Merge branch 'GoogleCloudPlatform:master' into master

2022-09-07 17:00:37 +02:00 · 2022-09-07 17:00:37 +02:00 · 953cda6462
parent ad75ec4ee0 1e62078e37
commit 953cda6462
73 changed files with 306 additions and 330 deletions
--- a/.github/workflows/merge-pr.yml
+++ b/.github/workflows/merge-pr.yml
@ -1,51 +0,0 @@
 # Copyright 2022 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 name: Post-merge tasks
 on:
  pull_request:
    branches:
      - master
    types:
      - closed
 env:
  PYTHON_VERSION: "3.10"
 jobs:
  if_merged:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install dependencies
        run: |
          pip install -r tools/requirements.txt
      - name: Update Changelog
        run: |
          python3 tools/changelog.py --token secrets.GITHUB_TOKEN CHANGELOG.md
      - name: Commit and push Changelog
        env:
          CI_COMMIT_MESSAGE: Update Changelog
          CI_COMMIT_AUTHOR: Fabric Repo Workflows
        run: |
          git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
          git config --global user.email "username@users.noreply.github.com"
          git commit -a -m "${{ env.CI_COMMIT_MESSAGE }}"
          git push
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
 ###  FAST
 - [[#793](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/793)] FAST: fix typo in CI/CD stage outputs. ([fawzihmouda](https://github.com/fawzihmouda)) <!-- 2022-09-04 11:50:36+00:00 -->
 - [[#774](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/774)] FAST: fix data-platform-dev folder in stage 03-data-platform ([sttomm](https://github.com/sttomm)) <!-- 2022-08-16 07:36:24+00:00 -->
 - [[#770](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/770)] FAST: fix to move without `output_location` ([daisuky-jp](https://github.com/daisuky-jp)) <!-- 2022-08-07 07:00:27+00:00 -->
 - [[#767](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/767)] Allow interpolating SAs in project factory subnet IAM bindings ([ludoo](https://github.com/ludoo)) <!-- 2022-08-04 08:39:28+00:00 -->
@ -98,6 +99,7 @@ All notable changes to this project will be documented in this file.
 ### TOOLS
 - [[#794](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/794)] Test documentation examples in the `examples/` folder ([juliocc](https://github.com/juliocc)) <!-- 2022-09-06 19:38:26+00:00 -->
 - [[#788](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/788)] fix yaml quotes for merge-pr workflow ([drebes](https://github.com/drebes)) <!-- 2022-08-31 13:47:33+00:00 -->
 - [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo)) <!-- 2022-08-02 09:45:06+00:00 -->
 - [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo)) <!-- 2022-07-30 17:04:00+00:00 -->
--- a/examples/cloud-operations/iam-delegated-role-grants/README.md
+++ b/examples/cloud-operations/iam-delegated-role-grants/README.md
@ -33,6 +33,7 @@ You can easily configure the example for this use case:
 delegated_role_grants = ["roles/compute.networkUser"]
 direct_role_grants = []
 restricted_role_grant = "roles/compute.networkAdmin"
 # tftest skip
 ```
 This diagram shows the resources and expected behaviour:
--- a/examples/data-solutions/data-platform-foundations/README.md
+++ b/examples/data-solutions/data-platform-foundations/README.md
@ -127,7 +127,7 @@ We suggest a centralized approach to key management, where Organization Security
 To configure the use of Cloud KMS on resources, you have to specify the key id on the `service_encryption_keys` variable. Key locations should match resource locations. Example:
-```hcl
+```tfvars
 service_encryption_keys = {
    bq       = "KEY_URL_MULTIREGIONAL"
    composer = "KEY_URL_REGIONAL"
@ -135,6 +135,7 @@ service_encryption_keys = {
    storage  = "KEY_URL_MULTIREGIONAL"
    pubsub   = "KEY_URL_MULTIREGIONAL"
 }
 # tftest skip
 ```
 This step is optional and depends on customer policies and security best practices.
@ -191,12 +192,13 @@ The Data Platform is meant to be executed by a Service Account (or a regular use
 There are three sets of variables you will need to fill in:
-```hcl
+```tfvars
 billing_account_id  = "111111-222222-333333"
 older_id            = "folders/123456789012"
 organization_domain = "domain.com"
 prefix              = "myco"
-```
+# tftest skip`
 ``
 For more fine details check variables on [`variables.tf`](./variables.tf) and update according to the desired configuration. Remember to create team groups described [below](#groups).
@ -207,6 +209,22 @@ terraform init
 terraform apply
 ```
 ## How to use this example from Terraform
 While this example can be used as a standalone deployment, it can also be called directly as a Terraform module by providing the variables values as show below:
 ```hcl
 module "data-platform" {
  source              = "./fabric/examples/data-solutions/data-platform-foundations"
  billing_account_id  = var.billing_account_id
  folder_id           = var.folder_id
  organization_domain = "example.com"
  prefix              = "myprefix"
 }
 # tftest modules=1 resources=1
 ```
 ## Customizations
 ### Create Cloud Key Management keys as part of the Data Platform
--- a/examples/factories/project-factory/README.md
+++ b/examples/factories/project-factory/README.md
@ -79,6 +79,8 @@ module "projects" {
  services_iam       = try(each.value.services_iam, {})
  vpc                = try(each.value.vpc, null)
 }
 # tftest skip
 ```
 ### Projects configuration
--- a/examples/networking/hub-and-spoke-peering/README.md
+++ b/examples/networking/hub-and-spoke-peering/README.md
@ -47,7 +47,7 @@ The example configures the peering with the GKE master VPC to export routes for
 Change the GKE cluster module and add a new variable after `private_cluster_config`:
-```hcl
+```tfvars
  peering_config = {
    export_routes = true
    import_routes = false
--- a/examples/networking/hub-and-spoke-vpn/README.md
+++ b/examples/networking/hub-and-spoke-vpn/README.md
@ -50,6 +50,8 @@ module "project" {
    disable_dependent_services = false
  }
 }
 # tftest skip
 ```
 ## Testing
--- a/fast/stages/00-cicd/outputs.tf
+++ b/fast/stages/00-cicd/outputs.tf
@ -23,7 +23,7 @@ locals {
  tfvars = {
    cicd_repositories = merge(local.cicd_repositories_by_system["gitlab"], local.cicd_repositories_by_system["github"])
    cicd_ssh_urls     = merge(local.gitlab_cicd_ssh, local.github_cicd_ssh)
-    cicd_https_urls   = merge(local.gitlab_cicd_https, local.gitlab_cicd_https)
+    cicd_https_urls   = merge(local.gitlab_cicd_https, local.github_cicd_https)
  }
 }
--- a/modules/__experimental/net-dns-policy-address/README.md
+++ b/modules/__experimental/net-dns-policy-address/README.md
@ -8,7 +8,7 @@ Since it's currently impossible to fetch those addresses using a GCP data source
 ```hcl
 module "dns-policy-addresses" {
-  source     = "./modules/__experimental/net-dns-policy-addresses"
+  source     = "./fabric/modules/__experimental/net-dns-policy-addresses"
  project_id = "myproject"
  regions    = ["europe-west1", "europe-west3"]
 }
--- a/modules/__experimental/net-neg/README.md
+++ b/modules/__experimental/net-neg/README.md
@ -7,7 +7,7 @@ Note: this module will integrated into a general-purpose load balancing module i
 ## Example
 ```hcl
 module "neg" {
-  source     = "./modules/net-neg"
+  source     = "./fabric/modules/net-neg"
  project_id = "myproject"
  name       = "myneg"
  network    = module.vpc.self_link
--- a/modules/api-gateway/README.md
+++ b/modules/api-gateway/README.md
@ -6,7 +6,7 @@ This module allows creating an API with its associated API config and API gatewa
 ## Basic example
 ```hcl
 module "gateway" {
-  source                = "./modules/api-gateway"
+  source                = "./fabric/modules/api-gateway"
  project_id            = "my-project"
  api_id                = "api"
  region                = "europe-west1"
@ -21,7 +21,7 @@ module "gateway" {
 ## Basic example + customer service account
 ```hcl
 module "gateway" {
-  source                = "./modules/api-gateway"
+  source                = "./fabric/modules/api-gateway"
  project_id            = "my-project"
  api_id                = "api"
  region                = "europe-west1"
@ -40,7 +40,7 @@ module "gateway" {
 ## Basic example + service account creation
 ```hcl
 module "gateway" {
-  source                = "./modules/api-gateway"
+  source                = "./fabric/modules/api-gateway"
  project_id            = "my-project"
  api_id                = "api"
  region                = "europe-west1"
--- a/modules/apigee-organization/README.md
+++ b/modules/apigee-organization/README.md
@ -8,7 +8,7 @@ This module allows managing a single Apigee organization and its environments an
 ```hcl
 module "apigee-organization" {
-  source     = "./modules/apigee-organization"
+  source     = "./fabric/modules/apigee-organization"
  project_id = "my-project"
  analytics_region = "us-central1"
  runtime_type = "CLOUD"
@ -36,7 +36,7 @@ module "apigee-organization" {
 ```hcl
 module "apigee-organization" {
-  source     = "./modules/apigee-organization"
+  source     = "./fabric/modules/apigee-organization"
  project_id = "my-project"
  analytics_region = "us-central1"
  runtime_type = "CLOUD"
@ -76,7 +76,7 @@ module "apigee-organization" {
 ```hcl
 module "apigee-organization" {
-  source     = "./modules/apigee-organization"
+  source     = "./fabric/modules/apigee-organization"
  project_id = "my-project"
  analytics_region = "us-central1"
  runtime_type = "HYBRID"
--- a/modules/apigee-x-instance/README.md
+++ b/modules/apigee-x-instance/README.md
@ -8,7 +8,7 @@ This module allows managing a single Apigee X instance and its environment attac
 ```hcl
 module "apigee-x-instance" {
-  source             = "./modules/apigee-x-instance"
+  source             = "./fabric/modules/apigee-x-instance"
  name               = "my-us-instance"
  region             = "us-central1"
  ip_range           = "10.0.0.0/22"
@ -26,7 +26,7 @@ module "apigee-x-instance" {
 ```hcl
 module "apigee-x-instance" {
-  source              = "./modules/apigee-x-instance"
+  source              = "./fabric/modules/apigee-x-instance"
  name                = "my-us-instance"
  region              = "us-central1"
  ip_range            = "10.0.0.0/22"
--- a/modules/artifact-registry/README.md
+++ b/modules/artifact-registry/README.md
@ -8,7 +8,7 @@ Note: Artifact Registry is still in beta, hence this module currently uses the b
 ```hcl
 module "docker_artifact_registry" {
-  source     = "./modules/artifact-registry"
+  source     = "./fabric/modules/artifact-registry"
  project_id = "myproject"
  location   = "europe-west1"
  format     = "DOCKER"
--- a/modules/bigquery-dataset/README.md
+++ b/modules/bigquery-dataset/README.md
@ -19,7 +19,7 @@ The access variables are split into `access` and `access_identities` variables,
 ```hcl
 module "bigquery-dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = "my-project"
  id          = "my-dataset"
  access = {
@ -44,7 +44,7 @@ Access configuration can also be specified via IAM instead of basic roles via th
 ```hcl
 module "bigquery-dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = "my-project"
  id          = "my-dataset"
  iam = {
@ -60,7 +60,7 @@ Dataset options are set via the `options` variable. all options must be specifie
 ```hcl
 module "bigquery-dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = "my-project"
  id         = "my-dataset"
  options = {
@ -85,7 +85,7 @@ locals {
 }
 module "bigquery-dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = "my-project"
  id         = "my_dataset"
  tables = {
@ -113,7 +113,7 @@ locals {
 }
 module "bigquery-dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = "my-project"
  id         = "my-dataset"
  tables = {
@ -145,7 +145,7 @@ locals {
 }
 module "bigquery-dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = "my-project"
  id         = "my_dataset"
  tables = {
--- a/modules/bigtable-instance/README.md
+++ b/modules/bigtable-instance/README.md
@ -14,7 +14,7 @@ This module allows managing a single BigTable instance, including access configu
 ```hcl
 module "bigtable-instance" {
-  source               = "./modules/bigtable-instance"
+  source               = "./fabric/modules/bigtable-instance"
  project_id           = "my-project"
  name                 = "instance"
  cluster_id           = "instance"
--- a/modules/billing-budget/README.md
+++ b/modules/billing-budget/README.md
@ -15,7 +15,7 @@ Send a notification to an email when a set of projects reach $100 of spend.
 ```hcl
 module "budget" {
-  source          = "./modules/billing-budget"
+  source          = "./fabric/modules/billing-budget"
  billing_account = var.billing_account_id
  name            = "$100 budget"
  amount          = 100
@ -42,7 +42,7 @@ Send a notification to a PubSub topic the total spend of a billing account reach
 ```hcl
 module "budget" {
-  source          = "./modules/billing-budget"
+  source          = "./fabric/modules/billing-budget"
  billing_account = var.billing_account_id
  name            = "previous period budget"
  amount          = 0
@ -54,7 +54,7 @@ module "budget" {
 }
 module "pubsub" {
-  source     = "./modules/pubsub"
+  source     = "./fabric/modules/pubsub"
  project_id = var.project_id
  name       = "budget-topic"
 }
--- a/modules/binauthz/README.md
+++ b/modules/binauthz/README.md
@ -8,7 +8,7 @@ This module simplifies the creation of a Binary Authorization policy, attestors
 ```hcl
 module "binauthz" {
-  source     = "./modules/binauthz"
+  source     = "./fabric/modules/binauthz"
  project_id = "my_project"
  global_policy_evaluation_mode = "DISABLE"
  default_admission_rule = {
--- a/modules/cloud-config-container/coredns/README.md
+++ b/modules/cloud-config-container/coredns/README.md
@ -24,7 +24,7 @@ This example will create a `cloud-config` that uses the module's defaults, creat
 ```hcl
 module "cos-coredns" {
-  source           = "./modules/cloud-config-container/coredns"
+  source           = "./fabric/modules/cloud-config-container/coredns"
 }
 # use it as metadata in a compute instance or template
@ -40,8 +40,8 @@ This example will create a `cloud-config` using a custom CoreDNS configuration,
 ```hcl
 module "cos-coredns" {
-  source           = "./modules/cloud-config-container/coredns"
+  source           = "./fabric/modules/cloud-config-container/coredns"
-  coredns_config = "./modules/cloud-config-container/coredns/Corefile-hosts"
+  coredns_config = "./fabric/modules/cloud-config-container/coredns/Corefile-hosts"
  files = {
    "/etc/coredns/example.hosts" = {
      content     = "127.0.0.2 foo.example.org foo"
@ -57,7 +57,7 @@ This example shows how to create the single instance optionally managed by the m
 ```hcl
 module "cos-coredns" {
-  source           = "./modules/cloud-config-container/coredns"
+  source           = "./fabric/modules/cloud-config-container/coredns"
  test_instance = {
    project_id = "my-project"
    zone       = "europe-west1-b"
--- a/modules/cloud-config-container/cos-generic-metadata/README.md
+++ b/modules/cloud-config-container/cos-generic-metadata/README.md
@ -14,7 +14,7 @@ This example will create a `cloud-config` that starts [Envoy Proxy](https://www.
 ```hcl
 module "cos-envoy" {
-  source = "./modules/cos-generic-metadata"
+  source = "./fabric/modules/cos-generic-metadata"
  container_image = "envoyproxy/envoy:v1.14.1"
  container_name  = "envoy"
--- a/modules/cloud-config-container/envoy-traffic-director/README.md
+++ b/modules/cloud-config-container/envoy-traffic-director/README.md
@ -13,12 +13,12 @@ This module depends on the [`cos-generic-metadata` module](../cos-generic-metada
 ```hcl
 # Envoy TD config
 module "cos-envoy-td" {
-  source = "./modules/cloud-config-container/envoy-traffic-director"
+  source = "./fabric/modules/cloud-config-container/envoy-traffic-director"
 }
 # COS VM
 module "vm-cos" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = local.project_id
  zone       = local.zone
  name       = "cos-envoy-td"
--- a/modules/cloud-config-container/mysql/README.md
+++ b/modules/cloud-config-container/mysql/README.md
@ -26,7 +26,7 @@ This example will create a `cloud-config` that uses the container's default conf
 ```hcl
 module "cos-mysql" {
-  source         = "./modules/cos-container/mysql"
+  source         = "./fabric/modules/cos-container/mysql"
  mysql_password = "foo"
 }
@ -43,7 +43,7 @@ This example will create a `cloud-config` that uses a custom MySQL configuration
 ```hcl
 module "cos-mysql" {
-  source         = "./modules/cos-container/mysql"
+  source         = "./fabric/modules/cos-container/mysql"
  mysql_config   = "./my.cnf"
  mysql_password = "CiQAsd7WY=="
  kms_config     = {
@ -61,7 +61,7 @@ This example shows how to create the single instance optionally managed by the m
 ```hcl
 module "cos-mysql" {
-  source         = "./modules/cos-container/mysql"
+  source         = "./fabric/modules/cos-container/mysql"
  mysql_password = "foo"
  test_instance = {
    project_id = "my-project"
--- a/modules/cloud-config-container/nginx-tls/README.md
+++ b/modules/cloud-config-container/nginx-tls/README.md
@ -14,12 +14,12 @@ This module depends on the [`cos-generic-metadata` module](../cos-generic-metada
 ```hcl
 # Nginx with self-signed TLS config
 module "cos-nginx-tls" {
-  source = "./modules/cloud-config-container/nginx-tls"
+  source = "./fabric/modules/cloud-config-container/nginx-tls"
 }
 # COS VM
 module "vm-nginx-tls" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = local.project_id
  zone       = local.zone
  name       = "cos-nginx-tls"
--- a/modules/cloud-config-container/nginx/README.md
+++ b/modules/cloud-config-container/nginx/README.md
@ -24,7 +24,7 @@ This example will create a `cloud-config` that uses the module's defaults, creat
 ```hcl
 module "cos-nginx" {
-  source           = "./modules/cloud-config-container/nginx"
+  source           = "./fabric/modules/cloud-config-container/nginx"
 }
 # use it as metadata in a compute instance or template
@ -40,7 +40,7 @@ This example shows how to create the single instance optionally managed by the m
 ```hcl
 module "cos-nginx" {
-  source           = "./modules/cloud-config-container/nginx"
+  source           = "./fabric/modules/cloud-config-container/nginx"
  test_instance = {
    project_id = "my-project"
    zone       = "europe-west1-b"
--- a/modules/cloud-config-container/onprem/README.md
+++ b/modules/cloud-config-container/onprem/README.md
@ -24,7 +24,7 @@ The test instance is optional, as described above.
 ```hcl
 module "cloud-vpn" {
-  source     = "./modules/net-vpn-static"
+  source     = "./fabric/modules/net-vpn-static"
  project_id = "my-project"
  region     = "europe-west1"
  network    = "my-vpc"
@ -41,7 +41,7 @@ module "cloud-vpn" {
 }
 module "on-prem" {
-  source = "./modules/cos-container/on-prem"
+  source = "./fabric/modules/cos-container/on-prem"
  name       = "onprem"
  vpn_config = {
    type          = "static"
--- a/modules/cloud-config-container/squid/README.md
+++ b/modules/cloud-config-container/squid/README.md
@ -24,7 +24,7 @@ This example will create a `cloud-config` that allows any client in the 10.0.0.0
 ```hcl
 module "cos-squid" {
-  source           = "./modules/cloud-config-container/squid"
+  source           = "./fabric/modules/cloud-config-container/squid"
  whitelist = [".github.com"]
  clients   = ["10.0.0.0/8"]
 }
@ -42,7 +42,7 @@ This example shows how to create the single instance optionally managed by the m
 ```hcl
 module "cos-squid" {
-  source           = "./modules/cloud-config-container/squid"
+  source           = "./fabric/modules/cloud-config-container/squid"
  whitelist = ["github.com"]
  clients   = ["10.0.0.0/8"]
  test_instance = {
--- a/modules/cloud-function/README.md
+++ b/modules/cloud-function/README.md
@ -16,7 +16,7 @@ This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bu
 ```hcl
 module "cf-http" {
-  source        = "./modules/cloud-function"
+  source        = "./fabric/modules/cloud-function"
  project_id    = "my-project"
  name          = "test-cf-http"
  bucket_name   = "test-cf-bundles"
@ -35,7 +35,7 @@ Other trigger types other than HTTP are configured via the `trigger_config` vari
 ```hcl
 module "cf-http" {
-  source        = "./modules/cloud-function"
+  source        = "./fabric/modules/cloud-function"
  project_id    = "my-project"
  name          = "test-cf-http"
  bucket_name   = "test-cf-bundles"
@ -59,7 +59,7 @@ To allow anonymous access to the function, grant the `roles/cloudfunctions.invok
 ```hcl
 module "cf-http" {
-  source        = "./modules/cloud-function"
+  source        = "./fabric/modules/cloud-function"
  project_id    = "my-project"
  name          = "test-cf-http"
  bucket_name   = "test-cf-bundles"
@ -81,7 +81,7 @@ You can have the module auto-create the GCS bucket used for deployment via the `
 ```hcl
 module "cf-http" {
-  source        = "./modules/cloud-function"
+  source        = "./fabric/modules/cloud-function"
  project_id    = "my-project"
  name          = "test-cf-http"
  bucket_name   = "test-cf-bundles"
@ -104,7 +104,7 @@ To use a custom service account managed by the module, set `service_account_crea
 ```hcl
 module "cf-http" {
-  source        = "./modules/cloud-function"
+  source        = "./fabric/modules/cloud-function"
  project_id    = "my-project"
  name          = "test-cf-http"
  bucket_name   = "test-cf-bundles"
@ -122,7 +122,7 @@ To use an externally managed service account, pass its email in `service_account
 ```hcl
 module "cf-http" {
-  source        = "./modules/cloud-function"
+  source        = "./fabric/modules/cloud-function"
  project_id    = "my-project"
  name          = "test-cf-http"
  bucket_name   = "test-cf-bundles"
@ -142,7 +142,7 @@ In order to help prevent `archive_zip.output_md5` from changing cross platform (
 ```hcl
 module "cf-http" {
-  source        = "./modules/cloud-function"
+  source        = "./fabric/modules/cloud-function"
  project_id    = "my-project"
  name          = "test-cf-http"
  bucket_name   = "test-cf-bundles"
--- a/modules/cloud-identity-group/README.md
+++ b/modules/cloud-identity-group/README.md
@ -17,7 +17,7 @@ Until that bug is fixed, this module will only support the creation of MEMBER an
 ### Simple Group
 ```hcl
 module "group" {
-  source       = "./modules/cloud-identity-group"
+  source       = "./fabric/modules/cloud-identity-group"
  customer_id  = "customers/C01234567"
  name         = "mygroup@example.com"
  display_name = "My group name"
@ -34,7 +34,7 @@ module "group" {
 ### Group with managers
 ```hcl
 module "group" {
-  source       = "./modules/cloud-identity-group"
+  source       = "./fabric/modules/cloud-identity-group"
  customer_id  = "customers/C01234567"
  name         = "mygroup2@example.com"
  display_name = "My group name 2"
--- a/modules/cloud-run/README.md
+++ b/modules/cloud-run/README.md
@ -10,7 +10,7 @@ This deploys a Cloud Run service and sets some environment variables.
 ```hcl
 module "cloud_run" {
-  source     = "./modules/cloud-run"
+  source     = "./fabric/modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
@ -36,7 +36,7 @@ module "cloud_run" {
 ```hcl
 module "cloud_run" {
-  source     = "./modules/cloud-run"
+  source     = "./fabric/modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
@ -64,7 +64,7 @@ module "cloud_run" {
 ```hcl
 module "cloud_run" {
-  source     = "./modules/cloud-run"
+  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  name       = "hello"
  region     = var.region
@ -98,7 +98,7 @@ This deploys a Cloud Run service with traffic split between two revisions.
 ```hcl
 module "cloud_run" {
-  source     = "./modules/cloud-run"
+  source     = "./fabric/modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  revision_name = "green"
@ -123,7 +123,7 @@ This deploys a Cloud Run service that will be triggered when messages are publis
 ```hcl
 module "cloud_run" {
-  source     = "./modules/cloud-run"
+  source     = "./fabric/modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
@ -147,7 +147,7 @@ This deploys a Cloud Run service that will be triggered when specific log events
 ```hcl
 module "cloud_run" {
-  source     = "./modules/cloud-run"
+  source     = "./fabric/modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
@ -173,7 +173,7 @@ To use a custom service account managed by the module, set `service_account_crea
 ```hcl
 module "cloud_run" {
-  source     = "./modules/cloud-run"
+  source     = "./fabric/modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
@ -192,7 +192,7 @@ To use an externally managed service account, pass its email in `service_account
 ```hcl
 module "cloud_run" {
-  source     = "./modules/cloud-run"
+  source     = "./fabric/modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@ -12,7 +12,7 @@ This example shows how to setup a project, VPC and a standalone Cloud SQL instan
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  parent          = var.organization_id
  name            = "my-db-project"
@ -22,7 +22,7 @@ module "project" {
 }
 module "vpc" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = module.project.project_id
  name       = "my-network"
  psa_config = {
@ -32,7 +32,7 @@ module "vpc" {
 }
 module "db" {
-  source           = "./modules/cloudsql-instance"
+  source           = "./fabric/modules/cloudsql-instance"
  project_id       = module.project.project_id
  network          = module.vpc.self_link
  name             = "db"
@ -47,7 +47,7 @@ module "db" {
 ```hcl
 module "db" {
-  source           = "./modules/cloudsql-instance"
+  source           = "./fabric/modules/cloudsql-instance"
  project_id       = var.project_id
  network          = var.vpc.self_link
  name             = "db"
@ -67,7 +67,7 @@ module "db" {
 ```hcl
 module "db" {
-  source           = "./modules/cloudsql-instance"
+  source           = "./fabric/modules/cloudsql-instance"
  project_id       = var.project_id
  network          = var.vpc.self_link
  name             = "db"
@ -98,7 +98,7 @@ module "db" {
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  parent          = var.organization_id
  name            = "my-db-project"
@ -109,7 +109,7 @@ module "project" {
 }
 module "kms" {
-  source     = "./modules/kms"
+  source     = "./fabric/modules/kms"
  project_id = module.project.project_id
  keyring = {
    name     = "keyring"
@ -128,7 +128,7 @@ module "kms" {
 }
 module "db" {
-  source              = "./modules/cloudsql-instance"
+  source              = "./fabric/modules/cloudsql-instance"
  project_id          = module.project.project_id
  encryption_key_name = module.kms.keys["key-sql"].id
  network             = var.vpc.self_link
--- a/modules/compute-mig/README.md
+++ b/modules/compute-mig/README.md
@ -12,11 +12,11 @@ This example shows how to manage a simple MIG that leverages the `compute-vm` mo
 ```hcl
 module "cos-nginx" {
-  source = "./modules/cloud-config-container/nginx"
+  source = "./fabric/modules/cloud-config-container/nginx"
 }
 module "nginx-template" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  name       = "nginx-template"
  zone     = "europe-west1-b"
@ -39,7 +39,7 @@ module "nginx-template" {
 }
 module "nginx-mig" {
-  source      = "./modules/compute-mig"
+  source      = "./fabric/modules/compute-mig"
  project_id  = "my-project"
  location    = "europe-west1-b"
  name        = "mig-test"
@ -58,11 +58,11 @@ If multiple versions are desired, use more `compute-vm` instances for the additi
 ```hcl
 module "cos-nginx" {
-  source = "./modules/cloud-config-container/nginx"
+  source = "./fabric/modules/cloud-config-container/nginx"
 }
 module "nginx-template" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  name       = "nginx-template"
  zone     = "europe-west1-b"
@ -85,7 +85,7 @@ module "nginx-template" {
 }
 module "nginx-mig" {
-  source      = "./modules/compute-mig"
+  source      = "./fabric/modules/compute-mig"
  project_id  = "my-project"
  location    = "europe-west1-b"
  name        = "mig-test"
@ -111,11 +111,11 @@ Autohealing policies can use an externally defined health check, or have this mo
 ```hcl
 module "cos-nginx" {
-  source = "./modules/cloud-config-container/nginx"
+  source = "./fabric/modules/cloud-config-container/nginx"
 }
 module "nginx-template" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  name       = "nginx-template"
  zone     = "europe-west1-b"
@ -138,7 +138,7 @@ module "nginx-template" {
 }
 module "nginx-mig" {
-  source = "./modules/compute-mig"
+  source = "./fabric/modules/compute-mig"
  project_id = "my-project"
  location     = "europe-west1-b"
  name       = "mig-test"
@ -167,11 +167,11 @@ The module can create and manage an autoscaler associated with the MIG. When usi
 ```hcl
 module "cos-nginx" {
-  source = "./modules/cloud-config-container/nginx"
+  source = "./fabric/modules/cloud-config-container/nginx"
 }
 module "nginx-template" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  name       = "nginx-template"
  zone     = "europe-west1-b"
@ -194,7 +194,7 @@ module "nginx-template" {
 }
 module "nginx-mig" {
-  source = "./modules/compute-mig"
+  source = "./fabric/modules/compute-mig"
  project_id = "my-project"
  location     = "europe-west1-b"
  name       = "mig-test"
@ -219,11 +219,11 @@ module "nginx-mig" {
 ```hcl
 module "cos-nginx" {
-  source = "./modules/cloud-config-container/nginx"
+  source = "./fabric/modules/cloud-config-container/nginx"
 }
 module "nginx-template" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  name       = "nginx-template"
  zone     = "europe-west1-b"
@ -246,7 +246,7 @@ module "nginx-template" {
 }
 module "nginx-mig" {
-  source = "./modules/compute-mig"
+  source = "./fabric/modules/compute-mig"
  project_id = "my-project"
  location     = "europe-west1-b"
  name       = "mig-test"
@ -281,11 +281,11 @@ Note that when referencing the stateful disk, you use `device_name` and not `dis
 ```hcl
 module "cos-nginx" {
-  source = "./modules/cloud-config-container/nginx"
+  source = "./fabric/modules/cloud-config-container/nginx"
 }
 module "nginx-template" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  name       = "nginx-template"
  zone     = "europe-west1-b"
@ -319,7 +319,7 @@ module "nginx-template" {
 }
 module "nginx-mig" {
-  source = "./modules/compute-mig"
+  source = "./fabric/modules/compute-mig"
  project_id = "my-project"
  location     = "europe-west1-b"
  name       = "mig-test"
@ -358,11 +358,11 @@ Note that you will need to know the instance name in order to use this configura
 ```hcl
 module "cos-nginx" {
-  source = "./modules/cloud-config-container/nginx"
+  source = "./fabric/modules/cloud-config-container/nginx"
 }
 module "nginx-template" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  name       = "nginx-template"
  zone     = "europe-west1-b"
@ -396,7 +396,7 @@ module "nginx-template" {
 }
 module "nginx-mig" {
-  source = "./modules/compute-mig"
+  source = "./fabric/modules/compute-mig"
  project_id = "my-project"
  location     = "europe-west1-b"
  name       = "mig-test"
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@ -15,7 +15,7 @@ The simplest example leverages defaults for the boot disk image and size, and us
 ```hcl
 module "simple-vm-example" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  zone     = "europe-west1-b"
  name       = "test"
@ -37,7 +37,7 @@ module "simple-vm-example" {
 ```hcl
 module "spot-vm-example" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  zone     = "europe-west1-b"
  name       = "test"
@ -72,7 +72,7 @@ This is an example of attaching a pre-existing regional PD to a new instance:
 ```hcl
 module "simple-vm-example" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  zone     = "${var.region}-b"
  name       = "test"
@ -102,7 +102,7 @@ And the same example for an instance template (where not using the full self lin
 ```hcl
 module "simple-vm-example" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  zone     = "${var.region}-b"
  name       = "test"
@ -135,7 +135,7 @@ This example shows how to control disk encryption via the the `encryption` varia
 ```hcl
 module "kms-vm-example" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = var.project_id
  zone       = "europe-west1-b"
  name       = "kms-test"
@ -175,7 +175,7 @@ This example shows how to add additional [Alias IPs](https://cloud.google.com/vp
 ```hcl
 module "vm-with-alias-ips" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = "my-project"
  zone       = "europe-west1-b"
  name       = "test"
@ -224,7 +224,7 @@ resource "google_compute_image" "cos-gvnic" {
 }
 module "vm-with-gvnic" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = "my-project"
  zone       = "europe-west1-b"
  name       = "test"
@ -256,7 +256,7 @@ This example shows how to use the module to manage an instance template that def
 ```hcl
 module "cos-test" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = "my-project"
  zone     = "europe-west1-b"
  name       = "test"
@ -296,7 +296,7 @@ locals {
 }
 module "instance-group" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  project_id = "my-project"
  zone     = "europe-west1-b"
  name       = "ilb-test"
--- a/modules/container-registry/README.md
+++ b/modules/container-registry/README.md
@ -6,7 +6,7 @@ This module simplifies the creation of GCS buckets used by Google Container Regi
 ```hcl
 module "container_registry" {
-  source     = "./modules/container-registry"
+  source     = "./fabric/modules/container-registry"
  project_id = "myproject"
  location   = "EU"
  iam = {
--- a/modules/data-catalog-policy-tag/README.md
+++ b/modules/data-catalog-policy-tag/README.md
@ -9,7 +9,7 @@ Note: Data Catalog is still in beta, hence this module currently uses the beta p
 ```hcl
 module "cmn-dc" {
-  source     = "./modules/data-catalog-policy-tag"
+  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags       = {
@ -23,7 +23,7 @@ module "cmn-dc" {
 ```hcl
 module "cmn-dc" {
-  source     = "./modules/data-catalog-policy-tag"
+  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags       = { 
--- a/modules/datafusion/README.md
+++ b/modules/datafusion/README.md
@ -8,7 +8,7 @@ This module allows simple management of ['Google Data Fusion'](https://cloud.goo
 ```hcl
 module "datafusion" {
-  source          = "./modules/datafusion"
+  source          = "./fabric/modules/datafusion"
  name            = "my-datafusion"
  region          = "europe-west1"
  project_id      = "my-project"
@ -23,7 +23,7 @@ module "datafusion" {
 ```hcl
 module "datafusion" {
-  source               = "./modules/datafusion"
+  source               = "./fabric/modules/datafusion"
  name                 = "my-datafusion"
  region               = "europe-west1"
  project_id           = "my-project"
--- a/modules/dns/README.md
+++ b/modules/dns/README.md
@ -10,7 +10,7 @@ For DNSSEC configuration, refer to the [`dns_managed_zone` documentation](https:
 ```hcl
 module "private-dns" {
-  source          = "./modules/dns"
+  source          = "./fabric/modules/dns"
  project_id      = "myproject"
  type            = "private"
  name            = "test-example"
@ -27,7 +27,7 @@ module "private-dns" {
 ```hcl
 module "private-dns" {
-  source          = "./modules/dns"
+  source          = "./fabric/modules/dns"
  project_id      = "myproject"
  type            = "forwarding"
  name            = "test-example"
@ -42,7 +42,7 @@ module "private-dns" {
 ```hcl
 module "private-dns" {
-  source          = "./modules/dns"
+  source          = "./fabric/modules/dns"
  project_id      = "myproject"
  type            = "peering"
  name            = "test-example"
--- a/modules/endpoints/README.md
+++ b/modules/endpoints/README.md
@ -8,7 +8,7 @@ This module allows simple management of ['Google Cloud Endpoints'](https://cloud
 ```hcl
 module "endpoint" {
-  source         = "./modules/endpoints"
+  source         = "./fabric/modules/endpoints"
  project_id     = "my-project"
  service_name   = "YOUR-API.endpoints.YOUR-PROJECT-ID.cloud.goog"
  openapi_config = { "yaml_path" = "openapi.yaml" }
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@ -8,7 +8,7 @@ This module allows the creation and management of folders, including support for
 ```hcl
 module "folder" {
-  source = "./modules/folder"
+  source = "./fabric/modules/folder"
  parent = "organizations/1234567890"
  name  = "Folder name"
  group_iam       = {
@ -28,7 +28,7 @@ module "folder" {
 ```hcl
 module "folder" {
-  source = "./modules/folder"
+  source = "./fabric/modules/folder"
  parent = "organizations/1234567890"
  name  = "Folder name"
  policy_boolean = {
@ -53,7 +53,7 @@ In the same way as for the [organization](../organization) module, the in-built
 ```hcl
 module "folder" {
-  source          = "./modules/folder"
+  source          = "./fabric/modules/folder"
  parent = "organizations/1234567890"
  name  = "Folder name"
  firewall_policy_factory = {
@ -109,33 +109,33 @@ allow-ssh-from-iap:
 ```hcl
 module "gcs" {
-  source        = "./modules/gcs"
+  source        = "./fabric/modules/gcs"
  project_id    = "my-project"
  name          = "gcs_sink"
  force_destroy = true
 }
 module "dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = "my-project"
  id         = "bq_sink"
 }
 module "pubsub" {
-  source     = "./modules/pubsub"
+  source     = "./fabric/modules/pubsub"
  project_id = "my-project"
  name       = "pubsub_sink"
 }
 module "bucket" {
-  source      = "./modules/logging-bucket"
+  source      = "./fabric/modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
 }
 module "folder-sink" {
-  source = "./modules/folder"
+  source = "./fabric/modules/folder"
  parent = "folders/657104291943"
  name   = "my-folder"
  logging_sinks = {
@ -181,7 +181,7 @@ module "folder-sink" {
 ```hcl
 module "folder1" {
-  source = "./modules/folder"
+  source = "./fabric/modules/folder"
  parent = var.organization_id
  name   = "policy-container"
@ -206,7 +206,7 @@ module "folder1" {
 }
 module "folder2" {
-  source = "./modules/folder"
+  source = "./fabric/modules/folder"
  parent = var.organization_id
  name   = "hf2"
  firewall_policy_association = {
@ -222,7 +222,7 @@ Refer to the [Creating and managing tags](https://cloud.google.com/resource-mana
 ```hcl
 module "org" {
-  source          = "./modules/organization"
+  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  tags = {
    environment = {
@ -237,7 +237,7 @@ module "org" {
 }
 module "folder" {
-  source = "./modules/folder"
+  source = "./fabric/modules/folder"
  name   = "Test"
  parent = module.org.organization_id
  tag_bindings = {
--- a/modules/folders-unit/README.md
+++ b/modules/folders-unit/README.md
@ -6,7 +6,7 @@ This module allows creation and management of an organizational hierarchy "unit"
 ```hcl
 module "folders-unit" {
-  source                = "./modules/folders-unit"
+  source                = "./fabric/modules/folders-unit"
  name                  = "Business Intelligence"
  short_name            = "bi"
  automation_project_id = "automation-project-394yr923811"
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@ -3,7 +3,7 @@
 ```hcl
 module "bucket" {
-  source     = "./modules/gcs"
+  source     = "./fabric/modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
@ -18,7 +18,7 @@ module "bucket" {
 ```hcl
 module "bucket" {
-  source     = "./modules/gcs"
+  source     = "./fabric/modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
@ -34,7 +34,7 @@ module "bucket" {
 ```hcl
 module "bucket" {
-  source     = "./modules/gcs"
+  source     = "./fabric/modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
@ -59,7 +59,7 @@ module "bucket" {
 ```hcl
 module "bucket" {
-  source     = "./modules/gcs"
+  source     = "./fabric/modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name      = "my-bucket"
@ -91,7 +91,7 @@ module "bucket" {
 ### Minimal example with GCS notifications
 ```hcl
 module "bucket-gcs-notification" {
-  source     = "./modules/gcs"
+  source     = "./fabric/modules/gcs"
  project_id = "myproject"
  prefix     = "test"
  name       = "my-bucket"
--- a/modules/gke-cluster/README.md
+++ b/modules/gke-cluster/README.md
@ -8,7 +8,7 @@ This module allows simplified creation and management of GKE clusters and should
 ```hcl
 module "cluster-1" {
-  source                    = "./modules/gke-cluster"
+  source                    = "./fabric/modules/gke-cluster"
  project_id                = "myproject"
  name                      = "cluster-1"
  location                  = "europe-west1-b"
@ -37,7 +37,7 @@ module "cluster-1" {
 ```hcl
 module "cluster-1" {
-  source                    = "./modules/gke-cluster"
+  source                    = "./fabric/modules/gke-cluster"
  project_id                = "myproject"
  name                      = "cluster-1"
  location                  = "europe-west1-b"
--- a/modules/gke-hub/README.md
+++ b/modules/gke-hub/README.md
@ -17,7 +17,7 @@ To use this module you must ensure the following APIs are enabled in the target
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "gkehub-test"
  parent          = "folders/12345"
@ -33,7 +33,7 @@ module "project" {
 }
 module "vpc" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = module.project.project_id
  name       = "network"
  subnets = [{
@ -48,7 +48,7 @@ module "vpc" {
 }
 module "cluster_1" {
-  source                   = "./modules/gke-cluster"
+  source                   = "./fabric/modules/gke-cluster"
  project_id               = module.project.project_id
  name                     = "cluster-1"
  location                 = "europe-west1-b"
@ -67,7 +67,7 @@ module "cluster_1" {
 }
 module "hub" {
-  source     = "./modules/gke-hub"
+  source     = "./fabric/modules/gke-hub"
  project_id = module.project.project_id
  clusters = {
    cluster-1 = module.cluster_1.id
@ -124,7 +124,7 @@ module "hub" {
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  billing_account = "123-456-789"
  name            = "gkehub-test"
  parent          = "folders/12345"
@ -140,7 +140,7 @@ module "project" {
 }
 module "vpc" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = module.project.project_id
  name       = "vpc"
  mtu        = 1500
@ -173,7 +173,7 @@ module "vpc" {
 }
 module "firewall" {
-  source     = "./modules/net-vpc-firewall"
+  source     = "./fabric/modules/net-vpc-firewall"
  project_id = module.project.project_id
  network    = module.vpc.name
  custom_rules = { 
@ -225,7 +225,7 @@ module "firewall" {
 }
 module "cluster_1" {
-  source                   = "./modules/gke-cluster"
+  source                   = "./fabric/modules/gke-cluster"
  project_id               = module.project.project_id
  name                     = "cluster-1"
  location                 = "europe-wes1"
@ -252,7 +252,7 @@ module "cluster_1" {
 }
 module "cluster_1_nodepool" {
-  source                      = "./modules/gke-nodepool"
+  source                      = "./fabric/modules/gke-nodepool"
  project_id                  = module.project.project_id
  cluster_name                = module.cluster_1.name
  location                    = "europe-west1"
@ -264,7 +264,7 @@ module "cluster_1_nodepool" {
 }
 module "cluster_2" {
-  source                   = "./modules/gke-cluster"
+  source                   = "./fabric/modules/gke-cluster"
  project_id               = module.project.project_id
  name                     = "cluster-1"
  location                 = "europe-wes1"
@ -291,7 +291,7 @@ module "cluster_2" {
 }
 module "cluster_2_nodepool" {
-  source                      = "./modules/gke-nodepool"
+  source                      = "./fabric/modules/gke-nodepool"
  project_id                  = module.project.project_id
  cluster_name                = module.cluster_2.name
  location                    = "europe-west4"
@ -304,7 +304,7 @@ module "cluster_2_nodepool" {
 module "hub" {
-  source     = "./modules/gke-hub"
+  source     = "./fabric/modules/gke-hub"
  project_id = module.project.project_id
  clusters = { 
    cluster-1 = module.cluster_1.id
--- a/modules/gke-nodepool/README.md
+++ b/modules/gke-nodepool/README.md
@ -10,7 +10,7 @@ If no specific node configuration is set via variables, the module uses the prov
 ```hcl
 module "cluster-1-nodepool-1" {
-  source                      = "./modules/gke-nodepool"
+  source                      = "./fabric/modules/gke-nodepool"
  project_id                  = "myproject"
  cluster_name                = "cluster-1"
  location                    = "europe-west1-b"
@ -24,7 +24,7 @@ To have the module auto-create a service account for the nodes, set the `node_se
 ```hcl
 module "cluster-1-nodepool-1" {
-  source                      = "./modules/gke-nodepool"
+  source                      = "./fabric/modules/gke-nodepool"
  project_id                  = "myproject"
  cluster_name                = "cluster-1"
  location                    = "europe-west1-b"
--- a/modules/iam-service-account/README.md
+++ b/modules/iam-service-account/README.md
@ -8,7 +8,7 @@ Note that this module does not fully comply with our design principles, as outpu
 ```hcl
 module "myproject-default-service-accounts" {
-  source            = "./modules/iam-service-account"
+  source            = "./fabric/modules/iam-service-account"
  project_id        = "myproject"
  name              = "vm-default"
  generate_key      = true
--- a/modules/iot-core/README.md
+++ b/modules/iot-core/README.md
@ -44,7 +44,7 @@ device_2:
 ```hcl
 module "iot-platform" {
-  source                     = "./modules/iot-core"
+  source                     = "./fabric/modules/iot-core"
  project_id                 = "my_project_id"
  region                     = "europe-west1"
  telemetry_pubsub_topic_id = "telemetry_topic_id"
@ -67,7 +67,7 @@ If you need to match specific MQTT topics (eg, /temperature) into specific PubSu
 ```hcl
 module "iot-platform" {
-  source                     = "./modules/iot-core"
+  source                     = "./fabric/modules/iot-core"
  project_id                 = "my_project_id"
  region                     = "europe-west1"
  telemetry_pubsub_topic_id = "telemetry_topic_id"
@ -99,7 +99,7 @@ In this example, we will show how to extend the **[Data Foundations Platform](..
 ```hcl
 module "iot-platform" {
-  source                     = "./modules/iot-core"
+  source                     = "./fabric/modules/iot-core"
  project_id                 = "landing-project-id"
  region                     = "europe-west1"
  telemetry_pubsub_topic_id = "landing_pubsub_topic_id"
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@ -14,7 +14,7 @@ In this module **no lifecycle blocks are set on resources to prevent destroy**,
 ```hcl
 module "kms" {
-  source         = "./modules/kms"
+  source         = "./fabric/modules/kms"
  project_id     = "my-project"
  iam    = {
    "roles/cloudkms.admin" = ["user:user1@example.com"]
@ -30,7 +30,7 @@ module "kms" {
 ```hcl
 module "kms" {
-  source     = "./modules/kms"
+  source     = "./fabric/modules/kms"
  project_id = "my-project"
  iam_additive = {
    "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
@ -63,7 +63,7 @@ module "kms" {
 ```hcl
 module "kms" {
-  source      = "./modules/kms"
+  source      = "./fabric/modules/kms"
  project_id  = "my-project"
  key_purpose = {
    key-c = {
--- a/modules/logging-bucket/README.md
+++ b/modules/logging-bucket/README.md
@ -12,7 +12,7 @@ See also the `logging_sinks` argument within the [project](../project/), [folder
 ```hcl
 module "bucket" {
-  source      = "./modules/logging-bucket"
+  source      = "./fabric/modules/logging-bucket"
  parent_type = "project"
  parent      = var.project_id
  id          = "mybucket"
@ -25,13 +25,13 @@ module "bucket" {
 ```hcl
 module "folder" {
-  source = "./modules/folder"
+  source = "./fabric/modules/folder"
  parent = "folders/657104291943"
  name   = "my folder"
 }
 module "bucket-default" {
-  source      = "./modules/logging-bucket"
+  source      = "./fabric/modules/logging-bucket"
  parent_type = "folder"
  parent      = module.folder.id
  id          = "_Default"
--- a/modules/naming-convention/README.md
+++ b/modules/naming-convention/README.md
@ -14,7 +14,7 @@ In its default configuration, the module supports an option prefix and suffix, a
 ```hcl
 module "names-org" {
-  source     = "./modules/naming-convention"
+  source     = "./fabric/modules/naming-convention"
  prefix      = "myco"
  environment = "dev"
  team        = "cloud"
@ -30,7 +30,7 @@ module "names-org" {
 }
 module "project-tf" {
-  source = "./modules/project"
+  source = "./fabric/modules/project"
  # myco-cloud-dev-tf
  name   = module.names-org.names.project.tf
  # { environment = "dev", scope = "global", team = "cloud" }
@ -42,7 +42,7 @@ You can also enable resource type naming, useful with some legacy CMDB setups. W
 ```hcl
 module "names-org" {
-  source     = "./modules/naming-convention"
+  source     = "./fabric/modules/naming-convention"
  prefix      = "myco"
  environment = "dev"
  team        = "cloud"
@ -59,7 +59,7 @@ module "names-org" {
 }
 module "project-tf" {
-  source = "./modules/project"
+  source = "./fabric/modules/project"
  # prj-myco-cloud-dev-tf
  name   = module.names-org.names.prj.tf
 }
--- a/modules/net-address/README.md
+++ b/modules/net-address/README.md
@ -8,7 +8,7 @@ This module allows reserving Compute Engine external, global, and internal addre
 ```hcl
 module "addresses" {
-  source     = "./modules/net-address"
+  source     = "./fabric/modules/net-address"
  project_id = var.project_id
  external_addresses = {
    nat-1      = var.region
@ -23,7 +23,7 @@ module "addresses" {
 ```hcl
 module "addresses" {
-  source     = "./modules/net-address"
+  source     = "./fabric/modules/net-address"
  project_id = var.project_id
  internal_addresses = {
    ilb-1 = {
@ -51,7 +51,7 @@ module "addresses" {
 ```hcl
 module "addresses" {
-  source     = "./modules/net-address"
+  source     = "./fabric/modules/net-address"
  project_id = var.project_id
  psa_addresses = {
    cloudsql-mysql = {
@ -68,7 +68,7 @@ module "addresses" {
 ```hcl
 module "addresses" {
-  source     = "./modules/net-address"
+  source     = "./fabric/modules/net-address"
  project_id = var.project_id
  psc_addresses = {
    one = {
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@ -6,7 +6,7 @@ Simple Cloud NAT management, with optional router creation.
 ```hcl
 module "nat" {
-  source         = "./modules/net-cloudnat"
+  source         = "./fabric/modules/net-cloudnat"
  project_id     = "my-project"
  region         = "europe-west1"
  name           = "default"
--- a/modules/net-glb/README.md
+++ b/modules/net-glb/README.md
@ -10,7 +10,7 @@ This is a minimal example, which creates a global HTTP load balancer, pointing t
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -35,7 +35,7 @@ A very similar coniguration also applies to GCE instance groups:
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -72,7 +72,7 @@ For example, to contextually create a health check and attach it to the backend
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -117,7 +117,7 @@ Serverless backends can also be used, as shown in the example below.
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -163,7 +163,7 @@ Backends can be multiple, group and bucket backends can be mixed and group backe
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -227,7 +227,7 @@ In this example, we're using one backend service as the default backend
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -295,7 +295,7 @@ Optionally, a static IP address can be reserved:
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -332,7 +332,7 @@ If no `ssl_certificates_config` variable is specified, a managed certificate for
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -366,7 +366,7 @@ If the ids specified in the `target_proxy_https_config` variable are not found i
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -414,7 +414,7 @@ Using unamanged certificates is also possible. Here is an example:
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
@ -487,7 +487,7 @@ You can also use regional load balancing by specifying a `region` parameter:
 ```hcl
 module "glb" {
-  source     = "./modules/net-glb"
+  source     = "./fabric/modules/net-glb"
  name       = "glb-test"
  project_id = var.project_id
  region     = var.region
--- a/modules/net-ilb-l7/README.md
+++ b/modules/net-ilb-l7/README.md
@ -11,7 +11,7 @@ An HTTP ILB with a backend service pointing to a GCE instance group:
 ```hcl
 module "ilb" {
-  source     = "./modules/net-ilb-l7"
+  source     = "./fabric/modules/net-ilb-l7"
  name       = "ilb-test"
  project_id = var.project_id
  region     = "europe-west1"
@ -39,7 +39,7 @@ Network and subnetwork can be entered using their name (if present in the same p
 ```hcl
 module "ilb" {
-  source     = "./modules/net-ilb-l7"
+  source     = "./fabric/modules/net-ilb-l7"
  name       = "ilb-test"
  project_id = var.project_id
  region     = "europe-west1"
@ -75,7 +75,7 @@ For example, to contextually create a health check and attach it to the backend
 ```hcl
 module "ilb" {
-  source     = "./modules/net-ilb-l7"
+  source     = "./fabric/modules/net-ilb-l7"
  name       = "ilb-test"
  project_id = var.project_id
  region     = "europe-west1"
@ -118,7 +118,7 @@ Zonal Network Endpoint Groups (NEGs) can also be used, as shown in the example b
 ```hcl
 module "ilb" {
-  source     = "./modules/net-ilb-l7"
+  source     = "./fabric/modules/net-ilb-l7"
  name       = "ilb-test"
  project_id = var.project_id
  region     = "europe-west1"
@ -175,7 +175,7 @@ In this example, we're using a backend service as the default backend
 ```hcl
 module "ilb" {
-  source     = "./modules/net-ilb-l7"
+  source     = "./fabric/modules/net-ilb-l7"
  name       = "ilb-test"
  project_id = var.project_id
  region     = "europe-west1"
@ -234,7 +234,7 @@ Optionally, a static IP address can be reserved:
 ```hcl
 module "ilb" {
-  source     = "./modules/net-ilb-l7"
+  source     = "./fabric/modules/net-ilb-l7"
  name       = "ilb-test"
  project_id = var.project_id
  region     = "europe-west1"
@ -271,7 +271,7 @@ When HTTPS is enabled, if the ids specified in the `target_proxy_https_config` v
 ```hcl
 module "ilb" {
-  source     = "./modules/net-ilb-l7"
+  source     = "./fabric/modules/net-ilb-l7"
  name       = "ilb-test"
  project_id = var.project_id
  region     = "europe-west1"
@ -307,7 +307,7 @@ Otherwise, unmanaged certificates can also be contextually created:
 ```hcl
 module "ilb" {
-  source     = "./modules/net-ilb-l7"
+  source     = "./fabric/modules/net-ilb-l7"
  name       = "ilb-test"
  project_id = var.project_id
  region     = "europe-west1"
--- a/modules/net-ilb/README.md
+++ b/modules/net-ilb/README.md
@ -18,7 +18,7 @@ This examples shows how to create an ILB by combining externally managed instanc
 ```hcl
 module "ilb" {
-  source        = "./modules/net-ilb"
+  source        = "./fabric/modules/net-ilb"
  project_id    = var.project_id
  region        = "europe-west1"
  name          = "ilb-test"
@ -58,11 +58,11 @@ Note that the example uses the GCE default service account. You might want to cr
 ```hcl
 module "cos-nginx" {
-  source = "./modules/cloud-config-container/nginx"
+  source = "./fabric/modules/cloud-config-container/nginx"
 }
 module "instance-group" {
-  source     = "./modules/compute-vm"
+  source     = "./fabric/modules/compute-vm"
  for_each = toset(["b", "c"])
  project_id = var.project_id
  zone     = "europe-west1-${each.key}"
@ -86,7 +86,7 @@ module "instance-group" {
 }
 module "ilb" {
-  source        = "./modules/net-ilb"
+  source        = "./fabric/modules/net-ilb"
  project_id    = var.project_id
  region        = "europe-west1"
  name          = "ilb-test"
--- a/modules/net-interconnect-attachment-direct/README.md
+++ b/modules/net-interconnect-attachment-direct/README.md
@ -8,7 +8,7 @@ This module allows creation of a VLAN attachment for Direct Interconnect and rou
 ```hcl
 module "vlan-attachment-1" {
-  source         = "./modules/net-interconnect-attachment-direct"
+  source         = "./fabric/modules/net-interconnect-attachment-direct"
  project_id     = "dedicated-ic-5-8492"
  region         = "us-west2"
  router_network = "myvpc"
@ -25,7 +25,7 @@ module "vlan-attachment-1" {
 ```hcl
 module "vlan-attachment-1" {
-  source      = "./modules/net-interconnect-attachment-direct"
+  source      = "./fabric/modules/net-interconnect-attachment-direct"
  project_id  = "dedicated-ic-3-8386"
  region      = "us-west2"
  router_name = "router-1"
@ -63,7 +63,7 @@ module "vlan-attachment-1" {
 }
 module "vlan-attachment-2" {
-  source      = "./modules/net-interconnect-attachment-direct"
+  source      = "./fabric/modules/net-interconnect-attachment-direct"
  project_id  = "dedicated-ic-3-8386"
  region      = "us-west2"
  router_name = "router-2"
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@ -16,7 +16,7 @@ This is often useful for prototyping or testing infrastructure, allowing open in
 ```hcl
 module "firewall" {
-  source               = "./modules/net-vpc-firewall"
+  source               = "./fabric/modules/net-vpc-firewall"
  project_id           = "my-project"
  network              = "my-network"
  admin_ranges         = ["10.0.0.0/8"]
@ -30,7 +30,7 @@ This is an example of how to define custom rules, with a sample rule allowing op
 ```hcl
 module "firewall" {
-  source       = "./modules/net-vpc-firewall"
+  source       = "./fabric/modules/net-vpc-firewall"
  project_id   = "my-project"
  network      = "my-network"
  admin_ranges = ["10.0.0.0/8"]
@ -57,7 +57,7 @@ If you don't want any predefined rules set `admin_ranges`, `http_source_ranges`,
 ```hcl
 module "firewall" {
-  source              = "./modules/net-vpc-firewall"
+  source              = "./fabric/modules/net-vpc-firewall"
  project_id          = "my-project"
  network             = "my-network"
  admin_ranges        = []
@ -87,7 +87,7 @@ The module includes a rules factory (see [Resource Factories](../../examples/fac
 ```hcl
 module "firewall" {
-  source             = "./modules/net-vpc-firewall"
+  source             = "./fabric/modules/net-vpc-firewall"
  project_id         = "my-project"
  network            = "my-network"
  data_folder        = "config/firewall"
--- a/modules/net-vpc-peering/README.md
+++ b/modules/net-vpc-peering/README.md
@ -13,7 +13,7 @@ Basic usage of this module is as follows:
 ```hcl
 module "peering" {
-  source        = "./modules/net-vpc-peering"
+  source        = "./fabric/modules/net-vpc-peering"
  prefix        = "name-prefix"
  local_network = "projects/project-1/global/networks/vpc-1"
  peer_network  = "projects/project-1/global/networks/vpc-2"
@ -25,14 +25,14 @@ If you need to create more than one peering for the same VPC Network `(A -> B, A
 ```hcl
 module "peering-a-b" {
-  source        = "./modules/net-vpc-peering"
+  source        = "./fabric/modules/net-vpc-peering"
  prefix        = "name-prefix"
  local_network = "projects/project-a/global/networks/vpc-a"
  peer_network  = "projects/project-b/global/networks/vpc-b"
 }
 module "peering-a-c" {
-  source        = "./modules/net-vpc-peering"
+  source        = "./fabric/modules/net-vpc-peering"
  prefix        = "name-prefix"
  local_network = "projects/project-a/global/networks/vpc-a"
  peer_network  = "projects/project-c/global/networks/vpc-c"
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@ -10,7 +10,7 @@ The module allows for several different VPC configurations, some of the most com
 ```hcl
 module "vpc" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
@ -42,7 +42,7 @@ If you only want to create the "local" side of the peering, use `peering_create_
 ```hcl
 module "vpc-hub" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = "hub"
  name       = "vpc-hub"
  subnets = [{
@ -54,7 +54,7 @@ module "vpc-hub" {
 }
 module "vpc-spoke-1" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = "spoke1"
  name       = "vpc-spoke1"
  subnets = [{
@ -89,7 +89,7 @@ locals {
 }
 module "vpc-host" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-host-network"
  subnets = [
@ -127,7 +127,7 @@ module "vpc-host" {
 ```hcl
 module "vpc" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
@ -152,7 +152,7 @@ Custom routes can be optionally exported/imported through the peering formed wit
 ```hcl
 module "vpc" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  subnets = [
@ -180,7 +180,7 @@ Along with common private subnets module supports creation more service specific
 ```hcl
 module "vpc" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
@ -207,7 +207,7 @@ module "vpc" {
 ```hcl
 module "vpc" {
-  source     = "./modules/net-vpc"
+  source     = "./fabric/modules/net-vpc"
  project_id = "my-project"
  name       = "my-network"
  dns_policy = {
@ -236,7 +236,7 @@ The `net-vpc` module includes a subnet factory (see [Resource Factories](../../e
 ```hcl
 module "vpc" {
-  source      = "./modules/net-vpc"
+  source      = "./fabric/modules/net-vpc"
  project_id  = "my-project"
  name        = "my-network"
  data_folder = "config/subnets"
--- a/modules/net-vpn-dynamic/README.md
+++ b/modules/net-vpn-dynamic/README.md
@ -9,7 +9,7 @@ This example shows how to configure a single VPN tunnel using a couple of extra
 ```hcl
 module "vpn-dynamic" {
-  source          = "./modules/net-vpn-dynamic"
+  source          = "./fabric/modules/net-vpn-dynamic"
  project_id      = "my-project"
  region          = "europe-west1"
  network         = "my-vpc"
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@ -6,7 +6,7 @@ This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem [Cloud H
 ### GCP to GCP
 ```hcl
 module "vpn_ha-1" {
-  source           = "./modules/net-vpn-ha"
+  source           = "./fabric/modules/net-vpn-ha"
  project_id       = "<PROJECT_ID>"
  region           = "europe-west4"
  network          = "https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/global/networks/network-1"
@ -51,7 +51,7 @@ module "vpn_ha-1" {
 }
 module "vpn_ha-2" {
-  source           = "./modules/net-vpn-ha"
+  source           = "./fabric/modules/net-vpn-ha"
  project_id       = "<PROJECT_ID>"
  region           = "europe-west4"
  network          = "https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/global/networks/local-network"
@ -96,7 +96,7 @@ Note: When using the `for_each` meta-argument you might experience a Cycle Error
 ```hcl
 module "vpn_ha" {
-  source     = "./modules/net-vpn-ha"
+  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  network    = var.vpc.self_link
--- a/modules/net-vpn-static/README.md
+++ b/modules/net-vpn-static/README.md
@ -4,7 +4,7 @@
 ```hcl
 module "addresses" {
-  source     = "./modules/net-address"
+  source     = "./fabric/modules/net-address"
  project_id = var.project_id
  external_addresses = {
    vpn = "europe-west1"
@ -12,7 +12,7 @@ module "addresses" {
 }
 module "vpn" {
-  source          = "./modules/net-vpn-static"
+  source          = "./fabric/modules/net-vpn-static"
  project_id      = var.project_id
  region          = var.region
  network         = var.vpc.self_link
--- a/modules/organization-policy/README.md
+++ b/modules/organization-policy/README.md
@ -13,14 +13,14 @@ Yaml based factory can simplify centralized management of Org Policies for a Dev
 ```hcl
 # using configuration provided in a set of yaml files
 module "org-policy-factory" {
-  source = "./modules/organization-policy"
+  source = "./fabric/modules/organization-policy"
  config_directory = "./policies"
 }
 # using configuration provided in the module variable
 module "org-policy" {
-  source = "./modules/organization-policy"
+  source = "./fabric/modules/organization-policy"
  policies = {
    "folders/1234567890" = {
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@ -11,7 +11,7 @@ This module allows managing several organization properties:
 ```hcl
 module "org" {
-  source          = "./modules/organization"
+  source          = "./fabric/modules/organization"
  organization_id = "organizations/1234567890"
  group_iam       = {
    "cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
@ -60,7 +60,7 @@ Once you have policies (either created via the module or externally), you can as
 ```hcl
 module "org" {
-  source          = "./modules/organization"
+  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  firewall_policies = {
    iap-policy = {
@ -92,7 +92,7 @@ The in-built factory allows you to define a single policy, using one file for ru
 ```hcl
 module "org" {
-  source          = "./modules/organization"
+  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  firewall_policy_factory = {
    cidr_file   = "data/cidrs.yaml"
@ -147,33 +147,33 @@ allow-ssh-from-iap:
 ```hcl
 module "gcs" {
-  source        = "./modules/gcs"
+  source        = "./fabric/modules/gcs"
  project_id    = var.project_id
  name          = "gcs_sink"
  force_destroy = true
 }
 module "dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = var.project_id
  id         = "bq_sink"
 }
 module "pubsub" {
-  source     = "./modules/pubsub"
+  source     = "./fabric/modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
 }
 module "bucket" {
-  source      = "./modules/logging-bucket"
+  source      = "./fabric/modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
 }
 module "org" {
-  source          = "./modules/organization"
+  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  logging_sinks = {
@ -223,7 +223,7 @@ module "org" {
 ```hcl
 module "org" {
-  source          = "./modules/organization"
+  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  custom_roles = {
    "myRole" = [
@ -243,7 +243,7 @@ Refer to the [Creating and managing tags](https://cloud.google.com/resource-mana
 ```hcl
 module "org" {
-  source          = "./modules/organization"
+  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  tags = {
    environment = {
--- a/modules/project/README.md
+++ b/modules/project/README.md
@ -21,7 +21,7 @@ locals {
 }
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  billing_account = "123456-123456-123456"
  name            = "project-example"
  parent          = "folders/1234567890"
@ -43,7 +43,7 @@ The `group_iam` variable uses group email addresses as keys and is a convenient
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  billing_account = "123456-123456-123456"
  name            = "project-example"
  parent          = "folders/1234567890"
@ -70,7 +70,7 @@ Additive IAM is typically used where bindings for specific roles are controlled
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  name            = "project-example"
  iam_additive = {
    "roles/viewer"               = [
@ -94,7 +94,7 @@ As mentioned above, there are cases where authoritative management of specific I
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  name            = "project-example"
  group_iam = {
    "foo@example.com" = [
@ -120,7 +120,7 @@ You can enable Shared VPC Host at the project level and manage project service a
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  name            = "project-example"
  shared_vpc_host_config = {
    enabled          = true
@ -134,7 +134,7 @@ module "project" {
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  name            = "project-example"
  shared_vpc_service_config = {
    attach               = true
@ -159,7 +159,7 @@ module "project" {
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  billing_account = "123456-123456-123456"
  name            = "project-example"
  parent          = "folders/1234567890"
@ -188,33 +188,33 @@ module "project" {
 ```hcl
 module "gcs" {
-  source        = "./modules/gcs"
+  source        = "./fabric/modules/gcs"
  project_id    = var.project_id
  name          = "gcs_sink"
  force_destroy = true
 }
 module "dataset" {
-  source     = "./modules/bigquery-dataset"
+  source     = "./fabric/modules/bigquery-dataset"
  project_id = var.project_id
  id         = "bq_sink"
 }
 module "pubsub" {
-  source     = "./modules/pubsub"
+  source     = "./fabric/modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
 }
 module "bucket" {
-  source      = "./modules/logging-bucket"
+  source      = "./fabric/modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
 }
 module "project-host" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  name            = "my-project"
  billing_account = "123456-123456-123456"
  parent          = "folders/1234567890"
@ -267,7 +267,7 @@ The module offers a simple, centralized way to assign `roles/cloudkms.cryptoKeyE
 ```hcl
 module "project" {
-  source          = "./modules/project"
+  source          = "./fabric/modules/project"
  name            = "my-project"
  billing_account = "123456-123456-123456"
  prefix          = "foo"
@ -294,7 +294,7 @@ Refer to the [Creating and managing tags](https://cloud.google.com/resource-mana
 ```hcl
 module "org" {
-  source          = "./modules/organization"
+  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  tags = {
    environment = {
@ -309,7 +309,7 @@ module "org" {
 }
 module "project" {
-  source = "./modules/project"
+  source = "./fabric/modules/project"
  name   = "test-project"
  tag_bindings = {
    env-prod = module.org.tag_values["environment/prod"].id
@ -327,7 +327,7 @@ One non-obvious output is `service_accounts`, which offers a simple way to disco
 ```hcl
 module "project" {
-  source   = "./modules/project"
+  source   = "./fabric/modules/project"
  name     = "project-example"
  services = [
    "compute.googleapis.com"
--- a/modules/projects-data-source/README.md
+++ b/modules/projects-data-source/README.md
@ -10,7 +10,7 @@ A good usage pattern would be when we want all the projects under a specific fol
 ```hcl
 module "my-org" {
-  source     = "./modules/projects-data-source"
+  source     = "./fabric/modules/projects-data-source"
  parent     = "organizations/123456789"
 }
@ -29,7 +29,7 @@ output "folders" {
 ```hcl
 module "my-dev" {
-  source = "./modules/projects-data-source"
+  source = "./fabric/modules/projects-data-source"
  parent = "folders/123456789"
  filter = "labels.env:DEV lifecycleState:ACTIVE"   
 }
--- a/modules/pubsub/README.md
+++ b/modules/pubsub/README.md
@ -9,7 +9,7 @@ This module allows managing a single Pub/Sub topic, including multiple subscript
 ```hcl
 module "pubsub" {
-  source     = "./modules/pubsub"
+  source     = "./fabric/modules/pubsub"
  project_id = "my-project"
  name       = "my-topic"
  iam = {
@ -26,7 +26,7 @@ Subscriptions are defined with the `subscriptions` variable, allowing optional c
 ```hcl
 module "pubsub" {
-  source     = "./modules/pubsub"
+  source     = "./fabric/modules/pubsub"
  project_id = "my-project"
  name       = "my-topic"
  subscriptions = {
@ -52,7 +52,7 @@ Push subscriptions need extra configuration in the `push_configs` variable.
 ```hcl
 module "pubsub" {
-  source     = "./modules/pubsub"
+  source     = "./fabric/modules/pubsub"
  project_id = "my-project"
  name       = "my-topic"
  subscriptions = {
@ -73,7 +73,7 @@ module "pubsub" {
 ```hcl
 module "pubsub" {
-  source     = "./modules/pubsub"
+  source     = "./fabric/modules/pubsub"
  project_id = "my-project"
  name       = "my-topic"
  subscriptions = {
--- a/modules/secret-manager/README.md
+++ b/modules/secret-manager/README.md
@ -14,7 +14,7 @@ The secret replication policy is automatically managed if no location is set, or
 ```hcl
 module "secret-manager" {
-  source     = "./modules/secret-manager"
+  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets    = {
    test-auto   = null
@ -30,7 +30,7 @@ IAM bindings can be set per secret in the same way as for most other modules sup
 ```hcl
 module "secret-manager" {
-  source     = "./modules/secret-manager"
+  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets    = {
    test-auto   = null
@ -54,7 +54,7 @@ As mentioned above, please be aware that **version data will be stored in state
 ```hcl
 module "secret-manager" {
-  source     = "./modules/secret-manager"
+  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets    = {
    test-auto   = null
--- a/modules/service-directory/README.md
+++ b/modules/service-directory/README.md
@ -11,7 +11,7 @@ It can be used in conjunction with the [DNS](../dns) module to create [service-d
 ```hcl
 module "service-directory" {
-  source      = "./modules/service-directory"
+  source      = "./fabric/modules/service-directory"
  project_id  = "my-project"
  location    = "europe-west1"
  name        = "sd-1"
@ -28,7 +28,7 @@ module "service-directory" {
 ```hcl
 module "service-directory" {
-  source      = "./modules/service-directory"
+  source      = "./fabric/modules/service-directory"
  project_id  = "my-project"
  location    = "europe-west1"
  name        = "sd-1"
@ -59,7 +59,7 @@ Wiring a service directory namespace to a private DNS zone allows querying the n
 ```hcl
 module "service-directory" {
-  source      = "./modules/service-directory"
+  source      = "./fabric/modules/service-directory"
  project_id  = "my-project"
  location    = "europe-west1"
  name       = "apps"
@ -77,7 +77,7 @@ module "service-directory" {
 }
 module "dns-sd" {
-  source                      = "./modules/dns"
+  source                      = "./fabric/modules/dns"
  project_id                  = "my-project"
  type                        = "service-directory"
  name                        = "apps"
--- a/modules/source-repository/README.md
+++ b/modules/source-repository/README.md
@ -8,7 +8,7 @@ This module allows managing a single Cloud Source Repository, including IAM bind
 ```hcl
 module "repo" {
-  source     = "./modules/source-repository"
+  source     = "./fabric/modules/source-repository"
  project_id = "my-project"
  name       = "my-repo"
  iam = {
@ -22,7 +22,7 @@ module "repo" {
 ```hcl
 module "repo" {
-  source     = "./modules/source-repository"
+  source     = "./fabric/modules/source-repository"
  project_id = "my-project"
  name       = "my-repo"
  triggers = {
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@ -14,7 +14,7 @@ By default, the module is configured to use an existing policy, passed in by nam
 ```hcl
 module "test" {
-  source        = "./modules/vpc-sc"
+  source        = "./fabric/modules/vpc-sc"
  access_policy = "12345678"
 }
 # tftest modules=0 resources=0
@ -24,7 +24,7 @@ If you need the module to create the policy for you, use the `access_policy_crea
 ```hcl
 module "test" {
-  source        = "./modules/vpc-sc"
+  source        = "./fabric/modules/vpc-sc"
  access_policy = null
  access_policy_create = {
    parent = "organizations/123456"
@ -40,7 +40,7 @@ As highlighted above, the `access_levels` type replicates the underlying resourc
 ```hcl
 module "test" {
-  source        = "./modules/vpc-sc"
+  source        = "./fabric/modules/vpc-sc"
  access_policy = "12345678"
  access_levels = {
    a1 = {
@ -81,7 +81,7 @@ Resources for both perimeters have a `lifecycle` block that ignores changes to `
 ```hcl
 module "test" {
-  source        = "./modules/vpc-sc"
+  source        = "./fabric/modules/vpc-sc"
  access_policy = "12345678"
  service_perimeters_bridge = {
    b1 = {
@ -103,7 +103,7 @@ module "test" {
 ```hcl
 module "test" {
-  source        = "./modules/vpc-sc"
+  source        = "./fabric/modules/vpc-sc"
  access_policy = "12345678"
  access_levels = {
    a1 = {
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 "Shared fixtures"
 import inspect
@ -46,12 +45,13 @@ def _plan_runner():
      tf = tftest.TerraformTest(tmp_path, BASEDIR,
                                os.environ.get('TERRAFORM', 'terraform'))
      tf.setup(upgrade=True)
-      return tf.plan(output=True, refresh=refresh, tf_vars=tf_vars, targets=targets)
+      return tf.plan(output=True, refresh=refresh, tf_vars=tf_vars,
                     targets=targets)
  return run_plan
-@ pytest.fixture(scope='session')
+@pytest.fixture(scope='session')
 def plan_runner(_plan_runner):
  "Returns a function to run Terraform plan on a module fixture."
@ -65,15 +65,15 @@ def plan_runner(_plan_runner):
  return run_plan
-@ pytest.fixture(scope='session')
+@pytest.fixture(scope='session')
 def e2e_plan_runner(_plan_runner):
  "Returns a function to run Terraform plan on an end-to-end fixture."
  def run_plan(fixture_path=None, targets=None, refresh=True,
               include_bare_resources=False, **tf_vars):
    "Runs Terraform plan on an end-to-end module using defaults, returns data."
-    plan = _plan_runner(fixture_path, targets=targets,
+    plan = _plan_runner(fixture_path, targets=targets, refresh=refresh,
-                        refresh=refresh, **tf_vars)
+                        **tf_vars)
    # skip the fixture
    root_module = plan.root_module['child_modules'][0]
    modules = dict((mod['address'], mod['resources'])
@ -87,7 +87,7 @@ def e2e_plan_runner(_plan_runner):
  return run_plan
-@ pytest.fixture(scope='session')
+@pytest.fixture(scope='session')
 def doc_example_plan_runner(_plan_runner):
  "Returns a function to run Terraform plan on documentation examples."
@ -99,14 +99,12 @@ def doc_example_plan_runner(_plan_runner):
    plan = tf.plan(output=True, refresh=True)
    # the fixture is the example we are testing
    modules = plan.modules or {}
-    return (
+    return (len(modules), sum(len(m.resources) for m in modules.values()))
        len(modules),
        sum(len(m.resources) for m in modules.values()))
  return run_plan
-@ pytest.fixture(scope='session')
+@pytest.fixture(scope='session')
 def apply_runner():
  "Returns a function to run Terraform apply on a fixture."
--- a/tests/doc_examples/conftest.py
+++ b/tests/doc_examples/conftest.py
@ -16,18 +16,19 @@ from pathlib import Path
 import marko
-MODULES_PATH = Path(__file__).parents[2] / 'modules/'
+FABRIC_ROOT = Path(__file__).parents[2]
 MODULES_PATH = FABRIC_ROOT / 'modules/'
 EXAMPLES_PATH = FABRIC_ROOT / 'examples/'
 def pytest_generate_tests(metafunc):
  if 'example' in metafunc.fixturenames:
-    modules = [
+    modules = [x for x in MODULES_PATH.iterdir() if x.is_dir()]
-        x for x in MODULES_PATH.iterdir()
+    modules.extend(x for x in EXAMPLES_PATH.glob("*/*") if x.is_dir())
        if x.is_dir()
    ]
    modules.sort()
    examples = []
    ids = []
    for module in modules:
      readme = module / 'README.md'
      if not readme.exists():
@ -42,7 +43,8 @@ def pytest_generate_tests(metafunc):
          if 'tftest skip' in code:
            continue
          examples.append(code)
-          name = f'{module.stem}:{last_header}'
+          path = module.relative_to(FABRIC_ROOT)
          name = f'{path}:{last_header}'
          if index > 1:
            name += f' {index}'
          ids.append(name)
--- a/tests/doc_examples/test_plan.py
+++ b/tests/doc_examples/test_plan.py
@ -15,14 +15,12 @@
 import re
 from pathlib import Path
 BASE_PATH = Path(__file__).parent
 EXPECTED_RESOURCES_RE = re.compile(r'# tftest modules=(\d+) resources=(\d+)')
 def test_example(doc_example_plan_runner, tmp_path, example):
-  (tmp_path / 'modules').symlink_to(
+  (tmp_path / 'fabric').symlink_to(Path(BASE_PATH, '../../').resolve())
      Path(BASE_PATH, '../../modules/').resolve())
  (tmp_path / 'variables.tf').symlink_to(
      Path(BASE_PATH, 'variables.tf').resolve())
  (tmp_path / 'main.tf').write_text(example)
--- a/tests/doc_examples/variables.tf
+++ b/tests/doc_examples/variables.tf
@ -32,6 +32,10 @@ variable "organization_id" {
  default = "organizations/1122334455"
 }
 variable "folder_id" {
  default = "folders/1122334455"
 }
 variable "project_id" {
  default = "projects/project-id"
 }