From 94c32c1d71e96d8332b8e74f71045aa4e4b5e0a6 Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Thu, 2 May 2024 08:56:26 +0200 Subject: [PATCH] Misc FAST fixes (#2253) * Misc FAST fixes * Fix readme * Fix FAST nva bgp tests --- .../0-bootstrap-tenant/README.md | 2 +- .../0-bootstrap-tenant/variables.tf | 4 ++-- fast/stages/0-bootstrap/README.md | 18 +++++++++++++-- fast/stages/0-bootstrap/variables.tf | 2 +- fast/stages/1-resman/README.md | 22 +++++++++---------- fast/stages/1-resman/outputs.tf | 2 +- fast/stages/1-resman/variables.tf | 17 +++++--------- .../data/hierarchical-ingress-rules.yaml | 4 ++-- .../data/hierarchical-ingress-rules.yaml | 4 ++-- .../data/hierarchical-ingress-rules.yaml | 4 ++-- .../data/hierarchical-ingress-rules.yaml | 4 ++-- .../data/hierarchical-ingress-rules.yaml | 4 ++-- tests/fast/stages/s0_bootstrap/checklist.yaml | 22 +++++++++---------- tests/fast/stages/s0_bootstrap/simple.yaml | 2 +- tests/fast/stages/s1_resman/checklist.tfvars | 2 +- tests/fast/stages/s1_resman/simple.tfvars | 2 +- .../s2_networking_a_peering/simple.tfvars | 2 +- .../stages/s2_networking_b_vpn/simple.tfvars | 2 +- .../stages/s2_networking_c_nva/simple.tfvars | 2 +- .../simple.tfvars | 2 +- .../s2_networking_e_nva_bgp/simple.tfvars | 2 +- .../s2_networking_e_nva_bgp/simple.yaml | 3 ++- .../s0_bootstrap_tenant/simple.tfvars | 2 +- .../s1_resman_tenant/simple.tfvars | 2 +- 24 files changed, 71 insertions(+), 61 deletions(-) diff --git a/fast/stages-multitenant/0-bootstrap-tenant/README.md b/fast/stages-multitenant/0-bootstrap-tenant/README.md index 9e3a74d8..a1b3ba36 100644 --- a/fast/stages-multitenant/0-bootstrap-tenant/README.md +++ b/fast/stages-multitenant/0-bootstrap-tenant/README.md 
@@ -208,7 +208,7 @@ This configuration is possible but unsupported and only exists for development p | [custom_roles](variables.tf#L95) | Custom roles defined at the organization level, in key => id format. | object({…}) | | null | 0-bootstrap | | [fast_features](variables.tf#L105) | Selective control for top-level FAST features. | object({…}) | | {} | 0-bootstrap | | [federated_identity_providers](variables.tf#L119) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | -| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | +| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | | [iam](variables.tf#L146) | Tenant-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | | [iam_bindings_additive](variables.tf#L152) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | | [iam_by_principals](variables.tf#L167) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | diff --git a/fast/stages-multitenant/0-bootstrap-tenant/variables.tf b/fast/stages-multitenant/0-bootstrap-tenant/variables.tf index 74daa0a9..5fa964be 100644 --- a/fast/stages-multitenant/0-bootstrap-tenant/variables.tf +++ b/fast/stages-multitenant/0-bootstrap-tenant/variables.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -136,7 +136,7 @@ variable "groups" { description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated." type = object({ gcp-devops = optional(string, "gcp-devops") - gcp-network-admins = optional(string, "gcp-network-admins") + gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-security-admins = optional(string, "gcp-security-admins") }) nullable = false diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md index ee5c7f52..43060232 100644 --- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md @@ -39,6 +39,7 @@ Use the following diagram as a simple high level reference for the following sec - [Log sinks and log destinations](#log-sinks-and-log-destinations) - [Names and naming convention](#names-and-naming-convention) - [Workload Identity Federation](#workload-identity-federation) + - [Project folders](#project-folders) - [CI/CD repositories](#cicd-repositories) - [Toggling features](#toggling-features) - [Files](#files) 
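Review bot: The tenant-level default for `gcp-network-admins` now resolves to `gcp-vpc-network-admins`, so a tenant bootstrap that never set `groups` explicitly will, on its next apply, bind whatever permissions this stage grants to that key to a different Google Group, and fail outright if that group has not been created. The object key keeps the old name while only its value changes, which a reader of an existing tfvars file cannot see. A comment on the line, `# default renamed in #2253; set explicitly on existing tenants`, would make the migration visible at the point of change. The enclosing `groups` variable block continues outside the hunk.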
@@ -533,6 +534,18 @@ workload_identity_providers = { } ``` +### Project folders + +By default this stage creates all its projects directly under the orgaization node. If desired, projects can be moved under a folder using the `project_parent_ids` variable. + +```tfvars +project_parent_ids = { + automation = "folders/1234567890" + billing = "folders/9876543210" + logging = "folders/1234567890" +} +``` + ### CI/CD repositories FAST is designed to directly support running in automated workflows from separate repositories for each stage. The `cicd_repositories` variable allows you to configure impersonation from external repositories leveraging Workload identity Federation, and pre-configures a FAST workflow file that can be used to validate and apply the code in each repository. 
@@ -595,9 +608,10 @@ The remaining configuration is manual, as it regards the repositories themselves Some FAST features can be enabled or disabled using the `fast_features` variables. While this variable is not directly used in the bootstrap stage, it can instruct the following stages to create certain resources only if needed. -The `fast_features` variable consists of 4 toggles: +The `fast_features` variable consists of 6 toggles: - **`data_platform`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-data-platform](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-data-platform) stage +- **`gcve`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gcve](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gcve) stage - **`gke`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gke-multitenant](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gke-multitenant) stage - **`project_factory`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-project-factory](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-project-factory) stage - **`sandbox`** controls the creation of a "Sandbox" top level folder with relaxed policies, intended for sandbox environments where users can experiment 
@@ -636,7 +650,7 @@ The `fast_features` variable consists of 4 toggles: | [essential_contacts](variables.tf#L86) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L92) | Configuration for the resource factories or external data. | object({…}) | | {} | | | [fast_features](variables.tf#L104) | Selective control for top-level FAST features. | object({…}) | | {} | | -| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | | +| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | | | [iam](variables.tf#L134) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | | [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | | [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf index b769f108..26ec513a 100644 --- a/fast/stages/0-bootstrap/variables.tf +++ b/fast/stages/0-bootstrap/variables.tf 
@@ -121,7 +121,7 @@ variable "groups" { type = object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") - gcp-network-admins = optional(string, "gcp-network-admins") + gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") # aliased to gcp-devops as the checklist does not create it diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 6b7836fd..5ac02487 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
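Review bot: The new default `gcp-vpc-network-admins` re-targets organization-level IAM without any tfvars change: the updated test expectations in this patch show `roles/compute.networkAdmin`, `roles/compute.orgFirewallPolicyAdmin`, `roles/compute.securityAdmin`, `roles/compute.xpnAdmin` and the authoritative `roles/cloudasset.owner` and `roles/cloudsupport.techSupportEditor` bindings moving from `group:gcp-network-admins@…` to `group:gcp-vpc-network-admins@…`. An existing deployment that relied on the default will on its next apply either fail because the new group does not exist, or hand network and firewall administration to the members of that group while removing it from the old one. Because the variable key stays `gcp-network-admins` and only the default changes, this is easy to miss in review; a comment on the default, `# default renamed from gcp-network-admins (#2253): existing deployments should set it explicitly`, plus a release-note entry would make the migration explicit. The `groups` variable block continues outside the hunk.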
@@ -358,21 +358,21 @@ Due to its simplicity, this stage lends itself easily to customizations: adding |---|---|:---:|:---:|:---:|:---:| | [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap | -| [organization](variables.tf#L232) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L248) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [organization](variables.tf#L227) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables.tf#L243) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | | [cicd_repositories](variables.tf#L53) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | | [custom_roles](variables.tf#L147) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [factories_config](variables.tf#L159) | Configuration for the resource factories or external data. | object({…}) | | {} | | | [fast_features](variables.tf#L168) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [folder_iam](variables.tf#L183) | Authoritative IAM for top-level folders. | object({…}) | | {} | | -| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. 
| object({…}) | | {} | 0-bootstrap | -| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | 0-bootstrap | -| [outputs_location](variables.tf#L242) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | -| [tag_names](variables.tf#L259) | Customized names for resource management tags. | object({…}) | | {} | | -| [tags](variables.tf#L274) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | -| [team_folders](variables.tf#L295) | Team folders to be created. Format is described in a code comment. | map(object({…})) | | null | | -| [tenants](variables.tf#L311) | Lightweight tenant definitions. | map(object({…})) | | {} | | -| [tenants_config](variables.tf#L327) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | object({…}) | | {} | | +| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | +| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | +| [outputs_location](variables.tf#L237) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | +| [tag_names](variables.tf#L254) | Customized names for resource management tags. | object({…}) | | {} | | +| [tags](variables.tf#L269) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | +| [team_folders](variables.tf#L290) | Team folders to be created. Format is described in a code comment. 
| map(object({…})) | | null | | +| [tenants](variables.tf#L306) | Lightweight tenant definitions. | map(object({…})) | | {} | | +| [tenants_config](variables.tf#L322) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | object({…}) | | {} | | ## Outputs @@ -380,7 +380,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding |---|---|:---:|---| | [cicd_repositories](outputs.tf#L391) | WIF configuration for CI/CD repositories. | | | | [dataplatform](outputs.tf#L405) | Data for the Data Platform stage. | | | -| [gcve](outputs.tf#L421) | Data for the GCVE stage. | | 03-gke-multitenant | +| [gcve](outputs.tf#L421) | Data for the GCVE stage. | | 03-gcve | | [gke_multitenant](outputs.tf#L442) | Data for the GKE multitenant stage. | | 03-gke-multitenant | | [networking](outputs.tf#L463) | Data for the networking stage. | | | | [project_factories](outputs.tf#L472) | Data for the project factories stage. | | | diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 31e95902..de411b91 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf @@ -419,7 +419,7 @@ output "dataplatform" { } output "gcve" { - # tfdoc:output:consumers 03-gke-multitenant + # tfdoc:output:consumers 03-gcve description = "Data for the GCVE stage." value = ( var.fast_features.gcve diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf index 84174667..3256b9bb 100644 --- a/fast/stages/1-resman/variables.tf +++ b/fast/stages/1-resman/variables.tf 
@@ -203,7 +203,7 @@ variable "groups" { type = object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") - gcp-network-admins = optional(string, "gcp-network-admins") + gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") }) @@ -215,18 +215,13 @@ variable "locations" { # tfdoc:variable:source 0-bootstrap description = "Optional locations for GCS, BigQuery, and logging buckets created here." type = object({ - bq = string - gcs = string - logging = string - pubsub = list(string) + bq = optional(string, "EU") + gcs = optional(string, "EU") + logging = optional(string, "global") + pubsub = optional(list(string), []) }) - default = { - bq = "EU" - gcs = "EU" - logging = "global" - pubsub = [] - } nullable = false + default = {} } variable "organization" { diff --git a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml index 93d42fbe..e444dd3f 100644 --- a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml @@ -11,14 +11,14 @@ # - rfc1918 allow-healthchecks: - description: Enable HTTP and HTTPS healthchecks + description: Enable SSH, HTTP and HTTPS healthchecks priority: 1001 match: source_ranges: - healthchecks layer4_configs: - protocol: tcp - ports: ["80", "443"] + ports: ["22", "80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP diff --git a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml index 0504f376..817be2e9 100644 --- a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml 
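Review bot: TCP/22 is now allowed from the `healthchecks` range by an organization-level hierarchical rule in a variant that does not appear to deploy NVAs or any load-balancer backend probed on port 22, so the widening has no visible consumer in this stage. Hierarchical allow rules are evaluated before VPC firewall rules, so every instance under the policy accepts TCP/22 from whatever `healthchecks` resolves to (presumably Google's prober ranges; verify in the named-range definition, which is outside the hunk) and a VPC-level deny cannot narrow it back. If the intent is only to keep the five networking variants' data files identical, keep `ports: ["80", "443"]` in this variant, or at least record the reason in place: `# 22 is probed by the TCP health checks the NVA variants use on their ILB backends`. Any `target_resources` or target service-account scoping of the rule is not visible in the hunk.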
@@ -11,14 +11,14 @@ # - rfc1918 allow-healthchecks: - description: Enable HTTP and HTTPS healthchecks + description: Enable SSH, HTTP and HTTPS healthchecks priority: 1001 match: source_ranges: - healthchecks layer4_configs: - protocol: tcp - ports: ["80", "443"] + ports: ["22", "80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP diff --git a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml index 0504f376..817be2e9 100644 --- a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml @@ -11,14 +11,14 @@ # - rfc1918 allow-healthchecks: - description: Enable HTTP and HTTPS healthchecks + description: Enable SSH, HTTP and HTTPS healthchecks priority: 1001 match: source_ranges: - healthchecks layer4_configs: - protocol: tcp - ports: ["80", "443"] + ports: ["22", "80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP diff --git a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml index 0504f376..817be2e9 100644 --- a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml @@ -11,14 +11,14 @@ # - rfc1918 allow-healthchecks: - description: Enable HTTP and HTTPS healthchecks + description: Enable SSH, HTTP and HTTPS healthchecks priority: 1001 match: source_ranges: - healthchecks layer4_configs: - protocol: tcp - ports: ["80", "443"] + ports: ["22", "80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP diff --git a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml index 0504f376..817be2e9 100644 
--- a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml @@ -11,14 +11,14 @@ # - rfc1918 allow-healthchecks: - description: Enable HTTP and HTTPS healthchecks + description: Enable SSH, HTTP and HTTPS healthchecks priority: 1001 match: source_ranges: - healthchecks layer4_configs: - protocol: tcp - ports: ["80", "443"] + ports: ["22", "80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml index 8c24a1fd..0b1d71d4 100644 --- a/tests/fast/stages/s0_bootstrap/checklist.yaml +++ b/tests/fast/stages/s0_bootstrap/checklist.yaml @@ -55,9 +55,9 @@ values: module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]: condition: [] members: - - group:gcp-network-admins@fast.example.com - group:gcp-organization-admins@fast.example.com - group:gcp-security-admins@fast.example.com + - group:gcp-vpc-network-admins@fast.example.com org_id: '123456789012' role: roles/cloudasset.owner module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]: @@ -70,8 +70,8 @@ values: condition: [] members: - group:gcp-devops@fast.example.com - - group:gcp-network-admins@fast.example.com - group:gcp-security-admins@fast.example.com + - group:gcp-vpc-network-admins@fast.example.com org_id: '123456789012' role: roles/cloudsupport.techSupportEditor module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]: @@ -131,7 +131,7 @@ values: condition: [] members: - group:gcp-devops@fast.example.com - - group:gcp-network-admins@fast.example.com + - group:gcp-vpc-network-admins@fast.example.com - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com org_id: '123456789012' 
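Review bot: The description `Enable SSH, HTTP and HTTPS healthchecks` is misleading in a file that also defines `allow-ssh-from-iap`: the probes on port 22 are plain TCP connects, not SSH sessions, and someone auditing the policy for SSH exposure will read this as a second SSH-access rule. I would describe it as `Enable TCP health checks on 22, 80 and 443` and state why 22 is needed, presumably the NVA internal load-balancer backends' TCP/22 health check (confirm against the NVA stage's health check configuration, which is outside this file). Since the rule is hierarchical it also applies to every non-NVA instance under the policy, and the matching test fixture in this patch shows `enable_logging: null`, so these connections will not appear in firewall logs. Scoping the rule to the NVA service accounts through the rule's target fields, if the policy data format supports them here, would keep the allow as narrow as the description suggests.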
@@ -240,19 +240,19 @@ values: member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.viewer - ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-network-admins@fast.example.com"] + ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-vpc-network-admins@fast.example.com"] : condition: [] - member: group:gcp-network-admins@fast.example.com + member: group:gcp-vpc-network-admins@fast.example.com org_id: '123456789012' role: roles/compute.networkAdmin - ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-network-admins@fast.example.com"] + ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"] : condition: [] - member: group:gcp-network-admins@fast.example.com + member: group:gcp-vpc-network-admins@fast.example.com org_id: '123456789012' role: roles/compute.orgFirewallPolicyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-network-admins@fast.example.com"] + ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-vpc-network-admins@fast.example.com"] : condition: [] - member: group:gcp-network-admins@fast.example.com + member: group:gcp-vpc-network-admins@fast.example.com org_id: '123456789012' role: roles/compute.securityAdmin ? module.organization.google_organization_iam_member.bindings["roles/compute.viewer-group:gcp-security-admins@fast.example.com"] 
@@ -260,9 +260,9 @@ values: member: group:gcp-security-admins@fast.example.com org_id: '123456789012' role: roles/compute.viewer - ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-network-admins@fast.example.com"] + ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"] : condition: [] - member: group:gcp-network-admins@fast.example.com + member: group:gcp-vpc-network-admins@fast.example.com org_id: '123456789012' role: roles/compute.xpnAdmin ? module.organization.google_organization_iam_member.bindings["roles/container.viewer-group:gcp-security-admins@fast.example.com"] diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml index 69908ad3..bdc0ec68 100644 --- a/tests/fast/stages/s0_bootstrap/simple.yaml +++ b/tests/fast/stages/s0_bootstrap/simple.yaml @@ -16,9 +16,9 @@ values: module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]: condition: [] members: - - group:gcp-network-admins@fast.example.com - group:gcp-security-admins@fast.example.com - group:gcp-support@example.com + - group:gcp-vpc-network-admins@fast.example.com org_id: '123456789012' role: roles/cloudsupport.techSupportEditor module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]: diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars index 88df6b62..0e303043 100644 --- a/tests/fast/stages/s1_resman/checklist.tfvars +++ b/tests/fast/stages/s1_resman/checklist.tfvars @@ -24,7 +24,7 @@ factories_config = { groups = { gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", - gcp-network-admins = "gcp-network-admins", + gcp-network-admins = "gcp-vpc-network-admins", gcp-organization-admins = "gcp-organization-admins", gcp-security-admins = "gcp-security-admins", gcp-support = "gcp-support" 
diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars index 9cb85288..8086201d 100644 --- a/tests/fast/stages/s1_resman/simple.tfvars +++ b/tests/fast/stages/s1_resman/simple.tfvars @@ -21,7 +21,7 @@ custom_roles = { groups = { gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", - gcp-network-admins = "gcp-network-admins", + gcp-network-admins = "gcp-vpc-network-admins", gcp-organization-admins = "gcp-organization-admins", gcp-security-admins = "gcp-security-admins", gcp-support = "gcp-support" diff --git a/tests/fast/stages/s2_networking_a_peering/simple.tfvars b/tests/fast/stages/s2_networking_a_peering/simple.tfvars index bdff7a43..9a117062 100644 --- a/tests/fast/stages/s2_networking_a_peering/simple.tfvars +++ b/tests/fast/stages/s2_networking_a_peering/simple.tfvars @@ -19,7 +19,7 @@ folder_ids = { networking-prod = null } groups = { - gcp-network-admins = "gcp-network-admins" + gcp-network-admins = "gcp-vpc-network-admins" } service_accounts = { data-platform-dev = "string" diff --git a/tests/fast/stages/s2_networking_b_vpn/simple.tfvars b/tests/fast/stages/s2_networking_b_vpn/simple.tfvars index 24d3a8e0..b9c4ec9d 100644 --- a/tests/fast/stages/s2_networking_b_vpn/simple.tfvars +++ b/tests/fast/stages/s2_networking_b_vpn/simple.tfvars @@ -19,7 +19,7 @@ folder_ids = { networking-prod = null } groups = { - gcp-network-admins = "gcp-network-admins" + gcp-network-admins = "gcp-vpc-network-admins" } service_accounts = { data-platform-dev = "string" diff --git a/tests/fast/stages/s2_networking_c_nva/simple.tfvars b/tests/fast/stages/s2_networking_c_nva/simple.tfvars index fca8913f..c2a9cef0 100644 --- a/tests/fast/stages/s2_networking_c_nva/simple.tfvars +++ b/tests/fast/stages/s2_networking_c_nva/simple.tfvars 
@@ -19,7 +19,7 @@ folder_ids = { networking-prod = null } groups = { - gcp-network-admins = "gcp-network-admins" + gcp-network-admins = "gcp-vpc-network-admins" } service_accounts = { data-platform-dev = "string" diff --git a/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars b/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars index 071011dd..8522e2b2 100644 --- a/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars +++ b/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars @@ -20,7 +20,7 @@ folder_ids = { networking-prod = null } groups = { - gcp-network-admins = "gcp-network-admins" + gcp-network-admins = "gcp-vpc-network-admins" } service_accounts = { data-platform-dev = "string" diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars b/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars index fca8913f..c2a9cef0 100644 --- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars +++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars @@ -19,7 +19,7 @@ folder_ids = { networking-prod = null } groups = { - gcp-network-admins = "gcp-network-admins" + gcp-network-admins = "gcp-vpc-network-admins" } service_accounts = { data-platform-dev = "string" diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml index f0594c4c..993910f7 100644 --- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml +++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml @@ -740,7 +740,7 @@ values: timeouts: null ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"] : action: allow - description: Enable HTTP and HTTPS healthchecks + description: Enable SSH, HTTP and HTTPS healthchecks direction: INGRESS disabled: false enable_logging: null @@ -753,6 +753,7 @@ values: layer4_configs: - ip_protocol: tcp ports: + - "22" - "80" - "443" src_address_groups: null 
diff --git a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars index 52ca76a3..e3691e9c 100644 --- a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars +++ b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars @@ -16,7 +16,7 @@ custom_roles = { groups = { gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", - gcp-network-admins = "gcp-network-admins", + gcp-network-admins = "gcp-vpc-network-admins", gcp-organization-admins = "gcp-organization-admins", gcp-security-admins = "gcp-security-admins", gcp-support = "gcp-support" diff --git a/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars b/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars index 33cf4619..9cc9d46c 100644 --- a/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars +++ b/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars @@ -34,7 +34,7 @@ fast_features = { } groups = { gcp-devops = "gcp-devops", - gcp-network-admins = "gcp-network-admins", + gcp-network-admins = "gcp-vpc-network-admins", gcp-security-admins = "gcp-security-admins", } organization = {