From 6035dc14917ca5c29743c5dd23ff1b1890672fb5 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Thu, 8 Sep 2022 14:11:46 +0100
Subject: [PATCH] FAST: add support for project parents to bootstrap stage
 (#799)

* FAST: add support for project parents to bootstrap stage

* change as per review comments
---
 fast/stages/00-bootstrap/README.md       |  1 +
 fast/stages/00-bootstrap/automation.tf   |  6 ++++--
 fast/stages/00-bootstrap/billing.tf      |  6 ++++--
 fast/stages/00-bootstrap/log-export.tf   |  8 +++++---
 fast/stages/00-bootstrap/organization.tf |  3 +++
 fast/stages/00-bootstrap/variables.tf    | 15 +++++++++++++++
 6 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index 5b7f495d..6fb5d9c5 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@@ -473,6 +473,7 @@ The remaining configuration is manual, as it regards the repositories themselves
 | [iam_additive](variables.tf#L146) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [log_sinks](variables.tf#L154) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#34;logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Factivity&#92;&#34; OR logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fsystem_event&#92;&#34;&#34;&#10;    type   &#61; &#34;bigquery&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#34;protoPayload.metadata.&#64;type&#61;&#92;&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#92;&#34;&#34;&#10;    type   &#61; &#34;bigquery&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
 | [outputs_location](variables.tf#L188) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> |  | <code>null</code> |  |
+| [project_parent_ids](variables.tf#L204) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; string&#10;  billing    &#61; string&#10;  logging    &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  automation &#61; null&#10;  billing    &#61; null&#10;  logging    &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |  |
 
 ## Outputs
 
diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf
index 32448990..41ba44e4 100644
--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@@ -20,8 +20,10 @@ module "automation-project" {
   source          = "../../../modules/project"
   billing_account = var.billing_account.id
   name            = "iac-core-0"
-  parent          = "organizations/${var.organization.id}"
-  prefix          = local.prefix
+  parent = coalesce(
+    var.project_parent_ids.automation, "organizations/${var.organization.id}"
+  )
+  prefix = local.prefix
   # human (groups) IAM bindings
   group_iam = {
     (local.groups.gcp-devops) = [
diff --git a/fast/stages/00-bootstrap/billing.tf b/fast/stages/00-bootstrap/billing.tf
index 4fc74ce2..1291ef42 100644
--- a/fast/stages/00-bootstrap/billing.tf
+++ b/fast/stages/00-bootstrap/billing.tf
@@ -33,8 +33,10 @@ module "billing-export-project" {
   count           = local.billing_org ? 1 : 0
   billing_account = var.billing_account.id
   name            = "billing-exp-0"
-  parent          = "organizations/${var.organization.id}"
-  prefix          = local.prefix
+  parent = coalesce(
+    var.project_parent_ids.billing, "organizations/${var.organization.id}"
+  )
+  prefix = local.prefix
   iam = {
     "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
   }
diff --git a/fast/stages/00-bootstrap/log-export.tf b/fast/stages/00-bootstrap/log-export.tf
index a0019914..6844985e 100644
--- a/fast/stages/00-bootstrap/log-export.tf
+++ b/fast/stages/00-bootstrap/log-export.tf
@@ -21,9 +21,11 @@ locals {
 }
 
 module "log-export-project" {
-  source          = "../../../modules/project"
-  name            = "audit-logs-0"
-  parent          = "organizations/${var.organization.id}"
+  source = "../../../modules/project"
+  name   = "audit-logs-0"
+  parent = coalesce(
+    var.project_parent_ids.logging, "organizations/${var.organization.id}"
+  )
   prefix          = local.prefix
   billing_account = var.billing_account.id
   iam = {
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index 0e69681d..e2bdbde5 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -41,6 +41,9 @@ locals {
       [module.automation-tf-bootstrap-sa.iam_email],
       local._iam_bootstrap_user
     )
+    "roles/resourcemanager.projectMover" = [
+      module.automation-tf-bootstrap-sa.iam_email
+    ]
     "roles/resourcemanager.tagAdmin" = [
       module.automation-tf-resman-sa.iam_email
     ]
diff --git a/fast/stages/00-bootstrap/variables.tf b/fast/stages/00-bootstrap/variables.tf
index e9cc26e3..3946fcf9 100644
--- a/fast/stages/00-bootstrap/variables.tf
+++ b/fast/stages/00-bootstrap/variables.tf
@@ -200,3 +200,18 @@ variable "prefix" {
     error_message = "Use a maximum of 9 characters for prefix."
   }
 }
+
+variable "project_parent_ids" {
+  description = "Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent."
+  type = object({
+    automation = string
+    billing    = string
+    logging    = string
+  })
+  default = {
+    automation = null
+    billing    = null
+    logging    = null
+  }
+  nullable = false
+}