From 443a9b9538804d4f564cfdafa040a125c6276251 Mon Sep 17 00:00:00 2001
From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com>
Date: Fri, 3 Jun 2022 13:02:42 +0200
Subject: [PATCH 01/31] Create CLEANUP.md

instructions to clean up FAST deployment
---
 fast/CLEANUP.md | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 fast/CLEANUP.md

diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md
new file mode 100644
index 00000000..952339bf
--- /dev/null
+++ b/fast/CLEANUP.md
@@ -0,0 +1,38 @@
+# FAST deployment clean up
+In case you require destroying FAST deployment in your organization, follow these steps.
+
+Destruction goes in reverse order, from stage 3 to stage 0:
+
+## Stage 3 (Project Factory)
+
+```bash
+cd $FAST_PWD/03-project-factory/prod/
+terraform destroy
+```
+
+## Stage 3 (GKE)
+
+```bash
+cd $FAST_PWD/03-project-factory/prod/
+
+for x in $(terraform state list | grep google_bigquery_dataset); do
+ terraform state rm "$x";
+done
+
+terraform destroy
+```
+
+
+# Stage 2 (Security)
+```bash
+cd $FAST_PWD/02-security/
+terraform destroy
+```
+
+# Networking
+```bash
+cd $FAST_PWD/02-networking-XXX/
+terraform destroy
+```bash
+
+There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the gcloud beta compute shared-vpc associated-projects remove command when terraform destroy fails, and then relaunch the command.

From 8d4ea4ec67cb3ab353ec80ac22368dc0e95e3ac8 Mon Sep 17 00:00:00 2001
From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com>
Date: Fri, 3 Jun 2022 13:06:46 +0200
Subject: [PATCH 02/31] Update CLEANUP.md

---
 fast/CLEANUP.md | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index 952339bf..26adeaf9 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md @@ -29,10 +29,28 @@ cd $FAST_PWD/02-security/ terraform destroy ``` -# Networking +# Stage 2 (Networking) ```bash cd $FAST_PWD/02-networking-XXX/ terraform destroy -```bash +``` There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the gcloud beta compute shared-vpc associated-projects remove command when terraform destroy fails, and then relaunch the command. + +# Stage 1 (Resource Management) +Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder + + +```bash +cd $FAST_PWD/01-resman/ + +# remove buckets from state since terraform refuses to delete them +for x in $(terraform state list | grep google_storage_bucket.bucket); do + terraform state rm "$x" +done + +terraform destroy + +``` + + From d7fd11b5fd090e0e785ea61db0631d2be4df261a Mon Sep 17 00:00:00 2001 From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 3 Jun 2022 13:15:18 +0200 Subject: [PATCH 03/31] Update CLEANUP.md --- fast/CLEANUP.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index 26adeaf9..edc93f04 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md 
@@ -50,7 +50,55 @@ for x in $(terraform state list | grep google_storage_bucket.bucket); do done terraform destroy - ``` +# Stage 0 (Bootstrap) +You should follow these steps carefully because we can end up destroying our own permissions. We also have to remove several resources (GCS buckets and BQ datasets) manually. +```bash +cd $FAST_PWD/00-bootstrap/ + +# remove provider config to execute without SA impersonation +rm 00-bootstrap-providers.tf + +# migrate to local state +terraform init -migrate-state + +# remove buckets and BQ dataset manually +for x in $(terraform state list | grep google_storage_bucket.bucket); do + terraform state rm "$x"; +done + +for x in $(terraform state list | grep google_bigquery_dataset); do + terraform state rm "$x"; +done + +terraform destroy + +# when this fails continue with the steps below +# make your user (the one you are using to execute this step) org admin again, as we will remove organization-admins group roles + +# Add the Organization Admin role to $BU_USER in the GCP Console + +# grant yourself this permission so you can finish the destruction +export FAST_DESTROY_ROLES="roles/billing.admin roles/logging.admin \ + roles/iam.organizationRoleAdmin roles/resourcemanager.projectDeleter \ + roles/resourcemanager.folderAdmin roles/owner" + +export FAST_BU=$(gcloud config list --format 'value(core.account)') + +# find your org id +gcloud organizations list --filter display_name:[part of your domain] + +# set your org id +export FAST_ORG_ID=XXXX + +for role in $FAST_DESTROY_ROLES; do + gcloud organizations add-iam-policy-binding $FAST_ORG_ID \ + --member user:$FAST_BU --role $role +done + +terraform destroy +rm -i terraform.tfstate* + +``` From 5701348d3df0b86625002bb564e648f06c7874b9 Mon Sep 17 00:00:00 2001 
From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 3 Jun 2022 13:21:30 +0200 Subject: [PATCH 04/31] Update CLEANUP.md --- fast/CLEANUP.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index edc93f04..3f9b230a 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md @@ -23,13 +23,13 @@ terraform destroy ``` -# Stage 2 (Security) +## Stage 2 (Security) ```bash cd $FAST_PWD/02-security/ terraform destroy ``` -# Stage 2 (Networking) +## Stage 2 (Networking) ```bash cd $FAST_PWD/02-networking-XXX/ terraform destroy @@ -37,7 +37,7 @@ terraform destroy There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the gcloud beta compute shared-vpc associated-projects remove command when terraform destroy fails, and then relaunch the command. -# Stage 1 (Resource Management) +## Stage 1 (Resource Management) Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder @@ -52,8 +52,10 @@ done terraform destroy ``` -# Stage 0 (Bootstrap) -You should follow these steps carefully because we can end up destroying our own permissions. We also have to remove several resources (GCS buckets and BQ datasets) manually. +## Stage 0 (Bootstrap) +***You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs, you will be required to grant organization admin role again *** + +We also have to remove several resources (GCS buckets and BQ datasets) manually. ```bash cd $FAST_PWD/00-bootstrap/ 
From 2ace596ca88fa3cb711f52ac2170cbb127e973c3 Mon Sep 17 00:00:00 2001 From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 3 Jun 2022 13:22:49 +0200 Subject: [PATCH 05/31] Update CLEANUP.md --- fast/CLEANUP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index 3f9b230a..2ea26275 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md @@ -53,7 +53,7 @@ terraform destroy ``` ## Stage 0 (Bootstrap) -***You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs, you will be required to grant organization admin role again *** +**You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs, you will be required to grant organization admin role again** We also have to remove several resources (GCS buckets and BQ datasets) manually. From 02f8986a1e751db858d69aa6ba92dc9f3556db15 Mon Sep 17 00:00:00 2001 From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 3 Jun 2022 13:38:05 +0200 Subject: [PATCH 06/31] Update CLEANUP.md --- fast/CLEANUP.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index 2ea26275..1994067b 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md @@ -11,10 +11,12 @@ terraform destroy ``` ## Stage 3 (GKE) +Terraform refuses to delete empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state ```bash cd $FAST_PWD/03-project-factory/prod/ +# remove BQ dataset manually for x in $(terraform state list | grep google_bigquery_dataset); do terraform state rm "$x"; done 
@@ -66,7 +68,7 @@ rm 00-bootstrap-providers.tf # migrate to local state terraform init -migrate-state -# remove buckets and BQ dataset manually +# remove GCS buckets and BQ dataset manually for x in $(terraform state list | grep google_storage_bucket.bucket); do terraform state rm "$x"; done From 21cfb69797c80f68b45c12c2e9c0cbbc4b03cf21 Mon Sep 17 00:00:00 2001 From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 10 Jun 2022 16:03:10 +0200 Subject: [PATCH 07/31] Update CLEANUP.md delete spaces in headers --- fast/CLEANUP.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index 1994067b..e0aa6e4e 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md @@ -1,16 +1,16 @@ -# FAST deployment clean up +#FAST deployment clean up In case you require destroying FAST deployment in your organization, follow these steps. Destruction goes in reverse order, from stage 3 to stage 0: -## Stage 3 (Project Factory) +##Stage 3 (Project Factory) ```bash cd $FAST_PWD/03-project-factory/prod/ terraform destroy ``` -## Stage 3 (GKE) +##Stage 3 (GKE) Terraform refuses to delete empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state ```bash @@ -25,13 +25,13 @@ terraform destroy ``` -## Stage 2 (Security) +##Stage 2 (Security) ```bash cd $FAST_PWD/02-security/ terraform destroy ``` -## Stage 2 (Networking) +##Stage 2 (Networking) ```bash cd $FAST_PWD/02-networking-XXX/ terraform destroy 
@@ -39,7 +39,7 @@ terraform destroy There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the gcloud beta compute shared-vpc associated-projects remove command when terraform destroy fails, and then relaunch the command. -## Stage 1 (Resource Management) +##Stage 1 (Resource Management) Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder @@ -54,7 +54,7 @@ done terraform destroy ``` -## Stage 0 (Bootstrap) +##Stage 0 (Bootstrap) **You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs, you will be required to grant organization admin role again** We also have to remove several resources (GCS buckets and BQ datasets) manually. From a262ed39414e7d358b1d4e81ce22042e2d33a3d3 Mon Sep 17 00:00:00 2001 From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 10 Jun 2022 16:20:29 +0200 Subject: [PATCH 08/31] Update CLEANUP.md --- fast/CLEANUP.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index e0aa6e4e..1994067b 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md 
@@ -1,16 +1,16 @@ -#FAST deployment clean up +# FAST deployment clean up In case you require destroying FAST deployment in your organization, follow these steps. Destruction goes in reverse order, from stage 3 to stage 0: -##Stage 3 (Project Factory) +## Stage 3 (Project Factory) ```bash cd $FAST_PWD/03-project-factory/prod/ terraform destroy ``` -##Stage 3 (GKE) +## Stage 3 (GKE) Terraform refuses to delete empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state ```bash @@ -25,13 +25,13 @@ terraform destroy ``` -##Stage 2 (Security) +## Stage 2 (Security) ```bash cd $FAST_PWD/02-security/ terraform destroy ``` -##Stage 2 (Networking) +## Stage 2 (Networking) ```bash cd $FAST_PWD/02-networking-XXX/ terraform destroy @@ -39,7 +39,7 @@ terraform destroy There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the gcloud beta compute shared-vpc associated-projects remove command when terraform destroy fails, and then relaunch the command. -##Stage 1 (Resource Management) +## Stage 1 (Resource Management) Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder @@ -54,7 +54,7 @@ done terraform destroy ``` -##Stage 0 (Bootstrap) +## Stage 0 (Bootstrap) **You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs, you will be required to grant organization admin role again** We also have to remove several resources (GCS buckets and BQ datasets) manually. From 77f3048a8c2b4ab75ad7e92243c1e8ec75c71e1f Mon Sep 17 00:00:00 2001 
From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 10 Jun 2022 16:34:46 +0200 Subject: [PATCH 09/31] Update CLEANUP.md include comments in PR --- fast/CLEANUP.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index 1994067b..2cc35a26 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md @@ -1,4 +1,4 @@ -# FAST deployment clean up +# a FAST deployment clean up In case you require destroying FAST deployment in your organization, follow these steps. Destruction goes in reverse order, from stage 3 to stage 0: @@ -11,7 +11,7 @@ terraform destroy ``` ## Stage 3 (GKE) -Terraform refuses to delete empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state +Terraform refuses to delete non empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state ```bash cd $FAST_PWD/03-project-factory/prod/ 
@@ -37,7 +37,7 @@ cd $FAST_PWD/02-networking-XXX/ terraform destroy ``` -There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the gcloud beta compute shared-vpc associated-projects remove command when terraform destroy fails, and then relaunch the command. +There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the ```gcloud beta compute shared-vpc associated-projects remove``` command when terraform destroy fails, and then relaunch the command. ## Stage 1 (Resource Management) Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder From a1a5011cd147a317f0d55d741a83586c61be07c8 Mon Sep 17 00:00:00 2001 From: Antonio Lopez <94461129+ajlopezn@users.noreply.github.com> Date: Fri, 10 Jun 2022 16:41:10 +0200 Subject: [PATCH 10/31] Update CLEANUP.md link to gcloud beta compute shared-vpc associated-projects remove doc --- fast/CLEANUP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md index 2cc35a26..88469dad 100644 --- a/fast/CLEANUP.md +++ b/fast/CLEANUP.md 
@@ -37,7 +37,7 @@ cd $FAST_PWD/02-networking-XXX/ terraform destroy ``` -There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the ```gcloud beta compute shared-vpc associated-projects remove``` command when terraform destroy fails, and then relaunch the command. +There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the ```gcloud beta compute shared-vpc associated-projects remove``` [command](https://cloud.google.com/sdk/gcloud/reference/beta/compute/shared-vpc/associated-projects/remove) when terraform destroy fails, and then relaunch the command. ## Stage 1 (Resource Management) Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder From 1dbd13fc4b934a4bfc96c1203cde7ba33ce11b76 Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Fri, 10 Jun 2022 16:47:24 +0200 Subject: [PATCH 11/31] fichero movido a fast/stages --- fast/CLEANUP.md | 108 ------------------------------------------------ 1 file changed, 108 deletions(-) delete mode 100644 fast/CLEANUP.md diff --git a/fast/CLEANUP.md b/fast/CLEANUP.md deleted file mode 100644 index 88469dad..00000000 --- a/fast/CLEANUP.md +++ /dev/null 
@@ -1,108 +0,0 @@
-# a FAST deployment clean up
-In case you require destroying FAST deployment in your organization, follow these steps.
-
-Destruction goes in reverse order, from stage 3 to stage 0:
-
-## Stage 3 (Project Factory)
-
-```bash
-cd $FAST_PWD/03-project-factory/prod/
-terraform destroy
-```
-
-## Stage 3 (GKE)
-Terraform refuses to delete non empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state
-
-```bash
-cd $FAST_PWD/03-project-factory/prod/
-
-# remove BQ dataset manually
-for x in $(terraform state list | grep google_bigquery_dataset); do
- terraform state rm "$x";
-done
-
-terraform destroy
-```
-
-
-## Stage 2 (Security)
-```bash
-cd $FAST_PWD/02-security/
-terraform destroy
-```
-
-## Stage 2 (Networking)
-```bash
-cd $FAST_PWD/02-networking-XXX/
-terraform destroy
-```
-
-There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the ```gcloud beta compute shared-vpc associated-projects remove``` [command](https://cloud.google.com/sdk/gcloud/reference/beta/compute/shared-vpc/associated-projects/remove) when terraform destroy fails, and then relaunch the command.
-
-## Stage 1 (Resource Management)
-Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder
-
-
-```bash
-cd $FAST_PWD/01-resman/
-
-# remove buckets from state since terraform refuses to delete them
-for x in $(terraform state list | grep google_storage_bucket.bucket); do
- terraform state rm "$x"
-done
-
-terraform destroy
-```
-
-## Stage 0 (Bootstrap)
-**You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs, you will be required to grant organization admin role again**
-
-We also have to remove several resources (GCS buckets and BQ datasets) manually.
-
-```bash
-cd $FAST_PWD/00-bootstrap/
-
-# remove provider config to execute without SA impersonation
-rm 00-bootstrap-providers.tf
-
-# migrate to local state
-terraform init -migrate-state
-
-# remove GCS buckets and BQ dataset manually
-for x in $(terraform state list | grep google_storage_bucket.bucket); do
- terraform state rm "$x";
-done
-
-for x in $(terraform state list | grep google_bigquery_dataset); do
- terraform state rm "$x";
-done
-
-terraform destroy
-
-# when this fails continue with the steps below
-# make your user (the one you are using to execute this step) org admin again, as we will remove organization-admins group roles
-
-# Add the Organization Admin role to $BU_USER in the GCP Console
-
-# grant yourself this permission so you can finish the destruction
-export FAST_DESTROY_ROLES="roles/billing.admin roles/logging.admin \
- roles/iam.organizationRoleAdmin roles/resourcemanager.projectDeleter \
- roles/resourcemanager.folderAdmin roles/owner"
-
-export FAST_BU=$(gcloud config list --format 'value(core.account)')
-
-# find your org id
-gcloud organizations list --filter display_name:[part of your domain]
-
-# set your org id
-export FAST_ORG_ID=XXXX
-
-for role in $FAST_DESTROY_ROLES; do
- gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
- --member user:$FAST_BU --role $role
-done
-
-terraform destroy
-rm -i terraform.tfstate*
-
-```

From a37af012038e68cb63771f693428586ae8d891f4 Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Fri, 10 Jun 2022 16:57:40 +0200
Subject: [PATCH 12/31] fichero movido a fast/stages

---
 fast/stages/CLEANUP.md | 108 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 fast/stages/CLEANUP.md

diff --git a/fast/stages/CLEANUP.md b/fast/stages/CLEANUP.md
new file mode 100644
index 00000000..88469dad
--- /dev/null
+++ b/fast/stages/CLEANUP.md
@@ -0,0 +1,108 @@
+# a FAST deployment clean up
+In case you require destroying FAST deployment in your organization, follow these steps.
+
+Destruction goes in reverse order, from stage 3 to stage 0:
+
+## Stage 3 (Project Factory)
+
+```bash
+cd $FAST_PWD/03-project-factory/prod/
+terraform destroy
+```
+
+## Stage 3 (GKE)
+Terraform refuses to delete non empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state
+
+```bash
+cd $FAST_PWD/03-project-factory/prod/
+
+# remove BQ dataset manually
+for x in $(terraform state list | grep google_bigquery_dataset); do
+ terraform state rm "$x";
+done
+
+terraform destroy
+```
+
+
+## Stage 2 (Security)
+```bash
+cd $FAST_PWD/02-security/
+terraform destroy
+```
+
+## Stage 2 (Networking)
+```bash
+cd $FAST_PWD/02-networking-XXX/
+terraform destroy
+```
+
+There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the ```gcloud beta compute shared-vpc associated-projects remove``` [command](https://cloud.google.com/sdk/gcloud/reference/beta/compute/shared-vpc/associated-projects/remove) when terraform destroy fails, and then relaunch the command.
+
+## Stage 1 (Resource Management)
+Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder
+
+
+```bash
+cd $FAST_PWD/01-resman/
+
+# remove buckets from state since terraform refuses to delete them
+for x in $(terraform state list | grep google_storage_bucket.bucket); do
+ terraform state rm "$x"
+done
+
+terraform destroy
+```
+
+## Stage 0 (Bootstrap)
+**You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs, you will be required to grant organization admin role again**
+
+We also have to remove several resources (GCS buckets and BQ datasets) manually.
+
+```bash
+cd $FAST_PWD/00-bootstrap/
+
+# remove provider config to execute without SA impersonation
+rm 00-bootstrap-providers.tf
+
+# migrate to local state
+terraform init -migrate-state
+
+# remove GCS buckets and BQ dataset manually
+for x in $(terraform state list | grep google_storage_bucket.bucket); do
+ terraform state rm "$x";
+done
+
+for x in $(terraform state list | grep google_bigquery_dataset); do
+ terraform state rm "$x";
+done
+
+terraform destroy
+
+# when this fails continue with the steps below
+# make your user (the one you are using to execute this step) org admin again, as we will remove organization-admins group roles
+
+# Add the Organization Admin role to $BU_USER in the GCP Console
+
+# grant yourself this permission so you can finish the destruction
+export FAST_DESTROY_ROLES="roles/billing.admin roles/logging.admin \
+ roles/iam.organizationRoleAdmin roles/resourcemanager.projectDeleter \
+ roles/resourcemanager.folderAdmin roles/owner"
+
+export FAST_BU=$(gcloud config list --format 'value(core.account)')
+
+# find your org id
+gcloud organizations list --filter display_name:[part of your domain]
+
+# set your org id
+export FAST_ORG_ID=XXXX
+
+for role in $FAST_DESTROY_ROLES; do
+ gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
+ --member user:$FAST_BU --role $role
+done
+
+terraform destroy
+rm -i terraform.tfstate*
+
+```

From 8da7fbd351a7f47b9b7f93d92aa0e3528b337ae6 Mon Sep 17 00:00:00 2001
From: ajlopezn
Date: Fri, 10 Jun 2022 17:16:11 +0200
Subject: [PATCH 13/31] cleanup reference in readme

---
 fast/stages/CLEANUP.md | 4 ++--
 fast/stages/README.md | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/fast/stages/CLEANUP.md b/fast/stages/CLEANUP.md
index 88469dad..aeeed567 100644
--- a/fast/stages/CLEANUP.md +++ b/fast/stages/CLEANUP.md @@ -1,5 +1,5 @@ -# a FAST deployment clean up -In case you require destroying FAST deployment in your organization, follow these steps. +# FAST deployment clean up +In case you require destroying a FAST deployment in your organization, follow these steps. Destruction goes in reverse order, from stage 3 to stage 0: diff --git a/fast/stages/README.md b/fast/stages/README.md index 8b081428..d7951ba7 100644 --- a/fast/stages/README.md +++ b/fast/stages/README.md @@ -17,6 +17,8 @@ To achieve this, we rely on specific GCP functionality like [delegated role gran Refer to each stage's documentation for a detailed description of its purpose, the architectural choices made in its design, and how it can be configured and wired together to terraform a whole GCP organization. The following is a brief overview of each stage. +To destroy a previous FAST deployment follow the instructions detailed in [cleanup](CLEANUP.md). + ## Organizational level (00-01) - [Bootstrap](00-bootstrap/README.md) From 4658e5faa78991bc00e2ddb5b0731b1581a0f1a4 Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Fri, 10 Jun 2022 17:29:04 +0200 Subject: [PATCH 14/31] added variables required to be modified before applying again --- fast/stages/CLEANUP.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fast/stages/CLEANUP.md b/fast/stages/CLEANUP.md index aeeed567..ff27945c 100644 --- a/fast/stages/CLEANUP.md +++ b/fast/stages/CLEANUP.md @@ -104,5 +104,8 @@ done terraform destroy rm -i terraform.tfstate* - ``` + +In case you are willing to deploy again FAST stages, the following changes shall be done before: +* Modify [prefix](/00-bootstrap/variables.tf#L167) variable to allow deployment of resources that need unique names (eg, projects) +* Modify [custom_roles](00-bootstrap/variables.tf#L77) variable to allow recently deleted custom roles to be created again \ No newline at end of file 
From 822e4b987abcf411889d174170f96a036da72e7c Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Fri, 10 Jun 2022 18:21:44 +0200 Subject: [PATCH 15/31] solved links issue --- fast/stages/CLEANUP.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/fast/stages/CLEANUP.md b/fast/stages/CLEANUP.md index ff27945c..e138a6d0 100644 --- a/fast/stages/CLEANUP.md +++ b/fast/stages/CLEANUP.md @@ -1,7 +1,7 @@ # FAST deployment clean up -In case you require destroying a FAST deployment in your organization, follow these steps. +In case you require destroying a previous FAST deployment in your organization, follow these steps. -Destruction goes in reverse order, from stage 3 to stage 0: +Destruction must be done in reverse order, from stage 3 to stage 0: ## Stage 3 (Project Factory) @@ -11,7 +11,7 @@ terraform destroy ``` ## Stage 3 (GKE) -Terraform refuses to delete non empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state +Terraform refuses to delete non-empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state ```bash cd $FAST_PWD/03-project-factory/prod/ @@ -42,7 +42,6 @@ There's a minor glitch that can surface running terraform destroy, where the ser ## Stage 1 (Resource Management) Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder - ```bash cd $FAST_PWD/01-resman/ 
@@ -55,7 +54,7 @@ terraform destroy ``` ## Stage 0 (Bootstrap) -**You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs, you will be required to grant organization admin role again** +**You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs to, you will be required to grant organization admin role again** We also have to remove several resources (GCS buckets and BQ datasets) manually. @@ -106,6 +105,6 @@ terraform destroy rm -i terraform.tfstate* ``` -In case you are willing to deploy again FAST stages, the following changes shall be done before: -* Modify [prefix](/00-bootstrap/variables.tf#L167) variable to allow deployment of resources that need unique names (eg, projects) -* Modify [custom_roles](00-bootstrap/variables.tf#L77) variable to allow recently deleted custom roles to be created again \ No newline at end of file +In case you are willing to deploy FAST stages again, the following changes shall be done before: +* Modify the [prefix](/00-bootstrap/variables.tf) variable to allow the deployment of resources that need unique names (eg, projects). +* Modify the [custom_roles](00-bootstrap/variables.tf) variable to allow recently deleted custom roles to be created again. \ No newline at end of file From c91ec944f98af068fe7addef786636314dad052b Mon Sep 17 00:00:00 2001 From: ajlopezn Date: Fri, 10 Jun 2022 18:34:00 +0200 Subject: [PATCH 16/31] solved another link issue --- fast/stages/CLEANUP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fast/stages/CLEANUP.md b/fast/stages/CLEANUP.md index e138a6d0..a0a1688f 100644 --- a/fast/stages/CLEANUP.md +++ b/fast/stages/CLEANUP.md 
@@ -106,5 +106,5 @@ rm -i terraform.tfstate* ``` In case you are willing to deploy FAST stages again, the following changes shall be done before: -* Modify the [prefix](/00-bootstrap/variables.tf) variable to allow the deployment of resources that need unique names (eg, projects). +* Modify the [prefix](00-bootstrap/variables.tf) variable to allow the deployment of resources that need unique names (eg, projects). * Modify the [custom_roles](00-bootstrap/variables.tf) variable to allow recently deleted custom roles to be created again. \ No newline at end of file From 2eb996d33d806b34bc4c0d52f140f68401d9224e Mon Sep 17 00:00:00 2001 From: "agusramirez@google.com" Date: Wed, 15 Jun 2022 19:12:11 -0500 Subject: [PATCH 17/31] sourcerepo and cloudbuild at 01-resman --- fast/stages/00-bootstrap/automation.tf | 3 ++- fast/stages/01-resman/cicd-networking.tf | 2 +- fast/stages/01-resman/cicd-security.tf | 2 +- fast/stages/01-resman/cicd-teams.tf | 4 ++-- fast/stages/01-resman/outputs.tf | 8 +++++--- 5 files changed, 11 insertions(+), 8 deletions(-) diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf index 0874fc4f..11a8b34d 100644 --- a/fast/stages/00-bootstrap/automation.tf +++ b/fast/stages/00-bootstrap/automation.tf @@ -36,7 +36,8 @@ module "automation-project" { # machine (service accounts) IAM bindings iam = { "roles/owner" = [ - module.automation-tf-bootstrap-sa.iam_email + module.automation-tf-bootstrap-sa.iam_email, + module.automation-tf-resman-sa.iam_email ] "roles/iam.serviceAccountAdmin" = [ module.automation-tf-resman-sa.iam_email diff --git a/fast/stages/01-resman/cicd-networking.tf b/fast/stages/01-resman/cicd-networking.tf index 541d8bda..9bb96f79 100644 --- a/fast/stages/01-resman/cicd-networking.tf +++ b/fast/stages/01-resman/cicd-networking.tf 
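Review bot: The new `roles/owner` member `module.automation-tf-resman-sa.iam_email` on the automation project is far broader than a Cloud Build / Source Repositories setup needs, and it sits beside entries that already give that same SA narrower roles such as `roles/iam.serviceAccountAdmin`. A later patch in this series (PATCH 22) removes this member again in favour of `roles/cloudbuild.builds.editor` and `roles/source.admin`, so if the series is squashed the owner grant must not survive. Until then a comment on the added line, `# TODO: replace with the minimal Cloud Build / Source Repo roles`, would flag the interim state. The `iam` map continues outside the hunk.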
@@ -35,7 +35,7 @@ module "branch-network-cicd-repo" { fast-02-networking = { filename = ".cloudbuild/workflow.yaml" included_files = ["**/*tf", ".cloudbuild/workflow.yaml"] - service_account = module.branch-network-sa.id + service_account = module.branch-network-sa-cicd.0.id substitutions = {} template = { project_id = null diff --git a/fast/stages/01-resman/cicd-security.tf b/fast/stages/01-resman/cicd-security.tf index d6b0b869..ff456166 100644 --- a/fast/stages/01-resman/cicd-security.tf +++ b/fast/stages/01-resman/cicd-security.tf @@ -35,7 +35,7 @@ module "branch-security-cicd-repo" { fast-02-security = { filename = ".cloudbuild/workflow.yaml" included_files = ["**/*tf", ".cloudbuild/workflow.yaml"] - service_account = module.branch-security-sa.id + service_account = module.branch-security-sa-cicd.0.id substitutions = {} template = { project_id = null diff --git a/fast/stages/01-resman/cicd-teams.tf b/fast/stages/01-resman/cicd-teams.tf index 2766e301..931b0a7c 100644 --- a/fast/stages/01-resman/cicd-teams.tf +++ b/fast/stages/01-resman/cicd-teams.tf @@ -37,7 +37,7 @@ module "branch-teams-dev-pf-cicd-repo" { included_files = [ "**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml" ] - service_account = module.branch-teams-dev-pf-sa.iam_email + service_account = module.branch-teams-dev-pf-sa-cicd.0.id substitutions = {} template = { project_id = null @@ -68,7 +68,7 @@ module "branch-teams-prod-pf-cicd-repo" { included_files = [ "**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml" ] - service_account = module.branch-teams-prod-pf-sa.iam_email + service_account = module.branch-teams-prod-pf-sa-cicd.0.id substitutions = {} template = { project_id = null diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf index f91a843d..b7de5240 100644 --- a/fast/stages/01-resman/outputs.tf +++ b/fast/stages/01-resman/outputs.tf 
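Review bot: `module.branch-network-sa-cicd.0.id` hard-codes instance key `0`, which only resolves if the `-cicd` module is declared with `count` or with a `for_each` map keyed `0`; later hunks in this series use `each.value` inside that module, which suggests `for_each`, so the key should be confirmed against the module declaration (outside this hunk). The same indexed reference appears in the cicd-security and both cicd-teams hunks on this line and in the cicd-data-platform hunks of PATCH 19. For the teams triggers the switch from `.iam_email` to `.id` looks right, since the trigger's `service_account` argument presumably takes the SA resource id rather than an IAM member string; a comment such as `# trigger SA is the SA resource id, not the IAM email` would keep the regression from returning. The enclosing module block continues outside the hunk.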
@@ -144,9 +144,11 @@ output "cicd_repositories" { description = "WIF configuration for CI/CD repositories." value = { for k, v in local.cicd_repositories : k => { - branch = v.branch - name = v.name - provider = local.identity_providers[v.identity_provider].name + branch = v.branch + name = v.name + provider = try( + local.identity_providers[v.identity_provider].name, null + ) service_account = local.cicd_workflow_attrs[k].service_account } if v != null } From 35e5ffaf854edd1ec8509427b7c94a1711ec0e07 Mon Sep 17 00:00:00 2001 From: Ray Walker Date: Thu, 16 Jun 2022 10:39:05 +1000 Subject: [PATCH 18/31] fix: Raise ValueError when check_names detects overlong names ValueError may not be the correct type? Closes #679 --- tools/check_names.py | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/tools/check_names.py b/tools/check_names.py index 7e45fd87..e3fcf88f 100755 --- a/tools/check_names.py +++ b/tools/check_names.py @@ -84,13 +84,21 @@ def main(dirs, prefix_length=None): source_just = max(len(k) for k in MOD_LIMITS) name_just = max(len(n.name) for n in names) value_just = max(len(n.value) for n in names) + errors = [] for name in names: name_length = name.length + prefix_length - flag = '✗' if name_length >= MOD_LIMITS[name.source] else '✓' - print(f'[{flag}] {name.source.ljust(source_just)} ' - f'{name.name.ljust(name_just)} ' - f'{name.value.ljust(value_just)} ' - f'({name_length})') + if name_length >= MOD_LIMITS[name.source]: + flag = "✗" + errors += [f"{name.source}:{name.name}:{name_length}"] + else: + flag = "✓" + + print(f"[{flag}] {name.source.ljust(source_just)} " + f"{name.name.ljust(name_just)} " + f"{name.value.ljust(value_just)} " + f"({name_length})") + if errors: + raise ValueError(errors) if __name__ == '__main__': From e3d91e84e4463162cac6ca9d96645bc2787a17ec Mon Sep 17 00:00:00 2001 
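Review bot: Wrapping `local.identity_providers[v.identity_provider].name` in `try(…, null)` silences a missing or misspelled `identity_provider` key for every repository type, not only the `sourcerepo` case where no WIF provider is expected, so a typo in the `cicd_repositories` input now yields a `null` provider in the generated configuration instead of a plan error. Consider limiting the fallback to the case that legitimately has no provider, e.g. `provider = v.type == "sourcerepo" ? null : local.identity_providers[v.identity_provider].name`, or adding a `validation` block on the variable. The same `try` is introduced for `identity_provider` in the PATCH 23 outputs.tf hunk. The `for` expression continues outside the hunk.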
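Review bot: `raise ValueError(errors)` at the end of `main` reports the overlong names as an uncaught traceback, which is noisy for a CLI check and, as the commit message itself admits, is not an obviously right exception type; since every failing row is already printed with the `✗` flag, ending with a non-zero status is enough, e.g. `if errors: raise SystemExit(1)`, which needs no import. `errors += [f"…"]` reads more naturally as `errors.append(f"…")`. The `>=` comparison treats a name whose length equals `MOD_LIMITS[name.source]` as an error; if those limits are inclusive maxima this is an off-by-one, and either way a comment on that line stating whether the limit is exclusive would settle it.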
From: "agusramirez@google.com" Date: Wed, 15 Jun 2022 21:34:26 -0500 Subject: [PATCH 19/31] sourcerepo and cloudbuild at 01-resman --- fast/stages/01-resman/cicd-data-platform.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fast/stages/01-resman/cicd-data-platform.tf b/fast/stages/01-resman/cicd-data-platform.tf index e62a0220..66247d26 100644 --- a/fast/stages/01-resman/cicd-data-platform.tf +++ b/fast/stages/01-resman/cicd-data-platform.tf @@ -37,7 +37,7 @@ module "branch-dp-dev-cicd-repo" { included_files = [ "**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml" ] - service_account = module.branch-dp-dev-sa.iam_email + service_account = module.branch-dp-dev-sa-cicd.0.id substitutions = {} template = { project_id = null @@ -68,7 +68,7 @@ module "branch-dp-prod-cicd-repo" { included_files = [ "**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml" ] - service_account = module.branch-dp-prod-sa.iam_email + service_account = module.branch-dp-prod-sa-cicd.0.id substitutions = {} template = { project_id = null From cbf008fed564447037a5f5f39e85aa317b1ffff9 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 16:34:46 +0200 Subject: [PATCH 20/31] add support for secrets (#684) --- modules/cloud-function/README.md | 11 ++++++----- modules/cloud-function/main.tf | 29 +++++++++++++++++++++++++++++ modules/cloud-function/variables.tf | 12 ++++++++++++ 3 files changed, 47 insertions(+), 5 deletions(-) diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md index 6eac68bf..73a1d3f2 100644 --- a/modules/cloud-function/README.md +++ b/modules/cloud-function/README.md 
@@ -173,11 +173,12 @@ module "cf-http" { | [labels](variables.tf#L82) | Resource labels. | map(string) | | {} | | [prefix](variables.tf#L93) | Optional prefix used for resource names. | string | | null | | [region](variables.tf#L104) | Region used for all resources. | string | | "europe-west1" | -| [service_account](variables.tf#L110) | Service account email. Unused if service account is auto-created. | string | | null | -| [service_account_create](variables.tf#L116) | Auto-create service account. | bool | | false | -| [trigger_config](variables.tf#L122) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null | -| [vpc_connector](variables.tf#L132) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | null | -| [vpc_connector_config](variables.tf#L142) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null | +| [secrets](variables.tf#L110) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | map(object({…})) | | {} | +| [service_account](variables.tf#L122) | Service account email. Unused if service account is auto-created. | string | | null | +| [service_account_create](variables.tf#L128) | Auto-create service account. | bool | | false | +| [trigger_config](variables.tf#L134) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null | +| [vpc_connector](variables.tf#L144) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | null | +| [vpc_connector_config](variables.tf#L154) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null | ## Outputs diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf index 949cb69b..0a26c120 100644 --- a/modules/cloud-function/main.tf 
+++ b/modules/cloud-function/main.tf @@ -91,6 +91,35 @@ resource "google_cloudfunctions_function" "function" { } } + dynamic "secret_environment_variables" { + for_each = { for k, v in var.secrets : k => v if !v.is_volume } + iterator = secret + content { + key = secret.key + project_id = secret.value.project_id + secret = secret.value.secret + version = try(secret.value.versions.0, "latest") + } + } + + dynamic "secret_volumes" { + for_each = { for k, v in var.secrets : k => v if v.is_volume } + iterator = secret + content { + mount_path = secret.key + project_id = secret.value.project_id + secret = secret.value.secret + dynamic "versions" { + for_each = secret.value.versions + iterator = version + content { + path = split(":", version)[1] + version = split(":", version)[0] + } + } + } + } + } resource "google_cloudfunctions_function_iam_binding" "default" { diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf index a613b2f6..ce8633c8 100644 --- a/modules/cloud-function/variables.tf +++ b/modules/cloud-function/variables.tf @@ -107,6 +107,18 @@ variable "region" { default = "europe-west1" } +variable "secrets" { + description = "Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format." + type = map(object({ + is_volume = bool + project_id = number + secret = string + versions = list(string) + })) + nullable = false + default = {} +} + variable "service_account" { description = "Service account email. Unused if service account is auto-created." type = string From 58e553c2df730dc3d18e93963ff4b114638bc8dc Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 19:06:35 +0200 Subject: [PATCH 21/31] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b8bdd3a..c2bfa150 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
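Review bot: `version = try(secret.value.versions.0, "latest")` makes an unpinned secret the default for environment-variable secrets, so any newly added Secret Manager version is picked up on the next deployment without a change in Terraform; pinning should be the documented expectation and the `"latest"` fallback called out in the `secrets` variable description. In the `secret_volumes` block, `split(":", version)[1]` fails with an index error at plan time when a volume entry is given without the `:path` suffix, and a path that itself contains `:` is silently truncated, so the format should be validated on the variable rather than relied on here. The `google_cloudfunctions_function` resource continues outside the hunk.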
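Review bot: The new `secrets` variable types `project_id` as `number` although its name says id, so callers passing a project id string get a type error with no hint; the description should say that the project number is required, presumably because the provider field only accepts the number. The `version:path` convention for volume versions is stated in the description but never checked, and main.tf indexes `split(":", version)[1]` unconditionally, so a validation block on the variable would turn a malformed entry into a readable plan error.
```hcl
variable "secrets" {
  # … unchanged: description, type, nullable, default …
  validation {
    condition = alltrue([
      for k, v in var.secrets : (
        !v.is_volume || alltrue([for s in v.versions : length(split(":", s)) == 2])
      )
    ])
    error_message = "Volume secret versions must be in version:path format."
  }
}
```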
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file. - add support for IAM and Cloud Build triggers to source repository module - add `id` output to service account module +- add support for secrets to cloud function module **FAST** From f163bad220972d58d36de4864a36c4f459276f2f Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 21:56:18 +0200 Subject: [PATCH 22/31] add automation project number to stage 0 outputs --- fast/stages/00-bootstrap/automation.tf | 7 ++++++- fast/stages/00-bootstrap/outputs.tf | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf index 11a8b34d..bba34d06 100644 --- a/fast/stages/00-bootstrap/automation.tf +++ b/fast/stages/00-bootstrap/automation.tf @@ -36,7 +36,9 @@ module "automation-project" { # machine (service accounts) IAM bindings iam = { "roles/owner" = [ - module.automation-tf-bootstrap-sa.iam_email, + module.automation-tf-bootstrap-sa.iam_email + ] + "roles/cloudbuild.builds.editor" = [ module.automation-tf-resman-sa.iam_email ] "roles/iam.serviceAccountAdmin" = [ @@ -45,6 +47,9 @@ module "automation-project" { "roles/iam.workloadIdentityPoolAdmin" = [ module.automation-tf-resman-sa.iam_email ] + "roles/source.admin" = [ + module.automation-tf-resman-sa.iam_email + ] "roles/storage.admin" = [ module.automation-tf-resman-sa.iam_email ] diff --git a/fast/stages/00-bootstrap/outputs.tf b/fast/stages/00-bootstrap/outputs.tf index cfb2460b..91045865 100644 --- a/fast/stages/00-bootstrap/outputs.tf +++ b/fast/stages/00-bootstrap/outputs.tf @@ -57,6 +57,7 @@ locals { federated_identity_providers = local.wif_providers outputs_bucket = module.automation-tf-output-gcs.name project_id = module.automation-project.project_id + project_number = module.automation-project.number } custom_roles = local.custom_roles } From c87c645bf088e37521ea54b956a316a4bc3e980f Mon Sep 17 00:00:00 2001 
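Review bot: The two new bindings for `module.automation-tf-resman-sa.iam_email`, `roles/cloudbuild.builds.editor` and `roles/source.admin`, carry no comment saying what stage 1 does with them, and the neighbouring entries (`iam.serviceAccountAdmin`, `iam.workloadIdentityPoolAdmin`, `storage.admin`) are equally undocumented; a line such as `# stage 1 creates the CI/CD source repositories and Cloud Build triggers` above the first of them would make the grant reviewable. `roles/source.admin` also permits changing IAM on the repositories it creates, which is more than creating them; if that is intended it deserves to be stated next to the binding. The `iam` map continues outside the hunk.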
From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 21:56:48 +0200 Subject: [PATCH 23/31] add missing try to stage 1 outputs --- fast/stages/01-resman/outputs.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf index b7de5240..73ed2eed 100644 --- a/fast/stages/01-resman/outputs.tf +++ b/fast/stages/01-resman/outputs.tf @@ -52,9 +52,11 @@ locals { for k, v in local.cicd_repositories : k => templatefile( "${path.module}/templates/workflow-${v.type}.yaml", merge(local.cicd_workflow_attrs[k], { - identity_provider = local.identity_providers[v.identity_provider].name - outputs_bucket = var.automation.outputs_bucket - stage_name = k + identity_provider = try( + local.identity_providers[v.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + stage_name = k }) ) } From 2b61efb722187ba548dd79aff08a9f41ad20212d Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 21:57:09 +0200 Subject: [PATCH 24/31] add project number to sgae 1 values --- fast/stages/01-resman/variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/fast/stages/01-resman/variables.tf b/fast/stages/01-resman/variables.tf index c31e6779..c1d534bc 100644 --- a/fast/stages/01-resman/variables.tf +++ b/fast/stages/01-resman/variables.tf @@ -23,6 +23,7 @@ variable "automation" { type = object({ outputs_bucket = string project_id = string + project_number = string federated_identity_pool = string federated_identity_providers = map(object({ issuer = string From da17d5786346eace988e6ed8a95c7cad6b848b33 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 21:59:44 +0200 Subject: [PATCH 25/31] fix tfdoc --- fast/stages/00-bootstrap/README.md | 20 +++++++-------- fast/stages/01-resman/README.md | 40 +++++++++++++++--------------- 2 files changed, 30 insertions(+), 30 deletions(-) 
diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index c217a50f..3fcfb66c 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@@ -457,15 +457,15 @@ The remaining configuration is manual, as it regards the repositories themselves | name | description | sensitive | consumers | |---|---|:---:|---| -| [automation](outputs.tf#L81) | Automation resources. | | | -| [billing_dataset](outputs.tf#L86) | BigQuery dataset prepared for billing export. | | | -| [cicd_repositories](outputs.tf#L91) | CI/CD repository configurations. | | | -| [custom_roles](outputs.tf#L103) | Organization-level custom roles. | | | -| [federated_identity](outputs.tf#L108) | Workload Identity Federation pool and providers. | | | -| [outputs_bucket](outputs.tf#L118) | GCS bucket where generated output files are stored. | | | -| [project_ids](outputs.tf#L123) | Projects created by this stage. | | | -| [providers](outputs.tf#L142) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 | -| [service_accounts](outputs.tf#L132) | Automation service accounts created by this stage. | | | -| [tfvars](outputs.tf#L151) | Terraform variable files for the following stages. | ✓ | | +| [automation](outputs.tf#L82) | Automation resources. | | | +| [billing_dataset](outputs.tf#L87) | BigQuery dataset prepared for billing export. | | | +| [cicd_repositories](outputs.tf#L92) | CI/CD repository configurations. | | | +| [custom_roles](outputs.tf#L104) | Organization-level custom roles. | | | +| [federated_identity](outputs.tf#L109) | Workload Identity Federation pool and providers. | | | +| [outputs_bucket](outputs.tf#L119) | GCS bucket where generated output files are stored. | | | +| [project_ids](outputs.tf#L124) | Projects created by this stage. | | | +| [providers](outputs.tf#L143) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 | +| [service_accounts](outputs.tf#L133) | Automation service accounts created by this stage. | | | +| [tfvars](outputs.tf#L152) | Terraform variable files for the following stages. | ✓ | | 
diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index 8ec133ce..a054106f 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -178,30 +178,30 @@ Due to its simplicity, this stage lends itself easily to customizations: adding | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 00-bootstrap | -| [billing_account](variables.tf#L37) | Billing account id and organization id ('nnnnnnnn' or null). | object({…}) | ✓ | | 00-bootstrap | -| [organization](variables.tf#L140) | Organization details. | object({…}) | ✓ | | 00-bootstrap | -| [prefix](variables.tf#L164) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap | -| [cicd_repositories](variables.tf#L46) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | -| [custom_roles](variables.tf#L116) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 00-bootstrap | -| [groups](variables.tf#L125) | Group names to grant organization-level permissions. | map(string) | | {…} | 00-bootstrap | -| [organization_policy_configs](variables.tf#L150) | Organization policies customization. | object({…}) | | null | | -| [outputs_location](variables.tf#L158) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | string | | null | | -| [tag_names](variables.tf#L175) | Customized names for resource management tags. | object({…}) | | {…} | | -| [team_folders](variables.tf#L192) | Team folders to be created. Format is described in a code comment. | map(object({…})) | | null | | +| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 00-bootstrap | +| [billing_account](variables.tf#L38) | Billing account id and organization id ('nnnnnnnn' or null). 
| object({…}) | ✓ | | 00-bootstrap | +| [organization](variables.tf#L141) | Organization details. | object({…}) | ✓ | | 00-bootstrap | +| [prefix](variables.tf#L165) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap | +| [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | +| [custom_roles](variables.tf#L117) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 00-bootstrap | +| [groups](variables.tf#L126) | Group names to grant organization-level permissions. | map(string) | | {…} | 00-bootstrap | +| [organization_policy_configs](variables.tf#L151) | Organization policies customization. | object({…}) | | null | | +| [outputs_location](variables.tf#L159) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | string | | null | | +| [tag_names](variables.tf#L176) | Customized names for resource management tags. | object({…}) | | {…} | | +| [team_folders](variables.tf#L193) | Team folders to be created. Format is described in a code comment. | map(object({…})) | | null | | ## Outputs | name | description | sensitive | consumers | |---|---|:---:|---| -| [cicd_repositories](outputs.tf#L143) | WIF configuration for CI/CD repositories. | | | -| [dataplatform](outputs.tf#L155) | Data for the Data Platform stage. | | | -| [networking](outputs.tf#L171) | Data for the networking stage. | | | -| [project_factories](outputs.tf#L180) | Data for the project factories stage. | | | -| [providers](outputs.tf#L196) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · xx-sandbox · xx-teams | -| [sandbox](outputs.tf#L203) | Data for the sandbox stage. 
| | xx-sandbox | -| [security](outputs.tf#L213) | Data for the networking stage. | | 02-security | -| [teams](outputs.tf#L223) | Data for the teams stage. | | | -| [tfvars](outputs.tf#L236) | Terraform variable files for the following stages. | ✓ | | +| [cicd_repositories](outputs.tf#L145) | WIF configuration for CI/CD repositories. | | | +| [dataplatform](outputs.tf#L159) | Data for the Data Platform stage. | | | +| [networking](outputs.tf#L175) | Data for the networking stage. | | | +| [project_factories](outputs.tf#L184) | Data for the project factories stage. | | | +| [providers](outputs.tf#L200) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · xx-sandbox · xx-teams | +| [sandbox](outputs.tf#L207) | Data for the sandbox stage. | | xx-sandbox | +| [security](outputs.tf#L217) | Data for the networking stage. | | 02-security | +| [teams](outputs.tf#L227) | Data for the teams stage. | | | +| [tfvars](outputs.tf#L240) | Terraform variable files for the following stages. | ✓ | | From 528219bbf34ad6a2f2caf280e7edb9dad4c8fd46 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 22:03:08 +0200 Subject: [PATCH 26/31] fix stage1 tests --- tests/fast/stages/s01_resman/fixture/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/fast/stages/s01_resman/fixture/main.tf b/tests/fast/stages/s01_resman/fixture/main.tf index ddb9aafe..57d35b16 100644 --- a/tests/fast/stages/s01_resman/fixture/main.tf +++ b/tests/fast/stages/s01_resman/fixture/main.tf @@ -20,6 +20,7 @@ module "stage" { federated_identity_pool = null federated_identity_providers = null project_id = "fast-prod-automation" + project_number = 123456 outputs_bucket = "test" } billing_account = { From 6d8f3f7e22f071b9a8e6ef77db3deb4339df6b5b Mon Sep 17 00:00:00 2001 
From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 22:16:20 +0200 Subject: [PATCH 27/31] depend service account outputs on iam roles --- modules/iam-service-account/README.md | 12 ++++++------ modules/iam-service-account/outputs.tf | 13 +++++++++++-- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md index ab6b1882..fe07ddbf 100644 --- a/modules/iam-service-account/README.md +++ b/modules/iam-service-account/README.md @@ -62,11 +62,11 @@ module "myproject-default-service-accounts" { | name | description | sensitive | |---|---|:---:| | [email](outputs.tf#L17) | Service account email. | | -| [iam_email](outputs.tf#L25) | IAM-format service account email. | | -| [id](outputs.tf#L33) | Service account id. | | -| [key](outputs.tf#L38) | Service account key. | ✓ | -| [name](outputs.tf#L44) | Service account name. | | -| [service_account](outputs.tf#L49) | Service account resource. | | -| [service_account_credentials](outputs.tf#L54) | Service account json credential templates for uploaded public keys data. | | +| [iam_email](outputs.tf#L27) | IAM-format service account email. | | +| [id](outputs.tf#L37) | Service account id. | | +| [key](outputs.tf#L47) | Service account key. | ✓ | +| [name](outputs.tf#L53) | Service account name. | | +| [service_account](outputs.tf#L58) | Service account resource. | | +| [service_account_credentials](outputs.tf#L63) | Service account json credential templates for uploaded public keys data. | | diff --git a/modules/iam-service-account/outputs.tf b/modules/iam-service-account/outputs.tf index 4f0e0aa5..2823910b 100644 --- a/modules/iam-service-account/outputs.tf +++ b/modules/iam-service-account/outputs.tf 
@@ -18,7 +18,9 @@ output "email" { description = "Service account email." value = local.resource_email_static depends_on = [ - local.service_account + local.service_account, + google_service_account_iam_binding.roles, + google_service_account_iam_member.additive ] } @@ -26,13 +28,20 @@ output "iam_email" { description = "IAM-format service account email." value = local.resource_iam_email_static depends_on = [ - local.service_account + local.service_account, + google_service_account_iam_binding.roles, + google_service_account_iam_member.additive ] } output "id" { description = "Service account id." value = local.service_account.id + depends_on = [ + local.service_account, + google_service_account_iam_binding.roles, + google_service_account_iam_member.additive + ] } output "key" { From a35ed1ca0f2665f1e88c1b967b0287445a4d1ef7 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 22:16:43 +0200 Subject: [PATCH 28/31] allow using cicd service accounts in build triggers --- fast/stages/01-resman/cicd-data-platform.tf | 8 ++++++-- fast/stages/01-resman/cicd-networking.tf | 4 +++- fast/stages/01-resman/cicd-security.tf | 4 +++- fast/stages/01-resman/cicd-teams.tf | 8 ++++++-- fast/stages/01-resman/main.tf | 6 ++++++ 5 files changed, 24 insertions(+), 6 deletions(-) diff --git a/fast/stages/01-resman/cicd-data-platform.tf b/fast/stages/01-resman/cicd-data-platform.tf index 66247d26..c5c08d7f 100644 --- a/fast/stages/01-resman/cicd-data-platform.tf +++ b/fast/stages/01-resman/cicd-data-platform.tf @@ -96,7 +96,9 @@ module "branch-dp-dev-sa-cicd" { iam = ( each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos - ? {} + ? { + "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + } # impersonated via workload identity federation for external repos : { "roles/iam.workloadIdentityUser" = [ 
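Review bot: Only the `email`, `iam_email` and `id` outputs gain the new `depends_on` on `google_service_account_iam_binding.roles` and `google_service_account_iam_member.additive`, while the README table in the same patch still lists `name`, `service_account` and `key` outputs that keep no such dependency, so a consumer reading `.name` still does not wait for the bindings. PATCH 29 reverts these lists because they can create resource cycles and records that in the README, which is then the right place to also say that consumers needing the bindings should put an explicit `depends_on` on the module. The `key` output continues outside the hunk.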
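Review bot: The new `roles/iam.serviceAccountUser` binding on the CI/CD service account goes to `local.automation_resman_sa`, which (per the main.tf hunk of this patch) is the identity currently running the stage rather than a fixed automation principal, so the member written into state depends on who applies. The comment above it, `# used directly from the cloud build trigger for source repos`, does not say why actAs is needed; `# whoever creates the trigger needs iam.serviceAccounts.actAs on the trigger SA` would. The same binding is added in the second cicd-data-platform hunk and in the cicd-networking, cicd-security and both cicd-teams hunks of this patch. The `module "branch-dp-dev-sa-cicd"` block continues outside the hunk.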
@@ -135,7 +137,9 @@ module "branch-dp-prod-sa-cicd" { iam = ( each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos - ? {} + ? { + "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + } # impersonated via workload identity federation for external repos : { "roles/iam.workloadIdentityUser" = [ diff --git a/fast/stages/01-resman/cicd-networking.tf b/fast/stages/01-resman/cicd-networking.tf index 9bb96f79..2853db88 100644 --- a/fast/stages/01-resman/cicd-networking.tf +++ b/fast/stages/01-resman/cicd-networking.tf @@ -63,7 +63,9 @@ module "branch-network-sa-cicd" { iam = ( each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos - ? {} + ? { + "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + } # impersonated via workload identity federation for external repos : { "roles/iam.workloadIdentityUser" = [ diff --git a/fast/stages/01-resman/cicd-security.tf b/fast/stages/01-resman/cicd-security.tf index ff456166..601b7cc5 100644 --- a/fast/stages/01-resman/cicd-security.tf +++ b/fast/stages/01-resman/cicd-security.tf @@ -63,7 +63,9 @@ module "branch-security-sa-cicd" { iam = ( each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos - ? {} + ? { + "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + } # impersonated via workload identity federation for external repos : { "roles/iam.workloadIdentityUser" = [ diff --git a/fast/stages/01-resman/cicd-teams.tf b/fast/stages/01-resman/cicd-teams.tf index 931b0a7c..67b333f6 100644 --- a/fast/stages/01-resman/cicd-teams.tf +++ b/fast/stages/01-resman/cicd-teams.tf 
@@ -96,7 +96,9 @@ module "branch-teams-dev-pf-sa-cicd" { iam = ( each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos - ? {} + ? { + "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + } # impersonated via workload identity federation for external repos : { "roles/iam.workloadIdentityUser" = [ @@ -135,7 +137,9 @@ module "branch-teams-prod-pf-sa-cicd" { iam = ( each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos - ? {} + ? { + "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + } # impersonated via workload identity federation for external repos : { "roles/iam.workloadIdentityUser" = [ diff --git a/fast/stages/01-resman/main.tf b/fast/stages/01-resman/main.tf index 6cefbd25..5520c03a 100644 --- a/fast/stages/01-resman/main.tf +++ b/fast/stages/01-resman/main.tf @@ -16,6 +16,10 @@ locals { # convenience flags that express where billing account resides + automation_resman_sa = format( + "serviceAccount:%s", + data.google_client_openid_userinfo.provider_identity.email + ) billing_ext = var.billing_account.organization_id == null billing_org = var.billing_account.organization_id == var.organization.id billing_org_ext = !local.billing_ext && !local.billing_org @@ -64,3 +68,5 @@ locals { try(var.automation.federated_identity_providers, null), {} ) } + +data "google_client_openid_userinfo" "provider_identity" {} From ee23694fed4cc3373578ee9fb1bf874da209adb7 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 23:09:35 +0200 Subject: [PATCH 29/31] revert service account modules changes to outputs --- modules/iam-service-account/README.md | 14 ++++++++------ modules/iam-service-account/outputs.tf | 12 +++--------- 2 files changed, 11 insertions(+), 15 deletions(-) diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md index fe07ddbf..ad39c389 100644 --- a/modules/iam-service-account/README.md 
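Review bot: `automation_resman_sa` is built with `format("serviceAccount:%s", data.google_client_openid_userinfo.provider_identity.email)`, which assumes the credential running stage 1 is always a service account; if a human principal ever applies the stage the result is a `serviceAccount:` prefix on a user email, the bindings that consume it fail or drift, and the member changes with every different applier. The bootstrap stage already exports the automation service accounts (the `service_accounts` output listed in its README), so deriving this member from the stage 0 outputs passed in via `var.automation` would make the binding deterministic and the local's name accurate; a comment on the local stating which identity it is expected to resolve to would help either way. PATCH 30 makes the data source conditional, but its main.tf hunk is outside this chunk. The `locals` block continues outside the hunk.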
+++ b/modules/iam-service-account/README.md @@ -2,6 +2,8 @@ This module allows simplified creation and management of one a service account and its IAM bindings. A key can optionally be generated and will be stored in Terraform state. To use it create a sensitive output in your root modules referencing the `key` output, then extract the private key from the JSON formatted outputs. Alternatively, the `key` can be generated with `openssl` library and only public part uploaded to the Service Account, for more refer to the [Onprem SA Key Management](../../examples/cloud-operations/onprem-sa-key-management/) example. +Note that this module does not fully comply with our design principles, as outputs have no dependencies on IAM bindings to prevent resource cycles. + ## Example ```hcl @@ -62,11 +64,11 @@ module "myproject-default-service-accounts" { | name | description | sensitive | |---|---|:---:| | [email](outputs.tf#L17) | Service account email. | | -| [iam_email](outputs.tf#L27) | IAM-format service account email. | | -| [id](outputs.tf#L37) | Service account id. | | -| [key](outputs.tf#L47) | Service account key. | ✓ | -| [name](outputs.tf#L53) | Service account name. | | -| [service_account](outputs.tf#L58) | Service account resource. | | -| [service_account_credentials](outputs.tf#L63) | Service account json credential templates for uploaded public keys data. | | +| [iam_email](outputs.tf#L25) | IAM-format service account email. | | +| [id](outputs.tf#L33) | Service account id. | | +| [key](outputs.tf#L41) | Service account key. | ✓ | +| [name](outputs.tf#L47) | Service account name. | | +| [service_account](outputs.tf#L52) | Service account resource. | | +| [service_account_credentials](outputs.tf#L57) | Service account json credential templates for uploaded public keys data. | | diff --git a/modules/iam-service-account/outputs.tf b/modules/iam-service-account/outputs.tf index 2823910b..42196534 100644 --- a/modules/iam-service-account/outputs.tf 
+++ b/modules/iam-service-account/outputs.tf @@ -18,9 +18,7 @@ output "email" { description = "Service account email." value = local.resource_email_static depends_on = [ - local.service_account, - google_service_account_iam_binding.roles, - google_service_account_iam_member.additive + local.service_account ] } @@ -28,9 +26,7 @@ output "iam_email" { description = "IAM-format service account email." value = local.resource_iam_email_static depends_on = [ - local.service_account, - google_service_account_iam_binding.roles, - google_service_account_iam_member.additive + local.service_account ] } @@ -38,9 +34,7 @@ output "id" { description = "Service account id." value = local.service_account.id depends_on = [ - local.service_account, - google_service_account_iam_binding.roles, - google_service_account_iam_member.additive + local.service_account ] } From a09eb39a962f075ab8330fabd10aa7da3afa584b Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 16 Jun 2022 23:11:08 +0200 Subject: [PATCH 30/31] disable provider data source when not needed, explicitly depend on CI/CD SAs --- fast/stages/01-resman/cicd-data-platform.tf | 6 ++++-- fast/stages/01-resman/cicd-networking.tf | 3 ++- fast/stages/01-resman/cicd-security.tf | 3 ++- fast/stages/01-resman/cicd-teams.tf | 6 ++++-- fast/stages/01-resman/main.tf | 13 +++++++++---- 5 files changed, 21 insertions(+), 10 deletions(-) diff --git a/fast/stages/01-resman/cicd-data-platform.tf b/fast/stages/01-resman/cicd-data-platform.tf index c5c08d7f..4a5c6d3f 100644 --- a/fast/stages/01-resman/cicd-data-platform.tf +++ b/fast/stages/01-resman/cicd-data-platform.tf @@ -47,6 +47,7 @@ module "branch-dp-dev-cicd-repo" { } } } + depends_on = [module.branch-dp-dev-sa-cicd] } module "branch-dp-prod-cicd-repo" { @@ -78,6 +79,7 @@ module "branch-dp-prod-cicd-repo" { } } } + depends_on = [module.branch-dp-prod-sa-cicd] } # SAs used by CI/CD workflows to impersonate automation SAs 
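Review bot: The added `depends_on = [module.branch-dp-dev-sa-cicd]` has no comment explaining why a module-level dependency is needed, and the reason is non-obvious: PATCH 29 documents that the service-account module's outputs deliberately do not depend on its IAM bindings, so without this the trigger could be created before the `serviceAccountUser` binding exists. A comment above the line, `# SA module outputs don't wait for IAM bindings, depend on the whole module`, would preserve that. The same applies to the `branch-dp-prod-cicd-repo` hunk below and to the matching cicd-networking, cicd-security and cicd-teams hunks of this patch. The module block starts outside the hunk.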
@@ -97,7 +99,7 @@ module "branch-dp-dev-sa-cicd" { each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos ? { - "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + "roles/iam.serviceAccountUser" = local.automation_resman_sa } # impersonated via workload identity federation for external repos : { @@ -138,7 +140,7 @@ module "branch-dp-prod-sa-cicd" { each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos ? { - "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + "roles/iam.serviceAccountUser" = local.automation_resman_sa } # impersonated via workload identity federation for external repos : { diff --git a/fast/stages/01-resman/cicd-networking.tf b/fast/stages/01-resman/cicd-networking.tf index 2853db88..95177047 100644 --- a/fast/stages/01-resman/cicd-networking.tf +++ b/fast/stages/01-resman/cicd-networking.tf @@ -45,6 +45,7 @@ module "branch-network-cicd-repo" { } } } + depends_on = [module.branch-network-sa-cicd] } # SA used by CI/CD workflows to impersonate automation SAs @@ -64,7 +65,7 @@ module "branch-network-sa-cicd" { each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos ? { - "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + "roles/iam.serviceAccountUser" = local.automation_resman_sa } # impersonated via workload identity federation for external repos : { diff --git a/fast/stages/01-resman/cicd-security.tf b/fast/stages/01-resman/cicd-security.tf index 601b7cc5..86fd84fd 100644 --- a/fast/stages/01-resman/cicd-security.tf +++ b/fast/stages/01-resman/cicd-security.tf @@ -45,6 +45,7 @@ module "branch-security-cicd-repo" { } } } + depends_on = [module.branch-security-sa-cicd] } # SA used by CI/CD workflows to impersonate automation SAs 
@@ -64,7 +65,7 @@ module "branch-security-sa-cicd" { each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos ? { - "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + "roles/iam.serviceAccountUser" = local.automation_resman_sa } # impersonated via workload identity federation for external repos : { diff --git a/fast/stages/01-resman/cicd-teams.tf b/fast/stages/01-resman/cicd-teams.tf index 67b333f6..f5e81fd3 100644 --- a/fast/stages/01-resman/cicd-teams.tf +++ b/fast/stages/01-resman/cicd-teams.tf @@ -47,6 +47,7 @@ module "branch-teams-dev-pf-cicd-repo" { } } } + depends_on = [module.branch-teams-dev-pf-sa-cicd] } module "branch-teams-prod-pf-cicd-repo" { @@ -78,6 +79,7 @@ module "branch-teams-prod-pf-cicd-repo" { } } } + depends_on = [module.branch-teams-prod-pf-sa-cicd] } # SAs used by CI/CD workflows to impersonate automation SAs @@ -97,7 +99,7 @@ module "branch-teams-dev-pf-sa-cicd" { each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos ? { - "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + "roles/iam.serviceAccountUser" = local.automation_resman_sa } # impersonated via workload identity federation for external repos : { @@ -138,7 +140,7 @@ module "branch-teams-prod-pf-sa-cicd" { each.value.type == "sourcerepo" # used directly from the cloud build trigger for source repos ? { - "roles/iam.serviceAccountUser" = [local.automation_resman_sa] + "roles/iam.serviceAccountUser" = local.automation_resman_sa } # impersonated via workload identity federation for external repos : { diff --git a/fast/stages/01-resman/main.tf b/fast/stages/01-resman/main.tf index 5520c03a..c4095796 100644 --- a/fast/stages/01-resman/main.tf +++ b/fast/stages/01-resman/main.tf 
@@ -16,9 +16,12 @@ locals { # convenience flags that express where billing account resides - automation_resman_sa = format( - "serviceAccount:%s", - data.google_client_openid_userinfo.provider_identity.email + automation_resman_sa = try( + [format( + "serviceAccount:%s", + data.google_client_openid_userinfo.provider_identity.0.email + )], + [] ) billing_ext = var.billing_account.organization_id == null billing_org = var.billing_account.organization_id == var.organization.id @@ -69,4 +72,6 @@ locals { ) } -data "google_client_openid_userinfo" "provider_identity" {} +data "google_client_openid_userinfo" "provider_identity" { + count = length(local.cicd_repositories) > 0 ? 1 : 0 +} From 6c80aedc681f849958d765d5bcf0cb3683c6526e Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Fri, 17 Jun 2022 07:36:12 +0200 Subject: [PATCH 31/31] Update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2bfa150..decff9ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ All notable changes to this project will be documented in this file. - add support for Cloud Source Repositories in stage 0 and 1 CI/CD - fix Gitlab workflow indentation - remove unsupported attributes and add supported ones to the Gitlab mapping used for Workload Identity Federation pools +- add roles for CI/CD source repositories to stage 1 service account on automation project +- fixes to CI/CD source repositories in stage 1 ## [16.0.0] - 2022-06-06
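Review bot: `try([format(...)], [])` masks more than the intended zero-count case, because `try()` falls back to `[]` on any evaluation error in the first argument, not only on an empty `provider_identity`; a mistyped attribute or a data source that returns no usable `email` would then silently yield no member, and since every `"roles/iam.serviceAccountUser" = local.automation_resman_sa` in the cicd-*.tf hunks consumes this list, the failure would likely surface only as a build trigger that cannot act as its service account at run time. A `for` expression over the counted data source produces the same zero-or-one-element list without hiding errors: `automation_resman_sa = [for u in data.google_client_openid_userinfo.provider_identity : format("serviceAccount:%s", u.email)]`. While there, the `count` on `provider_identity` deserves a short comment stating that it exists only to skip the identity lookup when `local.cicd_repositories` is empty, so the two expressions are kept in step.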