Refactor FAST project factory and supporting documentation (#2505)

* untested * teams pattern * rework doc * README * boierplate * tflint * Fix tflint for project factory * Correct path to pf * resman changes * fix factory variable default * fix links * project factory module substitutions * tflint * stage test * tfdoc * rename schema, address review comments * README typos and wording * tfdoc * review comments * remove test from yaml * revert output workflow changes * fix sa reference errors * tfdoc * pf tag roles * schema validation * pf tag roles * avoid null values in pf context --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
2024-08-20 17:45:42 +01:00
parent dff209f565
commit ad5de9b7ea
57 changed files with 1948 additions and 2392 deletions
--- a/modules/project-factory/main.tf
+++ b/modules/project-factory/main.tf
@@ -16,13 +16,29 @@

 # tfdoc:file:description Projects and billing budgets factory resources.

+locals {
+  context = {
+    folder_ids = merge(
+      var.factories_config.context.folder_ids,
+      local.hierarchy
+    )
+    iam_principals = merge(
+      var.factories_config.context.iam_principals,
+      {
+        for k, v in module.automation-service-accounts :
+        k => v.iam_email
+      }
+    )
+  }
+}
+
 module "projects" {
  source          = "../project"
  for_each        = local.projects
  billing_account = each.value.billing_account
  name            = each.key
-  parent = try(
-    lookup(local.hierarchy, each.value.parent, each.value.parent), null
+  parent = lookup(
+    local.context.folder_ids, each.value.parent, each.value.parent
  )
  prefix              = each.value.prefix
  auto_create_network = try(each.value.auto_create_network, false)
@@ -33,11 +49,14 @@ module "projects" {
  )
  default_service_account = try(each.value.default_service_account, "keep")
  descriptive_name        = try(each.value.descriptive_name, null)
-  # IAM interpolates automation service accounts
  iam = {
    for k, v in lookup(each.value, "iam", {}) : k => [
      for vv in v : try(
-        module.automation-service-accounts["${each.key}/${vv}"].iam_email,
+        # automation service account
+        local.context.iam_principals["${each.key}/${vv}"],
+        # other context
+        local.context.iam_principals[vv],
+        # passthrough
        vv
      )
    ]
@@ -46,7 +65,11 @@ module "projects" {
    for k, v in lookup(each.value, "iam_bindings", {}) : k => merge(v, {
      members = [
        for vv in v.members : try(
-          module.automation-service-accounts["${each.key}/${vv}"].iam_email,
+          # automation service account
+          local.context.iam_principals["${each.key}/${vv}"],
+          # other context
+          local.context.iam_principals[vv],
+          # passthrough
          vv
        )
      ]
@@ -55,12 +78,16 @@ module "projects" {
  iam_bindings_additive = {
    for k, v in lookup(each.value, "iam_bindings_additive", {}) : k => merge(v, {
      member = try(
-        module.automation-service-accounts["${each.key}/${v.member}"].iam_email,
+        # automation service account
+        local.context.iam_principals["${each.key}/${v.member}"],
+        # other context
+        local.context.iam_principals[v.member],
+        # passthrough
        v.member
      )
    })
  }
-  # IAM principals would trigger dynamic key errors so we don't interpolate
+  # IAM by principals would trigger dynamic key errors so we don't interpolate
  iam_by_principals = try(each.value.iam_by_principals, {})
  labels = merge(
    each.value.labels, var.data_merges.labels
@@ -81,12 +108,27 @@ module "projects" {
    each.value.services,
    var.data_merges.services
  ))
-  shared_vpc_host_config    = each.value.shared_vpc_host_config
-  shared_vpc_service_config = each.value.shared_vpc_service_config
-  tag_bindings = merge(
-    each.value.tag_bindings,
-    var.data_merges.tag_bindings
+  shared_vpc_host_config = each.value.shared_vpc_host_config
+  shared_vpc_service_config = (
+    try(each.value.shared_vpc_service_config.host_project, null) == null
+    ? null
+    : merge(each.value.shared_vpc_service_config, {
+      host_project = lookup(
+        var.factories_config.context.vpc_host_projects,
+        each.value.shared_vpc_service_config.host_project,
+        each.value.shared_vpc_service_config.host_project
+      )
+      network_users = [
+        for v in try(each.value.shared_vpc_service_config.network_users, []) :
+        lookup(local.context.iam_principals, v, v)
+      ]
+      # TODO: network subnet users
+    })
  )
+  tag_bindings = {
+    for k, v in merge(each.value.tag_bindings, var.data_merges.tag_bindings) :
+    k => lookup(var.factories_config.context.tag_values, v, v)
+  }
  vpc_sc = each.value.vpc_sc
 }

@@ -99,7 +141,10 @@ module "service-accounts" {
  name         = each.value.name
  display_name = each.value.display_name
  iam_project_roles = merge(
-    each.value.iam_project_roles,
+    {
+      for k, v in each.value.iam_project_roles :
+      lookup(var.factories_config.context.vpc_host_projects, k, k) => v
+    },
    each.value.iam_self_roles == null ? {} : {
      (module.projects[each.value.project].project_id) = each.value.iam_self_roles
    }