diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index f525193d..3ac9c09e 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -168,13 +168,13 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|---|---|:---:|:---:|:---:|:---:|
| [automation_project_id](variables.tf#L20) | Project id for the automation project created by the bootstrap stage. | string
| ✓ | | 00-bootstrap
|
| [billing_account](variables.tf#L26) | Billing account id and organization id ('nnnnnnnn' or null). | object({…})
| ✓ | | 00-bootstrap
|
-| [organization](variables.tf#L57) | Organization details. | object({…})
| ✓ | | 00-bootstrap
|
-| [prefix](variables.tf#L81) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 00-bootstrap
|
-| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | map(string)
| | {}
| 00-bootstrap
|
-| [groups](variables.tf#L42) | Group names to grant organization-level permissions. | map(string)
| | {…}
| 00-bootstrap
|
-| [organization_policy_configs](variables.tf#L67) | Organization policies customization. | object({…})
| | null
| |
-| [outputs_location](variables.tf#L75) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string
| | null
| |
-| [team_folders](variables.tf#L92) | Team folders to be created. Format is described in a code comment. | map(object({…}))
| | null
| |
+| [organization](variables.tf#L59) | Organization details. | object({…})
| ✓ | | 00-bootstrap
|
+| [prefix](variables.tf#L83) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 00-bootstrap
|
+| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 00-bootstrap
|
+| [groups](variables.tf#L44) | Group names to grant organization-level permissions. | map(string)
| | {…}
| 00-bootstrap
|
+| [organization_policy_configs](variables.tf#L69) | Organization policies customization. | object({…})
| | null
| |
+| [outputs_location](variables.tf#L77) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string
| | null
| |
+| [team_folders](variables.tf#L94) | Team folders to be created. Format is described in a code comment. | map(object({…}))
| | null
| |
## Outputs
diff --git a/fast/stages/01-resman/branch-data-platform.tf b/fast/stages/01-resman/branch-data-platform.tf
index 9585f051..e6ecad3f 100644
--- a/fast/stages/01-resman/branch-data-platform.tf
+++ b/fast/stages/01-resman/branch-data-platform.tf
@@ -35,10 +35,10 @@ module "branch-dp-dev-folder" {
name = "Development"
group_iam = {}
iam = {
+ (local.custom_roles.service_project_network_admin) = [module.branch-dp-dev-sa.iam_email]
# remove owner here and at project level if SA does not manage project resources
- "roles/compute.xpnAdmin" = [module.branch-dp-dev-sa.iam_email]
- "roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
"roles/owner" = [module.branch-dp-dev-sa.iam_email]
+ "roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
}
@@ -74,12 +74,12 @@ module "branch-dp-prod-folder" {
name = "Production"
group_iam = {}
iam = {
+ (local.custom_roles.service_project_network_admin) = [module.branch-dp-prod-sa.iam_email]
# remove owner here and at project level if SA does not manage project resources
- "roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
"roles/owner" = [module.branch-dp-prod-sa.iam_email]
+ "roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-dp-prod-sa.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
- "roles/compute.xpnAdmin" = [module.branch-dp-prod-sa.iam_email]
}
tag_bindings = {
context = module.organization.tag_values["environment/production"].id
diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
index 3b5e2ff1..43ababfc 100644
--- a/fast/stages/01-resman/branch-networking.tf
+++ b/fast/stages/01-resman/branch-networking.tf
@@ -82,7 +82,7 @@ module "branch-network-dev-folder" {
parent = module.branch-network-folder.id
name = "Development"
iam = {
- "roles/compute.xpnAdmin" = [
+ (local.custom_roles.service_project_network_admin) = [
module.branch-dp-dev-sa.iam_email,
module.branch-teams-dev-pf-sa.iam_email
]
diff --git a/fast/stages/01-resman/branch-teams.tf b/fast/stages/01-resman/branch-teams.tf
index a377be9a..8f615931 100644
--- a/fast/stages/01-resman/branch-teams.tf
+++ b/fast/stages/01-resman/branch-teams.tf
@@ -84,22 +84,12 @@ module "branch-teams-team-dev-folder" {
# environment-wide human permissions on the whole teams environment
group_iam = {}
iam = {
+ (local.custom_roles.service_project_network_admin) = [module.branch-teams-dev-pf-sa.iam_email]
# remove owner here and at project level if SA does not manage project resources
- "roles/owner" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
- "roles/logging.admin" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
- "roles/resourcemanager.folderAdmin" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
- "roles/resourcemanager.projectCreator" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
- "roles/compute.xpnAdmin" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
+ "roles/owner" = [module.branch-teams-dev-pf-sa.iam_email]
+ "roles/logging.admin" = [module.branch-teams-dev-pf-sa.iam_email]
+ "roles/resourcemanager.folderAdmin" = [module.branch-teams-dev-pf-sa.iam_email]
+ "roles/resourcemanager.projectCreator" = [module.branch-teams-dev-pf-sa.iam_email]
}
tag_bindings = {
environment = module.organization.tag_values["environment/development"].id
@@ -147,22 +137,12 @@ module "branch-teams-team-prod-folder" {
# environment-wide human permissions on the whole teams environment
group_iam = {}
iam = {
+ (local.custom_roles.service_project_network_admin) = [module.branch-teams-prod-pf-sa.iam_email]
# remove owner here and at project level if SA does not manage project resources
- "roles/owner" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
- "roles/logging.admin" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
- "roles/resourcemanager.folderAdmin" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
- "roles/resourcemanager.projectCreator" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
- "roles/compute.xpnAdmin" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
+ "roles/owner" = [module.branch-teams-prod-pf-sa.iam_email]
+ "roles/logging.admin" = [module.branch-teams-prod-pf-sa.iam_email]
+ "roles/resourcemanager.folderAdmin" = [module.branch-teams-prod-pf-sa.iam_email]
+ "roles/resourcemanager.projectCreator" = [module.branch-teams-prod-pf-sa.iam_email]
}
tag_bindings = {
environment = module.organization.tag_values["environment/production"].id
diff --git a/fast/stages/01-resman/main.tf b/fast/stages/01-resman/main.tf
index 9d12239e..0cc1c6bb 100644
--- a/fast/stages/01-resman/main.tf
+++ b/fast/stages/01-resman/main.tf
@@ -19,6 +19,7 @@ locals {
billing_ext = var.billing_account.organization_id == null
billing_org = var.billing_account.organization_id == var.organization.id
billing_org_ext = !local.billing_ext && !local.billing_org
+ custom_roles = coalesce(var.custom_roles, {})
groups = {
for k, v in var.groups :
k => "${v}@${var.organization.domain}"
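Review bot: The added `custom_roles = coalesce(var.custom_roles, {})` does not make the variable's new `default = null` (variables.tf hunk) safe: the `{}` fallback has no `service_project_network_admin` attribute, so every `(local.custom_roles.service_project_network_admin)` key this commit adds in branch-data-platform.tf, branch-networking.tf and branch-teams.tf fails to evaluate whenever the 00-bootstrap output is not wired in, whether `coalesce` itself rejects the mismatched object types or returns an object lacking the attribute (exact error presumably depends on the Terraform version). Since the stage cannot produce a valid folder IAM map without that role id, the honest contract is a required input: drop `default = null` from `variable "custom_roles"` and use `custom_roles = var.custom_roles` here, so a missing value fails at variable validation with a clear message instead of deep inside an IAM key expression. If a null default must be kept for the docs generator, a `validation` block on the variable checking `var.custom_roles != null` would give the same early, explicit failure. The enclosing `locals` block starts before this hunk.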
diff --git a/fast/stages/01-resman/variables.tf b/fast/stages/01-resman/variables.tf
index 7c8a584d..639aba6f 100644
--- a/fast/stages/01-resman/variables.tf
+++ b/fast/stages/01-resman/variables.tf
@@ -35,8 +35,10 @@ variable "billing_account" {
variable "custom_roles" {
# tfdoc:variable:source 00-bootstrap
description = "Custom roles defined at the org level, in key => id format."
- type = map(string)
- default = {}
+ type = object({
+ service_project_network_admin = string
+ })
+ default = null
}
variable "groups" {
diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
index 3c3cd3d6..a5acd921 100644
--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -40,9 +40,6 @@ module "dev-spoke-project" {
metric_scopes = [module.landing-project.project_id]
iam = {
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
- (local.custom_roles.service_project_network_admin) = values(
- local.service_accounts
- )
}
}
diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
index 28d0b089..9ce40bc2 100644
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -40,9 +40,6 @@ module "prod-spoke-project" {
metric_scopes = [module.landing-project.project_id]
iam = {
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
- (local.custom_roles.service_project_network_admin) = values(
- local.service_accounts
- )
}
}
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index f6457952..d62949af 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -41,9 +41,6 @@ module "dev-spoke-project" {
metric_scopes = [module.landing-project.project_id]
iam = {
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
- (local.custom_roles.service_project_network_admin) = values(
- local.service_accounts
- )
}
}
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index 09fc23a6..001bab75 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -41,9 +41,6 @@ module "prod-spoke-project" {
metric_scopes = [module.landing-project.project_id]
iam = {
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
- (local.custom_roles.service_project_network_admin) = values(
- local.service_accounts
- )
}
}
diff --git a/fast/stages/03-project-factory/dev/data/projects/project.yaml b/fast/stages/03-project-factory/dev/data/projects/project.yaml.sample
similarity index 100%
rename from fast/stages/03-project-factory/dev/data/projects/project.yaml
rename to fast/stages/03-project-factory/dev/data/projects/project.yaml.sample
diff --git a/tests/fast/stages/s01_resman/fixture/main.tf b/tests/fast/stages/s01_resman/fixture/main.tf
index 2509f4d5..e4e1bdf3 100644
--- a/tests/fast/stages/s01_resman/fixture/main.tf
+++ b/tests/fast/stages/s01_resman/fixture/main.tf
@@ -22,8 +22,8 @@ module "stage" {
organization_id = 123456789012
}
custom_roles = {
- "organizationIamAdmin" : "organizations/123456789012/roles/organizationIamAdmin",
- "xpnServiceAdmin" : "organizations/123456789012/roles/xpnServiceAdmin"
+ # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
+ service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
}
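Review bot: The commented-out `# organization_iam_admin = …` line in the fixture is dead configuration with no explanation; since the variable's object type now declares only `service_project_network_admin`, an extra attribute would presumably be rejected by Terraform's object conversion, which is why it was disabled. Either delete the line or replace it with a comment stating the intent, e.g. `# only service_project_network_admin is part of the custom_roles object type; see variables.tf`, so the fixture documents the constraint rather than hinting at an attribute that is not accepted.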
groups = {
gcp-billing-admins = "gcp-billing-admins",