Merge branch 'master' of https://github.com/GoogleCloudPlatform/cloud-foundation-fabric into mgfeller/fast-readme-tfvars-auto
commit
c66bb0e1c3
|
@ -48,6 +48,11 @@ jobs:
|
|||
with:
|
||||
python-version: ${{ env.PYTHON_VERSION }}
|
||||
|
||||
- name: Pin provider versions
|
||||
run: |
|
||||
sed -i 's/>=\(.*# tftest\)/=\1/g' default-versions.tf
|
||||
find -name versions.tf -exec cp default-versions.tf {} \;
|
||||
|
||||
- name: Run tests on documentation examples
|
||||
id: pytest
|
||||
run: |
|
||||
|
@ -76,6 +81,11 @@ jobs:
|
|||
terraform_version: ${{ env.TF_VERSION }}
|
||||
terraform_wrapper: false
|
||||
|
||||
- name: Pin provider versions
|
||||
run: |
|
||||
sed -i 's/>=\(.*# tftest\)/=\1/g' default-versions.tf
|
||||
find -name versions.tf -exec cp default-versions.tf {} \;
|
||||
|
||||
- name: Run tests environments
|
||||
id: pytest
|
||||
run: |
|
||||
|
@ -104,6 +114,11 @@ jobs:
|
|||
terraform_version: ${{ env.TF_VERSION }}
|
||||
terraform_wrapper: false
|
||||
|
||||
- name: Pin provider versions
|
||||
run: |
|
||||
sed -i 's/>=\(.*# tftest\)/=\1/g' default-versions.tf
|
||||
find -name versions.tf -exec cp default-versions.tf {} \;
|
||||
|
||||
- name: Run tests modules
|
||||
id: pytest
|
||||
run: |
|
||||
|
@ -132,6 +147,11 @@ jobs:
|
|||
terraform_version: ${{ env.TF_VERSION }}
|
||||
terraform_wrapper: false
|
||||
|
||||
- name: Pin provider versions
|
||||
run: |
|
||||
sed -i 's/>=\(.*# tftest\)/=\1/g' default-versions.tf
|
||||
find -name versions.tf -exec cp default-versions.tf {} \;
|
||||
|
||||
- name: Run tests on FAST stages
|
||||
id: pytest
|
||||
run: |
|
||||
|
|
|
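Review bot: The `Pin provider versions` step added in this hunk (and repeated verbatim in the three later hunks of this workflow) copies `default-versions.tf` over every `versions.tf` in the tree, so any module or stage whose `versions.tf` declares providers beyond `google`/`google-beta` loses those declarations for the test run; if such files exist the copy should skip them, or the pinned constraint should be merged into them rather than replacing the file. `find` is also invoked without a start path, which GNU find tolerates but POSIX find rejects, so `find . -name versions.tf -exec cp default-versions.tf {} \;` is the more portable and explicit form. Keeping the four identical step bodies in sync would be easier if they called one checked-in script from each job. The jobs these steps belong to start and end outside the hunks.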
@ -8,7 +8,8 @@ All notable changes to this project will be documented in this file.
|
|||
- add `id` output to service account module
|
||||
- add support for secrets to cloud function module
|
||||
- new binary authorization module
|
||||
- add `consumer_accept_list` option to `apigee-x-instance` module.
|
||||
- add `consumer_accept_list` option to `apigee-x-instance` module
|
||||
- fix addons for GKE autopilot
|
||||
|
||||
**FAST**
|
||||
|
||||
|
@ -17,6 +18,7 @@ All notable changes to this project will be documented in this file.
|
|||
- remove unsupported attributes and add supported ones to the Gitlab mapping used for Workload Identity Federation pools
|
||||
- add roles for CI/CD source repositories to stage 1 service account on automation project
|
||||
- fixes to CI/CD source repositories in stage 1
|
||||
- implement feature flags for FAST
|
||||
|
||||
## [16.0.0] - 2022-06-06
|
||||
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -461,31 +461,32 @@ The remaining configuration is manual, as it regards the repositories themselves
|
|||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [billing_account](variables.tf#L17) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | |
|
||||
| [organization](variables.tf#L162) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | |
|
||||
| [prefix](variables.tf#L177) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | |
|
||||
| [organization](variables.tf#L179) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | |
|
||||
| [prefix](variables.tf#L194) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | |
|
||||
| [bootstrap_user](variables.tf#L25) | Email of the nominal user running this stage for the first time. | <code>string</code> | | <code>null</code> | |
|
||||
| [cicd_repositories](variables.tf#L31) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object({ bootstrap = object({ branch = string identity_provider = string name = string type = string }) cicd = object({ branch = string identity_provider = string name = string type = string }) resman = object({ branch = string identity_provider = string name = string type = string }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [custom_role_names](variables.tf#L83) | Names of custom roles defined at the org level. | <code title="object({ organization_iam_admin = string service_project_network_admin = string })">object({…})</code> | | <code title="{ organization_iam_admin = "organizationIamAdmin" service_project_network_admin = "serviceProjectNetworkAdmin" }">{…}</code> | |
|
||||
| [federated_identity_providers](variables.tf#L95) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map(object({ attribute_condition = string issuer = string custom_settings = object({ issuer_uri = string allowed_audiences = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [groups](variables.tf#L109) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | |
|
||||
| [iam](variables.tf#L123) | Organization-level custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [iam_additive](variables.tf#L129) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [log_sinks](variables.tf#L137) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L171) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
|
||||
| [fast_features](variables.tf#L95) | Selective control for top-level FAST features. | <code title="object({ data_platform = bool project_factory = bool sandbox = bool teams = bool })">object({…})</code> | | <code title="{ data_platform = true project_factory = true sandbox = true teams = true }">{…}</code> | |
|
||||
| [federated_identity_providers](variables.tf#L112) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map(object({ attribute_condition = string issuer = string custom_settings = object({ issuer_uri = string allowed_audiences = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [groups](variables.tf#L126) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | |
|
||||
| [iam](variables.tf#L140) | Organization-level custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [iam_additive](variables.tf#L146) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||
| [log_sinks](variables.tf#L154) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> | |
|
||||
| [outputs_location](variables.tf#L188) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive | consumers |
|
||||
|---|---|:---:|---|
|
||||
| [automation](outputs.tf#L87) | Automation resources. | | |
|
||||
| [billing_dataset](outputs.tf#L92) | BigQuery dataset prepared for billing export. | | |
|
||||
| [cicd_repositories](outputs.tf#L97) | CI/CD repository configurations. | | |
|
||||
| [custom_roles](outputs.tf#L109) | Organization-level custom roles. | | |
|
||||
| [federated_identity](outputs.tf#L114) | Workload Identity Federation pool and providers. | | |
|
||||
| [outputs_bucket](outputs.tf#L124) | GCS bucket where generated output files are stored. | | |
|
||||
| [project_ids](outputs.tf#L129) | Projects created by this stage. | | |
|
||||
| [providers](outputs.tf#L149) | Terraform provider files for this stage and dependent stages. | ✓ | <code>stage-01</code> |
|
||||
| [service_accounts](outputs.tf#L138) | Automation service accounts created by this stage. | | |
|
||||
| [tfvars](outputs.tf#L158) | Terraform variable files for the following stages. | ✓ | |
|
||||
| [automation](outputs.tf#L88) | Automation resources. | | |
|
||||
| [billing_dataset](outputs.tf#L93) | BigQuery dataset prepared for billing export. | | |
|
||||
| [cicd_repositories](outputs.tf#L98) | CI/CD repository configurations. | | |
|
||||
| [custom_roles](outputs.tf#L110) | Organization-level custom roles. | | |
|
||||
| [federated_identity](outputs.tf#L115) | Workload Identity Federation pool and providers. | | |
|
||||
| [outputs_bucket](outputs.tf#L125) | GCS bucket where generated output files are stored. | | |
|
||||
| [project_ids](outputs.tf#L130) | Projects created by this stage. | | |
|
||||
| [providers](outputs.tf#L150) | Terraform provider files for this stage and dependent stages. | ✓ | <code>stage-01</code> |
|
||||
| [service_accounts](outputs.tf#L139) | Automation service accounts created by this stage. | | |
|
||||
| [tfvars](outputs.tf#L159) | Terraform variable files for the following stages. | ✓ | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -68,6 +68,7 @@ locals {
|
|||
}
|
||||
tfvars_globals = {
|
||||
billing_account = var.billing_account
|
||||
fast_features = var.fast_features
|
||||
groups = var.groups
|
||||
organization = var.organization
|
||||
prefix = var.prefix
|
||||
|
|
|
@ -92,6 +92,23 @@ variable "custom_role_names" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "fast_features" {
|
||||
description = "Selective control for top-level FAST features."
|
||||
type = object({
|
||||
data_platform = bool
|
||||
project_factory = bool
|
||||
sandbox = bool
|
||||
teams = bool
|
||||
})
|
||||
default = {
|
||||
data_platform = true
|
||||
project_factory = true
|
||||
sandbox = true
|
||||
teams = true
|
||||
}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "federated_identity_providers" {
|
||||
description = "Workload Identity Federation pools. The `cicd_repositories` variable references keys here."
|
||||
type = map(object({
|
||||
|
|
|
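Review bot: The description of the new `fast_features` variable does not say that an override has to set all four attributes: the object type declares `data_platform`, `project_factory`, `sandbox` and `teams` as plain `bool` with no `optional()` modifier, so passing e.g. only `{ sandbox = false }` is a type error rather than a partial override, and `nullable = false` additionally rules out null. Since tfdoc copies this description into the README variable tables changed elsewhere in this commit, it is worth spelling out: `description = "Selective control for top-level FAST features. Overrides must set every attribute, as none are optional."`. The `federated_identity_providers` variable that follows is cut off by the hunk.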
@ -1,11 +1,10 @@
|
|||
# CI/CD bootstrap
|
||||
|
||||
The primary purpose of this stage is to set up your CI/CD project structure automatically, with most of the
|
||||
necessary configuration to run the pipelines out of the box.
|
||||
The primary purpose of this stage is to set up your CI/CD project structure automatically, with most of the necessary configuration to run the pipelines out of the box.
|
||||
|
||||
## How to run this stage
|
||||
|
||||
This stage is meant to be executed after the [bootstrap](../00-bootstrap) stage has run, as it leverages the automation service account and bucket created there.
|
||||
This stage is meant to be executed after the [bootstrap](../00-bootstrap) stage has run, as it leverages the automation service account and bucket created there.
|
||||
The entire stage is optional, you may also choose to create your repositories manually.
|
||||
|
||||
### Providers configuration
|
||||
|
@ -51,7 +50,7 @@ cp ../00-bootstrap/terraform.tfvars .
|
|||
|
||||
A second set of variables is specific to this stage, they are all optional so if you need to customize them, create an extra `terraform.tfvars` file or add them to the file copied from bootstrap.
|
||||
|
||||
Refer to the [Variables](#variables) table at the bottom of this document, for a full list of variables, their origin (e.g. a stage or specific to this one), and descriptions explaining their meaning. The sections below also describe some of the possible customizations.
|
||||
Refer to the [Variables](#variables) table at the bottom of this document, for a full list of variables, their origin (e.g. a stage or specific to this one), and descriptions explaining their meaning. The sections below also describe some of the possible customizations.
|
||||
|
||||
### CI/CD systems
|
||||
|
||||
|
@ -89,7 +88,7 @@ and such, the `00-cicd` stage creates all the repositories in your CI/CD system
|
|||
configuration is essentially a combination of all the `cicd_repositories` variables of the other stages
|
||||
plus additional CI/CD system specific configuration information.
|
||||
|
||||
This is an example of configuring the repositories in this stage.
|
||||
This is an example of configuring the repositories in this stage.
|
||||
|
||||
```hcl
|
||||
cicd_repositories = {
|
||||
|
@ -163,7 +162,6 @@ The `type` attribute can be set to one of the supported repository types: `githu
|
|||
|
||||
Once the stage is applied the generated output files will contain pre-configured workflow files for each repository, that will use Workload Identity Federation via a dedicated service account for each repository to impersonate the automation service account for the stage.
|
||||
|
||||
|
||||
Once done, you can run this stage:
|
||||
|
||||
```bash
|
||||
|
|
|
@ -15,17 +15,15 @@
|
|||
terraform {
|
||||
required_version = ">= 1.1.0"
|
||||
required_providers {
|
||||
gitlab = {
|
||||
source = "gitlabhq/gitlab"
|
||||
version = ">= 3.15.0"
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
github = {
|
||||
source = "integrations/github"
|
||||
version = ">= 4.26.0"
|
||||
}
|
||||
tls = {
|
||||
source = "hashicorp/tls"
|
||||
version = "3.4.0"
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
|
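Review bot: The rewritten `required_providers` block keeps only `google` and `google-beta` and drops the `gitlab`, `github` and `tls` entries, while the 00-cicd README changed in this same commit still documents `github` and `gitlab` repository types for this stage. Without an explicit source, Terraform resolves a `github` or `gitlab` provider reference to `hashicorp/<name>` rather than `integrations/github` or `gitlabhq/gitlab`, so `terraform init` for this stage would fail if any such resources remain; this looks like the CI step that copies `default-versions.tf` over every `versions.tf` having been committed, whether on master or in this merge. If the intent is only to add the `# tftest`-marked google providers, the three previous entries should be kept alongside them. The `terraform` block is fully contained in the hunk.
```hcl
  required_providers {
    gitlab = {
      source  = "gitlabhq/gitlab"
      version = ">= 3.15.0"
    }
    github = {
      source  = "integrations/github"
      version = ">= 4.26.0"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "3.4.0"
    }
    # … unchanged: google and google-beta entries with the "# tftest" marker …
  }
```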
@ -159,13 +159,14 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
| [billing.tf](./billing.tf) | Billing resources for external billing use cases. | <code>organization</code> | <code>google_billing_account_iam_member</code> |
|
||||
| [branch-data-platform.tf](./branch-data-platform.tf) | Data Platform stages resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-networking.tf](./branch-networking.tf) | Networking stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-project-factory.tf](./branch-project-factory.tf) | Project factory stage resources. | <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-security.tf](./branch-security.tf) | Security stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-teams.tf](./branch-teams.tf) | Team stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [cicd-data-platform.tf](./cicd-data-platform.tf) | CI/CD resources for the data platform branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [cicd-networking.tf](./cicd-networking.tf) | CI/CD resources for the networking branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [cicd-project-factory.tf](./cicd-project-factory.tf) | CI/CD resources for the teams branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [cicd-security.tf](./cicd-security.tf) | CI/CD resources for the security branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [cicd-teams.tf](./cicd-teams.tf) | CI/CD resources for the teams branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | | |
|
||||
| [organization.tf](./organization.tf) | Organization policies. | <code>organization</code> | <code>google_organization_iam_member</code> |
|
||||
| [outputs-files.tf](./outputs-files.tf) | Output files persistence to local filesystem. | | <code>local_file</code> |
|
||||
|
@ -179,28 +180,29 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string project_id = string project_number = string federated_identity_pool = string federated_identity_providers = map(object({ issuer = string issuer_uri = string name = string principal_tpl = string principalset_tpl = string })) })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L38) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [organization](variables.tf#L141) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L165) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [organization](variables.tf#L159) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L183) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object({ data_platform_dev = object({ branch = string identity_provider = string name = string type = string }) data_platform_prod = object({ branch = string identity_provider = string name = string type = string }) networking = object({ branch = string identity_provider = string name = string type = string }) project_factory_dev = object({ branch = string identity_provider = string name = string type = string }) project_factory_prod = object({ branch = string identity_provider = string name = string type = string }) security = object({ branch = string identity_provider = string name = string type = string }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [custom_roles](variables.tf#L117) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L126) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L151) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L159) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L176) | Customized names for resource management tags. | <code title="object({ context = string environment = string })">object({…})</code> | | <code title="{ context = "context" environment = "environment" }">{…}</code> | |
|
||||
| [team_folders](variables.tf#L193) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
| [fast_features](variables.tf#L126) | Selective control for top-level FAST features. | <code title="object({ data_platform = bool project_factory = bool sandbox = bool teams = bool })">object({…})</code> | | <code title="{ data_platform = true project_factory = true sandbox = true teams = true }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L144) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L169) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L177) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L194) | Customized names for resource management tags. | <code title="object({ context = string environment = string })">object({…})</code> | | <code title="{ context = "context" environment = "environment" }">{…}</code> | |
|
||||
| [team_folders](variables.tf#L211) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive | consumers |
|
||||
|---|---|:---:|---|
|
||||
| [cicd_repositories](outputs.tf#L145) | WIF configuration for CI/CD repositories. | | |
|
||||
| [dataplatform](outputs.tf#L159) | Data for the Data Platform stage. | | |
|
||||
| [networking](outputs.tf#L175) | Data for the networking stage. | | |
|
||||
| [project_factories](outputs.tf#L184) | Data for the project factories stage. | | |
|
||||
| [providers](outputs.tf#L200) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
|
||||
| [sandbox](outputs.tf#L207) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
|
||||
| [security](outputs.tf#L217) | Data for the networking stage. | | <code>02-security</code> |
|
||||
| [teams](outputs.tf#L227) | Data for the teams stage. | | |
|
||||
| [tfvars](outputs.tf#L240) | Terraform variable files for the following stages. | ✓ | |
|
||||
| [cicd_repositories](outputs.tf#L154) | WIF configuration for CI/CD repositories. | | |
|
||||
| [dataplatform](outputs.tf#L168) | Data for the Data Platform stage. | | |
|
||||
| [networking](outputs.tf#L184) | Data for the networking stage. | | |
|
||||
| [project_factories](outputs.tf#L193) | Data for the project factories stage. | | |
|
||||
| [providers](outputs.tf#L209) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
|
||||
| [sandbox](outputs.tf#L216) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
|
||||
| [security](outputs.tf#L230) | Data for the networking stage. | | <code>02-security</code> |
|
||||
| [teams](outputs.tf#L240) | Data for the teams stage. | | |
|
||||
| [tfvars](outputs.tf#L253) | Terraform variable files for the following stages. | ✓ | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -16,8 +16,14 @@
|
|||
|
||||
# tfdoc:file:description Data Platform stages resources.
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-folder
|
||||
to = module.branch-dp-folder.0
|
||||
}
|
||||
|
||||
module "branch-dp-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
parent = "organizations/${var.organization.id}"
|
||||
name = "Data Platform"
|
||||
tag_bindings = {
|
||||
|
@ -27,18 +33,26 @@ module "branch-dp-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-dev-folder
|
||||
to = module.branch-dp-dev-folder.0
|
||||
}
|
||||
|
||||
module "branch-dp-dev-folder" {
|
||||
source = "../../../modules/folder"
|
||||
parent = module.branch-dp-folder.id
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
parent = module.branch-dp-folder.0.id
|
||||
name = "Development"
|
||||
group_iam = {}
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-dp-dev-sa.iam_email]
|
||||
(local.custom_roles.service_project_network_admin) = [
|
||||
module.branch-dp-dev-sa.0.iam_email
|
||||
]
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/owner" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/owner" = [module.branch-dp-dev-sa.0.iam_email]
|
||||
"roles/logging.admin" = [module.branch-dp-dev-sa.0.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.0.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.0.iam_email]
|
||||
}
|
||||
tag_bindings = {
|
||||
context = try(
|
||||
|
@ -47,18 +61,24 @@ module "branch-dp-dev-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-prod-folder
|
||||
to = module.branch-dp-prod-folder.0
|
||||
}
|
||||
|
||||
module "branch-dp-prod-folder" {
|
||||
source = "../../../modules/folder"
|
||||
parent = module.branch-dp-folder.id
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
parent = module.branch-dp-folder.0.id
|
||||
name = "Production"
|
||||
group_iam = {}
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-dp-prod-sa.iam_email]
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-dp-prod-sa.0.iam_email]
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/owner" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/owner" = [module.branch-dp-prod-sa.0.iam_email]
|
||||
"roles/logging.admin" = [module.branch-dp-prod-sa.0.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-prod-sa.0.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.0.iam_email]
|
||||
}
|
||||
tag_bindings = {
|
||||
context = try(
|
||||
|
@ -69,8 +89,14 @@ module "branch-dp-prod-folder" {
|
|||
|
||||
# automation service accounts and buckets
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-dev-sa
|
||||
to = module.branch-dp-dev-sa.0
|
||||
}
|
||||
|
||||
module "branch-dp-dev-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-dp-0"
|
||||
description = "Terraform data platform development service account."
|
||||
|
@ -85,8 +111,14 @@ module "branch-dp-dev-sa" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-prod-sa
|
||||
to = module.branch-dp-prod-sa.0
|
||||
}
|
||||
|
||||
module "branch-dp-prod-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-dp-0"
|
||||
description = "Terraform data platform production service account."
|
||||
|
@ -101,24 +133,36 @@ module "branch-dp-prod-sa" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-dev-gcs
|
||||
to = module.branch-dp-dev-gcs.0
|
||||
}
|
||||
|
||||
module "branch-dp-dev-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-dp-0"
|
||||
prefix = var.prefix
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.objectAdmin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/storage.objectAdmin" = [module.branch-dp-dev-sa.0.iam_email]
|
||||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-dp-prod-gcs
|
||||
to = module.branch-dp-prod-gcs.0
|
||||
}
|
||||
|
||||
module "branch-dp-prod-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.data_platform ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-dp-0"
|
||||
prefix = var.prefix
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.objectAdmin" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/storage.objectAdmin" = [module.branch-dp-prod-sa.0.iam_email]
|
||||
}
|
||||
}
|
||||
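Review bot: Flipping `fast_features.data_platform` to false on an existing deployment now plans the destruction of the `dev-resman-dp-0` and `prod-resman-dp-0` state buckets (L2213–L2246, L2265–L2298) together with the Data Platform folders and automation service accounts, because every module in this file is gated by the same `count`, and the `moved` blocks only cover the true-to-true transition. Losing a versioned state bucket is not recoverable from Terraform, so the file should say so explicitly; suggested header comment after the tfdoc line: `# Disabling fast_features.data_platform destroys this branch's folders, automation SAs and Terraform state buckets; migrate or back up the bucket contents before changing the flag.` If the gcs module exposes a retention or prevent-destroy option, enabling it on the two state buckets would turn the accidental case into a plan-time error rather than a deletion.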
|
|
|
@ -50,10 +50,10 @@ module "branch-network-prod-folder" {
|
|||
parent = module.branch-network-folder.id
|
||||
name = "Production"
|
||||
iam = {
|
||||
"roles/compute.xpnAdmin" = [
|
||||
module.branch-dp-prod-sa.iam_email,
|
||||
module.branch-teams-prod-pf-sa.iam_email
|
||||
]
|
||||
"roles/compute.xpnAdmin" = compact([
|
||||
try(module.branch-dp-prod-sa.0.iam_email, ""),
|
||||
try(module.branch-pf-prod-sa.0.iam_email, ""),
|
||||
])
|
||||
}
|
||||
tag_bindings = {
|
||||
environment = try(
|
||||
|
@ -67,10 +67,10 @@ module "branch-network-dev-folder" {
|
|||
parent = module.branch-network-folder.id
|
||||
name = "Development"
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [
|
||||
module.branch-dp-dev-sa.iam_email,
|
||||
module.branch-teams-dev-pf-sa.iam_email
|
||||
]
|
||||
(local.custom_roles.service_project_network_admin) = compact([
|
||||
try(module.branch-dp-dev-sa.0.iam_email, ""),
|
||||
try(module.branch-pf-dev-sa.0.iam_email, ""),
|
||||
])
|
||||
}
|
||||
tag_bindings = {
|
||||
environment = try(
|
||||
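Review bot: The `try(..., "")` wrappers in the `roles/compute.xpnAdmin` and `service_project_network_admin` grants (L2328–L2337, L2374–L2383) swallow any evaluation error, not just the missing-instance case, so a future typo or rename of `module.branch-dp-prod-sa` or `module.branch-pf-prod-sa` silently drops that service account from the shared-VPC admin binding instead of failing the plan. Elsewhere in this commit optional references are gated on the flag itself (`!var.fast_features.data_platform ? {} : {...}` in organization.tf), which fails loudly on a bad reference; the same form works here, e.g. `"roles/compute.xpnAdmin" = concat(var.fast_features.data_platform ? [module.branch-dp-prod-sa.0.iam_email] : [], var.fast_features.project_factory ? [module.branch-pf-prod-sa.0.iam_email] : [])`. Both `branch-network-prod-folder` and `branch-network-dev-folder` start and end outside their hunks.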
|
|
|
@ -0,0 +1,97 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# tfdoc:file:description Project factory stage resources.
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-dev-pf-sa
|
||||
to = module.branch-pf-dev-sa.0
|
||||
}
|
||||
|
||||
module "branch-pf-dev-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-pf-0"
|
||||
# naming: environment in description
|
||||
description = "Terraform project factory development service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-pf-dev-sa-cicd.0.iam_email, null)
|
||||
])
|
||||
}
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.admin"]
|
||||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-prod-pf-sa
|
||||
to = module.branch-pf-prod-sa.0
|
||||
}
|
||||
|
||||
module "branch-pf-prod-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-pf-0"
|
||||
# naming: environment in description
|
||||
description = "Terraform project factory production service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-pf-prod-sa-cicd.0.iam_email, null)
|
||||
])
|
||||
}
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.admin"]
|
||||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-dev-pf-gcs
|
||||
to = module.branch-pf-dev-gcs.0
|
||||
}
|
||||
|
||||
module "branch-pf-dev-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-pf-0"
|
||||
prefix = var.prefix
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.objectAdmin" = [module.branch-pf-dev-sa.0.iam_email]
|
||||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-prod-pf-gcs
|
||||
to = module.branch-pf-prod-gcs.0
|
||||
}
|
||||
|
||||
module "branch-pf-prod-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-pf-0"
|
||||
prefix = var.prefix
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.objectAdmin" = [module.branch-pf-prod-sa.0.iam_email]
|
||||
}
|
||||
}
|
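Review bot: Both project-factory automation service accounts receive `roles/storage.admin` on the shared `var.automation.outputs_bucket` through `iam_storage_roles` (L2506–L2512, L2573–L2579), a role that also allows changing the bucket's IAM policy and deleting the bucket — presumably the bucket where the `providers` and `tfvars` files the outputs table marks as sensitive are published for every stage. If these SAs only read their own provider and tfvars files, `roles/storage.objectViewer` is enough, and `roles/storage.objectAdmin` still avoids bucket-level IAM control if they also write outputs. The grant is carried over unchanged from branch-teams.tf, so it is a pre-existing choice rather than one this rename introduces, but the new file is the natural place to record the rationale: `# storage.admin on the outputs bucket also grants bucket IAM control; reduce to objectAdmin/objectViewer unless bucket-level changes are required.`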
|
@ -16,15 +16,21 @@
|
|||
|
||||
# tfdoc:file:description Sandbox stage resources.
|
||||
|
||||
moved {
|
||||
from = module.branch-sandbox-folder
|
||||
to = module.branch-sandbox-folder.0
|
||||
}
|
||||
|
||||
module "branch-sandbox-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.sandbox ? 1 : 0
|
||||
parent = "organizations/${var.organization.id}"
|
||||
name = "Sandbox"
|
||||
iam = {
|
||||
"roles/logging.admin" = [module.branch-sandbox-sa.iam_email]
|
||||
"roles/owner" = [module.branch-sandbox-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-sandbox-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-sandbox-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-sandbox-sa.0.iam_email]
|
||||
"roles/owner" = [module.branch-sandbox-sa.0.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-sandbox-sa.0.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-sandbox-sa.0.iam_email]
|
||||
}
|
||||
policy_boolean = {
|
||||
"constraints/sql.restrictPublicIp" = false
|
||||
|
@ -44,19 +50,31 @@ module "branch-sandbox-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-sandbox-gcs
|
||||
to = module.branch-sandbox-gcs.0
|
||||
}
|
||||
|
||||
module "branch-sandbox-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
count = var.fast_features.sandbox ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-sbox-0"
|
||||
prefix = var.prefix
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.objectAdmin" = [module.branch-sandbox-sa.iam_email]
|
||||
"roles/storage.objectAdmin" = [module.branch-sandbox-sa.0.iam_email]
|
||||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-sandbox-sa
|
||||
to = module.branch-sandbox-sa.0
|
||||
}
|
||||
|
||||
module "branch-sandbox-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.sandbox ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-sbox-0"
|
||||
description = "Terraform resman sandbox service account."
|
||||
|
|
|
@ -16,8 +16,14 @@
|
|||
|
||||
# tfdoc:file:description Team stage resources.
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-folder
|
||||
to = module.branch-teams-folder.0
|
||||
}
|
||||
|
||||
module "branch-teams-folder" {
|
||||
source = "../../../modules/folder"
|
||||
count = var.fast_features.teams ? 1 : 0
|
||||
parent = "organizations/${var.organization.id}"
|
||||
name = "Teams"
|
||||
tag_bindings = {
|
||||
|
@ -27,8 +33,14 @@ module "branch-teams-folder" {
|
|||
}
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.branch-teams-prod-sa
|
||||
to = module.branch-teams-prod-sa.0
|
||||
}
|
||||
|
||||
module "branch-teams-prod-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
count = var.fast_features.teams ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-teams-0"
|
||||
description = "Terraform resman production service account."
|
||||
|
@ -39,15 +51,15 @@ module "branch-teams-prod-sa" {
|
|||
|
||||
module "branch-teams-team-folder" {
|
||||
source = "../../../modules/folder"
|
||||
for_each = coalesce(var.team_folders, {})
|
||||
parent = module.branch-teams-folder.id
|
||||
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
||||
parent = module.branch-teams-folder.0.id
|
||||
name = each.value.descriptive_name
|
||||
group_iam = each.value.group_iam == null ? {} : each.value.group_iam
|
||||
}
|
||||
|
||||
module "branch-teams-team-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = coalesce(var.team_folders, {})
|
||||
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-teams-${each.key}-0"
|
||||
description = "Terraform team ${each.key} service account."
|
||||
|
@ -63,7 +75,7 @@ module "branch-teams-team-sa" {
|
|||
|
||||
module "branch-teams-team-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
for_each = coalesce(var.team_folders, {})
|
||||
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-teams-${each.key}-0"
|
||||
prefix = var.prefix
|
||||
|
@ -77,19 +89,19 @@ module "branch-teams-team-gcs" {
|
|||
|
||||
module "branch-teams-team-dev-folder" {
|
||||
source = "../../../modules/folder"
|
||||
for_each = coalesce(var.team_folders, {})
|
||||
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
||||
parent = module.branch-teams-team-folder[each.key].id
|
||||
# naming: environment descriptive name
|
||||
name = "Development"
|
||||
# environment-wide human permissions on the whole teams environment
|
||||
group_iam = {}
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-pf-dev-sa.0.iam_email]
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/owner" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
"roles/owner" = [module.branch-pf-dev-sa.0.iam_email]
|
||||
"roles/logging.admin" = [module.branch-pf-dev-sa.0.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-pf-dev-sa.0.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-pf-dev-sa.0.iam_email]
|
||||
}
|
||||
tag_bindings = {
|
||||
environment = try(
|
||||
|
@ -100,19 +112,19 @@ module "branch-teams-team-dev-folder" {
|
|||
|
||||
module "branch-teams-team-prod-folder" {
|
||||
source = "../../../modules/folder"
|
||||
for_each = coalesce(var.team_folders, {})
|
||||
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
|
||||
parent = module.branch-teams-team-folder[each.key].id
|
||||
# naming: environment descriptive name
|
||||
name = "Production"
|
||||
# environment-wide human permissions on the whole teams environment
|
||||
group_iam = {}
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-pf-prod-sa.0.iam_email]
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/owner" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
"roles/owner" = [module.branch-pf-prod-sa.0.iam_email]
|
||||
"roles/logging.admin" = [module.branch-pf-prod-sa.0.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-pf-prod-sa.0.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-pf-prod-sa.0.iam_email]
|
||||
}
|
||||
tag_bindings = {
|
||||
environment = try(
|
||||
|
@ -120,63 +132,3 @@ module "branch-teams-team-prod-folder" {
|
|||
)
|
||||
}
|
||||
}
|
||||
|
||||
# project factory per-team environment service accounts
|
||||
|
||||
module "branch-teams-dev-pf-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-pf-0"
|
||||
# naming: environment in description
|
||||
description = "Terraform project factory development service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-teams-dev-pf-sa-cicd.0.iam_email, null)
|
||||
])
|
||||
}
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.admin"]
|
||||
}
|
||||
}
|
||||
|
||||
module "branch-teams-prod-pf-sa" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-pf-0"
|
||||
# naming: environment in description
|
||||
description = "Terraform project factory production service account."
|
||||
prefix = var.prefix
|
||||
iam = {
|
||||
"roles/iam.serviceAccountTokenCreator" = compact([
|
||||
try(module.branch-teams-prod-pf-sa-cicd.0.iam_email, null)
|
||||
])
|
||||
}
|
||||
iam_storage_roles = {
|
||||
(var.automation.outputs_bucket) = ["roles/storage.admin"]
|
||||
}
|
||||
}
|
||||
|
||||
# project factory per-team environment GCS buckets
|
||||
|
||||
module "branch-teams-dev-pf-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
project_id = var.automation.project_id
|
||||
name = "dev-resman-pf-0"
|
||||
prefix = var.prefix
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.objectAdmin" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
}
|
||||
}
|
||||
|
||||
module "branch-teams-prod-pf-gcs" {
|
||||
source = "../../../modules/gcs"
|
||||
project_id = var.automation.project_id
|
||||
name = "prod-resman-pf-0"
|
||||
prefix = var.prefix
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.objectAdmin" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
}
|
||||
}
|
||||
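Review bot: `module.branch-pf-dev-sa.0.iam_email` and `module.branch-pf-prod-sa.0.iam_email` are indexed unconditionally in the per-team environment folder IAM (L3065, L3083–L3092, L3143, L3161–L3170), but those modules are created with `count = var.fast_features.project_factory ? 1 : 0` in branch-project-factory.tf, so a configuration with `teams = true` and `project_factory = false` fails at plan time with an invalid index instead of being rejected as an unsupported combination. Since these are `roles/owner` and `folderAdmin` grants on every team folder, I would make the coupling explicit with a `validation` block on `var.fast_features` requiring `project_factory` whenever `teams` is set, rather than wrapping the references in `try()` and silently producing team folders with no automation principal. If the combination is meant to be supported, the grants need the flag-gated form used in branch-networking.tf, e.g. `"roles/owner" = var.fast_features.project_factory ? [module.branch-pf-dev-sa.0.iam_email] : []`. Both `branch-teams-team-dev-folder` and `branch-teams-team-prod-folder` continue outside their hunks.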
|
|
|
@ -28,8 +28,12 @@ module "branch-dp-dev-cicd-repo" {
|
|||
project_id = var.automation.project_id
|
||||
name = each.value.name
|
||||
iam = {
|
||||
"roles/source.admin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/source.reader" = [module.branch-dp-dev-sa-cicd.0.iam_email]
|
||||
"roles/source.admin" = compact([
|
||||
try(module.branch-dp-dev-sa.0.iam_email, "")
|
||||
])
|
||||
"roles/source.reader" = compact([
|
||||
try(module.branch-dp-dev-sa-cicd.0.iam_email, "")
|
||||
])
|
||||
}
|
||||
triggers = {
|
||||
fast-03-dp-dev = {
|
||||
|
@ -60,7 +64,7 @@ module "branch-dp-prod-cicd-repo" {
|
|||
project_id = var.automation.project_id
|
||||
name = each.value.name
|
||||
iam = {
|
||||
"roles/source.admin" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/source.admin" = [module.branch-dp-prod-sa.0.iam_email]
|
||||
"roles/source.reader" = [module.branch-dp-prod-sa-cicd.0.iam_email]
|
||||
}
|
||||
triggers = {
|
||||
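Review bot: The dev and prod repository IAM blocks now disagree on how a disabled data-platform branch is handled: the dev repo wraps both grants in `compact([try(..., "")])` (L3390–L3405), which silently creates the repository with no `roles/source.admin` and no `roles/source.reader` binding when `fast_features.data_platform` is false, while the prod repo still indexes `module.branch-dp-prod-sa.0.iam_email` directly (L3433) and fails the plan in that case. Failing is the safer outcome for a repository whose triggers run the stage's Terraform, so I would drop the `try` wrappers in the dev block, or better gate both repos' `for_each` on `var.fast_features.data_platform` so no repository or trigger is created for a branch that does not exist. The enclosing `branch-dp-dev-cicd-repo` and `branch-dp-prod-cicd-repo` module blocks start and end outside the hunks.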
|
|
|
@ -18,7 +18,12 @@
|
|||
|
||||
# source repositories
|
||||
|
||||
module "branch-teams-dev-pf-cicd-repo" {
|
||||
moved {
|
||||
from = module.branch-teams-dev-pf-cicd-repo
|
||||
to = module.branch-pf-dev-cicd-repo
|
||||
}
|
||||
|
||||
module "branch-pf-dev-cicd-repo" {
|
||||
source = "../../../modules/source-repository"
|
||||
for_each = (
|
||||
try(local.cicd_repositories.project_factory_dev.type, null) == "sourcerepo"
|
||||
|
@ -28,8 +33,8 @@ module "branch-teams-dev-pf-cicd-repo" {
|
|||
project_id = var.automation.project_id
|
||||
name = each.value.name
|
||||
iam = {
|
||||
"roles/source.admin" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
"roles/source.reader" = [module.branch-teams-dev-pf-sa-cicd.0.iam_email]
|
||||
"roles/source.admin" = [module.branch-pf-dev-sa.0.iam_email]
|
||||
"roles/source.reader" = [module.branch-pf-dev-sa-cicd.0.iam_email]
|
||||
}
|
||||
triggers = {
|
||||
fast-03-pf-dev = {
|
||||
|
@ -37,7 +42,7 @@ module "branch-teams-dev-pf-cicd-repo" {
|
|||
included_files = [
|
||||
"**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml"
|
||||
]
|
||||
service_account = module.branch-teams-dev-pf-sa-cicd.0.id
|
||||
service_account = module.branch-pf-dev-sa-cicd.0.id
|
||||
substitutions = {}
|
||||
template = {
|
||||
project_id = null
|
||||
|
@ -47,10 +52,15 @@ module "branch-teams-dev-pf-cicd-repo" {
|
|||
}
|
||||
}
|
||||
}
|
||||
depends_on = [module.branch-teams-dev-pf-sa-cicd]
|
||||
depends_on = [module.branch-pf-dev-sa-cicd]
|
||||
}
|
||||
|
||||
module "branch-teams-prod-pf-cicd-repo" {
|
||||
moved {
|
||||
from = module.branch-teams-prod-pf-cicd-repo
|
||||
to = module.branch-pf-prod-cicd-repo
|
||||
}
|
||||
|
||||
module "branch-pf-prod-cicd-repo" {
|
||||
source = "../../../modules/source-repository"
|
||||
for_each = (
|
||||
try(local.cicd_repositories.project_factory_prod.type, null) == "sourcerepo"
|
||||
|
@ -60,8 +70,8 @@ module "branch-teams-prod-pf-cicd-repo" {
|
|||
project_id = var.automation.project_id
|
||||
name = each.value.name
|
||||
iam = {
|
||||
"roles/source.admin" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
"roles/source.reader" = [module.branch-teams-prod-pf-sa-cicd.0.iam_email]
|
||||
"roles/source.admin" = [module.branch-pf-prod-sa.0.iam_email]
|
||||
"roles/source.reader" = [module.branch-pf-prod-sa-cicd.0.iam_email]
|
||||
}
|
||||
triggers = {
|
||||
fast-03-pf-prod = {
|
||||
|
@ -69,7 +79,7 @@ module "branch-teams-prod-pf-cicd-repo" {
|
|||
included_files = [
|
||||
"**/*json", "**/*tf", "**/*yaml", ".cloudbuild/workflow.yaml"
|
||||
]
|
||||
service_account = module.branch-teams-prod-pf-sa-cicd.0.id
|
||||
service_account = module.branch-pf-prod-sa-cicd.0.id
|
||||
substitutions = {}
|
||||
template = {
|
||||
project_id = null
|
||||
|
@ -79,12 +89,17 @@ module "branch-teams-prod-pf-cicd-repo" {
|
|||
}
|
||||
}
|
||||
}
|
||||
depends_on = [module.branch-teams-prod-pf-sa-cicd]
|
||||
depends_on = [module.branch-pf-prod-sa-cicd]
|
||||
}
|
||||
|
||||
# SAs used by CI/CD workflows to impersonate automation SAs
|
||||
|
||||
module "branch-teams-dev-pf-sa-cicd" {
|
||||
moved {
|
||||
from = module.branch-teams-dev-pf-sa-cicd
|
||||
to = module.branch-pf-dev-sa-cicd
|
||||
}
|
||||
|
||||
module "branch-pf-dev-sa-cicd" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = (
|
||||
try(local.cicd_repositories.project_factory_dev.name, null) != null
|
||||
|
@ -125,7 +140,12 @@ module "branch-teams-dev-pf-sa-cicd" {
|
|||
}
|
||||
}
|
||||
|
||||
module "branch-teams-prod-pf-sa-cicd" {
|
||||
moved {
|
||||
from = module.branch-teams-prod-pf-sa-cicd
|
||||
to = module.branch-pf-prod-sa-cicd
|
||||
}
|
||||
|
||||
module "branch-pf-prod-sa-cicd" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = (
|
||||
try(local.cicd_repositories.project_factory_prod.name, null) != null
|
|
@ -18,16 +18,23 @@
|
|||
|
||||
|
||||
locals {
|
||||
# set to the empty list if you remove the data platform branch
|
||||
branch_dataplatform_sa_iam_emails = [
|
||||
module.branch-dp-dev-sa.iam_email,
|
||||
module.branch-dp-prod-sa.iam_email
|
||||
]
|
||||
branch_dataplatform_sa_iam_emails = (
|
||||
var.fast_features.data_platform
|
||||
? [
|
||||
module.branch-dp-dev-sa.0.iam_email,
|
||||
module.branch-dp-prod-sa.0.iam_email
|
||||
]
|
||||
: []
|
||||
)
|
||||
# set to the empty list if you remove the teams branch
|
||||
branch_teams_pf_sa_iam_emails = [
|
||||
module.branch-teams-dev-pf-sa.iam_email,
|
||||
module.branch-teams-prod-pf-sa.iam_email
|
||||
]
|
||||
branch_teams_pf_sa_iam_emails = (
|
||||
var.fast_features.project_factory
|
||||
? [
|
||||
module.branch-pf-dev-sa.0.iam_email,
|
||||
module.branch-pf-prod-sa.0.iam_email
|
||||
]
|
||||
: []
|
||||
)
|
||||
list_allow = {
|
||||
inherit_from_parent = false
|
||||
suggested_value = null
|
||||
|
@ -176,18 +183,16 @@ module "organization" {
|
|||
|
||||
# organization policy admin role assigned with a condition on tags
|
||||
|
||||
resource "google_organization_iam_member" "org_policy_admin" {
|
||||
for_each = {
|
||||
data-dev = ["data", "development", module.branch-dp-dev-sa.iam_email]
|
||||
data-prod = ["data", "production", module.branch-dp-prod-sa.iam_email]
|
||||
pf-dev = ["teams", "development", module.branch-teams-dev-pf-sa.iam_email]
|
||||
pf-prod = ["teams", "production", module.branch-teams-prod-pf-sa.iam_email]
|
||||
resource "google_organization_iam_member" "org_policy_admin_dp" {
|
||||
for_each = !var.fast_features.data_platform ? {} : {
|
||||
data-dev = ["data", "development", module.branch-dp-dev-sa.0.iam_email]
|
||||
data-prod = ["data", "production", module.branch-dp-prod-sa.0.iam_email]
|
||||
}
|
||||
org_id = var.organization.id
|
||||
role = "roles/orgpolicy.policyAdmin"
|
||||
member = each.value.2
|
||||
condition {
|
||||
title = "org_policy_tag_scoped"
|
||||
title = "org_policy_tag_dp_scoped"
|
||||
description = "Org policy tag scoped grant for ${each.value.0}/${each.value.1}."
|
||||
expression = <<-END
|
||||
resource.matchTag('${var.organization.id}/${var.tag_names.context}', '${each.value.0}')
|
||||
|
@ -197,3 +202,21 @@ resource "google_organization_iam_member" "org_policy_admin" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "google_organization_iam_member" "org_policy_admin_pf" {
|
||||
for_each = !var.fast_features.project_factory ? {} : {
|
||||
pf-dev = ["teams", "development", module.branch-pf-dev-sa.0.iam_email]
|
||||
pf-prod = ["teams", "production", module.branch-pf-prod-sa.0.iam_email]
|
||||
}
|
||||
org_id = var.organization.id
|
||||
role = "roles/orgpolicy.policyAdmin"
|
||||
member = each.value.2
|
||||
condition {
|
||||
title = "org_policy_tag_pf_scoped"
|
||||
description = "Org policy tag scoped grant for ${each.value.0}/${each.value.1}."
|
||||
expression = <<-END
|
||||
resource.matchTag('${var.organization.id}/${var.tag_names.context}', '${each.value.0}')
|
||||
&&
|
||||
resource.matchTag('${var.organization.id}/${var.tag_names.environment}', '${each.value.1}')
|
||||
END
|
||||
}
|
||||
}
|
||||
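Review bot: Splitting `google_organization_iam_member.org_policy_admin` into `org_policy_admin_dp` and `org_policy_admin_pf` (L3889–L3994) comes without the `moved` blocks this commit adds for every other renamed address, so on the next apply Terraform destroys the four existing `roles/orgpolicy.policyAdmin` bindings and creates new ones; the condition title change from `org_policy_tag_scoped` to `org_policy_tag_dp_scoped` / `org_policy_tag_pf_scoped` would, as far as I can tell, force the replacement even if moves were present. Because this is an org-level grant to the stage automation service accounts, a stage pipeline running during that window, or an apply that fails between destroy and create, leaves those SAs without the role. If the recreation is intended, a comment above the two resources saying so would save the next reader a plan surprise; otherwise keep the original condition title and add instance-level moves such as `moved { from = google_organization_iam_member.org_policy_admin["data-dev"] to = google_organization_iam_member.org_policy_admin_dp["data-dev"] }` for each of the four keys.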
|
|
|
@ -33,12 +33,12 @@ locals {
|
|||
tf_var_files = local.cicd_workflow_var_files.stage_2
|
||||
}
|
||||
project_factory_dev = {
|
||||
service_account = try(module.branch-teams-dev-pf-sa-cicd.0.email, null)
|
||||
service_account = try(module.branch-pf-dev-sa-cicd.0.email, null)
|
||||
tf_providers_file = "03-project-factory-dev-providers.tf"
|
||||
tf_var_files = local.cicd_workflow_var_files.stage_3
|
||||
}
|
||||
project_factory_prod = {
|
||||
service_account = try(module.branch-teams-prod-pf-sa-cicd.0.email, null)
|
||||
service_account = try(module.branch-pf-prod-sa-cicd.0.email, null)
|
||||
tf_providers_file = "03-project-factory-prod-providers.tf"
|
||||
tf_var_files = local.cicd_workflow_var_files.stage_3
|
||||
}
|
||||
|
@ -62,13 +62,14 @@ locals {
|
|||
}
|
||||
folder_ids = merge(
|
||||
{
|
||||
data-platform = module.branch-dp-dev-folder.id
|
||||
networking = module.branch-network-folder.id
|
||||
networking-dev = module.branch-network-dev-folder.id
|
||||
networking-prod = module.branch-network-prod-folder.id
|
||||
sandbox = module.branch-sandbox-folder.id
|
||||
security = module.branch-security-folder.id
|
||||
teams = module.branch-teams-folder.id
|
||||
data-platform-dev = try(module.branch-dp-dev-folder.0.id, null)
|
||||
data-platform-prod = try(module.branch-dp-prod-folder.0.id, null)
|
||||
networking = module.branch-network-folder.id
|
||||
networking-dev = module.branch-network-dev-folder.id
|
||||
networking-prod = module.branch-network-prod-folder.id
|
||||
sandbox = try(module.branch-sandbox-folder.0.id, null)
|
||||
security = module.branch-security-folder.id
|
||||
teams = try(module.branch-teams-folder.0.id, null)
|
||||
},
|
||||
{
|
||||
for k, v in module.branch-teams-team-folder :
|
||||
|
@ -83,53 +84,61 @@ locals {
|
|||
"team-${k}-prod" => v.id
|
||||
}
|
||||
)
|
||||
providers = {
|
||||
"02-networking" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-network-gcs.name
|
||||
name = "networking"
|
||||
sa = module.branch-network-sa.email
|
||||
})
|
||||
"02-security" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-security-gcs.name
|
||||
name = "security"
|
||||
sa = module.branch-security-sa.email
|
||||
})
|
||||
"03-data-platform-dev" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-dp-dev-gcs.name
|
||||
name = "dp-dev"
|
||||
sa = module.branch-dp-dev-sa.email
|
||||
})
|
||||
"03-data-platform-prod" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-dp-prod-gcs.name
|
||||
name = "dp-prod"
|
||||
sa = module.branch-dp-prod-sa.email
|
||||
})
|
||||
"03-project-factory-dev" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-teams-dev-pf-gcs.name
|
||||
name = "team-dev"
|
||||
sa = module.branch-teams-dev-pf-sa.email
|
||||
})
|
||||
"03-project-factory-prod" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-teams-prod-pf-gcs.name
|
||||
name = "team-prod"
|
||||
sa = module.branch-teams-prod-pf-sa.email
|
||||
})
|
||||
"99-sandbox" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-sandbox-gcs.name
|
||||
name = "sandbox"
|
||||
sa = module.branch-sandbox-sa.email
|
||||
})
|
||||
}
|
||||
providers = merge(
|
||||
{
|
||||
"02-networking" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-network-gcs.name
|
||||
name = "networking"
|
||||
sa = module.branch-network-sa.email
|
||||
})
|
||||
"02-security" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-security-gcs.name
|
||||
name = "security"
|
||||
sa = module.branch-security-sa.email
|
||||
})
|
||||
},
|
||||
!var.fast_features.data_platform ? {} : {
|
||||
"03-data-platform-dev" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-dp-dev-gcs.0.name
|
||||
name = "dp-dev"
|
||||
sa = module.branch-dp-dev-sa.0.email
|
||||
})
|
||||
"03-data-platform-prod" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-dp-prod-gcs.0.name
|
||||
name = "dp-prod"
|
||||
sa = module.branch-dp-prod-sa.0.email
|
||||
})
|
||||
},
|
||||
!var.fast_features.project_factory ? {} : {
|
||||
"03-project-factory-dev" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-pf-dev-gcs.0.name
|
||||
name = "team-dev"
|
||||
sa = module.branch-pf-dev-sa.0.email
|
||||
})
|
||||
"03-project-factory-prod" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-pf-prod-gcs.0.name
|
||||
name = "team-prod"
|
||||
sa = module.branch-pf-prod-sa.0.email
|
||||
})
|
||||
},
|
||||
!var.fast_features.sandbox ? {} : {
|
||||
"99-sandbox" = templatefile(local._tpl_providers, {
|
||||
bucket = module.branch-sandbox-gcs.0.name
|
||||
name = "sandbox"
|
||||
sa = module.branch-sandbox-sa.0.email
|
||||
})
|
||||
}
|
||||
)
|
||||
service_accounts = merge(
|
||||
{
|
||||
data-platform-dev = module.branch-dp-dev-sa.email
|
||||
data-platform-prod = module.branch-dp-prod-sa.email
|
||||
data-platform-dev = try(module.branch-dp-dev-sa.0.email, null)
|
||||
data-platform-prod = try(module.branch-dp-prod-sa.0.email, null)
|
||||
networking = module.branch-network-sa.email
|
||||
project-factory-dev = module.branch-teams-dev-pf-sa.email
|
||||
project-factory-prod = module.branch-teams-prod-pf-sa.email
|
||||
sandbox = module.branch-sandbox-sa.email
|
||||
project-factory-dev = try(module.branch-pf-dev-sa.0.email, null)
|
||||
project-factory-prod = try(module.branch-pf-prod-sa.0.email, null)
|
||||
sandbox = try(module.branch-sandbox-sa.0.email, null)
|
||||
security = module.branch-security-sa.email
|
||||
teams = module.branch-teams-prod-sa.email
|
||||
teams = try(module.branch-teams-prod-sa.0.email, null)
|
||||
},
|
||||
{
|
||||
for k, v in module.branch-teams-team-sa : "team-${k}" => v.email
|
||||
|
@ -158,16 +167,16 @@ output "cicd_repositories" {
output "dataplatform" {
description = "Data for the Data Platform stage."
value = {
value = !var.fast_features.data_platform ? {} : {
dev = {
folder = module.branch-dp-dev-folder.id
gcs_bucket = module.branch-dp-dev-gcs.name
service_account = module.branch-dp-dev-sa.email
folder = module.branch-dp-dev-folder.0.id
gcs_bucket = module.branch-dp-dev-gcs.0.name
service_account = module.branch-dp-dev-sa.0.email
}
prod = {
folder = module.branch-dp-prod-folder.id
gcs_bucket = module.branch-dp-prod-gcs.name
service_account = module.branch-dp-prod-sa.email
folder = module.branch-dp-prod-folder.0.id
gcs_bucket = module.branch-dp-prod-gcs.0.name
service_account = module.branch-dp-prod-sa.0.email
}
}
}
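Review bot: `output "dataplatform"` yields `{}` when `var.fast_features.data_platform` is false, whereas `output "sandbox"` in a later hunk yields `null` for the disabled case, so downstream stages have to special-case two different "disabled" shapes (`output "project_factories"` follows the `{}` form). Settling on one shape for all three outputs would let consumers use a single `try(var.dataplatform.dev, null)`-style lookup; the `service_accounts` locals in the first hunk already use the `try(..., null)` convention, which suggests `null` is the intended marker. A short comment on the line `value = !var.fast_features.data_platform ? {} : {` explaining the `.0` index, e.g. `# the branch modules are count-gated on fast_features, hence the .0 index`, would also help readers who do not have the module definitions open.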
@ -183,14 +192,14 @@ output "networking" {
|
|||
|
||||
output "project_factories" {
|
||||
description = "Data for the project factories stage."
|
||||
value = {
|
||||
value = !var.fast_features.project_factory ? {} : {
|
||||
dev = {
|
||||
bucket = module.branch-teams-dev-pf-gcs.name
|
||||
sa = module.branch-teams-dev-pf-sa.email
|
||||
bucket = module.branch-pf-dev-gcs.0.name
|
||||
sa = module.branch-pf-dev-sa.0.email
|
||||
}
|
||||
prod = {
|
||||
bucket = module.branch-teams-prod-pf-gcs.name
|
||||
sa = module.branch-teams-prod-pf-sa.email
|
||||
bucket = module.branch-pf-prod-gcs.0.name
|
||||
sa = module.branch-pf-prod-sa.0.email
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -207,11 +216,15 @@ output "providers" {
|
|||
output "sandbox" {
|
||||
# tfdoc:output:consumers xx-sandbox
|
||||
description = "Data for the sandbox stage."
|
||||
value = {
|
||||
folder = module.branch-sandbox-folder.id
|
||||
gcs_bucket = module.branch-sandbox-gcs.name
|
||||
service_account = module.branch-sandbox-sa.email
|
||||
}
|
||||
value = (
|
||||
var.fast_features.sandbox
|
||||
? {
|
||||
folder = module.branch-sandbox-folder.0.id
|
||||
gcs_bucket = module.branch-sandbox-gcs.0.name
|
||||
service_account = module.branch-sandbox-sa.0.email
|
||||
}
|
||||
: null
|
||||
)
|
||||
}
|
||||
|
||||
output "security" {
|
||||
|
|
|
@ -123,6 +123,24 @@ variable "custom_roles" {
default = null
}
variable "fast_features" {
# tfdoc:variable:source 00-bootstrap
description = "Selective control for top-level FAST features."
type = object({
data_platform = bool
project_factory = bool
sandbox = bool
teams = bool
})
default = {
data_platform = true
project_factory = true
sandbox = true
teams = true
}
# nullable = false
}
variable "groups" {
# tfdoc:variable:source 00-bootstrap
description = "Group names to grant organization-level permissions."
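Review bot: `# nullable = false` is left commented out in `variable "fast_features"`, so a caller can pass `null` and every `var.fast_features.<attr>` lookup elsewhere (for example `!var.fast_features.data_platform ? {} : {` in the outputs) then fails at plan time with an attribute-on-null error instead of falling back to the defaults. If the project's minimum Terraform version supports it, `nullable = false` should be enabled; otherwise a `validation` block rejecting `null` would give a clearer message than the downstream lookup failure. The object type also has no optional attributes, so a tfvars value must list all four keys; that is worth stating in the description, e.g. `description = "Selective control for top-level FAST features. All four attributes are required; set one to false to skip that feature."`.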
@ -40,7 +40,7 @@ module "dev-spoke-project" {
|
|||
}
|
||||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
||||
"roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -123,10 +123,10 @@ module "peering-dev" {
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
project = module.dev-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = [
members = compact([
local.service_accounts.data-platform-dev,
local.service_accounts.project-factory-dev,
]
])
condition {
title = "dev_stage3_sa_delegated_grants"
description = "Development host project delegated grants."
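Review bot: `members = compact([...])` on `google_project_iam_binding.dev_spoke_project_iam_delegated` produces an empty member list when both `data-platform-dev` and `project-factory-dev` are null, i.e. when both FAST features are disabled; this is an authoritative binding, so it is worth verifying that the provider accepts an empty `members` on a conditional binding rather than failing at apply, and if it does not, gating the resource with `count = length(compact([...])) > 0 ? 1 : 0` is the safer form. The same pattern appears in `prod_spoke_project_iam_delegated` and in the equivalent dev/prod hunks of the other networking stages further down, so whichever form is chosen should be applied to all of them. Because this binding delegates `roles/resourcemanager.projectIamAdmin`, a one-line comment on the `members` line stating where the null entries come from, e.g. `# null entries come from disabled fast_features; compact() drops them`, would help anyone auditing who ends up in the binding. The resource's `condition` block continues outside the hunk.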
@ -40,7 +40,7 @@ module "prod-spoke-project" {
|
|||
}
|
||||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
||||
"roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -123,10 +123,10 @@ module "peering-prod" {
|
|||
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
|
||||
project = module.prod-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = [
|
||||
members = compact([
|
||||
local.service_accounts.data-platform-prod,
|
||||
local.service_accounts.project-factory-prod,
|
||||
]
|
||||
])
|
||||
condition {
|
||||
title = "prod_stage3_sa_delegated_grants"
|
||||
description = "Production host project delegated grants."
|
||||
|
|
|
@ -41,7 +41,7 @@ module "dev-spoke-project" {
|
|||
}
|
||||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
||||
"roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -100,10 +100,10 @@ module "dev-spoke-cloudnat" {
|
|||
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
|
||||
project = module.dev-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = [
|
||||
members = compact([
|
||||
local.service_accounts.data-platform-dev,
|
||||
local.service_accounts.project-factory-dev,
|
||||
]
|
||||
])
|
||||
condition {
|
||||
title = "dev_stage3_sa_delegated_grants"
|
||||
description = "Development host project delegated grants."
|
||||
|
|
|
@ -41,7 +41,7 @@ module "prod-spoke-project" {
|
|||
}
|
||||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
||||
"roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -100,10 +100,10 @@ module "prod-spoke-cloudnat" {
|
|||
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
|
||||
project = module.prod-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = [
|
||||
members = compact([
|
||||
local.service_accounts.data-platform-prod,
|
||||
local.service_accounts.project-factory-prod,
|
||||
]
|
||||
])
|
||||
condition {
|
||||
title = "prod_stage3_sa_delegated_grants"
|
||||
description = "Production host project delegated grants."
|
||||
|
|
|
@ -41,7 +41,7 @@ module "dev-spoke-project" {
|
|||
}
|
||||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
||||
"roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -100,10 +100,10 @@ module "dev-spoke-cloudnat" {
|
|||
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
|
||||
project = module.dev-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = [
|
||||
members = compact([
|
||||
local.service_accounts.data-platform-dev,
|
||||
local.service_accounts.project-factory-dev,
|
||||
]
|
||||
])
|
||||
condition {
|
||||
title = "dev_stage3_sa_delegated_grants"
|
||||
description = "Development host project delegated grants."
|
||||
|
|
|
@ -41,7 +41,7 @@ module "prod-spoke-project" {
|
|||
}
|
||||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
||||
"roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -100,10 +100,10 @@ module "prod-spoke-cloudnat" {
|
|||
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
|
||||
project = module.prod-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = [
|
||||
members = compact([
|
||||
local.service_accounts.data-platform-prod,
|
||||
local.service_accounts.project-factory-prod,
|
||||
]
|
||||
])
|
||||
condition {
|
||||
title = "prod_stage3_sa_delegated_grants"
|
||||
description = "Production host project delegated grants."
|
||||
|
|
|
@ -16,8 +16,10 @@
|
|||
|
||||
locals {
|
||||
dev_kms_restricted_admins = [
|
||||
"serviceAccount:${var.service_accounts.project-factory-dev}",
|
||||
"serviceAccount:${var.service_accounts.data-platform-dev}"
|
||||
for sa in compact([
|
||||
var.service_accounts.project-factory-dev,
|
||||
var.service_accounts.data-platform-dev
|
||||
]) : "serviceAccount:${sa}"
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
@ -16,8 +16,10 @@
|
|||
|
||||
locals {
|
||||
prod_kms_restricted_admins = [
|
||||
"serviceAccount:${var.service_accounts.project-factory-prod}",
|
||||
"serviceAccount:${var.service_accounts.data-platform-prod}"
|
||||
for sa in compact([
|
||||
var.service_accounts.project-factory-prod,
|
||||
var.service_accounts.data-platform-prod
|
||||
]) : "serviceAccount:${sa}"
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# FAST deployment clean up
|
||||
In case you require destroying a previous FAST deployment in your organization, follow these steps.
|
||||
If you want to destroy a previous FAST deployment in your organization, follow these steps.
|
||||
|
||||
Destruction must be done in reverse order, from stage 3 to stage 0:
|
||||
Destruction must be done in reverse order, from stage 3 to stage 0
|
||||
|
||||
## Stage 3 (Project Factory)
|
||||
|
||||
|
@ -11,7 +11,7 @@ terraform destroy
|
|||
```
|
||||
|
||||
## Stage 3 (GKE)
|
||||
Terraform refuses to delete non-empty GCS buckets and/or BigQuery datasets, so they need to be removed manually from tf state
|
||||
Terraform refuses to delete non-empty GCS buckets and BigQuery datasets, so they need to be removed manually from the state.
|
||||
|
||||
```bash
|
||||
cd $FAST_PWD/03-project-factory/prod/
|
||||
|
@ -37,10 +37,12 @@ cd $FAST_PWD/02-networking-XXX/
|
|||
terraform destroy
|
||||
```
|
||||
|
||||
There's a minor glitch that can surface running terraform destroy, where the service project attachments to the Shared VPC will not get destroyed even with the relevant API call succeeding. We are investigating the issue, in the meantime just manually remove the attachment in the Cloud console or via the ```gcloud beta compute shared-vpc associated-projects remove``` [command](https://cloud.google.com/sdk/gcloud/reference/beta/compute/shared-vpc/associated-projects/remove) when terraform destroy fails, and then relaunch the command.
|
||||
A minor glitch can surface running `terraform destroy`, where the service project attachments to the Shared VPCs will not get destroyed even with the relevant API call succeeding. We are investigating the issue but in the meantime, manually remove the attachment in the Cloud console or via the ```gcloud beta compute shared-vpc associated-projects remove``` [command](https://cloud.google.com/sdk/gcloud/reference/beta/compute/shared-vpc/associated-projects/remove) when destroy fails, and then relaunch the command.
|
||||
|
||||
## Stage 1 (Resource Management)
|
||||
Stage 1 is a little more complicated because of the GCS Buckets. By default terraform refuses to delete non-empty buckets, which is a good thing for your terraform state. However, it makes destruction a bit harder
|
||||
|
||||
Stage 1 is a little more complicated because of the GCS buckets containing your terraform statefiles. By default, Terraform refuses to delete non-empty buckets, which is good to protect your terraform state, but it makes destruction a bit harder. Use the commands below to remove the GCS buckets from the state and then execute `terraform destroy`
|
||||
|
||||
|
||||
```bash
|
||||
cd $FAST_PWD/01-resman/
|
||||
|
@ -54,9 +56,10 @@ terraform destroy
|
|||
```
|
||||
|
||||
## Stage 0 (Bootstrap)
|
||||
**You should follow these steps carefully because we can end up destroying our own permissions. As we will be removing gcp-admins group roles, where your user belongs to, you will be required to grant organization admin role again**
|
||||
|
||||
We also have to remove several resources (GCS buckets and BQ datasets) manually.
|
||||
**Warning: you should follow these steps carefully as we will modify our own permissions. Ensure you can grant yourself the Organization Admin role again. Otherwise, you will not be able to finish the destruction process and will, most likely, get locked out of your organization.**
|
||||
|
||||
Just like before, we manually remove several resources (GCS buckets and BQ datasets). Note that `terrafom destroy` will fail. This is expected; just continue with the rest of the steps.
|
||||
|
||||
```bash
|
||||
cd $FAST_PWD/00-bootstrap/
|
||||
|
@ -77,13 +80,14 @@ for x in $(terraform state list | grep google_bigquery_dataset); do
|
|||
done
|
||||
|
||||
terraform destroy
|
||||
```
|
||||
|
||||
# when this fails continue with the steps below
|
||||
# make your user (the one you are using to execute this step) org admin again, as we will remove organization-admins group roles
|
||||
When the destroy fails, continue with the steps below. Again, make sure your user (the one you are using to execute this step) has the Organization Administrator role, as we will remove the permissions for the organization-admins group
|
||||
|
||||
```bash
|
||||
# Add the Organization Admin role to $BU_USER in the GCP Console
|
||||
|
||||
# grant yourself this permission so you can finish the destruction
|
||||
# then execute the command below to grant yourself the permissions needed
|
||||
# to finish the destruction
|
||||
export FAST_DESTROY_ROLES="roles/billing.admin roles/logging.admin \
|
||||
roles/iam.organizationRoleAdmin roles/resourcemanager.projectDeleter \
|
||||
roles/resourcemanager.folderAdmin roles/owner"
|
||||
|
@ -105,6 +109,6 @@ terraform destroy
|
|||
rm -i terraform.tfstate*
|
||||
```
|
||||
|
||||
In case you are willing to deploy FAST stages again, the following changes shall be done before:
|
||||
In case you want to deploy FAST stages again, the make sure to:
|
||||
* Modify the [prefix](00-bootstrap/variables.tf) variable to allow the deployment of resources that need unique names (eg, projects).
|
||||
* Modify the [custom_roles](00-bootstrap/variables.tf) variable to allow recently deleted custom roles to be created again.
|
||||
* Modify the [custom_roles](00-bootstrap/variables.tf) variable to allow recently deleted custom roles to be created again.
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -39,7 +39,7 @@ resource "google_container_cluster" "cluster" {
min_master_version = var.min_master_version
network = var.network
subnetwork = var.subnetwork
logging_service = var.logging_config == null ? var.logging_service : null
logging_service = var.monitoring_config != null ? null : var.logging_config == null ? var.logging_service : null
monitoring_service = var.monitoring_config == null ? var.monitoring_service : null
resource_labels = var.labels
default_max_pods_per_node = var.enable_autopilot ? null : var.default_max_pods_per_node
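Review bot: The new `logging_service` expression is a nested ternary that is hard to read, and it now ties logging to `var.monitoring_config` while `monitoring_service` on the next line is still gated only on `var.monitoring_config`, with no comment explaining the asymmetry. It reduces to `logging_service = var.monitoring_config == null && var.logging_config == null ? var.logging_service : null`, and a one-line comment such as `# the legacy logging_service argument cannot be combined with either of the newer *_config blocks` (if that is the provider constraint being worked around) would make the intent clear to the next reader. The `google_container_cluster` resource starts and ends outside the hunk.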
@ -60,7 +60,12 @@ resource "google_container_cluster" "cluster" {
# TODO(ludomagno): compute addons map in locals and use a single dynamic block
addons_config {
dynamic "dns_cache_config" {
for_each = var.enable_autopilot ? [] : [""]
# Pass the user-provided value when autopilot is disabled. When
# autopilot is enabled, pass the value only when the addon is
# set to true. This will fail but warns the user that autopilot
# doesn't support this option, instead of silently discarding
# and hiding the error
for_each = !var.enable_autopilot || (var.enable_autopilot && var.addons.dns_cache_config) ? [""] : []
content {
enabled = var.addons.dns_cache_config
}
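Review bot: The `for_each` for the `dns_cache_config` dynamic block can be simplified: `!var.enable_autopilot || (var.enable_autopilot && var.addons.dns_cache_config)` is logically equivalent to `!var.enable_autopilot || var.addons.dns_cache_config`, and the `gcp_filestore_csi_driver_config` block in the next hunk writes the same rule in the negated form `var.enable_autopilot && !var.addons.gcp_filestore_csi_driver_config ? [] : [""]`. Using one form in both places, e.g. `for_each = var.enable_autopilot && !var.addons.dns_cache_config ? [] : [""]`, keeps the two blocks symmetric and easier to compare. The five-line explanatory comment is duplicated verbatim in both blocks; it could live once above `addons_config {` with a one-line pointer in each block such as `# see autopilot note above: emit the block when explicitly enabled so the API rejects it loudly`. The `addons_config` block continues outside the hunk.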
@ -85,10 +90,18 @@ resource "google_container_cluster" "cluster" {
auth = var.addons.istio_config.tls ? "AUTH_MUTUAL_TLS" : "AUTH_NONE"
}
gce_persistent_disk_csi_driver_config {
enabled = var.addons.gce_persistent_disk_csi_driver_config
enabled = var.enable_autopilot || var.addons.gce_persistent_disk_csi_driver_config
}
gcp_filestore_csi_driver_config {
enabled = var.addons.gcp_filestore_csi_driver_config
dynamic "gcp_filestore_csi_driver_config" {
# Pass the user-provided value when autopilot is disabled. When
# autopilot is enabled, pass the value only when the addon is
# set to true. This will fail but warns the user that autopilot
# doesn't support this option, instead of silently discarding
# and hiding the error
for_each = var.enable_autopilot && !var.addons.gcp_filestore_csi_driver_config ? [] : [""]
content {
enabled = var.addons.gcp_filestore_csi_driver_config
}
}
kalm_config {
enabled = var.addons.kalm_config
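Review bot: `enabled = var.enable_autopilot || var.addons.gce_persistent_disk_csi_driver_config` silently forces the GCE PD CSI driver on for autopilot clusters even when the caller set it to false, which is the opposite policy from the `gcp_filestore_csi_driver_config` block directly below, where a disallowed value is deliberately passed through so the API rejects it loudly. If autopilot requires this driver, a comment on that line saying so, e.g. `# autopilot clusters always run the PD CSI driver; a user-supplied false is ignored here`, would stop the next reader from treating the override as a bug, and the `addons` variable description should state that this value is ignored on autopilot. The `addons_config` block continues outside the hunk.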
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,11 +17,11 @@ terraform {
|
|||
required_providers {
|
||||
google = {
|
||||
source = "hashicorp/google"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
google-beta = {
|
||||
source = "hashicorp/google-beta"
|
||||
version = ">= 4.17.0"
|
||||
version = ">= 4.20.0" # tftest
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|