diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac15056de..020e618f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ All notable changes to this project will be documented in this file.
### FAST
+- [[#766](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/766)] FAST: refactor teams branch ([ludoo](https://github.com/ludoo))
+- [[#765](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/765)] FAST: move region trigrams to a variable in network stages ([ludoo](https://github.com/ludoo))
- [[#759](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/759)] FAST: fix missing value to format principalSet ([imp14a](https://github.com/imp14a))
- [[#753](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/753)] Add support for IAM bindings on service accounts to project factory ([ludoo](https://github.com/ludoo))
- [[#745](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/745)] FAST: specify gitlab / github providers in CI/CD stage ([imp14a](https://github.com/imp14a))
@@ -78,7 +80,7 @@ All notable changes to this project will be documented in this file.
- [[#763](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/763)] Changelog generator ([ludoo](https://github.com/ludoo))
- [[#762](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/762)] Update changelog on pull request merge ([ludoo](https://github.com/ludoo))
-- [[#680](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/680)] Toos: fix Raise ValueError when check_names detects overlong names ([27Bslash6](https://github.com/27Bslash6))
+- [[#680](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/680)] Tools: fix `ValueError` raised in `check_names.py` when overlong names are detected ([27Bslash6](https://github.com/27Bslash6))
- [[#672](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/672)] Module attribution and version updater tool, plus release automation ([rosmo](https://github.com/rosmo))
diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index ee763d28c..e2372033a 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -196,15 +196,15 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
| name | description | sensitive | consumers |
|---|---|:---:|---|
-| [cicd_repositories](outputs.tf#L171) | WIF configuration for CI/CD repositories. | | |
-| [dataplatform](outputs.tf#L185) | Data for the Data Platform stage. | | |
-| [gke_multitenant](outputs.tf#L257) | Data for the GKE multitenant stage. | | 03-gke-multitenant |
-| [networking](outputs.tf#L201) | Data for the networking stage. | | |
-| [project_factories](outputs.tf#L210) | Data for the project factories stage. | | |
-| [providers](outputs.tf#L226) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · xx-sandbox · xx-teams |
-| [sandbox](outputs.tf#L233) | Data for the sandbox stage. | | xx-sandbox |
-| [security](outputs.tf#L247) | Data for the networking stage. | | 02-security |
-| [teams](outputs.tf#L278) | Data for the teams stage. | | |
-| [tfvars](outputs.tf#L291) | Terraform variable files for the following stages. | ✓ | |
+| [cicd_repositories](outputs.tf#L188) | WIF configuration for CI/CD repositories. | | |
+| [dataplatform](outputs.tf#L202) | Data for the Data Platform stage. | | |
+| [gke_multitenant](outputs.tf#L274) | Data for the GKE multitenant stage. | | 03-gke-multitenant |
+| [networking](outputs.tf#L218) | Data for the networking stage. | | |
+| [project_factories](outputs.tf#L227) | Data for the project factories stage. | | |
+| [providers](outputs.tf#L243) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · xx-sandbox · xx-teams |
+| [sandbox](outputs.tf#L250) | Data for the sandbox stage. | | xx-sandbox |
+| [security](outputs.tf#L264) | Data for the networking stage. | | 02-security |
+| [teams](outputs.tf#L295) | Data for the teams stage. | | |
+| [tfvars](outputs.tf#L308) | Terraform variable files for the following stages. | ✓ | |
diff --git a/fast/stages/01-resman/billing.tf b/fast/stages/01-resman/billing.tf
index 359232a7f..fe497c7c3 100644
--- a/fast/stages/01-resman/billing.tf
+++ b/fast/stages/01-resman/billing.tf
@@ -23,13 +23,12 @@ locals {
module.branch-network-sa.iam_email,
module.branch-security-sa.iam_email,
],
- local.branch_dataplatform_sa_iam_emails,
- local.branch_gke_sa_iam_emails,
- local.branch_pf_sa_iam_emails,
- # enable if individual teams can create their own projects
- # [
- # for k, v in module.branch-teams-team-sa : v.iam_email
- # ],
+ local.branch_optional_sa_lists.dp-dev,
+ local.branch_optional_sa_lists.dp-prod,
+ local.branch_optional_sa_lists.gke-dev,
+ local.branch_optional_sa_lists.gke-prod,
+ local.branch_optional_sa_lists.pf-dev,
+ local.branch_optional_sa_lists.pf-prod,
)
}
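Review bot: The reminder that was deleted here (`# enable if individual teams can create their own projects`) goes away in this hunk and in the matching `roles/billing.user` concat in organization.tf, while branch-teams.tf now grants `roles/resourcemanager.projectCreator` to `branch-teams-sa` and to every per-team SA; if those SAs are meant to create billed projects they also need `roles/billing.user`, and nothing in this diff adds it. Either keep a reminder next to the new `local.branch_optional_sa_lists.*` entries, e.g. `# teams SAs need roles/billing.user here if they create projects`, or extend the concat with the team SA emails; which one is intended is not visible from the diff. The enclosing `locals` block starts outside the hunk.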
diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
index bf15c4681..9f83fc2f9 100644
--- a/fast/stages/01-resman/branch-networking.tf
+++ b/fast/stages/01-resman/branch-networking.tf
@@ -50,11 +50,11 @@ module "branch-network-prod-folder" {
parent = module.branch-network-folder.id
name = "Production"
iam = {
- (local.custom_roles.service_project_network_admin) = compact([
- try(module.branch-dp-prod-sa.0.iam_email, ""),
- try(module.branch-pf-prod-sa.0.iam_email, ""),
- try(module.branch-gke-prod-sa.0.iam_email, ""),
- ])
+ (local.custom_roles.service_project_network_admin) = concat(
+ local.branch_optional_sa_lists.dp-prod,
+ local.branch_optional_sa_lists.gke-prod,
+ local.branch_optional_sa_lists.pf-prod,
+ )
}
tag_bindings = {
environment = try(
@@ -69,11 +69,11 @@ module "branch-network-dev-folder" {
parent = module.branch-network-folder.id
name = "Development"
iam = {
- (local.custom_roles.service_project_network_admin) = compact([
- try(module.branch-dp-dev-sa.0.iam_email, ""),
- try(module.branch-pf-dev-sa.0.iam_email, ""),
- try(module.branch-gke-dev-sa.iam_email, ""),
- ])
+ (local.custom_roles.service_project_network_admin) = concat(
+ local.branch_optional_sa_lists.dp-dev,
+ local.branch_optional_sa_lists.gke-dev,
+ local.branch_optional_sa_lists.pf-dev,
+ )
}
tag_bindings = {
environment = try(
diff --git a/fast/stages/01-resman/branch-teams.tf b/fast/stages/01-resman/branch-teams.tf
index 3c9a2d696..168e81caf 100644
--- a/fast/stages/01-resman/branch-teams.tf
+++ b/fast/stages/01-resman/branch-teams.tf
@@ -21,11 +21,22 @@ moved {
to = module.branch-teams-folder.0
}
+# TODO(ludo): add support for CI/CD
+
+############### top-level Teams branch and automation resources ###############
+
module "branch-teams-folder" {
source = "../../../modules/folder"
count = var.fast_features.teams ? 1 : 0
parent = "organizations/${var.organization.id}"
name = "Teams"
+ iam = {
+ "roles/logging.admin" = [module.branch-teams-sa.0.iam_email]
+ "roles/owner" = [module.branch-teams-sa.0.iam_email]
+ "roles/resourcemanager.folderAdmin" = [module.branch-teams-sa.0.iam_email]
+ "roles/resourcemanager.projectCreator" = [module.branch-teams-sa.0.iam_email]
+ "roles/compute.xpnAdmin" = [module.branch-teams-sa.0.iam_email]
+ }
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.context}/teams"].id, null
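Review bot: The new `iam` map on the top-level Teams folder grants `roles/owner` to `branch-teams-sa` without the reminder the env folders further down carry (`# remove owner here and at project level if SA does not manage project resources`); since a folder-level owner binding is inherited by every per-team folder and project created under it, the same comment belongs above the `"roles/owner"` line here and in the per-team folder block in the next hunk. The indexed reference `module.branch-teams-sa.0.iam_email` only works because both modules share the `var.fast_features.teams ? 1 : 0` count; a one-line comment such as `# same count gate as module.branch-teams-sa` would make that coupling explicit. The `branch-teams-folder` module block continues outside the hunk.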
@@ -33,27 +44,44 @@ module "branch-teams-folder" {
}
}
-moved {
- from = module.branch-teams-prod-sa
- to = module.branch-teams-prod-sa.0
-}
-
-module "branch-teams-prod-sa" {
+module "branch-teams-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.teams ? 1 : 0
project_id = var.automation.project_id
name = "prod-resman-teams-0"
- description = "Terraform resman production service account."
+ description = "Terraform resman teams service account."
prefix = var.prefix
+ iam_storage_roles = {
+ (var.automation.outputs_bucket) = ["roles/storage.admin"]
+ }
}
-# Team-level folders, service accounts and buckets for each individual team
+module "branch-teams-gcs" {
+ source = "../../../modules/gcs"
+ count = var.fast_features.teams ? 1 : 0
+ project_id = var.automation.project_id
+ name = "prod-resman-teams-0"
+ prefix = var.prefix
+ versioning = true
+ iam = {
+ "roles/storage.objectAdmin" = [module.branch-teams-sa.0.iam_email]
+ }
+}
+
+################## per-team folders and automation resources ##################
module "branch-teams-team-folder" {
- source = "../../../modules/folder"
- for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
- parent = module.branch-teams-folder.0.id
- name = each.value.descriptive_name
+ source = "../../../modules/folder"
+ for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
+ parent = module.branch-teams-folder.0.id
+ name = each.value.descriptive_name
+ iam = {
+ "roles/logging.admin" = [module.branch-teams-team-sa[each.key].iam_email]
+ "roles/owner" = [module.branch-teams-team-sa[each.key].iam_email]
+ "roles/resourcemanager.folderAdmin" = [module.branch-teams-team-sa[each.key].iam_email]
+ "roles/resourcemanager.projectCreator" = [module.branch-teams-team-sa[each.key].iam_email]
+ "roles/compute.xpnAdmin" = [module.branch-teams-team-sa[each.key].iam_email]
+ }
group_iam = each.value.group_iam == null ? {} : each.value.group_iam
}
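Review bot: Renaming `module.branch-teams-prod-sa` to `module.branch-teams-sa` without a `moved` block makes Terraform plan a destroy-and-create of the service account `prod-resman-teams-0` (the `name` is unchanged) on existing deployments, and the `moved` block deleted at the top of the hunk only covered the earlier count migration. Add `moved { from = module.branch-teams-prod-sa  to = module.branch-teams-sa }` next to the remaining `moved` blocks so state follows the rename, and keep the deleted block as well if state may still hold the pre-count address, so the moves chain. A replace would presumably also drop the SA's existing bindings on the automation project and outputs bucket for the duration of the apply, which is worth avoiding for an account that other stages' providers depend on.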
@@ -85,7 +113,7 @@ module "branch-teams-team-gcs" {
}
}
-# project factory per-team environment folders
+# per-team environment folders where project factory SAs can create projects
module "branch-teams-team-dev-folder" {
source = "../../../modules/folder"
@@ -96,12 +124,14 @@ module "branch-teams-team-dev-folder" {
# environment-wide human permissions on the whole teams environment
group_iam = {}
iam = {
- (local.custom_roles.service_project_network_admin) = [module.branch-pf-dev-sa.0.iam_email]
+ (local.custom_roles.service_project_network_admin) = (
+ local.branch_optional_sa_lists.pf-dev
+ )
# remove owner here and at project level if SA does not manage project resources
- "roles/owner" = [module.branch-pf-dev-sa.0.iam_email]
- "roles/logging.admin" = [module.branch-pf-dev-sa.0.iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-pf-dev-sa.0.iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-pf-dev-sa.0.iam_email]
+ "roles/owner" = local.branch_optional_sa_lists.pf-dev
+ "roles/logging.admin" = local.branch_optional_sa_lists.pf-dev
+ "roles/resourcemanager.folderAdmin" = local.branch_optional_sa_lists.pf-dev
+ "roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-dev
}
tag_bindings = {
environment = try(
@@ -119,12 +149,14 @@ module "branch-teams-team-prod-folder" {
# environment-wide human permissions on the whole teams environment
group_iam = {}
iam = {
- (local.custom_roles.service_project_network_admin) = [module.branch-pf-prod-sa.0.iam_email]
+ (local.custom_roles.service_project_network_admin) = (
+ local.branch_optional_sa_lists.pf-prod
+ )
# remove owner here and at project level if SA does not manage project resources
- "roles/owner" = [module.branch-pf-prod-sa.0.iam_email]
- "roles/logging.admin" = [module.branch-pf-prod-sa.0.iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-pf-prod-sa.0.iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-pf-prod-sa.0.iam_email]
+ "roles/owner" = local.branch_optional_sa_lists.pf-prod
+ "roles/logging.admin" = local.branch_optional_sa_lists.pf-prod
+ "roles/resourcemanager.folderAdmin" = local.branch_optional_sa_lists.pf-prod
+ "roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-prod
}
tag_bindings = {
environment = try(
diff --git a/fast/stages/01-resman/main.tf b/fast/stages/01-resman/main.tf
index 590c40271..f754306e4 100644
--- a/fast/stages/01-resman/main.tf
+++ b/fast/stages/01-resman/main.tf
@@ -26,6 +26,14 @@ locals {
billing_ext = var.billing_account.organization_id == null
billing_org = var.billing_account.organization_id == var.organization.id
billing_org_ext = !local.billing_ext && !local.billing_org
+ branch_optional_sa_lists = {
+ dp-dev = compact([try(module.branch-dp-dev-sa.0.iam_email, "")])
+ dp-prod = compact([try(module.branch-dp-prod-sa.0.iam_email, "")])
+ gke-dev = compact([try(module.branch-gke-dev-sa.0.iam_email, "")])
+ gke-prod = compact([try(module.branch-gke-prod-sa.0.iam_email, "")])
+ pf-dev = compact([try(module.branch-pf-dev-sa.0.iam_email, "")])
+ pf-prod = compact([try(module.branch-pf-prod-sa.0.iam_email, "")])
+ }
cicd_repositories = {
for k, v in coalesce(var.cicd_repositories, {}) : k => v
if(
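Review bot: The `branch_optional_sa_lists` entries added at the top of the hunk gate on `try()` rather than on the feature flag, so any evaluation error on e.g. `module.branch-dp-dev-sa.0.iam_email` (not only the count-0 case) is silently turned into an empty member list and the corresponding IAM grants in billing.tf, organization.tf and the folder modules simply disappear from the plan. The locals removed from organization.tf used the explicit form; keeping it here, e.g. `dp-dev = var.fast_features.data_platform ? [module.branch-dp-dev-sa.0.iam_email] : []` with `gke` and `project_factory` for the other pairs, fails loudly instead. At minimum a comment above the map, `# empty lists for branches disabled via var.fast_features; consumers concat these`, would make the contract visible. The enclosing `locals` block continues outside the hunk.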
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 913a5f86e..6596f9c00 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -18,30 +18,6 @@
locals {
- branch_dataplatform_sa_iam_emails = (
- var.fast_features.data_platform
- ? [
- module.branch-dp-dev-sa.0.iam_email,
- module.branch-dp-prod-sa.0.iam_email
- ]
- : []
- )
- branch_gke_sa_iam_emails = (
- var.fast_features.gke
- ? [
- module.branch-gke-dev-sa.0.iam_email,
- module.branch-gke-prod-sa.0.iam_email
- ]
- : []
- )
- branch_pf_sa_iam_emails = (
- var.fast_features.project_factory
- ? [
- module.branch-pf-dev-sa.0.iam_email,
- module.branch-pf-prod-sa.0.iam_email
- ]
- : []
- )
list_allow = {
inherit_from_parent = false
suggested_value = null
@@ -79,19 +55,21 @@ module "organization" {
]
},
local.billing_org ? {
- "roles/billing.costsManager" = local.branch_pf_sa_iam_emails
+ "roles/billing.costsManager" = concat(
+ local.branch_optional_sa_lists.pf-dev,
+ local.branch_optional_sa_lists.pf-prod
+ )
"roles/billing.user" = concat(
[
module.branch-network-sa.iam_email,
module.branch-security-sa.iam_email,
],
- local.branch_dataplatform_sa_iam_emails,
- local.branch_gke_sa_iam_emails,
- local.branch_pf_sa_iam_emails,
- # enable if individual teams can create their own projects
- # [
- # for k, v in module.branch-teams-team-sa : v.iam_email
- # ],
+ local.branch_optional_sa_lists.dp-dev,
+ local.branch_optional_sa_lists.dp-prod,
+ local.branch_optional_sa_lists.gke-dev,
+ local.branch_optional_sa_lists.gke-prod,
+ local.branch_optional_sa_lists.pf-dev,
+ local.branch_optional_sa_lists.pf-prod,
)
} : {}
)
diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
index f5ccc6bab..804662aed 100644
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
@@ -142,7 +142,24 @@ locals {
name = "sandbox"
sa = module.branch-sandbox-sa.0.email
})
- }
+ },
+ !var.fast_features.teams ? {} : merge(
+ {
+ "03-teams" = templatefile(local._tpl_providers, {
+ bucket = module.branch-teams-gcs.0.name
+ name = "teams"
+ sa = module.branch-teams-sa.0.email
+ })
+ },
+ {
+ for k, v in module.branch-teams-team-sa :
+ "03-teams-${k}" => templatefile(local._tpl_providers, {
+ bucket = module.branch-teams-team-gcs[k].name
+ name = "teams"
+ sa = v.email
+ })
+ }
+ )
)
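Review bot: Every per-team provider file keyed `03-teams-${k}` passes `name = "teams"` to the template, the same value as the top-level `03-teams` entry; if `_tpl_providers` uses `name` as the state prefix this is only safe because each team gets its own bucket from `module.branch-teams-team-gcs[k]`, so a short comment, `# one bucket per team, so sharing the "teams" prefix cannot collide`, would save the next reader that check. The 01-resman README in this diff still lists the providers consumer as `xx-teams` while the key written here is `03-teams`; worth aligning if that column is maintained by hand. The enclosing `locals` block and the `providers` merge start outside the hunk.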
service_accounts = merge(
{
@@ -155,7 +172,7 @@ locals {
project-factory-prod = try(module.branch-pf-prod-sa.0.email, null)
sandbox = try(module.branch-sandbox-sa.0.email, null)
security = module.branch-security-sa.email
- teams = try(module.branch-teams-prod-sa.0.email, null)
+ teams = try(module.branch-teams-sa.0.email, null)
},
{
for k, v in module.branch-teams-team-sa : "team-${k}" => v.email
diff --git a/fast/stages/02-networking-nva/README.md b/fast/stages/02-networking-nva/README.md
index dbf04a766..91071b2c0 100644
--- a/fast/stages/02-networking-nva/README.md
+++ b/fast/stages/02-networking-nva/README.md
@@ -377,9 +377,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [onprem_cidr](variables.tf#L107) | Onprem addresses in name => range format. | map(string) | | {…} | |
| [outputs_location](variables.tf#L125) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
| [psa_ranges](variables.tf#L142) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [router_configs](variables.tf#L183) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L206) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L220) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [region_trigram](variables.tf#L183) | Short names for GCP regions. | map(string) | | {…} | |
+| [router_configs](variables.tf#L192) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L229) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-nva/variables.tf b/fast/stages/02-networking-nva/variables.tf
index 594afd26d..1d94ec034 100644
--- a/fast/stages/02-networking-nva/variables.tf
+++ b/fast/stages/02-networking-nva/variables.tf
@@ -180,6 +180,15 @@ variable "psa_ranges" {
# }
}
+variable "region_trigram" {
+ description = "Short names for GCP regions."
+ type = map(string)
+ default = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ }
+}
+
variable "router_configs" {
description = "Configurations for CRs and onprem routers."
type = map(object({
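Review bot: `region_trigram` is consumed as `var.region_trigram[each.value]` in the peering and vpn spoke Cloud NAT modules (presumably the nva stage does the same), so a region configured elsewhere in the stage without an entry here fails at plan time with an invalid-index error that never names this variable; the description should state the contract, e.g. `description = "Short names for GCP regions. Every region used by the stage's spokes must have an entry."`. As far as I know a `validation` block can only reference the variable itself, so the description is the practical place to say it. The same applies to the identical variable added in 02-networking-peering/variables.tf and 02-networking-vpn/variables.tf.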
diff --git a/fast/stages/02-networking-peering/README.md b/fast/stages/02-networking-peering/README.md
index 351af478a..0e5c72a7b 100644
--- a/fast/stages/02-networking-peering/README.md
+++ b/fast/stages/02-networking-peering/README.md
@@ -301,9 +301,10 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
| [peering_configs](variables-peerings.tf#L19) | Peering configurations. | map(object({…})) | | {…} | |
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [region_trigram](variables.tf#L166) | Short names for GCP regions. | map(string) | | {…} | |
+| [router_onprem_configs](variables.tf#L175) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L207) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-peering/main.tf b/fast/stages/02-networking-peering/main.tf
index de6264649..f68d39eb8 100644
--- a/fast/stages/02-networking-peering/main.tf
+++ b/fast/stages/02-networking-peering/main.tf
@@ -25,10 +25,6 @@ locals {
name = "${env}-l7ilb-${s.region}"
})]
}
- region_trigram = {
- europe-west1 = "ew1"
- europe-west3 = "ew3"
- }
stage3_sas_delegated_grants = [
"roles/composer.sharedVpcAgent",
"roles/compute.networkUser",
diff --git a/fast/stages/02-networking-peering/spoke-dev.tf b/fast/stages/02-networking-peering/spoke-dev.tf
index f2c657280..5b6f5d92e 100644
--- a/fast/stages/02-networking-peering/spoke-dev.tf
+++ b/fast/stages/02-networking-peering/spoke-dev.tf
@@ -92,7 +92,7 @@ module "dev-spoke-cloudnat" {
source = "../../../modules/net-cloudnat"
project_id = module.dev-spoke-project.project_id
region = each.value
- name = "dev-nat-${local.region_trigram[each.value]}"
+ name = "dev-nat-${var.region_trigram[each.value]}"
router_create = true
router_network = module.dev-spoke-vpc.name
router_asn = 4200001024
diff --git a/fast/stages/02-networking-peering/spoke-prod.tf b/fast/stages/02-networking-peering/spoke-prod.tf
index 30608d3a9..d58bfebc4 100644
--- a/fast/stages/02-networking-peering/spoke-prod.tf
+++ b/fast/stages/02-networking-peering/spoke-prod.tf
@@ -92,7 +92,7 @@ module "prod-spoke-cloudnat" {
source = "../../../modules/net-cloudnat"
project_id = module.prod-spoke-project.project_id
region = each.value
- name = "prod-nat-${local.region_trigram[each.value]}"
+ name = "prod-nat-${var.region_trigram[each.value]}"
router_create = true
router_network = module.prod-spoke-vpc.name
router_asn = 4200001024
diff --git a/fast/stages/02-networking-peering/variables.tf b/fast/stages/02-networking-peering/variables.tf
index 018e39832..111633e6d 100644
--- a/fast/stages/02-networking-peering/variables.tf
+++ b/fast/stages/02-networking-peering/variables.tf
@@ -163,6 +163,15 @@ variable "psa_ranges" {
# }
}
+variable "region_trigram" {
+ description = "Short names for GCP regions."
+ type = map(string)
+ default = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ }
+}
+
variable "router_onprem_configs" {
description = "Configurations for routers used for onprem connectivity."
type = map(object({
diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md
index 36cfc7e9d..010b2246c 100644
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
@@ -325,10 +325,11 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [l7ilb_subnets](variables.tf#L84) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
+| [region_trigram](variables.tf#L166) | Short names for GCP regions. | map(string) | | {…} | |
+| [router_onprem_configs](variables.tf#L175) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L207) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-vpn/main.tf b/fast/stages/02-networking-vpn/main.tf
index de6264649..f68d39eb8 100644
--- a/fast/stages/02-networking-vpn/main.tf
+++ b/fast/stages/02-networking-vpn/main.tf
@@ -25,10 +25,6 @@ locals {
name = "${env}-l7ilb-${s.region}"
})]
}
- region_trigram = {
- europe-west1 = "ew1"
- europe-west3 = "ew3"
- }
stage3_sas_delegated_grants = [
"roles/composer.sharedVpcAgent",
"roles/compute.networkUser",
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index f2c657280..5b6f5d92e 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -92,7 +92,7 @@ module "dev-spoke-cloudnat" {
source = "../../../modules/net-cloudnat"
project_id = module.dev-spoke-project.project_id
region = each.value
- name = "dev-nat-${local.region_trigram[each.value]}"
+ name = "dev-nat-${var.region_trigram[each.value]}"
router_create = true
router_network = module.dev-spoke-vpc.name
router_asn = 4200001024
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index 30608d3a9..d58bfebc4 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -92,7 +92,7 @@ module "prod-spoke-cloudnat" {
source = "../../../modules/net-cloudnat"
project_id = module.prod-spoke-project.project_id
region = each.value
- name = "prod-nat-${local.region_trigram[each.value]}"
+ name = "prod-nat-${var.region_trigram[each.value]}"
router_create = true
router_network = module.prod-spoke-vpc.name
router_asn = 4200001024
diff --git a/fast/stages/02-networking-vpn/variables.tf b/fast/stages/02-networking-vpn/variables.tf
index 018e39832..111633e6d 100644
--- a/fast/stages/02-networking-vpn/variables.tf
+++ b/fast/stages/02-networking-vpn/variables.tf
@@ -163,6 +163,15 @@ variable "psa_ranges" {
# }
}
+variable "region_trigram" {
+ description = "Short names for GCP regions."
+ type = map(string)
+ default = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ }
+}
+
variable "router_onprem_configs" {
description = "Configurations for routers used for onprem connectivity."
type = map(object({
diff --git a/tests/fast/stages/s02_networking_peering/fixture/main.tf b/tests/fast/stages/s02_networking_peering/fixture/main.tf
index b7a0577f6..a2ed52474 100644
--- a/tests/fast/stages/s02_networking_peering/fixture/main.tf
+++ b/tests/fast/stages/s02_networking_peering/fixture/main.tf
@@ -32,6 +32,11 @@ module "stage" {
networking-dev = null
networking-prod = null
}
+ region_trigram = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ europe-west8 = "ew8"
+ }
service_accounts = {
data-platform-dev = "string"
data-platform-prod = "string"
diff --git a/tests/fast/stages/s02_networking_vpn/fixture/main.tf b/tests/fast/stages/s02_networking_vpn/fixture/main.tf
index a3c1885ea..2ddb024fc 100644
--- a/tests/fast/stages/s02_networking_vpn/fixture/main.tf
+++ b/tests/fast/stages/s02_networking_vpn/fixture/main.tf
@@ -32,6 +32,11 @@ module "stage" {
networking-dev = null
networking-prod = null
}
+ region_trigram = {
+ europe-west1 = "ew1"
+ europe-west3 = "ew3"
+ europe-west8 = "ew8"
+ }
service_accounts = {
data-platform-dev = "string"
data-platform-prod = "string"