Merge remote-tracking branch 'origin/master' into fast-dev

fast/stages/0-org-setup/cicd.tf

@@ -18,11 +18,11 @@ locals {
   _cicd = try(yamldecode(file(local.paths.cicd)), {})
   _cicd_identity_providers = {
     for k, v in google_iam_workload_identity_pool_provider.default :
-    "$wif_providers:${k}" => v.id
+    "$wif_providers:${k}" => v.name
   }
   _cicd_output_files = {
     for k, v in google_storage_bucket_object.providers :
-    "$output_files:providers/${k}" => v.name
+    "$output_files:providers/${k}" => split("/", v.name)[1]
   }
   cicd_project_ids = {
     for k, v in merge(

fast/stages/0-org-setup/data/cicd.yaml

@@ -38,8 +38,8 @@ workflows:
     output_files:
       storage_bucket: $storage_buckets:iac-0/iac-outputs
       providers:
-        apply: $output_files:providers/0-org
-        plan: $output_files:providers/0-org-ro
+        apply: $output_files:providers/0-org-setup
+        plan: $output_files:providers/0-org-setup-ro
       files:
         - tfvars/0-boostrap.auto.tfvars.json
     service_accounts:

fast/stages/0-org-setup/data/defaults.yaml

@@ -51,20 +51,40 @@ output_files:
       bucket: $storage_buckets:iac-0/iac-stage-state
       prefix: 1-vpcsc
       service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
+    1-vpcsc-ro:
+      bucket: $storage_buckets:iac-0/iac-stage-state
+      prefix: 1-vpcsc
+      service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-ro
     2-networking:
       bucket: $storage_buckets:iac-0/iac-stage-state
       prefix: 2-networking
       service_account: $iam_principals:service_accounts/iac-0/iac-networking-rw
+    2-networking-ro:
+      bucket: $storage_buckets:iac-0/iac-stage-state
+      prefix: 2-networking
+      service_account: $iam_principals:service_accounts/iac-0/iac-networking-ro
     2-security:
       bucket: $storage_buckets:iac-0/iac-stage-state
       prefix: 2-security
       service_account: $iam_principals:service_accounts/iac-0/iac-security-rw
+    2-security-ro:
+      bucket: $storage_buckets:iac-0/iac-stage-state
+      prefix: 2-security
+      service_account: $iam_principals:service_accounts/iac-0/iac-security-ro
     2-project-factory:
       bucket: $storage_buckets:iac-0/iac-stage-state
       prefix: 2-project-factory
       service_account: $iam_principals:service_accounts/iac-0/iac-pf-rw
+    2-project-factory-ro:
+      bucket: $storage_buckets:iac-0/iac-stage-state
+      prefix: 2-project-factory
+      service_account: $iam_principals:service_accounts/iac-0/iac-pf-ro
     3-data-platform-dev:
       bucket: $storage_buckets:iac-0/iac-stage-state
       prefix: 3-data-platform-dev
       service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
+    3-data-platform-dev-ro:
+      bucket: $storage_buckets:iac-0/iac-stage-state
+      prefix: 3-data-platform-dev
+      service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
 

modules/net-lb-app-ext/negs.tf

@@ -47,7 +47,7 @@ locals {
   }
   neg_regional_serverless = {
     for k, v in var.neg_configs :
-    k => v if v.cloudrun != null || v.cloudfunction != null
+    k => v if v.cloudrun != null || v.cloudfunction != null || v.serverless_deployment != null
   }
   neg_zonal = {
     # we need to rebuild new objects as we cannot merge different types
@@ -137,6 +137,7 @@ resource "google_compute_region_network_endpoint_group" "psc" {
 }
 
 resource "google_compute_region_network_endpoint_group" "serverless" {
+  provider = google-beta
   for_each = local.neg_regional_serverless
   project = (
     each.value.project_id == null
@@ -144,7 +145,10 @@ resource "google_compute_region_network_endpoint_group" "serverless" {
     : each.value.project_id
   )
   region = try(
-    each.value.cloudrun.region, each.value.cloudfunction.region, null
+    each.value.cloudrun.region,
+    each.value.cloudfunction.region,
+    each.value.serverless_deployment.region,
+    null
   )
   name                  = "${var.name}-${each.key}"
   description           = coalesce(each.value.description, var.description)
@@ -164,4 +168,13 @@ resource "google_compute_region_network_endpoint_group" "serverless" {
       url_mask = each.value.cloudrun.target_urlmask
     }
   }
+  dynamic "serverless_deployment" {
+    for_each = each.value.serverless_deployment == null ? [] : [""]
+    content {
+      platform = each.value.serverless_deployment.platform
+      resource = each.value.serverless_deployment.resource
+      version  = each.value.serverless_deployment.version
+      url_mask = each.value.serverless_deployment.url_mask
+    }
+  }
 }

modules/net-lb-app-ext/variables.tf

@@ -143,6 +143,13 @@ variable "neg_configs" {
       }))
       target_urlmask = optional(string)
     }))
+    serverless_deployment = optional(object({
+      region   = string
+      platform = string
+      resource = optional(string)
+      version  = optional(string)
+      url_mask = optional(string)
+    }))
     gce = optional(object({
       network    = string
       subnetwork = string
@@ -187,6 +194,7 @@ variable "neg_configs" {
       for k, v in var.neg_configs : (
         (try(v.cloudfunction, null) == null ? 0 : 1) +
         (try(v.cloudrun, null) == null ? 0 : 1) +
+        (try(v.serverless_deployment, null) == null ? 0 : 1) +
         (try(v.gce, null) == null ? 0 : 1) +
         (try(v.hybrid, null) == null ? 0 : 1) +
         (try(v.internet, null) == null ? 0 : 1) +
@@ -215,6 +223,16 @@ variable "neg_configs" {
     ])
     error_message = "Cloud Function NEGs need either target function or target urlmask defined."
   }
+  validation {
+    condition = alltrue([
+      for k, v in var.neg_configs : (
+        v.serverless_deployment == null
+        ? true
+        : v.serverless_deployment.url_mask != null || v.serverless_deployment.resource != null
+      )
+    ])
+    error_message = "Serverless deployment NEGs need either resource or url_mask defined."
+  }
 }
 
 variable "project_id" {