zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/blueprints/factories/project-factory
History
Ludovico Magnocavallo 819894d2ba
IAM interface refactor (#1595) 
* IAM modules refactor proposal

* policy

* subheading

* Update 20230816-iam-refactor.md

* log Julio's +1

* data-catalog-policy-tag

* dataproc

* dataproc

* folder

* folder

* folder

* folder

* project

* better filtering in test examples

* project

* folder

* folder

* organization

* fix variable descriptions

* kms

* net-vpc

* dataplex-datascan

* modules/iam-service-account

* modules/source-repository/

* blueprints/cloud-operations/vm-migration/

* blueprints/third-party-solutions/wordpress

* dataplex-datascan

* blueprints/cloud-operations/workload-identity-federation

* blueprints/data-solutions/cloudsql-multiregion/

* blueprints/data-solutions/composer-2

* Update 20230816-iam-refactor.md

* Update 20230816-iam-refactor.md

* capture discussion in architectural doc

* update variable names and refactor proposal

* project

* blueprints first round

* folder

* organization

* data-catalog-policy-tag

* re-enable folder inventory

* project module style fix

* dataproc

* source-repository

* source-repository tests

* dataplex-datascan

* dataplex-datascan tests

* net-vpc

* net-vpc test examples

* iam-service-account

* iam-service-account test examples

* kms

* boilerplate

* tfdoc

* fix module tests

* more blueprint fixes

* fix typo in data blueprints

* incomplete refactor of data platform foundations

* tfdoc

* data platform foundation

* refactor data platform foundation iam locals

* remove redundant example test

* shielded folder fix

* fix typo

* project factory

* project factory outputs

* tfdoc

* test workflow: less verbose tests, fix tf version

* re-enable -vv, shorter traceback, fix action version

* ignore github extension warning, re-enable action version

* fast bootstrap IAM, untested

* bootstrap stage IAM fixes

* stage 0 tests

* fast stage 1

* tenant stage 1

* minor changes to fast stage 0 and 1

* fast security stage

* fast mt stage 0

* fast mt stage 0

* fast pf
 		2023-08-20 09:44:20 +02:00
..
README.md IAM interface refactor (#1595) 2023-08-20 09:44:20 +02:00
factory.tf IAM interface refactor (#1595) 2023-08-20 09:44:20 +02:00
main.tf IAM interface refactor (#1595) 2023-08-20 09:44:20 +02:00
outputs.tf IAM interface refactor (#1595) 2023-08-20 09:44:20 +02:00
variables.tf IAM interface refactor (#1595) 2023-08-20 09:44:20 +02:00

README.md

Project Factory

This is a working example of how to manage project creation at scale, by wrapping the project module and driving it via external data, either directly provided or parsed via YAML files.

The wrapping layer around the project module is intentionally thin, so that

  • all the features of the project module are available
  • no "magic" or hidden side effects are implemented in code
  • debugging and integration of new features is simple

The code is meant to be executed by a high level service accounts with powerful permissions:

  • Shared VPC connection if service project attachment is desired
  • project creation on the nodes (folder or org) where projects will be defined

The module also supports optional creation of specific resources that usually part of the project creation flow:

  • service accounts used for VM instances, and associated basic roles
  • KMS key encrypt/decrypt permissions for service identities in the project
  • membership in VPC SC standard or bridge perimeters

Compared to the previous version of this code, network-related resources (DNS zones, VPC subnets, etc.) have been removed as they are not typically in scope for the team who manages project creation, and adding them when needed requires just a few trivial code changes.

Example

module "project-factory" {
  source = "./fabric/blueprints/factories/project-factory"
  data_defaults = {
    billing_account = "012345-67890A-ABCDEF"
  }
  data_merges = {
    labels = {
      environment = "test"
    }
    services = [
      "stackdriver.googleapis.com"
    ]
  }
  data_overrides = {
    contacts = {
      "admin@example.com" = ["ALL"]
    }
    prefix = "test-pf"
  }
  factory_data = {
    data_path = "data"
  }
}
# tftest modules=6 resources=12 files=prj-app-1,prj-app-2 inventory=example.yaml

billing_account: 012345-67890A-BCDEF0
labels:
 app: app-1
 team: foo
service_encryption_key_ids:
 compute:
 - projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce
services:
- storage.googleapis.com
service_accounts:
  app-1-be: {}
  app-1-fe: {}

# tftest-file id=prj-app-1 path=data/prj-app-1.yaml

labels:
 app: app-1
 team: foo
service_accounts:
  app-2-be: {}

# tftest-file id=prj-app-2 path=data/prj-app-2.yaml

Variables

name description type required default
factory_data Project data from either YAML files or externally parsed data. object({…})
data_defaults Optional default values used when corresponding project data from files are missing. object({…}) {}
data_merges Optional values that will be merged with corresponding data from files. Combines with data_defaults, file data, and data_overrides. object({…}) {}
data_overrides Optional values that override corresponding data from files. Takes precedence over file data and data_defaults. object({…}) {}

Outputs

name description sensitive
projects Project module outputs.
service_accounts Service account emails.