Commit Graph

57 Commits

Author SHA1 Message Date
Ludovico Magnocavallo a8c84357f4
Integrate checklist data in FAST (#1969)
* add locals for additive and authoritative org iam roles

* first shot at IAM and logging location

* tfdoc

* use locals for locations

* fix file parsing, resman stubs

* initial resman implementation

* remove unneeded code

* fix data file

* replace dumb yamldecode

* fix wrong type in organization additive bindings try

* simplify logging local

* Use check asserts for version and org id

* Checks on checklist for resman

* refactor checks, ignore checklist files on wrong org id

* stage 0 tests

* fix checklist checks

* stage 1 tests

---------

Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
2024-01-18 05:45:29 +01:00
simonebruzzechesse b15c573f18
add locations on terraform.tfvars.sample for bootstrap stage (#1967)
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2024-01-09 07:32:27 +00:00
Ludovico Magnocavallo 9d6e61428b
(WIP) Read-only service accounts for automation and CI/CD (#1899)
* add design doc for the new CI/CD sa

* describe the actual implementation

* specify which files will need to be changed

* Update 0-cicd-plan-sa.md

* Update 0-cicd-plan-sa.md

* Update 0-cicd-plan-sa.md

* Update 0-cicd-plan-sa.md

* Update 0-cicd-plan-sa.md

* Update 0-cicd-plan-sa.md

* Update 0-cicd-plan-sa.md

* Fix typo

* stage 0 read-only service accounts

* stage 0 IAM map

* linting

* cicd read-only service accounts

* tweak workflow templates

* roles and github workflow fixes

* tfdoc

* Ad-hoc custom role factory for FAST bootstrap

* use factory variable for custom roles data path

* custom roles factory in org/project modules

* tfdoc

* rename custom roles factory variable, fix gitlab template

* gitlab workflow fixes

* fix merge

* output plan results on failed assertion

* update stage 0 expected values

* data platform branch

* gke

* networking

* security

* project factory

* outputs

* workflow templates

* resman apply fixes

* tfdoc

* fix stage 1 test fixture

* fix gh workflow

* read-only resman sa roles

* fix test

* read-only resman sa roles

* read-only resman sa roles

* read-only resman sa roles

* read-only resman sa roles

* fix test variables

* rename wif principal attribute names

* rename wif principal variables

* multitenant stages

---------

Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
2023-12-27 11:33:16 +00:00
Ludovico Magnocavallo a2263da1f3
fix GitHub CI/CD provider (#1945) 2023-12-21 17:10:50 +00:00
Ludovico Magnocavallo e592996ba0
Revert "Add debug step for JWT tokens" (#1943)
This reverts commit d95280081f.
2023-12-21 14:50:27 +01:00
Wiktor Niesiobędzki d95280081f Add debug step for JWT tokens 2023-12-20 09:26:55 +01:00
Ludovico Magnocavallo bba814c091
Custom role factories for organization and project modules (#1912)
* backport custom role factories

* backport from fast ci/cd branch

* indent

* tfdoc

* fix module tests
2023-12-11 14:16:39 +00:00
ibrahimparvez2 21297f28a6
Patch Github actions ci google-github-actions/auth@v0 --> v2 (#1900)
* Minor patch auth

* Minor update auth
2023-12-04 12:16:02 +00:00
Julio Castillo 85b18cf42b
Document `fast_features` (#1855) 2023-11-20 21:41:06 +00:00
alealr 8d06afcdb8 Updating wording 2023-10-31 14:35:27 +00:00
Simone Ruffilli 4decc641bb
Stop wrapping yamldecode with try() (#1812) 2023-10-25 16:16:05 +02:00
Simone Ruffilli a3290f2204
FAST: Add access transparency logs to the default sinks (#1810)
* Adds access transparency logs to the default sinks
2023-10-24 20:09:00 +00:00
Ludovico Magnocavallo 4690bf206a
Update README.md 2023-10-21 18:59:17 +02:00
Simone Ruffilli 3e16c6a959
FAST: adds support to uploading a wif provider pubkey (#1788) 2023-10-21 16:52:19 +00:00
Simone Ruffilli 6d89b88149
versions.tf maintenance + copyright notice bump (#1782)
* Bump copyright notice to 2023

* Delete versions.tf on blueprints

* Pin provider to major version 5

* Remove comment

* Fix lint

* fix bq-ml blueprint readme

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
2023-10-20 18:17:47 +02:00
Ludovico Magnocavallo e0d84fb10b
add sink for workspace logs (#1780) 2023-10-19 14:51:01 +00:00
Ludovico Magnocavallo 77a4696aa6
Add gcp org policy constraints file to bootstrap stage (#1775)
* add gcp org policy constraints file to bootstrap

* make the org policy factories more resilient
2023-10-18 18:21:16 +00:00
Ludovico Magnocavallo 94ae8634fc
Update IAM.md 2023-10-18 19:57:03 +02:00
Ludovico Magnocavallo e41cc4ec36
Update IAM.md 2023-10-18 19:56:40 +02:00
Ludovico Magnocavallo 6252198961
Update IAM.md 2023-10-18 19:56:20 +02:00
Ludovico Magnocavallo e7e188818a
Add service usage consumer role to IaC SAs, refactor delegated grants in FAST (#1773)
* add serviceusage role to iac sas, refactor delegated grants

* fix test

* tfdoc
2023-10-18 12:18:31 +00:00
Ludovico Magnocavallo 252127bde5
Billing account module (#1743)
* initial untested draft

* readme and tests

* folder module tfdoc

* remove redundant billing cost manager role in fast stage 0

* fix FAST test
2023-10-15 15:02:50 +00:00
Alejandro Leal 81c6959617 Update to lint.sh and wording to some tf
fast/stages-multitenant/0-bootstrap-tenant/identity-providers.tf
fast/stages/0-bootstrap/identity-providers.tf
tools/lint.sh
2023-10-05 00:17:20 -04:00
Ludovico Magnocavallo 2ee8f57769
FAST: add example of custom org policy condition to bootstrap README (#1718)
* add oslogin constraint condition example to bootstrap

* add oslogin constraint condition example to bootstrap

* add oslogin constraint condition example to bootstrap
2023-09-30 10:22:56 +02:00
Julio Castillo b2d27b5f12 Update bootstrap and destroy roles 2023-09-28 11:41:56 +02:00
Julio Castillo 30772d921c
Update README.md 2023-09-28 10:59:54 +02:00
Ludovico Magnocavallo fcc1aa87c4
fix latest commit 2023-09-28 10:58:31 +02:00
Ludovico Magnocavallo 76b4605326
add missing roles for initial bootstrap 2023-09-28 10:57:46 +02:00
Ludovico Magnocavallo fb08e1b01e
Only apply org policies when bootstrap user is not set (#1707)
* only apply org policies when bootstrap user is not set

* Add Org Policy Admin to bootstrap roles

* Fix cleanup doc

---------

Co-authored-by: Julio Castillo <jccb@google.com>
2023-09-27 23:24:40 +02:00
giterinhub 22186ff884
Update README.md
Changed aopproach to approach
2023-09-27 13:59:19 +02:00
Ludovico Magnocavallo f628cdbc06
FAST: move organization policies to stage 0 (#1698)
* design doc

* Update 0-org-policies.md

* moved org policies to stage 0, wip

* stage0

* stage 0

* export tag keys and values from stage 0

* rename factory variable

* change org policy outputs

* stage 1

* Update 0-org-policies.md

* make org policy variable not nullable, README changes

* use optionals for tag names

* better factory variable name

* README changes

* ADR
2023-09-21 14:03:21 +00:00
Ludovico Magnocavallo 82fcd5a7d3
rename FAST globals output file (#1695) 2023-09-20 10:36:06 +02:00
Ludovico Magnocavallo ec3b705f53
Change type of `iam_bindings` variable to allow multiple conditional bindings (#1658)
* modules

* fast

* dns readme
2023-09-08 08:56:31 +02:00
Julio Castillo 1adfb9fb32 Fix role name for delegated grants in FAST bootstrap
Fixes issue behind #1621
2023-08-24 19:13:42 +02:00
Ludovico Magnocavallo 819894d2ba
IAM interface refactor (#1595)
* IAM modules refactor proposal

* policy

* subheading

* Update 20230816-iam-refactor.md

* log Julio's +1

* data-catalog-policy-tag

* dataproc

* dataproc

* folder

* folder

* folder

* folder

* project

* better filtering in test examples

* project

* folder

* folder

* organization

* fix variable descriptions

* kms

* net-vpc

* dataplex-datascan

* modules/iam-service-account

* modules/source-repository/

* blueprints/cloud-operations/vm-migration/

* blueprints/third-party-solutions/wordpress

* dataplex-datascan

* blueprints/cloud-operations/workload-identity-federation

* blueprints/data-solutions/cloudsql-multiregion/

* blueprints/data-solutions/composer-2

* Update 20230816-iam-refactor.md

* Update 20230816-iam-refactor.md

* capture discussion in architectural doc

* update variable names and refactor proposal

* project

* blueprints first round

* folder

* organization

* data-catalog-policy-tag

* re-enable folder inventory

* project module style fix

* dataproc

* source-repository

* source-repository tests

* dataplex-datascan

* dataplex-datascan tests

* net-vpc

* net-vpc test examples

* iam-service-account

* iam-service-account test examples

* kms

* boilerplate

* tfdoc

* fix module tests

* more blueprint fixes

* fix typo in data blueprints

* incomplete refactor of data platform foundations

* tfdoc

* data platform foundation

* refactor data platform foundation iam locals

* remove redundant example test

* shielded folder fix

* fix typo

* project factory

* project factory outputs

* tfdoc

* test workflow: less verbose tests, fix tf version

* re-enable -vv, shorter traceback, fix action version

* ignore github extension warning, re-enable action version

* fast bootstrap IAM, untested

* bootstrap stage IAM fixes

* stage 0 tests

* fast stage 1

* tenant stage 1

* minor changes to fast stage 0 and 1

* fast security stage

* fast mt stage 0

* fast mt stage 0

* fast pf
2023-08-20 09:44:20 +02:00
Stefan Moser dcb3c32761
fix null object exception in bootstrap output when using cloudsource repos (#1597) 2023-08-17 09:03:23 +00:00
Ludovico Magnocavallo 2423fd40c1
Fix FAST CI/CD for Gitlab (#1593)
* fix cicd (multitenant untested)

* tfdoc

* rename allowed_audiences to audiences, align multitenant
2023-08-15 12:59:31 +02:00
Luca Prete 47daeaafe1
Update FAST CI/CD workflows so they can work with ID_TOKEN and Gitlab 15+ 2023-08-03 16:09:45 +00:00
Ludovico Magnocavallo c918cfc800
Update README.md 2023-07-27 13:40:26 +02:00
Natalia Strelkova e00d3bcba4
README: audit logs on org level go to a logging bucket, not bigquery 2023-07-10 16:42:01 +02:00
Ludovico Magnocavallo 154df17951
FAST: initial implementation of lightweight tenants (#1470)
* initial import

* fixes

* fixes

* fixes

* red SA roles

* red SA roles

* org-level custom roles var, tenants IAM config

* tfdoc

* allow core SA to write output files to tenant bucket

* README

* implement comments on PR

* show tenant org example

* update example
2023-07-07 08:40:37 +02:00
Keith Harvey a68a3b55cb
Bump TF version in all workflow templates to coincide with module requirements (#1445)
* Resman - bump GH TF version to coincide with module requirements (#1)

Bootstrap was bumped in #1414

* Bump TF version in all workflow files

* bump TF version in missed workflow file
2023-06-16 07:39:28 +00:00
David Asaf 43ce70e1ed
Bump GH TF version to coincide with module requirements (#1414) 2023-06-03 06:20:11 +00:00
Roberto Jung Drebes d2f0b17ec4
Allows groups from other orgs/domains (#1383)
* Allows groups from other orgs
2023-05-17 11:07:47 +02:00
Alejandro Leal 87cd83f5c0 Several updates
Several updates
2023-05-13 23:51:46 -04:00
Ludovico Magnocavallo 75cc2f3d7a
FAST: shorten stage 3 prefixes, enforce prefix length in stage 3s (#1346)
* shorten stage 3 prefixes, enforce prefix length in stage 3s

* tfdoc

* tfdoc
2023-05-03 07:39:41 +02:00
Julio Castillo 6f06ca5781 Fix readmes 2023-04-27 12:46:52 +02:00
Dazbo 56261101c3
Allow longer org pfx plus tenant pfx (#1318)
Thanks!!!
2023-04-12 01:36:37 +02:00
Julio Castillo 38808b37c0 Manage billing.creator role authoritatively in FAST bootstrap.
By default new orgs grant billing.creator and
resourcemanager.projectCreator to the whole domain[1]. This PR makes
FAST remove the former binding during the bootstrap (the latter is
already managed by FAST).

Fixes #1220

[1] https://cloud.google.com/resource-manager/docs/default-access-control
2023-03-07 17:52:00 +01:00
Ludovico Magnocavallo 96e829bdf3
Billing exclusion support for FAST mt resman (#1209)
* fix files resource parsing in tfdoc

* fix tfdoc generated output

* billing exclusion support in mt bootstrap
2023-03-03 16:23:36 +00:00