Merge branch 'master' into fast-dev-dp

fast/stages/00-bootstrap/README.md

@@ -55,6 +55,7 @@ For same-organization billing, we configure a custom organization role that can
 For details on configuring the different billing account modes, refer to the [How to run this stage](#how-to-run-this-stage) section below.
 
 ### Organization-level logging
+
 We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning.  By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) and [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) into a Bigquery dataset in the top-level audit project.
 
 The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
@@ -100,12 +101,20 @@ The roles that the Organization Admin used in the first `apply` needs to self-gr
 To quickly self-grant the above roles, run the following code snippet as the initial Organization Admin:
 
 ```bash
-export BOOTSTRAP_ORG_ID=123456
+# set variable for current logged in user
-export BOOTSTRAP_USER=$(gcloud config list --format 'value(core.account)')
+export FAST_BU=$(gcloud config list --format 'value(core.account)')
-export BOOTSTRAP_ROLES="roles/billing.admin roles/logging.admin roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
+
-for role in $BOOTSTRAP_ROLES; do
+# find and set your org id
-  gcloud organizations add-iam-policy-binding $BOOTSTRAP_ORG_ID \
+gcloud organizations list --filter display_name:$partofyourdomain
-    --member user:$BOOTSTRAP_USER --role $role
+export FAST_ORG_ID=123456
+
+# set needed roles
+export FAST_ROLES="roles/billing.admin roles/logging.admin \
+  roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator"
+
+for role in $FAST_ROLES; do
+  gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
+    --member user:$FAST_BU --role $role
 done
 ```
 
@@ -120,11 +129,11 @@ If that's not the case, an equivalent role needs to exist, or the predefined `re
 The identity applying this stage for the first time also needs two roles in billing organization, they can be removed after the first `apply` completes successfully:
 
 ```bash
-export BILLING_ORG_ID=789012
+export FAST_BILLING_ORG_ID=789012
-export BILLING_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
+export FAST_ROLES=(roles/billing.admin roles/resourcemanager.organizationAdmin)
-for role in $BILLING_ROLES; do
+for role in $FAST_ROLES; do
-  gcloud organizations add-iam-policy-binding $BILLING_ORG_ID \
+  gcloud organizations add-iam-policy-binding $FAST_BILLING_ORG_ID \
-    --member user:$BOOTSTRAP_USER --role $role
+    --member user:$FAST_BU --role $role
 done
 ```
 
@@ -133,9 +142,9 @@ done
 If you are using a standalone billing account, the identity applying this stage for the first time needs to be a billing account administrator:
 
 ```bash
-export BILLING_ACCOUNT_ID=ABCD-01234-ABCD
+export FAST_BILLING_ACCOUNT_ID=ABCD-01234-ABCD
-gcloud beta billing accounts add-iam-policy-binding $BILLING_ACCOUNT \
+gcloud beta billing accounts add-iam-policy-binding $FAST_BILLING_ACCOUNT_ID \
-  --member user:$BOOTSTRAP_USER --role roles/billing.admin
+  --member user:$FAST_BU --role roles/billing.admin
 ```
 
 #### Groups
@@ -287,10 +296,10 @@ The one exception to this convention is for roles which are part of the delegate
 
 You can customize organization-level logs through the `log_sinks` variable in two ways:
 
-* creating additional log sinks to capture more logs
+- creating additional log sinks to capture more logs
-* changing the destination of captured logs
+- changing the destination of captured logs
 
-By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub. 
+By default, all logs are exported to Bigquery, but FAST can create sinks to Cloud Logging Buckets, GCS, or PubSub.
 
 If you need to capture additional logs, please refer to GCP's documentation on [scenarios for exporting logging data](https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics), where you can find ready-made filter expressions for different use cases.
 

fast/stages/01-resman/branch-networking.tf

@@ -62,7 +62,7 @@ module "branch-network-gcs" {
 module "branch-network-prod-folder" {
   source = "../../../modules/folder"
   parent = module.branch-network-folder.id
-  name   = "prod"
+  name   = "Production"
   iam = {
     "roles/compute.xpnAdmin" = [
       module.branch-teams-prod-projectfactory-sa.iam_email
@@ -73,7 +73,7 @@ module "branch-network-prod-folder" {
 module "branch-network-dev-folder" {
   source = "../../../modules/folder"
   parent = module.branch-network-folder.id
-  name   = "dev"
+  name   = "Development"
   iam = {
     "roles/compute.xpnAdmin" = [
       module.branch-teams-dev-projectfactory-sa.iam_email

fast/stages/02-networking-nva/README.md

@@ -93,14 +93,13 @@ Spoke VPCs also define and reserve three "special" CIDR ranges, derived from the
 
 - [PSA (Private Service Access)](https://cloud.google.com/vpc/docs/private-services-access):
 
-  + The second-last /24 range is used for PSA (CloudSQL, Postrgres)
+  - The second-last /24 range is used for PSA (CloudSQL, Postrgres)
 
-  + The third-last /24 range is used for PSA (CloudSQL, MySQL)
+  - The third-last /24 range is used for PSA (CloudSQL, MySQL)
 
 - [Internal HTTPs Load Balancers (L7ILB)](https://cloud.google.com/load-balancing/docs/l7-internal):
 
-  + The last /24 range
+  - The last /24 range
-
 
 This is a summary of the subnets allocated by default in this setup:
 
@@ -229,6 +228,7 @@ If you have set a valid value for `outputs_location` in the bootstrap and in the
 ln -s ../../configs/example/02-networking/terraform-bootstrap.auto.tfvars.json
 ln -s ../../configs/example/02-networking/terraform-resman.auto.tfvars.json
 ```
+
 If you want to continue to rely on `outputs_location` logic, create a `terraform.tfvars` file and configure it as described [here](../00-bootstrap/#output-files-and-cross-stage-variables).
 
 Please, refer to the [variables](#variables) table below for a map of the variable origins, and use the sections below to understand how to adapt this stage to your networking configuration.
@@ -284,7 +284,7 @@ DNS queries sent to the on-premise infrastructure come from the `35.199.192.0/19
 
 #### On-premises to cloud
 
-The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`vpc-landing.tf`](./vpc-landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
+The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in the *trusted landing VPC module* ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each subnet (typically the third one in a CIDR) to expose the Cloud DNS service, so that it can be consumed from outside of GCP.
 
 ### Private Google Access
 
@@ -296,7 +296,7 @@ For PGA to work:
 Subnets created using the `net-vpc` module are PGA-enabled by default.
 
 - 199.36.153.4/30 (`restricted.googleapis.com`) and 199.36.153.8/30 (`private.googleapis.com`) should be routed from on-premises to the trusted landing VPC, and from there to the `default-internet-gateway`. \
-The `vpn_onprem_configs` variable contains the ranges advertised from GCP to on-premises. Furthermore, the trusted landing VPC (e.g. see `landing-trusted-vpc` in [`vpc-landing.tf`](./vpc-landing.tf)) has explicit routes to send traffic destined to restricted and private - googleapis.com to the Internet gateway (which works for Google APIs only, and not for the whole Internet, since Cloud NAT is not configured in the trusted landing VPC).
+The `vpn_onprem_configs` variable contains the ranges advertised from GCP to on-premises. Furthermore, the trusted landing VPC (e.g. see `landing-trusted-vpc` in [`landing.tf`](./landing.tf)) has explicit routes to send traffic destined to restricted and private - googleapis.com to the Internet gateway (which works for Google APIs only, and not for the whole Internet, since Cloud NAT is not configured in the trusted landing VPC).
 
 - On-premises, a private DNS zone for `googleapis.com` should be created and configured per [this article](https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-domain). Its configuration can be copied from the module `googleapis-private-zone` in [`dns.tf`](./dns.tf)
 
@@ -320,9 +320,9 @@ You're now ready to run `terraform init` and `terraform apply`.
 
 To create a new environment (e.g. `staging`), a few changes are required:
 
-Create a `vpc-spoke-staging.tf` file by copying `vpc-spoke-prod.tf` file.
+Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file.
 Adapt the new file by replacing the value "prod" with the value "staging".
-Running `diff vpc-spoke-dev.tf vpc-spoke-prod.tf` can help to see how environment files differ.
+Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
 
 The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
 >`custom_adv` is a map that "resolves" CIDR names to the actual addresses, and will be used later to configure routing.
@@ -348,15 +348,15 @@ Don't forget to add a peering zone in the landing project and point it to the ne
 | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> |  |
 | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> |  |
 | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> |  |
+| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> |  |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> |  |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. |  | <code>google_monitoring_dashboard</code> |
 | [nva.tf](./nva.tf) | None | <code>compute-mig</code> · <code>compute-vm</code> · <code>net-ilb</code> |  |
 | [outputs.tf](./outputs.tf) | Module outputs. |  | <code>local_file</code> |
+| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> |  |
+| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> |  |
 | [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> |  |
 | [variables.tf](./variables.tf) | Module variables. |  |  |
-| [vpc-landing.tf](./vpc-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> |  |
-| [vpc-spoke-dev.tf](./vpc-spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> |  |
-| [vpc-spoke-prod.tf](./vpc-spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>net-vpc-peering</code> · <code>project</code> |  |
 | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> |  |
 
 ## Variables

fast/stages/02-networking-vpn/README.md

@@ -226,7 +226,7 @@ DNS queries sent to the on-premises infrastructure come from the `35.199.192.0/1
 
 #### On-prem to cloud
 
-The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./vpc-landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
+The [Inbound DNS Policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-in) defined in module `landing-vpc` ([`landing.tf`](./landing.tf)) automatically reserves the first available IP address on each created subnet (typically the third one in a CIDR) to expose the Cloud DNS service so that it can be consumed from outside of GCP.
 
 ### Private Google Access
 
@@ -262,9 +262,9 @@ You're now ready to run `terraform init` and `apply`.
 
 To create a new environment (e.g. `staging`), a few changes are required.
 
-Create a `vpc-spoke-staging.tf` file by copying `vpc-spoke-prod.tf` file,
+Create a `spoke-staging.tf` file by copying `spoke-prod.tf` file,
 and adapt the new file by replacing the value "prod" with the value "staging".
-Running `diff vpc-spoke-dev.tf vpc-spoke-prod.tf` can help to see how environment files differ.
+Running `diff spoke-dev.tf spoke-prod.tf` can help to see how environment files differ.
 
 The new VPC requires a set of dedicated CIDRs, one per region, added to variable `custom_adv` (for example as `spoke_staging_ew1` and `spoke_staging_ew4`).
 >`custom_adv` is a map that "resolves" CIDR names to actual addresses, and will be used later to configure routing.
@@ -292,14 +292,14 @@ DNS configurations are centralised in the `dns.tf` file. Spokes delegate DNS res
 | [dns-dev.tf](./dns-dev.tf) | Development spoke DNS zones and peerings setup. | <code>dns</code> |  |
 | [dns-landing.tf](./dns-landing.tf) | Landing DNS zones and peerings setup. | <code>dns</code> |  |
 | [dns-prod.tf](./dns-prod.tf) | Production spoke DNS zones and peerings setup. | <code>dns</code> |  |
+| [landing.tf](./landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> |  |
 | [main.tf](./main.tf) | Networking folder and hierarchical policy. | <code>folder</code> |  |
 | [monitoring.tf](./monitoring.tf) | Network monitoring dashboards. |  | <code>google_monitoring_dashboard</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  | <code>local_file</code> |
+| [spoke-dev.tf](./spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
+| [spoke-prod.tf](./spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
 | [test-resources.tf](./test-resources.tf) | temporary instances for testing | <code>compute-vm</code> |  |
 | [variables.tf](./variables.tf) | Module variables. |  |  |
-| [vpc-landing.tf](./vpc-landing.tf) | Landing VPC and related resources. | <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> |  |
-| [vpc-spoke-dev.tf](./vpc-spoke-dev.tf) | Dev spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
-| [vpc-spoke-prod.tf](./vpc-spoke-prod.tf) | Production spoke VPC and related resources. | <code>net-address</code> · <code>net-cloudnat</code> · <code>net-vpc</code> · <code>net-vpc-firewall</code> · <code>project</code> | <code>google_project_iam_binding</code> |
 | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> |  |
 | [vpn-spoke-dev.tf](./vpn-spoke-dev.tf) | VPN between landing and development spoke. | <code>net-vpn-ha</code> |  |
 | [vpn-spoke-prod.tf](./vpn-spoke-prod.tf) | VPN between landing and production spoke. | <code>net-vpn-ha</code> |  |

fast/stages/03-project-factory/prod/README.md

@@ -108,11 +108,12 @@ terraform apply
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
 | [billing_account_id](variables.tf#L19) | Billing account id. | <code>string</code> | ✓ |  | <code>00-bootstrap</code> |
+| [prefix](variables.tf#L44) | Prefix used for resources that need unique names. | <code>string</code> | ✓ |  | <code>00-bootstrap</code> |
 | [data_dir](variables.tf#L25) | Relative path for the folder storing configuration data. | <code>string</code> |  | <code>&#34;data&#47;projects&#34;</code> |  |
 | [defaults_file](variables.tf#L38) | Relative path for the file storing the project factory configuration. | <code>string</code> |  | <code>&#34;data&#47;defaults.yaml&#34;</code> |  |
 | [environment_dns_zone](variables.tf#L31) | DNS zone suffix for environment. | <code>string</code> |  | <code>null</code> | <code>02-networking</code> |
-| [shared_vpc_self_link](variables.tf#L44) | Self link for the shared VPC. | <code>string</code> |  | <code>null</code> | <code>02-networking</code> |
+| [shared_vpc_self_link](variables.tf#L50) | Self link for the shared VPC. | <code>string</code> |  | <code>null</code> | <code>02-networking</code> |
-| [vpc_host_project](variables.tf#L51) | Host project for the shared VPC. | <code>string</code> |  | <code>null</code> | <code>02-networking</code> |
+| [vpc_host_project](variables.tf#L57) | Host project for the shared VPC. | <code>string</code> |  | <code>null</code> | <code>02-networking</code> |
 
 ## Outputs
 

fast/stages/03-project-factory/prod/main.tf

@@ -33,24 +33,25 @@ locals {
 }
 
 module "projects" {
-  source             = "../../../../examples/factories/project-factory"
+  source                 = "../../../../examples/factories/project-factory"
-  for_each           = local.projects
+  for_each               = local.projects
-  defaults           = local.defaults
+  defaults               = local.defaults
-  project_id         = each.key
+  project_id             = each.key
-  billing_account_id = try(each.value.billing_account_id, null)
+  billing_account_id     = try(each.value.billing_account_id, null)
-  billing_alert      = try(each.value.billing_alert, null)
+  billing_alert          = try(each.value.billing_alert, null)
-  dns_zones          = try(each.value.dns_zones, [])
+  dns_zones              = try(each.value.dns_zones, [])
-  essential_contacts = try(each.value.essential_contacts, [])
+  essential_contacts     = try(each.value.essential_contacts, [])
-  folder_id          = each.value.folder_id
+  folder_id              = each.value.folder_id
-  group_iam          = try(each.value.group_iam, {})
+  group_iam              = try(each.value.group_iam, {})
-  iam                = try(each.value.iam, {})
+  iam                    = try(each.value.iam, {})
-  kms_service_agents = try(each.value.kms, {})
+  kms_service_agents     = try(each.value.kms, {})
-  labels             = try(each.value.labels, {})
+  labels                 = try(each.value.labels, {})
-  org_policies       = try(each.value.org_policies, null)
+  org_policies           = try(each.value.org_policies, null)
-  service_accounts   = try(each.value.service_accounts, {})
+  prefix                 = var.prefix
-  services           = try(each.value.services, [])
+  service_accounts       = try(each.value.service_accounts, {})
-  services_iam       = try(each.value.services_iam, {})
+  services               = try(each.value.services, [])
-  vpc                = try(each.value.vpc, null)
+  service_identities_iam = try(each.value.services_iam, {})
+  vpc                    = try(each.value.vpc, null)
 }
 
 

fast/stages/03-project-factory/prod/variables.tf

@@ -41,6 +41,12 @@ variable "defaults_file" {
   default     = "data/defaults.yaml"
 }
 
+variable "prefix" {
+  # tfdoc:variable:source 00-bootstrap
+  description = "Prefix used for resources that need unique names."
+  type        = string
+}
+
 variable "shared_vpc_self_link" {
   # tfdoc:variable:source 02-networking
   description = "Self link for the shared VPC."