Flexible stage 2s in FAST resource manager (#2840)

* wip * WIP * wip * wip * apply untested * tests * support tag expansion for tenant-level installations in IAM conditions * fix stage config output * inventories * remove dev files * tfdoc * enable org policies for stage folders * resman README * tfdoc * stage 3 documentation * inventory * support extra_dirs in testing franework * remove org policy files from stage 1 * Add principal interpolation to iam_by_principals (#2847) * Add principal interpolation to iam_by_principals * Fix tests * relax schemas * relax schemas --------- Co-authored-by: Julio Castillo <jccb@google.com>
2025-01-29 13:16:35 +01:00
parent 1009dd248b
commit 95ec5ee3b5
58 changed files with 1607 additions and 1394 deletions
--- a/tests/fast/stages/s1_resman/simple.tfvars
+++ b/tests/fast/stages/s1_resman/simple.tfvars
@@ -1,3 +1,67 @@
+# stage variables
+
+fast_addon = {
+  ngfw = {
+    parent_stage = "2-networking"
+  }
+}
+fast_stage_2 = {
+  # replicate one stage 2 via tfvars so as to check CI/CD configuration
+  project-factory = {
+    short_name = "pf"
+    cicd_config = {
+      identity_provider = "gh-test"
+      repository = {
+        name   = "cloud-foundation-fabric/1-resman"
+        branch = "main"
+      }
+    }
+    organization_config = {
+      iam_bindings_additive = {
+        sa_pf_conditional_org_policy = {
+          member = "rw"
+          role   = "roles/orgpolicy.policyAdmin"
+          condition = {
+            title       = "org_policy_tag_pf_scoped"
+            description = "Org policy tag scoped grant for project factory."
+            expression  = "resource.matchTag('$${organization.id}/$${tag_names.context}', 'project-factory')"
+          }
+        }
+      }
+    }
+  }
+}
+tags = {
+  context = {
+    values = {
+      data-platform = {}
+      gcve          = {}
+      gke           = {}
+      nsec          = {}
+      sandbox       = {}
+    }
+  }
+  environment = {
+    values = {
+      development = {
+        iam = {
+          "roles/resourcemanager.tagUser"   = ["gcve-dev-rw"]
+          "roles/resourcemanager.tagViewer" = ["gcve-dev-ro"]
+        }
+      }
+    }
+  }
+}
+top_level_folders = {
+  tenants = {
+    name              = "Tenants"
+    iam_by_principals = {}
+  }
+  shared = {
+    name = "Shared Infrastructure"
+  }
+}
+
 # globals

 billing_account = {
@@ -82,71 +146,3 @@ custom_roles = {
 logging = {
  project_id = "fast-prod-log-audit-0"
 }
-
-# stage variables
-
-fast_addon = {
-  ngfw = {
-    parent_stage = "2-networking"
-  }
-}
-fast_stage_2 = {
-  networking = {
-    cicd_config = {
-      identity_provider = "gh-test"
-      repository = {
-        branch = "main"
-        name   = "test/00-networking"
-        type   = "github"
-      }
-    }
-    folder_config = {
-      parent_id = "shared"
-    }
-  }
-  security = {
-    cicd_config = {
-      identity_provider = "gl-test"
-      repository = {
-        name = "test/00-security"
-        type = "gitlab"
-      }
-    }
-  }
-}
-tags = {
-  context = {
-    values = {
-      data-platform = {}
-      gcve          = {}
-      gke           = {}
-      nsec          = {}
-      sandbox       = {}
-    }
-  }
-  environment = {
-    values = {
-      development = {
-        iam = {
-          "roles/resourcemanager.tagUser"   = ["project-factory-dev"]
-          "roles/resourcemanager.tagViewer" = ["project-factory-dev-r"]
-        }
-      }
-      production = {
-        iam = {
-          "roles/resourcemanager.tagUser"   = ["project-factory-prod"]
-          "roles/resourcemanager.tagViewer" = ["project-factory-prod-r"]
-        }
-      }
-    }
-  }
-}
-top_level_folders = {
-  tenants = {
-    name              = "Tenants"
-    iam_by_principals = {}
-  }
-  shared = {
-    name = "Shared Infrastructure"
-  }
-}
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -12,133 +12,43 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-values:
-  module.cicd-sa-ro["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]:
-    condition: []
-    project: fast2-prod-automation
-    role: roles/logging.logWriter
-  module.cicd-sa-ro["networking"].google_service_account.service_account[0]:
-    account_id: fast2-prod-resman-net-1r
-    create_ignore_already_exists: null
-    description: null
-    disabled: false
-    display_name: CI/CD 2-net prod service account (read-only).
-    email: fast2-prod-resman-net-1r@fast2-prod-automation.iam.gserviceaccount.com
-    member: serviceAccount:fast2-prod-resman-net-1r@fast2-prod-automation.iam.gserviceaccount.com
-    project: fast2-prod-automation
-    timeouts: null
-  module.cicd-sa-ro["networking"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
-    condition: []
-    members:
-    - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/test/00-networking
-    role: roles/iam.workloadIdentityUser
-  ? module.cicd-sa-ro["networking"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"]
-  : bucket: fast2-prod-iac-core-outputs
-    condition: []
-    role: roles/storage.objectViewer
-  module.cicd-sa-ro["security"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]:
-    condition: []
-    project: fast2-prod-automation
-    role: roles/logging.logWriter
-  module.cicd-sa-ro["security"].google_service_account.service_account[0]:
-    account_id: fast2-prod-resman-sec-1r
-    create_ignore_already_exists: null
-    description: null
-    disabled: false
-    display_name: CI/CD 2-sec prod service account (read-only).
-    email: fast2-prod-resman-sec-1r@fast2-prod-automation.iam.gserviceaccount.com
-    member: serviceAccount:fast2-prod-resman-sec-1r@fast2-prod-automation.iam.gserviceaccount.com
-    project: fast2-prod-automation
-    timeouts: null
-  module.cicd-sa-ro["security"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
-    condition: []
-    members:
-    - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/test/00-security
-    role: roles/iam.workloadIdentityUser
-  ? module.cicd-sa-ro["security"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"]
-  : bucket: fast2-prod-iac-core-outputs
-    condition: []
-    role: roles/storage.objectViewer
-  module.cicd-sa-rw["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]:
-    condition: []
-    project: fast2-prod-automation
-    role: roles/logging.logWriter
-  module.cicd-sa-rw["networking"].google_service_account.service_account[0]:
-    account_id: fast2-prod-resman-net-1
-    create_ignore_already_exists: null
-    description: null
-    disabled: false
-    display_name: CI/CD 2-net prod service account.
-    email: fast2-prod-resman-net-1@fast2-prod-automation.iam.gserviceaccount.com
-    member: serviceAccount:fast2-prod-resman-net-1@fast2-prod-automation.iam.gserviceaccount.com
-    project: fast2-prod-automation
-    timeouts: null
-  module.cicd-sa-rw["networking"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
-    condition: []
-    members:
-    - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.fast_sub/repo:test/00-networking:ref:refs/heads/main
-    role: roles/iam.workloadIdentityUser
-  ? module.cicd-sa-rw["networking"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"]
-  : bucket: fast2-prod-iac-core-outputs
-    condition: []
-    role: roles/storage.objectViewer
-  module.cicd-sa-rw["security"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]:
-    condition: []
-    project: fast2-prod-automation
-    role: roles/logging.logWriter
-  module.cicd-sa-rw["security"].google_service_account.service_account[0]:
-    account_id: fast2-prod-resman-sec-1
-    create_ignore_already_exists: null
-    description: null
-    disabled: false
-    display_name: CI/CD 2-sec prod service account.
-    email: fast2-prod-resman-sec-1@fast2-prod-automation.iam.gserviceaccount.com
-    member: serviceAccount:fast2-prod-resman-sec-1@fast2-prod-automation.iam.gserviceaccount.com
-    project: fast2-prod-automation
-    timeouts: null
-  module.cicd-sa-rw["security"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
-    condition: []
-    members:
-    - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/test/00-security
-    role: roles/iam.workloadIdentityUser
-  ? module.cicd-sa-rw["security"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"]
-  : bucket: fast2-prod-iac-core-outputs
-    condition: []
-    role: roles/storage.objectViewer
-
 counts:
-  google_folder: 14
-  google_folder_iam_binding: 74
+  google_folder: 12
+  google_folder_iam_binding: 50
  google_org_policy_policy: 2
-  google_organization_iam_member: 18
-  google_project_iam_member: 23
-  google_service_account: 23
-  google_service_account_iam_binding: 23
-  google_storage_bucket: 10
-  google_storage_bucket_iam_binding: 20
-  google_storage_bucket_iam_member: 23
-  google_storage_bucket_object: 24
-  google_tags_tag_binding: 14
+  google_organization_iam_member: 15
+  google_project_iam_member: 13
+  google_service_account: 13
+  google_service_account_iam_binding: 13
+  google_storage_bucket: 6
+  google_storage_bucket_iam_binding: 12
+  google_storage_bucket_iam_member: 13
+  google_storage_bucket_object: 15
+  google_tags_tag_binding: 12
  google_tags_tag_key: 2
  google_tags_tag_value: 12
  google_tags_tag_value_iam_binding: 4
-  modules: 48
-  resources: 286
+  modules: 32
+  resources: 194

 outputs:
  cicd_repositories:
-    networking:
+    project-factory:
      provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno
      repository:
        branch: main
-        name: test/00-networking
+        name: cloud-foundation-fabric/1-resman
        type: github
-    security:
-      provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno
-      repository:
-        branch: null
-        name: test/00-security
-        type: gitlab
-  folder_ids: __missing__
-  tfvars: __missing__
+  service_accounts:
+    gcve-dev-ro: fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com
+    gcve-dev-rw: fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
+    gke-dev-ro: fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com
+    gke-dev-rw: fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
+    networking-ro: fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
+    networking-rw: fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
+    project-factory-ro: fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
+    project-factory-rw: fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
+    sandbox: fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
+    security-ro: fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
+    security-rw: fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com

--- a/tests/fast/stages/s1_resman/tftest.yaml
+++ b/tests/fast/stages/s1_resman/tftest.yaml
@@ -16,3 +16,5 @@ module: fast/stages/1-resman

 tests:
  simple:
+    # extra_dirs:
+    #   - ../../../tests/fast/stages/s1_resman/test-data
--- a/tests/fast/stages/s2_networking_a_simple/simple.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml
@@ -39,7 +39,7 @@ counts:
  google_monitoring_dashboard: 3
  google_monitoring_monitored_project: 2
  google_project: 3
-  google_project_iam_binding: 4
+  google_project_iam_binding: 2
  google_project_iam_member: 20
  google_project_service: 26
  google_project_service_identity: 20
@@ -47,4 +47,4 @@ counts:
  google_tags_tag_binding: 3
  modules: 27
  random_id: 3
-  resources: 194
+  resources: 192
--- a/tests/fast/stages/s2_security/simple.yaml
+++ b/tests/fast/stages/s2_security/simple.yaml
@@ -20,14 +20,14 @@ counts:
  google_privateca_ca_pool: 1
  google_privateca_certificate_authority: 1
  google_project: 2
-  google_project_iam_binding: 4
+  google_project_iam_binding: 2
  google_project_iam_member: 4
  google_project_service: 10
  google_project_service_identity: 8
  google_storage_bucket_object: 1
  google_tags_tag_binding: 2
  modules: 12
-  resources: 58
+  resources: 56

 outputs:
  certificate_authority_pools: __missing__