kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Expose factories_config for resman top level folders (#2707)

Browse Source 
* Expose factories_config for top_level_folders

* Complete top level folder schema

* Update README

* Fix escapes

* Update tests
This commit is contained in:
Julio Castillo
2024-11-17 23:54:56 +01:00
committed by GitHub
parent bb65920b4b
commit 4a739fcb87
6 changed files with 149 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
fast/stages/1-resman/README.md
View File

@@ -281,7 +281,7 @@ terraform apply
| [root_node](variables-fast.tf#L153) | Root node for the hierarchy, if running in tenant mode. | <code>string</code> | | <code>null</code> | <code>0-bootstrap</code> |
| [tag_names](variables.tf#L37) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10; context &#61; optional&#40;string, &#34;context&#34;&#41;&#10; environment &#61; optional&#40;string, &#34;environment&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [tags](variables.tf#L51) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; values &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | <code title="map&#40;object&#40;&#123;&#10; name &#61; string&#10; parent_id &#61; optional&#40;string&#41;&#10; automation &#61; optional&#40;object&#40;&#123;&#10; environment_name &#61; optional&#40;string, &#34;prod&#34;&#41;&#10; sa_impersonation_principals &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; short_name &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; contacts &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; firewall_policy &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; policy &#61; string&#10; &#125;&#41;&#41;&#10; is_fast_context &#61; optional&#40;bool, true&#41;&#10; logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10; logging_exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; logging_settings &#61; optional&#40;object&#40;&#123;&#10; disable_default_sink &#61; optional&#40;bool&#41;&#10; storage_location &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10; bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; destination &#61; string&#10; disabled &#61; optional&#40;bool, false&#41;&#10; exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; filter &#61; optional&#40;string&#41;&#10; iam &#61; optional&#40;bool, true&#41;&#10; include_children &#61; optional&#40;bool, true&#41;&#10; type &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10; inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10; reset &#61; optional&#40;bool&#41;&#10; rules &#61; optional&#40;list&#40;object&#40;&#123;&#10; allow &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; deny &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10; condition &#61; optional&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; expression &#61; optional&#40;string&#41;&#10; location &#61; optional&#40;string&#41;&#10; title &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | <code title="map&#40;object&#40;&#123;&#10; name &#61; string&#10; parent_id &#61; optional&#40;string&#41;&#10; automation &#61; optional&#40;object&#40;&#123;&#10; environment_name &#61; optional&#40;string, &#34;prod&#34;&#41;&#10; sa_impersonation_principals &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; short_name &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; contacts &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; factories_config &#61; optional&#40;object&#40;&#123;&#10; org_policies &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; firewall_policy &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; policy &#61; string&#10; &#125;&#41;&#41;&#10; is_fast_context &#61; optional&#40;bool, true&#41;&#10; logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10; logging_exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; logging_settings &#61; optional&#40;object&#40;&#123;&#10; disable_default_sink &#61; optional&#40;bool&#41;&#10; storage_location &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10; bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; destination &#61; string&#10; disabled &#61; optional&#40;bool, false&#41;&#10; exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; filter &#61; optional&#40;string&#41;&#10; iam &#61; optional&#40;bool, true&#41;&#10; include_children &#61; optional&#40;bool, true&#41;&#10; type &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10; inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10; reset &#61; optional&#40;bool&#41;&#10; rules &#61; optional&#40;list&#40;object&#40;&#123;&#10; allow &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; deny &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10; condition &#61; optional&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; expression &#61; optional&#40;string&#41;&#10; location &#61; optional&#40;string&#41;&#10; title &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
## Outputs

2
fast/stages/1-resman/data/top-level-folders/sandbox.yaml
View File

@@ -18,3 +18,5 @@ name: Sandbox
automation:
environment_name: dev
short_name: sbox
factories_config:
org_policies: data/org-policies/sandbox

117
fast/stages/1-resman/schemas/top-level-folder.schema.json
View File

@@ -23,7 +23,42 @@
}
},
"contacts": {
"type": "string"
"type": "object",
"additionalProperties": false,
"patternProperties": {
"@": {
"type": "array",
"items": {
"type": "string",
"pattern": "^(?:ALL|SUSPENSION|SECURITY|TECHNICAL|BILLING|LEGAL|PRODUCT_UPDATES)$"
}
}
}
},
"factories_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"org_policies": {
"type": "string"
}
}
},
"firewall_policy": {
"type": "object",
"additionalProperties": false,
"required": [
"name",
"policy"
],
"properties": {
"name": {
"type": "string"
},
"policy": {
"type": "string"
}
}
},
"iam": {
"$ref": "#/$defs/iam"
@@ -41,6 +76,86 @@
"type": "boolean",
"default": true
},
"logging_data_access": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^(?:[a-z_-]+)\\.googleapis\\.com$": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^(?:DATA_READ|DATA_WRITE|ADMIN_READ)$": {
"type": "array",
"items": {
"type": "string",
"pattern": "@"
}
}
}
}
}
},
"logging_exclusions": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"logging_settings": {
"type": "object",
"additionalProperties": false,
"properties": {
"disable_default_sink": {
"type": "boolean"
},
"storage_location": {
"type": "string"
}
}
},
"logging_sinks": {
"type": "object",
"additionalProperties": {
"type": "object",
"additionalProperties": false,
"required": [
"destination",
"type"
],
"properties": {
"bq_partitioned_table": {
"type": "boolean"
},
"description": {
"type": "string"
},
"destination": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"exclusions": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"filter": {
"type": "string"
},
"iam": {
"type": "boolean"
},
"include_children": {
"type": "boolean"
},
"type": {
"type": "string"
}
}
}
},
"name": {
"type": "string"
},

2
fast/stages/1-resman/top-level-folders.tf
View File

@@ -47,6 +47,7 @@ locals {
short_name = try(v.automation.short_name, null)
}
contacts = try(v.contacts, {})
factories_config = try(v.factories_config, null)
firewall_policy = try(v.firewall_policy, null)
is_fast_context = try(v.is_fast_context, true)
logging_data_access = try(v.logging_data_access, {})
@@ -76,6 +77,7 @@ module "top-level-folder" {
parent = coalesce(each.value.parent_id, local.root_node)
name = each.value.name
contacts = each.value.contacts
factories_config = each.value.factories_config
firewall_policy = each.value.firewall_policy
logging_data_access = each.value.logging_data_access
logging_exclusions = each.value.logging_exclusions

3
fast/stages/1-resman/variables-toplevel-folders.tf
View File

@@ -25,6 +25,9 @@ variable "top_level_folders" {
short_name = optional(string)
}))
contacts = optional(map(list(string)), {})
factories_config = optional(object({
org_policies = optional(string)
}))
firewall_policy = optional(object({
name = string
policy = string

26
tests/fast/stages/s1_resman/simple.yaml
View File

@@ -1656,6 +1656,29 @@ values:
deletion_protection: false
display_name: Sandbox
parent: organizations/123456789012
module.top-level-folder["sandbox"].google_org_policy_policy.default["compute.vmExternalIpAccess"]:
dry_run_spec: []
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: 'TRUE'
condition: []
deny_all: null
enforce: null
values: []
timeouts: null
module.top-level-folder["sandbox"].google_org_policy_policy.default["sql.restrictPublicIp"]:
dry_run_spec: []
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.top-level-folder["sandbox"].google_tags_tag_binding.binding["context"]:
timeouts: null
@@ -1757,6 +1780,7 @@ values:
counts:
google_folder: 13
google_folder_iam_binding: 75
google_org_policy_policy: 2
google_organization_iam_member: 19
google_project_iam_member: 26
google_service_account: 26
@@ -1770,7 +1794,7 @@ counts:
google_tags_tag_value: 12
google_tags_tag_value_iam_binding: 4
modules: 52
resources: 303
resources: 305
outputs:
cicd_repositories: