Misc FAST fixes (#2253)
* Misc FAST fixes * Fix readme * Fix FAST nva bgp tests
parent
dccf5735c5
commit
94c32c1d71
|
@ -208,7 +208,7 @@ This configuration is possible but unsupported and only exists for development p
|
|||
| [custom_roles](variables.tf#L95) | Custom roles defined at the organization level, in key => id format. | <code title="object({ service_project_network_admin = string tenant_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [fast_features](variables.tf#L105) | Selective control for top-level FAST features. | <code title="object({ data_platform = optional(bool, true) gke = optional(bool, true) project_factory = optional(bool, true) sandbox = optional(bool, true) teams = optional(bool, true) })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [federated_identity_providers](variables.tf#L119) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map(object({ attribute_condition = optional(string) issuer = string custom_settings = optional(object({ issuer_uri = optional(string) audiences = optional(list(string), []) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-network-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [iam](variables.tf#L146) | Tenant-level custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [iam_bindings_additive](variables.tf#L152) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [iam_by_principals](variables.tf#L167) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -136,7 +136,7 @@ variable "groups" {
|
|||
description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
|
||||
type = object({
|
||||
gcp-devops = optional(string, "gcp-devops")
|
||||
gcp-network-admins = optional(string, "gcp-network-admins")
|
||||
gcp-network-admins = optional(string, "gcp-vpc-network-admins")
|
||||
gcp-security-admins = optional(string, "gcp-security-admins")
|
||||
})
|
||||
nullable = false
|
||||
|
|
|
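Review bot: The default for the `gcp-network-admins` key changes from `gcp-network-admins` to `gcp-vpc-network-admins` while the key keeps its old name, and nothing in the hunk records the rename. Any deployment that relied on the default will, on its next apply, move the authoritative org-level bindings this group holds (the inventories in this commit list compute.networkAdmin, orgFirewallPolicyAdmin, securityAdmin and xpnAdmin) to a group that may not exist yet in the directory, so the apply presumably fails until that group is created or the key is set explicitly. A comment on the changed line such as `# default renamed to gcp-vpc-network-admins; set this key explicitly to keep the previous group` and a sentence in the variable description would make the migration visible; the two other `variable "groups"` hunks below have the same gap. `variable "groups"` starts before this hunk and its default block continues after it.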
@ -39,6 +39,7 @@ Use the following diagram as a simple high level reference for the following sec
|
|||
- [Log sinks and log destinations](#log-sinks-and-log-destinations)
|
||||
- [Names and naming convention](#names-and-naming-convention)
|
||||
- [Workload Identity Federation](#workload-identity-federation)
|
||||
- [Project folders](#project-folders)
|
||||
- [CI/CD repositories](#cicd-repositories)
|
||||
- [Toggling features](#toggling-features)
|
||||
- [Files](#files)
|
||||
|
@ -533,6 +534,18 @@ workload_identity_providers = {
|
|||
}
|
||||
```
|
||||
|
||||
### Project folders
|
||||
|
||||
By default this stage creates all its projects directly under the orgaization node. If desired, projects can be moved under a folder using the `project_parent_ids` variable.
|
||||
|
||||
```tfvars
|
||||
project_parent_ids = {
|
||||
automation = "folders/1234567890"
|
||||
billing = "folders/9876543210"
|
||||
logging = "folders/1234567890"
|
||||
}
|
||||
```
|
||||
|
||||
### CI/CD repositories
|
||||
|
||||
FAST is designed to directly support running in automated workflows from separate repositories for each stage. The `cicd_repositories` variable allows you to configure impersonation from external repositories leveraging Workload identity Federation, and pre-configures a FAST workflow file that can be used to validate and apply the code in each repository.
|
||||
|
@ -595,9 +608,10 @@ The remaining configuration is manual, as it regards the repositories themselves
|
|||
|
||||
Some FAST features can be enabled or disabled using the `fast_features` variables. While this variable is not directly used in the bootstrap stage, it can instruct the following stages to create certain resources only if needed.
|
||||
|
||||
The `fast_features` variable consists of 4 toggles:
|
||||
The `fast_features` variable consists of 6 toggles:
|
||||
|
||||
- **`data_platform`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-data-platform](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-data-platform) stage
|
||||
- **`gcve`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gcve](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gcve) stage
|
||||
- **`gke`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gke-multitenant](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gke-multitenant) stage
|
||||
- **`project_factory`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-project-factory](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-project-factory) stage
|
||||
- **`sandbox`** controls the creation of a "Sandbox" top level folder with relaxed policies, intended for sandbox environments where users can experiment
|
||||
|
@ -636,7 +650,7 @@ The `fast_features` variable consists of 4 toggles:
|
|||
| [essential_contacts](variables.tf#L86) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [factories_config](variables.tf#L92) | Configuration for the resource factories or external data. | <code title="object({ checklist_data = optional(string) checklist_org_iam = optional(string) custom_roles = optional(string, "data/custom-roles") org_policy = optional(string, "data/org-policies") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [fast_features](variables.tf#L104) | Selective control for top-level FAST features. | <code title="object({ data_platform = optional(bool, false) gcve = optional(bool, false) gke = optional(bool, false) project_factory = optional(bool, false) sandbox = optional(bool, false) teams = optional(bool, false) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") gcp-support = optional(string, "gcp-devops") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") gcp-support = optional(string, "gcp-devops") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [iam](variables.tf#L134) | Organization-level custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
|
|
|
@ -121,7 +121,7 @@ variable "groups" {
|
|||
type = object({
|
||||
gcp-billing-admins = optional(string, "gcp-billing-admins")
|
||||
gcp-devops = optional(string, "gcp-devops")
|
||||
gcp-network-admins = optional(string, "gcp-network-admins")
|
||||
gcp-network-admins = optional(string, "gcp-vpc-network-admins")
|
||||
gcp-organization-admins = optional(string, "gcp-organization-admins")
|
||||
gcp-security-admins = optional(string, "gcp-security-admins")
|
||||
# aliased to gcp-devops as the checklist does not create it
|
||||
|
|
|
@ -358,21 +358,21 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string project_id = string project_number = string federated_identity_pool = string federated_identity_providers = map(object({ audiences = list(string) issuer = string issuer_uri = string name = string principal_branch = string principal_repo = string })) service_accounts = object({ resman-r = string }) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object({ id = string is_org_level = optional(bool, true) no_iam = optional(bool, false) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [organization](variables.tf#L232) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L248) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [organization](variables.tf#L227) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables.tf#L243) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [cicd_repositories](variables.tf#L53) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object({ data_platform_dev = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) data_platform_prod = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) gke_dev = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) gke_prod = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) gcve_dev = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) gcve_prod = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) networking = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) project_factory_dev = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) project_factory_prod = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) security = optional(object({ name = string type = string branch = optional(string) identity_provider = optional(string) })) })">object({…})</code> | | <code>null</code> | |
|
||||
| [custom_roles](variables.tf#L147) | Custom roles defined at the org level, in key => id format. | <code title="object({ gcve_network_admin = string organization_admin_viewer = string service_project_network_admin = string storage_viewer = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [factories_config](variables.tf#L159) | Configuration for the resource factories or external data. | <code title="object({ checklist_data = optional(string) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [fast_features](variables.tf#L168) | Selective control for top-level FAST features. | <code title="object({ data_platform = optional(bool, false) gke = optional(bool, false) gcve = optional(bool, false) project_factory = optional(bool, false) sandbox = optional(bool, false) teams = optional(bool, false) })">object({…})</code> | | <code>{}</code> | <code>0-0-bootstrap</code> |
|
||||
| [folder_iam](variables.tf#L183) | Authoritative IAM for top-level folders. | <code title="object({ data_platform = optional(map(list(string)), {}) gcve = optional(map(list(string)), {}) gke = optional(map(list(string)), {}) sandbox = optional(map(list(string)), {}) security = optional(map(list(string)), {}) network = optional(map(list(string)), {}) teams = optional(map(list(string)), {}) tenants = optional(map(list(string)), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = string gcs = string logging = string pubsub = list(string) })">object({…})</code> | | <code title="{ bq = "EU" gcs = "EU" logging = "global" pubsub = [] }">{…}</code> | <code>0-bootstrap</code> |
|
||||
| [outputs_location](variables.tf#L242) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L259) | Customized names for resource management tags. | <code title="object({ context = optional(string, "context") environment = optional(string, "environment") tenant = optional(string, "tenant") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [tags](variables.tf#L274) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [team_folders](variables.tf#L295) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string iam_by_principals = map(list(string)) impersonation_principals = list(string) cicd = optional(object({ branch = string identity_provider = string name = string type = string })) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
| [tenants](variables.tf#L311) | Lightweight tenant definitions. | <code title="map(object({ admin_principal = string descriptive_name = string billing_account = optional(string) organization = optional(object({ customer_id = string domain = string id = number })) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [tenants_config](variables.tf#L327) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | <code title="object({ core_folder_roles = optional(list(string), []) tenant_folder_roles = optional(list(string), []) top_folder_roles = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "EU") gcs = optional(string, "EU") logging = optional(string, "global") pubsub = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [outputs_location](variables.tf#L237) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L254) | Customized names for resource management tags. | <code title="object({ context = optional(string, "context") environment = optional(string, "environment") tenant = optional(string, "tenant") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [tags](variables.tf#L269) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [team_folders](variables.tf#L290) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string iam_by_principals = map(list(string)) impersonation_principals = list(string) cicd = optional(object({ branch = string identity_provider = string name = string type = string })) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
| [tenants](variables.tf#L306) | Lightweight tenant definitions. | <code title="map(object({ admin_principal = string descriptive_name = string billing_account = optional(string) organization = optional(object({ customer_id = string domain = string id = number })) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [tenants_config](variables.tf#L322) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | <code title="object({ core_folder_roles = optional(list(string), []) tenant_folder_roles = optional(list(string), []) top_folder_roles = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
@ -380,7 +380,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
|---|---|:---:|---|
|
||||
| [cicd_repositories](outputs.tf#L391) | WIF configuration for CI/CD repositories. | | |
|
||||
| [dataplatform](outputs.tf#L405) | Data for the Data Platform stage. | | |
|
||||
| [gcve](outputs.tf#L421) | Data for the GCVE stage. | | <code>03-gke-multitenant</code> |
|
||||
| [gcve](outputs.tf#L421) | Data for the GCVE stage. | | <code>03-gcve</code> |
|
||||
| [gke_multitenant](outputs.tf#L442) | Data for the GKE multitenant stage. | | <code>03-gke-multitenant</code> |
|
||||
| [networking](outputs.tf#L463) | Data for the networking stage. | | |
|
||||
| [project_factories](outputs.tf#L472) | Data for the project factories stage. | | |
|
||||
|
|
|
@ -419,7 +419,7 @@ output "dataplatform" {
|
|||
}
|
||||
|
||||
output "gcve" {
|
||||
# tfdoc:output:consumers 03-gke-multitenant
|
||||
# tfdoc:output:consumers 03-gcve
|
||||
description = "Data for the GCVE stage."
|
||||
value = (
|
||||
var.fast_features.gcve
|
||||
|
|
|
@ -203,7 +203,7 @@ variable "groups" {
|
|||
type = object({
|
||||
gcp-billing-admins = optional(string, "gcp-billing-admins")
|
||||
gcp-devops = optional(string, "gcp-devops")
|
||||
gcp-network-admins = optional(string, "gcp-network-admins")
|
||||
gcp-network-admins = optional(string, "gcp-vpc-network-admins")
|
||||
gcp-organization-admins = optional(string, "gcp-organization-admins")
|
||||
gcp-security-admins = optional(string, "gcp-security-admins")
|
||||
})
|
||||
|
@ -215,18 +215,13 @@ variable "locations" {
|
|||
# tfdoc:variable:source 0-bootstrap
|
||||
description = "Optional locations for GCS, BigQuery, and logging buckets created here."
|
||||
type = object({
|
||||
bq = string
|
||||
gcs = string
|
||||
logging = string
|
||||
pubsub = list(string)
|
||||
bq = optional(string, "EU")
|
||||
gcs = optional(string, "EU")
|
||||
logging = optional(string, "global")
|
||||
pubsub = optional(list(string), [])
|
||||
})
|
||||
default = {
|
||||
bq = "EU"
|
||||
gcs = "EU"
|
||||
logging = "global"
|
||||
pubsub = []
|
||||
}
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "organization" {
|
||||
|
|
|
@ -11,14 +11,14 @@
|
|||
# - rfc1918
|
||||
|
||||
allow-healthchecks:
|
||||
description: Enable HTTP and HTTPS healthchecks
|
||||
description: Enable SSH, HTTP and HTTPS healthchecks
|
||||
priority: 1001
|
||||
match:
|
||||
source_ranges:
|
||||
- healthchecks
|
||||
layer4_configs:
|
||||
- protocol: tcp
|
||||
ports: ["80", "443"]
|
||||
ports: ["22", "80", "443"]
|
||||
|
||||
allow-ssh-from-iap:
|
||||
description: Enable SSH from IAP
|
||||
|
|
|
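Review bot: Port 22 is added to the `allow-healthchecks` rule instead of a rule that names its purpose, so SSH from the health-check ranges is now allowed on every instance the hierarchical policy covers, not only the NVAs whose load-balancer probes presumably use tcp/22 (the commit message mentions NVA tests; the hunk itself does not say). The description change does not explain why a health-check rule carries SSH; a comment such as `# tcp/22 is the NVA load balancer health-check probe, not interactive access` would record the intent, and a dedicated rule with a narrower target (where the factory schema supports one) would keep the exposure limited to the NVAs. The same change is repeated in the four identical sections below and is reflected in a later inventory section.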
@ -11,14 +11,14 @@
|
|||
# - rfc1918
|
||||
|
||||
allow-healthchecks:
|
||||
description: Enable HTTP and HTTPS healthchecks
|
||||
description: Enable SSH, HTTP and HTTPS healthchecks
|
||||
priority: 1001
|
||||
match:
|
||||
source_ranges:
|
||||
- healthchecks
|
||||
layer4_configs:
|
||||
- protocol: tcp
|
||||
ports: ["80", "443"]
|
||||
ports: ["22", "80", "443"]
|
||||
|
||||
allow-ssh-from-iap:
|
||||
description: Enable SSH from IAP
|
||||
|
|
|
@ -11,14 +11,14 @@
|
|||
# - rfc1918
|
||||
|
||||
allow-healthchecks:
|
||||
description: Enable HTTP and HTTPS healthchecks
|
||||
description: Enable SSH, HTTP and HTTPS healthchecks
|
||||
priority: 1001
|
||||
match:
|
||||
source_ranges:
|
||||
- healthchecks
|
||||
layer4_configs:
|
||||
- protocol: tcp
|
||||
ports: ["80", "443"]
|
||||
ports: ["22", "80", "443"]
|
||||
|
||||
allow-ssh-from-iap:
|
||||
description: Enable SSH from IAP
|
||||
|
|
|
@ -11,14 +11,14 @@
|
|||
# - rfc1918
|
||||
|
||||
allow-healthchecks:
|
||||
description: Enable HTTP and HTTPS healthchecks
|
||||
description: Enable SSH, HTTP and HTTPS healthchecks
|
||||
priority: 1001
|
||||
match:
|
||||
source_ranges:
|
||||
- healthchecks
|
||||
layer4_configs:
|
||||
- protocol: tcp
|
||||
ports: ["80", "443"]
|
||||
ports: ["22", "80", "443"]
|
||||
|
||||
allow-ssh-from-iap:
|
||||
description: Enable SSH from IAP
|
||||
|
|
|
@ -11,14 +11,14 @@
|
|||
# - rfc1918
|
||||
|
||||
allow-healthchecks:
|
||||
description: Enable HTTP and HTTPS healthchecks
|
||||
description: Enable SSH, HTTP and HTTPS healthchecks
|
||||
priority: 1001
|
||||
match:
|
||||
source_ranges:
|
||||
- healthchecks
|
||||
layer4_configs:
|
||||
- protocol: tcp
|
||||
ports: ["80", "443"]
|
||||
ports: ["22", "80", "443"]
|
||||
|
||||
allow-ssh-from-iap:
|
||||
description: Enable SSH from IAP
|
||||
|
|
|
@ -55,9 +55,9 @@ values:
|
|||
module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
|
||||
condition: []
|
||||
members:
|
||||
- group:gcp-network-admins@fast.example.com
|
||||
- group:gcp-organization-admins@fast.example.com
|
||||
- group:gcp-security-admins@fast.example.com
|
||||
- group:gcp-vpc-network-admins@fast.example.com
|
||||
org_id: '123456789012'
|
||||
role: roles/cloudasset.owner
|
||||
module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
|
||||
|
@ -70,8 +70,8 @@ values:
|
|||
condition: []
|
||||
members:
|
||||
- group:gcp-devops@fast.example.com
|
||||
- group:gcp-network-admins@fast.example.com
|
||||
- group:gcp-security-admins@fast.example.com
|
||||
- group:gcp-vpc-network-admins@fast.example.com
|
||||
org_id: '123456789012'
|
||||
role: roles/cloudsupport.techSupportEditor
|
||||
module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
|
||||
|
@ -131,7 +131,7 @@ values:
|
|||
condition: []
|
||||
members:
|
||||
- group:gcp-devops@fast.example.com
|
||||
- group:gcp-network-admins@fast.example.com
|
||||
- group:gcp-vpc-network-admins@fast.example.com
|
||||
- serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
||||
- serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
||||
org_id: '123456789012'
|
||||
|
@ -240,19 +240,19 @@ values:
|
|||
member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
||||
org_id: '123456789012'
|
||||
role: roles/billing.viewer
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-network-admins@fast.example.com"]
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-vpc-network-admins@fast.example.com"]
|
||||
: condition: []
|
||||
member: group:gcp-network-admins@fast.example.com
|
||||
member: group:gcp-vpc-network-admins@fast.example.com
|
||||
org_id: '123456789012'
|
||||
role: roles/compute.networkAdmin
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-network-admins@fast.example.com"]
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
|
||||
: condition: []
|
||||
member: group:gcp-network-admins@fast.example.com
|
||||
member: group:gcp-vpc-network-admins@fast.example.com
|
||||
org_id: '123456789012'
|
||||
role: roles/compute.orgFirewallPolicyAdmin
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-network-admins@fast.example.com"]
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-vpc-network-admins@fast.example.com"]
|
||||
: condition: []
|
||||
member: group:gcp-network-admins@fast.example.com
|
||||
member: group:gcp-vpc-network-admins@fast.example.com
|
||||
org_id: '123456789012'
|
||||
role: roles/compute.securityAdmin
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.viewer-group:gcp-security-admins@fast.example.com"]
|
||||
|
@ -260,9 +260,9 @@ values:
|
|||
member: group:gcp-security-admins@fast.example.com
|
||||
org_id: '123456789012'
|
||||
role: roles/compute.viewer
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-network-admins@fast.example.com"]
|
||||
? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
|
||||
: condition: []
|
||||
member: group:gcp-network-admins@fast.example.com
|
||||
member: group:gcp-vpc-network-admins@fast.example.com
|
||||
org_id: '123456789012'
|
||||
role: roles/compute.xpnAdmin
|
||||
? module.organization.google_organization_iam_member.bindings["roles/container.viewer-group:gcp-security-admins@fast.example.com"]
|
||||
|
|
|
@ -16,9 +16,9 @@ values:
|
|||
module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
|
||||
condition: []
|
||||
members:
|
||||
- group:gcp-network-admins@fast.example.com
|
||||
- group:gcp-security-admins@fast.example.com
|
||||
- group:gcp-support@example.com
|
||||
- group:gcp-vpc-network-admins@fast.example.com
|
||||
org_id: '123456789012'
|
||||
role: roles/cloudsupport.techSupportEditor
|
||||
module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
|
||||
|
|
|
@ -24,7 +24,7 @@ factories_config = {
|
|||
groups = {
|
||||
gcp-billing-admins = "gcp-billing-admins",
|
||||
gcp-devops = "gcp-devops",
|
||||
gcp-network-admins = "gcp-network-admins",
|
||||
gcp-network-admins = "gcp-vpc-network-admins",
|
||||
gcp-organization-admins = "gcp-organization-admins",
|
||||
gcp-security-admins = "gcp-security-admins",
|
||||
gcp-support = "gcp-support"
|
||||
|
|
|
@ -21,7 +21,7 @@ custom_roles = {
|
|||
groups = {
|
||||
gcp-billing-admins = "gcp-billing-admins",
|
||||
gcp-devops = "gcp-devops",
|
||||
gcp-network-admins = "gcp-network-admins",
|
||||
gcp-network-admins = "gcp-vpc-network-admins",
|
||||
gcp-organization-admins = "gcp-organization-admins",
|
||||
gcp-security-admins = "gcp-security-admins",
|
||||
gcp-support = "gcp-support"
|
||||
|
|
|
@ -19,7 +19,7 @@ folder_ids = {
|
|||
networking-prod = null
|
||||
}
|
||||
groups = {
|
||||
gcp-network-admins = "gcp-network-admins"
|
||||
gcp-network-admins = "gcp-vpc-network-admins"
|
||||
}
|
||||
service_accounts = {
|
||||
data-platform-dev = "string"
|
||||
|
|
|
@ -19,7 +19,7 @@ folder_ids = {
|
|||
networking-prod = null
|
||||
}
|
||||
groups = {
|
||||
gcp-network-admins = "gcp-network-admins"
|
||||
gcp-network-admins = "gcp-vpc-network-admins"
|
||||
}
|
||||
service_accounts = {
|
||||
data-platform-dev = "string"
|
||||
|
|
|
@ -19,7 +19,7 @@ folder_ids = {
|
|||
networking-prod = null
|
||||
}
|
||||
groups = {
|
||||
gcp-network-admins = "gcp-network-admins"
|
||||
gcp-network-admins = "gcp-vpc-network-admins"
|
||||
}
|
||||
service_accounts = {
|
||||
data-platform-dev = "string"
|
||||
|
|
|
@ -20,7 +20,7 @@ folder_ids = {
|
|||
networking-prod = null
|
||||
}
|
||||
groups = {
|
||||
gcp-network-admins = "gcp-network-admins"
|
||||
gcp-network-admins = "gcp-vpc-network-admins"
|
||||
}
|
||||
service_accounts = {
|
||||
data-platform-dev = "string"
|
||||
|
|
|
@ -19,7 +19,7 @@ folder_ids = {
|
|||
networking-prod = null
|
||||
}
|
||||
groups = {
|
||||
gcp-network-admins = "gcp-network-admins"
|
||||
gcp-network-admins = "gcp-vpc-network-admins"
|
||||
}
|
||||
service_accounts = {
|
||||
data-platform-dev = "string"
|
||||
|
|
|
@ -740,7 +740,7 @@ values:
|
|||
timeouts: null
|
||||
? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]
|
||||
: action: allow
|
||||
description: Enable HTTP and HTTPS healthchecks
|
||||
description: Enable SSH, HTTP and HTTPS healthchecks
|
||||
direction: INGRESS
|
||||
disabled: false
|
||||
enable_logging: null
|
||||
|
@ -753,6 +753,7 @@ values:
|
|||
layer4_configs:
|
||||
- ip_protocol: tcp
|
||||
ports:
|
||||
- "22"
|
||||
- "80"
|
||||
- "443"
|
||||
src_address_groups: null
|
||||
|
|
|
@ -16,7 +16,7 @@ custom_roles = {
|
|||
groups = {
|
||||
gcp-billing-admins = "gcp-billing-admins",
|
||||
gcp-devops = "gcp-devops",
|
||||
gcp-network-admins = "gcp-network-admins",
|
||||
gcp-network-admins = "gcp-vpc-network-admins",
|
||||
gcp-organization-admins = "gcp-organization-admins",
|
||||
gcp-security-admins = "gcp-security-admins",
|
||||
gcp-support = "gcp-support"
|
||||
|
|
|
@ -34,7 +34,7 @@ fast_features = {
|
|||
}
|
||||
groups = {
|
||||
gcp-devops = "gcp-devops",
|
||||
gcp-network-admins = "gcp-network-admins",
|
||||
gcp-network-admins = "gcp-vpc-network-admins",
|
||||
gcp-security-admins = "gcp-security-admins",
|
||||
}
|
||||
organization = {
|
||||
|
|