a68a3b55cb
* Resman - bump GH TF version to coincide with module requirements (#1) Bootstrap was bumped in #1414 * Bump TF version in all workflow files * bump TF version in missed workflow file |
||
---|---|---|
.. | ||
data/org-policies | ||
templates | ||
IAM.md | ||
README.md | ||
branch-data-platform.tf | ||
branch-gke.tf | ||
branch-networking.tf | ||
branch-project-factory.tf | ||
branch-sandbox.tf | ||
branch-security.tf | ||
branch-teams.tf | ||
cicd-data-platform.tf | ||
cicd-gke.tf | ||
cicd-networking.tf | ||
cicd-project-factory.tf | ||
cicd-security.tf | ||
diagram.png | ||
diagram.svg | ||
main.tf | ||
outputs-files.tf | ||
outputs-gcs.tf | ||
outputs.tf | ||
root_node.tf | ||
variables.tf |
README.md
Tenant resource management
This stage is run for a specific tenant after tenant bootstrap has successfully created initial resources for the tenant, which is then decoupled from the organization.
It is logically equivalent and almost identical in code to the corresponding organization resource management stage, with a few notable differences:
- the hierarchy is rooted in the tenant top-level folder instead of the organization
- there's no management of tag values and keys since they organization-level resources (it could be implemented for tenant-specific tags if the need arises)
- automation service accounts for subsequent stages are configured but not created here (tenant-level bootstrap creates them and assigns organization-level permissions)
The stage runs with a dedicated service account for the tenant, which has no permissions at the organization level except for billing and organization policies, constrained by a condition on the tenant tag.
The following diagram is a high level reference of what this stage manages, showing one hypothetical tenant (additional tenants require additional instances of this stage being deployed):
%%{init: {'theme':'base'}}%%
classDiagram
Tenant_root~📁~ -- tn0_automation
Tenant_root~📁~ -- Networking~📁~
Tenant_root~📁~ -- Security~📁~
Tenant_root~📁~ -- Data_Platform~📁~
Data_Platform~📁~ -- DP_Dev~📁~
Data_Platform~📁~ -- DP_Prod~📁~
Tenant_root~📁~ -- GKE~📁~
GKE~📁~ -- GKE_Dev~📁~
GKE~📁~ -- GKE_Prod~📁~
Tenant_root~📁~ -- Teams~📁~
Teams~📁~ -- Team_0~📁~
Team_0~📁~ -- Team_0_Dev~📁~
Team_0~📁~ -- Team_0_Prod~📁~
Tenant_root~📁~ -- Sandbox~📁~
class Tenant_root~📁~ {
- IAM bindings()
- org policies()
}
class tn0_automation {
- GCS buckets
- IAM bindings()
}
class Data_Platform~📁~ {
- IAM bindings()
- tag bindings()
}
class DP_Dev~📁~ {
- IAM bindings()
- tag bindings()
}
class DP_Prod~📁~ {
- IAM bindings()
- tag bindings()
}
class GKE~📁~ {
- IAM bindings()
- tag bindings()
}
class GKE_Dev~📁~ {
- IAM bindings()
- tag bindings()
}
class GKE_Prod~📁~ {
- IAM bindings()
- tag bindings()
}
class Networking~📁~ {
- IAM bindings()
- tag bindings()
}
class Security~📁~ {
- IAM bindings()
- tag bindings()
}
class Sandbox~📁~ {
- IAM bindings()
- tag bindings()
}
class Teams~📁~ {
- IAM bindings()
- tag bindings()
}
class Team_0~📁~ {
- IAM bindings()
- tag bindings()
}
class Team_0_Dev~📁~ {
- IAM bindings()
- tag bindings()
}
class Team_0_Prod~📁~ {
- IAM bindings()
- tag bindings()
}
As most of the features of this stage follow the same design and configurations of the organization-level resource management stage, we will only focus on the tenant-specific configuration in this document.
How to run this stage
As mentioned above this stage is decoupled from organization-level stages: it uses a service account and state bucket from the tenant-specific automation project, and its tfvars and provider files are also tenant-specific.
The stage-links.sh
script can be used to get the commands needed for the provider and output files, just set the variable for the tenant shortname (the same one specified in the tenant bootstrap stage) and pass a single argument with your FAST output files folder path, or GCS bucket URI:
TENANT=tn0 ../../stage-links.sh ~/fast-config
The script output can be copy/pasted to a terminal:
# copy and paste the following commands for '1-resman-tenant'
ln -s ~/fast-config/tenants/tn0/providers/1-resman-tenant-providers.tf ./
ln -s ~/fast-config/tenants/tn0/tfvars/0-bootstrap-tenant.auto.tfvars.json ./
Once that is done, stage-level configuration variables are the same as the corresponding organization-level stage.
Note that the outputs_location
variable is disabled by default, you need to explicitly set it in your terraform.tfvars
file if you want output files to be generated by this stage. This is a sample terraform.tfvars
that configures it, refer to the org-level bootstrap stage documentation for more details:
outputs_location = "~/fast-config"
Running the stage
Once the configuration is done just go through the usual init/apply
cycle. On successful apply, a tfvars file specific for this tenant and a set of provider files will be created.
Files
name | description | modules | resources |
---|---|---|---|
branch-data-platform.tf | Data Platform stages resources. | folder · gcs · iam-service-account |
|
branch-gke.tf | GKE multitenant stage resources. | folder · gcs · iam-service-account |
|
branch-networking.tf | Networking stage resources. | folder · gcs · iam-service-account |
|
branch-project-factory.tf | Project factory stage resources. | gcs · iam-service-account |
|
branch-sandbox.tf | Sandbox stage resources. | folder · gcs |
|
branch-security.tf | Security stage resources. | folder · gcs · iam-service-account |
|
branch-teams.tf | Team stage resources. | folder · gcs · iam-service-account |
|
cicd-data-platform.tf | CI/CD resources for the data platform branch. | iam-service-account · source-repository |
|
cicd-gke.tf | CI/CD resources for the data platform branch. | iam-service-account · source-repository |
|
cicd-networking.tf | CI/CD resources for the networking branch. | iam-service-account · source-repository |
|
cicd-project-factory.tf | CI/CD resources for the teams branch. | iam-service-account · source-repository |
|
cicd-security.tf | CI/CD resources for the security branch. | iam-service-account · source-repository |
|
main.tf | Module-level locals and resources. | ||
outputs-files.tf | Output files persistence to local filesystem. | local_file |
|
outputs-gcs.tf | Output files persistence to automation GCS bucket. | google_storage_bucket_object |
|
outputs.tf | Module outputs. | ||
root_node.tf | Tenant root folder configuration. | folder |
|
variables.tf | Module variables. |
Variables
name | description | type | required | default | producer |
---|---|---|---|---|---|
automation | Automation resources created by the bootstrap stage. | object({…}) |
✓ | 0-bootstrap |
|
billing_account | Billing account id. If billing account is not part of the same org set is_org_level to false . To disable handling of billing IAM roles set no_iam to true . |
object({…}) |
✓ | 0-bootstrap |
|
organization | Organization details. | object({…}) |
✓ | 0-bootstrap |
|
prefix | Prefix used for resources that need unique names. Use 9 characters or less. | string |
✓ | 0-bootstrap |
|
root_node | Root folder node for the tenant, in folders/nnnnnn format. | string |
✓ | ||
short_name | Short name used to identify the tenant. | string |
✓ | ||
tags | Resource management tags. | object({…}) |
✓ | ||
cicd_repositories | CI/CD repository configuration. Identity providers reference keys in the automation.federated_identity_providers variable. Set to null to disable, or set individual repositories to null if not needed. |
object({…}) |
null |
||
custom_roles | Custom roles defined at the org level, in key => id format. | object({…}) |
null |
0-bootstrap |
|
data_dir | Relative path for the folder storing configuration data. | string |
"data" |
||
fast_features | Selective control for top-level FAST features. | object({…}) |
{} |
0-0-bootstrap |
|
groups | Group names to grant organization-level permissions. | object({…}) |
{} |
0-bootstrap |
|
locations | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) |
{…} |
0-bootstrap |
|
organization_policy_data_path | Path for the data folder used by the organization policies factory. | string |
null |
||
outputs_location | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string |
null |
||
team_folders | Team folders to be created. Format is described in a code comment. | map(object({…})) |
null |
||
test_skip_data_sources | Used when testing to bypass data sources. | bool |
false |
Outputs
name | description | sensitive | consumers |
---|---|---|---|
cicd_repositories | WIF configuration for CI/CD repositories. | ||
dataplatform | Data for the Data Platform stage. | ||
gke_multitenant | Data for the GKE multitenant stage. | 03-gke-multitenant |
|
networking | Data for the networking stage. | ||
project_factories | Data for the project factories stage. | ||
providers | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · xx-sandbox · xx-teams |
sandbox | Data for the sandbox stage. | xx-sandbox |
|
security | Data for the networking stage. | 02-security |
|
teams | Data for the teams stage. | ||
tfvars | Terraform variable files for the following stages. | ✓ |