Factories refactor (#1843)

* factories refactor doc

* Adds file schema and filesystem organization

* Update 20231106-factories.md

* move factories out of blueprints and create new factories  README

* align factory in billing-account module

* align factory in dataplex-datascan module

* align factory in billing-account module

* align factory in net-firewall-policy module

* align factory in dns-response-policy module

* align factory in net-vpc-firewall module

* align factory in net-vpc module

* align factory variable names in FAST

* remove decentralized firewall blueprint

* bump terraform version

* bump module versions

* update top-level READMEs

* move project factory to modules

* fix variable names and tests

* tfdoc

* remove changelog link

* add project factory to top-level README

* fix cloudrun eventarc diff

* fix README

* fix cloudrun eventarc diff

---------

Co-authored-by: Simone Ruffilli <sruffilli@google.com>
This commit is contained in:
Ludovico Magnocavallo
2024-02-26 11:16:52 +01:00
committed by GitHub
parent 8e86f0e108
commit 6941313c7d
188 changed files with 917 additions and 2292 deletions


@@ -82,8 +82,10 @@ module "landing-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
project_id = module.landing-project.project_id
name = "googleapis"
factories_config = {
rules = var.factories_config.dns_policy_rules_file
}
networks = {
landing = module.landing-vpc.self_link
}
rules_file = var.factories_config.dns_policy_rules_file
}
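Review bot: The new `factories_config.rules` argument is assigned from a variable named `dns_policy_rules_file`, so the module presumably receives a path and reads and decodes the YAML itself, but nothing in the stanza says so, and the name `factories_config` now denotes both the stage variable and the module input on the same line. A one-line comment above the block, `# rules is a path to the YAML rules file; the module reads and decodes it`, would make that indirection explicit. Because response-policy rules override name resolution for every VPC listed under `networks`, the file behind that path is effectively part of this stage's configuration and deserves the same review gate as the Terraform code that references it. The opening `module` line appears only in the hunk header; the block itself closes inside the hunk. The same stanza is repeated in the later landing-dns-policy-googleapis, dev-dns-policy-googleapis and prod-dns-policy-googleapis sections, and this note applies to each of them.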


@@ -60,7 +60,7 @@ module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
name = var.factories_config.firewall_policy_name
parent_id = module.folder.id
rules_factory_config = {
factories_config = {
cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
}
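Review bot: The renamed `factories_config` block builds both file paths from `var.factories_config.data_dir` plus hard-coded file names, whereas the DNS stanza in the same stage passes a complete file path straight from the stage variable; the two conventions for locating factory data now sit side by side without explanation. A comment such as `# data_dir is a directory; file names are fixed by convention (cidrs.yaml, hierarchical-ingress-rules.yaml)` above the block would tell a reader which files the module is expected to find there. The hierarchical ingress rules and CIDR definitions loaded from those files shape the default firewall policy for the whole folder, so the data directory should be reviewed alongside this code. The closing brace of the module block lies outside the hunk. The identical change appears in the other firewall-policy-default sections below, and this note applies to each of them.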


@@ -82,8 +82,10 @@ module "landing-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
project_id = module.landing-project.project_id
name = "googleapis"
factories_config = {
rules = var.factories_config.dns_policy_rules_file
}
networks = {
landing = module.landing-vpc.self_link
}
rules_file = var.factories_config.dns_policy_rules_file
}


@@ -60,7 +60,7 @@ module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
name = var.factories_config.firewall_policy_name
parent_id = module.folder.id
rules_factory_config = {
factories_config = {
cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
}


@@ -91,9 +91,11 @@ module "landing-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
project_id = module.landing-project.project_id
name = "googleapis"
factories_config = {
rules = var.factories_config.dns_policy_rules_file
}
networks = {
landing-trusted = module.landing-trusted-vpc.self_link
landing-untrusted = module.landing-untrusted-vpc.self_link
}
rules_file = var.factories_config.dns_policy_rules_file
}


@@ -61,7 +61,7 @@ module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
name = var.factories_config.firewall_policy_name
parent_id = module.folder.id
rules_factory_config = {
factories_config = {
cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
}


@@ -77,8 +77,10 @@ module "dev-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
project_id = module.dev-spoke-project.project_id
name = "googleapis"
factories_config = {
rules = var.factories_config.dns_policy_rules_file
}
networks = {
dev = module.dev-spoke-vpc.self_link
}
rules_file = var.factories_config.dns_policy_rules_file
}


@@ -77,8 +77,10 @@ module "prod-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
project_id = module.prod-spoke-project.project_id
name = "googleapis"
factories_config = {
rules = var.factories_config.dns_policy_rules_file
}
networks = {
prod = module.prod-spoke-vpc.self_link
}
rules_file = var.factories_config.dns_policy_rules_file
}


@@ -56,7 +56,7 @@ module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
name = var.factories_config.firewall_policy_name
parent_id = module.folder.id
rules_factory_config = {
factories_config = {
cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
}


@@ -91,9 +91,11 @@ module "landing-dns-policy-googleapis" {
source = "../../../modules/dns-response-policy"
project_id = module.landing-project.project_id
name = "googleapis"
factories_config = {
rules = var.factories_config.dns_policy_rules_file
}
networks = {
landing-trusted = module.landing-trusted-vpc.self_link
landing-untrusted = module.landing-untrusted-vpc.self_link
}
rules_file = var.factories_config.dns_policy_rules_file
}


@@ -61,7 +61,7 @@ module "firewall-policy-default" {
source = "../../../modules/net-firewall-policy"
name = var.factories_config.firewall_policy_name
parent_id = module.folder.id
rules_factory_config = {
factories_config = {
cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
ingress_rules_file_path = "${var.factories_config.data_dir}/hierarchical-ingress-rules.yaml"
}


@@ -1,7 +1,7 @@
# Project factory
The Project Factory (or PF) builds on top of your foundations to create and set up projects (and related resources) to be used for your workloads.
It is organized in folders representing environments (e.g., "dev", "prod"), each implemented by a stand-alone terraform [resource factory](https://medium.com/google-cloud/resource-factories-a-descriptive-approach-to-terraform-581b3ebb59c).
It is organized in folders representing environments (e.g., "dev", "prod"), each implemented by a stand-alone terraform [process factory](../../../../blueprints/factories/README.md).
## Design overview and choices
@@ -13,7 +13,7 @@ A single factory creates projects in a well-defined context, according to your r
Projects for each environment across different teams are created by dedicated service accounts, as exemplified in the diagram above. While there's no intrinsic limitation regarding where the project factory can create a projects, the IAM bindings for the service account effectively enforce boundaries (e.g., the production service account shouldn't be able to create or have any access to the development projects, and vice versa).
The project factory exposes all the features of the underlying [project module](../../../../modules/project/), including Shared VPC service project attachment, VPC SC perimeter membership, etc.
The project factory stage lightly wraps the underlying [project-factory module](../../../../modules/project-factory/), including Shared VPC service project attachment, VPC SC perimeter membership, etc.
## How to run this stage
@@ -55,7 +55,7 @@ gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-security.auto.
If you're not using FAST, refer to the [Variables](#variables) table at the bottom of this document for a full list of variables, their origin (e.g., a stage or specific to this one), and descriptions explaining their meaning.
Besides the values above, the project factory is driven by data files which closely follow the variables exposed by the [project module](../../../../modules/project/), with one file per project. Please refer to the underlying [project factory blueprint](../../../../blueprints/factories/project-factory/) documentation for details on the format.
Besides the values above, the project factory is driven by YAML data files, with one file per project. Please refer to the underlying [project factory module](../../../../modules/project-factory/) documentation for details on the format.
Once the configuration is complete, run the project factory with:


@@ -17,7 +17,7 @@
# tfdoc:file:description Project factory.
module "projects" {
source = "../../../../blueprints/factories/project-factory"
source = "../../../../modules/project-factory"
data_defaults = {
billing_account = var.billing_account.id
# more defaults are available, check the project factory variables