committed by
GitHub
parent
9a51c4d196
commit
2fc2f8fb92
@@ -41,22 +41,62 @@ module "automation-project" {
|
||||
tags = merge(local.tags, {
|
||||
(var.tag_names.context) = {
|
||||
description = "Resource management context."
|
||||
iam = {}
|
||||
iam = try(local.tags.context.iam, {})
|
||||
values = {
|
||||
data = {}
|
||||
gke = {}
|
||||
gcve = {}
|
||||
networking = {}
|
||||
sandbox = {}
|
||||
security = {}
|
||||
data = {
|
||||
iam = try(local.tags.context.values.data.iam, {})
|
||||
description = try(local.tags.context.values.data.description, null)
|
||||
}
|
||||
gke = {
|
||||
iam = try(local.tags.context.values.gke.iam, {})
|
||||
description = try(local.tags.context.values.gke.description, null)
|
||||
}
|
||||
gcve = {
|
||||
iam = try(local.tags.context.values.gcve.iam, {})
|
||||
description = try(local.tags.context.values.gcve.description, null)
|
||||
}
|
||||
networking = {
|
||||
iam = try(local.tags.context.values.networking.iam, {})
|
||||
description = try(local.tags.context.values.networking.description, null)
|
||||
}
|
||||
project-factory = {
|
||||
iam = try(local.tags.context.values.project-factory.iam, {})
|
||||
description = try(local.tags.context.values.project-factory.description, null)
|
||||
}
|
||||
sandbox = {
|
||||
iam = try(local.tags.context.values.sandbox.iam, {})
|
||||
description = try(local.tags.context.values.sandbox.description, null)
|
||||
}
|
||||
security = {
|
||||
iam = try(local.tags.context.values.security.iam, {})
|
||||
description = try(local.tags.context.values.security.description, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
(var.tag_names.environment) = {
|
||||
description = "Environment definition."
|
||||
iam = {}
|
||||
iam = try(local.tags.environment.iam, {})
|
||||
values = {
|
||||
development = {}
|
||||
production = {}
|
||||
development = {
|
||||
iam = try(local.tags.environment.values.development.iam, {})
|
||||
iam_bindings = {
|
||||
pf = {
|
||||
members = [module.branch-pf-sa.iam_email]
|
||||
role = "roles/resourcemanager.tagUser"
|
||||
}
|
||||
}
|
||||
description = try(local.tags.environment.values.development.description, null)
|
||||
}
|
||||
production = {
|
||||
iam = try(local.tags.environment.values.production.iam, {})
|
||||
iam_bindings = {
|
||||
pf = {
|
||||
members = [module.branch-pf-sa.iam_email]
|
||||
role = "roles/resourcemanager.tagUser"
|
||||
}
|
||||
}
|
||||
description = try(local.tags.environment.values.production.description, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
})
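Review bot: The overridden tag entries are written under `(var.tag_names.context)` and `(var.tag_names.environment)`, but every `try()` on the new side reads `local.tags.context.…` / `local.tags.environment.…` with the default key names hard-coded, so if `tag_names` is customizable the user-supplied IAM and descriptions for these tags would be silently replaced by `{}` / `null`, because `try()` returns its fallback on any lookup error including a missing key. Reading through the variable keeps both sides consistent, e.g. `iam = try(local.tags[var.tag_names.context].iam, {})` and likewise for the nested `values`, assuming `local.tags` is keyed by the same names as the merged map; its definition is outside this hunk. Since `merge()` replaces the whole entry, any extra `values` a deployment defined under these tags in `local.tags` are dropped rather than merged, and the `iam_bindings` granting `roles/resourcemanager.tagUser` to `module.branch-pf-sa.iam_email` on both environment values are not combined with user-provided bindings either; a comment above `tags = merge(local.tags, {` stating that only `iam` and `description` of the listed values are carried over would make that contract explicit. The enclosing `module "automation-project"` block starts and ends outside the hunk.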
|
||||
|
||||
@@ -68,7 +68,7 @@ locals {
|
||||
module "top-level-folder" {
|
||||
source = "../../../modules/folder"
|
||||
for_each = local.top_level_folders
|
||||
parent = "organizations/${var.organization.id}"
|
||||
parent = local.root_node
|
||||
name = each.value.name
|
||||
contacts = each.value.contacts
|
||||
firewall_policy = each.value.firewall_policy
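Review bot: `parent = local.root_node` now places every top-level folder under whatever that local resolves to, and no validation of the value is visible; if it derives from a user-supplied `var.root_node` in `folders/nnnn` format, a `validation` block on that variable such as `condition = var.root_node == null || can(regex("^folders/[0-9]+$", var.root_node))` would fail early instead of creating the hierarchy under a wrong or malformed parent. The definition of `local.root_node` and its fallback to the organization are outside this hunk, so confirm it still yields `organizations/${var.organization.id}` when the variable is null. For existing deployments, the plan should show a folder move rather than a destroy/recreate of `module.top-level-folder` when `parent` changes, which is worth checking before apply since IAM and child resources live under these folders.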
|
||||
|
||||
@@ -309,13 +309,13 @@ gcloud storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-boot
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string project_id = string project_number = string federated_identity_pool = string federated_identity_providers = map(object({ audiences = list(string) issuer = string issuer_uri = string name = string principal_branch = string principal_repo = string })) service_accounts = object({ resman = string resman-r = string }) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object({ id = string is_org_level = optional(bool, true) no_iam = optional(bool, false) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [logging](variables-fast.tf#L96) | Logging resources created by the bootstrap stage. | <code title="object({ project_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [org_policy_tags](variables-fast.tf#L115) | Organization policy tags. | <code title="object({ key_id = string key_name = string values = map(string) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [organization](variables-fast.tf#L105) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables-fast.tf#L132) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object({ gcve_network_admin = string network_firewall_policies_admin = string ngfw_enterprise_admin = string organization_admin_viewer = string service_project_network_admin = string storage_viewer = string tenant_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "EU") gcs = optional(string, "EU") logging = optional(string, "global") pubsub = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [logging](variables-fast.tf#L99) | Logging resources created by the bootstrap stage. | <code title="object({ project_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [org_policy_tags](variables-fast.tf#L118) | Organization policy tags. | <code title="object({ key_id = string key_name = string values = map(string) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [organization](variables-fast.tf#L108) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables-fast.tf#L135) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object({ gcve_network_admin = string network_firewall_policies_admin = string network_firewall_policies_viewer = optional(string) ngfw_enterprise_admin = optional(string) ngfw_enterprise_viewer = optional(string) organization_admin_viewer = string service_project_network_admin = string storage_viewer = string tenant_network_admin = string })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [groups](variables-fast.tf#L71) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [locations](variables-fast.tf#L86) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "EU") gcs = optional(string, "EU") logging = optional(string, "global") pubsub = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [outputs_location](variables.tf#L17) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [root_node](variables.tf#L23) | Root folder under which tenants are created, in folders/nnnn format. Defaults to the organization if null. | <code>string</code> | | <code>null</code> | |
|
||||
| [tag_names](variables.tf#L36) | Customized names for resource management tags. | <code title="object({ tenant = optional(string, "tenant") })">object({…})</code> | | <code>{}</code> | |
|
||||
|
||||
@@ -56,11 +56,14 @@ variable "custom_roles" {
|
||||
type = object({
|
||||
gcve_network_admin = string
|
||||
network_firewall_policies_admin = string
|
||||
ngfw_enterprise_admin = string
|
||||
organization_admin_viewer = string
|
||||
service_project_network_admin = string
|
||||
storage_viewer = string
|
||||
tenant_network_admin = string
|
||||
# TODO: remove after v34.0.0
|
||||
network_firewall_policies_viewer = optional(string)
|
||||
ngfw_enterprise_admin = optional(string)
|
||||
ngfw_enterprise_viewer = optional(string)
|
||||
organization_admin_viewer = string
|
||||
service_project_network_admin = string
|
||||
storage_viewer = string
|
||||
tenant_network_admin = string
|
||||
})
|
||||
default = null
|
||||
}
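Review bot: Changing `ngfw_enterprise_admin` from `string` to `optional(string)` means `var.custom_roles.ngfw_enterprise_admin` can now be `null`, and any IAM binding elsewhere in the stage that still interpolates it into a role id will fail at plan time or, if wrapped in `try()`, silently drop the grant; those consumers are outside this hunk and should be checked. The `# TODO: remove after v34.0.0` comment sits between the required and optional attributes and does not say what is to be removed; a clearer form would be `# TODO(v34.0.0): drop the optional() wrappers once 0-bootstrap always exports these roles`, hedged since the intent is presumably compatibility with older bootstrap outputs. A one-line comment on `default = null` describing how consumers treat the whole object being `null` versus a single attribute being `null` would help readers distinguish the two cases.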
|
||||
|
||||