This commit is contained in:
Ludovico Magnocavallo 2022-06-30 18:22:57 +02:00
parent 7786dd3d90
commit 7b5ced7e15
19 changed files with 166 additions and 118 deletions


@ -56,7 +56,8 @@ module "branch-dp-dev-folder" {
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.environment}/development"].id, null
module.organization.tag_values["${var.tag_names.environment}/development"].id,
null
)
}
}
@ -82,7 +83,8 @@ module "branch-dp-prod-folder" {
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.environment}/production"].id, null
module.organization.tag_values["${var.tag_names.environment}/production"].id,
null
)
}
}


@ -16,99 +16,137 @@
# tfdoc:file:description GKE multitenant stage resources.
# top-level gke folder
moved {
from = module.branch-gke-folder
to = module.branch-gke-folder.0
}
module "branch-gke-folder" {
source = "../../../modules/folder"
count = var.fast_features.gke ? 1 : 0
parent = "organizations/${var.organization.id}"
name = "GKE"
# iam = {
# "roles/logging.admin" = [module.branch-gke-sa.iam_email]
# "roles/owner" = [module.branch-gke-sa.iam_email]
# "roles/resourcemanager.folderAdmin" = [module.branch-gke-sa.iam_email]
# "roles/resourcemanager.projectCreator" = [module.branch-gke-sa.iam_email]
# }
}
# GKE-level folders, service accounts and buckets for each individual environment
module "branch-gke-prod-folder" {
source = "../../../modules/folder"
parent = module.branch-gke-folder.id
name = "Production"
iam = {
"roles/owner" = [
module.branch-gke-prod-sa.iam_email
]
"roles/resourcemanager.projectCreator" = [
module.branch-gke-prod-sa.iam_email
]
"roles/compute.xpnAdmin" = [
module.branch-gke-prod-sa.iam_email
]
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.context}/gke"].id, null
)
}
}
module "branch-gke-prod-sa" {
source = "../../../modules/iam-service-account"
project_id = var.automation.project_id
name = "prod-resman-gke-0"
description = "Terraform gke multitenant prod service account."
prefix = var.prefix
iam = {
# FIXME(jccb): who should we use here?
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
}
moved {
from = module.branch-gke-dev-folder
to = module.branch-gke-dev-folder.0
}
module "branch-gke-prod-gcs" {
source = "../../../modules/gcs"
project_id = var.automation.project_id
name = "prod-resman-gke-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-gke-prod-sa.iam_email]
}
}
module "branch-gke-dev-folder" {
source = "../../../modules/folder"
parent = module.branch-gke-folder.id
count = var.fast_features.gke ? 1 : 0
parent = module.branch-gke-folder.0.id
name = "Development"
iam = {
"roles/owner" = [
module.branch-gke-dev-sa.iam_email
]
"roles/resourcemanager.projectCreator" = [
module.branch-gke-dev-sa.iam_email
]
"roles/compute.xpnAdmin" = [
module.branch-gke-dev-sa.iam_email
]
"roles/owner" = [module.branch-gke-dev-sa.0.iam_email]
"roles/logging.admin" = [module.branch-gke-dev-sa.0.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-gke-dev-sa.0.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-gke-dev-sa.0.iam_email]
"roles/compute.xpnAdmin" = [module.branch-gke-dev-sa.0.iam_email]
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.environment}/development"].id,
null
)
}
}
moved {
from = module.branch-gke-prod-folder
to = module.branch-gke-prod-folder.0
}
module "branch-gke-prod-folder" {
source = "../../../modules/folder"
count = var.fast_features.gke ? 1 : 0
parent = module.branch-gke-folder.0.id
name = "Production"
iam = {
"roles/owner" = [module.branch-gke-prod-sa.0.iam_email]
"roles/logging.admin" = [module.branch-gke-prod-sa.0.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-gke-prod-sa.0.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-gke-prod-sa.0.iam_email]
"roles/compute.xpnAdmin" = [module.branch-gke-prod-sa.0.iam_email]
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.environment}/production"].id,
null
)
}
}
moved {
from = module.branch-gke-dev-sa
to = module.branch-gke-dev-sa.0
}
module "branch-gke-dev-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.gke ? 1 : 0
project_id = var.automation.project_id
name = "dev-resman-gke-0"
description = "Terraform gke multitenant dev service account."
prefix = var.prefix
iam = {
# FIXME(jccb): who should we use here?
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
}
}
moved {
from = module.branch-gke-prod-sa
to = module.branch-gke-prod-sa.0
}
module "branch-gke-prod-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.gke ? 1 : 0
project_id = var.automation.project_id
name = "prod-resman-gke-0"
description = "Terraform gke multitenant prod service account."
prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = ["group:${local.groups.gcp-devops}"]
}
}
moved {
from = module.branch-gke-dev-gcs
to = module.branch-gke-dev-gcs.0
}
module "branch-gke-dev-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.gke ? 1 : 0
project_id = var.automation.project_id
name = "dev-resman-gke-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-gke-dev-sa.iam_email]
"roles/storage.objectAdmin" = [module.branch-gke-dev-sa.0.iam_email]
}
}
moved {
from = module.branch-gke-prod-gcs
to = module.branch-gke-prod-gcs.0
}
module "branch-gke-prod-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.gke ? 1 : 0
project_id = var.automation.project_id
name = "prod-resman-gke-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-gke-prod-sa.0.iam_email]
}
}
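Review bot: The `# FIXME(jccb): who should we use here?` question about the `roles/iam.serviceAccountTokenCreator` grant is kept on `branch-gke-dev-sa` but silently dropped from `branch-gke-prod-sa`, although both blocks still hand token creation on the automation SA to `group:${local.groups.gcp-devops}`. Since the prod SA holds `roles/owner` and `roles/resourcemanager.folderAdmin` on the Production folder, anyone in that group can mint tokens for it and effectively own the prod GKE folder, so the open question matters more for prod than for dev; either keep the FIXME on both blocks or resolve it with a narrower principal before merging. Separately, `roles/logging.admin` and `roles/resourcemanager.folderAdmin` are newly added next to `roles/owner` on both environment folders; they appear to be redundant with owner and, if the intent is to eventually drop owner, a short comment saying so would help (`# explicit roles kept so roles/owner can be removed later`).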


@ -50,15 +50,16 @@ module "branch-network-prod-folder" {
parent = module.branch-network-folder.id
name = "Production"
iam = {
"roles/compute.xpnAdmin" = compact([
(local.custom_roles.service_project_network_admin) = compact([
try(module.branch-dp-prod-sa.0.iam_email, ""),
try(module.branch-pf-prod-sa.0.iam_email, ""),
module.branch-gke-prod-sa.iam_email,
try(module.branch-gke-prod-sa.0.iam_email, ""),
])
}
tag_bindings = {
environment = try(
module.organization.tag_values["${var.tag_names.environment}/production"].id, null
module.organization.tag_values["${var.tag_names.environment}/production"].id,
null
)
}
}
@ -71,12 +72,13 @@ module "branch-network-dev-folder" {
(local.custom_roles.service_project_network_admin) = compact([
try(module.branch-dp-dev-sa.0.iam_email, ""),
try(module.branch-pf-dev-sa.0.iam_email, ""),
module.branch-gke-dev-sa.iam_email,
try(module.branch-gke-dev-sa.iam_email, ""),
])
}
tag_bindings = {
environment = try(
module.organization.tag_values["${var.tag_names.environment}/development"].id, null
module.organization.tag_values["${var.tag_names.environment}/development"].id,
null
)
}
}
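Review bot: The dev binding references `try(module.branch-gke-dev-sa.iam_email, "")`, without the `.0` index that the prod counterpart uses (`try(module.branch-gke-prod-sa.0.iam_email, "")`) and that this commit introduces everywhere else now that the module has `count`. Because the reference is wrapped in `try()`, the invalid attribute lookup is likely to be swallowed into `""` and removed by `compact()`, so the dev GKE service account would silently never receive `service_project_network_admin` on the dev networking folder instead of failing at plan time. Change the line to `try(module.branch-gke-dev-sa.0.iam_email, ""),`. The `branch-network-dev-folder` module block starts outside this hunk.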


@ -29,8 +29,8 @@ locals {
branch_gke_sa_iam_emails = (
var.fast_features.gke
? [
module.branch-gke-dev-sa.iam_email,
module.branch-gke-prod-sa.iam_email
module.branch-gke-dev-sa.0.iam_email,
module.branch-gke-prod-sa.0.iam_email
]
: []
)


@ -62,16 +62,16 @@ locals {
}
folder_ids = merge(
{
data-platform-dev = try(module.branch-dp-dev-folder.0.id, null)
data-platform-prod = try(module.branch-dp-prod-folder.0.id, null)
gke-multitenant-dev = module.branch-gke-dev-folder.id
gke-multitenant-prod = module.branch-gke-prod-folder.id
networking = module.branch-network-folder.id
networking-dev = module.branch-network-dev-folder.id
networking-prod = module.branch-network-prod-folder.id
sandbox = try(module.branch-sandbox-folder.0.id, null)
security = module.branch-security-folder.id
teams = try(module.branch-teams-folder.0.id, null)
data-platform-dev = try(module.branch-dp-dev-folder.0.id, null)
data-platform-prod = try(module.branch-dp-prod-folder.0.id, null)
gke-dev = try(module.branch-gke-dev-folder.0.id, null)
gke-prod = try(module.branch-gke-prod-folder.0.id, null)
networking = module.branch-network-folder.id
networking-dev = module.branch-network-dev-folder.id
networking-prod = module.branch-network-prod-folder.id
sandbox = try(module.branch-sandbox-folder.0.id, null)
security = module.branch-security-folder.id
teams = try(module.branch-teams-folder.0.id, null)
},
{
for k, v in module.branch-teams-team-folder :
@ -98,16 +98,6 @@ locals {
name = "security"
sa = module.branch-security-sa.email
})
"03-gke-dev" = templatefile(local._tpl_providers, {
bucket = module.branch-gke-dev-gcs.name
name = "gke-dev"
sa = module.branch-gke-dev-sa.email
})
"03-gke-prod" = templatefile(local._tpl_providers, {
bucket = module.branch-gke-prod-gcs.name
name = "gke-prod"
sa = module.branch-gke-prod-sa.email
})
},
!var.fast_features.data_platform ? {} : {
"03-data-platform-dev" = templatefile(local._tpl_providers, {
@ -121,6 +111,18 @@ locals {
sa = module.branch-dp-prod-sa.0.email
})
},
!var.fast_features.gke ? {} : {
"03-gke-dev" = templatefile(local._tpl_providers, {
bucket = module.branch-gke-dev-gcs.0.name
name = "gke-dev"
sa = module.branch-gke-dev-sa.0.email
})
"03-gke-prod" = templatefile(local._tpl_providers, {
bucket = module.branch-gke-prod-gcs.0.name
name = "gke-prod"
sa = module.branch-gke-prod-sa.0.email
})
},
!var.fast_features.project_factory ? {} : {
"03-project-factory-dev" = templatefile(local._tpl_providers, {
bucket = module.branch-pf-dev-gcs.0.name
@ -252,18 +254,22 @@ output "security" {
output "gke_multitenant" {
# tfdoc:output:consumers 03-gke-multitenant
description = "Data for the GKE multitenant stage."
value = {
"dev" = {
folder = module.branch-gke-dev-folder.id
gcs_bucket = module.branch-gke-dev-gcs.name
service_account = module.branch-gke-dev-sa.email
value = (
var.fast_features.gke
? {
"dev" = {
folder = module.branch-gke-dev-folder.0.id
gcs_bucket = module.branch-gke-dev-gcs.0.name
service_account = module.branch-gke-dev-sa.0.email
}
"prod" = {
folder = module.branch-gke-prod-folder.0.id
gcs_bucket = module.branch-gke-prod-gcs.0.name
service_account = module.branch-gke-prod-sa.0.email
}
}
"prod" = {
folder = module.branch-gke-prod-folder.id
gcs_bucket = module.branch-gke-prod-gcs.name
service_account = module.branch-gke-prod-sa.email
}
}
: {}
)
}
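Review bot: The `folder_ids` keys are renamed from `gke-multitenant-*` to `gke-*`, and the networking stages in this commit now read `local.service_accounts.gke-dev` / `gke-prod`, but the `service_accounts` map this file emits is not touched by any visible hunk; if its keys still say `gke-multitenant-*`, the `var.service_accounts` object type in 02-networking (`gke-dev = string`, `gke-prod = string`) will not match the tfvars produced here. Please confirm that map was renamed as well, or add the rename to this commit. The unchanged `# tfdoc:output:consumers 03-gke-multitenant` annotation on the `gke_multitenant` output also still names the old stage while the gke-hub hunk now syncs `fast/stages/03-gke/config`; if the stage directory was renamed, update it to `# tfdoc:output:consumers 03-gke`.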
output "teams" {


@ -126,7 +126,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-dev,
local.service_accounts.project-factory-dev,
local.service_accounts.gke-multitenant-dev,
local.service_accounts.gke-dev,
])
condition {
title = "dev_stage3_sa_delegated_grants"


@ -126,7 +126,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-prod,
local.service_accounts.project-factory-prod,
local.service_accounts.gke-multitenant-prod,
local.service_accounts.gke-prod,
])
condition {
title = "prod_stage3_sa_delegated_grants"


@ -209,8 +209,8 @@ variable "service_accounts" {
type = object({
data-platform-dev = string
data-platform-prod = string
gke-multitenant-dev = string
gke-multitenant-prod = string
gke-dev = string
gke-prod = string
project-factory-dev = string
project-factory-prod = string
})
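Review bot: The `service_accounts` variable type now declares `gke-dev` and `gke-prod`, but the tfdoc-generated README tables in this same commit list `gke-dev` next to the old `gke-multitenant-prod`, so the documentation was only half regenerated and no longer matches the type. Re-run tfdoc after this change so the README reflects `gke-dev &#61; string&#10; gke-prod &#61; string`. The same mismatch applies to the other two `variables.tf` sections below that make the identical rename and their accompanying README tables.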


@ -151,8 +151,8 @@ There are two broad sets of variables you will need to fill in:
To avoid the tedious job of filling in the first group of variables with values derived from other stages' outputs, the same mechanism used above for the provider configuration can be used to leverage pre-configured `.tfvars` files.
If you have set a valid value for `outputs_location` in the bootstrap and in the resman stage, simply link the relevant `*.auto.tfvars.json` files from this stage's folder in the path you specified.
The `*` above is set to the name of the stage that produced it, except for `globals.auto.tfvars.json` which is also generated by the bootstrap stage, containing global values compiled manually for the bootstrap stage.
If you have set a valid value for `outputs_location` in the bootstrap and in the resman stage, simply link the relevant `*.auto.tfvars.json` files from this stage's folder in the path you specified.
The `*` above is set to the name of the stage that produced it, except for `globals.auto.tfvars.json` which is also generated by the bootstrap stage, containing global values compiled manually for the bootstrap stage.
For this stage, link the following files:
```bash
@ -302,7 +302,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | <code title="map&#40;object&#40;&#123;&#10; export_local_custom_routes &#61; bool&#10; export_peer_custom_routes &#61; bool&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#10; export_local_custom_routes &#61; true&#10; export_peer_custom_routes &#61; true&#10; &#125;&#10; prod &#61; &#123;&#10; export_local_custom_routes &#61; true&#10; export_peer_custom_routes &#61; true&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object&#40;&#123;&#10; dev &#61; object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10; &#125;&#41;&#10; prod &#61; object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; custom &#61; list&#40;string&#41;&#10; default &#61; bool&#10; &#125;&#41;&#10; asn &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; asn &#61; &#34;65533&#34;&#10; adv &#61; null&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; gke-multitenant-dev &#61; string&#10; gke-multitenant-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; gke-dev &#61; string&#10; gke-multitenant-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10; &#125;&#41;&#10; peer_external_gateway &#61; object&#40;&#123;&#10; redundancy_type &#61; string&#10; interfaces &#61; list&#40;object&#40;&#123;&#10; id &#61; number&#10; ip_address &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; tunnels &#61; list&#40;object&#40;&#123;&#10; peer_asn &#61; number&#10; peer_external_gateway_interface &#61; number&#10; secret &#61; string&#10; session_range &#61; string&#10; vpn_gateway_interface &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#10; &#34;cloud_dns&#34;, &#34;googleapis_private&#34;, &#34;googleapis_restricted&#34;, &#34;gcp_all&#34;&#10; &#93;&#10; &#125;&#10; peer_external_gateway &#61; &#123;&#10; redundancy_type &#61; &#34;SINGLE_IP_INTERNALLY_REDUNDANT&#34;&#10; interfaces &#61; &#91;&#10; &#123; id &#61; 0, ip_address &#61; &#34;8.8.8.8&#34; &#125;,&#10; &#93;&#10; &#125;&#10; tunnels &#61; &#91;&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.0&#47;30&#34;&#10; vpn_gateway_interface &#61; 0&#10; &#125;,&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.4&#47;30&#34;&#10; vpn_gateway_interface &#61; 1&#10; &#125;&#10; &#93;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
## Outputs


@ -103,7 +103,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-dev,
local.service_accounts.project-factory-dev,
local.service_accounts.gke-multitenant-dev,
local.service_accounts.gke-dev,
])
condition {
title = "dev_stage3_sa_delegated_grants"


@ -103,7 +103,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-prod,
local.service_accounts.project-factory-prod,
local.service_accounts.gke-multitenant-prod,
local.service_accounts.gke-prod,
])
condition {
title = "prod_stage3_sa_delegated_grants"


@ -187,8 +187,8 @@ variable "service_accounts" {
type = object({
data-platform-dev = string
data-platform-prod = string
gke-multitenant-dev = string
gke-multitenant-prod = string
gke-dev = string
gke-prod = string
project-factory-dev = string
project-factory-prod = string
})


@ -327,7 +327,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | <code title="object&#40;&#123;&#10; dev &#61; object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10; &#125;&#41;&#10; prod &#61; object&#40;&#123;&#10; ranges &#61; map&#40;string&#41;&#10; routes &#61; object&#40;&#123;&#10; export &#61; bool&#10; import &#61; bool&#10; &#125;&#41;&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; custom &#61; list&#40;string&#41;&#10; default &#61; bool&#10; &#125;&#41;&#10; asn &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; asn &#61; &#34;65533&#34;&#10; adv &#61; null&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; custom &#61; list&#40;string&#41;&#10; default &#61; bool&#10; &#125;&#41;&#10; asn &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123; asn &#61; &#34;64512&#34;, adv &#61; null &#125;&#10; landing-ew4 &#61; &#123; asn &#61; &#34;64512&#34;, adv &#61; null &#125;&#10; spoke-dev-ew1 &#61; &#123; asn &#61; &#34;64513&#34;, adv &#61; null &#125;&#10; spoke-dev-ew4 &#61; &#123; asn &#61; &#34;64513&#34;, adv &#61; null &#125;&#10; spoke-prod-ew1 &#61; &#123; asn &#61; &#34;64514&#34;, adv &#61; null &#125;&#10; spoke-prod-ew4 &#61; &#123; asn &#61; &#34;64514&#34;, adv &#61; null &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; gke-multitenant-dev &#61; string&#10; gke-multitenant-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; gke-dev &#61; string&#10; gke-multitenant-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10; &#125;&#41;&#10; peer_external_gateway &#61; object&#40;&#123;&#10; redundancy_type &#61; string&#10; interfaces &#61; list&#40;object&#40;&#123;&#10; id &#61; number&#10; ip_address &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; tunnels &#61; list&#40;object&#40;&#123;&#10; peer_asn &#61; number&#10; peer_external_gateway_interface &#61; number&#10; secret &#61; string&#10; session_range &#61; string&#10; vpn_gateway_interface &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#10; &#34;cloud_dns&#34;, &#34;googleapis_private&#34;, &#34;googleapis_restricted&#34;, &#34;gcp_all&#34;&#10; &#93;&#10; &#125;&#10; peer_external_gateway &#61; &#123;&#10; redundancy_type &#61; &#34;SINGLE_IP_INTERNALLY_REDUNDANT&#34;&#10; interfaces &#61; &#91;&#10; &#123; id &#61; 0, ip_address &#61; &#34;8.8.8.8&#34; &#125;,&#10; &#93;&#10; &#125;&#10; tunnels &#61; &#91;&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.0&#47;30&#34;&#10; vpn_gateway_interface &#61; 0&#10; &#125;,&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.4&#47;30&#34;&#10; vpn_gateway_interface &#61; 1&#10; &#125;&#10; &#93;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map&#40;object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;rfc_1918_10&#34;, &#34;rfc_1918_172&#34;, &#34;rfc_1918_192&#34;&#93;&#10; &#125;&#10; landing-ew4 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;rfc_1918_10&#34;, &#34;rfc_1918_172&#34;, &#34;rfc_1918_192&#34;&#93;&#10; &#125;&#10; dev-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_dev&#34;&#93;&#10; &#125;&#10; prod-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_prod&#34;&#93;&#10; &#125;&#10; prod-ew4 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_prod&#34;&#93;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |


@ -103,7 +103,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-dev,
local.service_accounts.project-factory-dev,
local.service_accounts.gke-multitenant-dev,
local.service_accounts.gke-dev,
])
condition {
title = "dev_stage3_sa_delegated_grants"


@ -103,7 +103,7 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
members = compact([
local.service_accounts.data-platform-prod,
local.service_accounts.project-factory-prod,
local.service_accounts.gke-multitenant-prod,
local.service_accounts.gke-prod,
])
condition {
title = "prod_stage3_sa_delegated_grants"


@ -187,8 +187,8 @@ variable "service_accounts" {
type = object({
data-platform-dev = string
data-platform-prod = string
gke-multitenant-dev = string
gke-multitenant-prod = string
gke-dev = string
gke-prod = string
project-factory-dev = string
project-factory-prod = string
})


@ -27,7 +27,7 @@ module "gke-hub" {
config_sync = {
gcp_service_account_email = null
https_proxy = null
policy_dir = "fast/stages/03-gke-multitenant/config"
policy_dir = "fast/stages/03-gke/config"
secret_type = "none"
source_format = "hierarchy"
sync_branch = "fast-dev-gke-marzi"


@ -25,7 +25,7 @@ module "gke-project-0" {
source = "../../../../modules/project"
billing_account = var.billing_account.id
name = "dev-gke-clusters-0"
parent = var.folder_ids.gke-multitenant-dev
parent = var.folder_ids.gke-dev
prefix = var.prefix
labels = local.labels
services = [


@ -113,7 +113,7 @@ variable "folder_ids" {
# tfdoc:variable:source 01-resman
description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
type = object({
gke-multitenant-dev = string
gke-dev = string
})
}