diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md
index 5c32c0fa0..be97c8658 100644
--- a/fast/stages/2-networking-a-simple/README.md
+++ b/fast/stages/2-networking-a-simple/README.md
@@ -456,21 +456,20 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
| [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables-fast.tf#L59) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables-fast.tf#L69) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L79) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [folder_ids](variables-fast.tf#L50) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [organization](variables-fast.tf#L60) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables-fast.tf#L70) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
| [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | |
-| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
| [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
| [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | |
| [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | |
| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [fast_features](variables-fast.tf#L49) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
+| [fast_features](variables-fast.tf#L40) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
| [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
| [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | |
| [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables-fast.tf#L89) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [service_accounts](variables-fast.tf#L80) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
| [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | |
| [vpn_onprem_primary_config](variables.tf#L180) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
diff --git a/fast/stages/2-networking-a-simple/main.tf b/fast/stages/2-networking-a-simple/main.tf
index ec4670cd3..1587f0582 100644
--- a/fast/stages/2-networking-a-simple/main.tf
+++ b/fast/stages/2-networking-a-simple/main.tf
@@ -17,7 +17,6 @@
# tfdoc:file:description Networking folder and hierarchical policy.
locals {
- custom_roles = coalesce(var.custom_roles, {})
service_accounts = {
for k, v in coalesce(var.service_accounts, {}) :
k => "serviceAccount:${v}" if v != null
diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf
index 7322bce13..69624c557 100644
--- a/fast/stages/2-networking-a-simple/net-dev.tf
+++ b/fast/stages/2-networking-a-simple/net-dev.tf
@@ -46,9 +46,6 @@ module "dev-spoke-project" {
iam = {
"roles/dns.admin" = compact([
try(local.service_accounts.gke-dev, null),
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-dev, null),
- try(local.service_accounts.project-factory-prod, null),
])
}
# allow specific service accounts to assign a set of roles
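Review bot: The project-factory service accounts lose `roles/dns.admin` on the spoke project with no replacement grant visible anywhere in this commit, and the same removal is made in net-prod.tf of this stage and in the net-dev.tf/net-prod.tf hunks of 2-networking-b-nva and 2-networking-c-separate-envs. If the project factory still creates DNS zones in the spoke projects, that permission now has to come from another stage; if it has deliberately moved, a one-line comment above the binding would stop the entries from being re-added later, e.g. `# DNS admin for project-factory SAs is no longer granted in this stage`. With a single candidate left, `compact()` yields an empty member list whenever `gke-dev` is unset, which is worth checking against how the project module treats an empty authoritative `google_project_iam_binding`. The `module "dev-spoke-project"` block starts before the hunk.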
diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf
index 3c4c7c319..164cfdc25 100644
--- a/fast/stages/2-networking-a-simple/net-landing.tf
+++ b/fast/stages/2-networking-a-simple/net-landing.tf
@@ -32,16 +32,6 @@ module "landing-project" {
shared_vpc_host_config = {
enabled = true
}
- iam = {
- "roles/dns.admin" = compact([
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-prod, null)
- ])
- (local.custom_roles.service_project_network_admin) = compact([
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-prod, null)
- ])
- }
}
module "landing-vpc" {
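Review bot: Removing the whole `iam` block drops the `service_project_network_admin` custom-role binding for the project-factory service accounts on a project that is still configured as a Shared VPC host (`shared_vpc_host_config.enabled = true` a few lines above), and the identical block is removed from 2-networking-b-nva/net-landing.tf. Attaching service projects to this host and consuming its subnets presumably still needs that permission from somewhere, so it is worth confirming where the project factory now obtains it and recording that in the file, e.g. `# host-project IAM for the project factory is granted outside this stage`. The `module "landing-project"` block starts before the hunk.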
diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf
index fe2d0b6b5..813cd5bf1 100644
--- a/fast/stages/2-networking-a-simple/net-prod.tf
+++ b/fast/stages/2-networking-a-simple/net-prod.tf
@@ -46,8 +46,6 @@ module "prod-spoke-project" {
iam = {
"roles/dns.admin" = compact([
try(local.service_accounts.gke-prod, null),
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-prod, null),
])
}
# allow specific service accounts to assign a set of roles
diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf
index 85f102368..e9c032671 100644
--- a/fast/stages/2-networking-a-simple/variables-fast.tf
+++ b/fast/stages/2-networking-a-simple/variables-fast.tf
@@ -37,15 +37,6 @@ variable "billing_account" {
}
}
-variable "custom_roles" {
- # tfdoc:variable:source 0-bootstrap
- description = "Custom roles defined at the org level, in key => id format."
- type = object({
- service_project_network_admin = string
- })
- default = null
-}
-
variable "fast_features" {
# tfdoc:variable:source 0-0-bootstrap
description = "Selective control for top-level FAST features."
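Review bot: The `custom_roles` variable is deleted although its `# tfdoc:variable:source 0-bootstrap` marker shows the value is supplied by the bootstrap stage's generated tfvars, and the same declaration is removed in 2-networking-b-nva/variables-fast.tf. If that tfvars file still carries a `custom_roles` key, Terraform will likely warn about a value for an undeclared variable on every plan; either drop the key from the bootstrap outputs consumed by these stages or note in the stage README that the warning is expected until bootstrap is re-applied. The README link offsets in this commit already reflect the removal, so only the input side needs checking.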
diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md
index 5b28c70aa..548863fcd 100644
--- a/fast/stages/2-networking-b-nva/README.md
+++ b/fast/stages/2-networking-b-nva/README.md
@@ -518,23 +518,22 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [folder_ids](variables-fast.tf#L48) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [organization](variables-fast.tf#L58) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
| [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | |
-| [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
| [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
| [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | |
| [enable_ncc_ra](variables.tf#L65) | Deploy NCC Router Appliance to create a BGP session between core VPCs and the appliances. | bool | | false | |
| [essential_contacts](variables.tf#L72) | Email used for essential contacts, unset if null. | string | | null | |
| [factories_config](variables.tf#L78) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
+| [fast_features](variables-fast.tf#L38) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
| [gcp_ranges](variables.tf#L99) | GCP address ranges in name => range format. | map(string) | | {…} | |
| [outputs_location](variables.tf#L114) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
| [psa_ranges](variables.tf#L120) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
| [regions](variables.tf#L140) | Region definitions. | object({…}) | | {…} | |
-| [service_accounts](variables-fast.tf#L87) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
+| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman |
| [vpn_onprem_primary_config](variables.tf#L152) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
| [vpn_onprem_secondary_config](variables.tf#L195) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
diff --git a/fast/stages/2-networking-b-nva/main.tf b/fast/stages/2-networking-b-nva/main.tf
index fc514d00c..44e44ee7b 100644
--- a/fast/stages/2-networking-b-nva/main.tf
+++ b/fast/stages/2-networking-b-nva/main.tf
@@ -17,8 +17,7 @@
# tfdoc:file:description Networking folder and hierarchical policy.
locals {
- custom_roles = coalesce(var.custom_roles, {})
- nva_zones = ["b", "c"]
+ nva_zones = ["b", "c"]
# combine all regions from variables and subnets
regions = distinct(concat(
values(var.regions),
diff --git a/fast/stages/2-networking-b-nva/net-dev.tf b/fast/stages/2-networking-b-nva/net-dev.tf
index 1efc3ea77..a2d4678c6 100644
--- a/fast/stages/2-networking-b-nva/net-dev.tf
+++ b/fast/stages/2-networking-b-nva/net-dev.tf
@@ -45,9 +45,6 @@ module "dev-spoke-project" {
iam = {
"roles/dns.admin" = compact([
try(local.service_accounts.gke-dev, null),
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-dev, null),
- try(local.service_accounts.project-factory-prod, null),
])
}
# allow specific service accounts to assign a set of roles
diff --git a/fast/stages/2-networking-b-nva/net-landing.tf b/fast/stages/2-networking-b-nva/net-landing.tf
index faff17982..e0d24e9ce 100644
--- a/fast/stages/2-networking-b-nva/net-landing.tf
+++ b/fast/stages/2-networking-b-nva/net-landing.tf
@@ -38,16 +38,6 @@ module "landing-project" {
shared_vpc_host_config = {
enabled = true
}
- iam = {
- "roles/dns.admin" = compact([
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-prod, null)
- ])
- (local.custom_roles.service_project_network_admin) = compact([
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-prod, null)
- ])
- }
}
# DMZ (untrusted) VPC
diff --git a/fast/stages/2-networking-b-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf
index 1a1d6aa34..62b9ae523 100644
--- a/fast/stages/2-networking-b-nva/net-prod.tf
+++ b/fast/stages/2-networking-b-nva/net-prod.tf
@@ -45,8 +45,6 @@ module "prod-spoke-project" {
iam = {
"roles/dns.admin" = compact([
try(local.service_accounts.gke-prod, null),
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-prod, null),
])
}
# allow specific service accounts to assign a set of roles
diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf
index e3c44bf63..bdb3ae8d7 100644
--- a/fast/stages/2-networking-b-nva/variables-fast.tf
+++ b/fast/stages/2-networking-b-nva/variables-fast.tf
@@ -35,15 +35,6 @@ variable "billing_account" {
}
}
-variable "custom_roles" {
- # tfdoc:variable:source 0-bootstrap
- description = "Custom roles defined at the org level, in key => id format."
- type = object({
- service_project_network_admin = string
- })
- default = null
-}
-
variable "fast_features" {
# tfdoc:variable:source 0-0-bootstrap
description = "Selective control for top-level FAST features."
diff --git a/fast/stages/2-networking-c-separate-envs/net-dev.tf b/fast/stages/2-networking-c-separate-envs/net-dev.tf
index c12957632..a0422c5ee 100644
--- a/fast/stages/2-networking-c-separate-envs/net-dev.tf
+++ b/fast/stages/2-networking-c-separate-envs/net-dev.tf
@@ -45,9 +45,6 @@ module "dev-spoke-project" {
iam = {
"roles/dns.admin" = compact([
try(local.service_accounts.gke-dev, null),
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-dev, null),
- try(local.service_accounts.project-factory-prod, null),
])
}
# allow specific service accounts to assign a set of roles
diff --git a/fast/stages/2-networking-c-separate-envs/net-prod.tf b/fast/stages/2-networking-c-separate-envs/net-prod.tf
index 552d31184..fcf77af44 100644
--- a/fast/stages/2-networking-c-separate-envs/net-prod.tf
+++ b/fast/stages/2-networking-c-separate-envs/net-prod.tf
@@ -45,8 +45,6 @@ module "prod-spoke-project" {
iam = {
"roles/dns.admin" = compact([
try(local.service_accounts.gke-prod, null),
- try(local.service_accounts.project-factory, null),
- try(local.service_accounts.project-factory-prod, null)
])
}
# allow specific service accounts to assign a set of roles
diff --git a/tests/fast/stages/s2_networking_a_simple/simple.yaml b/tests/fast/stages/s2_networking_a_simple/simple.yaml
index 5930102e2..0621f9987 100644
--- a/tests/fast/stages/s2_networking_a_simple/simple.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml
@@ -14,4 +14,4 @@
counts:
modules: 29
- resources: 158
+ resources: 156
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.yaml b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
index 65c4bb809..33b4f1ed8 100644
--- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
@@ -14,4 +14,4 @@
counts:
modules: 31
- resources: 195
+ resources: 193
diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
index 71e2be72c..45c85e802 100644
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
@@ -43,11 +43,11 @@ counts:
google_network_connectivity_hub: 2
google_network_connectivity_spoke: 4
google_project: 3
- google_project_iam_binding: 6
+ google_project_iam_binding: 4
google_project_iam_member: 2
google_project_service: 22
google_project_service_identity: 5
google_storage_bucket_object: 2
modules: 39
random_id: 2
- resources: 224
+ resources: 222
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml
index ed5c69ea3..aaac0cb9b 100644
--- a/tests/fast/stages/s2_networking_b_nva/simple.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml
@@ -45,7 +45,7 @@ counts:
google_monitoring_dashboard: 3
google_monitoring_monitored_project: 2
google_project: 3
- google_project_iam_binding: 6
+ google_project_iam_binding: 4
google_project_iam_member: 2
google_project_service: 21
google_project_service_identity: 5
@@ -53,4 +53,4 @@ counts:
google_vpc_access_connector: 2
modules: 43
random_id: 2
- resources: 209
+ resources: 207