fb08e1b01e
Only apply org policies when bootstrap user is not set ( #1707 )
...
* only apply org policies when bootstrap user is not set
* Add Org Policy Admin to bootstrap roles
* Fix cleanup doc
---------
Co-authored-by: Julio Castillo <jccb@google.com>
2023-09-27 23:24:40 +02:00
22186ff884
Update README.md
...
Changed aopproach to approach
2023-09-27 13:59:19 +02:00
1dfa72cadf
Define and adopt standard IP ranges for FAST networking ( #1697 )
...
* Define and adopt standard IP ranges for FAST networking
This PR documents and adopts a consistent IP address plan for FAST
networking stages
Fixes #1644
* Fix documented aggregated ranges for FAST
* Fix tests
* Fix ip ranges in documentation
* Fix NVA stages README
2023-09-21 14:27:53 +00:00
f628cdbc06
FAST: move organization policies to stage 0 ( #1698 )
...
* design doc
* Update 0-org-policies.md
* moved org policies to stage 0, wip
* stage0
* stage 0
* export tag keys and values from stage 0
* rename factory variable
* change org policy outputs
* stage 1
* Update 0-org-policies.md
* make org policy variable not nullable, README changes
* use optionals for tag names
* better factory variable name
* README changes
* ADR
2023-09-21 14:03:21 +00:00
82fcd5a7d3
rename FAST globals output file ( #1695 )
2023-09-20 10:36:06 +02:00
ad14a7d415
Update READMEs
2023-09-17 00:21:36 +02:00
960e015b42
Fix FAST tests
2023-09-17 00:21:36 +02:00
121598dbea
Move FAST security delegated admins to iam_bindings_additive
2023-09-17 00:21:36 +02:00
9c878dc9cf
Fix tests for new KMS IAM interface
2023-09-17 00:21:36 +02:00
d3d77d17fb
fix psa routing variable in FAST net stages ( #1685 )
2023-09-16 10:31:02 +02:00
6eb862a775
GKE cluster modules: add optional kube state metrics ( #1682 )
...
* `gke-cluster-standard`: add optional kube state metrics
* `gke-cluster-autopilot`: add optional kube state metrics
* FAST: add kube state metrics support for GKE
* blueprints/gke: add kube state metrics support
* Bump up the provider version to `v4.82.0`
2023-09-15 12:18:45 +01:00
f3be29cbc9
Fix tests
2023-09-15 00:27:55 +02:00
b3dc91b5cd
Upgrades to `monitoring_config` in `gke-cluster-*`, docs update, and cosmetics fixes to GKE cluster modules ( #1680 )
...
* gke-cluster-standard: upgrade `monitoring_config` to use object style. Add tests.
* gke-cluster-standard: update docs
* gke-cluster-autopilot: move gateway_api_config block (cosmetic change)
* gke-cluster-autopilot: update docs and fix typos
* Update blueprints due to `monitoring_config` changes in `gke-cluster-standard`.
* Update FAST due to `monitoring_config` changes in `gke-cluster-standard`.
* Update docs for affected blueprints and FAST stages
2023-09-14 23:25:57 +01:00
8d7772761c
Fix FAST readmes
2023-09-14 13:10:16 +02:00
c1be435b09
Fix range names definition of GKE clusters
...
Fixes #1677
2023-09-14 12:51:43 +02:00
949e98d375
Increase size of pod range for default GKE subnets in FAST
...
Related to the issues reported in #1644
2023-09-11 10:28:42 +02:00
3915a016c9
Align pf stage sample data to new format ( #1664 )
...
* align pf stage sample data to new format
* boilerplate
2023-09-09 10:04:19 +02:00
fcefadbd8e
[ #1661 ] Make FAST stage 1 resman tf destroy more reliable
...
Co-authored-by: Luca Prete <lucaprete@google.com>
2023-09-08 10:09:31 +00:00
e14789ecb0
link project factory documentation from FAST stage ( #1659 )
2023-09-08 07:14:16 +00:00
ec3b705f53
Change type of `iam_bindings` variable to allow multiple conditional bindings ( #1658 )
...
* modules
* fast
* dns readme
2023-09-08 08:56:31 +02:00
12e78af055
Fix project factory blueprint and fast stage ( #1654 )
2023-09-07 12:48:39 +00:00
988fd2ee05
gke-cluster-standard: change logging configuration ( #1638 )
...
* Update logging configuration of this module to use object interface in harmony with `gke-cluster-autopilot` module.
* Update blueprints that use this module.
* Add "WORKLOADS" log source to logging configuration of the blueprints where the README files say so.
* Update FAST stage 3 because it uses this module.
2023-08-31 12:49:15 +01:00
804e7c961e
Silence FAST tests warnings
...
- Fix pytest PytestUnraisableExceptionWarning
- Remove incorrect print
- Use tfvars for some examples in READMEs
2023-08-28 18:40:41 +02:00
c63884d52e
Remove unused ASN numbers in CloudNAT to avoid FAST provider errors
2023-08-28 15:32:30 +00:00
b88e4c6f6e
Fix syntax error in FAST nva
2023-08-28 16:28:01 +02:00
b701d55b1f
Fix tests
2023-08-28 16:00:48 +02:00
5e9829373c
Fix FAST hfw policies
2023-08-28 16:00:48 +02:00
4c64c15871
Revert "Remove unused ASN numbers from CloudNAT to avoid provider errors" ( #1626 )
...
This reverts commit 311bed8e83
2023-08-28 09:33:52 +02:00
1adfb9fb32
Fix role name for delegated grants in FAST bootstrap
...
Fixes issue behind #1621
2023-08-24 19:13:42 +02:00
50a449965f
Fix: align stage-2-e-nva-bgp to the latest APIs
2023-08-23 13:34:11 +02:00
8ca60881f1
Fix: use existing variable to optionally name fw policies ( #1610 )
2023-08-22 08:55:56 +02:00
819894d2ba
IAM interface refactor ( #1595 )
...
* IAM modules refactor proposal
* policy
* subheading
* Update 20230816-iam-refactor.md
* log Julio's +1
* data-catalog-policy-tag
* dataproc
* dataproc
* folder
* folder
* folder
* folder
* project
* better filtering in test examples
* project
* folder
* folder
* organization
* fix variable descriptions
* kms
* net-vpc
* dataplex-datascan
* modules/iam-service-account
* modules/source-repository/
* blueprints/cloud-operations/vm-migration/
* blueprints/third-party-solutions/wordpress
* dataplex-datascan
* blueprints/cloud-operations/workload-identity-federation
* blueprints/data-solutions/cloudsql-multiregion/
* blueprints/data-solutions/composer-2
* Update 20230816-iam-refactor.md
* Update 20230816-iam-refactor.md
* capture discussion in architectural doc
* update variable names and refactor proposal
* project
* blueprints first round
* folder
* organization
* data-catalog-policy-tag
* re-enable folder inventory
* project module style fix
* dataproc
* source-repository
* source-repository tests
* dataplex-datascan
* dataplex-datascan tests
* net-vpc
* net-vpc test examples
* iam-service-account
* iam-service-account test examples
* kms
* boilerplate
* tfdoc
* fix module tests
* more blueprint fixes
* fix typo in data blueprints
* incomplete refactor of data platform foundations
* tfdoc
* data platform foundation
* refactor data platform foundation iam locals
* remove redundant example test
* shielded folder fix
* fix typo
* project factory
* project factory outputs
* tfdoc
* test workflow: less verbose tests, fix tf version
* re-enable -vv, shorter traceback, fix action version
* ignore github extension warning, re-enable action version
* fast bootstrap IAM, untested
* bootstrap stage IAM fixes
* stage 0 tests
* fast stage 1
* tenant stage 1
* minor changes to fast stage 0 and 1
* fast security stage
* fast mt stage 0
* fast mt stage 0
* fast pf
2023-08-20 09:44:20 +02:00
6eeba5e599
[Data Platform] Update README.md ( #1601 )
...
Fix hardcoded path in readme.
2023-08-18 18:27:43 +02:00
ea0de3adbb
Fixing some typos
2023-08-18 05:51:00 +00:00
dcb3c32761
fix null object exception in bootstrap output when using cloudsource repos ( #1597 )
2023-08-17 09:03:23 +00:00
2423fd40c1
Fix FAST CI/CD for Gitlab ( #1593 )
...
* fix cicd (multitenant untested)
* tfdoc
* rename allowed_audiences to audiences, align multitenant
2023-08-15 12:59:31 +02:00
c5a77ebfe3
fix module path for teams cicd ( #1583 )
2023-08-09 21:41:56 +00:00
9600047a32
Enable team CI/CD impersonation ( #1579 )
2023-08-09 08:46:24 -04:00
79373721df
Remove firewall policy management from resource management modules ( #1581 )
...
* rename firewall policy module, fix outputs
* add TOC to firewall policy module
* don't depend policy on parent id
* remove firewall policy from resource management modules
* remove factory conditionals
* fast net a and b
* fast stages
* fast tfdoc
* fast tfdoc
* remove unused test
* fix shielded folder blueprint
* fix shielded folder blueprint
2023-08-09 11:23:07 +00:00
9c75aa469c
More module descriptions ( #1572 )
...
* bigquery dataset
* data catalog policy tag
* net-address
* fix data catalog callers
* bigquery dataset views
* fix data catalog callers
* logging bucket
* net vpn ha
2023-08-06 09:25:45 +00:00
311bed8e83
Remove unused ASN numbers from CloudNAT to avoid provider errors
2023-08-04 08:02:11 +00:00
47daeaafe1
Update FAST CI/CD workflows so it can work with ID_TOKEN and Gitlab 15+
2023-08-03 16:09:45 +00:00
b524aa137c
Peering module refactor ( #1547 )
...
* refactor net-vpc-peering module
* hub and spoke peering blueprint
* fast stages
* boilerplate
* fast tfdoc
---------
Co-authored-by: Julio Castillo <jccb@google.com>
2023-07-29 21:33:57 +02:00
c918cfc800
Update README.md
2023-07-27 13:40:26 +02:00
ea800fa475
fix stage links for GKE stage ( #1514 )
2023-07-20 10:48:45 +00:00
cacb0c02e2
Refactoring of dns module
2023-07-19 12:57:44 +02:00
aa1a79632b
Create 0-org-policies.md
2023-07-15 18:40:18 +02:00
4ad55923b7
Update 0-bootstram-user-iam.md
2023-07-13 19:33:01 +02:00
fbbe668015
Document architectural decisions ( #1506 )
...
* add architectural decisions log and first decision
* add header
* typo
2023-07-13 16:15:32 +02:00
e00d3bcba4
README: audit logs on org level go to a logging bucket, not bigquery
2023-07-10 16:42:01 +02:00
154df17951
FAST: initial implementation of lightweight tenants ( #1470 )
...
* initial import
* fixes
* fixes
* fixes
* red SA roles
* red SA roles
* org-level custom roles var, tenants IAM config
* tfdoc
* allow core SA to write output files to tenant bucket
* README
* implement comments on PR
* show tenant org example
* update example
2023-07-07 08:40:37 +02:00
623c886e95
Peering dashboard ( #1492 )
...
* Adding dashboard to monitor VPC and VPC peering group quotas
* Adding 1 ressource to the tests (dashboard)
* Adding dashboard and tests for other networking architecture
* Update test
2023-07-05 18:25:31 +02:00
d49a5c0fbb
Fix primary gke/dp ranges in FAST subnets
2023-06-30 19:28:21 +02:00
772cf813fc
FAST: short_name_is_prefix for multi-tenant ( #1478 )
...
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2023-06-30 09:49:25 +02:00
43b3490ef1
Updating a few files for typos
...
fast/stages/3-data-platform/dev/README.md
fast/stages/3-data-platform/dev/outputs.tf
CHANGELOG.md
blueprints/data-solutions/data-platform-minimal/README.md
blueprints/data-solutions/data-platform-minimal/outputs.tf
blueprints/data-solutions/data-platform-foundations/README.md
2023-06-29 21:47:17 -04:00
d3e4864b57
Making the changes as suggested in https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1477#issuecomment-1612846907
2023-06-29 12:24:29 -04:00
0b19a16593
Changing the IP ranges in all networking stages
2023-06-28 14:45:33 -04:00
f75bc321b9
Changing the IP range of pods from 100.64.48.0/20 to 100.65.16.0/20 as there is an overlap in 100.64.0.0/16 range with dev-gke-nodes-ew1.yaml
2023-06-28 14:15:35 -04:00
d6aea3ff5f
Remove unneeded file from resman stage
2023-06-27 09:54:46 +02:00
638841c8d1
Rename network load balancer modules ( #1466 )
...
* update LB modules to new names
* update LB modules names
* update test paths
2023-06-26 07:50:10 +00:00
7cacc46b4b
fixup(project-factory): Use the correct KMS Service Agents attribute … ( #1446 )
...
* fixup(project-factory): Use the correct KMS Service Agents attribute name
* Add new KMS bindings to tests
* Update test resource counts
* Update README.md resource count
2023-06-19 23:53:08 +00:00
a68a3b55cb
Bump TF version in all workflow templates to coincide with module requirements ( #1445 )
...
* Resman - bump GH TF version to coincide with module requirements (#1 )
Bootstrap was bumped in #1414
* Bump TF version in all workflow files
* bump TF version in missed workflow file
2023-06-16 07:39:28 +00:00
815728aca6
fix repo names check ( #1443 )
2023-06-15 16:08:57 +00:00
e900e9c951
Make internal/external addresses optional in compute-vm
...
Fixes 1431
2023-06-08 14:00:10 +02:00
6b4bca10bd
Use RFC6598 addresses for pods and subnets
...
10.128.0.0/9 is public network.
Closes : #1424
2023-06-08 07:56:31 +02:00
c024eca320
Add custom tag support to FAST ( #1426 )
...
* initial implementation of custom tags
* depend org policies on tags
* fix test
* integrate default and custom org policy tags
2023-06-07 22:10:27 +00:00
7bd6e5d57b
Small fixes ( #1425 )
...
* fix serverless connector plugin outputs
* add internal and lb to allowed ingress org policy
* add validation condition on cloud run ingress settings
* tfdoc
* plugin tfdoc
* allow disabling googleapis routes with a single instruction in net-vpc
* fix variable def
* fix variable description
* fix cr variable validation
* fix usage of create_googleapis_routes in examples and stages
2023-06-07 17:37:46 +00:00
0fe3f165ed
Add VPN monitoring alerts to 2-networking and VPN usage chart
...
The Fast stage 2-networking-* currently adds a monitoring dashboard
for VPN metrics. This change adds an additional chart to monitor the
usage of the VPN bandwidth.
This change also adds the following monitoring alerts:
* VPN tunnel established
*
[VPN bandwidth](https://cloud.google.com/network-connectivity/docs/vpn/how-to/viewing-logs-metrics#define-bandwidth-alerts )
To configure the alerts, there is a new `alert_config` variable with
defined default values.
The alerts are created in the stage `b` by default. In the stages a,
c, d, and e, the alerts are created if the user creates the On-prem
VPN.
To disable the creation of alerts, add the following to
`terraform.tfvars`:
```
alert_config = {
vpn_tunnel_established = null
vpn_tunnel_bandwidth = null
}
```
2023-06-06 13:49:21 +01:00
9af4db2fa0
Delete FAQ.md
2023-06-06 14:47:26 +02:00
43ce70e1ed
Bump GH TF version to coincide with module requirements ( #1414 )
2023-06-03 06:20:11 +00:00
b6ce4222d1
Fix nva stages tests
2023-05-26 17:32:34 +02:00
fb121b4d08
Fix FAST tests
2023-05-26 17:17:40 +02:00
0888cce3a5
Rename to `create_googleapis_routes`
2023-05-26 16:43:43 +02:00
7a91a7e41c
Add default googleapi route creation to net-vpc
2023-05-26 10:55:35 +02:00
4aa99ea829
allow setting identities in egress policies ( #1394 )
2023-05-24 12:05:16 +02:00
00cac9148a
fix(stages): only add sandbox SA when `sandbox` feature is enabled ( #1391 )
...
If you have the `project_factory` feature enabled, but not the `sandbox` feature (as it's not a requirement on your org), when doing a `terraform apply` on `1-resman` it raises this errors as it's expecting the wrong feature when creating the sandbox SA
```
│ Error: Invalid index
│
│ on branch-sandbox.tf line 68, in resource "google_organization_iam_member" "org_policy_admin_sandbox":
│ 68: member = module.branch-sandbox-sa.0.iam_email
│ ├────────────────
│ │ module.branch-sandbox-sa is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.
```
2023-05-24 05:17:35 +00:00
e0911c6291
Add conditional org admin role to sandbox SA ( #1385 )
...
* add org admin conditional role to sandbox SA
* tfdoc
2023-05-21 10:48:41 +02:00
d2f0b17ec4
Allows groups from other orgs/domains ( #1383 )
...
* Allows groups from other orgs
2023-05-17 11:07:47 +02:00
0ad21351c0
Merge branch 'master' into master
2023-05-15 14:25:42 -04:00
c4ec4868c2
Merge branch 'master' into fast-home-path-fix
2023-05-15 13:16:55 +02:00
f5b10fa3da
Fixed home path
2023-05-15 12:55:43 +02:00
7861ea74b8
fixed permissions for security stage SA ( #1376 )
...
it should be able to use automation project
as a quota project, hence it needs `serviceusage.serviceUsageConsumer`
role
2023-05-15 10:20:33 +00:00
87cd83f5c0
Several updates
...
Several updates
2023-05-13 23:51:46 -04:00
ac349332c4
fix routes priority typo
2023-05-09 21:28:56 +10:00
491b52f023
update variables files for gke nodepool taints ( #1358 )
...
* update variables files for gke node config taints to allow passing of node objects
* forgot to run terraform fmt..
* update module docs
2023-05-05 19:42:00 +02:00
efb0ebe689
Switch FAST networking stages to network policies for Google domains ( #1352 )
...
* peering stage implementation
* vpn stage implementation
* tfdoc
* tests
* add most supported google domains
* align all net stages
* add support for factory to DNS response policy module
* use dns policy factory in network stages
* boilerplate
2023-05-04 07:38:40 +02:00
75cc2f3d7a
FAST: shorten stage 3 prefixes, enforce prefix length in stage 3s ( #1346 )
...
* shorten stage 3 prefixes, enforce prefix length in stage 3s
* tfdoc
* tfdoc
2023-05-03 07:39:41 +02:00
6f06ca5781
Fix readmes
2023-04-27 12:46:52 +02:00
127787c65e
Add logging details to bootstrap outputs
2023-04-27 12:28:20 +02:00
016a4e08ae
fix fast tftest directives
2023-04-21 17:51:20 +02:00
121bc30e90
fix typo in variable name ( #1324 )
2023-04-17 07:40:05 +00:00
9072c3472e
strip org name from deploy key repo ( #1328 )
2023-04-17 08:59:07 +02:00
56261101c3
Allow longer org pfx plus tenant pfx ( #1318 )
...
Thanks!!!
2023-04-12 01:36:37 +02:00
2cd247bb1f
fix mt resman, add support for mt stage 2s ( #1315 )
2023-04-11 18:43:39 +09:00
4843d0dfaf
Fixed type in readme for FAST multitenant ( #1313 )
2023-04-11 04:47:03 +02:00
6917343a33
Fixed type in readme for FAST stages
2023-04-08 19:35:21 +01:00
a9cba47ce8
Add FAST stage 2-networking-e-nva-bgp (NVA+NCC)
...
Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Simone Bruzzechesse <bruzzechesse@google.com>
Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2023-04-04 20:41:04 +02:00
e2b0ef55ab
Update hierarchical_rules.schema.yaml ( #1285 )
...
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2023-03-30 06:30:52 +00:00
11b4fee5b5
Update Provider and Terraform variables section ( #1284 )
...
Updating readme so that the provider and terraform variables section is identical to the documentation in the other stages.
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2023-03-28 14:18:44 +00:00
3d41d01efc
FAST plugin system ( #1266 )
...
* plugin folder, gitignore, serverless connector example
* add support to fast plugin variables and outputs to tfdoc
* rename folder, READMEs
* add variable description
* show diffs
* check documentation, use multiple files
* debug check doc
* try a different glob
* debug tfdoc names
* more debug
* and even more debug
* fix gitignore
* fix links
* support extra files in tests
* fix fixture, switch stage 2 peering to new tests
* tfdoc
* Allow globs in extra files
---------
Co-authored-by: Julio Castillo <jccb@google.com>
2023-03-24 12:28:32 +00:00
Ludovico Magnocavallo
giterinhub
Julio Castillo
Oliver Frolovs
Luca Prete
lcaggio
Alejandro Leal
Stefan Moser
Matt
Miren Esnaola
Natalia Strelkova
Aurélien Legrand
Roberto Jung Drebes
Alejandro Leal
Arvind Ganesh
Albert Lloveras
Keith Harvey
Wiktor Niesiobędzki
Ana Fernandez del Alamo
David Asaf
Gustavo Valverde
Alex Ostapenko
Fawzi
Jack P
Dazbo
Simone Ruffilli
Geoff Cardamone