Fix review comments.

2022-02-14 16:54:40 +01:00 · 2022-02-14 16:54:40 +01:00 · 7252e7ec01
parent 93ce6aac5b
commit 7252e7ec01
5 changed files with 37 additions and 54 deletions
--- a/fast/stages/01-resman/billing.tf
+++ b/fast/stages/01-resman/billing.tf
@ -20,16 +20,15 @@ locals {
  # used here for convenience, in organization.tf members are explicit
  billing_ext_users = concat(
    [
-      module.branch-dp-dev-sa.iam_email,
-      module.branch-dp-prod-sa.iam_email,
      module.branch-network-sa.iam_email,
      module.branch-security-sa.iam_email,
    ],
+    local.branch_dataplatform_sa_iam_emails,
    # enable if individual teams can create their own projects
    # [
    #   for k, v in module.branch-teams-team-sa : v.iam_email
    # ],
-    local.branch_teams_pf_sa_iam_emails
+    local.branch_teams_pf_sa_iam_emails,
  )
 }

--- a/fast/stages/01-resman/branch-dataplatform.tf
+++ b/fast/stages/01-resman/branch-dataplatform.tf
@ -21,36 +21,16 @@
 module "branch-dp-folder" {
  source = "../../../modules/folder"
  parent = "organizations/${var.organization.id}"
-  name   = "Dataplatform"
+  name   = "Data Platform"
 }

-#TODO check if I can delete those modules, Would you create a data-platform TF to run dev/prod?
-# module "branch-dp-sa" {
-#   source      = "../../../modules/iam-service-account"
-#   project_id  = var.automation_project_id
-#   name        = "resman-dp-0"
-#   description = "Terraform Data Platform production service account."
-#   prefix      = local.prefixes.prod
-# }
-
-# module "branch-dp-gcs" {
-#   source     = "../../../modules/gcs"
-#   project_id = var.automation_project_id
-#   name       = "dp-0"
-#   prefix     = local.prefixes.prod
-#   versioning = true
-#   iam = {
-#     "roles/storage.objectAdmin" = [module.branch-dp-sa.iam_email]
-#   }
-# }
-
 # environment: development folder

 module "branch-dp-dev-folder" {
  source = "../../../modules/folder"
  parent = module.branch-dp-folder.id
  # naming: environment descriptive name
-  name = "Data Platform - Development"
+  name = "Development"
  # environment-wide human permissions on the whole Data Platform environment
  group_iam = {}
  iam = {
@ -67,23 +47,26 @@ module "branch-dp-dev-folder" {
    "roles/resourcemanager.projectCreator" = [
      module.branch-dp-dev-sa.iam_email
    ]
+    "roles/compute.xpnAdmin" = [
+      module.branch-teams-dev-projectfactory-sa.iam_email
+    ]
  }
 }

 module "branch-dp-dev-sa" {
  source     = "../../../modules/iam-service-account"
  project_id = var.automation_project_id
-  name       = "resman-dp-dev-0"
+  name       = "dev-resman-dp-0"
  # naming: environment in description
  description = "Terraform Data Platform development service account."
-  prefix      = local.prefixes.dev
+  prefix      = var.prefix
 }

 module "branch-dp-dev-gcs" {
  source     = "../../../modules/gcs"
  project_id = var.automation_project_id
-  name       = "resman-dp-0"
-  prefix     = local.prefixes.dev
+  name       = "dev-resman-dp-0"
+  prefix     = var.prefix
  versioning = true
  iam = {
    "roles/storage.objectAdmin" = [module.branch-dp-dev-sa.iam_email]
@ -96,7 +79,7 @@ module "branch-dp-prod-folder" {
  source = "../../../modules/folder"
  parent = module.branch-dp-folder.id
  # naming: environment descriptive name
-  name = "Data Platform - Production"
+  name = "Production"
  # environment-wide human permissions on the whole Data Platform environment
  group_iam = {}
  iam = {
@ -113,23 +96,26 @@ module "branch-dp-prod-folder" {
    "roles/resourcemanager.projectCreator" = [
      module.branch-dp-prod-sa.iam_email
    ]
+    "roles/compute.xpnAdmin" = [
+      module.branch-teams-dev-projectfactory-sa.iam_email
+    ]
  }
 }

 module "branch-dp-prod-sa" {
  source     = "../../../modules/iam-service-account"
  project_id = var.automation_project_id
-  name       = "resman-dp-0"
+  name       = "prod-resman-dp-0"
  # naming: environment in description
  description = "Terraform Data Platform production service account."
-  prefix      = local.prefixes.prod
+  prefix      = var.prefix
 }

 module "branch-dp-prod-gcs" {
  source     = "../../../modules/gcs"
  project_id = var.automation_project_id
-  name       = "resman-dp-0"
-  prefix     = local.prefixes.prod
+  name       = "prod-resman-dp-0"
+  prefix     = var.prefix
  versioning = true
  iam = {
    "roles/storage.objectAdmin" = [module.branch-dp-prod-sa.iam_email]
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@ -69,7 +69,10 @@ module "organization" {
      )
    },
    local.billing_org ? {
-      "roles/billing.costsManager" = local.branch_teams_pf_sa_iam_emails
+      "roles/billing.costsManager" = concat(
+        local.branch_dataplatform_sa_iam_emails,
+        local.branch_teams_pf_sa_iam_emails
+      )
      "roles/billing.user" = concat(
        [
          module.branch-network-sa.iam_email,
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
@ -69,7 +69,6 @@ locals {
        networking-prod = module.branch-network-prod-folder.id
      }
      project_factory_sa = local._project_factory_sas
-      data_platform_sa   = local._data_platform_sas
    })
    "02-security" = jsonencode({
      folder_id = module.branch-security-folder.id
@ -78,12 +77,10 @@ locals {
      }
    })
    "03-data-platform-dev" = jsonencode({
-      folder_id        = module.branch-dp-dev-folder.id
-      date_platform_sa = module.branch-dp-dev-sa.iam_email
+      folder_id = module.branch-dp-dev-folder.id
    })
    "03-data-platform-prod" = jsonencode({
-      folder_id        = module.branch-dp-dev-folder.id
-      date_platform_sa = module.branch-dp-dev-sa.iam_email
+      folder_id = module.branch-dp-dev-folder.id
    })
  }
 }
--- a/fast/stages/02-networking-vpn/outputs.tf
+++ b/fast/stages/02-networking-vpn/outputs.tf
@ -27,24 +27,22 @@ locals {
      shared_vpc_self_link = module.prod-spoke-vpc.self_link
      vpc_host_project     = module.prod-spoke-project.project_id
    })
-    "03-data-platform-prod" = jsonencode({
-      network_self_link = module.prod-spoke-vpc.self_link
-      subnet_self_links = {
-        load           = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-lod-ew1"].self_link
-        orchestration  = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-orc-ew1"].self_link
-        transformation = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-trf-ew1"].self_link
+    "03-data-platform-dev" = jsonencode({
+      network_config = {
+        host_project      = module.dev-spoke-project.project_id
+        network_self_link = module.prod-spoke-vpc.self_link
+        subnet_self_links = {
+          load           = module.dev-spoke-vpc.subnets["europe-west1/dev-dp-lod-ew1"].self_link
+          orchestration  = module.dev-spoke-vpc.subnets["europe-west1/dev-dp-orc-ew1"].self_link
+          transformation = module.dev-spoke-vpc.subnets["europe-west1/dev-dp-trf-ew1"].self_link
+        }
      }
    })
    "03-data-platform-prod" = jsonencode({
      network_config = {
-        host_project = module.prod-spoke-project.project_id
-        network      = module.prod-spoke-vpc.self_link
-        vpc_subnet_range = {
-          load           = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-lod-ew1"].ip_cidr_range
-          orchestration  = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-orc-ew1"].ip_cidr_range
-          transformation = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-trf-ew1"].ip_cidr_range
-        }
-        vpc_subnet_self_link = {
+        host_project      = module.prod-spoke-project.project_id
+        network_self_link = module.prod-spoke-vpc.self_link
+        subnet_self_links = {
          load           = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-lod-ew1"].self_link
          orchestration  = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-orc-ew1"].self_link
          transformation = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-trf-ew1"].self_link