diff --git a/fast/stages/0-org-setup/cicd.tf b/fast/stages/0-org-setup/cicd.tf
index 3035c27e9..220d562d7 100644
--- a/fast/stages/0-org-setup/cicd.tf
+++ b/fast/stages/0-org-setup/cicd.tf
@@ -18,11 +18,11 @@ locals {
_cicd = try(yamldecode(file(local.paths.cicd)), {})
_cicd_identity_providers = {
for k, v in google_iam_workload_identity_pool_provider.default :
- "$wif_providers:${k}" => v.id
+ "$wif_providers:${k}" => v.name
}
_cicd_output_files = {
for k, v in google_storage_bucket_object.providers :
- "$output_files:providers/${k}" => v.name
+ "$output_files:providers/${k}" => split("/", v.name)[1]
}
cicd_project_ids = {
for k, v in merge(
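Review bot: `split("/", v.name)[1]` in the `_cicd_output_files` comprehension assumes every providers object name has exactly one path separator: a name without `/` fails the index at plan time, and a deeper path silently keeps only the second segment. If the intent is to strip the `providers/` folder from the object name (the `google_storage_bucket_object.providers` resource is outside this hunk, so the naming is inferred), `basename(v.name)` or `trimprefix(v.name, "providers/")` states that directly and does not error on a flat name. The `locals` block starts and ends outside the hunk.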
diff --git a/fast/stages/0-org-setup/data/cicd.yaml b/fast/stages/0-org-setup/data/cicd.yaml
index 52040c902..eef12642a 100644
--- a/fast/stages/0-org-setup/data/cicd.yaml
+++ b/fast/stages/0-org-setup/data/cicd.yaml
@@ -38,8 +38,8 @@ workflows:
output_files:
storage_bucket: $storage_buckets:iac-0/iac-outputs
providers:
- apply: $output_files:providers/0-org
- plan: $output_files:providers/0-org-ro
+ apply: $output_files:providers/0-org-setup
+ plan: $output_files:providers/0-org-setup-ro
files:
- tfvars/0-boostrap.auto.tfvars.json
service_accounts:
diff --git a/fast/stages/0-org-setup/data/defaults.yaml b/fast/stages/0-org-setup/data/defaults.yaml
index 922affe38..10c39418c 100644
--- a/fast/stages/0-org-setup/data/defaults.yaml
+++ b/fast/stages/0-org-setup/data/defaults.yaml
@@ -51,20 +51,40 @@ output_files:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 1-vpcsc
service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
+ 1-vpcsc-ro:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 1-vpcsc
+ service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-ro
2-networking:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-networking
service_account: $iam_principals:service_accounts/iac-0/iac-networking-rw
+ 2-networking-ro:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 2-networking
+ service_account: $iam_principals:service_accounts/iac-0/iac-networking-ro
2-security:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-security
service_account: $iam_principals:service_accounts/iac-0/iac-security-rw
+ 2-security-ro:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 2-security
+ service_account: $iam_principals:service_accounts/iac-0/iac-security-ro
2-project-factory:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-project-factory
service_account: $iam_principals:service_accounts/iac-0/iac-pf-rw
+ 2-project-factory-ro:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 2-project-factory
+ service_account: $iam_principals:service_accounts/iac-0/iac-pf-ro
3-data-platform-dev:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 3-data-platform-dev
service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
+ 3-data-platform-dev-ro:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 3-data-platform-dev
+ service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
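Review bot: Each new `-ro` entry points at the same `iac-stage-state` bucket and the same `prefix` as its `-rw` sibling, so the read-only split rests entirely on the `iac-*-ro` principals being bound to an object-read role on that prefix; those bindings are not in this hunk and should be checked so the `-ro` accounts do not end up with `objectAdmin`/`objectUser`. The GCS backend also locks state by creating a `.tflock` object under the prefix, so a plan run as one of these principals fails at lock acquisition unless the workflow passes `-lock=false`; a comment on the first `-ro` entry would save the next maintainer that surprise, e.g. `# read-only principal: shares the rw state prefix, plan must run with -lock=false`. The `output_files` map continues above the hunk, so whether the earlier stages receive matching `-ro` entries is not visible here.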
diff --git a/modules/net-lb-app-ext/README.md b/modules/net-lb-app-ext/README.md
index 592e53127..fa8a7a3c2 100644
--- a/modules/net-lb-app-ext/README.md
+++ b/modules/net-lb-app-ext/README.md
@@ -1063,7 +1063,7 @@ After provisioning this change, and verifying that the new certificate is provis
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L123) | Load balancer name. | string | ✓ | |
-| [project_id](variables.tf#L220) | Project id. | string | ✓ | |
+| [project_id](variables.tf#L238) | Project id. | string | ✓ | |
| [backend_buckets_config](variables.tf#L17) | Backend buckets configuration. | map(object({…})) | | {} |
| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) })) | | {} |
| [description](variables.tf#L51) | Optional description used for resources. | string | | "Terraform managed." |
@@ -1073,11 +1073,11 @@ After provisioning this change, and verifying that the new certificate is provis
| [http_proxy_config](variables.tf#L90) | HTTP proxy configuration. Only used for non-classic load balancers. | object({…}) | | {} |
| [https_proxy_config](variables.tf#L101) | HTTPS proxy connfiguration. | object({…}) | | {} |
| [labels](variables.tf#L117) | Labels set on resources. | map(string) | | {} |
-| [neg_configs](variables.tf#L128) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
-| [protocol](variables.tf#L225) | Protocol supported by this load balancer. | string | | "HTTP" |
-| [ssl_certificates](variables.tf#L238) | SSL target proxy certificates (only if protocol is HTTPS) for existing, custom, and managed certificates. | object({…}) | | {} |
+| [neg_configs](variables.tf#L128) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
+| [protocol](variables.tf#L243) | Protocol supported by this load balancer. | string | | "HTTP" |
+| [ssl_certificates](variables.tf#L256) | SSL target proxy certificates (only if protocol is HTTPS) for existing, custom, and managed certificates. | object({…}) | | {} |
| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…}) | | {…} |
-| [use_classic_version](variables.tf#L256) | Use classic Global Load Balancer. | bool | | true |
+| [use_classic_version](variables.tf#L274) | Use classic Global Load Balancer. | bool | | true |
## Outputs
diff --git a/modules/net-lb-app-ext/negs.tf b/modules/net-lb-app-ext/negs.tf
index ec161a305..90e8ff395 100644
--- a/modules/net-lb-app-ext/negs.tf
+++ b/modules/net-lb-app-ext/negs.tf
@@ -47,7 +47,7 @@ locals {
}
neg_regional_serverless = {
for k, v in var.neg_configs :
- k => v if v.cloudrun != null || v.cloudfunction != null
+ k => v if v.cloudrun != null || v.cloudfunction != null || v.serverless_deployment != null
}
neg_zonal = {
# we need to rebuild new objects as we cannot merge different types
@@ -137,6 +137,7 @@ resource "google_compute_region_network_endpoint_group" "psc" {
}
resource "google_compute_region_network_endpoint_group" "serverless" {
+ provider = google-beta
for_each = local.neg_regional_serverless
project = (
each.value.project_id == null
@@ -144,7 +145,10 @@ resource "google_compute_region_network_endpoint_group" "serverless" {
: each.value.project_id
)
region = try(
- each.value.cloudrun.region, each.value.cloudfunction.region, null
+ each.value.cloudrun.region,
+ each.value.cloudfunction.region,
+ each.value.serverless_deployment.region,
+ null
)
name = "${var.name}-${each.key}"
description = coalesce(each.value.description, var.description)
@@ -164,4 +168,13 @@ resource "google_compute_region_network_endpoint_group" "serverless" {
url_mask = each.value.cloudrun.target_urlmask
}
}
+ dynamic "serverless_deployment" {
+ for_each = each.value.serverless_deployment == null ? [] : [""]
+ content {
+ platform = each.value.serverless_deployment.platform
+ resource = each.value.serverless_deployment.resource
+ version = each.value.serverless_deployment.version
+ url_mask = each.value.serverless_deployment.url_mask
+ }
+ }
}
diff --git a/modules/net-lb-app-ext/variables.tf b/modules/net-lb-app-ext/variables.tf
index 2f22cb08c..69be84ecf 100644
--- a/modules/net-lb-app-ext/variables.tf
+++ b/modules/net-lb-app-ext/variables.tf
@@ -143,6 +143,13 @@ variable "neg_configs" {
}))
target_urlmask = optional(string)
}))
+ serverless_deployment = optional(object({
+ region = string
+ platform = string
+ resource = optional(string)
+ version = optional(string)
+ url_mask = optional(string)
+ }))
gce = optional(object({
network = string
subnetwork = string
@@ -187,6 +194,7 @@ variable "neg_configs" {
for k, v in var.neg_configs : (
(try(v.cloudfunction, null) == null ? 0 : 1) +
(try(v.cloudrun, null) == null ? 0 : 1) +
+ (try(v.serverless_deployment, null) == null ? 0 : 1) +
(try(v.gce, null) == null ? 0 : 1) +
(try(v.hybrid, null) == null ? 0 : 1) +
(try(v.internet, null) == null ? 0 : 1) +
@@ -215,6 +223,16 @@ variable "neg_configs" {
])
error_message = "Cloud Function NEGs need either target function or target urlmask defined."
}
+ validation {
+ condition = alltrue([
+ for k, v in var.neg_configs : (
+ v.serverless_deployment == null
+ ? true
+ : v.serverless_deployment.url_mask != null || v.serverless_deployment.resource != null
+ )
+ ])
+ error_message = "Serverless deployment NEGs need either resource or url_mask defined."
+ }
}
variable "project_id" {
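Review bot: The new validation only checks that `resource` or `url_mask` is set; `platform` is a required string passed straight through to the API, so a typo such as `cloudrun.googleapis.com` is only caught at apply time. A second validation against the platform service names the Compute API documents for `serverlessDeployment` would reject it at plan time, in the same style as the block added here. As a style point, the neighbouring validations compare with `try(v.x, null)` while this one uses a direct `== null`; either works because the attribute is declared optional, but one form should be used throughout. The enclosing `variable "neg_configs"` block starts outside the hunk.
```hcl
  validation {
    condition = alltrue([
      for k, v in var.neg_configs : (
        v.serverless_deployment == null
        ? true
        : contains([
          "apigateway.googleapis.com",
          "appengine.googleapis.com",
          "cloudfunctions.googleapis.com",
          "run.googleapis.com"
        ], v.serverless_deployment.platform)
      )
    ])
    error_message = "Serverless deployment NEG platform must be one of the supported *.googleapis.com service names."
  }
```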