diff --git a/blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml b/blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml index 90dabfb6a..3591e95a0 100644 --- a/blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml +++ b/blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 @@ -12,4 +15,4 @@ rfc1918: - 192.168.0.0/16 onprem_probes: - - 10.255.255.254/32 \ No newline at end of file + - 10.255.255.254/32 diff --git a/blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml b/blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml index a267527dd..c7236cfe1 100644 --- a/blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml +++ b/blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. allow-admins: description: Access from the admin subnet to all subnets @@ -14,8 +17,8 @@ allow-healthchecks: source_ranges: - healthchecks layer4_configs: - - protocol: tcp - ports: ["80", "443"] + - protocol: tcp + ports: ["80", "443"] allow-ssh-from-iap: description: Enable SSH from IAP @@ -24,8 +27,8 @@ allow-ssh-from-iap: source_ranges: - 35.235.240.0/20 layer4_configs: - - protocol: tcp - ports: ["22"] + - protocol: tcp + ports: ["22"] allow-icmp: description: Enable ICMP @@ -34,4 +37,4 @@ allow-icmp: source_ranges: - 0.0.0.0/0 layer4_configs: - - protocol: icmp + - protocol: icmp 
diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml index a3f96b1b1..16a48c5be 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml @@ -2,30 +2,32 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.disableGuestAttributesAccess: rules: - - enforce: true + - enforce: true compute.requireOsLogin: rules: - - enforce: true + - enforce: true compute.restrictLoadBalancerCreationForTypes: rules: - - allow: - values: - - in:INTERNAL + - allow: + values: + - in:INTERNAL compute.skipDefaultNetworkCreation: rules: - - enforce: true + - enforce: true compute.vmExternalIpAccess: rules: - - deny: - all: true - - + - deny: + all: true # compute.disableInternetNetworkEndpointGroup: # rules: # - enforce: true diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml index 58e0032cb..7d4367655 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml @@ -2,14 +2,18 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + iam.automaticIamGrantsForDefaultServiceAccounts: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyCreation: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyUpload: rules: - - enforce: true + - enforce: true 
diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml index 3efb23cde..b67dea783 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml @@ -2,30 +2,33 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + run.allowedIngress: rules: - - allow: - values: - - is:internal - + - allow: + values: + - is:internal # run.allowedVPCEgress: # rules: -# - allow: -# values: -# - is:private-ranges-only +# - allow: +# values: +# - is:private-ranges-only # cloudfunctions.allowedIngressSettings: # rules: -# - allow: -# values: -# - is:ALLOW_INTERNAL_ONLY +# - allow: +# values: +# - is:ALLOW_INTERNAL_ONLY # cloudfunctions.allowedVpcConnectorEgressSettings: # rules: -# - allow: -# values: -# - is:PRIVATE_RANGES_ONLY +# - allow: +# values: +# - is:PRIVATE_RANGES_ONLY # cloudfunctions.requireVPCConnector: # rules: -# - enforce: true +# - enforce: true diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml index 0eee80453..de2731a03 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml 
@@ -2,10 +2,14 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + sql.restrictAuthorizedNetworks: rules: - - enforce: true + - enforce: true sql.restrictPublicIp: rules: - - enforce: true + - enforce: true diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml index 448357b8b..2578d5a52 100644 --- a/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml +++ b/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml @@ -2,6 +2,10 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + storage.uniformBucketLevelAccess: rules: - - enforce: true + - enforce: true diff --git a/blueprints/factories/net-vpc-firewall-yaml/README.md b/blueprints/factories/net-vpc-firewall-yaml/README.md index 42cd6fad9..e385a68e8 100644 --- a/blueprints/factories/net-vpc-firewall-yaml/README.md +++ b/blueprints/factories/net-vpc-firewall-yaml/README.md @@ -41,6 +41,11 @@ module "dev-firewall" { ```yaml # tftest-file id=common path=firewall/common/common.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # allow ingress from GCLB to all instances in the network lb-health-checks: allow: 
@@ -65,6 +70,11 @@ deny-all: ```yaml # tftest-file id=dev path=firewall/dev/app.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Myapp egress web-app-dev-egress: allow: @@ -89,6 +99,11 @@ web-app-dev-ingress: ```yaml # tftest-file id=prod path=firewall/prod/app.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Myapp egress web-app-prod-egress: allow: @@ -111,7 +126,6 @@ web-app-prod-ingress: - web-app-a@myproject-prod.iam.gserviceaccount.com ``` - ### Configuration Structure ```bash @@ -140,6 +154,11 @@ web-app-prod-ingress: Firewall rules configuration should be placed in a set of yaml files in a folder/s. Firewall rule entry structure is following: ```yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + rule-name: # descriptive name, naming convention is adjusted by the module allow: # `allow` or `deny` - ports: ['443', '80'] # ports for a specific protocol, keep empty list `[]` for all ports diff --git a/blueprints/factories/net-vpc-firewall-yaml/main.tf b/blueprints/factories/net-vpc-firewall-yaml/main.tf index 90416faae..0cfacf8a6 100644 --- a/blueprints/factories/net-vpc-firewall-yaml/main.tf +++ b/blueprints/factories/net-vpc-firewall-yaml/main.tf @@ -31,7 +31,7 @@ locals { firewall_rules = merge( [ for config_file in local.firewall_rule_files : - try(yamldecode(file(config_file)), {}) + yamldecode(file(config_file)) ]... ) } diff --git a/blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml b/blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml index fa2a40d95..0af388b8d 100644 
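Review bot: Removing the `try()` fallback on the `yamldecode(file(config_file))` line is the right fail-closed change: before it, a rule file with a YAML error was silently replaced by `{}`, so every rule in that file — a `deny-all` included — vanished from the plan without any error, which is exactly the failure a firewall factory must not hide. What the hunk still does not guard is the decoded shape: a file whose top level is a scalar or a list is valid YAML, passes `yamldecode`, and then fails inside `merge()` with a less obvious message, while an empty document (`---`) decodes to null, which `merge()` skips as far as I recall, so the header comment added to the data files is consistent with this. A one-line comment above the call, `# no try(): a malformed rule file must fail the plan rather than silently drop its rules`, would record the intent so the fallback is not reintroduced later. The enclosing `locals` block starts before and ends after the hunk.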
--- a/blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Deny all egress (egress traffic is allowed by default) deny-all: deny: diff --git a/blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml b/blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml index 9e26f9cc4..b8565473c 100644 --- a/blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Access via SSH from IAP to all instancess https://cloud.google.com/iap/docs/using-tcp-forwarding#create-firewall-rule iap-ssh-access: allow: diff --git a/blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml b/blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml index 7b07b2d41..ca5c859aa 100644 --- a/blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml 
@@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Access from GCP LBs https://cloud.google.com/load-balancing/docs/https/#firewall_rules lb-health-checks: allow: diff --git a/blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml b/blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml index 6ee730286..6b625b794 100644 --- a/blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Allow traffic from the frontend VMs app1-backend: allow: diff --git a/blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml b/blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml index 3d64bffce..82dd355ec 100644 --- a/blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Allow traffic from app1 frontend app2-backend: allow: 
diff --git a/blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml b/blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml index 6ee730286..6b625b794 100644 --- a/blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml +++ b/blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # Allow traffic from the frontend VMs app1-backend: allow: diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml index a3f96b1b1..16a48c5be 100644 --- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml @@ -2,30 +2,32 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.disableGuestAttributesAccess: rules: - - enforce: true + - enforce: true compute.requireOsLogin: rules: - - enforce: true + - enforce: true compute.restrictLoadBalancerCreationForTypes: rules: - - allow: - values: - - in:INTERNAL + - allow: + values: + - in:INTERNAL compute.skipDefaultNetworkCreation: rules: - - enforce: true + - enforce: true compute.vmExternalIpAccess: rules: - - deny: - all: true - - + - deny: + all: true # compute.disableInternetNetworkEndpointGroup: # rules: # - enforce: true 
diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml index 58e0032cb..7d4367655 100644 --- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml @@ -2,14 +2,18 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + iam.automaticIamGrantsForDefaultServiceAccounts: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyCreation: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyUpload: rules: - - enforce: true + - enforce: true diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml index 3efb23cde..0712f9fb9 100644 --- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml @@ -2,12 +2,15 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + run.allowedIngress: rules: - - allow: - values: - - is:internal - + - allow: + values: + - is:internal # run.allowedVPCEgress: # rules: # - allow: diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml index 0eee80453..de2731a03 100644 --- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml 
@@ -2,10 +2,14 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + sql.restrictAuthorizedNetworks: rules: - - enforce: true + - enforce: true sql.restrictPublicIp: rules: - - enforce: true + - enforce: true diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml index 448357b8b..2578d5a52 100644 --- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml +++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml @@ -2,6 +2,10 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + storage.uniformBucketLevelAccess: rules: - - enforce: true + - enforce: true diff --git a/fast/stages/0-bootstrap/data/org-policies/compute.yaml b/fast/stages/0-bootstrap/data/org-policies/compute.yaml index a3f96b1b1..16a48c5be 100644 --- a/fast/stages/0-bootstrap/data/org-policies/compute.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/compute.yaml 
@@ -2,30 +2,32 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.disableGuestAttributesAccess: rules: - - enforce: true + - enforce: true compute.requireOsLogin: rules: - - enforce: true + - enforce: true compute.restrictLoadBalancerCreationForTypes: rules: - - allow: - values: - - in:INTERNAL + - allow: + values: + - in:INTERNAL compute.skipDefaultNetworkCreation: rules: - - enforce: true + - enforce: true compute.vmExternalIpAccess: rules: - - deny: - all: true - - + - deny: + all: true # compute.disableInternetNetworkEndpointGroup: # rules: # - enforce: true diff --git a/fast/stages/0-bootstrap/data/org-policies/gcp.yaml b/fast/stages/0-bootstrap/data/org-policies/gcp.yaml index 5c13020d7..d244b6bbe 100644 --- a/fast/stages/0-bootstrap/data/org-policies/gcp.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/gcp.yaml @@ -12,6 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + # constraints/gcp.resourceLocations: # rules: # - allow: diff --git a/fast/stages/0-bootstrap/data/org-policies/iam.yaml b/fast/stages/0-bootstrap/data/org-policies/iam.yaml index 58e0032cb..7d4367655 100644 --- a/fast/stages/0-bootstrap/data/org-policies/iam.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/iam.yaml 
@@ -2,14 +2,18 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + iam.automaticIamGrantsForDefaultServiceAccounts: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyCreation: rules: - - enforce: true + - enforce: true iam.disableServiceAccountKeyUpload: rules: - - enforce: true + - enforce: true diff --git a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml index 4931c41b5..1fce1a9b0 100644 --- a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml @@ -2,13 +2,16 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + run.allowedIngress: rules: - - allow: - values: - - is:internal - - is:internal-and-cloud-load-balancing - + - allow: + values: + - is:internal + - is:internal-and-cloud-load-balancing # run.allowedVPCEgress: # rules: # - allow: diff --git a/fast/stages/0-bootstrap/data/org-policies/sql.yaml b/fast/stages/0-bootstrap/data/org-policies/sql.yaml index 0eee80453..de2731a03 100644 --- a/fast/stages/0-bootstrap/data/org-policies/sql.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/sql.yaml @@ -2,10 +2,14 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + sql.restrictAuthorizedNetworks: rules: - - enforce: true + - enforce: true sql.restrictPublicIp: rules: - - enforce: true + - enforce: true 
diff --git a/fast/stages/0-bootstrap/data/org-policies/storage.yaml b/fast/stages/0-bootstrap/data/org-policies/storage.yaml index 448357b8b..2578d5a52 100644 --- a/fast/stages/0-bootstrap/data/org-policies/storage.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/storage.yaml @@ -2,6 +2,10 @@ # # sample subset of useful organization policies, edit to suit requirements +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + storage.uniformBucketLevelAccess: rules: - - enforce: true + - enforce: true diff --git a/fast/stages/2-networking-a-peering/data/cidrs.yaml b/fast/stages/2-networking-a-peering/data/cidrs.yaml index b6c25e21a..3591e95a0 100644 --- a/fast/stages/2-networking-a-peering/data/cidrs.yaml +++ b/fast/stages/2-networking-a-peering/data/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml b/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml index d091e4f08..f157cec02 100644 --- a/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-a-peering/data/dns-policy-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/dev/rules.yaml index cab42edc9..68866161c 100644 --- a/fast/stages/2-networking-a-peering/data/firewall-rules/dev/rules.yaml 
+++ b/fast/stages/2-networking-a-peering/data/firewall-rules/dev/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/landing/rules.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/landing/rules.yaml index 3c1425a7c..2318f69df 100644 --- a/fast/stages/2-networking-a-peering/data/firewall-rules/landing/rules.yaml +++ b/fast/stages/2-networking-a-peering/data/firewall-rules/landing/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-onprem-probes-example: diff --git a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml index f43a9f07f..26e58674e 100644 --- a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. # allow-admins: # description: Access from the admin subnet to all subnets diff --git a/fast/stages/2-networking-b-vpn/data/cidrs.yaml b/fast/stages/2-networking-b-vpn/data/cidrs.yaml index b6c25e21a..3591e95a0 100644 --- a/fast/stages/2-networking-b-vpn/data/cidrs.yaml +++ b/fast/stages/2-networking-b-vpn/data/cidrs.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml b/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml index d091e4f08..f157cec02 100644 --- a/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/dns-policy-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/rules.yaml index cab42edc9..68866161c 100644 --- a/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/rules.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/rules.yaml index 3c1425a7c..2318f69df 100644 --- a/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-onprem-probes-example: 
diff --git a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml index f43a9f07f..26e58674e 100644 --- a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. # allow-admins: # description: Access from the admin subnet to all subnets diff --git a/fast/stages/2-networking-c-nva/data/cidrs.yaml b/fast/stages/2-networking-c-nva/data/cidrs.yaml index b6c25e21a..3591e95a0 100644 --- a/fast/stages/2-networking-c-nva/data/cidrs.yaml +++ b/fast/stages/2-networking-c-nva/data/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml b/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml index d091e4f08..f157cec02 100644 --- a/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-c-nva/data/dns-policy-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml index cab42edc9..68866161c 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/dev/rules.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml index 1405170fb..fea923b03 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-hc-nva-ssh-trusted: diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml index aa51c0fe8..f2793e494 100644 --- a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml +++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-hc-nva-ssh-untrusted: diff --git a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml index f43a9f07f..26e58674e 100644 --- a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. # allow-admins: # description: Access from the admin subnet to all subnets diff --git a/fast/stages/2-networking-d-separate-envs/data/cidrs.yaml b/fast/stages/2-networking-d-separate-envs/data/cidrs.yaml index b6c25e21a..3591e95a0 100644 --- a/fast/stages/2-networking-d-separate-envs/data/cidrs.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml b/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml index d091e4f08..f157cec02 100644 --- a/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/dns-policy-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." diff --git a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml index 67386c446..103215b7b 100644 --- a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/rules.yaml 
@@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml index f43a9f07f..26e58674e 100644 --- a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. # allow-admins: # description: Access from the admin subnet to all subnets diff --git a/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml b/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml index 93d7bb0b1..1dc04881a 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/cidrs.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. healthchecks: - 35.191.0.0/16 diff --git a/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml index d091e4f08..f157cec02 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/dns-policy-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. accounts: dns_name: "accounts.google.com." 
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml index cab42edc9..68866161c 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: ingress-allow-composer-nodes: diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml index 6e00603bd..bd7bee57f 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-hc-nva-ssh-trusted: diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml index c6077013c..3588af4d6 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. ingress: allow-hc-nva-ssh-untrusted: 
diff --git a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml index f43a9f07f..26e58674e 100644 --- a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml +++ b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml @@ -1,4 +1,7 @@ # skip boilerplate check +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. # allow-admins: # description: Access from the admin subnet to all subnets diff --git a/modules/dns-response-policy/README.md b/modules/dns-response-policy/README.md index 2c77f4e93..3e0e9c468 100644 --- a/modules/dns-response-policy/README.md +++ b/modules/dns-response-policy/README.md @@ -102,6 +102,11 @@ module "dns-policy" { ``` ```yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + gcr: dns_name: "gcr.io." local_data: diff --git a/modules/dns-response-policy/main.tf b/modules/dns-response-policy/main.tf index 69b7ff4aa..5d1684977 100644 --- a/modules/dns-response-policy/main.tf +++ b/modules/dns-response-policy/main.tf @@ -15,7 +15,9 @@ */ locals { - _factory_rules = try(yamldecode(file(var.rules_file)), {}) + _factory_data = var.rules_file != null ? file(var.rules_file) : "{}" + _factory_rules = yamldecode(local._factory_data) + factory_rules = { for k, v in local._factory_rules : k => { dns_name = v.dns_name diff --git a/modules/folder/organization-policies.tf b/modules/folder/organization-policies.tf index 90d45ff01..2bf79c4ab 100644 --- a/modules/folder/organization-policies.tf +++ b/modules/folder/organization-policies.tf 
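Review bot: The new `_factory_rules = yamldecode(local._factory_data)` in modules/dns-response-policy/main.tf yields null, not `{}`, when `rules_file` points at a document containing only `---` and comments — exactly the layout the YAML headers added elsewhere in this commit recommend for an empty file — and the `for k, v in local._factory_rules` on the following line presumably rejects a null collection. Dropping `try(..., {})` is the right direction (a malformed rules file should fail the plan rather than silently produce zero response-policy rules, which is a fail-open outcome for a DNS guardrail), so the empty-document case should be handled explicitly instead of by reintroducing `try`: `_factory_decoded = yamldecode(local._factory_data)` followed by `_factory_rules = local._factory_decoded == null ? {} : local._factory_decoded`. A why-comment above it would keep the fail-open form from coming back, e.g. `# no try(): a malformed rules file must fail the plan, not silently yield no rules`. The `locals` block continues outside the hunk.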
@@ -19,7 +19,7 @@ locals { _factory_data_raw = merge([ for f in try(fileset(var.org_policies_data_path, "*.yaml"), []) : - try(yamldecode(file("${var.org_policies_data_path}/${f}")), {}) + yamldecode(file("${var.org_policies_data_path}/${f}")) ]...) # simulate applying defaults to data coming from yaml files diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md index 47a696de3..235f1ebc4 100644 --- a/modules/net-vpc-firewall/README.md +++ b/modules/net-vpc-firewall/README.md @@ -186,6 +186,11 @@ module "firewall" { ```yaml # tftest-file id=lbs path=configs/firewall/rules/load_balancers.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + ingress: allow-healthchecks: description: Allow ingress from healthchecks. @@ -220,6 +225,11 @@ egress: ```yaml # tftest-file id=cidrs path=configs/firewall/cidrs.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + healthchecks: - 35.191.0.0/16 - 130.211.0.0/22 diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf index bd528b029..5f7a95b54 100644 --- a/modules/net-vpc-firewall/main.tf +++ b/modules/net-vpc-firewall/main.tf @@ -47,7 +47,7 @@ locals { if contains(["EGRESS", "INGRESS"], r.direction) } _named_ranges = merge( - try(yamldecode(file(var.factories_config.cidr_tpl_file)), {}), + can(var.factories_config.cidr_tpl_file) ? yamldecode(file(var.factories_config.cidr_tpl_file)) : {}, var.named_ranges ) _rules = merge( diff --git a/modules/organization/README.md b/modules/organization/README.md index fd9ca0943..86df8ab3b 100644 --- a/modules/organization/README.md +++ b/modules/organization/README.md 
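Review bot: `can(var.factories_config.cidr_tpl_file)` on the rewritten `_named_ranges` line in modules/net-vpc-firewall/main.tf does not guard against a null `cidr_tpl_file`: `can()` only reports whether the expression evaluates without error, and reading a null attribute is not an error, so with `factories_config` set but `cidr_tpl_file` left unset Terraform goes on to evaluate `file(null)` and fails; the check only covers the case where `factories_config` itself is null. I cannot see the variable declaration from here, but if the attribute is nullable the guard should be a null comparison: `try(var.factories_config.cidr_tpl_file, null) != null ? yamldecode(file(var.factories_config.cidr_tpl_file)) : {},`. Keep the removal of the outer `try(..., {})` — a syntax error in the CIDR file previously produced an empty named-range map and a plan that silently diverged from the intended firewall scope, and a hard error is the safer behaviour. The `locals` block starts and ends outside the hunk.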
@@ -194,6 +194,11 @@ module "org" { ```yaml # tftest-file id=gke path=configs/custom-constraints/gke.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + custom.gkeEnableLogging: resource_types: - container.googleapis.com/Cluster @@ -216,6 +221,11 @@ custom.gkeEnableAutoUpgrade: ```yaml # tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + custom.dataprocNoMoreThan10Workers: resource_types: - dataproc.googleapis.com/Cluster diff --git a/modules/organization/organization-policies.tf b/modules/organization/organization-policies.tf index 602e72305..8d867f668 100644 --- a/modules/organization/organization-policies.tf +++ b/modules/organization/organization-policies.tf @@ -19,7 +19,7 @@ locals { _factory_data_raw = merge([ for f in try(fileset(var.org_policies_data_path, "*.yaml"), []) : - try(yamldecode(file("${var.org_policies_data_path}/${f}")), {}) + yamldecode(file("${var.org_policies_data_path}/${f}")) ]...) # simulate applying defaults to data coming from yaml files diff --git a/modules/project/README.md b/modules/project/README.md index 8a2a1b4e5..43dfbc704 100644 --- a/modules/project/README.md +++ b/modules/project/README.md @@ -359,6 +359,11 @@ module "project" { ```yaml # tftest-file id=boolean path=configs/org-policies/boolean.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.disableGuestAttributesAccess: rules: - enforce: true 
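Review bot: The removal of `try(..., {})` around `yamldecode` in `_factory_data_raw` of modules/organization/organization-policies.tf is a security-relevant fix that deserves a why-comment in place: before this change any YAML syntax error in a file under `org_policies_data_path` was swallowed and that file contributed no constraints, so a typo could silently drop guardrails such as `iam.disableServiceAccountKeyCreation` or `compute.vmExternalIpAccess`, whereas the plan now fails. I would add, directly above the `yamldecode(...)` line, `# no try(): a malformed policy file must fail the plan rather than silently drop its constraints`. One residual ambiguity: a file holding only the new `---` header decodes to null rather than `{}`; Terraform's `merge` is, as far as I know, tolerant of null arguments, but if that is not relied upon deliberately a `coalesce(yamldecode(...), {})` per file, or a sentence in the YAML header comment saying an empty file is not supported, would make the contract explicit. The identical change lands in the folder and project modules and should be kept in step with whatever is decided here. The `locals` block starts and ends outside the hunk.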
@@ -381,6 +386,11 @@ iam.disableServiceAccountKeyUpload: ```yaml # tftest-file id=list path=configs/org-policies/list.yaml + +--- +# Terraform will be unable to decode this file if it does not contain valid YAML +# You can retain `---` (start of the document) to indicate an empty document. + compute.trustedImageProjects: rules: - allow: diff --git a/modules/project/organization-policies.tf b/modules/project/organization-policies.tf index e4f10ddaa..37e6f2531 100644 --- a/modules/project/organization-policies.tf +++ b/modules/project/organization-policies.tf @@ -19,7 +19,7 @@ locals { _factory_data_raw = merge([ for f in try(fileset(var.org_policies_data_path, "*.yaml"), []) : - try(yamldecode(file("${var.org_policies_data_path}/${f}")), {}) + yamldecode(file("${var.org_policies_data_path}/${f}")) ]...) # simulate applying defaults to data coming from yaml files