From 008a3719ad95b2a84706336fc4bb04d4a03e7460 Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Mon, 1 Jun 2026 12:04:54 +0200 Subject: [PATCH] Support `service_agents_config.skip_iam` in project-factory and fast stages (#4007) * Support service_agents_config.skip_iam in project-factory and fast stages * Fix inventories * Change service-agent creation/iam order --- GEMINI.md | 1 + .../0-org-setup/schemas/project.schema.json | 21 +++++++ .../0-org-setup/schemas/project.schema.md | 7 +++ .../2-networking/schemas/project.schema.json | 21 +++++++ .../2-networking/schemas/project.schema.md | 7 +++ .../schemas/project.schema.json | 21 +++++++ .../schemas/project.schema.md | 7 +++ .../2-security/schemas/project.schema.json | 21 +++++++ .../2-security/schemas/project.schema.md | 7 +++ modules/project-factory/README.md | 6 +- modules/project-factory/projects-defaults.tf | 22 +++++++ modules/project-factory/projects.tf | 18 +++++- .../schemas/project.schema.json | 21 +++++++ .../project-factory/schemas/project.schema.md | 7 +++ modules/project-factory/variables-projects.tf | 6 ++ modules/project-factory/variables.tf | 6 ++ .../stages/s0_org_setup/customizations.yaml | 3 - tests/fast/stages/s0_org_setup/hardened.yaml | 9 --- tests/fast/stages/s0_org_setup/simple.yaml | 9 --- .../fast/stages/s0_org_setup/starter-gcd.yaml | 4 -- .../s2_networking/vlan_attachments.yaml | 60 ++++++++++++++++++- .../project_factory/examples/example.yaml | 56 +++++++++++++++-- 22 files changed, 303 insertions(+), 37 deletions(-) diff --git a/GEMINI.md b/GEMINI.md index b9a21014a..1a300c177 100644 --- a/GEMINI.md +++ b/GEMINI.md 
@@ -83,6 +83,7 @@ python3 tools/check_boilerplate.py --scan-files # Schema changes # A schema change should be reflected in all the other places that use the same schema. # These are documented in and can be checked via tools/duplicate-diff.py. +# Whenever you modify a `.schema.json` file, you MUST regenerate the corresponding `.schema.md` documentation file using `python3 tools/schema_docs.py`. ``` **Common gotcha — unsorted variables (`[SV]` error):** `check_documentation.py` requires variables in `variables.tf` to be in strict alphabetical order. When adding a new variable, insert it at the correct alphabetical position, not at the top of the file. diff --git a/fast/stages/0-org-setup/schemas/project.schema.json b/fast/stages/0-org-setup/schemas/project.schema.json index ff390091d..1bd81f72f 100644 --- a/fast/stages/0-org-setup/schemas/project.schema.json +++ b/fast/stages/0-org-setup/schemas/project.schema.json @@ -819,6 +819,27 @@ } } }, + "service_agents_config": { + "type": "object", + "additionalProperties": false, + "properties": { + "create_primary_agents": { + "type": "boolean" + }, + "grant_default_roles": { + "type": "boolean" + }, + "grant_service_agent_editor": { + "type": "boolean" + }, + "skip_iam": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, "service_encryption_key_ids": { "type": "object", "additionalProperties": false, diff --git a/fast/stages/0-org-setup/schemas/project.schema.md b/fast/stages/0-org-setup/schemas/project.schema.md index c7c8d88f8..60fd90bf2 100644 --- a/fast/stages/0-org-setup/schemas/project.schema.md +++ b/fast/stages/0-org-setup/schemas/project.schema.md @@ -253,6 +253,13 @@ - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))* - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))* - **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))* +- **service_agents_config**: *object* +
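Review bot: `skip_iam` is declared as a plain `array` of `string` in the new `service_agents_config` block, while the matching Terraform attribute in variables-projects.tf and variables.tf types it as `set(string)`; adding `"uniqueItems": true` to the `skip_iam` definition would make the schema reject duplicated entries the same way the variable does. The identical block is copied into the 2-networking, 2-project-factory, 2-security and modules/project-factory schemas in this patch, so the same change applies to all five copies. If the entries are expected to be service agent identifiers, a `minLength` or pattern would also catch empty strings, but the accepted format is not visible in this diff, so that part needs confirming against the project module.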
*additional properties: false* + - **create_primary_agents**: *boolean* + - **grant_default_roles**: *boolean* + - **grant_service_agent_editor**: *boolean* + - **skip_iam**: *array* + - items: *string* - **service_encryption_key_ids**: *object*
*additional properties: false* - **`^[a-z-]+\.googleapis\.com$`**: *array* diff --git a/fast/stages/2-networking/schemas/project.schema.json b/fast/stages/2-networking/schemas/project.schema.json index ff390091d..1bd81f72f 100644 --- a/fast/stages/2-networking/schemas/project.schema.json +++ b/fast/stages/2-networking/schemas/project.schema.json @@ -819,6 +819,27 @@ } } }, + "service_agents_config": { + "type": "object", + "additionalProperties": false, + "properties": { + "create_primary_agents": { + "type": "boolean" + }, + "grant_default_roles": { + "type": "boolean" + }, + "grant_service_agent_editor": { + "type": "boolean" + }, + "skip_iam": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, "service_encryption_key_ids": { "type": "object", "additionalProperties": false, diff --git a/fast/stages/2-networking/schemas/project.schema.md b/fast/stages/2-networking/schemas/project.schema.md index c7c8d88f8..60fd90bf2 100644 --- a/fast/stages/2-networking/schemas/project.schema.md +++ b/fast/stages/2-networking/schemas/project.schema.md @@ -253,6 +253,13 @@ - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))* - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))* - **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))* +- **service_agents_config**: *object* +
*additional properties: false* + - **create_primary_agents**: *boolean* + - **grant_default_roles**: *boolean* + - **grant_service_agent_editor**: *boolean* + - **skip_iam**: *array* + - items: *string* - **service_encryption_key_ids**: *object*
*additional properties: false* - **`^[a-z-]+\.googleapis\.com$`**: *array* diff --git a/fast/stages/2-project-factory/schemas/project.schema.json b/fast/stages/2-project-factory/schemas/project.schema.json index ff390091d..1bd81f72f 100644 --- a/fast/stages/2-project-factory/schemas/project.schema.json +++ b/fast/stages/2-project-factory/schemas/project.schema.json @@ -819,6 +819,27 @@ } } }, + "service_agents_config": { + "type": "object", + "additionalProperties": false, + "properties": { + "create_primary_agents": { + "type": "boolean" + }, + "grant_default_roles": { + "type": "boolean" + }, + "grant_service_agent_editor": { + "type": "boolean" + }, + "skip_iam": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, "service_encryption_key_ids": { "type": "object", "additionalProperties": false, diff --git a/fast/stages/2-project-factory/schemas/project.schema.md b/fast/stages/2-project-factory/schemas/project.schema.md index c7c8d88f8..60fd90bf2 100644 --- a/fast/stages/2-project-factory/schemas/project.schema.md +++ b/fast/stages/2-project-factory/schemas/project.schema.md @@ -253,6 +253,13 @@ - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))* - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))* - **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))* +- **service_agents_config**: *object* +
*additional properties: false* + - **create_primary_agents**: *boolean* + - **grant_default_roles**: *boolean* + - **grant_service_agent_editor**: *boolean* + - **skip_iam**: *array* + - items: *string* - **service_encryption_key_ids**: *object*
*additional properties: false* - **`^[a-z-]+\.googleapis\.com$`**: *array* diff --git a/fast/stages/2-security/schemas/project.schema.json b/fast/stages/2-security/schemas/project.schema.json index ff390091d..1bd81f72f 100644 --- a/fast/stages/2-security/schemas/project.schema.json +++ b/fast/stages/2-security/schemas/project.schema.json @@ -819,6 +819,27 @@ } } }, + "service_agents_config": { + "type": "object", + "additionalProperties": false, + "properties": { + "create_primary_agents": { + "type": "boolean" + }, + "grant_default_roles": { + "type": "boolean" + }, + "grant_service_agent_editor": { + "type": "boolean" + }, + "skip_iam": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, "service_encryption_key_ids": { "type": "object", "additionalProperties": false, diff --git a/fast/stages/2-security/schemas/project.schema.md b/fast/stages/2-security/schemas/project.schema.md index c7c8d88f8..60fd90bf2 100644 --- a/fast/stages/2-security/schemas/project.schema.md +++ b/fast/stages/2-security/schemas/project.schema.md @@ -253,6 +253,13 @@ - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))* - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))* - **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))* +- **service_agents_config**: *object* +
*additional properties: false* + - **create_primary_agents**: *boolean* + - **grant_default_roles**: *boolean* + - **grant_service_agent_editor**: *boolean* + - **skip_iam**: *array* + - items: *string* - **service_encryption_key_ids**: *object*
*additional properties: false* - **`^[a-z-]+\.googleapis\.com$`**: *array* diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md index a26bc6a03..d78495c87 100644 --- a/modules/project-factory/README.md +++ b/modules/project-factory/README.md 
@@ -898,11 +898,11 @@ compute.disableSerialPortAccess: | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [factories_config](variables.tf#L194) | Path to folder with YAML resource description data files. Exclusions match the start of file paths, relative to their containing folder. | object({…}) | ✓ | | +| [factories_config](variables.tf#L200) | Path to folder with YAML resource description data files. Exclusions match the start of file paths, relative to their containing folder. | object({…}) | ✓ | | | [context](variables.tf#L17) | Context-specific interpolations. | object({…}) | | {} | | [data_defaults](variables.tf#L47) | Optional default values used when corresponding project or folder data from files are missing. | object({…}) | | {} | -| [data_merges](variables.tf#L124) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} | -| [data_overrides](variables.tf#L143) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} | +| [data_merges](variables.tf#L130) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} | +| [data_overrides](variables.tf#L149) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} | | [folders](variables-folders.tf#L17) | Folders data merged with factory data. | map(object({…})) | | {} | | [notification_channels](variables-billing.tf#L17) | Notification channels used by budget alerts. | map(object({…})) | | {} | | [projects](variables-projects.tf#L17) | Projects data merged with factory data. | map(object({…})) | | {} | 
diff --git a/modules/project-factory/projects-defaults.tf b/modules/project-factory/projects-defaults.tf
index 9cc672f41..6eed89d4f 100644
--- a/modules/project-factory/projects-defaults.tf
+++ b/modules/project-factory/projects-defaults.tf
@@ -158,6 +158,19 @@ locals {
         try(v.service_encryption_key_ids, null),
         local.data_defaults.defaults.service_encryption_key_ids
       )
+      service_agents_config = (
+        try(v.service_agents_config, null) != null
+        ? merge(
+          {
+            create_primary_agents      = true
+            grant_default_roles        = true
+            grant_service_agent_editor = true
+            skip_iam                   = []
+          },
+          v.service_agents_config
+        )
+        : local.data_defaults.defaults.service_agents_config
+      )
       services = coalesce( # type: list(string)
         local.data_defaults.overrides.services,
         try(v.services, null),
@@ -291,6 +304,15 @@ locals {
         }
       )
     )
+    service_agents_config = merge(
+      {
+        create_primary_agents      = true
+        grant_default_roles        = true
+        grant_service_agent_editor = true
+        skip_iam                   = []
+      },
+      try(local._data_defaults.defaults.service_agents_config, {})
+    )
     service_encryption_key_ids = {}
     services                   = []
     shared_vpc_service_config = {
diff --git a/modules/project-factory/projects.tf b/modules/project-factory/projects.tf
index 62a22b119..f51193dc8 100644
--- a/modules/project-factory/projects.tf
+++ b/modules/project-factory/projects.tf
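Review bot: In the first hunk, a project that sets any key under `service_agents_config` is merged onto the hard-coded literal (`create_primary_agents = true`, `grant_default_roles = true`, `grant_service_agent_editor = true`, `skip_iam = []`) rather than onto `local.data_defaults.defaults.service_agents_config`, so a factory-wide default such as `grant_default_roles = false` or a non-empty `skip_iam` is silently reverted to the permissive library value as soon as a project file mentions `service_agents_config` at all, widening the service-agent IAM grants for that project. The second hunk already guarantees that `local.data_defaults.defaults.service_agents_config` carries all four keys, so the literal can be dropped: `? merge(local.data_defaults.defaults.service_agents_config, v.service_agents_config)`. This also differs from the neighbouring attributes, which consult `local.data_defaults.overrides.*` and `local.data_defaults.defaults.*` in a fixed precedence order, so if the reset-to-library-defaults behaviour is intended it deserves a comment saying so. The enclosing `locals` block begins and ends outside both hunks.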
@@ -162,6 +162,16 @@ module "projects" {
   logging_sinks         = try(each.value.logging_sinks, {})
   notification_channels = try(each.value.notification_channels, null)
   quotas                = each.value.quotas
+  # Most service agent permissions must be granted in this first pass
+  # to ensure dependencies (like CMEK or Shared VPC) work correctly.
+  # We disable grant_service_agent_editor here because the authoritative
+  # IAM editor role is managed in the second pass (projects-iam).
+  service_agents_config = {
+    create_primary_agents      = each.value.service_agents_config.create_primary_agents
+    grant_default_roles        = each.value.service_agents_config.grant_default_roles
+    grant_service_agent_editor = false
+    skip_iam                   = each.value.service_agents_config.skip_iam
+  }
   services = distinct(concat(
     each.value.services,
     var.data_merges.services
@@ -243,9 +253,13 @@ module "projects-iam" {
     each.value.metric_scopes, var.data_merges.metric_scopes
   ))
   pam_entitlements = try(each.value.pam_entitlements, {})
+  # The second pass handles the authoritative cloudservices editor binding.
+  # We disable primary agents creation and default roles here because they
+  # are already handled in the first pass, avoiding duplicate resource errors.
   service_agents_config = {
-    create_primary_agents = false
-    grant_default_roles   = false
+    create_primary_agents      = false
+    grant_default_roles        = false
+    grant_service_agent_editor = each.value.service_agents_config.grant_service_agent_editor
   }
   service_encryption_key_ids = merge(
     each.value.service_encryption_key_ids,
diff --git a/modules/project-factory/schemas/project.schema.json b/modules/project-factory/schemas/project.schema.json
index ff390091d..1bd81f72f 100644
--- a/modules/project-factory/schemas/project.schema.json
+++ b/modules/project-factory/schemas/project.schema.json
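Review bot: The `projects-iam` hunk forwards `grant_service_agent_editor` from `each.value.service_agents_config` but not `skip_iam`, so the second pass falls back to whatever the project module defaults `skip_iam` to; if that list is also meant to exclude the cloudservices agent from the editor binding that this pass is documented as owning, the exclusion is lost exactly where it matters, which should be confirmed against the project module. If `skip_iam` is intentionally first-pass only, extending the new comment with a line such as `# skip_iam is not forwarded here: the editor binding is governed by grant_service_agent_editor alone.` would record that decision. None of the inventory fixtures visible in this patch set a non-empty `skip_iam`, so the new attribute path is not exercised by the tests shown here, though hunks beyond this excerpt may cover it. Both `module` blocks start and end outside their hunks.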
@@ -819,6 +819,27 @@ } } }, + "service_agents_config": { + "type": "object", + "additionalProperties": false, + "properties": { + "create_primary_agents": { + "type": "boolean" + }, + "grant_default_roles": { + "type": "boolean" + }, + "grant_service_agent_editor": { + "type": "boolean" + }, + "skip_iam": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, "service_encryption_key_ids": { "type": "object", "additionalProperties": false, diff --git a/modules/project-factory/schemas/project.schema.md b/modules/project-factory/schemas/project.schema.md index c7c8d88f8..60fd90bf2 100644 --- a/modules/project-factory/schemas/project.schema.md +++ b/modules/project-factory/schemas/project.schema.md @@ -253,6 +253,13 @@ - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))* - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))* - **tag_bindings**: *reference([tag_bindings](#refs-tag_bindings))* +- **service_agents_config**: *object* +
*additional properties: false* + - **create_primary_agents**: *boolean* + - **grant_default_roles**: *boolean* + - **grant_service_agent_editor**: *boolean* + - **skip_iam**: *array* + - items: *string* - **service_encryption_key_ids**: *object*
*additional properties: false* - **`^[a-z-]+\.googleapis\.com$`**: *array* diff --git a/modules/project-factory/variables-projects.tf b/modules/project-factory/variables-projects.tf index fc8aad4e2..f29f09be4 100644 --- a/modules/project-factory/variables-projects.tf +++ b/modules/project-factory/variables-projects.tf @@ -490,6 +490,12 @@ variable "projects" { iam_self_roles = optional(list(string), []) iam_project_roles = optional(map(list(string)), {}) })), {}) + service_agents_config = optional(object({ + create_primary_agents = optional(bool, true) + grant_default_roles = optional(bool, true) + grant_service_agent_editor = optional(bool, true) + skip_iam = optional(set(string), []) + }), {}) service_encryption_key_ids = optional(map(list(string)), {}) services = optional(list(string), []) shared_vpc_host_config = optional(object({ diff --git a/modules/project-factory/variables.tf b/modules/project-factory/variables.tf index 291134dfe..aa63c212c 100644 --- a/modules/project-factory/variables.tf +++ b/modules/project-factory/variables.tf @@ -86,6 +86,12 @@ variable "data_defaults" { display_name = optional(string, "Terraform-managed.") iam_self_roles = optional(list(string)) })), {}) + service_agents_config = optional(object({ + create_primary_agents = optional(bool, true) + grant_default_roles = optional(bool, true) + grant_service_agent_editor = optional(bool, true) + skip_iam = optional(set(string), []) + }), {}) service_encryption_key_ids = optional(map(list(string)), {}) services = optional(list(string), []) shared_vpc_service_config = optional(object({ diff --git a/tests/fast/stages/s0_org_setup/customizations.yaml b/tests/fast/stages/s0_org_setup/customizations.yaml index e58d46234..6e315a8f5 100644 --- a/tests/fast/stages/s0_org_setup/customizations.yaml +++ b/tests/fast/stages/s0_org_setup/customizations.yaml 
@@ -118,7 +118,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/0-org-setup-providers.tf sensitive_content: null source: null local_file.tfvars["globals"]: @@ -126,14 +125,12 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json sensitive_content: null source: null local_file.tfvars["org-setup"]: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json sensitive_content: null source: null module.factory.module.bigquery-datasets["iac-0/billing_export"].google_bigquery_dataset.default: diff --git a/tests/fast/stages/s0_org_setup/hardened.yaml b/tests/fast/stages/s0_org_setup/hardened.yaml index 79f958232..45f4baa6d 100644 --- a/tests/fast/stages/s0_org_setup/hardened.yaml +++ b/tests/fast/stages/s0_org_setup/hardened.yaml @@ -395,7 +395,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/0-org-setup-providers.tf sensitive_content: null source: null local_file.providers["0-org-setup-ro"]: @@ -416,7 +415,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf sensitive_content: null source: null local_file.providers["1-vpcsc"]: @@ -438,7 +436,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/1-vpcsc-providers.tf sensitive_content: null source: null local_file.providers["2-networking"]: @@ -460,7 +457,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/2-networking-providers.tf sensitive_content: null source: null local_file.providers["2-project-factory"]: 
@@ -482,7 +478,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/2-project-factory-providers.tf sensitive_content: null source: null local_file.providers["2-security"]: @@ -504,7 +499,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/2-security-providers.tf sensitive_content: null source: null local_file.tfvars["globals"]: @@ -512,14 +506,12 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json sensitive_content: null source: null local_file.tfvars["org-setup"]: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json sensitive_content: null source: null local_file.workflows["org-setup"]: @@ -621,7 +613,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/workflows/org-setup.yaml sensitive_content: null source: null module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]: diff --git a/tests/fast/stages/s0_org_setup/simple.yaml b/tests/fast/stages/s0_org_setup/simple.yaml index 3d2c6f4a1..a638ae970 100644 --- a/tests/fast/stages/s0_org_setup/simple.yaml +++ b/tests/fast/stages/s0_org_setup/simple.yaml @@ -395,7 +395,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/0-org-setup-providers.tf sensitive_content: null source: null local_file.providers["0-org-setup-ro"]: @@ -416,7 +415,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf sensitive_content: null source: null local_file.providers["1-vpcsc"]: 
@@ -438,7 +436,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/1-vpcsc-providers.tf sensitive_content: null source: null local_file.providers["2-networking"]: @@ -460,7 +457,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/2-networking-providers.tf sensitive_content: null source: null local_file.providers["2-project-factory"]: @@ -482,7 +478,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/2-project-factory-providers.tf sensitive_content: null source: null local_file.providers["2-security"]: @@ -504,7 +499,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/2-security-providers.tf sensitive_content: null source: null local_file.tfvars["globals"]: @@ -512,14 +506,12 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json sensitive_content: null source: null local_file.tfvars["org-setup"]: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json sensitive_content: null source: null local_file.workflows["org-setup"]: @@ -621,7 +613,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/workflows/org-setup.yaml sensitive_content: null source: null module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]: diff --git a/tests/fast/stages/s0_org_setup/starter-gcd.yaml b/tests/fast/stages/s0_org_setup/starter-gcd.yaml index cfa276432..7858b6bbc 100644 --- a/tests/fast/stages/s0_org_setup/starter-gcd.yaml +++ b/tests/fast/stages/s0_org_setup/starter-gcd.yaml 
@@ -150,7 +150,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/0-org-setup-providers.tf sensitive_content: null source: null local_file.providers["0-org-setup-ro"]: @@ -171,7 +170,6 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf sensitive_content: null source: null local_file.tfvars["globals"]: @@ -179,14 +177,12 @@ values: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json sensitive_content: null source: null local_file.tfvars["org-setup"]: content_base64: null directory_permission: '0777' file_permission: '0644' - filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json sensitive_content: null source: null module.factory.module.bigquery-datasets["iac-0/billing_export"].google_bigquery_dataset.default: diff --git a/tests/fast/stages/s2_networking/vlan_attachments.yaml b/tests/fast/stages/s2_networking/vlan_attachments.yaml index cab8cfd48..051e905ac 100644 --- a/tests/fast/stages/s2_networking/vlan_attachments.yaml +++ b/tests/fast/stages/s2_networking/vlan_attachments.yaml @@ -4,7 +4,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -14,6 +14,7 @@ values: google_compute_ha_vpn_gateway.default["hub/to-onprem"]: + deletion_policy: DELETE description: null effective_labels: goog-terraform-provisioned: 'true' 
@@ -32,6 +33,7 @@ values: attachments: - name: to-onprem-vlan-0 - name: to-onprem-vlan-1 + deletion_policy: DELETE description: Terraform-managed. intent: - availability_sla: PRODUCTION_NON_CRITICAL @@ -46,6 +48,7 @@ values: advertised_ip_ranges: [] asn: 64514 keepalive_interval: 20 + deletion_policy: DELETE description: null encrypted_interconnect_router: null md5_authentication_keys: [] @@ -60,6 +63,7 @@ values: - fast-prod-net-core-0 - $project_ids:net-prod-0 - $project_ids:net-dev-0 + deletion_policy: DELETE description: Terraform-managed effective_labels: goog-terraform-provisioned: 'true' @@ -70,6 +74,7 @@ values: goog-terraform-provisioned: 'true' timeouts: null google_network_connectivity_hub.default["hub"]: + deletion_policy: DELETE description: Terraform-managed effective_labels: goog-terraform-provisioned: 'true' @@ -82,6 +87,7 @@ values: goog-terraform-provisioned: 'true' timeouts: null google_network_connectivity_spoke.tunnels["hub/to-onprem/hub"]: + deletion_policy: DELETE description: Terraform-managed. effective_labels: goog-terraform-provisioned: 'true' @@ -104,6 +110,7 @@ values: goog-terraform-provisioned: 'true' timeouts: null google_network_connectivity_spoke.vlan_attachments["hub-onprem-0/hub"]: + deletion_policy: DELETE description: Terraform-managed. effective_labels: goog-terraform-provisioned: 'true' @@ -126,6 +133,7 @@ values: goog-terraform-provisioned: 'true' timeouts: null google_network_connectivity_spoke.vlan_attachments["hub-onprem-1/hub"]: + deletion_policy: DELETE description: Terraform-managed. effective_labels: goog-terraform-provisioned: 'true' @@ -155,6 +163,7 @@ values: content_language: null contexts: [] customer_encryption: [] + deletion_policy: DELETE detect_md5hash: null event_based_hold: null force_empty_content_type: null 
@@ -164,7 +173,26 @@ values: source: null temporary_hold: null timeouts: null + google_storage_bucket_object.version[0]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: DELETE + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: versions/2-networking-version.txt + retention: [] + source: fast_version.txt + temporary_hold: null + timeouts: null module.projects.module.projects-iam["net-core-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]: + deletion_policy: DELETE project: fast-prod-net-core-0 timeouts: null module.projects.module.projects["net-core-0"].data.google_logging_project_settings.logging_sa[0]: @@ -172,6 +200,7 @@ values: module.projects.module.projects["net-core-0"].google_project.project[0]: auto_create_network: false billing_account: 000000-111111-222222 + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' folder_id: '12345678' 
@@ -216,60 +245,70 @@ values: project: fast-prod-net-core-0 role: roles/vpcaccess.serviceAgent module.projects.module.projects["net-core-0"].google_project_service.project_services["compute.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: compute.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["container.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: container.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["dns.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: dns.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["iap.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: iap.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["logging.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: logging.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["monitoring.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: monitoring.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["networkmanagement.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: 
networkmanagement.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["networksecurity.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: networksecurity.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["servicenetworking.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 service: servicenetworking.googleapis.com timeouts: null module.projects.module.projects["net-core-0"].google_project_service.project_services["vpcaccess.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: fast-prod-net-core-0 @@ -324,6 +363,7 @@ values: candidate_customer_router_ipv6_address: null candidate_subnets: - 169.254.0.0/29 + deletion_policy: DELETE description: Terraform managed. effective_labels: goog-terraform-provisioned: 'true' @@ -345,6 +385,7 @@ values: type: DEDICATED vlan_tag8021q: 123 module.vlan-attachments["hub-onprem-0"].google_compute_router_interface.default[0]: + deletion_policy: DELETE name: to-onprem-vlan-0-intf private_ip_address: null project: fast-prod-net-core-0 @@ -363,6 +404,7 @@ values: advertised_route_priority: null custom_learned_ip_ranges: [] custom_learned_route_priority: null + deletion_policy: DELETE enable: true enable_ipv6: false export_policies: null @@ -390,6 +432,7 @@ values: candidate_customer_router_ip_address: null candidate_customer_router_ipv6_address: null candidate_subnets: null + deletion_policy: DELETE description: Terraform managed. effective_labels: goog-terraform-provisioned: 'true' 
@@ -411,6 +454,7 @@ values: type: DEDICATED vlan_tag8021q: 124 module.vlan-attachments["hub-onprem-1"].google_compute_router_interface.default[0]: + deletion_policy: DELETE name: to-onprem-vlan-1-intf private_ip_address: null project: fast-prod-net-core-0 @@ -429,6 +473,7 @@ values: advertised_route_priority: null custom_learned_ip_ranges: [] custom_learned_route_priority: null + deletion_policy: DELETE enable: true enable_ipv6: false export_policies: null @@ -452,6 +497,7 @@ values: auto_create_subnetworks: false delete_bgp_always_compare_med: false delete_default_routes_on_create: true + deletion_policy: DELETE description: Terraform managed enable_ula_internal_ipv6: null mtu: 1500 @@ -463,6 +509,7 @@ values: routing_mode: GLOBAL timeouts: null module.vpc-factory.module.vpcs["hub"].google_compute_route.gateway["directpath-googleapis"]: + deletion_policy: DELETE description: Terraform-managed. dest_range: 34.126.0.0/18 name: hub-0-directpath-googleapis @@ -477,6 +524,7 @@ values: tags: null timeouts: null module.vpc-factory.module.vpcs["hub"].google_compute_route.gateway["private-googleapis"]: + deletion_policy: DELETE description: Terraform-managed. dest_range: 199.36.153.8/30 name: hub-0-private-googleapis @@ -491,6 +539,7 @@ values: tags: null timeouts: null module.vpc-factory.module.vpcs["hub"].google_compute_route.gateway["restricted-googleapis"]: + deletion_policy: DELETE description: Terraform-managed. dest_range: 199.36.153.4/30 name: hub-0-restricted-googleapis @@ -505,6 +554,7 @@ values: tags: null timeouts: null module.vpc-factory.module.vpcs["hub"].google_compute_subnetwork.subnetwork["europe-west1/hub-default"]: + deletion_policy: DELETE description: Default primary-region subnet for hub ip_cidr_range: 10.71.0.0/24 ip_collection: null 
@@ -522,6 +572,7 @@ values: send_secondary_ip_range_if_empty: true timeouts: null module.vpc-routes["hub"].google_compute_route.gateway["default"]: + deletion_policy: DELETE description: Terraform-managed. dest_range: 0.0.0.0/0 name: hub-0-default @@ -536,6 +587,7 @@ values: tags: null timeouts: null module.vpn-ha["hub/to-onprem"].google_compute_external_vpn_gateway.external_gateway["default"]: + deletion_policy: DELETE description: Terraform managed external VPN gateway effective_labels: goog-terraform-provisioned: 'true' @@ -552,6 +604,7 @@ values: goog-terraform-provisioned: 'true' timeouts: null module.vpn-ha["hub/to-onprem"].google_compute_router_interface.router_interface["remote-0"]: + deletion_policy: DELETE interconnect_attachment: null ip_range: 169.254.128.2/30 name: hub-to-onprem-remote-0 @@ -563,6 +616,7 @@ values: timeouts: null vpn_tunnel: hub-to-onprem-remote-0 module.vpn-ha["hub/to-onprem"].google_compute_router_interface.router_interface["remote-1"]: + deletion_policy: DELETE interconnect_attachment: null ip_range: 169.254.128.6/30 name: hub-to-onprem-remote-1 @@ -580,6 +634,7 @@ values: advertised_route_priority: 1000 custom_learned_ip_ranges: [] custom_learned_route_priority: null + deletion_policy: DELETE enable: true enable_ipv6: false export_policies: null @@ -603,6 +658,7 @@ values: advertised_route_priority: 1000 custom_learned_ip_ranges: [] custom_learned_route_priority: null + deletion_policy: DELETE enable: true enable_ipv6: false export_policies: null @@ -621,6 +677,7 @@ values: zero_custom_learned_route_priority: false module.vpn-ha["hub/to-onprem"].google_compute_vpn_tunnel.tunnels["remote-0"]: cipher_suite: [] + deletion_policy: DELETE description: null effective_labels: goog-terraform-provisioned: 'true' 
@@ -643,6 +700,7 @@ values: vpn_gateway_interface: 0 module.vpn-ha["hub/to-onprem"].google_compute_vpn_tunnel.tunnels["remote-1"]: cipher_suite: [] + deletion_policy: DELETE description: null effective_labels: goog-terraform-provisioned: 'true' diff --git a/tests/modules/project_factory/examples/example.yaml b/tests/modules/project_factory/examples/example.yaml index 22595f6d4..8910e8494 100644 --- a/tests/modules/project_factory/examples/example.yaml +++ b/tests/modules/project_factory/examples/example.yaml @@ -14,6 +14,7 @@ values: module.project-factory.google_network_security_dns_threat_detector.dns_threat_detector["dev-ta-app0-be"]: + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' excluded_networks: [] @@ -30,6 +31,7 @@ values: cors: [] custom_placement_config: [] default_event_based_hold: null + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' enable_object_retention: null @@ -74,6 +76,7 @@ values: ? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/ro"].google_service_account.service_account[0] : account_id: dev-tb-app0-0-ro create_ignore_already_exists: null + deletion_policy: DELETE description: Team B app 0 read-only automation sa. disabled: false display_name: Service account ro for dev-tb-app0-0. @@ -84,6 +87,7 @@ values: ? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/rw"].google_service_account.service_account[0] : account_id: dev-tb-app0-0-rw create_ignore_already_exists: null + deletion_policy: DELETE description: Team B app 0 read/write automation sa. disabled: false display_name: Service account rw for dev-tb-app0-0. @@ -97,6 +101,7 @@ values: default_partition_expiration_ms: null default_table_expiration_ms: null delete_contents_on_destroy: false + deletion_policy: DELETE description: Terraform managed. effective_labels: goog-terraform-provisioned: 'true' 
@@ -147,6 +152,7 @@ values: threshold_percent: 0.75 timeouts: null module.project-factory.module.billing-budgets[0].google_monitoring_notification_channel.default["billing-default"]: + deletion_policy: DELETE description: null display_name: Budget email notification billing-default. enabled: true @@ -163,6 +169,7 @@ values: cors: [] custom_placement_config: [] default_event_based_hold: null + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' enable_object_retention: null @@ -186,6 +193,7 @@ values: versioning: - enabled: false module.project-factory.module.buckets["dev-ta-app0-be/app-0-bucket-a"].google_tags_location_tag_binding.binding["context"]: + deletion_policy: DELETE location: europe-west8 parent: //storage.googleapis.com/projects/_/buckets/test-pf-dev-ta-app0-be-app-0-bucket-a tag_value: tagValues/654321 @@ -195,6 +203,7 @@ values: cors: [] custom_placement_config: [] default_event_based_hold: null + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' enable_object_retention: null @@ -232,18 +241,21 @@ values: - group:team-a-admins@example.org role: roles/viewer module.project-factory.module.folder-1["team-a"].google_folder.folder[0]: + deletion_policy: DELETE deletion_protection: false display_name: Team A parent: folders/5678901234 tags: null timeouts: null module.project-factory.module.folder-1["team-b"].google_folder.folder[0]: + deletion_policy: DELETE deletion_protection: false display_name: Team B parent: folders/5678901234 tags: null timeouts: null module.project-factory.module.folder-1["team-c"].google_folder.folder[0]: + deletion_policy: DELETE deletion_protection: false display_name: Team C parent: folders/5678901234 @@ -266,6 +278,7 @@ values: tag_value: tagValues/123456 timeouts: null module.project-factory.module.folder-2["team-a/app-0"].google_folder.folder[0]: + deletion_policy: DELETE deletion_protection: false display_name: App 0 tags: null 
@@ -299,16 +312,19 @@ values: - {} timeouts: null module.project-factory.module.folder-2["team-b/app-0"].google_folder.folder[0]: + deletion_policy: DELETE deletion_protection: false display_name: App 0 tags: null timeouts: null module.project-factory.module.folder-2["team-c/apps"].google_folder.folder[0]: + deletion_policy: DELETE deletion_protection: false display_name: Apps tags: null timeouts: null module.project-factory.module.folder-3["team-c/apps/test"].google_folder.folder[0]: + deletion_policy: DELETE deletion_protection: false display_name: Test tags: null @@ -326,11 +342,13 @@ values: - topic: projects/my-cai-feeds-project/topics/feed timeouts: null module.project-factory.module.folder-4["team-c/apps/test/app-x"].google_folder.folder[0]: + deletion_policy: DELETE deletion_protection: false display_name: App X tags: null timeouts: null module.project-factory.module.kms["dev-ta-app0-be/my-keyring"].google_kms_crypto_key.default["my-key"]: + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' labels: null @@ -347,6 +365,7 @@ values: project: test-pf-dev-ta-app0-be timeouts: null module.project-factory.module.kms["dev-ta-app0-be/my-keyring"].google_tags_location_tag_binding.binding["context"]: + deletion_policy: DELETE location: europe-west1 tag_value: $tag_values:context/project-factory timeouts: null @@ -428,6 +447,7 @@ values: - user:user@example.com role: roles/resourcemanager.tagUser module.project-factory.module.projects-iam["dev-tb-app0-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]: + deletion_policy: DELETE project: test-pf-dev-tb-app0-0 timeouts: null ? module.project-factory.module.projects-iam["dev-tb-app0-0"].google_project_iam_audit_config.default["storage.googleapis.com"] 
@@ -542,30 +562,35 @@ values: project: test-pf-dev-ta-app0-be role: roles/pubsub.serviceAgent module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["compute.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-ta-app0-be service: compute.googleapis.com timeouts: null ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["container.googleapis.com"] - : disable_dependent_services: false + : deletion_policy: DELETE + disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-ta-app0-be service: container.googleapis.com timeouts: null module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["pubsub.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-ta-app0-be service: pubsub.googleapis.com timeouts: null ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["stackdriver.googleapis.com"] - : disable_dependent_services: false + : deletion_policy: DELETE + disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-ta-app0-be service: stackdriver.googleapis.com timeouts: null module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["storage.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-ta-app0-be 
@@ -627,18 +652,21 @@ values: project: test-pf-dev-tb-app0-0 role: roles/run.serviceAgent module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["run.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-tb-app0-0 service: run.googleapis.com timeouts: null ? module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["stackdriver.googleapis.com"] - : disable_dependent_services: false + : deletion_policy: DELETE + disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-tb-app0-0 service: stackdriver.googleapis.com timeouts: null module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["storage.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-tb-app0-0 @@ -690,18 +718,21 @@ values: project: test-pf-dev-tb-app0-1 role: roles/container.defaultNodeServiceAgent ? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["container.googleapis.com"] - : disable_dependent_services: false + : deletion_policy: DELETE + disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-tb-app0-1 service: container.googleapis.com timeouts: null ? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["stackdriver.googleapis.com"] - : disable_dependent_services: false + : deletion_policy: DELETE + disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-tb-app0-1 service: stackdriver.googleapis.com timeouts: null module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["storage.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: test-pf-dev-tb-app0-1 
@@ -723,6 +754,7 @@ values: timeouts: null module.project-factory.module.projects["teams-iac-0"].google_iam_workload_identity_pool.default["test-0"]: attestation_rules: [] + deletion_policy: DELETE description: null disabled: null display_name: Test pool. @@ -746,6 +778,7 @@ values: attribute.workflow: assertion.workflow google.subject: assertion.sub aws: [] + deletion_policy: DELETE description: null disabled: false display_name: GitHub test provider. @@ -786,18 +819,21 @@ values: project: test-pf-teams-iac-0 role: roles/container.defaultNodeServiceAgent module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["container.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: test-pf-teams-iac-0 service: container.googleapis.com timeouts: null ? module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["stackdriver.googleapis.com"] - : disable_dependent_services: false + : deletion_policy: DELETE + disable_dependent_services: false disable_on_destroy: false project: test-pf-teams-iac-0 service: stackdriver.googleapis.com timeouts: null module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["storage.googleapis.com"]: + deletion_policy: DELETE disable_dependent_services: false disable_on_destroy: false project: test-pf-teams-iac-0 @@ -808,6 +844,7 @@ values: service: container.googleapis.com timeouts: null module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-a"].google_pubsub_topic.default: + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' ingestion_data_source_settings: [] @@ -832,6 +869,7 @@ values: : bigquery_config: [] cloud_storage_config: [] dead_letter_policy: [] + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' enable_exactly_once_delivery: false 
@@ -850,6 +888,7 @@ values: goog-terraform-provisioned: 'true' timeouts: null module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-b"].google_pubsub_topic.default: + deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' ingestion_data_source_settings: [] @@ -895,6 +934,7 @@ values: module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_service_account.service_account[0]: account_id: app-0-be create_ignore_already_exists: null + deletion_policy: DELETE description: null disabled: false display_name: Backend instances. @@ -920,6 +960,7 @@ values: module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_service_account.service_account[0]: account_id: app-0-fe create_ignore_already_exists: null + deletion_policy: DELETE description: null disabled: false display_name: Frontend instances. @@ -938,6 +979,7 @@ values: module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_service_account.service_account[0]: account_id: vm-default create_ignore_already_exists: null + deletion_policy: DELETE description: null disabled: false display_name: VM default service account. @@ -956,6 +998,7 @@ values: module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_service_account.service_account[0]: account_id: app-0-be create_ignore_already_exists: null + deletion_policy: DELETE description: null disabled: false display_name: Backend instances. @@ -966,6 +1009,7 @@ values: module.project-factory.module.taxonomies["dev-tb-app0-0"].google_data_catalog_taxonomy.default: activated_policy_types: - FINE_GRAINED_ACCESS_CONTROL + deletion_policy: DELETE description: Taxonomy - Terraform managed display_name: taxonomy project: test-pf-dev-tb-app0-0