Merge branch 'master' into net-dash-psa
This commit is contained in:
Aurélien Legrand
GitHub
commit
2cb576c8b6
|
|
@ -262,6 +262,7 @@ terraform init
|
|||
terraform apply \
|
||||
-var bootstrap_user=$(gcloud config list --format 'value(core.account)')
|
||||
```
|
||||
> If you see an error related to project name already exists, please make sure the project name is unique or the project was not deleted recently
|
||||
|
||||
Once the initial `apply` completes successfully, configure a remote backend using the new GCS bucket, and impersonation on the automation service account for this stage. To do this you can use the generated `providers.tf` file if you have configured output files as described above, or extract its contents from Terraform's output, then migrate state with `terraform init`:
|
||||
|
||||
|
|
|
|||
|
|
@ -111,11 +111,11 @@ module "automation-tf-bootstrap-gcs" {
|
|||
}
|
||||
|
||||
module "automation-tf-bootstrap-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = module.automation-project.project_id
|
||||
name = "bootstrap-0"
|
||||
description = "Terraform organization bootstrap service account."
|
||||
prefix = local.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = module.automation-project.project_id
|
||||
name = "bootstrap-0"
|
||||
display_name = "Terraform organization bootstrap service account."
|
||||
prefix = local.prefix
|
||||
# allow SA used by CI/CD workflow to impersonate this SA
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
|
|
@ -144,11 +144,11 @@ module "automation-tf-cicd-gcs" {
|
|||
}
|
||||
|
||||
module "automation-tf-cicd-provisioning-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = module.automation-project.project_id
|
||||
name = "cicd-0"
|
||||
description = "Terraform stage 1 CICD service account."
|
||||
prefix = local.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = module.automation-project.project_id
|
||||
name = "cicd-0"
|
||||
display_name = "Terraform stage 1 CICD service account."
|
||||
prefix = local.prefix
|
||||
# allow SA used by CI/CD workflow to impersonate this SA
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
|
|
@ -177,11 +177,11 @@ module "automation-tf-resman-gcs" {
|
|||
}
|
||||
|
||||
module "automation-tf-resman-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = module.automation-project.project_id
|
||||
name = "resman-0"
|
||||
description = "Terraform stage 1 resman service account."
|
||||
prefix = local.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = module.automation-project.project_id
|
||||
name = "resman-0"
|
||||
display_name = "Terraform stage 1 resman service account."
|
||||
prefix = local.prefix
|
||||
# allow SA used by CI/CD workflow to impersonate this SA
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
|
|
|
|||
|
|
@ -87,12 +87,12 @@ module "automation-tf-cicd-repo" {
|
|||
# SAs used by CI/CD workflows to impersonate automation SAs
|
||||
|
||||
module "automation-tf-cicd-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = local.cicd_repositories
|
||||
project_id = module.automation-project.project_id
|
||||
name = "${each.key}-1"
|
||||
description = "Terraform CI/CD ${each.key} service account."
|
||||
prefix = local.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = local.cicd_repositories
|
||||
project_id = module.automation-project.project_id
|
||||
name = "${each.key}-1"
|
||||
display_name = "Terraform CI/CD ${each.key} service account."
|
||||
prefix = local.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
|
|||
|
|
@ -182,17 +182,18 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string project_id = string project_number = string federated_identity_pool = string federated_identity_providers = map(object({ issuer = string issuer_uri = string name = string principal_tpl = string principalset_tpl = string })) })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L38) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [organization](variables.tf#L191) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L215) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [organization](variables.tf#L197) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L221) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object({ data_platform_dev = object({ branch = string identity_provider = string name = string type = string }) data_platform_prod = object({ branch = string identity_provider = string name = string type = string }) gke_dev = object({ branch = string identity_provider = string name = string type = string }) gke_prod = object({ branch = string identity_provider = string name = string type = string }) networking = object({ branch = string identity_provider = string name = string type = string }) project_factory_dev = object({ branch = string identity_provider = string name = string type = string }) project_factory_prod = object({ branch = string identity_provider = string name = string type = string }) security = object({ branch = string identity_provider = string name = string type = string }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [custom_roles](variables.tf#L129) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>00-bootstrap</code> |
|
||||
| [fast_features](variables.tf#L138) | Selective control for top-level FAST features. | <code title="object({ data_platform = bool gke = bool project_factory = bool sandbox = bool teams = bool })">object({…})</code> | | <code title="{ data_platform = true gke = true project_factory = true sandbox = true teams = true }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L158) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [locations](variables.tf#L173) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = string gcs = string logging = string pubsub = list(string) })">object({…})</code> | | <code title="{ bq = "EU" gcs = "EU" logging = "global" pubsub = [] }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L201) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L209) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L226) | Customized names for resource management tags. | <code title="object({ context = string environment = string })">object({…})</code> | | <code title="{ context = "context" environment = "environment" }">{…}</code> | |
|
||||
| [team_folders](variables.tf#L243) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
| [data_dir](variables.tf#L138) | Relative path for the folder storing configuration data. | <code>string</code> | | <code>"data"</code> | |
|
||||
| [fast_features](variables.tf#L144) | Selective control for top-level FAST features. | <code title="object({ data_platform = bool gke = bool project_factory = bool sandbox = bool teams = bool })">object({…})</code> | | <code title="{ data_platform = true gke = true project_factory = true sandbox = true teams = true }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L164) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [locations](variables.tf#L179) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = string gcs = string logging = string pubsub = list(string) })">object({…})</code> | | <code title="{ bq = "EU" gcs = "EU" logging = "global" pubsub = [] }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L207) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L215) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L232) | Customized names for resource management tags. | <code title="object({ context = string environment = string })">object({…})</code> | | <code title="{ context = "context" environment = "environment" }">{…}</code> | |
|
||||
| [team_folders](variables.tf#L249) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
|||
|
|
@ -77,12 +77,12 @@ module "branch-dp-prod-folder" {
|
|||
# automation service accounts and buckets
|
||||
|
||||
module "branch-dp-dev-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-dp-0"
|
||||
description = "Terraform data platform development service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-dp-0"
|
||||
display_name = "Terraform data platform development service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-dp-dev-sa-cicd.0.iam_email, null)
|
||||
|
|
@ -94,12 +94,12 @@ module "branch-dp-dev-sa" {
|
|||
}
|
||||
|
||||
module "branch-dp-prod-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-dp-0"
|
||||
description = "Terraform data platform production service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-dp-0"
|
||||
display_name = "Terraform data platform production service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-dp-prod-sa-cicd.0.iam_email, null)
|
||||
|
|
|
|||
|
|
@ -69,12 +69,12 @@ module "branch-gke-prod-folder" {
|
|||
}
|
||||
|
||||
module "branch-gke-dev-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-gke-0"
|
||||
description = "Terraform gke multitenant dev service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-gke-0"
|
||||
display_name = "Terraform gke multitenant dev service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = concat(
|
||||
["group:${local.groups.gcp-devops}"],
|
||||
|
|
@ -89,12 +89,12 @@ module "branch-gke-dev-sa" {
|
|||
}
|
||||
|
||||
module "branch-gke-prod-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-gke-0"
|
||||
description = "Terraform gke multitenant prod service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.gke ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-gke-0"
|
||||
display_name = "Terraform gke multitenant prod service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = concat(
|
||||
["group:${local.groups.gcp-devops}"],
|
||||
|
|
|
|||
|
|
@ -86,11 +86,11 @@ module "branch-network-dev-folder" {
|
|||
# automation service account and bucket
|
||||
|
||||
module "branch-network-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-net-0"
|
||||
description = "Terraform resman networking service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-net-0"
|
||||
display_name = "Terraform resman networking service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-network-sa-cicd.0.iam_email, null)
|
||||
|
|
|
|||
|
|
@ -22,8 +22,8 @@ module "branch-pf-dev-sa" {
|
|||
project_id = var.automation.project_id
|
||||
name = "dev-resman-pf-0"
|
||||
# naming: environment in description
|
||||
description = "Terraform project factory development service account."
|
||||
prefix = var.prefix
|
||||
display_name = "Terraform project factory development service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-pf-dev-sa-cicd.0.iam_email, null)
|
||||
|
|
@ -40,8 +40,8 @@ module "branch-pf-prod-sa" {
|
|||
project_id = var.automation.project_id
|
||||
name = "prod-resman-pf-0"
|
||||
# naming: environment in description
|
||||
description = "Terraform project factory production service account."
|
||||
prefix = var.prefix
|
||||
display_name = "Terraform project factory production service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-pf-prod-sa-cicd.0.iam_email, null)
|
||||
|
|
|
|||
|
|
@ -68,10 +68,10 @@ moved {
|
|||
}
|
||||
|
||||
module "branch-sandbox-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.sandbox ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-sbox-0"
|
||||
description = "Terraform resman sandbox service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.sandbox ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-sbox-0"
|
||||
display_name = "Terraform resman sandbox service account."
|
||||
prefix = var.prefix
|
||||
}
|
||||
|
|
|
|||
|
|
@ -49,11 +49,11 @@ module "branch-security-folder" {
|
|||
# automation service account and bucket
|
||||
|
||||
module "branch-security-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-sec-0"
|
||||
description = "Terraform resman security service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-sec-0"
|
||||
display_name = "Terraform resman security service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-security-sa-cicd.0.iam_email, null)
|
||||
|
|
|
|||
|
|
@ -40,12 +40,12 @@ module "branch-teams-folder" {
|
|||
}
|
||||
|
||||
module "branch-teams-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.teams ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-teams-0"
|
||||
description = "Terraform resman teams service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.teams ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-teams-0"
|
||||
display_name = "Terraform resman teams service account."
|
||||
prefix = var.prefix
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.admin"]
|
||||
}
|
||||
|
|
@ -83,12 +83,12 @@ module "branch-teams-team-folder" {
|
|||
}
|
||||
|
||||
module "branch-teams-team-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-teams-${each.key}-0"
|
||||
description = "Terraform team ${each.key} service account."
|
||||
prefix = var.prefix
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-teams-${each.key}-0"
|
||||
display_name = "Terraform team ${each.key} service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = (
|
||||
each.value.impersonation_groups == null
|
||||
|
|
|
|||
|
|
@ -95,10 +95,10 @@ module "branch-dp-dev-sa-cicd" {
|
|||
? { 0 = local.cicd_repositories.data_platform_dev }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-dp-1"
|
||||
description = "Terraform CI/CD data platform development service account."
|
||||
prefix = var.prefix
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-dp-1"
|
||||
display_name = "Terraform CI/CD data platform development service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
@ -138,10 +138,10 @@ module "branch-dp-prod-sa-cicd" {
|
|||
? { 0 = local.cicd_repositories.data_platform_prod }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-dp-1"
|
||||
description = "Terraform CI/CD data platform production service account."
|
||||
prefix = var.prefix
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-dp-1"
|
||||
display_name = "Terraform CI/CD data platform production service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
|
|||
|
|
@ -95,10 +95,10 @@ module "branch-gke-dev-sa-cicd" {
|
|||
? { 0 = local.cicd_repositories.gke_dev }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-gke-1"
|
||||
description = "Terraform CI/CD GKE development service account."
|
||||
prefix = var.prefix
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-gke-1"
|
||||
display_name = "Terraform CI/CD GKE development service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
@ -138,10 +138,10 @@ module "branch-gke-prod-sa-cicd" {
|
|||
? { 0 = local.cicd_repositories.gke_prod }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-gke-1"
|
||||
description = "Terraform CI/CD GKE production service account."
|
||||
prefix = var.prefix
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-gke-1"
|
||||
display_name = "Terraform CI/CD GKE production service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
|
|||
|
|
@ -57,10 +57,10 @@ module "branch-network-sa-cicd" {
|
|||
? { 0 = local.cicd_repositories.networking }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-net-1"
|
||||
description = "Terraform CI/CD stage 2 networking service account."
|
||||
prefix = var.prefix
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-net-1"
|
||||
display_name = "Terraform CI/CD stage 2 networking service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
|
|||
|
|
@ -106,10 +106,10 @@ module "branch-pf-dev-sa-cicd" {
|
|||
? { 0 = local.cicd_repositories.project_factory_dev }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-pf-resman-pf-1"
|
||||
description = "Terraform CI/CD project factory development service account."
|
||||
prefix = var.prefix
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-pf-resman-pf-1"
|
||||
display_name = "Terraform CI/CD project factory development service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
@ -154,10 +154,10 @@ module "branch-pf-prod-sa-cicd" {
|
|||
? { 0 = local.cicd_repositories.project_factory_prod }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-pf-resman-pf-1"
|
||||
description = "Terraform CI/CD project factory production service account."
|
||||
prefix = var.prefix
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-pf-resman-pf-1"
|
||||
display_name = "Terraform CI/CD project factory production service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
|
|||
|
|
@ -57,10 +57,10 @@ module "branch-security-sa-cicd" {
|
|||
? { 0 = local.cicd_repositories.security }
|
||||
: {}
|
||||
)
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-sec-1"
|
||||
description = "Terraform CI/CD stage 2 security service account."
|
||||
prefix = var.prefix
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-sec-1"
|
||||
display_name = "Terraform CI/CD stage 2 security service account."
|
||||
prefix = var.prefix
|
||||
iam = (
|
||||
each.value.type == "sourcerepo"
|
||||
# used directly from the cloud build trigger for source repos
|
||||
|
|
|
|||
|
|
@ -0,0 +1,73 @@
|
|||
# skip boilerplate check
|
||||
#
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
|
||||
compute.requireOsLogin:
|
||||
enforce: true
|
||||
|
||||
compute.restrictLoadBalancerCreationForTypes:
|
||||
allow:
|
||||
values:
|
||||
- in:INTERNAL
|
||||
|
||||
compute.skipDefaultNetworkCreation:
|
||||
enforce: true
|
||||
|
||||
compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
|
||||
|
||||
# compute.disableInternetNetworkEndpointGroup:
|
||||
# enforce: true
|
||||
|
||||
# compute.disableNestedVirtualization:
|
||||
# enforce: true
|
||||
|
||||
# compute.disableSerialPortAccess:
|
||||
# enforce: true
|
||||
|
||||
# compute.restrictCloudNATUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictDedicatedInterconnectUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictPartnerInterconnectUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictProtocolForwardingCreationForTypes:
|
||||
# deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictSharedVpcHostProjects:
|
||||
# deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictSharedVpcSubnetworks:
|
||||
# deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictVpcPeering:
|
||||
# deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictVpnPeerIPs:
|
||||
# deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictXpnProjectLienRemoval:
|
||||
# enforce: true
|
||||
|
||||
# compute.setNewProjectDefaultToZonalDNSOnly:
|
||||
# enforce: true
|
||||
|
||||
# compute.vmCanIpForward:
|
||||
# deny:
|
||||
# all: true
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
# skip boilerplate check
|
||||
#
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
iam.automaticIamGrantsForDefaultServiceAccounts:
|
||||
enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyCreation:
|
||||
enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyUpload:
|
||||
enforce: true
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
# skip boilerplate check
|
||||
#
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
run.allowedIngress:
|
||||
allow:
|
||||
values:
|
||||
- is:internal
|
||||
|
||||
# run.allowedVPCEgress:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:private-ranges-only
|
||||
|
||||
# cloudfunctions.allowedIngressSettings:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:ALLOW_INTERNAL_ONLY
|
||||
|
||||
# cloudfunctions.allowedVpcConnectorEgressSettings:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:PRIVATE_RANGES_ONLY
|
||||
|
||||
# cloudfunctions.requireVPCConnector:
|
||||
# enforce: true
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# skip boilerplate check
|
||||
#
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
sql.restrictAuthorizedNetworks:
|
||||
enforce: true
|
||||
|
||||
sql.restrictPublicIp:
|
||||
enforce: true
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
# skip boilerplate check
|
||||
#
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
storage.uniformBucketLevelAccess:
|
||||
enforce: true
|
||||
|
|
@ -66,44 +66,12 @@ module "organization" {
|
|||
)
|
||||
} : {}
|
||||
)
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
org_policies = {
|
||||
"compute.disableGuestAttributesAccess" = { enforce = true }
|
||||
"compute.requireOsLogin" = { enforce = true }
|
||||
"compute.restrictLoadBalancerCreationForTypes" = { allow = { values = ["in:INTERNAL"] } }
|
||||
"compute.skipDefaultNetworkCreation" = { enforce = true }
|
||||
"compute.vmExternalIpAccess" = { deny = { all = true } }
|
||||
"iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } }
|
||||
"iam.automaticIamGrantsForDefaultServiceAccounts" = { enforce = true }
|
||||
"iam.disableServiceAccountKeyCreation" = { enforce = true }
|
||||
"iam.disableServiceAccountKeyUpload" = { enforce = true }
|
||||
"run.allowedIngress" = { allow = { values = ["is:internal"] } }
|
||||
"sql.restrictAuthorizedNetworks" = { enforce = true }
|
||||
"sql.restrictPublicIp" = { enforce = true }
|
||||
"storage.uniformBucketLevelAccess" = { enforce = true }
|
||||
# "cloudfunctions.allowedIngressSettings" = {
|
||||
# allow = { values = ["is:ALLOW_INTERNAL_ONLY"] }
|
||||
# }
|
||||
# "cloudfunctions.allowedVpcConnectorEgressSettings" = {
|
||||
# allow = { values = ["is:PRIVATE_RANGES_ONLY"] }
|
||||
# }
|
||||
# "cloudfunctions.requireVPCConnector" = { enforce = true }
|
||||
# "compute.disableInternetNetworkEndpointGroup" = { enforce = true }
|
||||
# "compute.disableNestedVirtualization" = { enforce = true }
|
||||
# "compute.disableSerialPortAccess" = { enforce = true }
|
||||
# "compute.restrictCloudNATUsage" = { deny = { all = true }}
|
||||
# "compute.restrictDedicatedInterconnectUsage" = { deny = { all = true }}
|
||||
# "compute.restrictPartnerInterconnectUsage" = { deny = { all = true }}
|
||||
# "compute.restrictProtocolForwardingCreationForTypes" = { deny = { all = true }}
|
||||
# "compute.restrictSharedVpcHostProjects" = { deny = { all = true }}
|
||||
# "compute.restrictSharedVpcSubnetworks" = { deny = { all = true }}
|
||||
# "compute.restrictVpcPeering" = { deny = { all = true }}
|
||||
# "compute.restrictVpnPeerIPs" = { deny = { all = true }}
|
||||
# "compute.restrictXpnProjectLienRemoval" = { enforce = true }
|
||||
# "compute.setNewProjectDefaultToZonalDNSOnly" = { enforce = true }
|
||||
# "compute.vmCanIpForward" = { deny = { all = true }}
|
||||
# "gcp.resourceLocations" = {
|
||||
"iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } }
|
||||
|
||||
#"gcp.resourceLocations" = {
|
||||
# allow = { values = local.allowed_regions }
|
||||
# }
|
||||
# "iam.workloadIdentityPoolProviders" = {
|
||||
|
|
@ -114,8 +82,9 @@ module "organization" {
|
|||
# ]
|
||||
# }
|
||||
# }
|
||||
# "run.allowedVPCEgress" = { allow = { values = ["is:private-ranges-only"] } }
|
||||
}
|
||||
org_policies_data_path = "${var.data_dir}/org-policies"
|
||||
|
||||
tags = {
|
||||
(var.tag_names.context) = {
|
||||
description = "Resource management context."
|
||||
|
|
|
|||
|
|
@ -135,6 +135,12 @@ variable "custom_roles" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "data_dir" {
|
||||
description = "Relative path for the folder storing configuration data."
|
||||
type = string
|
||||
default = "data"
|
||||
}
|
||||
|
||||
variable "fast_features" {
|
||||
# tfdoc:variable:source 00-bootstrap
|
||||
description = "Selective control for top-level FAST features."
|
||||
|
|
|
|||
Loading…
Reference in New Issue