Extend FAST to support different principal types (#2064)

* add doc draft * typos * typo * typo * typos * rewording * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * move iam variables to a separate file * move billing-account module to iam_principals * move data-catalog-policy-tag module to iam_principals * move dataplex-datascan module to iam_principals * move dataproc module to iam_principals * move folder module to iam_principals * copyright * move organization module to iam_principals * move project module to iam_principals * move source-repository module to iam_principals * update blueprints for iam_principals interface * FAST bootstrap * module READMEs fixes * FAST bootstrap * FAST networking stages * FAST security stage * FAST gke stage * FAST multitenant bootstrap stage * FAST multitenant resman stage * tfdoc * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * fix module test * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Rename iam_principals to iam_by_principals * Update IAM template to include iam_by_principals * Update Resman README * Fix ADR link format --------- Co-authored-by: Julio Castillo <jccb@google.com>
2024-02-12 16:35:30 +03:00
parent 3397d4cd52
commit 71a64487d5
108 changed files with 1366 additions and 1033 deletions
--- a/tests/fast/stages/s0_bootstrap/checklist.tfvars
+++ b/tests/fast/stages/s0_bootstrap/checklist.tfvars
@@ -6,6 +6,7 @@ organization = {
 billing_account = {
  id = "000000-111111-222222"
 }
+essential_contacts = "gcp-organization-admins@fast.example.com"
 factories_config = {
  checklist_data    = "checklist-data.json"
  checklist_org_iam = "checklist-org-iam.json"
--- a/tests/fast/stages/s0_bootstrap/simple.tfvars
+++ b/tests/fast/stages/s0_bootstrap/simple.tfvars
@@ -6,8 +6,12 @@ organization = {
 billing_account = {
  id = "000000-111111-222222"
 }
-prefix = "fast"
+essential_contacts = "gcp-organization-admins@fast.example.com"
+prefix             = "fast"
 org_policies_config = {
  import_defaults = false
 }
 outputs_location = "/fast-config"
+groups = {
+  gcp-support = "group:gcp-support@example.com"
+}
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -12,6 +12,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+values:
+  module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
+    condition: []
+    members:
+    - group:gcp-network-admins@fast.example.com
+    - group:gcp-security-admins@fast.example.com
+    - group:gcp-support@example.com
+    org_id: '123456789012'
+    role: roles/cloudsupport.techSupportEditor
+  module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
+    condition: []
+    members:
+    - group:gcp-support@example.com
+    - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+    - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/logging.viewer
+  module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
+    condition: []
+    members:
+    - group:gcp-support@example.com
+    org_id: '123456789012'
+    role: roles/monitoring.viewer
 counts:
  google_bigquery_dataset: 1
  google_bigquery_default_service_account: 3
--- a/tests/fast/stages/s2_networking_a_peering/common.tfvars
+++ b/tests/fast/stages/s2_networking_a_peering/common.tfvars
@@ -11,7 +11,8 @@ dns = {
  resolvers      = ["10.10.10.10"]
  enable_logging = true
 }
-enable_cloud_nat = true
+enable_cloud_nat   = true
+essential_contacts = "gcp-network-admins@fast.example.com"
 folder_ids = {
  networking      = null
  networking-dev  = null
--- a/tests/fast/stages/s2_networking_b_vpn/common.tfvars
+++ b/tests/fast/stages/s2_networking_b_vpn/common.tfvars
@@ -11,7 +11,8 @@ dns = {
  resolvers      = ["10.10.10.10"]
  enable_logging = true
 }
-enable_cloud_nat = true
+enable_cloud_nat   = true
+essential_contacts = "gcp-network-admins@fast.example.com"
 folder_ids = {
  networking      = null
  networking-dev  = null
--- a/tests/fast/stages/s2_networking_c_nva/common.tfvars
+++ b/tests/fast/stages/s2_networking_c_nva/common.tfvars
@@ -11,7 +11,8 @@ dns = {
  resolvers      = ["10.10.10.10"]
  enable_logging = true
 }
-enable_cloud_nat = true
+enable_cloud_nat   = true
+essential_contacts = "gcp-network-admins@fast.example.com"
 folder_ids = {
  networking      = null
  networking-dev  = null
--- a/tests/fast/stages/s2_networking_d_separate_envs/common.tfvars
+++ b/tests/fast/stages/s2_networking_d_separate_envs/common.tfvars
@@ -12,7 +12,8 @@ dns = {
  prod_resolvers = ["10.20.10.10"]
  enable_logging = true
 }
-enable_cloud_nat = true
+enable_cloud_nat   = true
+essential_contacts = "gcp-network-admins@fast.example.com"
 folder_ids = {
  networking      = null
  networking-dev  = null
--- a/tests/fast/stages/s2_networking_e_nva_bgp/common.tfvars
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/common.tfvars
@@ -11,7 +11,8 @@ dns = {
  resolvers      = ["10.10.10.10"]
  enable_logging = true
 }
-enable_cloud_nat = true
+enable_cloud_nat   = true
+essential_contacts = "gcp-network-admins@fast.example.com"
 folder_ids = {
  networking      = null
  networking-dev  = null
--- a/tests/fast/stages/s2_security/common.tfvars
+++ b/tests/fast/stages/s2_security/common.tfvars
@@ -4,6 +4,7 @@ automation = {
 billing_account = {
  id = "000000-111111-222222"
 }
+essential_contacts = "gcp-security-admins@fast.example.com"
 folder_ids = {
  security = null
 }