7a5dd4e6db
FAST: add top-level folders and restructure teams/tenants in resman ( #2254 )
...
* remove teams and tenants from resman
* move fast features to stage 1, fix test inventories
* folders
* fix factory, add top level folder resources to outputs
* tfdoc
* stage 0 log sink defs
* tfdoc
* enable toc in resman readme
* simple tenants
* fast compatibility automation and logging
* testing fast-compatible tenants
* testing fast-compatible tenants
* tfdoc
* remove mt stages
* remove tests, fix links
* disable tflint
* fast tests
* make organization conditional in resman
* check names tool
* export real prefix to tfvars, prevent destroy errors
* prefix validation
* fix billing account export format
* tfdoc
* root node folder
* resman changes
* tenant resman roles
* first apply of tenant resman
* tenant log sinks in stage 1
* fix test vars
* tfdoc
* tenant vpc-sc access policy
* fix tests expected values
* tenant CI/CD
* identity providers
* wif
* tfdoc
* add comments to identity locals
* full-feature tenant resman apply
* tenant billing IAM
* stage test
* fix CI/CD comments
* tenant net stage verified
* tenant sec stage verified
* fix test
* README work
* tfdoc
* README
* README rewording
* README rewording
* tfdoc
* FAST excalidraw
* review comments
* diagram review changes
* add iam log sink for tenants
* remove redundant try from security stage
* Implement tflint-fast in Python driven by tftest.yaml files
* tflint
* test ci changes
* revert linting changes
* disable tflint for fast
* Create junit-style report for FAST tflint
* Remove junit-reporter
* YAPF tflint-fast.py
* Output tflint FAST to job summary
* Step summary
* Disable step_summary as output is not useful
* ignore tflint warning
* re-enable tflint on FAST
---------
Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
2024-05-15 09:17:13 +00:00
3af7e257d2
Add tflint to pipelines ( #2220 )
...
* Fix terraform_deprecated_index
https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_index.md
* Fix terraform_deprecated_interpolation
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
* Fix more indexing
* Remove unused variable
* Enable TFLint for modules
* Add tflint config file
* Fix chdir
* Lint modules
* TFLint fixes
* TFLint
* Fixes binauthz README
* Fixes DNS response policy tests. Restores MIG outputs.
* Fixes other DNS response policy tests.
* Update tests for fast 2-e
* Moar fixed tests
---------
Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2024-04-17 10:23:48 +02:00
a9ac0f40cd
Add variable to resman to control top-level folder IAM ( #2196 )
2024-04-04 10:26:35 +02:00
e7e188818a
Add service usage consumer role to IaC SAs, refactor delegated grants in FAST ( #1773 )
...
* add serviceusage role to iac sas, refactor delegated grants
* fix test
* tfdoc
2023-10-18 12:18:31 +00:00
f628cdbc06
FAST: move organization policies to stage 0 ( #1698 )
...
* design doc
* Update 0-org-policies.md
* moved org policies to stage 0, wip
* stage0
* stage 0
* export tag keys and values from stage 0
* rename factory variable
* change org policy outputs
* stage 1
* Update 0-org-policies.md
* make org policy variable not nullable, README changes
* use optionals for tag names
* better factory variable name
* README changes
* ADR
2023-09-21 14:03:21 +00:00
00cac9148a
fix(stages): only add sandbox SA when `sandbox` feature is enabled ( #1391 )
...
If you have the `project_factory` feature enabled, but not the `sandbox` feature (as it's not a requirement on your org), when doing a `terraform apply` on `1-resman` it raises this errors as it's expecting the wrong feature when creating the sandbox SA
```
│ Error: Invalid index
│
│ on branch-sandbox.tf line 68, in resource "google_organization_iam_member" "org_policy_admin_sandbox":
│ 68: member = module.branch-sandbox-sa.0.iam_email
│ ├────────────────
│ │ module.branch-sandbox-sa is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.
```
2023-05-24 05:17:35 +00:00
e0911c6291
Add conditional org admin role to sandbox SA ( #1385 )
...
* add org admin conditional role to sandbox SA
* tfdoc
2023-05-21 10:48:41 +02:00
5fb17cb3ac
Widen scope for prod project factory SA to dev ( #1263 )
...
* restrict storage role on outputs bucket for stage SAs
* grant prod project factory SA authority over prod and dev org policies
* network stages delegated grants on dev to prod pf SA
* security grants to prod pf SA on dev
* tfdoc
* tests
2023-03-17 16:24:55 +00:00
a5e905cb80
Update remaining org policies
2023-02-21 15:49:16 +01:00
5453c585e0
FAST multitenant bootstrap and resource management, rename org-level FAST stages ( #1052 )
...
* rename stages
* remove support for external org billing, rename output files
* resman: make groups optional, align on new billing account variable
* bootstrap: multitenant outputs
* tenant bootstrap stage, untested
* fix folder name
* fix stage 0 output names
* optional creation for tag keys in organization module
* single tenant bootstrap minus tag
* rename output files, add tenant tag key
* fix organization module tag values output
* test skipping creation for tags in organization module
* single tenant bootstrap plan working
* multitenant bootstrap
* tfdoc
* fix check links error messages
* fix links
* tfdoc
* fix links
* rename fast tests, fix bootstrap tests
* multitenant stages have their own folder, simplify stage numbering
* stage renumbering
* wip
* rename tests
* exclude fast providers in fixture
* stage 0 tests
* stage 1 tests
* network stages tests
* stage tests
* tfdoc
* fix links
* tfdoc
* multitenant tests
* remove local files
* stage links command
* fix links script, TODO
* wip
* wip single tenant bootstrap
* working tenant bootstrap
* update gitignore
* remove local files
* tfdoc
* remove local files
* allow tests for tenant bootstrap stage
* tenant bootstrap proxies stage 1 tfvars
* stage 2 and 3 service accounts and IAM in tenant bootstrap
* wip
* wip
* wip
* drop multitenant bootstrap
* tfdoc
* add missing stage 2 SAs, fix org-level IAM condition
* wip
* wip
* optional tag value creation in organization module
* stage 1 working
* linting
* linting
* READMEs
* wip
* Make stage-links script work in old macos bash
* stage links command help
* fix output file names
* diagrams
* fix svg
* stage 0 skeleton and diagram
* test svg
* test svg
* test diagram
* diagram
* readme
* fix stage links script
* stage 0 readme
* README changes
* stage readmes
* fix outputs order
* fix link
* fix tests
* stage 1 test
* skip stage example
* boilerplate
* fix tftest skip
* default bootstrap stage log sinks to log buckets
* add logging to tenant bootstrap
* move iam variables out of tenant config
* fix cicd, reintroduce missing variable
* use optional in stage 1 cicd variable
* rename extras stage
* rename and move identity providers local, use optional for cicd variable
* tfdoc
* add support for wif pool and providers, ci/cd
* tfdoc
* fix links
* better handling of modules repository
* add missing role on logging project
* fix cicd pools in locals, test cicd
* fix workflow extension
* fix module source replacement
* allow tenant bootstrap cicd sa to impersonate resman sa
* tenant workflow templates fix for no providers file
* fix output files, push github workflow template to new repository
* remove try from outpout files
* align stage 1 cicd internals to stage 0
* tfdoc
* tests
* fix tests
* tests
* improve variable descriptions
* use optional in fast features
* actually create tenant log sinks, and allow the resman sa to do it
* test
* tests
* aaaand tests again
* fast features tenant override
* fast features tenant override
* fix wording
* add missing comment
* configure pf service accounts
* add missing comment
* tfdoc
* tests
* IAM docs
* update copyright
---------
Co-authored-by: Julio Castillo <jccb@google.com>
2023-02-04 15:00:45 +01:00
Ludovico Magnocavallo
Julio Castillo
Gustavo Valverde