FAST: add top-level folders and restructure teams/tenants in resman (#2254)

* remove teams and tenants from resman

* move fast features to stage 1, fix test inventories

* folders

* fix factory, add top level folder resources to outputs

* tfdoc

* stage 0 log sink defs

* tfdoc

* enable toc in resman readme

* simple tenants

* fast compatibility automation and logging

* testing fast-compatible tenants

* testing fast-compatible tenants

* tfdoc

* remove mt stages

* remove tests, fix links

* disable tflint

* fast tests

* make organization conditional in resman

* check names tool

* export real prefix to tfvars, prevent destroy errors

* prefix validation

* fix billing account export format

* tfdoc

* root node folder

* resman changes

* tenant resman roles

* first apply of tenant resman

* tenant log sinks in stage 1

* fix test vars

* tfdoc

* tenant vpc-sc access policy

* fix tests expected values

* tenant CI/CD

* identity providers

* wif

* tfdoc

* add comments to identity locals

* full-feature tenant resman apply

* tenant billing IAM

* stage test

* fix CI/CD comments

* tenant net stage verified

* tenant sec stage verified

* fix test

* README work

* tfdoc

* README

* README rewording

* README rewording

* tfdoc

* FAST excalidraw

* review comments

* diagram review changes

* add iam log sink for tenants

* remove redundant try from security stage

* Implement tflint-fast in Python driven by tftest.yaml files

* tflint

* test ci changes

* revert linting changes

* disable tflint for fast

* Create junit-style report for FAST tflint

* Remove junit-reporter

* YAPF tflint-fast.py

* Output tflint FAST to job summary

* Step summary

* Disable step_summary as output is not useful

* ignore tflint warning

* re-enable tflint on FAST

---------

Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>

tests/fast/stages/s0_bootstrap/checklist.yaml

@@ -360,13 +360,15 @@ counts:
   google_bigquery_dataset: 1
   google_bigquery_default_service_account: 3
   google_essential_contacts_contact: 3
+  google_logging_organization_settings: 1
   google_logging_organization_sink: 4
   google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
-  google_organization_iam_binding: 27
+  google_organization_iam_binding: 28
   google_organization_iam_custom_role: 7
-  google_organization_iam_member: 35
+  google_organization_iam_member: 36
   google_project: 3
+  google_project_iam_audit_config: 1
   google_project_iam_binding: 19
   google_project_iam_member: 7
   google_project_service: 31
@@ -376,9 +378,9 @@ counts:
   google_storage_bucket: 4
   google_storage_bucket_iam_binding: 2
   google_storage_bucket_iam_member: 4
-  google_storage_bucket_object: 9
+  google_storage_bucket_object: 10
   google_storage_project_service_account: 3
   google_tags_tag_key: 1
   google_tags_tag_value: 1
   modules: 18
-  resources: 202
+  resources: 205

tests/fast/stages/s0_bootstrap/simple.yaml

@@ -35,17 +35,20 @@ values:
     - group:gcp-support@example.com
     org_id: '123456789012'
     role: roles/monitoring.viewer
+counts:
 counts:
   google_bigquery_dataset: 1
   google_bigquery_default_service_account: 3
   google_essential_contacts_contact: 3
+  google_logging_organization_settings: 1
   google_logging_organization_sink: 4
   google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
-  google_organization_iam_binding: 27
+  google_organization_iam_binding: 28
   google_organization_iam_custom_role: 7
-  google_organization_iam_member: 22
+  google_organization_iam_member: 23
   google_project: 3
+  google_project_iam_audit_config: 1
   google_project_iam_binding: 19
   google_project_iam_member: 7
   google_project_service: 31
@@ -55,13 +58,13 @@ counts:
   google_storage_bucket: 3
   google_storage_bucket_iam_binding: 2
   google_storage_bucket_iam_member: 4
-  google_storage_bucket_object: 7
+  google_storage_bucket_object: 8
   google_storage_project_service_account: 3
   google_tags_tag_key: 1
   google_tags_tag_value: 1
-  local_file: 7
+  local_file: 8
   modules: 17
-  resources: 193
+  resources: 197
 
 outputs:
   custom_roles:

tests/fast/stages/s1_resman/checklist.tfvars

@@ -29,6 +29,9 @@ groups = {
   gcp-security-admins     = "gcp-security-admins",
   gcp-support             = "gcp-support"
 }
+logging = {
+  project_id = "fast-prod-log-audit-0"
+}
 organization = {
   domain      = "fast.example.com"
   id          = 123456789012

tests/fast/stages/s1_resman/checklist.yaml

@@ -415,7 +415,7 @@ values:
     timeouts: null
 
 counts:
-  google_folder: 57
+  google_folder: 56
   google_folder_iam_binding: 69
   google_organization_iam_member: 6
   google_project_iam_member: 4
@@ -425,8 +425,8 @@ counts:
   google_storage_bucket_iam_binding: 4
   google_storage_bucket_iam_member: 4
   google_storage_bucket_object: 5
-  google_tags_tag_binding: 5
-  google_tags_tag_key: 3
-  google_tags_tag_value: 10
-  modules: 64
-  resources: 177
+  google_tags_tag_binding: 4
+  google_tags_tag_key: 2
+  google_tags_tag_value: 8
+  modules: 63
+  resources: 172

tests/fast/stages/s1_resman/simple.tfvars

@@ -26,6 +26,9 @@ groups = {
   gcp-security-admins     = "gcp-security-admins",
   gcp-support             = "gcp-support"
 }
+logging = {
+  project_id = "fast-prod-log-audit-0"
+}
 organization = {
   domain      = "fast.example.com"
   id          = 123456789012

tests/fast/stages/s1_resman/simple.yaml

@@ -13,8 +13,8 @@
 # limitations under the License.
 
 counts:
-  google_folder: 5
-  google_folder_iam_binding: 25
+  google_folder: 4
+  google_folder_iam_binding: 23
   google_organization_iam_member: 6
   google_project_iam_member: 4
   google_service_account: 4
@@ -23,8 +23,8 @@ counts:
   google_storage_bucket_iam_binding: 4
   google_storage_bucket_iam_member: 4
   google_storage_bucket_object: 5
-  google_tags_tag_binding: 5
-  google_tags_tag_key: 3
-  google_tags_tag_value: 10
-  modules: 12
-  resources: 81
+  google_tags_tag_binding: 4
+  google_tags_tag_key: 2
+  google_tags_tag_value: 8
+  modules: 11
+  resources: 74

tests/fast/stages/s1_tenant_factory/__init__.py

@@ -11,18 +11,3 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-counts:
-  google_folder: 13
-  google_folder_iam_binding: 42
-  google_folder_iam_member: 3
-  google_org_policy_policy: 2
-  google_service_account: 9
-  google_service_account_iam_binding: 8
-  google_storage_bucket: 10
-  google_storage_bucket_iam_binding: 10
-  google_storage_bucket_iam_member: 9
-  google_storage_bucket_object: 11
-  google_tags_tag_binding: 12
-  modules: 32
-  resources: 129

tests/fast/stages/s1_tenant_factory/simple.tfvars

@@ -0,0 +1,114 @@
+automation = {
+  federated_identity_pool      = null
+  federated_identity_providers = null
+  project_id                   = "fast-prod-automation"
+  project_number               = 123456
+  outputs_bucket               = "test"
+  service_accounts = {
+    resman   = "ldj-prod-resman-0@fast2-prod-iac-core-0.iam.gserviceaccount.com"
+    resman-r = "ldj-prod-resman-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com"
+  }
+}
+billing_account = {
+  id = "000000-111111-222222"
+}
+custom_roles = {
+  # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
+  gcve_network_admin            = "organizations/123456789012/roles/gcveNetworkAdmin"
+  organization_admin_viewer     = "organizations/123456789012/roles/organizationAdminViewer"
+  service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
+  storage_viewer                = "organizations/123456789012/roles/storageViewer"
+  tenant_network_admin          = "organizations/123456789012/roles/tenantNetworkAdmin"
+}
+groups = {
+  gcp-billing-admins      = "gcp-billing-admins",
+  gcp-devops              = "gcp-devops",
+  gcp-network-admins      = "gcp-vpc-network-admins",
+  gcp-organization-admins = "gcp-organization-admins",
+  gcp-security-admins     = "gcp-security-admins",
+  gcp-support             = "gcp-support"
+}
+logging = {
+  project_id = "fast-prod-log-audit-0"
+}
+organization = {
+  domain      = "fast.example.com"
+  id          = 123456789012
+  customer_id = "C00000000"
+}
+org_policy_tags = {
+  key_id   = "tagKeys/281480694641817"
+  key_name = "org-policies"
+  values = {
+    "allowed-policy-member-domains-all" = "tagValues/281480211229353"
+    "compute-require-oslogin-false"     = "tagValues/281476830880807"
+  }
+}
+prefix    = "fast2"
+root_node = "folders/1234567890"
+tenant_configs = {
+  s0 = {
+    admin_principal  = "group:admins@example0.org"
+    descriptive_name = "Simple 0"
+  }
+  s1 = {
+    admin_principal = "group:admins@example1.org"
+    billing_account = {
+      # implicit no-iam
+      id = "102345-102345-102345"
+    }
+    descriptive_name = "Simple 1"
+    cloud_identity = {
+      customer_id = "ABCDEFGH"
+      domain      = "example1.org"
+      id          = 1234567890
+    }
+    vpc_sc_policy_create = true
+  }
+  f0 = {
+    admin_principal = "group:gcp-organization-admins@fast-0.example.org"
+    billing_account = {
+      # implicit use of org-level BA with IAM roles
+      no_iam = false
+    }
+    descriptive_name = "Fast 0"
+    cloud_identity = {
+      domain      = "fast-0.example.org"
+      id          = 12345678
+      customer_id = "C0C0C0C0"
+    }
+    fast_config = {
+      groups = {
+        gcp-network-admins = "gcp-network-admins"
+      }
+      cicd_config = {
+        identity_provider = "github"
+        name              = "fast-0/resman"
+        type              = "github"
+        branch            = "main"
+      }
+      workload_identity_providers = {
+        github = {
+          attribute_condition = "attribute.repository_owner==\"fast-0\""
+          issuer              = "github"
+        }
+      }
+    }
+    vpc_sc_policy_create = true
+  }
+  f1 = {
+    admin_principal = "group:gcp-organization-admins@fast-1.example.org"
+    # implicit use of org-level BA without IAM roles
+    descriptive_name = "Fast 1"
+    cloud_identity = {
+      domain      = "fast-1.example.org"
+      id          = 1234567
+      customer_id = "D0D0D0D0"
+    }
+    fast_config = {
+      groups = {
+        gcp-network-admins = "gcp-network-admins"
+      }
+    }
+  }
+}

tests/fast/stages/s1_tenant_factory/simple.yaml

@@ -0,0 +1,46 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+counts:
+  google_access_context_manager_access_policy: 2
+  google_access_context_manager_access_policy_iam_member: 7
+  google_bigquery_default_service_account: 4
+  google_essential_contacts_contact: 2
+  google_folder: 8
+  google_folder_iam_binding: 34
+  google_iam_workload_identity_pool: 1
+  google_iam_workload_identity_pool_provider: 1
+  google_logging_folder_sink: 4
+  google_logging_project_bucket_config: 4
+  google_org_policy_policy: 3
+  google_organization_iam_member: 6
+  google_project: 6
+  google_project_iam_audit_config: 2
+  google_project_iam_binding: 32
+  google_project_iam_member: 18
+  google_project_service: 56
+  google_project_service_identity: 8
+  google_service_account: 16
+  google_service_account_iam_binding: 6
+  google_service_account_iam_member: 2
+  google_storage_bucket: 8
+  google_storage_bucket_iam_binding: 8
+  google_storage_bucket_iam_member: 6
+  google_storage_bucket_object: 17
+  google_storage_project_service_account: 4
+  google_tags_tag_binding: 4
+  google_tags_tag_key: 1
+  google_tags_tag_value: 4
+  modules: 50
+  resources: 274

tests/fast/stages/s1_tenant_factory/tftest.yaml

@@ -0,0 +1,18 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: fast/stages/1-tenant-factory
+
+tests:
+  simple:

tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars

@@ -1,61 +0,0 @@
-automation = {
-  federated_identity_pool      = null
-  federated_identity_providers = null
-  project_id                   = "fast-prod-automation"
-  project_number               = 123456
-  outputs_bucket               = "test"
-}
-billing_account = {
-  id = "000000-111111-222222"
-}
-custom_roles = {
-  # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
-  service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
-  tenant_network_admin          = "organizations/123456789012/roles/TenantNetworkAdmin"
-}
-groups = {
-  gcp-billing-admins      = "gcp-billing-admins",
-  gcp-devops              = "gcp-devops",
-  gcp-network-admins      = "gcp-vpc-network-admins",
-  gcp-organization-admins = "gcp-organization-admins",
-  gcp-security-admins     = "gcp-security-admins",
-  gcp-support             = "gcp-support"
-}
-organization = {
-  domain      = "fast.example.com"
-  id          = 123456789012
-  customer_id = "C00000000"
-}
-prefix = "fast2"
-tag_keys = {
-  context     = "tagKeys/1234567890"
-  environment = "tagKeys/4567890123"
-  tenant      = "tagKeys/7890123456"
-}
-tag_names = {
-  context     = "context"
-  environment = "environment"
-  tenant      = "tenant"
-}
-tag_values = {
-  "context/data" : "tagValues/1234567890",
-  "context/gke" : "tagValues/1234567890",
-  "context/networking" : "tagValues/1234567890",
-  "context/sandbox" : "tagValues/1234567890",
-  "context/security" : "tagValues/1234567890",
-  "context/teams" : "tagValues/1234567890",
-  "environment/development" : "tagValues/1234567890",
-  "environment/production" : "tagValues/1234567890"
-}
-tenant_config = {
-  groups = {
-    gcp-admins = "gcp-tn01-admins"
-  }
-  descriptive_name = "Tenant 01"
-  locations = {
-    gcs     = "europe-west8"
-    logging = "europe-west8"
-  }
-  short_name = "tn01"
-}
-test_principal = "foo-prod-resman-0@foo-prod-iac-core-0.iam.gserviceaccount.com"

tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml

@@ -1,33 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-counts:
-  google_bigquery_default_service_account: 2
-  google_folder: 1
-  google_folder_iam_binding: 5
-  google_organization_iam_member: 39
-  google_project: 2
-  google_project_iam_binding: 8
-  google_project_service: 26
-  google_project_service_identity: 3
-  google_service_account: 11
-  google_storage_bucket: 2
-  google_storage_bucket_iam_binding: 1
-  google_storage_bucket_iam_member: 1
-  google_storage_bucket_object: 2
-  google_storage_project_service_account: 2
-  google_tags_tag_binding: 1
-  google_tags_tag_value: 1
-  modules: 19
-  resources: 128

tests/fast/stages_multitenant/s0_bootstrap_tenant/tftest.yaml

@@ -1,10 +0,0 @@
-# skip boilerplate check
-
-module: fast/stages-multitenant/0-bootstrap-tenant
-
-tests:
-  simple:
-    tfvars:
-      - simple.tfvars
-    inventory:
-      - simple.yaml

tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars

@@ -1,70 +0,0 @@
-automation = {
-  federated_identity_pools     = null
-  federated_identity_providers = null
-  project_id                   = "tn0-prod-automation-0"
-  project_number               = 123456
-  outputs_bucket               = "tn0-prod-automation-0"
-  service_accounts = {
-    networking = "foo-tn0-net-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    resman     = "foo-tn0-resman-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    security   = "foo-tn0-sec-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    dp-dev     = "foo-tn0-dp-dev-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    dp-prod    = "foo-tn0-dp-prod-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    gke-dev    = "foo-tn0-gke-dev-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    gke-prod   = "foo-tn0-gke-prod-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    pf-dev     = "foo-tn0-pf-dev-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    pf-prod    = "foo-tn0-pf-prod-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    sandbox    = "foo-tn0-sandbox-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-    teams      = "foo-tn0-teams-0@foo-tn0-prod-iac-core-0.iam.gserviceaccount.com"
-  }
-}
-billing_account = {
-  id = "000000-111111-222222"
-}
-custom_roles = {
-  # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
-  service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
-}
-fast_features = {
-  data_platform   = true
-  gke             = true
-  project_factory = true
-  sandbox         = true
-  teams           = true
-}
-groups = {
-  gcp-devops          = "gcp-devops",
-  gcp-network-admins  = "gcp-vpc-network-admins",
-  gcp-security-admins = "gcp-security-admins",
-}
-organization = {
-  domain      = "fast.example.com"
-  id          = 123456789012
-  customer_id = "C00000000"
-}
-prefix     = "foo-tn0"
-root_node  = "folders/1234567890"
-short_name = "tn0"
-tags = {
-  keys = {
-    context     = "tagKeys/1234567890"
-    environment = "tagKeys/4567890123"
-    tenant      = "tagKeys/7890123456"
-  }
-  names = {
-    context     = "context"
-    environment = "environment"
-    tenant      = "tenant"
-  }
-  values = {
-    "context/data" : "tagValues/1234567890",
-    "context/gke" : "tagValues/1234567890",
-    "context/networking" : "tagValues/1234567890",
-    "context/sandbox" : "tagValues/1234567890",
-    "context/security" : "tagValues/1234567890",
-    "context/teams" : "tagValues/1234567890",
-    "environment/development" : "tagValues/1234567890",
-    "environment/production" : "tagValues/1234567890"
-  }
-}
-test_skip_data_sources = true

tests/fast/stages_multitenant/s1_resman_tenant/tftest.yaml

@@ -1,10 +0,0 @@
-# skip boilerplate check
-
-module: fast/stages-multitenant/1-resman-tenant
-
-tests:
-  simple:
-    tfvars:
-      - simple.tfvars
-    inventory:
-      - simple.yaml