From 9fabfafc63232a6fbc9449f758f96fdb66d6e726 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Wed, 16 Feb 2022 11:55:49 +0100
Subject: [PATCH] Update gke stage to use contract setup
---
 fast/stages/01-resman/outputs.tf | 4 +-
 fast/stages/02-networking-vpn/README.md | 17 ++++----
 fast/stages/02-networking-vpn/spoke-dev.tf | 2 +-
 fast/stages/02-networking-vpn/variables.tf | 9 +----
 .../03-gke-multitenant/dev/gke-clusters.tf | 4 +-
 fast/stages/03-gke-multitenant/dev/main.tf | 10 ++---
 .../03-gke-multitenant/dev/variables.tf | 40 ++++++++++---------
 7 files changed, 41 insertions(+), 45 deletions(-)
diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
index 65190cbac..30a74a752 100644
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
@@ -134,8 +134,8 @@ locals {
 {
 data-platform-dev = module.branch-dp-dev-sa.email
 data-platform-prod = module.branch-dp-prod-sa.email
- gke-multitenant-dev = module.branch-gke-multitenant-dev-sa.iam_email
- gke-multitenant-prod = module.branch-gke-multitenant-prod-sa.iam_email
+ gke-multitenant-dev = module.branch-gke-multitenant-dev-sa.email
+ gke-multitenant-prod = module.branch-gke-multitenant-prod-sa.email
 networking = module.branch-network-sa.email
 project-factory-dev = module.branch-teams-dev-pf-sa.email
 project-factory-prod = module.branch-teams-prod-pf-sa.email
diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md
index 16191edb8..9b8a4d110 100644
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
@@ -315,20 +315,19 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 00-bootstrap |
 | [billing_account](variables.tf#L25) | Billing account id and organization id ('nnnnnnnn' or null). | object({…}) | ✓ | | 00-bootstrap |
 | [folder_ids](variables.tf#L74) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 01-resman |
-| [organization](variables.tf#L109) | Organization details. | object({…}) | ✓ | | 00-bootstrap |
-| [prefix](variables.tf#L125) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap |
+| [organization](variables.tf#L102) | Organization details. | object({…}) | ✓ | | 00-bootstrap |
+| [prefix](variables.tf#L118) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap |
 | [custom_adv](variables.tf#L34) | Custom advertisement definitions in name => range format. | map(string) | | {…} | |
 | [custom_roles](variables.tf#L51) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 00-bootstrap |
 | [data_dir](variables.tf#L60) | Relative path for the folder storing configuration data for network resources. | string | | "data" | |
 | [dns](variables.tf#L66) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [gke_multitenant_sa](variables.tf#L84) | IAM emails for GKE multitenant service accounts. | map(string) | | {} | 01-resman |
-| [l7ilb_subnets](variables.tf#L91) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
-| [outputs_location](variables.tf#L119) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L136) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
-| [router_onprem_configs](variables.tf#L173) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
+| [l7ilb_subnets](variables.tf#L84) | Subnets used for L7 ILBs. | map(list(object({…}))) | | {…} | |
+| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
+| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
 | [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | map(object({…})) | | {…} | |
-| [service_accounts](variables.tf#L191) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L203) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
+| [vpn_onprem_configs](variables.tf#L198) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
 | [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | map(object({…})) | | {…} | |
 
 ## Outputs
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index 525c83c7e..169ac6ba0 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -103,7 +103,7 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
 members = [
 local.service_accounts.data-platform-dev,
 local.service_accounts.project-factory-dev,
- local.service_accounts.gke_multitenant_sa,
+ local.service_accounts.gke-multitenant-dev,
 ]
 condition {
 title = "dev_stage3_sa_delegated_grants"
diff --git a/fast/stages/02-networking-vpn/variables.tf b/fast/stages/02-networking-vpn/variables.tf
index 5557b485b..77ef3884f 100644
--- a/fast/stages/02-networking-vpn/variables.tf
+++ b/fast/stages/02-networking-vpn/variables.tf
@@ -81,13 +81,6 @@ variable "folder_ids" {
 })
 }
 
-variable "gke_multitenant_sa" {
- # tfdoc:variable:source 01-resman
- description = "IAM emails for GKE multitenant service accounts."
- type = map(string)
- default = {}
- }
-
 variable "l7ilb_subnets" {
 description = "Subnets used for L7 ILBs."
 type = map(list(object({
@@ -194,6 +187,8 @@ variable "service_accounts" {
 type = object({
 data-platform-dev = string
 data-platform-prod = string
+ gke-multitenant-dev = string
+ gke-multitenant-prod = string
 project-factory-dev = string
 project-factory-prod = string
 })
diff --git a/fast/stages/03-gke-multitenant/dev/gke-clusters.tf b/fast/stages/03-gke-multitenant/dev/gke-clusters.tf
index efce81ac4..2438cc1c8 100644
--- a/fast/stages/03-gke-multitenant/dev/gke-clusters.tf
+++ b/fast/stages/03-gke-multitenant/dev/gke-clusters.tf
@@ -30,7 +30,7 @@ module "gke-cluster" {
 project_id = module.gke-project-0.project_id
 description = each.value.description
 location = each.value.location
- network = var.shared_vpc_self_link
+ network = var.vpc_self_links.dev-spoke-0
 subnetwork = each.value.net.subnet
 secondary_range_pods = each.value.net.pods
 secondary_range_services = each.value.net.services
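Review bot: `local.service_accounts.gke-multitenant-dev` is passed straight into `members`, and in 01-resman's outputs.tf hunk the value behind it moves from `iam_email` to `.email`, so it no longer carries the `serviceAccount:` prefix; the two other entries in this list already come from `.email` outputs, so `local.service_accounts` presumably adds the prefix, but its definition is outside this hunk and should be confirmed before relying on it. The companion change in variables.tf (hunk `@@ -194`) adds `gke-multitenant-dev` and `gke-multitenant-prod` as non-optional attributes of `service_accounts`, so a tfvars file produced by the previous 01-resman will be rejected at plan until 01-resman is re-applied and the 02-networking tfvars regenerated; that upgrade step deserves a sentence in the stage README, e.g. `Re-apply 01-resman and refresh the generated 02-networking tfvars before applying this version.` Only the dev spoke binding is updated here; if a prod spoke carries the equivalent delegated binding it would need `local.service_accounts.gke-multitenant-prod` in the same way. The enclosing `google_project_iam_binding` resource starts before and ends after this hunk.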
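Review bot: `network = var.vpc_self_links.dev-spoke-0` hard-codes the spoke key inside the cluster module call, and the same key is repeated in this file's `@@ -77` hunk (`var.host_project_ids.dev-spoke-0`) and in main.tf's `@@ -44` hunk; a pair of `locals` entries in main.tf, e.g. `vpc_self_link = var.vpc_self_links.dev-spoke-0` and `host_project_id = var.host_project_ids.dev-spoke-0`, would make the spoke selection a one-line change when this stage is copied for another environment. This is a style point only, the values resolve to the same thing. The `module "gke-cluster"` block starts before and ends after this hunk.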
@@ -77,7 +77,7 @@ module "gke-cluster" {
 peering_config = {
 export_routes = true
 import_routes = false
- project_id = var.vpc_host_project
+ project_id = var.host_project_ids.dev-spoke-0
 }
 # resource_usage_export_config = {
 # enabled = true
diff --git a/fast/stages/03-gke-multitenant/dev/main.tf b/fast/stages/03-gke-multitenant/dev/main.tf
index 1f7f3e133..b75cac694 100644
--- a/fast/stages/03-gke-multitenant/dev/main.tf
+++ b/fast/stages/03-gke-multitenant/dev/main.tf
@@ -15,7 +15,7 @@
 */
 
 locals {
- labels = merge(var.labels, { environment = var.environment })
+ labels = merge(var.labels, { environment = "dev" })
 _gke_robot_sa = "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}"
 _cloud_services_sa = "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}"
 
@@ -23,9 +23,9 @@ locals {
 
 module "gke-project-0" {
 source = "../../../../modules/project"
- billing_account = var.billing_account_id
- name = "${var.environment}-gke-clusters-0"
- parent = var.folder_id
+ billing_account = var.billing_account.id
+ name = "dev-gke-clusters-0"
+ parent = var.folder_ids.gke-multitenant-dev
 prefix = var.prefix
 labels = local.labels
 services = [
@@ -44,7 +44,7 @@ module "gke-project-0" {
 # }
 shared_vpc_service_config = {
 attach = true
- host_project = var.vpc_host_project
+ host_project = var.host_project_ids.dev-spoke-0
 service_identity_iam = {
 "roles/compute.networkUser" = [
 "cloudservices", "container-engine"
diff --git a/fast/stages/03-gke-multitenant/dev/variables.tf b/fast/stages/03-gke-multitenant/dev/variables.tf
index 06769b787..2a165b8ee 100644
--- a/fast/stages/03-gke-multitenant/dev/variables.tf
+++ b/fast/stages/03-gke-multitenant/dev/variables.tf
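Review bot: The literal `"dev"` now appears twice in main.tf, in the `environment` label of the `@@ -15` hunk and in `name = "dev-gke-clusters-0"` in the `@@ -23` hunk, after `var.environment` was removed in the same commit (dev/variables.tf hunk `@@ -97`); a `locals` entry such as `environment = "dev"` next to `labels` would keep the two in step and make the prod copy of this stage a one-line change. In the `@@ -23` hunk only `var.billing_account.id` is read, so the `organization_id` attribute that the new `billing_account` object type requires is unused in the visible code; if the object is kept for uniformity with the 02-networking contract, a one-line comment on the variable saying so (`# organization_id unused here, kept for contract compatibility with 02-networking`) would stop the next reader from hunting for a consumer. The `locals` and `module "gke-project-0"` blocks both extend beyond their hunks.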
@@ -24,10 +24,13 @@ # default = null # } -variable "billing_account_id" { +variable "billing_account" { # tfdoc:variable:source 00-bootstrap - description = "Billing account id." - type = string + description = "Billing account id and organization id ('nnnnnnnn' or null)." + type = object({ + id = string + organization_id = number + }) } variable "cluster_defaults" { @@ -97,16 +100,20 @@ variable "dns_domain" { default = null } -variable "environment" { +variable "folder_ids" { # tfdoc:variable:source 01-resman - description = "Environment abbreviation." - type = string + description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." + type = object({ + gke-multitenant-dev = string + }) } -variable "folder_id" { - # tfdoc:variable:source 01-resman - description = "Folder to be used for the networking resources in folders/nnnn format." - type = string +variable "host_project_ids" { + # tfdoc:variable:source 02-networking + description = "Host project for the shared VPC." + type = object({ + dev-spoke-0 = string + }) } variable "labels" { @@ -155,15 +162,10 @@ variable "prefix" { type = string } -variable "shared_vpc_self_link" { +variable "vpc_self_links" { # tfdoc:variable:source 02-networking description = "Self link for the shared VPC." - type = string - default = null -} - -variable "vpc_host_project" { - # tfdoc:variable:source 02-networking - description = "Host project for the shared VPC." - type = string + type = object({ + dev-spoke-0 = string + }) }
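Review bot: The `folder_ids` description in the `@@ -97` hunk, `Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created.`, is copied from the networking stage and does not describe this variable: the object holds only `gke-multitenant-dev`, there is no default so it cannot be null, and nothing in this diff creates a folder; `description = "Folder to be used for the gke resources in folders/nnnnnnnnnnn format."` would match what the code does. Likewise `host_project_ids` (same hunk) and `vpc_self_links` (`@@ -155` hunk) are now per-spoke objects but keep the singular wording `Host project for the shared VPC.` / `Self link for the shared VPC.`; naming the spoke key in the description, e.g. `Self links of the shared VPCs, keyed by spoke.`, documents the new shape. The `# tfdoc:variable:source` annotations suggest this stage's README is generated from these variables, yet no 03-gke-multitenant README is in the diffstat while the 02-networking one was regenerated, so if such a README exists it is now stale. `vpc_self_links` also loses its previous `default = null`, making 02-networking a hard prerequisite of this stage, which is reasonable but worth stating where the stage's inputs are documented.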