn/variables.tf index 90fbd359..334d8496 100644 --- a/blueprints/networking/hub-and-spoke-vpn/variables.tf +++ b/blueprints/networking/hub-and-spoke-vpn/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-vpn/versions.tf b/blueprints/networking/hub-and-spoke-vpn/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/hub-and-spoke-vpn/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf b/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf index 49ced394..5dff262c 100644 --- a/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf +++ b/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf b/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf index 8c025d9e..678fa145 100644 --- a/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf +++ b/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/ilb-next-hop/assets/gw.yaml b/blueprints/networking/ilb-next-hop/assets/gw.yaml index 215821c4..73bd18dc 100644 
--- a/blueprints/networking/ilb-next-hop/assets/gw.yaml +++ b/blueprints/networking/ilb-next-hop/assets/gw.yaml @@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/ilb-next-hop/backend.tf.sample b/blueprints/networking/ilb-next-hop/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/networking/ilb-next-hop/backend.tf.sample +++ b/blueprints/networking/ilb-next-hop/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/ilb-next-hop/gateways.tf b/blueprints/networking/ilb-next-hop/gateways.tf index 458b995d..2e99956e 100644 --- a/blueprints/networking/ilb-next-hop/gateways.tf +++ b/blueprints/networking/ilb-next-hop/gateways.tf @@ -67,7 +67,11 @@ module "ilb-left" { network = module.vpc-left.self_link subnetwork = values(module.vpc-left.subnet_self_links)[0] } - address = local.addresses.ilb-left + forwarding_rules_config = { + "" = { + address = local.addresses.ilb-left + } + } backend_service_config = { session_affinity = var.ilb_session_affinity } @@ -91,7 +95,11 @@ module "ilb-right" { network = module.vpc-right.self_link subnetwork = values(module.vpc-right.subnet_self_links)[0] } - address = local.addresses.ilb-right + forwarding_rules_config = { + "" = { + address = local.addresses.ilb-right + } + } backend_service_config = { session_affinity = var.ilb_session_affinity } diff --git a/blueprints/networking/ilb-next-hop/outputs.tf b/blueprints/networking/ilb-next-hop/outputs.tf index c00282ae..c69501d9 100644 --- a/blueprints/networking/ilb-next-hop/outputs.tf +++ b/blueprints/networking/ilb-next-hop/outputs.tf 
@@ -18,8 +18,8 @@ output "addresses" { description = "IP addresses." value = { gw = [for z, mod in module.gw : mod.internal_ip] - ilb-left = module.ilb-left.forwarding_rule_address - ilb-right = module.ilb-right.forwarding_rule_address + ilb-left = module.ilb-left.forwarding_rule_addresses[""] + ilb-right = module.ilb-right.forwarding_rule_addresses[""] vm-left = [for z, mod in module.vm-left : mod.internal_ip] vm-right = [for z, mod in module.vm-right : mod.internal_ip] } diff --git a/blueprints/networking/ilb-next-hop/versions.tf b/blueprints/networking/ilb-next-hop/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/ilb-next-hop/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/networking/ilb-next-hop/vpc-left.tf b/blueprints/networking/ilb-next-hop/vpc-left.tf index 4cc73159..13d4501d 100644 --- a/blueprints/networking/ilb-next-hop/vpc-left.tf +++ b/blueprints/networking/ilb-next-hop/vpc-left.tf 
@@ -29,7 +29,7 @@ module "vpc-left" { to-right = { dest_range = var.ip_ranges.right next_hop_type = "ilb" - next_hop = module.ilb-left.forwarding_rule.self_link + next_hop = module.ilb-left.forwarding_rule_self_links[""] } } } diff --git a/blueprints/networking/ilb-next-hop/vpc-right.tf b/blueprints/networking/ilb-next-hop/vpc-right.tf index 5483d34a..e9cd4cd9 100644 --- a/blueprints/networking/ilb-next-hop/vpc-right.tf +++ b/blueprints/networking/ilb-next-hop/vpc-right.tf @@ -30,7 +30,7 @@ module "vpc-right" { dest_range = var.ip_ranges.left priority = var.ilb_right_enable ? 900 : 1100 next_hop_type = "ilb" - next_hop = module.ilb-right.forwarding_rule.self_link + next_hop = module.ilb-right.forwarding_rule_self_links[""] } to-left-gw-1 = { dest_range = var.ip_ranges.left diff --git a/blueprints/networking/private-cloud-function-from-onprem/assets/main.py b/blueprints/networking/private-cloud-function-from-onprem/assets/main.py index 6534cbd6..b7373748 100644 --- a/blueprints/networking/private-cloud-function-from-onprem/assets/main.py +++ b/blueprints/networking/private-cloud-function-from-onprem/assets/main.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/private-cloud-function-from-onprem/versions.tf b/blueprints/networking/private-cloud-function-from-onprem/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/networking/private-cloud-function-from-onprem/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/networking/shared-vpc-gke/backend.tf.sample b/blueprints/networking/shared-vpc-gke/backend.tf.sample index 4f2bb336..e1bb8eaf 100644 --- a/blueprints/networking/shared-vpc-gke/backend.tf.sample +++ b/blueprints/networking/shared-vpc-gke/backend.tf.sample @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/shared-vpc-gke/outputs.tf b/blueprints/networking/shared-vpc-gke/outputs.tf index c84254ad..fcf37ae7 100644 --- a/blueprints/networking/shared-vpc-gke/outputs.tf +++ b/blueprints/networking/shared-vpc-gke/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/networking/shared-vpc-gke/versions.tf b/blueprints/networking/shared-vpc-gke/versions.tf deleted file mode 100644 index 3963660f..00000000 
--- a/blueprints/networking/shared-vpc-gke/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/blueprints/third-party-solutions/openshift/prepare.py b/blueprints/third-party-solutions/openshift/prepare.py index 3c513a2f..c1620ef0 100755 --- a/blueprints/third-party-solutions/openshift/prepare.py +++ b/blueprints/third-party-solutions/openshift/prepare.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/third-party-solutions/openshift/tf/versions.tf b/blueprints/third-party-solutions/openshift/tf/versions.tf deleted file mode 100644 index 3963660f..00000000 --- a/blueprints/third-party-solutions/openshift/tf/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - - diff --git a/default-versions.tf b/default-versions.tf index 3963660f..af346395 100644 --- a/default-versions.tf +++ b/default-versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/fast/assets/schemas/firewall_rules.schema.yaml b/fast/assets/schemas/firewall_rules.schema.yaml index 6f8a8054..74aba4b5 100644 --- a/fast/assets/schemas/firewall_rules.schema.yaml +++ b/fast/assets/schemas/firewall_rules.schema.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/assets/schemas/hierarchical_rules.schema.yaml b/fast/assets/schemas/hierarchical_rules.schema.yaml index fdd72bc1..ad49bfa5 100644 --- a/fast/assets/schemas/hierarchical_rules.schema.yaml 
+++ b/fast/assets/schemas/hierarchical_rules.schema.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/assets/schemas/project.schema.yaml b/fast/assets/schemas/project.schema.yaml index 2155c71a..cd75aa1e 100644 --- a/fast/assets/schemas/project.schema.yaml +++ b/fast/assets/schemas/project.schema.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/assets/schemas/project_defaults.schema.yaml b/fast/assets/schemas/project_defaults.schema.yaml index 113fe26b..32e98ffc 100644 --- a/fast/assets/schemas/project_defaults.schema.yaml +++ b/fast/assets/schemas/project_defaults.schema.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/assets/schemas/subnet.schema.yaml b/fast/assets/schemas/subnet.schema.yaml index c928a1b9..cc5aa10d 100644 --- a/fast/assets/schemas/subnet.schema.yaml +++ b/fast/assets/schemas/subnet.schema.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/assets/templates/workflow-github.yaml b/fast/assets/templates/workflow-github.yaml index 2ae456d9..d2729947 100644 --- a/fast/assets/templates/workflow-github.yaml +++ b/fast/assets/templates/workflow-github.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/assets/templates/workflow-sourcerepo.yaml b/fast/assets/templates/workflow-sourcerepo.yaml index 6dd15e8c..66136b4c 100644 --- a/fast/assets/templates/workflow-sourcerepo.yaml +++ b/fast/assets/templates/workflow-sourcerepo.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml b/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml index 9a1c81a1..2d92cce0 100644 --- a/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml +++ b/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-sourcerepo.yaml b/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-sourcerepo.yaml index 9d22399d..195a8e2e 100644 --- a/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-sourcerepo.yaml +++ b/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-sourcerepo.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml index a3f96b1b..16a48c5b 100644 
--- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml @@ -2,30 +2,32 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.disableGuestAttributesAccess: rules: - - enforce: true + - enforce: true compute.requireOsLogin: rules: - - enforce: true + - enforce: true compute.restrictLoadBalancerCreationForTypes: rules: - - allow: - values: - - in:INTERNAL + - allow: + values: + - in:INTERNAL compute.skipDefaultNetworkCreation: rules: - - enforce: true + - enforce: true compute.vmExternalIpAccess: rules: - - deny: - all: true - - + - deny: + all: true # compute.disableInternetNetworkEndpointGroup: # rules: # - enforce: true diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml index 58e0032c..7d436765 100644 --- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml @@ -2,14 +2,18 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + iam.automaticIamGrantsForDefaultServiceAccounts: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyCreation: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyUpload: rules: - - enforce: true + - enforce: true diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml index 3efb23cd..0712f9fb 100644 
--- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml @@ -2,12 +2,15 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + run.allowedIngress: rules: - - allow: - values: - - is:internal - + - allow: + values: + - is:internal # run.allowedVPCEgress: # rules: # - allow: diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml index 0eee8045..de2731a0 100644 --- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml @@ -2,10 +2,14 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + sql.restrictAuthorizedNetworks: rules: - - enforce: true + - enforce: true sql.restrictPublicIp: rules: - - enforce: true + - enforce: true diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml index 448357b8..2578d5a5 100644 --- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml @@ -2,6 +2,10 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + storage.uniformBucketLevelAccess: rules: - - enforce: true + - enforce: true 
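Review bot: The `default-versions.tf` hunk adds an upper bound (`>= 5.0.0, < 6.0.0`) on both the `google` and `google-beta` providers, but the per-blueprint `versions.tf` files deleted in this patch (`ilb-next-hop`, `private-cloud-function-from-onprem`, `shared-vpc-gke`, `openshift/tf`, and the deletion at the top of this section) are not replaced by anything visible here. Unless tooling copies or symlinks `default-versions.tf` into each blueprint directory, those blueprints lose their `required_version` and provider constraints entirely, and a fresh `terraform init` will resolve to whatever provider release is current, including a future 6.x, which is exactly what the new upper bound is meant to prevent. Please confirm the propagation mechanism and mention it in the commit message.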
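Review bot: In the two `gateways.tf` hunks the single forwarding rule is keyed by the empty string (`"" = { address = local.addresses.ilb-left }`), and `outputs.tf`, `vpc-left.tf` and `vpc-right.tf` index the new `forwarding_rule_addresses[""]` and `forwarding_rule_self_links[""]` maps with that same key, so the references are consistent and the `next_hop` routes keep their previous semantics. The empty-string key is easy to misread as a typo, though; a one-line comment on the `forwarding_rules_config` block (e.g. that `""` is the unnamed default rule key expected by the module) would save the next reader a trip to the module docs.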
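Review bot: The five org-policy YAML hunks (`compute.yaml`, `iam.yaml`, `serverless.yaml`, `sql.yaml`, `storage.yaml`) are whitespace-only re-indentation plus an added `---` document marker; the constraints themselves (`compute.requireOsLogin`, `compute.vmExternalIpAccess` deny-all, `compute.restrictLoadBalancerCreationForTypes` allowing only `in:INTERNAL`, `iam.disableServiceAccountKeyCreation`, `sql.restrictPublicIp`, `storage.uniformBucketLevelAccess`, and the rest) are unchanged, which is worth stating in the commit message so a reviewer of the tenant hardening baseline does not have to verify it by eye. The new header comment reads awkwardly ("You can retain `---` (start of the document) to indicate an empty document"); consider rewording it to say that the `---` line must be kept even if every policy below it is removed, so the file still parses as valid (empty) YAML when Terraform decodes it.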
diff --git a/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml b/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml index 3f456bec..9266a134 100644 --- a/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml +++ b/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages-multitenant/1-resman-tenant/templates/workflow-sourcerepo.yaml b/fast/stages-multitenant/1-resman-tenant/templates/workflow-sourcerepo.yaml index 6dd15e8c..66136b4c 100644 --- a/fast/stages-multitenant/1-resman-tenant/templates/workflow-sourcerepo.yaml +++ b/fast/stages-multitenant/1-resman-tenant/templates/workflow-sourcerepo.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages/0-bootstrap/IAM.md b/fast/stages/0-bootstrap/IAM.md index b938c44f..7f47ceb4 100644 --- a/fast/stages/0-bootstrap/IAM.md +++ b/fast/stages/0-bootstrap/IAM.md @@ -7,13 +7,12 @@ Legend: + additive, conditional. | members | roles | |---|---| |GCP organization domain
domain|[roles/browser](https://cloud.google.com/iam/docs/understanding-roles#browser) | -|gcp-billing-admins
group|[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +| |gcp-devops
group|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer)
[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) | |gcp-network-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +| -|gcp-organization-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin)
[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin)
[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| +|gcp-organization-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin)
[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin)
[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin)
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +| |gcp-security-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin)
[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) +
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| -|prod-bootstrap-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/resourcemanager.projectMover](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectMover)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +| -|prod-resman-0
serviceAccount|organizations/[org_id #0]/roles/organizationIamAdmin
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin)
[roles/resourcemanager.tagUser](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagUser)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| +|prod-bootstrap-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/resourcemanager.projectMover](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectMover)
[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin)
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| +|prod-resman-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin)
[roles/resourcemanager.tagUser](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagUser)
organizations/[org_id #0]/roles/organizationIamAdmin
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| ## Project prod-audit-logs-0 @@ -21,12 +20,6 @@ Legend: + additive, conditional. |---|---| |prod-bootstrap-0
serviceAccount|[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) | -## Project prod-billing-exp-0 - -| members | roles | -|---|---| -|prod-bootstrap-0
serviceAccount|[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) | - ## Project prod-iac-core-0 | members | roles | @@ -36,5 +29,5 @@ Legend: + additive, conditional. |SERVICE_IDENTITY_service-networking
serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| |prod-bootstrap-0
serviceAccount|[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) | |prod-bootstrap-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| -|prod-resman-0
serviceAccount|[roles/cloudbuild.builds.editor](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.editor)
[roles/iam.serviceAccountAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountAdmin)
[roles/iam.workloadIdentityPoolAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.workloadIdentityPoolAdmin)
[roles/source.admin](https://cloud.google.com/iam/docs/understanding-roles#source.admin)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | +|prod-resman-0
serviceAccount|[roles/cloudbuild.builds.editor](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.editor)
[roles/iam.serviceAccountAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountAdmin)
[roles/iam.workloadIdentityPoolAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.workloadIdentityPoolAdmin)
[roles/source.admin](https://cloud.google.com/iam/docs/understanding-roles#source.admin)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin)
[roles/resourcemanager.projectIamAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin)
[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| |prod-resman-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md index 4d7eae24..1a9f1bbb 100644 --- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md @@ -136,7 +136,7 @@ Because of limitations of API availability, manual steps have to be followed to ### Organization-level logging -We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) and [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) into a logging bucket in the top-level audit project. +We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project. The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination. 
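Review bot: The `IAM.md` hunk records a change in the org-level privilege of the automation service accounts, not just a layout change: `prod-resman-0` gains `roles/logging.admin` and `roles/resourcemanager.projectCreator` at the organization level plus additive `roles/resourcemanager.projectIamAdmin` and `roles/serviceusage.serviceUsageConsumer` on `prod-iac-core-0`, while `roles/billing.admin` and `roles/billing.costsManager` are dropped from `gcp-organization-admins`, `prod-bootstrap-0` and `prod-resman-0`, and the `gcp-billing-admins` org-level row and the whole `prod-billing-exp-0` project section disappear. Since this file is the generated record of those bindings, please state in the commit message or the README hunk why the resource-management stage now needs organization-wide `logging.admin` (it can alter the org-level sinks the "Organization-level logging" section describes) and where the billing roles moved; the `billing_account` variable description in the README hunk mentions a `no_iam` switch, which suggests they are handled there now.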
@@ -466,9 +466,11 @@ Provider key names are used by the `cicd_repositories` variable to configure aut This is a sample configuration of a GitHub and a Gitlab provider. Every parameter is optional. -If users don't specify the `issuer_uri` we assume the default `issuer_uri` for public platforms should be used. +The `custom_settings` attributes are used to configure the provider to work with privately managed installations of Github and Gitlab: -If users don't specify the `audience`, we set the url of the provider, as recommended in the [WIF FAQ section](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience). +- `issuer_uri` (defaults to the public platforms one if not set) +- `audience` (defaults to the public URL of the provider if not set, as recommended in the [WIF FAQ section](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience)) +- `jwks_json` for public key upload ```tfvars federated_identity_providers = { 
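Review bot: In the README `federated_identity_providers` hunk, the new `custom_settings` bullet list keeps the fallback behaviour the removed sentences described for `issuer_uri` and `audience`, but the `jwks_json` bullet only says "for public key upload" and gives no hint of when it is needed (presumably for privately managed installations whose JWKS endpoint is not publicly reachable); a clause such as "(inline JWKS, for issuers whose keys cannot be fetched from a public endpoint)" would make the three options read consistently, if that is the intent. Also "Github" and "Gitlab" in the new sentence should be "GitHub" and "GitLab".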
@@ -579,24 +581,24 @@ The remaining configuration is manual, as it regards the repositories themselves | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| | [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | | -| [organization](variables.tf#L243) | Organization details. | object({…}) | ✓ | | | -| [prefix](variables.tf#L258) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | | +| [organization](variables.tf#L248) | Organization details. | object({…}) | ✓ | | | +| [prefix](variables.tf#L263) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | | | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string | | null | | | [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | | [custom_role_names](variables.tf#L79) | Names of custom roles defined at the org level. | object({…}) | | {…} | | | [custom_roles](variables.tf#L93) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | | | [factories_config](variables.tf#L100) | Configuration for the organization policies factory. | object({…}) | | {} | | | [fast_features](variables.tf#L109) | Selective control for top-level FAST features. | object({…}) | | {} | | -| [federated_identity_providers](variables.tf#L122) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. 
| map(object({…})) | | {} | | -| [group_iam](variables.tf#L141) | Organization-level authoritative IAM binding for groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | map(list(string)) | | {} | | -| [groups](variables.tf#L148) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | map(string) | | {…} | | -| [iam](variables.tf#L166) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | -| [iam_bindings_additive](variables.tf#L173) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | -| [locations](variables.tf#L188) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | | -| [log_sinks](variables.tf#L202) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | | -| [org_policies_config](variables.tf#L227) | Organization policies customization. | object({…}) | | {} | | -| [outputs_location](variables.tf#L252) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | -| [project_parent_ids](variables.tf#L267) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {…} | | +| [federated_identity_providers](variables.tf#L122) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | +| [group_iam](variables.tf#L142) | Organization-level authoritative IAM binding for groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | map(list(string)) | | {} | | +| [groups](variables.tf#L149) | Group names or emails to grant organization-level permissions. 
If just the name is provided, the default organization domain is assumed. | map(string) | | {…} | | +| [iam](variables.tf#L167) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | +| [iam_bindings_additive](variables.tf#L174) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | +| [locations](variables.tf#L189) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | | +| [log_sinks](variables.tf#L203) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | | +| [org_policies_config](variables.tf#L232) | Organization policies customization. | object({…}) | | {} | | +| [outputs_location](variables.tf#L257) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | +| [project_parent_ids](variables.tf#L272) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {…} | | ## Outputs diff --git a/fast/stages/0-bootstrap/automation.tf b/fast/stages/0-bootstrap/automation.tf index d74e9efb..55ec5619 100644 --- a/fast/stages/0-bootstrap/automation.tf +++ b/fast/stages/0-bootstrap/automation.tf 
@@ -60,6 +60,26 @@ module "automation-project" { module.automation-tf-resman-sa.iam_email ] } + iam_bindings = { + delegated_grants_resman = { + members = [module.automation-tf-resman-sa.iam_email] + role = "roles/resourcemanager.projectIamAdmin" + condition = { + title = "resman_delegated_grant" + description = "Resource manager service account delegated grant." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['%s'])", + "roles/serviceusage.serviceUsageConsumer" + ) + } + } + } + iam_bindings_additive = { + serviceusage_resman = { + member = module.automation-tf-resman-sa.iam_email + role = "roles/serviceusage.serviceUsageConsumer" + } + } services = [ "accesscontextmanager.googleapis.com", "bigquery.googleapis.com", diff --git a/fast/stages/0-bootstrap/data/org-policies/compute.yaml b/fast/stages/0-bootstrap/data/org-policies/compute.yaml index a3f96b1b..16a48c5b 100644 --- a/fast/stages/0-bootstrap/data/org-policies/compute.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/compute.yaml @@ -2,30 +2,32 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.disableGuestAttributesAccess: rules: - - enforce: true + - enforce: true compute.requireOsLogin: rules: - - enforce: true + - enforce: true compute.restrictLoadBalancerCreationForTypes: rules: - - allow: - values: - - in:INTERNAL + - allow: + values: + - in:INTERNAL compute.skipDefaultNetworkCreation: rules: - - enforce: true + - enforce: true compute.vmExternalIpAccess: rules: - - deny: - all: true - - + - deny: + all: true # compute.disableInternetNetworkEndpointGroup: # rules: # - enforce: true diff --git a/fast/stages/0-bootstrap/data/org-policies/gcp.yaml b/fast/stages/0-bootstrap/data/org-policies/gcp.yaml new file mode 100644 index 00000000..d244b6bb 
--- /dev/null +++ b/fast/stages/0-bootstrap/data/org-policies/gcp.yaml @@ -0,0 +1,23 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + +# constraints/gcp.resourceLocations: +# rules: +# - allow: +# values: +# - "in:europe-locations" diff --git a/fast/stages/0-bootstrap/data/org-policies/iam.yaml b/fast/stages/0-bootstrap/data/org-policies/iam.yaml index 58e0032c..7d436765 100644 --- a/fast/stages/0-bootstrap/data/org-policies/iam.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/iam.yaml @@ -2,14 +2,18 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + iam.automaticIamGrantsForDefaultServiceAccounts: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyCreation: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyUpload: rules: - - enforce: true + - enforce: true diff --git a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml index 4931c41b..1fce1a9b 100644 --- a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml 
+++ b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml @@ -2,13 +2,16 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + run.allowedIngress: rules: - - allow: - values: - - is:internal - - is:internal-and-cloud-load-balancing - + - allow: + values: + - is:internal + - is:internal-and-cloud-load-balancing # run.allowedVPCEgress: # rules: # - allow: diff --git a/fast/stages/0-bootstrap/data/org-policies/sql.yaml b/fast/stages/0-bootstrap/data/org-policies/sql.yaml index 0eee8045..de2731a0 100644 --- a/fast/stages/0-bootstrap/data/org-policies/sql.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/sql.yaml @@ -2,10 +2,14 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + sql.restrictAuthorizedNetworks: rules: - - enforce: true + - enforce: true sql.restrictPublicIp: rules: - - enforce: true + - enforce: true diff --git a/fast/stages/0-bootstrap/data/org-policies/storage.yaml b/fast/stages/0-bootstrap/data/org-policies/storage.yaml index 448357b8..2578d5a5 100644 --- a/fast/stages/0-bootstrap/data/org-policies/storage.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/storage.yaml @@ -2,6 +2,10 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + storage.uniformBucketLevelAccess: rules: - - enforce: true + - enforce: true diff --git a/fast/stages/0-bootstrap/identity-providers.tf b/fast/stages/0-bootstrap/identity-providers.tf index fbb47a83..f648f965 100644 
--- a/fast/stages/0-bootstrap/identity-providers.tf +++ b/fast/stages/0-bootstrap/identity-providers.tf @@ -89,5 +89,8 @@ resource "google_iam_workload_identity_pool_provider" "default" { ? each.value.custom_settings.issuer_uri : try(each.value.issuer_uri, null) ) + # OIDC JWKs in JSON String format. If no value is provided, they key is + # fetched from the `.well-known` path for the issuer_uri + jwks_json = each.value.custom_settings.jwks_json } } diff --git a/fast/stages/0-bootstrap/templates/workflow-github.yaml b/fast/stages/0-bootstrap/templates/workflow-github.yaml index f18eae88..5d75a087 100644 --- a/fast/stages/0-bootstrap/templates/workflow-github.yaml +++ b/fast/stages/0-bootstrap/templates/workflow-github.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages/0-bootstrap/templates/workflow-sourcerepo.yaml b/fast/stages/0-bootstrap/templates/workflow-sourcerepo.yaml index 6dd15e8c..66136b4c 100644 --- a/fast/stages/0-bootstrap/templates/workflow-sourcerepo.yaml +++ b/fast/stages/0-bootstrap/templates/workflow-sourcerepo.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf index 8446b4dd..af171b34 100644 --- a/fast/stages/0-bootstrap/variables.tf +++ b/fast/stages/0-bootstrap/variables.tf @@ -127,6 +127,7 @@ variable "federated_identity_providers" { custom_settings = optional(object({ issuer_uri = optional(string) audiences = optional(list(string), []) + jwks_json = optional(string) }), {}) })) default = {} 
@@ -207,13 +208,17 @@ variable "log_sinks" { })) default = { audit-logs = { - filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" + filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\" OR protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.TransparencyLog\"" type = "logging" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "logging" } + workspace-audit-logs = { + filter = "logName:\"/logs/cloudaudit.googleapis.com%2Fdata_access\" and protoPayload.serviceName:\"login.googleapis.com\"" + type = "logging" + } } validation { condition = alltrue([ diff --git a/fast/stages/1-resman/IAM.md b/fast/stages/1-resman/IAM.md index 403bd96c..9b19c43a 100644 --- a/fast/stages/1-resman/IAM.md +++ b/fast/stages/1-resman/IAM.md @@ -6,14 +6,10 @@ Legend: + additive, conditional. | members | roles | |---|---| -|dev-resman-dp-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| -|dev-resman-gke-0
serviceAccount|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| -|dev-resman-pf-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| -|prod-resman-dp-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| -|prod-resman-gke-0
serviceAccount|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| -|prod-resman-net-0
serviceAccount|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +
[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +| -|prod-resman-pf-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| -|prod-resman-sec-0
serviceAccount|[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| +|dev-resman-pf-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| +|prod-resman-net-0
serviceAccount|[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +| +|prod-resman-pf-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| +|security-0
serviceAccount|[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) +| ## Folder development [#0] @@ -85,7 +81,13 @@ Legend: + additive, conditional. | members | roles | |---|---| |gcp-security-admins
group|[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) | -|prod-resman-sec-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) | +|security-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) | + +## Folder team 0 + +| members | roles | +|---|---| +|prod-teams-team-0-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) | ## Folder teams @@ -93,21 +95,19 @@ Legend: + additive, conditional. |---|---| |prod-resman-teams-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) | -## Folder teams test - -| members | roles | -|---|---| -|prod-teams-teams-test-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) | - ## Project prod-iac-core-0 | members | roles | |---|---| -|dev-pf-resman-pf-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| -|dev-resman-dp-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| -|dev-resman-gke-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| -|prod-pf-resman-pf-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| -|prod-resman-dp-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| -|prod-resman-gke-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| +|dev-resman-dp-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| +|dev-resman-gke-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| +|dev-resman-pf-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| +|dev-resman-sbox-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| +|prod-resman-gke-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| +|prod-resman-net-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| |prod-resman-net-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| +|prod-resman-pf-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| |prod-resman-sec-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +| +|prod-resman-teams-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| +|security-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| +|tn-egov-t0-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +| diff --git a/fast/stages/1-resman/branch-data-platform.tf b/fast/stages/1-resman/branch-data-platform.tf index 219c3c65..635522cf 100644 --- a/fast/stages/1-resman/branch-data-platform.tf +++ b/fast/stages/1-resman/branch-data-platform.tf @@ -88,6 +88,9 @@ module "branch-dp-dev-sa" { try(module.branch-dp-dev-sa-cicd.0.iam_email, null) ]) } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] } diff --git a/fast/stages/1-resman/branch-gke.tf b/fast/stages/1-resman/branch-gke.tf index 791305f2..3d46fec9 100644 --- a/fast/stages/1-resman/branch-gke.tf +++ b/fast/stages/1-resman/branch-gke.tf @@ -87,6 +87,9 @@ module "branch-gke-dev-sa" { ]) ) } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] } @@ -111,6 +114,9 @@ module "branch-gke-prod-sa" { ]) ) } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] } diff --git a/fast/stages/1-resman/branch-networking.tf b/fast/stages/1-resman/branch-networking.tf index fe457569..e1379906 100644 --- a/fast/stages/1-resman/branch-networking.tf +++ b/fast/stages/1-resman/branch-networking.tf @@ -96,6 +96,9 @@ module "branch-network-sa" { try(module.branch-network-sa-cicd.0.iam_email, null) ]) } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] } 
diff --git a/fast/stages/1-resman/branch-project-factory.tf b/fast/stages/1-resman/branch-project-factory.tf index 7f2fbf28..6b708b27 100644 --- a/fast/stages/1-resman/branch-project-factory.tf +++ b/fast/stages/1-resman/branch-project-factory.tf @@ -29,6 +29,9 @@ module "branch-pf-dev-sa" { try(module.branch-pf-dev-sa-cicd.0.iam_email, null) ]) } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] } @@ -47,6 +50,9 @@ module "branch-pf-prod-sa" { try(module.branch-pf-prod-sa-cicd.0.iam_email, null) ]) } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] } diff --git a/fast/stages/1-resman/branch-sandbox.tf b/fast/stages/1-resman/branch-sandbox.tf index 33eae4f0..3628df76 100644 --- a/fast/stages/1-resman/branch-sandbox.tf +++ b/fast/stages/1-resman/branch-sandbox.tf @@ -59,4 +59,7 @@ module "branch-sandbox-sa" { name = "dev-resman-sbox-0" display_name = "Terraform resman sandbox service account." prefix = var.prefix + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } } diff --git a/fast/stages/1-resman/branch-security.tf b/fast/stages/1-resman/branch-security.tf index 31a833dc..78c98aa0 100644 --- a/fast/stages/1-resman/branch-security.tf +++ b/fast/stages/1-resman/branch-security.tf @@ -60,9 +60,7 @@ module "branch-security-sa" { ]) } iam_project_roles = { - (var.automation.project_id) = [ - "roles/serviceusage.serviceUsageConsumer", - ] + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] diff --git a/fast/stages/1-resman/branch-teams.tf b/fast/stages/1-resman/branch-teams.tf index 9c9f5399..33026c8e 100644 
--- a/fast/stages/1-resman/branch-teams.tf +++ b/fast/stages/1-resman/branch-teams.tf @@ -46,6 +46,9 @@ module "branch-teams-sa" { name = "prod-resman-teams-0" display_name = "Terraform resman teams service account." prefix = var.prefix + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] } @@ -82,6 +85,8 @@ module "branch-teams-team-folder" { group_iam = each.value.group_iam == null ? {} : each.value.group_iam } +# TODO: move into team's own IaC project + module "branch-teams-team-sa" { source = "../../../modules/iam-service-account" for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {} diff --git a/fast/stages/1-resman/branch-tenants.tf b/fast/stages/1-resman/branch-tenants.tf index 2bbafd7d..251c63c8 100644 --- a/fast/stages/1-resman/branch-tenants.tf +++ b/fast/stages/1-resman/branch-tenants.tf @@ -135,6 +135,9 @@ module "tenant-core-sa" { name = "tn-${each.key}-0" description = "Terraform service account for tenant ${each.key}." prefix = var.prefix + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } } module "tenant-core-gcs" { diff --git a/fast/stages/1-resman/templates/workflow-github.yaml b/fast/stages/1-resman/templates/workflow-github.yaml index 9fe63d23..6daa04f6 100644 --- a/fast/stages/1-resman/templates/workflow-github.yaml +++ b/fast/stages/1-resman/templates/workflow-github.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages/1-resman/templates/workflow-sourcerepo.yaml b/fast/stages/1-resman/templates/workflow-sourcerepo.yaml index 6dd15e8c..66136b4c 100644 --- a/fast/stages/1-resman/templates/workflow-sourcerepo.yaml 
+++ b/fast/stages/1-resman/templates/workflow-sourcerepo.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md index 05478d79..e0c9f9b2 100644 --- a/fast/stages/2-networking-a-peering/README.md +++ b/fast/stages/2-networking-a-peering/README.md @@ -376,8 +376,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [peerings.tf](./peerings.tf) | None | net-vpc-peering | | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | +| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables-peerings.tf](./variables-peerings.tf) | Peering related variables. | | | | [variables.tf](./variables.tf) | Module variables. | | | diff --git a/fast/stages/2-networking-a-peering/data/cidrs.yaml b/fast/stages/2-networking-a-peering/data/cidrs.yaml index b6c25e21..3591e95a 100644 --- a/fast/stages/2-networking-a-peering/data/cidrs.yaml +++ b/fast/stages/2-networking-a-peering/data/cidrs.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml b/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml index d091e4f0..f157cec0 100644 --- a/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/dev/rules.yaml index cab42edc..68866161 100644 --- a/fast/stages/2-networking-a-peering/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-a-peering/data/firewall-rules/dev/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/landing/rules.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/landing/rules.yaml index 3c1425a7..2318f69d 100644 --- a/fast/stages/2-networking-a-peering/data/firewall-rules/landing/rules.yaml +++ b/fast/stages/2-networking-a-peering/data/firewall-rules/landing/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-onprem-probes-example: 
diff --git a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml index 0aa722bb..26e58674 100644 --- a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml @@ -1,11 +1,14 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. -allow-admins: - description: Access from the admin subnet to all subnets - priority: 1000 - match: - source_ranges: - - rfc1918 +# allow-admins: +# description: Access from the admin subnet to all subnets +# priority: 1000 +# match: +# source_ranges: +# - rfc1918 allow-healthchecks: description: Enable HTTP and HTTPS healthchecks @@ -14,8 +17,8 @@ allow-healthchecks: source_ranges: - healthchecks layer4_configs: - - protocol: tcp - ports: ["80", "443"] + - protocol: tcp + ports: ["80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP @@ -24,8 +27,8 @@ allow-ssh-from-iap: source_ranges: - 35.235.240.0/20 layer4_configs: - - protocol: tcp - ports: ["22"] + - protocol: tcp + ports: ["22"] allow-icmp: description: Enable ICMP @@ -34,4 +37,12 @@ allow-icmp: source_ranges: - 0.0.0.0/0 layer4_configs: - - protocol: icmp + - protocol: icmp + +allow-nat-ranges: + description: Enable NAT ranges for VPC serverless connector + priority: 1004 + match: + source_ranges: + - 107.178.230.64/26 + - 35.199.224.0/19 diff --git a/fast/stages/2-networking-a-peering/spoke-dev.tf b/fast/stages/2-networking-a-peering/spoke-dev.tf index bfff002b..898bb850 100644 --- a/fast/stages/2-networking-a-peering/spoke-dev.tf +++ b/fast/stages/2-networking-a-peering/spoke-dev.tf 
@@ -43,6 +43,26 @@ module "dev-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-dev, null), + try(local.service_accounts.project-factory-dev, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-dev, null), + ]) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "Development host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "dev-spoke-vpc" { @@ -84,23 +104,3 @@ module "dev-spoke-cloudnat" { router_network = module.dev-spoke-vpc.name logging_filter = "ERRORS_ONLY" } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" { - project = module.dev-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-dev, null), - ]) - condition { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} diff --git a/fast/stages/2-networking-a-peering/spoke-prod.tf b/fast/stages/2-networking-a-peering/spoke-prod.tf index 505005bd..3226af61 100644 --- a/fast/stages/2-networking-a-peering/spoke-prod.tf +++ b/fast/stages/2-networking-a-peering/spoke-prod.tf 
@@ -42,6 +42,25 @@ module "prod-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-prod, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-prod, null), + ]) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "Production host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "prod-spoke-vpc" { @@ -83,22 +102,3 @@ module "prod-spoke-cloudnat" { router_network = module.prod-spoke-vpc.name logging_filter = "ERRORS_ONLY" } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" { - project = module.prod-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-prod, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-prod, null), - ]) - condition { - title = "prod_stage3_sa_delegated_grants" - description = "Production host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} diff --git a/fast/stages/2-networking-b-vpn/README.md b/fast/stages/2-networking-b-vpn/README.md index 4de2666e..1ce344b5 100644 --- a/fast/stages/2-networking-b-vpn/README.md +++ b/fast/stages/2-networking-b-vpn/README.md 
@@ -397,8 +397,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | +| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables-vpn.tf](./variables-vpn.tf) | None | | | | [variables.tf](./variables.tf) | Module variables. | | | @@ -424,7 +424,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [psa_ranges](variables.tf#L138) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | | | [regions](variables.tf#L157) | Region definitions. | object({…}) | | {…} | | | [service_accounts](variables.tf#L169) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_configs](variables-vpn.tf#L17) | Hub to spokes VPN configurations. | object({…}) | | {…} | | +| [vpn_configs](variables-vpn.tf#L17) | Hub to spokes VPN configurations. | object({…}) | | {} | | | [vpn_onprem_primary_config](variables.tf#L183) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | ## Outputs 
diff --git a/fast/stages/2-networking-b-vpn/data/cidrs.yaml b/fast/stages/2-networking-b-vpn/data/cidrs.yaml index b6c25e21..3591e95a 100644 --- a/fast/stages/2-networking-b-vpn/data/cidrs.yaml +++ b/fast/stages/2-networking-b-vpn/data/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml b/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml index d091e4f0..f157cec0 100644 --- a/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/rules.yaml index cab42edc..68866161 100644 --- a/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/rules.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/rules.yaml index 3c1425a7..2318f69d 100644 --- a/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/rules.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-onprem-probes-example: diff --git a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml index 0aa722bb..26e58674 100644 --- a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml @@ -1,11 +1,14 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. -allow-admins: - description: Access from the admin subnet to all subnets - priority: 1000 - match: - source_ranges: - - rfc1918 +# allow-admins: +# description: Access from the admin subnet to all subnets +# priority: 1000 +# match: +# source_ranges: +# - rfc1918 allow-healthchecks: description: Enable HTTP and HTTPS healthchecks @@ -14,8 +17,8 @@ allow-healthchecks: source_ranges: - healthchecks layer4_configs: - - protocol: tcp - ports: ["80", "443"] + - protocol: tcp + ports: ["80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP @@ -24,8 +27,8 @@ allow-ssh-from-iap: source_ranges: - 35.235.240.0/20 layer4_configs: - - protocol: tcp - ports: ["22"] + - protocol: tcp + ports: ["22"] allow-icmp: description: Enable ICMP @@ -34,4 +37,12 @@ allow-icmp: source_ranges: - 0.0.0.0/0 layer4_configs: - - protocol: icmp + - protocol: icmp + +allow-nat-ranges: + description: Enable NAT ranges for VPC serverless connector + priority: 1004 + match: + source_ranges: + - 107.178.230.64/26 + - 35.199.224.0/19 diff --git a/fast/stages/2-networking-b-vpn/spoke-dev.tf b/fast/stages/2-networking-b-vpn/spoke-dev.tf index bfff002b..898bb850 100644 --- a/fast/stages/2-networking-b-vpn/spoke-dev.tf 
+++ b/fast/stages/2-networking-b-vpn/spoke-dev.tf @@ -43,6 +43,26 @@ module "dev-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-dev, null), + try(local.service_accounts.project-factory-dev, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-dev, null), + ]) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "Development host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "dev-spoke-vpc" { @@ -84,23 +104,3 @@ module "dev-spoke-cloudnat" { router_network = module.dev-spoke-vpc.name logging_filter = "ERRORS_ONLY" } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" { - project = module.dev-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-dev, null), - ]) - condition { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} diff --git a/fast/stages/2-networking-b-vpn/spoke-prod.tf b/fast/stages/2-networking-b-vpn/spoke-prod.tf index 505005bd..3226af61 100644 --- a/fast/stages/2-networking-b-vpn/spoke-prod.tf 
+++ b/fast/stages/2-networking-b-vpn/spoke-prod.tf @@ -42,6 +42,25 @@ module "prod-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-prod, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-prod, null), + ]) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "Production host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "prod-spoke-vpc" { @@ -83,22 +102,3 @@ module "prod-spoke-cloudnat" { router_network = module.prod-spoke-vpc.name logging_filter = "ERRORS_ONLY" } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" { - project = module.prod-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-prod, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-prod, null), - ]) - condition { - title = "prod_stage3_sa_delegated_grants" - description = "Production host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} diff --git a/fast/stages/2-networking-b-vpn/variables-vpn.tf b/fast/stages/2-networking-b-vpn/variables-vpn.tf index 64edb611..c2be1826 100644 --- a/fast/stages/2-networking-b-vpn/variables-vpn.tf +++ b/fast/stages/2-networking-b-vpn/variables-vpn.tf 
@@ -17,37 +17,28 @@ variable "vpn_configs" { description = "Hub to spokes VPN configurations." type = object({ - dev = object({ - asn = number + dev = optional(object({ + asn = optional(number, 65501) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) - }) - landing = object({ - asn = number + }), {}) + landing = optional(object({ + asn = optional(number, 65500) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) - }) - prod = object({ - asn = number + }), {}) + prod = optional(object({ + asn = optional(number, 65502) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) - }) + }), {}) }) - default = { - dev = { - asn = 65501 - } - landing = { - asn = 65500 - } - prod = { - asn = 65502 - } - } + nullable = false + default = {} } diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md index d61baf57..daee38fc 100644 --- a/fast/stages/2-networking-c-nva/README.md +++ b/fast/stages/2-networking-c-nva/README.md 
@@ -446,8 +446,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [nva.tf](./nva.tf) | None | compute-mig · compute-vm · simple-nva | | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | google_project_iam_binding | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | google_project_iam_binding | +| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | +| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | diff --git a/fast/stages/2-networking-c-nva/data/cidrs.yaml b/fast/stages/2-networking-c-nva/data/cidrs.yaml index b6c25e21..3591e95a 100644 --- a/fast/stages/2-networking-c-nva/data/cidrs.yaml +++ b/fast/stages/2-networking-c-nva/data/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml b/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml index d091e4f0..f157cec0 100644 --- a/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml index cab42edc..68866161 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml index 1405170f..fea923b0 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-hc-nva-ssh-trusted: diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml index aa51c0fe..f2793e49 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-hc-nva-ssh-untrusted: diff --git a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml index 0aa722bb..26e58674 100644 --- a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml @@ -1,11 +1,14 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. -allow-admins: - description: Access from the admin subnet to all subnets - priority: 1000 - match: - source_ranges: - - rfc1918 +# allow-admins: +# description: Access from the admin subnet to all subnets +# priority: 1000 +# match: +# source_ranges: +# - rfc1918 allow-healthchecks: description: Enable HTTP and HTTPS healthchecks @@ -14,8 +17,8 @@ allow-healthchecks: source_ranges: - healthchecks layer4_configs: - - protocol: tcp - ports: ["80", "443"] + - protocol: tcp + ports: ["80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP @@ -24,8 +27,8 @@ allow-ssh-from-iap: source_ranges: - 35.235.240.0/20 layer4_configs: - - protocol: tcp - ports: ["22"] + - protocol: tcp + ports: ["22"] allow-icmp: description: Enable ICMP @@ -34,4 +37,12 @@ allow-icmp: source_ranges: - 0.0.0.0/0 layer4_configs: - - protocol: icmp + - protocol: icmp + +allow-nat-ranges: + description: Enable NAT ranges for VPC serverless connector + priority: 1004 + match: + source_ranges: + - 107.178.230.64/26 + - 35.199.224.0/19 diff --git a/fast/stages/2-networking-c-nva/nva.tf b/fast/stages/2-networking-c-nva/nva.tf index 9d099282..595b72b7 100644 --- a/fast/stages/2-networking-c-nva/nva.tf 
+++ b/fast/stages/2-networking-c-nva/nva.tf @@ -129,7 +129,11 @@ module "ilb-nva-untrusted" { region = each.value.region name = "nva-untrusted-${each.key}" service_label = var.prefix - global_access = true + forwarding_rules_config = { + "" = { + global_access = true + } + } vpc_config = { network = module.landing-untrusted-vpc.self_link subnetwork = module.landing-untrusted-vpc.subnet_self_links[each.value.subnet] @@ -160,7 +164,11 @@ module "ilb-nva-trusted" { region = each.value.region name = "nva-trusted-${each.key}" service_label = var.prefix - global_access = true + forwarding_rules_config = { + "" = { + global_access = true + } + } vpc_config = { network = module.landing-trusted-vpc.self_link subnetwork = module.landing-trusted-vpc.subnet_self_links[each.value.subnet] diff --git a/fast/stages/2-networking-c-nva/spoke-dev.tf b/fast/stages/2-networking-c-nva/spoke-dev.tf index 0f6e8b8f..98c4038b 100644 --- a/fast/stages/2-networking-c-nva/spoke-dev.tf +++ b/fast/stages/2-networking-c-nva/spoke-dev.tf @@ -42,6 +42,26 @@ module "dev-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-dev, null), + try(local.service_accounts.project-factory-dev, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-dev, null), + ]) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "Development host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "dev-spoke-vpc" { 
@@ -65,28 +85,28 @@ module "dev-spoke-vpc" { priority = 1000 tags = ["primary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_address + next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_addresses[""] } nva-secondary-to-secondary = { dest_range = "0.0.0.0/0" priority = 1000 tags = ["secondary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_address + next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_addresses[""] } nva-primary-to-secondary = { dest_range = "0.0.0.0/0" priority = 1001 tags = ["primary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_address + next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_addresses[""] } nva-secondary-to-primary = { dest_range = "0.0.0.0/0" priority = 1001 tags = ["secondary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_address + next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_addresses[""] } } } @@ -110,23 +130,3 @@ module "peering-dev" { local_network = module.dev-spoke-vpc.self_link peer_network = module.landing-trusted-vpc.self_link } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" { - project = module.dev-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-dev, null), - ]) - condition { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} 
diff --git a/fast/stages/2-networking-c-nva/spoke-prod.tf b/fast/stages/2-networking-c-nva/spoke-prod.tf index 98959509..91353c97 100644 --- a/fast/stages/2-networking-c-nva/spoke-prod.tf +++ b/fast/stages/2-networking-c-nva/spoke-prod.tf @@ -41,6 +41,25 @@ module "prod-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-prod, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-prod, null), + ]) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "Production host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "prod-spoke-vpc" { 
@@ -64,28 +83,28 @@ module "prod-spoke-vpc" { priority = 1000 tags = ["primary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_address + next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_addresses[""] } nva-secondary-to-secondary = { dest_range = "0.0.0.0/0" priority = 1000 tags = ["secondary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_address + next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_addresses[""] } nva-primary-to-secondary = { dest_range = "0.0.0.0/0" priority = 1001 tags = ["primary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_address + next_hop = module.ilb-nva-trusted["secondary"].forwarding_rule_addresses[""] } nva-secondary-to-primary = { dest_range = "0.0.0.0/0" priority = 1001 tags = ["secondary"] next_hop_type = "ilb" - next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_address + next_hop = module.ilb-nva-trusted["primary"].forwarding_rule_addresses[""] } } } @@ -109,22 +128,3 @@ module "peering-prod" { local_network = module.prod-spoke-vpc.self_link peer_network = module.landing-trusted-vpc.self_link } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" { - project = module.prod-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-prod, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-prod, null), - ]) - condition { - title = "prod_stage3_sa_delegated_grants" - description = "Production host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} 
diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md index e84530e8..88f68846 100644 --- a/fast/stages/2-networking-d-separate-envs/README.md +++ b/fast/stages/2-networking-d-separate-envs/README.md @@ -320,8 +320,8 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. | | google_monitoring_dashboard | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | google_project_iam_binding | +| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-cloudnat · net-vpc · net-vpc-firewall · project | | | [test-resources.tf](./test-resources.tf) | Temporary instances for testing | compute-vm | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | diff --git a/fast/stages/2-networking-d-separate-envs/data/cidrs.yaml b/fast/stages/2-networking-d-separate-envs/data/cidrs.yaml index b6c25e21..3591e95a 100644 --- a/fast/stages/2-networking-d-separate-envs/data/cidrs.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 
diff --git a/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml b/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml index d091e4f0..f157cec0 100644 --- a/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml index 67386c44..103215b7 100644 --- a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml index 0aa722bb..26e58674 100644 --- a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml 
@@ -1,11 +1,14 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. -allow-admins: - description: Access from the admin subnet to all subnets - priority: 1000 - match: - source_ranges: - - rfc1918 +# allow-admins: +# description: Access from the admin subnet to all subnets +# priority: 1000 +# match: +# source_ranges: +# - rfc1918 allow-healthchecks: description: Enable HTTP and HTTPS healthchecks @@ -14,8 +17,8 @@ allow-healthchecks: source_ranges: - healthchecks layer4_configs: - - protocol: tcp - ports: ["80", "443"] + - protocol: tcp + ports: ["80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP @@ -24,8 +27,8 @@ allow-ssh-from-iap: source_ranges: - 35.235.240.0/20 layer4_configs: - - protocol: tcp - ports: ["22"] + - protocol: tcp + ports: ["22"] allow-icmp: description: Enable ICMP @@ -34,4 +37,12 @@ allow-icmp: source_ranges: - 0.0.0.0/0 layer4_configs: - - protocol: icmp + - protocol: icmp + +allow-nat-ranges: + description: Enable NAT ranges for VPC serverless connector + priority: 1004 + match: + source_ranges: + - 107.178.230.64/26 + - 35.199.224.0/19 diff --git a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf index 61562f44..5cd8c355 100644 --- a/fast/stages/2-networking-d-separate-envs/spoke-dev.tf +++ b/fast/stages/2-networking-d-separate-envs/spoke-dev.tf 
@@ -43,6 +43,26 @@ module "dev-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-dev, null), + try(local.service_accounts.project-factory-dev, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-dev, null), + ]) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "Development host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "dev-spoke-vpc" { @@ -84,23 +104,3 @@ module "dev-spoke-cloudnat" { router_network = module.dev-spoke-vpc.name logging_filter = "ERRORS_ONLY" } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" { - project = module.dev-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.gke-dev, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - ]) - condition { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} diff --git a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf index 7b42f546..6889bb96 100644 --- a/fast/stages/2-networking-d-separate-envs/spoke-prod.tf 
+++ b/fast/stages/2-networking-d-separate-envs/spoke-prod.tf @@ -42,6 +42,25 @@ module "prod-spoke-project" { try(local.service_accounts.project-factory-prod, null) ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-prod, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-prod, null), + ]) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "Production host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "prod-spoke-vpc" { @@ -83,22 +102,3 @@ module "prod-spoke-cloudnat" { router_network = module.prod-spoke-vpc.name logging_filter = "ERRORS_ONLY" } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" { - project = module.prod-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-prod, null), - try(local.service_accounts.gke-platform-prod, null), - try(local.service_accounts.project-factory-prod, null), - ]) - condition { - title = "prod_stage3_sa_delegated_grants" - description = "Production host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md index 4b3d6fad..e9bf8c10 100644 --- a/fast/stages/2-networking-e-nva-bgp/README.md +++ b/fast/stages/2-networking-e-nva-bgp/README.md 
@@ -472,8 +472,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [nva.tf](./nva.tf) | None | compute-vm · simple-nva | google_compute_address | | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | -| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | google_project_iam_binding | -| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | google_project_iam_binding | +| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | +| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | net-vpc · net-vpc-firewall · net-vpc-peering · project | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | diff --git a/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml b/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml index 93d7bb0b..1dc04881 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml index d091e4f0..f157cec0 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml index cab42edc..68866161 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml index 6e00603b..bd7bee57 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-hc-nva-ssh-trusted: diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml index c6077013..3588af4d 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-hc-nva-ssh-untrusted: diff --git a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml index 0aa722bb..26e58674 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml @@ -1,11 +1,14 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. -allow-admins: - description: Access from the admin subnet to all subnets - priority: 1000 - match: - source_ranges: - - rfc1918 +# allow-admins: +# description: Access from the admin subnet to all subnets +# priority: 1000 +# match: +# source_ranges: +# - rfc1918 allow-healthchecks: description: Enable HTTP and HTTPS healthchecks @@ -14,8 +17,8 @@ allow-healthchecks: source_ranges: - healthchecks layer4_configs: - - protocol: tcp - ports: ["80", "443"] + - protocol: tcp + ports: ["80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP @@ -24,8 +27,8 @@ allow-ssh-from-iap: source_ranges: - 35.235.240.0/20 layer4_configs: - - protocol: tcp - ports: ["22"] + - protocol: tcp + ports: ["22"] allow-icmp: description: Enable ICMP @@ -34,4 +37,12 @@ allow-icmp: source_ranges: - 0.0.0.0/0 layer4_configs: - - protocol: icmp + - protocol: icmp + +allow-nat-ranges: + description: Enable NAT ranges for VPC serverless connector + priority: 1004 + match: + source_ranges: + - 107.178.230.64/26 + - 35.199.224.0/19 diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf b/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf index 56b65e39..92a4a21f 100644 
--- a/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf +++ b/fast/stages/2-networking-e-nva-bgp/spoke-dev.tf @@ -42,6 +42,26 @@ module "dev-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-dev, null), + try(local.service_accounts.project-factory-dev, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-dev, null), + ]) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "Development host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "dev-spoke-vpc" { @@ -80,23 +100,3 @@ module "peering-dev" { local_network = module.dev-spoke-vpc.self_link peer_network = module.landing-trusted-vpc.self_link } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" { - project = module.dev-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-dev, null), - ]) - condition { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} 
diff --git a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf b/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf index 6ae49dee..b5bff393 100644 --- a/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf +++ b/fast/stages/2-networking-e-nva-bgp/spoke-prod.tf @@ -41,6 +41,25 @@ module "prod-spoke-project" { try(local.service_accounts.project-factory-prod, null), ]) } + # allow specific service accounts to assign a set of roles + iam_bindings = { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = compact([ + try(local.service_accounts.data-platform-prod, null), + try(local.service_accounts.project-factory-prod, null), + try(local.service_accounts.gke-prod, null), + ]) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "Production host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) + ) + } + } + } } module "prod-spoke-vpc" { @@ -79,22 +98,3 @@ module "peering-prod" { local_network = module.prod-spoke-vpc.self_link peer_network = module.landing-trusted-vpc.self_link } - -# Create delegated grants for stage3 service accounts -resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" { - project = module.prod-spoke-project.project_id - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-prod, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-prod, null), - ]) - condition { - title = "prod_stage3_sa_delegated_grants" - description = "Production host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) - } -} 
diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index bdd86e7d..5ff903f0 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md @@ -42,7 +42,7 @@ IAM for management-related operations is already assigned at the folder level to A reference Cloud KMS implementation is part of this stage, to provide a simple way of managing centralized keys, that are then shared and consumed widely across the organization to enable customer-managed encryption. The implementation is also easy to clone and modify to support other services like Secret Manager. -The Cloud KMS configuration allows defining keys by name (typically matching the downstream service that uses them) in different locations, either based on a common default or a per-key setting. It then takes care internally of provisioning the relevant keyrings and creating keys in the appropriate location. +The Cloud KMS configuration allows defining keys by name (typically matching the downstream service that uses them) in different locations. It then takes care internally of provisioning the relevant keyrings and creating keys in the appropriate location. IAM roles on keys can be configured at the logical level for all locations where a logical key is created. Their management can also be delegated via [delegated role grants](https://cloud.google.com/iam/docs/setting-limits-on-granting-roles) exposed through a simple variable, to allow other identities to set IAM policies on keys. This is particularly useful in setups like project factories, making it possible to configure IAM bindings during project creation for team groups or service agent accounts (compute, storage, etc.). 
@@ -141,10 +141,7 @@ terraform apply ### KMS keys -Cloud KMS configuration is split in two variables: - -- `kms_defaults` configures the locations and rotation period, used for keys that don't specifically configure them -- `kms_keys` configures the actual keys to create, and also allows configuring their IAM bindings and labels, and overriding locations and rotation period. When configuring locations for a key, please consider the limitations each cloud product may have. +Cloud KMS configuration is controlled by `kms_keys`, which configures the actual keys to create, and also allows configuring their IAM bindings, labels, locations and rotation period. When configuring locations for a key, please consider the limitations each cloud product may have. The additional `kms_restricted_admins` variable allows granting `roles/cloudkms.admin` to specified principals, restricted via [delegated role grants](https://cloud.google.com/iam/docs/setting-limits-on-granting-roles) so that it only allows granting the roles needed for encryption/decryption on keys. This allows safe delegation of key management to subsequent Terraform stages like the Project Factory, for example to grant usage access on relevant keys to the service agent accounts for compute, storage, etc. @@ -155,10 +152,6 @@ An example of how to configure keys: ```tfvars # terraform.tfvars -kms_defaults = { - locations = ["europe-west1", "europe-west3", "global"] - rotation_period = "7776000s" -} kms_keys = { compute = { iam = { @@ -167,8 +160,8 @@ kms_keys = { ] } labels = { service = "compute" } - locations = null - rotation_period = null + locations = ["europe-west1", "europe-west3", "global"] + rotation_period = "7776000s" } storage = { iam = null diff --git a/fast/stages/3-data-platform/dev/outputs.tf b/fast/stages/3-data-platform/dev/outputs.tf index bb9956ec..f637ece7 100644 --- a/fast/stages/3-data-platform/dev/outputs.tf +++ b/fast/stages/3-data-platform/dev/outputs.tf 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages/3-gke-multitenant/dev/outputs.tf b/fast/stages/3-gke-multitenant/dev/outputs.tf index 3f231c68..a3f7165d 100644 --- a/fast/stages/3-gke-multitenant/dev/outputs.tf +++ b/fast/stages/3-gke-multitenant/dev/outputs.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/fast/stages/3-project-factory/dev/README.md b/fast/stages/3-project-factory/dev/README.md index 79a4b548..03bfa86c 100644 --- a/fast/stages/3-project-factory/dev/README.md +++ b/fast/stages/3-project-factory/dev/README.md @@ -87,5 +87,5 @@ terraform apply | name | description | sensitive | consumers | |---|---|:---:|---| | [projects](outputs.tf#L17) | Created projects. | | | -| [service_accounts](outputs.tf#L22) | Created service accounts. | | | +| [service_accounts](outputs.tf#L27) | Created service accounts. | | | diff --git a/fast/stages/3-project-factory/dev/outputs.tf b/fast/stages/3-project-factory/dev/outputs.tf index 2c86ac9c..baaf3902 100644 --- a/fast/stages/3-project-factory/dev/outputs.tf +++ b/fast/stages/3-project-factory/dev/outputs.tf @@ -16,7 +16,12 @@ output "projects" { description = "Created projects." - value = module.projects.projects + value = { + for k, v in module.projects.projects : k => { + number = v.number + project_id = v.id + } + } } output "service_accounts" { 
diff --git a/modules/README.md b/modules/README.md index 4fbbd140..03c5cf65 100644 --- a/modules/README.md +++ b/modules/README.md @@ -74,7 +74,6 @@ These modules are used in the examples included in this repository. If you are u ## Data - - [BigQuery dataset](./bigquery-dataset) - [Bigtable instance](./bigtable-instance) - [Dataplex](./dataplex) diff --git a/modules/__experimental/alloydb-instance/versions.tf b/modules/__experimental/alloydb-instance/versions.tf index 3963660f..af346395 100644 --- a/modules/__experimental/alloydb-instance/versions.tf +++ b/modules/__experimental/alloydb-instance/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/__experimental/net-neg/versions.tf b/modules/__experimental/net-neg/versions.tf index 3963660f..af346395 100644 --- a/modules/__experimental/net-neg/versions.tf +++ b/modules/__experimental/net-neg/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/api-gateway/versions.tf b/modules/api-gateway/versions.tf index 3963660f..af346395 100644 --- a/modules/api-gateway/versions.tf +++ b/modules/api-gateway/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } 
diff --git a/modules/apigee/main.tf b/modules/apigee/main.tf index 67fd74be..46f76555 100644 --- a/modules/apigee/main.tf +++ b/modules/apigee/main.tf @@ -137,20 +137,35 @@ resource "google_apigee_addons_config" "addons_config" { for_each = toset(var.addons_config == null ? [] : [""]) org = local.org_name addons_config { - advanced_api_ops_config { - enabled = var.addons_config.advanced_api_ops + dynamic "advanced_api_ops_config" { + for_each = var.addons_config.advanced_api_ops ? [""] : [] + content { + enabled = true + } } - api_security_config { - enabled = var.addons_config.api_security + dynamic "api_security_config" { + for_each = var.addons_config.api_security ? [""] : [] + content { + enabled = true + } } - connectors_platform_config { - enabled = var.addons_config.connectors_platform + dynamic "connectors_platform_config" { + for_each = var.addons_config.connectors_platform ? [""] : [] + content { + enabled = true + } } - integration_config { - enabled = var.addons_config.integration + dynamic "integration_config" { + for_each = var.addons_config.integration ? [""] : [] + content { + enabled = true + } } - monetization_config { - enabled = var.addons_config.monetization + dynamic "monetization_config" { + for_each = var.addons_config.monetization ? [""] : [] + content { + enabled = true + } } } } diff --git a/modules/apigee/outputs.tf b/modules/apigee/outputs.tf index eb3ab2cc..34c58a25 100644 --- a/modules/apigee/outputs.tf +++ b/modules/apigee/outputs.tf 
@@ -21,17 +21,17 @@ output "endpoint_attachment_hosts" { output "envgroups" { description = "Environment groups." - value = try(google_apigee_envgroup.envgroups, null) + value = google_apigee_envgroup.envgroups } output "environments" { description = "Environment." - value = try(google_apigee_environment.environments, null) + value = google_apigee_environment.environments } output "instances" { description = "Instances." - value = try(google_apigee_instance.instances, null) + value = google_apigee_instance.instances } output "nat_ips" { diff --git a/modules/apigee/versions.tf b/modules/apigee/versions.tf index 3963660f..af346395 100644 --- a/modules/apigee/versions.tf +++ b/modules/apigee/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/artifact-registry/outputs.tf b/modules/artifact-registry/outputs.tf index bffd0fbe..b41faf82 100644 --- a/modules/artifact-registry/outputs.tf +++ b/modules/artifact-registry/outputs.tf @@ -22,7 +22,7 @@ output "id" { output "image_path" { description = "Repository path for images." value = join("/", [ - "${var.location}-docker.pkg.dev", + "${var.location}-${local.format_string}.pkg.dev", var.project_id, var.name ]) diff --git a/modules/artifact-registry/versions.tf b/modules/artifact-registry/versions.tf index 3963660f..af346395 100644 --- a/modules/artifact-registry/versions.tf +++ b/modules/artifact-registry/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } 
diff --git a/modules/bigquery-dataset/versions.tf b/modules/bigquery-dataset/versions.tf index 3963660f..af346395 100644 --- a/modules/bigquery-dataset/versions.tf +++ b/modules/bigquery-dataset/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/bigtable-instance/versions.tf b/modules/bigtable-instance/versions.tf index 3963660f..af346395 100644 --- a/modules/bigtable-instance/versions.tf +++ b/modules/bigtable-instance/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/billing-account/versions.tf b/modules/billing-account/versions.tf index 3adb6d44..0cc9b972 100644 --- a/modules/billing-account/versions.tf +++ b/modules/billing-account/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/binauthz/versions.tf b/modules/binauthz/versions.tf index 3963660f..af346395 100644 --- a/modules/binauthz/versions.tf +++ b/modules/binauthz/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } 
diff --git a/modules/cloud-config-container/__need_fixing/onprem/cloud-config.yaml b/modules/cloud-config-container/__need_fixing/onprem/cloud-config.yaml index ba27f84d..da5aa81e 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/cloud-config.yaml +++ b/modules/cloud-config-container/__need_fixing/onprem/cloud-config.yaml @@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile index 8bb6165b..df698383 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile +++ b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/cloudbuild.yaml b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/cloudbuild.yaml index b451e79a..54319d75 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/cloudbuild.yaml +++ b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/cloudbuild.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/entrypoint.sh b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/entrypoint.sh index 1d80c1bc..648b0cd9 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/entrypoint.sh +++ b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/sh -e -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh index 5bff8bfc..27d2d4d1 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh +++ b/modules/cloud-config-container/__need_fixing/onprem/docker-images/strongswan/ipsec-vti.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile index dfc8f6ec..aff18f15 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile +++ b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/cloudbuild.yaml b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/cloudbuild.yaml index 6da9ed88..b9e5a64f 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/cloudbuild.yaml +++ b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/cloudbuild.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/entrypoint.sh b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/entrypoint.sh index bee48ff6..822c1fbf 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/entrypoint.sh +++ b/modules/cloud-config-container/__need_fixing/onprem/docker-images/toolbox/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/sh -e -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/__need_fixing/onprem/static-vpn-gw-cloud-init.yaml b/modules/cloud-config-container/__need_fixing/onprem/static-vpn-gw-cloud-init.yaml index 36be78bc..3b5e8c7e 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/static-vpn-gw-cloud-init.yaml +++ b/modules/cloud-config-container/__need_fixing/onprem/static-vpn-gw-cloud-init.yaml @@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/modules/cloud-config-container/__need_fixing/onprem/versions.tf b/modules/cloud-config-container/__need_fixing/onprem/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/__need_fixing/onprem/versions.tf +++ b/modules/cloud-config-container/__need_fixing/onprem/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-config-container/coredns/cloud-config.yaml b/modules/cloud-config-container/coredns/cloud-config.yaml index 9fe929e9..4293c762 100644 --- a/modules/cloud-config-container/coredns/cloud-config.yaml +++ b/modules/cloud-config-container/coredns/cloud-config.yaml @@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/coredns/versions.tf b/modules/cloud-config-container/coredns/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/coredns/versions.tf +++ b/modules/cloud-config-container/coredns/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-config-container/cos-generic-metadata/cloud-config.yaml b/modules/cloud-config-container/cos-generic-metadata/cloud-config.yaml index a8d1f229..9ffff4a5 100644 --- a/modules/cloud-config-container/cos-generic-metadata/cloud-config.yaml 
+++ b/modules/cloud-config-container/cos-generic-metadata/cloud-config.yaml @@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/cos-generic-metadata/versions.tf b/modules/cloud-config-container/cos-generic-metadata/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/cos-generic-metadata/versions.tf +++ b/modules/cloud-config-container/cos-generic-metadata/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-config-container/envoy-traffic-director/files/customize.sh b/modules/cloud-config-container/envoy-traffic-director/files/customize.sh index eb9ae82d..afd884c3 100644 --- a/modules/cloud-config-container/envoy-traffic-director/files/customize.sh +++ b/modules/cloud-config-container/envoy-traffic-director/files/customize.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/envoy-traffic-director/files/envoy.yaml b/modules/cloud-config-container/envoy-traffic-director/files/envoy.yaml index d9a14623..981837c5 100644 --- a/modules/cloud-config-container/envoy-traffic-director/files/envoy.yaml +++ b/modules/cloud-config-container/envoy-traffic-director/files/envoy.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/envoy-traffic-director/versions.tf b/modules/cloud-config-container/envoy-traffic-director/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/envoy-traffic-director/versions.tf +++ b/modules/cloud-config-container/envoy-traffic-director/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-config-container/mysql/cloud-config.yaml b/modules/cloud-config-container/mysql/cloud-config.yaml index 07706ae2..7d7cd4d6 100644 --- a/modules/cloud-config-container/mysql/cloud-config.yaml +++ b/modules/cloud-config-container/mysql/cloud-config.yaml @@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/mysql/versions.tf b/modules/cloud-config-container/mysql/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/mysql/versions.tf +++ b/modules/cloud-config-container/mysql/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } 
diff --git a/modules/cloud-config-container/nginx-tls/assets/cloud-config.yaml b/modules/cloud-config-container/nginx-tls/assets/cloud-config.yaml index 2b7ebe84..e6282e32 100644 --- a/modules/cloud-config-container/nginx-tls/assets/cloud-config.yaml +++ b/modules/cloud-config-container/nginx-tls/assets/cloud-config.yaml @@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/nginx-tls/assets/customize.sh b/modules/cloud-config-container/nginx-tls/assets/customize.sh index 22b40064..52ddbe77 100644 --- a/modules/cloud-config-container/nginx-tls/assets/customize.sh +++ b/modules/cloud-config-container/nginx-tls/assets/customize.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/nginx-tls/versions.tf b/modules/cloud-config-container/nginx-tls/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/nginx-tls/versions.tf +++ b/modules/cloud-config-container/nginx-tls/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-config-container/nginx/cloud-config.yaml b/modules/cloud-config-container/nginx/cloud-config.yaml index f4d05bc4..bada8bc6 100644 --- a/modules/cloud-config-container/nginx/cloud-config.yaml +++ b/modules/cloud-config-container/nginx/cloud-config.yaml 
@@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/nginx/versions.tf b/modules/cloud-config-container/nginx/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/nginx/versions.tf +++ b/modules/cloud-config-container/nginx/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-config-container/simple-nva/versions.tf b/modules/cloud-config-container/simple-nva/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/simple-nva/versions.tf +++ b/modules/cloud-config-container/simple-nva/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-config-container/squid/cloud-config.yaml b/modules/cloud-config-container/squid/cloud-config.yaml index 5ba6e987..f3955f53 100644 --- a/modules/cloud-config-container/squid/cloud-config.yaml +++ b/modules/cloud-config-container/squid/cloud-config.yaml @@ -1,6 +1,6 @@ #cloud-config -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/modules/cloud-config-container/squid/docker/Dockerfile b/modules/cloud-config-container/squid/docker/Dockerfile index 2ae03a4f..35cced7e 100644 --- a/modules/cloud-config-container/squid/docker/Dockerfile +++ b/modules/cloud-config-container/squid/docker/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/squid/docker/cloudbuild.yaml b/modules/cloud-config-container/squid/docker/cloudbuild.yaml index aca00b9b..7278a824 100644 --- a/modules/cloud-config-container/squid/docker/cloudbuild.yaml +++ b/modules/cloud-config-container/squid/docker/cloudbuild.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/squid/docker/entrypoint.sh b/modules/cloud-config-container/squid/docker/entrypoint.sh index 880eaf3d..0114f767 100755 --- a/modules/cloud-config-container/squid/docker/entrypoint.sh +++ b/modules/cloud-config-container/squid/docker/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/cloud-config-container/squid/versions.tf b/modules/cloud-config-container/squid/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-config-container/squid/versions.tf +++ b/modules/cloud-config-container/squid/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-function-v1/README.md b/modules/cloud-function-v1/README.md index 6edd3324..2b768ac4 100644 --- a/modules/cloud-function-v1/README.md +++ b/modules/cloud-function-v1/README.md @@ -33,15 +33,15 @@ This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bu ```hcl module "cf-http" { source = "./fabric/modules/cloud-function-v1" - project_id = "my-project" + project_id = var.project_id name = "test-cf-http" - bucket_name = "test-cf-bundles" + bucket_name = var.bucket bundle_config = { - source_dir = "fabric/assets/" + source_dir = "assets/sample-function/" output_path = "bundle.zip" } } -# tftest modules=1 resources=2 +# tftest modules=1 resources=2 e2e ``` ### PubSub and non-HTTP triggers diff --git a/modules/cloud-function-v1/versions.tf b/modules/cloud-function-v1/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-function-v1/versions.tf +++ b/modules/cloud-function-v1/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-function-v2/versions.tf b/modules/cloud-function-v2/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-function-v2/versions.tf +++ b/modules/cloud-function-v2/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-identity-group/versions.tf b/modules/cloud-identity-group/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-identity-group/versions.tf +++ b/modules/cloud-identity-group/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/cloud-run/README.md b/modules/cloud-run/README.md index 5090aba1..bdfa3945 100644 --- a/modules/cloud-run/README.md +++ b/modules/cloud-run/README.md @@ -28,7 +28,7 @@ IAM bindings support the usual syntax. Container environment values can be decla ```hcl module "cloud_run" { source = "./fabric/modules/cloud-run" - project_id = "my-project" + project_id = var.project_id name = "hello" containers = { hello = { @@ -49,7 +49,7 @@ module "cloud_run" { "roles/run.invoker" = ["allUsers"] } } -# tftest modules=1 resources=2 inventory=simple.yaml +# tftest modules=1 resources=2 inventory=simple.yaml e2e ``` ### Mounting secrets as volumes diff --git a/modules/cloud-run/versions.tf b/modules/cloud-run/versions.tf index 3963660f..af346395 100644 --- a/modules/cloud-run/versions.tf +++ b/modules/cloud-run/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } 
diff --git a/modules/cloudsql-instance/versions.tf b/modules/cloudsql-instance/versions.tf index 3963660f..af346395 100644 --- a/modules/cloudsql-instance/versions.tf +++ b/modules/cloudsql-instance/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/compute-mig/versions.tf b/modules/compute-mig/versions.tf index 3963660f..af346395 100644 --- a/modules/compute-mig/versions.tf +++ b/modules/compute-mig/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md index 5f6e18e3..052d71b7 100644 --- a/modules/compute-vm/README.md +++ b/modules/compute-vm/README.md @@ -34,9 +34,9 @@ In both modes, an optional service account can be created and assigned to either - [Instance group](#instance-group) - [Instance Schedule](#instance-schedule) - [Snapshot Schedules](#snapshot-schedules) + - [Resource Manager Tags](#resource-manager-tags) - [Variables](#variables) - [Outputs](#outputs) -- [TODO](#todo) ### Instance using defaults 
@@ -677,6 +677,32 @@ module "instance" { } # tftest modules=1 resources=5 inventory=snapshot-schedule-create.yaml ``` + +### Resource Manager Tags + +Resource manager tags (or "secure tags") bindings are supported with the following limitations: + +- a single `tag_bindings` variable is used for both the instance and the boot disk +- tag bindings are not created for attached disks +- tag bindings will not be created for the boot disk if the `use_independent_disk` flag is true +- tag bindings are ignored for instance templates + +```hcl +module "simple-vm-example" { + source = "./fabric/modules/compute-vm" + project_id = var.project_id + zone = "europe-west1-b" + name = "test" + network_interfaces = [{ + network = var.vpc.self_link + subnetwork = var.subnet.self_link + }] + tag_bindings = { + "tagKeys/1234567890" = "tagValues/7890123456" + } +} +# tftest modules=1 resources=1 inventory=tag-bindings.yaml +``` ## Variables @@ -708,7 +734,7 @@ module "instance" { | [service_account](variables.tf#L295) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | object({…}) | | {} | | [shielded_config](variables.tf#L305) | Shielded VM configuration of the instances. | object({…}) | | null | | [snapshot_schedules](variables.tf#L315) | Snapshot schedule resource policies that can be attached to disks. | map(object({…})) | | {} | -| [tag_bindings](variables.tf#L358) | Tag bindings for this instance, in key => tag value id format. | map(string) | | null | +| [tag_bindings](variables.tf#L358) | Tag bindings for this instance, in tag key => tag value format. | map(string) | | null | | [tags](variables.tf#L364) | Instance network tags for firewall rule targets. | list(string) | | [] | ## Outputs 
@@ -728,6 +754,4 @@ module "instance" { | [template](outputs.tf#L82) | Template resource. | | | [template_name](outputs.tf#L87) | Template name. | | -## TODO -- [ ] add support for instance groups diff --git a/modules/compute-vm/main.tf b/modules/compute-vm/main.tf index e236e454..e2d4dfcc 100644 --- a/modules/compute-vm/main.tf +++ b/modules/compute-vm/main.tf @@ -216,9 +216,10 @@ resource "google_compute_instance" "default" { : [""] ) content { - image = var.boot_disk.initialize_params.image - size = var.boot_disk.initialize_params.size - type = var.boot_disk.initialize_params.type + image = var.boot_disk.initialize_params.image + size = var.boot_disk.initialize_params.size + type = var.boot_disk.initialize_params.type + resource_manager_tags = var.tag_bindings } } } @@ -292,6 +293,13 @@ resource "google_compute_instance" "default" { } } + dynamic "params" { + for_each = var.tag_bindings == null ? [] : [""] + content { + resource_manager_tags = var.tag_bindings + } + } + # guest_accelerator } diff --git a/modules/compute-vm/tags.tf b/modules/compute-vm/tags.tf index 95be8318..cce3b99c 100644 --- a/modules/compute-vm/tags.tf +++ b/modules/compute-vm/tags.tf 
@@ -16,8 +16,21 @@ # tfdoc:file:description Tag bindings. -resource "google_tags_tag_binding" "binding" { - for_each = var.create_template ? {} : coalesce(var.tag_bindings, {}) - parent = "//compute.googleapis.com/${google_compute_instance.default.0.id}" - tag_value = each.value -} +# TODO: re-implement once +# - the provider accepts a project id in the parent without a permadiff +# - the disk resource exposes an id that can be used to build the parent + +# locals { +# tag_parent_base = ( +# "//compute.googleapis.com/projects/${var.project_id}/zones/${var.zone}" +# ) +# } + +# resource "google_tags_location_tag_binding" "instance" { +# for_each = var.create_template ? {} : coalesce(var.tag_bindings, {}) +# parent = ( +# "${local.tag_parent_base}/instances/${google_compute_instance.default.0.instance_id}" +# ) +# tag_value = each.value +# location = var.zone +# } diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf index 6d04f01b..d82ff1d4 100644 --- a/modules/compute-vm/variables.tf +++ b/modules/compute-vm/variables.tf @@ -356,7 +356,7 @@ variable "snapshot_schedules" { } variable "tag_bindings" { - description = "Tag bindings for this instance, in key => tag value id format." + description = "Tag bindings for this instance, in tag key => tag value format." type = map(string) default = null } diff --git a/modules/compute-vm/versions.tf b/modules/compute-vm/versions.tf index 3963660f..af346395 100644 --- a/modules/compute-vm/versions.tf +++ b/modules/compute-vm/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/container-registry/versions.tf b/modules/container-registry/versions.tf index 3963660f..af346395 100644 --- a/modules/container-registry/versions.tf 
+++ b/modules/container-registry/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/data-catalog-policy-tag/versions.tf b/modules/data-catalog-policy-tag/versions.tf index 3963660f..af346395 100644 --- a/modules/data-catalog-policy-tag/versions.tf +++ b/modules/data-catalog-policy-tag/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/datafusion/versions.tf b/modules/datafusion/versions.tf index 3963660f..af346395 100644 --- a/modules/datafusion/versions.tf +++ b/modules/datafusion/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/dataplex-datascan/versions.tf b/modules/dataplex-datascan/versions.tf index 3963660f..af346395 100644 --- a/modules/dataplex-datascan/versions.tf +++ b/modules/dataplex-datascan/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/dataplex/versions.tf b/modules/dataplex/versions.tf index 3963660f..af346395 100644 --- a/modules/dataplex/versions.tf 
+++ b/modules/dataplex/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/dataproc/versions.tf b/modules/dataproc/versions.tf index 3963660f..af346395 100644 --- a/modules/dataproc/versions.tf +++ b/modules/dataproc/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/dns-response-policy/README.md b/modules/dns-response-policy/README.md index 2c77f4e9..3e0e9c46 100644 --- a/modules/dns-response-policy/README.md +++ b/modules/dns-response-policy/README.md @@ -102,6 +102,11 @@ module "dns-policy" { ``` ```yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + gcr: dns_name: "gcr.io." local_data: diff --git a/modules/dns-response-policy/main.tf b/modules/dns-response-policy/main.tf index 69b7ff4a..5d168497 100644 --- a/modules/dns-response-policy/main.tf +++ b/modules/dns-response-policy/main.tf @@ -15,7 +15,9 @@ */ locals { - _factory_rules = try(yamldecode(file(var.rules_file)), {}) + _factory_data = var.rules_file != null ? file(var.rules_file) : "{}" + _factory_rules = yamldecode(local._factory_data) + factory_rules = { for k, v in local._factory_rules : k => { dns_name = v.dns_name diff --git a/modules/dns-response-policy/versions.tf b/modules/dns-response-policy/versions.tf index 3963660f..af346395 100644 --- a/modules/dns-response-policy/versions.tf +++ b/modules/dns-response-policy/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/dns/versions.tf b/modules/dns/versions.tf index 3963660f..af346395 100644 --- a/modules/dns/versions.tf +++ b/modules/dns/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/endpoints/versions.tf b/modules/endpoints/versions.tf index 3963660f..af346395 100644 --- a/modules/endpoints/versions.tf +++ b/modules/endpoints/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/folder/versions.tf b/modules/folder/versions.tf index 3963660f..af346395 100644 --- a/modules/folder/versions.tf +++ b/modules/folder/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/gcs/versions.tf b/modules/gcs/versions.tf index 3963660f..af346395 100644 --- a/modules/gcs/versions.tf +++ b/modules/gcs/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/gcve-private-cloud/versions.tf b/modules/gcve-private-cloud/versions.tf index 3963660f..af346395 100644 --- a/modules/gcve-private-cloud/versions.tf +++ b/modules/gcve-private-cloud/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/gke-cluster-autopilot/versions.tf b/modules/gke-cluster-autopilot/versions.tf index 3963660f..af346395 100644 --- a/modules/gke-cluster-autopilot/versions.tf +++ b/modules/gke-cluster-autopilot/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md index 71ca8c71..53b57e8f 100644 --- a/modules/gke-cluster-standard/README.md +++ b/modules/gke-cluster-standard/README.md @@ -272,8 +272,11 @@ module "cluster-1" { enable_backup_agent = true backup_plans = { "backup-1" = { - region = "europe-west-2" + region = "europe-west2" schedule = "0 9 * * 1" + applications = { + namespace-1 = ["app-1", "app-2"] + } } } } 
@@ -307,28 +310,28 @@ module "cluster-1" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [location](variables.tf#L152) | Cluster zone or region. | string | ✓ | | -| [name](variables.tf#L263) | Cluster name. | string | ✓ | | -| [project_id](variables.tf#L289) | Cluster project id. | string | ✓ | | -| [vpc_config](variables.tf#L312) | VPC-level configuration. | object({…}) | ✓ | | -| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | object({…}) | | {} | -| [cluster_autoscaling](variables.tf#L37) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | null | -| [deletion_protection](variables.tf#L58) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | bool | | true | -| [description](variables.tf#L65) | Cluster description. | string | | null | -| [enable_addons](variables.tf#L71) | Addons enabled in the cluster (true means enabled). | object({…}) | | {…} | -| [enable_features](variables.tf#L94) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {…} | -| [issue_client_certificate](variables.tf#L140) | Enable issuing client certificate. | bool | | false | -| [labels](variables.tf#L146) | Cluster resource labels. | map(string) | | null | -| [logging_config](variables.tf#L157) | Logging configuration. | object({…}) | | {} | -| [maintenance_config](variables.tf#L178) | Maintenance window configuration. | object({…}) | | {…} | -| [max_pods_per_node](variables.tf#L201) | Maximum number of pods per node in this cluster. | number | | 110 | -| [min_master_version](variables.tf#L207) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null | -| [monitoring_config](variables.tf#L213) | Monitoring configuration. 
Google Cloud Managed Service for Prometheus is enabled by default. | object({…}) | | {} | -| [node_locations](variables.tf#L268) | Zones in which the cluster's nodes are located. | list(string) | | [] | -| [private_cluster_config](variables.tf#L275) | Private cluster configuration. | object({…}) | | null | -| [release_channel](variables.tf#L294) | Release channel for GKE upgrades. | string | | null | -| [service_account](variables.tf#L300) | Service account used for the default node pool, only useful if the default GCE service account has been disabled. | string | | null | -| [tags](variables.tf#L306) | Network tags applied to nodes. | list(string) | | null | +| [location](variables.tf#L154) | Cluster zone or region. | string | ✓ | | +| [name](variables.tf#L265) | Cluster name. | string | ✓ | | +| [project_id](variables.tf#L291) | Cluster project id. | string | ✓ | | +| [vpc_config](variables.tf#L314) | VPC-level configuration. | object({…}) | ✓ | | +| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | object({…}) | | {} | +| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | null | +| [deletion_protection](variables.tf#L59) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | bool | | true | +| [description](variables.tf#L66) | Cluster description. | string | | null | +| [enable_addons](variables.tf#L72) | Addons enabled in the cluster (true means enabled). | object({…}) | | {…} | +| [enable_features](variables.tf#L96) | Enable cluster-level features. Certain features allow configuration. | object({…}) | | {…} | +| [issue_client_certificate](variables.tf#L142) | Enable issuing client certificate. | bool | | false | +| [labels](variables.tf#L148) | Cluster resource labels. 
| map(string) | | null | +| [logging_config](variables.tf#L159) | Logging configuration. | object({…}) | | {} | +| [maintenance_config](variables.tf#L180) | Maintenance window configuration. | object({…}) | | {…} | +| [max_pods_per_node](variables.tf#L203) | Maximum number of pods per node in this cluster. | number | | 110 | +| [min_master_version](variables.tf#L209) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null | +| [monitoring_config](variables.tf#L215) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | object({…}) | | {} | +| [node_locations](variables.tf#L270) | Zones in which the cluster's nodes are located. | list(string) | | [] | +| [private_cluster_config](variables.tf#L277) | Private cluster configuration. | object({…}) | | null | +| [release_channel](variables.tf#L296) | Release channel for GKE upgrades. | string | | null | +| [service_account](variables.tf#L302) | Service account used for the default node pool, only useful if the default GCE service account has been disabled. | string | | null | +| [tags](variables.tf#L308) | Network tags applied to nodes. | list(string) | | null | ## Outputs diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf index 43bd289c..f5d8fe75 100644 --- a/modules/gke-cluster-standard/main.tf +++ b/modules/gke-cluster-standard/main.tf @@ -13,7 +13,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - resource "google_container_cluster" "cluster" { provider = google-beta project = var.project_id @@ -84,6 +83,9 @@ resource "google_container_cluster" "cluster" { gcp_filestore_csi_driver_config { enabled = var.enable_addons.gcp_filestore_csi_driver } + gcs_fuse_csi_driver_config { + enabled = var.enable_addons.gcs_fuse_csi_driver + } kalm_config { enabled = var.enable_addons.kalm } 
@@ -419,13 +421,28 @@ resource "google_gke_backup_backup_plan" "backup_plan" { } } - all_namespaces = lookup(each.value, "namespaces", null) != null ? null : true + all_namespaces = lookup(each.value, "namespaces", null) != null || lookup(each.value, "applications", null) != null ? null : true dynamic "selected_namespaces" { for_each = each.value.namespaces != null ? [""] : [] content { namespaces = each.value.namespaces } } + dynamic "selected_applications" { + for_each = each.value.applications != null ? [""] : [] + content { + dynamic "namespaced_names" { + for_each = flatten([for k, vs in each.value.applications : [ + for v in vs : { namespace = k, name = v } + ]]) + content { + namespace = namespaced_names.value.namespace + name = namespaced_names.value.name + } + } + } + + } } } diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf index 62cfcf3c..221f6b8a 100644 --- a/modules/gke-cluster-standard/variables.tf +++ b/modules/gke-cluster-standard/variables.tf @@ -19,15 +19,16 @@ variable "backup_configs" { type = object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ + region = string + applications = optional(map(list(string))) encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) namespaces = optional(list(string)) - region = string - schedule = string - retention_policy_days = optional(string) + schedule = optional(string) + retention_policy_days = optional(number) retention_policy_lock = optional(bool, false) - retention_policy_delete_lock_days = optional(string) + retention_policy_delete_lock_days = optional(number) })), {}) }) default = {} 
@@ -76,6 +77,7 @@ variable "enable_addons" { dns_cache = optional(bool, false) gce_persistent_disk_csi_driver = optional(bool, false) gcp_filestore_csi_driver = optional(bool, false) + gcs_fuse_csi_driver = optional(bool, false) horizontal_pod_autoscaling = optional(bool, false) http_load_balancing = optional(bool, false) istio = optional(object({ diff --git a/modules/gke-cluster-standard/versions.tf b/modules/gke-cluster-standard/versions.tf index 3963660f..af346395 100644 --- a/modules/gke-cluster-standard/versions.tf +++ b/modules/gke-cluster-standard/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/gke-hub/versions.tf b/modules/gke-hub/versions.tf index 3963660f..af346395 100644 --- a/modules/gke-hub/versions.tf +++ b/modules/gke-hub/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/gke-nodepool/README.md b/modules/gke-nodepool/README.md index dbcc0cc4..e7d21911 100644 --- a/modules/gke-nodepool/README.md +++ b/modules/gke-nodepool/README.md 
@@ -103,6 +103,39 @@ module "cluster-1-nodepool-1" { } # tftest modules=1 resources=2 inventory=config.yaml ``` +### GPU Node & node pool configuration + +```hcl +module "cluster-1-nodepool-gpu-1" { + source = "./fabric/modules/gke-nodepool" + project_id = "myproject" + cluster_name = "cluster-1" + location = "europe-west4-a" + name = "nodepool-gpu-1" + labels = { environment = "dev" } + service_account = { + create = true + email = "nodepool-gpu-1" # optional + oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + } + node_config = { + machine_type = "a2-highgpu-1g" + disk_size_gb = 50 + disk_type = "pd-ssd" + ephemeral_ssd_count = 1 + gvnic = true + spot = true + guest_accelerator = { + type = "nvidia-tesla-a100" + count = 1 + gpu_driver = { + version = "LATEST" + } + } + } +} +# tftest modules=1 resources=2 inventory=guest-accelerator.yaml +``` ## Variables 
@@ -110,22 +143,22 @@ module "cluster-1-nodepool-1" { |---|---|:---:|:---:|:---:| | [cluster_name](variables.tf#L23) | Cluster name. | string | ✓ | | | [location](variables.tf#L41) | Cluster location. | string | ✓ | | -| [project_id](variables.tf#L149) | Cluster project id. | string | ✓ | | +| [project_id](variables.tf#L166) | Cluster project id. | string | ✓ | | | [cluster_id](variables.tf#L17) | Cluster id. Optional, but providing cluster_id is recommended to prevent cluster misconfiguration in some of the edge cases. | string | | null | | [gke_version](variables.tf#L28) | Kubernetes nodes version. Ignored if auto_upgrade is set in management_config. | string | | null | | [labels](variables.tf#L34) | Kubernetes labels applied to each node. | map(string) | | {} | | [max_pods_per_node](variables.tf#L46) | Maximum number of pods per node. | number | | null | | [name](variables.tf#L52) | Optional nodepool name. | string | | null | -| [node_config](variables.tf#L58) | Node-level configuration. | object({…}) | | {…} | -| [node_count](variables.tf#L97) | Number of nodes per instance group. Initial value can only be changed by recreation, current is ignored when autoscaling is used. | object({…}) | | {…} | -| [node_locations](variables.tf#L109) | Node locations. | list(string) | | null | -| [nodepool_config](variables.tf#L115) | Nodepool-level configuration. | object({…}) | | null | -| [pod_range](variables.tf#L137) | Pod secondary range configuration. | object({…}) | | null | -| [reservation_affinity](variables.tf#L154) | Configuration of the desired reservation which instances could take capacity from. | object({…}) | | null | -| [service_account](variables.tf#L164) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | object({…}) | | {} | -| [sole_tenant_nodegroup](variables.tf#L175) | Sole tenant node group. 
| string | | null | -| [tags](variables.tf#L181) | Network tags applied to nodes. | list(string) | | null | -| [taints](variables.tf#L187) | Kubernetes taints applied to all nodes. | map(object({…})) | | {} | +| [node_config](variables.tf#L58) | Node-level configuration. | object({…}) | | {…} | +| [node_count](variables.tf#L113) | Number of nodes per instance group. Initial value can only be changed by recreation, current is ignored when autoscaling is used. | object({…}) | | {…} | +| [node_locations](variables.tf#L125) | Node locations. | list(string) | | null | +| [nodepool_config](variables.tf#L131) | Nodepool-level configuration. | object({…}) | | null | +| [pod_range](variables.tf#L153) | Pod secondary range configuration. | object({…}) | | null | +| [reservation_affinity](variables.tf#L171) | Configuration of the desired reservation which instances could take capacity from. | object({…}) | | null | +| [service_account](variables.tf#L181) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | object({…}) | | {} | +| [sole_tenant_nodegroup](variables.tf#L192) | Sole tenant node group. | string | | null | +| [tags](variables.tf#L198) | Network tags applied to nodes. | list(string) | | null | +| [taints](variables.tf#L204) | Kubernetes taints applied to all nodes. | map(object({…})) | | {} | ## Outputs diff --git a/modules/gke-nodepool/main.tf b/modules/gke-nodepool/main.tf index 8dfd3283..f5a104bd 100644 --- a/modules/gke-nodepool/main.tf +++ b/modules/gke-nodepool/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -114,9 +114,10 @@ resource "google_container_node_pool" "nodepool" { dynamic "network_config" { for_each = var.pod_range != null ? [""] : [] content { - create_pod_range = var.pod_range.secondary_pod_range.create - pod_ipv4_cidr_block = var.pod_range.secondary_pod_range.cidr - pod_range = var.pod_range.secondary_pod_range.name + create_pod_range = var.pod_range.secondary_pod_range.create + enable_private_nodes = var.pod_range.secondary_pod_range.enable_private_nodes + pod_ipv4_cidr_block = var.pod_range.secondary_pod_range.cidr + pod_range = var.pod_range.secondary_pod_range.name } } @@ -164,7 +165,28 @@ resource "google_container_node_pool" "nodepool" { content { count = var.node_config.guest_accelerator.count type = var.node_config.guest_accelerator.type - gpu_partition_size = var.node_config.guest_accelerator.gpu_partition_size + gpu_partition_size = var.node_config.guest_accelerator.gpu_driver == null ? null : var.node_config.guest_accelerator.gpu_driver.partition_size + + dynamic "gpu_sharing_config" { + for_each = var.node_config.guest_accelerator.gpu_driver != null ? [""] : [] + content { + gpu_sharing_strategy = var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu != null ? "TIME_SHARING" : null + max_shared_clients_per_gpu = var.node_config.guest_accelerator.gpu_driver.max_shared_clients_per_gpu + } + } + + dynamic "gpu_driver_installation_config" { + for_each = var.node_config.guest_accelerator.gpu_driver != null ? [""] : [] + content { + gpu_driver_version = var.node_config.guest_accelerator.gpu_driver.version + } + } + } + } + dynamic "local_nvme_ssd_block_config" { + for_each = coalesce(var.node_config.local_nvme_ssd_count, 0) > 0 ? [""] : [] + content { + local_ssd_count = var.node_config.local_nvme_ssd_count } } dynamic "gvnic" { diff --git a/modules/gke-nodepool/variables.tf b/modules/gke-nodepool/variables.tf index 46f3f1d3..17cfd88c 100644 --- a/modules/gke-nodepool/variables.tf +++ b/modules/gke-nodepool/variables.tf 
@@ -64,12 +64,17 @@ variable "node_config" { ephemeral_ssd_count = optional(number) gcfs = optional(bool, false) guest_accelerator = optional(object({ - count = number - type = string - gpu_partition_size = optional(string) + count = number + type = string + gpu_driver = optional(object({ + version = string + partition_size = optional(string) + max_shared_clients_per_gpu = optional(number) + })) })) - gvnic = optional(bool, false) - image_type = optional(string) + local_nvme_ssd_count = optional(number) + gvnic = optional(bool, false) + image_type = optional(string) kubelet_config = optional(object({ cpu_manager_policy = string cpu_cfs_quota = optional(bool) @@ -92,6 +97,17 @@ variable "node_config" { default = { disk_type = "pd-balanced" } + validation { + condition = ( + alltrue([ + for k, v in var.node_config.guest_accelerator[*].gpu_driver : contains([ + "GPU_DRIVER_VERSION_UNSPECIFIED", "INSTALLATION_DISABLED", + "DEFAULT", "LATEST" + ], v.version) + ]) + ) + error_message = "Invalid GPU driver version." + } } variable "node_count" { @@ -138,9 +154,10 @@ variable "pod_range" { description = "Pod secondary range configuration." type = object({ secondary_pod_range = object({ - cidr = optional(string) - create = optional(bool) - name = string + name = string + cidr = optional(string) + create = optional(bool) + enable_private_nodes = optional(bool) }) }) default = null diff --git a/modules/gke-nodepool/versions.tf b/modules/gke-nodepool/versions.tf index 3963660f..af346395 100644 --- a/modules/gke-nodepool/versions.tf +++ b/modules/gke-nodepool/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } 
diff --git a/modules/iam-service-account/versions.tf b/modules/iam-service-account/versions.tf index 3963660f..af346395 100644 --- a/modules/iam-service-account/versions.tf +++ b/modules/iam-service-account/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/kms/versions.tf b/modules/kms/versions.tf index 3963660f..af346395 100644 --- a/modules/kms/versions.tf +++ b/modules/kms/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/logging-bucket/versions.tf b/modules/logging-bucket/versions.tf index 3963660f..af346395 100644 --- a/modules/logging-bucket/versions.tf +++ b/modules/logging-bucket/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/ncc-spoke-ra/versions.tf b/modules/ncc-spoke-ra/versions.tf index 3963660f..af346395 100644 --- a/modules/ncc-spoke-ra/versions.tf +++ b/modules/ncc-spoke-ra/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } 
diff --git a/modules/net-address/README.md b/modules/net-address/README.md index 9f122352..c99ca511 100644 --- a/modules/net-address/README.md +++ b/modules/net-address/README.md @@ -106,13 +106,13 @@ module "addresses" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [project_id](variables.tf#L65) | Project where the addresses will be created. | string | ✓ | | -| [external_addresses](variables.tf#L17) | Map of external addresses, keyed by name. | map(object({…})) | | {} | -| [global_addresses](variables.tf#L27) | List of global addresses to create. | list(string) | | [] | -| [internal_addresses](variables.tf#L33) | Map of internal addresses to create, keyed by name. | map(object({…})) | | {} | -| [ipsec_interconnect_addresses](variables.tf#L47) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | map(object({…})) | | {} | -| [psa_addresses](variables.tf#L70) | Map of internal addresses used for Private Service Access. | map(object({…})) | | {} | -| [psc_addresses](variables.tf#L81) | Map of internal addresses used for Private Service Connect. | map(object({…})) | | {} | +| [project_id](variables.tf#L68) | Project where the addresses will be created. | string | ✓ | | +| [external_addresses](variables.tf#L17) | Map of external addresses, keyed by name. | map(object({…})) | | {} | +| [global_addresses](variables.tf#L28) | List of global addresses to create. | list(string) | | [] | +| [internal_addresses](variables.tf#L34) | Map of internal addresses to create, keyed by name. | map(object({…})) | | {} | +| [ipsec_interconnect_addresses](variables.tf#L49) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | map(object({…})) | | {} | +| [psa_addresses](variables.tf#L73) | Map of internal addresses used for Private Service Access. | map(object({…})) | | {} | +| [psc_addresses](variables.tf#L86) | Map of internal addresses used for Private Service Connect. | map(object({…})) | | {} | ## Outputs 
diff --git a/modules/net-address/main.tf b/modules/net-address/main.tf index b09ba231..f80cab29 100644 --- a/modules/net-address/main.tf +++ b/modules/net-address/main.tf @@ -24,7 +24,7 @@ resource "google_compute_address" "external" { provider = google-beta for_each = var.external_addresses project = var.project_id - name = each.key + name = coalesce(each.value.name, each.key) description = each.value.description address_type = "EXTERNAL" region = each.value.region @@ -35,7 +35,7 @@ resource "google_compute_address" "internal" { provider = google-beta for_each = var.internal_addresses project = var.project_id - name = each.key + name = coalesce(each.value.name, each.key) description = each.value.description address_type = "INTERNAL" region = each.value.region @@ -49,7 +49,7 @@ resource "google_compute_address" "internal" { resource "google_compute_global_address" "psc" { for_each = var.psc_addresses project = var.project_id - name = each.key + name = coalesce(each.value.name, each.key) description = each.value.description address = try(each.value.address, null) address_type = "INTERNAL" @@ -61,7 +61,7 @@ resource "google_compute_global_address" "psc" { resource "google_compute_global_address" "psa" { for_each = var.psa_addresses project = var.project_id - name = each.key + name = coalesce(each.value.name, each.key) description = each.value.description address = each.value.address address_type = "INTERNAL" @@ -74,7 +74,7 @@ resource "google_compute_global_address" "psa" { resource "google_compute_address" "ipsec_interconnect" { for_each = var.ipsec_interconnect_addresses project = var.project_id - name = each.key + name = coalesce(each.value.name, each.key) description = each.value.description address = each.value.address address_type = "INTERNAL" diff --git a/modules/net-address/variables.tf b/modules/net-address/variables.tf index ebcfa5b6..9f7c5c70 100644 --- a/modules/net-address/variables.tf +++ b/modules/net-address/variables.tf 
@@ -20,6 +20,7 @@ variable "external_addresses" { region = string description = optional(string, "Terraform managed.") labels = optional(map(string), {}) + name = optional(string) })) default = {} } @@ -38,6 +39,7 @@ variable "internal_addresses" { address = optional(string) description = optional(string, "Terraform managed.") labels = optional(map(string)) + name = optional(string) purpose = optional(string) tier = optional(string) })) @@ -51,6 +53,7 @@ variable "ipsec_interconnect_addresses" { address = string network = string description = optional(string, "Terraform managed.") + name = optional(string) prefix_length = number })) default = {} @@ -72,8 +75,10 @@ variable "psa_addresses" { type = map(object({ address = string network = string - description = optional(string, "Terraform managed.") prefix_length = number + description = optional(string, "Terraform managed.") + name = optional(string) + })) default = {} } @@ -84,6 +89,7 @@ variable "psc_addresses" { address = string network = string description = optional(string, "Terraform managed.") + name = optional(string) })) default = {} } diff --git a/modules/net-address/versions.tf b/modules/net-address/versions.tf index 3963660f..af346395 100644 --- a/modules/net-address/versions.tf +++ b/modules/net-address/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-cloudnat/versions.tf b/modules/net-cloudnat/versions.tf index 3963660f..af346395 100644 --- a/modules/net-cloudnat/versions.tf +++ b/modules/net-cloudnat/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-firewall-policy/versions.tf b/modules/net-firewall-policy/versions.tf index 3963660f..af346395 100644 --- a/modules/net-firewall-policy/versions.tf +++ b/modules/net-firewall-policy/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-ipsec-over-interconnect/versions.tf b/modules/net-ipsec-over-interconnect/versions.tf index 3963660f..af346395 100644 --- a/modules/net-ipsec-over-interconnect/versions.tf +++ b/modules/net-ipsec-over-interconnect/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-lb-app-ext/variables-backend-service.tf b/modules/net-lb-app-ext/variables-backend-service.tf index 51f65df5..e7290e5f 100644 --- a/modules/net-lb-app-ext/variables-backend-service.tf +++ b/modules/net-lb-app-ext/variables-backend-service.tf 
@@ -128,23 +128,24 @@ variable "backend_service_configs" { default = {} nullable = false validation { - condition = contains( - [ - "-", "ROUND_ROBIN", "LEAST_REQUEST", "RING_HASH", - "RANDOM", "ORIGINAL_DESTINATION", "MAGLEV" - ], - try(var.backend_service_configs.locality_lb_policy, "-") - ) - error_message = "Invalid locality lb policy value." - } - validation { - condition = contains( - [ - "NONE", "CLIENT_IP", "CLIENT_IP_NO_DESTINATION", - "CLIENT_IP_PORT_PROTO", "CLIENT_IP_PROTO" - ], - try(var.backend_service_configs.session_affinity, "NONE") - ) + condition = alltrue([ + for backend_service in values(var.backend_service_configs) : contains( + [ + "NONE", "CLIENT_IP", "CLIENT_IP_NO_DESTINATION", + "CLIENT_IP_PORT_PROTO", "CLIENT_IP_PROTO" + ], + coalesce(backend_service.session_affinity, "NONE") + ) + ]) error_message = "Invalid session affinity value." } + validation { + condition = alltrue(flatten([ + for backend_service in values(var.backend_service_configs) : [ + for backend in backend_service.backends : contains( + ["RATE", "UTILIZATION"], coalesce(backend.balancing_mode, "UTILIZATION") + )] + ])) + error_message = "When specified, balancing mode needs to be 'RATE' or 'UTILIZATION'." + } } diff --git a/modules/net-lb-app-ext/versions.tf b/modules/net-lb-app-ext/versions.tf index 3963660f..af346395 100644 --- a/modules/net-lb-app-ext/versions.tf +++ b/modules/net-lb-app-ext/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-lb-app-int/README.md b/modules/net-lb-app-int/README.md index 29b35633..dfc4f5ec 100644 --- a/modules/net-lb-app-int/README.md +++ b/modules/net-lb-app-int/README.md 
@@ -331,9 +331,7 @@ module "ilb-l7" { backend_service_configs = { default = { backends = [{ - balancing_mode = "RATE" - group = "my-neg" - max_rate = { per_endpoint = 1 } + group = "my-neg" }] health_checks = [] } diff --git a/modules/net-lb-app-int/variables-backend-service.tf b/modules/net-lb-app-int/variables-backend-service.tf index 0119d1b3..5cfe9a5a 100644 --- a/modules/net-lb-app-int/variables-backend-service.tf +++ b/modules/net-lb-app-int/variables-backend-service.tf @@ -109,23 +109,36 @@ variable "backend_service_configs" { default = {} nullable = false validation { - condition = contains( - [ - "-", "ROUND_ROBIN", "LEAST_REQUEST", "RING_HASH", - "RANDOM", "ORIGINAL_DESTINATION", "MAGLEV" - ], - try(var.backend_service_configs.locality_lb_policy, "-") - ) + condition = alltrue([ + for backend_service in values(var.backend_service_configs) : contains( + [ + "-", "ROUND_ROBIN", "LEAST_REQUEST", "RING_HASH", + "RANDOM", "ORIGINAL_DESTINATION", "MAGLEV" + ], + coalesce(backend_service.locality_lb_policy, "-") + ) + ]) error_message = "Invalid locality lb policy value." } validation { - condition = contains( - [ - "NONE", "CLIENT_IP", "CLIENT_IP_NO_DESTINATION", - "CLIENT_IP_PORT_PROTO", "CLIENT_IP_PROTO" - ], - try(var.backend_service_configs.session_affinity, "NONE") - ) + condition = alltrue([ + for backend_service in values(var.backend_service_configs) : contains( + [ + "NONE", "CLIENT_IP", "CLIENT_IP_NO_DESTINATION", + "CLIENT_IP_PORT_PROTO", "CLIENT_IP_PROTO" + ], + coalesce(backend_service.session_affinity, "NONE") + ) + ]) error_message = "Invalid session affinity value." } + validation { + condition = alltrue(flatten([ + for backend_service in values(var.backend_service_configs) : [ + for backend in backend_service.backends : contains( + ["RATE", "UTILIZATION"], coalesce(backend.balancing_mode, "UTILIZATION") + )] + ])) + error_message = "When specified, balancing mode needs to be 'RATE' or 'UTILIZATION'." + } } 
diff --git a/modules/net-lb-app-int/versions.tf b/modules/net-lb-app-int/versions.tf index 3963660f..af346395 100644 --- a/modules/net-lb-app-int/versions.tf +++ b/modules/net-lb-app-int/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-lb-ext/README.md b/modules/net-lb-ext/README.md index c63f3ac5..020c1104 100644 --- a/modules/net-lb-ext/README.md +++ b/modules/net-lb-ext/README.md 
@@ -90,6 +90,78 @@ module "nlb" { # tftest modules=1 resources=4 ``` +### Mutiple forwarding rules + +You can add more forwarding rules to your load balancer and override some forwarding rules defaults, including the global access policy, the IP protocol, the IP version and ports. + +The example adds two forwarding rules: + +- the first one, called `nlb-test-vip-one` exposes an IPv4 address, it listens on all ports, and allows connections from any region. +- the second one, called `nlb-test-vip-two` exposes an IPv4 address, it listens on port 80 and allows connections from the same region only. + +```hcl +module "nlb" { + source = "./fabric/modules/net-lb-ext" + project_id = var.project_id + region = "europe-west1" + name = "nlb-test" + backends = [{ + group = module.nlb.groups.my-group.self_link + }] + forwarding_rules_config = { + vip-one = {} + vip-two = { + ports = [80] + } + } + group_configs = { + my-group = { + zone = "europe-west1-b" + instances = [ + "instance-1-self-link", + "instance-2-self-link" + ] + } + } +} +# tftest modules=1 resources=5 +``` + +### Dual stack (IPv4 and IPv6) + +Your load balancer can use a combination of either or both IPv4 and IPv6 forwarding rules. +In this example we set the load balancer to work as dual stack, meaning it exposes both an IPv4 and an IPv6 address. + +```hcl +module "nlb" { + source = "./fabric/modules/net-lb-ext" + project_id = var.project_id + region = "europe-west1" + name = "nlb-test" + backends = [{ + group = module.nlb.groups.my-group.self_link + }] + forwarding_rules_config = { + ipv4 = { + version = "IPV4" + } + ipv6 = { + version = "IPV6" + } + } + group_configs = { + my-group = { + zone = "europe-west1-b" + instances = [ + "instance-1-self-link", + "instance-2-self-link" + ] + } + } +} +# tftest modules=1 resources=5 +``` + ### End to end example This example spins up a simple HTTP server and combines four modules: 
@@ -136,12 +208,16 @@ module "nlb" { project_id = var.project_id region = "europe-west1" name = "nlb-test" - ports = [80] backends = [ for z, mod in module.instance-group : { group = mod.group.self_link } ] + forwarding_rules_config = { + "" = { + ports = [80] + } + } health_check_config = { http = { port = 80 
@@ -155,19 +231,18 @@ module "nlb" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [name](variables.tf#L189) | Name used for all resources. | string | ✓ | | -| [project_id](variables.tf#L200) | Project id where resources will be created. | string | ✓ | | -| [region](variables.tf#L216) | GCP region. | string | ✓ | | -| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null | -| [backend_service_config](variables.tf#L23) | Backend service level configuration. | object({…}) | | {} | -| [backends](variables.tf#L72) | Load balancer backends, balancing mode is one of 'CONNECTION' or 'UTILIZATION'. | list(object({…})) | | [] | -| [description](variables.tf#L83) | Optional description used for resources. | string | | "Terraform managed." | -| [group_configs](variables.tf#L89) | Optional unmanaged groups to create. Can be referenced in backends via outputs. | map(object({…})) | | {} | -| [health_check](variables.tf#L100) | Name of existing health check to use, disables auto-created health check. | string | | null | -| [health_check_config](variables.tf#L106) | Optional auto-created health check configuration, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | object({…}) | | {…} | -| [labels](variables.tf#L183) | Labels set on resources. | map(string) | | {} | -| [ports](variables.tf#L194) | Comma-separated ports, leave null to use all ports. | list(string) | | null | -| [protocol](variables.tf#L205) | IP protocol used, defaults to TCP. UDP or L3_DEFAULT can also be used. | string | | "TCP" | +| [name](variables.tf#L198) | Name used for all resources. | string | ✓ | | +| [project_id](variables.tf#L203) | Project id where resources will be created. | string | ✓ | | +| [region](variables.tf#L219) | GCP region. | string | ✓ | | +| [backend_service_config](variables.tf#L17) | Backend service level configuration. 
| object({…}) | | {} | +| [backends](variables.tf#L66) | Load balancer backends. | list(object({…})) | | [] | +| [description](variables.tf#L77) | Optional description used for resources. | string | | "Terraform managed." | +| [forwarding_rules_config](variables.tf#L83) | The optional forwarding rules configuration. | map(object({…})) | | {…} | +| [group_configs](variables.tf#L98) | Optional unmanaged groups to create. Can be referenced in backends via outputs. | map(object({…})) | | {} | +| [health_check](variables.tf#L109) | Name of existing health check to use, disables auto-created health check. | string | | null | +| [health_check_config](variables.tf#L115) | Optional auto-created health check configuration, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | object({…}) | | {…} | +| [labels](variables.tf#L192) | Labels set on resources. | map(string) | | {} | +| [protocol](variables.tf#L208) | IP protocol used, defaults to TCP. UDP or L3_DEFAULT can also be used. | string | | "TCP" | ## Outputs 
@@ -176,13 +251,13 @@ module "nlb" { | [backend_service](outputs.tf#L17) | Backend resource. | | | [backend_service_id](outputs.tf#L22) | Backend id. | | | [backend_service_self_link](outputs.tf#L27) | Backend self link. | | -| [forwarding_rule](outputs.tf#L32) | Forwarding rule resource. | | -| [forwarding_rule_address](outputs.tf#L37) | Forwarding rule address. | | -| [forwarding_rule_self_link](outputs.tf#L42) | Forwarding rule self link. | | -| [group_self_links](outputs.tf#L47) | Optional unmanaged instance group self links. | | -| [groups](outputs.tf#L54) | Optional unmanaged instance group resources. | | -| [health_check](outputs.tf#L59) | Auto-created health-check resource. | | -| [health_check_self_id](outputs.tf#L64) | Auto-created health-check self id. | | -| [health_check_self_link](outputs.tf#L69) | Auto-created health-check self link. | | -| [id](outputs.tf#L74) | Fully qualified forwarding rule id. | | +| [forwarding_rule_addresses](outputs.tf#L32) | Forwarding rule addresses. | | +| [forwarding_rule_self_links](outputs.tf#L40) | Forwarding rule self links. | | +| [forwarding_rules](outputs.tf#L48) | Forwarding rule resources. | | +| [group_self_links](outputs.tf#L53) | Optional unmanaged instance group self links. | | +| [groups](outputs.tf#L60) | Optional unmanaged instance group resources. | | +| [health_check](outputs.tf#L65) | Auto-created health-check resource. | | +| [health_check_self_id](outputs.tf#L70) | Auto-created health-check self id. | | +| [health_check_self_link](outputs.tf#L75) | Auto-created health-check self link. | | +| [id](outputs.tf#L80) | Fully qualified forwarding rule ids. | | diff --git a/modules/net-lb-ext/groups.tf b/modules/net-lb-ext/groups.tf index f3fcaa82..3389fb17 100644 --- a/modules/net-lb-ext/groups.tf +++ b/modules/net-lb-ext/groups.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/net-lb-ext/health-check.tf b/modules/net-lb-ext/health-check.tf index 08ea0164..d41a437d 100644 --- a/modules/net-lb-ext/health-check.tf +++ b/modules/net-lb-ext/health-check.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/net-lb-ext/main.tf b/modules/net-lb-ext/main.tf index 68619b6b..534b112a 100644 --- a/modules/net-lb-ext/main.tf +++ b/modules/net-lb-ext/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -24,21 +24,26 @@ locals { ) } -resource "google_compute_forwarding_rule" "default" { - provider = google-beta - project = var.project_id - region = var.region - name = var.name - description = var.description - ip_address = var.address - ip_protocol = var.protocol +resource "google_compute_forwarding_rule" "forwarding_rules" { + for_each = var.forwarding_rules_config + provider = google-beta + project = var.project_id + region = var.region + name = ( + each.key == "" ? var.name : "${var.name}-${each.key}" + ) + description = each.value.description + ip_address = each.value.address + ip_protocol = each.value.protocol + ip_version = each.value.ip_version backend_service = ( google_compute_region_backend_service.default.self_link ) load_balancing_scheme = "EXTERNAL" - ports = var.ports # "nnnnn" or "nnnnn,nnnnn,nnnnn" max 5 - all_ports = var.ports == null ? true : null + ports = each.value.ports # "nnnnn" or "nnnnn,nnnnn,nnnnn" max 5 + all_ports = each.value.ports == null ? true : null labels = var.labels + subnetwork = each.value.subnetwork # is_mirroring_collector = false } diff --git a/modules/net-lb-ext/outputs.tf b/modules/net-lb-ext/outputs.tf index f7bb5433..bd3f383a 100644 --- a/modules/net-lb-ext/outputs.tf +++ b/modules/net-lb-ext/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -29,19 +29,25 @@ output "backend_service_self_link" { value = google_compute_region_backend_service.default.self_link } -output "forwarding_rule" { - description = "Forwarding rule resource." - value = google_compute_forwarding_rule.default +output "forwarding_rule_addresses" { + description = "Forwarding rule addresses." + value = { + for k, v in google_compute_forwarding_rule.forwarding_rules + : k => v.ip_address + } } -output "forwarding_rule_address" { - description = "Forwarding rule address." - value = google_compute_forwarding_rule.default.ip_address +output "forwarding_rule_self_links" { + description = "Forwarding rule self links." + value = { + for k, v in google_compute_forwarding_rule.forwarding_rules + : k => v.self_link + } } -output "forwarding_rule_self_link" { - description = "Forwarding rule self link." - value = google_compute_forwarding_rule.default.self_link +output "forwarding_rules" { + description = "Forwarding rule resources." + value = google_compute_forwarding_rule.forwarding_rules } output "group_self_links" { @@ -72,6 +78,9 @@ output "health_check_self_link" { } output "id" { - description = "Fully qualified forwarding rule id." - value = google_compute_forwarding_rule.default.id + description = "Fully qualified forwarding rule ids." + value = { + for k, v in google_compute_forwarding_rule.forwarding_rules + : k => v.id + } } diff --git a/modules/net-lb-ext/variables.tf b/modules/net-lb-ext/variables.tf index dbc9b54c..4c24f732 100644 --- a/modules/net-lb-ext/variables.tf +++ b/modules/net-lb-ext/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -14,12 +14,6 @@ * limitations under the License. */ -variable "address" { - description = "Optional IP address used for the forwarding rule." - type = string - default = null -} - variable "backend_service_config" { description = "Backend service level configuration." type = object({ @@ -70,7 +64,7 @@ variable "backend_service_config" { } variable "backends" { - description = "Load balancer backends, balancing mode is one of 'CONNECTION' or 'UTILIZATION'." + description = "Load balancer backends." type = list(object({ group = string description = optional(string, "Terraform managed.") @@ -86,6 +80,21 @@ variable "description" { default = "Terraform managed." } +variable "forwarding_rules_config" { + description = "The optional forwarding rules configuration." + type = map(object({ + address = optional(string) + description = optional(string) + ip_version = optional(string) + ports = optional(list(string), null) + protocol = optional(string, "TCP") + subnetwork = optional(string) # Required for IPv6 + })) + default = { + "" = {} + } +} + variable "group_configs" { description = "Optional unmanaged groups to create. Can be referenced in backends via outputs." type = map(object({ @@ -191,12 +200,6 @@ variable "name" { type = string } -variable "ports" { - description = "Comma-separated ports, leave null to use all ports." - type = list(string) - default = null -} - variable "project_id" { description = "Project id where resources will be created." type = string diff --git a/modules/net-lb-ext/versions.tf b/modules/net-lb-ext/versions.tf index 3963660f..af346395 100644 --- a/modules/net-lb-ext/versions.tf +++ b/modules/net-lb-ext/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } 
diff --git a/modules/net-lb-int/README.md b/modules/net-lb-int/README.md index 02c4fbc8..39344d5f 100644 --- a/modules/net-lb-int/README.md +++ b/modules/net-lb-int/README.md @@ -119,12 +119,16 @@ module "ilb" { project_id = var.project_id region = "europe-west1" name = "ilb-test" - protocol = "L3_DEFAULT" service_label = "ilb-test" vpc_config = { network = var.vpc.self_link subnetwork = var.subnet.self_link } + forwarding_rules_config = { + "" = { + protocol = "L3_DEFAULT" + } + } group_configs = { my-group = { zone = "europe-west1-b" 
@@ -141,6 +145,90 @@ module "ilb" { # tftest modules=1 resources=4 ``` +### Mutiple forwarding rules + +You can add more forwarding rules to your load balancer and override some forwarding rules defaults, including the global access policy, the IP protocol, the IP version and ports. + +The example adds two forwarding rules: + +- the first one, called `ilb-test-vip-one` exposes an IPv4 address, it listens on all ports, and allows connections from any region. +- the second one, called `ilb-test-vip-two` exposes an IPv4 address, it listens on port 80 and allows connections from the same region only. + + +```hcl +module "ilb" { + source = "./fabric/modules/net-lb-int" + project_id = var.project_id + region = "europe-west1" + name = "ilb-test" + service_label = "ilb-test" + vpc_config = { + network = var.vpc.self_link + subnetwork = var.subnet.self_link + } + forwarding_rules_config = { + vip-one = {} + vip-two = { + global_access = false + ports = [80] + } + } + group_configs = { + my-group = { + zone = "europe-west1-b" + instances = [ + "instance-1-self-link", + "instance-2-self-link" + ] + } + } + backends = [{ + group = module.ilb.groups.my-group.self_link + }] +} +# tftest modules=1 resources=5 +``` + +### Dual stack (IPv4 and IPv6) + +Your load balancer can use a combination of either or both IPv4 and IPv6 forwarding rules. +In this example we set the load balancer to work as dual stack, meaning it exposes both an IPv4 and an IPv6 address. 
+ +```hcl +module "ilb" { + source = "./fabric/modules/net-lb-int" + project_id = var.project_id + region = "europe-west1" + name = "ilb-test" + service_label = "ilb-test" + vpc_config = { + network = var.vpc.self_link + subnetwork = var.subnet.self_link + } + forwarding_rules_config = { + ipv4 = { + version = "IPV4" + } + ipv6 = { + version = "IPV6" + } + } + group_configs = { + my-group = { + zone = "europe-west1-b" + instances = [ + "instance-1-self-link", + "instance-2-self-link" + ] + } + } + backends = [{ + group = module.ilb.groups.my-group.self_link + }] +} +# tftest modules=1 resources=5 +``` + ### End to end example This example spins up a simple HTTP server and combines four modules: @@ -160,7 +248,7 @@ module "instance-group" { source = "./fabric/modules/compute-vm" for_each = toset(["b", "c"]) project_id = var.project_id - zone = "europe-west1-${each.key}" + zone = "${var.region}-${each.key}" name = "ilb-test-${each.key}" network_interfaces = [{ network = var.vpc.self_link @@ -185,18 +273,21 @@ module "instance-group" { module "ilb" { source = "./fabric/modules/net-lb-int" project_id = var.project_id - region = "europe-west1" + region = var.region name = "ilb-test" service_label = "ilb-test" vpc_config = { network = var.vpc.self_link subnetwork = var.subnet.self_link } - ports = [80] + forwarding_rules_config = { + "" = { + ports = [80] + } + } backends = [ for z, mod in module.instance-group : { - group = mod.group.self_link - balancing_mode = "UTILIZATION" + group = mod.group.self_link } ] health_check_config = { 
@@ -205,29 +296,27 @@ module "ilb" { } } } -# tftest modules=3 resources=7 +# tftest modules=3 resources=7 e2e ``` ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [name](variables.tf#L189) | Name used for all resources. | string | ✓ | | -| [project_id](variables.tf#L200) | Project id where resources will be created. | string | ✓ | | -| [region](variables.tf#L211) | GCP region. | string | ✓ | | -| [vpc_config](variables.tf#L222) | VPC-level configuration. | object({…}) | ✓ | | -| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null | -| [backend_service_config](variables.tf#L23) | Backend service level configuration. | object({…}) | | {} | -| [backends](variables.tf#L57) | Load balancer backends, balancing mode is one of 'CONNECTION' or 'UTILIZATION'. | list(object({…})) | | [] | -| [description](variables.tf#L76) | Optional description used for resources. | string | | "Terraform managed." | -| [global_access](variables.tf#L82) | Global access, defaults to false if not set. | bool | | null | -| [group_configs](variables.tf#L88) | Optional unmanaged groups to create. Can be referenced in backends via outputs. | map(object({…})) | | {} | -| [health_check](variables.tf#L100) | Name of existing health check to use, disables auto-created health check. | string | | null | -| [health_check_config](variables.tf#L106) | Optional auto-created health check configuration, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | object({…}) | | {…} | -| [labels](variables.tf#L183) | Labels set on resources. | map(string) | | {} | -| [ports](variables.tf#L194) | Comma-separated ports, leave null to use all ports. | list(string) | | null | -| [protocol](variables.tf#L205) | Forwarding rule protocol used, defaults to TCP. | string | | "TCP" | -| [service_label](variables.tf#L216) | Optional prefix of the fully qualified forwarding rule name. 
| string | | null | +| [name](variables.tf#L184) | Name used for all resources. | string | ✓ | | +| [project_id](variables.tf#L189) | Project id where resources will be created. | string | ✓ | | +| [region](variables.tf#L200) | GCP region. | string | ✓ | | +| [vpc_config](variables.tf#L211) | VPC-level configuration. | object({…}) | ✓ | | +| [backend_service_config](variables.tf#L17) | Backend service level configuration. | object({…}) | | {} | +| [backends](variables.tf#L51) | Load balancer backends. | list(object({…})) | | [] | +| [description](variables.tf#L62) | Optional description used for resources. | string | | "Terraform managed." | +| [forwarding_rules_config](variables.tf#L68) | The optional forwarding rules configuration. | map(object({…})) | | {…} | +| [group_configs](variables.tf#L83) | Optional unmanaged groups to create. Can be referenced in backends via outputs. | map(object({…})) | | {} | +| [health_check](variables.tf#L95) | Name of existing health check to use, disables auto-created health check. | string | | null | +| [health_check_config](variables.tf#L101) | Optional auto-created health check configuration, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | object({…}) | | {…} | +| [labels](variables.tf#L178) | Labels set on resources. | map(string) | | {} | +| [protocol](variables.tf#L194) | Forwarding rule protocol used, defaults to TCP. | string | | "TCP" | +| [service_label](variables.tf#L205) | Optional prefix of the fully qualified forwarding rule name. | string | | null | ## Outputs 
@@ -236,13 +325,13 @@ module "ilb" { | [backend_service](outputs.tf#L17) | Backend resource. | | | [backend_service_id](outputs.tf#L22) | Backend id. | | | [backend_service_self_link](outputs.tf#L27) | Backend self link. | | -| [forwarding_rule](outputs.tf#L32) | Forwarding rule resource. | | -| [forwarding_rule_address](outputs.tf#L37) | Forwarding rule address. | | -| [forwarding_rule_self_link](outputs.tf#L42) | Forwarding rule self link. | | -| [group_self_links](outputs.tf#L47) | Optional unmanaged instance group self links. | | -| [groups](outputs.tf#L54) | Optional unmanaged instance group resources. | | -| [health_check](outputs.tf#L59) | Auto-created health-check resource. | | -| [health_check_self_id](outputs.tf#L64) | Auto-created health-check self id. | | -| [health_check_self_link](outputs.tf#L69) | Auto-created health-check self link. | | -| [id](outputs.tf#L74) | Fully qualified forwarding rule id. | | +| [forwarding_rule_addresses](outputs.tf#L32) | Forwarding rule address. | | +| [forwarding_rule_self_links](outputs.tf#L40) | Forwarding rule self links. | | +| [forwarding_rules](outputs.tf#L48) | Forwarding rule resources. | | +| [group_self_links](outputs.tf#L56) | Optional unmanaged instance group self links. | | +| [groups](outputs.tf#L63) | Optional unmanaged instance group resources. | | +| [health_check](outputs.tf#L68) | Auto-created health-check resource. | | +| [health_check_self_id](outputs.tf#L73) | Auto-created health-check self id. | | +| [health_check_self_link](outputs.tf#L78) | Auto-created health-check self link. | | +| [id](outputs.tf#L83) | Fully qualified forwarding rule ids. | | diff --git a/modules/net-lb-int/groups.tf b/modules/net-lb-int/groups.tf index 5bb71978..736dfc6f 100644 --- a/modules/net-lb-int/groups.tf +++ b/modules/net-lb-int/groups.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/net-lb-int/health-check.tf b/modules/net-lb-int/health-check.tf index 88f9f6ea..c9525878 100644 --- a/modules/net-lb-int/health-check.tf +++ b/modules/net-lb-int/health-check.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/modules/net-lb-int/main.tf b/modules/net-lb-int/main.tf index eccb536e..4e2ebc67 100644 --- a/modules/net-lb-int/main.tf +++ b/modules/net-lb-int/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -25,24 +25,28 @@ locals { ) } -resource "google_compute_forwarding_rule" "default" { - provider = google-beta - project = var.project_id +resource "google_compute_forwarding_rule" "forwarding_rules" { + for_each = var.forwarding_rules_config + provider = google-beta + project = var.project_id + name = ( + each.key == "" ? var.name : "${var.name}-${each.key}" + ) region = var.region - name = var.name - description = var.description - ip_address = var.address - ip_protocol = var.protocol + description = each.value.description + ip_address = each.value.address + ip_protocol = each.value.protocol + ip_version = each.value.ip_version backend_service = ( google_compute_region_backend_service.default.self_link ) load_balancing_scheme = "INTERNAL" network = var.vpc_config.network - ports = var.ports # "nnnnn" or "nnnnn,nnnnn,nnnnn" max 5 + ports = each.value.ports # "nnnnn" or "nnnnn,nnnnn,nnnnn" max 5 subnetwork = var.vpc_config.subnetwork - allow_global_access = var.global_access + allow_global_access = each.value.global_access labels = var.labels - all_ports = var.ports == null ? true : null + all_ports = each.value.ports == null ? true : null service_label = var.service_label # is_mirroring_collector = false } @@ -64,7 +68,7 @@ resource "google_compute_region_backend_service" "default" { dynamic "backend" { for_each = { for b in var.backends : b.group => b } content { - balancing_mode = backend.value.balancing_mode + balancing_mode = "CONNECTION" description = backend.value.description failover = backend.value.failover group = backend.key diff --git a/modules/net-lb-int/outputs.tf b/modules/net-lb-int/outputs.tf index bab17b94..c4dabbb7 100644 --- a/modules/net-lb-int/outputs.tf +++ b/modules/net-lb-int/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -29,19 +29,28 @@ output "backend_service_self_link" { value = google_compute_region_backend_service.default.self_link } -output "forwarding_rule" { - description = "Forwarding rule resource." - value = google_compute_forwarding_rule.default -} - -output "forwarding_rule_address" { +output "forwarding_rule_addresses" { description = "Forwarding rule address." - value = google_compute_forwarding_rule.default.ip_address + value = { + for k, v in google_compute_forwarding_rule.forwarding_rules + : k => v.ip_address + } } -output "forwarding_rule_self_link" { - description = "Forwarding rule self link." - value = google_compute_forwarding_rule.default.self_link +output "forwarding_rule_self_links" { + description = "Forwarding rule self links." + value = { + for k, v in google_compute_forwarding_rule.forwarding_rules + : k => v.self_link + } +} + +output "forwarding_rules" { + description = "Forwarding rule resources." + value = { + for k, v in google_compute_forwarding_rule.forwarding_rules + : k => v + } } output "group_self_links" { @@ -72,6 +81,9 @@ output "health_check_self_link" { } output "id" { - description = "Fully qualified forwarding rule id." - value = google_compute_forwarding_rule.default.id + description = "Fully qualified forwarding rule ids." + value = { + for k, v in google_compute_forwarding_rule.forwarding_rules + : k => v.id + } } diff --git a/modules/net-lb-int/variables.tf b/modules/net-lb-int/variables.tf index d10f6dbd..22a568fc 100644 --- a/modules/net-lb-int/variables.tf +++ b/modules/net-lb-int/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -14,12 +14,6 @@ * limitations under the License. */ -variable "address" { - description = "Optional IP address used for the forwarding rule." - type = string - default = null -} - variable "backend_service_config" { description = "Backend service level configuration." type = object({ @@ -55,22 +49,14 @@ variable "backend_service_config" { } variable "backends" { - description = "Load balancer backends, balancing mode is one of 'CONNECTION' or 'UTILIZATION'." + description = "Load balancer backends." type = list(object({ - group = string - balancing_mode = optional(string, "CONNECTION") - description = optional(string, "Terraform managed.") - failover = optional(bool, false) + group = string + description = optional(string, "Terraform managed.") + failover = optional(bool, false) })) default = [] nullable = false - validation { - condition = alltrue([ - for b in var.backends : contains( - ["CONNECTION", "UTILIZATION"], coalesce(b.balancing_mode, "CONNECTION") - )]) - error_message = "When specified balancing mode needs to be 'CONNECTION' or 'UTILIZATION'." - } } variable "description" { @@ -79,10 +65,19 @@ variable "description" { default = "Terraform managed." } -variable "global_access" { - description = "Global access, defaults to false if not set." - type = bool - default = null +variable "forwarding_rules_config" { + description = "The optional forwarding rules configuration." + type = map(object({ + address = optional(string) + description = optional(string) + global_access = optional(bool, true) + ip_version = optional(string) + ports = optional(list(string), null) + protocol = optional(string, "TCP") + })) + default = { + "" = {} + } } variable "group_configs" { @@ -191,12 +186,6 @@ variable "name" { type = string } -variable "ports" { - description = "Comma-separated ports, leave null to use all ports." - type = list(string) - default = null -} - variable "project_id" { description = "Project id where resources will be created." type = string 
diff --git a/modules/net-lb-int/versions.tf b/modules/net-lb-int/versions.tf index 3963660f..af346395 100644 --- a/modules/net-lb-int/versions.tf +++ b/modules/net-lb-int/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-lb-proxy-int/variables.tf b/modules/net-lb-proxy-int/variables.tf index 70a725a6..cd1a6e81 100644 --- a/modules/net-lb-proxy-int/variables.tf +++ b/modules/net-lb-proxy-int/variables.tf @@ -68,7 +68,7 @@ variable "backend_service_config" { for b in var.backend_service_config.backends : contains( ["CONNECTION", "UTILIZATION"], coalesce(b.balancing_mode, "CONNECTION") )]) - error_message = "When specified balancing mode needs to be 'CONNECTION' or 'UTILIZATION'." + error_message = "When specified, balancing mode needs to be 'CONNECTION' or 'UTILIZATION'." } } diff --git a/modules/net-lb-proxy-int/versions.tf b/modules/net-lb-proxy-int/versions.tf index 3963660f..af346395 100644 --- a/modules/net-lb-proxy-int/versions.tf +++ b/modules/net-lb-proxy-int/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-swp/versions.tf b/modules/net-swp/versions.tf index 3963660f..af346395 100644 --- a/modules/net-swp/versions.tf +++ b/modules/net-swp/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-vlan-attachment/versions.tf b/modules/net-vlan-attachment/versions.tf index 3963660f..af346395 100644 --- a/modules/net-vlan-attachment/versions.tf +++ b/modules/net-vlan-attachment/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md index 47a696de..235f1ebc 100644 --- a/modules/net-vpc-firewall/README.md +++ b/modules/net-vpc-firewall/README.md @@ -186,6 +186,11 @@ module "firewall" { ```yaml # tftest-file id=lbs path=configs/firewall/rules/load_balancers.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + ingress: allow-healthchecks: description: Allow ingress from healthchecks. @@ -220,6 +225,11 @@ egress: ```yaml # tftest-file id=cidrs path=configs/firewall/cidrs.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + healthchecks: - 35.191.0.0/16 - 130.211.0.0/22 diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf index bd528b02..5f7a95b5 100644 --- a/modules/net-vpc-firewall/main.tf +++ b/modules/net-vpc-firewall/main.tf 
@@ -47,7 +47,7 @@ locals { if contains(["EGRESS", "INGRESS"], r.direction) } _named_ranges = merge( - try(yamldecode(file(var.factories_config.cidr_tpl_file)), {}), + can(var.factories_config.cidr_tpl_file) ? yamldecode(file(var.factories_config.cidr_tpl_file)) : {}, var.named_ranges ) _rules = merge( diff --git a/modules/net-vpc-firewall/versions.tf b/modules/net-vpc-firewall/versions.tf index 3963660f..af346395 100644 --- a/modules/net-vpc-firewall/versions.tf +++ b/modules/net-vpc-firewall/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-vpc-peering/versions.tf b/modules/net-vpc-peering/versions.tf index 3963660f..af346395 100644 --- a/modules/net-vpc-peering/versions.tf +++ b/modules/net-vpc-peering/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-vpc/versions.tf b/modules/net-vpc/versions.tf index 3963660f..af346395 100644 --- a/modules/net-vpc/versions.tf +++ b/modules/net-vpc/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-vpn-dynamic/versions.tf b/modules/net-vpn-dynamic/versions.tf index 3963660f..af346395 100644 --- a/modules/net-vpn-dynamic/versions.tf +++ b/modules/net-vpn-dynamic/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-vpn-ha/versions.tf b/modules/net-vpn-ha/versions.tf index 3963660f..af346395 100644 --- a/modules/net-vpn-ha/versions.tf +++ b/modules/net-vpn-ha/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/net-vpn-static/versions.tf b/modules/net-vpn-static/versions.tf index 3963660f..af346395 100644 --- a/modules/net-vpn-static/versions.tf +++ b/modules/net-vpn-static/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/organization/README.md b/modules/organization/README.md index fd9ca094..86df8ab3 100644 --- a/modules/organization/README.md +++ b/modules/organization/README.md @@ -194,6 +194,11 @@ module "org" { ```yaml # tftest-file id=gke path=configs/custom-constraints/gke.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + custom.gkeEnableLogging: resource_types: - container.googleapis.com/Cluster 
@@ -216,6 +221,11 @@ custom.gkeEnableAutoUpgrade: ```yaml # tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + custom.dataprocNoMoreThan10Workers: resource_types: - dataproc.googleapis.com/Cluster diff --git a/modules/organization/versions.tf b/modules/organization/versions.tf index 3963660f..af346395 100644 --- a/modules/organization/versions.tf +++ b/modules/organization/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/project/README.md b/modules/project/README.md index 8a2a1b4e..43dfbc70 100644 --- a/modules/project/README.md +++ b/modules/project/README.md @@ -359,6 +359,11 @@ module "project" { ```yaml # tftest-file id=boolean path=configs/org-policies/boolean.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.disableGuestAttributesAccess: rules: - enforce: true @@ -381,6 +386,11 @@ iam.disableServiceAccountKeyUpload: ```yaml # tftest-file id=list path=configs/org-policies/list.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.trustedImageProjects: rules: - allow: diff --git a/modules/project/versions.tf b/modules/project/versions.tf index 3963660f..af346395 100644 --- a/modules/project/versions.tf +++ b/modules/project/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/projects-data-source/versions.tf b/modules/projects-data-source/versions.tf index 3963660f..af346395 100644 --- a/modules/projects-data-source/versions.tf +++ b/modules/projects-data-source/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/pubsub/versions.tf b/modules/pubsub/versions.tf index 3963660f..af346395 100644 --- a/modules/pubsub/versions.tf +++ b/modules/pubsub/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/secret-manager/versions.tf b/modules/secret-manager/versions.tf index 3963660f..af346395 100644 --- a/modules/secret-manager/versions.tf +++ b/modules/secret-manager/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/service-directory/versions.tf b/modules/service-directory/versions.tf index 3963660f..af346395 100644 --- a/modules/service-directory/versions.tf +++ b/modules/service-directory/versions.tf 
@@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/source-repository/versions.tf b/modules/source-repository/versions.tf index 3963660f..af346395 100644 --- a/modules/source-repository/versions.tf +++ b/modules/source-repository/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/modules/vpc-sc/versions.tf b/modules/vpc-sc/versions.tf index 3963660f..af346395 100644 --- a/modules/vpc-sc/versions.tf +++ b/modules/vpc-sc/versions.tf @@ -17,11 +17,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest + version = ">= 5.0.0, < 6.0.0" # tftest } } } diff --git a/tests/__init__.py b/tests/__init__.py index 67ec9681..97bcfa4f 100644 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/blueprints/__init__.py b/tests/blueprints/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/blueprints/__init__.py +++ b/tests/blueprints/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/tests/blueprints/networking/__init__.py b/tests/blueprints/networking/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/blueprints/networking/__init__.py +++ b/tests/blueprints/networking/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/blueprints/networking/onprem_google_access_dns/__init__.py b/tests/blueprints/networking/onprem_google_access_dns/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/blueprints/networking/onprem_google_access_dns/__init__.py +++ b/tests/blueprints/networking/onprem_google_access_dns/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/blueprints/networking/onprem_google_access_dns/fixture/variables.tf b/tests/blueprints/networking/onprem_google_access_dns/fixture/variables.tf index 626af011..291d2171 100644 --- a/tests/blueprints/networking/onprem_google_access_dns/fixture/variables.tf +++ b/tests/blueprints/networking/onprem_google_access_dns/fixture/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/blueprints/networking/onprem_google_access_dns/test_plan.py.disabled b/tests/blueprints/networking/onprem_google_access_dns/test_plan.py.disabled index 1c057cbe..c54cbc5d 100644 --- a/tests/blueprints/networking/onprem_google_access_dns/test_plan.py.disabled +++ b/tests/blueprints/networking/onprem_google_access_dns/test_plan.py.disabled 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/collectors.py b/tests/collectors.py index 3df7d3d0..749e192c 100644 --- a/tests/collectors.py +++ b/tests/collectors.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/examples/__init__.py b/tests/examples/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/examples/__init__.py +++ b/tests/examples/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/examples/conftest.py b/tests/examples/conftest.py index 55702618..345df27f 100644 --- a/tests/examples/conftest.py +++ b/tests/examples/conftest.py @@ -27,9 +27,18 @@ Example = collections.namedtuple('Example', 'name code module files') File = collections.namedtuple('File', 'path content') -def pytest_generate_tests(metafunc): +def get_tftest_directive(s): + """Returns tftest directive from code block or None when directive is not found""" + for x in s.splitlines(): + if x.strip().startswith("#") and 'tftest' in x: + return x + return None + + +def pytest_generate_tests(metafunc, test_group='example', + filter_tests=lambda x: True): """Find all README.md files and collect code examples tagged for testing.""" - if 'example' in metafunc.fixturenames: + if test_group in metafunc.fixturenames: readmes = FABRIC_ROOT.glob('**/README.md') examples = [] ids = [] 
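Review bot: `get_tftest_directive` in `tests/examples/conftest.py` returns the first comment line that merely contains the substring `tftest`, so a `# tftest-file id=... path=...` line, or an ordinary comment mentioning tftest, is returned as the directive ahead of the real `# tftest modules=... resources=...` line. The downstream `'skip' in tftest_tag` test is also a substring match and would skip a directive such as `inventory=skipped.yaml`. Suggest anchoring the match (for example `re.match(r'#\s*tftest\b', x.strip())`) and testing for the skip keyword with `\bskip\b`. Separately, the added `test_group` and `filter_tests` parameters on the `pytest_generate_tests` hook only work because pluggy neither validates nor passes parameters that carry defaults; a one-line comment saying so would stop someone "cleaning up" the defaults and breaking hook registration.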
@@ -59,7 +68,9 @@ def pytest_generate_tests(metafunc): if isinstance(child, marko.block.FencedCode): index += 1 code = child.children[0].children - if 'tftest skip' in code: + tftest_tag = get_tftest_directive(code) + if tftest_tag and ('skip' in tftest_tag or + not filter_tests(tftest_tag)): continue if child.lang == 'hcl': path = module.relative_to(FABRIC_ROOT) @@ -72,4 +83,4 @@ def pytest_generate_tests(metafunc): last_header = child.children[0].children index = 0 - metafunc.parametrize('example', examples, ids=ids) + metafunc.parametrize(test_group, examples, ids=ids) diff --git a/tests/examples/test_plan.py b/tests/examples/test_plan.py index f5e2b9b9..3ff2992e 100644 --- a/tests/examples/test_plan.py +++ b/tests/examples/test_plan.py @@ -28,6 +28,10 @@ def test_example(plan_validator, tmp_path, example): (tmp_path / 'fabric').symlink_to(BASE_PATH.parents[1]) (tmp_path / 'variables.tf').symlink_to(BASE_PATH / 'variables.tf') (tmp_path / 'main.tf').write_text(example.code) + assets_path = BASE_PATH.parent / str(example.module).replace('-', + '_') / 'assets' + if assets_path.exists(): + (tmp_path / 'assets').symlink_to(assets_path) expected_modules = int(match.group(1)) expected_resources = int(match.group(2)) diff --git a/tests/examples_e2e/README.md b/tests/examples_e2e/README.md new file mode 100644 index 00000000..027ef21c --- /dev/null +++ b/tests/examples_e2e/README.md 
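Review bot: in the new skip condition `if tftest_tag and ('skip' in tftest_tag or not filter_tests(tftest_tag))`, a code block with no tftest directive at all (`tftest_tag` is None) never reaches `filter_tests` and is therefore collected into every test group, including `examples_e2e`, whose filter (`lambda x: 'e2e' in x`) is meant to admit only explicitly tagged examples. Untagged HCL blocks in any README would then be applied against a real project. Pass the filter an empty string for untagged blocks, e.g. `if (tftest_tag and 'skip' in tftest_tag) or not filter_tests(tftest_tag or ''): continue`, which keeps the current behaviour for the plan-only group (its filter always returns True) and excludes untagged blocks from e2e.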
@@ -0,0 +1,88 @@ +# Prerequisites +Prepare following information: +* billing account id +* your organization id +* parent folder under which resources will be created + * (you may want to disable / restore to default some organization policies under this folder) +* decide in which region you want to deploy (choose one, that has wide service coverage) +* prepare a prefix, suffix and a timestamp for you (this is to provide project and other resources name uniqueness) +* prepare service account that has necessary permissions (able to assign billing account to project, resource creation etc) + +# How does it work +Each test case is provided by additional environment defined in [variables.tf](./variables.tf). This simplifies writing the examples as this follows the same structure as for non-end-to-end tests, and allows multiple, independent and concurrent runs of tests. + +The test environment can be provisioned automatically during the test run (which now takes ~2 minutes) and destroyed and the end, when of the tests (Option 1 below), which is targeting automated runs in CI/CD pipeline, or can be provisioned manually to reduce test time, which might be typical use case for tests run locally. 
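Review bot: the prerequisites in `tests/examples_e2e/README.md` ask for a "service account that has necessary permissions (able to assign billing account to project, resource creation etc)" without naming them; since this identity applies real infrastructure, list the minimum roles and where to bind them, scoped to the test folder and the billing account rather than the organization (for example `roles/resourcemanager.projectCreator` and `roles/resourcemanager.folderAdmin` on the parent folder and `roles/billing.user` on the billing account), and say explicitly that it should not be the service account used by production FAST stages. Also fix the sentence "destroyed and the end, when of the tests" (should read "destroyed at the end of the tests") and "Each test case is provided by additional environment" (missing article: "an additional environment").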
+ +# Option 1 - automatically provision and de-provision testing infrastructure + +## Create `e2e.tfvars` file +```hcl +billing_account = "123456-123456-123456" # billing account id to associate projects +organization_id = "1234567890" # your organization id +parent = "folders/1234567890" # folder under which test resources will be created +prefix = "your-unique-prefix" # unique prefix for projects +region = "europe-west4" # region to use + +# tftest skip +``` +And set environment variable pointing to the file: +```bash +export TFTEST_E2E_SETUP_TFVARS_PATH= +``` + +Or set above variables in environment: +```bash +export TF_VAR_billing_account="123456-123456-123456" # billing account id to associate projects +export TF_VAR_organization_id="1234567890" # your organization id +export TF_VAR_parent="folders/1234567890" # folder under which test resources will be created +export TF_VAR_prefix="your-unique-prefix" # unique prefix for projects +export TF_VAR_region="europe-west4" # region to use +``` + +To use Service Account Impersonation, use provider environment variable +```bash +export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=@.iam.gserviceaccount.com +``` + +You can keep the prefix the same for all the tests run, the tests will add necessary suffix for subsequent runs, and in case tests are run in parallel, use separate suffix for the workers. 
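Review bot: the two export lines `export TFTEST_E2E_SETUP_TFVARS_PATH=` and `export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=@.iam.gserviceaccount.com` ship with no placeholder value, so as written the first sets an empty path and the second is not a valid service account address; spell the placeholders out (path to the tfvars file, and `NAME@PROJECT.iam.gserviceaccount.com`) so the page does not depend on angle-bracket text that Markdown renderers drop. The closing paragraph says parallel workers should "use separate suffix for the workers" but does not say how a worker sets its suffix (no variable or environment name is given), which is the one thing a CI author needs here.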
+# Run the tests +```bash +pytest tests/examples_e2e +``` + +# Option 2 - Provision manually test environment and use it for tests +## Provision manually test environment +In `tests/examples_e2e/setup_module` create `terraform.tfvars` with following values: +```hcl +billing_account = "123456-123456-123456" # billing account id to associate projects +organization_id = "1234567890" # your organization id +parent = "folders/1234567890" # folder under which test resources will be created +prefix = "your-unique-prefix" # unique prefix for projects +region = "europe-west4" # region to use +suffix = "1" # suffix, keep 1 for now +timestamp = "1696444185" # generate your own timestamp - will be used as a part of prefix +# tftest skip +``` + +If you use service account impersonation, set `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` +```bash +export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=@.iam.gserviceaccount.com +``` + +Provision the environment using terraform +```bash +(cd tests/examples_e2e/setup_module/ && terraform init && terraform apply) +``` + +This will generate also `tests/examples_e2e/setup_module/e2e_tests.tfvars` for you, which can be used by tests. + +## Setup your environment +```bash +export TFTEST_E2E_TFVARS_PATH=`pwd`/tests/examples_e2e/setup_module/e2e_tests.tfvars # generated above +``` + +## Run tests +Run tests using: +```bash +pytest tests/examples_e2e +``` diff --git a/tests/examples_e2e/__init__.py b/tests/examples_e2e/__init__.py new file mode 100644 index 00000000..7ba50f93 --- /dev/null +++ b/tests/examples_e2e/__init__.py 
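Review bot: Option 2 has the user write `terraform.tfvars` with billing account, organization and folder ids into `tests/examples_e2e/setup_module`, and the apply then writes `e2e_tests.tfvars` (project id, bucket, service account email) plus a local `terraform.tfstate` into the same directory inside the repository, yet this patch adds no `.gitignore` entries for any of them. Add ignore rules for `tests/examples_e2e/setup_module/terraform.tfvars`, `e2e_tests.tfvars`, `terraform.tfstate*` and `.terraform/` so a contributor running the suite cannot commit account identifiers or state by accident. Minor: the heading "Provision manually test environment" should read "Manually provision the test environment".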
@@ -0,0 +1,13 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/tests/examples_e2e/conftest.py b/tests/examples_e2e/conftest.py new file mode 100644 index 00000000..91f9a264 --- /dev/null +++ b/tests/examples_e2e/conftest.py @@ -0,0 +1,21 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Pytest configuration for testing code examples.""" + +from ..examples.conftest import pytest_generate_tests as _examples_generate_test + + +def pytest_generate_tests(metafunc): + """Find all README.md files and collect code examples tagged for testing.""" + _examples_generate_test(metafunc, "examples_e2e", lambda x: 'e2e' in x) diff --git a/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl b/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl new file mode 100644 index 00000000..c21d7742 --- /dev/null +++ b/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl 
@@ -0,0 +1,50 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +bucket= "${bucket}" +billing_account_id = "${billing_account_id}" +kms_key= { + self_link = "kms_key_self_link" +} +organization_id = "${organization_id}" +folder_id = "${folder_id}" +prefix = "${prefix}" +project_id = "${project_id}" +region = "${region}" +service_account = { + id = "${service_account.id}" + email = "${service_account.email}" + iam_email = "${service_account.iam_email}" + } +subnet = { + name = "${subnet.name}" + region = "${subnet.region}" + cidr = "${subnet.ip_cidr_range}" + self_link = "${subnet.self_link}" + } +vpc = { + name = "${vpc.name}" + self_link = "${vpc.self_link}" + id = "${vpc.id}" + } + +# vpc1 = { +# name = "vpc_name" +# self_link = "projects/xxx/global/networks/bbb" +# } +#vpc2 = { +# name = "vpc2_name" +# self_link = "projects/xxx/global/networks/ccc" +# } +zone = "${region}-a" diff --git a/tests/examples_e2e/setup_module/main.tf b/tests/examples_e2e/setup_module/main.tf new file mode 100644 index 00000000..9bc5a979 --- /dev/null +++ b/tests/examples_e2e/setup_module/main.tf 
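Review bot: in `e2e_tests.tfvars.tftpl` the `kms_key` block is a literal placeholder (`self_link = "kms_key_self_link"`) rather than a templated value, and `cloudkms.googleapis.com` is not in the setup module's service list, so any example tagged `e2e` that references `var.kms_key` will fail at apply with an opaque error; either provision a key ring and key in `setup_module` and template its self link, or document that KMS examples cannot carry the e2e tag. The commented-out `vpc1`/`vpc2` blocks have the same problem in a subtler form: e2e examples using those variables silently fall back to the `projects/xxx/global/networks/...` defaults from `tests/examples_e2e/variables.tf`. Also run `terraform fmt` on the template (`bucket= "${bucket}"`, `kms_key= {`, inconsistent indentation of the closing braces).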
@@ -0,0 +1,107 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +locals { + prefix = "${var.prefix}-${var.timestamp}-${var.suffix}" + services = [ + # trimmed down list of services, to be extended as needed + "cloudbuild.googleapis.com", + "cloudfunctions.googleapis.com", + "cloudresourcemanager.googleapis.com", + "compute.googleapis.com", + "iam.googleapis.com", + "run.googleapis.com", + "serviceusage.googleapis.com", + "stackdriver.googleapis.com", + "storage-component.googleapis.com", + "storage.googleapis.com", + ] +} + +resource "google_folder" "folder" { + display_name = "E2E Tests ${var.timestamp}-${var.suffix}" + parent = var.parent +} + +resource "google_project" "project" { + name = "${local.prefix}-prj" + billing_account = var.billing_account + folder_id = google_folder.folder.id + project_id = "${local.prefix}-prj" +} + +resource "google_project_service" "project_service" { + for_each = toset(local.services) + service = each.value + project = google_project.project.project_id + disable_dependent_services = true +} + +resource "google_storage_bucket" "bucket" { + location = var.region + name = "${local.prefix}-bucket" + project = google_project.project.project_id + force_destroy = true + depends_on = [google_project_service.project_service] +} + +resource "google_compute_network" "network" { + name = "e2e-test" + project = google_project.project.project_id + auto_create_subnetworks = false + depends_on = 
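Review bot: the shared `google_storage_bucket.bucket` is created in a real project with only `force_destroy = true` set, so examples that grant bucket IAM during a test could leave it world-readable until teardown; add `uniform_bucket_level_access = true` and `public_access_prevention = "enforced"` to the fixture bucket so no example can accidentally expose it, and consider `private_ip_google_access = true` on `google_compute_subnetwork.subnetwork` since examples that run workloads without external IPs will otherwise fail to reach Google APIs. The `# trimmed down list of services, to be extended as needed` comment should also say that adding a service here is the expected fix when an e2e example fails with "API not enabled", so contributors do not enable it ad hoc inside examples.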
[google_project_service.project_service] +} + +resource "google_compute_subnetwork" "subnetwork" { + ip_cidr_range = "10.0.16.0/24" + name = "e2e-test-1" + network = google_compute_network.network.name + project = google_project.project.project_id + region = var.region +} + +resource "google_service_account" "service_account" { + account_id = "e2e-service-account" + project = google_project.project.project_id + depends_on = [google_project_service.project_service] +} + +resource "local_file" "terraform_tfvars" { + filename = "e2e_tests.tfvars" + content = templatefile("e2e_tests.tfvars.tftpl", { + bucket = google_storage_bucket.bucket.name + billing_account_id = var.billing_account + organization_id = var.organization_id + folder_id = google_folder.folder.folder_id + prefix = local.prefix + project_id = google_project.project.project_id + region = var.region + service_account = { + id = google_service_account.service_account.id + email = google_service_account.service_account.email + iam_email = "serviceAccount:${google_service_account.service_account.email}" + } + subnet = { + name = google_compute_subnetwork.subnetwork.name + region = google_compute_subnetwork.subnetwork.region + ip_cidr_range = google_compute_subnetwork.subnetwork.ip_cidr_range + self_link = google_compute_subnetwork.subnetwork.self_link + } + vpc = { + name = google_compute_network.network.name + self_link = google_compute_network.network.self_link + id = google_compute_network.network.id + } + }) +} diff --git a/tests/examples_e2e/setup_module/variables.tf b/tests/examples_e2e/setup_module/variables.tf new file mode 100644 index 00000000..d936cb20 --- /dev/null +++ b/tests/examples_e2e/setup_module/variables.tf 
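Review bot: in the `local_file.terraform_tfvars` template call, `folder_id = google_folder.folder.folder_id` yields the bare numeric id, whereas the same variable defaults to `folders/1122334455` in `tests/examples_e2e/variables.tf`, and `organization_id` is written as the bare value the README asks for (`"1234567890"`) while the default is `organizations/1122334455`. An example written against one form will behave differently between plan tests and e2e tests (or fail outright where the module expects the prefixed form). Use `google_folder.folder.name` (which is `folders/{id}`) and `"organizations/${var.organization_id}"` in the template, or change the defaults, so both test groups see the same shape.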
@@ -0,0 +1,35 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +variable "billing_account" { + type = string +} +variable "organization_id" { + type = string +} +variable "parent" { + type = string +} +variable "prefix" { + type = string +} +variable "region" { + type = string +} +variable "suffix" { + type = string +} +variable "timestamp" { + type = string +} diff --git a/tests/examples_e2e/test_plan.py b/tests/examples_e2e/test_plan.py new file mode 100644 index 00000000..84579b6b --- /dev/null +++ b/tests/examples_e2e/test_plan.py 
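Review bot: none of the variables in `tests/examples_e2e/setup_module/variables.tf` carry a `description` or `validation` block, although three of them are concatenated into a GCP project id (`"${var.prefix}-${var.timestamp}-${var.suffix}-prj"`): with a ten-digit timestamp and a one-character suffix that adds 17 characters, so `prefix` must be at most 13 characters to stay within the 30-character project id limit, and the README never says so. Add a `validation` on `prefix` (length and lowercase-alphanumeric pattern), on `timestamp` (digits only) and on `suffix`, so a bad value fails at plan time rather than after the folder has already been created.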
@@ -0,0 +1,35 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import re + +from pathlib import Path + +BASE_PATH = Path(__file__).parent +COUNT_TEST_RE = re.compile(r'# tftest +modules=(\d+) +resources=(\d+)' + + r'(?: +files=([\w@,_-]+))?' + + r'(?: +inventory=([\w\-.]+))?') + + +def test_example(e2e_validator, tmp_path, examples_e2e, e2e_tfvars_path): + (tmp_path / 'fabric').symlink_to(BASE_PATH.parents[1]) + (tmp_path / 'variables.tf').symlink_to(BASE_PATH / 'variables.tf') + (tmp_path / 'main.tf').write_text(examples_e2e.code) + assets_path = BASE_PATH.parent / str(examples_e2e.module).replace( + '-', '_') / 'assets' + if assets_path.exists(): + (tmp_path / 'assets').symlink_to(assets_path) + (tmp_path / 'terraform.tfvars').symlink_to(e2e_tfvars_path) + + e2e_validator(module_path=tmp_path, extra_files=[], + tf_var_files=[(tmp_path / 'terraform.tfvars')]) diff --git a/tests/examples_e2e/variables.tf b/tests/examples_e2e/variables.tf new file mode 100644 index 00000000..9a65aa7a --- /dev/null +++ b/tests/examples_e2e/variables.tf 
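Review bot: `COUNT_TEST_RE` in `tests/examples_e2e/test_plan.py` is defined but never used; `test_example` neither parses the directive nor materializes the `files=` assets it names, and calls `e2e_validator(..., extra_files=[])`, so an e2e-tagged example that depends on `tftest-file` fixtures will apply without them. Either parse the directive and pass the referenced files through `extra_files`, or drop the regex and assert in the collector that e2e examples do not use `files=`. The `import re` then becomes unused as well.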
@@ -0,0 +1,92 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# common variables used for examples + +variable "bucket" { + default = "bucket" +} + +variable "billing_account_id" { + default = "123456-123456-123456" +} + +variable "kms_key" { + default = { + self_link = "kms_key_self_link" + } +} + +variable "organization_id" { + default = "organizations/1122334455" +} + +variable "folder_id" { + default = "folders/1122334455" +} + +variable "prefix" { + default = "test" +} + +variable "project_id" { + default = "project-id" +} + +variable "region" { + default = "region" +} + +variable "service_account" { + default = { + id = "service_account_id" + email = "service_account_email" + iam_email = "service_account_iam_email" + } +} + +variable "subnet" { + default = { + name = "subnet_name" + region = "subnet_region" + cidr = "subnet_cidr" + self_link = "subnet_self_link" + } +} + +variable "vpc" { + default = { + name = "vpc_name" + self_link = "projects/xxx/global/networks/aaa" + id = "projects/xxx/global/networks/aaa" + } +} + +variable "vpc1" { + default = { + name = "vpc_name" + self_link = "projects/xxx/global/networks/bbb" + } +} + +variable "vpc2" { + default = { + name = "vpc2_name" + self_link = "projects/xxx/global/networks/ccc" + } +} + +variable "zone" { + default = "zone" +} diff --git a/tests/fast/__init__.py b/tests/fast/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/__init__.py +++ b/tests/fast/__init__.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/__init__.py b/tests/fast/stages/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/stages/__init__.py +++ b/tests/fast/stages/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s0_bootstrap/__init__.py b/tests/fast/stages/s0_bootstrap/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/stages/s0_bootstrap/__init__.py +++ b/tests/fast/stages/s0_bootstrap/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml index 0afb9d02..5f64bb99 100644 --- a/tests/fast/stages/s0_bootstrap/simple.yaml +++ b/tests/fast/stages/s0_bootstrap/simple.yaml @@ -15,13 +15,13 @@ counts: google_bigquery_dataset: 1 google_bigquery_default_service_account: 3 - google_logging_organization_sink: 2 + google_logging_organization_sink: 3 google_organization_iam_binding: 20 google_organization_iam_custom_role: 3 google_organization_iam_member: 13 google_project: 3 - google_project_iam_binding: 9 - google_project_iam_member: 3 + google_project_iam_binding: 10 + google_project_iam_member: 5 google_project_service: 29 google_project_service_identity: 3 google_service_account: 2 diff --git a/tests/fast/stages/s0_bootstrap/simple_projects.yaml b/tests/fast/stages/s0_bootstrap/simple_projects.yaml index c4d359f3..de53c004 100644 --- a/tests/fast/stages/s0_bootstrap/simple_projects.yaml 
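Review bot: the expected-count changes in `tests/fast/stages/s0_bootstrap/simple.yaml` (`google_logging_organization_sink: 2 -> 3`, `google_project_iam_binding: 9 -> 10`, `google_project_iam_member: 3 -> 5`) touch the bootstrap stage's IAM and log-sink footprint, but no change to the bootstrap stage itself is in this patch. State in the PR which merged change they track, or move them to that change; bumping an inventory count without its cause is how an unintended extra org-level binding gets baselined into the tests.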
+++ b/tests/fast/stages/s0_bootstrap/simple_projects.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s0_bootstrap/simple_sas.yaml b/tests/fast/stages/s0_bootstrap/simple_sas.yaml index 0424e598..741885f2 100644 --- a/tests/fast/stages/s0_bootstrap/simple_sas.yaml +++ b/tests/fast/stages/s0_bootstrap/simple_sas.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s1_resman/__init__.py b/tests/fast/stages/s1_resman/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/stages/s1_resman/__init__.py +++ b/tests/fast/stages/s1_resman/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s1_resman/test_plan.py b/tests/fast/stages/s1_resman/test_plan.py index 39bdfc11..32ad12b5 100644 --- a/tests/fast/stages/s1_resman/test_plan.py +++ b/tests/fast/stages/s1_resman/test_plan.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s2_networking_a_peering/__init__.py b/tests/fast/stages/s2_networking_a_peering/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/stages/s2_networking_a_peering/__init__.py +++ b/tests/fast/stages/s2_networking_a_peering/__init__.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s2_networking_a_peering/test_plan.py b/tests/fast/stages/s2_networking_a_peering/test_plan.py index 35f3b7b3..28e3990c 100644 --- a/tests/fast/stages/s2_networking_a_peering/test_plan.py +++ b/tests/fast/stages/s2_networking_a_peering/test_plan.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s2_security/__init__.py b/tests/fast/stages/s2_security/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/stages/s2_security/__init__.py +++ b/tests/fast/stages/s2_security/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s2_security/test_plan.py b/tests/fast/stages/s2_security/test_plan.py index edf5622e..844b3f09 100644 --- a/tests/fast/stages/s2_security/test_plan.py +++ b/tests/fast/stages/s2_security/test_plan.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s3_data_platform/__init__.py b/tests/fast/stages/s3_data_platform/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/stages/s3_data_platform/__init__.py +++ b/tests/fast/stages/s3_data_platform/__init__.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s3_data_platform/test_plan.py b/tests/fast/stages/s3_data_platform/test_plan.py index ad7fa3d2..1205c2f4 100644 --- a/tests/fast/stages/s3_data_platform/test_plan.py +++ b/tests/fast/stages/s3_data_platform/test_plan.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s3_gke_multitenant/__init__.py b/tests/fast/stages/s3_gke_multitenant/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/stages/s3_gke_multitenant/__init__.py +++ b/tests/fast/stages/s3_gke_multitenant/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s3_gke_multitenant/test_plan.py b/tests/fast/stages/s3_gke_multitenant/test_plan.py index c517cb93..cf20a64f 100644 --- a/tests/fast/stages/s3_gke_multitenant/test_plan.py +++ b/tests/fast/stages/s3_gke_multitenant/test_plan.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s3_project_factory/__init__.py b/tests/fast/stages/s3_project_factory/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/fast/stages/s3_project_factory/__init__.py +++ b/tests/fast/stages/s3_project_factory/__init__.py 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages/s3_project_factory/test_plan.py b/tests/fast/stages/s3_project_factory/test_plan.py index fa293da8..c2d5468c 100644 --- a/tests/fast/stages/s3_project_factory/test_plan.py +++ b/tests/fast/stages/s3_project_factory/test_plan.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml index e5ccc4fd..3e84c00e 100644 --- a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml +++ b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fast/stages_multitenant/s1_resman_tenant/simple.yaml b/tests/fast/stages_multitenant/s1_resman_tenant/simple.yaml index 44c07c62..91dd9e9d 100644 --- a/tests/fast/stages_multitenant/s1_resman_tenant/simple.yaml +++ b/tests/fast/stages_multitenant/s1_resman_tenant/simple.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/fixtures.py b/tests/fixtures.py index aef854cd..caa9c945 100644 --- a/tests/fixtures.py +++ b/tests/fixtures.py @@ -19,6 +19,7 @@ import glob import os import shutil import tempfile +import time from pathlib import Path import pytest 
@@ -38,23 +39,23 @@ def _prepare_root_module(path): terraform.tfvars) are deleted to ensure a clean test environment. Otherwise, `path` is simply returned untouched. """ + # if we're copying the module, we might as well ignore files and + # directories that are automatically read by terraform. Useful + # to avoid surprises if, for example, you have an active fast + # deployment with links to configs) + ignore_patterns = shutil.ignore_patterns('*.auto.tfvars', + '*.auto.tfvars.json', + '[0-9]-*-providers.tf', + 'terraform.tfstate*', + '.terraform.lock.hcl', + 'terraform.tfvars', '.terraform') + if os.environ.get('TFTEST_COPY'): # if the TFTEST_COPY is set, create temp dir and copy the root # module there with tempfile.TemporaryDirectory(dir=path.parent) as tmp_path: tmp_path = Path(tmp_path) - # if we're copying the module, we might as well ignore files and - # directories that are automatically read by terraform. Useful - # to avoid surprises if, for example, you have an active fast - # deployment with links to configs) - ignore_patterns = shutil.ignore_patterns('*.auto.tfvars', - '*.auto.tfvars.json', - '[0-9]-*-providers.tf', - 'terraform.tfstate*', - '.terraform.lock.hcl', - 'terraform.tfvars', '.terraform') - shutil.copytree(path, tmp_path, dirs_exist_ok=True, ignore=ignore_patterns) lockfile = _REPO_ROOT / 'tools' / 'lockfile' / '.terraform.lock.hcl' @@ -63,6 +64,13 @@ def _prepare_root_module(path): yield tmp_path else: + # check if any ignore_patterns files are present in path + if unwanted_files := ignore_patterns(path, os.listdir(path=path)): + # prevent shooting yourself in the foot (unexpected test results) when ignored files are present + raise RuntimeError( + f'Test in path {path} contains {", ".join(unwanted_files)} which may affect ' + f'test results. Please run tests with TFTEST_COPY=1 environment variable' + ) # if TFTEST_COPY is not set, just return the same path yield path 
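Review bot: the new `else` branch of `_prepare_root_module` (tests/fixtures.py, hunk `@@ -63,6 +64,13 @@`) reuses the copy-time `ignore_patterns` as a presence check, and that set includes `.terraform` and `.terraform.lock.hcl`; any module directory where a developer has run `terraform init` locally will now raise `RuntimeError` unless `TFTEST_COPY=1` is exported. If that is intended, update the docstring at the top of this hunk, which still says "Otherwise, `path` is simply returned untouched"; if not, build the guard from the entries that actually change plan results (`*.auto.tfvars`, `*.auto.tfvars.json`, `terraform.tfvars`, `[0-9]-*-providers.tf`, `terraform.tfstate*`, and arguably the lockfile) and leave the `.terraform` cache alone. The check itself is worth keeping: a leftover `*-providers.tf` or `terraform.tfvars` from a live FAST deployment would otherwise point the test run at a real backend and real credentials. Two nits: `os.listdir(path=path)` only inspects the root module directory, which is exactly what Terraform reads for these files, so a one-line comment saying so would pre-empt the question; and the second `f'...'` fragment of the error message has no placeholders and can be a plain string.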
@@ -190,7 +198,8 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None, # - include a descriptive error message to the assert if 'values' in inventory: - validate_plan_object(inventory['values'], summary.values, relative_path, "") + validate_plan_object(inventory['values'], summary.values, relative_path, + "") if 'counts' in inventory: expected_counts = inventory['counts'] @@ -216,7 +225,8 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None, return summary -def validate_plan_object(expected_value, plan_value, relative_path, relative_address): +def validate_plan_object(expected_value, plan_value, relative_path, + relative_address): """ Validate that plan object matches inventory @@ -233,7 +243,8 @@ def validate_plan_object(expected_value, plan_value, relative_path, relative_add for k, v in expected_value.items(): assert k in plan_value, \ f'{relative_path}: {k} is not a valid address in the plan' - validate_plan_object(v, plan_value[k], relative_path, f'{relative_address}.{k}') + validate_plan_object(v, plan_value[k], relative_path, + f'{relative_address}.{k}') # lists elif isinstance(expected_value, list) and isinstance(plan_value, list): @@ -241,7 +252,8 @@ def validate_plan_object(expected_value, plan_value, relative_path, relative_add f'{relative_path}: {relative_address} has different length. Got {plan_value}, expected {expected_value}' for i, (exp, actual) in enumerate(zip(expected_value, plan_value)): - validate_plan_object(exp, actual, relative_path, f'{relative_address}[{i}]') + validate_plan_object(exp, actual, relative_path, + f'{relative_address}[{i}]') # all other objects else: 
@@ -269,6 +281,107 @@ def plan_validator_fixture(request): return inner +def e2e_validator(module_path, extra_files, tf_var_files, basedir=None): + """Function running apply, plan and destroy to verify the case end to end + + 1. Tests whether apply does not return errors + 2. Tests whether plan after apply is empty + 3. Tests whether destroy does not return errors + """ + module_path = _REPO_ROOT / module_path + with _prepare_root_module(module_path) as test_path: + binary = os.environ.get('TERRAFORM', 'terraform') + tf = tftest.TerraformTest(test_path, binary=binary) + extra_files = [(module_path / filename).resolve() + for x in extra_files or [] + for filename in glob.glob(x, root_dir=module_path)] + tf.setup(extra_files=extra_files, upgrade=True) + tf_var_files = [(basedir / x).resolve() for x in tf_var_files or []] + + try: + apply = tf.apply(tf_var_file=tf_var_files) + plan = tf.plan(output=True, tf_var_file=tf_var_files) + changes = {} + for resource_name, value in plan.resource_changes.items(): + if value.get('change', {}).get('actions') != ['no-op']: + changes[resource_name] = value + + # compare before with after to raise more meaningful failure to the user, i.e one + # that shows how resource will change + plan_before_state = {k: v['before'] for k, v in changes.items()} + plan_after_state = {k: v['after'] for k, v in changes.items()} + + assert plan_before_state == plan_after_state, f'Plan not empty after apply for values' + + plan_before_sensitive_state = { + k: v['before_sensitive'] for k, v in changes.items() + } + plan_after_sensitive_state = { + k: v['after_sensitive'] for k, v in changes.items() + } + assert plan_before_sensitive_state == plan_after_sensitive_state, f'Plan not empty after apply for sensitive values' + + # If above did not fail, this should not either, but left as a safety check + assert changes == {}, f'Plan not empty for following resources: {", ".join(changes.keys())}' + finally: + destroy = tf.destroy(tf_var_file=tf_var_files) + 
+ +@pytest.fixture(name='e2e_validator') +def e2e_validator_fixture(request): + """Return a function to run end-to-end test + + In the returned function `basedir` becomes optional and it defaults + to the directory of the calling test + + """ + + def inner(module_path: str, extra_files: list, tf_var_files: list, + basedir: os.PathLike = None): + if basedir is None: + basedir = Path(request.fspath).parent + return e2e_validator(module_path, extra_files, tf_var_files, basedir) + + return inner + + +@pytest.fixture(scope='session', name='e2e_tfvars_path') +def e2e_tfvars_path(): + """Fixture preparing end-to-end test environment + + If TFTEST_E2E_TFVARS_PATH is set in the environment, then assume the environment is already provisioned + and necessary variables are set in the file to which variable is pointing to. + + Otherwise, create a unique test environment (in case of multiple workers - as many environments as + there are workers), that will be injected into each example test instead of `tests/examples/variables.tf`. + + Returns path to tfvars file that contains information about envrionment to use for the tests. 
+ """ + if tfvars_path := os.environ.get('TFTEST_E2E_TFVARS_PATH'): + # no need to set up the project + if int(os.environ.get('PYTEST_XDIST_WORKER_COUNT', '0')) > 1: + raise RuntimeError( + 'Setting TFTEST_E2E_TFVARS_PATH is not compatible with running tests in parallel' + ) + yield tfvars_path + else: + with _prepare_root_module(_REPO_ROOT / 'tests' / 'examples_e2e' / + 'setup_module') as test_path: + binary = os.environ.get('TERRAFORM', 'terraform') + tf = tftest.TerraformTest(test_path, binary=binary) + tf_vars_file = None + tf_vars = { + 'suffix': os.environ.get("PYTEST_XDIST_WORKER", "0"), + 'timestamp': str(int(time.time())) + } + if 'TFTEST_E2E_SETUP_TFVARS_PATH' in os.environ: + tf_vars_file = os.environ["TFTEST_E2E_SETUP_TFVARS_PATH"] + tf.setup(upgrade=True) + tf.apply(tf_vars=tf_vars, tf_var_file=tf_vars_file) + yield test_path / "e2e_tests.tfvars" + tf.destroy(tf_vars=tf_vars, tf_var_file=tf_vars_file) + + # @pytest.fixture # def repo_root(): # 'Return a pathlib.Path to the root of the repository' diff --git a/tests/modules/__init__.py b/tests/modules/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/__init__.py +++ b/tests/modules/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/alloydb_instance/examples/alloydb_instance.yaml b/tests/modules/alloydb_instance/examples/alloydb_instance.yaml index bf9a7c7e..80ed0738 100644 --- a/tests/modules/alloydb_instance/examples/alloydb_instance.yaml +++ b/tests/modules/alloydb_instance/examples/alloydb_instance.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/tests/modules/cloud_config_container_coredns/__init__.py b/tests/modules/cloud_config_container_coredns/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/cloud_config_container_coredns/__init__.py +++ b/tests/modules/cloud_config_container_coredns/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/cloud_config_container_mysql/__init__.py b/tests/modules/cloud_config_container_mysql/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/cloud_config_container_mysql/__init__.py +++ b/tests/modules/cloud_config_container_mysql/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/blueprints/apigee/bigquery-analytics/versions.tf b/tests/modules/cloud_function_v1/assets/sample-function/main.py similarity index 62% rename from blueprints/apigee/bigquery-analytics/versions.tf rename to tests/modules/cloud_function_v1/assets/sample-function/main.py index 3963660f..0e09377c 100644 --- a/blueprints/apigee/bigquery-analytics/versions.tf +++ b/tests/modules/cloud_function_v1/assets/sample-function/main.py @@ -4,7 +4,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# https://www.apache.org/licenses/LICENSE-2.0 +# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, 
@@ -12,18 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} +import functions_framework +@functions_framework.http +def main(request): + return "Hello World!" diff --git a/tests/modules/cloud_run/examples/simple.yaml b/tests/modules/cloud_run/examples/simple.yaml index 0964624c..fa29c512 100644 --- a/tests/modules/cloud_run/examples/simple.yaml +++ b/tests/modules/cloud_run/examples/simple.yaml @@ -19,7 +19,7 @@ values: metadata: - {} name: hello - project: my-project + project: project-id template: - metadata: - {} @@ -45,7 +45,7 @@ values: location: europe-west1 members: - allUsers - project: my-project + project: project-id role: roles/run.invoker service: hello diff --git a/tests/modules/compute_vm/examples/tag-bindings.yaml b/tests/modules/compute_vm/examples/tag-bindings.yaml new file mode 100644 index 00000000..2f978824 --- /dev/null +++ b/tests/modules/compute_vm/examples/tag-bindings.yaml 
@@ -0,0 +1,83 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.simple-vm-example.google_compute_instance.default[0]: + advanced_machine_features: [] + allow_stopping_for_update: true + attached_disk: [] + boot_disk: + - auto_delete: true + disk_encryption_key_raw: null + initialize_params: + - image: projects/debian-cloud/global/images/family/debian-11 + resource_manager_tags: + tagKeys/1234567890: tagValues/7890123456 + size: 10 + type: pd-balanced + mode: READ_WRITE + can_ip_forward: false + deletion_protection: false + description: Managed by the compute-vm Terraform module. 
+ desired_status: null + enable_display: false + hostname: null + labels: null + machine_type: f1-micro + metadata: null + metadata_startup_script: null + name: test + network_interface: + - access_config: [] + alias_ip_range: [] + ipv6_access_config: [] + network: projects/xxx/global/networks/aaa + nic_type: null + queue_count: null + security_policy: null + subnetwork: subnet_self_link + network_performance_config: [] + params: + - resource_manager_tags: + tagKeys/1234567890: tagValues/7890123456 + project: project-id + resource_policies: null + scheduling: + - automatic_restart: true + instance_termination_action: null + local_ssd_recovery_timeout: [] + maintenance_interval: null + max_run_duration: [] + min_node_cpus: null + node_affinities: [] + on_host_maintenance: MIGRATE + preemptible: false + provisioning_model: STANDARD + scratch_disk: [] + service_account: + - scopes: + - https://www.googleapis.com/auth/devstorage.read_only + - https://www.googleapis.com/auth/logging.write + - https://www.googleapis.com/auth/monitoring.write + shielded_instance_config: [] + tags: null + timeouts: null + zone: europe-west1-b + +counts: + google_compute_instance: 1 + modules: 1 + resources: 1 + +outputs: {} diff --git a/tests/modules/conftest.py b/tests/modules/conftest.py index c199cff7..ce707bbd 100644 --- a/tests/modules/conftest.py +++ b/tests/modules/conftest.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/dataplex/examples/dataplex_lake.yaml b/tests/modules/dataplex/examples/dataplex_lake.yaml index 38655101..9a0bab00 100644 --- a/tests/modules/dataplex/examples/dataplex_lake.yaml +++ b/tests/modules/dataplex/examples/dataplex_lake.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/folder/__init__.py b/tests/modules/folder/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/folder/__init__.py +++ b/tests/modules/folder/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/folder/examples/hfw.yaml b/tests/modules/folder/examples/hfw.yaml index b2f2a4f2..be3d864a 100644 --- a/tests/modules/folder/examples/hfw.yaml +++ b/tests/modules/folder/examples/hfw.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/folder/examples/iam.yaml b/tests/modules/folder/examples/iam.yaml index 39fa5652..a1c06e46 100644 --- a/tests/modules/folder/examples/iam.yaml +++ b/tests/modules/folder/examples/iam.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/folder/examples/logging-data-access.yaml b/tests/modules/folder/examples/logging-data-access.yaml index 91bcdd6e..60b38725 100644 --- a/tests/modules/folder/examples/logging-data-access.yaml +++ b/tests/modules/folder/examples/logging-data-access.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/tests/modules/folder/examples/logging.yaml b/tests/modules/folder/examples/logging.yaml index 79b0e007..b55b4bbb 100644 --- a/tests/modules/folder/examples/logging.yaml +++ b/tests/modules/folder/examples/logging.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/folder/examples/tags.yaml b/tests/modules/folder/examples/tags.yaml index 047fea06..1451b6d1 100644 --- a/tests/modules/folder/examples/tags.yaml +++ b/tests/modules/folder/examples/tags.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/folder/test_plan_org_policies.py b/tests/modules/folder/test_plan_org_policies.py index 16184537..7e52704e 100644 --- a/tests/modules/folder/test_plan_org_policies.py +++ b/tests/modules/folder/test_plan_org_policies.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/gke_cluster_standard/examples/backup.yaml b/tests/modules/gke_cluster_standard/examples/backup.yaml index b65b2a4f..97259a3c 100644 --- a/tests/modules/gke_cluster_standard/examples/backup.yaml +++ b/tests/modules/gke_cluster_standard/examples/backup.yaml 
@@ -19,15 +19,20 @@ values: module.cluster-1.google_gke_backup_backup_plan.backup_plan["backup-1"]: backup_config: - - all_namespaces: true + - all_namespaces: null encryption_key: [] include_secrets: true include_volume_data: true - selected_applications: [] + selected_applications: + - namespaced_names: + - namespace: namespace-1 + name: app-1 + - namespace: namespace-1 + name: app-2 selected_namespaces: [] backup_schedule: - cron_schedule: 0 9 * * 1 - location: europe-west-2 + location: europe-west2 name: backup-1 project: project-id retention_policy: diff --git a/tests/modules/gke_nodepool/examples/guest-accelerator.yaml b/tests/modules/gke_nodepool/examples/guest-accelerator.yaml new file mode 100644 index 00000000..5f125ef6 --- /dev/null +++ b/tests/modules/gke_nodepool/examples/guest-accelerator.yaml 
@@ -0,0 +1,42 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.cluster-1-nodepool-gpu-1.google_container_node_pool.nodepool: + cluster: cluster-1 + location: europe-west4-a + name: nodepool-gpu-1 + node_config: + - boot_disk_kms_key: null + disk_size_gb: 50 + disk_type: pd-ssd + ephemeral_storage_config: + - local_ssd_count: 1 + ephemeral_storage_local_ssd_config: [] + guest_accelerator: + - count: 1 + gpu_driver_installation_config: + - gpu_driver_version: LATEST + gpu_partition_size: null + gpu_sharing_config: + - gpu_sharing_strategy: null + max_shared_clients_per_gpu: null + type: nvidia-tesla-a100 + gvnic: [] + machine_type: a2-highgpu-1g + spot: true + project: myproject + +counts: + google_container_node_pool: 1 diff --git a/tests/modules/iam_service_account/examples/basic.yaml b/tests/modules/iam_service_account/examples/basic.yaml index 2a1f4efc..85ae8ad3 100644 --- a/tests/modules/iam_service_account/examples/basic.yaml +++ b/tests/modules/iam_service_account/examples/basic.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/net_lb_app_ext/test-plan.yaml b/tests/modules/net_lb_app_ext/test-plan.yaml index e05939e1..8ca6fcd0 100644 --- a/tests/modules/net_lb_app_ext/test-plan.yaml 
+++ b/tests/modules/net_lb_app_ext/test-plan.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/net_lb_app_ext/tftest.yaml b/tests/modules/net_lb_app_ext/tftest.yaml index 6e242ecd..36539362 100644 --- a/tests/modules/net_lb_app_ext/tftest.yaml +++ b/tests/modules/net_lb_app_ext/tftest.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/net_lb_app_int/__init__.py b/tests/modules/net_lb_app_int/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/net_lb_app_int/__init__.py +++ b/tests/modules/net_lb_app_int/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/net_lb_ext/defaults.tfvars b/tests/modules/net_lb_ext/defaults.tfvars new file mode 100644 index 00000000..2b34e7c9 --- /dev/null +++ b/tests/modules/net_lb_ext/defaults.tfvars @@ -0,0 +1,7 @@ +project_id = "my-project" +region = "europe-west1" +name = "nlb-test" +backends = [{ + group = "foo" + failover = false +}] diff --git a/tests/modules/net_lb_ext/defaults.yaml b/tests/modules/net_lb_ext/defaults.yaml new file mode 100644 index 00000000..d0d8ff7a --- /dev/null +++ b/tests/modules/net_lb_ext/defaults.yaml 
@@ -0,0 +1,46 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + google_compute_forwarding_rule.forwarding_rules[""]: + all_ports: true + ip_protocol: TCP + labels: null + load_balancing_scheme: EXTERNAL + name: nlb-test + project: my-project + region: europe-west1 + google_compute_region_backend_service.default: + backend: + - balancing_mode: CONNECTION + capacity_scaler: null + description: Terraform managed. + failover: false + group: foo + max_connections: null + max_connections_per_endpoint: null + max_connections_per_instance: null + max_rate: null + max_rate_per_endpoint: null + max_rate_per_instance: null + max_utilization: null + load_balancing_scheme: EXTERNAL + name: nlb-test + project: my-project + protocol: UNSPECIFIED + region: europe-west1 + +counts: + google_compute_forwarding_rule: 1 + google_compute_region_backend_service: 1 diff --git a/tests/modules/net_lb_ext/dual-stack.tfvars b/tests/modules/net_lb_ext/dual-stack.tfvars new file mode 100644 index 00000000..3d0ebe0b --- /dev/null +++ b/tests/modules/net_lb_ext/dual-stack.tfvars @@ -0,0 +1,15 @@ +project_id = "my-project" +region = "europe-west1" +name = "nlb-test" +backends = [{ + group = "foo" + failover = false +}] +forwarding_rules_config = { + ipv4 = { + ip_version = "IPV4" + } + ipv6 = { + ip_version = "IPV6" + } +} 
diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/versions.tf b/tests/modules/net_lb_ext/dual-stack.yaml similarity index 62% rename from blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/versions.tf rename to tests/modules/net_lb_ext/dual-stack.yaml index 3963660f..8caff192 100644 --- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/versions.tf +++ b/tests/modules/net_lb_ext/dual-stack.yaml @@ -4,7 +4,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# https://www.apache.org/licenses/LICENSE-2.0 +# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -12,18 +12,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - +values: + google_compute_forwarding_rule.forwarding_rules["ipv4"]: + ip_version: "IPV4" + google_compute_forwarding_rule.forwarding_rules["ipv6"]: + ip_version: "IPV6" +counts: + google_compute_forwarding_rule: 2 + google_compute_region_backend_service: 1 diff --git a/tests/modules/net_lb_ext/forwarding-rule.tfvars b/tests/modules/net_lb_ext/forwarding-rule.tfvars new file mode 100644 index 00000000..9222e4a9 --- /dev/null +++ b/tests/modules/net_lb_ext/forwarding-rule.tfvars @@ -0,0 +1,13 @@ +project_id = "my-project" +region = "europe-west1" +name = "nlb-test" +backends = [{ + group = "foo" + failover = false +}] +forwarding_rules_config = { + "port-80" = { + ports = [80] + } +} + 
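Review bot: git reports the new fixtures `tests/modules/cloud_function_v1/assets/sample-function/main.py` and `tests/modules/net_lb_ext/dual-stack.yaml` as 62% renames of `blueprints/apigee/bigquery-analytics/versions.tf` and `blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/versions.tf`, which means those blueprints' `versions.tf` (carrying `required_version = ">= 1.4.4"` and the `>= 5.0.0` pins for `hashicorp/google` and `hashicorp/google-beta`) are deleted by this patch; the same rename pattern appears further down for `blueprints/cloud-operations/adfs/versions.tf` and `blueprints/cloud-operations/asset-inventory-feed-remediation/versions.tf`. If the removal is deliberate, the PR description should state where those blueprints' provider constraints now come from; if it is a by-product of shuffling files, restore the four `versions.tf`. Minor: the retained license header in each of these files flips from `https://www.apache.org/licenses/LICENSE-2.0` to `http://`, which is only a rename artifact but will show up in any header-consistency check.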
diff --git a/blueprints/cloud-operations/adfs/versions.tf b/tests/modules/net_lb_ext/forwarding-rule.yaml similarity index 62% rename from blueprints/cloud-operations/adfs/versions.tf rename to tests/modules/net_lb_ext/forwarding-rule.yaml index 3963660f..f60787d6 100644 --- a/blueprints/cloud-operations/adfs/versions.tf +++ b/tests/modules/net_lb_ext/forwarding-rule.yaml @@ -4,7 +4,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# https://www.apache.org/licenses/LICENSE-2.0 +# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -12,18 +12,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - +values: + google_compute_forwarding_rule.forwarding_rules["port-80"]: + all_ports: null + ports: + - '80' +counts: + google_compute_forwarding_rule: 1 + google_compute_region_backend_service: 1 diff --git a/blueprints/cloud-operations/asset-inventory-feed-remediation/versions.tf b/tests/modules/net_lb_ext/tftest.yaml similarity index 62% rename from blueprints/cloud-operations/asset-inventory-feed-remediation/versions.tf rename to tests/modules/net_lb_ext/tftest.yaml index 3963660f..c219e478 100644 --- a/blueprints/cloud-operations/asset-inventory-feed-remediation/versions.tf +++ b/tests/modules/net_lb_ext/tftest.yaml 
@@ -4,7 +4,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# https://www.apache.org/licenses/LICENSE-2.0 +# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -12,18 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -terraform { - required_version = ">= 1.4.4" - required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.0.0" # tftest - } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.0.0" # tftest - } - } -} - +module: modules/net-lb-ext +tests: + defaults: + dual-stack: + forwarding-rule: diff --git a/tests/modules/net_lb_int/defaults.tfvars b/tests/modules/net_lb_int/defaults.tfvars index 3671a69d..6d09de6e 100644 --- a/tests/modules/net_lb_int/defaults.tfvars +++ b/tests/modules/net_lb_int/defaults.tfvars @@ -6,7 +6,6 @@ vpc_config = { subnetwork = "default" } backends = [{ - balancing_mode = "CONNECTION" - group = "foo" - failover = false + group = "foo" + failover = false }] diff --git a/tests/modules/net_lb_int/defaults.yaml b/tests/modules/net_lb_int/defaults.yaml index dcbc12d0..d35fa935 100644 --- a/tests/modules/net_lb_int/defaults.yaml +++ b/tests/modules/net_lb_int/defaults.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - google_compute_forwarding_rule.default: + google_compute_forwarding_rule.forwarding_rules[""]: all_ports: true ip_protocol: TCP labels: null diff --git a/tests/modules/net_lb_int/forwarding-rule.tfvars b/tests/modules/net_lb_int/forwarding-rule.tfvars index c204090e..5f5b1d24 100644 --- a/tests/modules/net_lb_int/forwarding-rule.tfvars +++ b/tests/modules/net_lb_int/forwarding-rule.tfvars 
@@ -6,9 +6,14 @@ vpc_config = { subnetwork = "default" } backends = [{ - balancing_mode = "CONNECTION" - group = "foo" - failover = false + group = "foo" + failover = false }] global_access = true -ports = [80] + +forwarding_rules_config = { + "port-80" = { + ports = [80] + } +} + diff --git a/tests/modules/net_lb_int/forwarding-rule.yaml b/tests/modules/net_lb_int/forwarding-rule.yaml index 3608afcd..c29bda27 100644 --- a/tests/modules/net_lb_int/forwarding-rule.yaml +++ b/tests/modules/net_lb_int/forwarding-rule.yaml @@ -13,7 +13,7 @@ # limitations under the License. values: - google_compute_forwarding_rule.default: + google_compute_forwarding_rule.forwarding_rules["port-80"]: all_ports: null allow_global_access: true ports: diff --git a/tests/modules/net_vpc/__init__.py b/tests/modules/net_vpc/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/net_vpc/__init__.py +++ b/tests/modules/net_vpc/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/net_vpc/shared_vpc.yaml b/tests/modules/net_vpc/shared_vpc.yaml index 5b6ffd3e..747e6c7e 100644 --- a/tests/modules/net_vpc/shared_vpc.yaml +++ b/tests/modules/net_vpc/shared_vpc.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/net_vpc_peering/__init__.py b/tests/modules/net_vpc_peering/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/net_vpc_peering/__init__.py +++ b/tests/modules/net_vpc_peering/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
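Review bot: the `tests/modules/net_lb_int/forwarding-rule.tfvars` hunk drops the top-level `ports = [80]` input in favour of `forwarding_rules_config = { "port-80" = { ports = [80] } }`, and `defaults.yaml` now expects the address `google_compute_forwarding_rule.forwarding_rules[""]` instead of `google_compute_forwarding_rule.default`; if the module's `ports` variable was removed rather than kept as a deprecated alias, both are breaking changes for `net-lb-int` (callers passing `ports` fail validation, and the forwarding rule is recreated on upgrade unless a `moved` block or `terraform state mv` is provided), so the CHANGELOG entry for this PR should say so and the README should show the new input and the migration path. On the new `net_lb_ext` fixtures: `defaults.yaml` codifies `all_ports: true`, `ip_protocol: TCP` and `load_balancing_scheme: EXTERNAL` when no `forwarding_rules_config` is supplied, i.e. an internet-facing passthrough NLB created with only the required inputs forwards every TCP port to its backends. That mirrors the internal module's default, but for the external variant it deserves an explicit sentence in the README telling users to set `ports` on each forwarding rule when they want narrower exposure. Consistency nits: `dual-stack.yaml` quotes `"IPV4"`/`"IPV6"` while the other expectation files use bare scalars, and `forwarding-rule.tfvars` ends with a stray blank line.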
diff --git a/tests/modules/organization/__init__.py b/tests/modules/organization/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/organization/__init__.py +++ b/tests/modules/organization/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/data/firewall-cidrs.yaml b/tests/modules/organization/data/firewall-cidrs.yaml index 939bec32..35931c2b 100644 --- a/tests/modules/organization/data/firewall-cidrs.yaml +++ b/tests/modules/organization/data/firewall-cidrs.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/data/firewall-rules.yaml b/tests/modules/organization/data/firewall-rules.yaml index 1b90983e..561332ef 100644 --- a/tests/modules/organization/data/firewall-rules.yaml +++ b/tests/modules/organization/data/firewall-rules.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/examples/custom-constraints.yaml b/tests/modules/organization/examples/custom-constraints.yaml index db302398..b0253409 100644 --- a/tests/modules/organization/examples/custom-constraints.yaml +++ b/tests/modules/organization/examples/custom-constraints.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/tests/modules/organization/examples/hfw.yaml b/tests/modules/organization/examples/hfw.yaml index aba4bb3e..874e5389 100644 --- a/tests/modules/organization/examples/hfw.yaml +++ b/tests/modules/organization/examples/hfw.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/examples/logging-data-access.yaml b/tests/modules/organization/examples/logging-data-access.yaml index b3507742..a566da2f 100644 --- a/tests/modules/organization/examples/logging-data-access.yaml +++ b/tests/modules/organization/examples/logging-data-access.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/examples/logging.yaml b/tests/modules/organization/examples/logging.yaml index 68df72bc..d42ac424 100644 --- a/tests/modules/organization/examples/logging.yaml +++ b/tests/modules/organization/examples/logging.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/examples/network-tags.yaml b/tests/modules/organization/examples/network-tags.yaml index 9cacffb6..d9c28724 100644 --- a/tests/modules/organization/examples/network-tags.yaml +++ b/tests/modules/organization/examples/network-tags.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/tests/modules/organization/examples/roles.yaml b/tests/modules/organization/examples/roles.yaml index 4705d195..ae5c9cd8 100644 --- a/tests/modules/organization/examples/roles.yaml +++ b/tests/modules/organization/examples/roles.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/examples/tags.yaml b/tests/modules/organization/examples/tags.yaml index afbb7f8f..390aea5a 100644 --- a/tests/modules/organization/examples/tags.yaml +++ b/tests/modules/organization/examples/tags.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/org_policies_boolean.yaml b/tests/modules/organization/org_policies_boolean.yaml index 00f98b06..30352b42 100644 --- a/tests/modules/organization/org_policies_boolean.yaml +++ b/tests/modules/organization/org_policies_boolean.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/org_policies_custom_constraints.yaml b/tests/modules/organization/org_policies_custom_constraints.yaml index c558c066..40043575 100644 --- a/tests/modules/organization/org_policies_custom_constraints.yaml +++ b/tests/modules/organization/org_policies_custom_constraints.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/tests/modules/organization/org_policies_list.yaml b/tests/modules/organization/org_policies_list.yaml index 393eadde..1f1c1bf9 100644 --- a/tests/modules/organization/org_policies_list.yaml +++ b/tests/modules/organization/org_policies_list.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/tags.yaml b/tests/modules/organization/tags.yaml index 3e5524d4..af2eafb5 100644 --- a/tests/modules/organization/tags.yaml +++ b/tests/modules/organization/tags.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/organization/test_plan_org_policies.py b/tests/modules/organization/test_plan_org_policies.py index f5002523..9a5d4a45 100644 --- a/tests/modules/organization/test_plan_org_policies.py +++ b/tests/modules/organization/test_plan_org_policies.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/__init__.py b/tests/modules/project/__init__.py index 6d6d1266..7ba50f93 100644 --- a/tests/modules/project/__init__.py +++ b/tests/modules/project/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/examples/basic.yaml b/tests/modules/project/examples/basic.yaml index a6ae5af3..56e6ecc0 100644 --- a/tests/modules/project/examples/basic.yaml +++ b/tests/modules/project/examples/basic.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/examples/iam-authoritative.yaml b/tests/modules/project/examples/iam-authoritative.yaml index d6e33ab2..eeb77aa6 100644 --- a/tests/modules/project/examples/iam-authoritative.yaml +++ b/tests/modules/project/examples/iam-authoritative.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/examples/iam-group.yaml b/tests/modules/project/examples/iam-group.yaml index 02728d01..0ca2ecdb 100644 --- a/tests/modules/project/examples/iam-group.yaml +++ b/tests/modules/project/examples/iam-group.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/examples/kms.yaml b/tests/modules/project/examples/kms.yaml index b3981881..4561262f 100644 --- a/tests/modules/project/examples/kms.yaml +++ b/tests/modules/project/examples/kms.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/examples/logging-data-access.yaml b/tests/modules/project/examples/logging-data-access.yaml index c6533839..3b35bbdc 100644 --- a/tests/modules/project/examples/logging-data-access.yaml +++ b/tests/modules/project/examples/logging-data-access.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/examples/outputs.yaml b/tests/modules/project/examples/outputs.yaml index 33989662..3a147e0b 100644 --- a/tests/modules/project/examples/outputs.yaml +++ b/tests/modules/project/examples/outputs.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/examples/shared-vpc.yaml b/tests/modules/project/examples/shared-vpc.yaml index b03f220a..169c897d 100644 --- a/tests/modules/project/examples/shared-vpc.yaml +++ b/tests/modules/project/examples/shared-vpc.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/no_parent.yaml b/tests/modules/project/no_parent.yaml index 57f2fbd4..66a8eaef 100644 --- a/tests/modules/project/no_parent.yaml +++ b/tests/modules/project/no_parent.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/no_prefix.yaml b/tests/modules/project/no_prefix.yaml index 6322ca9c..6c618bca 100644 --- a/tests/modules/project/no_prefix.yaml +++ b/tests/modules/project/no_prefix.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/tests/modules/project/org_policies_boolean.yaml b/tests/modules/project/org_policies_boolean.yaml index 4f23958f..71712e46 100644 --- a/tests/modules/project/org_policies_boolean.yaml +++ b/tests/modules/project/org_policies_boolean.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/org_policies_list.yaml b/tests/modules/project/org_policies_list.yaml index 2f1c64e0..62849314 100644 --- a/tests/modules/project/org_policies_list.yaml +++ b/tests/modules/project/org_policies_list.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/parent_folder.yaml b/tests/modules/project/parent_folder.yaml index 684f94d8..8117163e 100644 --- a/tests/modules/project/parent_folder.yaml +++ b/tests/modules/project/parent_folder.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/parent_org.yaml b/tests/modules/project/parent_org.yaml index ded3f6f3..18a65056 100644 --- a/tests/modules/project/parent_org.yaml +++ b/tests/modules/project/parent_org.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/prefix.yaml b/tests/modules/project/prefix.yaml index e5126e20..4ed5927f 100644 --- a/tests/modules/project/prefix.yaml +++ b/tests/modules/project/prefix.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/service_encryption_keys.yaml b/tests/modules/project/service_encryption_keys.yaml index 8e2bd823..a68c5f4a 100644 --- a/tests/modules/project/service_encryption_keys.yaml +++ b/tests/modules/project/service_encryption_keys.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/test_plan.py b/tests/modules/project/test_plan.py index 50d50b3c..0eff3417 100644 --- a/tests/modules/project/test_plan.py +++ b/tests/modules/project/test_plan.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/test_plan_org_policies.py b/tests/modules/project/test_plan_org_policies.py index fef2a8aa..30354aea 100644 --- a/tests/modules/project/test_plan_org_policies.py +++ b/tests/modules/project/test_plan_org_policies.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tests/modules/project/tftest.yaml b/tests/modules/project/tftest.yaml index 2fda31b7..2f7e633a 100644 --- a/tests/modules/project/tftest.yaml +++ b/tests/modules/project/tftest.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/tools/__init__.py b/tools/__init__.py index bb545f47..5678014c 100644 --- a/tools/__init__.py +++ b/tools/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tools/changelog.py b/tools/changelog.py index 2de26819..cbf1f2ab 100755 --- a/tools/changelog.py +++ b/tools/changelog.py @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tools/check_boilerplate.py b/tools/check_boilerplate.py index 839b1952..a0f3ad87 100755 --- a/tools/check_boilerplate.py +++ b/tools/check_boilerplate.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tools/state_iam.py b/tools/state_iam.py index 00c549a6..bfd3bbde 100755 --- a/tools/state_iam.py +++ b/tools/state_iam.py @@ -1,5 +1,5 @@ #!/usr/bin/env python3 -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/tools/validate_schema.py b/tools/validate_schema.py index 7556667b..461b448d 100755 --- a/tools/validate_schema.py +++ b/tools/validate_schema.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Copyright 2022 Google LLC +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License.
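Review bot: the license URL in the first hunk of the net-lb-int test file is changed from `https://www.apache.org/licenses/LICENSE-2.0` to `http://www.apache.org/licenses/LICENSE-2.0`, which looks like a paste from an older header rather than an intended edit. Keep the https form so this file stays consistent with the rest of the repository's boilerplate and with whatever `tools/check_boilerplate.py` (also touched in this patch) is matching.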
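Review bot: `module: modules/net-lb-ext` in the `@@ -12,18 +12,9 @@` hunk does not match the fixtures this patch adds, which all live under `tests/modules/net_lb_int/` and assert on `google_compute_forwarding_rule.forwarding_rules[...]`; this reads as a copy-paste slip from the external load balancer tests and should be `modules/net-lb-int` unless the mismatch is deliberate. The `dual-stack:` entry under `tests:` also has no `dual-stack.tfvars` or `dual-stack.yaml` among the hunks shown here, so confirm both fixture files are part of the change.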
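Review bot: dropping `balancing_mode = "CONNECTION"` from the backend in `tests/modules/net_lb_int/defaults.tfvars` makes the test depend on the module's new default for that attribute, while the matching `defaults.yaml` hunk only asserts on the forwarding rule. Add the expected backend `balancing_mode` to `defaults.yaml` so a later change to that default fails the test instead of passing silently.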
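Review bot: in `tests/modules/net_lb_int/defaults.yaml` the default forwarding rule is now addressed as `google_compute_forwarding_rule.forwarding_rules[""]`, an empty-string map key. An empty key is easy to misread and awkward to reference from other configuration; a named key such as `"default"` would be clearer. Reviewers should also note that the defaults keep `all_ports: true`, so a forwarding rule created without an explicit `ports` list forwards every port to the backends; the `forwarding-rule` fixture in this patch is what exercises the restricted-ports path.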
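Review bot: in `tests/modules/net_lb_int/forwarding-rule.tfvars` the `ports` setting moves into the per-rule `forwarding_rules_config` block while `global_access = true` stays a top-level variable, yet `forwarding-rule.yaml` asserts `allow_global_access: true` on the individual `forwarding_rules["port-80"]` resource. If global access is meant to be configurable per forwarding rule, it belongs inside `forwarding_rules_config` beside `ports`; if it is intentionally shared by every rule, say so in the module documentation. The hunk also leaves a trailing blank `+` line at end of file, which should be dropped.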
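Review bot: the `2022 Google LLC` to `2023 Google LLC` header bumps across `tests/modules/*` and `tools/*` are mechanical, header-only changes unrelated to the net-lb-int work and they make the functional part of this patch harder to find; consider landing them as a separate commit. Since `tools/check_boilerplate.py` is only bumped in its own header here, confirm it still accepts the 2022 headers of files this patch does not touch.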