FAST: add support for project parents to bootstrap stage (#799)

* FAST: add support for project parents to bootstrap stage * change as per review comments
2022-09-08 14:11:46 +01:00 · 2022-09-08 14:11:46 +01:00 · 6035dc1491
parent 1e62078e37
commit 6035dc1491
6 changed files with 32 additions and 7 deletions
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@ -473,6 +473,7 @@ The remaining configuration is manual, as it regards the repositories themselves
 | [iam_additive](variables.tf#L146) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [log_sinks](variables.tf#L154) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#34;logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Factivity&#92;&#34; OR logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fsystem_event&#92;&#34;&#34;&#10;    type   &#61; &#34;bigquery&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#34;protoPayload.metadata.&#64;type&#61;&#92;&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#92;&#34;&#34;&#10;    type   &#61; &#34;bigquery&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
 | [outputs_location](variables.tf#L188) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> |  | <code>null</code> |  |
+| [project_parent_ids](variables.tf#L204) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; string&#10;  billing    &#61; string&#10;  logging    &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  automation &#61; null&#10;  billing    &#61; null&#10;  logging    &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |  |

 ## Outputs

--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@ -20,8 +20,10 @@ module "automation-project" {
  source          = "../../../modules/project"
  billing_account = var.billing_account.id
  name            = "iac-core-0"
-  parent          = "organizations/${var.organization.id}"
-  prefix          = local.prefix
+  parent = coalesce(
+    var.project_parent_ids.automation, "organizations/${var.organization.id}"
+  )
+  prefix = local.prefix
  # human (groups) IAM bindings
  group_iam = {
    (local.groups.gcp-devops) = [
--- a/fast/stages/00-bootstrap/billing.tf
+++ b/fast/stages/00-bootstrap/billing.tf
@ -33,8 +33,10 @@ module "billing-export-project" {
  count           = local.billing_org ? 1 : 0
  billing_account = var.billing_account.id
  name            = "billing-exp-0"
-  parent          = "organizations/${var.organization.id}"
-  prefix          = local.prefix
+  parent = coalesce(
+    var.project_parent_ids.billing, "organizations/${var.organization.id}"
+  )
+  prefix = local.prefix
  iam = {
    "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
  }
--- a/fast/stages/00-bootstrap/log-export.tf
+++ b/fast/stages/00-bootstrap/log-export.tf
@ -21,9 +21,11 @@ locals {
 }

 module "log-export-project" {
-  source          = "../../../modules/project"
-  name            = "audit-logs-0"
-  parent          = "organizations/${var.organization.id}"
+  source = "../../../modules/project"
+  name   = "audit-logs-0"
+  parent = coalesce(
+    var.project_parent_ids.logging, "organizations/${var.organization.id}"
+  )
  prefix          = local.prefix
  billing_account = var.billing_account.id
  iam = {
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@ -41,6 +41,9 @@ locals {
      [module.automation-tf-bootstrap-sa.iam_email],
      local._iam_bootstrap_user
    )
+    "roles/resourcemanager.projectMover" = [
+      module.automation-tf-bootstrap-sa.iam_email
+    ]
    "roles/resourcemanager.tagAdmin" = [
      module.automation-tf-resman-sa.iam_email
    ]
--- a/fast/stages/00-bootstrap/variables.tf
+++ b/fast/stages/00-bootstrap/variables.tf
@ -200,3 +200,18 @@ variable "prefix" {
    error_message = "Use a maximum of 9 characters for prefix."
  }
 }
+
+variable "project_parent_ids" {
+  description = "Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent."
+  type = object({
+    automation = string
+    billing    = string
+    logging    = string
+  })
+  default = {
+    automation = null
+    billing    = null
+    logging    = null
+  }
+  nullable = false
+}