diff --git a/fast/stages/01-resman/billing.tf b/fast/stages/01-resman/billing.tf
index 4d5f39b3..3e2020e7 100644
--- a/fast/stages/01-resman/billing.tf
+++ b/fast/stages/01-resman/billing.tf
@@ -20,16 +20,15 @@ locals {
 # used here for convenience, in organization.tf members are explicit
 billing_ext_users = concat(
 [
- module.branch-dp-dev-sa.iam_email,
- module.branch-dp-prod-sa.iam_email,
 module.branch-network-sa.iam_email,
 module.branch-security-sa.iam_email,
 ],
+ local.branch_dataplatform_sa_iam_emails,
 # enable if individual teams can create their own projects
 # [
 # for k, v in module.branch-teams-team-sa : v.iam_email
 # ],
- local.branch_teams_pf_sa_iam_emails
+ local.branch_teams_pf_sa_iam_emails,
 )
 }
diff --git a/fast/stages/01-resman/branch-dataplatform.tf b/fast/stages/01-resman/branch-dataplatform.tf
index 57a96b4d..2573564a 100644
--- a/fast/stages/01-resman/branch-dataplatform.tf
+++ b/fast/stages/01-resman/branch-dataplatform.tf
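Review bot: `local.branch_dataplatform_sa_iam_emails` is added to `billing_ext_users` here (and reused in the organization.tf hunk for `roles/billing.costsManager`), but no hunk in this patch defines that local, so unless it is already declared elsewhere in 01-resman the plan fails on an undeclared local. Please confirm the definition exists and that it yields exactly the two emails the removed explicit entries `module.branch-dp-dev-sa.iam_email` and `module.branch-dp-prod-sa.iam_email` covered, since this list decides which service accounts get billing permissions. A short comment on the new line would help readers, e.g. `# dev/prod Data Platform automation SAs`. The enclosing `locals` block starts outside the hunk.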
@@ -21,36 +21,16 @@ module "branch-dp-folder" {
 source = "../../../modules/folder"
 parent = "organizations/${var.organization.id}"
- name = "Dataplatform"
+ name = "Data Platform"
 }
 
-#TODO check if I can delete those modules, Would you create a data-platform TF to run dev/prod?
-# module "branch-dp-sa" {
-# source = "../../../modules/iam-service-account"
-# project_id = var.automation_project_id
-# name = "resman-dp-0"
-# description = "Terraform Data Platform production service account."
-# prefix = local.prefixes.prod
-# }
-
-# module "branch-dp-gcs" {
-# source = "../../../modules/gcs"
-# project_id = var.automation_project_id
-# name = "dp-0"
-# prefix = local.prefixes.prod
-# versioning = true
-# iam = {
-# "roles/storage.objectAdmin" = [module.branch-dp-sa.iam_email]
-# }
-# }
-
 # environment: development folder
 module "branch-dp-dev-folder" {
 source = "../../../modules/folder"
 parent = module.branch-dp-folder.id
 # naming: environment descriptive name
- name = "Data Platform - Development"
+ name = "Development"
 # environment-wide human permissions on the whole Data Platform environment
 group_iam = {}
 iam = {
@@ -67,23 +47,26 @@ module "branch-dp-dev-folder" {
 "roles/resourcemanager.projectCreator" = [
 module.branch-dp-dev-sa.iam_email
 ]
+ "roles/compute.xpnAdmin" = [
+ module.branch-teams-dev-projectfactory-sa.iam_email
+ ]
 }
 }
 
 module "branch-dp-dev-sa" {
 source = "../../../modules/iam-service-account"
 project_id = var.automation_project_id
- name = "resman-dp-dev-0"
+ name = "dev-resman-dp-0"
 # naming: environment in description
 description = "Terraform Data Platform development service account."
- prefix = local.prefixes.dev
+ prefix = var.prefix
 }
 
 module "branch-dp-dev-gcs" {
 source = "../../../modules/gcs"
 project_id = var.automation_project_id
- name = "resman-dp-0"
- prefix = local.prefixes.dev
+ name = "dev-resman-dp-0"
+ prefix = var.prefix
 versioning = true
 iam = {
 "roles/storage.objectAdmin" = [module.branch-dp-dev-sa.iam_email]
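Review bot: The new `roles/compute.xpnAdmin` binding on the dev Data Platform folder is granted to a service account from another branch, `module.branch-teams-dev-projectfactory-sa.iam_email`, rather than to the folder's own `module.branch-dp-dev-sa`, and nothing in the hunk records why the teams project factory needs Shared VPC admin over this folder; without a why-comment the next maintainer is likely to "fix" it back. If attaching Data Platform projects to the shared VPC host is the intent, a line such as `# project factory SA attaches DP projects to the Shared VPC host (xpnAdmin needed at folder level)` above the binding would document it. Renaming the SA from `resman-dp-dev-0` to `dev-resman-dp-0` and switching `prefix` from `local.prefixes.dev` to `var.prefix` changes the resulting SA email and bucket name, so presumably the account is recreated and any binding outside this stage that still references the old email needs to be updated in the same change. The enclosing `iam` map of `branch-dp-dev-folder` starts outside the hunk.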
@@ -96,7 +79,7 @@ module "branch-dp-prod-folder" {
 source = "../../../modules/folder"
 parent = module.branch-dp-folder.id
 # naming: environment descriptive name
- name = "Data Platform - Production"
+ name = "Production"
 # environment-wide human permissions on the whole Data Platform environment
 group_iam = {}
 iam = {
@@ -113,23 +96,26 @@ module "branch-dp-prod-folder" {
 "roles/resourcemanager.projectCreator" = [
 module.branch-dp-prod-sa.iam_email
 ]
+ "roles/compute.xpnAdmin" = [
+ module.branch-teams-dev-projectfactory-sa.iam_email
+ ]
 }
 }
 
 module "branch-dp-prod-sa" {
 source = "../../../modules/iam-service-account"
 project_id = var.automation_project_id
- name = "resman-dp-0"
+ name = "prod-resman-dp-0"
 # naming: environment in description
 description = "Terraform Data Platform production service account."
- prefix = local.prefixes.prod
+ prefix = var.prefix
 }
 
 module "branch-dp-prod-gcs" {
 source = "../../../modules/gcs"
 project_id = var.automation_project_id
- name = "resman-dp-0"
- prefix = local.prefixes.prod
+ name = "prod-resman-dp-0"
+ prefix = var.prefix
 versioning = true
 iam = {
 "roles/storage.objectAdmin" = [module.branch-dp-prod-sa.iam_email]
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 5c9bed6a..bfd25a69 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -69,7 +69,10 @@ module "organization" {
 )
 },
 local.billing_org ? {
- "roles/billing.costsManager" = local.branch_teams_pf_sa_iam_emails
+ "roles/billing.costsManager" = concat(
+ local.branch_dataplatform_sa_iam_emails,
+ local.branch_teams_pf_sa_iam_emails
+ )
 "roles/billing.user" = concat(
 [
 module.branch-network-sa.iam_email,
diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
index 1df5ea1a..9fc6f636 100644
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
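Review bot: In the second hunk of this file, the production Data Platform folder grants `roles/compute.xpnAdmin` to `module.branch-teams-dev-projectfactory-sa.iam_email`, i.e. the development project-factory identity gets Shared VPC admin over production projects, while every other binding in the same module pairs the prod folder with prod identities (`module.branch-dp-prod-sa`). This reads as a copy of the dev-folder hunk that was not adjusted for the environment; if a prod project-factory service account module exists in this stage, the member should presumably be its `iam_email` instead, and if none exists the binding should be left out of the prod folder until one does. The enclosing `iam` map of `branch-dp-prod-folder` starts outside the hunk.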
@@ -69,7 +69,6 @@ locals {
 networking-prod = module.branch-network-prod-folder.id
 }
 project_factory_sa = local._project_factory_sas
- data_platform_sa = local._data_platform_sas
 })
 "02-security" = jsonencode({
 folder_id = module.branch-security-folder.id
@@ -78,12 +77,10 @@ locals {
 }
 })
 "03-data-platform-dev" = jsonencode({
- folder_id = module.branch-dp-dev-folder.id
- date_platform_sa = module.branch-dp-dev-sa.iam_email
+ folder_id = module.branch-dp-dev-folder.id
 })
 "03-data-platform-prod" = jsonencode({
- folder_id = module.branch-dp-dev-folder.id
- date_platform_sa = module.branch-dp-dev-sa.iam_email
+ folder_id = module.branch-dp-dev-folder.id
 })
 }
 }
diff --git a/fast/stages/02-networking-vpn/outputs.tf b/fast/stages/02-networking-vpn/outputs.tf
index b76aa65b..be14f3b6 100644
--- a/fast/stages/02-networking-vpn/outputs.tf
+++ b/fast/stages/02-networking-vpn/outputs.tf
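Review bot: In the second hunk the `03-data-platform-prod` output is rewritten but keeps `folder_id = module.branch-dp-dev-folder.id` on the new side, so the production data platform stage is handed the development folder id and would create its projects under the dev folder; the prod folder module `branch-dp-prod-folder` exists in branch-dataplatform.tf in this same patch. The added line should read `folder_id = module.branch-dp-prod-folder.id`. The `locals` block these outputs belong to starts outside the hunk.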
@@ -27,24 +27,22 @@ locals {
 shared_vpc_self_link = module.prod-spoke-vpc.self_link
 vpc_host_project = module.prod-spoke-project.project_id
 })
- "03-data-platform-prod" = jsonencode({
- network_self_link = module.prod-spoke-vpc.self_link
- subnet_self_links = {
- load = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-lod-ew1"].self_link
- orchestration = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-orc-ew1"].self_link
- transformation = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-trf-ew1"].self_link
+ "03-data-platform-dev" = jsonencode({
+ network_config = {
+ host_project = module.dev-spoke-project.project_id
+ network_self_link = module.prod-spoke-vpc.self_link
+ subnet_self_links = {
+ load = module.dev-spoke-vpc.subnets["europe-west1/dev-dp-lod-ew1"].self_link
+ orchestration = module.dev-spoke-vpc.subnets["europe-west1/dev-dp-orc-ew1"].self_link
+ transformation = module.dev-spoke-vpc.subnets["europe-west1/dev-dp-trf-ew1"].self_link
+ }
 }
 })
 "03-data-platform-prod" = jsonencode({
 network_config = {
- host_project = module.prod-spoke-project.project_id
- network = module.prod-spoke-vpc.self_link
- vpc_subnet_range = {
- load = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-lod-ew1"].ip_cidr_range
- orchestration = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-orc-ew1"].ip_cidr_range
- transformation = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-trf-ew1"].ip_cidr_range
- }
- vpc_subnet_self_link = {
+ host_project = module.prod-spoke-project.project_id
+ network_self_link = module.prod-spoke-vpc.self_link
+ subnet_self_links = {
 load = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-lod-ew1"].self_link
 orchestration = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-orc-ew1"].self_link
 transformation = module.prod-spoke-vpc.subnets["europe-west1/prod-dp-trf-ew1"].self_link
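Review bot: In the new `03-data-platform-dev` output, `network_self_link = module.prod-spoke-vpc.self_link` sits between `host_project = module.dev-spoke-project.project_id` and subnet links taken from `module.dev-spoke-vpc`, so the dev data platform stage would receive the production VPC self link alongside dev host project and dev subnets. The line should presumably be `network_self_link = module.dev-spoke-vpc.self_link`, matching the prod block where all three values come from the prod spoke. The hunk's last context lines leave the prod `subnet_self_links` map open, so the end of that block and of the enclosing `locals` is outside the hunk.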