kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into fast-dev

Browse Source
This commit is contained in:
Ludovico Magnocavallo
2025-12-08 08:09:55 +00:00
parent b1969f6c60 ac68262733
commit 66b9106e6e
354 changed files with 3938 additions and 1212 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
fast/project-templates/managed-kafka/versions.tf generated
View File

@@ -12,24 +12,24 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# Fabric release: v49.1.0
# Fabric release: v49.2.0
terraform {
required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.6.0, < 8.0.0" # tftest
version = ">= 7.12.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.6.0, < 8.0.0" # tftest
version = ">= 7.12.0, < 8.0.0" # tftest
}
}
provider_meta "google" {
module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v49.1.0-tf"
module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v49.2.0-tf"
}
provider_meta "google-beta" {
module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v49.1.0-tf"
module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v49.2.0-tf"
}
}

30
fast/stages/0-org-setup/README.md
View File

@@ -7,6 +7,7 @@
- [Configure defaults](#configure-defaults)
- [Initial user permissions](#initial-user-permissions)
- [First apply cycle](#first-apply-cycle)
- [Default project](#default-project)
- [Importing org policies](#importing-org-policies)
- [Local output files storage](#local-output-files-storage)
- [Init and apply the stage](#init-and-apply-the-stage)
@@ -158,6 +159,20 @@ If you are using an externally managed billing account, make sure user has Billi
### First apply cycle
#### Default project
If the user applying this stage is starting new on GCP without any pre-existing project configured as default in `gcloud`, org policy creation will fail as the platform will be unable to track API usage quota. In those cases, manually create a temporary project, then enable the services need to bootstrap, and configure the project as default in `gcloud`. Once the first apply has run successfully, the `gcloud` default should be reset to the `iac-0` project, and the temporary one can be deleted.
Create the project via the cloud console, which ensures a unique id is chosen and allows associating a billing account. Once the project has been created, copy its project id (not the name) and use it in the commands below.
```bash
gcloud config set project [project id]
gcloud services enable \
bigquery.googleapis.com cloudbilling.googleapis.com cloudresourcemanager.googleapis.com \
essentialcontacts.googleapis.com iam.googleapis.com logging.googleapis.com \
orgpolicy.googleapis.com serviceusage.googleapis.com
```
#### Importing org policies
If your dataset includes org policies which are already set in the organization, you must either comment them out in the relevant YAML files or configure this stage to import them. To figure out which policies are set, run `gcloud org-policies list --organization [your org id]`, then set the `org_policies_imports` variable in your tfvars file. The following is an example.
@@ -172,8 +187,13 @@ compute.disableSerialPortAccess - SET
```tfvars
# create or edit the 0-org-setup.auto.tfvars.file
org_policies_imports = [
'iam.allowedPolicyMemberDomains',
'compute.disableSerialPortAccess'
"constraints/compute.managed.restrictProtocolForwardingCreationForTypes",
"constraints/essentialcontacts.managed.allowedContactDomains",
"constraints/iam.allowedPolicyMemberDomains",
"constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
"constraints/iam.managed.disableServiceAccountKeyCreation",
"constraints/iam.managed.disableServiceAccountKeyUpload",
"constraints/storage.uniformBucketLevelAccess"
]
```
@@ -236,6 +256,12 @@ gcloud storage cp gs://test0-prod-iac-core-0-iac-outputs/providers/0-org-setup-p
gcloud storage cp gs://test0-prod-iac-core-0-iac-outputs/0-org-setup.auto.tfvars ./
```
If you had previously configured a temporary project in `gcloud`, you should now set the `iac-0` project as default.
```bash
gcloud config set project [iac-0 project id]
```
Once the provider file has been setup, migrate local state to the GCS backend and re-run apply.
```bash

2
fast/stages/0-org-setup/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0

6
fast/stages/0-org-setup/schemas/folder.schema.json
View File

@@ -74,6 +74,12 @@
}
}
},
"billing_budgets": {
"type": "array",
"items": {
"type": "string"
}
},
"contacts": {
"type": "object",
"additionalProperties": false,

23
fast/stages/1-vpcsc/README.md
View File

@@ -83,13 +83,32 @@ This only supports sinks defined in the bootstrap stage, but it can easily be us
The set of resources protected by each perimeter can be defined in two main ways:
- authoritatively, where protected resources are only defined in this stage
- cooperatively, where some resources are defined in this stage, and additional resources can be added separately (e.g. by a project factory)
- central and authoritative, where protected resources are only defined in this stage
- delegated and additive, where perimeter is defined in this stage and resources are added separately (e.g. by a project factory)
The first approach is more secure as it does not require granting editing permission to other actors, but it's also operationally heavier as it requires adding projects to the perimeter right after creation, before many operations can be run. For example, Shared VPC attachment for a service project cannot happen until the project is in the same perimeter as its host project. The main advantage of this approach is being able to leverage the resource discovery features provided by this stage.
The second approach is more flexible, but requires delegating a measure of control over perimeters to other actors, and losing control over perimeter membership which stops being enforced by Terraform.
When using the second approach, after applying this stage, provide perimeter information in your `defaults.yaml` file, for example:
```yaml
projects:
overrides:
vpc_sc:
perimeter_name: accessPolicies/12345/servicePerimeters/default
```
And then apply `0-org-setup` stage again. For later stages (such as networking, project factory), add the perimeter in a similar way, but there you can use context to provide perimeter:
```yaml
projects:
overrides:
vpc_sc:
perimeter_name: default
```
> [!CAUTION]
> Do not add any resources to the perimeter in this stage when using the second approach. Any resources added in this stage will not be properly removed from perimeter, if the `terraform apply` is also changing the perimeter definition.
#### Resource discovery
If the first approach is desired in combination with resource discovery, you can simply tweak exclusions via the `resource_discovery` variable as the feature is enabled by default.

2
fast/stages/1-vpcsc/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0

2
fast/stages/2-networking/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0

6
fast/stages/2-networking/schemas/folder.schema.json
View File

@@ -74,6 +74,12 @@
}
}
},
"billing_budgets": {
"type": "array",
"items": {
"type": "string"
}
},
"contacts": {
"type": "object",
"additionalProperties": false,

2
fast/stages/2-project-factory/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0

6
fast/stages/2-project-factory/schemas/folder.schema.json
View File

@@ -74,6 +74,12 @@
}
}
},
"billing_budgets": {
"type": "array",
"items": {
"type": "string"
}
},
"contacts": {
"type": "object",
"additionalProperties": false,

2
fast/stages/2-security/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0

6
fast/stages/2-security/schemas/folder.schema.json
View File

@@ -74,6 +74,12 @@
}
}
},
"billing_budgets": {
"type": "array",
"items": {
"type": "string"
}
},
"contacts": {
"type": "object",
"additionalProperties": false,

2
fast/stages/3-data-platform-dev/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0

2
fast/stages/3-gcve-dev/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0

2
fast/stages/3-gke-dev/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0

2
fast/stages/3-secops-dev/fast_version.txt
View File

@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# FAST release: v49.1.0
# FAST release: v49.2.0