diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
index 65190cbac..30a74a752 100644
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
@@ -134,8 +134,8 @@ locals {
{
data-platform-dev = module.branch-dp-dev-sa.email
data-platform-prod = module.branch-dp-prod-sa.email
- gke-multitenant-dev = module.branch-gke-multitenant-dev-sa.iam_email
- gke-multitenant-prod = module.branch-gke-multitenant-prod-sa.iam_email
+ gke-multitenant-dev = module.branch-gke-multitenant-dev-sa.email
+ gke-multitenant-prod = module.branch-gke-multitenant-prod-sa.email
networking = module.branch-network-sa.email
project-factory-dev = module.branch-teams-dev-pf-sa.email
project-factory-prod = module.branch-teams-prod-pf-sa.email
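Review bot: The two `gke-multitenant-*` entries switch from `iam_email` to the bare `email`, and the consumer in fast/stages/02-networking-vpn/spoke-dev.tf (the hunk adding `local.service_accounts.gke-multitenant-dev`) places that value directly into a `google_project_iam_binding` `members` list, which expects the `serviceAccount:` prefix. This matches how the sibling `data-platform-*` and `project-factory-*` entries are already exported, so it is presumably fine if `local.service_accounts` in that stage re-adds the prefix, but that local is not in the diff and is worth confirming. If it does not, the binding fails at apply time on the unprefixed member rather than at plan.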
diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md
index 16191edb8..9b8a4d110 100644
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
@@ -315,20 +315,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 00-bootstrap |
| [billing_account](variables.tf#L25) | Billing account id and organization id ('nnnnnnnn' or null). | object({…}) | ✓ | | 00-bootstrap |
| [folder_ids](variables.tf#L74) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 01-resman |
-| [organization](variables.tf#L109) | Organization details. | object({…}) | ✓ | | 00-bootstrap |
-| [prefix](variables.tf#L125) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap |
+| [organization](variables.tf#L102) | Organization details. | object({…}) | ✓ | | 00-bootstrap |
+| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap |
| [custom_adv](variables.tf#L34) | Custom advertisement definitions in name => range format. | map(string) | | {…} | |
| [custom_roles](variables.tf#L51) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 00-bootstrap |
| [data_dir](variables.tf#L60) | Relative path for the folder storing configuration data for network resources. | string | | "data" | |
| [dns](variables.tf#L66) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [gke_multitenant_sa](variables.tf#L84) | IAM emails for GKE multitenant service accounts. | map(string) | | {} | 01-resman |
-| [l7ilb_subnets](variables.tf#L91) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
-| [outputs_location](variables.tf#L119) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L136) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [router_onprem_configs](variables.tf#L173) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
+| [l7ilb_subnets](variables.tf#L84) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
+| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
+| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L191) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L203) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index 525c83c7e..169ac6ba0 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -103,7 +103,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
members = [
local.service_accounts.data-platform-dev,
local.service_accounts.project-factory-dev,
- local.service_accounts.gke_multitenant_sa,
+ local.service_accounts.gke-multitenant-dev,
]
condition {
title = "dev_stage3_sa_delegated_grants"
diff --git a/fast/stages/02-networking-vpn/variables.tf b/fast/stages/02-networking-vpn/variables.tf
index 5557b485b..77ef3884f 100644
--- a/fast/stages/02-networking-vpn/variables.tf
+++ b/fast/stages/02-networking-vpn/variables.tf
@@ -81,13 +81,6 @@ variable "folder_ids" {
})
}
-variable "gke_multitenant_sa" {
- # tfdoc:variable:source 01-resman
- description = "IAM emails for GKE multitenant service accounts."
- type = map(string)
- default = {}
-}
-
variable "l7ilb_subnets" {
description = "Subnets used for L7 ILBs."
type = map(list(object({
@@ -194,6 +187,8 @@ variable "service_accounts" {
type = object({
data-platform-dev = string
data-platform-prod = string
+ gke-multitenant-dev = string
+ gke-multitenant-prod = string
project-factory-dev = string
project-factory-prod = string
})
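Review bot: `gke-multitenant-dev` and `gke-multitenant-prod` are added as mandatory attributes of the `service_accounts` object type, so a `service_accounts` value written by a 01-resman run that predates this change no longer type-checks in this stage until 01-resman is re-applied. That is likely acceptable because the value is generated, but a short upgrade note in the README or a comment on the variable, e.g. `# requires 01-resman to be re-applied so the gke-multitenant-* emails are present`, would save a confusing validation error. The enclosing `variable "service_accounts"` block starts outside the hunk.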
diff --git a/fast/stages/03-gke-multitenant/dev/gke-clusters.tf b/fast/stages/03-gke-multitenant/dev/gke-clusters.tf
index efce81ac4..2438cc1c8 100644
--- a/fast/stages/03-gke-multitenant/dev/gke-clusters.tf
+++ b/fast/stages/03-gke-multitenant/dev/gke-clusters.tf
@@ -30,7 +30,7 @@ module "gke-cluster" {
project_id = module.gke-project-0.project_id
description = each.value.description
location = each.value.location
- network = var.shared_vpc_self_link
+ network = var.vpc_self_links.dev-spoke-0
subnetwork = each.value.net.subnet
secondary_range_pods = each.value.net.pods
secondary_range_services = each.value.net.services
@@ -77,7 +77,7 @@ module "gke-cluster" {
peering_config = {
export_routes = true
import_routes = false
- project_id = var.vpc_host_project
+ project_id = var.host_project_ids.dev-spoke-0
}
# resource_usage_export_config = {
# enabled = true
diff --git a/fast/stages/03-gke-multitenant/dev/main.tf b/fast/stages/03-gke-multitenant/dev/main.tf
index 1f7f3e133..b75cac694 100644
--- a/fast/stages/03-gke-multitenant/dev/main.tf
+++ b/fast/stages/03-gke-multitenant/dev/main.tf
@@ -15,7 +15,7 @@
*/
locals {
- labels = merge(var.labels, { environment = var.environment })
+ labels = merge(var.labels, { environment = "dev" })
_gke_robot_sa = "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}"
_cloud_services_sa = "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}"
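Review bot: The literal `"dev"` is now duplicated between the `environment` label here and the project name `"dev-gke-clusters-0"` in the next hunk of this file, where previously both came from `var.environment`. A single local keeps the two in step: `environment = "dev"` in this `locals` block, then `labels = merge(var.labels, { environment = local.environment })` and `name = "${local.environment}-gke-clusters-0"`. The `locals` block continues outside the hunk.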
@@ -23,9 +23,9 @@ locals {
module "gke-project-0" {
source = "../../../../modules/project"
- billing_account = var.billing_account_id
- name = "${var.environment}-gke-clusters-0"
- parent = var.folder_id
+ billing_account = var.billing_account.id
+ name = "dev-gke-clusters-0"
+ parent = var.folder_ids.gke-multitenant-dev
prefix = var.prefix
labels = local.labels
services = [
@@ -44,7 +44,7 @@ module "gke-project-0" {
# }
shared_vpc_service_config = {
attach = true
- host_project = var.vpc_host_project
+ host_project = var.host_project_ids.dev-spoke-0
service_identity_iam = {
"roles/compute.networkUser" = [
"cloudservices", "container-engine"
diff --git a/fast/stages/03-gke-multitenant/dev/variables.tf b/fast/stages/03-gke-multitenant/dev/variables.tf
index 06769b787..2a165b8ee 100644
--- a/fast/stages/03-gke-multitenant/dev/variables.tf
+++ b/fast/stages/03-gke-multitenant/dev/variables.tf
@@ -24,10 +24,13 @@
# default = null
# }
-variable "billing_account_id" {
+variable "billing_account" {
# tfdoc:variable:source 00-bootstrap
- description = "Billing account id."
- type = string
+ description = "Billing account id and organization id ('nnnnnnnn' or null)."
+ type = object({
+ id = string
+ organization_id = number
+ })
}
variable "cluster_defaults" {
@@ -97,16 +100,20 @@ variable "dns_domain" {
default = null
}
-variable "environment" {
+variable "folder_ids" {
# tfdoc:variable:source 01-resman
- description = "Environment abbreviation."
- type = string
+ description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
+ type = object({
+ gke-multitenant-dev = string
+ })
}
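Review bot: The `folder_ids` description appears to be copied from the networking stage: it talks about "networking resources" and says "If null, folder will be created", but in this stage the attribute is `gke-multitenant-dev`, has no default, and main.tf passes it straight to `parent` of `module "gke-project-0"` with no null handling. Suggested wording: `description = "Folder to be used for the GKE multitenant dev resources in folders/nnnnnnnnnnn format."`. Similarly, `vpc_self_links` in the last hunk of this file keeps the singular `"Self link for the shared VPC."` for what is now an object keyed by spoke; `"Self links for the shared VPCs, keyed by spoke."` would match the type.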
-variable "folder_id" {
- # tfdoc:variable:source 01-resman
- description = "Folder to be used for the networking resources in folders/nnnn format."
- type = string
+variable "host_project_ids" {
+ # tfdoc:variable:source 02-networking
+ description = "Host project for the shared VPC."
+ type = object({
+ dev-spoke-0 = string
+ })
}
variable "labels" {
@@ -155,15 +162,10 @@ variable "prefix" {
type = string
}
-variable "shared_vpc_self_link" {
+variable "vpc_self_links" {
# tfdoc:variable:source 02-networking
description = "Self link for the shared VPC."
- type = string
- default = null
-}
-
-variable "vpc_host_project" {
- # tfdoc:variable:source 02-networking
- description = "Host project for the shared VPC."
- type = string
+ type = object({
+ dev-spoke-0 = string
+ })
}