diff --git a/CHANGELOG.md b/CHANGELOG.md
index 87ddfd38a..cf0158c3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,21 @@
All notable changes to this project will be documented in this file.
-## [Unreleased]
+## [Unreleased]
+
+## [45.0.0] - 2025-09-20
+
+### FAST
+
+- [[#3343](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3343)] Remove unused bootstrap_user variable ([wiktorn](https://github.com/wiktorn))
+- [[#3342](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3342)] Cleanup 0-org-setup cloud build org-policies ([wiktorn](https://github.com/wiktorn))
+- [[#3325](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3325)] Incremental improvements to project factory and underlying modules ([ludoo](https://github.com/ludoo))
+- [[#3311](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3311)] New security stage leveraging project factory and contexts ([ludoo](https://github.com/ludoo))
+
+### MODULES
+
+- [[#3325](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3325)] Incremental improvements to project factory and underlying modules ([ludoo](https://github.com/ludoo))
+- [[#3311](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3311)] New security stage leveraging project factory and contexts ([ludoo](https://github.com/ludoo))
## [44.2.0] - 2025-09-20
@@ -1596,7 +1610,8 @@ Project templates are still following the old project factory schemas, and will
- [[#2163](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2163)] feat: add e2e test for pubsub module ([andybubu](https://github.com/andybubu))
-[Unreleased]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v44.2.0...HEAD
+[Unreleased]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v45.0.0...HEAD
+[45.0.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v45.0.0...44.2.0
[44.2.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v44.2.0...44.1.0
[44.1.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v44.1.0...44.0.0
[44.0.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v44.0.0...43.0.0
diff --git a/default-versions.tf b/default-versions.tf
index 9b93dbd1a..009b53c2c 100644
--- a/default-versions.tf
+++ b/default-versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/path:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/path:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/path:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/path:v45.0.0-tf"
}
}
diff --git a/default-versions.tofu b/default-versions.tofu
index ea764c8da..11f2895cf 100644
--- a/default-versions.tofu
+++ b/default-versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/path:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/path:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/path:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/path:v45.0.0-tofu"
}
}
diff --git a/fast/project-templates/managed-kafka/versions.tf b/fast/project-templates/managed-kafka/versions.tf
index d66f1ab64..5fdb34f76 100644
--- a/fast/project-templates/managed-kafka/versions.tf
+++ b/fast/project-templates/managed-kafka/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/fast/project-templates/managed-kafka:v45.0.0-tf"
}
}
diff --git a/fast/stages/0-bootstrap-legacy/.fast-stage.env b/fast/stages/0-bootstrap-legacy/.fast-stage.env
deleted file mode 100644
index a842174c3..000000000
--- a/fast/stages/0-bootstrap-legacy/.fast-stage.env
+++ /dev/null
@@ -1,5 +0,0 @@
-FAST_STAGE_DESCRIPTION="organization bootstrap"
-FAST_STAGE_LEVEL=0
-FAST_STAGE_NAME=bootstrap
-# FAST_STAGE_DEPS="0-globals 0-bootstrap"
-# FAST_STAGE_OPTIONAL=""
\ No newline at end of file
diff --git a/fast/stages/0-bootstrap-legacy/IAM.md b/fast/stages/0-bootstrap-legacy/IAM.md
deleted file mode 100644
index d9e8f51ec..000000000
--- a/fast/stages/0-bootstrap-legacy/IAM.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# IAM bindings reference
-
-Legend: + additive, • conditional.
-
-## Organization [organization #0]
-
-| members | roles |
-|---|---|
-|GCP organization domain
domain|[roles/browser](https://cloud.google.com/iam/docs/understanding-roles#browser) |
-|gcp-devops
group|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer)
[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) |
-|gcp-network-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +|
-|gcp-organization-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin)
[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin)
[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser)
[roles/iam.workforcePoolAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.workforcePoolAdmin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin)
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +|
-|gcp-security-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin)
[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) +
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +|
-|prod-bootstrap-0
serviceAccount|[roles/essentialcontacts.admin](https://cloud.google.com/iam/docs/understanding-roles#essentialcontacts.admin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/resourcemanager.projectMover](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectMover)
[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin)
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +|
-|prod-bootstrap-0r
serviceAccount|organizations/[organization #0]/roles/organizationAdminViewer +
organizations/[organization #0]/roles/tagViewer +
[roles/essentialcontacts.viewer](https://cloud.google.com/iam/docs/understanding-roles#essentialcontacts.viewer)
[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer)
[roles/resourcemanager.folderViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)
[roles/resourcemanager.tagViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagViewer)
[roles/iam.organizationRoleViewer](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleViewer) +
[roles/orgpolicy.policyViewer](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyViewer) +|
-|prod-resman-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin)
[roles/resourcemanager.tagUser](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagUser)
organizations/[organization #0]/roles/organizationIamAdmin •
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +|
-|prod-resman-0r
serviceAccount|organizations/[organization #0]/roles/organizationAdminViewer +
organizations/[organization #0]/roles/tagViewer +
[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer)
[roles/resourcemanager.folderViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)
[roles/resourcemanager.tagViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagViewer)
[roles/serviceusage.serviceUsageViewer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageViewer)
[roles/orgpolicy.policyViewer](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyViewer) +|
-
-## Project prod-audit-logs-0
-
-| members | roles |
-|---|---|
-|prod-bootstrap-0
serviceAccount|[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) |
-|prod-bootstrap-0r
serviceAccount|[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
-|service-org-xxxxxx
serviceAccount|[roles/logging.bucketWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.bucketWriter) +•|
-
-## Project prod-iac-core-0
-
-| members | roles |
-|---|---|
-|gcp-devops
group|[roles/iam.serviceAccountAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountAdmin)
[roles/iam.serviceAccountTokenCreator](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountTokenCreator) |
-|gcp-organization-admins
group|[roles/iam.serviceAccountTokenCreator](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountTokenCreator)
[roles/iam.workloadIdentityPoolAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.workloadIdentityPoolAdmin) |
-|SERVICE_IDENTITY_service-networking
serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +|
-|prod-bootstrap-0
serviceAccount|[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) |
-|prod-bootstrap-0r
serviceAccount|organizations/[organization #0]/roles/storageViewer
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
-|prod-bootstrap-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +|
-|prod-bootstrap-1r
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +|
-|prod-resman-0
serviceAccount|[roles/cloudbuild.builds.editor](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.editor)
[roles/iam.serviceAccountAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountAdmin)
[roles/iam.workloadIdentityPoolAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.workloadIdentityPoolAdmin)
[roles/source.admin](https://cloud.google.com/iam/docs/understanding-roles#source.admin)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin)
[roles/resourcemanager.projectIamAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin) •
[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-0r
serviceAccount|organizations/[organization #0]/roles/storageViewer
[roles/browser](https://cloud.google.com/iam/docs/understanding-roles#browser)
[roles/cloudbuild.builds.viewer](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.viewer)
[roles/iam.serviceAccountViewer](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountViewer)
[roles/iam.workloadIdentityPoolViewer](https://cloud.google.com/iam/docs/understanding-roles#iam.workloadIdentityPoolViewer)
[roles/source.reader](https://cloud.google.com/iam/docs/understanding-roles#source.reader)
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer)
[roles/serviceusage.serviceUsageViewer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageViewer) +|
-|prod-resman-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +|
-|prod-resman-1r
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +|
diff --git a/fast/stages/0-bootstrap-legacy/README.md b/fast/stages/0-bootstrap-legacy/README.md
deleted file mode 100644
index 5b8d60a38..000000000
--- a/fast/stages/0-bootstrap-legacy/README.md
+++ /dev/null
@@ -1,726 +0,0 @@
-# Organization Bootstrap (Legacy)
-
-The primary purpose of this stage is to enable critical organization-level functionalities that depend on broad administrative permissions, and prepare the prerequisites needed to enable automation in this and future stages.
-
-It is intentionally simple, to minimize usage of administrative-level permissions and enable simple auditing and troubleshooting, and only deals with three sets of resources:
-
-- project, service accounts, and GCS buckets for automation
-- projects, BQ datasets, and sinks for audit log and billing exports
-- IAM bindings on the organization
-
-Use the following diagram as a simple high level reference for the following sections, which describe the stage and its possible customizations in detail.
-
-
-
-
-
-
-- [Design overview and choices](#design-overview-and-choices)
- - [User groups](#user-groups)
- - [Organization-level IAM](#organization-level-iam)
- - [Organization policies](#organization-policies)
- - [Security Command Center Enterprise](#security-command-center-enterprise)
- - [Tags and Organization Policy conditions](#tags-and-organization-policy-conditions)
- - [Automation project and resources](#automation-project-and-resources)
- - [Billing account](#billing-account)
- - [Organization-level logging](#organization-level-logging)
- - [Naming](#naming)
- - [Workforce Identity Federation](#workforce-identity-federation)
- - [Workload Identity Federation and CI/CD](#workload-identity-federation-and-cicd)
-- [How to run this stage](#how-to-run-this-stage)
- - [Prerequisites](#prerequisites)
- - [Standalone billing account](#standalone-billing-account)
- - [Preventing creation of billing-related IAM bindings](#preventing-creation-of-billing-related-iam-bindings)
- - [Groups](#groups)
- - [Configure variables](#configure-variables)
- - [Output files and cross-stage variables](#output-files-and-cross-stage-variables)
- - [Running the stage](#running-the-stage)
-- [Customizations](#customizations)
- - [Group names](#group-names)
- - [IAM](#iam)
- - [Log sinks and log destinations](#log-sinks-and-log-destinations)
- - [Names and naming convention](#names-and-naming-convention)
- - [Workload Identity Federation](#workload-identity-federation)
- - [Project folders](#project-folders)
- - [CI/CD repositories](#cicd-repositories)
- - [Add-ons](#add-ons)
-- [Files](#files)
-- [Variables](#variables)
-- [Outputs](#outputs)
-
-
-## Design overview and choices
-
-As mentioned above, this stage only does the bare minimum required to bootstrap automation, and ensure that base audit and billing exports are in place from the start to provide some measure of accountability, even before the security configurations are applied in a later stage.
-
-It also sets up organization-level IAM bindings so the Organization Administrator role is only used here, trading off some design freedom for ease of auditing and troubleshooting, and reducing the risk of costly security mistakes down the line. The only exception to this rule is for the [Resource Management stage](../1-resman-legacy) service account, described below.
-
-### User groups
-
-User groups are important, not only here but throughout the whole automation process. They provide a stable frame of reference that allows decoupling the final set of permissions for each group, from the stage where entities and resources are created and their IAM bindings defined. For example, the final set of roles for the networking group is contributed by this stage at the organization level (XPN Admin, Cloud Asset Viewer, etc.), and by the Resource Management stage at the folder level.
-
-We have standardized the initial set of groups on those outlined in the [GCP Enterprise Setup Checklist](https://cloud.google.com/docs/enterprise/setup-checklist) to simplify adoption. They provide a comprehensive and flexible starting point that can suit most users. Adding new groups, or deviating from the initial setup is possible and reasonably simple, and it's briefly outlined in the customization section below.
-
-### Organization-level IAM
-
-The service account used in the [Resource Management stage](../1-resman-legacy) needs to be able to grant specific permissions at the organizational level, to enable specific functionality for subsequent stages that deal with network or security resources, or billing-related activities.
-
-In order to be able to assign those roles without having the full authority of the Organization Admin role, this stage defines a custom role that only allows setting IAM policies on the organization, and grants it via a [delegated role grant](https://cloud.google.com/iam/docs/setting-limits-on-granting-roles) that only allows it to be used to grant a limited subset of roles.
-
-In this way, the Resource Management service account can effectively act as an Organization Admin, but only to grant the specific roles it needs to control.
-
-One consequence of the above setup is the need to configure IAM bindings that can be assigned via the condition as non-authoritative, since those same roles are effectively under the control of two stages: this one and Resource Management. Using authoritative bindings for these roles (instead of non-authoritative ones) would generate potential conflicts, where each stage could try to overwrite and negate the bindings applied by the other at each `apply` cycle.
-
-A full reference of IAM roles managed by this stage [is available here](./IAM.md).
-
-### Organization policies
-
-It's often desirable to have organization policies deployed before any other resource in the org, so as to ensure compliance with specific requirements (e.g. location restrictions), or control the configuration of specific resources (e.g. default network at project creation or service account grants).
-
-To cover this use case, organization policies have been moved from the resource management to the bootstrap stage in FAST versions after 26.0.0. They are managed via the usual factory approach, and a [sample set of data files](./data/org-policies/) is included with this stage. They are not applied during the initial run when the `bootstrap_user` variable is set, to work around incompatibilities with user credentials.
-
-FAST uses unmanaged organization policies by default. For those who prefer managed policies, a separate sample set is available. To use these managed policies, configure `factories_config` as shown below.
-
-```tfvars
-factories_config = {
- org_policies = "data/org-policies-managed"
-}
-```
-
-#### Security Command Center Enterprise
-
-The DRS policy mentioned above might make it complex to [enable Security Command Center Enterprise](https://cloud.google.com/security-command-center/docs/activate-enterprise-tier#verify_organization_policies). If this is the case, you can temporarily disable it via the Cloud Console, enable SCC Enterprise, then re-enable the policy.
-
-#### Tags and Organization Policy conditions
-
-Organization policy exceptions are managed via a dedicated resource management tag hierarchy, rooted in the `org-policies` tag key. A default condition is already present for the the `iam.allowedPolicyMemberDomains` constraint, that relaxes the policy on resources that have the `org-policies/allowed-policy-member-domains-all` tag value bound or inherited, and similarly for `essentialcontacts.allowedContactDomains` via the `allowed-essential-contacts-domains-all` tag value.
-
-Further tag values can be defined via the `org_policies_config.tag_values` variable, and IAM access can be granted on them via the same variable. Once a tag value has been created, its id can be used in constraint rule conditions. Note that only one tag value from a given tag key can be bound to a node (organization, folder, or project) in the resource hierarchy. Since these tag values are all rooted in the `org-policies` key, this limits the ability to apply fine-grained policy constraints. It may be more desirable to model policy overrides using coarser groups of tag values to create a policy "profile". For example, instead of separating `compute.skipDefaultNetworkCreation` and `compute.vmExternalIpAccess`, enforce both constraints by default and relax them both using the same tag value such as `sandbox`. See [tags overview](https://cloud.google.com/resource-manager/docs/tags/tags-overview) for more information.
-
-Management of the rest of the tag hierarchy is delegated to the resource management stage, as that is often intimately tied to the folder hierarchy design.
-
-The organization policy tag key and values managed by this stage have been added to the `0-bootstrap.auto.tfvars` stage, so that IAM can be delegated to the resource management or successive stages via their ids.
-
-The following example shows an example on how to define an additional tag value, and use it in a boolean constraint rule.
-
-This snippet defines a new tag value under the `org-policies` tag key via the `org_policies_config` variable, and assigns the permission to bind it to a group.
-
-```hcl
-# stage 0 custom tfvars
-org_policies_config = {
- tag_values = {
- compute-require-oslogin-false = {
- description = "Bind this tag to set oslogin to false."
- iam = {
- "roles/resourcemanager.tagUser" = [
- "group:foo@example.com"
- ]
- }
- }
- }
-}
-# tftest skip
-```
-
-The above tag can be used to define a constraint condition via the `data/org-policies/compute.yaml` or similar factory file. The name of the tag can be referenced from the factory files using `tags.org_policies_config`, as shown below.
-
-```yaml
-compute.requireOsLogin:
- rules:
- - enforce: true
- - enforce: false
- condition:
- expression: resource.matchTag('${tags.org_policies_tag_name}', 'compute-require-oslogin-false')
-```
-
-### Automation project and resources
-
-One other design choice worth mentioning here is using a single automation project for all foundational stages. We trade off some complexity on the API side (single source for usage quota, multiple service activation) for increased flexibility and simpler operations, while still effectively providing the same degree of separation via resource-level IAM.
-
-### Billing account
-
-We support three use cases in regards to billing:
-
-- the billing account is part of this same organization, IAM bindings will be set at the organization level
-- the billing account is not considered part of an organization (even though it might be), billing IAM bindings are set on the billing account itself
-- billing IAM is managed separately, and no bindings should (or can) be set via Terraform, this requires a few extra steps and is definitely not recommended and mainly used for development purposes
-
-For same-organization billing, we configure a custom organization role that can set IAM bindings, via a delegated role grant to limit its scope to the relevant roles.
-
-For details on configuring the different billing account modes, refer to the [How to run this stage](#how-to-run-this-stage) section below.
-
-Because of limitations of API availability, manual steps have to be followed to enable billing export within billing project to BigQuery dataset `billing_export` which will be created as part of the bootstrap stage. The process to share billing data [is outlined here](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-setup#enable-bq-export).
-
-### Organization-level logging
-
-We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project.
-
-An organization-level sink captures IAM data access logs, including authentication and impersonation events for service accounts. To manage logging costs, the default configuration enables IAM data access logging only within the automation project (where sensitive service accounts reside). For enhanced security across the entire organization, consider enabling these logs at the organization level.
-
-The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
-
-### Naming
-
-We are intentionally not supporting random prefix/suffixes for names, as that is an antipattern typically only used in development. It does not map to our customer's actual production usage, where they always adopt a fixed naming convention.
-
-What is implemented here is a fairly common convention, composed of tokens ordered by relative importance:
-
-- an organization-level static prefix less or equal to 9 characters (e.g. `myco` or `myco-gcp`)
-- an optional tenant-level prefix, if using tenant factory
-- an environment identifier (e.g. `prod`)
-- a team/owner identifier (e.g. `sec` for Security)
-- a context identifier (e.g. `core` or `kms`)
-- an arbitrary identifier used to distinguish similar resources (e.g. `0`, `1`)
-
-> [!WARNING]
-> When using tenant factory, a tenant prefix will be automatically generated as `{prefix}-{tenant-shortname}`. The maximum length of such prefix must be 11 characters or less, which means that the longer org-level prefix you use, the less chars you'll have available for the `tenant-shortname`.
-
-Tokens are joined by a `-` character, making it easy to separate the individual tokens visually, and to programmatically split them in billing exports to derive initial high-level groupings for cost attribution.
-
-The convention is used in its full form only for specific resources with globally unique names (projects, GCS buckets). Other resources adopt a shorter version for legibility, as the full context can always be derived from their project.
-
-The [Customizations](#names-and-naming-convention) section on names below explains how to configure tokens, or implement a different naming convention.
-
-### Workforce Identity Federation
-
-This stage supports configuration of [Workforce Identity Federation](https://cloud.google.com/iam/docs/workforce-identity-federation) which lets an external identity provider (IdP) to authenticate and authorize a group of users (usually employees) using IAM, so that the users can access Google Cloud services.
-
-The following example shows an example on how to define a Workforce Identity pool for the organization.
-
-```hcl
-# stage 0 wif tfvars
-workforce_identity_providers = {
- test = {
- issuer = "azuread"
- display_name = "wif-provider"
- description = "Workforce Identity pool"
- saml = {
- idp_metadata_xml = "..."
- }
- }
-}
-# tftest skip
-```
-
-### Workload Identity Federation and CI/CD
-
-This stage also implements initial support for two interrelated features
-
-- configuration of [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) pools and providers
-- configuration of CI/CD repositories to allow impersonation via Workload identity Federation, and stage running via provided workflow templates
-
-Workload Identity Federation support allows configuring external providers independently from CI/CD, and offers predefined attributes for a few well known ones (more can be easily added by editing the `identity-providers-wlif.tf` file). Once providers have been configured their names are passed to the following stages via interface outputs, and can be leveraged to set up access or impersonation in IAM bindings.
-
-CI/CD support is fully implemented for GitHub, Gitlab, and Cloud Source Repositories / Cloud Build. For GitHub, we also offer a [separate supporting setup](../../extras/0-cicd-github/) to quickly create / configure repositories. The same applies for Gitlab with the [following extra stage](../../extras/0-cicd-gitlab/).
-
-
-
-For details on how to configure both features, refer to the Customizations sections below on [Workload Identity Federation](#workload-identity-federation) and [CI/CD repositories](#cicd-repositories).
-
-These features are optional and only enabled if the relevant variables have been populated.
-
-## How to run this stage
-
-This stage has straightforward initial requirements, as it is designed to work on newly created GCP organizations. Four steps are needed to bring up this stage:
-
-- an Organization Admin self-assigns the required roles listed below
-- the same administrator runs the first `init/apply` sequence passing a special variable to `apply`
-- the providers configuration file is derived from the Terraform output or linked from the generated file
-- a second `init` is run to migrate state, and from then on, the stage is run via impersonation
-
-### Prerequisites
-
-The roles that the Organization Admin used in the first `apply` needs to self-grant are:
-
-- Billing Account Administrator (`roles/billing.admin`)
- either on the organization or the billing account (see the following section for details)
-- Logging Admin (`roles/logging.admin`)
-- Organization Role Administrator (`roles/iam.organizationRoleAdmin`)
-- Organization Administrator (`roles/resourcemanager.organizationAdmin`)
-- Project Creator (`roles/resourcemanager.projectCreator`)
-- Tag Admin (`roles/resourcemanager.tagAdmin`)
-- Owner (`roles/owner`)
-
-To quickly self-grant the above roles, run the following code snippet as the initial Organization Admin:
-
-```bash
-# set variable for current logged in user
-export FAST_BU=$(gcloud config list --format 'value(core.account)')
-
-# find and set your org id
-gcloud organizations list
-export FAST_ORG_ID=123456
-
-# set needed roles
-export FAST_ROLES="roles/billing.admin roles/logging.admin \
- roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator \
- roles/resourcemanager.organizationAdmin roles/resourcemanager.tagAdmin \
- roles/owner"
-
-for role in $FAST_ROLES; do
- gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
- --member user:$FAST_BU --role $role --condition None
-done
-```
-
-Then make sure the same user is also part of the `gcp-organization-admins` group so that impersonating the automation service account later on will be possible.
-
-#### Standalone billing account
-
-If you are using a standalone billing account, the identity applying this stage for the first time needs to be a billing account administrator:
-
-```bash
-export FAST_BILLING_ACCOUNT_ID=ABCD-01234-ABCD
-gcloud beta billing accounts add-iam-policy-binding $FAST_BILLING_ACCOUNT_ID \
- --member user:$FAST_BU --role roles/billing.admin
-```
-
-#### Preventing creation of billing-related IAM bindings
-
-This configuration is possible but unsupported and only present for development purposes, use at your own risk:
-
-- configure `billing_account.id` as `null` and `billing_account.no_iam` to `true` in your `tfvars` file
-- apply with `terraform apply -target 'module.automation-project.google_project.project[0]'` in addition to the initial user variable
-- once Terraform raises an error run `terraform untaint 'module.automation-project.google_project.project[0]'`
-- repeat the two steps above for `'module.log-export-project.google_project.project[0]'`
-- go through the process to associate the billing account with the two projects
-- configure `billing_account.id` with the real billing account id
-- resume applying normally
-
-#### Groups
-
-Before the first run, the following IAM groups must exist to allow IAM bindings to be created (actual names are flexible, see the [Customization](#customizations) section):
-
-- `gcp-billing-admins`
-- `gcp-devops`
-- `gcp-vpc-network-admins`
-- `gcp-organization-admins`
-- `gcp-security-admins`
-
-You can refer to [this animated image](./groups.gif) for a step by step on group creation via the [Google Cloud Enterprise Checklist](https://cloud.google.com/docs/enterprise/setup-checklist).
-
-Please note that not all groups defined by the Checklist are actually used by FAST, as our approach to IAM is slightly different. As an example, we do not centralize monitoring functions as in our experience those are typically domain-specific (e.g. networking or application-level), so we don't leverage the corresponding groups. You are free of course to create those groups via the Checklist, and assign them roles via the IAM variables exposed by this stage.
-
-One more difference compared to the Checklist is the use in FAST of an additional group to centralize support functions like viewing tickets and accessing logging and monitoring data. To remain consistent with the [Google Cloud Enterprise Checklist](https://cloud.google.com/docs/enterprise/setup-checklist) we map these permissions to the `gcp-devops` group by default. However, we recommend creating a dedicated `gcp-support` group and updating the `groups` variable with the right value.
-
-#### Configure variables
-
-Then make sure you have configured the correct values for the following variables by providing a `terraform.tfvars` file:
-
-- `billing_account`
- an object containing `id` as the id of your billing account, derived from the Cloud Console UI or by running `gcloud beta billing accounts list`, and the `is_org_level` flag that controls whether organization or account-level bindings are used, and a billing export project and dataset are created
-- `groups`
- the name mappings for your groups, if you're following the default convention you can leave this to the provided default
-- `organization.id`, `organization.domain`, `organization.customer_id`
- the id, domain and customer id of your organization, derived from the Cloud Console UI or by running `gcloud organizations list`
-- `prefix`
- the fixed org-level prefix used in your naming, maximum 9 characters long. Note that if you are using multitenant stages, then you will later need to configure a `tenant prefix`.
- This `tenant prefix` can have a maximum length of 2 characters,
- plus any unused characters from the from the `prefix`.
- For example, if you specify a `prefix` that is 7 characters long,
- then your `tenant prefix` can have a maximum of 4 characters.
-
-You can also adapt the example that follows to your needs:
-
-```tfvars
-# use `gcloud beta billing accounts list`
-# if you have too many accounts, check the Cloud Console :)
-billing_account = {
- id = "012345-67890A-BCDEF0"
-}
-
-# use `gcloud organizations list`
-organization = {
- domain = "example.org"
- id = 1234567890
- customer_id = "C000001"
-}
-
-# local path to store tfvars/provider outputs generated by this stage
-outputs_location = "~/fast-config"
-
-# locations for GCS, BigQuery, and logging buckets created here
-locations = {
- bq = "EU"
- gcs = "EU"
- logging = "global"
- pubsub = []
-}
-
-# use something unique and no longer than 9 characters
-prefix = "abcd"
-```
-
-### Output files and cross-stage variables
-
-Each foundational FAST stage generates provider configurations and variable files can be consumed by the following stages, and saves them in a dedicated GCS bucket in the automation project. These files are a handy way to simplify stage configuration, and are also used by our CI/CD workflows to configure the repository files in the pipelines that validate and apply the code.
-
-Alongside the GCS stored files, you can also configure a second copy to be saves on the local filesystem, as a convenience when developing or bringing up the infrastructure before a proper CI/CD setup is in place.
-
-This second set of files is disabled by default, you can enable it by setting the `outputs_location` variable to a valid path on a local filesystem, e.g.
-
-```tfvars
-outputs_location = "~/fast-config"
-```
-
-Once the variable is set, `apply` will generate and manage providers and variables files, including the initial one used for this stage after the first run. You can then link these files in the relevant stages, instead of manually transferring outputs from one stage, to Terraform variables in another.
-
-Below is the outline of the output files generated by all stages, which is identical for both the GCS and local filesystem copies:
-
-```bash
-[path specified in outputs_location]
-├── providers
-│ ├── 0-bootstrap-providers.tf
-│ ├── 1-resman-providers.tf
-│ ├── 2-networking-providers.tf
-│ ├── 2-security-providers.tf
-│ ├── 2-project-factory-dev-providers.tf
-│ ├── 2-project-factory-prod-providers.tf
-│ └── 9-sandbox-providers.tf
-└── tfvars
-│ ├── 0-bootstrap.auto.tfvars.json
-│ ├── 1-resman.auto.tfvars.json
-│ ├── 2-networking.auto.tfvars.json
-│ └── 2-security.auto.tfvars.json
-└── workflows
- └── [optional depending on the configured CI/CD repositories]
-```
-
-### Running the stage
-
-Before running `init` and `apply`, check your environment so no extra variables that might influence authentication are present (e.g. `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT`). In general you should use user application credentials, and FAST will then take care to provision automation identities and configure impersonation for you.
-
-When running the first `apply` as a user, you need to pass a special runtime variable so that the user roles are preserved when setting IAM bindings.
-
-```bash
-terraform init
-terraform apply \
- -var bootstrap_user=$(gcloud config list --format 'value(core.account)')
-```
-
-> If you see an error related to project name already exists, please make sure the project name is unique or the project was not deleted recently
-
-Once the initial `apply` completes successfully, configure a remote backend using the new GCS bucket, and impersonation on the automation service account for this stage. To do this you can use the generated `providers.tf` file from either
-
-- the local filesystem if you have configured output files as described above
-- the GCS bucket where output files are always stored
-- Terraform outputs (not recommended as it's more complex)
-
-The following two snippets show how to leverage the `fast-links.sh` script in the FAST stages folder to fetch the commands required for output files linking or copying, using either the local output folder configured via Terraform variables, or the GCS bucket which can be derived from the `automation` output.
-
-```bash
-../fast-links.sh ~/fast-config
-
-# File linking commands for organization bootstrap stage
-
-# provider file
-ln -s ~/fast-config/fast-test-00/providers/0-bootstrap-providers.tf ./
-
-# conventional place for stage tfvars (manually created)
-ln -s ~/fast-config/fast-test-00/0-bootstrap.auto.tfvars ./
-```
-
-```bash
-../fast-links.sh gs://xxx-prod-iac-core-outputs-0
-
-# File linking commands for organization bootstrap stage
-
-# provider file
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/0-bootstrap-providers.tf ./
-
-# conventional place for stage tfvars (manually created)
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/0-bootstrap.auto.tfvars ./
-```
-
-- important for CI/CD
-The `0-bootstrap.auto.tfvars` file is a crucial component of the CI/CD pipeline and must be manually created. This file is essentially the `terraform.tfvars` file renamed to avoid being ignored in version control systems like GitHub or GitLab, where `terraform.tfvars` is often included in `.gitignore`. By renaming it and committing `0-bootstrap.auto.tfvars` to your source control, you ensure that the necessary configurations are available in the pipeline.
-
-Copy/paste the command returned by the script to link or copy the provider file, then migrate state with `terraform init` and run `terraform apply`. If your organization was created with "Secure by Default Org Policy", that is with some of the org policies enabled, add `-var 'org_policies_config={"import_defaults": true}'` to `terraform apply`:
-
-```bash
-terraform init -migrate-state
-terraform apply
-```
-
-or
-
-```bash
-terraform init -migrate-state
-terraform apply -var 'org_policies_config={"import_defaults": true}'
-```
-
-if there default policies are enabled.
-
-Make sure the user you're logged in with is a member of the `gcp-organization-admins` group or impersonation will not be possible.
-
-## Customizations
-
-Most variables (e.g. `billing_account` and `organization`) are only used to input actual values and should be self-explanatory. The only meaningful customizations that apply here are groups, and IAM roles.
-
-### Group names
-
-As we mentioned above, groups reflect the convention used in the [GCP Enterprise Setup Checklist](https://cloud.google.com/docs/enterprise/setup-checklist), with an added level of indirection: the `groups` variable maps logical names to actual names, so that you don't need to delve into the code if your group names do not comply with the checklist convention.
-
-For example, if your network admins team is called `net-rockstars@example.com`, simply set that name in the variable, minus the domain which is interpolated internally with the organization domain:
-
-```hcl
-variable "groups" {
- description = "Group names to grant organization-level permissions."
- type = map(string)
- default = {
- gcp-network-admins = "net-rockstars"
- # [...]
- }
-}
-# tftest skip
-```
-
-If your groups layout differs substantially from the checklist, define all relevant groups in the `groups` variable, then rearrange IAM roles in the code to match your setup.
-
-### IAM
-
-One other area where we directly support customizations is IAM. The code here, as in all stages, follows a simple pattern derived from best practices:
-
-- operational roles for humans are assigned to groups
-- any other principal is a service account
-
-In code, the distinction above reflects on how IAM bindings are specified in the underlying module variables:
-
-- group roles "for humans" always use `iam_by_principals` variables
-- service account roles always use `iam` variables
-
-This makes it easy to tweak user roles by adding mappings to the `iam_by_principals` variables of the relevant resources, without having to understand and deal with the details of service account roles.
-
-One more critical difference in IAM bindings is between authoritative and additive:
-
-- authoritative bindings have complete control on principals for a given role; this is the recommended best practice when a single automation actor controls the role, as it removes drift each time Terraform runs
-- additive bindings have control only on given role/principal pairs, and need to be used whenever multiple automation actors need to control the role, as is the case for the network user role in Shared VPC setups, and many other situations
-
-This stage groups all IAM definitions in the [organization-iam.tf](./organization-iam.tf) file, to allow easy parsing of roles assigned to each group and machine identity.
-
-When customizations are needed, three stage-level variables allow injecting additional bindings to match the desired setup:
-
-- `iam_by_principals` allows adding authoritative bindings for groups
-- `iam` allows adding authoritative bindings for any type of supported principal, and is merged with the internal `iam` local and then with group bindings at the module level
-- `iam_bindings_additive` allows adding individual role/member pairs, and also supports IAM conditions
-
-Refer to the [project module](../../../modules/project/) for examples on how to use the IAM variables, and they are an interface shared across all our modules.
-
-### Log sinks and log destinations
-
-You can customize organization-level logs through the `log_sinks` variable in two ways:
-
-- creating additional log sinks to capture more logs
-- changing the destination of captured logs
-
-By default, all logs are exported to a log bucket, but FAST can create sinks to BigQuery, GCS, or PubSub.
-
-If you need to capture additional logs, please refer to GCP's documentation on [scenarios for exporting logging data](https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics), where you can find ready-made filter expressions for different use cases.
-
-When using Pubsub or BigQuery destinations, make sure the read-only stage service account (`prefix-prod-bootstrap-0r@prefix-prod-iac-core-0.iam.gserviceaccount.com`) has the necessary permissions to view destination resources. You can add them manually via the authoritative `iam` or the additive `iam_bindings_additive` variables. Refer to issue [#2540](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/issues/2540) for a discussion on this topic, and simple commands to verify proper permissions have been added.
-
-### Names and naming convention
-
-Configuring the individual tokens for the naming convention described above, has varying degrees of complexity:
-
-- the static prefix can be set via the `prefix` variable once
-- the environment identifier is set to `prod` as resources here influence production and are considered as such, and can be changed in `main.tf` locals
-
-All other tokens are set directly in resource names, as providing abstractions to manage them would have added too much complexity to the code, making it less readable and more fragile.
-
-If a different convention is needed, identify names via search/grep (e.g. with `^\s+name\s+=\s+"`) and change them in an editor: it should take a couple of minutes at most, as there's just a handful of modules and resources to change.
-
-Names used in internal references (e.g. `module.foo-prod.id`) are only used by Terraform and do not influence resource naming, so they are best left untouched to avoid having to debug complex errors.
-
-### Workload Identity Federation
-
-At any time during this stage's lifecycle you can configure a Workload Identity Federation pool, and one or more providers. These are part of this stage's interface, included in the automatically generated `.tfvars` files and accepted by the Resource Managent stage that follows.
-
-The variable maps each provider's `issuer` attribute with the definitions in the `identity-providers-wlif.tf` file. We currently support GitHub and Gitlab directly, and extending to definitions to support more providers is trivial (send us a PR if you do!).
-
-Provider key names are used by the `cicd_repositories` variable to configure authentication for CI/CD repositories, and generally from your Terraform code whenever you need to configure IAM access or impersonation for federated identities.
-
-This is a sample configuration of a GitHub and a Gitlab provider. Every parameter is optional.
-
-The `custom_settings` attributes are used to configure the provider to work with privately managed installations of Github and Gitlab:
-
-- `issuer_uri` (defaults to the public platforms one if not set)
-- `audience` (defaults to the public URL of the provider if not set, as recommended in the [WIF FAQ section](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience))
-- `jwks_json` for public key upload
-
-```tfvars
-workload_identity_providers = {
- # Use the public GitHub and specify an attribute condition
- github-public-sample = {
- attribute_condition = "attribute.repository_owner==\"my-github-org\""
- issuer = "github"
- }
- # Use a private instance of Gitlab and specify a custom issuer_uri
- gitlab-private-sample = {
- issuer = "gitlab"
- custom_settings = {
- issuer_uri = "https://gitlab.fast.example.com"
- }
- }
- # Use a private instance of Gitlab.
- # Specify a custom audience and a custom issuer_uri
- gitlab-private-aud-sample = {
- attribute_condition = "attribute.namespace_path==\"my-gitlab-org\""
- issuer = "gitlab"
- custom_settings = {
- audiences = ["https://gitlab.fast.example.com"]
- issuer_uri = "https://gitlab.fast.example.com"
- }
- }
-}
-```
-
-### Project folders
-
-By default this stage creates all its projects directly under the orgaization node. If desired, projects can be moved under a folder using the `project_parent_ids` variable.
-
-```tfvars
-project_parent_ids = {
- automation = "folders/1234567890"
- billing = "folders/9876543210"
- logging = "folders/1234567890"
-}
-```
-
-### CI/CD repositories
-
-FAST is designed to directly support running in automated workflows from separate repositories for each stage. The `cicd_repositories` variable allows you to configure impersonation from external repositories leveraging Workload identity Federation, and pre-configures a FAST workflow file that can be used to validate and apply the code in each repository.
-
-The repository design we support is fairly simple, with a repository for modules that enables centralization and versioning, and one repository for each stage optionally configured from the previous stage.
-
-This is an example of configuring the bootstrap and resource management repositories in this stage. CI/CD configuration is optional, so the entire variable or any of its attributes can be set to null if not needed.
-
-```tfvars
-cicd_config = {
- bootstrap = {
- identity_provider = "github-sample"
- repository = {
- branch = null
- name = "my-gh-org/fast-bootstrap"
- type = "github"
- }
- }
- resman = {
- identity_provider = "github-sample"
- repository = {
- branch = "main"
- name = "my-gh-org/fast-resman"
- type = "github"
- }
- }
-}
-```
-
-The `type` attribute can be set to one of the supported repository types: `github` or `gitlab`.
-
-Once the stage is applied the generated output files will contain pre-configured workflow files for each repository, that will use Workload Identity Federation via a dedicated service account for each repository to impersonate the automation service account for the stage.
-
-You can use Terraform to automate creation of the repositories using the extra stage defined in [fast/extras/0-cicd-github](../../extras/0-cicd-github/) (only for Github for now).
-
-The remaining configuration is manual, as it regards the repositories themselves:
-
-- create a repository for modules
- - clone and populate it with the Fabric modules
- - configure authentication to the modules repository
- - for GitHub
- - create a key pair
- - create a [deploy key](https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys) in the modules repository with the public key
- - create a `CICD_MODULES_KEY` secret with the private key in each of the repositories that need to access modules (for Gitlab, please Base64 encode the private key for masking)
- - for Gitlab
- - TODO
- - for Source Repositories
- - assign the reader role to the CI/CD service accounts
-- create one repository for each stage
- - do an initial apply cycle for the stage so that state exists
- - clone and populate them with the stage source
- - edit the modules source to match your modules repository
- - a simple way is using the "Replace in files" function of your editor
- - search for `source\s*= "../../../modules/([^"]+)"`
- - replace with:
- - modules stored on GitHub: `source = "git@github.com:my-org/fast-modules.git//$1?ref=v1.0"`
- - modules stored on Gitlab: `source = "git::ssh://git@gitlab.com/my-org/fast-modules.git//$1?ref=v1.0"`
- - modules stored on Source Repositories: `"source = git::https://source.developers.google.com/p/my-project/r/my-repository//$1?ref=v1.0"`. You may need to run `git config --global credential.'https://source.developers.google.com'.helper gcloud.sh` first as documented [here](https://cloud.google.com/source-repositories/docs/adding-repositories-as-remotes#add_the_repository_as_a_remote)
- - copy the generated workflow file for the stage from the GCS output files bucket or from the local clone if enabled
- - for GitHub, place it in a `.github/workflows` folder in the repository root
- - for Gitlab, rename it to `.gitlab-ci.yml` and place it in the repository root
- - for Source Repositories, place it in `.cloudbuild/workflow.yaml`
- - To prevent the creation of local files in the CI/CD pipeline, comment out the `outputs_location` line in the `terraform.tfvars` file by adding a `#` at the beginning, like so: `# outputs_location = "~/fast-config"`. This configuration is only necessary for the initial local deployments and should not be used in the CI/CD environment.
-
-### Add-ons
-
-FAST defines a simple mechanism to extend stage functionality via the use of [add-ons](../../addons/). Configuration for stage 1 add-ons happens here via the `fast_addon` variable. Refer to the add-ons documentation for more details on their use.
-
-
-
-## Files
-
-| name | description | modules | resources |
-|---|---|---|---|
-| [automation.tf](./automation.tf) | Automation project and resources. | gcs · iam-service-account · project | |
-| [billing.tf](./billing.tf) | Billing export project and dataset. | bigquery-dataset · billing-account · logging-bucket · project | |
-| [cicd.tf](./cicd.tf) | CI/CD locals and resources. | iam-service-account | |
-| [identity-providers-wfif-defs.tf](./identity-providers-wfif-defs.tf) | Workforce Identity provider definitions. | | |
-| [identity-providers-wfif.tf](./identity-providers-wfif.tf) | Workforce Identity Federation provider definitions. | | google_iam_workforce_pool · google_iam_workforce_pool_provider |
-| [identity-providers-wlif-defs.tf](./identity-providers-wlif-defs.tf) | Workload Identity provider definitions. | | |
-| [identity-providers-wlif.tf](./identity-providers-wlif.tf) | Workload Identity Federation provider definitions. | | google_iam_workload_identity_pool · google_iam_workload_identity_pool_provider |
-| [log-export.tf](./log-export.tf) | Audit log project and sink. | bigquery-dataset · gcs · logging-bucket · project · pubsub | |
-| [main.tf](./main.tf) | Module-level locals and resources. | | |
-| [organization-iam.tf](./organization-iam.tf) | Organization-level IAM bindings locals. | | |
-| [organization.tf](./organization.tf) | Organization-level IAM. | organization | |
-| [outputs-files.tf](./outputs-files.tf) | Output files persistence to local filesystem. | | local_file |
-| [outputs-gcs.tf](./outputs-gcs.tf) | Output files persistence to automation GCS bucket. | | google_storage_bucket_object |
-| [outputs-providers.tf](./outputs-providers.tf) | Locals for provider output files. | | |
-| [outputs.tf](./outputs.tf) | Module outputs. | | |
-| [variables-addons.tf](./variables-addons.tf) | None | | |
-| [variables.tf](./variables.tf) | Module variables. | | |
-
-## Variables
-
-| name | description | type | required | default | producer |
-|---|---|:---:|:---:|:---:|:---:|
-| [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | |
-| [organization](variables.tf#L282) | Organization details. | object({…}) | ✓ | | |
-| [prefix](variables.tf#L297) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
-| [bootstrap_user](variables.tf#L39) | Email of the nominal user running this stage for the first time. | string | | null | |
-| [cicd_config](variables.tf#L45) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | {} | |
-| [custom_roles](variables.tf#L86) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | |
-| [environments](variables.tf#L93) | Environment names. When not defined, short name is set to the key and tag name to lower(name). | map(object({…})) | | {…} | |
-| [essential_contacts](variables.tf#L133) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L139) | Configuration for the resource factories or external data. | object({…}) | | {} | |
-| [fast_addon](variables-addons.tf#L17) | FAST addons configurations for stages 1. Keys are used as short names for the add-on resources. | map(object({…})) | | {} | |
-| [groups](variables.tf#L151) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | |
-| [iam](variables.tf#L168) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | |
-| [iam_bindings_additive](variables.tf#L175) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | |
-| [iam_by_principals](variables.tf#L190) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
-| [locations](variables.tf#L197) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | |
-| [log_sinks](variables.tf#L211) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
-| [org_policies_config](variables.tf#L267) | Organization policies customization. | object({…}) | | {} | |
-| [outputs_location](variables.tf#L291) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [project_parent_ids](variables.tf#L306) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | |
-| [resource_names](variables.tf#L317) | Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type. | object({…}) | | {} | |
-| [universe](variables.tf#L349) | Target GCP universe. | object({…}) | | null | |
-| [workforce_identity_providers](variables.tf#L359) | Workforce Identity Federation pools. | map(object({…})) | | {} | |
-| [workload_identity_providers](variables.tf#L375) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | |
-
-## Outputs
-
-| name | description | sensitive | consumers |
-|---|---|:---:|---|
-| [automation](outputs.tf#L113) | Automation resources. | | |
-| [billing_dataset](outputs.tf#L118) | BigQuery dataset prepared for billing export. | | |
-| [cicd_repositories](outputs.tf#L123) | CI/CD repository configurations. | | |
-| [custom_roles](outputs.tf#L135) | Organization-level custom roles. | | |
-| [outputs_bucket](outputs.tf#L140) | GCS bucket where generated output files are stored. | | |
-| [project_ids](outputs.tf#L145) | Projects created by this stage. | | |
-| [providers](outputs.tf#L155) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 |
-| [service_accounts](outputs.tf#L162) | Automation service accounts created by this stage. | | |
-| [tfvars](outputs.tf#L171) | Terraform variable files for the following stages. | ✓ | |
-| [tfvars_globals](outputs.tf#L177) | Terraform Globals variable files for the following stages. | ✓ | |
-| [workforce_identity_pool](outputs.tf#L183) | Workforce Identity Federation pool. | | |
-| [workload_identity_pool](outputs.tf#L192) | Workload Identity Federation pool and providers. | | |
-
diff --git a/fast/stages/0-bootstrap-legacy/automation.tf b/fast/stages/0-bootstrap-legacy/automation.tf
deleted file mode 100644
index 40bd4bfcc..000000000
--- a/fast/stages/0-bootstrap-legacy/automation.tf
+++ /dev/null
@@ -1,369 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Automation project and resources.
-
-module "automation-project" {
- source = "../../../modules/project"
- billing_account = var.billing_account.id
- name = var.resource_names["project-automation"]
- parent = coalesce(
- var.project_parent_ids.automation, "organizations/${var.organization.id}"
- )
- prefix = var.prefix
- universe = var.universe
- contacts = (
- var.bootstrap_user != null || var.essential_contacts == null
- ? {}
- : { (var.essential_contacts) = ["ALL"] }
- )
- factories_config = {
- org_policies = (
- var.bootstrap_user != null ? null : var.factories_config.org_policies_iac
- )
- }
- # human (groups) IAM bindings
- iam_by_principals = {
- (local.principals.gcp-devops) = [
- "roles/iam.serviceAccountAdmin",
- "roles/iam.serviceAccountTokenCreator",
- ]
- (local.principals.gcp-organization-admins) = [
- "roles/iam.serviceAccountTokenCreator",
- "roles/iam.workloadIdentityPoolAdmin"
- ]
- }
- # machine (service accounts) IAM bindings
- iam = {
- "roles/browser" = [
- module.automation-tf-resman-r-sa.iam_email
- ]
- "roles/owner" = [
- module.automation-tf-bootstrap-sa.iam_email
- ]
- "roles/cloudbuild.builds.editor" = [
- module.automation-tf-resman-sa.iam_email
- ]
- "roles/cloudbuild.builds.viewer" = [
- module.automation-tf-resman-r-sa.iam_email
- ]
- "roles/iam.serviceAccountAdmin" = [
- module.automation-tf-resman-sa.iam_email
- ]
- "roles/iam.serviceAccountViewer" = [
- module.automation-tf-resman-r-sa.iam_email
- ]
- "roles/iam.workloadIdentityPoolAdmin" = [
- module.automation-tf-resman-sa.iam_email
- ]
- "roles/iam.workloadIdentityPoolViewer" = [
- module.automation-tf-resman-r-sa.iam_email
- ]
- "roles/source.admin" = [
- module.automation-tf-resman-sa.iam_email
- ]
- "roles/source.reader" = [
- module.automation-tf-resman-r-sa.iam_email
- ]
- "roles/storage.admin" = [
- module.automation-tf-resman-sa.iam_email
- ]
- (module.organization.custom_role_id["storage_viewer"]) = [
- module.automation-tf-bootstrap-r-sa.iam_email,
- module.automation-tf-resman-r-sa.iam_email
- ]
- "roles/viewer" = [
- module.automation-tf-bootstrap-r-sa.iam_email,
- module.automation-tf-resman-r-sa.iam_email
- ]
- }
- iam_bindings = {
- delegated_grants_resman = {
- members = [module.automation-tf-resman-sa.iam_email]
- role = "roles/resourcemanager.projectIamAdmin"
- condition = {
- title = "resman_delegated_grant"
- description = "Resource manager service account delegated grant."
- expression = format(
- "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['%s'])",
- "roles/serviceusage.serviceUsageConsumer"
- )
- }
- }
- }
- iam_bindings_additive = {
- serviceusage_resman = {
- member = module.automation-tf-resman-sa.iam_email
- role = "roles/serviceusage.serviceUsageConsumer"
- }
- serviceusage_resman_r = {
- member = module.automation-tf-resman-r-sa.iam_email
- role = "roles/serviceusage.serviceUsageViewer"
- }
- }
- org_policies = (
- var.bootstrap_user != null || var.org_policies_config.iac_policy_member_domains == null
- ? {}
- : {
- "iam.allowedPolicyMemberDomains" = {
- inherit_from_parent = true
- rules = [{
- allow = {
- values = var.org_policies_config.iac_policy_member_domains
- }
- }]
- }
- }
- )
- services = concat(
- [
- "accesscontextmanager.googleapis.com",
- "bigquery.googleapis.com",
- "bigqueryreservation.googleapis.com",
- "bigquerystorage.googleapis.com",
- "billingbudgets.googleapis.com",
- "cloudasset.googleapis.com",
- "cloudbilling.googleapis.com",
- "cloudkms.googleapis.com",
- "cloudquotas.googleapis.com",
- "cloudresourcemanager.googleapis.com",
- "datacatalog.googleapis.com",
- "essentialcontacts.googleapis.com",
- "iam.googleapis.com",
- "iamcredentials.googleapis.com",
- "logging.googleapis.com",
- "monitoring.googleapis.com",
- "networksecurity.googleapis.com",
- "orgpolicy.googleapis.com",
- "pubsub.googleapis.com",
- "servicenetworking.googleapis.com",
- "serviceusage.googleapis.com",
- "storage-component.googleapis.com",
- "storage.googleapis.com",
- "sts.googleapis.com",
- ],
- # enable specific service only after org policies have been applied
- var.bootstrap_user != null ? [] : [
- "cloudbuild.googleapis.com",
- "compute.googleapis.com",
- "container.googleapis.com",
- ]
- )
- # Enable IAM data access logs to capture impersonation and service
- # account token generation events. This is implemented within the
- # automation project to limit log volume. For heightened security,
- # consider enabling it at the organization level. A log sink within
- # the organization will collect and store these logs in a logging
- # bucket. See
- # https://cloud.google.com/iam/docs/audit-logging#audited_operations
- logging_data_access = {
- "iam.googleapis.com" = {
- # ADMIN_READ captures impersonation and GenerateAccessToken API calls
- ADMIN_READ = {}
- # enable DATA_WRITE if you want to capture configuration changes
- # to IAM-related resources (roles, deny policies, service
- # accounts, identity pools, etc)
- # DATA_WRITE = {}
- }
- "sts.googleapis.com" = {
- # ADMIN_READ captures SecurityTokenService.ExchangeToken API calls
- ADMIN_READ = {}
- }
- }
-}
-
-# output files bucket
-
-module "automation-tf-output-gcs" {
- source = "../../../modules/gcs"
- project_id = module.automation-project.project_id
- name = var.resource_names["gcs-outputs"]
- prefix = var.prefix
- location = local.locations.gcs
- versioning = true
- depends_on = [module.organization]
-}
-
-# this stage's bucket and service account
-
-module "automation-tf-bootstrap-gcs" {
- source = "../../../modules/gcs"
- project_id = module.automation-project.project_id
- name = var.resource_names["gcs-bootstrap"]
- prefix = var.prefix
- location = local.locations.gcs
- versioning = true
- depends_on = [module.organization]
-}
-
-module "automation-tf-bootstrap-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = var.resource_names["sa-bootstrap"]
- display_name = "Terraform organization bootstrap service account."
- prefix = var.prefix
- # allow SA used by CI/CD workflow to impersonate this SA
- iam = {
- "roles/iam.serviceAccountTokenCreator" = [
- for k, v in local.cicd_repositories :
- module.automation-tf-cicd-sa[k].iam_email if v.stage == "bootstrap"
- ]
- }
- iam_storage_roles = {
- (module.automation-tf-output-gcs.name) = ["roles/storage.admin"]
- }
-}
-
-module "automation-tf-bootstrap-r-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = var.resource_names["sa-bootstrap_ro"]
- display_name = "Terraform organization bootstrap service account (read-only)."
- prefix = var.prefix
- # allow SA used by CI/CD workflow to impersonate this SA
- iam = {
- "roles/iam.serviceAccountTokenCreator" = [
- for k, v in local.cicd_repositories :
- module.automation-tf-cicd-r-sa[k].iam_email if v.stage == "bootstrap"
- ]
- }
- # we grant organization roles here as IAM bindings have precedence over
- # custom roles in the organization module, so these need to depend on it
- iam_organization_roles = {
- (var.organization.id) = [
- module.organization.custom_role_id["organization_admin_viewer"],
- module.organization.custom_role_id["tag_viewer"]
- ]
- }
- iam_storage_roles = {
- (module.automation-tf-output-gcs.name) = [module.organization.custom_role_id["storage_viewer"]]
- }
-}
-
-# resource hierarchy stage's bucket and service account
-
-module "automation-tf-resman-gcs" {
- source = "../../../modules/gcs"
- project_id = module.automation-project.project_id
- name = var.resource_names["gcs-resman"]
- prefix = var.prefix
- location = local.locations.gcs
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.automation-tf-resman-sa.iam_email]
- "roles/storage.objectViewer" = [module.automation-tf-resman-r-sa.iam_email]
- }
- depends_on = [module.organization]
-}
-
-module "automation-tf-resman-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = var.resource_names["sa-resman"]
- display_name = "Terraform stage 1 resman service account."
- prefix = var.prefix
- # allow SA used by CI/CD workflow to impersonate this SA
- iam = {
- "roles/iam.serviceAccountTokenCreator" = [
- for k, v in local.cicd_repositories :
- module.automation-tf-cicd-sa[k].iam_email if v.stage == "resman"
- ]
- }
- iam_storage_roles = {
- (module.automation-tf-output-gcs.name) = ["roles/storage.admin"]
- }
-}
-
-module "automation-tf-resman-r-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = var.resource_names["sa-resman_ro"]
- display_name = "Terraform stage 1 resman service account (read-only)."
- prefix = var.prefix
- # allow SA used by CI/CD workflow to impersonate this SA
- iam = {
- "roles/iam.serviceAccountTokenCreator" = [
- for k, v in local.cicd_repositories :
- module.automation-tf-cicd-r-sa[k].iam_email if v.stage == "resman"
- ]
- }
- # we grant organization roles here as IAM bindings have precedence over
- # custom roles in the organization module, so these need to depend on it
- iam_organization_roles = {
- (var.organization.id) = [
- module.organization.custom_role_id["organization_admin_viewer"],
- module.organization.custom_role_id["tag_viewer"]
- ]
- }
- iam_storage_roles = {
- (module.automation-tf-output-gcs.name) = [module.organization.custom_role_id["storage_viewer"]]
- }
-}
-
-# VPC SC stage's bucket and service account
-
-module "automation-tf-vpcsc-gcs" {
- source = "../../../modules/gcs"
- project_id = module.automation-project.project_id
- name = var.resource_names["gcs-vpcsc"]
- prefix = var.prefix
- location = local.locations.gcs
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.automation-tf-vpcsc-sa.iam_email]
- "roles/storage.objectViewer" = [module.automation-tf-vpcsc-r-sa.iam_email]
- }
- depends_on = [module.organization]
-}
-
-module "automation-tf-vpcsc-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = var.resource_names["sa-vpcsc"]
- display_name = "Terraform stage 1 vpcsc service account."
- prefix = var.prefix
- # allow security group and SA used by CI/CD workflow to impersonate this SA
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- [local.principals["gcp-security-admins"]],
- [
- for k, v in local.cicd_repositories :
- module.automation-tf-cicd-sa[k].iam_email if v.stage == "vpcsc"
- ]
- )
- }
- iam_storage_roles = {
- (module.automation-tf-output-gcs.name) = ["roles/storage.admin"]
- }
-}
-
-module "automation-tf-vpcsc-r-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = var.resource_names["sa-vpcsc_ro"]
- display_name = "Terraform stage 1 vpcsc service account (read-only)."
- prefix = var.prefix
- # allow SA used by CI/CD workflow to impersonate this SA
- iam = {
- "roles/iam.serviceAccountTokenCreator" = [
- for k, v in local.cicd_repositories :
- module.automation-tf-cicd-r-sa[k].iam_email if v.stage == "vpcsc"
- ]
- }
- iam_storage_roles = {
- (module.automation-tf-output-gcs.name) = [module.organization.custom_role_id["storage_viewer"]]
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/billing.tf b/fast/stages/0-bootstrap-legacy/billing.tf
deleted file mode 100644
index 941e5c741..000000000
--- a/fast/stages/0-bootstrap-legacy/billing.tf
+++ /dev/null
@@ -1,127 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Billing export project and dataset.
-
-locals {
- billing_mode = (
- var.billing_account.no_iam
- ? null
- : var.billing_account.is_org_level ? "org" : "resource"
- )
-
- _billing_iam_bindings = {
- "roles/billing.admin" = [
- local.principals.gcp-billing-admins,
- local.principals.gcp-organization-admins,
- module.automation-tf-bootstrap-sa.iam_email,
- module.automation-tf-resman-sa.iam_email
- ],
- "roles/billing.viewer" = [
- module.automation-tf-bootstrap-r-sa.iam_email,
- module.automation-tf-resman-r-sa.iam_email
- ],
- "roles/logging.configWriter" = local.billing_mode == "org" || !var.billing_account.force_create.log_bucket ? [] : [
- module.automation-tf-bootstrap-sa.iam_email
- ]
- }
-
- _billing_iam_bindings_add = flatten([for role, bindings in local._billing_iam_bindings : [
- for member in bindings : {
- member = member,
- role = role
- }
- ]])
-
- billing_iam_bindings_additive = {
- for b in local._billing_iam_bindings_add : "${b.role}-${b.member}" => {
- member = b.member
- role = b.role
- }
- }
-}
-
-# billing account in same org (IAM is in the organization.tf file)
-
-module "billing-export-project" {
- source = "../../../modules/project"
- count = (
- local.billing_mode == "org" || var.billing_account.force_create.project == true ? 1 : 0
- )
- billing_account = var.billing_account.id
- name = var.resource_names["project-billing"]
- parent = coalesce(
- var.project_parent_ids.billing, "organizations/${var.organization.id}"
- )
- prefix = var.prefix
- universe = var.universe
- contacts = (
- var.bootstrap_user != null || var.essential_contacts == null
- ? {}
- : { (var.essential_contacts) = ["ALL"] }
- )
- iam = {
- "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
- "roles/viewer" = [module.automation-tf-bootstrap-r-sa.iam_email]
- }
- services = [
- # "cloudresourcemanager.googleapis.com",
- # "iam.googleapis.com",
- # "serviceusage.googleapis.com",
- "bigquery.googleapis.com",
- "bigquerydatatransfer.googleapis.com",
- "storage.googleapis.com"
- ]
-}
-
-module "billing-export-dataset" {
- source = "../../../modules/bigquery-dataset"
- count = (
- local.billing_mode == "org" || var.billing_account.force_create.dataset == true ? 1 : 0
- )
- project_id = module.billing-export-project[0].project_id
- id = var.resource_names["bq-billing"]
- friendly_name = "Billing export."
- location = local.locations.bq
-}
-
-# standalone billing account
-
-module "billing-account-logbucket" {
- source = "../../../modules/logging-bucket"
- count = local.billing_mode == "resource" && var.billing_account.force_create.log_bucket ? 1 : 0
- parent_type = "project"
- parent = module.log-export-project.project_id
- name = "billing-account"
- location = local.locations.logging
- log_analytics = { enable = true }
- # org-level logging settings ready before we create any logging buckets
- depends_on = [module.organization-logging]
-}
-
-module "billing-account" {
- source = "../../../modules/billing-account"
- count = local.billing_mode == "resource" ? 1 : 0
- id = var.billing_account.id
- iam_bindings_additive = local.billing_iam_bindings_additive
- logging_sinks = !var.billing_account.force_create.log_bucket ? {} : {
- billing_bucket_log_sink = {
- destination = module.billing-account-logbucket[0].id
- type = "logging"
- description = "billing-account sink (Terraform-managed)."
- }
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/cicd.tf b/fast/stages/0-bootstrap-legacy/cicd.tf
deleted file mode 100644
index 1c2771c45..000000000
--- a/fast/stages/0-bootstrap-legacy/cicd.tf
+++ /dev/null
@@ -1,127 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD locals and resources.
-
-locals {
- _cicd_configs = merge(
- # stages
- {
- for k, v in var.cicd_config : k => merge(v, {
- level = k == "bootstrap" ? 0 : 1
- stage = k
- }) if v != null
- },
- # addons
- {
- for k, v in var.fast_addon : k => merge(v.cicd_config, {
- level = 1
- stage = substr(v.parent_stage, 2, -1)
- }) if v.cicd_config != null
- }
- )
- cicd_providers = {
- for k, v in google_iam_workload_identity_pool_provider.default :
- k => {
- audiences = concat(
- v.oidc[0].allowed_audiences,
- ["https://iam.googleapis.com/${v.name}"]
- )
- issuer = local.workload_identity_providers[k].issuer
- issuer_uri = try(v.oidc[0].issuer_uri, null)
- name = v.name
- principal_branch = local.workload_identity_providers[k].principal_branch
- principal_repo = local.workload_identity_providers[k].principal_repo
- }
- }
- cicd_repositories = {
- for k, v in local._cicd_configs : k => v if(
- contains(keys(local.workload_identity_providers), v.identity_provider) &&
- fileexists("${path.module}/templates/workflow-${v.repository.type}.yaml")
- )
- }
- cicd_workflow_providers = merge(
- {
- for k, v in local.cicd_repositories :
- k => "${v.level}-${k}-providers.tf"
- },
- {
- for k, v in local.cicd_repositories :
- "${k}-r" => "${v.level}-${k}-r-providers.tf"
- }
- )
-}
-
-# SAs used by CI/CD workflows to impersonate automation SAs
-
-module "automation-tf-cicd-sa" {
- source = "../../../modules/iam-service-account"
- for_each = local.cicd_repositories
- project_id = module.automation-project.project_id
- name = templatestring(
- var.resource_names["sa-cicd_template"], { key = each.key }
- )
- display_name = "Terraform CI/CD ${each.key} service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.repository.branch == null
- ? format(
- local.workload_identity_providers_defs[each.value.repository.type].principal_repo,
- google_iam_workload_identity_pool.default[0].name,
- each.value.repository.name
- )
- : format(
- local.workload_identity_providers_defs[each.value.repository.type].principal_branch,
- google_iam_workload_identity_pool.default[0].name,
- each.value.repository.name,
- each.value.repository.branch
- )
- ]
- }
- iam_project_roles = {
- (module.automation-project.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (module.automation-tf-output-gcs.name) = ["roles/storage.objectViewer"]
- }
-}
-
-module "automation-tf-cicd-r-sa" {
- source = "../../../modules/iam-service-account"
- for_each = local.cicd_repositories
- project_id = module.automation-project.project_id
- name = templatestring(
- var.resource_names["sa-cicd_template_ro"], { key = each.key }
- )
- display_name = "Terraform CI/CD ${each.key} service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.workload_identity_providers_defs[each.value.repository.type].principal_repo,
- google_iam_workload_identity_pool.default[0].name,
- each.value.repository.name
- )
- ]
- }
- iam_project_roles = {
- (module.automation-project.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (module.automation-tf-output-gcs.name) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-constraints/accesscontextmanager.yaml b/fast/stages/0-bootstrap-legacy/data/custom-constraints/accesscontextmanager.yaml
deleted file mode 100644
index 4c7e59fdc..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-constraints/accesscontextmanager.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/org-policy-custom-constraint.schema.json
-
-custom.denyBridgePerimeters:
- resource_types:
- - accesscontextmanager.googleapis.com/ServicePerimeter
- method_types:
- - CREATE
- - UPDATE
- condition: "resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'"
- action_type: DENY
- display_name: Disable perimeter bridges
- description: Disables the use of perimeter bridges. Instead, use ingress and egress rules.
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-constraints/gke.yaml b/fast/stages/0-bootstrap-legacy/data/custom-constraints/gke.yaml
deleted file mode 100644
index 5420d9685..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-constraints/gke.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policy-custom-constraint.schema.json
-
-# custom.disableKubeletReadOnlyPort:
-# resource_types:
-# - container.googleapis.com/Cluster
-# method_types:
-# - CREATE
-# - UPDATE
-# condition: resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled == true
-# action_type: DENY
-# display_name: Disable Kubelet Read-Only Port 10255
-# description: Disallows the use of Kubelet read-only port 10255 to enhance security
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/billing_viewer.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/billing_viewer.yaml
deleted file mode 100644
index a80fa7f5c..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/billing_viewer.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: billingViewer
-includedPermissions:
-- billing.accounts.get
-- billing.accounts.getIamPolicy
-- billing.accounts.getSpendingInformation
-- billing.accounts.getUsageExportSpec
-- billing.accounts.list
-- billing.budgets.get
-- billing.budgets.list
-- billing.budgets.update
-- billing.credits.list
-- billing.resourceAssociations.list
-- recommender.costInsights.get
-- recommender.costInsights.list
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/dns_zone_binder.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/dns_zone_binder.yaml
deleted file mode 100644
index 0a8d96857..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/dns_zone_binder.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: dnsZoneBinder
-includedPermissions:
- - dns.networks.bindPrivateDNSZone
\ No newline at end of file
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/gcve_network_admin.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/gcve_network_admin.yaml
deleted file mode 100644
index 3f7213da0..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/gcve_network_admin.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: gcveNetworkAdmin
-includedPermissions:
- - vmwareengine.networkPeerings.create
- - vmwareengine.networkPeerings.delete
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/gcve_network_viewer.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/gcve_network_viewer.yaml
deleted file mode 100644
index f2ee44789..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/gcve_network_viewer.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: gcveNetworkViewer
-includedPermissions:
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/kms_key_encryption_admin.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/kms_key_encryption_admin.yaml
deleted file mode 100644
index d24480e41..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/kms_key_encryption_admin.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: kmsKeyEncryptionAdmin
-includedPermissions:
- - cloudkms.cryptoKeyVersions.get
- - cloudkms.cryptoKeyVersions.list
- - cloudkms.cryptoKeys.get
- - cloudkms.cryptoKeys.getIamPolicy
- - cloudkms.cryptoKeys.list
- - cloudkms.cryptoKeys.setIamPolicy
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/kms_key_viewer.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/kms_key_viewer.yaml
deleted file mode 100644
index 71eb905fe..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/kms_key_viewer.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: kmsKeyViewer
-includedPermissions:
- - cloudkms.cryptoKeyVersions.get
- - cloudkms.cryptoKeyVersions.list
- - cloudkms.cryptoKeys.get
- - cloudkms.cryptoKeys.getIamPolicy
- - cloudkms.cryptoKeys.list
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/network_firewall_policies_admin.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/network_firewall_policies_admin.yaml
deleted file mode 100644
index 457bef64d..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/network_firewall_policies_admin.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: networkFirewallPoliciesAdmin
-includedPermissions:
- - compute.networks.setFirewallPolicy
- - networksecurity.firewallEndpointAssociations.create
- - networksecurity.firewallEndpointAssociations.delete
- - networksecurity.firewallEndpointAssociations.get
- - networksecurity.firewallEndpointAssociations.list
- - networksecurity.firewallEndpointAssociations.update
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/ngfw_enterprise_admin.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/ngfw_enterprise_admin.yaml
deleted file mode 100644
index 007c7426f..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/ngfw_enterprise_admin.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: ngfwEnterpriseAdmin
-includedPermissions:
- - networksecurity.firewallEndpoints.create
- - networksecurity.firewallEndpoints.delete
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.update
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.cancel
- - networksecurity.operations.delete
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.create
- - networksecurity.securityProfileGroups.delete
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.update
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.create
- - networksecurity.securityProfiles.delete
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.update
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.create
- - networksecurity.tlsInspectionPolicies.delete
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.update
- - networksecurity.tlsInspectionPolicies.use
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/ngfw_enterprise_viewer.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/ngfw_enterprise_viewer.yaml
deleted file mode 100644
index 73e560d78..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/ngfw_enterprise_viewer.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: ngfwEnterpriseViewer
-includedPermissions:
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.use
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/organization_admin_viewer.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/organization_admin_viewer.yaml
deleted file mode 100644
index 755fe1a18..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/organization_admin_viewer.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-# this is used by the plan-only admin SA
-
-name: organizationAdminViewer
-includedPermissions:
- - essentialcontacts.contacts.get
- - essentialcontacts.contacts.list
- - logging.settings.get
- - orgpolicy.constraints.list
- - orgpolicy.policies.list
- - orgpolicy.policy.get
- - resourcemanager.folders.get
- - resourcemanager.folders.getIamPolicy
- - resourcemanager.folders.list
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.projects.get
- - resourcemanager.projects.getIamPolicy
- - resourcemanager.projects.list
- - storage.buckets.getIamPolicy
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/organization_iam_admin.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/organization_iam_admin.yaml
deleted file mode 100644
index 8b1df2d9a..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/organization_iam_admin.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-# this is needed for use in additive IAM bindings, to avoid conflicts
-
-name: organizationIamAdmin
-includedPermissions:
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.organizations.setIamPolicy
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/project_iam_viewer.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/project_iam_viewer.yaml
deleted file mode 100644
index 2f268aa11..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/project_iam_viewer.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-# this is used by the plan-only admin SA
-
-name: projectIamViewer
-includedPermissions:
-- iam.policybindings.get
-- iam.policybindings.list
-- resourcemanager.projects.get
-- resourcemanager.projects.getIamPolicy
-- resourcemanager.projects.searchPolicyBindings
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/service_project_network_admin.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/service_project_network_admin.yaml
deleted file mode 100644
index 83e3b3a31..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/service_project_network_admin.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: serviceProjectNetworkAdmin
-includedPermissions:
- - compute.globalOperations.get
- # compute.networks.updatePeering and compute.networks.get are
- # used by automation service accounts who manage service
- # projects where peering creation might be needed (e.g. GKE). If
- # you remove them your network administrators should create
- # peerings for service projects
- - compute.networks.updatePeering
- - compute.networks.get
- - compute.organizations.disableXpnResource
- - compute.organizations.enableXpnResource
- - compute.projects.get
- - compute.subnetworks.getIamPolicy
- - compute.subnetworks.setIamPolicy
- - dns.networks.bindPrivateDNSZone
- - resourcemanager.projects.get
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/storage_viewer.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/storage_viewer.yaml
deleted file mode 100644
index 59522313d..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/storage_viewer.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-# the following permissions are a descoped version of storage.admin
-
-name: storageViewer
-includedPermissions:
- - storage.buckets.get
- - storage.buckets.getIamPolicy
- - storage.buckets.getObjectInsights
- - storage.buckets.list
- - storage.buckets.listEffectiveTags
- - storage.buckets.listTagBindings
- - storage.managedFolders.get
- - storage.managedFolders.getIamPolicy
- - storage.managedFolders.list
- - storage.multipartUploads.list
- - storage.multipartUploads.listParts
- - storage.objects.get
- - storage.objects.getIamPolicy
- - storage.objects.list
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/tag_viewer.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/tag_viewer.yaml
deleted file mode 100644
index 247e6d641..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/tag_viewer.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-# the following permissions are a descoped version of tagAdm
-
-name: tagViewer
-includedPermissions:
- - resourcemanager.tagHolds.list
- - resourcemanager.tagKeys.get
- - resourcemanager.tagKeys.getIamPolicy
- - resourcemanager.tagKeys.list
- - resourcemanager.tagValues.get
- - resourcemanager.tagValues.getIamPolicy
- - resourcemanager.tagValues.list
diff --git a/fast/stages/0-bootstrap-legacy/data/custom-roles/tenant_network_admin.yaml b/fast/stages/0-bootstrap-legacy/data/custom-roles/tenant_network_admin.yaml
deleted file mode 100644
index a07df2a06..000000000
--- a/fast/stages/0-bootstrap-legacy/data/custom-roles/tenant_network_admin.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: tenantNetworkAdmin
-includedPermissions:
- - compute.globalOperations.get
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-iac/compute.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-iac/compute.yaml
deleted file mode 100644
index ffdcc7e9c..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-iac/compute.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-compute.skipDefaultNetworkCreation:
- rules:
- - enforce: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-iac/iam.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-iac/iam.yaml
deleted file mode 100644
index b88458e49..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-iac/iam.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-iam.automaticIamGrantsForDefaultServiceAccounts:
- rules:
- - enforce: true
-
-iam.disableServiceAccountKeyCreation:
- rules:
- - enforce: true
-
-iam.workloadIdentityPoolProviders:
- rules:
- - allow:
- values:
- - https://token.actions.githubusercontent.com
- - https://gitlab.com
- - https://app.terraform.io
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/accesscontextmanager.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/accesscontextmanager.yaml
deleted file mode 100644
index 4ae43a1d1..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/accesscontextmanager.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-custom.denyBridgePerimeters:
- rules:
- - enforce: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/cloudbuild.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/cloudbuild.yaml
deleted file mode 100644
index 8e463fbbc..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/cloudbuild.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-compute.disableGuestAttributesAccess:
- rules:
- - enforce: true
-
-cloudbuild.disableCreateDefaultServiceAccount:
- rules:
- - enforce: true
-
-cloudbuild.useBuildServiceAccount:
- rules:
- - enforce: true
-
-cloudbuild.useComputeServiceAccount:
- rules:
- - enforce: true
-
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/compute.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/compute.yaml
deleted file mode 100644
index 2790a9b0a..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/compute.yaml
+++ /dev/null
@@ -1,141 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-compute.disableInternetNetworkEndpointGroup:
- rules:
- - enforce: true
-
-compute.disableGuestAttributesAccess:
- rules:
- - enforce: true
-
-compute.disableNestedVirtualization:
- rules:
- - enforce: true
-
-compute.disableSerialPortAccess:
- rules:
- - enforce: true
-
-compute.disableVpcExternalIpv6:
- rules:
- - enforce: true
-
-compute.requireOsLogin:
- rules:
- - enforce: true
-
-compute.restrictLoadBalancerCreationForTypes:
- rules:
- - allow:
- values:
- - in:INTERNAL
-
-compute.skipDefaultNetworkCreation:
- rules:
- - enforce: true
-
-compute.setNewProjectDefaultToZonalDNSOnly:
- rules:
- - enforce: true
-
-# only allow GCP images by default
-compute.trustedImageProjects:
- rules:
- - allow:
- values:
- - "is:projects/centos-cloud"
- - "is:projects/cos-cloud"
- - "is:projects/debian-cloud"
- - "is:projects/fedora-cloud"
- - "is:projects/fedora-coreos-cloud"
- - "is:projects/opensuse-cloud"
- - "is:projects/rhel-cloud"
- - "is:projects/rhel-sap-cloud"
- - "is:projects/rocky-linux-cloud"
- - "is:projects/suse-cloud"
- - "is:projects/suse-sap-cloud"
- - "is:projects/ubuntu-os-cloud"
- - "is:projects/ubuntu-os-pro-cloud"
- - "is:projects/windows-cloud"
- - "is:projects/windows-sql-cloud"
- - "is:projects/confidential-vm-images"
- - "is:projects/backupdr-images"
- - "is:projects/deeplearning-platform-release"
- - "is:projects/serverless-vpc-access-images"
-
-compute.vmExternalIpAccess:
- rules:
- - deny:
- all: true
-
-# compute.disableInternetNetworkEndpointGroup:
-# rules:
-# - enforce: true
-
-# compute.restrictCloudNATUsage:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictDedicatedInterconnectUsage:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictPartnerInterconnectUsage:
-# rules:
-# - deny:
-# all: true
-
-compute.managed.restrictProtocolForwardingCreationForTypes:
- rules:
- - enforce: true
- parameters: |
- {"allowedSchemes": ["INTERNAL"]}
-
-# compute.restrictSharedVpcHostProjects:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictSharedVpcSubnetworks:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictVpcPeering:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictVpnPeerIPs:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictXpnProjectLienRemoval:
-# rules:
-# - enforce: true
-
-# compute.vmCanIpForward:
-# rules:
-# - deny:
-# all: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/essentialcontacts.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/essentialcontacts.yaml
deleted file mode 100644
index 00dbc5083..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/essentialcontacts.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-essentialcontacts.allowedContactDomains:
- rules:
- - allow:
- values:
- - '@${organization.domain}'
- condition:
- title: Restrict essential contacts domains
- expression: |
- !resource.matchTag('${tags.org_policies_tag_name}', 'allowed-essential-contacts-domains-all')
- - allow:
- all: true
- condition:
- title: Allow essential contacts from any domain
- expression: |
- resource.matchTag('${tags.org_policies_tag_name}', 'allowed-essential-contacts-domains-all')
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/gcp.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/gcp.yaml
deleted file mode 100644
index 534ff4b7b..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/gcp.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-gcp.resourceLocations:
- rules:
- - allow:
- all: true
-# - allow:
-# values:
-# - "in:europe-locations"
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/gke.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/gke.yaml
deleted file mode 100644
index 01a883724..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/gke.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-# custom.disableKubeletReadOnlyPort:
-# rules:
-# - enforce: true
-
-container.managed.enablePrivateNodes:
- rules:
- - enforce: true
-
-# container.managed.enableControlPlaneDNSOnlyAccess:
-# rules:
-# - enforce: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/iam.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/iam.yaml
deleted file mode 100644
index d122b661c..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/iam.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-iam.managed.allowedPolicyMembers:
- rules:
- - enforce: false
- condition:
- title: Allow any member domain
- expression: |
- resource.matchTag('${tags.org_policies_tag_name}', 'allowed-policy-member-domains-all')
-
- - enforce: true
- parameters: >-
- {
- "allowedPrincipalSets": [
- "//cloudresourcemanager.googleapis.com/organizations/${organization.id}"
- ]
- }
-
-iam.disableAuditLoggingExemption:
- rules:
- - enforce: true
-
-iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts:
- rules:
- - enforce: true
-
-iam.managed.disableServiceAccountKeyCreation:
- rules:
- - enforce: true
-
-iam.managed.disableServiceAccountKeyUpload:
- rules:
- - enforce: true
-
-iam.managed.disableServiceAccountApiKeyCreation:
- rules:
- - enforce: true
-
-iam.serviceAccountKeyExposureResponse:
- rules:
- - allow:
- values:
- - is:DISABLE_KEY
-
-iam.workloadIdentityPoolAwsAccounts:
- rules:
- - deny:
- all: true
-
-iam.workloadIdentityPoolProviders:
- rules:
- - deny:
- all: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/serverless.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/serverless.yaml
deleted file mode 100644
index 85ed3553f..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/serverless.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-run.allowedIngress:
- rules:
- - allow:
- values:
- - is:internal-and-cloud-load-balancing
-
-run.managed.requireInvokerIam:
- rules:
- - enforce: true
-
-# run.allowedVPCEgress:
-# rules:
-# - allow:
-# values:
-# - is:private-ranges-only
-
-# cloudfunctions.allowedIngressSettings:
-# rules:
-# - allow:
-# values:
-# - is:ALLOW_INTERNAL_ONLY
-
-# cloudfunctions.allowedVpcConnectorEgressSettings:
-# rules:
-# - allow:
-# values:
-# - is:PRIVATE_RANGES_ONLY
-
-# cloudfunctions.requireVPCConnector:
-# rules:
-# - enforce: true
-
-# cloudfunctions.restrictAllowedGenerations:
-# rules:
-# - allow:
-# values:
-# - is:2ndGen
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/sql.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/sql.yaml
deleted file mode 100644
index d0fca4c65..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/sql.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-sql.restrictAuthorizedNetworks:
- rules:
- - enforce: true
-
-sql.restrictPublicIp:
- rules:
- - enforce: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/storage.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies-managed/storage.yaml
deleted file mode 100644
index ca1a6cecb..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies-managed/storage.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-storage.uniformBucketLevelAccess:
- rules:
- - enforce: true
-
-storage.publicAccessPrevention:
- rules:
- - enforce: true
-
-storage.secureHttpTransport:
- rules:
- - enforce: true
-
-storage.restrictAuthTypes:
- rules:
- - deny:
- values:
- - in:ALL_HMAC_SIGNED_REQUESTS
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/accesscontextmanager.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/accesscontextmanager.yaml
deleted file mode 100644
index 4ae43a1d1..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/accesscontextmanager.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-custom.denyBridgePerimeters:
- rules:
- - enforce: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/cloudbuild.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/cloudbuild.yaml
deleted file mode 100644
index 8e463fbbc..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/cloudbuild.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-compute.disableGuestAttributesAccess:
- rules:
- - enforce: true
-
-cloudbuild.disableCreateDefaultServiceAccount:
- rules:
- - enforce: true
-
-cloudbuild.useBuildServiceAccount:
- rules:
- - enforce: true
-
-cloudbuild.useComputeServiceAccount:
- rules:
- - enforce: true
-
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/compute.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/compute.yaml
deleted file mode 100644
index d27fe3937..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/compute.yaml
+++ /dev/null
@@ -1,146 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-compute.disableGuestAttributesAccess:
- rules:
- - enforce: true
-
-compute.disableInternetNetworkEndpointGroup:
- rules:
- - enforce: true
-
-compute.disableNestedVirtualization:
- rules:
- - enforce: true
-
-compute.disableSerialPortAccess:
- rules:
- - enforce: true
-
-compute.disableVpcExternalIpv6:
- rules:
- - enforce: true
-
-compute.requireOsLogin:
- rules:
- - enforce: true
-
-compute.restrictLoadBalancerCreationForTypes:
- rules:
- - allow:
- values:
- - in:INTERNAL
-
-compute.skipDefaultNetworkCreation:
- rules:
- - enforce: true
-
-compute.setNewProjectDefaultToZonalDNSOnly:
- rules:
- - enforce: true
-
-# only allow GCP images by default
-compute.trustedImageProjects:
- rules:
- - allow:
- values:
- - "is:projects/centos-cloud"
- - "is:projects/cos-cloud"
- - "is:projects/debian-cloud"
- - "is:projects/fedora-cloud"
- - "is:projects/fedora-coreos-cloud"
- - "is:projects/opensuse-cloud"
- - "is:projects/rhel-cloud"
- - "is:projects/rhel-sap-cloud"
- - "is:projects/rocky-linux-cloud"
- - "is:projects/suse-cloud"
- - "is:projects/suse-sap-cloud"
- - "is:projects/ubuntu-os-cloud"
- - "is:projects/ubuntu-os-pro-cloud"
- - "is:projects/windows-cloud"
- - "is:projects/windows-sql-cloud"
- - "is:projects/confidential-vm-images"
- - "is:projects/confidential-space-images"
- - "is:projects/backupdr-images"
- - "is:projects/deeplearning-platform-release"
- - "is:projects/serverless-vpc-access-images"
- - "is:projects/gke-node-images"
- - "is:projects/gke-windows-node-images"
- - "is:projects/ubuntu-os-gke-cloud"
-
-
-compute.vmExternalIpAccess:
- rules:
- - deny:
- all: true
-
-# compute.disableInternetNetworkEndpointGroup:
-# rules:
-# - enforce: true
-
-# compute.restrictCloudNATUsage:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictDedicatedInterconnectUsage:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictPartnerInterconnectUsage:
-# rules:
-# - deny:
-# all: true
-
-compute.restrictProtocolForwardingCreationForTypes:
- rules:
- - allow:
- values:
- - is:INTERNAL
-
-# compute.restrictSharedVpcHostProjects:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictSharedVpcSubnetworks:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictVpcPeering:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictVpnPeerIPs:
-# rules:
-# - deny:
-# all: true
-
-# compute.restrictXpnProjectLienRemoval:
-# rules:
-# - enforce: true
-
-# compute.vmCanIpForward:
-# rules:
-# - deny:
-# all: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/essentialcontacts.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/essentialcontacts.yaml
deleted file mode 100644
index 00dbc5083..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/essentialcontacts.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-essentialcontacts.allowedContactDomains:
- rules:
- - allow:
- values:
- - '@${organization.domain}'
- condition:
- title: Restrict essential contacts domains
- expression: |
- !resource.matchTag('${tags.org_policies_tag_name}', 'allowed-essential-contacts-domains-all')
- - allow:
- all: true
- condition:
- title: Allow essential contacts from any domain
- expression: |
- resource.matchTag('${tags.org_policies_tag_name}', 'allowed-essential-contacts-domains-all')
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/gcp.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/gcp.yaml
deleted file mode 100644
index 534ff4b7b..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/gcp.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-gcp.resourceLocations:
- rules:
- - allow:
- all: true
-# - allow:
-# values:
-# - "in:europe-locations"
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/gke.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/gke.yaml
deleted file mode 100644
index 01a883724..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/gke.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-# custom.disableKubeletReadOnlyPort:
-# rules:
-# - enforce: true
-
-container.managed.enablePrivateNodes:
- rules:
- - enforce: true
-
-# container.managed.enableControlPlaneDNSOnlyAccess:
-# rules:
-# - enforce: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/iam.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/iam.yaml
deleted file mode 100644
index 54edbaf89..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/iam.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-iam.allowedPolicyMemberDomains:
- rules:
- - allow:
- values:
- - is:${organization.customer_id}
- condition:
- title: Restrict member domains
- expression: |
- !resource.matchTag('${tags.org_policies_tag_name}', 'allowed-policy-member-domains-all')
- - allow:
- all: true
- condition:
- title: Allow any member domain
- expression: |
- resource.matchTag('${tags.org_policies_tag_name}', 'allowed-policy-member-domains-all')
-
-iam.disableAuditLoggingExemption:
- rules:
- - enforce: true
-
-iam.automaticIamGrantsForDefaultServiceAccounts:
- rules:
- - enforce: true
-
-iam.disableServiceAccountKeyCreation:
- rules:
- - enforce: true
-
-iam.disableServiceAccountKeyUpload:
- rules:
- - enforce: true
-
-iam.managed.disableServiceAccountApiKeyCreation:
- rules:
- - enforce: true
-
-iam.serviceAccountKeyExposureResponse:
- rules:
- - allow:
- values:
- - is:DISABLE_KEY
-
-iam.workloadIdentityPoolAwsAccounts:
- rules:
- - deny:
- all: true
-
-iam.workloadIdentityPoolProviders:
- rules:
- - deny:
- all: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/serverless.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/serverless.yaml
deleted file mode 100644
index 85ed3553f..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/serverless.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-run.allowedIngress:
- rules:
- - allow:
- values:
- - is:internal-and-cloud-load-balancing
-
-run.managed.requireInvokerIam:
- rules:
- - enforce: true
-
-# run.allowedVPCEgress:
-# rules:
-# - allow:
-# values:
-# - is:private-ranges-only
-
-# cloudfunctions.allowedIngressSettings:
-# rules:
-# - allow:
-# values:
-# - is:ALLOW_INTERNAL_ONLY
-
-# cloudfunctions.allowedVpcConnectorEgressSettings:
-# rules:
-# - allow:
-# values:
-# - is:PRIVATE_RANGES_ONLY
-
-# cloudfunctions.requireVPCConnector:
-# rules:
-# - enforce: true
-
-# cloudfunctions.restrictAllowedGenerations:
-# rules:
-# - allow:
-# values:
-# - is:2ndGen
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/sql.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/sql.yaml
deleted file mode 100644
index d0fca4c65..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/sql.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-sql.restrictAuthorizedNetworks:
- rules:
- - enforce: true
-
-sql.restrictPublicIp:
- rules:
- - enforce: true
diff --git a/fast/stages/0-bootstrap-legacy/data/org-policies/storage.yaml b/fast/stages/0-bootstrap-legacy/data/org-policies/storage.yaml
deleted file mode 100644
index ca1a6cecb..000000000
--- a/fast/stages/0-bootstrap-legacy/data/org-policies/storage.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-# sample subset of useful organization policies, edit to suit requirements
-# start of document (---) avoids errors if the file only contains comments
-
-# yaml-language-server: $schema=../../schemas/org-policies.schema.json
-
-storage.uniformBucketLevelAccess:
- rules:
- - enforce: true
-
-storage.publicAccessPrevention:
- rules:
- - enforce: true
-
-storage.secureHttpTransport:
- rules:
- - enforce: true
-
-storage.restrictAuthTypes:
- rules:
- - deny:
- values:
- - in:ALL_HMAC_SIGNED_REQUESTS
diff --git a/fast/stages/0-bootstrap-legacy/diagram.png b/fast/stages/0-bootstrap-legacy/diagram.png
deleted file mode 100644
index d5cff6b30..000000000
Binary files a/fast/stages/0-bootstrap-legacy/diagram.png and /dev/null differ
diff --git a/fast/stages/0-bootstrap-legacy/fast_version.txt b/fast/stages/0-bootstrap-legacy/fast_version.txt
deleted file mode 100644
index ba9053698..000000000
--- a/fast/stages/0-bootstrap-legacy/fast_version.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# FAST release: v44.2.0
\ No newline at end of file
diff --git a/fast/stages/0-bootstrap-legacy/groups.gif b/fast/stages/0-bootstrap-legacy/groups.gif
deleted file mode 100644
index 0744cb099..000000000
Binary files a/fast/stages/0-bootstrap-legacy/groups.gif and /dev/null differ
diff --git a/fast/stages/0-bootstrap-legacy/identity-providers-wfif-defs.tf b/fast/stages/0-bootstrap-legacy/identity-providers-wfif-defs.tf
deleted file mode 100644
index f4d6b3029..000000000
--- a/fast/stages/0-bootstrap-legacy/identity-providers-wfif-defs.tf
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Workforce Identity provider definitions.
-
-locals {
- workforce_identity_providers_defs = {
- azuread = {
- attribute_mapping = {
- "google.subject" = "assertion.subject"
- "google.display_name" = "assertion.attributes.userprincipalname[0]"
- "google.groups" = "assertion.attributes.groups"
- "attribute.first_name" = "assertion.attributes.givenname[0]"
- "attribute.last_name" = "assertion.attributes.surname[0]"
- "attribute.user_email" = "assertion.attributes.mail[0]"
- }
- }
- okta = {
- attribute_mapping = {
- "google.subject" = "assertion.subject"
- "google.display_name" = "assertion.subject"
- "google.groups" = "assertion.attributes.groups"
- "attribute.first_name" = "assertion.attributes.firstName[0]"
- "attribute.last_name" = "assertion.attributes.lastName[0]"
- "attribute.user_email" = "assertion.attributes.email[0]"
- }
- }
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/identity-providers-wfif.tf b/fast/stages/0-bootstrap-legacy/identity-providers-wfif.tf
deleted file mode 100644
index fa6a07fad..000000000
--- a/fast/stages/0-bootstrap-legacy/identity-providers-wfif.tf
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Workforce Identity Federation provider definitions.
-
-locals {
- workforce_identity_providers = {
- for k, v in var.workforce_identity_providers : k => merge(
- v,
- lookup(local.workforce_identity_providers_defs, v.issuer, {})
- )
- }
-}
-
-resource "google_iam_workforce_pool" "default" {
- count = length(local.workforce_identity_providers) > 0 ? 1 : 0
- parent = "organizations/${var.organization.id}"
- location = "global"
- workforce_pool_id = templatestring(
- var.resource_names["wf-bootstrap"], { prefix = var.prefix }
- )
-}
-
-resource "google_iam_workforce_pool_provider" "default" {
- for_each = local.workforce_identity_providers
- attribute_condition = each.value.attribute_condition
- attribute_mapping = each.value.attribute_mapping
- description = each.value.description
- disabled = each.value.disabled
- display_name = each.value.display_name
- location = google_iam_workforce_pool.default[0].location
- provider_id = templatestring(var.resource_names["wf-provider_template"], {
- prefix = var.prefix
- key = each.key
- })
- workforce_pool_id = google_iam_workforce_pool.default[0].workforce_pool_id
- saml {
- idp_metadata_xml = each.value.saml.idp_metadata_xml
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/identity-providers-wlif-defs.tf b/fast/stages/0-bootstrap-legacy/identity-providers-wlif-defs.tf
deleted file mode 100644
index 8331281e4..000000000
--- a/fast/stages/0-bootstrap-legacy/identity-providers-wlif-defs.tf
+++ /dev/null
@@ -1,78 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Workload Identity provider definitions.
-
-locals {
- workload_identity_providers_defs = {
- # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
- github = {
- attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.sub" = "assertion.sub"
- "attribute.actor" = "assertion.actor"
- "attribute.repository" = "assertion.repository"
- "attribute.repository_owner" = "assertion.repository_owner"
- "attribute.ref" = "assertion.ref"
- "attribute.fast_sub" = "\"repo:\" + assertion.repository + \":ref:\" + assertion.ref"
- }
- issuer_uri = "https://token.actions.githubusercontent.com"
- principal_branch = "principalSet://iam.googleapis.com/%s/attribute.fast_sub/repo:%s:ref:refs/heads/%s"
- principal_repo = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
- }
- # https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
- gitlab = {
- attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.sub" = "assertion.sub"
- "attribute.environment" = "assertion.environment"
- "attribute.environment_protected" = "assertion.environment_protected"
- "attribute.namespace_id" = "assertion.namespace_id"
- "attribute.namespace_path" = "assertion.namespace_path"
- "attribute.pipeline_id" = "assertion.pipeline_id"
- "attribute.pipeline_source" = "assertion.pipeline_source"
- "attribute.project_id" = "assertion.project_id"
- "attribute.project_path" = "assertion.project_path"
- "attribute.repository" = "assertion.project_path"
- "attribute.ref" = "assertion.ref"
- "attribute.ref_protected" = "assertion.ref_protected"
- "attribute.ref_type" = "assertion.ref_type"
- }
- issuer_uri = "https://gitlab.com"
- principal_branch = "principalSet://iam.googleapis.com/%s/attribute.sub/project_path:%s:ref_type:branch:ref:%s"
- principal_repo = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
- }
- # https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens#token-structure
- terraform = {
- attribute_mapping = {
- "google.subject" = "assertion.terraform_workspace_id"
- "attribute.aud" = "assertion.aud"
- "attribute.terraform_run_phase" = "assertion.terraform_run_phase"
- "attribute.terraform_project_id" = "assertion.terraform_project_id"
- "attribute.terraform_project_name" = "assertion.terraform_project_name"
- "attribute.terraform_workspace_id" = "assertion.terraform_workspace_id"
- "attribute.terraform_workspace_name" = "assertion.terraform_workspace_name"
- "attribute.terraform_organization_id" = "assertion.terraform_organization_id"
- "attribute.terraform_organization_name" = "assertion.terraform_organization_name"
- "attribute.terraform_run_id" = "assertion.terraform_run_id"
- "attribute.terraform_full_workspace" = "assertion.terraform_full_workspace"
- }
- issuer_uri = "https://app.terraform.io"
- principal_branch = "principalSet://iam.googleapis.com/%s/attribute.terraform_workspace_id/%s"
- principal_repo = "principalSet://iam.googleapis.com/%s/attribute.terraform_project_id/%s"
- }
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/identity-providers-wlif.tf b/fast/stages/0-bootstrap-legacy/identity-providers-wlif.tf
deleted file mode 100644
index 41458d7f4..000000000
--- a/fast/stages/0-bootstrap-legacy/identity-providers-wlif.tf
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Workload Identity Federation provider definitions.
-
-locals {
- workload_identity_providers = {
- for k, v in var.workload_identity_providers : k => merge(
- v,
- lookup(local.workload_identity_providers_defs, v.issuer, {})
- )
- }
-}
-
-resource "google_iam_workload_identity_pool" "default" {
- provider = google-beta
- count = length(local.workload_identity_providers) > 0 ? 1 : 0
- project = module.automation-project.project_id
- workload_identity_pool_id = templatestring(
- var.resource_names["wif-bootstrap"], { prefix = var.prefix }
- )
-}
-
-resource "google_iam_workload_identity_pool_provider" "default" {
- provider = google-beta
- for_each = local.workload_identity_providers
- project = module.automation-project.project_id
- workload_identity_pool_id = (
- google_iam_workload_identity_pool.default[0].workload_identity_pool_id
- )
- workload_identity_pool_provider_id = templatestring(
- var.resource_names["wif-provider_template"], {
- prefix = var.prefix
- key = each.key
- })
- attribute_condition = each.value.attribute_condition
- attribute_mapping = each.value.attribute_mapping
- oidc {
- # Setting an empty list configures allowed_audiences to the url of the provider
- allowed_audiences = each.value.custom_settings.audiences
- # If users don't provide an issuer_uri, we set the public one for the platform chosen.
- issuer_uri = (
- each.value.custom_settings.issuer_uri != null
- ? each.value.custom_settings.issuer_uri
- : try(each.value.issuer_uri, null)
- )
- # OIDC JWKs in JSON String format. If no value is provided, they key is
- # fetched from the `.well-known` path for the issuer_uri
- jwks_json = each.value.custom_settings.jwks_json
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/log-export.tf b/fast/stages/0-bootstrap-legacy/log-export.tf
deleted file mode 100644
index c4eacc438..000000000
--- a/fast/stages/0-bootstrap-legacy/log-export.tf
+++ /dev/null
@@ -1,111 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Audit log project and sink.
-
-locals {
- log_sink_destinations = merge(
- {
- for k, v in var.log_sinks : k => {
- id = module.log-export-project.project_id
- } if v.type == "project"
- },
- # use the same dataset for all sinks with `bigquery` as destination
- {
- for k, v in var.log_sinks :
- k => module.log-export-dataset[0] if v.type == "bigquery"
- },
- # use the same gcs bucket for all sinks with `storage` as destination
- {
- for k, v in var.log_sinks :
- k => module.log-export-gcs[0] if v.type == "storage"
- },
- # use separate pubsub topics and logging buckets for sinks with
- # destination `pubsub` and `logging`
- module.log-export-pubsub,
- module.log-export-logbucket
- )
- log_types = toset([for k, v in var.log_sinks : v.type])
-}
-
-module "log-export-project" {
- source = "../../../modules/project"
- name = var.resource_names["project-logs"]
- parent = coalesce(
- var.project_parent_ids.logging, "organizations/${var.organization.id}"
- )
- prefix = var.prefix
- universe = var.universe
- billing_account = var.billing_account.id
- contacts = (
- var.bootstrap_user != null || var.essential_contacts == null
- ? {}
- : { (var.essential_contacts) = ["ALL"] }
- )
- iam = {
- "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
- "roles/viewer" = [module.automation-tf-bootstrap-r-sa.iam_email]
- }
- services = [
- # "cloudresourcemanager.googleapis.com",
- # "iam.googleapis.com",
- # "serviceusage.googleapis.com",
- "bigquery.googleapis.com",
- "storage.googleapis.com",
- "stackdriver.googleapis.com"
- ]
-}
-
-# one log export per type, with conditionals to skip those not needed
-
-module "log-export-dataset" {
- source = "../../../modules/bigquery-dataset"
- count = contains(local.log_types, "bigquery") ? 1 : 0
- project_id = module.log-export-project.project_id
- id = var.resource_names["bq-logs"]
- friendly_name = "Audit logs export."
- location = local.locations.bq
-}
-
-module "log-export-gcs" {
- source = "../../../modules/gcs"
- count = contains(local.log_types, "storage") ? 1 : 0
- project_id = module.log-export-project.project_id
- name = var.resource_names["gcs-logs"]
- prefix = var.prefix
- location = local.locations.gcs
-}
-
-module "log-export-logbucket" {
- source = "../../../modules/logging-bucket"
- for_each = toset([for k, v in var.log_sinks : k if v.type == "logging"])
- parent = module.log-export-project.project_id
- name = each.key
- location = local.locations.logging
- log_analytics = { enable = true }
- # org-level logging settings ready before we create any logging buckets
- depends_on = [module.organization-logging]
-}
-
-module "log-export-pubsub" {
- source = "../../../modules/pubsub"
- for_each = toset([for k, v in var.log_sinks : k if v.type == "pubsub"])
- project_id = module.log-export-project.project_id
- name = templatestring(
- var.resource_names["pubsub-logs_template"], { key = each.key }
- )
- regions = local.locations.pubsub
-}
diff --git a/fast/stages/0-bootstrap-legacy/main.tf b/fast/stages/0-bootstrap-legacy/main.tf
deleted file mode 100644
index c7ce07cf7..000000000
--- a/fast/stages/0-bootstrap-legacy/main.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- principals = {
- for k, v in var.groups : k => (
- can(regex("^[a-zA-Z]+:", v))
- ? v
- : "group:${v}@${var.organization.domain}"
- )
- }
- locations = {
- bq = var.locations.bq
- gcs = var.locations.gcs
- logging = var.locations.logging
- pubsub = var.locations.pubsub
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/organization-iam.tf b/fast/stages/0-bootstrap-legacy/organization-iam.tf
deleted file mode 100644
index 1d2a74261..000000000
--- a/fast/stages/0-bootstrap-legacy/organization-iam.tf
+++ /dev/null
@@ -1,215 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Organization-level IAM bindings locals.
-
-locals {
- # IAM roles in the org to reset (remove principals)
- iam_delete_roles = [
- "roles/billing.creator"
- ]
- # domain IAM bindings
- iam_domain_bindings = var.organization.domain == null ? {} : {
- "domain:${var.organization.domain}" = {
- authoritative = ["roles/browser"]
- additive = []
- }
- }
- # human (groups) IAM bindings
- iam_principal_bindings = {
- (local.principals.gcp-billing-admins) = {
- authoritative = []
- additive = (
- local.billing_mode != "org" ? [] : [
- "roles/billing.admin"
- ]
- )
- }
- (local.principals.gcp-network-admins) = {
- authoritative = [
- "roles/cloudasset.owner",
- "roles/cloudsupport.techSupportEditor",
- ]
- additive = [
- "roles/compute.orgFirewallPolicyAdmin",
- "roles/compute.xpnAdmin"
- ]
- }
- (local.principals.gcp-organization-admins) = {
- authoritative = [
- "roles/cloudasset.owner",
- "roles/cloudsupport.admin",
- "roles/compute.osAdminLogin",
- "roles/compute.osLoginExternalUser",
- "roles/owner",
- "roles/resourcemanager.folderAdmin",
- "roles/resourcemanager.organizationAdmin",
- "roles/resourcemanager.projectCreator",
- "roles/resourcemanager.tagAdmin",
- ]
- additive = concat(
- [
- "roles/iam.workforcePoolAdmin",
- "roles/orgpolicy.policyAdmin"
- ],
- local.billing_mode != "org" ? [] : [
- "roles/billing.admin"
- ]
- )
- }
- (local.principals.gcp-security-admins) = {
- authoritative = [
- "roles/cloudasset.owner",
- "roles/cloudsupport.techSupportEditor",
- "roles/iam.securityReviewer",
- "roles/logging.admin",
- "roles/securitycenter.admin",
- ]
- additive = [
- "roles/accesscontextmanager.policyAdmin",
- "roles/iam.organizationRoleAdmin",
- "roles/orgpolicy.policyAdmin"
- ]
- }
- (local.principals.gcp-support) = {
- authoritative = [
- "roles/cloudsupport.techSupportEditor",
- "roles/logging.viewer",
- "roles/monitoring.viewer",
- ]
- additive = []
- }
- }
- # machine (service accounts) IAM bindings, in logical format
- # the service account module's "magic" outputs allow us to use dynamic values
- iam_sa_bindings = {
- (module.automation-tf-bootstrap-sa.iam_email) = {
- authoritative = [
- "roles/essentialcontacts.admin",
- "roles/logging.admin",
- "roles/resourcemanager.organizationAdmin",
- "roles/resourcemanager.projectCreator",
- "roles/resourcemanager.projectMover",
- "roles/resourcemanager.tagAdmin"
- ]
- additive = concat(
- [
- "roles/iam.organizationRoleAdmin",
- "roles/iam.workforcePoolAdmin",
- "roles/orgpolicy.policyAdmin"
- ],
- local.billing_mode != "org" ? [] : [
- "roles/billing.admin"
- ]
- )
- }
- (module.automation-tf-bootstrap-r-sa.iam_email) = {
- authoritative = [
- "roles/essentialcontacts.viewer",
- "roles/logging.viewer",
- "roles/resourcemanager.folderViewer",
- "roles/resourcemanager.tagViewer"
- ]
- additive = concat(
- [
- # the organizationAdminViewer custom role is granted via the SA module
- "roles/iam.organizationRoleViewer",
- "roles/iam.workforcePoolViewer",
- "roles/orgpolicy.policyViewer"
- ],
- local.billing_mode != "org" ? [] : [
- "roles/billing.viewer"
- ]
- )
- }
- (module.automation-tf-resman-sa.iam_email) = {
- authoritative = [
- "roles/essentialcontacts.admin",
- "roles/logging.admin",
- "roles/resourcemanager.folderAdmin",
- "roles/resourcemanager.projectCreator",
- "roles/resourcemanager.tagAdmin",
- "roles/resourcemanager.tagUser"
- ]
- additive = concat(
- [
- "roles/accesscontextmanager.policyAdmin",
- "roles/orgpolicy.policyAdmin"
- ],
- local.billing_mode != "org" ? [] : [
- "roles/billing.admin"
- ]
- )
- }
- (module.automation-tf-resman-r-sa.iam_email) = {
- authoritative = [
- "roles/essentialcontacts.viewer",
- "roles/logging.viewer",
- "roles/resourcemanager.folderViewer",
- "roles/resourcemanager.tagViewer",
- "roles/serviceusage.serviceUsageViewer"
- ]
- additive = concat(
- [
- "roles/accesscontextmanager.policyReader",
- # the organizationAdminViewer custom role is granted via the SA module
- "roles/orgpolicy.policyViewer"
- ],
- local.billing_mode != "org" ? [] : [
- "roles/billing.viewer"
- ]
- )
- }
- (module.automation-tf-vpcsc-sa.iam_email) = {
- authoritative = []
- additive = [
- "roles/accesscontextmanager.policyAdmin",
- "roles/cloudasset.viewer"
- ]
- }
- (module.automation-tf-vpcsc-r-sa.iam_email) = {
- authoritative = []
- additive = [
- "roles/accesscontextmanager.policyReader",
- "roles/cloudasset.viewer"
- ]
- }
- }
- # Check if boostrap_user comes from WIF
- bootstrap_principal = var.bootstrap_user == null ? null : (
- strcontains(var.bootstrap_user, ":")
- ? var.bootstrap_user
- : "user:${var.bootstrap_user}"
- )
-
- # bootstrap user bindings
- iam_user_bootstrap_bindings = var.bootstrap_user == null ? {} : {
- (local.bootstrap_principal) = {
- authoritative = [
- "roles/logging.admin",
- "roles/owner",
- "roles/resourcemanager.organizationAdmin",
- "roles/resourcemanager.projectCreator",
- "roles/resourcemanager.tagAdmin"
- ]
- additive = (
- local.billing_mode != "org" ? [] : [
- "roles/billing.admin"
- ]
- )
- }
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/organization.tf b/fast/stages/0-bootstrap-legacy/organization.tf
deleted file mode 100644
index a19ba76d9..000000000
--- a/fast/stages/0-bootstrap-legacy/organization.tf
+++ /dev/null
@@ -1,237 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Organization-level IAM.
-
-locals {
- # reassemble logical bindings into the formats expected by the module
- _iam_bindings = merge(
- local.iam_domain_bindings,
- local.iam_sa_bindings,
- local.iam_user_bootstrap_bindings,
- {
- for k, v in local.iam_principal_bindings : k => {
- authoritative = []
- additive = v.additive
- }
- }
- )
- _iam_bindings_auth = flatten([
- for member, data in local._iam_bindings : [
- for role in data.authoritative : {
- member = member
- role = role
- }
- ]
- ])
- _iam_bindings_add = flatten([
- for member, data in local._iam_bindings : [
- for role in data.additive : {
- member = member
- role = role
- }
- ]
- ])
- org_policies_tag_name = "${var.organization.id}/${var.org_policies_config.tag_name}"
- iam_principals = {
- for k, v in local.iam_principal_bindings : k => v.authoritative
- }
- iam = merge(
- {
- for r in local.iam_delete_roles : r => []
- },
- {
- for b in local._iam_bindings_auth : b.role => b.member...
- }
- )
- iam_bindings_additive = {
- for b in local._iam_bindings_add : "${b.role}-${b.member}" => {
- member = b.member
- role = b.role
- }
- }
-}
-
-# TODO: add a check block to ensure our custom roles exist in the factory files
-
-# import org policy constraints enabled by default in new orgs since February 2024
-import {
- for_each = (
- !var.org_policies_config.import_defaults || var.bootstrap_user != null
- ? toset([])
- : toset([
- # source: https://cloud.google.com/resource-manager/docs/secure-by-default-organizations#organization_policies_enforced_on_organization_resources
- # listed in the order as on page
- "iam.disableServiceAccountKeyCreation",
- "iam.disableServiceAccountKeyUpload",
- "iam.automaticIamGrantsForDefaultServiceAccounts",
- "iam.allowedPolicyMemberDomains",
- "essentialcontacts.allowedContactDomains",
- "storage.uniformBucketLevelAccess",
- "compute.setNewProjectDefaultToZonalDNSOnly", # Verified as of 2024-09-13
- "compute.restrictProtocolForwardingCreationForTypes", # Verified as of 2025-02-13
- ])
- )
- id = "organizations/${var.organization.id}/policies/${each.key}"
- to = module.organization.google_org_policy_policy.default[each.key]
-}
-
-module "organization-logging" {
- # Preconfigure organization-wide logging settings to ensure project
- # log buckets (_Default, _Required) are created in the location
- # specified by `var.locations.logging`. This separate
- # organization-block prevents circular dependencies with later
- # project creation.
- source = "../../../modules/organization"
- organization_id = "organizations/${var.organization.id}"
- logging_settings = {
- storage_location = var.locations.logging
- }
-}
-
-module "organization" {
- source = "../../../modules/organization"
- organization_id = module.organization-logging.id
- # human (groups) IAM bindings
- iam_by_principals = {
- for key in distinct(concat(
- keys(local.iam_principals),
- keys(var.iam_by_principals),
- )) :
- key => distinct(concat(
- lookup(local.iam_principals, key, []),
- lookup(var.iam_by_principals, key, []),
- ))
- }
- # machine (service accounts) IAM bindings
- iam = merge(
- {
- for k, v in local.iam : k => distinct(concat(v, lookup(var.iam, k, [])))
- },
- {
- for k, v in var.iam : k => v if lookup(local.iam, k, null) == null
- }
- )
- # additive bindings, used for roles co-managed by different stages
- iam_bindings_additive = merge(
- local.iam_bindings_additive,
- var.iam_bindings_additive
- )
- # delegated role grant for resource manager service account
- iam_bindings = merge(
- {
- organization_iam_admin_conditional = {
- members = [module.automation-tf-resman-sa.iam_email]
- role = module.organization.custom_role_id["organization_iam_admin"]
- condition = {
- expression = (
- format(
- <<-EOT
- api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])
- || api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])
- || api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])
- EOT
- , join(",", formatlist("'%s'", [
- "roles/accesscontextmanager.policyEditor",
- "roles/accesscontextmanager.policyReader",
- "roles/cloudasset.viewer",
- "roles/compute.orgFirewallPolicyAdmin",
- "roles/compute.orgFirewallPolicyUser",
- "roles/compute.xpnAdmin",
- "roles/orgpolicy.policyAdmin",
- "roles/orgpolicy.policyViewer",
- "roles/resourcemanager.organizationViewer",
- ]))
- , join(",", formatlist("'%s'", [
- "roles/iam.workforcePoolAdmin",
- "roles/iam.workforcePoolViewer"
- ]))
- , join(",", formatlist("'%s'", [
- module.organization.custom_role_id["billing_viewer"],
- module.organization.custom_role_id["network_firewall_policies_admin"],
- module.organization.custom_role_id["ngfw_enterprise_admin"],
- module.organization.custom_role_id["ngfw_enterprise_viewer"],
- module.organization.custom_role_id["service_project_network_admin"],
- module.organization.custom_role_id["tenant_network_admin"]
- ]))
- )
- )
- title = "automation_sa_delegated_grants"
- description = "Automation service account delegated grants."
- }
- }
- },
- local.billing_mode != "org" ? {} : {
- organization_billing_conditional = {
- members = [module.automation-tf-resman-sa.iam_email]
- role = module.organization.custom_role_id["organization_iam_admin"]
- condition = {
- expression = format(
- "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
- join(",", formatlist("'%s'", [
- "roles/billing.admin",
- "roles/billing.costsManager",
- "roles/billing.user",
- ]))
- )
- title = "automation_sa_delegated_grants"
- description = "Automation service account delegated grants."
- }
- }
- }
- )
- custom_roles = var.custom_roles
- context = {
- condition_vars = {
- organization = var.organization
- tags = {
- org_policies_tag_name = local.org_policies_tag_name
- }
- }
- }
- factories_config = {
- custom_roles = var.factories_config.custom_roles
- org_policy_custom_constraints = (
- var.bootstrap_user != null ? null : var.factories_config.custom_constraints
- )
- org_policies = (
- var.bootstrap_user != null ? null : var.factories_config.org_policies
- )
- }
- logging_sinks = {
- for name, attrs in var.log_sinks : name => {
- bq_partitioned_table = attrs.type == "bigquery"
- destination = local.log_sink_destinations[name].id
- filter = attrs.filter
- type = attrs.type
- disabled = attrs.disabled
- exclusions = attrs.exclusions
- }
- }
- tags = {
- (var.org_policies_config.tag_name) = {
- description = "Organization policy conditions."
- iam = {}
- values = merge(
- {
- allowed-essential-contacts-domains-all = {}
- allowed-policy-member-domains-all = {}
- },
- var.org_policies_config.tag_values
- )
- }
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/outputs-files.tf b/fast/stages/0-bootstrap-legacy/outputs-files.tf
deleted file mode 100644
index 427f858ba..000000000
--- a/fast/stages/0-bootstrap-legacy/outputs-files.tf
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Output files persistence to local filesystem.
-
-resource "local_file" "providers" {
- for_each = var.outputs_location == null ? {} : local.providers
- file_permission = "0644"
- filename = "${try(pathexpand(var.outputs_location), "")}/providers/${each.key}-providers.tf"
- content = try(each.value, null)
-}
-
-resource "local_file" "tfvars" {
- for_each = var.outputs_location == null ? {} : { 1 = 1 }
- file_permission = "0644"
- filename = "${try(pathexpand(var.outputs_location), "")}/tfvars/0-bootstrap.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-resource "local_file" "tfvars_globals" {
- for_each = var.outputs_location == null ? {} : { 1 = 1 }
- file_permission = "0644"
- filename = "${try(pathexpand(var.outputs_location), "")}/tfvars/0-globals.auto.tfvars.json"
- content = jsonencode(local.tfvars_globals)
-}
-
-resource "local_file" "workflows" {
- for_each = var.outputs_location == null ? {} : local.cicd_workflows
- file_permission = "0644"
- filename = "${try(pathexpand(var.outputs_location), "")}/workflows/${each.key}-workflow.yaml"
- content = try(each.value, null)
-}
diff --git a/fast/stages/0-bootstrap-legacy/outputs-gcs.tf b/fast/stages/0-bootstrap-legacy/outputs-gcs.tf
deleted file mode 100644
index 3301da6a3..000000000
--- a/fast/stages/0-bootstrap-legacy/outputs-gcs.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Output files persistence to automation GCS bucket.
-
-resource "google_storage_bucket_object" "providers" {
- for_each = local.providers
- bucket = module.automation-tf-output-gcs.name
- # provider suffix allows excluding via .gitignore when linked from stages
- name = "providers/${each.key}-providers.tf"
- content = each.value
-}
-
-resource "google_storage_bucket_object" "tfvars" {
- bucket = module.automation-tf-output-gcs.name
- name = "tfvars/0-bootstrap.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-resource "google_storage_bucket_object" "tfvars_globals" {
- bucket = module.automation-tf-output-gcs.name
- name = "tfvars/0-globals.auto.tfvars.json"
- content = jsonencode(local.tfvars_globals)
-}
-
-resource "google_storage_bucket_object" "workflows" {
- for_each = local.cicd_workflows
- bucket = module.automation-tf-output-gcs.name
- name = "workflows/${each.key}-workflow.yaml"
- content = each.value
-}
-
-resource "google_storage_bucket_object" "version" {
- count = fileexists("fast_version.txt") ? 1 : 0
- bucket = module.automation-tf-output-gcs.name
- name = "versions/0-bootstrap-version.txt"
- source = "fast_version.txt"
-}
diff --git a/fast/stages/0-bootstrap-legacy/outputs-providers.tf b/fast/stages/0-bootstrap-legacy/outputs-providers.tf
deleted file mode 100644
index d22dfba38..000000000
--- a/fast/stages/0-bootstrap-legacy/outputs-providers.tf
+++ /dev/null
@@ -1,130 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Locals for provider output files.
-
-# TODO: templates should probably use provider::terraform::encode_expr
-# (not jsonencode) to encode extras
-
-locals {
- _parent_stage_resources = {
- "1-resman" = {
- bucket = module.automation-tf-resman-gcs.name
- sa = module.automation-tf-resman-sa.email
- sa_r = module.automation-tf-resman-r-sa.email
- }
- "1-vpcsc" = {
- bucket = module.automation-tf-vpcsc-gcs.name
- sa = module.automation-tf-vpcsc-sa.email
- sa_r = module.automation-tf-vpcsc-r-sa.email
- }
- }
- providers = merge(
- # this stage's providers
- {
- "0-bootstrap" = templatefile(local._tpl_providers, {
- bucket = module.automation-tf-bootstrap-gcs.name
- name = "bootstrap"
- sa = module.automation-tf-bootstrap-sa.email
- backend_extra = null
- provider_extra = var.universe == null ? null : {
- universe_domain = var.universe.domain
- }
- })
- "0-bootstrap-r" = templatefile(local._tpl_providers, {
- bucket = module.automation-tf-bootstrap-gcs.name
- name = "bootstrap"
- sa = module.automation-tf-bootstrap-r-sa.email
- backend_extra = null
- provider_extra = var.universe == null ? null : {
- universe_domain = var.universe.domain
- }
- })
- },
- # stage 1 providers
- {
- "1-resman" = templatefile(local._tpl_providers, {
- bucket = module.automation-tf-resman-gcs.name
- name = "resman"
- sa = module.automation-tf-resman-sa.email
- backend_extra = null
- provider_extra = var.universe == null ? null : {
- universe_domain = var.universe.domain
- }
- })
- "1-resman-r" = templatefile(local._tpl_providers, {
- bucket = module.automation-tf-resman-gcs.name
- name = "resman"
- sa = module.automation-tf-resman-r-sa.email
- backend_extra = null
- provider_extra = var.universe == null ? null : {
- universe_domain = var.universe.domain
- }
- })
- "1-vpcsc" = templatefile(local._tpl_providers, {
- bucket = module.automation-tf-vpcsc-gcs.name
- name = "vpcsc"
- sa = module.automation-tf-vpcsc-sa.email
- backend_extra = {
- prefix = "vpcsc"
- }
- provider_extra = var.universe == null ? null : {
- universe_domain = var.universe.domain
- }
- })
- "1-vpcsc-r" = templatefile(local._tpl_providers, {
- bucket = module.automation-tf-vpcsc-gcs.name
- name = "vpcsc"
- sa = module.automation-tf-vpcsc-r-sa.email
- backend_extra = {
- prefix = "vpcsc"
- }
- provider_extra = var.universe == null ? null : {
- universe_domain = var.universe.domain
- }
- })
- },
- # stage 1 addons
- {
- for k, v in var.fast_addon :
- "${v.parent_stage}-${k}" => templatefile(local._tpl_providers, {
- name = "${v.parent_stage}-${k}"
- bucket = local._parent_stage_resources[v.parent_stage].bucket
- sa = local._parent_stage_resources[v.parent_stage].sa
- backend_extra = {
- prefix = "addons/${k}"
- }
- provider_extra = var.universe == null ? null : {
- universe_domain = var.universe.domain
- }
- })
- },
- {
- for k, v in var.fast_addon :
- "${v.parent_stage}-${k}-r" => templatefile(local._tpl_providers, {
- name = "${v.parent_stage}-${k}"
- bucket = local._parent_stage_resources[v.parent_stage].bucket
- sa = local._parent_stage_resources[v.parent_stage].sa_r
- backend_extra = {
- prefix = "addons/${k}"
- }
- provider_extra = var.universe == null ? null : {
- universe_domain = var.universe.domain
- }
- })
- }
- )
-}
diff --git a/fast/stages/0-bootstrap-legacy/outputs.tf b/fast/stages/0-bootstrap-legacy/outputs.tf
deleted file mode 100644
index 8ac8dc5d0..000000000
--- a/fast/stages/0-bootstrap-legacy/outputs.tf
+++ /dev/null
@@ -1,200 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- _tpl_providers = "${path.module}/templates/providers.tf.tpl"
- # render CI/CD workflow templates
- cicd_workflows = {
- for k, v in local.cicd_repositories : "${v.level}-${k}" => templatefile(
- "${path.module}/templates/workflow-${v.repository.type}.yaml", {
- # If users give a list of custom audiences we set by default the first element.
- # If no audiences are given, we set https://iam.googleapis.com/{PROVIDER_NAME}
- audiences = try(
- local.cicd_providers[v.identity_provider].audiences, []
- )
- identity_provider = try(
- local.cicd_providers[v.identity_provider].name, ""
- )
- outputs_bucket = module.automation-tf-output-gcs.name
- service_accounts = {
- apply = try(module.automation-tf-cicd-sa[k].email, "")
- plan = try(module.automation-tf-cicd-r-sa[k].email, "")
- }
- stage_name = k
- tf_providers_files = {
- apply = local.cicd_workflow_providers[k]
- plan = local.cicd_workflow_providers["${k}-r"]
- }
- tf_var_files = k == "bootstrap" ? [] : [
- "0-bootstrap.auto.tfvars.json",
- "0-globals.auto.tfvars.json"
- ]
- }
- )
- }
- tfvars = {
- automation = {
- federated_identity_pool = try(
- google_iam_workload_identity_pool.default[0].name, null
- )
- federated_identity_providers = local.cicd_providers
- outputs_bucket = module.automation-tf-output-gcs.name
- project_id = module.automation-project.project_id
- project_number = module.automation-project.number
- service_accounts = {
- bootstrap = module.automation-tf-bootstrap-sa.email
- bootstrap-r = module.automation-tf-bootstrap-r-sa.email
- resman = module.automation-tf-resman-sa.email
- resman-r = module.automation-tf-resman-r-sa.email
- vpcsc = module.automation-tf-vpcsc-sa.email
- vpcsc-r = module.automation-tf-vpcsc-r-sa.email
- }
- }
- billing = {
- dataset = try(module.billing-export-dataset[0].id, null)
- project_id = try(module.billing-export-project[0].project_id, null)
- project_number = try(module.billing-export-project[0].number, null)
- }
- custom_roles = module.organization.custom_role_id
- logging = {
- project_id = module.log-export-project.project_id
- project_number = module.log-export-project.number
- writer_identities = module.organization.sink_writer_identities
- destinations = {
- bigquery = try(module.log-export-dataset[0].id, null)
- logging = { for k, v in module.log-export-logbucket : k => v.id }
- pubsub = { for k, v in module.log-export-pubsub : k => v.id }
- storage = try(module.log-export-gcs[0].id, null)
- }
- }
- org_policy_tags = {
- key_id = (
- module.organization.tag_keys[var.org_policies_config.tag_name].id
- )
- key_name = var.org_policies_config.tag_name
- values = {
- for k, v in module.organization.tag_values :
- split("/", k)[1] => v.id
- }
- }
- universe = var.universe
- }
- tfvars_globals = {
- billing_account = var.billing_account
- groups = local.principals
- environments = {
- for k, v in var.environments : k => {
- is_default = v.is_default
- key = k
- name = v.name
- short_name = v.short_name != null ? v.short_name : k
- tag_name = v.tag_name != null ? v.tag_name : lower(v.name)
- }
- }
- locations = local.locations
- organization = var.organization
- prefix = var.prefix
- }
-}
-
-output "automation" {
- description = "Automation resources."
- value = local.tfvars.automation
-}
-
-output "billing_dataset" {
- description = "BigQuery dataset prepared for billing export."
- value = try(module.billing-export-dataset[0].id, null)
-}
-
-output "cicd_repositories" {
- description = "CI/CD repository configurations."
- value = {
- for k, v in local.cicd_repositories : k => {
- branch = v.repository.branch
- name = v.repository.name
- provider = try(local.cicd_providers[v.identity_provider].name, null)
- service_account = try(module.automation-tf-cicd-sa[k].email, null)
- }
- }
-}
-
-output "custom_roles" {
- description = "Organization-level custom roles."
- value = module.organization.custom_role_id
-}
-
-output "outputs_bucket" {
- description = "GCS bucket where generated output files are stored."
- value = module.automation-tf-output-gcs.name
-}
-
-output "project_ids" {
- description = "Projects created by this stage."
- value = {
- automation = module.automation-project.project_id
- billing-export = try(module.billing-export-project[0].project_id, null)
- log-export = module.log-export-project.project_id
- }
-}
-
-# ready to use provider configurations for subsequent stages when not using files
-output "providers" {
- # tfdoc:output:consumers stage-01
- description = "Terraform provider files for this stage and dependent stages."
- sensitive = true
- value = local.providers
-}
-
-output "service_accounts" {
- description = "Automation service accounts created by this stage."
- value = {
- bootstrap = module.automation-tf-bootstrap-sa.email
- resman = module.automation-tf-resman-sa.email
- }
-}
-
-# ready to use variable values for subsequent stages
-output "tfvars" {
- description = "Terraform variable files for the following stages."
- sensitive = true
- value = local.tfvars
-}
-
-output "tfvars_globals" {
- description = "Terraform Globals variable files for the following stages."
- sensitive = true
- value = local.tfvars_globals
-}
-
-output "workforce_identity_pool" {
- description = "Workforce Identity Federation pool."
- value = {
- pool = try(
- google_iam_workforce_pool.default[0].name, null
- )
- }
-}
-
-output "workload_identity_pool" {
- description = "Workload Identity Federation pool and providers."
- value = {
- pool = try(
- google_iam_workload_identity_pool.default[0].name, null
- )
- providers = local.cicd_providers
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/schemas/custom-role.schema.json b/fast/stages/0-bootstrap-legacy/schemas/custom-role.schema.json
deleted file mode 120000
index a1d6e5658..000000000
--- a/fast/stages/0-bootstrap-legacy/schemas/custom-role.schema.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../../modules/organization/schemas/custom-role.schema.json
\ No newline at end of file
diff --git a/fast/stages/0-bootstrap-legacy/schemas/custom-role.schema.md b/fast/stages/0-bootstrap-legacy/schemas/custom-role.schema.md
deleted file mode 100644
index eda065897..000000000
--- a/fast/stages/0-bootstrap-legacy/schemas/custom-role.schema.md
+++ /dev/null
@@ -1,16 +0,0 @@
-# Custom Role
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **name**: *string*
-- **includedPermissions**: *array*
- - items: *string*
-
*pattern: ^[a-zA-Z-]+\.[a-zA-Z-]+\.[a-zA-Z-]+$*
-
-## Definitions
-
-
diff --git a/fast/stages/0-bootstrap-legacy/schemas/org-policies.schema.json b/fast/stages/0-bootstrap-legacy/schemas/org-policies.schema.json
deleted file mode 120000
index c5ebcfaf7..000000000
--- a/fast/stages/0-bootstrap-legacy/schemas/org-policies.schema.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../../modules/organization/schemas/org-policies.schema.json
\ No newline at end of file
diff --git a/fast/stages/0-bootstrap-legacy/schemas/org-policies.schema.md b/fast/stages/0-bootstrap-legacy/schemas/org-policies.schema.md
deleted file mode 100644
index 9503c65c3..000000000
--- a/fast/stages/0-bootstrap-legacy/schemas/org-policies.schema.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Organization Policies
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **`^[a-z-]+[a-zA-Z0-9\.]+$`**: *object*
-
*additional properties: false*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *reference([allow-deny](#refs-allow-deny))*
- - **deny**: *reference([allow-deny](#refs-allow-deny))*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
- - **parameters**: *string*
-
-## Definitions
-
-- **allow-deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
diff --git a/fast/stages/0-bootstrap-legacy/schemas/org-policy-custom-constraint.schema.json b/fast/stages/0-bootstrap-legacy/schemas/org-policy-custom-constraint.schema.json
deleted file mode 100644
index fd7fc5c7f..000000000
--- a/fast/stages/0-bootstrap-legacy/schemas/org-policy-custom-constraint.schema.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "Organization Policy Custom Constraints",
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z-]+\\.[a-zA-Z]+$": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "action_type",
- "condition"
- ],
- "properties": {
- "display_name": {
- "type": "string"
- },
- "description": {
- "type": "string"
- },
- "action_type": {
- "type": "string"
- },
- "condition": {
- "type": "string"
- },
- "method_types": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "resource_types": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/fast/stages/0-bootstrap-legacy/schemas/org-policy-custom-constraint.schema.md b/fast/stages/0-bootstrap-legacy/schemas/org-policy-custom-constraint.schema.md
deleted file mode 100644
index 6b6f33729..000000000
--- a/fast/stages/0-bootstrap-legacy/schemas/org-policy-custom-constraint.schema.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Organization Policy Custom Constraints
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **`^[a-z-]+\.[a-zA-Z]+$`**: *object*
-
*additional properties: false*
- - **display_name**: *string*
- - **description**: *string*
- - ⁺**action_type**: *string*
- - ⁺**condition**: *string*
- - **method_types**: *array*
- - items: *string*
- - **resource_types**: *array*
- - items: *string*
-
-## Definitions
-
-
diff --git a/fast/stages/0-bootstrap-legacy/templates/providers.tf.tpl b/fast/stages/0-bootstrap-legacy/templates/providers.tf.tpl
deleted file mode 100644
index 717bb129b..000000000
--- a/fast/stages/0-bootstrap-legacy/templates/providers.tf.tpl
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- backend "gcs" {
- bucket = "${bucket}"
- impersonate_service_account = "${sa}"
- %{~ for k, v in coalesce(backend_extra, {}) ~}
- ${k} = ${jsonencode(v)}
- %{~ endfor ~}
- }
-}
-provider "google" {
- impersonate_service_account = "${sa}"
- %{~ for k, v in coalesce(provider_extra, {}) ~}
- ${k} = ${jsonencode(v)}
- %{~ endfor ~}
-}
-provider "google-beta" {
- impersonate_service_account = "${sa}"
- %{~ for k, v in coalesce(provider_extra, {}) ~}
- ${k} = ${jsonencode(v)}
- %{~ endfor ~}
-}
-
-# end provider.tf for ${name}
diff --git a/fast/stages/0-bootstrap-legacy/templates/providers_terraform.tf.tpl b/fast/stages/0-bootstrap-legacy/templates/providers_terraform.tf.tpl
deleted file mode 100644
index b581e50ed..000000000
--- a/fast/stages/0-bootstrap-legacy/templates/providers_terraform.tf.tpl
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- cloud {
- organization = "${organization}"
- %{~ if hostname != null ~}
- hostname = "${hostname}"
- %{~ endif ~}
- workspaces {
- %{~ if workspaces.name != null ~}
- name = "${workspaces.name}"
- %{~ endif ~}
- %{~ if workspaces.tags != null ~}
- tags = [ %{ for tags in workspaces.tags ~} "${tags}", %{ endfor ~} ]
- %{~ endif ~}
- %{~ if workspaces.project != null ~}
- project = "${workspaces.project}"
- %{~ endif ~}
- }
- }
-}
-
-provider "google" {
- impersonate_service_account = "${sa}"
-}
-provider "google-beta" {
- impersonate_service_account = "${sa}"
-}
-
-# end provider.tf for ${name}
\ No newline at end of file
diff --git a/fast/stages/0-bootstrap-legacy/templates/workflow-github.yaml b/fast/stages/0-bootstrap-legacy/templates/workflow-github.yaml
deleted file mode 100644
index 1009cb149..000000000
--- a/fast/stages/0-bootstrap-legacy/templates/workflow-github.yaml
+++ /dev/null
@@ -1,229 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "FAST ${stage_name} stage"
-
-on:
- pull_request:
- branches:
- - main
- types:
- - closed
- - opened
- - synchronize
-
-env:
- FAST_SERVICE_ACCOUNT: ${service_accounts.apply}
- FAST_SERVICE_ACCOUNT_PLAN: ${service_accounts.plan}
- FAST_WIF_PROVIDER: ${identity_provider}
- SSH_AUTH_SOCK: /tmp/ssh_agent.sock
- TF_PROVIDERS_FILE: ${tf_providers_files.apply}
- TF_PROVIDERS_FILE_PLAN: ${tf_providers_files.plan}
- TF_VERSION: 1.11.4
-
-jobs:
- fast-pr:
- # Skip PRs which are closed without being merged.
- if: >-
- github.event.action == 'closed' &&
- github.event.pull_request.merged == true ||
- github.event.action == 'opened' ||
- github.event.action == 'synchronize'
- permissions:
- contents: read
- id-token: write
- issues: write
- pull-requests: write
- runs-on: ubuntu-latest
- steps:
- - id: checkout
- name: Checkout repository
- uses: actions/checkout@v4
-
- # set up SSH key authentication to the modules repository
-
- - id: ssh-config
- name: Configure SSH authentication
- run: |
- ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
- ssh-add - <<< "$${{ secrets.CICD_MODULES_KEY }}"
-
- # set up step variables for plan / apply
-
- - id: vars-plan
- if: github.event.pull_request.merged != true && success()
- name: Set up plan variables
- run: |
- echo "plan_opts=-lock=false" >> "$GITHUB_ENV"
- echo "provider_file=$${{env.TF_PROVIDERS_FILE_PLAN}}" >> "$GITHUB_ENV"
- echo "service_account=$${{env.FAST_SERVICE_ACCOUNT_PLAN}}" >> "$GITHUB_ENV"
-
- - id: vars-apply
- if: github.event.pull_request.merged == true && success()
- name: Set up apply variables
- run: |
- echo "provider_file=$${{env.TF_PROVIDERS_FILE}}" >> "$GITHUB_ENV"
- echo "service_account=$${{env.FAST_SERVICE_ACCOUNT}}" >> "$GITHUB_ENV"
-
- # set up authentication via Workload identity Federation and gcloud
-
- - id: gcp-auth
- name: Authenticate to Google Cloud
- uses: google-github-actions/auth@v2
- with:
- workload_identity_provider: $${{env.FAST_WIF_PROVIDER}}
- service_account: $${{env.service_account}}
- access_token_lifetime: 900s
-
- - id: gcp-sdk
- name: Set up Cloud SDK
- uses: google-github-actions/setup-gcloud@v2
- with:
- install_components: alpha
-
- # copy provider file
-
- - id: tf-config-provider
- name: Copy Terraform provider file
- run: |
- gcloud storage cp -r \
- "gs://${outputs_bucket}/providers/$${{env.provider_file}}" ./
- %{~ for f in tf_var_files ~}
- gcloud storage cp -r \
- "gs://${outputs_bucket}/tfvars/${f}" ./
- %{~ endfor ~}
-
- - id: tf-setup
- name: Set up Terraform
- uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: $${{env.TF_VERSION}}
-
- # run Terraform init/validate/plan
-
- - id: tf-init
- name: Terraform init
- continue-on-error: true
- run: |
- terraform init -no-color
-
- - id: tf-validate
- continue-on-error: true
- name: Terraform validate
- run: terraform validate -no-color
-
- - id: tf-plan
- name: Terraform plan
- continue-on-error: true
- run: |
- terraform plan -input=false -out ../plan.out -no-color $${{env.plan_opts}}
-
- - id: tf-apply
- if: github.event.pull_request.merged == true && success()
- name: Terraform apply
- continue-on-error: true
- run: |
- terraform apply -input=false -auto-approve -no-color ../plan.out
-
- # PR comment with Terraform result from previous steps
- # length is checked and trimmed for length so as to stay within the limit
-
- - id: pr-comment
- name: Post comment to Pull Request
- continue-on-error: true
- uses: actions/github-script@v7
- if: github.event_name == 'pull_request'
- env:
- PLAN: $${{steps.tf-plan.outputs.stdout}}\n$${{steps.tf-plan.outputs.stderr}}
- with:
- script: |
- const output = `### Terraform Initialization \`$${{steps.tf-init.outcome}}\`
-
- ### Terraform Validation \`$${{steps.tf-validate.outcome}}\`
-
- Validation Output
-
- \`\`\`\n
- $${{steps.tf-validate.outputs.stdout}}
- \`\`\`
-
-
-
- ### Terraform Plan \`$${{steps.tf-plan.outcome}}\`
-
- Show Plan
-
- \`\`\`\n
- $${process.env.PLAN.split('\n').filter(l => l.match(/^([A-Z\s].*|)$$/)).join('\n')}
- \`\`\`
-
-
-
- ### Terraform Apply \`$${{steps.tf-apply.outcome}}\`
-
- *Pusher: @$${{github.actor}}, Action: \`$${{github.event_name}}\`, Working Directory: \`$${{env.tf_actions_working_dir}}\`, Workflow: \`$${{github.workflow}}\`*`;
-
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })
-
- - id: pr-short-comment
- name: Post comment to Pull Request (abbreviated)
- uses: actions/github-script@v7
- if: github.event_name == 'pull_request' && steps.pr-comment.outcome != 'success'
- with:
- script: |
- const output = `### Terraform Initialization \`$${{steps.tf-init.outcome}}\`
-
- ### Terraform Validation \`$${{steps.tf-validate.outcome}}\`
-
- ### Terraform Plan \`$${{steps.tf-plan.outcome}}\`
-
- Plan output is in the action log.
-
- ### Terraform Apply \`$${{steps.tf-apply.outcome}}\`
-
- *Pusher: @$${{github.actor}}, Action: \`$${{github.event_name}}\`, Working Directory: \`$${{env.tf_actions_working_dir}}\`, Workflow: \`$${{github.workflow}}\`*`;
-
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })
-
- # exit on error from previous steps
-
- - id: check-init
- name: Check init failure
- if: steps.tf-init.outcome != 'success'
- run: exit 1
-
- - id: check-validate
- name: Check validate failure
- if: steps.tf-validate.outcome != 'success'
- run: exit 1
-
- - id: check-plan
- name: Check plan failure
- if: steps.tf-plan.outcome != 'success'
- run: exit 1
-
- - id: check-apply
- name: Check apply failure
- if: github.event.pull_request.merged == true && steps.tf-apply.outcome != 'success'
- run: exit 1
diff --git a/fast/stages/0-bootstrap-legacy/templates/workflow-gitlab.yaml b/fast/stages/0-bootstrap-legacy/templates/workflow-gitlab.yaml
deleted file mode 100644
index 150340835..000000000
--- a/fast/stages/0-bootstrap-legacy/templates/workflow-gitlab.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-variables:
- GOOGLE_CREDENTIALS: cicd-sa-credentials.json
- FAST_OUTPUTS_BUCKET: ${outputs_bucket}
- FAST_WIF_PROVIDER: ${identity_provider}
- SSH_AUTH_SOCK: /tmp/ssh_agent.sock
- %{~ if tf_var_files != [] ~}
- TF_VAR_FILES: ${join("\n ", tf_var_files)}
- %{~ endif ~}
-
-workflow:
- rules:
- # merge / apply
- - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
- variables:
- COMMAND: apply
- FAST_SERVICE_ACCOUNT: ${service_accounts.apply}
- TF_PROVIDERS_FILE: ${tf_providers_files.apply}
- # pr / plan
- - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
- variables:
- COMMAND: plan
- FAST_SERVICE_ACCOUNT: ${service_accounts.plan}
- TF_PROVIDERS_FILE: ${tf_providers_files.plan}
-
-stages:
- - gcp-setup
- - tf-plan-apply
-
-# TODO: document project-level deploy key used to fetch modules
-
-gcp-setup:
- stage: gcp-setup
- image:
- name: google/cloud-sdk:slim
- artifacts:
- paths:
- - cicd-sa-credentials.json
- - providers.tf
- %{~ for f in tf_var_files ~}
- - ${f}
- %{~ endfor ~}
- id_tokens:
- GITLAB_TOKEN:
- aud:
- %{~ for aud in audiences ~}
- - ${aud}
- %{~ endfor ~}
- before_script:
- - echo "$GITLAB_TOKEN" > token.txt
- script:
- - |
- gcloud iam workload-identity-pools create-cred-config \
- $FAST_WIF_PROVIDER \
- --service-account=$FAST_SERVICE_ACCOUNT \
- --service-account-token-lifetime-seconds=900 \
- --output-file=$GOOGLE_CREDENTIALS \
- --credential-source-file=token.txt
- - gcloud config set auth/credential_file_override $GOOGLE_CREDENTIALS
- - gcloud storage cp -r "gs://$FAST_OUTPUTS_BUCKET/providers/$TF_PROVIDERS_FILE" ./providers.tf
- %{~ for f in tf_var_files ~}
- - gcloud storage cp gs://$FAST_OUTPUTS_BUCKET/tfvars/${f} ./
- %{~ endfor ~}
-
-
-tf-plan-apply:
- stage: tf-plan-apply
- dependencies:
- - gcp-setup
- id_tokens:
- GITLAB_TOKEN:
- aud:
- %{~ for aud in audiences ~}
- - ${aud}
- %{~ endfor ~}
- image:
- name: hashicorp/terraform
- entrypoint:
- - "/usr/bin/env"
- variables:
- SSH_AUTH_SOCK: /tmp/ssh-agent.sock
- script:
- - |
- ssh-agent -a $SSH_AUTH_SOCK
- echo "$CICD_MODULES_KEY" | ssh-add -
- mkdir -p ~/.ssh
- ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
- ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
- - echo "$GITLAB_TOKEN" > token.txt
- - terraform init
- - terraform validate
- - "if [ $COMMAND == 'plan' ]; then terraform plan -input=false -no-color -lock=false; fi"
- - "if [ $COMMAND == 'apply' ]; then terraform apply -input=false -no-color -auto-approve; fi"
diff --git a/fast/stages/0-bootstrap-legacy/terraform.tfvars.sample b/fast/stages/0-bootstrap-legacy/terraform.tfvars.sample
deleted file mode 100644
index 564e8113f..000000000
--- a/fast/stages/0-bootstrap-legacy/terraform.tfvars.sample
+++ /dev/null
@@ -1,25 +0,0 @@
-# use `gcloud beta billing accounts list`
-# if you have too many accounts, check the Cloud Console :)
-billing_account = {
- id = "012345-67890A-BCDEF0"
-}
-
-# locations for GCS, BigQuery, and logging buckets created here
-locations = {
- bq = "EU"
- gcs = "EU"
- logging = "global"
- pubsub = []
-}
-
-# use `gcloud organizations list`
-organization = {
- domain = "example.org"
- id = 1234567890
- customer_id = "C000001"
-}
-
-outputs_location = "~/fast-config"
-
-# use something unique and no longer than 9 characters
-prefix = "abcd"
diff --git a/fast/stages/0-bootstrap-legacy/variables-addons.tf b/fast/stages/0-bootstrap-legacy/variables-addons.tf
deleted file mode 100644
index cc505db46..000000000
--- a/fast/stages/0-bootstrap-legacy/variables-addons.tf
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "fast_addon" {
- description = "FAST addons configurations for stages 1. Keys are used as short names for the add-on resources."
- type = map(object({
- parent_stage = string
- cicd_config = optional(object({
- identity_provider = string
- repository = object({
- name = string
- branch = optional(string)
- type = optional(string, "github")
- })
- }))
- }))
- nullable = false
- default = {}
- validation {
- condition = alltrue([
- for k, v in var.fast_addon : contains(["1-resman", "1-vpcsc"], v.parent_stage)
- ])
- error_message = "Bootstrap-defined addons only support '1-resman' and '1-vpcsc' stages."
- }
- validation {
- condition = alltrue([
- for k, v in var.fast_addon :
- v.cicd_config == null || contains(
- ["github", "gitlab"],
- coalesce(try(v.cicd_config.repository.type, null), "-")
- )
- ])
- error_message = "Invalid CI/CD repository type."
- }
-}
diff --git a/fast/stages/0-bootstrap-legacy/variables.tf b/fast/stages/0-bootstrap-legacy/variables.tf
deleted file mode 100644
index fec2f8a8f..000000000
--- a/fast/stages/0-bootstrap-legacy/variables.tf
+++ /dev/null
@@ -1,393 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "billing_account" {
- description = "Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`."
- type = object({
- id = string
- force_create = optional(object({
- dataset = optional(bool, false)
- project = optional(bool, false)
- log_bucket = optional(bool, false)
- }), {})
- is_org_level = optional(bool, true)
- no_iam = optional(bool, false)
- })
- nullable = false
- validation {
- condition = (
- var.billing_account.force_create.dataset != true ||
- var.billing_account.force_create.project == true
- )
- error_message = "Forced dataset creation also needs project creation."
- }
-}
-
-variable "bootstrap_user" {
- description = "Email of the nominal user running this stage for the first time."
- type = string
- default = null
-}
-
-variable "cicd_config" {
- description = "CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed."
- type = object({
- bootstrap = optional(object({
- identity_provider = string
- repository = object({
- name = string
- branch = optional(string)
- type = optional(string, "github")
- })
- }))
- resman = optional(object({
- identity_provider = string
- repository = object({
- name = string
- branch = optional(string)
- type = optional(string, "github")
- })
- }))
- vpcsc = optional(object({
- identity_provider = string
- repository = object({
- name = string
- branch = optional(string)
- type = optional(string, "github")
- })
- }))
- })
- nullable = false
- default = {}
- validation {
- condition = alltrue([
- for k, v in coalesce(var.cicd_config, {}) :
- v == null || (
- contains(["github", "gitlab", "terraform"], coalesce(try(v.repository.type, null), "null"))
- )
- ])
- error_message = "Invalid repository type, supported types: 'github', 'gitlab', or 'terraform'."
- }
-}
-
-variable "custom_roles" {
- description = "Map of role names => list of permissions to additionally create at the organization level."
- type = map(list(string))
- nullable = false
- default = {}
-}
-
-variable "environments" {
- description = "Environment names. When not defined, short name is set to the key and tag name to lower(name)."
- type = map(object({
- name = string
- is_default = optional(bool, false)
- short_name = optional(string)
- tag_name = optional(string)
- }))
- nullable = false
- default = {
- dev = {
- name = "Development"
- }
- prod = {
- name = "Production"
- is_default = true
- }
- }
- validation {
- condition = anytrue([
- for k, v in var.environments : v.is_default == true
- ])
- error_message = "At least one environment should be marked as default."
- }
- validation {
- condition = alltrue([
- for k, v in var.environments : join(" ", regexall(
- "[a-zA-Z][a-zA-Z0-9\\s-]+[a-zA-Z0-9]", v.name
- )) == v.name
- ])
- error_message = "Environment names can only contain letters numbers dashes or spaces."
- }
- validation {
- condition = alltrue([
- for k, v in var.environments : (length(coalesce(v.short_name, k)) <= 4)
- ])
- error_message = "If environment key is longer than 4 characters, provide short_name that is at most 4 characters long."
- }
-}
-
-variable "essential_contacts" {
- description = "Email used for essential contacts, unset if null."
- type = string
- default = null
-}
-
-variable "factories_config" {
- description = "Configuration for the resource factories or external data."
- type = object({
- custom_constraints = optional(string, "data/custom-constraints")
- custom_roles = optional(string, "data/custom-roles")
- org_policies = optional(string, "data/org-policies")
- org_policies_iac = optional(string, "data/org-policies-iac")
- })
- nullable = false
- default = {}
-}
-
-variable "groups" {
- # https://cloud.google.com/docs/enterprise/setup-checklist
- description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
- type = object({
- gcp-billing-admins = optional(string, "gcp-billing-admins")
- gcp-devops = optional(string, "gcp-devops")
- gcp-network-admins = optional(string, "gcp-vpc-network-admins")
- gcp-organization-admins = optional(string, "gcp-organization-admins")
- gcp-secops-admins = optional(string, "gcp-security-admins")
- gcp-security-admins = optional(string, "gcp-security-admins")
- # aliased to gcp-devops as the checklist does not create it
- gcp-support = optional(string, "gcp-devops")
- })
- nullable = false
- default = {}
-}
-
-variable "iam" {
- description = "Organization-level custom IAM settings in role => [principal] format."
- type = map(list(string))
- nullable = false
- default = {}
-}
-
-variable "iam_bindings_additive" {
- description = "Organization-level custom additive IAM bindings. Keys are arbitrary."
- type = map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- }))
- nullable = false
- default = {}
-}
-
-variable "iam_by_principals" {
- description = "Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable."
- type = map(list(string))
- default = {}
- nullable = false
-}
-
-variable "locations" {
- description = "Optional locations for GCS, BigQuery, and logging buckets created here."
- type = object({
- bq = optional(string, "EU")
- gcs = optional(string, "EU")
- logging = optional(string, "global")
- pubsub = optional(list(string), [])
- })
- nullable = false
- default = {}
-}
-
-# See https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics
-# for additional logging filter examples
-variable "log_sinks" {
- description = "Org-level log sinks, in name => {type, filter} format."
- type = map(object({
- filter = string
- type = string
- disabled = optional(bool, false)
- exclusions = optional(map(string), {})
- }))
- nullable = false
- default = {
- audit-logs = {
- # activity logs include Google Workspace / Cloud Identity logs
- # exclude them via additional filter stanza if needed
- filter = <<-FILTER
- log_id("cloudaudit.googleapis.com/activity") OR
- log_id("cloudaudit.googleapis.com/system_event") OR
- log_id("cloudaudit.googleapis.com/policy") OR
- log_id("cloudaudit.googleapis.com/access_transparency")
- FILTER
- type = "logging"
- # exclusions = {
- # gke-audit = "protoPayload.serviceName=\"k8s.io\""
- # }
- }
- iam = {
- filter = <<-FILTER
- protoPayload.serviceName="iamcredentials.googleapis.com" OR
- protoPayload.serviceName="iam.googleapis.com" OR
- protoPayload.serviceName="sts.googleapis.com"
- FILTER
- type = "logging"
- }
- vpc-sc = {
- filter = <<-FILTER
- protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
- FILTER
- type = "logging"
- }
- workspace-audit-logs = {
- filter = <<-FILTER
- protoPayload.serviceName="admin.googleapis.com" OR
- protoPayload.serviceName="cloudidentity.googleapis.com" OR
- protoPayload.serviceName="login.googleapis.com"
- FILTER
- type = "logging"
- }
- }
- validation {
- condition = alltrue([
- for k, v in var.log_sinks :
- contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
- ])
- error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
- }
-}
-
-variable "org_policies_config" {
- description = "Organization policies customization."
- type = object({
- iac_policy_member_domains = optional(list(string))
- import_defaults = optional(bool, false)
- tag_name = optional(string, "org-policies")
- tag_values = optional(map(object({
- description = optional(string, "Managed by the Terraform organization module.")
- iam = optional(map(list(string)), {})
- id = optional(string)
- })), {})
- })
- default = {}
-}
-
-variable "organization" {
- description = "Organization details."
- type = object({
- id = number
- domain = optional(string)
- customer_id = optional(string)
- })
-}
-
-variable "outputs_location" {
- description = "Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable."
- type = string
- default = null
-}
-
-variable "prefix" {
- description = "Prefix used for resources that need unique names. Use 9 characters or less."
- type = string
- validation {
- condition = try(length(var.prefix), 0) < 10
- error_message = "Use a maximum of 9 characters for prefix."
- }
-}
-
-variable "project_parent_ids" {
- description = "Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent."
- type = object({
- automation = optional(string)
- billing = optional(string)
- logging = optional(string)
- })
- default = {}
- nullable = false
-}
-
-variable "resource_names" {
- description = "Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type."
- type = object({
- bq-billing = optional(string, "billing_export")
- bq-logs = optional(string, "logs")
- gcs-bootstrap = optional(string, "prod-iac-core-bootstrap-0")
- gcs-logs = optional(string, "prod-logs")
- gcs-outputs = optional(string, "prod-iac-core-outputs-0")
- gcs-resman = optional(string, "prod-iac-core-resman-0")
- gcs-vpcsc = optional(string, "prod-iac-core-vpcsc-0")
- project-automation = optional(string, "prod-iac-core-0")
- project-billing = optional(string, "prod-billing-exp-0")
- project-logs = optional(string, "prod-audit-logs-0")
- pubsub-logs_template = optional(string, "$${key}")
- sa-bootstrap = optional(string, "prod-bootstrap-0")
- sa-bootstrap_ro = optional(string, "prod-bootstrap-0r")
- sa-cicd_template = optional(string, "prod-$${key}-1")
- sa-cicd_template_ro = optional(string, "prod-$${key}-1r")
- sa-resman = optional(string, "prod-resman-0")
- sa-resman_ro = optional(string, "prod-resman-0r")
- sa-vpcsc = optional(string, "prod-vpcsc-0")
- sa-vpcsc_ro = optional(string, "prod-vpcsc-0r")
- # the identity provider resources also interpolate prefix
- wf-bootstrap = optional(string, "$${prefix}-bootstrap")
- wf-provider_template = optional(string, "$${prefix}-bootstrap-$${key}")
- wif-bootstrap = optional(string, "$${prefix}-bootstrap")
- wif-provider_template = optional(string, "$${prefix}-bootstrap-$${key}")
- })
- nullable = false
- default = {}
-}
-
-variable "universe" {
- description = "Target GCP universe."
- type = object({
- domain = string
- prefix = string
- unavailable_services = optional(list(string), [])
- })
- default = null
-}
-
-variable "workforce_identity_providers" {
- description = "Workforce Identity Federation pools."
- type = map(object({
- attribute_condition = optional(string)
- issuer = string
- display_name = string
- description = string
- disabled = optional(bool, false)
- saml = optional(object({
- idp_metadata_xml = string
- }), null)
- }))
- default = {}
- nullable = false
-}
-
-variable "workload_identity_providers" {
- description = "Workload Identity Federation pools. The `cicd_repositories` variable references keys here."
- type = map(object({
- attribute_condition = optional(string)
- issuer = string
- custom_settings = optional(object({
- issuer_uri = optional(string)
- audiences = optional(list(string), [])
- jwks_json = optional(string)
- }), {})
- }))
- default = {}
- nullable = false
- # TODO: fix validation
- # validation {
- # condition = var.federated_identity_providers.custom_settings == null
- # error_message = "Custom settings cannot be null."
- # }
-}
diff --git a/fast/stages/0-org-setup/fast_version.txt b/fast/stages/0-org-setup/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/0-org-setup/fast_version.txt
+++ b/fast/stages/0-org-setup/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/.fast-stage.env b/fast/stages/1-resman-legacy/.fast-stage.env
deleted file mode 100644
index cbfceb145..000000000
--- a/fast/stages/1-resman-legacy/.fast-stage.env
+++ /dev/null
@@ -1,5 +0,0 @@
-FAST_STAGE_DESCRIPTION="resource management"
-FAST_STAGE_LEVEL=1
-FAST_STAGE_NAME=resman
-FAST_STAGE_DEPS="0-globals 0-bootstrap"
-# FAST_STAGE_OPTIONAL=""
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/IAM.md b/fast/stages/1-resman-legacy/IAM.md
deleted file mode 100644
index aa7fe89eb..000000000
--- a/fast/stages/1-resman-legacy/IAM.md
+++ /dev/null
@@ -1,111 +0,0 @@
-# IAM bindings reference
-
-Legend: + additive, • conditional.
-
-## Organization [organization #0]
-
-| members | roles |
-|---|---|
-|dev-resman-pf-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +•|
-|prod-resman-net-0
serviceAccount|[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +|
-|prod-resman-pf-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +•|
-|prod-resman-sec-0
serviceAccount|[roles/cloudasset.viewer](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.viewer) +
[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) +|
-
-## Folder data platform/development
-
-| members | roles |
-|---|---|
-|dev-resman-dp-0
serviceAccount|organizations/[organization #0]/roles/serviceProjectNetworkAdmin
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
-|dev-resman-dp-0r
serviceAccount|[roles/resourcemanager.folderViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
-
-## Folder data platform/production
-
-| members | roles |
-|---|---|
-|prod-resman-dp-0
serviceAccount|organizations/[organization #0]/roles/serviceProjectNetworkAdmin
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
-|prod-resman-dp-0r
serviceAccount|[roles/resourcemanager.folderViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
-
-## Folder gke/development
-
-| members | roles |
-|---|---|
-|dev-resman-gke-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
-|dev-resman-gke-0r
serviceAccount|[roles/resourcemanager.folderViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
-
-## Folder gke/production
-
-| members | roles |
-|---|---|
-|prod-resman-gke-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
-|prod-resman-gke-0r
serviceAccount|[roles/resourcemanager.folderViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
-
-## Folder networking
-
-| members | roles |
-|---|---|
-|gcp-network-admins
group|[roles/editor](https://cloud.google.com/iam/docs/understanding-roles#editor) |
-|prod-resman-net-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
-|prod-resman-net-0r
serviceAccount|[roles/resourcemanager.folderViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
-
-## Folder networking/development
-
-| members | roles |
-|---|---|
-|dev-resman-dp-0
serviceAccount|organizations/[organization #0]/roles/serviceProjectNetworkAdmin |
-|dev-resman-dp-0r
serviceAccount|[roles/compute.networkViewer](https://cloud.google.com/iam/docs/understanding-roles#compute.networkViewer) |
-|dev-resman-gke-0
serviceAccount|organizations/[organization #0]/roles/serviceProjectNetworkAdmin |
-|dev-resman-gke-0r
serviceAccount|[roles/compute.networkViewer](https://cloud.google.com/iam/docs/understanding-roles#compute.networkViewer) |
-|dev-resman-pf-0
serviceAccount|organizations/[organization #0]/roles/serviceProjectNetworkAdmin |
-|dev-resman-pf-0r
serviceAccount|[roles/compute.networkViewer](https://cloud.google.com/iam/docs/understanding-roles#compute.networkViewer) |
-
-## Folder networking/production
-
-| members | roles |
-|---|---|
-|prod-resman-dp-0
serviceAccount|organizations/[organization #0]/roles/serviceProjectNetworkAdmin |
-|prod-resman-dp-0r
serviceAccount|[roles/compute.networkViewer](https://cloud.google.com/iam/docs/understanding-roles#compute.networkViewer) |
-|prod-resman-gke-0
serviceAccount|organizations/[organization #0]/roles/serviceProjectNetworkAdmin |
-|prod-resman-gke-0r
serviceAccount|[roles/compute.networkViewer](https://cloud.google.com/iam/docs/understanding-roles#compute.networkViewer) |
-|prod-resman-pf-0
serviceAccount|organizations/[organization #0]/roles/serviceProjectNetworkAdmin |
-|prod-resman-pf-0r
serviceAccount|[roles/compute.networkViewer](https://cloud.google.com/iam/docs/understanding-roles#compute.networkViewer) |
-
-## Folder sandbox
-
-| members | roles |
-|---|---|
-|dev-resman-sbox-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
-
-## Folder security
-
-| members | roles |
-|---|---|
-|gcp-security-admins
group|[roles/editor](https://cloud.google.com/iam/docs/understanding-roles#editor) |
-|prod-resman-sec-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) |
-|prod-resman-sec-0r
serviceAccount|[roles/resourcemanager.folderViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
-
-## Project prod-iac-core-0
-
-| members | roles |
-|---|---|
-|dev-resman-dp-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|dev-resman-dp-0r
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|dev-resman-gke-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|dev-resman-gke-0r
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|dev-resman-pf-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|dev-resman-pf-0r
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|dev-resman-sbox-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-dp-0r
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-gke-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-gke-0r
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-net-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-net-0r
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-net-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +|
-|prod-resman-net-1r
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +|
-|prod-resman-pf-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-pf-0r
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-sec-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-sec-0r
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-sec-1
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +|
-|prod-resman-sec-1r
serviceAccount|[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#logging.logWriter) +|
-|prod-resman-teams-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
-|prod-resman-test-3-0
serviceAccount|[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) +|
diff --git a/fast/stages/1-resman-legacy/README.md b/fast/stages/1-resman-legacy/README.md
deleted file mode 100644
index b43434d35..000000000
--- a/fast/stages/1-resman-legacy/README.md
+++ /dev/null
@@ -1,347 +0,0 @@
-# Resource hierarchy (Legacy)
-
-This stage manages the upper part of the resource management hierarchy, and decouples later stages (networking, etc.) from the organization via folders, IaC resources and IAM bindings.
-
-The complete hierarchy is not managed here, as considerations on departments, teams, and applications are too granular and best managed via the [project factory](../2-project-factory/), which this stage enables.
-
-As many other parts of FAST, this stage implements several factories that allow simplified management and operations of recurring sets of resources.
-
-The following diagram is a high level reference of the resources created and managed here, and gives an initial representation of its three main configuration elements: top-level folders, FAST stage 2s and stage 3s.
-
-
-
-
-
-
-- [Design overview and choices](#design-overview-and-choices)
-- [Resource management primitives](#resource-management-primitives)
- - [Top-level folders](#top-level-folders)
- - [Stage 2](#stage-2)
- - [Stage 3](#stage-3)
- - [Project and hierarchy factory](#project-and-hierarchy-factory)
-- [Other design considerations](#other-design-considerations)
- - [Secure tags](#secure-tags)
- - [Organization policy tag values from the bootstrap stage](#organization-policy-tag-values-from-the-bootstrap-stage)
- - [Workload Identity Federation and CI/CD](#workload-identity-federation-and-cicd)
-- [How to run this stage](#how-to-run-this-stage)
- - [Provider and Terraform variables](#provider-and-terraform-variables)
- - [Impersonating the automation service account](#impersonating-the-automation-service-account)
- - [Variable configuration](#variable-configuration)
- - [Running the stage](#running-the-stage)
-- [Files](#files)
-- [Variables](#variables)
-- [Outputs](#outputs)
-
-
-## Design overview and choices
-
-This stage is designed to offer a good amount of flexibility in laying out the organizational hierarchy, while still providing a default approach that we've seen working across different types of users and organizations.
-
-The default design provided here splits the hierarchy in two different logical areas:
-
-- core or shared resources (e.g. networking) which are grouped in dedicated top-level folders that implement centralized management by dedicated teams
-- team or application resources which are grouped under one or more top-level "teams" folders, and typically host managed services (storage, etc.) billed and controlled by their distributed teams
-
-This split approach allows concise mapping of functional and operational patterns to IAM roles and GCP-specific constructs:
-
-- core services are clearly separated, providing few touchpoints where IAM and security policies need to be applied (typically their top-level folder)
-- new sets of core services (fleets of VMs, shared GKE clusters, etc.) are added as a unit, minimizing operational complexity
-- team and application resources not subject to centralized management are grouped together, providing a unified view and easy budgeting/cost-allocation
-- automation for core resources is segregated via separate service accounts and buckets for each area (shared service, application) effectively minimizing blast radius
-
-Resource names follow the FAST convention discussed in the [Bootstrap stage documentation](../0-bootstrap-legacy/README.md#naming).
-
-## Resource management primitives
-
-This stage allows a certain degree of free-form hierarchy design on top of instead of the default layout, by providing a set of high level primitives that implement specific FAST functionality: top-level folders, centralized stage 2, environment-level stage 3 for shared services, and the project factory.
-
-### Top-level folders
-
-Top-level folders, as indicated by their name, are folders directly attached to the organization that can be freely defined via Terraform variables or factory YAML files. They represent a node in the organization, which can be used to partition the hierarchy via IAM or tag bindings, and to implement separate automation stages via their optional IaC resources.
-
-Top-level folders offer less direct integration into the FAST workflow and machinery, and are meant to solve specific use cases in addition to our standard stage 2 and 3 described in the following section.
-
-The full interface of the [folder module](../../../modules/folder/) is supported for top-level folders, allowing them to fit in the FAST design in different ways:
-
-- as supporting folders for the project factory, by granting high level permissions to its service accounts via IAM and tag bindings (see the ["Teams" example in the data folder](./data/top-level-folders/teams.yaml))
-- as standalone folders for custom usage, with or without associated IaC resources (see the ["Sandbox" exanple in the data folder](./data/top-level-folders/sandbox.yaml))
-- as grouping nodes for the environment-specific stage 3 folders (see the ["GCVE" example in the data folder](./data/top-level-folders/gcve.yaml))
-- as grouping nodes for stage 2s, for example via a "Shared Services" top-level folder set as the `folder_config.parent_id` attribute for networking and security stages
-
-Top-level folders support context-based expansion for service accounts and organization-level tags, which can be referenced by name (e.g. `project-factory` to refer to the project factory service accounts). This allows writing portable organization-independent YAML that can be shared across different FAST installations.
-
-### Stage 2
-
-FAST stage 2s implement core infrastructure services shared across the organization. In the FAST design networking, security, and the project factory are defined as stage 2. Their interface is sufficiently flexible to allow easy definition of custom stages, which can then be integrated in the framework.
-
-FAST stage 2s are typically managed by dedicated teams, they implement environment separation internally due to the complexity of their designs, and provide resources and specific IAM permissions to other shared services implemented as stage 3s (e.g. Shared VPC networks, IAM delegated grants on host projects/subnets or KMS keys).
-
-The default configuration enables all stage 2s via factory files in the `data/stage-2` folder. Each stage can be customized via a set of variable-level attributes:
-
-- `short_name` defines the name used for the stage IaC resources
-- `cicd_config` optionally configures built-in CI/CD support for the stage
-- `folder_config` controls the name, organization policies, and IAM profile for the stage folder, and allows defining additional environment-level subfolders
-- `organization_config` controls the IAM profile for the stage at the organization level
-- `stage3_config` allows defining signals that are passed on to the stage via output variables, on specific IAM configurations needed by stage 3s
-
-Each stage creates its own tag value in the `context` key, which can then be used for conditional roles at the organization level (`context/networking`, `context/project-factory` etc.) when needed. The tag value is assigned to the stage's folder, and can be applied to other folders to enable specific functionality, for example to allow the project factory to manage additional top-level folders.
-
-Think of stage 2s as "named stages" which can define specific IAM configurations on the organization, and are free to define their own environment-level constraints.
-
-### Stage 3
-
-FAST stage 3s are designed to host shared infrastructure that leverages core services from stage 2 (networking, encryption keys, etc.), and is partitioned by environment and subject to environment-level constraints, with no direct access to organization-level IAM configurations.
-
-As shared services they are still managed by dedicated teams, but principals and permissions might differ between environments. Stage 3s typically leverage top-level folders, under which the environment-level folders for the stage are then created.
-
-Configuration can be done either via Terraform variables or factory YAML files. The second option is used by default, providing a set of factory files for top-level folders and stage 3s that mirror the legacy FAST hierarchy implemented via code.
-
-Configuration is similar to the stage 2 one described above, save that stage 3:
-
-- need to define the environment for which they will be deployed
-- have no way to configure organization-level IAM
-
-### Project and hierarchy factory
-
-Despite being itself a stage 2 (and potentially one or more environment-specific stage 3), the project factory is an important primitive to shape the lower level resource hierarchy which implements folder and project management.
-
-By default FAST configures a single organization-wide project factory with the following characteristics:
-
-- any top-level folder with the suitable set of roles can be managed as a sub-hierarchy tree by the project factory (see the ["Teams" definition](./data/top-level-folders/teams.yaml) in the data folder)
-- organization policy management on its folders and projects by the project factory only requires binding the `context/project-factory` tag value
-- networking-related project configuration is available by default, the project factory can grant a limited set of roles on network resources, and attach service projects to VPC host projects
-- security-related project configuration is available by default, the project factory can grant the KMS encrypt/decrypt role on centralized KMS key in the security stage
-
-Additional project factories can of course be defined by cloning the default stage 2 configuration, and changing the stage 2 names and folders.
-
-## Other design considerations
-
-### Secure tags
-
-This stage manages [Secure Tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) at the organization level, via two sets of keys and values:
-
-- a default set of tags used by FAST itself in specific IAM conditions that allow automation service accounts to gain organization-level privileges or specific access to parts of the resource management hierarchy
-- an optional set of user-defined tags that can be used in organization policy or IAM conditions
-
-The first set of default tags cannot be overridden and defines the following keys and values (key names can be changed via the `tag_names` variable):
-
-- `context` to identify parts of the resource hierarchy, with `data`, `gke`, `networking`, `sandbox`, `security` and `teams` values
-- `environment` to identify folders and projects belonging to specific environments, with `development` and `production` values
-
-The second set is optional and allows defining a custom tag hierarchy, including IAM bindings that can refer to specific identities, or to the internally defined automation service accounts via their names, like in the following example:
-
-```tfvars
-tags = {
- my-custom-tag = {
- values = {
- eggs = {}
- spam = {
- description = "Example tag value."
- iam = {
- "roles/resourcemanager.tagUser" = ["sandbox"]
- }
- }
- }
- }
-}
-```
-
-Tags can also be specified via a factory in a similar way to organization policies and policy constraints. This is documented in the [organization module](../../../modules/organization/README.md#tags-factory).
-
-#### Organization policy tag values from the bootstrap stage
-
-A specific set of tag values used in org-level organization policy conditions can be optionally defined in the bootstrap stage, and can be referenced here if stage service accounts need specific permissions on those.
-
-As an example, consider this tag value defined via the bootstrap stage tfvars.
-
-```tfvars
-org_policies_config = {
- tag_values = {
- storage-public-access-allow = {
- description = "Bind this tag to allow public access on storage buckets."
- }
- }
-}
-```
-
-The tag is then used in the bootstrap stage to modify the behaviour of the relevant organization policy.
-
-```yaml
-storage.publicAccessPrevention:
- rules:
- - enforce: true
- - enforce: false
- condition:
- title: Allow any member domain
- expression: |
- resource.matchTag('${tags.org_policies_tag_name}', 'storage-public-access-allow')
-```
-
-The same tag value can be referenced in this stage to assign usage permissions to specific stage service accounts without the need to specify the explicit tag value id.
-
-```tfvars
-tags = {
- org-policies = {
- id = "org-policies"
- values = {
- storage-public-access-allow = {
- id = "storage-public-access-allow"
- iam = {
- "roles/resourcemanager.tagUser" : [
- "project-factory-rw"
- ]
- "roles/resourcemanager.tagViewer" : [
- "project-factory-ro"
- ]
- }
- }
- }
- }
-}
-```
-
-### Workload Identity Federation and CI/CD
-
-This stage also implements optional support for CI/CD, much in the same way as the bootstrap stage. The only difference is on Workload Identity Federation, which is only configured in bootstrap and made available here via stage interface variables (the automatically generated `.tfvars` files).
-
-For details on how to configure CI/CD please refer to the [relevant section in the bootstrap stage documentation](../0-bootstrap-legacy/README.md#cicd-repositories).
-
-## How to run this stage
-
-This stage is meant to be executed after the [bootstrap](../0-bootstrap-legacy) stage has run, as it leverages the automation service account and bucket created there. The relevant user groups must also exist, but that's one of the requirements for the previous stage too, so if you ran that successfully, you're good to go.
-
-It's of course possible to run this stage in isolation, but that's outside the scope of this document, and you would need to refer to the code for the bootstrap stage for the actual roles needed.
-
-Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration.
-
-### Provider and Terraform variables
-
-As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap-legacy/README.md#output-files-and-cross-stage-variables) is also leveraged here.
-
-The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run.
-
-Using local output files.
-
-```bash
-../fast-links.sh ~/fast-config
-
-# File linking commands for resource management stage
-
-# provider file
-ln -s ~/fast-config/fast-test-00/providers/1-resman-providers.tf ./
-
-# input files from other stages
-ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./
-ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap-legacy.auto.tfvars.json ./
-
-# conventional place for stage tfvars (manually created)
-ln -s ~/fast-config/fast-test-00/1-resman.auto.tfvars ./
-```
-
-Using the GCS outputs bucket.
-
-```bash
-../fast-links.sh gs://xxx-prod-iac-core-outputs-0
-
-# File linking commands for resource management stage
-
-# provider file
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/1-resman-providers.tf ./
-
-# input files from other stages
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap-legacy.auto.tfvars.json ./
-
-# conventional place for stage tfvars (manually created)
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/1-resman.auto.tfvars ./
-```
-
-### Impersonating the automation service account
-
-The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups.
-
-### Variable configuration
-
-Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets:
-
-- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above
-- variables which refer to resources managed by previous stage, which are prepopulated here via the `0-bootstrap-legacy.auto.tfvars.json` file linked or copied above
-- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file
-
-Note that the `outputs_location` variable is disabled by default, you need to explicitly set it in your `terraform.tfvars` file if you want output files to be generated by this stage. This is a sample `terraform.tfvars` that configures it, refer to the [bootstrap stage documentation](../0-bootstrap-legacy/README.md#output-files-and-cross-stage-variables) for more details:
-
-```tfvars
-outputs_location = "~/fast-config"
-```
-
-### Running the stage
-
-Once provider and variable values are in place and the correct user is configured, the stage can be run:
-
-```bash
-terraform init
-terraform apply
-```
-
-
-
-## Files
-
-| name | description | modules | resources |
-|---|---|---|---|
-| [billing.tf](./billing.tf) | Billing resources for external billing use cases. | | google_billing_account_iam_member |
-| [main.tf](./main.tf) | Module-level locals and resources. | | |
-| [organization-tags.tf](./organization-tags.tf) | Organization-level tag locals. | | |
-| [organization.tf](./organization.tf) | Organization-level IAM and org policies. | organization | |
-| [outputs-cicd.tf](./outputs-cicd.tf) | Locals for CI/CD workflow files. | | |
-| [outputs-files.tf](./outputs-files.tf) | Output files persistence to local filesystem. | | google_storage_bucket_object · local_file |
-| [outputs-providers.tf](./outputs-providers.tf) | Locals for provider output files. | | |
-| [outputs.tf](./outputs.tf) | Module outputs. | | |
-| [stage-2.tf](./stage-2.tf) | Stage 2s locals and resources. | folder · gcs · iam-service-account | |
-| [stage-3.tf](./stage-3.tf) | None | folder · gcs · iam-service-account | |
-| [stage-cicd.tf](./stage-cicd.tf) | CI/CD locals and resources. | iam-service-account | |
-| [tenant-logging.tf](./tenant-logging.tf) | Audit log project and sink for tenant root folder. | bigquery-dataset · gcs · logging-bucket · pubsub | |
-| [tenant-root.tf](./tenant-root.tf) | None | folder · project | |
-| [top-level-folders.tf](./top-level-folders.tf) | None | folder · gcs · iam-service-account | |
-| [variables-addons.tf](./variables-addons.tf) | None | | |
-| [variables-fast.tf](./variables-fast.tf) | FAST stage interface. | | |
-| [variables-stages.tf](./variables-stages.tf) | None | | |
-| [variables-toplevel-folders.tf](./variables-toplevel-folders.tf) | None | | |
-| [variables.tf](./variables.tf) | Module variables. | | |
-
-## Variables
-
-| name | description | type | required | default | producer |
-|---|---|:---:|:---:|:---:|:---:|
-| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
-| [billing_account](variables-fast.tf#L43) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap |
-| [environments](variables-fast.tf#L75) | Environment names. | map(object({…})) | ✓ | | 0-globals |
-| [logging](variables-fast.tf#L122) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
-| [organization](variables-fast.tf#L135) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L165) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
-| [custom_roles](variables-fast.tf#L54) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [factories_config](variables.tf#L20) | Configuration for the resource factories or external data. | object({…}) | | {} | |
-| [fast_addon](variables-addons.tf#L17) | FAST addons configurations for stages 2. Keys are used as short names for the add-on resources. | map(object({…})) | | {} | |
-| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | map(object({…})) | | {} | |
-| [fast_stage_3](variables-stages.tf#L125) | FAST stages 3 configurations. | map(object({…})) | | {} | |
-| [groups](variables-fast.tf#L93) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
-| [locations](variables-fast.tf#L109) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
-| [org_policy_tags](variables-fast.tf#L153) | Organization policy tags. | object({…}) | | {} | 0-bootstrap |
-| [outputs_location](variables.tf#L38) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [resource_names](variables.tf#L44) | Resource names overrides for specific resources. Stage names are interpolated via `$${name}`. Prefix is always set via code, except where noted in the variable type. | object({…}) | | {} | |
-| [root_node](variables-fast.tf#L171) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
-| [tag_names](variables.tf#L64) | Customized names for resource management tags. | object({…}) | | {} | |
-| [tags](variables.tf#L78) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | |
-| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | |
-
-## Outputs
-
-| name | description | sensitive | consumers |
-|---|---|:---:|---|
-| [cicd_repositories](outputs.tf#L65) | WIF configuration for CI/CD repositories. | | |
-| [folder_ids](outputs.tf#L77) | Folder ids. | | |
-| [providers](outputs.tf#L83) | Terraform provider files for this stage and dependent stages. | ✓ | |
-| [service_accounts](outputs.tf#L89) | Service accounts. | | |
-| [tag_values](outputs.tf#L94) | Tag values. | | |
-| [tfvars](outputs.tf#L100) | Terraform variable files for the following stages. | ✓ | |
-
diff --git a/fast/stages/1-resman-legacy/billing.tf b/fast/stages/1-resman-legacy/billing.tf
deleted file mode 100644
index d9007b425..000000000
--- a/fast/stages/1-resman-legacy/billing.tf
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Billing resources for external billing use cases.
-
-locals {
- billing_iam = merge(
- # stage 2
- {
- for k, v in local.stage2 : "sa_${v.short_name}_billing" => {
- member = module.stage2-sa-rw[k].iam_email
- role = "roles/billing.user"
- }
- },
- {
- for k, v in local.stage2 : "sa_${v.short_name}_costs_manager" => {
- member = module.stage2-sa-rw[k].iam_email
- role = "roles/billing.costsManager"
- }
- },
- # stage 3
- {
- for k, v in local.stage3 : k => {
- member = module.stage3-sa-rw[k].iam_email
- role = "roles/billing.user"
- }
- }
- )
- billing_mode = (
- var.billing_account.no_iam
- ? null
- : var.billing_account.is_org_level ? "org" : "resource"
- )
-}
-
-# billing account in same org (resources is in the organization.tf file)
-
-# standalone billing account
-
-resource "google_billing_account_iam_member" "default" {
- for_each = (
- local.billing_mode != "resource" ? {} : local.billing_iam
- )
- billing_account_id = var.billing_account.id
- role = each.value.role
- member = each.value.member
-}
diff --git a/fast/stages/1-resman-legacy/data/org-policies/sandbox/compute.yaml b/fast/stages/1-resman-legacy/data/org-policies/sandbox/compute.yaml
deleted file mode 100644
index 071fe96c2..000000000
--- a/fast/stages/1-resman-legacy/data/org-policies/sandbox/compute.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# skip boilerplate check
-#
-# sample subset of useful organization policies, edit to suit requirements
-
----
-# Terraform will be unable to decode this file if it does not contain valid YAML
-# You can retain `---` (start of the document) to indicate an empty document.
-
-# yaml-language-server: $schema=../../../schemas/org-policies.schema.json
-
-compute.vmExternalIpAccess:
- rules:
- - allow:
- all: true
diff --git a/fast/stages/1-resman-legacy/data/org-policies/sandbox/sql.yaml b/fast/stages/1-resman-legacy/data/org-policies/sandbox/sql.yaml
deleted file mode 100644
index cd1504c87..000000000
--- a/fast/stages/1-resman-legacy/data/org-policies/sandbox/sql.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# skip boilerplate check
-#
-# sample subset of useful organization policies, edit to suit requirements
-
----
-# Terraform will be unable to decode this file if it does not contain valid YAML
-# You can retain `---` (start of the document) to indicate an empty document.
-
-# yaml-language-server: $schema=../../../schemas/org-policies.schema.json
-
-sql.restrictPublicIp:
- rules:
- - enforce: true
diff --git a/fast/stages/1-resman-legacy/data/stage-2/networking.yaml b/fast/stages/1-resman-legacy/data/stage-2/networking.yaml
deleted file mode 100644
index 2189316c2..000000000
--- a/fast/stages/1-resman-legacy/data/stage-2/networking.yaml
+++ /dev/null
@@ -1,129 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/fast-stage2.schema.json
-
-short_name: net
-folder_config:
- name: Networking
- create_env_folders: true
- iam_by_principals:
- rw:
- - roles/logging.admin
- - roles/owner
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.projectCreator
- - roles/compute.xpnAdmin
- - roles/resourcemanager.tagUser
- ro:
- - roles/viewer
- - roles/resourcemanager.folderViewer
- - roles/resourcemanager.tagViewer
- project-factory-rw:
- - service_project_network_admin
- project-factory-ro:
- - roles/compute.networkViewer
- - project_iam_viewer
- gcp-network-admins:
- - roles/editor
- # project factory delegated IAM grant
- iam_bindings:
- project_factory:
- role: roles/resourcemanager.projectIamAdmin
- members:
- - project-factory-rw
- condition:
- title: Project factory delegated IAM grant.
- expression: |
- api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
- 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',
- 'roles/container.hostServiceAgentUser', 'roles/vpcaccess.user',
- '${custom_roles.dns_zone_binder}'
- ])
- # example conditional grants for stage 3s
- iam_bindings_additive: {}
- # Data Platform (dev)
- # dp_dev_net_admin:
- # role: service_project_network_admin
- # member: data-platform-dev-rw
- # condition:
- # title: Data platform dev service project admin.
- # expression: |
- # resource.matchTag('${organization.id}/${tag_names.environment}', 'development')
- # dp_dev_net_viewer:
- # role: roles/compute.networkViewer
- # member: data-platform-dev-ro
- # condition:
- # title: Data platform dev network viewer.
- # expression: |
- # resource.matchTag('${organization.id}/${tag_names.environment}', 'development')
- # GCVE (dev)
- # gcve_dev_net_admin:
- # role: gcve_network_admin
- # member: gcve-dev-rw
- # condition:
- # title: GCVE dev network admin.
- # expression: |
- # resource.matchTag('${organization.id}/${tag_names.environment}', 'development')
- # gcve_dev_net_viewer:
- # role: gcve_network_viewer
- # member: gcve-dev-ro
- # condition:
- # title: GCVE dev network viewer.
- # expression: |
- # resource.matchTag('${organization.id}/${tag_names.environment}', 'development')
- # GKE (dev)
- # gke_dns_admin:
- # role: roles/dns.admin
- # member: gke-dev-ro
- # condition:
- # title: GKE dev DNS admin.
- # expression: |
- # resource.matchTag('${organization.id}/${tag_names.environment}', 'development')
- # gke_dns_reader:
- # role: roles/dns.reader
- # member: gke-dev-ro
- # condition:
- # title: GKE dev DNS reader.
- # expression: |
- # resource.matchTag('${organization.id}/${tag_names.environment}', 'development')
-organization_config:
- iam_bindings_additive:
- sa_net_rw_fw_policy_admin:
- member: rw
- role: roles/compute.orgFirewallPolicyAdmin
- sa_net_rw_ngfw_enterprise_admin:
- member: rw
- role: ngfw_enterprise_admin
- sa_net_rw_xpn_admin:
- member: rw
- role: roles/compute.xpnAdmin
- sa_net_ro_fw_policy_user:
- member: ro
- role: roles/compute.orgFirewallPolicyUser
- sa_net_ro_ngfw_enterprise_viewer:
- member: ro
- role: ngfw_enterprise_viewer
-# example configuration for stage 3s needing environment-level conditional grants
-# stage3_config:
-# iam_admin_delegated:
-# - environment: dev
-# principal: gcve-dev-rw
-# - environment: dev
-# principal: data-platform-dev-rw
-# iam_viewer:
-# - environment: dev
-# principal: gcve-dev-ro
-# - environment: dev
-# principal: data-platform-dev-ro
diff --git a/fast/stages/1-resman-legacy/data/stage-2/project-factory.yaml b/fast/stages/1-resman-legacy/data/stage-2/project-factory.yaml
deleted file mode 100644
index cc3fd9e89..000000000
--- a/fast/stages/1-resman-legacy/data/stage-2/project-factory.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/fast-stage2.schema.json
-
-short_name: pf
-organization_config:
- iam_bindings_additive:
- sa_pf_billing_budget_ro:
- member: ro
- role: billing_viewer
- sa_pf_conditional_org_policy:
- member: rw
- role: roles/orgpolicy.policyAdmin
- condition:
- title: org_policy_tag_pf_scoped
- description: Org policy tag scoped grant for project factory.
- expression: |
- resource.matchTag('${organization.id}/${tag_names.context}', 'project-factory')
- sa_pf_vpcsc_ro:
- member: ro
- role: roles/accesscontextmanager.policyReader
- sa_pf_vpcsc_rw:
- member: rw
- role: roles/accesscontextmanager.policyEditor
-# CI/CD config for this stage should reference the networking and security
-# tfvar output files, like in the following example
-# cicd_config:
-# identity_provider: my-provider
-# repository:
-# name: my-org/my-repository
-# type: github
-# workflows_config:
-# extra_files:
-# - 2-networking.auto.tfvars.json
-# - 2-security.auto.tfvars.json
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/data/stage-2/secops.yaml b/fast/stages/1-resman-legacy/data/stage-2/secops.yaml
deleted file mode 100644
index 86b5569e4..000000000
--- a/fast/stages/1-resman-legacy/data/stage-2/secops.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/fast-stage2.schema.json
-
-short_name: so
-folder_config:
- name: SecOps
- iam_by_principals:
- rw:
- - roles/logging.admin
- - roles/owner
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.tagUser
- ro:
- - roles/viewer
- - roles/resourcemanager.folderViewer
- - roles/resourcemanager.tagViewer
- gcp-secops-admins:
- - roles/editor
-
-organization_config:
- iam_bindings_additive:
- sa_so_rw_wif:
- member: rw
- role: roles/iam.workforcePoolAdmin
- sa_so_ro_wif:
- member: ro
- role: roles/iam.workforcePoolViewer
diff --git a/fast/stages/1-resman-legacy/data/stage-2/security.yaml b/fast/stages/1-resman-legacy/data/stage-2/security.yaml
deleted file mode 100644
index 624ae70f2..000000000
--- a/fast/stages/1-resman-legacy/data/stage-2/security.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/fast-stage2.schema.json
-
-short_name: sec
-folder_config:
- name: Security
- iam_by_principals:
- rw:
- - roles/logging.admin
- - roles/owner
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.tagUser
- ro:
- - roles/viewer
- - roles/resourcemanager.folderViewer
- - roles/resourcemanager.tagViewer
- project-factory-ro:
- - kms_key_viewer
- gcp-security-admins:
- - roles/editor
- # project factory delegated IAM grant
- iam_bindings:
- project_factory:
- role: kms_key_encryption_admin
- members:
- - project-factory-rw
- condition:
- title: Project factory delegated IAM grant.
- expression: |
- api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
- 'roles/cloudkms.cryptoKeyEncrypterDecrypter'
- ])
-organization_config:
- iam_bindings_additive:
- sa_sec_cloudasset:
- member: rw
- role: roles/cloudasset.viewer
-# example configuration for stage 3s needing environment-level conditional grants
-# stage3_config:
- # iam_admin_delegated:
- # - environment: dev
- # principal: data-platform-dev-rw
- # iam_viewer:
- # - environment: dev
- # principal: data-platform-dev-ro
- # - environment: dev
- # principal: data-platform-dev-rw
diff --git a/fast/stages/1-resman-legacy/data/stage-3/data-platform-dev.yaml b/fast/stages/1-resman-legacy/data/stage-3/data-platform-dev.yaml
deleted file mode 100644
index 246f381ee..000000000
--- a/fast/stages/1-resman-legacy/data/stage-3/data-platform-dev.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json
-
-short_name: dp
-environment: dev
-folder_config:
- name: Development
- parent_id: data-platform
diff --git a/fast/stages/1-resman-legacy/data/stage-3/gcve-dev.yaml b/fast/stages/1-resman-legacy/data/stage-3/gcve-dev.yaml
deleted file mode 100644
index 02e830741..000000000
--- a/fast/stages/1-resman-legacy/data/stage-3/gcve-dev.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json
-
-short_name: gcve
-environment: dev
-folder_config:
- name: Development
- parent_id: gcve
diff --git a/fast/stages/1-resman-legacy/data/stage-3/gke-dev.yaml b/fast/stages/1-resman-legacy/data/stage-3/gke-dev.yaml
deleted file mode 100644
index 26caecf43..000000000
--- a/fast/stages/1-resman-legacy/data/stage-3/gke-dev.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json
-
-short_name: gke
-environment: dev
-folder_config:
- name: Development
- parent_id: gke
diff --git a/fast/stages/1-resman-legacy/data/stage-3/secops-dev.yaml b/fast/stages/1-resman-legacy/data/stage-3/secops-dev.yaml
deleted file mode 100644
index 92c357ea8..000000000
--- a/fast/stages/1-resman-legacy/data/stage-3/secops-dev.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json
-
-short_name: secops
-environment: dev
-folder_config:
- name: Development
- parent_id: secops
diff --git a/fast/stages/1-resman-legacy/data/top-level-folders/data-platform.yaml b/fast/stages/1-resman-legacy/data/top-level-folders/data-platform.yaml
deleted file mode 100644
index 850273d3e..000000000
--- a/fast/stages/1-resman-legacy/data/top-level-folders/data-platform.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
-
-name: Data Platform
diff --git a/fast/stages/1-resman-legacy/data/top-level-folders/gcve.yaml b/fast/stages/1-resman-legacy/data/top-level-folders/gcve.yaml
deleted file mode 100644
index 13af215e2..000000000
--- a/fast/stages/1-resman-legacy/data/top-level-folders/gcve.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
-
-name: GCVE
diff --git a/fast/stages/1-resman-legacy/data/top-level-folders/gke.yaml b/fast/stages/1-resman-legacy/data/top-level-folders/gke.yaml
deleted file mode 100644
index 789a792b2..000000000
--- a/fast/stages/1-resman-legacy/data/top-level-folders/gke.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
-
-name: GKE
diff --git a/fast/stages/1-resman-legacy/data/top-level-folders/sandbox.yaml b/fast/stages/1-resman-legacy/data/top-level-folders/sandbox.yaml
deleted file mode 100644
index 1ce256fcf..000000000
--- a/fast/stages/1-resman-legacy/data/top-level-folders/sandbox.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
-
-name: Sandbox
-automation:
- environment_name: dev
- short_name: sbox
-# You can create role bindings referring to the automation service account by
-# referring to it using `self` keyword, per the example below
-iam:
- roles/owner:
- - self
-factories_config:
- org_policies: data/org-policies/sandbox
diff --git a/fast/stages/1-resman-legacy/data/top-level-folders/teams.yaml b/fast/stages/1-resman-legacy/data/top-level-folders/teams.yaml
deleted file mode 100644
index 227e47639..000000000
--- a/fast/stages/1-resman-legacy/data/top-level-folders/teams.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
-
-name: Teams
-iam_by_principals:
- project-factory-rw:
- - roles/owner
- - roles/resourcemanager.folderAdmin
- - roles/resourcemanager.projectCreator
- - roles/resourcemanager.tagUser
- - service_project_network_admin
- project-factory-ro:
- - roles/viewer
- - roles/resourcemanager.folderViewer
- - roles/resourcemanager.tagViewer
-iam_bindings:
- pf_viewer:
- role: organization_admin_viewer
- members:
- - project-factory-ro
- condition:
- title: project-factory-scoped
- description: Allow to check buckets and contact policies
- expression: |
- resource.matchTag('${organization.id}/${tag_names.context}', 'project-factory')
-
-# don't create a context tag since this uses the pf tag
-is_fast_context: false
-tag_bindings:
- context: context/project-factory
diff --git a/fast/stages/1-resman-legacy/diagram.png b/fast/stages/1-resman-legacy/diagram.png
deleted file mode 100644
index 8d3d9665e..000000000
Binary files a/fast/stages/1-resman-legacy/diagram.png and /dev/null differ
diff --git a/fast/stages/1-resman-legacy/fast_version.txt b/fast/stages/1-resman-legacy/fast_version.txt
deleted file mode 100644
index ba9053698..000000000
--- a/fast/stages/1-resman-legacy/fast_version.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# FAST release: v44.2.0
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/main.tf b/fast/stages/1-resman-legacy/main.tf
deleted file mode 100644
index 665a5a3bb..000000000
--- a/fast/stages/1-resman-legacy/main.tf
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- environment_default = [
- for k, v in var.environments : v if v.is_default
- ][0]
- identity_providers = coalesce(
- try(var.automation.federated_identity_providers, null), {}
- )
- principals = {
- for k, v in var.groups : k => (
- can(regex("^[a-zA-Z]+:", v))
- ? v
- : "group:${v}@${var.organization.domain}"
- )
- }
- principals_iam = merge(local.principals, {
- for k, v in local.stage_service_accounts :
- replace(k, "_", "-") => "serviceAccount:${v}"
- })
- root_node = (
- var.root_node == null
- ? "organizations/${var.organization.id}"
- : var.root_node
- )
- # normalize parent stages
- stage_addons = {
- for k, v in var.fast_addon : k => merge(v, {
- short_name = k
- stage = regex("^(?P[0-9])-(?P.*?)$", v.parent_stage)
- })
- }
- # combined list of stage service accounts
- stage_service_accounts = merge(
- { for k, v in local.stage2 : "${k}-rw" => module.stage2-sa-rw[k].email },
- { for k, v in local.stage2 : "${k}-ro" => module.stage2-sa-ro[k].email },
- { for k, v in local.stage3 : "${k}-rw" => module.stage3-sa-rw[k].email },
- { for k, v in local.stage3 : "${k}-ro" => module.stage3-sa-ro[k].email },
- )
- stage_service_accounts_iam = {
- for k, v in local.stage_service_accounts : k => "serviceAccount:${v}"
- }
- tag_keys = (
- var.root_node == null
- ? module.organization[0].tag_keys
- : module.automation-project[0].tag_keys
- )
- tag_root = (
- var.root_node == null
- ? var.organization.id
- : var.automation.project_id
- )
- tag_values = (
- var.root_node == null
- ? module.organization[0].tag_values
- : module.automation-project[0].tag_values
- )
- top_level_folder_ids = {
- for k, v in module.top-level-folder : k => v.id
- }
- top_level_service_accounts = {
- for k, v in module.top-level-sa : k => try(v.email)
- }
- top_level_service_accounts_iam = {
- for k, v in local.top_level_service_accounts : k => "serviceAccount:${v}"
- }
- # leaving this here to document how to get self identity in a stage
- # automation_resman_sa = try(
- # data.google_client_openid_userinfo.provider_identity[0].email, null
- # )
-}
-
-# data "google_client_openid_userinfo" "provider_identity" {
-# count = length(local.cicd_repositories) > 0 ? 1 : 0
-# }
diff --git a/fast/stages/1-resman-legacy/moved/v33.0.0-v34.0.0.tf b/fast/stages/1-resman-legacy/moved/v33.0.0-v34.0.0.tf
deleted file mode 100644
index 9b13d9e59..000000000
--- a/fast/stages/1-resman-legacy/moved/v33.0.0-v34.0.0.tf
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-moved {
- from = module.branch-pf-sa[0]
- to = module.branch-pf-sa
-}
-moved {
- from = module.branch-pf-dev-sa[0]
- to = module.branch-pf-dev-sa
-}
-moved {
- from = module.branch-pf-prod-sa[0]
- to = module.branch-pf-prod-sa
-}
-moved {
- from = module.branch-pf-r-sa[0]
- to = module.branch-pf-r-sa
-}
-moved {
- from = module.branch-pf-dev-r-sa[0]
- to = module.branch-pf-dev-r-sa
-}
-moved {
- from = module.branch-pf-prod-r-sa[0]
- to = module.branch-pf-prod-r-sa
-}
-moved {
- from = module.branch-pf-gcs[0]
- to = module.branch-pf-gcs
-}
-moved {
- from = module.branch-pf-dev-gcs[0]
- to = module.branch-pf-dev-gcs
-}
-moved {
- from = module.branch-pf-prod-gcs[0]
- to = module.branch-pf-prod-gcs
-}
-
diff --git a/fast/stages/1-resman-legacy/moved/v35.1.0-v36.0.0.tf b/fast/stages/1-resman-legacy/moved/v35.1.0-v36.0.0.tf
deleted file mode 100644
index f9934257d..000000000
--- a/fast/stages/1-resman-legacy/moved/v35.1.0-v36.0.0.tf
+++ /dev/null
@@ -1,238 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# stage 2 networking
-
-moved {
- from = module.branch-network-folder
- to = module.net-folder[0]
-}
-moved {
- from = module.branch-network-dev-folder
- to = module.net-folder-dev[0]
-}
-moved {
- from = module.branch-network-prod-folder
- to = module.net-folder-prod[0]
-}
-moved {
- from = module.branch-network-gcs
- to = module.net-bucket[0]
-}
-moved {
- from = module.branch-network-sa
- to = module.net-sa-ro[0]
-}
-moved {
- from = module.branch-network-r-sa
- to = module.net-sa-rw[0]
-}
-
-# stage 2 network security
-
-moved {
- from = module.branch-nsec-gcs[0]
- to = module.nsec-bucket[0]
-}
-moved {
- from = module.branch-nsec-sa[0]
- to = module.nsec-sa-rw[0]
-}
-moved {
- from = module.branch-nsec-r-sa[0]
- to = module.nsec-sa-ro[0]
-}
-moved {
- from = module.branch-networking-sa-cicd["0"]
- to = module.cicd-sa-rw["networking"]
-}
-moved {
- from = module.branch-networking-r-sa-cicd["0"]
- to = module.cicd-sa-ro["networking"]
-}
-
-# stage 2 project factory
-
-moved {
- from = module.branch-pf-gcs
- to = module.pf-bucket[0]
-}
-moved {
- from = module.branch-pf-sa
- to = module.pf-sa-rw[0]
-}
-moved {
- from = module.branch-pf-r-sa
- to = module.pf-sa-ro[0]
-}
-moved {
- from = module.branch-pf-sa-cicd
- to = module.cicd-sa-rw["project-factory"]
-}
-moved {
- from = module.branch-pf-r-sa-cicd
- to = module.cicd-sa-ro["project-factory"]
-}
-
-# stage 2 security
-
-moved {
- from = module.branch-security-folder
- to = module.sec-folder[0]
-}
-moved {
- from = module.branch-security-gcs
- to = module.sec-bucket[0]
-}
-moved {
- from = module.branch-security-sa
- to = module.sec-sa-rw[0]
-}
-moved {
- from = module.branch-security-r-sa
- to = module.sec-sa-ro[0]
-}
-moved {
- from = module.branch-security-sa-cicd["0"]
- to = module.cicd-sa-rw["security"]
-}
-moved {
- from = module.branch-security-r-sa-cicd["0"]
- to = module.cicd-sa-ro["security"]
-}
-
-# project factory dev
-
-moved {
- from = module.branch-pf-dev-gcs
- to = module.stage3-bucket["project-factory-dev"]
-}
-moved {
- from = module.branch-pf-dev-sa
- to = module.stage3-sa-rw["project-factory-dev"]
-}
-moved {
- from = module.branch-pf-dev-r-sa
- to = module.stage3-sa-ro["project-factory-dev"]
-}
-
-# project factory prod
-
-moved {
- from = module.branch-pf-prod-gcs
- to = module.stage3-bucket["project-factory-prod"]
-}
-moved {
- from = module.branch-pf-prod-sa
- to = module.stage3-sa-rw["project-factory-prod"]
-}
-moved {
- from = module.branch-pf-prod-r-sa
- to = module.stage3-sa-ro["project-factory-prod"]
-}
-
-# sandbox
-
-moved {
- from = module.branch-sandbox-folder[0]
- to = module.top-level-folder["sandbox"]
-}
-moved {
- from = module.branch-sandbox-gcs[0]
- to = module.top-level-bucket["sandbox"]
-}
-moved {
- from = module.branch-sandbox-sa[0]
- to = module.top-level-sa["sandbox"]
-}
-
-# stage 3 gke
-
-moved {
- from = module.branch-gke-folder[0]
- to = module.top-level-folder["gke"]
-}
-moved {
- from = module.branch-gke-dev-folder[0]
- to = module.stage3-folder["gke-dev"]
-}
-moved {
- from = module.branch-gke-prod-folder[0]
- to = module.stage3-folder["gke-prod"]
-}
-moved {
- from = module.branch-gke-dev-gcs[0]
- to = module.stage3-bucket["gke-dev"]
-}
-moved {
- from = module.branch-gke-prod-gcs[0]
- to = module.stage3-bucket["gke-prod"]
-}
-moved {
- from = module.branch-gke-dev-sa[0]
- to = module.stage3-sa-rw["gke-dev"]
-}
-moved {
- from = module.branch-gke-prod-sa[0]
- to = module.stage3-sa-rw["gke-prod"]
-}
-moved {
- from = module.branch-gke-dev-r-sa[0]
- to = module.stage3-sa-ro["gke-dev"]
-}
-moved {
- from = module.branch-gke-prod-r-sa[0]
- to = module.stage3-sa-ro["gke-prod"]
-}
-
-# stage 3 gcve
-
-moved {
- from = module.branch-gcve-folder[0]
- to = module.top-level-folder["gcve"]
-}
-moved {
- from = module.branch-gcve-dev-folder[0]
- to = module.stage3-folder["gcve-dev"]
-}
-moved {
- from = module.branch-gcve-prod-folder[0]
- to = module.stage3-folder["gcve-prod"]
-}
-moved {
- from = module.branch-gcve-dev-gcs[0]
- to = module.stage3-bucket["gcve-dev"]
-}
-moved {
- from = module.branch-gcve-prod-gcs[0]
- to = module.stage3-bucket["gcve-prod"]
-}
-moved {
- from = module.branch-gcve-dev-sa[0]
- to = module.stage3-sa-rw["gcve-dev"]
-}
-moved {
- from = module.branch-gcve-prod-sa[0]
- to = module.stage3-sa-rw["gcve-prod"]
-}
-moved {
- from = module.branch-gcve-dev-r-sa[0]
- to = module.stage3-sa-ro["gcve-dev"]
-}
-moved {
- from = module.branch-gcve-prod-r-sa[0]
- to = module.stage3-sa-ro["gcve-prod"]
-}
diff --git a/fast/stages/1-resman-legacy/moved/v36.0.1-v37.0.0.tf b/fast/stages/1-resman-legacy/moved/v36.0.1-v37.0.0.tf
deleted file mode 100644
index 59e198891..000000000
--- a/fast/stages/1-resman-legacy/moved/v36.0.1-v37.0.0.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-moved {
- from = module.net-folder-dev[0]
- to = module.net-folder-envs["dev"]
-}
-
-moved {
- from = module.net-folder-prod[0]
- to = module.net-folder-envs["prod"]
-}
-
-moved {
- from = module.sec-folder-dev[0]
- to = module.sec-folder-envs["dev"]
-}
-
-moved {
- from = module.sec-folder-prod[0]
- to = module.sec-folder-envs["prod"]
-}
diff --git a/fast/stages/1-resman-legacy/moved/v37.4.0-v38.0.0.tf b/fast/stages/1-resman-legacy/moved/v37.4.0-v38.0.0.tf
deleted file mode 100644
index ae99dcf0a..000000000
--- a/fast/stages/1-resman-legacy/moved/v37.4.0-v38.0.0.tf
+++ /dev/null
@@ -1,80 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# networking
-moved {
- from = module.net-folder[0]
- to = module.stage2-folder["networking"]
-}
-moved {
- from = module.net-folder-envs["dev"]
- to = module.stage2-folder-env["networking-dev"]
-}
-moved {
- from = module.net-folder-envs["prod"]
- to = module.stage2-folder-env["networking-prod"]
-}
-moved {
- from = module.net-bucket[0]
- to = module.stage2-bucket["networking"]
-}
-moved {
- from = module.net-sa-ro[0]
- to = module.stage2-sa-ro["networking"]
-}
-moved {
- from = module.net-sa-rw[0]
- to = module.stage2-sa-rw["networking"]
-}
-# project factory
-# resources change prefix and are recreated anyway
-moved {
- from = module.pf-bucket[0]
- to = module.stage2-bucket["project-factory"]
-}
-moved {
- from = module.pf-sa-ro[0]
- to = module.stage2-sa-ro["project-factory"]
-}
-moved {
- from = module.pf-sa-rw[0]
- to = module.stage2-sa-rw["project-factory"]
-}
-# security
-moved {
- from = module.sec-folder[0]
- to = module.stage2-folder["security"]
-}
-moved {
- from = module.sec-folder-envs["dev"]
- to = module.stage2-folder-env["security-dev"]
-}
-moved {
- from = module.sec-folder-envs["prod"]
- to = module.stage2-folder-env["security-prod"]
-}
-moved {
- from = module.sec-bucket[0]
- to = module.stage2-bucket["security"]
-}
-moved {
- from = module.sec-sa-ro[0]
- to = module.stage2-sa-ro["security"]
-}
-moved {
- from = module.sec-sa-rw[0]
- to = module.stage2-sa-rw["security"]
-}
diff --git a/fast/stages/1-resman-legacy/organization-tags.tf b/fast/stages/1-resman-legacy/organization-tags.tf
deleted file mode 100644
index ee5d89cb9..000000000
--- a/fast/stages/1-resman-legacy/organization-tags.tf
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Organization-level tag locals.
-
-locals {
- # context tag values for enabled stage 2s (merged in the final map below)
- _context_tag_values_stage2 = {
- for k, v in local.stage2 : k => replace(k, "_", "-")
- }
- # merge all context tag values into a single map
- context_tag_values = merge(
- # user-defined
- try(local.tags["context"]["values"], {}),
- # top-level folders
- {
- for k, v in local.top_level_folders : k => {
- iam = try(local.tags.context.values.iam[k], {})
- description = try(local.tags.context.values.description[k], null)
- } if v.is_fast_context == true
- },
- # stage 2s
- {
- for k, v in local._context_tag_values_stage2 : v => {
- iam = try(local.tags.context.values.iam[v], {})
- description = try(local.tags.context.values.description[v], null)
- }
- },
- # stage 3 define no context as they attach to a top-level folder
- )
- # environment tag values and their IAM bindings for stage 2 service accounts
- environment_tag_values = {
- for k, v in var.environments : v.tag_name => {
- iam = merge(
- # user-defined configuration
- try(local.tags.environment.values[v.tag_name].iam, {}),
- # stage 2 service accounts
- {
- "roles/resourcemanager.tagUser" = distinct(concat(
- try(local.tags.environment.values[v.tag_name].iam["roles/resourcemanager.tagUser"], []),
- [for k, v in module.stage2-sa-rw : v.iam_email]
- ))
- "roles/resourcemanager.tagViewer" = distinct(concat(
- try(local.tags.environment.values[v.tag_name].iam["roles/resourcemanager.tagViewer"], []),
- [for k, v in module.stage2-sa-ro : v.iam_email]
- ))
- }
- )
- description = try(
- local.tags.environment.values[v].description, null
- )
- }
- }
- # organization policy tags managed in stage 0
- org_policy_tags = {
- for k, v in var.org_policy_tags.values :
- "${var.org_policy_tags.key_name}/${k}" => v
- }
- # context expansion for user-specified tag values
- tags = {
- for k, v in var.tags : k => merge(v, {
- iam = {
- for rk, rv in v.iam : rk => [
- for rm in rv : lookup(local.principals_iam, rm, rm)
- ]
- }
- id = (
- v.id == null || v.id != var.org_policy_tags.key_name
- ? v.id
- : var.org_policy_tags.key_id
- )
- values = {
- for vk, vv in v.values : vk => merge(vv, {
- iam = {
- for rk, rv in vv.iam : rk => [
- for rm in rv : try(
- local.principals_iam[rm],
- local.stage_service_accounts_iam[rm],
- rm
- )
- ]
- }
- id = (
- vv.id == null || v.id != var.org_policy_tags.key_name
- ? null
- : try(
- local.org_policy_tags["${var.org_policy_tags.key_name}/${vv.id}"],
- vv.id
- )
- )
- })
- }
- })
- }
-}
diff --git a/fast/stages/1-resman-legacy/organization.tf b/fast/stages/1-resman-legacy/organization.tf
deleted file mode 100644
index 067036900..000000000
--- a/fast/stages/1-resman-legacy/organization.tf
+++ /dev/null
@@ -1,83 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Organization-level IAM and org policies.
-
-locals {
- condition_vars = {
- organization = var.organization
- tag_names = var.tag_names
- }
- # combine org-level IAM additive from billing and stage 2s
- iam_bindings_additive = merge(
- merge([
- for k, v in local.stage2 :
- v.organization_config.iam_bindings_additive
- ]...),
- local.billing_mode != "org" ? {} : local.billing_iam
- )
-}
-
-module "organization" {
- source = "../../../modules/organization"
- count = var.root_node == null ? 1 : 0
- organization_id = "organizations/${var.organization.id}"
- # additive bindings leveraging the delegated IAM grant set in stage 0
- iam_bindings_additive = {
- for k, v in local.iam_bindings_additive : k => {
- role = lookup(var.custom_roles, v.role, v.role)
- member = lookup(local.principals_iam, v.member, v.member)
- condition = lookup(v, "condition", null)
- }
- }
- context = {
- iam_principals = merge(
- var.factories_config.context.iam_principals,
- local.top_level_service_accounts_iam,
- local.stage_service_accounts_iam
- )
- tag_keys = merge(
- var.factories_config.context.tag_keys,
- {
- (var.org_policy_tags.key_name) = var.org_policy_tags.key_id
- }
- )
- tag_values = merge(
- var.factories_config.context.tag_values,
- {
- for k, v in var.org_policy_tags.values :
- "${var.org_policy_tags.key_name}/${k}" => v
- }
- )
- }
- factories_config = {
- tags = var.factories_config.tags
- }
- # do not assign tagViewer or tagUser roles here on tag keys and values as
- # they are managed authoritatively and will break multitenant stages
- tags = merge(local.tags, {
- (var.tag_names.context) = {
- description = try(local.tags[var.tag_names.context].description, "Resource management context.")
- iam = try(local.tags[var.tag_names.context].iam, {})
- values = local.context_tag_values
- },
- (var.tag_names.environment) = {
- description = try(local.tags[var.tag_names.environment].description, "Environment definition.")
- iam = try(local.tags[var.tag_names.environment].iam, {})
- values = local.environment_tag_values
- }
- })
-}
diff --git a/fast/stages/1-resman-legacy/outputs-cicd.tf b/fast/stages/1-resman-legacy/outputs-cicd.tf
deleted file mode 100644
index e43d78e87..000000000
--- a/fast/stages/1-resman-legacy/outputs-cicd.tf
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Locals for CI/CD workflow files.
-
-locals {
- # render CI/CD workflow templates
- cicd_workflows = {
- for k, v in local.cicd_repositories : "${v.level}-${replace(k, "_", "-")}" => templatefile(
- "${path.module}/templates/workflow-${v.repository.type}.yaml", {
- # If users give a list of custom audiences we set by default the first element.
- # If no audiences are given, we set https://iam.googleapis.com/{PROVIDER_NAME}
- audiences = try(
- local.identity_providers[v.identity_provider].audiences, []
- )
- identity_provider = try(
- local.identity_providers[v.identity_provider].name, ""
- )
- outputs_bucket = var.automation.outputs_bucket
- service_accounts = {
- apply = try(module.cicd-sa-rw[k].email, "")
- plan = try(module.cicd-sa-ro[k].email, "")
- }
- stage_name = k
- tf_providers_files = {
- apply = replace(local.cicd_workflow_providers[k], "_", "-")
- plan = replace(local.cicd_workflow_providers["${k}-r"], "_", "-")
- }
- tf_var_files = concat((
- v.level == 2 ?
- [
- "0-bootstrap.auto.tfvars.json",
- "1-resman.auto.tfvars.json",
- "0-globals.auto.tfvars.json"
- ]
- : [
- "0-bootstrap.auto.tfvars.json",
- "0-globals.auto.tfvars.json",
- "1-resman.auto.tfvars.json",
- "2-networking.auto.tfvars.json",
- "2-security.auto.tfvars.json"
- ]
- ),
- v.workflows_config.extra_files
- )
- }
- )
- }
-}
diff --git a/fast/stages/1-resman-legacy/outputs-files.tf b/fast/stages/1-resman-legacy/outputs-files.tf
deleted file mode 100644
index 99acd2d04..000000000
--- a/fast/stages/1-resman-legacy/outputs-files.tf
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Output files persistence to local filesystem.
-
-locals {
- _tpl_providers = "${path.module}/templates/providers.tf.tpl"
- outputs_location = try(pathexpand(var.outputs_location), "")
-}
-
-resource "local_file" "providers" {
- for_each = var.outputs_location == null ? {} : local.providers
- file_permission = "0644"
- filename = "${local.outputs_location}/providers/${each.key}-providers.tf"
- content = try(each.value, null)
-}
-
-resource "local_file" "tfvars" {
- for_each = var.outputs_location == null ? {} : { 1 = 1 }
- file_permission = "0644"
- filename = "${local.outputs_location}/tfvars/1-resman.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-resource "local_file" "workflows" {
- for_each = var.outputs_location == null ? {} : local.cicd_workflows
- file_permission = "0644"
- filename = "${local.outputs_location}/workflows/${replace(each.key, "_", "-")}-workflow.yaml"
- content = try(each.value, null)
-}
-
-resource "google_storage_bucket_object" "providers" {
- for_each = local.providers
- bucket = var.automation.outputs_bucket
- name = "providers/${each.key}-providers.tf"
- content = each.value
-}
-
-resource "google_storage_bucket_object" "tfvars" {
- bucket = var.automation.outputs_bucket
- name = "tfvars/1-resman.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-resource "google_storage_bucket_object" "workflows" {
- for_each = local.cicd_workflows
- bucket = var.automation.outputs_bucket
- name = "workflows/${replace(each.key, "_", "-")}-workflow.yaml"
- content = each.value
-}
-
-resource "google_storage_bucket_object" "version" {
- count = fileexists("fast_version.txt") ? 1 : 0
- bucket = var.automation.outputs_bucket
- name = "versions/1-resman-version.txt"
- source = "fast_version.txt"
-}
diff --git a/fast/stages/1-resman-legacy/outputs-providers.tf b/fast/stages/1-resman-legacy/outputs-providers.tf
deleted file mode 100644
index 87636e80e..000000000
--- a/fast/stages/1-resman-legacy/outputs-providers.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Locals for provider output files.
-
-locals {
- # render provider files from template
- providers = merge(
- # stage 2
- {
- for k, v in local.stage2 :
- "2-${k}" => templatefile(local._tpl_providers, {
- backend_extra = null
- bucket = module.stage2-bucket[k].name
- name = k
- sa = module.stage2-sa-rw[k].email
- })
- },
- {
- for k, v in local.stage2 :
- "2-${k}-r" => templatefile(local._tpl_providers, {
- backend_extra = null
- bucket = module.stage2-bucket[k].name
- name = k
- sa = module.stage2-sa-ro[k].email
- })
- },
- # stage 2 addons
- {
- for k, v in local.stage_addons :
- "${v.parent_stage}-${v.short_name}" => templatefile(local._tpl_providers, {
- backend_extra = "prefix = \"addons/${k}\""
- bucket = module.stage2-bucket[v.stage.name].name
- name = "${v.stage.name}-${v.short_name}"
- sa = module.stage2-sa-rw[v.stage.name].email
- }) if lookup(local.stage2, v.stage.name, null) != null
- },
- {
- for k, v in local.stage_addons :
- "${v.parent_stage}-${v.short_name}-r" => templatefile(local._tpl_providers, {
- backend_extra = "prefix = \"addons/${k}\""
- bucket = module.stage2-bucket[v.stage.name].name
- name = "${v.stage.name}-${v.short_name}"
- sa = module.stage2-sa-ro[v.stage.name].email
- }) if lookup(local.stage2, v.stage.name, null) != null
- },
- # stage 3
- {
- for k, v in local.stage3 :
- "3-${k}" => templatefile(local._tpl_providers, {
- backend_extra = null
- bucket = module.stage3-bucket[k].name
- name = k
- sa = module.stage3-sa-rw[k].email
- })
- },
- {
- for k, v in local.stage3 :
- "3-${k}-r" => templatefile(local._tpl_providers, {
- backend_extra = null
- bucket = module.stage3-bucket[k].name
- name = k
- sa = module.stage3-sa-ro[k].email
- })
- },
- # top-level folders
- {
- for k, v in module.top-level-sa :
- "1-resman-folder-${k}" => templatefile(local._tpl_providers, {
- backend_extra = null
- bucket = module.top-level-bucket[k].name
- name = k
- sa = v.email
- })
- },
- )
-}
diff --git a/fast/stages/1-resman-legacy/outputs.tf b/fast/stages/1-resman-legacy/outputs.tf
deleted file mode 100644
index 27f3abdd7..000000000
--- a/fast/stages/1-resman-legacy/outputs.tf
+++ /dev/null
@@ -1,104 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- folder_ids = merge(
- # stage 2
- { for k, v in module.stage2-folder : k => v.id },
- { for k, v in module.stage2-folder-env : k => v.id },
- # stage 3
- { for k, v in module.stage3-folder : k => v.id },
- # top-level folders
- local.top_level_folder_ids
- )
- service_accounts = merge(
- local.stage_service_accounts,
- local.top_level_service_accounts
- )
- tfvars = {
- stage_configs = merge(
- {
- for k, v in local.stage3 : k => {
- environment = v.environment
- short_name = v.short_name
- }
- },
- {
- for k, v in local.stage2 : k => {
- short_name = v.short_name
- iam_admin_delegated = {
- for kk in v.stage3_config.iam_admin_delegated :
- kk.environment => lookup(
- local.principals_iam, kk.principal, kk.principal
- )...
- }
- iam_viewer = {
- for kk in v.stage3_config.iam_viewer :
- kk.environment => lookup(
- local.principals_iam, kk.principal, kk.principal
- )...
- }
- }
- }
- )
- folder_ids = local.folder_ids
- service_accounts = local.service_accounts
- tag_keys = { for k, v in try(local.tag_keys, {}) : k => v.id }
- tag_names = var.tag_names
- tag_values = { for k, v in try(local.tag_values, {}) : k => v.id }
- }
-}
-
-output "cicd_repositories" {
- description = "WIF configuration for CI/CD repositories."
- value = {
- for k, v in local.cicd_repositories : k => {
- repository = v.repository
- provider = try(
- local.identity_providers[v.identity_provider].name, null
- )
- }
- }
-}
-
-output "folder_ids" {
- description = "Folder ids."
- value = local.folder_ids
-}
-
-# ready to use provider configurations for subsequent stages
-output "providers" {
- description = "Terraform provider files for this stage and dependent stages."
- sensitive = true
- value = local.providers
-}
-
-output "service_accounts" {
- description = "Service accounts."
- value = local.service_accounts
-}
-
-output "tag_values" {
- description = "Tag values."
- value = local.tfvars.tag_values
-}
-
-# ready to use variable values for subsequent stages
-output "tfvars" {
- description = "Terraform variable files for the following stages."
- sensitive = true
- value = local.tfvars
-}
diff --git a/fast/stages/1-resman-legacy/schemas/fast-stage2.schema.json b/fast/stages/1-resman-legacy/schemas/fast-stage2.schema.json
deleted file mode 100644
index d9daf9545..000000000
--- a/fast/stages/1-resman-legacy/schemas/fast-stage2.schema.json
+++ /dev/null
@@ -1,336 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "FAST stage 2",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "short_name": {
- "type": "string"
- },
- "cicd_config": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "identity_provider",
- "repository"
- ],
- "properties": {
- "identity_provider": {
- "type": "string"
- },
- "repository": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "name"
- ],
- "properties": {
- "name": {
- "type": "string"
- },
- "branch": {
- "type": "string"
- },
- "type": {
- "type": "string",
- "enum": [
- "github",
- "gitlab"
- ],
- "default": "github"
- }
- }
- },
- "workflows_config": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "extra_files": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
- },
- "folder_config": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "name"
- ],
- "properties": {
- "name": {
- "type": "string"
- },
- "create_env_folders": {
- "type": "boolean",
- "default": true
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "iam_by_principals": {
- "$ref": "#/$defs/iam_by_principals"
- },
- "org_policies": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z]+\\.": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "inherit_from_parent": {
- "type": "boolean"
- },
- "reset": {
- "type": "boolean"
- },
- "rules": {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "allow": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "deny": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "enforce": {
- "type": "boolean"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "expression": {
- "type": "string"
- },
- "location": {
- "type": "string"
- },
- "title": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "parent_id": {
- "type": "string"
- },
- "tag_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "string"
- }
- }
- }
- }
- },
- "organization_config": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "iam_by_principals": {
- "$ref": "#/$defs/iam_by_principals"
- }
- }
- },
- "stage3_config": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "iam_admin_delegated": {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "environment": {
- "type": "string"
- },
- "principal": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- }
- }
- },
- "iam_viewer": {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "environment": {
- "type": "string"
- },
- "principal": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- }
- }
- }
- }
- }
- },
- "$defs": {
- "iam": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:roles/|[a-z_]+)": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- }
- }
- },
- "iam_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "members": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- },
- "role": {
- "type": "string",
- "pattern": "^(?:roles/|[a-z])"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_bindings_additive": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "member": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- },
- "role": {
- "type": "string",
- "pattern": "^(?:roles/|[a-z])"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_by_principals": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z]+[a-z-]+$": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:roles/|[a-z_]+)"
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/schemas/fast-stage2.schema.md b/fast/stages/1-resman-legacy/schemas/fast-stage2.schema.md
deleted file mode 100644
index 82d85d2cd..000000000
--- a/fast/stages/1-resman-legacy/schemas/fast-stage2.schema.md
+++ /dev/null
@@ -1,118 +0,0 @@
-# FAST stage 2
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **short_name**: *string*
-- **cicd_config**: *object*
-
*additional properties: false*
- - ⁺**identity_provider**: *string*
- - ⁺**repository**: *object*
-
*additional properties: false*
- - ⁺**name**: *string*
- - **branch**: *string*
- - **type**: *string*
-
*default: github*, *enum: ['github', 'gitlab']*
- - **workflows_config**: *object*
-
*additional properties: false*
- - **extra_files**: *array*
- - items: *string*
-- **folder_config**: *object*
-
*additional properties: false*
- - ⁺**name**: *string*
- - **create_env_folders**: *boolean*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
- - **org_policies**: *object*
-
*additional properties: false*
- - **`^[a-z]+\.`**: *object*
-
*additional properties: false*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
- - **parent_id**: *string*
- - **tag_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *string*
-- **organization_config**: *object*
-
*additional properties: false*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
-- **stage3_config**: *object*
-
*additional properties: false*
- - **iam_admin_delegated**: *array*
- - items: *object*
-
*additional properties: false*
- - **environment**: *string*
- - **principal**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **iam_viewer**: *array*
- - items: *object*
-
*additional properties: false*
- - **environment**: *string*
- - **principal**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
-
-## Definitions
-
-- **iam**: *object*
-
*additional properties: false*
- - **`^(?:roles/|[a-z_]+)`**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
-- **iam_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **members**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^(?:roles/|[a-z])*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_bindings_additive**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **member**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^(?:roles/|[a-z])*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_by_principals**: *object*
-
*additional properties: false*
- - **`^[a-z]+[a-z-]+$`**: *array*
- - items: *string*
-
*pattern: ^(?:roles/|[a-z_]+)*
diff --git a/fast/stages/1-resman-legacy/schemas/fast-stage3.schema.json b/fast/stages/1-resman-legacy/schemas/fast-stage3.schema.json
deleted file mode 100644
index 5b2bf0808..000000000
--- a/fast/stages/1-resman-legacy/schemas/fast-stage3.schema.json
+++ /dev/null
@@ -1,292 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "FAST stage 3",
- "type": "object",
- "additionalProperties": false,
- "required": [
- "short_name",
- "environment"
- ],
- "properties": {
- "short_name": {
- "type": "string"
- },
- "environment": {
- "type": "string",
- "enum": [
- "dev",
- "prod"
- ]
- },
- "cicd_config": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "identity_provider",
- "repository"
- ],
- "properties": {
- "identity_provider": {
- "type": "string"
- },
- "repository": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "name"
- ],
- "properties": {
- "name": {
- "type": "string"
- },
- "branch": {
- "type": "string"
- },
- "type": {
- "type": "string",
- "enum": [
- "github",
- "gitlab"
- ],
- "default": "github"
- }
- }
- },
- "workflows_config": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "extra_files": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
- },
- "folder_config": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "name"
- ],
- "properties": {
- "name": {
- "type": "string"
- },
- "parent_id": {
- "type": "string"
- },
- "tag_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "string"
- }
- }
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "iam_by_principals": {
- "$ref": "#/$defs/iam_by_principals"
- },
- "org_policies": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z]+\\.": {
- "type": "object",
- "properties": {
- "inherit_from_parent": {
- "type": "boolean"
- },
- "reset": {
- "type": "boolean"
- },
- "rules": {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "allow": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "deny": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "enforce": {
- "type": "boolean"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "expression": {
- "type": "string"
- },
- "location": {
- "type": "string"
- },
- "title": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "$defs": {
- "iam": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:roles/|[a-z_]+)": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- }
- }
- },
- "iam_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "members": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- },
- "role": {
- "type": "string",
- "pattern": "^roles/"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_bindings_additive": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "member": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- },
- "role": {
- "type": "string",
- "pattern": "^(?:roles/|[a-z])"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_by_principals": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z]+[a-z-]+$": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:roles/|[a-z_]+)"
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/schemas/fast-stage3.schema.md b/fast/stages/1-resman-legacy/schemas/fast-stage3.schema.md
deleted file mode 100644
index 295fd3d25..000000000
--- a/fast/stages/1-resman-legacy/schemas/fast-stage3.schema.md
+++ /dev/null
@@ -1,100 +0,0 @@
-# FAST stage 3
-
-
-
-## Properties
-
-*additional properties: false*
-
-- ⁺**short_name**: *string*
-- ⁺**environment**: *string*
-
*enum: ['dev', 'prod']*
-- **cicd_config**: *object*
-
*additional properties: false*
- - ⁺**identity_provider**: *string*
- - ⁺**repository**: *object*
-
*additional properties: false*
- - ⁺**name**: *string*
- - **branch**: *string*
- - **type**: *string*
-
*default: github*, *enum: ['github', 'gitlab']*
- - **workflows_config**: *object*
-
*additional properties: false*
- - **extra_files**: *array*
- - items: *string*
-- **folder_config**: *object*
-
*additional properties: false*
- - ⁺**name**: *string*
- - **parent_id**: *string*
- - **tag_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
- - **org_policies**: *object*
-
*additional properties: false*
- - **`^[a-z]+\.`**: *object*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
-
-## Definitions
-
-- **iam**: *object*
-
*additional properties: false*
- - **`^(?:roles/|[a-z_]+)`**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
-- **iam_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **members**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^roles/*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_bindings_additive**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **member**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^(?:roles/|[a-z])*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_by_principals**: *object*
-
*additional properties: false*
- - **`^[a-z]+[a-z-]+$`**: *array*
- - items: *string*
-
*pattern: ^(?:roles/|[a-z_]+)*
diff --git a/fast/stages/1-resman-legacy/schemas/org-policies.schema.json b/fast/stages/1-resman-legacy/schemas/org-policies.schema.json
deleted file mode 120000
index c5ebcfaf7..000000000
--- a/fast/stages/1-resman-legacy/schemas/org-policies.schema.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../../modules/organization/schemas/org-policies.schema.json
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/schemas/org-policies.schema.md b/fast/stages/1-resman-legacy/schemas/org-policies.schema.md
deleted file mode 100644
index 9503c65c3..000000000
--- a/fast/stages/1-resman-legacy/schemas/org-policies.schema.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Organization Policies
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **`^[a-z-]+[a-zA-Z0-9\.]+$`**: *object*
-
*additional properties: false*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *reference([allow-deny](#refs-allow-deny))*
- - **deny**: *reference([allow-deny](#refs-allow-deny))*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
- - **parameters**: *string*
-
-## Definitions
-
-- **allow-deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
diff --git a/fast/stages/1-resman-legacy/schemas/tags.schema.json b/fast/stages/1-resman-legacy/schemas/tags.schema.json
deleted file mode 120000
index 87081ef23..000000000
--- a/fast/stages/1-resman-legacy/schemas/tags.schema.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../../modules/organization/schemas/tags.schema.json
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/schemas/tags.schema.md b/fast/stages/1-resman-legacy/schemas/tags.schema.md
deleted file mode 100644
index d33e47b15..000000000
--- a/fast/stages/1-resman-legacy/schemas/tags.schema.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# Resource Manager Tags
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **name**: *string*
-- **description**: *string*
-- **id**: *string*
-- **network**: *string*
-- **iam**: *reference([iam](#refs-iam))*
-- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
-- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
-- **values**: *object*
-
*additional properties: false*
- - **`^[a-z-][a-z0-9-]+$`**: *object*
-
*additional properties: false*
- - **name**: *string*
- - **description**: *string*
- - **id**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
-
-## Definitions
-
-- **iam**: *object*
-
*additional properties: false*
- - **`^roles/`**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
-- **iam_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **members**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^roles/*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_bindings_additive**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **member**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^[a-zA-Z0-9_/]+$*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
diff --git a/fast/stages/1-resman-legacy/schemas/top-level-folder.schema.json b/fast/stages/1-resman-legacy/schemas/top-level-folder.schema.json
deleted file mode 100644
index 377cfa355..000000000
--- a/fast/stages/1-resman-legacy/schemas/top-level-folder.schema.json
+++ /dev/null
@@ -1,367 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "Folder",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "automation": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "environment_name": {
- "type": "string"
- },
- "sa_impersonation_principals": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "short_name": {
- "type": "string"
- }
- }
- },
- "contacts": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "@": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:ALL|SUSPENSION|SECURITY|TECHNICAL|BILLING|LEGAL|PRODUCT_UPDATES)$"
- }
- }
- }
- },
- "factories_config": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "org_policies": {
- "type": "string"
- }
- }
- },
- "firewall_policy": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "name",
- "policy"
- ],
- "properties": {
- "name": {
- "type": "string"
- },
- "policy": {
- "type": "string"
- }
- }
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "iam_by_principals": {
- "$ref": "#/$defs/iam_by_principals"
- },
- "is_fast_context": {
- "type": "boolean",
- "default": true
- },
- "logging_data_access": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:[a-z_-]+)\\.googleapis\\.com$": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:DATA_READ|DATA_WRITE|ADMIN_READ)$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "exempted_members": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "@"
- }
- }
- }
- }
- }
- }
- }
- },
- "logging_exclusions": {
- "type": "object",
- "additionalProperties": {
- "type": "string"
- }
- },
- "logging_settings": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "disable_default_sink": {
- "type": "boolean"
- },
- "storage_location": {
- "type": "string"
- }
- }
- },
- "logging_sinks": {
- "type": "object",
- "additionalProperties": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "destination",
- "type"
- ],
- "properties": {
- "bq_partitioned_table": {
- "type": "boolean"
- },
- "description": {
- "type": "string"
- },
- "destination": {
- "type": "string"
- },
- "disabled": {
- "type": "boolean"
- },
- "exclusions": {
- "type": "object",
- "additionalProperties": {
- "type": "string"
- }
- },
- "filter": {
- "type": "string"
- },
- "iam": {
- "type": "boolean"
- },
- "include_children": {
- "type": "boolean"
- },
- "type": {
- "type": "string"
- }
- }
- }
- },
- "name": {
- "type": "string"
- },
- "org_policies": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z]+\\.": {
- "type": "object",
- "properties": {
- "inherit_from_parent": {
- "type": "boolean"
- },
- "reset": {
- "type": "boolean"
- },
- "rules": {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "allow": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "deny": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "enforce": {
- "type": "boolean"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "expression": {
- "type": "string"
- },
- "location": {
- "type": "string"
- },
- "title": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "parent_id": {
- "type": "string"
- },
- "tag_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "string"
- }
- }
- }
- },
- "$defs": {
- "iam": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:roles/|[a-z_]+)": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
- }
- }
- }
- },
- "iam_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "members": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
- }
- },
- "role": {
- "type": "string",
- "pattern": "^(?:roles/|[a-z_]+)"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_bindings_additive": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "member": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
- },
- "role": {
- "type": "string",
- "pattern": "^(?:roles/|[a-z_]+)"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_by_principals": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z]+[a-z-]+$": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:roles/|[a-z_]+)"
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/schemas/top-level-folder.schema.md b/fast/stages/1-resman-legacy/schemas/top-level-folder.schema.md
deleted file mode 100644
index a14f5a941..000000000
--- a/fast/stages/1-resman-legacy/schemas/top-level-folder.schema.md
+++ /dev/null
@@ -1,118 +0,0 @@
-# Folder
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **automation**: *object*
-
*additional properties: false*
- - **environment_name**: *string*
- - **sa_impersonation_principals**: *array*
- - items: *string*
- - **short_name**: *string*
-- **contacts**: *object*
-
*additional properties: false*
- - **`@`**: *array*
- - items: *string*
-
*pattern: ^(?:ALL|SUSPENSION|SECURITY|TECHNICAL|BILLING|LEGAL|PRODUCT_UPDATES)$*
-- **factories_config**: *object*
-
*additional properties: false*
- - **org_policies**: *string*
-- **firewall_policy**: *object*
-
*additional properties: false*
- - ⁺**name**: *string*
- - ⁺**policy**: *string*
-- **iam**: *reference([iam](#refs-iam))*
-- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
-- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
-- **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
-- **is_fast_context**: *boolean*
-- **logging_data_access**: *object*
-
*additional properties: false*
- - **`^(?:[a-z_-]+)\.googleapis\.com$`**: *object*
-
*additional properties: false*
- - **`^(?:DATA_READ|DATA_WRITE|ADMIN_READ)$`**: *object*
-
*additional properties: false*
- - **exempted_members**: *array*
- - items: *string*
-
*pattern: @*
-- **logging_exclusions**: *object*
- *additional properties: String*
-- **logging_settings**: *object*
-
*additional properties: false*
- - **disable_default_sink**: *boolean*
- - **storage_location**: *string*
-- **logging_sinks**: *object*
- *additional properties: Object*
-- **name**: *string*
-- **org_policies**: *object*
-
*additional properties: false*
- - **`^[a-z]+\.`**: *object*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
-- **parent_id**: *string*
-- **tag_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *string*
-
-## Definitions
-
-- **iam**: *object*
-
*additional properties: false*
- - **`^(?:roles/|[a-z_]+)`**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)*
-- **iam_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **members**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)*
- - **role**: *string*
-
*pattern: ^(?:roles/|[a-z_]+)*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_bindings_additive**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **member**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)*
- - **role**: *string*
-
*pattern: ^(?:roles/|[a-z_]+)*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_by_principals**: *object*
-
*additional properties: false*
- - **`^[a-z]+[a-z-]+$`**: *array*
- - items: *string*
-
*pattern: ^(?:roles/|[a-z_]+)*
diff --git a/fast/stages/1-resman-legacy/stage-2.tf b/fast/stages/1-resman-legacy/stage-2.tf
deleted file mode 100644
index afc78b18b..000000000
--- a/fast/stages/1-resman-legacy/stage-2.tf
+++ /dev/null
@@ -1,300 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Stage 2s locals and resources.
-
-locals {
- # read and decode factory files
- _stage2_path = try(
- pathexpand(var.factories_config.stage_2), null
- )
- _stage2_files = try(
- fileset(local._stage2_path, "**/*.yaml"),
- []
- )
- _stage2_data = {
- for f in local._stage2_files :
- split(".", f)[0] => yamldecode(file(
- "${coalesce(local._stage2_path, "-")}/${f}"
- ))
- }
- # merge stage 2 from factory and variable data
- _stage2 = merge(
- # normalize factory data attributes with defaults and nulls
- {
- for k, v in local._stage2_data : k => {
- short_name = lookup(v, "short_name", null)
- cicd_config = lookup(v, "cicd_config", null) == null ? null : {
- identity_provider = v.cicd_config.identity_provider
- repository = merge(v.cicd_config.repository, {
- branch = try(v.cicd_config.repository.branch, null)
- type = try(v.cicd_config.repository.type, "github")
- })
- workflows_config = {
- extra_files = try(v.cicd_config.workflows_config.extra_files, [])
- }
- }
- folder_config = lookup(v, "folder_config", null) == null ? null : {
- name = v.folder_config.name
- create_env_folders = try(v.folder_config.create_env_folders, false)
- iam = try(v.folder_config.iam, {})
- iam_bindings = try(v.folder_config.iam_bindings, {})
- iam_bindings_additive = try(v.folder_config.iam_bindings_additive, {})
- iam_by_principals = try(v.folder_config.iam_by_principals, {})
- org_policies = try(v.folder_config.org_policies, {})
- parent_id = try(v.folder_config.parent_id, null)
- tag_bindings = try(v.folder_config.tag_bindings, {})
- }
- organization_config = {
- iam = try(v.organization_config.iam, {})
- iam_bindings = try(v.organization_config.iam_bindings, {})
- iam_bindings_additive = try(v.organization_config.iam_bindings_additive, {})
- iam_by_principals = try(v.organization_config.iam_by_principals, {})
- }
- stage3_config = {
- iam_admin_delegated = try(v.stage3_config.iam_admin_delegated, [])
- iam_viewer = try(v.stage3_config.iam_viewer, [])
- }
- }
- },
- var.fast_stage_2
- )
- # normalize attributes
- stage2 = {
- for k, v in local._stage2 : k => merge(v, {
- short_name = replace(coalesce(v.short_name, k), "_", "-")
- folder_config = v.folder_config == null ? null : merge(v.folder_config, {
- iam = {
- for kk, vv in v.folder_config.iam : kk => [
- for m in vv : contains(["ro", "rw"], m) ? "${k}-${m}" : m
- ]
- }
- iam_bindings = {
- for kk, vv in v.folder_config.iam_bindings :
- kk => {
- role = vv.role
- members = [
- for m in vv.members : contains(["ro", "rw"], m) ? "${k}-${m}" : m
- ]
- condition = lookup(vv, "condition", null) == null ? null : {
- title = vv.condition.title
- expression = templatestring(vv.condition.expression, {
- custom_roles = var.custom_roles
- organization = var.organization
- tag_names = var.tag_names
- tag_root = local.tag_root
- })
- description = lookup(vv.condition, "description", null)
- }
- }
- }
- iam_bindings_additive = {
- for kk, vv in v.folder_config.iam_bindings_additive :
- kk => {
- role = vv.role
- member = contains(["ro", "rw"], vv.member) ? "${k}-${vv.member}" : vv.member
- condition = lookup(vv, "condition", null) == null ? null : {
- title = vv.condition.title
- expression = templatestring(vv.condition.expression, {
- custom_roles = var.custom_roles
- organization = var.organization
- tag_names = var.tag_names
- tag_root = local.tag_root
- })
- description = lookup(vv.condition, "description", null)
- }
- }
- }
- iam_by_principals = {
- for kk, vv in v.folder_config.iam_by_principals :
- (contains(["ro", "rw"], kk) ? "${k}-${kk}" : kk) => vv
- }
- })
- organization_config = merge(v.organization_config, {
- iam_bindings_additive = {
- for kk, vv in v.organization_config.iam_bindings_additive : kk => {
- member = contains(["ro", "rw"], vv.member) ? "${k}-${vv.member}" : vv.member
- role = vv.role
- condition = lookup(vv, "condition", null) == null ? null : {
- title = vv.condition.title
- expression = templatestring(vv.condition.expression, {
- custom_roles = var.custom_roles
- organization = var.organization
- tag_names = var.tag_names
- tag_root = local.tag_root
- })
- description = lookup(vv.condition, "description", null)
- }
- }
- }
- })
- })
- }
- # environment folder permutations
- stage2_env_folders = flatten([
- for k, v in local.stage2 : [
- for ek, ev in var.environments : {
- key = "${k}-${ek}"
- name = ev.name
- stage = k
- tag_name = ev.tag_name
- }
- ] if try(v.folder_config.create_env_folders, null) == true
- ])
- # stage 2 short names used to detect overlap in stage 3s
- stage2_shortnames = [for k, v in local.stage2 : v.short_name]
-}
-
-# top-level folder
-
-module "stage2-folder" {
- source = "../../../modules/folder"
- for_each = {
- for k, v in local.stage2 : k => v if v.folder_config != null
- }
- parent = (
- each.value.folder_config.parent_id == null
- ? local.root_node
- : try(
- local.top_level_folder_ids[each.value.folder_config.parent_id],
- each.value.folder_config.parent_id
- )
- )
- name = each.value.folder_config.name
- context = {
- condition_vars = local.condition_vars
- }
- iam = {
- for k, v in each.value.folder_config.iam :
- lookup(var.custom_roles, k, k) => [
- for m in v : lookup(local.principals_iam, m, m)
- ]
- }
- iam_bindings = {
- for k, v in each.value.folder_config.iam_bindings : k => merge(v, {
- members = [
- for m in v.members : lookup(local.principals_iam, m, m)
- ]
- role = lookup(var.custom_roles, v.role, v.role)
- condition = v.condition
- })
- }
- iam_bindings_additive = {
- for k, v in each.value.folder_config.iam_bindings_additive : k => merge(v, {
- member = lookup(local.principals_iam, v.member, v.member)
- role = lookup(var.custom_roles, v.role, v.role)
- condition = v.condition
- })
- }
- iam_by_principals = {
- for k, v in each.value.folder_config.iam_by_principals :
- lookup(local.principals_iam, k, k) => [
- for r in v : lookup(var.custom_roles, r, r)
- ]
- }
- org_policies = each.value.folder_config.org_policies
- tag_bindings = merge({
- (var.tag_names.context) = local.tag_values["${var.tag_names.context}/${each.key}"].id
- }, {
- for k, v in each.value.folder_config.tag_bindings : k => try(
- local.tag_values[v].id, v
- )
- })
- depends_on = [module.top-level-folder]
-}
-
-# optional per-environment folders
-
-module "stage2-folder-env" {
- source = "../../../modules/folder"
- for_each = { for k in local.stage2_env_folders : k.key => k }
- parent = module.stage2-folder[each.value.stage].id
- name = each.value.name
- tag_bindings = {
- (var.tag_names.environment) = try(
- local.tag_values["${var.tag_names.environment}/${each.value.tag_name}"].id,
- null
- )
- }
-}
-
-# automation service accounts
-
-module "stage2-sa-rw" {
- source = "../../../modules/iam-service-account"
- for_each = local.stage2
- project_id = var.automation.project_id
- name = templatestring(var.resource_names["sa-stage2_rw"], {
- name = each.value.short_name
- })
- display_name = (
- "Terraform resman ${each.key} service account."
- )
- prefix = "${var.prefix}-${local.environment_default.short_name}"
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.cicd-sa-rw[each.key].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-module "stage2-sa-ro" {
- source = "../../../modules/iam-service-account"
- for_each = local.stage2
- project_id = var.automation.project_id
- name = templatestring(var.resource_names["sa-stage2_ro"], {
- name = each.value.short_name
- })
- display_name = (
- "Terraform resman ${each.key} service account (read-only)."
- )
- prefix = "${var.prefix}-${local.environment_default.short_name}"
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.cicd-sa-ro[each.key].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation bucket
-
-module "stage2-bucket" {
- source = "../../../modules/gcs"
- for_each = local.stage2
- project_id = var.automation.project_id
- name = templatestring(var.resource_names["gcs-stage2"], {
- name = each.value.short_name
- })
- prefix = "${var.prefix}-${local.environment_default.short_name}"
- location = var.locations.gcs
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.stage2-sa-rw[each.key].iam_email]
- "roles/storage.objectViewer" = [module.stage2-sa-ro[each.key].iam_email]
- }
-}
diff --git a/fast/stages/1-resman-legacy/stage-3.tf b/fast/stages/1-resman-legacy/stage-3.tf
deleted file mode 100644
index 430b3d993..000000000
--- a/fast/stages/1-resman-legacy/stage-3.tf
+++ /dev/null
@@ -1,276 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- # read and decode factory files
- _stage3_path = try(
- pathexpand(var.factories_config.stage_3), null
- )
- _stage3_files = try(
- fileset(local._stage3_path, "**/*.yaml"),
- []
- )
- _stage3_data = {
- for f in local._stage3_files :
- split(".", f)[0] => yamldecode(file(
- "${coalesce(local._stage3_path, "-")}/${f}"
- ))
- }
- # merge stage 3 from factory and variable data
- _stage3 = merge(
- # normalize factory data attributes with defaults and nulls
- {
- for k, v in local._stage3_data : k => {
- short_name = v.short_name
- environment = try(v.environment, "dev")
- cicd_config = lookup(v, "cicd_config", null) == null ? null : {
- identity_provider = v.cicd_config.identity_provider
- repository = merge(v.cicd_config.repository, {
- branch = try(v.cicd_config.repository.branch, null)
- type = try(v.cicd_config.repository.type, "github")
- })
- workflows_config = {
- extra_files = try(v.cicd_config.workflows_config.extra_files, [])
- }
- }
- folder_config = lookup(v, "folder_config", null) == null ? null : {
- name = v.folder_config.name
- iam = try(v.folder_config.iam, {})
- iam_bindings = try(v.folder_config.iam_bindings, {})
- iam_bindings_additive = try(v.folder_config.iam_bindings_additive, {})
- iam_by_principals = try(v.folder_config.iam_by_principals, {})
- org_policies = try(v.folder_config.org_policies, {})
- parent_id = try(v.folder_config.parent_id, null)
- tag_bindings = try(v.folder_config.tag_bindings, {})
- }
- }
- },
- var.fast_stage_3
- )
- _stage_3_iam = { for k, v in local._stage3 : k => {
- "roles/logging.admin" = [module.stage3-sa-rw[k].iam_email]
- "roles/owner" = [module.stage3-sa-rw[k].iam_email]
- "roles/resourcemanager.folderAdmin" = [module.stage3-sa-rw[k].iam_email]
- "roles/resourcemanager.projectCreator" = [module.stage3-sa-rw[k].iam_email]
- "roles/compute.xpnAdmin" = [module.stage3-sa-rw[k].iam_email]
- "roles/viewer" = [module.stage3-sa-ro[k].iam_email]
- "roles/resourcemanager.folderViewer" = [module.stage3-sa-ro[k].iam_email]
- }
- }
- # normalize attributes
- stage3 = {
- for k, v in local._stage3 : k => merge(v, {
- short_name = replace(coalesce(v.short_name, k), "_", "-")
- # this code is identical to the one used for stage 2s
- folder_config = v.folder_config == null ? null : merge(v.folder_config, {
- iam = {
- for kk, vv in v.folder_config.iam : kk => [
- for m in vv : contains(["ro", "rw"], m) ? "${k}-${m}" : m
- ]
- }
- iam_bindings = {
- for kk, vv in v.folder_config.iam_bindings :
- kk => {
- role = vv.role
- members = [
- for m in vv.members : contains(["ro", "rw"], m) ? "${k}-${m}" : m
- ]
- condition = lookup(vv, "condition", null) == null ? null : {
- title = vv.condition.title
- expression = templatestring(vv.condition.expression, {
- custom_roles = var.custom_roles
- organization = var.organization
- tag_names = var.tag_names
- tag_root = local.tag_root
- })
- description = lookup(vv.condition, "description", null)
- }
- }
- }
- iam_bindings_additive = {
- for kk, vv in v.folder_config.iam_bindings_additive :
- kk => {
- role = vv.role
- member = contains(["ro", "rw"], vv.member) ? "${k}-${vv.member}" : vv.member
- condition = lookup(vv, "condition", null) == null ? null : {
- title = vv.condition.title
- expression = templatestring(vv.condition.expression, {
- custom_roles = var.custom_roles
- organization = var.organization
- tag_names = var.tag_names
- tag_root = local.tag_root
- })
- description = lookup(vv.condition, "description", null)
- }
- }
- }
- iam_by_principals = {
- for kk, vv in v.folder_config.iam_by_principals :
- (contains(["ro", "rw"], kk) ? "${k}-${kk}" : kk) => vv
- }
- })
- })
- if !contains(
- local.stage2_shortnames, replace(coalesce(v.short_name, k), "_", "-")
- )
- }
-}
-
-check "stage_short_names" {
- assert {
- condition = alltrue([
- for k, v in local._stage3 : !contains(
- local.stage2_shortnames, replace(coalesce(v.short_name, k), "_", "-")
- )
- ])
- error_message = "Some stage 3 short names overlap stage 2."
- }
-}
-
-# top-level folder
-
-module "stage3-folder" {
- source = "../../../modules/folder"
- for_each = {
- for k, v in local.stage3 : k => v if v.folder_config != null
- }
- parent = (
- each.value.folder_config.parent_id == null
- ? local.root_node
- : try(
- local.top_level_folder_ids[each.value.folder_config.parent_id],
- module.stage2-folder[each.value.folder_config.parent_id].id,
- each.value.folder_config.parent_id
- )
- )
- name = each.value.folder_config.name
- context = {
- condition_vars = local.condition_vars
- }
- iam = {
- # merge inputs/factory bindings with static role bindings in loocal._stage_3_iam
- for role in concat(keys(each.value.folder_config.iam), keys(local._stage_3_iam[each.key])) :
- lookup(var.custom_roles, role, role) => [
- for m in concat(
- lookup(local._stage_3_iam[each.key], role, []),
- lookup(each.value.folder_config.iam, role, [])
- ) : lookup(local.principals_iam, m, m)
- ]
- }
- iam_bindings = {
- for k, v in each.value.folder_config.iam_bindings : k => merge(v, {
- members = [
- for m in v.members : lookup(local.principals_iam, m, m)
- ]
- role = lookup(var.custom_roles, v.role, v.role)
- condition = v.condition
- })
- }
- iam_bindings_additive = {
- for k, v in each.value.folder_config.iam_bindings_additive : k => merge(v, {
- member = lookup(local.principals_iam, v.member, v.member)
- role = lookup(var.custom_roles, v.role, v.role)
- condition = v.condition
- })
- }
- iam_by_principals = {
- for k, v in each.value.folder_config.iam_by_principals :
- lookup(local.principals_iam, k, k) => [
- for r in v : lookup(var.custom_roles, r, r)
- ]
- }
-
- org_policies = each.value.folder_config.org_policies
- tag_bindings = merge(
- {
- (var.tag_names.environment) = local.tag_values["${var.tag_names.environment}/${var.environments[each.value.environment].tag_name}"].id
- },
- {
- for k, v in each.value.folder_config.tag_bindings : k => try(
- local.tag_values[v].id, v
- )
- }
- )
- depends_on = [module.top-level-folder]
-}
-
-# automation service accounts
-
-module "stage3-sa-rw" {
- source = "../../../modules/iam-service-account"
- for_each = local.stage3
- project_id = var.automation.project_id
- name = templatestring(var.resource_names["sa-stage3_rw"], {
- name = each.value.short_name
- })
- display_name = (
- "Terraform resman ${each.key} service account."
- )
- prefix = "${var.prefix}-${var.environments[each.value.environment].short_name}"
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.cicd-sa-rw[each.key].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-module "stage3-sa-ro" {
- source = "../../../modules/iam-service-account"
- for_each = local.stage3
- project_id = var.automation.project_id
- name = templatestring(var.resource_names["sa-stage3_ro"], {
- name = each.value.short_name
- })
- display_name = (
- "Terraform resman ${each.key} service account (read-only)."
- )
- prefix = "${var.prefix}-${each.value.environment}"
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.cicd-sa-ro[each.key].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation bucket
-
-module "stage3-bucket" {
- source = "../../../modules/gcs"
- for_each = local.stage3
- project_id = var.automation.project_id
- name = templatestring(var.resource_names["gcs-stage3"], {
- name = each.value.short_name
- })
- prefix = "${var.prefix}-${each.value.environment}"
- location = var.locations.gcs
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.stage3-sa-rw[each.key].iam_email]
- "roles/storage.objectViewer" = [module.stage3-sa-ro[each.key].iam_email]
- }
-}
diff --git a/fast/stages/1-resman-legacy/stage-cicd.tf b/fast/stages/1-resman-legacy/stage-cicd.tf
deleted file mode 100644
index 2219aafaf..000000000
--- a/fast/stages/1-resman-legacy/stage-cicd.tf
+++ /dev/null
@@ -1,129 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD locals and resources.
-
-locals {
- _cicd_configs = merge(
- # stage 2
- {
- for k, v in local.stage2 : k => merge(v.cicd_config, {
- env = "prod"
- level = 2
- stage = replace(k, "_", "-")
- short_name = v.short_name
- }) if v.cicd_config != null
- },
- # stage 3
- {
- for k, v in local.stage3 : k => merge(v.cicd_config, {
- env = v.environment
- level = 3
- short_name = coalesce(v.short_name, k)
- stage = replace(k, "_", "-")
- }) if v.cicd_config != null
- },
- # addons
- {
- for k, v in var.fast_addon : k => merge(v.cicd_config, {
- env = "prod"
- level = 2
- short_name = k
- stage = substr(v.parent_stage, 2, -1)
- }) if v.cicd_config != null
- }
- )
- # finalize configurations and filter by valid identity provider and type
- cicd_repositories = {
- for k, v in local._cicd_configs : k => v if(
- contains(keys(local.identity_providers), v.identity_provider) &&
- fileexists("${path.module}/templates/workflow-${v.repository.type}.yaml")
- )
- }
- cicd_workflow_providers = merge(
- {
- for k, v in local.cicd_repositories :
- k => "${v.level}-${k}-providers.tf"
- },
- {
- for k, v in local.cicd_repositories :
- "${k}-r" => "${v.level}-${k}-r-providers.tf"
- }
- )
-}
-
-module "cicd-sa-rw" {
- source = "../../../modules/iam-service-account"
- for_each = local.cicd_repositories
- project_id = var.automation.project_id
- name = templatestring(var.resource_names["sa-cicd_rw"], {
- name = each.value.short_name
- })
- display_name = (
- "CI/CD ${each.value.level}-${each.value.short_name} ${each.value.env} service account."
- )
- prefix = "${var.prefix}-${var.environments[each.value.env].short_name}"
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.repository.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.repository.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.repository.name,
- each.value.repository.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "cicd-sa-ro" {
- source = "../../../modules/iam-service-account"
- for_each = local.cicd_repositories
- project_id = var.automation.project_id
- name = templatestring(var.resource_names["sa-cicd_ro"], {
- name = each.value.short_name
- })
- display_name = (
- "CI/CD ${each.value.level}-${each.value.short_name} ${each.value.env} service account (read-only)."
- )
- prefix = "${var.prefix}-${var.environments[each.value.env].short_name}"
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.repository.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/1-resman-legacy/templates/providers.tf.tpl b/fast/stages/1-resman-legacy/templates/providers.tf.tpl
deleted file mode 100644
index d1c224c5c..000000000
--- a/fast/stages/1-resman-legacy/templates/providers.tf.tpl
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- backend "gcs" {
- bucket = "${bucket}"
- impersonate_service_account = "${sa}"
- %{~ if backend_extra != null ~}
- ${indent(4, backend_extra)}
- %{~ endif ~}
- }
-}
-provider "google" {
- impersonate_service_account = "${sa}"
-}
-provider "google-beta" {
- impersonate_service_account = "${sa}"
-}
-
-# end provider.tf for ${name}
diff --git a/fast/stages/1-resman-legacy/templates/providers_terraform.tf.tpl b/fast/stages/1-resman-legacy/templates/providers_terraform.tf.tpl
deleted file mode 100644
index b581e50ed..000000000
--- a/fast/stages/1-resman-legacy/templates/providers_terraform.tf.tpl
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- cloud {
- organization = "${organization}"
- %{~ if hostname != null ~}
- hostname = "${hostname}"
- %{~ endif ~}
- workspaces {
- %{~ if workspaces.name != null ~}
- name = "${workspaces.name}"
- %{~ endif ~}
- %{~ if workspaces.tags != null ~}
- tags = [ %{ for tags in workspaces.tags ~} "${tags}", %{ endfor ~} ]
- %{~ endif ~}
- %{~ if workspaces.project != null ~}
- project = "${workspaces.project}"
- %{~ endif ~}
- }
- }
-}
-
-provider "google" {
- impersonate_service_account = "${sa}"
-}
-provider "google-beta" {
- impersonate_service_account = "${sa}"
-}
-
-# end provider.tf for ${name}
\ No newline at end of file
diff --git a/fast/stages/1-resman-legacy/templates/workflow-github.yaml b/fast/stages/1-resman-legacy/templates/workflow-github.yaml
deleted file mode 100644
index 1bb0db752..000000000
--- a/fast/stages/1-resman-legacy/templates/workflow-github.yaml
+++ /dev/null
@@ -1,229 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "FAST ${stage_name} stage"
-
-on:
- pull_request:
- branches:
- - main
- types:
- - closed
- - opened
- - synchronize
-
-env:
- FAST_SERVICE_ACCOUNT: ${service_accounts.apply}
- FAST_SERVICE_ACCOUNT_PLAN: ${service_accounts.plan}
- FAST_WIF_PROVIDER: ${identity_provider}
- SSH_AUTH_SOCK: /tmp/ssh_agent.sock
- TF_PROVIDERS_FILE: ${tf_providers_files.apply}
- TF_PROVIDERS_FILE_PLAN: ${tf_providers_files.plan}
- TF_VERSION: 1.11.4
-
-jobs:
- fast-pr:
- # Skip PRs which are closed without being merged.
- if: >-
- github.event.action == 'closed' &&
- github.event.pull_request.merged == true ||
- github.event.action == 'opened' ||
- github.event.action == 'synchronize'
- permissions:
- contents: read
- id-token: write
- issues: write
- pull-requests: write
- runs-on: ubuntu-latest
- steps:
- - id: checkout
- name: Checkout repository
- uses: actions/checkout@v4
-
- # set up SSH key authentication to the modules repository
-
- - id: ssh-config
- name: Configure SSH authentication
- run: |
- ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
- ssh-add - <<< "$${{ secrets.CICD_MODULES_KEY }}"
-
- # set up step variables for plan / apply
-
- - id: vars-plan
- if: github.event.pull_request.merged != true && success()
- name: Set up plan variables
- run: |
- echo "plan_opts=-lock=false" >> "$GITHUB_ENV"
- echo "provider_file=$${{env.TF_PROVIDERS_FILE_PLAN}}" >> "$GITHUB_ENV"
- echo "service_account=$${{env.FAST_SERVICE_ACCOUNT_PLAN}}" >> "$GITHUB_ENV"
-
- - id: vars-apply
- if: github.event.pull_request.merged == true && success()
- name: Set up apply variables
- run: |
- echo "provider_file=$${{env.TF_PROVIDERS_FILE}}" >> "$GITHUB_ENV"
- echo "service_account=$${{env.FAST_SERVICE_ACCOUNT}}" >> "$GITHUB_ENV"
-
- # set up authentication via Workload identity Federation and gcloud
-
- - id: gcp-auth
- name: Authenticate to Google Cloud
- uses: google-github-actions/auth@v2
- with:
- workload_identity_provider: $${{env.FAST_WIF_PROVIDER}}
- service_account: $${{env.service_account}}
- access_token_lifetime: 900s
-
- - id: gcp-sdk
- name: Set up Cloud SDK
- uses: google-github-actions/setup-gcloud@v2
- with:
- install_components: alpha
-
- # copy provider file
-
- - id: tf-config-provider
- name: Copy Terraform provider file
- run: |
- gcloud storage cp -r \
- "gs://${outputs_bucket}/providers/$${{env.provider_file}}" ./
- %{~ for f in tf_var_files ~}
- gcloud storage cp -r \
- "gs://${outputs_bucket}/tfvars/${f}" ./
- %{~ endfor ~}
-
- - id: tf-setup
- name: Set up Terraform
- uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: $${{env.TF_VERSION}}
-
- # run Terraform init/validate/plan
-
- - id: tf-init
- name: Terraform init
- continue-on-error: true
- run: |
- terraform init -no-color
-
- - id: tf-validate
- continue-on-error: true
- name: Terraform validate
- run: terraform validate -no-color
-
- - id: tf-plan
- name: Terraform plan
- continue-on-error: true
- run: |
- terraform plan -input=false -out ../plan.out -no-color $${{env.plan_opts}}
-
- - id: tf-apply
- if: github.event.pull_request.merged == true && success()
- name: Terraform apply
- continue-on-error: true
- run: |
- terraform apply -input=false -auto-approve -no-color ../plan.out
-
- # PR comment with Terraform result from previous steps
- # length is checked and trimmed for length so as to stay within the limit
-
- - id: pr-comment
- name: Post comment to Pull Request
- continue-on-error: true
- uses: actions/github-script@v7
- if: github.event_name == 'pull_request'
- env:
- PLAN: $${{steps.tf-plan.outputs.stdout}}\n$${{steps.tf-plan.outputs.stderr}}
- with:
- script: |
- const output = `### Terraform Initialization \`$${{steps.tf-init.outcome}}\`
-
- ### Terraform Validation \`$${{steps.tf-validate.outcome}}\`
-
- Validation Output
-
- \`\`\`\n
- $${{steps.tf-validate.outputs.stdout}}
- \`\`\`
-
-
-
- ### Terraform Plan \`$${{steps.tf-plan.outcome}}\`
-
- Show Plan
-
- \`\`\`\n
- $${process.env.PLAN.split('\n').filter(l => l.match(/^([A-Z\s].*|)$$/)).join('\n')}
- \`\`\`
-
-
-
- ### Terraform Apply \`$${{steps.tf-apply.outcome}}\`
-
- *Pusher: @$${{github.actor}}, Action: \`$${{github.event_name}}\`, Working Directory: \`$${{env.tf_actions_working_dir}}\`, Workflow: \`$${{github.workflow}}\`*`;
-
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })
-
- - id: pr-short-comment
- name: Post comment to Pull Request (abbreviated)
- uses: actions/github-script@v7
- if: github.event_name == 'pull_request' && steps.pr-comment.outcome != 'success'
- with:
- script: |
- const output = `### Terraform Initialization \`$${{steps.tf-init.outcome}}\`
-
- ### Terraform Validation \`$${{steps.tf-validate.outcome}}\`
-
- ### Terraform Plan \`$${{steps.tf-plan.outcome}}\`
-
- Plan output is in the action log.
-
- ### Terraform Apply \`$${{steps.tf-apply.outcome}}\`
-
- *Pusher: @$${{github.actor}}, Action: \`$${{github.event_name}}\`, Working Directory: \`$${{env.tf_actions_working_dir}}\`, Workflow: \`$${{github.workflow}}\`*`;
-
- github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })
-
- # exit on error from previous steps
-
- - id: check-init
- name: Check init failure
- if: steps.tf-init.outcome != 'success'
- run: exit 1
-
- - id: check-validate
- name: Check validate failure
- if: steps.tf-validate.outcome != 'success'
- run: exit 1
-
- - id: check-plan
- name: Check plan failure
- if: steps.tf-plan.outcome != 'success'
- run: exit 1
-
- - id: check-apply
- name: Check apply failure
- if: github.event.pull_request.merged == true && steps.tf-apply.outcome != 'success'
- run: exit 1
diff --git a/fast/stages/1-resman-legacy/templates/workflow-gitlab.yaml b/fast/stages/1-resman-legacy/templates/workflow-gitlab.yaml
deleted file mode 100644
index 150340835..000000000
--- a/fast/stages/1-resman-legacy/templates/workflow-gitlab.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-variables:
- GOOGLE_CREDENTIALS: cicd-sa-credentials.json
- FAST_OUTPUTS_BUCKET: ${outputs_bucket}
- FAST_WIF_PROVIDER: ${identity_provider}
- SSH_AUTH_SOCK: /tmp/ssh_agent.sock
- %{~ if tf_var_files != [] ~}
- TF_VAR_FILES: ${join("\n ", tf_var_files)}
- %{~ endif ~}
-
-workflow:
- rules:
- # merge / apply
- - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
- variables:
- COMMAND: apply
- FAST_SERVICE_ACCOUNT: ${service_accounts.apply}
- TF_PROVIDERS_FILE: ${tf_providers_files.apply}
- # pr / plan
- - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
- variables:
- COMMAND: plan
- FAST_SERVICE_ACCOUNT: ${service_accounts.plan}
- TF_PROVIDERS_FILE: ${tf_providers_files.plan}
-
-stages:
- - gcp-setup
- - tf-plan-apply
-
-# TODO: document project-level deploy key used to fetch modules
-
-gcp-setup:
- stage: gcp-setup
- image:
- name: google/cloud-sdk:slim
- artifacts:
- paths:
- - cicd-sa-credentials.json
- - providers.tf
- %{~ for f in tf_var_files ~}
- - ${f}
- %{~ endfor ~}
- id_tokens:
- GITLAB_TOKEN:
- aud:
- %{~ for aud in audiences ~}
- - ${aud}
- %{~ endfor ~}
- before_script:
- - echo "$GITLAB_TOKEN" > token.txt
- script:
- - |
- gcloud iam workload-identity-pools create-cred-config \
- $FAST_WIF_PROVIDER \
- --service-account=$FAST_SERVICE_ACCOUNT \
- --service-account-token-lifetime-seconds=900 \
- --output-file=$GOOGLE_CREDENTIALS \
- --credential-source-file=token.txt
- - gcloud config set auth/credential_file_override $GOOGLE_CREDENTIALS
- - gcloud storage cp -r "gs://$FAST_OUTPUTS_BUCKET/providers/$TF_PROVIDERS_FILE" ./providers.tf
- %{~ for f in tf_var_files ~}
- - gcloud storage cp gs://$FAST_OUTPUTS_BUCKET/tfvars/${f} ./
- %{~ endfor ~}
-
-
-tf-plan-apply:
- stage: tf-plan-apply
- dependencies:
- - gcp-setup
- id_tokens:
- GITLAB_TOKEN:
- aud:
- %{~ for aud in audiences ~}
- - ${aud}
- %{~ endfor ~}
- image:
- name: hashicorp/terraform
- entrypoint:
- - "/usr/bin/env"
- variables:
- SSH_AUTH_SOCK: /tmp/ssh-agent.sock
- script:
- - |
- ssh-agent -a $SSH_AUTH_SOCK
- echo "$CICD_MODULES_KEY" | ssh-add -
- mkdir -p ~/.ssh
- ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
- ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
- - echo "$GITLAB_TOKEN" > token.txt
- - terraform init
- - terraform validate
- - "if [ $COMMAND == 'plan' ]; then terraform plan -input=false -no-color -lock=false; fi"
- - "if [ $COMMAND == 'apply' ]; then terraform apply -input=false -no-color -auto-approve; fi"
diff --git a/fast/stages/1-resman-legacy/tenant-logging.tf b/fast/stages/1-resman-legacy/tenant-logging.tf
deleted file mode 100644
index ab9991441..000000000
--- a/fast/stages/1-resman-legacy/tenant-logging.tf
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Audit log project and sink for tenant root folder.
-
-locals {
- log_sink_destinations = merge(
- # use the same dataset for all sinks with `bigquery` as destination
- {
- for k, v in local.log_sinks :
- k => module.log-export-dataset[0] if v.type == "bigquery"
- },
- # use the same gcs bucket for all sinks with `storage` as destination
- {
- for k, v in local.log_sinks :
- k => module.log-export-gcs[0] if v.type == "storage"
- },
- # use separate pubsub topics and logging buckets for sinks with
- # destination `pubsub` and `logging`
- module.log-export-pubsub,
- module.log-export-logbucket
- )
- log_sinks = (
- length(var.logging.log_sinks) > 0 || var.root_node == null
- ? var.logging.log_sinks
- # provide default log sinks to tenants
- : {
- audit-logs = {
- filter = <<-FILTER
- log_id("cloudaudit.googleapis.com/activity") OR
- log_id("cloudaudit.googleapis.com/system_event") OR
- log_id("cloudaudit.googleapis.com/policy") OR
- log_id("cloudaudit.googleapis.com/access_transparency")
- FILTER
- type = "logging"
- }
- iam = {
- filter = <<-FILTER
- protoPayload.serviceName="iamcredentials.googleapis.com" OR
- protoPayload.serviceName="iam.googleapis.com" OR
- protoPayload.serviceName="sts.googleapis.com"
- FILTER
- type = "logging"
- }
- vpc-sc = {
- filter = <<-FILTER
- protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
- FILTER
- type = "logging"
- }
- }
- )
- log_types = toset([for k, v in local.log_sinks : v.type])
-}
-
-# one log export per type, with conditionals to skip those not needed
-
-module "log-export-dataset" {
- source = "../../../modules/bigquery-dataset"
- count = (
- var.root_node != null && contains(local.log_types, "bigquery") ? 1 : 0
- )
- project_id = var.logging.project_id
- id = "logs"
- friendly_name = "Audit logs export."
- location = var.locations.bq
-}
-
-module "log-export-gcs" {
- source = "../../../modules/gcs"
- count = (
- var.root_node != null && contains(local.log_types, "storage") ? 1 : 0
- )
- project_id = var.logging.project_id
- name = "logs"
- prefix = var.prefix
- location = var.locations.gcs
-}
-
-module "log-export-logbucket" {
- source = "../../../modules/logging-bucket"
- for_each = toset(var.root_node == null ? [] : [
- for k, v in local.log_sinks : k if v.type == "logging"
- ])
- parent = var.logging.project_id
- name = each.key
- location = var.locations.logging
- log_analytics = { enable = true }
-}
-
-module "log-export-pubsub" {
- source = "../../../modules/pubsub"
- for_each = toset(var.root_node == null ? [] : [
- for k, v in local.log_sinks : k if v.type == "pubsub"
- ])
- project_id = var.logging.project_id
- name = each.key
- regions = var.locations.pubsub
-}
diff --git a/fast/stages/1-resman-legacy/tenant-root.tf b/fast/stages/1-resman-legacy/tenant-root.tf
deleted file mode 100644
index bbb30a16a..000000000
--- a/fast/stages/1-resman-legacy/tenant-root.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "root-folder" {
- source = "../../../modules/folder"
- count = var.root_node != null ? 1 : 0
- id = var.root_node
- folder_create = false
- # additive bindings via delegated IAM grant set in stage 0
- iam_bindings_additive = {
- for k, v in local.iam_bindings_additive : k => {
- role = lookup(var.custom_roles, v.role, v.role)
- member = lookup(local.principals_iam, v.member, v.member)
- condition = lookup(v, "condition", null)
- }
- }
- logging_sinks = {
- for name, attrs in local.log_sinks : name => {
- bq_partitioned_table = attrs.type == "bigquery"
- destination = local.log_sink_destinations[name].id
- filter = attrs.filter
- type = attrs.type
- }
- }
-}
-
-module "automation-project" {
- source = "../../../modules/project"
- count = var.root_node != null ? 1 : 0
- name = var.automation.project_id
- project_reuse = {}
- # do not assign tagViewer or tagUser roles here on tag keys and values as
- # they are managed authoritatively and will break multitenant stages
- tags = merge(local.tags, {
- (var.tag_names.context) = {
- description = "Resource management context."
- iam = try(local.tags.context.iam, {})
- values = local.context_tag_values
- },
- (var.tag_names.environment) = {
- description = "Environment definition."
- iam = try(local.tags.environment.iam, {})
- values = local.environment_tag_values
- }
- })
-}
diff --git a/fast/stages/1-resman-legacy/top-level-folders.tf b/fast/stages/1-resman-legacy/top-level-folders.tf
deleted file mode 100644
index c927b494f..000000000
--- a/fast/stages/1-resman-legacy/top-level-folders.tf
+++ /dev/null
@@ -1,172 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- # read and decode factory files
- _top_level_path = try(
- pathexpand(var.factories_config.top_level_folders), null
- )
- _top_level_files = try(
- fileset(local._top_level_path, "**/*.yaml"),
- []
- )
- _top_level_folders = {
- for f in local._top_level_files :
- split(".", f)[0] => yamldecode(file(
- "${coalesce(local._top_level_path, "-")}/${f}"
- ))
- }
- # extract automation configurations for folders that define them
- top_level_automation = {
- for k, v in local.top_level_folders :
- k => v.automation
- if v.automation != null
- }
- # merge top folders from factory and variable data
- top_level_folders = merge(
- # normalize factory data attributes with defaults and nulls
- {
- for k, v in local._top_level_folders : k => merge(v, {
- name = try(v.name, k)
- automation = !can(v.automation) ? null : {
- environment_name = try(v.automation.environment_name, "prod")
- sa_impersonation_principals = try(v.automation.sa_impersonation_principals, [])
- short_name = try(v.automation.short_name, null)
- }
- contacts = try(v.contacts, {})
- factories_config = try(v.factories_config, null)
- firewall_policy = try(v.firewall_policy, null)
- is_fast_context = try(v.is_fast_context, true)
- logging_data_access = try(v.logging_data_access, {})
- logging_exclusions = try(v.logging_exclusions, {})
- logging_settings = try(v.logging_settings, null)
- logging_sinks = try(v.logging_sinks, {})
- iam = try(v.iam, {})
- iam_bindings = try(v.iam_bindings, {})
- iam_bindings_additive = try(v.iam_bindings_additive, {})
- iam_by_principals = try(v.iam_by_principals, {})
- org_policies = try(v.org_policies, {})
- parent_id = try(v.parent_id, null)
- tag_bindings = try(v.tag_bindings, {})
- })
- },
- var.top_level_folders
- )
- top_level_sa = {
- for k, v in local.stage_service_accounts :
- k => "serviceAccount:${v}" if v != null
- }
-}
-
-module "top-level-folder" {
- source = "../../../modules/folder"
- for_each = local.top_level_folders
- parent = coalesce(each.value.parent_id, local.root_node)
- name = each.value.name
- contacts = each.value.contacts
- factories_config = each.value.factories_config
- firewall_policy = each.value.firewall_policy
- logging_data_access = each.value.logging_data_access
- logging_exclusions = each.value.logging_exclusions
- logging_settings = each.value.logging_settings
- logging_sinks = each.value.logging_sinks
- context = {
- condition_vars = local.condition_vars
- }
- iam = {
- for role, members in each.value.iam :
- lookup(var.custom_roles, role, role) => [
- for member in members :
- (each.value.automation != null && member == "self")
- ? module.top-level-sa[each.key].iam_email
- : lookup(local.principals_iam, member, member)
- ]
- }
- iam_bindings = {
- for k, v in each.value.iam_bindings : k => {
- members = [
- for member in v.members :
- (each.value.automation != null && member == "self")
- ? module.top-level-sa[each.key].iam_email
- : lookup(local.top_level_sa, member, member)
- ]
- role = lookup(var.custom_roles, v.role, v.role)
- condition = v.condition
- }
- }
- iam_bindings_additive = {
- for k, v in each.value.iam_bindings_additive : k => merge(v, {
- member = (
- each.value.automation != null && v.member == "self"
- ? module.top-level-sa[each.key].iam_email
- : lookup(local.principals_iam, v.member, v.member)
- )
- role = lookup(var.custom_roles, v.role, v.role)
- condition = v.condition
- })
- }
- iam_by_principals = {
- for k, v in each.value.iam_by_principals :
- (
- (each.value.automation != null && k == "self")
- ? module.top-level-sa[each.key].iam_email
- : lookup(local.principals_iam, k, k)
- ) => [for r in v : lookup(var.custom_roles, r, r)]
- }
- org_policies = each.value.org_policies
- tag_bindings = merge(
- # explicit tag bindings
- {
- for k, v in each.value.tag_bindings : k => try(local.tag_values[v].id, v)
- },
- # implicit tag binding on own context tag value
- each.value.is_fast_context != true ? {} : {
- context = local.tag_values["context/${each.key}"].id
- }
- )
-}
-
-module "top-level-sa" {
- source = "../../../modules/iam-service-account"
- for_each = local.top_level_automation
- project_id = var.automation.project_id
- name = "${each.value.environment_name}-resman-${coalesce(each.value.short_name, each.key)}-0"
- display_name = "Terraform resman ${each.key} folder service account."
- prefix = var.prefix
- iam = each.value.sa_impersonation_principals == null ? {} : {
- "roles/iam.serviceAccountTokenCreator" = each.value.sa_impersonation_principals
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-module "top-level-bucket" {
- source = "../../../modules/gcs"
- for_each = local.top_level_automation
- project_id = var.automation.project_id
- name = "${each.value.environment_name}-resman-${coalesce(each.value.short_name, each.key)}-0"
- prefix = var.prefix
- location = var.locations.gcs
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.top-level-sa[each.key].iam_email]
- "roles/storage.objectViewer" = [module.top-level-sa[each.key].iam_email]
- }
-}
diff --git a/fast/stages/1-resman-legacy/variables-addons.tf b/fast/stages/1-resman-legacy/variables-addons.tf
deleted file mode 100644
index ff29e9a26..000000000
--- a/fast/stages/1-resman-legacy/variables-addons.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "fast_addon" {
- description = "FAST addons configurations for stages 2. Keys are used as short names for the add-on resources."
- type = map(object({
- parent_stage = string
- cicd_config = optional(object({
- identity_provider = string
- repository = object({
- name = string
- branch = optional(string)
- type = optional(string, "github")
- })
- }))
- }))
- nullable = false
- default = {}
- validation {
- condition = alltrue([
- for k, v in var.fast_addon :
- startswith(v.parent_stage, "2-")
- ])
- error_message = "The parent stage of resman-defined addons should match '2-'."
- }
- validation {
- condition = alltrue([
- for k, v in var.fast_addon :
- v.cicd_config == null || contains(
- ["github", "gitlab"],
- coalesce(try(v.cicd_config.repository.type, null), "-")
- )
- ])
- error_message = "Invalid CI/CD repository type."
- }
-}
-
-check "addons_parent_stage" {
- assert {
- condition = alltrue([
- for k, v in var.fast_addon : contains(
- [for x in keys(local.stage2) : "2-${x}"],
- v.parent_stage
- )
- ])
- error_message = "Resman-defined addons only support stage 2 as parents."
- }
-}
diff --git a/fast/stages/1-resman-legacy/variables-fast.tf b/fast/stages/1-resman-legacy/variables-fast.tf
deleted file mode 100644
index 9b433eb2c..000000000
--- a/fast/stages/1-resman-legacy/variables-fast.tf
+++ /dev/null
@@ -1,183 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description FAST stage interface.
-
-variable "automation" {
- # tfdoc:variable:source 0-bootstrap
- description = "Automation resources created by the bootstrap stage."
- type = object({
- outputs_bucket = string
- project_id = string
- project_number = string
- federated_identity_pool = string
- federated_identity_providers = map(object({
- audiences = list(string)
- issuer = string
- issuer_uri = string
- name = string
- principal_branch = string
- principal_repo = string
- }))
- service_accounts = object({
- resman = string
- resman-r = string
- })
- })
- nullable = false
-}
-
-variable "billing_account" {
- # tfdoc:variable:source 0-bootstrap
- description = "Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`."
- type = object({
- id = string
- is_org_level = optional(bool, true)
- no_iam = optional(bool, false)
- })
- nullable = false
-}
-
-variable "custom_roles" {
- # tfdoc:variable:source 0-bootstrap
- description = "Custom roles defined at the org level, in key => id format."
- type = object({
- billing_viewer = string
- dns_zone_binder = string
- kms_key_encryption_admin = string
- kms_key_viewer = string
- organization_admin_viewer = string
- project_iam_viewer = string
- service_project_network_admin = string
- storage_viewer = string
- gcve_network_admin = optional(string)
- gcve_network_viewer = optional(string)
- network_firewall_policies_admin = optional(string)
- ngfw_enterprise_admin = optional(string)
- ngfw_enterprise_viewer = optional(string)
- })
- default = null
-}
-
-variable "environments" {
- # tfdoc:variable:source 0-globals
- description = "Environment names."
- type = map(object({
- name = string
- short_name = string
- tag_name = string
- is_default = optional(bool, false)
- }))
- nullable = false
- validation {
- condition = anytrue([
- for k, v in var.environments : v.is_default == true
- ])
- error_message = "At least one environment should be marked as default."
- }
-}
-
-variable "groups" {
- # tfdoc:variable:source 0-bootstrap
- # https://cloud.google.com/docs/enterprise/setup-checklist
- description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
- type = object({
- gcp-billing-admins = optional(string, "gcp-billing-admins")
- gcp-devops = optional(string, "gcp-devops")
- gcp-network-admins = optional(string, "gcp-vpc-network-admins")
- gcp-organization-admins = optional(string, "gcp-organization-admins")
- gcp-secops-admins = optional(string, "gcp-security-admins")
- gcp-security-admins = optional(string, "gcp-security-admins")
- })
- nullable = false
- default = {}
-}
-
-variable "locations" {
- # tfdoc:variable:source 0-bootstrap
- description = "Optional locations for GCS, BigQuery, and logging buckets created here."
- type = object({
- bq = optional(string, "EU")
- gcs = optional(string, "EU")
- logging = optional(string, "global")
- pubsub = optional(list(string), [])
- })
- nullable = false
- default = {}
-}
-
-variable "logging" {
- # tfdoc:variable:source 1-tenant-factory
- description = "Logging configuration for tenants."
- type = object({
- project_id = string
- log_sinks = optional(map(object({
- filter = string
- type = string
- })), {})
- })
- nullable = false
-}
-
-variable "organization" {
- # tfdoc:variable:source 0-bootstrap
- description = "Organization details."
- type = object({
- domain = string
- id = number
- customer_id = string
- })
- nullable = false
-}
-
-check "prefix_validator" {
- assert {
- condition = (try(length(var.prefix), 0) < 10) || (try(length(var.prefix), 0) < 12 && var.root_node != null)
- error_message = "var.prefix must be 9 characters or shorter for organizations, and 11 chars or shorter for tenants."
- }
-}
-
-variable "org_policy_tags" {
- # tfdoc:variable:source 0-bootstrap
- description = "Organization policy tags."
- type = object({
- key_id = optional(string)
- key_name = optional(string, "org-policies")
- values = optional(map(string), {})
- })
- nullable = false
- default = {}
-}
-
-variable "prefix" {
- # tfdoc:variable:source 0-bootstrap
- description = "Prefix used for resources that need unique names. Use 9 characters or less."
- type = string
-}
-
-variable "root_node" {
- # tfdoc:variable:source 0-bootstrap
- description = "Root node for the hierarchy, if running in tenant mode."
- type = string
- default = null
- validation {
- condition = (
- var.root_node == null ||
- startswith(coalesce(var.root_node, "-"), "folders/")
- )
- error_message = "Root node must be in folders/nnnnn format if specified."
- }
-}
diff --git a/fast/stages/1-resman-legacy/variables-stages.tf b/fast/stages/1-resman-legacy/variables-stages.tf
deleted file mode 100644
index ef52cbbac..000000000
--- a/fast/stages/1-resman-legacy/variables-stages.tf
+++ /dev/null
@@ -1,219 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "fast_stage_2" {
- description = "FAST stages 2 configurations."
- type = map(object({
- short_name = optional(string)
- cicd_config = optional(object({
- identity_provider = string
- repository = object({
- name = string
- branch = optional(string)
- type = optional(string, "github")
- })
- workflows_config = optional(object({
- extra_files = optional(list(string), [])
- }), {})
- }))
- folder_config = optional(object({
- name = string
- parent_id = optional(string)
- create_env_folders = optional(bool, true)
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_by_principals = optional(map(list(string)), {})
- org_policies = optional(map(object({
- inherit_from_parent = optional(bool) # for list policies only.
- reset = optional(bool)
- rules = optional(list(object({
- allow = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- deny = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- enforce = optional(bool) # for boolean policies only.
- condition = optional(object({
- description = optional(string)
- expression = optional(string)
- location = optional(string)
- title = optional(string)
- }), {})
- })), [])
- })), {})
- tag_bindings = optional(map(string), {})
- }))
- organization_config = optional(object({
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_by_principals = optional(map(list(string)), {})
- }), {})
- stage3_config = optional(object({
- iam_admin_delegated = optional(list(object({
- environment = string
- principal = string
- })), [])
- iam_viewer = optional(list(object({
- environment = string
- principal = string
- })), [])
- }), {})
- }))
- nullable = false
- default = {}
- validation {
- condition = alltrue([
- for k, v in var.fast_stage_2 :
- v.cicd_config == null || contains(
- ["github", "gitlab"],
- coalesce(try(v.cicd_config.repository.type, null), "-")
- )
- ])
- error_message = "Invalid CI/CD repository type."
- }
- validation {
- condition = alltrue([
- for k, v in var.fast_stage_2 : (length(coalesce(v.short_name, k)) <= 6)
- ])
- error_message = <<-EOM
- For stages with names longer than 6 characters, use 'short_name' to provide shorter a name
- that is at most 6 characters long.
- EOM
- }
-}
-
-variable "fast_stage_3" {
- description = "FAST stages 3 configurations."
- # key is used for file names and loop keys and is like 'data-platfom-dev'
- type = map(object({
- short_name = optional(string)
- environment = optional(string, "dev")
- cicd_config = optional(object({
- identity_provider = string
- repository = object({
- name = string
- branch = optional(string)
- type = optional(string, "github")
- })
- workflows_config = optional(object({
- extra_files = optional(list(string), [])
- }), {})
- }))
- folder_config = optional(object({
- name = string
- parent_id = optional(string)
- tag_bindings = optional(map(string), {})
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_by_principals = optional(map(list(string)), {})
- org_policies = optional(map(object({
- inherit_from_parent = optional(bool) # for list policies only.
- reset = optional(bool)
- rules = optional(list(object({
- allow = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- deny = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- enforce = optional(bool) # for boolean policies only.
- condition = optional(object({
- description = optional(string)
- expression = optional(string)
- location = optional(string)
- title = optional(string)
- }), {})
- })), [])
- })), {})
- }))
- }))
- nullable = false
- default = {}
- validation {
- condition = alltrue([
- for k, v in var.fast_stage_3 : contains(
- keys(var.environments),
- coalesce(v.environment, "-")
- )
- ])
- error_message = "Invalid environment value."
- }
- validation {
- condition = alltrue([
- for k, v in var.fast_stage_3 :
- v.cicd_config == null || contains(
- ["github", "gitlab"],
- coalesce(try(v.cicd_config.repository.type, null), "-")
- )
- ])
- error_message = "Invalid CI/CD repository type."
- }
- validation {
- condition = alltrue([
- for k, v in var.fast_stage_3 : (length(coalesce(v.short_name, k)) <= 6)
- ])
- error_message = <<-EOM
- For stages with names longer than 6 characters, use 'short_name' to provide shorter a name
- that is at most 6 characters long.
- EOM
- }
-}
diff --git a/fast/stages/1-resman-legacy/variables-toplevel-folders.tf b/fast/stages/1-resman-legacy/variables-toplevel-folders.tf
deleted file mode 100644
index a0afeaa36..000000000
--- a/fast/stages/1-resman-legacy/variables-toplevel-folders.tf
+++ /dev/null
@@ -1,103 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "top_level_folders" {
- description = "Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute."
- type = map(object({
- name = string
- parent_id = optional(string)
- automation = optional(object({
- environment_name = optional(string, "prod")
- sa_impersonation_principals = optional(list(string), [])
- short_name = optional(string)
- }))
- contacts = optional(map(list(string)), {})
- factories_config = optional(object({
- org_policies = optional(string)
- }))
- firewall_policy = optional(object({
- name = string
- policy = string
- }))
- # TODO: remember to document this, and how to use the same value in other folders
- is_fast_context = optional(bool, true)
- logging_data_access = optional(map(object({
- ADMIN_READ = optional(object({ exempted_members = optional(list(string)) })),
- DATA_READ = optional(object({ exempted_members = optional(list(string)) })),
- DATA_WRITE = optional(object({ exempted_members = optional(list(string)) }))
- })), {})
- logging_exclusions = optional(map(string), {})
- logging_settings = optional(object({
- disable_default_sink = optional(bool)
- storage_location = optional(string)
- }))
- logging_sinks = optional(map(object({
- bq_partitioned_table = optional(bool, false)
- description = optional(string)
- destination = string
- disabled = optional(bool, false)
- exclusions = optional(map(string), {})
- filter = optional(string)
- iam = optional(bool, true)
- include_children = optional(bool, true)
- type = string
- })), {})
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- members = list(string)
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_by_principals = optional(map(list(string)), {})
- org_policies = optional(map(object({
- inherit_from_parent = optional(bool) # for list policies only.
- reset = optional(bool)
- rules = optional(list(object({
- allow = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- deny = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- enforce = optional(bool) # for boolean policies only.
- condition = optional(object({
- description = optional(string)
- expression = optional(string)
- location = optional(string)
- title = optional(string)
- }), {})
- })), [])
- })), {})
- tag_bindings = optional(map(string), {})
- }))
- nullable = false
- default = {}
-}
diff --git a/fast/stages/1-resman-legacy/variables.tf b/fast/stages/1-resman-legacy/variables.tf
deleted file mode 100644
index 8bb0a96d7..000000000
--- a/fast/stages/1-resman-legacy/variables.tf
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# defaults for variables marked with global tfdoc annotations, can be set via
-# the tfvars file generated in stage 00 and stored in its outputs
-
-variable "factories_config" {
- description = "Configuration for the resource factories or external data."
- type = object({
- stage_2 = optional(string, "data/stage-2")
- stage_3 = optional(string, "data/stage-3")
- tags = optional(string, "data/tags")
- top_level_folders = optional(string, "data/top-level-folders")
- context = optional(object({
- iam_principals = optional(map(string), {})
- org_policies = optional(map(map(string)), {})
- tag_keys = optional(map(string), {})
- tag_values = optional(map(string), {})
- }), {})
- })
- nullable = false
- default = {}
-}
-
-variable "outputs_location" {
- description = "Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable."
- type = string
- default = null
-}
-
-variable "resource_names" {
- description = "Resource names overrides for specific resources. Stage names are interpolated via `$${name}`. Prefix is always set via code, except where noted in the variable type."
- type = object({
- gcs-net = optional(string, "prod-resman-$${name}-0")
- gcs-nsec = optional(string, "resman-$${name}-0")
- gcs-pf = optional(string, "resman-$${name}-0")
- gcs-sec = optional(string, "prod-resman-$${name}-0")
- gcs-stage2 = optional(string, "resman-$${name}-0")
- gcs-stage3 = optional(string, "resman-$${name}-0")
- sa-cicd_ro = optional(string, "resman-$${name}-1r")
- sa-cicd_rw = optional(string, "resman-$${name}-1")
- sa-stage2_ro = optional(string, "resman-$${name}-0r")
- sa-stage2_rw = optional(string, "resman-$${name}-0")
- sa-stage3_ro = optional(string, "resman-$${name}-0r")
- sa-stage3_rw = optional(string, "resman-$${name}-0")
- })
- nullable = false
- default = {}
-}
-
-variable "tag_names" {
- description = "Customized names for resource management tags."
- type = object({
- context = optional(string, "context")
- environment = optional(string, "environment")
- })
- default = {}
- nullable = false
- validation {
- condition = alltrue([for k, v in var.tag_names : v != null])
- error_message = "Tag names cannot be null."
- }
-}
-
-variable "tags" {
- description = "Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level."
- type = map(object({
- description = optional(string, "Managed by the Terraform organization module.")
- iam = optional(map(list(string)), {})
- id = optional(string)
- values = optional(map(object({
- description = optional(string, "Managed by the Terraform organization module.")
- iam = optional(map(list(string)), {})
- id = optional(string)
- })), {})
- }))
- nullable = false
- default = {}
- validation {
- condition = alltrue([
- for k, v in var.tags : v != null
- ])
- error_message = "Use an empty map instead of null as value."
- }
-}
diff --git a/fast/stages/1-vpcsc/fast_version.txt b/fast/stages/1-vpcsc/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/1-vpcsc/fast_version.txt
+++ b/fast/stages/1-vpcsc/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/2-networking-a-simple/fast_version.txt b/fast/stages/2-networking-a-simple/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/2-networking-a-simple/fast_version.txt
+++ b/fast/stages/2-networking-a-simple/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/2-networking-b-nva/fast_version.txt b/fast/stages/2-networking-b-nva/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/2-networking-b-nva/fast_version.txt
+++ b/fast/stages/2-networking-b-nva/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/2-networking-c-separate-envs/fast_version.txt b/fast/stages/2-networking-c-separate-envs/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/2-networking-c-separate-envs/fast_version.txt
+++ b/fast/stages/2-networking-c-separate-envs/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/.fast-stage.env b/fast/stages/2-project-factory-legacy/.fast-stage.env
deleted file mode 100644
index 24820e777..000000000
--- a/fast/stages/2-project-factory-legacy/.fast-stage.env
+++ /dev/null
@@ -1,5 +0,0 @@
-FAST_STAGE_DESCRIPTION="project factory (org level)"
-FAST_STAGE_LEVEL=2
-FAST_STAGE_NAME=project-factory
-FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
-FAST_STAGE_OPTIONAL="1-vpcsc 2-networking 2-security"
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/README.md b/fast/stages/2-project-factory-legacy/README.md
deleted file mode 100644
index 845ac7de6..000000000
--- a/fast/stages/2-project-factory-legacy/README.md
+++ /dev/null
@@ -1,379 +0,0 @@
-# Project Factory (Legacy)
-
-
-- [Design overview and choices](#design-overview-and-choices)
-- [How to run this stage](#how-to-run-this-stage)
- - [Resource Management stage configuration](#resource-management-stage-configuration)
- - [Factory configuration](#factory-configuration)
- - [Stage provider and Terraform variables](#stage-provider-and-terraform-variables)
-- [Managing folders and projects](#managing-folders-and-projects)
- - [Folder and hierarchy management](#folder-and-hierarchy-management)
- - [Folder parent-child relationship and variable substitutions](#folder-parent-child-relationship-and-variable-substitutions)
- - [Project Creation](#project-creation)
- - [Automation Resources for Projects](#automation-resources-for-projects)
-- [Alternative patterns](#alternative-patterns)
- - [Per-environment Factories](#per-environment-factories)
-- [Files](#files)
-- [Variables](#variables)
-- [Outputs](#outputs)
-
-
-The Project Factory stage allows simplified management of folder hierarchies and projects via YAML-based configuration files. Multiple project factories can coexist in the same landing zone, and different patterns can be implemented by pointing them at different configuration files.
-
-The pattern implemented here by default allows management of a teams (or business units, applications, etc.) hierarchy. Different patterns are possible, and this document also tries to provide some guidance on how to implement them.
-
-
-
-
-
-## Design overview and choices
-
-The project factory is "primed" by the resource management stage via
-
-- a set of service accounts with different scopes
-- one or more user-defined top-level folders where those service accounts operate
-
-This stage does not directly depend on other stage 2 like networking and security, but it can optionally leverage resources created there like Shared VPC host projects, which are used to define service projects.
-
-The project factory stage is a thin wrapper of the underlying [project-factory module](../../../modules/project-factory/), which in turn exposes the full interface of the [project](../../../modules/project/) and [folder](../../../modules/folder/) modules.
-
-## How to run this stage
-
-This stage is meant to be executed after the [bootstrap](../0-bootstrap-legacy) stage has run, as it leverages the automation service account and bucket created there, and additional resources configured there.
-
-### Resource Management stage configuration
-
-The resource management stage already contains a sample "Teams" folder defined via YAML, which can be used as-is or modified to provide a top-level folder for the project factory. More folders can of course be added, and Terraform variables used instead of or in addition to YAML files in the resource management stage.
-
-This is the teams YAML in resource management, leveraging attribute substitutions from provided context for the project factory service account and tag value.
-
-```yaml
-name: Teams
-automation:
- enable: false
-iam:
- "roles/owner":
- - project-factory
- "roles/resourcemanager.folderAdmin":
- - project-factory
- "roles/resourcemanager.projectCreator":
- - project-factory
- "roles/resourcemanager.tagUser":
- - project-factory
- "service_project_network_admin":
- - project-factory
-tag_bindings:
- context: context/project-factory
-```
-
-This is the alternative version that can be used instead of the YAML file above.
-
-```tfvars
-top_level_folders = {
- # more top-level folders might be present here
- teams = {
- name = "Teams"
- iam = {
- "roles/owner" = ["project-factory"]
- "roles/resourcemanager.folderAdmin" = ["project-factory"]
- "roles/resourcemanager.projectCreator" = ["project-factory"]
- "roles/resourcemanager.tagUser" = ["project-factory"]
- "service_project_network_admin" = ["project-factory"]
- }
- tag_bindings = {
- context = "context/project-factory"
- }
- }
-}
-# tftest skip
-```
-
-You can of course extend these snippets to grant additional roles to groups or other service accounts via the `iam`, `iam_by_principals`, and `iam_bindings` folder-level variables.
-
-The project factory tag binding on the folder allows management of organization policies in the Teams hierarchy. If this functionality is not needed, the tag binding can be safely omitted.
-
-### Factory configuration
-
-The `data` folder in this stage contains factory files that can be used as examples to implement the team-based design shown above. Before running `terraform apply` check the YAML files, as project names and other attributes will need basic editing to match your desired setup.
-
-### Stage provider and Terraform variables
-
-As all other FAST stages, the [mechanism](../0-bootstrap-legacy/README.md#output-files-and-cross-stage-variables) used to pass variable values and pre-built provider files from one stage to the next is also leveraged here.
-
-The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run.
-
-```bash
-../fast-links.sh ~/fast-config
-
-# File linking commands for project factory (org level) stage
-
-# provider file
-ln -s ~/fast-config/fast-test-00/providers/2-project-factory-providers.tf ./
-
-# input files from other stages
-ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./
-ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap-legacy.auto.tfvars.json ./
-ln -s ~/fast-config/fast-test-00/tfvars/1-resman.auto.tfvars.json ./
-
-# conventional place for stage tfvars (manually created)
-ln -s ~/fast-config/fast-test-00/2-project-factory.auto.tfvars ./
-
-# optional files
-ln -s ~/fast-config/fast-test-00/2-networking.auto.tfvars.json ./
-ln -s ~/fast-config/fast-test-00/2-security.auto.tfvars.json ./
-```
-
-```bash
-../fast-links.sh gs://xxx-prod-iac-core-outputs-0
-
-# File linking commands for project factory (org level) stage
-
-# provider file
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-project-factory-providers.tf ./
-
-# input files from other stages
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap-legacy.auto.tfvars.json ./
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./
-
-# conventional place for stage tfvars (manually created)
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-project-factory.auto.tfvars ./
-
-# optional files
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-networking.auto.tfvars.json ./
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-security.auto.tfvars.json ./
-```
-
-If you're not using FAST, refer to the [Variables](#variables) table at the bottom of this document for a full list of variables, their origin (e.g., a stage or specific to this one), and descriptions explaining their meaning.
-
-Besides the values above, the project factory is driven by YAML data files, with one file per project. Please refer to the underlying [project factory module](../../../modules/project-factory/) documentation for details on the format.
-
-Once the configuration is complete, run the project factory with:
-
-```bash
-terraform init
-terraform apply
-```
-
-## Managing folders and projects
-
-The YAML data files are self-explanatory and the included [schema files](./schemas/) provide a reliable framework to allow editing the sample data, or starting from scratch to implement a different pattern. This section lists some general considerations on how folder and project files work to help getting up to speed with operations.
-
-### Folder and hierarchy management
-
-The project factory manages its folder hierarchy via a filesystem tree, rooted in the path defined via the `factories_config.hierarchy_data` variable.
-
-Filesystem folders which contain a `_config.yaml` file are mapped to folders in the resource management hierarchy. Their YAML configuration files allow defining folder attributes like descriptive name, IAM bindings, organization policies, tag bindings.
-
-This is the simple filesystem hierarchy provided here as an example.
-
-```bash
-hierarchy
-├── team-a
-│ ├── _config.yaml
-│ ├── dev
-│ │ └── _config.yaml
-│ └── prod
-│ └── _config.yaml
-└── team-b
- ├── _config.yaml
- ├── dev
- │ └── _config.yaml
- └── prod
- └── _config.yaml
-```
-
-The approach is intentionally explicit and repetitive in order to simplify operations: copy/pasting an existing set of folders (or an ad hoc template) and changing a few YAML variables allows to quickly define new sub-hierarchy branches. Mass editing via search and replace functionality allows sweeping changes across the whole hierarchy.
-
-Where inheritance is leveraged in the overall design config files can be deceptively simple: the following is the config file for the dev Team A folder in the provided example.
-
-```yaml
-name: Development
-tag_bindings:
- environment: environment/development
-iam_by_principals:
- "group:team-a-admins@example.com":
- - roles/editor
-```
-
-All of the [folder module](../../../modules/folder/) attributes can of course be leveraged in the configuration files. Refer to the [folder schema](./schemas/folder.schema.json) for the complete set of available attributes.
-
-### Folder parent-child relationship and variable substitutions
-
-In the example YAML configuration above there's no explicitly specified folder parent: it is derived from the filesystem hierarchy, and set to the "Team A" folder.
-
-But what about the "Team A" folder itself? From the point of view of the project factory it's a top-level folder attached to the root of its hierarchy (the "Teams" folder), so how does it know where to create it in the GCP hierarchy?
-
-There are three different ways to pass this information to the project factory:
-
-- in the YAML file itself, by explicitly setting the folder's `parent` attribute to the explicit numeric id of the "Teams" folder
-- in the YAML file itself, by explicitly setting the folder's `parent` attribute to the short name of the "Teams" folder in the resource management stage's outputs
-- in the stage Terraform variables, by setting the `default` folder for the project factory to the numeric id of the "Teams" folder
-
-This flexibility is what allows the project factory to manage folders under multiple roots, and to also be used for folders created outside of FAST. Imagine a scenario where there's no single "Teams" folder, but multiple ones for different subsidiaries, or for internal and external teams, etc.
-
-The snippets below show how to set the `parent` attribute explicitly or via substitution in the YAML file.
-
-```yaml
-name: Team A
-# use the explicit id of the Teams folder
-parent: folders/1234567890
-```
-
-```yaml
-name: Team A
-# use variable substitution from stage 1 tfvars (preferred approach)
-parent: teams
-```
-
-The third way explained above does not explicitly define a root folder in the YAML files, but sets a default folder in the Terraform variables for the stage via the `factories_config.substitutions.folder_ids`, by adding a `default` key pointing to the folder id of the root ("Teams") folder.
-
-```tfvars
-factories_config = {
- substitutions = {
- folder_ids = {
- # id of the top-level Teams folder
- # derived from the 1-resman.auto.tfvars.json file
- default = "folders/12345678"
- }
- }
-}
-# tftest skip
-```
-
-### Project Creation
-
-Project YAML files can be created in two different filesystem paths:
-
-- in the filesystem folder defined via the `factories_config.project_data` variable, and then explicitly setting their `parent` attribute in YAML files, or
-- in the filesystem hierarchy discussed above, so that their `parent` attribute is automatically derived from the containing folder
-
-The two approaches can be mixed and matched, but the first approach is safer as is avoids potentially dangerous situations when folders are deleted with project configuration files still inside.
-
-When specifying projects outside of the folder hierarchy, setting the parent folder works in pretty much the same way as discussed above, with substitutions available for any folder defined in the filesystem hierarchy. This allows writing portable files, by referring to short names instead of resource ids.
-
-```yaml
-# use the explicit id of the parent folder
-parent: folders/1234509876
-```
-
-```yaml
-# use variable substitution from managed folders (preferred approach)
-parent: team-a/dev
-```
-
-All of the [project module](../../../modules/project/) attributes (and some service account attributes) can of course be leveraged in the configuration files. Refer to the [project schema](./schemas/folder.schema.json) for the complete set of available attributes.
-
-### Automation Resources for Projects
-
-When created projects are meant to be managed via IaC downstream, an initial set of automation resources can be created in a "controlling project". The preferred pattern is to first create one or more controlling projects for the project factory, and then leverage them for service account and GCS bucket creation.
-
-```yaml
-# controlling project shown in the diagram above
-parent: teams
-name: xxx-prod-iac-teams-0
-services:
- - compute.googleapis.com
- - storage.googleapis.com
- # ...
- # enable all services used by service accounts in this project
-```
-
-Once a controlling project is in place, it can be used in any other project declaration to host service accounts and bucket for automation. The service accounts can be used in IAM bindings in the same file by referring to their name via substitutions, as shown here.
-
-```yaml
-# team or application-level project with automation resources
-parent: team-a/dev
-# project prefix is forced via override in `main.tf`
-name: dev-ta-app-0
-iam:
- roles/owner:
- # refer to the rw service account defined below
- - rw
- roles/viewer:
- # refer to the ro service account defined below
- - ro
-automation:
- # no context is possible here
- # use the complete project id
- project: xxx-prod-iac-teams-0
- service_accounts:
- # resulting sa name: xxx-dev-ta-app-0-rw
- rw:
- description: Read/write automation sa for team a app 0.
- # resulting sa name: xxx-dev-ta-app-0-ro
- ro:
- description: Read-only automation sa for team a app 0.
- bucket:
- # resulting bucket name: xxx-dev-ta-app-0-state
- description: Terraform state bucket for team a app 0.
- iam:
- # service accounts can use short name substitutions from context
- roles/storage.objectCreator:
- - rw
- roles/storage.objectViewer:
- - rw
- - ro
- - group:devops@example.org
-```
-
-## Alternative patterns
-
-Some alternative patterns are captured here, the list will grow as we generalize approaches seen in the field.
-
-### Per-environment Factories
-
-A variation of this pattern uses separate project factories for each environment, as in the following diagram.
-
-
-
-
-
-This approach leverages the per-environment project factory service accounts and tags created by the resource management stage, so that
-
-- the Teams folder hierarchy and IaC project are managed by a cross-environment factory using the "main" project factory service account
-- IAM permissions are set on the environment folders to grant control to the prod and dev project factory service accounts
-- one additional factory per environment manages project creation leveraging the folders created above
-
-The approach is not shown here but reasonably easy to implement. The main project factory output file can also be used to set up folder id susbtitution in the per-environment factories.
-
-
-
-## Files
-
-| name | description | modules | resources |
-|---|---|---|---|
-| [main.tf](./main.tf) | Project factory. | project-factory-legacy | |
-| [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file |
-| [variables-fast.tf](./variables-fast.tf) | None | | |
-| [variables.tf](./variables.tf) | Module variables. | | |
-
-## Variables
-
-| name | description | type | required | default | producer |
-|---|---|:---:|:---:|:---:|:---:|
-| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
-| [billing_account](variables-fast.tf#L26) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L109) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
-| [custom_roles](variables-fast.tf#L39) | Custom roles defined at the org level, in key => id format. | map(string) | | {} | 0-bootstrap |
-| [factories_config](variables.tf#L17) | Configuration for YAML-based factories. | object({…}) | | {} | |
-| [folder_ids](variables-fast.tf#L47) | Folders created in the resource management stage. | map(string) | | {} | 1-resman |
-| [groups](variables-fast.tf#L55) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | map(string) | | {} | 0-bootstrap |
-| [host_project_ids](variables-fast.tf#L64) | Host project for the shared VPC. | map(string) | | {} | 2-networking |
-| [kms_keys](variables-fast.tf#L72) | KMS key ids. | map(string) | | {} | 2-security |
-| [locations](variables-fast.tf#L80) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
-| [org_policy_tags](variables-fast.tf#L98) | Optional organization policy tag values. | object({…}) | | {} | 0-bootstrap |
-| [outputs_location](variables.tf#L43) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [perimeters](variables-fast.tf#L90) | Optional VPC-SC perimeter ids. | map(string) | | {} | 1-vpcsc |
-| [service_accounts](variables-fast.tf#L119) | Automation service accounts in name => email format. | map(string) | | {} | 1-resman |
-| [stage_name](variables.tf#L49) | FAST stage name. Used to separate output files across different factories. | string | | "2-project-factory" | |
-| [tag_values](variables-fast.tf#L127) | FAST-managed resource manager tag values. | map(string) | | {} | 1-resman |
-
-## Outputs
-
-| name | description | sensitive | consumers |
-|---|---|:---:|---|
-| [buckets](outputs.tf#L31) | Created buckets. | | |
-| [projects](outputs.tf#L38) | Created projects. | | |
-| [service_accounts](outputs.tf#L50) | Created service accounts. | | |
-
diff --git a/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/_config.yaml b/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/_config.yaml
deleted file mode 100644
index 410d9e86f..000000000
--- a/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/_config.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../schemas/folder.schema.json
-
-name: Team A
-parent: teams
-# iam_by_principals:
-# "group:team-a-admins@example.com":
-# - roles/viewer
diff --git a/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/dev/_config.yaml b/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/dev/_config.yaml
deleted file mode 100644
index da77cb7f1..000000000
--- a/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/dev/_config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Development
-tag_bindings:
- environment: environment/development
-# iam_by_principals:
-# "group:team-a-admins@example.com":
-# - roles/editor
diff --git a/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/prod/_config.yaml b/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/prod/_config.yaml
deleted file mode 100644
index a7079ab36..000000000
--- a/fast/stages/2-project-factory-legacy/data/hierarchy/team-a/prod/_config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Production
-tag_bindings:
- environment: environment/production
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/_config.yaml b/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/_config.yaml
deleted file mode 100644
index 80d5faa67..000000000
--- a/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/_config.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../schemas/folder.schema.json
-
-name: Team B
-parent: teams
-# iam_by_principals:
-# "group:team-b-admins@example.com":
-# - roles/viewer
diff --git a/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/dev/_config.yaml b/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/dev/_config.yaml
deleted file mode 100644
index e50bb7308..000000000
--- a/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/dev/_config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Development
-tag_bindings:
- environment: environment/development
-# iam_by_principals:
-# "group:team-b-admins@example.com":
-# - roles/editor
diff --git a/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/prod/_config.yaml b/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/prod/_config.yaml
deleted file mode 100644
index a7079ab36..000000000
--- a/fast/stages/2-project-factory-legacy/data/hierarchy/team-b/prod/_config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Production
-tag_bindings:
- environment: environment/production
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/data/projects/dev-ta-0.yaml b/fast/stages/2-project-factory-legacy/data/projects/dev-ta-0.yaml
deleted file mode 100644
index bfc3477de..000000000
--- a/fast/stages/2-project-factory-legacy/data/projects/dev-ta-0.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/project.schema.json
-
-parent: team-a/dev
-shared_vpc_service_config:
- host_project: dev-spoke-0
- network_users:
- - gcp-devops
diff --git a/fast/stages/2-project-factory-legacy/data/projects/dev-tb-0.yaml b/fast/stages/2-project-factory-legacy/data/projects/dev-tb-0.yaml
deleted file mode 100644
index 1dd414fac..000000000
--- a/fast/stages/2-project-factory-legacy/data/projects/dev-tb-0.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/project.schema.json
-
-parent: team-b/dev
-shared_vpc_service_config:
- host_project: dev-spoke-0
- network_users:
- - gcp-devops
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/data/projects/prod-ta-0.yaml b/fast/stages/2-project-factory-legacy/data/projects/prod-ta-0.yaml
deleted file mode 100644
index 1bc5c895e..000000000
--- a/fast/stages/2-project-factory-legacy/data/projects/prod-ta-0.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/project.schema.json
-
-parent: team-a/prod
-shared_vpc_service_config:
- host_project: prod-spoke-0
- network_users:
- - gcp-devops
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/data/projects/prod-tb-0.yaml b/fast/stages/2-project-factory-legacy/data/projects/prod-tb-0.yaml
deleted file mode 100644
index ee1e12cc1..000000000
--- a/fast/stages/2-project-factory-legacy/data/projects/prod-tb-0.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/project.schema.json
-
-parent: team-b/prod
-shared_vpc_service_config:
- host_project: prod-spoke-0
- network_users:
- - gcp-devops
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/diagram-env.png b/fast/stages/2-project-factory-legacy/diagram-env.png
deleted file mode 100644
index f7761028f..000000000
Binary files a/fast/stages/2-project-factory-legacy/diagram-env.png and /dev/null differ
diff --git a/fast/stages/2-project-factory-legacy/diagram.png b/fast/stages/2-project-factory-legacy/diagram.png
deleted file mode 100644
index b442808b8..000000000
Binary files a/fast/stages/2-project-factory-legacy/diagram.png and /dev/null differ
diff --git a/fast/stages/2-project-factory-legacy/fast_version.txt b/fast/stages/2-project-factory-legacy/fast_version.txt
deleted file mode 100644
index ba9053698..000000000
--- a/fast/stages/2-project-factory-legacy/fast_version.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# FAST release: v44.2.0
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/main.tf b/fast/stages/2-project-factory-legacy/main.tf
deleted file mode 100644
index 22f6c9b79..000000000
--- a/fast/stages/2-project-factory-legacy/main.tf
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Project factory.
-
-module "projects" {
- source = "../../../modules/project-factory-legacy"
- data_defaults = {
- # more defaults are available, check the project factory variables
- billing_account = var.billing_account.id
- storage_location = var.locations.gcs
- }
- data_merges = {
- services = [
- "stackdriver.googleapis.com"
- ]
- }
- data_overrides = {
- prefix = var.prefix
- }
- factories_config = merge(var.factories_config, {
- context = {
- custom_roles = merge(
- var.custom_roles, var.factories_config.context.custom_roles
- )
- folder_ids = merge(
- { for k, v in var.folder_ids : k => v if v != null },
- var.factories_config.context.folder_ids
- )
- iam_principals = merge(
- {
- for k, v in var.service_accounts :
- k => "serviceAccount:${v}" if v != null
- },
- var.groups,
- var.factories_config.context.iam_principals
- )
- kms_keys = merge(
- var.kms_keys,
- var.factories_config.context.kms_keys
- )
- perimeters = var.perimeters
- tag_values = merge(
- {
- for k, v in var.org_policy_tags.values :
- "${var.org_policy_tags.key_name}/${k}" => v
- },
- var.tag_values,
- var.factories_config.context.tag_values
- )
- vpc_host_projects = merge(
- var.host_project_ids,
- var.factories_config.context.vpc_host_projects
- )
- }
- })
-}
diff --git a/fast/stages/2-project-factory-legacy/outputs.tf b/fast/stages/2-project-factory-legacy/outputs.tf
deleted file mode 100644
index 4c6359f6d..000000000
--- a/fast/stages/2-project-factory-legacy/outputs.tf
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- project_provider_data = flatten([
- for k, v in module.projects.projects : [
- for sk, sv in try(v.automation.service_accounts) : {
- key = "${k}-${sk}"
- bucket = try(v.automation.bucket, null)
- project_id = v.project_id
- project_number = v.number
- service_account = sv
- }
- ] if try(v.automation.bucket, null) != null
- ])
-}
-
-output "buckets" {
- description = "Created buckets."
- value = {
- for k, v in module.projects.buckets : k => v
- }
-}
-
-output "projects" {
- description = "Created projects."
- value = {
- for k, v in module.projects.projects : k => {
- id = v.project_id
- number = v.number
- automation = v.automation
- service_agents = v.service_agents
- }
- }
-}
-
-output "service_accounts" {
- description = "Created service accounts."
- value = {
- for k, v in module.projects.service_accounts : k => {
- email = v.email
- iam_email = v.iam_email
- }
- }
-}
-
-resource "google_storage_bucket_object" "version" {
- count = fileexists("fast_version.txt") ? 1 : 0
- bucket = var.automation.outputs_bucket
- name = "versions/2-project-factory-version.txt"
- source = "fast_version.txt"
-}
-
-# generate tfvars file for subsequent stages
-
-resource "local_file" "providers" {
- for_each = var.outputs_location == null ? {} : { for v in local.project_provider_data : v.key => v }
- file_permission = "0644"
- filename = "${pathexpand(var.outputs_location)}/providers/${var.stage_name}/${each.key}-providers.tf"
- content = templatefile("templates/providers.tf.tpl", each.value)
-}
-
-resource "google_storage_bucket_object" "tfvars" {
- for_each = { for v in local.project_provider_data : v.key => v }
- bucket = var.automation.outputs_bucket
- name = "providers/${var.stage_name}/${each.key}-providers.tf"
- content = templatefile("templates/providers.tf.tpl", each.value)
-}
diff --git a/fast/stages/2-project-factory-legacy/schemas/budget.schema.json b/fast/stages/2-project-factory-legacy/schemas/budget.schema.json
deleted file mode 120000
index cc5d28d4d..000000000
--- a/fast/stages/2-project-factory-legacy/schemas/budget.schema.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../../modules/billing-account/schemas/budget.schema.json
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/schemas/budget.schema.md b/fast/stages/2-project-factory-legacy/schemas/budget.schema.md
deleted file mode 100644
index 33bb16038..000000000
--- a/fast/stages/2-project-factory-legacy/schemas/budget.schema.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# Budget
-
-
-
-## Properties
-
-*additional properties: false*
-
-- ⁺**amount**: *object*
-
*additional properties: false*
- - **currency_code**: *string*
- - **nanos**: *number*
- - **units**: *number*
- - **use_last_period**: *boolean*
-- **display_name**: *string*
-- **filter**: *object*
-
*additional properties: false*
- - **credit_types_treatment**: *object*
-
*additional properties: false*
- - **exclude_all**: *boolean*
- - **include_specified**: *array*
- - items: *string*
- - **label**: *object*
-
*additional properties: false*
- - **key**: *string*
- - **value**: *string*
- - **period**: *object*
-
*additional properties: false*
- - **calendar**: *string*
- - **custom**: *object*
-
*additional properties: false*
- - **start_date**: *reference([date](#refs-date))*
- - **end_date**: *reference([date](#refs-date))*
- - **projects**: *array*
- - items: *string*
- - **resource_ancestors**: *array*
- - items: *string*
- - **services**: *array*
- - items: *string*
- - **subaccounts**: *array*
- - items: *string*
-- **threshold_rules**: *array*
- - items: *object*
-
*additional properties: false*
- - ⁺**percent**: *number*
- - **forecasted_spend**: *boolean*
-- **update_rules**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **disable_default_iam_recipients**: *boolean*
- - **monitoring_notification_channels**: *array*
- - items: *string*
- - **pubsub_topic**: *string*
-
-## Definitions
-
-- **date**: *object*
-
*additional properties: false*
- - **day**: *number*
- - **month**: *number*
- - **year**: *number*
diff --git a/fast/stages/2-project-factory-legacy/schemas/folder.schema.json b/fast/stages/2-project-factory-legacy/schemas/folder.schema.json
deleted file mode 120000
index d58a2759b..000000000
--- a/fast/stages/2-project-factory-legacy/schemas/folder.schema.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../../modules/project-factory/schemas/folder.schema.json
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/schemas/folder.schema.md b/fast/stages/2-project-factory-legacy/schemas/folder.schema.md
deleted file mode 100644
index 4c5fac144..000000000
--- a/fast/stages/2-project-factory-legacy/schemas/folder.schema.md
+++ /dev/null
@@ -1,149 +0,0 @@
-# Folder
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **automation**: *object*
-
*additional properties: false*
- - **prefix**: *string*
- - ⁺**project**: *string*
- - **bucket**: *reference([bucket](#refs-bucket))*
- - **service_accounts**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **iam_billing_roles**: *reference([iam_billing_roles](#refs-iam_billing_roles))*
- - **iam_folder_roles**: *reference([iam_folder_roles](#refs-iam_folder_roles))*
- - **iam_organization_roles**: *reference([iam_organization_roles](#refs-iam_organization_roles))*
- - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- - **iam_storage_roles**: *reference([iam_storage_roles](#refs-iam_storage_roles))*
-- **iam**: *reference([iam](#refs-iam))*
-- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
-- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
-- **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
-- **name**: *string*
-- **org_policies**: *object*
-
*additional properties: false*
- - **`^[a-z]+\.`**: *object*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
-- **parent**: *string*
-
*pattern: ^(?:folders/[0-9]+|organizations/[0-9]+|\$folder_ids:[a-z0-9_-]+)$*
-- **tag_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *string*
-
-## Definitions
-
-- **bucket**: *object*
-
*additional properties: false*
- - **name**: *string*
- - **description**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **force_destroy**: *boolean*
- - **labels**: *object*
- *additional properties: String*
- - **location**: *string*
- - **managed_folders**: *object*
-
*additional properties: false*
- - **`^[a-zA-Z0-9][a-zA-Z0-9_/-]+$`**: *object*
-
*additional properties: false*
- - **force_destroy**: *boolean*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **prefix**: *string*
- - **storage_class**: *string*
- - **uniform_bucket_level_access**: *boolean*
- - **versioning**: *boolean*
-- **iam**: *object*
-
*additional properties: false*
- - **`^(?:roles/|\$custom_roles:)`**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:)*
-- **iam_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **members**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:)*
- - **role**: *string*
-
*pattern: ^roles/*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_bindings_additive**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **member**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:)*
- - **role**: *string*
-
*pattern: ^roles/*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_by_principals**: *object*
-
*additional properties: false*
- - **`^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:)`**: *array*
- - items: *string*
-
*pattern: ^(?:roles/|\$custom_roles:)*
-- **iam_billing_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_folder_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_organization_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_project_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_sa_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_storage_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
diff --git a/fast/stages/2-project-factory-legacy/schemas/project.schema.json b/fast/stages/2-project-factory-legacy/schemas/project.schema.json
deleted file mode 120000
index 11f161f17..000000000
--- a/fast/stages/2-project-factory-legacy/schemas/project.schema.json
+++ /dev/null
@@ -1 +0,0 @@
-../../../../modules/project-factory/schemas/project.schema.json
\ No newline at end of file
diff --git a/fast/stages/2-project-factory-legacy/schemas/project.schema.md b/fast/stages/2-project-factory-legacy/schemas/project.schema.md
deleted file mode 100644
index 900523134..000000000
--- a/fast/stages/2-project-factory-legacy/schemas/project.schema.md
+++ /dev/null
@@ -1,249 +0,0 @@
-# Project
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **automation**: *object*
-
*additional properties: false*
- - **prefix**: *string*
- - ⁺**project**: *string*
- - **bucket**: *reference([bucket](#refs-bucket))*
- - **service_accounts**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **iam_billing_roles**: *reference([iam_billing_roles](#refs-iam_billing_roles))*
- - **iam_folder_roles**: *reference([iam_folder_roles](#refs-iam_folder_roles))*
- - **iam_organization_roles**: *reference([iam_organization_roles](#refs-iam_organization_roles))*
- - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- - **iam_storage_roles**: *reference([iam_storage_roles](#refs-iam_storage_roles))*
-- **billing_account**: *string*
-- **billing_budgets**: *array*
- - items: *string*
-- **buckets**: *reference([buckets](#refs-buckets))*
-- **contacts**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *array*
- - items: *string*
-- **deletion_policy**: *string*
-
*enum: ['PREVENT', 'DELETE', 'ABANDON']*
-- **iam**: *reference([iam](#refs-iam))*
-- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
-- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
-- **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
-- **labels**: *object*
-- **log_buckets**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *reference([log_bucket](#refs-log_bucket))*
-- **metric_scopes**: *array*
- - items: *string*
-- **name**: *string*
-- **org_policies**: *object*
-
*additional properties: false*
- - **`^[a-z]+\.`**: *object*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
-- **quotas**: *object*
-
*additional properties: false*
- - **`^[a-zA-Z0-9_-]+$`**: *object*
-
*additional properties: false*
- - ⁺**service**: *string*
- - ⁺**quota_id**: *string*
- - ⁺**preferred_value**: *number*
- - **dimensions**: *object*
- *additional properties: String*
- - **justification**: *string*
- - **contact_email**: *string*
- - **annotations**: *object*
- *additional properties: String*
- - **ignore_safety_checks**: *string*
-
*enum: ['QUOTA_DECREASE_BELOW_USAGE', 'QUOTA_DECREASE_PERCENTAGE_TOO_HIGH', 'QUOTA_SAFETY_CHECK_UNSPECIFIED']*
-- **parent**: *string*
-- **prefix**: *string*
-- **project_reuse**: *object*
-
*additional properties: false*
- - **use_data_source**: *boolean*
- - **attributes**: *object*
- - ⁺**name**: *string*
- - ⁺**number**: *number*
- - **services_enabled**: *array*
- - items: *string*
-- **service_accounts**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *object*
-
*additional properties: false*
- - **display_name**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_self_roles**: *array*
- - items: *string*
- - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
-- **service_encryption_key_ids**: *object*
-
*additional properties: false*
- - **`^[a-z-]+\.googleapis\.com$`**: *array*
- - items: *string*
-- **services**: *array*
- - items: *string*
-
*pattern: ^[a-z-]+\.googleapis\.com$*
-- **shared_vpc_host_config**: *object*
-
*additional properties: false*
- - ⁺**enabled**: *boolean*
- - **service_projects**: *array*
- - items: *string*
-- **shared_vpc_service_config**: *object*
-
*additional properties: false*
- - ⁺**host_project**: *string*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **network_users**: *array*
- - items: *string*
- - **service_agent_iam**: *object*
- - **`^[a-z0-9_-]+$`**: *array*
- - items: *string*
- - **service_agent_subnet_iam**: *object*
- - **`^[a-z0-9_-]+$`**: *array*
- - items: *string*
- - **service_iam_grants**: *array*
- - items: *string*
- - **network_subnet_users**: *object*
- - **`^[a-z0-9_-]+$`**: *array*
- - items: *string*
-- **tag_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *string*
-- **tags**: *object*
- *additional properties: Object*
-- **universe**: *object*
-
*additional properties: false*
- - **prefix**: *string*
-- **vpc_sc**: *object*
- - ⁺**perimeter_name**: *string*
- - **is_dry_run**: *boolean*
-
-## Definitions
-
-- **bucket**: *object*
-
*additional properties: false*
- - **name**: *string*
- - **description**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **force_destroy**: *boolean*
- - **labels**: *object*
- *additional properties: String*
- - **location**: *string*
- - **managed_folders**: *object*
-
*additional properties: false*
- - **`^[a-zA-Z0-9][a-zA-Z0-9_/-]+$`**: *object*
-
*additional properties: false*
- - **force_destroy**: *boolean*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **prefix**: *string*
- - **storage_class**: *string*
- - **uniform_bucket_level_access**: *boolean*
- - **versioning**: *boolean*
-- **buckets**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *reference([bucket](#refs-bucket))*
-- **iam**: *object*
-
*additional properties: false*
- - **`^(?:roles/|\$custom_roles:)`**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:||\$iam_principals:[a-z0-9_-]+)*
-- **iam_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **members**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
- - **role**: *string*
-
*pattern: ^(?:roles/|\$custom_roles:)*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_bindings_additive**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **member**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
- - **role**: *string*
-
*pattern: ^(?:roles/|\$custom_roles:)*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_by_principals**: *object*
-
*additional properties: false*
- - **`^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)`**: *array*
- - items: *string*
-
*pattern: ^(?:roles/|\$custom_roles:)*
-- **iam_billing_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_folder_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_organization_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_project_roles**: *object*
-
*additional properties: false*
- - **`^(?:[a-z0-9-]|\$project_ids:[a-z0-9_-])+$`**: *array*
- - items: *string*
-- **iam_sa_roles**: *object*
-
*additional properties: false*
- - **`^(?:\$service_account_ids:|projects/)`**: *array*
- - items: *string*
-- **iam_storage_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **log_bucket**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **kms_key_name**: *string*
- - **location**: *string*
- - **log_analytics**: *object*
-
*additional properties: false*
- - **enable**: *boolean*
- - **dataset_link_id**: *string*
- - **description**: *string*
- - **retention**: *number*
diff --git a/fast/stages/2-project-factory-legacy/templates/providers.tf.tpl b/fast/stages/2-project-factory-legacy/templates/providers.tf.tpl
deleted file mode 100644
index 0acddcc20..000000000
--- a/fast/stages/2-project-factory-legacy/templates/providers.tf.tpl
+++ /dev/null
@@ -1,30 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# ${project_id} ${project_number}
-
-terraform {
- backend "gcs" {
- bucket = "${bucket}"
- impersonate_service_account = "${service_account}"
- }
-}
-provider "google" {
- impersonate_service_account = "${service_account}"
-}
-provider "google-beta" {
- impersonate_service_account = "${service_account}"
-}
diff --git a/fast/stages/2-project-factory-legacy/variables-fast.tf b/fast/stages/2-project-factory-legacy/variables-fast.tf
deleted file mode 100644
index f29bd4a53..000000000
--- a/fast/stages/2-project-factory-legacy/variables-fast.tf
+++ /dev/null
@@ -1,133 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "automation" {
- # tfdoc:variable:source 0-bootstrap
- description = "Automation resources created by the bootstrap stage."
- type = object({
- outputs_bucket = string
- })
- nullable = false
-}
-
-variable "billing_account" {
- # tfdoc:variable:source 0-bootstrap
- description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
- type = object({
- id = string
- is_org_level = optional(bool, true)
- })
- validation {
- condition = var.billing_account.is_org_level != null
- error_message = "Invalid `null` value for `billing_account.is_org_level`."
- }
-}
-
-variable "custom_roles" {
- # tfdoc:variable:source 0-bootstrap
- description = "Custom roles defined at the org level, in key => id format."
- type = map(string)
- nullable = false
- default = {}
-}
-
-variable "folder_ids" {
- # tfdoc:variable:source 1-resman
- description = "Folders created in the resource management stage."
- type = map(string)
- nullable = false
- default = {}
-}
-
-variable "groups" {
- # tfdoc:variable:source 0-bootstrap
- # https://cloud.google.com/docs/enterprise/setup-checklist
- description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
- type = map(string)
- nullable = false
- default = {}
-}
-
-variable "host_project_ids" {
- # tfdoc:variable:source 2-networking
- description = "Host project for the shared VPC."
- type = map(string)
- nullable = false
- default = {}
-}
-
-variable "kms_keys" {
- # tfdoc:variable:source 2-security
- description = "KMS key ids."
- type = map(string)
- nullable = false
- default = {}
-}
-
-variable "locations" {
- # tfdoc:variable:source 0-bootstrap
- description = "Optional locations for GCS, BigQuery, and logging buckets created here."
- type = object({
- gcs = optional(string)
- })
- nullable = false
- default = {}
-}
-
-variable "perimeters" {
- # tfdoc:variable:source 1-vpcsc
- description = "Optional VPC-SC perimeter ids."
- type = map(string)
- nullable = false
- default = {}
-}
-
-variable "org_policy_tags" {
- # tfdoc:variable:source 0-bootstrap
- description = "Optional organization policy tag values."
- type = object({
- key_name = optional(string, "org-policies")
- values = optional(map(string), {})
- })
- nullable = false
- default = {}
-}
-
-variable "prefix" {
- # tfdoc:variable:source 0-bootstrap
- description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
- type = string
- validation {
- condition = try(length(var.prefix), 0) < 12
- error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants."
- }
-}
-
-variable "service_accounts" {
- # tfdoc:variable:source 1-resman
- description = "Automation service accounts in name => email format."
- type = map(string)
- nullable = false
- default = {}
-}
-
-variable "tag_values" {
- # tfdoc:variable:source 1-resman
- description = "FAST-managed resource manager tag values."
- type = map(string)
- nullable = false
- default = {}
-}
diff --git a/fast/stages/2-project-factory-legacy/variables.tf b/fast/stages/2-project-factory-legacy/variables.tf
deleted file mode 100644
index 3c2996caf..000000000
--- a/fast/stages/2-project-factory-legacy/variables.tf
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "factories_config" {
- description = "Configuration for YAML-based factories."
- type = object({
- folders_data_path = optional(string, "data/hierarchy")
- projects_data_path = optional(string, "data/projects")
- budgets = optional(object({
- billing_account = string
- budgets_data_path = optional(string, "data/budgets")
- notification_channels = optional(map(any), {})
- }))
- context = optional(object({
- custom_roles = optional(map(string), {})
- folder_ids = optional(map(string), {})
- kms_keys = optional(map(string), {})
- iam_principals = optional(map(string), {})
- tag_values = optional(map(string), {})
- vpc_host_projects = optional(map(string), {})
- }), {})
- projects_config = optional(object({
- key_ignores_path = optional(bool, false)
- }), {})
- })
- nullable = false
- default = {}
-}
-
-variable "outputs_location" {
- description = "Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable."
- type = string
- default = null
-}
-
-variable "stage_name" {
- description = "FAST stage name. Used to separate output files across different factories."
- type = string
- nullable = false
- default = "2-project-factory"
-}
diff --git a/fast/stages/2-project-factory/fast_version.txt b/fast/stages/2-project-factory/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/2-project-factory/fast_version.txt
+++ b/fast/stages/2-project-factory/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/2-secops/fast_version.txt b/fast/stages/2-secops/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/2-secops/fast_version.txt
+++ b/fast/stages/2-secops/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/2-security-legacy/README.md b/fast/stages/2-security-legacy/README.md
index 03e8da3da..37ca3931b 100644
--- a/fast/stages/2-security-legacy/README.md
+++ b/fast/stages/2-security-legacy/README.md
@@ -285,15 +285,15 @@ tls_inspection = {
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-org-setup |
| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-org-setup |
-| [environments](variables-fast.tf#L38) | Environment names. | map(object({…})) | ✓ | | 0-globals |
-| [folder_ids](variables-fast.tf#L56) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman |
-| [prefix](variables-fast.tf#L66) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-org-setup |
+| [folder_ids](variables-fast.tf#L38) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman |
+| [prefix](variables-fast.tf#L48) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-org-setup |
| [certificate_authorities](variables.tf#L17) | Certificate Authority Service pool and CAs. If environments is null identical pools and CAs are created in all environments. | map(object({…})) | | {} | |
-| [essential_contacts](variables.tf#L98) | Email used for essential contacts, unset if null. | string | | null | |
-| [kms_keys](variables.tf#L104) | KMS keys to create, keyed by name. | map(object({…})) | | {} | |
-| [outputs_location](variables.tf#L142) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
-| [stage_configs](variables-fast.tf#L76) | FAST stage configuration. | object({…}) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L90) | Root-level tag values. | map(string) | | {} | 1-resman |
+| [environments](variables.tf#L98) | Environment names. | map(object({…})) | | {…} | 0-globals |
+| [essential_contacts](variables.tf#L129) | Email used for essential contacts, unset if null. | string | | null | |
+| [kms_keys](variables.tf#L135) | KMS keys to create, keyed by name. | map(object({…})) | | {} | |
+| [outputs_location](variables.tf#L173) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
+| [stage_configs](variables-fast.tf#L58) | FAST stage configuration. | object({…}) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L72) | Root-level tag values. | map(string) | | {} | 1-resman |
## Outputs
diff --git a/fast/stages/2-security-legacy/fast_version.txt b/fast/stages/2-security-legacy/fast_version.txt
index 9f117e56b..fd8f1b3e0 100644
--- a/fast/stages/2-security-legacy/fast_version.txt
+++ b/fast/stages/2-security-legacy/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.1.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/2-security-legacy/variables-fast.tf b/fast/stages/2-security-legacy/variables-fast.tf
index 08e9acc2f..e861e7647 100644
--- a/fast/stages/2-security-legacy/variables-fast.tf
+++ b/fast/stages/2-security-legacy/variables-fast.tf
@@ -35,24 +35,6 @@ variable "billing_account" {
}
}
-variable "environments" {
- # tfdoc:variable:source 0-globals
- description = "Environment names."
- type = map(object({
- name = string
- short_name = string
- tag_name = string
- is_default = optional(bool, false)
- }))
- nullable = false
- validation {
- condition = anytrue([
- for k, v in var.environments : v.is_default == true
- ])
- error_message = "At least one environment should be marked as default."
- }
-}
-
variable "folder_ids" {
# tfdoc:variable:source 1-resman
description = "Folder name => id mappings, the 'security' folder name must exist."
diff --git a/fast/stages/2-security-legacy/variables.tf b/fast/stages/2-security-legacy/variables.tf
index d2b9aaa69..497767236 100644
--- a/fast/stages/2-security-legacy/variables.tf
+++ b/fast/stages/2-security-legacy/variables.tf
@@ -95,6 +95,37 @@ variable "certificate_authorities" {
default = {}
}
+variable "environments" {
+ # tfdoc:variable:source 0-globals
+ description = "Environment names."
+ type = map(object({
+ name = string
+ short_name = string
+ tag_name = string
+ is_default = optional(bool, false)
+ }))
+ nullable = false
+ default = {
+ dev = {
+ name = "Development"
+ short_name = "dev"
+ tag_name = "development"
+ }
+ prod = {
+ name = "Production"
+ short_name = "prod"
+ tag_name = "production"
+ is_default = true
+ }
+ }
+ validation {
+ condition = anytrue([
+ for k, v in var.environments : v.is_default == true
+ ])
+ error_message = "At least one environment should be marked as default."
+ }
+}
+
variable "essential_contacts" {
description = "Email used for essential contacts, unset if null."
type = string
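Review bot: The validation block in the new `environments` variable only checks that at least one environment has `is_default = true`, so a map where both `dev` and `prod` are marked default passes even though downstream code presumably expects a single default environment; tightening it to `condition = length([for k, v in var.environments : k if v.is_default]) == 1` with `error_message = "Exactly one environment should be marked as default."` would catch that at plan time. Moving the variable out of `variables-fast.tf` and giving it a `dev`/`prod` default also means the stage no longer fails when the 0-globals output is not wired in, it silently plans against the built-in environments instead; if that is intended, the `description` should say so, e.g. `description = "Environment names. Defaults to dev and prod when not provided by the 0-globals stage."`. The `# tfdoc:variable:source 0-globals` annotation is kept on a variable that now has a default, which may be the intended way to show it in the README's producer column, but it is worth confirming that tfdoc handles a sourced variable with a default consistently.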
diff --git a/fast/stages/2-security/fast_version.txt b/fast/stages/2-security/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/2-security/fast_version.txt
+++ b/fast/stages/2-security/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/3-data-platform-dev/fast_version.txt b/fast/stages/3-data-platform-dev/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/3-data-platform-dev/fast_version.txt
+++ b/fast/stages/3-data-platform-dev/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/3-gcve-dev/fast_version.txt b/fast/stages/3-gcve-dev/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/3-gcve-dev/fast_version.txt
+++ b/fast/stages/3-gcve-dev/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/3-gke-dev/fast_version.txt b/fast/stages/3-gke-dev/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/3-gke-dev/fast_version.txt
+++ b/fast/stages/3-gke-dev/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/3-secops-dev/fast_version.txt b/fast/stages/3-secops-dev/fast_version.txt
index ba9053698..fd8f1b3e0 100644
--- a/fast/stages/3-secops-dev/fast_version.txt
+++ b/fast/stages/3-secops-dev/fast_version.txt
@@ -12,4 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# FAST release: v44.2.0
\ No newline at end of file
+# FAST release: v45.0.0
\ No newline at end of file
diff --git a/fast/stages/README.md b/fast/stages/README.md
index 46833a6ba..93de264ce 100644
--- a/fast/stages/README.md
+++ b/fast/stages/README.md
@@ -26,17 +26,6 @@ To destroy a previous FAST deployment follow the instructions detailed in [clean
- [Organization Setup](./0-org-setup/README.md)
This stage combines the legacy bootstrap and resource management stages described below, allowing easy configuration of all related resources via factories. Its flexibility supports any type of organizational design, while still supporting traditional FAST stages like VPC Service Controls, security, networking, and any stage 3.
-## Legacy Organization (0 and 1)
-
-These stages are deprecated and only kept in this release to allow updating modules to our latest changes. They will be dropped from the next release.
-
-- [Bootstrap](0-bootstrap-legacy/README.md)
- Enables critical organization-level functionality that depends on broad permissions. It has two primary purposes. The first is to bootstrap the resources needed for automation of this and the following stages (service accounts, GCS buckets). And secondly, it applies the minimum amount of configuration needed at the organization level to avoid the need of broad permissions later on, and to implement from the start critical auditing or security features like organization policies, sinks and exports.\
- Exports: automation variables, organization-level custom roles
-- [Resource Management](1-resman-legacy/README.md)
- Creates the base resource hierarchy (folders) and the automation resources that will be required later to delegate deployment of each part of the hierarchy to separate stages. This stage also configures resource management tags used in scoping specific IAM roles on the resource hierarchy.\
- Exports: folder ids, automation service account emails, tags
-
## VPC Service Controls (1)
- [VPC Service Controls](./1-vpcsc/README.md)
@@ -55,8 +44,6 @@ These stages are deprecated and only kept in this release to allow updating modu
Exports: host project ids and numbers, vpc self links
- [Project Factory](./2-project-factory/)
YAML-based factory to create and configure application or team-level projects. Configuration includes VPC-level settings for Shared VPC, service-level configuration for CMEK encryption via centralized keys, and service account creation for workloads and applications. This stage can be cloned if an org-wide or dedicated per-environment factories are needed.
-- [Legacy Project Factory](./2-project-factory-legacy/)
- More limited version of the project factory, that can be used for backward compatibility. Will be dropped in the next major release.
## Environment-level resources (3)
diff --git a/fast/stages/UPGRADING.md b/fast/stages/UPGRADING.md
index 39d1d92fa..8c7d6a739 100644
--- a/fast/stages/UPGRADING.md
+++ b/fast/stages/UPGRADING.md
@@ -10,79 +10,7 @@ As usual, consider this a guideline with no guarantees. Migrations between FAST
+> v44.0.0 and v45.0.0 deprecated several legacy stages, refer to those releases or branches for legacy upgrading instructions. Upgrades from legacy to current stages are not directly supported.
+
-- [v35.1.0 to v36.0.0](#v3510-to-v3600)
- - [Bootstrap stage](#bootstrap-stage)
- - [Resource Management stage](#resource-management-stage)
- - [Networking stages](#networking-stages)
- - [Security stage](#security-stage)
-- [v34.0.0 to v35.1.0](#v3400-to-v3510)
- - [Bootstrap stage](#bootstrap-stage)
- - [Resource management stage](#resource-management-stage)
- - [Networking](#networking)
-
-## v35.1.0 to v36.0.0
-
-### Bootstrap stage
-
-**Breaking changes:**
-
-- the `factories_config.org_policy` variable attribute has been renamed to `factories_config.org_policies`
-
-**Non-breaking changes:**
-
-- two new custom roles have been added: `gcveNetworkViewer` and `projectIAMViewer`
-- organization policies for the IaC project have been moved to a factory, default policies are in `data/org-policies-iac`
-- new `compute.setNewProjectDefaultToZonalDNSOnly` organization policy constraint has been added to mirror default configuration on new organizations
-
-### Resource Management stage
-
-The Resource Management stage has been largely refactored, adopting factories to simplify the creation of multiple environments and the creation and deployment of new "Stage 3" stages. Before upgrading it's highly recommended to familiarize yourself with the documentation, to assess whether your specific configurations need to be migrated to the new variables.
-
-The [file containing moved blocks](./1-resman-legacy/moved/v35.1.0-v36.0.0.tf) for this release can be used to preserve most of the important resources which changed from the previous release. Just link it in the stage and plan/apply to see the remaining changes.
-
-The moved blocks are not exhaustive and do not include resources that can be dropped and recreated with limited impact like IAM and tag bindings. As usual, proceed with care as we provide no guarantee, just a starting point.
-
-Given the amount of resource changes at the IAM level, we suggest applying twice in a row to make sure there are no inconsistencies left in IAM policies.
-
-**Breaking changes:**
-
-- variables controlling stage 2s and 3s have changed and are now explicit, check their configuration to make sure it matches your current layout
- - the `fast_features` variable has been removed
- - the `fast_stage_2` and `fast_stage_2` variables control now control stage activation and configuration
-- a new factory has been added for stage 3s, with an initial default configuration that matches enabling everything in the old fast features variable
-- the "Data Platform" stage 3 has been removed in preparation of a completely revised state, any associated resource (service accounts, folders, buckets, etc.) will be destroyed
-- billing IAM bindings will be destroyed and recreated as they are now driven by a loop and their names have changed
-- GCVE network IAM bindings will be destroyed and recreated as they are now segregated by environment
-
-**Non-breaking changes:**
-
-- GCS and local output files will be recreated
-
-### Networking stages
-
-IAM bindings for stage 3 service accounts change and will be dropped and recreated.
-
-### Security stage
-
-IAM bindings for stage 3 service accounts change and will be dropped and recreated.
-
-## v34.0.0 to v35.1.0
-
-### Bootstrap stage
-
-**Non-breaking changes:**
-
-- new `essentialcontacts.allowedContactDomains` organization policy constraint and `org-policies/allowed-essential-contacts-domains-all` tag; if the policy already exists in your organization, import it via state or delete it using `gcloud org-policy delete essentialcontacts.allowedContactDomains --organization ORGANIZATION_ID`
-
-### Resource management stage
-
-**Non-breaking changes:**
-
-- output files update
-- resource attribute updates following provider version change
-
-### Networking
-
-- additional DNS response policy for the `gke.goog` domain
diff --git a/modules/__experimental_deprecated/alloydb-instance/versions.tf b/modules/__experimental_deprecated/alloydb-instance/versions.tf
index 4ceb87e6a..ad7d522a5 100644
--- a/modules/__experimental_deprecated/alloydb-instance/versions.tf
+++ b/modules/__experimental_deprecated/alloydb-instance/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/alloydb-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/alloydb-instance:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/alloydb-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/alloydb-instance:v45.0.0-tf"
}
}
diff --git a/modules/__experimental_deprecated/alloydb-instance/versions.tofu b/modules/__experimental_deprecated/alloydb-instance/versions.tofu
index 9827f6387..3ebd4ff8c 100644
--- a/modules/__experimental_deprecated/alloydb-instance/versions.tofu
+++ b/modules/__experimental_deprecated/alloydb-instance/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/alloydb-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/alloydb-instance:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/alloydb-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/alloydb-instance:v45.0.0-tofu"
}
}
diff --git a/modules/__experimental_deprecated/net-neg/versions.tf b/modules/__experimental_deprecated/net-neg/versions.tf
index e85620c79..773a10ea4 100644
--- a/modules/__experimental_deprecated/net-neg/versions.tf
+++ b/modules/__experimental_deprecated/net-neg/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/net-neg:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/net-neg:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/net-neg:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/net-neg:v45.0.0-tf"
}
}
diff --git a/modules/__experimental_deprecated/net-neg/versions.tofu b/modules/__experimental_deprecated/net-neg/versions.tofu
index 10ef4abb5..e8b2b241f 100644
--- a/modules/__experimental_deprecated/net-neg/versions.tofu
+++ b/modules/__experimental_deprecated/net-neg/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/net-neg:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/net-neg:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/net-neg:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/net-neg:v45.0.0-tofu"
}
}
diff --git a/modules/__experimental_deprecated/project-iam-magic/versions.tf b/modules/__experimental_deprecated/project-iam-magic/versions.tf
index e4a1c40ed..f3a21eeea 100644
--- a/modules/__experimental_deprecated/project-iam-magic/versions.tf
+++ b/modules/__experimental_deprecated/project-iam-magic/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/project-iam-magic:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/project-iam-magic:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/project-iam-magic:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/project-iam-magic:v45.0.0-tf"
}
}
diff --git a/modules/__experimental_deprecated/project-iam-magic/versions.tofu b/modules/__experimental_deprecated/project-iam-magic/versions.tofu
index c626a9518..50406f35d 100644
--- a/modules/__experimental_deprecated/project-iam-magic/versions.tofu
+++ b/modules/__experimental_deprecated/project-iam-magic/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/project-iam-magic:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/project-iam-magic:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/project-iam-magic:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/__experimental_deprecated/project-iam-magic:v45.0.0-tofu"
}
}
diff --git a/modules/ai-applications/versions.tf b/modules/ai-applications/versions.tf
index a3d170437..b5199d0ac 100644
--- a/modules/ai-applications/versions.tf
+++ b/modules/ai-applications/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/ai-applications:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/ai-applications:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/ai-applications:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/ai-applications:v45.0.0-tf"
}
}
diff --git a/modules/ai-applications/versions.tofu b/modules/ai-applications/versions.tofu
index 514792565..fb217a7f5 100644
--- a/modules/ai-applications/versions.tofu
+++ b/modules/ai-applications/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/ai-applications:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/ai-applications:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/ai-applications:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/ai-applications:v45.0.0-tofu"
}
}
diff --git a/modules/alloydb/versions.tf b/modules/alloydb/versions.tf
index 2b4d8538d..c4c4637c0 100644
--- a/modules/alloydb/versions.tf
+++ b/modules/alloydb/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/alloydb:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/alloydb:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/alloydb:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/alloydb:v45.0.0-tf"
}
}
diff --git a/modules/alloydb/versions.tofu b/modules/alloydb/versions.tofu
index 0a4667b72..127796c64 100644
--- a/modules/alloydb/versions.tofu
+++ b/modules/alloydb/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/alloydb:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/alloydb:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/alloydb:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/alloydb:v45.0.0-tofu"
}
}
diff --git a/modules/analytics-hub/versions.tf b/modules/analytics-hub/versions.tf
index 131624559..4f5c47105 100644
--- a/modules/analytics-hub/versions.tf
+++ b/modules/analytics-hub/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/analytics-hub:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/analytics-hub:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/analytics-hub:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/analytics-hub:v45.0.0-tf"
}
}
diff --git a/modules/analytics-hub/versions.tofu b/modules/analytics-hub/versions.tofu
index c078b987b..31da0e6dc 100644
--- a/modules/analytics-hub/versions.tofu
+++ b/modules/analytics-hub/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/analytics-hub:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/analytics-hub:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/analytics-hub:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/analytics-hub:v45.0.0-tofu"
}
}
diff --git a/modules/api-gateway/versions.tf b/modules/api-gateway/versions.tf
index 7edbf6d89..746092cf9 100644
--- a/modules/api-gateway/versions.tf
+++ b/modules/api-gateway/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/api-gateway:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/api-gateway:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/api-gateway:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/api-gateway:v45.0.0-tf"
}
}
diff --git a/modules/api-gateway/versions.tofu b/modules/api-gateway/versions.tofu
index f14edea41..b945a3285 100644
--- a/modules/api-gateway/versions.tofu
+++ b/modules/api-gateway/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/api-gateway:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/api-gateway:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/api-gateway:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/api-gateway:v45.0.0-tofu"
}
}
diff --git a/modules/apigee/versions.tf b/modules/apigee/versions.tf
index 73db3aa48..8195a5b1c 100644
--- a/modules/apigee/versions.tf
+++ b/modules/apigee/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/apigee:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/apigee:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/apigee:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/apigee:v45.0.0-tf"
}
}
diff --git a/modules/apigee/versions.tofu b/modules/apigee/versions.tofu
index 54b80d6a8..07e90517e 100644
--- a/modules/apigee/versions.tofu
+++ b/modules/apigee/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/apigee:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/apigee:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/apigee:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/apigee:v45.0.0-tofu"
}
}
diff --git a/modules/artifact-registry/versions.tf b/modules/artifact-registry/versions.tf
index 961d442af..d19a20c91 100644
--- a/modules/artifact-registry/versions.tf
+++ b/modules/artifact-registry/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/artifact-registry:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/artifact-registry:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/artifact-registry:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/artifact-registry:v45.0.0-tf"
}
}
diff --git a/modules/artifact-registry/versions.tofu b/modules/artifact-registry/versions.tofu
index 01b55af7f..3eec4aef3 100644
--- a/modules/artifact-registry/versions.tofu
+++ b/modules/artifact-registry/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/artifact-registry:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/artifact-registry:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/artifact-registry:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/artifact-registry:v45.0.0-tofu"
}
}
diff --git a/modules/bigquery-dataset/versions.tf b/modules/bigquery-dataset/versions.tf
index 144e6fc91..45348af2a 100644
--- a/modules/bigquery-dataset/versions.tf
+++ b/modules/bigquery-dataset/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigquery-dataset:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigquery-dataset:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigquery-dataset:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigquery-dataset:v45.0.0-tf"
}
}
diff --git a/modules/bigquery-dataset/versions.tofu b/modules/bigquery-dataset/versions.tofu
index e6d85d7d1..2935819ae 100644
--- a/modules/bigquery-dataset/versions.tofu
+++ b/modules/bigquery-dataset/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigquery-dataset:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigquery-dataset:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigquery-dataset:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigquery-dataset:v45.0.0-tofu"
}
}
diff --git a/modules/bigtable-instance/versions.tf b/modules/bigtable-instance/versions.tf
index ffabf29ba..223edc08e 100644
--- a/modules/bigtable-instance/versions.tf
+++ b/modules/bigtable-instance/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigtable-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigtable-instance:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigtable-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigtable-instance:v45.0.0-tf"
}
}
diff --git a/modules/bigtable-instance/versions.tofu b/modules/bigtable-instance/versions.tofu
index 953021869..ffa52be3d 100644
--- a/modules/bigtable-instance/versions.tofu
+++ b/modules/bigtable-instance/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigtable-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigtable-instance:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigtable-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/bigtable-instance:v45.0.0-tofu"
}
}
diff --git a/modules/billing-account/versions.tf b/modules/billing-account/versions.tf
index ca5879681..898feea23 100644
--- a/modules/billing-account/versions.tf
+++ b/modules/billing-account/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/billing-account:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/billing-account:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/billing-account:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/billing-account:v45.0.0-tf"
}
}
diff --git a/modules/billing-account/versions.tofu b/modules/billing-account/versions.tofu
index 1a0ebbca1..3ae5bcd46 100644
--- a/modules/billing-account/versions.tofu
+++ b/modules/billing-account/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/billing-account:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/billing-account:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/billing-account:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/billing-account:v45.0.0-tofu"
}
}
diff --git a/modules/binauthz/versions.tf b/modules/binauthz/versions.tf
index 4db3fbbba..0d3789655 100644
--- a/modules/binauthz/versions.tf
+++ b/modules/binauthz/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/binauthz:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/binauthz:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/binauthz:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/binauthz:v45.0.0-tf"
}
}
diff --git a/modules/binauthz/versions.tofu b/modules/binauthz/versions.tofu
index 98fa5ad57..7c016fb16 100644
--- a/modules/binauthz/versions.tofu
+++ b/modules/binauthz/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/binauthz:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/binauthz:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/binauthz:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/binauthz:v45.0.0-tofu"
}
}
diff --git a/modules/certificate-authority-service/versions.tf b/modules/certificate-authority-service/versions.tf
index db9ab10d1..70bd3a469 100644
--- a/modules/certificate-authority-service/versions.tf
+++ b/modules/certificate-authority-service/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-authority-service:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-authority-service:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-authority-service:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-authority-service:v45.0.0-tf"
}
}
diff --git a/modules/certificate-authority-service/versions.tofu b/modules/certificate-authority-service/versions.tofu
index b8e3a0cca..66a57c8a4 100644
--- a/modules/certificate-authority-service/versions.tofu
+++ b/modules/certificate-authority-service/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-authority-service:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-authority-service:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-authority-service:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-authority-service:v45.0.0-tofu"
}
}
diff --git a/modules/certificate-manager/versions.tf b/modules/certificate-manager/versions.tf
index 2a2924352..d63932340 100644
--- a/modules/certificate-manager/versions.tf
+++ b/modules/certificate-manager/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v45.0.0-tf"
}
}
diff --git a/modules/certificate-manager/versions.tofu b/modules/certificate-manager/versions.tofu
index a1fe30386..810dc1afa 100644
--- a/modules/certificate-manager/versions.tofu
+++ b/modules/certificate-manager/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/__need_fixing/onprem/versions.tf b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
index f5df44f3a..ccb7ddfb3 100644
--- a/modules/cloud-config-container/__need_fixing/onprem/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/onprem:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/onprem:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/onprem:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/onprem:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/__need_fixing/onprem/versions.tofu b/modules/cloud-config-container/__need_fixing/onprem/versions.tofu
index 5cc80d5cc..eebad60a1 100644
--- a/modules/cloud-config-container/__need_fixing/onprem/versions.tofu
+++ b/modules/cloud-config-container/__need_fixing/onprem/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/onprem:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/onprem:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/onprem:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/onprem:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/__need_fixing/squid/versions.tf b/modules/cloud-config-container/__need_fixing/squid/versions.tf
index ba008bbd3..6a2945275 100644
--- a/modules/cloud-config-container/__need_fixing/squid/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/squid/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/squid:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/squid:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/squid:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/squid:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/__need_fixing/squid/versions.tofu b/modules/cloud-config-container/__need_fixing/squid/versions.tofu
index 68550159d..e8ac4a791 100644
--- a/modules/cloud-config-container/__need_fixing/squid/versions.tofu
+++ b/modules/cloud-config-container/__need_fixing/squid/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/squid:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/squid:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/squid:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/__need_fixing/squid:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/bindplane/versions.tf b/modules/cloud-config-container/bindplane/versions.tf
index e36624c68..e129456ec 100644
--- a/modules/cloud-config-container/bindplane/versions.tf
+++ b/modules/cloud-config-container/bindplane/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/bindplane:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/bindplane:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/bindplane:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/bindplane:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/bindplane/versions.tofu b/modules/cloud-config-container/bindplane/versions.tofu
index b8f137388..f1ef30dfa 100644
--- a/modules/cloud-config-container/bindplane/versions.tofu
+++ b/modules/cloud-config-container/bindplane/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/bindplane:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/bindplane:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/bindplane:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/bindplane:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/coredns/versions.tf b/modules/cloud-config-container/coredns/versions.tf
index 00aff3c59..b818ef2a9 100644
--- a/modules/cloud-config-container/coredns/versions.tf
+++ b/modules/cloud-config-container/coredns/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/coredns:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/coredns:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/coredns:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/coredns:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/coredns/versions.tofu b/modules/cloud-config-container/coredns/versions.tofu
index 10d93473f..1faee840b 100644
--- a/modules/cloud-config-container/coredns/versions.tofu
+++ b/modules/cloud-config-container/coredns/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/coredns:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/coredns:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/coredns:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/coredns:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/cos-generic-metadata/versions.tf b/modules/cloud-config-container/cos-generic-metadata/versions.tf
index c94608dd9..65d2a36ad 100644
--- a/modules/cloud-config-container/cos-generic-metadata/versions.tf
+++ b/modules/cloud-config-container/cos-generic-metadata/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/cos-generic-metadata:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/cos-generic-metadata:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/cos-generic-metadata:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/cos-generic-metadata:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/cos-generic-metadata/versions.tofu b/modules/cloud-config-container/cos-generic-metadata/versions.tofu
index 2309f880d..a505ce421 100644
--- a/modules/cloud-config-container/cos-generic-metadata/versions.tofu
+++ b/modules/cloud-config-container/cos-generic-metadata/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/cos-generic-metadata:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/cos-generic-metadata:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/cos-generic-metadata:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/cos-generic-metadata:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
index 7ae6e24b8..aa0072a38 100644
--- a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tofu b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tofu
index 1fbc95015..680d54340 100644
--- a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tofu
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/envoy-traffic-director/versions.tf b/modules/cloud-config-container/envoy-traffic-director/versions.tf
index 5d2117768..91a98d2ae 100644
--- a/modules/cloud-config-container/envoy-traffic-director/versions.tf
+++ b/modules/cloud-config-container/envoy-traffic-director/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-traffic-director:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-traffic-director:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-traffic-director:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-traffic-director:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/envoy-traffic-director/versions.tofu b/modules/cloud-config-container/envoy-traffic-director/versions.tofu
index d543125a3..5af65d06b 100644
--- a/modules/cloud-config-container/envoy-traffic-director/versions.tofu
+++ b/modules/cloud-config-container/envoy-traffic-director/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-traffic-director:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-traffic-director:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-traffic-director:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/envoy-traffic-director:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/mysql/versions.tf b/modules/cloud-config-container/mysql/versions.tf
index 7334b545e..b1ee1a5a9 100644
--- a/modules/cloud-config-container/mysql/versions.tf
+++ b/modules/cloud-config-container/mysql/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/mysql:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/mysql:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/mysql:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/mysql:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/mysql/versions.tofu b/modules/cloud-config-container/mysql/versions.tofu
index 7bd056891..d3a6bb8af 100644
--- a/modules/cloud-config-container/mysql/versions.tofu
+++ b/modules/cloud-config-container/mysql/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/mysql:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/mysql:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/mysql:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/mysql:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/nginx-tls/versions.tf b/modules/cloud-config-container/nginx-tls/versions.tf
index 41df56782..587d1b228 100644
--- a/modules/cloud-config-container/nginx-tls/versions.tf
+++ b/modules/cloud-config-container/nginx-tls/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx-tls:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx-tls:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx-tls:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx-tls:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/nginx-tls/versions.tofu b/modules/cloud-config-container/nginx-tls/versions.tofu
index aa06b7830..76dde2fde 100644
--- a/modules/cloud-config-container/nginx-tls/versions.tofu
+++ b/modules/cloud-config-container/nginx-tls/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx-tls:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx-tls:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx-tls:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx-tls:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/nginx/versions.tf b/modules/cloud-config-container/nginx/versions.tf
index 4cdfb9c89..beb899157 100644
--- a/modules/cloud-config-container/nginx/versions.tf
+++ b/modules/cloud-config-container/nginx/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/nginx/versions.tofu b/modules/cloud-config-container/nginx/versions.tofu
index c7b903fa8..5acd1591d 100644
--- a/modules/cloud-config-container/nginx/versions.tofu
+++ b/modules/cloud-config-container/nginx/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/nginx:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-config-container/simple-nva/versions.tf b/modules/cloud-config-container/simple-nva/versions.tf
index 466d33736..88c9537da 100644
--- a/modules/cloud-config-container/simple-nva/versions.tf
+++ b/modules/cloud-config-container/simple-nva/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/simple-nva:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/simple-nva:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/simple-nva:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/simple-nva:v45.0.0-tf"
}
}
diff --git a/modules/cloud-config-container/simple-nva/versions.tofu b/modules/cloud-config-container/simple-nva/versions.tofu
index ae5682877..eca53a0a6 100644
--- a/modules/cloud-config-container/simple-nva/versions.tofu
+++ b/modules/cloud-config-container/simple-nva/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/simple-nva:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/simple-nva:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/simple-nva:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-config-container/simple-nva:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-deploy/versions.tf b/modules/cloud-deploy/versions.tf
index 34501a3a6..79f09c0bb 100644
--- a/modules/cloud-deploy/versions.tf
+++ b/modules/cloud-deploy/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v45.0.0-tf"
}
}
diff --git a/modules/cloud-deploy/versions.tofu b/modules/cloud-deploy/versions.tofu
index 27b2a08f7..72972b10c 100644
--- a/modules/cloud-deploy/versions.tofu
+++ b/modules/cloud-deploy/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-function-v1/versions.tf b/modules/cloud-function-v1/versions.tf
index 6a268f5fd..7877feb72 100644
--- a/modules/cloud-function-v1/versions.tf
+++ b/modules/cloud-function-v1/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v1:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v1:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v1:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v1:v45.0.0-tf"
}
}
diff --git a/modules/cloud-function-v1/versions.tofu b/modules/cloud-function-v1/versions.tofu
index 3149b0b39..988ae90e9 100644
--- a/modules/cloud-function-v1/versions.tofu
+++ b/modules/cloud-function-v1/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v1:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v1:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v1:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v1:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-function-v2/versions.tf b/modules/cloud-function-v2/versions.tf
index ebf24e909..beda65cfe 100644
--- a/modules/cloud-function-v2/versions.tf
+++ b/modules/cloud-function-v2/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v2:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v2:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v2:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v2:v45.0.0-tf"
}
}
diff --git a/modules/cloud-function-v2/versions.tofu b/modules/cloud-function-v2/versions.tofu
index b1a637457..6efe867b0 100644
--- a/modules/cloud-function-v2/versions.tofu
+++ b/modules/cloud-function-v2/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v2:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v2:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v2:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-function-v2:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-identity-group/versions.tf b/modules/cloud-identity-group/versions.tf
index 81cbacdea..a7ba1ba00 100644
--- a/modules/cloud-identity-group/versions.tf
+++ b/modules/cloud-identity-group/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-identity-group:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-identity-group:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-identity-group:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-identity-group:v45.0.0-tf"
}
}
diff --git a/modules/cloud-identity-group/versions.tofu b/modules/cloud-identity-group/versions.tofu
index 5ca10c0c9..8a0fa9410 100644
--- a/modules/cloud-identity-group/versions.tofu
+++ b/modules/cloud-identity-group/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-identity-group:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-identity-group:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-identity-group:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-identity-group:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-run-v2/versions.tf b/modules/cloud-run-v2/versions.tf
index a603d7315..54c37e798 100644
--- a/modules/cloud-run-v2/versions.tf
+++ b/modules/cloud-run-v2/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run-v2:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run-v2:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run-v2:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run-v2:v45.0.0-tf"
}
}
diff --git a/modules/cloud-run-v2/versions.tofu b/modules/cloud-run-v2/versions.tofu
index e94173537..38d5a3af7 100644
--- a/modules/cloud-run-v2/versions.tofu
+++ b/modules/cloud-run-v2/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run-v2:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run-v2:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run-v2:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run-v2:v45.0.0-tofu"
}
}
diff --git a/modules/cloud-run/versions.tf b/modules/cloud-run/versions.tf
index dfbdb865e..8d65ab5f6 100644
--- a/modules/cloud-run/versions.tf
+++ b/modules/cloud-run/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run:v45.0.0-tf"
}
}
diff --git a/modules/cloud-run/versions.tofu b/modules/cloud-run/versions.tofu
index 68029ccb7..0da31022e 100644
--- a/modules/cloud-run/versions.tofu
+++ b/modules/cloud-run/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-run:v45.0.0-tofu"
}
}
diff --git a/modules/cloudsql-instance/versions.tf b/modules/cloudsql-instance/versions.tf
index 19bba7984..bd601b133 100644
--- a/modules/cloudsql-instance/versions.tf
+++ b/modules/cloudsql-instance/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloudsql-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloudsql-instance:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloudsql-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloudsql-instance:v45.0.0-tf"
}
}
diff --git a/modules/cloudsql-instance/versions.tofu b/modules/cloudsql-instance/versions.tofu
index ed1281c8c..506b04c05 100644
--- a/modules/cloudsql-instance/versions.tofu
+++ b/modules/cloudsql-instance/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloudsql-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloudsql-instance:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloudsql-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloudsql-instance:v45.0.0-tofu"
}
}
diff --git a/modules/compute-mig/versions.tf b/modules/compute-mig/versions.tf
index bd97c54a1..488cf17bf 100644
--- a/modules/compute-mig/versions.tf
+++ b/modules/compute-mig/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-mig:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-mig:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-mig:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-mig:v45.0.0-tf"
}
}
diff --git a/modules/compute-mig/versions.tofu b/modules/compute-mig/versions.tofu
index b5fdd3da6..02c706dd4 100644
--- a/modules/compute-mig/versions.tofu
+++ b/modules/compute-mig/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-mig:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-mig:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-mig:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-mig:v45.0.0-tofu"
}
}
diff --git a/modules/compute-vm/versions.tf b/modules/compute-vm/versions.tf
index 192c2902a..be138e3d6 100644
--- a/modules/compute-vm/versions.tf
+++ b/modules/compute-vm/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-vm:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-vm:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-vm:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-vm:v45.0.0-tf"
}
}
diff --git a/modules/compute-vm/versions.tofu b/modules/compute-vm/versions.tofu
index 7f8b96f42..f0bc0499c 100644
--- a/modules/compute-vm/versions.tofu
+++ b/modules/compute-vm/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-vm:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-vm:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-vm:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/compute-vm:v45.0.0-tofu"
}
}
diff --git a/modules/container-registry/versions.tf b/modules/container-registry/versions.tf
index 83af473ec..65d0de698 100644
--- a/modules/container-registry/versions.tf
+++ b/modules/container-registry/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/container-registry:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/container-registry:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/container-registry:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/container-registry:v45.0.0-tf"
}
}
diff --git a/modules/container-registry/versions.tofu b/modules/container-registry/versions.tofu
index 5a5e37970..7e7fb1832 100644
--- a/modules/container-registry/versions.tofu
+++ b/modules/container-registry/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/container-registry:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/container-registry:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/container-registry:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/container-registry:v45.0.0-tofu"
}
}
diff --git a/modules/data-catalog-policy-tag/versions.tf b/modules/data-catalog-policy-tag/versions.tf
index 35755d4c8..e647519bd 100644
--- a/modules/data-catalog-policy-tag/versions.tf
+++ b/modules/data-catalog-policy-tag/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-policy-tag:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-policy-tag:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-policy-tag:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-policy-tag:v45.0.0-tf"
}
}
diff --git a/modules/data-catalog-policy-tag/versions.tofu b/modules/data-catalog-policy-tag/versions.tofu
index 7d16bbc13..ba3a1c994 100644
--- a/modules/data-catalog-policy-tag/versions.tofu
+++ b/modules/data-catalog-policy-tag/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-policy-tag:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-policy-tag:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-policy-tag:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-policy-tag:v45.0.0-tofu"
}
}
diff --git a/modules/data-catalog-tag-template/versions.tf b/modules/data-catalog-tag-template/versions.tf
index ab2277e92..4901b4290 100644
--- a/modules/data-catalog-tag-template/versions.tf
+++ b/modules/data-catalog-tag-template/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag-template:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag-template:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag-template:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag-template:v45.0.0-tf"
}
}
diff --git a/modules/data-catalog-tag-template/versions.tofu b/modules/data-catalog-tag-template/versions.tofu
index 570af749a..fa0d4091a 100644
--- a/modules/data-catalog-tag-template/versions.tofu
+++ b/modules/data-catalog-tag-template/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag-template:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag-template:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag-template:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag-template:v45.0.0-tofu"
}
}
diff --git a/modules/data-catalog-tag/versions.tf b/modules/data-catalog-tag/versions.tf
index 25e7d196e..98d150fcb 100644
--- a/modules/data-catalog-tag/versions.tf
+++ b/modules/data-catalog-tag/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag:v45.0.0-tf"
}
}
diff --git a/modules/data-catalog-tag/versions.tofu b/modules/data-catalog-tag/versions.tofu
index a4a088b96..89c97c452 100644
--- a/modules/data-catalog-tag/versions.tofu
+++ b/modules/data-catalog-tag/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/data-catalog-tag:v45.0.0-tofu"
}
}
diff --git a/modules/dataform-repository/versions.tf b/modules/dataform-repository/versions.tf
index f4c3ad7f4..0f4ab1675 100644
--- a/modules/dataform-repository/versions.tf
+++ b/modules/dataform-repository/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataform-repository:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataform-repository:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataform-repository:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataform-repository:v45.0.0-tf"
}
}
diff --git a/modules/dataform-repository/versions.tofu b/modules/dataform-repository/versions.tofu
index f169c88b8..9b5266db4 100644
--- a/modules/dataform-repository/versions.tofu
+++ b/modules/dataform-repository/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataform-repository:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataform-repository:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataform-repository:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataform-repository:v45.0.0-tofu"
}
}
diff --git a/modules/datafusion/versions.tf b/modules/datafusion/versions.tf
index 82a1f9c3e..9545b71df 100644
--- a/modules/datafusion/versions.tf
+++ b/modules/datafusion/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/datafusion:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/datafusion:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/datafusion:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/datafusion:v45.0.0-tf"
}
}
diff --git a/modules/datafusion/versions.tofu b/modules/datafusion/versions.tofu
index b73dedb97..44d57b219 100644
--- a/modules/datafusion/versions.tofu
+++ b/modules/datafusion/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/datafusion:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/datafusion:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/datafusion:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/datafusion:v45.0.0-tofu"
}
}
diff --git a/modules/dataplex-aspect-types/versions.tf b/modules/dataplex-aspect-types/versions.tf
index 3805b5b07..874319dbc 100644
--- a/modules/dataplex-aspect-types/versions.tf
+++ b/modules/dataplex-aspect-types/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-aspect-types:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-aspect-types:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-aspect-types:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-aspect-types:v45.0.0-tf"
}
}
diff --git a/modules/dataplex-aspect-types/versions.tofu b/modules/dataplex-aspect-types/versions.tofu
index 79bb4e03c..727294e8b 100644
--- a/modules/dataplex-aspect-types/versions.tofu
+++ b/modules/dataplex-aspect-types/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-aspect-types:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-aspect-types:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-aspect-types:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-aspect-types:v45.0.0-tofu"
}
}
diff --git a/modules/dataplex-datascan/versions.tf b/modules/dataplex-datascan/versions.tf
index fc9d0d3bd..3d099be50 100644
--- a/modules/dataplex-datascan/versions.tf
+++ b/modules/dataplex-datascan/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-datascan:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-datascan:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-datascan:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-datascan:v45.0.0-tf"
}
}
diff --git a/modules/dataplex-datascan/versions.tofu b/modules/dataplex-datascan/versions.tofu
index 7fa611179..9109e941e 100644
--- a/modules/dataplex-datascan/versions.tofu
+++ b/modules/dataplex-datascan/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-datascan:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-datascan:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-datascan:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex-datascan:v45.0.0-tofu"
}
}
diff --git a/modules/dataplex/versions.tf b/modules/dataplex/versions.tf
index e21ea6739..f1d12162d 100644
--- a/modules/dataplex/versions.tf
+++ b/modules/dataplex/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex:v45.0.0-tf"
}
}
diff --git a/modules/dataplex/versions.tofu b/modules/dataplex/versions.tofu
index b78901abc..c195242d9 100644
--- a/modules/dataplex/versions.tofu
+++ b/modules/dataplex/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataplex:v45.0.0-tofu"
}
}
diff --git a/modules/dataproc/versions.tf b/modules/dataproc/versions.tf
index cbe84e1d0..93400d5ea 100644
--- a/modules/dataproc/versions.tf
+++ b/modules/dataproc/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataproc:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataproc:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataproc:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataproc:v45.0.0-tf"
}
}
diff --git a/modules/dataproc/versions.tofu b/modules/dataproc/versions.tofu
index 3c13940a4..79812080e 100644
--- a/modules/dataproc/versions.tofu
+++ b/modules/dataproc/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataproc:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataproc:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataproc:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dataproc:v45.0.0-tofu"
}
}
diff --git a/modules/dns-response-policy/versions.tf b/modules/dns-response-policy/versions.tf
index ee9655159..409bb1736 100644
--- a/modules/dns-response-policy/versions.tf
+++ b/modules/dns-response-policy/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns-response-policy:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns-response-policy:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns-response-policy:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns-response-policy:v45.0.0-tf"
}
}
diff --git a/modules/dns-response-policy/versions.tofu b/modules/dns-response-policy/versions.tofu
index 5b4516b53..bd9661b60 100644
--- a/modules/dns-response-policy/versions.tofu
+++ b/modules/dns-response-policy/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns-response-policy:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns-response-policy:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns-response-policy:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns-response-policy:v45.0.0-tofu"
}
}
diff --git a/modules/dns/versions.tf b/modules/dns/versions.tf
index cd15efe6a..b8806792b 100644
--- a/modules/dns/versions.tf
+++ b/modules/dns/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns:v45.0.0-tf"
}
}
diff --git a/modules/dns/versions.tofu b/modules/dns/versions.tofu
index 0955d1b8f..afe2113ff 100644
--- a/modules/dns/versions.tofu
+++ b/modules/dns/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/dns:v45.0.0-tofu"
}
}
diff --git a/modules/endpoints/versions.tf b/modules/endpoints/versions.tf
index 13b0848b5..9435a696e 100644
--- a/modules/endpoints/versions.tf
+++ b/modules/endpoints/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/endpoints:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/endpoints:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/endpoints:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/endpoints:v45.0.0-tf"
}
}
diff --git a/modules/endpoints/versions.tofu b/modules/endpoints/versions.tofu
index 282dfc33f..0bf567ae3 100644
--- a/modules/endpoints/versions.tofu
+++ b/modules/endpoints/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/endpoints:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/endpoints:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/endpoints:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/endpoints:v45.0.0-tofu"
}
}
diff --git a/modules/firestore/versions.tf b/modules/firestore/versions.tf
index b5c05d7e9..9af18cbdb 100644
--- a/modules/firestore/versions.tf
+++ b/modules/firestore/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/firestore:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/firestore:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/firestore:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/firestore:v45.0.0-tf"
}
}
diff --git a/modules/firestore/versions.tofu b/modules/firestore/versions.tofu
index 12bf038d4..9a2936c2d 100644
--- a/modules/firestore/versions.tofu
+++ b/modules/firestore/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/firestore:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/firestore:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/firestore:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/firestore:v45.0.0-tofu"
}
}
diff --git a/modules/folder/versions.tf b/modules/folder/versions.tf
index 4e28fd2c3..e271dd660 100644
--- a/modules/folder/versions.tf
+++ b/modules/folder/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/folder:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/folder:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/folder:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/folder:v45.0.0-tf"
}
}
diff --git a/modules/folder/versions.tofu b/modules/folder/versions.tofu
index 58d1e229e..508e2a472 100644
--- a/modules/folder/versions.tofu
+++ b/modules/folder/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/folder:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/folder:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/folder:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/folder:v45.0.0-tofu"
}
}
diff --git a/modules/gcs/versions.tf b/modules/gcs/versions.tf
index af5c60a26..1255a739d 100644
--- a/modules/gcs/versions.tf
+++ b/modules/gcs/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcs:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcs:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcs:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcs:v45.0.0-tf"
}
}
diff --git a/modules/gcs/versions.tofu b/modules/gcs/versions.tofu
index aa1b2890f..1a1449b4a 100644
--- a/modules/gcs/versions.tofu
+++ b/modules/gcs/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcs:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcs:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcs:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcs:v45.0.0-tofu"
}
}
diff --git a/modules/gcve-private-cloud/versions.tf b/modules/gcve-private-cloud/versions.tf
index 6b5879d77..9eaeefc60 100644
--- a/modules/gcve-private-cloud/versions.tf
+++ b/modules/gcve-private-cloud/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcve-private-cloud:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcve-private-cloud:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcve-private-cloud:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcve-private-cloud:v45.0.0-tf"
}
}
diff --git a/modules/gcve-private-cloud/versions.tofu b/modules/gcve-private-cloud/versions.tofu
index ce0bdecbf..7a1814fce 100644
--- a/modules/gcve-private-cloud/versions.tofu
+++ b/modules/gcve-private-cloud/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcve-private-cloud:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcve-private-cloud:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcve-private-cloud:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gcve-private-cloud:v45.0.0-tofu"
}
}
diff --git a/modules/gke-cluster-autopilot/versions.tf b/modules/gke-cluster-autopilot/versions.tf
index 0a6279ad4..cc372c6b6 100644
--- a/modules/gke-cluster-autopilot/versions.tf
+++ b/modules/gke-cluster-autopilot/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-autopilot:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-autopilot:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-autopilot:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-autopilot:v45.0.0-tf"
}
}
diff --git a/modules/gke-cluster-autopilot/versions.tofu b/modules/gke-cluster-autopilot/versions.tofu
index 0c366fd87..76fb36cd2 100644
--- a/modules/gke-cluster-autopilot/versions.tofu
+++ b/modules/gke-cluster-autopilot/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-autopilot:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-autopilot:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-autopilot:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-autopilot:v45.0.0-tofu"
}
}
diff --git a/modules/gke-cluster-standard/versions.tf b/modules/gke-cluster-standard/versions.tf
index 32684f11a..5ef33db1e 100644
--- a/modules/gke-cluster-standard/versions.tf
+++ b/modules/gke-cluster-standard/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-standard:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-standard:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-standard:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-standard:v45.0.0-tf"
}
}
diff --git a/modules/gke-cluster-standard/versions.tofu b/modules/gke-cluster-standard/versions.tofu
index 159fc33d7..561f07f73 100644
--- a/modules/gke-cluster-standard/versions.tofu
+++ b/modules/gke-cluster-standard/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-standard:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-standard:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-standard:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-cluster-standard:v45.0.0-tofu"
}
}
diff --git a/modules/gke-hub/versions.tf b/modules/gke-hub/versions.tf
index 8fd0b22cd..90c9b3617 100644
--- a/modules/gke-hub/versions.tf
+++ b/modules/gke-hub/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-hub:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-hub:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-hub:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-hub:v45.0.0-tf"
}
}
diff --git a/modules/gke-hub/versions.tofu b/modules/gke-hub/versions.tofu
index 0d8aca807..05bbb9710 100644
--- a/modules/gke-hub/versions.tofu
+++ b/modules/gke-hub/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-hub:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-hub:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-hub:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-hub:v45.0.0-tofu"
}
}
diff --git a/modules/gke-nodepool/versions.tf b/modules/gke-nodepool/versions.tf
index 233eb107f..88e34648f 100644
--- a/modules/gke-nodepool/versions.tf
+++ b/modules/gke-nodepool/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-nodepool:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-nodepool:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-nodepool:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-nodepool:v45.0.0-tf"
}
}
diff --git a/modules/gke-nodepool/versions.tofu b/modules/gke-nodepool/versions.tofu
index 0b1cd89de..03e4dfe11 100644
--- a/modules/gke-nodepool/versions.tofu
+++ b/modules/gke-nodepool/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-nodepool:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-nodepool:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-nodepool:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/gke-nodepool:v45.0.0-tofu"
}
}
diff --git a/modules/iam-service-account/versions.tf b/modules/iam-service-account/versions.tf
index b26b777b8..ad968f046 100644
--- a/modules/iam-service-account/versions.tf
+++ b/modules/iam-service-account/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/iam-service-account:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/iam-service-account:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/iam-service-account:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/iam-service-account:v45.0.0-tf"
}
}
diff --git a/modules/iam-service-account/versions.tofu b/modules/iam-service-account/versions.tofu
index 0334f8250..58d22927a 100644
--- a/modules/iam-service-account/versions.tofu
+++ b/modules/iam-service-account/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/iam-service-account:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/iam-service-account:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/iam-service-account:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/iam-service-account:v45.0.0-tofu"
}
}
diff --git a/modules/kms/versions.tf b/modules/kms/versions.tf
index 7b72919ec..6c26bbcfb 100644
--- a/modules/kms/versions.tf
+++ b/modules/kms/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/kms:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/kms:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/kms:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/kms:v45.0.0-tf"
}
}
diff --git a/modules/kms/versions.tofu b/modules/kms/versions.tofu
index c7f2aaf66..41997b1d2 100644
--- a/modules/kms/versions.tofu
+++ b/modules/kms/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/kms:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/kms:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/kms:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/kms:v45.0.0-tofu"
}
}
diff --git a/modules/logging-bucket/versions.tf b/modules/logging-bucket/versions.tf
index d4d78590b..612c8f668 100644
--- a/modules/logging-bucket/versions.tf
+++ b/modules/logging-bucket/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/logging-bucket:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/logging-bucket:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/logging-bucket:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/logging-bucket:v45.0.0-tf"
}
}
diff --git a/modules/logging-bucket/versions.tofu b/modules/logging-bucket/versions.tofu
index 0473c5fb2..870f4df43 100644
--- a/modules/logging-bucket/versions.tofu
+++ b/modules/logging-bucket/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/logging-bucket:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/logging-bucket:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/logging-bucket:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/logging-bucket:v45.0.0-tofu"
}
}
diff --git a/modules/looker-core/versions.tf b/modules/looker-core/versions.tf
index bf09f3b51..910cef01b 100644
--- a/modules/looker-core/versions.tf
+++ b/modules/looker-core/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/looker-core:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/looker-core:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/looker-core:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/looker-core:v45.0.0-tf"
}
}
diff --git a/modules/looker-core/versions.tofu b/modules/looker-core/versions.tofu
index 8df1f19f9..04da4bde5 100644
--- a/modules/looker-core/versions.tofu
+++ b/modules/looker-core/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/looker-core:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/looker-core:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/looker-core:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/looker-core:v45.0.0-tofu"
}
}
diff --git a/modules/managed-kafka/versions.tf b/modules/managed-kafka/versions.tf
index db599aa4d..43d0c9145 100644
--- a/modules/managed-kafka/versions.tf
+++ b/modules/managed-kafka/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/managed-kafka:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/managed-kafka:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/managed-kafka:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/managed-kafka:v45.0.0-tf"
}
}
diff --git a/modules/managed-kafka/versions.tofu b/modules/managed-kafka/versions.tofu
index 3b69f6599..7596abbd6 100644
--- a/modules/managed-kafka/versions.tofu
+++ b/modules/managed-kafka/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/managed-kafka:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/managed-kafka:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/managed-kafka:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/managed-kafka:v45.0.0-tofu"
}
}
diff --git a/modules/ncc-spoke-ra/versions.tf b/modules/ncc-spoke-ra/versions.tf
index 5dd1cdc2f..ef6c858f0 100644
--- a/modules/ncc-spoke-ra/versions.tf
+++ b/modules/ncc-spoke-ra/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/ncc-spoke-ra:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/ncc-spoke-ra:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/ncc-spoke-ra:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/ncc-spoke-ra:v45.0.0-tf"
}
}
diff --git a/modules/ncc-spoke-ra/versions.tofu b/modules/ncc-spoke-ra/versions.tofu
index f48a9b2f9..6b46e396a 100644
--- a/modules/ncc-spoke-ra/versions.tofu
+++ b/modules/ncc-spoke-ra/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/ncc-spoke-ra:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/ncc-spoke-ra:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/ncc-spoke-ra:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/ncc-spoke-ra:v45.0.0-tofu"
}
}
diff --git a/modules/net-address/versions.tf b/modules/net-address/versions.tf
index fdfc85c76..46a3cf2ec 100644
--- a/modules/net-address/versions.tf
+++ b/modules/net-address/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-address:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-address:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-address:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-address:v45.0.0-tf"
}
}
diff --git a/modules/net-address/versions.tofu b/modules/net-address/versions.tofu
index 7022d480b..a1885bc49 100644
--- a/modules/net-address/versions.tofu
+++ b/modules/net-address/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-address:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-address:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-address:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-address:v45.0.0-tofu"
}
}
diff --git a/modules/net-cloudnat/versions.tf b/modules/net-cloudnat/versions.tf
index 7105ac661..d7b4fff48 100644
--- a/modules/net-cloudnat/versions.tf
+++ b/modules/net-cloudnat/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-cloudnat:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-cloudnat:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-cloudnat:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-cloudnat:v45.0.0-tf"
}
}
diff --git a/modules/net-cloudnat/versions.tofu b/modules/net-cloudnat/versions.tofu
index a923a16a3..c47c66706 100644
--- a/modules/net-cloudnat/versions.tofu
+++ b/modules/net-cloudnat/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-cloudnat:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-cloudnat:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-cloudnat:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-cloudnat:v45.0.0-tofu"
}
}
diff --git a/modules/net-firewall-policy/versions.tf b/modules/net-firewall-policy/versions.tf
index 5bd94c2db..b163c8ff0 100644
--- a/modules/net-firewall-policy/versions.tf
+++ b/modules/net-firewall-policy/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-firewall-policy:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-firewall-policy:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-firewall-policy:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-firewall-policy:v45.0.0-tf"
}
}
diff --git a/modules/net-firewall-policy/versions.tofu b/modules/net-firewall-policy/versions.tofu
index 92f4045b4..d19d99062 100644
--- a/modules/net-firewall-policy/versions.tofu
+++ b/modules/net-firewall-policy/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-firewall-policy:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-firewall-policy:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-firewall-policy:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-firewall-policy:v45.0.0-tofu"
}
}
diff --git a/modules/net-ipsec-over-interconnect/versions.tf b/modules/net-ipsec-over-interconnect/versions.tf
index 0a623c5c8..7adda27d1 100644
--- a/modules/net-ipsec-over-interconnect/versions.tf
+++ b/modules/net-ipsec-over-interconnect/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-ipsec-over-interconnect:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-ipsec-over-interconnect:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-ipsec-over-interconnect:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-ipsec-over-interconnect:v45.0.0-tf"
}
}
diff --git a/modules/net-ipsec-over-interconnect/versions.tofu b/modules/net-ipsec-over-interconnect/versions.tofu
index 9b9f5b9d2..80069fb95 100644
--- a/modules/net-ipsec-over-interconnect/versions.tofu
+++ b/modules/net-ipsec-over-interconnect/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-ipsec-over-interconnect:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-ipsec-over-interconnect:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-ipsec-over-interconnect:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-ipsec-over-interconnect:v45.0.0-tofu"
}
}
diff --git a/modules/net-lb-app-ext-regional/versions.tf b/modules/net-lb-app-ext-regional/versions.tf
index 25f4135a9..c6f64b6e1 100644
--- a/modules/net-lb-app-ext-regional/versions.tf
+++ b/modules/net-lb-app-ext-regional/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext-regional:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext-regional:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext-regional:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext-regional:v45.0.0-tf"
}
}
diff --git a/modules/net-lb-app-ext-regional/versions.tofu b/modules/net-lb-app-ext-regional/versions.tofu
index bffc0e976..0146cd09a 100644
--- a/modules/net-lb-app-ext-regional/versions.tofu
+++ b/modules/net-lb-app-ext-regional/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext-regional:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext-regional:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext-regional:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext-regional:v45.0.0-tofu"
}
}
diff --git a/modules/net-lb-app-ext/versions.tf b/modules/net-lb-app-ext/versions.tf
index 21dd6515f..438747691 100644
--- a/modules/net-lb-app-ext/versions.tf
+++ b/modules/net-lb-app-ext/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext:v45.0.0-tf"
}
}
diff --git a/modules/net-lb-app-ext/versions.tofu b/modules/net-lb-app-ext/versions.tofu
index f3a492b49..d024e7097 100644
--- a/modules/net-lb-app-ext/versions.tofu
+++ b/modules/net-lb-app-ext/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-ext:v45.0.0-tofu"
}
}
diff --git a/modules/net-lb-app-int-cross-region/versions.tf b/modules/net-lb-app-int-cross-region/versions.tf
index 8ea748269..e7cd8de2e 100644
--- a/modules/net-lb-app-int-cross-region/versions.tf
+++ b/modules/net-lb-app-int-cross-region/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int-cross-region:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int-cross-region:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int-cross-region:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int-cross-region:v45.0.0-tf"
}
}
diff --git a/modules/net-lb-app-int-cross-region/versions.tofu b/modules/net-lb-app-int-cross-region/versions.tofu
index f350755f5..6e2570f65 100644
--- a/modules/net-lb-app-int-cross-region/versions.tofu
+++ b/modules/net-lb-app-int-cross-region/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int-cross-region:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int-cross-region:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int-cross-region:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int-cross-region:v45.0.0-tofu"
}
}
diff --git a/modules/net-lb-app-int/versions.tf b/modules/net-lb-app-int/versions.tf
index 7f3197c41..73436e1f8 100644
--- a/modules/net-lb-app-int/versions.tf
+++ b/modules/net-lb-app-int/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int:v45.0.0-tf"
}
}
diff --git a/modules/net-lb-app-int/versions.tofu b/modules/net-lb-app-int/versions.tofu
index b863beead..c9d269eec 100644
--- a/modules/net-lb-app-int/versions.tofu
+++ b/modules/net-lb-app-int/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-app-int:v45.0.0-tofu"
}
}
diff --git a/modules/net-lb-ext/versions.tf b/modules/net-lb-ext/versions.tf
index e7fda922c..e5485bf11 100644
--- a/modules/net-lb-ext/versions.tf
+++ b/modules/net-lb-ext/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-ext:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-ext:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-ext:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-ext:v45.0.0-tf"
}
}
diff --git a/modules/net-lb-ext/versions.tofu b/modules/net-lb-ext/versions.tofu
index fcf64b13e..a02cf11fe 100644
--- a/modules/net-lb-ext/versions.tofu
+++ b/modules/net-lb-ext/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-ext:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-ext:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-ext:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-ext:v45.0.0-tofu"
}
}
diff --git a/modules/net-lb-int/versions.tf b/modules/net-lb-int/versions.tf
index e44e3952f..9345a3584 100644
--- a/modules/net-lb-int/versions.tf
+++ b/modules/net-lb-int/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-int:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-int:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-int:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-int:v45.0.0-tf"
}
}
diff --git a/modules/net-lb-int/versions.tofu b/modules/net-lb-int/versions.tofu
index 753b4fb6f..3cc178adc 100644
--- a/modules/net-lb-int/versions.tofu
+++ b/modules/net-lb-int/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-int:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-int:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-int:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-int:v45.0.0-tofu"
}
}
diff --git a/modules/net-lb-proxy-int/versions.tf b/modules/net-lb-proxy-int/versions.tf
index 94436d0aa..c3b72cbbc 100644
--- a/modules/net-lb-proxy-int/versions.tf
+++ b/modules/net-lb-proxy-int/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-proxy-int:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-proxy-int:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-proxy-int:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-proxy-int:v45.0.0-tf"
}
}
diff --git a/modules/net-lb-proxy-int/versions.tofu b/modules/net-lb-proxy-int/versions.tofu
index 5cbe7ad50..73183e561 100644
--- a/modules/net-lb-proxy-int/versions.tofu
+++ b/modules/net-lb-proxy-int/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-proxy-int:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-proxy-int:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-proxy-int:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-lb-proxy-int:v45.0.0-tofu"
}
}
diff --git a/modules/net-swp/versions.tf b/modules/net-swp/versions.tf
index b9716d459..20c2e51bc 100644
--- a/modules/net-swp/versions.tf
+++ b/modules/net-swp/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-swp:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-swp:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-swp:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-swp:v45.0.0-tf"
}
}
diff --git a/modules/net-swp/versions.tofu b/modules/net-swp/versions.tofu
index e2da44bc9..a08dc2158 100644
--- a/modules/net-swp/versions.tofu
+++ b/modules/net-swp/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-swp:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-swp:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-swp:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-swp:v45.0.0-tofu"
}
}
diff --git a/modules/net-vlan-attachment/versions.tf b/modules/net-vlan-attachment/versions.tf
index d2c40c3df..835ce6c55 100644
--- a/modules/net-vlan-attachment/versions.tf
+++ b/modules/net-vlan-attachment/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vlan-attachment:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vlan-attachment:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vlan-attachment:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vlan-attachment:v45.0.0-tf"
}
}
diff --git a/modules/net-vlan-attachment/versions.tofu b/modules/net-vlan-attachment/versions.tofu
index 29231568b..893515f18 100644
--- a/modules/net-vlan-attachment/versions.tofu
+++ b/modules/net-vlan-attachment/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vlan-attachment:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vlan-attachment:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vlan-attachment:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vlan-attachment:v45.0.0-tofu"
}
}
diff --git a/modules/net-vpc-factory/versions.tf b/modules/net-vpc-factory/versions.tf
index 85dbc1f0a..79ebbcb8a 100644
--- a/modules/net-vpc-factory/versions.tf
+++ b/modules/net-vpc-factory/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-factory:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-factory:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-factory:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-factory:v45.0.0-tf"
}
}
diff --git a/modules/net-vpc-factory/versions.tofu b/modules/net-vpc-factory/versions.tofu
index f4b7a9961..bfe360d63 100644
--- a/modules/net-vpc-factory/versions.tofu
+++ b/modules/net-vpc-factory/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-factory:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-factory:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-factory:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-factory:v45.0.0-tofu"
}
}
diff --git a/modules/net-vpc-firewall/versions.tf b/modules/net-vpc-firewall/versions.tf
index 7e2ba78a3..e2eaed207 100644
--- a/modules/net-vpc-firewall/versions.tf
+++ b/modules/net-vpc-firewall/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-firewall:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-firewall:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-firewall:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-firewall:v45.0.0-tf"
}
}
diff --git a/modules/net-vpc-firewall/versions.tofu b/modules/net-vpc-firewall/versions.tofu
index 831904381..a317cef7a 100644
--- a/modules/net-vpc-firewall/versions.tofu
+++ b/modules/net-vpc-firewall/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-firewall:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-firewall:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-firewall:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-firewall:v45.0.0-tofu"
}
}
diff --git a/modules/net-vpc-peering/versions.tf b/modules/net-vpc-peering/versions.tf
index f0116e832..aa3541cf8 100644
--- a/modules/net-vpc-peering/versions.tf
+++ b/modules/net-vpc-peering/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-peering:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-peering:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-peering:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-peering:v45.0.0-tf"
}
}
diff --git a/modules/net-vpc-peering/versions.tofu b/modules/net-vpc-peering/versions.tofu
index e576a44b9..9681f4ceb 100644
--- a/modules/net-vpc-peering/versions.tofu
+++ b/modules/net-vpc-peering/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-peering:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-peering:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-peering:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc-peering:v45.0.0-tofu"
}
}
diff --git a/modules/net-vpc/versions.tf b/modules/net-vpc/versions.tf
index db54c44a2..383ab847c 100644
--- a/modules/net-vpc/versions.tf
+++ b/modules/net-vpc/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc:v45.0.0-tf"
}
}
diff --git a/modules/net-vpc/versions.tofu b/modules/net-vpc/versions.tofu
index 52e395151..64bcb247b 100644
--- a/modules/net-vpc/versions.tofu
+++ b/modules/net-vpc/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpc:v45.0.0-tofu"
}
}
diff --git a/modules/net-vpn-dynamic/versions.tf b/modules/net-vpn-dynamic/versions.tf
index 80b08b81e..95f5a44f7 100644
--- a/modules/net-vpn-dynamic/versions.tf
+++ b/modules/net-vpn-dynamic/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-dynamic:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-dynamic:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-dynamic:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-dynamic:v45.0.0-tf"
}
}
diff --git a/modules/net-vpn-dynamic/versions.tofu b/modules/net-vpn-dynamic/versions.tofu
index f96422177..4a60f42a8 100644
--- a/modules/net-vpn-dynamic/versions.tofu
+++ b/modules/net-vpn-dynamic/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-dynamic:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-dynamic:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-dynamic:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-dynamic:v45.0.0-tofu"
}
}
diff --git a/modules/net-vpn-ha/versions.tf b/modules/net-vpn-ha/versions.tf
index 78d633ed4..2625f1968 100644
--- a/modules/net-vpn-ha/versions.tf
+++ b/modules/net-vpn-ha/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-ha:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-ha:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-ha:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-ha:v45.0.0-tf"
}
}
diff --git a/modules/net-vpn-ha/versions.tofu b/modules/net-vpn-ha/versions.tofu
index 241b888ff..29e5d4c3c 100644
--- a/modules/net-vpn-ha/versions.tofu
+++ b/modules/net-vpn-ha/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-ha:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-ha:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-ha:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-ha:v45.0.0-tofu"
}
}
diff --git a/modules/net-vpn-static/versions.tf b/modules/net-vpn-static/versions.tf
index 70ce7452b..b39cea597 100644
--- a/modules/net-vpn-static/versions.tf
+++ b/modules/net-vpn-static/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-static:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-static:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-static:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-static:v45.0.0-tf"
}
}
diff --git a/modules/net-vpn-static/versions.tofu b/modules/net-vpn-static/versions.tofu
index 6ea542232..f8018a2ac 100644
--- a/modules/net-vpn-static/versions.tofu
+++ b/modules/net-vpn-static/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-static:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-static:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-static:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/net-vpn-static:v45.0.0-tofu"
}
}
diff --git a/modules/organization/versions.tf b/modules/organization/versions.tf
index 924559bde..12acea4fd 100644
--- a/modules/organization/versions.tf
+++ b/modules/organization/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/organization:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/organization:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/organization:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/organization:v45.0.0-tf"
}
}
diff --git a/modules/organization/versions.tofu b/modules/organization/versions.tofu
index 5cbab5bd4..c8daa8243 100644
--- a/modules/organization/versions.tofu
+++ b/modules/organization/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/organization:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/organization:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/organization:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/organization:v45.0.0-tofu"
}
}
diff --git a/modules/project-factory-legacy/.gitignore b/modules/project-factory-legacy/.gitignore
deleted file mode 100644
index 1269488f7..000000000
--- a/modules/project-factory-legacy/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-data
diff --git a/modules/project-factory-legacy/README.md b/modules/project-factory-legacy/README.md
deleted file mode 100644
index cdc877267..000000000
--- a/modules/project-factory-legacy/README.md
+++ /dev/null
@@ -1,595 +0,0 @@
-# Project and Folder Factory
-
-This module implements end-to-end creation processes for a folder hierarchy, projects and billing budgets via YAML data configurations.
-
-It supports
-
-- filesystem-driven folder hierarchy exposing the full configuration options available in the [folder module](../folder/)
-- multiple project creation and management exposing the full configuration options available in the [project module](../project/), including KMS key grants and VPC-SC perimeter membership
-- optional per-project [service account and bucket management](#service-accounts-and-buckets) including basic IAM grants
-- optional [billing budgets](#billing-budgets) factory and budget/project associations
-- cross-referencing of hierarchy folders in projects
-- optional per-project IaC configuration
-
-The factory is implemented as a thin data translation layer for the underlying modules, so that no "magic" or hidden side effects are implemented in code, and debugging or integration of new features are simple.
-
-The code is meant to be executed by a high level service accounts with powerful permissions:
-
-- folder admin permissions for the hierarchy
-- project creation on the nodes (folder or org) where projects will be defined
-- Shared VPC connection if service project attachment is desired
-- billing cost manager permissions to manage budgets and monitoring permissions if notifications should also be managed here
-
-## Contents
-
-
-- [Folder hierarchy](#folder-hierarchy)
-- [Projects](#projects)
- - [Factory-wide project defaults, merges, optionals](#factory-wide-project-defaults-merges-optionals)
- - [Service accounts and buckets](#service-accounts-and-buckets)
- - [Automation project and resources](#automation-project-and-resources)
-- [Billing budgets](#billing-budgets)
-- [Interpolation in YAML configuration attributes](#interpolation-in-yaml-configuration-attributes)
-- [Example](#example)
-- [Files](#files)
-- [Variables](#variables)
-- [Outputs](#outputs)
-- [Tests](#tests)
-
-
-## Folder hierarchy
-
-The hierarchy supports up to three levels of folders, which are defined via filesystem directories each including a `_config.yaml` files detailing their attributes.
-
-The hierarchy factory is configured via the `factories_config.folders_data_path` variable, which sets the the path containing the YAML definitions for folders.
-
-Parent ids for top-level folders can either be set explicitly (e.g. `folders/12345678`) or via substitutions, by referring to keys in the `context.folder_ids` variable. The special `default` key in the substitutions folder variable is used if present and no folder id/key has been specified in the YAML.
-
-Filesystem directories can also contain project definitions in the same YAML format described below. This approach must be used with caution and is best adopted for stable scenarios, as problems in the filesystem hierarchy definitions might result in the project files not being read and the resources being deleted by Terraform.
-
-Refer to the [example](#example) below for actual examples of the YAML definitions.
-
-## Projects
-
-The project factory is configured via the `factories_config.projects_data_path` variable, and project files are also read from the hierarchy describe in the previous section when enabled. The YAML format mirrors the project module, refer to the [example](#example) below for actual examples of the YAML definitions.
-
-### Factory-wide project defaults, merges, optionals
-
-In addition to the YAML-based project configurations, the factory accepts three additional sets of inputs via Terraform variables:
-
-- the `data_defaults` variable allows defining defaults for specific project attributes, which are only used if the attributes are not passed in via YAML
-- the `data_overrides` variable works similarly to defaults, but the values specified here take precedence over those in YAML files
-- the `data_merges` variable allows specifying additional values for map or set based variables, which are merged with the data coming from YAML
-
-Some examples on where to use each of the three sets are [provided below](#example).
-
-### Service accounts and buckets
-
-Service accounts and GCS buckets can be managed as part of each project's YAML configuration. This allows creation of default service accounts used for GCE instances, in firewall rules, or for application-level credentials without resorting to a separate Terraform configuration.
-
-Each service account is represented by one key and a set of optional key/value pairs in the `service_accounts` top-level YAML map, which exposes most of the variables available in the `iam-service-account` module. Most of the service accounts attributes are optional.
-
-```yaml
-service_accounts:
- be-0: {}
- fe-1:
- display_name: GCE frontend service account.
- iam_self_roles:
- - roles/storage.objectViewer
- iam_project_roles:
- my-host-project:
- - roles/compute.networkUser
- iam_sa_roles:
- be-0:
- - roles/iam.serviceAccountUser
- terraform-rw: {}
-```
-
-Each bucket is represented by one key and a set of optional key/value pairs in the `buckets` top-level YAML map, which exposes most of the variables available in the `gcs` module. Bucket location, storage class and a few other attributes can be defaulted/enforced via project factory level variables.
-
-```yaml
-buckets:
- state:
- location: europe-west8
- iam:
- roles/storage.admin:
- - terraform-rw
-```
-
-### Automation project and resources
-
-Other than creating automation resources within the project via the `service_accounts` and `buckets` attributes, this module also support management of automation resources created in a separate controlling project. This allows grating broad roles on the project, while still making sure that the automation resources used for Terraform cannot be manipulated from the same identities.
-
-Automation resources are defined via the `automation` attribute in project configurations, which supports:
-
-- a mandatory `project` attribute to define the external controlling project; this attribute does not support interpolation and needs to be explicit
-- an optional `service_accounts` list where each element defines a service account in the controlling project
-- an optional `bucket` which defines a bucket in the controlling project, and the map of roles/principals in the corresponding value assigned on the created bucket; principals can refer to the created service accounts by key
-
-Service accounts and buckets are prefixed with the project name. Service accounts use the key specified in the YAML file as a suffix, while buckets use a default `tf-state` suffix.
-
-```yaml
-# file name: prod-app-example-0
-# prefix via factory defaults: foo
-# project id: foo-prod-app-example-0
-billing_account: 012345-67890A-BCDEF0
-parent: folders/12345678
-services:
- - compute.googleapis.com
- - stackdriver.googleapis.com
-iam:
- roles/owner:
- - rw
- roles/viewer:
- - ro
-automation:
- project: foo-prod-iac-core-0
- service_accounts:
- # sa name: foo-prod-app-example-0-rw
- rw:
- description: Read/write automation sa for app example 0.
- # sa name: foo-prod-app-example-0-ro
- ro:
- description: Read-only automation sa for app example 0.
- bucket:
- # bucket name: foo-prod-app-example-0-tf-state
- description: Terraform state bucket for app example 0.
- iam:
- roles/storage.objectCreator:
- - rw
- roles/storage.objectViewer:
- - rw
- - ro
- - group:devops@example.org
-```
-
-## Billing budgets
-
-The billing budgets factory integrates the `[`billing-account`](../billing-account/) module functionality, and adds support for easy referencing budgets in project files.
-
-To enable support for billing budgets, set the billing account id, optional notification channels, and the data folder for budgets in the `factories_config.budgets` variable, then create billing budgets using YAML definitions following the format described in the `billing-account` module.
-
-Once budgets are defined, they can be referenced in a project file using their file name:
-
-```yaml
-billing_account: 012345-67890A-BCDEF0
-labels:
- app: app-1
- team: foo
-parent: folders/12345678
-services:
- - container.googleapis.com
- - storage.googleapis.com
-billing_budgets:
- - test-100
-```
-
-A simple billing budget example is show in the [example](#example) below.
-
-## Interpolation in YAML configuration attributes
-
-Interpolation allow referring via short mnemonic names to resources which are either created at runtime, or externally managed.
-
-This feature has two main benefits:
-
-- being able to refer to resource ids which cannot be known before creation, for example project automation service accounts in IAM bindings
-- making YAML configuration files more easily readable and portable, by using mnemonic keys which are not specific to an organization or project
-
-One example of both types of contexts is in this project snippet. The automation service account is used in IAM bindings via its `rw` key, while the parent folder is set by referring to its path in the hierarchy factory.
-
-```yaml
-parent: teams/team-a
-iam:
- "roles/owner":
- - rw
-automation:
- project: ta-app0-0
- service_accounts:
- rw:
- description: Read/write automation sa for team a app 0.
- buckets:
- state:
- description: Terraform state bucket for team a app 0.
- iam:
- roles/storage.objectCreator:
- - rw
-```
-
-Interpolations leverage contexts from two separate sources: an internal set for resources managed by the project factory (folders, service accounts, etc.), and an external user-defined set passed in via the `factories_config.context` variable.
-
-The following table lists the available context interpolations. External contexts are passed in via the `factories_config.contexts` variable. IAM principals are interpolated in all IAM attributes except `iam_by_principal`. First two columns show for which attribute of which resource context is interpolated. `external contexts` column show in which map passed as `var.factories_config.context` key will be looked up.
-
-- Internally created folders creates keys under `${folder_name_1}[/${folder_name_2}/${folder_name_3}]`
-- IAM principals are resolved within context of managed project or use `${project}/${service_account}` to refer service account from other projects managed by the same project factory instance.
-
-| resource | attribute | external contexts | internal contexts |
-| ------------------- | -------------------- | ------------------- | ---------------------------------- |
-| folder | parent | `folder_ids` | implicit through folder structure |
-| folder | IAM principals | `iam_principals` | |
-| folder | tag bindings | `tag_values` | |
-| project | parent | `folder_ids` | internally created folders |
-| project | Shared VPC host | `vpc_host_projects` | |
-| project | Shared VPC IAM | `iam_principals` | project service accounts |
-| | | | project service agents |
-| | | | IaC service accounts |
-| | | | other project service accounts |
-| | | | other project IaC service accounts |
-| | | | project number in principals |
-| project | tag bindings | `tag_values` | |
-| project | IAM principals | `iam_principals` | project service accounts |
-| | | | IaC service accounts |
-| | | | other project service accounts |
-| | | | other project service agents |
-| | | | other project IaC service accounts |
-| | | | project number in principals |
-| bucket | IAM principals | `iam_principals` | project service accounts |
-| | | | IaC service accounts |
-| | | | other project service accounts |
-| | | | other project IaC service accounts |
-| | | | project number in principals |
-| service account | IAM projects | `vpc_host_projects` | |
-| service account | `iam_sa_roles` | | service accounts in the same project |
-| IaC bucket | IAM principals | `iam_principals` | IaC service accounts |
-| IaC service account | IAM principals | `iam_principals` | |
-
-## Example
-
-The module invocation using all optional features:
-
-```hcl
-module "project-factory" {
- source = "./fabric/modules/project-factory-legacy"
- # use a default billing account if none is specified via yaml
- data_defaults = {
- billing_account = var.billing_account_id
- storage_location = "EU"
- }
- # make sure the environment label and stackdriver service are always added
- data_merges = {
- labels = {
- environment = "test"
- }
- services = [
- "stackdriver.googleapis.com"
- ]
- }
- # always use this contacts and prefix, regardless of what is in the yaml file
- data_overrides = {
- contacts = {
- "admin@example.org" = ["ALL"]
- }
- prefix = "test-pf"
- }
- # location where the yaml files are read from
- factories_config = {
- budgets = {
- billing_account = var.billing_account_id
- budgets_data_path = "data/budgets"
- notification_channels = {
- billing-default = {
- project_id = "foo-billing-audit"
- type = "email"
- labels = {
- email_address = "gcp-billing-admins@example.org"
- }
- }
- }
- }
- folders_data_path = "data/hierarchy"
- projects_data_path = "data/projects"
- context = {
- folder_ids = {
- default = "folders/5678901234"
- teams = "folders/5678901234"
- }
- kms_keys = {
- compute-prod-ew1 = "projects/kms-central-prj/locations/europe-west1/keyRings/my-keyring/cryptoKeys/ew1-compute"
- }
- iam_principals = {
- gcp-devops = "group:gcp-devops@example.org"
- }
- tag_values = {
- "org-policies/drs-allow-all" = "tagValues/123456"
- }
- vpc_host_projects = {
- dev-spoke-0 = "test-pf-dev-net-spoke-0"
- }
- }
- }
-}
-# tftest files=0,1,2,3,4,5,6,7,8,9 inventory=example.yaml
-```
-
-A simple hierarchy of folders:
-
-```yaml
-name: Team A
-# implicit parent definition via 'default' key
-iam:
- roles/viewer:
- - group:team-a-admins@example.org
- - gcp-devops
-# tftest-file id=0 path=data/hierarchy/team-a/_config.yaml schema=folder.schema.json
-```
-
-```yaml
-name: Team B
-# explicit parent definition via key
-parent: teams
-# tftest-file id=1 path=data/hierarchy/team-b/_config.yaml schema=folder.schema.json
-```
-
-```yaml
-name: Team C
-# explicit parent definition via folder id
-parent: folders/5678901234
-# tftest-file id=2 path=data/hierarchy/team-c/_config.yaml schema=folder.schema.json
-```
-
-```yaml
-name: App 0
-# tftest-file id=3 path=data/hierarchy/team-a/app-0/_config.yaml schema=folder.schema.json
-```
-
-```yaml
-name: App 0
-tag_bindings:
- drs-allow-all: org-policies/drs-allow-all
-# tftest-file id=4 path=data/hierarchy/team-b/app-0/_config.yaml schema=folder.schema.json
-```
-
-One project defined within the folder hierarchy:
-
-```yaml
-billing_account: 012345-67890A-BCDEF0
-services:
- - container.googleapis.com
- - storage.googleapis.com
-# tftest-file id=5 path=data/hierarchy/teams-iac-0.yaml schema=project.schema.json
-```
-
-More traditional project definitions via the project factory data:
-
-```yaml
-billing_account: 012345-67890A-BCDEF0
-labels:
- app: app-0
- team: team-a
-parent: team-a/app-0
-service_encryption_key_ids:
- storage.googleapis.com:
- - projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce
- compute.googleapis.com:
- - compute-prod-ew1
-services:
- - compute.googleapis.com
- - container.googleapis.com
- - storage.googleapis.com
-iam_by_principals:
- app-0-be:
- - roles/storage.objectViewer
-iam:
- roles/cloudkms.cryptoKeyEncrypterDecrypter:
- - storage
-service_accounts:
- app-0-be:
- display_name: "Backend instances."
- iam_project_roles:
- dev-spoke-0:
- - roles/compute.networkUser
- iam_self_roles:
- - roles/logging.logWriter
- - roles/monitoring.metricWriter
- app-0-fe:
- display_name: "Frontend instances."
- iam_project_roles:
- dev-spoke-0:
- - roles/compute.networkUser
- iam_self_roles:
- - roles/logging.logWriter
- - roles/monitoring.metricWriter
-shared_vpc_service_config:
- host_project: dev-spoke-0
- network_users:
- - gcp-devops
- service_agent_iam:
- "roles/container.hostServiceAgentUser":
- - container-engine
- "roles/compute.networkUser":
- - container-engine
-billing_budgets:
- - test-100
-tags:
- my-tag-key-1:
- values:
- my-value-1:
- description: My value 1
- my-value-2:
- description: My value 3
- iam:
- roles/resourcemanager.tagUser:
- - user:user@example.com
-# tftest-file id=6 path=data/projects/dev-ta-app0-be.yaml schema=project.schema.json
-```
-
-This project defines a controlling project via the `automation` attributes:
-
-```yaml
-parent: team-b/app-0
-services:
-- run.googleapis.com
-- storage.googleapis.com
-iam:
- "roles/owner":
- - automation/rw
- "roles/viewer":
- - automation/ro
-shared_vpc_host_config:
- enabled: true
-service_accounts:
- vm-default:
- display_name: "VM default service account."
- iam_self_roles:
- - roles/logging.logWriter
- - roles/monitoring.metricWriter
- iam:
- "roles/iam.serviceAccountTokenCreator":
- - automation/rw
-automation:
- project: test-pf-teams-iac-0
- # prefix used for automation resources can be explicitly set if needed
- # prefix: test-pf-dev-tb-0-0
- service_accounts:
- rw:
- description: Team B app 0 read/write automation sa.
- ro:
- description: Team B app 0 read-only automation sa.
- bucket:
- description: Team B app 0 Terraform state bucket.
- iam:
- roles/storage.objectCreator:
- - automation/rw
- roles/storage.objectViewer:
- - gcp-devops
- - group:team-b-admins@example.org
- - automation/rw
- - automation/ro
-
-# tftest-file id=7 path=data/projects/dev-tb-app0-0.yaml schema=project.schema.json
-```
-
-A billing budget:
-
-```yaml
-# billing budget test-100
-display_name: 100 dollars in current spend
-amount:
- units: 100
-filter:
- period:
- calendar: MONTH
- resource_ancestors:
- - folders/1234567890
-threshold_rules:
-- percent: 0.5
-- percent: 0.75
-update_rules:
- default:
- disable_default_iam_recipients: true
- monitoring_notification_channels:
- - billing-default
-# tftest-file id=8 path=data/budgets/test-100.yaml schema=budget.schema.json
-```
-
-Granting permissions to service accounts defined in other project through interpolation:
-
-```yaml
-billing_account: 012345-67890A-BCDEF0
-labels:
- app: app-0
- team: team-b
-parent: team-b/app-0
-services:
- - container.googleapis.com
- - storage.googleapis.com
-iam:
- "roles/run.admin":
- - dev-ta-app0-be/app-0-be # interpolate to app-0-be service account in project defined in file dev-ta-app0-be
- "roles/run.developer":
- - app-0-be # interpolate to app-0-be service account within the same project
-service_accounts:
- app-0-be:
- display_name: "Backend instances."
- iam_self_roles:
- - roles/logging.logWriter
- - roles/monitoring.metricWriter
-# tftest-file id=9 path=data/projects/dev-tb-app0-1.yaml schema=project.schema.json
-```
-
-
-
-## Files
-
-| name | description | modules |
-|---|---|---|
-| [automation.tf](./automation.tf) | Automation projects locals and resources. | gcs · iam-service-account |
-| [factory-budgets.tf](./factory-budgets.tf) | Billing budget factory locals. | |
-| [factory-folders.tf](./factory-folders.tf) | Folder hierarchy factory locals. | |
-| [factory-projects-object.tf](./factory-projects-object.tf) | None | |
-| [factory-projects.tf](./factory-projects.tf) | Projects factory locals. | |
-| [folders.tf](./folders.tf) | Folder hierarchy factory resources. | folder |
-| [main.tf](./main.tf) | Projects and billing budgets factory resources. | billing-account · gcs · iam-service-account · project |
-| [outputs.tf](./outputs.tf) | Module outputs. | |
-| [variables.tf](./variables.tf) | Module variables. | |
-
-## Variables
-
-| name | description | type | required | default |
-|---|---|:---:|:---:|:---:|
-| [factories_config](variables.tf#L144) | Path to folder with YAML resource description data files. | object({…}) | ✓ | |
-| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} |
-| [data_merges](variables.tf#L84) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} |
-| [data_overrides](variables.tf#L103) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} |
-| [factories_data](variables.tf#L172) | Alternate factory data input allowing to use this module as a library. Merged with local YAML data. | object({…}) | | {} |
-
-## Outputs
-
-| name | description | sensitive |
-|---|---|:---:|
-| [buckets](outputs.tf#L17) | Bucket names. | |
-| [folders](outputs.tf#L24) | Folder ids. | |
-| [projects](outputs.tf#L29) | Created projects. | |
-| [service_accounts](outputs.tf#L55) | Service account emails. | |
-
-## Tests
-
-These tests validate fixes to the project factory.
-
-```hcl
-module "project-factory" {
- source = "./fabric/modules/project-factory-legacy"
- data_defaults = {
- billing_account = "012345-67890A-ABCDEF"
- }
- data_merges = {
- labels = {
- owner = "foo"
- }
- services = [
- "compute.googleapis.com"
- ]
- }
- data_overrides = {
- prefix = "foo"
- }
- factories_config = {
- projects_data_path = "data/projects"
- }
-}
-# tftest modules=4 resources=22 files=test-0,test-1,test-2
-```
-
-```yaml
-parent: folders/1234567890
-services:
- - iam.googleapis.com
- - contactcenteraiplatform.googleapis.com
- - container.googleapis.com
-# tftest-file id=test-0 path=data/projects/test-0.yaml
-```
-
-```yaml
-parent: folders/1234567890
-services:
- - iam.googleapis.com
- - contactcenteraiplatform.googleapis.com
-# tftest-file id=test-1 path=data/projects/test-1.yaml
-```
-
-```yaml
-parent: folders/1234567890
-services:
- - iam.googleapis.com
- - storage.googleapis.com
-# tftest-file id=test-2 path=data/projects/test-2.yaml
-```
diff --git a/modules/project-factory-legacy/automation.tf b/modules/project-factory-legacy/automation.tf
deleted file mode 100644
index e8d301999..000000000
--- a/modules/project-factory-legacy/automation.tf
+++ /dev/null
@@ -1,167 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Automation projects locals and resources.
-
-locals {
- automation_buckets = {
- for k, v in local.projects :
- k => merge(try(v.automation.bucket, {}), {
- automation_project = v.automation.project
- prefix = coalesce(
- try(v.automation.prefix, null),
- "${v.prefix}-${v.name}"
- )
- project_name = v.name
- }) if try(v.automation.bucket, null) != null
- }
- automation_sa = flatten([
- for k, v in local.projects : [
- for ks, kv in try(v.automation.service_accounts, {}) : merge(kv, {
- automation_project = v.automation.project
- name = ks
- prefix = coalesce(
- try(v.automation.prefix, null),
- "${v.prefix}-${v.name}"
- )
- project = k
- project_name = v.name
- })
- ]
- ])
-}
-
-module "automation-bucket" {
- source = "../gcs"
- for_each = local.automation_buckets
- # we cannot use interpolation here as we would get a cycle
- # from the IAM dependency in the outputs of the main project
- project_id = each.value.automation_project
- prefix = each.value.prefix
- name = "tf-state"
- encryption_key = lookup(each.value, "encryption_key", null)
- force_destroy = try(coalesce(
- var.data_overrides.bucket.force_destroy,
- each.value.force_destroy,
- var.data_defaults.bucket.force_destroy,
- ), null)
- iam = {
- for k, v in lookup(each.value, "iam", {}) : k => [
- for vv in v : try(
- module.automation-service-accounts["${each.key}/automation/${vv}"].iam_email,
- module.automation-service-accounts["${each.key}/${vv}"].iam_email,
- var.factories_config.context.iam_principals[vv],
- vv
- )
- ]
- }
- iam_bindings = {
- for k, v in lookup(each.value, "iam_bindings", {}) : k => merge(v, {
- members = [
- for vv in v.members : try(
- # rw (infer local project and automation prefix)
- module.automation-service-accounts["${each.key}/automation/${vv}"].iam_email,
- # automation/rw or sa (infer local project)
- module.automation-service-accounts["${each.key}/${vv}"].iam_email,
- # project/automation/rw project/sa
- var.factories_config.context.iam_principals[vv],
- # fully specified principal
- vv,
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(vv, ":")
- ? vv
- : tonumber("[Error] Invalid member: '${vv}' in automation bucket '${each.key}'")
- )
- )
- ]
- })
- }
- iam_bindings_additive = {
- for k, v in lookup(each.value, "iam_bindings_additive", {}) : k => merge(v, {
- member = try(
- module.automation-service-accounts["${each.key}/automation/${v.member}"].iam_email,
- module.automation-service-accounts["${each.key}/${v.member}"].iam_email,
- var.factories_config.context.iam_principals[v.member],
- v.member
- )
- })
- }
- labels = lookup(each.value, "labels", {})
- location = coalesce(
- var.data_overrides.storage_location,
- lookup(each.value, "location", null),
- var.data_defaults.storage_location
- )
- storage_class = lookup(
- each.value, "storage_class", "STANDARD"
- )
- uniform_bucket_level_access = lookup(
- each.value, "uniform_bucket_level_access", true
- )
- versioning = lookup(
- each.value, "versioning", false
- )
-}
-
-module "automation-service-accounts" {
- source = "../iam-service-account"
- for_each = {
- for k in local.automation_sa : "${k.project}/automation/${k.name}" => k
- }
- # we cannot use interpolation here as we would get a cycle
- # from the IAM dependency in the outputs of the main project
- project_id = each.value.automation_project
- prefix = each.value.prefix
- name = each.value.name
- description = lookup(each.value, "description", null)
- display_name = lookup(
- each.value,
- "display_name",
- "Service account ${each.value.name} for ${each.value.project}."
- )
- # TODO: also support short form for service accounts in this project
- iam = {
- for k, v in lookup(each.value, "iam", {}) : k => [
- for vv in v : lookup(
- var.factories_config.context.iam_principals, vv, vv
- )
- ]
- }
- iam_bindings = {
- for k, v in lookup(each.value, "iam_bindings", {}) : k => merge(v, {
- members = [
- for vv in v.members : lookup(
- var.factories_config.context.iam_principals, vv, vv
- )
- ]
- })
- }
- iam_bindings_additive = {
- for k, v in lookup(each.value, "iam_bindings_additive", {}) : k => merge(v, {
- member = lookup(
- var.factories_config.context.iam_principals, v.member, v.member
- )
- })
- }
- iam_billing_roles = lookup(each.value, "iam_billing_roles", {})
- iam_folder_roles = lookup(each.value, "iam_folder_roles", {})
- iam_organization_roles = lookup(each.value, "iam_organization_roles", {})
- iam_project_roles = lookup(each.value, "iam_project_roles", {})
- iam_sa_roles = lookup(each.value, "iam_sa_roles", {})
- # we don't interpolate buckets here as we can't use a dynamic key
- iam_storage_roles = lookup(each.value, "iam_storage_roles", {})
-}
diff --git a/modules/project-factory-legacy/factory-budgets.tf b/modules/project-factory-legacy/factory-budgets.tf
deleted file mode 100644
index 512021d16..000000000
--- a/modules/project-factory-legacy/factory-budgets.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Billing budget factory locals.
-
-locals {
- # reimplement the billing account factory here to interpolate projects
- _budget_path = try(pathexpand(var.factories_config.budgets.budgets_data_path), null)
- _budgets = merge(
- var.factories_data.budgets,
- {
- for f in try(fileset(local._budget_path, "**/*.yaml"), []) :
- trimsuffix(f, ".yaml") => yamldecode(file("${local._budget_path}/${f}"))
- }
- )
- budgets = {
- for k, v in local._budgets : k => merge(v, {
- amount = merge(
- {
- currency_code = null
- nanos = null
- units = null
- use_last_period = null
- },
- try(v.amount, {})
- )
- display_name = try(v.display_name, null)
- filter = try(v.filter, null) == null ? null : {
- credit_types_treatment = (
- try(v.filter.credit_types_treatment, null) == null
- ? null
- : merge(
- { exclude_all = null, include_specified = null },
- v.filter.credit_types_treatment
- )
- )
- label = try(v.filter.label, null)
- projects = concat(
- try(v.projects, []),
- [
- for p in lookup(local.project_budgets, k, []) :
- "projects/${module.projects[p].number}"
- ]
- )
- resource_ancestors = try(v.filter.resource_ancestors, null)
- services = try(v.filter.services, null)
- subaccounts = try(v.filter.subaccounts, null)
- }
- threshold_rules = [
- for vv in try(v.threshold_rules, []) : merge({
- percent = null
- forecasted_spend = null
- }, vv)
- ]
- update_rules = {
- for kk, vv in try(v.update_rules, {}) : kk => merge({
- disable_default_iam_recipients = null
- monitoring_notification_channels = null
- pubsub_topic = null
- }, vv)
- }
- })
- }
-}
diff --git a/modules/project-factory-legacy/factory-folders.tf b/modules/project-factory-legacy/factory-folders.tf
deleted file mode 100644
index 3da56dabd..000000000
--- a/modules/project-factory-legacy/factory-folders.tf
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Folder hierarchy factory locals.
-
-locals {
- _folders_path = try(
- pathexpand(var.factories_config.folders_data_path), null
- )
- _folders = merge(
- var.factories_data.hierarchy,
- {
- for f in local._hierarchy_files : dirname(f) => yamldecode(file(
- "${coalesce(var.factories_config.folders_data_path, "-")}/${f}"
- ))
- }
- )
- _hierarchy_files = try(
- fileset(local._folders_path, "**/_config.yaml"),
- []
- )
- folders = {
- for key, data in local._folders : key => merge(data, {
- key = key
- level = length(split("/", key))
- parent_key = dirname(key)
- })
- }
- hierarchy = merge(
- { for k, v in module.hierarchy-folder-lvl-1 : k => v.id },
- { for k, v in module.hierarchy-folder-lvl-2 : k => v.id },
- { for k, v in module.hierarchy-folder-lvl-3 : k => v.id },
- )
-}
diff --git a/modules/project-factory-legacy/factory-projects-object.tf b/modules/project-factory-legacy/factory-projects-object.tf
deleted file mode 100644
index 233781939..000000000
--- a/modules/project-factory-legacy/factory-projects-object.tf
+++ /dev/null
@@ -1,311 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# inputs
-# local._projects_input - parsed data from yaml as map
-# local._projects_config = object({
-# data_overrides = ...
-# data_defaults = ...
-# })
-# outputs:
-# local._projects_output - map
-locals {
- __projects_config = {
- data_defaults = merge({
- billing_account = null
- contacts = {}
- deletion_policy = null
- factories_config = merge({
- custom_roles = null
- observability = null
- org_policies = null
- quotas = null
- }, try(local._projects_config.data_defaults.factories_config, {
- custom_roles = null
- observability = null
- org_policies = null
- quotas = null
- })
- )
- labels = {}
- metric_scopes = []
- parent = null
- prefix = null
- project_reuse = merge({
- use_data_source = true
- attributes = null
- }, try(local._projects_config.data_defaults.project_reuse, {
- use_data_source = true
- attributes = null
- })
- )
- service_encryption_key_ids = {}
- services = []
- shared_vpc_service_config = merge(
- {
- host_project = null
- iam_bindings_additive = {}
- network_users = []
- service_agent_iam = {}
- service_agent_subnet_iam = {}
- service_iam_grants = []
- network_subnet_users = {}
- },
- try(local._projects_config.data_defaults.shared_vpc_service_config, {
- host_project = null
- iam_bindings_additive = {}
- network_users = []
- service_agent_iam = {}
- service_agent_subnet_iam = {}
- service_iam_grants = []
- network_subnet_users = {}
- }
- )
- )
- storage_location = null
- tag_bindings = {}
- service_accounts = {}
- vpc_sc = merge({
- perimeter_name = null
- is_dry_run = false
- }, try(local._projects_config.data_defaults.vpc_sc, {
- perimeter_name = null
- is_dry_run = false
- })
- )
- logging_data_access = {}
- },
- try(local._projects_config.data_defaults, {})
- )
- # data_overrides default to null's, to mark that they should not override
- data_overrides = merge({
- billing_account = null
- contacts = null
- deletion_policy = null
- factories_config = merge({
- custom_roles = null
- observability = null
- org_policies = null
- quotas = null
- }, try(local._projects_config.data_overrides.factories_config, {
- custom_roles = null
- observability = null
- org_policies = null
- quotas = null
- })
- )
- parent = null
- prefix = null
- service_encryption_key_ids = null
- storage_location = null
- tag_bindings = null
- services = null
- service_accounts = null
- vpc_sc = try(
- merge(
- {
- perimeter_name = null
- is_dry_run = false
- },
- local._projects_config.data_overrides.vpc_sc
- ),
- null
- )
- logging_data_access = null
- },
- try(local._projects_config.data_overrides, {})
- )
- }
- _projects_output = {
- # Semantics of the merges are:
- # * if data_overrides. is not null, use this value
- # * if _projects_inputs. is not null, use this value
- # * use data_default value, which if not set, will provide "empty" type
- # This logic is easily implemented using coalesce, even on maps and list and allows to
- # set data_overrides. to "", [] or {} to ensure, that empty value is always passed, or do
- # the same in _projects_input to prevent falling back to default value
- for k, v in local._projects_input : k => merge(v, {
- billing_account = try(coalesce( # type: string
- local.__projects_config.data_overrides.billing_account,
- try(v.billing_account, null),
- local.__projects_config.data_defaults.billing_account
- ), null)
- deletion_policy = try(coalesce( # type: string
- local.__projects_config.data_overrides.deletion_policy,
- try(v.deletion_policy, null),
- local.__projects_config.data_defaults.deletion_policy
- ), null)
- contacts = coalesce( # type: map
- local.__projects_config.data_overrides.contacts,
- try(v.contacts, null),
- local.__projects_config.data_defaults.contacts
- )
- factories_config = { # type: object
- custom_roles = try( # type: string
- coalesce(
- local.__projects_config.data_overrides.factories_config.custom_roles,
- try(v.factories_config.custom_roles, null),
- local.__projects_config.data_defaults.factories_config.custom_roles
- ),
- null
- )
- observability = try( # type: string
- coalesce(
- local.__projects_config.data_overrides.factories_config.observability,
- try(v.factories_config.observability, null),
- local.__projects_config.data_defaults.factories_config.observability
- ),
- null)
- org_policies = try( # type: string
- coalesce(
- local.__projects_config.data_overrides.factories_config.org_policies,
- try(v.factories_config.org_policies, null),
- local.__projects_config.data_defaults.factories_config.org_policies
- ),
- null)
- quotas = try( # type: string
- coalesce(
- local.__projects_config.data_overrides.factories_config.quotas,
- try(v.factories_config.quotas, null),
- local.__projects_config.data_defaults.factories_config.quotas
- ),
- null)
- }
- iam = try(v.iam, {}) # type: map(list(string))
- iam_bindings = try(v.iam_bindings, {}) # type: map(object({...}))
- iam_bindings_additive = try(v.iam_bindings_additive, {}) # type: map(object({...}))
- iam_by_principals_additive = try(v.iam_by_principals_additive, {}) # type: map(list(string))
- iam_by_principals = try(v.iam_by_principals, {}) # map(list(string))
- labels = coalesce( # type: map(string)
- try(v.labels, null),
- local.__projects_config.data_defaults.labels
- )
- metric_scopes = coalesce( # type: list(string)
- try(v.metric_scopes, null),
- local.__projects_config.data_defaults.metric_scopes
- )
- name = lookup(v, "name", basename(k)) # type: string
- org_policies = try(v.org_policies, {}) # type: map(object({...}))
- parent = try( # type: string, nullable
- coalesce(
- local.__projects_config.data_overrides.parent,
- try(v.parent, null),
- local.__projects_config.data_defaults.parent
- ), null
- )
- prefix = try( # type: string, nullable
- coalesce(
- local.__projects_config.data_overrides.prefix,
- try(v.prefix, null),
- local.__projects_config.data_defaults.prefix
- ), null
- )
- project_reuse = ( # type: object({...})
- try(v.project_reuse, null) != null
- ? merge(
- {
- use_data_source = true
- attributes = null
- },
- v.project_reuse
- )
- : local.__projects_config.data_defaults.project_reuse
- )
- service_encryption_key_ids = coalesce( # type: map(list(string))
- local.__projects_config.data_overrides.service_encryption_key_ids,
- try(v.service_encryption_key_ids, null),
- local.__projects_config.data_defaults.service_encryption_key_ids
- )
- services = coalesce( # type: list(string)
- local.__projects_config.data_overrides.services,
- try(v.services, null),
- local.__projects_config.data_defaults.services
- )
- shared_vpc_host_config = ( # type: object({...})
- try(v.shared_vpc_host_config, null) != null
- ? merge(
- { service_projects = [] },
- v.shared_vpc_host_config
- )
- : null
- )
- shared_vpc_service_config = ( # type: object({...})
- try(v.shared_vpc_service_config, null) != null
- ? merge(
- {
- host_project = null
- iam_bindings_additive = {}
- network_users = []
- service_agent_iam = {}
- service_agent_subnet_iam = {}
- service_iam_grants = []
- network_subnet_users = {}
- },
- v.shared_vpc_service_config
- )
- : local.__projects_config.data_defaults.shared_vpc_service_config
- )
- tag_bindings = coalesce( # type: map(string)
- local.__projects_config.data_overrides.tag_bindings,
- try(v.tag_bindings, null),
- local.__projects_config.data_defaults.tag_bindings
- )
- tags = {
- for tag_name, tag_data in try(v.tags, {}) : tag_name => {
- description = try(tag_data.description, "Managed by the Terraform project-factory module.")
- id = try(tag_data.id, null)
- iam = try(tag_data.iam, {})
- iam_bindings = try(tag_data.iam_bindings, {})
- iam_bindings_additive = try(tag_data.iam_bindings_additive, {})
- values = {
- for value_name, value_data in try(tag_data.values, {}) : value_name => {
- description = try(value_data.description, "Managed by the Terraform project-factory module.")
- id = try(value_data.id, null)
- iam = try(value_data.iam, {})
- iam_bindings = try(value_data.iam_bindings, {})
- iam_bindings_additive = try(value_data.iam_bindings_additive, {})
- }
- }
- }
- }
- vpc_sc = (
- local.__projects_config.data_overrides.vpc_sc != null
- ? local.__projects_config.data_overrides.vpc_sc
- : (
- try(v.vpc_sc, null) != null
- ? merge({
- perimeter_name = null
- is_dry_run = false
- }, v.vpc_sc)
- : local.__projects_config.data_defaults.vpc_sc
- )
- )
- logging_data_access = coalesce( # type: map(object({...}))
- local.__projects_config.data_overrides.logging_data_access,
- try(v.logging_data_access, null),
- local.__projects_config.data_defaults.logging_data_access
- )
- quotas = try(v.quotas, {})
- })
- }
- # tflint-ignore: terraform_unused_declarations
- _projects_uniqueness_validation = {
- # will raise error, if the same project (derived from file name, or provided in the YAML file)
- # is used more than once
- for k, v in local._projects_output :
- "${v.prefix != null ? v.prefix : ""}-${v.name}" => k
- }
-}
diff --git a/modules/project-factory-legacy/factory-projects.tf b/modules/project-factory-legacy/factory-projects.tf
deleted file mode 100644
index 0d0d595ce..000000000
--- a/modules/project-factory-legacy/factory-projects.tf
+++ /dev/null
@@ -1,130 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Projects factory locals.
-
-locals {
- _hierarchy_projects_full_path = (
- {
- for f in try(fileset(local._folders_path, "**/*.yaml"), []) :
- trimsuffix(f, ".yaml") => merge(
- { parent = dirname(f) == "." ? "default" : dirname(f) },
- yamldecode(file("${local._folders_path}/${f}"))
- ) if !endswith(f, "/_config.yaml")
- }
- )
- _project_path = try(pathexpand(var.factories_config.projects_data_path), null)
- _projects_full_path = {
- for f in try(fileset(local._project_path, "**/*.yaml"), []) :
- trimsuffix(f, ".yaml") => yamldecode(file("${local._project_path}/${f}"))
- }
- _projects_input = {
- for k, v in merge(
- local._hierarchy_projects_full_path, local._projects_full_path
- ) : (
- var.factories_config.projects_config.key_ignores_path == true
- ? basename(k)
- : k
- ) => v
- }
- _project_budgets = flatten([
- for k, v in local._projects_input : [
- for b in try(v.billing_budgets, []) : {
- budget = b
- project = lookup(v, "name", k)
- }
- ]
- ])
- _projects_config = {
- data_overrides = var.data_overrides
- data_defaults = var.data_defaults
- }
- projects = {
- for k, v in local._projects_output : (
- var.factories_config.projects_config.key_ignores_path == true
- ? basename(k)
- : k
- ) => merge({
- buckets = try(v.buckets, {})
- service_accounts = try(v.service_accounts, {})
- }, v)
- }
- project_budgets = {
- for v in local._project_budgets : v.budget => v.project...
- }
- buckets = flatten([
- for k, v in local.projects : [
- for name, opts in v.buckets : {
- project_key = k
- project_name = v.name
- name = name
- description = lookup(opts, "description", "Terraform-managed.")
- encryption_key = lookup(opts, "encryption_key", null)
- force_destroy = try(coalesce(
- var.data_overrides.bucket.force_destroy,
- try(opts.force_destroy, null),
- var.data_defaults.bucket.force_destroy,
- ), null)
- iam = lookup(opts, "iam", {})
- iam_bindings = lookup(opts, "iam_bindings", {})
- iam_bindings_additive = lookup(opts, "iam_bindings_additive", {})
- labels = lookup(opts, "labels", {})
- location = lookup(opts, "location", null)
- prefix = coalesce(
- var.data_overrides.prefix,
- try(v.prefix, null),
- var.data_defaults.prefix
- )
- storage_class = lookup(
- opts, "storage_class", "STANDARD"
- )
- uniform_bucket_level_access = lookup(
- opts, "uniform_bucket_level_access", true
- )
- versioning = lookup(
- opts, "versioning", false
- )
-
- }
- ]
- ])
- service_accounts = flatten([
- for k, project in local.projects : [
- for name, opts in project.service_accounts : {
- project_key = k
- name = name
- display_name = coalesce(
- try(var.data_overrides.service_accounts.display_name, null),
- try(opts.display_name, null),
- try(var.data_defaults.service_accounts.display_name, null),
- "Terraform-managed."
- )
- iam = try(opts.iam, {})
- iam_billing_roles = try(opts.iam_billing_roles, {})
- iam_organization_roles = try(opts.iam_organization_roles, {})
- iam_sa_roles = try(opts.iam_sa_roles, {})
- iam_project_roles = try(opts.iam_project_roles, {})
- iam_self_roles = distinct(concat(
- try(var.data_overrides.service_accounts.iam_self_roles, []),
- try(opts.iam_self_roles, []),
- try(var.data_defaults.service_accounts.iam_self_roles, []),
- ))
- iam_storage_roles = try(opts.iam_storage_roles, {})
- opts = opts
- }
- ]
- ])
-}
diff --git a/modules/project-factory-legacy/folders.tf b/modules/project-factory-legacy/folders.tf
deleted file mode 100644
index 6f4710853..000000000
--- a/modules/project-factory-legacy/folders.tf
+++ /dev/null
@@ -1,158 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Folder hierarchy factory resources.
-
-locals {
- folder_parent_default = try(
- var.factories_config.context.folder_ids.default, null
- )
-}
-
-module "hierarchy-folder-lvl-1" {
- source = "../folder"
- for_each = { for k, v in local.folders : k => v if v.level == 1 }
- parent = try(
- # allow the YAML data to set the parent for this level
- lookup(
- var.factories_config.context.folder_ids,
- each.value.parent,
- each.value.parent
- ),
- # use the default value in the initial parents map
- local.folder_parent_default
- # fail if we don't have an explicit parent
- )
- name = each.value.name
- iam = {
- for k, v in lookup(each.value, "iam", {}) : k => [
- # don't interpolate automation service account to prevent cycles
- for vv in v : lookup(
- var.factories_config.context.iam_principals, vv, vv
- )
- ]
- }
- iam_bindings = {
- for k, v in lookup(each.value, "iam_bindings", {}) : k => merge(v, {
- members = [
- # don't interpolate automation service account to prevent cycles
- for vv in v.members : lookup(
- var.factories_config.context.iam_principals, vv, vv
- )
- ]
- })
- }
- iam_bindings_additive = {
- for k, v in lookup(each.value, "iam_bindings_additive", {}) : k => merge(v, {
- # don't interpolate automation service account to prevent cycles
- member = lookup(
- var.factories_config.context.iam_principals, v.member, v.member
- )
- })
- }
- iam_by_principals = {
- for k, v in lookup(each.value, "iam_by_principals", {}) :
- lookup(
- var.factories_config.context.iam_principals, k, k
- ) => v
- }
- org_policies = lookup(each.value, "org_policies", {})
- tag_bindings = {
- for k, v in lookup(each.value, "tag_bindings", {}) :
- k => lookup(var.factories_config.context.tag_values, v, v)
- }
- logging_data_access = lookup(each.value, "logging_data_access", {})
-}
-
-module "hierarchy-folder-lvl-2" {
- source = "../folder"
- for_each = { for k, v in local.folders : k => v if v.level == 2 }
- parent = module.hierarchy-folder-lvl-1[each.value.parent_key].id
- name = each.value.name
- iam = {
- for k, v in lookup(each.value, "iam", {}) : k => [
- # don't interpolate automation service account to prevent cycles
- for vv in v : lookup(
- var.factories_config.context.iam_principals, vv, vv
- )
- ]
- }
- iam_bindings = {
- for k, v in lookup(each.value, "iam_bindings", {}) : k => merge(v, {
- members = [
- # don't interpolate automation service account to prevent cycles
- for vv in v.members : lookup(
- var.factories_config.context.iam_principals, vv, vv
- )
- ]
- })
- }
- iam_bindings_additive = {
- for k, v in lookup(each.value, "iam_bindings_additive", {}) : k => merge(v, {
- # don't interpolate automation service account to prevent cycles
- member = lookup(
- var.factories_config.context.iam_principals, v.member, v.member
- )
- })
- }
- iam_by_principals = lookup(each.value, "iam_by_principals", {})
- org_policies = lookup(each.value, "org_policies", {})
- tag_bindings = {
- for k, v in lookup(each.value, "tag_bindings", {}) :
- k => lookup(var.factories_config.context.tag_values, v, v)
- }
- logging_data_access = lookup(each.value, "logging_data_access", {})
-}
-
-module "hierarchy-folder-lvl-3" {
- source = "../folder"
- for_each = { for k, v in local.folders : k => v if v.level == 3 }
- parent = module.hierarchy-folder-lvl-2[each.value.parent_key].id
- name = each.value.name
- iam = {
- for k, v in lookup(each.value, "iam", {}) : k => [
- # don't interpolate automation service account to prevent cycles
- for vv in v : lookup(
- var.factories_config.context.iam_principals, vv, vv
- )
- ]
- }
- iam_bindings = {
- for k, v in lookup(each.value, "iam_bindings", {}) : k => merge(v, {
- members = [
- # don't interpolate automation service account to prevent cycles
- for vv in v.members : lookup(
- var.factories_config.context.iam_principals, vv, vv
- )
- ]
- })
- }
- iam_bindings_additive = {
- for k, v in lookup(each.value, "iam_bindings_additive", {}) : k => merge(v, {
- # don't interpolate automation service account to prevent cycles
- member = lookup(
- var.factories_config.context.iam_principals, v.member, v.member
- )
- })
- }
- iam_by_principals = lookup(each.value, "iam_by_principals", {})
- org_policies = lookup(each.value, "org_policies", {})
- tag_bindings = {
- for k, v in lookup(each.value, "tag_bindings", {}) :
- k => lookup(var.factories_config.context.tag_values, v, v)
- }
- logging_data_access = lookup(each.value, "logging_data_access", {})
-}
diff --git a/modules/project-factory-legacy/main.tf b/modules/project-factory-legacy/main.tf
deleted file mode 100644
index 29d15f22c..000000000
--- a/modules/project-factory-legacy/main.tf
+++ /dev/null
@@ -1,490 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Projects and billing budgets factory resources.
-
-locals {
- _service_agent_emails = flatten([
- for k, v in module.projects : [
- for kk, vv in v.service_agents : {
- key = "${k}/${kk}"
- value = "serviceAccount:${vv.email}"
- }
- ]
- ])
- context = {
- folder_ids = merge(
- var.factories_config.context.folder_ids,
- local.hierarchy
- )
- iam_principals = merge(
- var.factories_config.context.iam_principals,
- {
- for k, v in module.automation-service-accounts :
- k => v.iam_email
- },
- # module.service-accounts are excluded here, as adding them here results in dependency cycles
- )
- }
- service_accounts_names = {
- for k, v in module.service-accounts : k => v.name
- }
- service_agents_email = {
- for v in local._service_agent_emails : v.key => v.value
- }
-}
-
-module "projects" {
- source = "../project"
- for_each = local.projects
- billing_account = each.value.billing_account
- deletion_policy = each.value.deletion_policy
- name = each.value.name
- parent = lookup(
- local.context.folder_ids, each.value.parent, each.value.parent
- )
- prefix = each.value.prefix
- project_reuse = each.value.project_reuse
- alerts = try(each.value.alerts, null)
- auto_create_network = try(each.value.auto_create_network, false)
- compute_metadata = try(each.value.compute_metadata, {})
- # TODO: concat lists for each key
- contacts = merge(
- each.value.contacts, var.data_merges.contacts
- )
- default_service_account = try(each.value.default_service_account, "keep")
- descriptive_name = try(each.value.descriptive_name, null)
- factories_config = {
- custom_roles = each.value.factories_config.custom_roles
- observability = each.value.factories_config.observability
- org_policies = each.value.factories_config.org_policies
- quotas = each.value.factories_config.quotas
- context = {
- notification_channels = var.factories_config.context.notification_channels
- }
- }
- labels = merge(
- each.value.labels, var.data_merges.labels
- )
- lien_reason = try(each.value.lien_reason, null)
- log_scopes = try(each.value.log_scopes, null)
- logging_data_access = try(each.value.logging_data_access, {})
- logging_exclusions = try(each.value.logging_exclusions, {})
- logging_metrics = try(each.value.logging_metrics, null)
- logging_sinks = try(each.value.logging_sinks, {})
- metric_scopes = distinct(concat(
- each.value.metric_scopes, var.data_merges.metric_scopes
- ))
- notification_channels = try(each.value.notification_channels, null)
- org_policies = each.value.org_policies
- service_encryption_key_ids = {
- for k, v in merge(
- each.value.service_encryption_key_ids,
- var.data_merges.service_encryption_key_ids
- ) : k => [
- for key in v : lookup(var.factories_config.context.kms_keys, key, key)
- ]
- }
- services = distinct(concat(
- each.value.services,
- var.data_merges.services
- ))
- shared_vpc_host_config = each.value.shared_vpc_host_config
- tag_bindings = {
- for k, v in merge(each.value.tag_bindings, var.data_merges.tag_bindings) :
- k => lookup(var.factories_config.context.tag_values, v, v)
- }
- tags = each.value.tags
- vpc_sc = each.value.vpc_sc == null ? null : {
- perimeter_name = (
- each.value.vpc_sc.perimeter_name == null
- ? null
- : lookup(
- var.factories_config.context.perimeters,
- each.value.vpc_sc.perimeter_name,
- each.value.vpc_sc.perimeter_name
- )
- )
- is_dry_run = each.value.vpc_sc.is_dry_run
- }
- quotas = each.value.quotas
-}
-
-module "projects-iam" {
- source = "../project"
- for_each = local.projects
- name = module.projects[each.key].project_id
- project_reuse = {
- use_data_source = false
- attributes = {
- name = module.projects[each.key].name
- number = module.projects[each.key].number
- services_enabled = module.projects[each.key].services
- }
- }
- iam = {
- for k, v in lookup(each.value, "iam", {}) :
- lookup(var.factories_config.context.custom_roles, k, k) => [
- for vv in v : try(
- # project service accounts (sa)
- module.service-accounts["${each.key}/${vv}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.key}/automation/${vv}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.key}/${vv}"],
- # other projects service accounts (project/sa)
- module.service-accounts[vv].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[vv],
- # project's service identities
- local.service_agents_email["${each.key}/${vv}"],
- local.service_agents_email[vv],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(vv, ":")
- ? templatestring(
- vv, { project_number = module.projects[each.key].number }
- )
- : tonumber("[Error] Invalid member: '${vv}' in project '${each.key}'")
- )
- )
- ]
- }
- iam_bindings = {
- for k, v in lookup(each.value, "iam_bindings", {}) : k => merge(v, {
- members = [
- for vv in v.members : try(
- # project service accounts (sa)
- module.service-accounts["${each.key}/${vv}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.key}/automation/${vv}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.key}/${vv}"],
- # other projects service accounts (project/sa)
- module.service-accounts[vv].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[vv],
- # project's service identities
- local.service_agents_email["${each.key}/${vv}"],
- local.service_agents_email[vv],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(vv, ":")
- ? templatestring(
- vv, { project_number = module.projects[each.key].number }
- )
- : tonumber("[Error] Invalid member: '${vv}' in project '${each.key}'")
- )
- )
- ]
- role = lookup(var.factories_config.context.custom_roles, v.role, v.role)
- })
- }
- iam_bindings_additive = {
- for k, v in lookup(each.value, "iam_bindings_additive", {}) : k => merge(v, {
- member = try(
- # project service accounts (sa)
- module.service-accounts["${each.key}/${v.member}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.key}/automation/${v.member}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.key}/${v.member}"],
- # other projects service accounts (project/sa)
- module.service-accounts[v.member].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[v.member],
- # project's service identities
- local.service_agents_email["${each.key}/${v.member}"],
- local.service_agents_email[v.member],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(v.member, ":")
- ? templatestring(
- v.member, { project_number = module.projects[each.key].number }
- )
- : tonumber("[Error] Invalid member: '${v.member}' in project '${each.key}'")
- )
- )
- role = lookup(var.factories_config.context.custom_roles, v.role, v.role)
- })
- }
- # IAM by principals would trigger dynamic key errors so we don't interpolate
- # iam_by_principals = try(each.value.iam_by_principals, {})
- iam_by_principals = {
- for k, v in try(each.value.iam_by_principals, {}) :
- try(
- # project service accounts (sa)
- module.service-accounts["${each.key}/${k}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.key}/automation/${k}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.key}/${k}"],
- # other projects service accounts (project/sa)
- module.service-accounts[k].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[k],
- # project's service identities
- local.service_agents_email["${each.key}/${k}"],
- local.service_agents_email[k],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(k, ":")
- ? templatestring(
- k, { project_number = module.projects[each.key].number }
- )
- : tonumber("[Error] Invalid member: '${k}' in project '${each.key}'")
- )
- ) => [
- for vv in v : lookup(var.factories_config.context.custom_roles, vv, vv)
- ]
- }
- # Shared VPC configuration is done at stage 2, to avoid dependency cycle between project service accounts and
- # IAM grants done for those service accounts
- shared_vpc_service_config = (
- try(each.value.shared_vpc_service_config.host_project, null) == null
- ? null
- : merge(each.value.shared_vpc_service_config, {
- host_project = try(
- var.factories_config.context.vpc_host_projects[each.value.shared_vpc_service_config.host_project],
- module.projects[each.value.shared_vpc_service_config.host_project].project_id,
- each.value.shared_vpc_service_config.host_project
- )
- iam_bindings_additive = {
- for k, v in try(each.value.shared_vpc_service_config.iam_bindings_additive, {}) : k => merge(v, {
- member = try(
- # project service accounts (sa)
- module.service-accounts["${each.key}/${v.member}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.key}/automation/${v.member}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.key}/${v.member}"],
- # other projects service accounts (project/sa)
- module.service-accounts[v.member].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[v.member],
- # project's service identities
- local.service_agents_email["${each.key}/${v.member}"],
- local.service_agents_email[v.member],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(v.member, ":")
- ? templatestring(
- v.member, { project_number = module.projects[each.key].number }
- )
- : tonumber("[Error] Invalid member: '${v.member}' in project '${each.key}'")
- )
- )
- role = lookup(var.factories_config.context.custom_roles, v.role, v.role)
- })
- }
- network_users = [
- for vv in try(each.value.shared_vpc_service_config.network_users, []) :
- try(
- # project service accounts (sa)
- module.service-accounts["${each.key}/${vv}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.key}/automation/${vv}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.key}/${vv}"],
- # other projects service accounts (project/sa)
- module.service-accounts[vv].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[vv],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(vv, ":")
- ? templatestring(
- vv, { project_number = module.projects[each.key].number }
- )
- : tonumber("[Error] Invalid member: '${vv}' in project '${each.key}'")
- )
- )
- ]
- })
- )
- # add service agents config, so Service Agents can be referred in the IAM grants
- service_agents_config = {
- # default roles are granted in module.project
- grant_default_roles = false
- }
-}
-
-module "buckets" {
- source = "../gcs"
- for_each = {
- for k in local.buckets : "${k.project_key}/${k.name}" => k
- }
- project_id = module.projects[each.value.project_key].project_id
- prefix = each.value.prefix
- name = "${each.value.project_name}-${each.value.name}"
- encryption_key = each.value.encryption_key
- force_destroy = each.value.force_destroy
- iam = {
- for k, v in each.value.iam : k => [
- for vv in v : try(
- # project service accounts (sa)
- module.service-accounts["${each.value.project_key}/${vv}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.value.project_key}/automation/${vv}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.value.project_key}/${vv}"],
- # other projects service accounts (project/sa)
- module.service-accounts[vv].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[vv],
- # project's service identities
- local.service_agents_email["${each.value.project_key}/${vv}"],
- local.service_agents_email[vv],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(vv, ":")
- ? templatestring(
- vv, { project_number = module.projects[each.value.project_key].number }
- )
- : tonumber("[Error] Invalid member: '${vv}' in bucket '${each.key}'")
- )
- )
- ]
- }
- iam_bindings = {
- for k, v in each.value.iam_bindings : k => merge(v, {
- members = [
- for vv in v.members : try(
- # project service accounts (sa)
- module.service-accounts["${each.value.project_key}/${vv}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.value.project_key}/automation/${vv}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.value.project_key}/${vv}"],
- # other projects service accounts (project/sa)
- module.service-accounts[vv].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[vv],
- # project's service identities
- local.service_agents_email["${each.value.project_key}/${vv}"],
- local.service_agents_email[vv],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(vv, ":")
- ? templatestring(
- vv, { project_number = module.projects[each.value.project_key].number }
- )
- : tonumber("[Error] Invalid member: '${vv}' in bucket '${each.key}'")
- )
- )
- ]
- })
- }
- iam_bindings_additive = {
- for k, v in each.value.iam_bindings_additive : k => merge(v, {
- member = try(
- # project service accounts (sa)
- module.service-accounts["${each.value.project_key}/${v.member}"].iam_email,
- # automation service account (rw)
- local.context.iam_principals["${each.value.project_key}/automation/${v.member}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.value.project_key}/${v.member}"],
- # other projects service accounts (project/sa)
- module.service-accounts[v.member].iam_email,
- # other automation service account (project/automation/rw)
- local.context.iam_principals[v.member],
- # project's service identities
- local.service_agents_email["${each.value.project_key}/${v.member}"],
- local.service_agents_email[v.member],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(v.member, ":")
- ? templatestring(
- v.member, { project_number = module.projects[each.value.project_key].number }
- )
- : tonumber("[Error] Invalid member: '${v.member}' in bucket '${each.key}'")
- )
- )
- })
- }
- labels = each.value.labels
- location = coalesce(
- var.data_overrides.storage_location,
- lookup(each.value, "location", null),
- var.data_defaults.storage_location
- )
- storage_class = each.value.storage_class
- uniform_bucket_level_access = each.value.uniform_bucket_level_access
- versioning = each.value.versioning
-}
-
-module "service-accounts" {
- source = "../iam-service-account"
- for_each = {
- for k in local.service_accounts : "${k.project_key}/${k.name}" => k
- }
- project_id = module.projects[each.value.project_key].project_id
- name = each.value.name
- display_name = each.value.display_name
- iam = {
- for k, v in lookup(each.value, "iam", {}) : k => [
- for vv in v : try(
- # automation service account (rw)
- local.context.iam_principals["${each.value.project_key}/automation/${vv}"],
- # automation service account (automation/rw)
- local.context.iam_principals["${each.value.project_key}/${vv}"],
- # other automation service account (project/automation/rw)
- local.context.iam_principals[vv],
- # passthrough + error handling using tonumber until Terraform gets fail/raise function
- (
- strcontains(vv, ":")
- ? vv
- : tonumber("[Error] Invalid member: '${vv}' in project '${each.value.project_key}'")
- )
- )
- ]
- }
- iam_project_roles = merge(
- {
- for k, v in each.value.iam_project_roles :
- lookup(var.factories_config.context.vpc_host_projects, k, k) => v
- },
- each.value.iam_self_roles == null ? {} : {
- (module.projects[each.value.project_key].project_id) = each.value.iam_self_roles
- }
- )
-}
-
-module "service_accounts-iam" {
- source = "../iam-service-account"
- for_each = {
- for k in local.service_accounts : "${k.project_key}/${k.name}" => k
- if k.iam_sa_roles != {}
- }
- project_id = module.service-accounts[each.key].service_account.project
- name = each.value.name
- service_account_create = false
- iam_sa_roles = {
- for k, v in each.value.iam_sa_roles : lookup(
- local.service_accounts_names, "${each.value.project_key}/${k}", k
- ) => v
- }
-}
-
-module "billing-account" {
- source = "../billing-account"
- count = var.factories_config.budgets == null ? 0 : 1
- id = var.factories_config.budgets.billing_account
- budget_notification_channels = (
- var.factories_config.budgets.notification_channels
- )
- budgets = local.budgets
-}
diff --git a/modules/project-factory-legacy/outputs.tf b/modules/project-factory-legacy/outputs.tf
deleted file mode 100644
index 770b89518..000000000
--- a/modules/project-factory-legacy/outputs.tf
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-output "buckets" {
- description = "Bucket names."
- value = {
- for k, v in module.buckets : k => v.name
- }
-}
-
-output "folders" {
- description = "Folder ids."
- value = local.hierarchy
-}
-
-output "projects" {
- description = "Created projects."
- value = {
- for k, v in module.projects : k => {
- number = v.number
- project_id = v.id
- project = v
- automation = (
- lookup(local.projects[k], "automation", null) == null
- ? null
- : {
- bucket = try(module.automation-bucket[k].name, null)
- service_accounts = {
- for kk, vv in module.automation-service-accounts :
- trimprefix(kk, "${k}/") => vv.email
- if startswith(kk, "${k}/")
- }
- }
- )
- service_agents = {
- for k, v in v.service_agents : k => v.email if v.is_primary
- }
- }
- }
-}
-
-output "service_accounts" {
- description = "Service account emails."
- value = module.service-accounts
-}
diff --git a/modules/project-factory-legacy/schemas/budget.schema.json b/modules/project-factory-legacy/schemas/budget.schema.json
deleted file mode 120000
index 618778222..000000000
--- a/modules/project-factory-legacy/schemas/budget.schema.json
+++ /dev/null
@@ -1 +0,0 @@
-../../billing-account/schemas/budget.schema.json
\ No newline at end of file
diff --git a/modules/project-factory-legacy/schemas/budget.schema.md b/modules/project-factory-legacy/schemas/budget.schema.md
deleted file mode 100644
index 33bb16038..000000000
--- a/modules/project-factory-legacy/schemas/budget.schema.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# Budget
-
-
-
-## Properties
-
-*additional properties: false*
-
-- ⁺**amount**: *object*
-
*additional properties: false*
- - **currency_code**: *string*
- - **nanos**: *number*
- - **units**: *number*
- - **use_last_period**: *boolean*
-- **display_name**: *string*
-- **filter**: *object*
-
*additional properties: false*
- - **credit_types_treatment**: *object*
-
*additional properties: false*
- - **exclude_all**: *boolean*
- - **include_specified**: *array*
- - items: *string*
- - **label**: *object*
-
*additional properties: false*
- - **key**: *string*
- - **value**: *string*
- - **period**: *object*
-
*additional properties: false*
- - **calendar**: *string*
- - **custom**: *object*
-
*additional properties: false*
- - **start_date**: *reference([date](#refs-date))*
- - **end_date**: *reference([date](#refs-date))*
- - **projects**: *array*
- - items: *string*
- - **resource_ancestors**: *array*
- - items: *string*
- - **services**: *array*
- - items: *string*
- - **subaccounts**: *array*
- - items: *string*
-- **threshold_rules**: *array*
- - items: *object*
-
*additional properties: false*
- - ⁺**percent**: *number*
- - **forecasted_spend**: *boolean*
-- **update_rules**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **disable_default_iam_recipients**: *boolean*
- - **monitoring_notification_channels**: *array*
- - items: *string*
- - **pubsub_topic**: *string*
-
-## Definitions
-
-- **date**: *object*
-
*additional properties: false*
- - **day**: *number*
- - **month**: *number*
- - **year**: *number*
diff --git a/modules/project-factory-legacy/schemas/folder.schema.json b/modules/project-factory-legacy/schemas/folder.schema.json
deleted file mode 100644
index 1e87c94c6..000000000
--- a/modules/project-factory-legacy/schemas/folder.schema.json
+++ /dev/null
@@ -1,221 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "Folder",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "iam_by_principals": {
- "$ref": "#/$defs/iam_by_principals"
- },
- "name": {
- "type": "string"
- },
- "org_policies": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z]+\\.": {
- "type": "object",
- "properties": {
- "inherit_from_parent": {
- "type": "boolean"
- },
- "reset": {
- "type": "boolean"
- },
- "rules": {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "allow": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "deny": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "enforce": {
- "type": "boolean"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "expression": {
- "type": "string"
- },
- "location": {
- "type": "string"
- },
- "title": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "parent": {
- "type": "string"
- },
- "tag_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "string"
- }
- }
- }
- },
- "$defs": {
- "iam": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^roles/": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- }
- }
- },
- "iam_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "members": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- },
- "role": {
- "type": "string",
- "pattern": "^roles/"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_bindings_additive": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "member": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- },
- "role": {
- "type": "string",
- "pattern": "^roles/"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_by_principals": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^roles/"
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/modules/project-factory-legacy/schemas/folder.schema.md b/modules/project-factory-legacy/schemas/folder.schema.md
deleted file mode 100644
index 7ea4d8c0c..000000000
--- a/modules/project-factory-legacy/schemas/folder.schema.md
+++ /dev/null
@@ -1,82 +0,0 @@
-# Folder
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **iam**: *reference([iam](#refs-iam))*
-- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
-- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
-- **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
-- **name**: *string*
-- **org_policies**: *object*
-
*additional properties: false*
- - **`^[a-z]+\.`**: *object*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
-- **parent**: *string*
-- **tag_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *string*
-
-## Definitions
-
-- **iam**: *object*
-
*additional properties: false*
- - **`^roles/`**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
-- **iam_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **members**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^roles/*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_bindings_additive**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **member**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^roles/*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_by_principals**: *object*
-
*additional properties: false*
- - **`^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])`**: *array*
- - items: *string*
-
*pattern: ^roles/*
diff --git a/modules/project-factory-legacy/schemas/project.schema.json b/modules/project-factory-legacy/schemas/project.schema.json
deleted file mode 100644
index 8f255e909..000000000
--- a/modules/project-factory-legacy/schemas/project.schema.json
+++ /dev/null
@@ -1,724 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "Project",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "automation": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "project"
- ],
- "properties": {
- "prefix": {
- "type": "string"
- },
- "project": {
- "type": "string"
- },
- "bucket": {
- "$ref": "#/$defs/bucket"
- },
- "service_accounts": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "iam_billing_roles": {
- "$ref": "#/$defs/iam_billing_roles"
- },
- "iam_folder_roles": {
- "$ref": "#/$defs/iam_folder_roles"
- },
- "iam_organization_roles": {
- "$ref": "#/$defs/iam_organization_roles"
- },
- "iam_project_roles": {
- "$ref": "#/$defs/iam_project_roles"
- },
- "iam_sa_roles": {
- "$ref": "#/$defs/iam_sa_roles"
- },
- "iam_storage_roles": {
- "$ref": "#/$defs/iam_storage_roles"
- }
- }
- }
- }
- }
- }
- },
- "billing_account": {
- "type": "string"
- },
- "billing_budgets": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "buckets": {
- "$ref": "#/$defs/buckets"
- },
- "contacts": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "deletion_policy": {
- "type": "string",
- "enum": [
- "PREVENT",
- "DELETE",
- "ABANDON"
- ]
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "iam_by_principals": {
- "$ref": "#/$defs/iam_by_principals"
- },
- "labels": {
- "type": "object"
- },
- "metric_scopes": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "name": {
- "type": "string"
- },
- "org_policies": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z]+\\.": {
- "type": "object",
- "properties": {
- "inherit_from_parent": {
- "type": "boolean"
- },
- "reset": {
- "type": "boolean"
- },
- "rules": {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "allow": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "deny": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "all": {
- "type": "boolean"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "enforce": {
- "type": "boolean"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "expression": {
- "type": "string"
- },
- "location": {
- "type": "string"
- },
- "title": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "quotas": {
- "title": "Quotas",
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-zA-Z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "service",
- "quota_id",
- "preferred_value"
- ],
- "properties": {
- "service": {
- "type": "string"
- },
- "quota_id": {
- "type": "string"
- },
- "preferred_value": {
- "type": "number"
- },
- "dimensions": {
- "type": "object",
- "additionalProperties": {
- "type": "string"
- }
- },
- "justification": {
- "type": "string"
- },
- "contact_email": {
- "type": "string"
- },
- "annotations": {
- "type": "object",
- "additionalProperties": {
- "type": "string"
- }
- },
- "ignore_safety_checks": {
- "type": "string",
- "enum": [
- "QUOTA_DECREASE_BELOW_USAGE",
- "QUOTA_DECREASE_PERCENTAGE_TOO_HIGH",
- "QUOTA_SAFETY_CHECK_UNSPECIFIED"
- ]
- }
- }
- }
- }
- },
- "parent": {
- "type": "string"
- },
- "prefix": {
- "type": "string"
- },
- "project_reuse": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "use_data_source": {
- "type": "boolean"
- },
- "attributes": {
- "type": "object",
- "required": [
- "name",
- "number"
- ],
- "properties": {
- "name": {
- "type": "string"
- },
- "number": {
- "type": "number"
- },
- "services_enabled": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
- },
- "service_accounts": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "display_name": {
- "type": "string"
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_self_roles": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "iam_project_roles": {
- "$ref": "#/$defs/iam_project_roles"
- },
- "iam_sa_roles": {
- "$ref": "#/$defs/iam_sa_roles"
- }
- }
- }
- }
- },
- "service_encryption_key_ids": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z-]+\\.googleapis\\.com$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "services": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^[a-z-]+\\.googleapis\\.com$"
- }
- },
- "shared_vpc_host_config": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "enabled"
- ],
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "service_projects": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "shared_vpc_service_config": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "host_project"
- ],
- "properties": {
- "host_project": {
- "type": "string"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "network_users": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "service_agent_iam": {
- "type": "object",
- "additionalItems": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "service_agent_subnet_iam": {
- "type": "object",
- "additionalItems": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "service_iam_grants": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "network_subnet_users": {
- "type": "object",
- "additionalItems": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
- },
- "tag_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "string"
- }
- }
- },
- "tags": {
- "type": "object",
- "additionalProperties": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "id": {
- "type": "string"
- },
- "values": {
- "type": "object",
- "additionalProperties": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "id": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "vpc_sc": {
- "type": "object",
- "additionalItems": false,
- "required": [
- "perimeter_name"
- ],
- "properties": {
- "perimeter_name": {
- "type": "string"
- },
- "is_dry_run": {
- "type": "boolean"
- }
- }
- }
- },
- "$defs": {
- "bucket": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "description": {
- "type": "string"
- },
- "iam": {
- "$ref": "#/$defs/iam"
- },
- "iam_bindings": {
- "$ref": "#/$defs/iam_bindings"
- },
- "iam_bindings_additive": {
- "$ref": "#/$defs/iam_bindings_additive"
- },
- "force_destroy": {
- "type": "boolean"
- },
- "labels": {
- "type": "object",
- "additionalProperties": {
- "type": "string"
- }
- },
- "location": {
- "type": "string"
- },
- "prefix": {
- "type": "string"
- },
- "storage_class": {
- "type": "string"
- },
- "uniform_bucket_level_access": {
- "type": "boolean"
- },
- "versioning": {
- "type": "boolean"
- }
- }
- },
- "buckets": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "$ref": "#/$defs/bucket"
- }
- }
- },
- "iam": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^roles/": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- }
- }
- },
- "iam_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "members": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- }
- },
- "role": {
- "type": "string",
- "pattern": "^roles/"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_bindings_additive": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "member": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
- },
- "role": {
- "type": "string",
- "pattern": "^[a-zA-Z0-9_/.]+$"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_by_principals": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^roles/"
- }
- }
- }
- },
- "iam_billing_roles": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "iam_folder_roles": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "iam_organization_roles": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "iam_project_roles": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "iam_sa_roles": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- },
- "iam_storage_roles": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9-]+$": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
-}
diff --git a/modules/project-factory-legacy/schemas/project.schema.md b/modules/project-factory-legacy/schemas/project.schema.md
deleted file mode 100644
index 8ff5b23c6..000000000
--- a/modules/project-factory-legacy/schemas/project.schema.md
+++ /dev/null
@@ -1,223 +0,0 @@
-# Project
-
-
-
-## Properties
-
-*additional properties: false*
-
-- **automation**: *object*
-
*additional properties: false*
- - **prefix**: *string*
- - ⁺**project**: *string*
- - **bucket**: *reference([bucket](#refs-bucket))*
- - **service_accounts**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **iam_billing_roles**: *reference([iam_billing_roles](#refs-iam_billing_roles))*
- - **iam_folder_roles**: *reference([iam_folder_roles](#refs-iam_folder_roles))*
- - **iam_organization_roles**: *reference([iam_organization_roles](#refs-iam_organization_roles))*
- - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- - **iam_storage_roles**: *reference([iam_storage_roles](#refs-iam_storage_roles))*
-- **billing_account**: *string*
-- **billing_budgets**: *array*
- - items: *string*
-- **buckets**: *reference([buckets](#refs-buckets))*
-- **contacts**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *array*
- - items: *string*
-- **deletion_policy**: *string*
-
*enum: ['PREVENT', 'DELETE', 'ABANDON']*
-- **iam**: *reference([iam](#refs-iam))*
-- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
-- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
-- **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
-- **labels**: *object*
-- **metric_scopes**: *array*
- - items: *string*
-- **name**: *string*
-- **org_policies**: *object*
-
*additional properties: false*
- - **`^[a-z]+\.`**: *object*
- - **inherit_from_parent**: *boolean*
- - **reset**: *boolean*
- - **rules**: *array*
- - items: *object*
-
*additional properties: false*
- - **allow**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **deny**: *object*
-
*additional properties: false*
- - **all**: *boolean*
- - **values**: *array*
- - items: *string*
- - **enforce**: *boolean*
- - **condition**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **expression**: *string*
- - **location**: *string*
- - **title**: *string*
-- **quotas**: *object*
-
*additional properties: false*
- - **`^[a-zA-Z0-9_-]+$`**: *object*
-
*additional properties: false*
- - ⁺**service**: *string*
- - ⁺**quota_id**: *string*
- - ⁺**preferred_value**: *number*
- - **dimensions**: *object*
- *additional properties: String*
- - **justification**: *string*
- - **contact_email**: *string*
- - **annotations**: *object*
- *additional properties: String*
- - **ignore_safety_checks**: *string*
-
*enum: ['QUOTA_DECREASE_BELOW_USAGE', 'QUOTA_DECREASE_PERCENTAGE_TOO_HIGH', 'QUOTA_SAFETY_CHECK_UNSPECIFIED']*
-- **parent**: *string*
-- **prefix**: *string*
-- **project_reuse**: *object*
-
*additional properties: false*
- - **use_data_source**: *boolean*
- - **attributes**: *object*
- - ⁺**name**: *string*
- - ⁺**number**: *number*
- - **services_enabled**: *array*
- - items: *string*
-- **service_accounts**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *object*
-
*additional properties: false*
- - **display_name**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_self_roles**: *array*
- - items: *string*
- - **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- - **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
-- **service_encryption_key_ids**: *object*
-
*additional properties: false*
- - **`^[a-z-]+\.googleapis\.com$`**: *array*
- - items: *string*
-- **services**: *array*
- - items: *string*
-
*pattern: ^[a-z-]+\.googleapis\.com$*
-- **shared_vpc_host_config**: *object*
-
*additional properties: false*
- - ⁺**enabled**: *boolean*
- - **service_projects**: *array*
- - items: *string*
-- **shared_vpc_service_config**: *object*
-
*additional properties: false*
- - ⁺**host_project**: *string*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **network_users**: *array*
- - items: *string*
- - **service_agent_iam**: *object*
- - **`^[a-z0-9_-]+$`**: *array*
- - items: *string*
- - **service_agent_subnet_iam**: *object*
- - **`^[a-z0-9_-]+$`**: *array*
- - items: *string*
- - **service_iam_grants**: *array*
- - items: *string*
- - **network_subnet_users**: *object*
- - **`^[a-z0-9_-]+$`**: *array*
- - items: *string*
-- **tag_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *string*
-- **tags**: *object*
- *additional properties: Object*
-- **vpc_sc**: *object*
- - ⁺**perimeter_name**: *string*
- - **is_dry_run**: *boolean*
-
-## Definitions
-
-- **bucket**: *object*
-
*additional properties: false*
- - **description**: *string*
- - **iam**: *reference([iam](#refs-iam))*
- - **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- - **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- - **force_destroy**: *boolean*
- - **labels**: *object*
- *additional properties: String*
- - **location**: *string*
- - **prefix**: *string*
- - **storage_class**: *string*
- - **uniform_bucket_level_access**: *boolean*
- - **versioning**: *boolean*
-- **buckets**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *reference([bucket](#refs-bucket))*
-- **iam**: *object*
-
*additional properties: false*
- - **`^roles/`**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
-- **iam_bindings**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **members**: *array*
- - items: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^roles/*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_bindings_additive**: *object*
-
*additional properties: false*
- - **`^[a-z0-9_-]+$`**: *object*
-
*additional properties: false*
- - **member**: *string*
-
*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])*
- - **role**: *string*
-
*pattern: ^[a-zA-Z0-9_/.]+$*
- - **condition**: *object*
-
*additional properties: false*
- - ⁺**expression**: *string*
- - ⁺**title**: *string*
- - **description**: *string*
-- **iam_by_principals**: *object*
-
*additional properties: false*
- - **`^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])`**: *array*
- - items: *string*
-
*pattern: ^roles/*
-- **iam_billing_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_folder_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_organization_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_project_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_sa_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
-- **iam_storage_roles**: *object*
-
*additional properties: false*
- - **`^[a-z0-9-]+$`**: *array*
- - items: *string*
diff --git a/modules/project-factory-legacy/variables.tf b/modules/project-factory-legacy/variables.tf
deleted file mode 100644
index 5dbc10c6f..000000000
--- a/modules/project-factory-legacy/variables.tf
+++ /dev/null
@@ -1,415 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "data_defaults" {
- description = "Optional default values used when corresponding project data from files are missing."
- type = object({
- billing_account = optional(string)
- bucket = optional(object({
- force_destroy = optional(bool)
- }), {})
- contacts = optional(map(list(string)), {})
- deletion_policy = optional(string)
- factories_config = optional(object({
- custom_roles = optional(string)
- observability = optional(string)
- org_policies = optional(string)
- quotas = optional(string)
- }), {})
- labels = optional(map(string), {})
- metric_scopes = optional(list(string), [])
- parent = optional(string)
- prefix = optional(string)
- project_reuse = optional(object({
- use_data_source = optional(bool, true)
- attributes = optional(object({
- name = string
- number = number
- services_enabled = optional(list(string), [])
- }))
- }))
- service_encryption_key_ids = optional(map(list(string)), {})
- services = optional(list(string), [])
- shared_vpc_service_config = optional(object({
- host_project = string
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- network_users = optional(list(string), [])
- service_agent_iam = optional(map(list(string)), {})
- service_agent_subnet_iam = optional(map(list(string)), {})
- service_iam_grants = optional(list(string), [])
- network_subnet_users = optional(map(list(string)), {})
- }))
- storage_location = optional(string)
- tag_bindings = optional(map(string), {})
- # non-project resources
- service_accounts = optional(map(object({
- display_name = optional(string, "Terraform-managed.")
- iam_self_roles = optional(list(string))
- })), {})
- vpc_sc = optional(object({
- perimeter_name = string
- is_dry_run = optional(bool, false)
- }))
- logging_data_access = optional(map(object({
- ADMIN_READ = optional(object({ exempted_members = optional(list(string)) })),
- DATA_READ = optional(object({ exempted_members = optional(list(string)) })),
- DATA_WRITE = optional(object({ exempted_members = optional(list(string)) }))
- })), {})
- })
- nullable = false
- default = {}
-}
-
-variable "data_merges" {
- description = "Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`."
- type = object({
- contacts = optional(map(list(string)), {})
- labels = optional(map(string), {})
- metric_scopes = optional(list(string), [])
- service_encryption_key_ids = optional(map(list(string)), {})
- services = optional(list(string), [])
- tag_bindings = optional(map(string), {})
- # non-project resources
- service_accounts = optional(map(object({
- display_name = optional(string, "Terraform-managed.")
- iam_self_roles = optional(list(string))
- })), {})
- })
- nullable = false
- default = {}
-}
-
-variable "data_overrides" {
- description = "Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`."
- type = object({
- # data overrides default to null to mark that they should not override
- billing_account = optional(string)
- bucket = optional(object({
- force_destroy = optional(bool)
- }), {})
- contacts = optional(map(list(string)))
- deletion_policy = optional(string)
- factories_config = optional(object({
- custom_roles = optional(string)
- observability = optional(string)
- org_policies = optional(string)
- quotas = optional(string)
- }), {})
- parent = optional(string)
- prefix = optional(string)
- service_encryption_key_ids = optional(map(list(string)))
- storage_location = optional(string)
- tag_bindings = optional(map(string))
- services = optional(list(string))
- # non-project resources
- service_accounts = optional(map(object({
- display_name = optional(string, "Terraform-managed.")
- iam_self_roles = optional(list(string))
- })))
- vpc_sc = optional(object({
- perimeter_name = string
- is_dry_run = optional(bool, false)
- }))
- logging_data_access = optional(map(object({
- ADMIN_READ = optional(object({ exempted_members = optional(list(string)) })),
- DATA_READ = optional(object({ exempted_members = optional(list(string)) })),
- DATA_WRITE = optional(object({ exempted_members = optional(list(string)) }))
- })))
- })
- nullable = false
- default = {}
-}
-
-variable "factories_config" {
- description = "Path to folder with YAML resource description data files."
- type = object({
- folders_data_path = optional(string)
- projects_data_path = optional(string)
- budgets = optional(object({
- billing_account = string
- budgets_data_path = string
- # TODO: allow defining notification channels via YAML files
- notification_channels = optional(map(any), {})
- }))
- context = optional(object({
- custom_roles = optional(map(string), {})
- folder_ids = optional(map(string), {})
- iam_principals = optional(map(string), {})
- kms_keys = optional(map(string), {})
- perimeters = optional(map(string), {})
- tag_values = optional(map(string), {})
- vpc_host_projects = optional(map(string), {})
- notification_channels = optional(map(string), {})
- }), {})
- projects_config = optional(object({
- key_ignores_path = optional(bool, false)
- }), {})
- })
- nullable = false
-}
-
-variable "factories_data" {
- description = "Alternate factory data input allowing to use this module as a library. Merged with local YAML data."
- type = object({
- budgets = optional(map(object({
- amount = object({
- currency_code = optional(string)
- nanos = optional(number)
- units = optional(number)
- use_last_period = optional(bool)
- })
- display_name = optional(string)
- filter = optional(object({
- credit_types_treatment = optional(object({
- exclude_all = optional(bool)
- include_specified = optional(list(string))
- }))
- label = optional(object({
- key = string
- value = string
- }))
- period = optional(object({
- calendar = optional(string)
- custom = optional(object({
- start_date = object({
- day = number
- month = number
- year = number
- })
- end_date = optional(object({
- day = number
- month = number
- year = number
- }))
- }))
- }))
- projects = optional(list(string))
- resource_ancestors = optional(list(string))
- services = optional(list(string))
- subaccounts = optional(list(string))
- }))
- threshold_rules = optional(list(object({
- percent = number
- forecasted_spend = optional(bool)
- })), [])
- update_rules = optional(map(object({
- disable_default_iam_recipients = optional(bool)
- monitoring_notification_channels = optional(list(string))
- pubsub_topic = optional(string)
- })), {})
- })), {})
- hierarchy = optional(map(object({
- name = optional(string)
- parent = optional(string)
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- members = list(string)
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_by_principals = optional(map(list(string)), {})
- tag_bindings = optional(map(string), {})
- })), {})
- projects = optional(map(object({
- automation = optional(object({
- project = string
- bucket = optional(object({
- location = string
- description = optional(string)
- force_destroy = optional(bool)
- prefix = optional(string)
- storage_class = optional(string, "STANDARD")
- uniform_bucket_level_access = optional(bool, true)
- versioning = optional(bool)
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- members = list(string)
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- labels = optional(map(string), {})
- }))
- service_accounts = optional(map(object({
- description = optional(string)
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- members = list(string)
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_billing_roles = optional(map(list(string)), {})
- iam_folder_roles = optional(map(list(string)), {})
- iam_organization_roles = optional(map(list(string)), {})
- iam_project_roles = optional(map(list(string)), {})
- iam_sa_roles = optional(map(list(string)), {})
- iam_storage_roles = optional(map(list(string)), {})
- })), {})
- }))
- billing_account = optional(string)
- billing_budgets = optional(list(string), [])
- buckets = optional(map(object({
- location = string
- description = optional(string)
- force_destroy = optional(bool)
- prefix = optional(string)
- storage_class = optional(string, "STANDARD")
- uniform_bucket_level_access = optional(bool, true)
- versioning = optional(bool)
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- members = list(string)
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- labels = optional(map(string), {})
- })), {})
- contacts = optional(map(list(string)), {})
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- members = list(string)
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_by_principals = optional(map(list(string)), {})
- labels = optional(map(string), {})
- metric_scopes = optional(list(string), [])
- name = optional(string)
- org_policies = optional(map(object({
- inherit_from_parent = optional(bool) # for list policies only.
- reset = optional(bool)
- rules = optional(list(object({
- allow = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- deny = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- enforce = optional(bool) # for boolean policies only.
- condition = optional(object({
- description = optional(string)
- expression = optional(string)
- location = optional(string)
- title = optional(string)
- }), {})
- parameters = optional(string)
- })), [])
- })), {})
- parent = optional(string)
- prefix = optional(string)
- service_accounts = optional(map(object({
- display_name = optional(string)
- iam_self_roles = optional(list(string), [])
- iam_project_roles = optional(map(list(string)), {})
- })), {})
- service_encryption_key_ids = optional(map(list(string)), {})
- services = optional(list(string), [])
- shared_vpc_host_config = optional(object({
- enabled = bool
- service_projects = optional(list(string), [])
- }))
- shared_vpc_service_config = optional(object({
- host_project = string
- network_users = optional(list(string), [])
- service_agent_iam = optional(map(list(string)), {})
- service_agent_subnet_iam = optional(map(list(string)), {})
- service_iam_grants = optional(list(string), [])
- network_subnet_users = optional(map(list(string)), {})
- }))
- tag_bindings = optional(map(string), {})
- vpc_sc = optional(object({
- perimeter_name = string
- is_dry_run = optional(bool, false)
- }))
- })), {})
- })
- nullable = false
- default = {}
-}
diff --git a/modules/project/versions.tf b/modules/project/versions.tf
index 5aab44989..983c968f0 100644
--- a/modules/project/versions.tf
+++ b/modules/project/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/project:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/project:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/project:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/project:v45.0.0-tf"
}
}
diff --git a/modules/project/versions.tofu b/modules/project/versions.tofu
index 146450629..a0d201845 100644
--- a/modules/project/versions.tofu
+++ b/modules/project/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/project:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/project:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/project:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/project:v45.0.0-tofu"
}
}
diff --git a/modules/projects-data-source/versions.tf b/modules/projects-data-source/versions.tf
index f365083c2..9445cafe8 100644
--- a/modules/projects-data-source/versions.tf
+++ b/modules/projects-data-source/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/projects-data-source:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/projects-data-source:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/projects-data-source:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/projects-data-source:v45.0.0-tf"
}
}
diff --git a/modules/projects-data-source/versions.tofu b/modules/projects-data-source/versions.tofu
index 3cff65feb..676c17a5d 100644
--- a/modules/projects-data-source/versions.tofu
+++ b/modules/projects-data-source/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/projects-data-source:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/projects-data-source:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/projects-data-source:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/projects-data-source:v45.0.0-tofu"
}
}
diff --git a/modules/pubsub/versions.tf b/modules/pubsub/versions.tf
index fd02d7ea1..770672688 100644
--- a/modules/pubsub/versions.tf
+++ b/modules/pubsub/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/pubsub:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/pubsub:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/pubsub:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/pubsub:v45.0.0-tf"
}
}
diff --git a/modules/pubsub/versions.tofu b/modules/pubsub/versions.tofu
index 758455b43..fd78e2178 100644
--- a/modules/pubsub/versions.tofu
+++ b/modules/pubsub/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/pubsub:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/pubsub:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/pubsub:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/pubsub:v45.0.0-tofu"
}
}
diff --git a/modules/secops-rules/versions.tf b/modules/secops-rules/versions.tf
index 44c7516b9..388812ec2 100644
--- a/modules/secops-rules/versions.tf
+++ b/modules/secops-rules/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secops-rules:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secops-rules:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secops-rules:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secops-rules:v45.0.0-tf"
}
}
diff --git a/modules/secops-rules/versions.tofu b/modules/secops-rules/versions.tofu
index 72b3c791e..c21600d72 100644
--- a/modules/secops-rules/versions.tofu
+++ b/modules/secops-rules/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secops-rules:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secops-rules:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secops-rules:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secops-rules:v45.0.0-tofu"
}
}
diff --git a/modules/secret-manager/versions.tf b/modules/secret-manager/versions.tf
index 1d31439b7..b84576f2b 100644
--- a/modules/secret-manager/versions.tf
+++ b/modules/secret-manager/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secret-manager:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secret-manager:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secret-manager:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secret-manager:v45.0.0-tf"
}
}
diff --git a/modules/secret-manager/versions.tofu b/modules/secret-manager/versions.tofu
index a46082c63..156184575 100644
--- a/modules/secret-manager/versions.tofu
+++ b/modules/secret-manager/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secret-manager:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secret-manager:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secret-manager:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secret-manager:v45.0.0-tofu"
}
}
diff --git a/modules/secure-source-manager-instance/versions.tf b/modules/secure-source-manager-instance/versions.tf
index 0012ea07b..9223ee048 100644
--- a/modules/secure-source-manager-instance/versions.tf
+++ b/modules/secure-source-manager-instance/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secure-source-manager-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secure-source-manager-instance:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secure-source-manager-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secure-source-manager-instance:v45.0.0-tf"
}
}
diff --git a/modules/secure-source-manager-instance/versions.tofu b/modules/secure-source-manager-instance/versions.tofu
index c72208033..9a56988f8 100644
--- a/modules/secure-source-manager-instance/versions.tofu
+++ b/modules/secure-source-manager-instance/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secure-source-manager-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secure-source-manager-instance:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/secure-source-manager-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/secure-source-manager-instance:v45.0.0-tofu"
}
}
diff --git a/modules/service-directory/versions.tf b/modules/service-directory/versions.tf
index 173ce0b33..ed4640b00 100644
--- a/modules/service-directory/versions.tf
+++ b/modules/service-directory/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/service-directory:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/service-directory:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/service-directory:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/service-directory:v45.0.0-tf"
}
}
diff --git a/modules/service-directory/versions.tofu b/modules/service-directory/versions.tofu
index f88c97102..96f79d16d 100644
--- a/modules/service-directory/versions.tofu
+++ b/modules/service-directory/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/service-directory:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/service-directory:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/service-directory:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/service-directory:v45.0.0-tofu"
}
}
diff --git a/modules/source-repository/versions.tf b/modules/source-repository/versions.tf
index 978c0bb74..3d6efb788 100644
--- a/modules/source-repository/versions.tf
+++ b/modules/source-repository/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/source-repository:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/source-repository:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/source-repository:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/source-repository:v45.0.0-tf"
}
}
diff --git a/modules/source-repository/versions.tofu b/modules/source-repository/versions.tofu
index fcb4ef697..d04bb5b9a 100644
--- a/modules/source-repository/versions.tofu
+++ b/modules/source-repository/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/source-repository:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/source-repository:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/source-repository:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/source-repository:v45.0.0-tofu"
}
}
diff --git a/modules/spanner-instance/versions.tf b/modules/spanner-instance/versions.tf
index 447292b5a..0811e8cc9 100644
--- a/modules/spanner-instance/versions.tf
+++ b/modules/spanner-instance/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/spanner-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/spanner-instance:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/spanner-instance:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/spanner-instance:v45.0.0-tf"
}
}
diff --git a/modules/spanner-instance/versions.tofu b/modules/spanner-instance/versions.tofu
index e8cce0095..896478b01 100644
--- a/modules/spanner-instance/versions.tofu
+++ b/modules/spanner-instance/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/spanner-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/spanner-instance:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/spanner-instance:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/spanner-instance:v45.0.0-tofu"
}
}
diff --git a/modules/vpc-sc/versions.tf b/modules/vpc-sc/versions.tf
index f1b5a3666..e0c7f7cf1 100644
--- a/modules/vpc-sc/versions.tf
+++ b/modules/vpc-sc/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/vpc-sc:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/vpc-sc:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/vpc-sc:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/vpc-sc:v45.0.0-tf"
}
}
diff --git a/modules/vpc-sc/versions.tofu b/modules/vpc-sc/versions.tofu
index 6c3f9be4a..8c13d1cc3 100644
--- a/modules/vpc-sc/versions.tofu
+++ b/modules/vpc-sc/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/vpc-sc:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/vpc-sc:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/vpc-sc:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/vpc-sc:v45.0.0-tofu"
}
}
diff --git a/modules/workstation-cluster/versions.tf b/modules/workstation-cluster/versions.tf
index 04733a811..3f2c9eae1 100644
--- a/modules/workstation-cluster/versions.tf
+++ b/modules/workstation-cluster/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/workstation-cluster:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/workstation-cluster:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/workstation-cluster:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/workstation-cluster:v45.0.0-tf"
}
}
diff --git a/modules/workstation-cluster/versions.tofu b/modules/workstation-cluster/versions.tofu
index d1ccba7a7..4889ade3b 100644
--- a/modules/workstation-cluster/versions.tofu
+++ b/modules/workstation-cluster/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/workstation-cluster:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/workstation-cluster:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/workstation-cluster:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/workstation-cluster:v45.0.0-tofu"
}
}
diff --git a/tests/examples_e2e/setup_module/versions.tf b/tests/examples_e2e/setup_module/versions.tf
index 111f901c5..fc5c9f999 100644
--- a/tests/examples_e2e/setup_module/versions.tf
+++ b/tests/examples_e2e/setup_module/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/tests/examples_e2e/setup_module:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/tests/examples_e2e/setup_module:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/tests/examples_e2e/setup_module:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/tests/examples_e2e/setup_module:v45.0.0-tf"
}
}
diff --git a/tests/examples_e2e/setup_module/versions.tofu b/tests/examples_e2e/setup_module/versions.tofu
index 35c5d66ad..10b1a5636 100644
--- a/tests/examples_e2e/setup_module/versions.tofu
+++ b/tests/examples_e2e/setup_module/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/tests/examples_e2e/setup_module:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/tests/examples_e2e/setup_module:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/tests/examples_e2e/setup_module:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/tests/examples_e2e/setup_module:v45.0.0-tofu"
}
}
diff --git a/tests/fast/stages/s0_bootstrap_legacy/__init__.py b/tests/fast/stages/s0_bootstrap_legacy/__init__.py
deleted file mode 100644
index c37e93b74..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/__init__.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
diff --git a/tests/fast/stages/s0_bootstrap_legacy/cicd.tfvars b/tests/fast/stages/s0_bootstrap_legacy/cicd.tfvars
deleted file mode 100644
index 4e6490266..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/cicd.tfvars
+++ /dev/null
@@ -1,58 +0,0 @@
-billing_account = {
- id = "000000-111111-222222"
-}
-essential_contacts = "gcp-organization-admins@fast.example.com"
-groups = {
- gcp-support = "group:gcp-support@example.com"
-}
-org_policies_config = {
- import_defaults = false
-}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
-}
-outputs_location = "/fast-config"
-prefix = "fast"
-cicd_config = {
- bootstrap = {
- identity_provider = "gh-test"
- repository = {
- name = "fast/bootstrap"
- type = "github"
- branch = "main"
- }
- }
- resman = {
- identity_provider = "gl-test"
- repository = {
- name = "fast/resource_management"
- type = "gitlab"
- branch = "main"
- }
- }
-}
-fast_addon = {
- resman-tenants = {
- parent_stage = "1-resman"
- cicd_config = {
- identity_provider = "gh-test"
- repository = {
- name = "fast/tenants"
- type = "github"
- branch = "main"
- }
- }
- }
-}
-workload_identity_providers = {
- gh-test = {
- attribute_condition = "attribute.repository_owner==\"fast\""
- issuer = "github"
- }
- gl-test = {
- attribute_condition = "attribute.namespace_path==\"fast\""
- issuer = "gitlab"
- }
-}
diff --git a/tests/fast/stages/s0_bootstrap_legacy/cicd.yaml b/tests/fast/stages/s0_bootstrap_legacy/cicd.yaml
deleted file mode 100644
index 44eda390b..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/cicd.yaml
+++ /dev/null
@@ -1,2602 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- google_iam_workload_identity_pool.default[0]:
- description: null
- disabled: null
- display_name: null
- project: fast-prod-iac-core-0
- timeouts: null
- workload_identity_pool_id: fast-bootstrap
- google_iam_workload_identity_pool_provider.default["gh-test"]:
- attribute_condition: attribute.repository_owner=="fast"
- attribute_mapping:
- attribute.actor: assertion.actor
- attribute.fast_sub: '"repo:" + assertion.repository + ":ref:" + assertion.ref'
- attribute.ref: assertion.ref
- attribute.repository: assertion.repository
- attribute.repository_owner: assertion.repository_owner
- attribute.sub: assertion.sub
- google.subject: assertion.sub
- aws: []
- description: null
- disabled: null
- display_name: null
- oidc:
- - allowed_audiences: []
- issuer_uri: https://token.actions.githubusercontent.com
- jwks_json: null
- project: fast-prod-iac-core-0
- saml: []
- timeouts: null
- workload_identity_pool_id: fast-bootstrap
- workload_identity_pool_provider_id: fast-bootstrap-gh-test
- x509: []
- google_iam_workload_identity_pool_provider.default["gl-test"]:
- attribute_condition: attribute.namespace_path=="fast"
- attribute_mapping:
- attribute.environment: assertion.environment
- attribute.environment_protected: assertion.environment_protected
- attribute.namespace_id: assertion.namespace_id
- attribute.namespace_path: assertion.namespace_path
- attribute.pipeline_id: assertion.pipeline_id
- attribute.pipeline_source: assertion.pipeline_source
- attribute.project_id: assertion.project_id
- attribute.project_path: assertion.project_path
- attribute.ref: assertion.ref
- attribute.ref_protected: assertion.ref_protected
- attribute.ref_type: assertion.ref_type
- attribute.repository: assertion.project_path
- attribute.sub: assertion.sub
- google.subject: assertion.sub
- aws: []
- description: null
- disabled: null
- display_name: null
- oidc:
- - allowed_audiences: []
- issuer_uri: https://gitlab.com
- jwks_json: null
- project: fast-prod-iac-core-0
- saml: []
- timeouts: null
- workload_identity_pool_id: fast-bootstrap
- workload_identity_pool_provider_id: fast-bootstrap-gl-test
- x509: []
- module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-iac-core-0
- module.automation-project.data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-iac-core-0
- user_project: null
- module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-iac-core-0
- timeouts: null
- module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - https://token.actions.githubusercontent.com
- - https://gitlab.com
- - https://app.terraform.io
- denied_values: null
- timeouts: null
- module.automation-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-iac-core-0
- org_id: '123456789012'
- project_id: fast-prod-iac-core-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]:
- audit_log_config:
- - exempted_members: []
- log_type: ADMIN_READ
- project: fast-prod-iac-core-0
- service: iam.googleapis.com
- module.automation-project.google_project_iam_audit_config.default["sts.googleapis.com"]:
- audit_log_config:
- - exempted_members: []
- log_type: ADMIN_READ
- project: fast-prod-iac-core-0
- service: sts.googleapis.com
- module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: organizations/123456789012/roles/storageViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/browser
- module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.editor
- module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.viewer
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]:
- condition: []
- members:
- - group:gcp-devops@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountAdmin
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - group:gcp-devops@fast.example.com
- - group:gcp-organization-admins@fast.example.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountTokenCreator
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.workloadIdentityPoolAdmin
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.workloadIdentityPoolViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/owner
- module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/source.admin
- module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/source.reader
- module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/storage.admin
- module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/viewer
- module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]:
- condition:
- - description: Resource manager service account delegated grant.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer'])
- title: resman_delegated_grant
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/resourcemanager.projectIamAdmin
- module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]:
- condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/serviceusage.serviceUsageConsumer
- module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]:
- condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/serviceusage.serviceUsageViewer
- module.automation-project.google_project_iam_member.service_agents["cloudasset"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudasset.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["cloudbuild"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.builder
- module.automation-project.google_project_iam_member.service_agents["cloudkms"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudkms.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["compute-system"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/compute.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/container.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/container.defaultNodeServiceAgent
- module.automation-project.google_project_iam_member.service_agents["monitoring-notification"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/monitoring.notificationServiceAgent
- module.automation-project.google_project_iam_member.service_agents["pubsub"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/pubsub.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["service-networking"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/servicenetworking.serviceAgent
- module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: accesscontextmanager.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigquery.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigqueryreservation.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigquerystorage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: billingbudgets.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudasset.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudbilling.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudbuild.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudkms.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudquotas.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudresourcemanager.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["compute.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: compute.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: container.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["datacatalog.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: datacatalog.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: essentialcontacts.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["iam.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: iam.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: iamcredentials.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["logging.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: logging.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["monitoring.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: monitoring.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: networksecurity.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: orgpolicy.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: pubsub.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: servicenetworking.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: serviceusage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: storage-component.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: storage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["sts.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: sts.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: cloudasset.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: cloudkms.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["container.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: container.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["monitoring.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: monitoring.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: networksecurity.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: pubsub.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: servicenetworking.googleapis.com
- timeouts: null
- module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-bootstrap-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationAdminViewer
- ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/tagViewer
- module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform organization bootstrap service account (read-only).
- email: fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-bootstrap-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform organization bootstrap service account.
- email: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- ? module.automation-tf-cicd-r-sa["bootstrap"].google_project_iam_member.project-roles["fast-prod-iac-core-0-roles/logging.logWriter"]
- : condition: []
- project: fast-prod-iac-core-0
- role: roles/logging.logWriter
- module.automation-tf-cicd-r-sa["bootstrap"].google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-1r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform CI/CD bootstrap service account (read-only).
- email: fast-prod-bootstrap-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-bootstrap-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- ? module.automation-tf-cicd-r-sa["bootstrap"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]
- : condition: []
- role: roles/iam.workloadIdentityUser
- ? module.automation-tf-cicd-r-sa["bootstrap"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.objectViewer
- ? module.automation-tf-cicd-r-sa["resman"].google_project_iam_member.project-roles["fast-prod-iac-core-0-roles/logging.logWriter"]
- : condition: []
- project: fast-prod-iac-core-0
- role: roles/logging.logWriter
- module.automation-tf-cicd-r-sa["resman"].google_service_account.service_account[0]:
- account_id: fast-prod-resman-1r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform CI/CD resman service account (read-only).
- email: fast-prod-resman-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- ? module.automation-tf-cicd-r-sa["resman"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]
- : condition: []
- role: roles/iam.workloadIdentityUser
- ? module.automation-tf-cicd-r-sa["resman"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.objectViewer
- ? module.automation-tf-cicd-r-sa["resman-tenants"].google_project_iam_member.project-roles["fast-prod-iac-core-0-roles/logging.logWriter"]
- : condition: []
- project: fast-prod-iac-core-0
- role: roles/logging.logWriter
- module.automation-tf-cicd-r-sa["resman-tenants"].google_service_account.service_account[0]:
- account_id: fast-prod-resman-tenants-1r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform CI/CD resman-tenants service account (read-only).
- email: fast-prod-resman-tenants-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-tenants-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- ? module.automation-tf-cicd-r-sa["resman-tenants"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]
- : condition: []
- role: roles/iam.workloadIdentityUser
- ? module.automation-tf-cicd-r-sa["resman-tenants"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.objectViewer
- ? module.automation-tf-cicd-sa["bootstrap"].google_project_iam_member.project-roles["fast-prod-iac-core-0-roles/logging.logWriter"]
- : condition: []
- project: fast-prod-iac-core-0
- role: roles/logging.logWriter
- module.automation-tf-cicd-sa["bootstrap"].google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-1
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform CI/CD bootstrap service account.
- email: fast-prod-bootstrap-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-bootstrap-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- ? module.automation-tf-cicd-sa["bootstrap"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]
- : condition: []
- role: roles/iam.workloadIdentityUser
- ? module.automation-tf-cicd-sa["bootstrap"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.objectViewer
- ? module.automation-tf-cicd-sa["resman"].google_project_iam_member.project-roles["fast-prod-iac-core-0-roles/logging.logWriter"]
- : condition: []
- project: fast-prod-iac-core-0
- role: roles/logging.logWriter
- module.automation-tf-cicd-sa["resman"].google_service_account.service_account[0]:
- account_id: fast-prod-resman-1
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform CI/CD resman service account.
- email: fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-cicd-sa["resman"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
- condition: []
- role: roles/iam.workloadIdentityUser
- ? module.automation-tf-cicd-sa["resman"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.objectViewer
- ? module.automation-tf-cicd-sa["resman-tenants"].google_project_iam_member.project-roles["fast-prod-iac-core-0-roles/logging.logWriter"]
- : condition: []
- project: fast-prod-iac-core-0
- role: roles/logging.logWriter
- module.automation-tf-cicd-sa["resman-tenants"].google_service_account.service_account[0]:
- account_id: fast-prod-resman-tenants-1
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform CI/CD resman-tenants service account.
- email: fast-prod-resman-tenants-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-tenants-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- ? module.automation-tf-cicd-sa["resman-tenants"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]
- : condition: []
- role: roles/iam.workloadIdentityUser
- ? module.automation-tf-cicd-sa["resman-tenants"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.objectViewer
- module.automation-tf-output-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-outputs-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-resman-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-resman-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast-prod-iac-core-resman-0
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast-prod-iac-core-resman-0
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationAdminViewer
- ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/tagViewer
- module.automation-tf-resman-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 resman service account (read-only).
- email: fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-tenants-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-resman-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 resman service account.
- email: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-tenants-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-vpcsc-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast-prod-iac-core-vpcsc-0
- condition: []
- members:
- - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast-prod-iac-core-vpcsc-0
- condition: []
- members:
- - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-vpcsc-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 vpcsc service account (read-only).
- email: fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-vpcsc-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-vpcsc-sa.google_service_account.service_account[0]:
- account_id: fast-prod-vpcsc-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 vpcsc service account.
- email: fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-vpcsc-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.billing-export-dataset[0].google_bigquery_dataset.default:
- dataset_id: billing_export
- default_encryption_configuration: []
- default_partition_expiration_ms: null
- default_table_expiration_ms: null
- delete_contents_on_destroy: false
- description: Terraform managed.
- effective_labels:
- goog-terraform-provisioned: 'true'
- external_catalog_dataset_options: []
- external_dataset_reference: []
- friendly_name: Billing export.
- labels: null
- location: EU
- max_time_travel_hours: '168'
- project: fast-prod-billing-exp-0
- resource_tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-billing-exp-0
- module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-billing-exp-0
- user_project: null
- module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-billing-exp-0
- timeouts: null
- module.billing-export-project[0].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-billing-exp-0
- org_id: '123456789012'
- project_id: fast-prod-billing-exp-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-billing-exp-0
- role: roles/owner
- module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-billing-exp-0
- role: roles/viewer
- module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]:
- condition: []
- project: fast-prod-billing-exp-0
- role: roles/bigquerydatatransfer.serviceAgent
- module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: bigquery.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: bigquerydatatransfer.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: storage.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]:
- project: fast-prod-billing-exp-0
- service: bigquerydatatransfer.googleapis.com
- timeouts: null
- module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: audit-logs
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: iam
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: vpc-sc
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: workspace-audit-logs
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-audit-logs-0
- module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-audit-logs-0
- user_project: null
- module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-audit-logs-0
- timeouts: null
- module.log-export-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-audit-logs-0
- org_id: '123456789012'
- project_id: fast-prod-audit-logs-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-audit-logs-0
- role: roles/owner
- module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-audit-logs-0
- role: roles/viewer
- module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: bigquery.googleapis.com
- timeouts: null
- module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.log-export-project.google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: storage.googleapis.com
- timeouts: null
- module.organization-logging.google_logging_organization_settings.default[0]:
- organization: '123456789012'
- storage_location: global
- timeouts: null
- module.organization.google_logging_organization_sink.sink["audit-logs"]:
- description: audit-logs (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'log_id("cloudaudit.googleapis.com/activity") OR
-
- log_id("cloudaudit.googleapis.com/system_event") OR
-
- log_id("cloudaudit.googleapis.com/policy") OR
-
- log_id("cloudaudit.googleapis.com/access_transparency")
-
- '
- include_children: true
- intercept_children: false
- name: audit-logs
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["iam"]:
- description: iam (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR
-
- protoPayload.serviceName="iam.googleapis.com" OR
-
- protoPayload.serviceName="sts.googleapis.com"
-
- '
- include_children: true
- intercept_children: false
- name: iam
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["vpc-sc"]:
- description: vpc-sc (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
-
- '
- include_children: true
- intercept_children: false
- name: vpc-sc
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]:
- description: workspace-audit-logs (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.serviceName="admin.googleapis.com" OR
-
- protoPayload.serviceName="cloudidentity.googleapis.com" OR
-
- protoPayload.serviceName="login.googleapis.com"
-
- '
- include_children: true
- intercept_children: false
- name: workspace-audit-logs
- org_id: '123456789012'
- module.organization.google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]:
- action_type: DENY
- condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'
- description: Disables the use of perimeter bridges. Instead, use ingress and egress
- rules.
- display_name: Disable perimeter bridges
- method_types:
- - CREATE
- - UPDATE
- name: custom.denyBridgePerimeters
- parent: organizations/123456789012
- resource_types:
- - accesscontextmanager.googleapis.com/ServicePerimeter
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableNestedVirtualization
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableSerialPortAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableVpcExternalIpv6
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.requireOsLogin
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - in:INTERNAL
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.restrictProtocolForwardingCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.restrictProtocolForwardingCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:INTERNAL
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.trustedImageProjects
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:projects/centos-cloud
- - is:projects/cos-cloud
- - is:projects/debian-cloud
- - is:projects/fedora-cloud
- - is:projects/fedora-coreos-cloud
- - is:projects/opensuse-cloud
- - is:projects/rhel-cloud
- - is:projects/rhel-sap-cloud
- - is:projects/rocky-linux-cloud
- - is:projects/suse-cloud
- - is:projects/suse-sap-cloud
- - is:projects/ubuntu-os-cloud
- - is:projects/ubuntu-os-pro-cloud
- - is:projects/windows-cloud
- - is:projects/windows-sql-cloud
- - is:projects/confidential-vm-images
- - is:projects/confidential-space-images
- - is:projects/backupdr-images
- - is:projects/deeplearning-platform-release
- - is:projects/serverless-vpc-access-images
- - is:projects/gke-node-images
- - is:projects/gke-windows-node-images
- - is:projects/ubuntu-os-gke-cloud
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.vmExternalIpAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["container.managed.enablePrivateNodes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/container.managed.enablePrivateNodes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/custom.denyBridgePerimeters
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
-
- '
- location: null
- title: Restrict essential contacts domains
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - '@fast.example.com'
- denied_values: null
- - allow_all: 'TRUE'
- condition:
- - description: null
- expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
-
- '
- location: null
- title: Allow essential contacts from any domain
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["gcp.resourceLocations"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/gcp.resourceLocations
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: 'TRUE'
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
-
- '
- location: null
- title: Restrict member domains
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:C00000000
- denied_values: null
- - allow_all: 'TRUE'
- condition:
- - description: null
- expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
-
- '
- location: null
- title: Allow any member domain
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableAuditLoggingExemption
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountApiKeyCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.managed.disableServiceAccountApiKeyCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:DISABLE_KEY
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["run.allowedIngress"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.allowedIngress
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:internal-and-cloud-load-balancing
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.managed.requireInvokerIam
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictPublicIp
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.publicAccessPrevention
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.restrictAuthTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.restrictAuthTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values: null
- denied_values:
- - in:ALL_HMAC_SIGNED_REQUESTS
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.secureHttpTransport
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]:
- condition: []
- members: null
- org_id: '123456789012'
- role: roles/billing.creator
- module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - domain:fast.example.com
- org_id: '123456789012'
- role: roles/browser
- module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - group:gcp-security-admins@fast.example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudasset.owner
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.admin
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- - group:gcp-support@example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.techSupportEditor
- module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.osAdminLogin
- module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.osLoginExternalUser
- module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/essentialcontacts.admin
- module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/essentialcontacts.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.securityReviewer
- module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.admin
- module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
- condition: []
- members:
- - group:gcp-support@example.com
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
- condition: []
- members:
- - group:gcp-support@example.com
- org_id: '123456789012'
- role: roles/monitoring.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/owner
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.folderAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.folderViewer
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.organizationAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.projectCreator
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.projectMover
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagUser
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagViewer
- module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/securitycenter.admin
- module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/serviceusage.serviceUsageViewer
- module.organization.google_organization_iam_binding.bindings["organization_billing_conditional"]:
- condition:
- - description: Automation service account delegated grants.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/billing.admin','roles/billing.costsManager','roles/billing.user'])
- title: automation_sa_delegated_grants
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationIamAdmin
- module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
- condition:
- - description: Automation service account delegated grants.
- expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyEditor'',''roles/accesscontextmanager.policyReader'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
-
- || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/iam.workforcePoolAdmin'',''roles/iam.workforcePoolViewer''])
-
- || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/billingViewer'',''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
-
- '
- title: automation_sa_delegated_grants
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationIamAdmin
- module.organization.google_organization_iam_custom_role.roles["billing_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - billing.accounts.get
- - billing.accounts.getIamPolicy
- - billing.accounts.getSpendingInformation
- - billing.accounts.getUsageExportSpec
- - billing.accounts.list
- - billing.budgets.get
- - billing.budgets.list
- - billing.budgets.update
- - billing.credits.list
- - billing.resourceAssociations.list
- - recommender.costInsights.get
- - recommender.costInsights.list
- role_id: billingViewer
- stage: GA
- title: Custom role billingViewer
- module.organization.google_organization_iam_custom_role.roles["dns_zone_binder"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - dns.networks.bindPrivateDNSZone
- role_id: dnsZoneBinder
- stage: GA
- title: Custom role dnsZoneBinder
- module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - vmwareengine.networkPeerings.create
- - vmwareengine.networkPeerings.delete
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
- role_id: gcveNetworkAdmin
- stage: GA
- title: Custom role gcveNetworkAdmin
- module.organization.google_organization_iam_custom_role.roles["gcve_network_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
- role_id: gcveNetworkViewer
- stage: GA
- title: Custom role gcveNetworkViewer
- module.organization.google_organization_iam_custom_role.roles["kms_key_encryption_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - cloudkms.cryptoKeyVersions.get
- - cloudkms.cryptoKeyVersions.list
- - cloudkms.cryptoKeys.get
- - cloudkms.cryptoKeys.getIamPolicy
- - cloudkms.cryptoKeys.list
- - cloudkms.cryptoKeys.setIamPolicy
- role_id: kmsKeyEncryptionAdmin
- stage: GA
- title: Custom role kmsKeyEncryptionAdmin
- module.organization.google_organization_iam_custom_role.roles["kms_key_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - cloudkms.cryptoKeyVersions.get
- - cloudkms.cryptoKeyVersions.list
- - cloudkms.cryptoKeys.get
- - cloudkms.cryptoKeys.getIamPolicy
- - cloudkms.cryptoKeys.list
- role_id: kmsKeyViewer
- stage: GA
- title: Custom role kmsKeyViewer
- module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.networks.setFirewallPolicy
- - networksecurity.firewallEndpointAssociations.create
- - networksecurity.firewallEndpointAssociations.delete
- - networksecurity.firewallEndpointAssociations.get
- - networksecurity.firewallEndpointAssociations.list
- - networksecurity.firewallEndpointAssociations.update
- role_id: networkFirewallPoliciesAdmin
- stage: GA
- title: Custom role networkFirewallPoliciesAdmin
- module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - networksecurity.firewallEndpoints.create
- - networksecurity.firewallEndpoints.delete
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.update
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.cancel
- - networksecurity.operations.delete
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.create
- - networksecurity.securityProfileGroups.delete
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.update
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.create
- - networksecurity.securityProfiles.delete
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.update
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.create
- - networksecurity.tlsInspectionPolicies.delete
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.update
- - networksecurity.tlsInspectionPolicies.use
- role_id: ngfwEnterpriseAdmin
- stage: GA
- title: Custom role ngfwEnterpriseAdmin
- module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.use
- role_id: ngfwEnterpriseViewer
- stage: GA
- title: Custom role ngfwEnterpriseViewer
- module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - essentialcontacts.contacts.get
- - essentialcontacts.contacts.list
- - logging.settings.get
- - orgpolicy.constraints.list
- - orgpolicy.policies.list
- - orgpolicy.policy.get
- - resourcemanager.folders.get
- - resourcemanager.folders.getIamPolicy
- - resourcemanager.folders.list
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.projects.get
- - resourcemanager.projects.getIamPolicy
- - resourcemanager.projects.list
- - storage.buckets.getIamPolicy
- role_id: organizationAdminViewer
- stage: GA
- title: Custom role organizationAdminViewer
- module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.organizations.setIamPolicy
- role_id: organizationIamAdmin
- stage: GA
- title: Custom role organizationIamAdmin
- module.organization.google_organization_iam_custom_role.roles["project_iam_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - iam.policybindings.get
- - iam.policybindings.list
- - resourcemanager.projects.get
- - resourcemanager.projects.getIamPolicy
- - resourcemanager.projects.searchPolicyBindings
- role_id: projectIamViewer
- stage: GA
- title: Custom role projectIamViewer
- module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.globalOperations.get
- - compute.networks.get
- - compute.networks.updatePeering
- - compute.organizations.disableXpnResource
- - compute.organizations.enableXpnResource
- - compute.projects.get
- - compute.subnetworks.getIamPolicy
- - compute.subnetworks.setIamPolicy
- - dns.networks.bindPrivateDNSZone
- - resourcemanager.projects.get
- role_id: serviceProjectNetworkAdmin
- stage: GA
- title: Custom role serviceProjectNetworkAdmin
- module.organization.google_organization_iam_custom_role.roles["storage_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - storage.buckets.get
- - storage.buckets.getIamPolicy
- - storage.buckets.getObjectInsights
- - storage.buckets.list
- - storage.buckets.listEffectiveTags
- - storage.buckets.listTagBindings
- - storage.managedFolders.get
- - storage.managedFolders.getIamPolicy
- - storage.managedFolders.list
- - storage.multipartUploads.list
- - storage.multipartUploads.listParts
- - storage.objects.get
- - storage.objects.getIamPolicy
- - storage.objects.list
- role_id: storageViewer
- stage: GA
- title: Custom role storageViewer
- module.organization.google_organization_iam_custom_role.roles["tag_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - resourcemanager.tagHolds.list
- - resourcemanager.tagKeys.get
- - resourcemanager.tagKeys.getIamPolicy
- - resourcemanager.tagKeys.list
- - resourcemanager.tagValues.get
- - resourcemanager.tagValues.getIamPolicy
- - resourcemanager.tagValues.list
- role_id: tagViewer
- stage: GA
- title: Custom role tagViewer
- module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.globalOperations.get
- role_id: tenantNetworkAdmin
- stage: GA
- title: Custom role tenantNetworkAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyReader
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyReader
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]
- : condition: []
- member: group:gcp-billing-admins@fast.example.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.orgFirewallPolicyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.xpnAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleViewer
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolViewer
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyViewer
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyViewer
- module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]:
- condition:
- - title: audit-logs bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["iam"]:
- condition:
- - title: iam bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]:
- condition:
- - title: vpc-sc bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]:
- condition:
- - title: workspace-audit-logs bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_tags_tag_key.default["org-policies"]:
- description: Organization policy conditions.
- parent: organizations/123456789012
- purpose: null
- purpose_data: null
- short_name: org-policies
- timeouts: null
- module.organization.google_tags_tag_value.default["org-policies/allowed-essential-contacts-domains-all"]:
- description: Managed by the Terraform organization module.
- short_name: allowed-essential-contacts-domains-all
- timeouts: null
- module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]:
- description: Managed by the Terraform organization module.
- short_name: allowed-policy-member-domains-all
- timeouts: null
-
-counts:
- google_bigquery_dataset: 1
- google_bigquery_default_service_account: 3
- google_essential_contacts_contact: 3
- google_iam_workload_identity_pool: 1
- google_iam_workload_identity_pool_provider: 2
- google_logging_organization_settings: 1
- google_logging_organization_sink: 4
- google_logging_project_bucket_config: 4
- google_org_policy_custom_constraint: 1
- google_org_policy_policy: 40
- google_organization_iam_binding: 26
- google_organization_iam_custom_role: 16
- google_organization_iam_member: 31
- google_project: 3
- google_project_iam_audit_config: 2
- google_project_iam_binding: 19
- google_project_iam_member: 23
- google_project_service: 33
- google_project_service_identity: 8
- google_service_account: 12
- google_service_account_iam_binding: 12
- google_storage_bucket: 4
- google_storage_bucket_iam_binding: 4
- google_storage_bucket_iam_member: 12
- google_storage_bucket_object: 14
- google_storage_project_service_account: 3
- google_tags_tag_key: 1
- google_tags_tag_value: 2
- local_file: 13
- modules: 26
- resources: 298
-
-outputs:
- custom_roles:
- billing_viewer: organizations/123456789012/roles/billingViewer
- dns_zone_binder: organizations/123456789012/roles/dnsZoneBinder
- gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin
- gcve_network_viewer: organizations/123456789012/roles/gcveNetworkViewer
- kms_key_encryption_admin: organizations/123456789012/roles/kmsKeyEncryptionAdmin
- kms_key_viewer: organizations/123456789012/roles/kmsKeyViewer
- network_firewall_policies_admin: organizations/123456789012/roles/networkFirewallPoliciesAdmin
- ngfw_enterprise_admin: organizations/123456789012/roles/ngfwEnterpriseAdmin
- ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer
- organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
- organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
- project_iam_viewer: organizations/123456789012/roles/projectIamViewer
- service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
- storage_viewer: organizations/123456789012/roles/storageViewer
- tag_viewer: organizations/123456789012/roles/tagViewer
- tenant_network_admin: organizations/123456789012/roles/tenantNetworkAdmin
- outputs_bucket: fast-prod-iac-core-outputs-0
- project_ids:
- automation: fast-prod-iac-core-0
- billing-export: fast-prod-billing-exp-0
- log-export: fast-prod-audit-logs-0
- providers:
- 0-bootstrap: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
- \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
- \ in compliance with the License.\n * You may obtain a copy of the License at\n\
- \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
- \ by applicable law or agreed to in writing, software\n * distributed under\
- \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
- \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
- \ the specific language governing permissions and\n * limitations under the\
- \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
- \ = \"fast-prod-iac-core-bootstrap-0\"\n impersonate_service_account\
- \ = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\
- \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\n\n# end provider.tf for bootstrap\n"
- 0-bootstrap-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
- \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
- \ in compliance with the License.\n * You may obtain a copy of the License at\n\
- \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
- \ by applicable law or agreed to in writing, software\n * distributed under\
- \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
- \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
- \ the specific language governing permissions and\n * limitations under the\
- \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
- \ = \"fast-prod-iac-core-bootstrap-0\"\n impersonate_service_account\
- \ = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\
- \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\n\n# end provider.tf for bootstrap\n"
- 1-resman: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
- \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
- \ in compliance with the License.\n * You may obtain a copy of the License at\n\
- \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
- \ by applicable law or agreed to in writing, software\n * distributed under\
- \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
- \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
- \ the specific language governing permissions and\n * limitations under the\
- \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
- \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\
- \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n\
- }\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\n\n# end provider.tf for resman\n"
- 1-resman-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
- \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
- \ in compliance with the License.\n * You may obtain a copy of the License at\n\
- \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
- \ by applicable law or agreed to in writing, software\n * distributed under\
- \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
- \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
- \ the specific language governing permissions and\n * limitations under the\
- \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
- \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\
- \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
- \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\n\n# end provider.tf for resman\n"
- 1-resman-resman-tenants: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\
- \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\
- \ file except in compliance with the License.\n * You may obtain a copy of the\
- \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\
- \ Unless required by applicable law or agreed to in writing, software\n * distributed\
- \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\
- \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\
- \ for the specific language governing permissions and\n * limitations under\
- \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
- \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\
- \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
- \ prefix = \"addons/resman-tenants\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
- \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
- provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\n\n# end provider.tf for 1-resman-resman-tenants\n"
- 1-resman-resman-tenants-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed\
- \ under the Apache License, Version 2.0 (the \"License\");\n * you may not use\
- \ this file except in compliance with the License.\n * You may obtain a copy\
- \ of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n\
- \ *\n * Unless required by applicable law or agreed to in writing, software\n\
- \ * distributed under the License is distributed on an \"AS IS\" BASIS,\n *\
- \ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\
- \ * See the License for the specific language governing permissions and\n *\
- \ limitations under the License.\n */\n\nterraform {\n backend \"gcs\" {\n\
- \ bucket = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\
- \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
- \ prefix = \"addons/resman-tenants\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
- \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
- provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\n\n# end provider.tf for 1-resman-resman-tenants\n"
- 1-vpcsc: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
- \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
- \ in compliance with the License.\n * You may obtain a copy of the License at\n\
- \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
- \ by applicable law or agreed to in writing, software\n * distributed under\
- \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
- \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
- \ the specific language governing permissions and\n * limitations under the\
- \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
- \ = \"fast-prod-iac-core-vpcsc-0\"\n impersonate_service_account\
- \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
- \ prefix = \"vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
- \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
- provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\n\n# end provider.tf for vpcsc\n"
- 1-vpcsc-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
- \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
- \ in compliance with the License.\n * You may obtain a copy of the License at\n\
- \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
- \ by applicable law or agreed to in writing, software\n * distributed under\
- \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
- \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
- \ the specific language governing permissions and\n * limitations under the\
- \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
- \ = \"fast-prod-iac-core-vpcsc-0\"\n impersonate_service_account\
- \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
- \ prefix = \"vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
- \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
- provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
- \n}\n\n# end provider.tf for vpcsc\n"
- service_accounts:
- bootstrap: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- resman: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- tfvars_globals:
- billing_account:
- force_create:
- dataset: false
- project: false
- log_bucket: false
- id: 000000-111111-222222
- is_org_level: true
- no_iam: false
- environments:
- dev:
- is_default: false
- key: dev
- name: Development
- short_name: dev
- tag_name: development
- prod:
- is_default: true
- key: prod
- name: Production
- short_name: prod
- tag_name: production
- groups:
- gcp-billing-admins: group:gcp-billing-admins@fast.example.com
- gcp-devops: group:gcp-devops@fast.example.com
- gcp-network-admins: group:gcp-vpc-network-admins@fast.example.com
- gcp-organization-admins: group:gcp-organization-admins@fast.example.com
- gcp-secops-admins: group:gcp-security-admins@fast.example.com
- gcp-security-admins: group:gcp-security-admins@fast.example.com
- gcp-support: group:gcp-support@example.com
- locations:
- bq: EU
- gcs: EU
- logging: global
- pubsub: []
- organization:
- customer_id: C00000000
- domain: fast.example.com
- id: 123456789012
- prefix: fast
- workforce_identity_pool:
- pool: null
- workload_identity_pool: __missing__
diff --git a/tests/fast/stages/s0_bootstrap_legacy/data/checklist-data.json b/tests/fast/stages/s0_bootstrap_legacy/data/checklist-data.json
deleted file mode 100644
index c9ba8aa4a..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/data/checklist-data.json
+++ /dev/null
@@ -1,746 +0,0 @@
-{
- "cloud_setup_config": {
- "version": "0.1.0",
- "organization": {
- "id": "123456789012",
- "name": "fast.example.com"
- },
- "billing_account": {},
- "resource_hierarchy": {
- "template": "DIV_TEAM_ENV",
- "environments": [
- {
- "name": "Production",
- "recommendation": "ENV_REC_PROD"
- },
- {
- "name": "Non-Production",
- "recommendation": "ENV_REC_NONPROD"
- },
- {
- "name": "Development",
- "recommendation": "ENV_REC_DEV"
- }
- ],
- "business_units": [
- {
- "name": "Department 1",
- "teams": [
- {
- "name": "Team 1"
- },
- {
- "name": "Team 2"
- },
- {
- "name": "Team 3"
- },
- {
- "name": "Team 4"
- }
- ]
- },
- {
- "name": "Department 2",
- "teams": [
- {
- "name": "Team 1"
- },
- {
- "name": "Team 2"
- },
- {
- "name": "Team 3"
- },
- {
- "name": "Team 4"
- }
- ]
- },
- {
- "name": "Department 3",
- "teams": [
- {
- "name": "Team 1"
- },
- {
- "name": "Team 2"
- },
- {
- "name": "Team 3"
- },
- {
- "name": "Team 4"
- }
- ]
- }
- ],
- "top_level_teams": [
- {
- "name": "Team 1"
- },
- {
- "name": "Team 2"
- },
- {
- "name": "Team 3"
- }
- ]
- },
- "folders": [
- {
- "reference_id": "Common",
- "parent": "ROOT",
- "display_name": "Common"
- },
- {
- "reference_id": "Department 1",
- "parent": "ROOT",
- "display_name": "Department 1"
- },
- {
- "reference_id": "Department 1/Team 1",
- "parent": "Department 1",
- "display_name": "Team 1"
- },
- {
- "reference_id": "Department 1/Team 1/Production",
- "parent": "Department 1/Team 1",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 1/Team 1/Non-Production",
- "parent": "Department 1/Team 1",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 1/Team 1/Development",
- "parent": "Department 1/Team 1",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 1/Team 2",
- "parent": "Department 1",
- "display_name": "Team 2"
- },
- {
- "reference_id": "Department 1/Team 2/Production",
- "parent": "Department 1/Team 2",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 1/Team 2/Non-Production",
- "parent": "Department 1/Team 2",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 1/Team 2/Development",
- "parent": "Department 1/Team 2",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 1/Team 3",
- "parent": "Department 1",
- "display_name": "Team 3"
- },
- {
- "reference_id": "Department 1/Team 3/Production",
- "parent": "Department 1/Team 3",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 1/Team 3/Non-Production",
- "parent": "Department 1/Team 3",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 1/Team 3/Development",
- "parent": "Department 1/Team 3",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 1/Team 4",
- "parent": "Department 1",
- "display_name": "Team 4"
- },
- {
- "reference_id": "Department 1/Team 4/Production",
- "parent": "Department 1/Team 4",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 1/Team 4/Non-Production",
- "parent": "Department 1/Team 4",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 1/Team 4/Development",
- "parent": "Department 1/Team 4",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 2",
- "parent": "ROOT",
- "display_name": "Department 2"
- },
- {
- "reference_id": "Department 2/Team 1",
- "parent": "Department 2",
- "display_name": "Team 1"
- },
- {
- "reference_id": "Department 2/Team 1/Production",
- "parent": "Department 2/Team 1",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 2/Team 1/Non-Production",
- "parent": "Department 2/Team 1",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 2/Team 1/Development",
- "parent": "Department 2/Team 1",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 2/Team 2",
- "parent": "Department 2",
- "display_name": "Team 2"
- },
- {
- "reference_id": "Department 2/Team 2/Production",
- "parent": "Department 2/Team 2",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 2/Team 2/Non-Production",
- "parent": "Department 2/Team 2",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 2/Team 2/Development",
- "parent": "Department 2/Team 2",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 2/Team 3",
- "parent": "Department 2",
- "display_name": "Team 3"
- },
- {
- "reference_id": "Department 2/Team 3/Production",
- "parent": "Department 2/Team 3",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 2/Team 3/Non-Production",
- "parent": "Department 2/Team 3",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 2/Team 3/Development",
- "parent": "Department 2/Team 3",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 2/Team 4",
- "parent": "Department 2",
- "display_name": "Team 4"
- },
- {
- "reference_id": "Department 2/Team 4/Production",
- "parent": "Department 2/Team 4",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 2/Team 4/Non-Production",
- "parent": "Department 2/Team 4",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 2/Team 4/Development",
- "parent": "Department 2/Team 4",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 3",
- "parent": "ROOT",
- "display_name": "Department 3"
- },
- {
- "reference_id": "Department 3/Team 1",
- "parent": "Department 3",
- "display_name": "Team 1"
- },
- {
- "reference_id": "Department 3/Team 1/Production",
- "parent": "Department 3/Team 1",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 3/Team 1/Non-Production",
- "parent": "Department 3/Team 1",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 3/Team 1/Development",
- "parent": "Department 3/Team 1",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 3/Team 2",
- "parent": "Department 3",
- "display_name": "Team 2"
- },
- {
- "reference_id": "Department 3/Team 2/Production",
- "parent": "Department 3/Team 2",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 3/Team 2/Non-Production",
- "parent": "Department 3/Team 2",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 3/Team 2/Development",
- "parent": "Department 3/Team 2",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 3/Team 3",
- "parent": "Department 3",
- "display_name": "Team 3"
- },
- {
- "reference_id": "Department 3/Team 3/Production",
- "parent": "Department 3/Team 3",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 3/Team 3/Non-Production",
- "parent": "Department 3/Team 3",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 3/Team 3/Development",
- "parent": "Department 3/Team 3",
- "display_name": "Development"
- },
- {
- "reference_id": "Department 3/Team 4",
- "parent": "Department 3",
- "display_name": "Team 4"
- },
- {
- "reference_id": "Department 3/Team 4/Production",
- "parent": "Department 3/Team 4",
- "display_name": "Production"
- },
- {
- "reference_id": "Department 3/Team 4/Non-Production",
- "parent": "Department 3/Team 4",
- "display_name": "Non-Production"
- },
- {
- "reference_id": "Department 3/Team 4/Development",
- "parent": "Department 3/Team 4",
- "display_name": "Development"
- }
- ],
- "projects": [
- {
- "id": "vpc-host-prod-us602-dp794",
- "name": "vpc-host-prod",
- "parent": "Common",
- "recommendation": "PROJ_REC_VPC_HOST_PROD"
- },
- {
- "id": "vpc-host-nonprod-us602-dp794",
- "name": "vpc-host-nonprod",
- "parent": "Common",
- "recommendation": "PROJ_REC_VPC_HOST_NONPROD"
- },
- {
- "id": "logging-us602-dp794",
- "name": "logging",
- "parent": "Common",
- "recommendation": "PROJ_REC_LOGGING"
- },
- {
- "id": "monitoring-prod-us602-dp794",
- "name": "monitoring-prod",
- "parent": "Common",
- "recommendation": "PROJ_REC_MONITORING_PROD"
- },
- {
- "id": "monitoring-nonprod-us602-dp794",
- "name": "monitoring-nonprod",
- "parent": "Common",
- "recommendation": "PROJ_REC_MONITORING_NONPROD"
- },
- {
- "id": "monitoring-dev-us602-dp794",
- "name": "monitoring-dev",
- "parent": "Common",
- "recommendation": "PROJ_REC_MONITORING_DEV"
- }
- ],
- "logging": {
- "sinks": [
- {
- "destination": {
- "project_id": "logging-us602-dp794",
- "name": "fast-onboarding-0.joonix-logging",
- "location": "europe-west1",
- "retention_period_seconds": "2592000"
- },
- "role": "SINK_LOG_BUCKET"
- }
- ]
- },
- "access_control": [
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 1/Team 1/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 1/Team 2/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 1/Team 3/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 1/Team 4/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 2/Team 1/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 2/Team 2/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 2/Team 3/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 2/Team 4/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 3/Team 1/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 3/Team 2/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 3/Team 3/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 3/Team 4/Non-Production"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 1/Team 1/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 1/Team 2/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 1/Team 3/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 1/Team 4/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 2/Team 1/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 2/Team 2/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 2/Team 3/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 2/Team 4/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 3/Team 1/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 3/Team 2/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 3/Team 3/Development"
- }
- },
- {
- "principal": "group:gcp-developers@fast.example.com",
- "group_id": "DEVELOPERS",
- "role": [
- "roles/compute.instanceAdmin.v1",
- "roles/container.admin"
- ],
- "resource": {
- "type": "FOLDER",
- "id": "Department 3/Team 4/Development"
- }
- },
- {
- "principal": "group:gcp-logging-viewers@fast.example.com",
- "group_id": "LOGGING_VIEWERS",
- "role": [
- "roles/logging.viewer",
- "roles/logging.privateLogViewer",
- "roles/bigquery.dataViewer",
- "roles/owner"
- ],
- "resource": {
- "type": "ORGANIZATION",
- "id": "123456789012"
- }
- },
- {
- "principal": "group:gcp-logging-viewers@fast.example.com",
- "group_id": "LOGGING_VIEWERS",
- "role": [
- "roles/logging.viewer",
- "roles/logging.privateLogViewer",
- "roles/bigquery.dataViewer",
- "roles/owner"
- ],
- "resource": {
- "type": "PROJECT",
- "id": "vpc-host-prod-us602-dp794"
- }
- },
- {
- "principal": "group:gcp-logging-viewers@fast.example.com",
- "group_id": "LOGGING_VIEWERS",
- "role": [
- "roles/logging.viewer",
- "roles/logging.privateLogViewer",
- "roles/bigquery.dataViewer"
- ],
- "resource": {
- "type": "PROJECT",
- "id": "logging-us602-dp794"
- }
- },
- {
- "principal": "group:gcp-security-admins@fast.example.com",
- "group_id": "SECURITY_ADMINS",
- "role": [
- "roles/bigquery.dataViewer"
- ],
- "resource": {
- "type": "PROJECT",
- "id": "logging-us602-dp794"
- }
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/tests/fast/stages/s0_bootstrap_legacy/data/checklist-org-iam.json b/tests/fast/stages/s0_bootstrap_legacy/data/checklist-org-iam.json
deleted file mode 100644
index 8e7ba8982..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/data/checklist-org-iam.json
+++ /dev/null
@@ -1,108 +0,0 @@
-{
- "cloud_setup_org_iam": {
- "version": "0.1.0",
- "organization": {
- "id": "123456789012",
- "name": "fast.example.com"
- },
- "iam_bindings": [
- {
- "principal": "group:gcp-organization-admins@fast.example.com",
- "group_id": "ORG_ADMINS",
- "role": [
- "roles/storage.objectAdmin",
- "roles/resourcemanager.folderAdmin",
- "roles/resourcemanager.projectCreator",
- "roles/billing.user",
- "roles/iam.organizationRoleAdmin",
- "roles/orgpolicy.policyAdmin",
- "roles/securitycenter.admin",
- "roles/cloudsupport.admin"
- ],
- "resource": {
- "type": "ORGANIZATION",
- "id": "123456789012"
- }
- },
- {
- "principal": "group:gcp-billing-admins@fast.example.com",
- "group_id": "BILLING_ADMINS",
- "role": [
- "roles/billing.admin",
- "roles/billing.creator",
- "roles/resourcemanager.organizationViewer"
- ],
- "resource": {
- "type": "ORGANIZATION",
- "id": "123456789012"
- }
- },
- {
- "principal": "group:gcp-network-admins@fast.example.com",
- "group_id": "NETWORK_ADMINS",
- "role": [
- "roles/compute.networkAdmin",
- "roles/compute.xpnAdmin",
- "roles/compute.securityAdmin",
- "roles/resourcemanager.folderViewer"
- ],
- "resource": {
- "type": "ORGANIZATION",
- "id": "123456789012"
- }
- },
- {
- "principal": "group:gcp-logging-admins@fast.example.com",
- "group_id": "LOGGING_ADMINS",
- "role": [
- "roles/logging.admin"
- ],
- "resource": {
- "type": "ORGANIZATION",
- "id": "123456789012"
- }
- },
- {
- "principal": "group:gcp-monitoring-admins@fast.example.com",
- "group_id": "MONITORING_ADMINS",
- "role": [
- "roles/monitoring.admin"
- ],
- "resource": {
- "type": "ORGANIZATION",
- "id": "123456789012"
- }
- },
- {
- "principal": "group:gcp-security-admins@fast.example.com",
- "group_id": "SECURITY_ADMINS",
- "role": [
- "roles/orgpolicy.policyAdmin",
- "roles/iam.securityReviewer",
- "roles/iam.organizationRoleViewer",
- "roles/securitycenter.admin",
- "roles/resourcemanager.folderIamAdmin",
- "roles/logging.privateLogViewer",
- "roles/logging.configWriter",
- "roles/container.viewer",
- "roles/compute.viewer"
- ],
- "resource": {
- "type": "ORGANIZATION",
- "id": "123456789012"
- }
- },
- {
- "principal": "group:gcp-devops@fast.example.com",
- "group_id": "DEVOPS",
- "role": [
- "roles/resourcemanager.folderViewer"
- ],
- "resource": {
- "type": "ORGANIZATION",
- "id": "123456789012"
- }
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/tests/fast/stages/s0_bootstrap_legacy/external_billing_account.tfvars b/tests/fast/stages/s0_bootstrap_legacy/external_billing_account.tfvars
deleted file mode 100644
index 6fbca686e..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/external_billing_account.tfvars
+++ /dev/null
@@ -1,23 +0,0 @@
-billing_account = {
- id = "000000-111111-222222"
- is_org_level = false
- force_create = {
- dataset = true
- project = true
- log_bucket = true
- }
-}
-essential_contacts = "gcp-organization-admins@fast.example.com"
-groups = {
- gcp-support = "group:gcp-support@example.com"
-}
-org_policies_config = {
- import_defaults = false
-}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
-}
-outputs_location = "/fast-config"
-prefix = "fast"
diff --git a/tests/fast/stages/s0_bootstrap_legacy/external_billing_account.yaml b/tests/fast/stages/s0_bootstrap_legacy/external_billing_account.yaml
deleted file mode 100644
index c8ddff64b..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/external_billing_account.yaml
+++ /dev/null
@@ -1,2172 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-iac-core-0
- module.automation-project.data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-iac-core-0
- user_project: null
- module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-iac-core-0
- timeouts: null
- module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - https://token.actions.githubusercontent.com
- - https://gitlab.com
- - https://app.terraform.io
- denied_values: null
- timeouts: null
- module.automation-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-iac-core-0
- org_id: '123456789012'
- project_id: fast-prod-iac-core-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]:
- audit_log_config:
- - exempted_members: []
- log_type: ADMIN_READ
- project: fast-prod-iac-core-0
- service: iam.googleapis.com
- module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: organizations/123456789012/roles/storageViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/browser
- module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.editor
- module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.viewer
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]:
- condition: []
- members:
- - group:gcp-devops@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountAdmin
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - group:gcp-devops@fast.example.com
- - group:gcp-organization-admins@fast.example.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountTokenCreator
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.workloadIdentityPoolAdmin
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.workloadIdentityPoolViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/owner
- module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/source.admin
- module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/source.reader
- module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/storage.admin
- module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/viewer
- module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]:
- condition:
- - description: Resource manager service account delegated grant.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer'])
- title: resman_delegated_grant
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/resourcemanager.projectIamAdmin
- module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]:
- condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/serviceusage.serviceUsageConsumer
- module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]:
- condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/serviceusage.serviceUsageViewer
- module.automation-project.google_project_iam_member.service_agents["cloudasset"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudasset.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["cloudbuild"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.builder
- module.automation-project.google_project_iam_member.service_agents["cloudkms"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudkms.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["compute-system"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/compute.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/container.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/container.defaultNodeServiceAgent
- module.automation-project.google_project_iam_member.service_agents["monitoring-notification"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/monitoring.notificationServiceAgent
- module.automation-project.google_project_iam_member.service_agents["pubsub"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/pubsub.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["service-networking"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/servicenetworking.serviceAgent
- module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: accesscontextmanager.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigquery.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigqueryreservation.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigquerystorage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: billingbudgets.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudasset.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudbilling.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudbuild.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudkms.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudquotas.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudresourcemanager.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["compute.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: compute.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: container.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["datacatalog.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: datacatalog.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: essentialcontacts.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["iam.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: iam.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: iamcredentials.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["logging.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: logging.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["monitoring.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: monitoring.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: networksecurity.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: orgpolicy.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: pubsub.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: servicenetworking.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: serviceusage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: storage-component.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: storage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["sts.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: sts.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: cloudasset.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: cloudkms.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["container.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: container.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["monitoring.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: monitoring.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: networksecurity.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: pubsub.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: servicenetworking.googleapis.com
- timeouts: null
- module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-bootstrap-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationAdminViewer
- ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/tagViewer
- module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform organization bootstrap service account (read-only).
- email: fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-bootstrap-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform organization bootstrap service account.
- email: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.automation-tf-output-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-outputs-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-resman-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-resman-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast-prod-iac-core-resman-0
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast-prod-iac-core-resman-0
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationAdminViewer
- ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/tagViewer
- module.automation-tf-resman-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 resman service account (read-only).
- email: fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-resman-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 resman service account.
- email: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-vpcsc-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast-prod-iac-core-vpcsc-0
- condition: []
- members:
- - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast-prod-iac-core-vpcsc-0
- condition: []
- members:
- - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-vpcsc-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 vpcsc service account (read-only).
- email: fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-vpcsc-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-vpcsc-sa.google_service_account.service_account[0]:
- account_id: fast-prod-vpcsc-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 vpcsc service account.
- email: fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-vpcsc-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.billing-account-logbucket[0].google_logging_project_bucket_config.bucket[0]:
- bucket_id: billing-account
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]
- : billing_account_id: 000000-111111-222222
- condition: []
- member: group:gcp-billing-admins@fast.example.com
- role: roles/billing.admin
- ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"]
- : billing_account_id: 000000-111111-222222
- condition: []
- member: group:gcp-organization-admins@fast.example.com
- role: roles/billing.admin
- ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : billing_account_id: 000000-111111-222222
- condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/billing.admin
- ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : billing_account_id: 000000-111111-222222
- condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/billing.admin
- ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : billing_account_id: 000000-111111-222222
- condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/billing.viewer
- ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : billing_account_id: 000000-111111-222222
- condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/billing.viewer
- ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/logging.configWriter-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : billing_account_id: 000000-111111-222222
- condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/logging.configWriter
- module.billing-account[0].google_logging_billing_account_sink.sink["billing_bucket_log_sink"]:
- billing_account: 000000-111111-222222
- description: billing-account sink (Terraform-managed).
- disabled: false
- exclusions: []
- filter: null
- name: billing_bucket_log_sink
- module.billing-account[0].google_project_iam_member.bucket-sinks-binding["billing_bucket_log_sink"]:
- condition:
- - title: billing_bucket_log_sink bucket writer
- role: roles/logging.bucketWriter
- module.billing-export-dataset[0].google_bigquery_dataset.default:
- dataset_id: billing_export
- default_encryption_configuration: []
- default_partition_expiration_ms: null
- default_table_expiration_ms: null
- delete_contents_on_destroy: false
- description: Terraform managed.
- effective_labels:
- goog-terraform-provisioned: 'true'
- external_catalog_dataset_options: []
- external_dataset_reference: []
- friendly_name: Billing export.
- labels: null
- location: EU
- max_time_travel_hours: '168'
- project: fast-prod-billing-exp-0
- resource_tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-billing-exp-0
- module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-billing-exp-0
- user_project: null
- module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-billing-exp-0
- timeouts: null
- module.billing-export-project[0].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-billing-exp-0
- org_id: '123456789012'
- project_id: fast-prod-billing-exp-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-billing-exp-0
- role: roles/owner
- module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-billing-exp-0
- role: roles/viewer
- module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]:
- condition: []
- project: fast-prod-billing-exp-0
- role: roles/bigquerydatatransfer.serviceAgent
- module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: bigquery.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: bigquerydatatransfer.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: storage.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]:
- project: fast-prod-billing-exp-0
- service: bigquerydatatransfer.googleapis.com
- timeouts: null
- module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: audit-logs
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: iam
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: vpc-sc
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: workspace-audit-logs
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-audit-logs-0
- module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-audit-logs-0
- user_project: null
- module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-audit-logs-0
- timeouts: null
- module.log-export-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-audit-logs-0
- org_id: '123456789012'
- project_id: fast-prod-audit-logs-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-audit-logs-0
- role: roles/owner
- module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-audit-logs-0
- role: roles/viewer
- module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: bigquery.googleapis.com
- timeouts: null
- module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.log-export-project.google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: storage.googleapis.com
- timeouts: null
- module.organization-logging.google_logging_organization_settings.default[0]:
- organization: '123456789012'
- storage_location: global
- timeouts: null
- module.organization.google_logging_organization_sink.sink["audit-logs"]:
- description: audit-logs (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'log_id("cloudaudit.googleapis.com/activity") OR
-
- log_id("cloudaudit.googleapis.com/system_event") OR
-
- log_id("cloudaudit.googleapis.com/policy") OR
-
- log_id("cloudaudit.googleapis.com/access_transparency")
-
- '
- include_children: true
- intercept_children: false
- name: audit-logs
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["iam"]:
- description: iam (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR
-
- protoPayload.serviceName="iam.googleapis.com" OR
-
- protoPayload.serviceName="sts.googleapis.com"
-
- '
- include_children: true
- intercept_children: false
- name: iam
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["vpc-sc"]:
- description: vpc-sc (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
-
- '
- include_children: true
- intercept_children: false
- name: vpc-sc
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]:
- description: workspace-audit-logs (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.serviceName="admin.googleapis.com" OR
-
- protoPayload.serviceName="cloudidentity.googleapis.com" OR
-
- protoPayload.serviceName="login.googleapis.com"
-
- '
- include_children: true
- intercept_children: false
- name: workspace-audit-logs
- org_id: '123456789012'
- module.organization.google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]:
- action_type: DENY
- condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'
- description: Disables the use of perimeter bridges. Instead, use ingress and egress
- rules.
- display_name: Disable perimeter bridges
- method_types:
- - CREATE
- - UPDATE
- name: custom.denyBridgePerimeters
- parent: organizations/123456789012
- resource_types:
- - accesscontextmanager.googleapis.com/ServicePerimeter
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableNestedVirtualization
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableSerialPortAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableVpcExternalIpv6
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.requireOsLogin
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - in:INTERNAL
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.restrictProtocolForwardingCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.restrictProtocolForwardingCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:INTERNAL
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.trustedImageProjects
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:projects/centos-cloud
- - is:projects/cos-cloud
- - is:projects/debian-cloud
- - is:projects/fedora-cloud
- - is:projects/fedora-coreos-cloud
- - is:projects/opensuse-cloud
- - is:projects/rhel-cloud
- - is:projects/rhel-sap-cloud
- - is:projects/rocky-linux-cloud
- - is:projects/suse-cloud
- - is:projects/suse-sap-cloud
- - is:projects/ubuntu-os-cloud
- - is:projects/ubuntu-os-pro-cloud
- - is:projects/windows-cloud
- - is:projects/windows-sql-cloud
- - is:projects/confidential-vm-images
- - is:projects/confidential-space-images
- - is:projects/backupdr-images
- - is:projects/deeplearning-platform-release
- - is:projects/serverless-vpc-access-images
- - is:projects/gke-node-images
- - is:projects/gke-windows-node-images
- - is:projects/ubuntu-os-gke-cloud
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.vmExternalIpAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/custom.denyBridgePerimeters
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
-
- '
- location: null
- title: Restrict essential contacts domains
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - '@fast.example.com'
- denied_values: null
- - allow_all: 'TRUE'
- condition:
- - description: null
- expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
-
- '
- location: null
- title: Allow essential contacts from any domain
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["gcp.resourceLocations"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/gcp.resourceLocations
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: 'TRUE'
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
-
- '
- location: null
- title: Restrict member domains
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:C00000000
- denied_values: null
- - allow_all: 'TRUE'
- condition:
- - description: null
- expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
-
- '
- location: null
- title: Allow any member domain
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableAuditLoggingExemption
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:DISABLE_KEY
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["run.allowedIngress"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.allowedIngress
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:internal-and-cloud-load-balancing
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.managed.requireInvokerIam
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictPublicIp
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.publicAccessPrevention
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.restrictAuthTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.restrictAuthTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values: null
- denied_values:
- - in:ALL_HMAC_SIGNED_REQUESTS
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.secureHttpTransport
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]:
- condition: []
- members: null
- org_id: '123456789012'
- role: roles/billing.creator
- module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - domain:fast.example.com
- org_id: '123456789012'
- role: roles/browser
- module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - group:gcp-security-admins@fast.example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudasset.owner
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.admin
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- - group:gcp-support@example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.techSupportEditor
- module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.osAdminLogin
- module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.osLoginExternalUser
- module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/essentialcontacts.admin
- module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/essentialcontacts.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.securityReviewer
- module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.admin
- module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
- condition: []
- members:
- - group:gcp-support@example.com
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
- condition: []
- members:
- - group:gcp-support@example.com
- org_id: '123456789012'
- role: roles/monitoring.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/owner
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.folderAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.folderViewer
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.organizationAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.projectCreator
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.projectMover
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagUser
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagViewer
- module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/securitycenter.admin
- module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/serviceusage.serviceUsageViewer
- module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
- condition:
- - description: Automation service account delegated grants.
- expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyEditor'',''roles/accesscontextmanager.policyReader'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
-
- || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/iam.workforcePoolAdmin'',''roles/iam.workforcePoolViewer''])
-
- || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/billingViewer'',''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
-
- '
- title: automation_sa_delegated_grants
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationIamAdmin
- module.organization.google_organization_iam_custom_role.roles["billing_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - billing.accounts.get
- - billing.accounts.getIamPolicy
- - billing.accounts.getSpendingInformation
- - billing.accounts.getUsageExportSpec
- - billing.accounts.list
- - billing.budgets.get
- - billing.budgets.list
- - billing.budgets.update
- - billing.credits.list
- - billing.resourceAssociations.list
- - recommender.costInsights.get
- - recommender.costInsights.list
- role_id: billingViewer
- stage: GA
- title: Custom role billingViewer
- module.organization.google_organization_iam_custom_role.roles["dns_zone_binder"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - dns.networks.bindPrivateDNSZone
- role_id: dnsZoneBinder
- stage: GA
- title: Custom role dnsZoneBinder
- module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - vmwareengine.networkPeerings.create
- - vmwareengine.networkPeerings.delete
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
- role_id: gcveNetworkAdmin
- stage: GA
- title: Custom role gcveNetworkAdmin
- module.organization.google_organization_iam_custom_role.roles["gcve_network_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
- role_id: gcveNetworkViewer
- stage: GA
- title: Custom role gcveNetworkViewer
- module.organization.google_organization_iam_custom_role.roles["kms_key_encryption_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - cloudkms.cryptoKeyVersions.get
- - cloudkms.cryptoKeyVersions.list
- - cloudkms.cryptoKeys.get
- - cloudkms.cryptoKeys.getIamPolicy
- - cloudkms.cryptoKeys.list
- - cloudkms.cryptoKeys.setIamPolicy
- role_id: kmsKeyEncryptionAdmin
- stage: GA
- title: Custom role kmsKeyEncryptionAdmin
- module.organization.google_organization_iam_custom_role.roles["kms_key_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - cloudkms.cryptoKeyVersions.get
- - cloudkms.cryptoKeyVersions.list
- - cloudkms.cryptoKeys.get
- - cloudkms.cryptoKeys.getIamPolicy
- - cloudkms.cryptoKeys.list
- role_id: kmsKeyViewer
- stage: GA
- title: Custom role kmsKeyViewer
- module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.networks.setFirewallPolicy
- - networksecurity.firewallEndpointAssociations.create
- - networksecurity.firewallEndpointAssociations.delete
- - networksecurity.firewallEndpointAssociations.get
- - networksecurity.firewallEndpointAssociations.list
- - networksecurity.firewallEndpointAssociations.update
- role_id: networkFirewallPoliciesAdmin
- stage: GA
- title: Custom role networkFirewallPoliciesAdmin
- module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - networksecurity.firewallEndpoints.create
- - networksecurity.firewallEndpoints.delete
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.update
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.cancel
- - networksecurity.operations.delete
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.create
- - networksecurity.securityProfileGroups.delete
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.update
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.create
- - networksecurity.securityProfiles.delete
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.update
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.create
- - networksecurity.tlsInspectionPolicies.delete
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.update
- - networksecurity.tlsInspectionPolicies.use
- role_id: ngfwEnterpriseAdmin
- stage: GA
- title: Custom role ngfwEnterpriseAdmin
- module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.use
- role_id: ngfwEnterpriseViewer
- stage: GA
- title: Custom role ngfwEnterpriseViewer
- module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - essentialcontacts.contacts.get
- - essentialcontacts.contacts.list
- - logging.settings.get
- - orgpolicy.constraints.list
- - orgpolicy.policies.list
- - orgpolicy.policy.get
- - resourcemanager.folders.get
- - resourcemanager.folders.getIamPolicy
- - resourcemanager.folders.list
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.projects.get
- - resourcemanager.projects.getIamPolicy
- - resourcemanager.projects.list
- - storage.buckets.getIamPolicy
- role_id: organizationAdminViewer
- stage: GA
- title: Custom role organizationAdminViewer
- module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.organizations.setIamPolicy
- role_id: organizationIamAdmin
- stage: GA
- title: Custom role organizationIamAdmin
- module.organization.google_organization_iam_custom_role.roles["project_iam_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - iam.policybindings.get
- - iam.policybindings.list
- - resourcemanager.projects.get
- - resourcemanager.projects.getIamPolicy
- - resourcemanager.projects.searchPolicyBindings
- role_id: projectIamViewer
- stage: GA
- title: Custom role projectIamViewer
- module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.globalOperations.get
- - compute.networks.get
- - compute.networks.updatePeering
- - compute.organizations.disableXpnResource
- - compute.organizations.enableXpnResource
- - compute.projects.get
- - compute.subnetworks.getIamPolicy
- - compute.subnetworks.setIamPolicy
- - dns.networks.bindPrivateDNSZone
- - resourcemanager.projects.get
- role_id: serviceProjectNetworkAdmin
- stage: GA
- title: Custom role serviceProjectNetworkAdmin
- module.organization.google_organization_iam_custom_role.roles["storage_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - storage.buckets.get
- - storage.buckets.getIamPolicy
- - storage.buckets.getObjectInsights
- - storage.buckets.list
- - storage.buckets.listEffectiveTags
- - storage.buckets.listTagBindings
- - storage.managedFolders.get
- - storage.managedFolders.getIamPolicy
- - storage.managedFolders.list
- - storage.multipartUploads.list
- - storage.multipartUploads.listParts
- - storage.objects.get
- - storage.objects.getIamPolicy
- - storage.objects.list
- role_id: storageViewer
- stage: GA
- title: Custom role storageViewer
- module.organization.google_organization_iam_custom_role.roles["tag_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - resourcemanager.tagHolds.list
- - resourcemanager.tagKeys.get
- - resourcemanager.tagKeys.getIamPolicy
- - resourcemanager.tagKeys.list
- - resourcemanager.tagValues.get
- - resourcemanager.tagValues.getIamPolicy
- - resourcemanager.tagValues.list
- role_id: tagViewer
- stage: GA
- title: Custom role tagViewer
- module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.globalOperations.get
- role_id: tenantNetworkAdmin
- stage: GA
- title: Custom role tenantNetworkAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyReader
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyReader
- ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.orgFirewallPolicyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.xpnAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleViewer
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolViewer
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyViewer
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyViewer
- module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]:
- condition:
- - title: audit-logs bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["iam"]:
- condition:
- - title: iam bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]:
- condition:
- - title: vpc-sc bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]:
- condition:
- - title: workspace-audit-logs bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_tags_tag_key.default["org-policies"]:
- description: Organization policy conditions.
- parent: organizations/123456789012
- purpose: null
- purpose_data: null
- short_name: org-policies
- timeouts: null
- module.organization.google_tags_tag_value.default["org-policies/allowed-essential-contacts-domains-all"]:
- description: Managed by the Terraform organization module.
- short_name: allowed-essential-contacts-domains-all
- timeouts: null
- module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]:
- description: Managed by the Terraform organization module.
- short_name: allowed-policy-member-domains-all
- timeouts: null
\ No newline at end of file
diff --git a/tests/fast/stages/s0_bootstrap_legacy/iam_by_principals.tfvars b/tests/fast/stages/s0_bootstrap_legacy/iam_by_principals.tfvars
deleted file mode 100644
index d9ed7eb75..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/iam_by_principals.tfvars
+++ /dev/null
@@ -1,20 +0,0 @@
-billing_account = {
- id = "000000-111111-222222"
-}
-essential_contacts = "gcp-organization-admins@fast.example.com"
-groups = {
- gcp-support = "group:gcp-support@example.com"
-}
-org_policies_config = {
- import_defaults = false
-}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
-}
-outputs_location = "/fast-config"
-prefix = "fast"
-iam_by_principals = {
- "user:other@fast.example.com" = ["roles/browser"]
-}
diff --git a/tests/fast/stages/s0_bootstrap_legacy/iam_by_principals.yaml b/tests/fast/stages/s0_bootstrap_legacy/iam_by_principals.yaml
deleted file mode 100644
index 83b965d30..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/iam_by_principals.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - domain:fast.example.com
- - user:other@fast.example.com
- org_id: '123456789012'
- role: roles/browser
diff --git a/tests/fast/stages/s0_bootstrap_legacy/managed_org_policies.tfvars b/tests/fast/stages/s0_bootstrap_legacy/managed_org_policies.tfvars
deleted file mode 100644
index ecac88425..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/managed_org_policies.tfvars
+++ /dev/null
@@ -1,20 +0,0 @@
-billing_account = {
- id = "000000-111111-222222"
-}
-essential_contacts = "gcp-organization-admins@fast.example.com"
-factories_config = {
- org_policies = "data/org-policies-managed"
-}
-groups = {
- gcp-support = "group:gcp-support@example.com"
-}
-org_policies_config = {
- import_defaults = false
-}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
-}
-outputs_location = "/fast-config"
-prefix = "fast"
diff --git a/tests/fast/stages/s0_bootstrap_legacy/managed_org_policies.yaml b/tests/fast/stages/s0_bootstrap_legacy/managed_org_policies.yaml
deleted file mode 100644
index aa39d9cdd..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/managed_org_policies.yaml
+++ /dev/null
@@ -1,591 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableNestedVirtualization
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableSerialPortAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableVpcExternalIpv6
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.managed.restrictProtocolForwardingCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.managed.restrictProtocolForwardingCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: '{"allowedSchemes":["INTERNAL"]}'
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.requireOsLogin
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - in:INTERNAL
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.trustedImageProjects
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:projects/centos-cloud
- - is:projects/cos-cloud
- - is:projects/debian-cloud
- - is:projects/fedora-cloud
- - is:projects/fedora-coreos-cloud
- - is:projects/opensuse-cloud
- - is:projects/rhel-cloud
- - is:projects/rhel-sap-cloud
- - is:projects/rocky-linux-cloud
- - is:projects/suse-cloud
- - is:projects/suse-sap-cloud
- - is:projects/ubuntu-os-cloud
- - is:projects/ubuntu-os-pro-cloud
- - is:projects/windows-cloud
- - is:projects/windows-sql-cloud
- - is:projects/confidential-vm-images
- - is:projects/backupdr-images
- - is:projects/deeplearning-platform-release
- - is:projects/serverless-vpc-access-images
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.vmExternalIpAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/custom.denyBridgePerimeters
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
-
- '
- location: null
- title: Restrict essential contacts domains
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - '@fast.example.com'
- denied_values: null
- - allow_all: 'TRUE'
- condition:
- - description: null
- expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
-
- '
- location: null
- title: Allow essential contacts from any domain
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["gcp.resourceLocations"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/gcp.resourceLocations
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: 'TRUE'
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableAuditLoggingExemption
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.managed.allowedPolicyMembers"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.managed.allowedPolicyMembers
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
-
- '
- location: null
- title: Allow any member domain
- deny_all: null
- enforce: 'FALSE'
- parameters: null
- values: []
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: '{"allowedPrincipalSets":["//cloudresourcemanager.googleapis.com/organizations/123456789012"]}'
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.managed.disableServiceAccountKeyCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountKeyUpload"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.managed.disableServiceAccountKeyUpload
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:DISABLE_KEY
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["run.allowedIngress"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.allowedIngress
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:internal-and-cloud-load-balancing
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.managed.requireInvokerIam
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictPublicIp
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.publicAccessPrevention
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.restrictAuthTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.restrictAuthTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values: null
- denied_values:
- - in:ALL_HMAC_SIGNED_REQUESTS
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.secureHttpTransport
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
diff --git a/tests/fast/stages/s0_bootstrap_legacy/simple.tfvars b/tests/fast/stages/s0_bootstrap_legacy/simple.tfvars
deleted file mode 100644
index 879a044e2..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/simple.tfvars
+++ /dev/null
@@ -1,17 +0,0 @@
-billing_account = {
- id = "000000-111111-222222"
-}
-essential_contacts = "gcp-organization-admins@fast.example.com"
-groups = {
- gcp-support = "group:gcp-support@example.com"
-}
-org_policies_config = {
- import_defaults = false
-}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
-}
-outputs_location = "/fast-config"
-prefix = "fast"
diff --git a/tests/fast/stages/s0_bootstrap_legacy/simple.yaml b/tests/fast/stages/s0_bootstrap_legacy/simple.yaml
deleted file mode 100644
index 4ae05c234..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/simple.yaml
+++ /dev/null
@@ -1,1685 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-iac-core-0
- module.automation-project.data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-iac-core-0
- user_project: null
- module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-iac-core-0
- timeouts: null
- module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - https://token.actions.githubusercontent.com
- - https://gitlab.com
- - https://app.terraform.io
- denied_values: null
- timeouts: null
- module.automation-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-iac-core-0
- org_id: '123456789012'
- project_id: fast-prod-iac-core-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]:
- audit_log_config:
- - exempted_members: []
- log_type: ADMIN_READ
- project: fast-prod-iac-core-0
- service: iam.googleapis.com
- module.automation-project.google_project_iam_audit_config.default["sts.googleapis.com"]:
- audit_log_config:
- - exempted_members: []
- log_type: ADMIN_READ
- project: fast-prod-iac-core-0
- service: sts.googleapis.com
- module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: organizations/123456789012/roles/storageViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/browser
- module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.editor
- module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.viewer
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]:
- condition: []
- members:
- - group:gcp-devops@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountAdmin
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - group:gcp-devops@fast.example.com
- - group:gcp-organization-admins@fast.example.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountTokenCreator
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.workloadIdentityPoolAdmin
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.workloadIdentityPoolViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/owner
- module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/source.admin
- module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/source.reader
- module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/storage.admin
- module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/viewer
- module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]:
- condition:
- - description: Resource manager service account delegated grant.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer'])
- title: resman_delegated_grant
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/resourcemanager.projectIamAdmin
- module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]:
- condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/serviceusage.serviceUsageConsumer
- module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]:
- condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/serviceusage.serviceUsageViewer
- module.automation-project.google_project_iam_member.service_agents["cloudasset"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudasset.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["cloudbuild"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.builder
- module.automation-project.google_project_iam_member.service_agents["cloudkms"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudkms.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["compute-system"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/compute.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/container.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/container.defaultNodeServiceAgent
- module.automation-project.google_project_iam_member.service_agents["monitoring-notification"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/monitoring.notificationServiceAgent
- module.automation-project.google_project_iam_member.service_agents["pubsub"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/pubsub.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["service-networking"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/servicenetworking.serviceAgent
- module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: accesscontextmanager.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigquery.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigqueryreservation.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigquerystorage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: billingbudgets.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudasset.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudbilling.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudbuild.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudkms.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudquotas.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudresourcemanager.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["compute.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: compute.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: container.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["datacatalog.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: datacatalog.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: essentialcontacts.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["iam.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: iam.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: iamcredentials.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["logging.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: logging.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["monitoring.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: monitoring.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: networksecurity.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: orgpolicy.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: pubsub.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: servicenetworking.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: serviceusage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: storage-component.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: storage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["sts.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: sts.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: cloudasset.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: cloudkms.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["container.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: container.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["monitoring.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: monitoring.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: networksecurity.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: pubsub.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: servicenetworking.googleapis.com
- timeouts: null
- module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-bootstrap-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationAdminViewer
- ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/tagViewer
- module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform organization bootstrap service account (read-only).
- email: fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-bootstrap-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform organization bootstrap service account.
- email: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.automation-tf-output-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-outputs-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-resman-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-resman-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast-prod-iac-core-resman-0
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast-prod-iac-core-resman-0
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationAdminViewer
- ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
- : condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/tagViewer
- module.automation-tf-resman-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 resman service account (read-only).
- email: fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-resman-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 resman service account.
- email: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast-prod-iac-core-vpcsc-0
- project: fast-prod-iac-core-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast-prod-iac-core-vpcsc-0
- condition: []
- members:
- - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast-prod-iac-core-vpcsc-0
- condition: []
- members:
- - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-vpcsc-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 vpcsc service account (read-only).
- email: fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-vpcsc-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: organizations/123456789012/roles/storageViewer
- module.automation-tf-vpcsc-sa.google_service_account.service_account[0]:
- account_id: fast-prod-vpcsc-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform stage 1 vpcsc service account.
- email: fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- timeouts: null
- module.automation-tf-vpcsc-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.billing-export-dataset[0].google_bigquery_dataset.default:
- dataset_id: billing_export
- default_encryption_configuration: []
- default_partition_expiration_ms: null
- default_table_expiration_ms: null
- delete_contents_on_destroy: false
- description: Terraform managed.
- effective_labels:
- goog-terraform-provisioned: 'true'
- external_catalog_dataset_options: []
- external_dataset_reference: []
- friendly_name: Billing export.
- labels: null
- location: EU
- max_time_travel_hours: '168'
- project: fast-prod-billing-exp-0
- resource_tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-billing-exp-0
- module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-billing-exp-0
- user_project: null
- module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-billing-exp-0
- timeouts: null
- module.billing-export-project[0].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-billing-exp-0
- org_id: '123456789012'
- project_id: fast-prod-billing-exp-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-billing-exp-0
- role: roles/owner
- module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-billing-exp-0
- role: roles/viewer
- module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]:
- condition: []
- project: fast-prod-billing-exp-0
- role: roles/bigquerydatatransfer.serviceAgent
- module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: bigquery.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: bigquerydatatransfer.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: storage.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]:
- project: fast-prod-billing-exp-0
- service: bigquerydatatransfer.googleapis.com
- timeouts: null
- module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: audit-logs
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: iam
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: vpc-sc
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: workspace-audit-logs
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: global
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-audit-logs-0
- module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-audit-logs-0
- user_project: null
- module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-audit-logs-0
- timeouts: null
- module.log-export-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: null
- labels: null
- name: fast-prod-audit-logs-0
- org_id: '123456789012'
- project_id: fast-prod-audit-logs-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-audit-logs-0
- role: roles/owner
- module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-audit-logs-0
- role: roles/viewer
- module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: bigquery.googleapis.com
- timeouts: null
- module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.log-export-project.google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: storage.googleapis.com
- timeouts: null
- module.organization-logging.google_logging_organization_settings.default[0]:
- organization: '123456789012'
- storage_location: global
- timeouts: null
- module.organization.google_logging_organization_sink.sink["audit-logs"]:
- description: audit-logs (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'log_id("cloudaudit.googleapis.com/activity") OR
-
- log_id("cloudaudit.googleapis.com/system_event") OR
-
- log_id("cloudaudit.googleapis.com/policy") OR
-
- log_id("cloudaudit.googleapis.com/access_transparency")
-
- '
- include_children: true
- intercept_children: false
- name: audit-logs
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["iam"]:
- description: iam (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR
-
- protoPayload.serviceName="iam.googleapis.com" OR
-
- protoPayload.serviceName="sts.googleapis.com"
-
- '
- include_children: true
- intercept_children: false
- name: iam
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["vpc-sc"]:
- description: vpc-sc (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
-
- '
- include_children: true
- intercept_children: false
- name: vpc-sc
- org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]:
- description: workspace-audit-logs (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.serviceName="admin.googleapis.com" OR
-
- protoPayload.serviceName="cloudidentity.googleapis.com" OR
-
- protoPayload.serviceName="login.googleapis.com"
-
- '
- include_children: true
- intercept_children: false
- name: workspace-audit-logs
- org_id: '123456789012'
- module.organization.google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]:
- action_type: DENY
- condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'
- description: Disables the use of perimeter bridges. Instead, use ingress and egress
- rules.
- display_name: Disable perimeter bridges
- method_types:
- - CREATE
- - UPDATE
- name: custom.denyBridgePerimeters
- parent: organizations/123456789012
- resource_types:
- - accesscontextmanager.googleapis.com/ServicePerimeter
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]:
- condition: []
- members: null
- org_id: '123456789012'
- role: roles/billing.creator
- module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - domain:fast.example.com
- org_id: '123456789012'
- role: roles/browser
- module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - group:gcp-security-admins@fast.example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudasset.owner
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.admin
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- - group:gcp-support@example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.techSupportEditor
- module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.osAdminLogin
- module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.osLoginExternalUser
- module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/essentialcontacts.admin
- module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/essentialcontacts.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.securityReviewer
- module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.admin
- module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
- condition: []
- members:
- - group:gcp-support@example.com
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
- condition: []
- members:
- - group:gcp-support@example.com
- org_id: '123456789012'
- role: roles/monitoring.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/owner
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.folderAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.folderViewer
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.organizationAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.projectCreator
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.projectMover
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagUser
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagViewer
- module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/securitycenter.admin
- module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/serviceusage.serviceUsageViewer
- module.organization.google_organization_iam_binding.bindings["organization_billing_conditional"]:
- condition:
- - description: Automation service account delegated grants.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/billing.admin','roles/billing.costsManager','roles/billing.user'])
- title: automation_sa_delegated_grants
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationIamAdmin
- module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
- condition:
- - description: Automation service account delegated grants.
- expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyEditor'',''roles/accesscontextmanager.policyReader'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
-
- || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/iam.workforcePoolAdmin'',''roles/iam.workforcePoolViewer''])
-
- || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/billingViewer'',''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
-
- '
- title: automation_sa_delegated_grants
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationIamAdmin
- module.organization.google_organization_iam_custom_role.roles["billing_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - billing.accounts.get
- - billing.accounts.getIamPolicy
- - billing.accounts.getSpendingInformation
- - billing.accounts.getUsageExportSpec
- - billing.accounts.list
- - billing.budgets.get
- - billing.budgets.list
- - billing.budgets.update
- - billing.credits.list
- - billing.resourceAssociations.list
- - recommender.costInsights.get
- - recommender.costInsights.list
- role_id: billingViewer
- stage: GA
- title: Custom role billingViewer
- module.organization.google_organization_iam_custom_role.roles["dns_zone_binder"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - dns.networks.bindPrivateDNSZone
- role_id: dnsZoneBinder
- stage: GA
- title: Custom role dnsZoneBinder
- module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - vmwareengine.networkPeerings.create
- - vmwareengine.networkPeerings.delete
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
- role_id: gcveNetworkAdmin
- stage: GA
- title: Custom role gcveNetworkAdmin
- module.organization.google_organization_iam_custom_role.roles["gcve_network_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
- role_id: gcveNetworkViewer
- stage: GA
- title: Custom role gcveNetworkViewer
- module.organization.google_organization_iam_custom_role.roles["kms_key_encryption_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - cloudkms.cryptoKeyVersions.get
- - cloudkms.cryptoKeyVersions.list
- - cloudkms.cryptoKeys.get
- - cloudkms.cryptoKeys.getIamPolicy
- - cloudkms.cryptoKeys.list
- - cloudkms.cryptoKeys.setIamPolicy
- role_id: kmsKeyEncryptionAdmin
- stage: GA
- title: Custom role kmsKeyEncryptionAdmin
- module.organization.google_organization_iam_custom_role.roles["kms_key_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - cloudkms.cryptoKeyVersions.get
- - cloudkms.cryptoKeyVersions.list
- - cloudkms.cryptoKeys.get
- - cloudkms.cryptoKeys.getIamPolicy
- - cloudkms.cryptoKeys.list
- role_id: kmsKeyViewer
- stage: GA
- title: Custom role kmsKeyViewer
- module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.networks.setFirewallPolicy
- - networksecurity.firewallEndpointAssociations.create
- - networksecurity.firewallEndpointAssociations.delete
- - networksecurity.firewallEndpointAssociations.get
- - networksecurity.firewallEndpointAssociations.list
- - networksecurity.firewallEndpointAssociations.update
- role_id: networkFirewallPoliciesAdmin
- stage: GA
- title: Custom role networkFirewallPoliciesAdmin
- module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - networksecurity.firewallEndpoints.create
- - networksecurity.firewallEndpoints.delete
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.update
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.cancel
- - networksecurity.operations.delete
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.create
- - networksecurity.securityProfileGroups.delete
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.update
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.create
- - networksecurity.securityProfiles.delete
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.update
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.create
- - networksecurity.tlsInspectionPolicies.delete
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.update
- - networksecurity.tlsInspectionPolicies.use
- role_id: ngfwEnterpriseAdmin
- stage: GA
- title: Custom role ngfwEnterpriseAdmin
- module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.use
- role_id: ngfwEnterpriseViewer
- stage: GA
- title: Custom role ngfwEnterpriseViewer
- module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - essentialcontacts.contacts.get
- - essentialcontacts.contacts.list
- - logging.settings.get
- - orgpolicy.constraints.list
- - orgpolicy.policies.list
- - orgpolicy.policy.get
- - resourcemanager.folders.get
- - resourcemanager.folders.getIamPolicy
- - resourcemanager.folders.list
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.projects.get
- - resourcemanager.projects.getIamPolicy
- - resourcemanager.projects.list
- - storage.buckets.getIamPolicy
- role_id: organizationAdminViewer
- stage: GA
- title: Custom role organizationAdminViewer
- module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.organizations.setIamPolicy
- role_id: organizationIamAdmin
- stage: GA
- title: Custom role organizationIamAdmin
- module.organization.google_organization_iam_custom_role.roles["project_iam_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - iam.policybindings.get
- - iam.policybindings.list
- - resourcemanager.projects.get
- - resourcemanager.projects.getIamPolicy
- - resourcemanager.projects.searchPolicyBindings
- role_id: projectIamViewer
- stage: GA
- title: Custom role projectIamViewer
- module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.globalOperations.get
- - compute.networks.get
- - compute.networks.updatePeering
- - compute.organizations.disableXpnResource
- - compute.organizations.enableXpnResource
- - compute.projects.get
- - compute.subnetworks.getIamPolicy
- - compute.subnetworks.setIamPolicy
- - dns.networks.bindPrivateDNSZone
- - resourcemanager.projects.get
- role_id: serviceProjectNetworkAdmin
- stage: GA
- title: Custom role serviceProjectNetworkAdmin
- module.organization.google_organization_iam_custom_role.roles["storage_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - storage.buckets.get
- - storage.buckets.getIamPolicy
- - storage.buckets.getObjectInsights
- - storage.buckets.list
- - storage.buckets.listEffectiveTags
- - storage.buckets.listTagBindings
- - storage.managedFolders.get
- - storage.managedFolders.getIamPolicy
- - storage.managedFolders.list
- - storage.multipartUploads.list
- - storage.multipartUploads.listParts
- - storage.objects.get
- - storage.objects.getIamPolicy
- - storage.objects.list
- role_id: storageViewer
- stage: GA
- title: Custom role storageViewer
- module.organization.google_organization_iam_custom_role.roles["tag_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - resourcemanager.tagHolds.list
- - resourcemanager.tagKeys.get
- - resourcemanager.tagKeys.getIamPolicy
- - resourcemanager.tagKeys.list
- - resourcemanager.tagValues.get
- - resourcemanager.tagValues.getIamPolicy
- - resourcemanager.tagValues.list
- role_id: tagViewer
- stage: GA
- title: Custom role tagViewer
- module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.globalOperations.get
- role_id: tenantNetworkAdmin
- stage: GA
- title: Custom role tenantNetworkAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyReader
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyReader
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]
- : condition: []
- member: group:gcp-billing-admins@fast.example.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.orgFirewallPolicyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.xpnAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleViewer
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolViewer
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyViewer
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyViewer
- module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]:
- condition:
- - title: audit-logs bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["iam"]:
- condition:
- - title: iam bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]:
- condition:
- - title: vpc-sc bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]:
- condition:
- - title: workspace-audit-logs bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_tags_tag_key.default["org-policies"]:
- description: Organization policy conditions.
- parent: organizations/123456789012
- purpose: null
- purpose_data: null
- short_name: org-policies
- timeouts: null
- module.organization.google_tags_tag_value.default["org-policies/allowed-essential-contacts-domains-all"]:
- description: Managed by the Terraform organization module.
- short_name: allowed-essential-contacts-domains-all
- timeouts: null
- module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]:
- description: Managed by the Terraform organization module.
- short_name: allowed-policy-member-domains-all
- timeouts: null
-
-counts:
- google_bigquery_dataset: 1
- google_bigquery_default_service_account: 3
- google_essential_contacts_contact: 3
- google_logging_organization_settings: 1
- google_logging_organization_sink: 4
- google_logging_project_bucket_config: 4
- google_org_policy_custom_constraint: 1
- google_org_policy_policy: 40
- google_organization_iam_binding: 26
- google_organization_iam_custom_role: 16
- google_organization_iam_member: 31
- google_project: 3
- google_project_iam_audit_config: 2
- google_project_iam_binding: 19
- google_project_iam_member: 17
- google_project_service: 33
- google_project_service_identity: 8
- google_service_account: 6
- google_service_account_iam_binding: 6
- google_storage_bucket: 4
- google_storage_bucket_iam_binding: 4
- google_storage_bucket_iam_member: 6
- google_storage_bucket_object: 9
- google_storage_project_service_account: 3
- google_tags_tag_key: 1
- google_tags_tag_value: 2
- local_file: 8
- modules: 20
- resources: 261
-
-outputs:
- cicd_repositories: {}
- custom_roles:
- billing_viewer: organizations/123456789012/roles/billingViewer
- dns_zone_binder: organizations/123456789012/roles/dnsZoneBinder
- gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin
- gcve_network_viewer: organizations/123456789012/roles/gcveNetworkViewer
- kms_key_encryption_admin: organizations/123456789012/roles/kmsKeyEncryptionAdmin
- kms_key_viewer: organizations/123456789012/roles/kmsKeyViewer
- network_firewall_policies_admin: organizations/123456789012/roles/networkFirewallPoliciesAdmin
- ngfw_enterprise_admin: organizations/123456789012/roles/ngfwEnterpriseAdmin
- ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer
- organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
- organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
- project_iam_viewer: organizations/123456789012/roles/projectIamViewer
- service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
- storage_viewer: organizations/123456789012/roles/storageViewer
- tag_viewer: organizations/123456789012/roles/tagViewer
- tenant_network_admin: organizations/123456789012/roles/tenantNetworkAdmin
- outputs_bucket: fast-prod-iac-core-outputs-0
- project_ids:
- automation: fast-prod-iac-core-0
- billing-export: fast-prod-billing-exp-0
- log-export: fast-prod-audit-logs-0
- service_accounts:
- bootstrap: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- resman: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- tfvars_globals:
- billing_account:
- force_create:
- dataset: false
- project: false
- log_bucket: false
- id: 000000-111111-222222
- is_org_level: true
- no_iam: false
- environments:
- dev:
- is_default: false
- key: dev
- name: Development
- short_name: dev
- tag_name: development
- prod:
- is_default: true
- key: prod
- name: Production
- short_name: prod
- tag_name: production
- groups:
- gcp-billing-admins: group:gcp-billing-admins@fast.example.com
- gcp-devops: group:gcp-devops@fast.example.com
- gcp-network-admins: group:gcp-vpc-network-admins@fast.example.com
- gcp-organization-admins: group:gcp-organization-admins@fast.example.com
- gcp-secops-admins: group:gcp-security-admins@fast.example.com
- gcp-security-admins: group:gcp-security-admins@fast.example.com
- gcp-support: group:gcp-support@example.com
- locations:
- bq: EU
- gcs: EU
- logging: global
- pubsub: []
- organization:
- customer_id: C00000000
- domain: fast.example.com
- id: 123456789012
- prefix: fast
- workforce_identity_pool:
- pool: null
- workload_identity_pool:
- pool: null
- providers: {}
diff --git a/tests/fast/stages/s0_bootstrap_legacy/simple_org_policies.yaml b/tests/fast/stages/s0_bootstrap_legacy/simple_org_policies.yaml
deleted file mode 100644
index 8053833b3..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/simple_org_policies.yaml
+++ /dev/null
@@ -1,622 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableNestedVirtualization
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableSerialPortAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableVpcExternalIpv6
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.requireOsLogin
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - in:INTERNAL
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.restrictProtocolForwardingCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.restrictProtocolForwardingCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:INTERNAL
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.trustedImageProjects
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:projects/centos-cloud
- - is:projects/cos-cloud
- - is:projects/debian-cloud
- - is:projects/fedora-cloud
- - is:projects/fedora-coreos-cloud
- - is:projects/opensuse-cloud
- - is:projects/rhel-cloud
- - is:projects/rhel-sap-cloud
- - is:projects/rocky-linux-cloud
- - is:projects/suse-cloud
- - is:projects/suse-sap-cloud
- - is:projects/ubuntu-os-cloud
- - is:projects/ubuntu-os-pro-cloud
- - is:projects/windows-cloud
- - is:projects/windows-sql-cloud
- - is:projects/confidential-vm-images
- - is:projects/confidential-space-images
- - is:projects/backupdr-images
- - is:projects/deeplearning-platform-release
- - is:projects/serverless-vpc-access-images
- - is:projects/gke-node-images
- - is:projects/gke-windows-node-images
- - is:projects/ubuntu-os-gke-cloud
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.vmExternalIpAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/custom.denyBridgePerimeters
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
-
- '
- location: null
- title: Restrict essential contacts domains
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - '@fast.example.com'
- denied_values: null
- - allow_all: 'TRUE'
- condition:
- - description: null
- expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
-
- '
- location: null
- title: Allow essential contacts from any domain
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["gcp.resourceLocations"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/gcp.resourceLocations
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: 'TRUE'
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
-
- '
- location: null
- title: Restrict member domains
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:C00000000
- denied_values: null
- - allow_all: 'TRUE'
- condition:
- - description: null
- expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
-
- '
- location: null
- title: Allow any member domain
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableAuditLoggingExemption
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:DISABLE_KEY
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["run.allowedIngress"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.allowedIngress
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values:
- - is:internal-and-cloud-load-balancing
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.managed.requireInvokerIam
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictPublicIp
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.publicAccessPrevention
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.restrictAuthTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.restrictAuthTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values:
- - allowed_values: null
- denied_values:
- - in:ALL_HMAC_SIGNED_REQUESTS
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.secureHttpTransport
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["container.managed.enablePrivateNodes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/container.managed.enablePrivateNodes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountApiKeyCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.managed.disableServiceAccountApiKeyCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
diff --git a/tests/fast/stages/s0_bootstrap_legacy/tftest.yaml b/tests/fast/stages/s0_bootstrap_legacy/tftest.yaml
deleted file mode 100644
index 4c29b4455..000000000
--- a/tests/fast/stages/s0_bootstrap_legacy/tftest.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# skip boilerplate check
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module: fast/stages/0-bootstrap-legacy
-tests:
- simple:
- inventory:
- - simple.yaml
- - simple_org_policies.yaml
- managed_org_policies:
- inventory:
- - simple.yaml
- - managed_org_policies.yaml
- external_billing_account:
- inventory:
- - external_billing_account.yaml
- iam_by_principals:
- cicd:
diff --git a/tests/fast/stages/s1_resman_legacy/__init__.py b/tests/fast/stages/s1_resman_legacy/__init__.py
deleted file mode 100644
index c37e93b74..000000000
--- a/tests/fast/stages/s1_resman_legacy/__init__.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
diff --git a/tests/fast/stages/s1_resman_legacy/simple.tfvars b/tests/fast/stages/s1_resman_legacy/simple.tfvars
deleted file mode 100644
index c18133120..000000000
--- a/tests/fast/stages/s1_resman_legacy/simple.tfvars
+++ /dev/null
@@ -1,156 +0,0 @@
-# stage variables
-
-fast_addon = {
- ngfw = {
- parent_stage = "2-networking"
- }
-}
-fast_stage_2 = {
- # replicate one stage 2 via tfvars so as to check CI/CD configuration
- project-factory = {
- short_name = "pf"
- cicd_config = {
- identity_provider = "gh-test"
- repository = {
- name = "cloud-foundation-fabric/1-resman"
- branch = "main"
- }
- workflows_config = {
- extra_files = [
- "99-user.auto.tfvars.json"
- ]
- }
- }
- organization_config = {
- iam_bindings_additive = {
- sa_pf_conditional_org_policy = {
- member = "rw"
- role = "roles/orgpolicy.policyAdmin"
- condition = {
- title = "org_policy_tag_pf_scoped"
- description = "Org policy tag scoped grant for project factory."
- expression = "resource.matchTag('$${organization.id}/$${tag_names.context}', 'project-factory')"
- }
- }
- }
- }
- }
-}
-tags = {
- context = {
- values = {
- data-platform = {}
- gcve = {}
- gke = {}
- nsec = {}
- sandbox = {}
- }
- }
- environment = {
- values = {
- development = {
- iam = {
- "roles/resourcemanager.tagUser" = ["gcve-dev-rw"]
- "roles/resourcemanager.tagViewer" = ["gcve-dev-ro"]
- }
- }
- }
- }
-}
-top_level_folders = {
- tenants = {
- name = "Tenants"
- iam_by_principals = {}
- }
- shared = {
- name = "Shared Infrastructure"
- }
-}
-
-# globals
-
-billing_account = {
- id = "000000-111111-222222"
-}
-environments = {
- dev = {
- is_default = false
- name = "Development"
- short_name = "dev"
- tag_name = "development"
- }
- prod = {
- is_default = true
- name = "Production"
- short_name = "prod"
- tag_name = "production"
- }
-}
-groups = {
- gcp-billing-admins = "gcp-billing-admins",
- gcp-devops = "gcp-devops",
- gcp-network-admins = "gcp-vpc-network-admins",
- gcp-organization-admins = "gcp-organization-admins",
- gcp-security-admins = "gcp-security-admins",
- gcp-support = "gcp-support"
-}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
-}
-prefix = "fast2"
-
-# stage 0
-
-automation = {
- federated_identity_pool = "projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap"
- federated_identity_providers = {
- gh-test = {
- audiences = [
- "https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno"
- ],
- issuer = "github",
- issuer_uri = "https://token.actions.githubusercontent.com"
- name = "projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno"
- principal_branch = "principalSet://iam.googleapis.com/%s/attribute.fast_sub/repo:%s:ref:refs/heads/%s"
- principal_repo = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
- }
- gl-test = {
- audiences = [
- "https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno"
- ]
- issuer = "gitlab"
- issuer_uri = "https://gitlab.com"
- name = "projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno"
- principal_branch = "principalSet://iam.googleapis.com/%s/attribute.sub/project_path:%s:ref_type:branch:ref:%s"
- principal_repo = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
- }
- },
- outputs_bucket = "fast2-prod-iac-core-outputs"
- project_id = "fast2-prod-automation"
- project_number = 123456
- service_accounts = {
- resman = "fast2-prod-resman-0@fast2-prod-iac-core-0.iam.gserviceaccount.com"
- resman-r = "fast2-prod-resman-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com"
- }
-}
-custom_roles = {
- # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
- billing_viewer = "organizations/123456789012/roles/billingViewer"
- dns_zone_binder = "organizations/123456789012/roles/dnsZoneBinder"
- gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
- gcve_network_viewer = "organizations/123456789012/roles/gcveNetworkViewer"
- kms_key_encryption_admin = "organizations/123456789012/roles/kmsKeyEncryptionAdmin"
- kms_key_viewer = "organizations/123456789012/roles/kmsKeyViewer"
- network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
- ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
- ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
- organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- project_iam_viewer = "organizations/123456789012/roles/projectIamViewer"
- service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
- storage_viewer = "organizations/123456789012/roles/storageViewer"
-}
-logging = {
- project_id = "fast-prod-log-audit-0"
-}
diff --git a/tests/fast/stages/s1_resman_legacy/simple.yaml b/tests/fast/stages/s1_resman_legacy/simple.yaml
deleted file mode 100644
index 0bbc15fac..000000000
--- a/tests/fast/stages/s1_resman_legacy/simple.yaml
+++ /dev/null
@@ -1,1682 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-counts:
- google_folder: 16
- google_folder_iam_binding: 72
- google_org_policy_policy: 2
- google_organization_iam_member: 21
- google_project_iam_member: 19
- google_service_account: 19
- google_service_account_iam_binding: 19
- google_storage_bucket: 9
- google_storage_bucket_iam_binding: 18
- google_storage_bucket_iam_member: 19
- google_storage_bucket_object: 22
- google_tags_tag_binding: 16
- google_tags_tag_key: 2
- google_tags_tag_value: 13
- google_tags_tag_value_iam_binding: 4
- modules: 45
- resources: 271
-
-values:
- google_storage_bucket_object.workflows["2-project-factory"]:
- bucket: fast2-prod-iac-core-outputs
- cache_control: null
- content: "# Copyright 2025 Google LLC\n#\n# Licensed under the Apache License,\
- \ Version 2.0 (the \"License\");\n# you may not use this file except in compliance\
- \ with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n\
- #\n# Unless required by applicable law or agreed to in writing, software\n#\
- \ distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT\
- \ WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the\
- \ License for the specific language governing permissions and\n# limitations\
- \ under the License.\n\nname: \"FAST project-factory stage\"\n\non:\n pull_request:\n\
- \ branches:\n - main\n types:\n - closed\n - opened\n \
- \ - synchronize\n\nenv:\n FAST_SERVICE_ACCOUNT: fast2-prod-resman-pf-1@fast2-prod-automation.iam.gserviceaccount.com\n\
- \ FAST_SERVICE_ACCOUNT_PLAN: fast2-prod-resman-pf-1r@fast2-prod-automation.iam.gserviceaccount.com\n\
- \ FAST_WIF_PROVIDER: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno\n\
- \ SSH_AUTH_SOCK: /tmp/ssh_agent.sock\n TF_PROVIDERS_FILE: 2-project-factory-providers.tf\n\
- \ TF_PROVIDERS_FILE_PLAN: 2-project-factory-r-providers.tf\n TF_VERSION: 1.11.4\n\
- \njobs:\n fast-pr:\n # Skip PRs which are closed without being merged.\n\
- \ if: >-\n github.event.action == 'closed' && \n github.event.pull_request.merged\
- \ == true ||\n github.event.action == 'opened' ||\n github.event.action\
- \ == 'synchronize'\n permissions:\n contents: read\n id-token:\
- \ write\n issues: write\n pull-requests: write\n runs-on: ubuntu-latest\n\
- \ steps:\n - id: checkout\n name: Checkout repository\n \
- \ uses: actions/checkout@v4\n\n # set up SSH key authentication to the\
- \ modules repository\n\n - id: ssh-config\n name: Configure SSH\
- \ authentication\n run: |\n ssh-agent -a \"$SSH_AUTH_SOCK\"\
- \ > /dev/null\n ssh-add - <<< \"${{ secrets.CICD_MODULES_KEY }}\"\n\
- \n # set up step variables for plan / apply\n\n - id: vars-plan\n\
- \ if: github.event.pull_request.merged != true && success()\n \
- \ name: Set up plan variables\n run: |\n echo \"plan_opts=-lock=false\"\
- \ >> \"$GITHUB_ENV\"\n echo \"provider_file=${{env.TF_PROVIDERS_FILE_PLAN}}\"\
- \ >> \"$GITHUB_ENV\"\n echo \"service_account=${{env.FAST_SERVICE_ACCOUNT_PLAN}}\"\
- \ >> \"$GITHUB_ENV\"\n\n - id: vars-apply\n if: github.event.pull_request.merged\
- \ == true && success()\n name: Set up apply variables\n run: |\n\
- \ echo \"provider_file=${{env.TF_PROVIDERS_FILE}}\" >> \"$GITHUB_ENV\"\
- \n echo \"service_account=${{env.FAST_SERVICE_ACCOUNT}}\" >> \"$GITHUB_ENV\"\
- \n\n # set up authentication via Workload identity Federation and gcloud\n\
- \n - id: gcp-auth\n name: Authenticate to Google Cloud\n \
- \ uses: google-github-actions/auth@v2\n with:\n workload_identity_provider:\
- \ ${{env.FAST_WIF_PROVIDER}}\n service_account: ${{env.service_account}}\n\
- \ access_token_lifetime: 900s\n\n - id: gcp-sdk\n name:\
- \ Set up Cloud SDK\n uses: google-github-actions/setup-gcloud@v2\n \
- \ with:\n install_components: alpha\n\n # copy provider file\n\
- \n - id: tf-config-provider\n name: Copy Terraform provider file\n\
- \ run: |\n gcloud storage cp -r \\\n \"gs://fast2-prod-iac-core-outputs/providers/${{env.provider_file}}\"\
- \ ./\n gcloud storage cp -r \\\n \"gs://fast2-prod-iac-core-outputs/tfvars/0-bootstrap.auto.tfvars.json\"\
- \ ./\n gcloud storage cp -r \\\n \"gs://fast2-prod-iac-core-outputs/tfvars/1-resman.auto.tfvars.json\"\
- \ ./\n gcloud storage cp -r \\\n \"gs://fast2-prod-iac-core-outputs/tfvars/0-globals.auto.tfvars.json\"\
- \ ./\n gcloud storage cp -r \\\n \"gs://fast2-prod-iac-core-outputs/tfvars/99-user.auto.tfvars.json\"\
- \ ./\n\n - id: tf-setup\n name: Set up Terraform\n uses:\
- \ hashicorp/setup-terraform@v3\n with:\n terraform_version:\
- \ ${{env.TF_VERSION}}\n\n # run Terraform init/validate/plan\n\n -\
- \ id: tf-init\n name: Terraform init\n continue-on-error: true\n\
- \ run: |\n terraform init -no-color\n\n - id: tf-validate\n\
- \ continue-on-error: true\n name: Terraform validate\n \
- \ run: terraform validate -no-color\n\n - id: tf-plan\n name: Terraform\
- \ plan\n continue-on-error: true\n run: |\n terraform\
- \ plan -input=false -out ../plan.out -no-color ${{env.plan_opts}}\n\n -\
- \ id: tf-apply\n if: github.event.pull_request.merged == true && success()\n\
- \ name: Terraform apply\n continue-on-error: true\n run:\
- \ |\n terraform apply -input=false -auto-approve -no-color ../plan.out\n\
- \n # PR comment with Terraform result from previous steps\n # length\
- \ is checked and trimmed for length so as to stay within the limit\n\n \
- \ - id: pr-comment\n name: Post comment to Pull Request\n continue-on-error:\
- \ true\n uses: actions/github-script@v7\n if: github.event_name\
- \ == 'pull_request'\n env:\n PLAN: ${{steps.tf-plan.outputs.stdout}}\\\
- n${{steps.tf-plan.outputs.stderr}}\n with:\n script: |\n \
- \ const output = `### Terraform Initialization \\`${{steps.tf-init.outcome}}\\\
- `\n\n ### Terraform Validation \\`${{steps.tf-validate.outcome}}\\\
- `\n\n Validation Output
\n\n \
- \ \\`\\`\\`\\n\n ${{steps.tf-validate.outputs.stdout}}\n \
- \ \\`\\`\\`\n\n \n\n ### Terraform Plan\
- \ \\`${{steps.tf-plan.outcome}}\\`\n\n Show Plan
\n\
- \n \\`\\`\\`\\n\n ${process.env.PLAN.split('\\n').filter(l\
- \ => l.match(/^([A-Z\\s].*|)$$/)).join('\\n')}\n \\`\\`\\`\n\n \
- \ \n\n ### Terraform Apply \\`${{steps.tf-apply.outcome}}\\\
- `\n\n *Pusher: @${{github.actor}}, Action: \\`${{github.event_name}}\\\
- `, Working Directory: \\`${{env.tf_actions_working_dir}}\\`, Workflow: \\`${{github.workflow}}\\\
- `*`;\n\n github.rest.issues.createComment({\n issue_number:\
- \ context.issue.number,\n owner: context.repo.owner,\n \
- \ repo: context.repo.repo,\n body: output\n })\n\
- \n - id: pr-short-comment\n name: Post comment to Pull Request (abbreviated)\n\
- \ uses: actions/github-script@v7\n if: github.event_name == 'pull_request'\
- \ && steps.pr-comment.outcome != 'success'\n with:\n script:\
- \ |\n const output = `### Terraform Initialization \\`${{steps.tf-init.outcome}}\\\
- `\n\n ### Terraform Validation \\`${{steps.tf-validate.outcome}}\\\
- `\n\n ### Terraform Plan \\`${{steps.tf-plan.outcome}}\\`\n\n \
- \ Plan output is in the action log.\n\n ### Terraform Apply\
- \ \\`${{steps.tf-apply.outcome}}\\`\n\n *Pusher: @${{github.actor}},\
- \ Action: \\`${{github.event_name}}\\`, Working Directory: \\`${{env.tf_actions_working_dir}}\\\
- `, Workflow: \\`${{github.workflow}}\\`*`;\n\n github.rest.issues.createComment({\n\
- \ issue_number: context.issue.number,\n owner: context.repo.owner,\n\
- \ repo: context.repo.repo,\n body: output\n \
- \ })\n\n # exit on error from previous steps\n\n - id: check-init\n\
- \ name: Check init failure\n if: steps.tf-init.outcome != 'success'\n\
- \ run: exit 1\n\n - id: check-validate\n name: Check validate\
- \ failure\n if: steps.tf-validate.outcome != 'success'\n run:\
- \ exit 1\n\n - id: check-plan\n name: Check plan failure\n \
- \ if: steps.tf-plan.outcome != 'success'\n run: exit 1\n\n - id:\
- \ check-apply\n name: Check apply failure\n if: github.event.pull_request.merged\
- \ == true && steps.tf-apply.outcome != 'success'\n run: exit 1\n"
- content_disposition: null
- content_encoding: null
- content_language: null
- customer_encryption: []
- deletion_policy: null
- detect_md5hash: different hash
- event_based_hold: null
- force_empty_content_type: null
- metadata: null
- name: workflows/2-project-factory-workflow.yaml
- retention: []
- source: null
- source_md5hash: null
- temporary_hold: null
- timeouts: null
- ? module.cicd-sa-ro["project-factory"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]
- : condition: []
- project: fast2-prod-automation
- role: roles/logging.logWriter
- module.cicd-sa-ro["project-factory"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-pf-1r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: CI/CD 2-pf prod service account (read-only).
- email: fast2-prod-resman-pf-1r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-pf-1r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.cicd-sa-ro["project-factory"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
- condition: []
- members:
- - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/cloud-foundation-fabric/1-resman
- role: roles/iam.workloadIdentityUser
- ? module.cicd-sa-ro["project-factory"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectViewer
- ? module.cicd-sa-rw["project-factory"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]
- : condition: []
- project: fast2-prod-automation
- role: roles/logging.logWriter
- module.cicd-sa-rw["project-factory"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-pf-1
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: CI/CD 2-pf prod service account.
- email: fast2-prod-resman-pf-1@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-pf-1@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.cicd-sa-rw["project-factory"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
- condition: []
- members:
- - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.fast_sub/repo:cloud-foundation-fabric/1-resman:ref:refs/heads/main
- role: roles/iam.workloadIdentityUser
- ? module.cicd-sa-rw["project-factory"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectViewer
- module.organization[0].google_organization_iam_member.bindings["data-platform-dev"]:
- condition: []
- member: serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.user
- module.organization[0].google_organization_iam_member.bindings["gcve-dev"]:
- condition: []
- member: serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.user
- module.organization[0].google_organization_iam_member.bindings["gke-dev"]:
- condition: []
- member: serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.user
- module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.user
- module.organization[0].google_organization_iam_member.bindings["sa_net_costs_manager"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.costsManager
- module.organization[0].google_organization_iam_member.bindings["sa_net_ro_fw_policy_user"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/compute.orgFirewallPolicyUser
- module.organization[0].google_organization_iam_member.bindings["sa_net_ro_ngfw_enterprise_viewer"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/ngfwEnterpriseViewer
- module.organization[0].google_organization_iam_member.bindings["sa_net_rw_fw_policy_admin"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/compute.orgFirewallPolicyAdmin
- module.organization[0].google_organization_iam_member.bindings["sa_net_rw_ngfw_enterprise_admin"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/ngfwEnterpriseAdmin
- module.organization[0].google_organization_iam_member.bindings["sa_net_rw_xpn_admin"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/compute.xpnAdmin
- module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.user
- module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]:
- condition:
- - description: Org policy tag scoped grant for project factory.
- expression: resource.matchTag('123456789012/context', 'project-factory')
- title: org_policy_tag_pf_scoped
- member: serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.costsManager
- module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.user
- module.organization[0].google_organization_iam_member.bindings["sa_sec_cloudasset"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- module.organization[0].google_organization_iam_member.bindings["sa_sec_costs_manager"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.costsManager
- module.organization[0].google_organization_iam_member.bindings["sa_so_billing"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.user
- module.organization[0].google_organization_iam_member.bindings["sa_so_costs_manager"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.costsManager
- module.organization[0].google_organization_iam_member.bindings["sa_so_ro_wif"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolViewer
- module.organization[0].google_organization_iam_member.bindings["sa_so_rw_wif"]:
- condition: []
- member: serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolAdmin
- module.organization[0].google_organization_iam_member.bindings["secops-dev"]:
- condition: []
- member: serviceAccount:fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.user
- module.organization[0].google_tags_tag_key.default["context"]:
- description: Managed by the Terraform organization module.
- parent: organizations/123456789012
- purpose: null
- purpose_data: null
- short_name: context
- timeouts: null
- module.organization[0].google_tags_tag_key.default["environment"]:
- description: Managed by the Terraform organization module.
- parent: organizations/123456789012
- purpose: null
- purpose_data: null
- short_name: environment
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/data-platform"]:
- description: Managed by the Terraform organization module.
- short_name: data-platform
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/gcve"]:
- description: Managed by the Terraform organization module.
- short_name: gcve
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/gke"]:
- description: Managed by the Terraform organization module.
- short_name: gke
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/networking"]:
- description: Managed by the Terraform organization module.
- short_name: networking
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/nsec"]:
- description: Managed by the Terraform organization module.
- short_name: nsec
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/project-factory"]:
- description: Managed by the Terraform organization module.
- short_name: project-factory
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/sandbox"]:
- description: Managed by the Terraform organization module.
- short_name: sandbox
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/secops"]:
- description: Managed by the Terraform organization module.
- short_name: secops
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/security"]:
- description: Managed by the Terraform organization module.
- short_name: security
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/shared"]:
- description: Managed by the Terraform organization module.
- short_name: shared
- timeouts: null
- module.organization[0].google_tags_tag_value.default["context/tenants"]:
- description: Managed by the Terraform organization module.
- short_name: tenants
- timeouts: null
- module.organization[0].google_tags_tag_value.default["environment/development"]:
- description: Managed by the Terraform organization module.
- short_name: development
- timeouts: null
- module.organization[0].google_tags_tag_value.default["environment/production"]:
- description: Managed by the Terraform organization module.
- short_name: production
- timeouts: null
- module.organization[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagUser
- ? module.organization[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagViewer"]
- : condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagViewer
- module.organization[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagUser
- module.organization[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- - serviceAccount:fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagViewer
- module.stage2-bucket["networking"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-prod-resman-net-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.stage2-bucket["networking"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-prod-resman-net-0
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.stage2-bucket["networking"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-prod-resman-net-0
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.stage2-bucket["project-factory"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-prod-resman-pf-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.stage2-bucket["project-factory"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-prod-resman-pf-0
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.stage2-bucket["project-factory"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-prod-resman-pf-0
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.stage2-bucket["secops"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-prod-resman-so-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.stage2-bucket["secops"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-prod-resman-so-0
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.stage2-bucket["secops"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-prod-resman-so-0
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.stage2-bucket["security"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-prod-resman-sec-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.stage2-bucket["security"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-prod-resman-sec-0
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.stage2-bucket["security"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-prod-resman-sec-0
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.stage2-folder-env["networking-dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.stage2-folder-env["networking-dev"].google_tags_tag_binding.binding["environment"]:
- timeouts: null
- module.stage2-folder-env["networking-prod"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Production
- tags: null
- timeouts: null
- module.stage2-folder-env["networking-prod"].google_tags_tag_binding.binding["environment"]:
- timeouts: null
- module.stage2-folder["networking"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Networking
- parent: organizations/123456789012
- tags: null
- timeouts: null
- ? module.stage2-folder["networking"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/projectIamViewer"]
- : condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: organizations/123456789012/roles/projectIamViewer
- ? module.stage2-folder["networking"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
- : condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: organizations/123456789012/roles/xpnServiceAdmin
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/compute.networkViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/compute.networkViewer
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/compute.xpnAdmin
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/editor"]:
- condition: []
- members:
- - group:gcp-vpc-network-admins@fast.example.com
- role: roles/editor
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/logging.admin
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderAdmin
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderViewer
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectCreator
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagUser
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagViewer
- module.stage2-folder["networking"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/viewer
- module.stage2-folder["networking"].google_folder_iam_binding.bindings["project_factory"]:
- condition:
- - description: null
- expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\
- \ 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',\n 'roles/container.hostServiceAgentUser',\
- \ 'roles/vpcaccess.user',\n 'organizations/123456789012/roles/dnsZoneBinder'\n\
- ])\n"
- title: Project factory delegated IAM grant.
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectIamAdmin
- module.stage2-folder["networking"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- module.stage2-folder["secops"].google_folder.folder[0]:
- deletion_protection: false
- display_name: SecOps
- parent: organizations/123456789012
- tags: null
- timeouts: null
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/editor"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- role: roles/editor
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/logging.admin
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderAdmin
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderViewer
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectCreator
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagUser
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagViewer
- module.stage2-folder["secops"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/viewer
- module.stage2-folder["secops"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- module.stage2-folder["security"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Security
- parent: organizations/123456789012
- tags: null
- timeouts: null
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/kmsKeyViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: organizations/123456789012/roles/kmsKeyViewer
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/editor"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- role: roles/editor
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/logging.admin
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderAdmin
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderViewer
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectCreator
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagUser
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagViewer
- module.stage2-folder["security"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/viewer
- module.stage2-folder["security"].google_folder_iam_binding.bindings["project_factory"]:
- condition:
- - description: null
- expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\
- \ 'roles/cloudkms.cryptoKeyEncrypterDecrypter'\n])\n"
- title: Project factory delegated IAM grant.
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: organizations/123456789012/roles/kmsKeyEncryptionAdmin
- module.stage2-folder["security"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- ? module.stage2-sa-ro["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage2-sa-ro["networking"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-net-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman networking service account (read-only).
- email: fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage2-sa-ro["networking"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage2-sa-ro["networking"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: organizations/123456789012/roles/storageViewer
- ? module.stage2-sa-ro["project-factory"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage2-sa-ro["project-factory"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-pf-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman project-factory service account (read-only).
- email: fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- ? module.stage2-sa-ro["project-factory"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-1r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage2-sa-ro["project-factory"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: organizations/123456789012/roles/storageViewer
- ? module.stage2-sa-ro["secops"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage2-sa-ro["secops"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-so-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman secops service account (read-only).
- email: fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage2-sa-ro["secops"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage2-sa-ro["secops"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: organizations/123456789012/roles/storageViewer
- ? module.stage2-sa-ro["security"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage2-sa-ro["security"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-sec-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman security service account (read-only).
- email: fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage2-sa-ro["security"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage2-sa-ro["security"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: organizations/123456789012/roles/storageViewer
- ? module.stage2-sa-rw["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage2-sa-rw["networking"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-net-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman networking service account.
- email: fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage2-sa-rw["networking"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage2-sa-rw["networking"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
- ? module.stage2-sa-rw["project-factory"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage2-sa-rw["project-factory"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-pf-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman project-factory service account.
- email: fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- ? module.stage2-sa-rw["project-factory"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-1@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage2-sa-rw["project-factory"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
- ? module.stage2-sa-rw["secops"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage2-sa-rw["secops"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-so-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman secops service account.
- email: fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage2-sa-rw["secops"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage2-sa-rw["secops"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
- ? module.stage2-sa-rw["security"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage2-sa-rw["security"].google_service_account.service_account[0]:
- account_id: fast2-prod-resman-sec-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman security service account.
- email: fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage2-sa-rw["security"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage2-sa-rw["security"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
- module.stage3-bucket["data-platform-dev"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-dev-resman-dp-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-dev-resman-dp-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-dev-resman-dp-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.stage3-bucket["gcve-dev"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-dev-resman-gcve-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-dev-resman-gcve-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-dev-resman-gcve-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.stage3-bucket["gke-dev"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-dev-resman-gke-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-dev-resman-gke-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-dev-resman-gke-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.stage3-bucket["secops-dev"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-dev-resman-secops-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.stage3-bucket["secops-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-dev-resman-secops-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.stage3-bucket["secops-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-dev-resman-secops-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.stage3-folder["data-platform-dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/compute.xpnAdmin
- module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/logging.admin
- module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderAdmin
- module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderViewer
- module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectCreator
- module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/viewer
- module.stage3-folder["data-platform-dev"].google_tags_tag_binding.binding["environment"]:
- timeouts: null
- module.stage3-folder["gcve-dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/compute.xpnAdmin
- module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/logging.admin
- module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderAdmin
- module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderViewer
- module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectCreator
- module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/viewer
- module.stage3-folder["gcve-dev"].google_tags_tag_binding.binding["environment"]:
- timeouts: null
- module.stage3-folder["gke-dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/compute.xpnAdmin
- module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/logging.admin
- module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderAdmin
- module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderViewer
- module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectCreator
- module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/viewer
- module.stage3-folder["gke-dev"].google_tags_tag_binding.binding["environment"]:
- timeouts: null
- module.stage3-folder["secops-dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.stage3-folder["secops-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/compute.xpnAdmin
- module.stage3-folder["secops-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/logging.admin
- module.stage3-folder["secops-dev"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.stage3-folder["secops-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderAdmin
- module.stage3-folder["secops-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderViewer
- module.stage3-folder["secops-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectCreator
- module.stage3-folder["secops-dev"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-secops-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/viewer
- module.stage3-folder["secops-dev"].google_tags_tag_binding.binding["environment"]:
- timeouts: null
- ? module.stage3-sa-ro["data-platform-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage3-sa-ro["data-platform-dev"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-dp-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman data-platform-dev service account (read-only).
- email: fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- ? module.stage3-sa-ro["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage3-sa-ro["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: organizations/123456789012/roles/storageViewer
- ? module.stage3-sa-ro["gcve-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage3-sa-ro["gcve-dev"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-gcve-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman gcve-dev service account (read-only).
- email: fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage3-sa-ro["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage3-sa-ro["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: organizations/123456789012/roles/storageViewer
- ? module.stage3-sa-ro["gke-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage3-sa-ro["gke-dev"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-gke-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman gke-dev service account (read-only).
- email: fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage3-sa-ro["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage3-sa-ro["gke-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: organizations/123456789012/roles/storageViewer
- ? module.stage3-sa-ro["secops-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage3-sa-ro["secops-dev"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-secops-0r
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman secops-dev service account (read-only).
- email: fast2-dev-resman-secops-0r@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-secops-0r@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage3-sa-ro["secops-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage3-sa-ro["secops-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: organizations/123456789012/roles/storageViewer
- ? module.stage3-sa-rw["data-platform-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage3-sa-rw["data-platform-dev"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-dp-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman data-platform-dev service account.
- email: fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- ? module.stage3-sa-rw["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage3-sa-rw["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
- ? module.stage3-sa-rw["gcve-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage3-sa-rw["gcve-dev"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-gcve-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman gcve-dev service account.
- email: fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage3-sa-rw["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage3-sa-rw["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
- ? module.stage3-sa-rw["gke-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage3-sa-rw["gke-dev"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-gke-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman gke-dev service account.
- email: fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage3-sa-rw["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage3-sa-rw["gke-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
- ? module.stage3-sa-rw["secops-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.stage3-sa-rw["secops-dev"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-secops-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman secops-dev service account.
- email: fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.stage3-sa-rw["secops-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.stage3-sa-rw["secops-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
- module.top-level-bucket["sandbox"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- ip_filter: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: fast2-dev-resman-sbox-0
- project: fast2-prod-automation
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: true
- module.top-level-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast2-dev-resman-sbox-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectAdmin
- module.top-level-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast2-dev-resman-sbox-0
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- module.top-level-folder["data-platform"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Data Platform
- parent: organizations/123456789012
- tags: null
- timeouts: null
- module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- module.top-level-folder["gcve"].google_folder.folder[0]:
- deletion_protection: false
- display_name: GCVE
- parent: organizations/123456789012
- tags: null
- timeouts: null
- module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- module.top-level-folder["gke"].google_folder.folder[0]:
- deletion_protection: false
- display_name: GKE
- parent: organizations/123456789012
- tags: null
- timeouts: null
- module.top-level-folder["gke"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- module.top-level-folder["sandbox"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Sandbox
- parent: organizations/123456789012
- tags: null
- timeouts: null
- module.top-level-folder["sandbox"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.top-level-folder["sandbox"].google_org_policy_policy.default["compute.vmExternalIpAccess"]:
- dry_run_spec: []
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: 'TRUE'
- condition: []
- deny_all: null
- enforce: null
- parameters: null
- values: []
- timeouts: null
- module.top-level-folder["sandbox"].google_org_policy_policy.default["sql.restrictPublicIp"]:
- dry_run_spec: []
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
- module.top-level-folder["sandbox"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- module.top-level-folder["shared"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Shared Infrastructure
- parent: organizations/123456789012
- tags: null
- timeouts: null
- module.top-level-folder["shared"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- module.top-level-folder["teams"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Teams
- parent: organizations/123456789012
- tags: null
- timeouts: null
- ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
- : condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: organizations/123456789012/roles/xpnServiceAdmin
- module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/owner
- module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderAdmin
- module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.folderViewer
- module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.projectCreator
- module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagUser
- module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/resourcemanager.tagViewer
- module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: roles/viewer
- module.top-level-folder["teams"].google_folder_iam_binding.bindings["pf_viewer"]:
- condition:
- - description: Allow to check buckets and contact policies
- expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
-
- '
- title: project-factory-scoped
- members:
- - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- role: organizations/123456789012/roles/organizationAdminViewer
- module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- module.top-level-folder["tenants"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Tenants
- parent: organizations/123456789012
- tags: null
- timeouts: null
- module.top-level-folder["tenants"].google_tags_tag_binding.binding["context"]:
- timeouts: null
- ? module.top-level-sa["sandbox"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
- : condition: []
- project: fast2-prod-automation
- role: roles/serviceusage.serviceUsageConsumer
- module.top-level-sa["sandbox"].google_service_account.service_account[0]:
- account_id: fast2-dev-resman-sbox-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform resman sandbox folder service account.
- email: fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
- member: serviceAccount:fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
- project: fast2-prod-automation
- timeouts: null
- module.top-level-sa["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
- condition: []
- members: null
- role: roles/iam.serviceAccountTokenCreator
- ? module.top-level-sa["sandbox"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
- : bucket: fast2-prod-iac-core-outputs
- condition: []
- role: roles/storage.objectAdmin
-
-outputs:
- cicd_repositories:
- project-factory:
- provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno
- repository:
- branch: main
- name: cloud-foundation-fabric/1-resman
- type: github
- service_accounts:
- data-platform-dev-ro: fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com
- data-platform-dev-rw: fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com
- gcve-dev-ro: fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com
- gcve-dev-rw: fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com
- gke-dev-ro: fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com
- gke-dev-rw: fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com
- networking-ro: fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com
- networking-rw: fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com
- project-factory-ro: fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
- project-factory-rw: fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
- sandbox: fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
- secops-dev-ro: fast2-dev-resman-secops-0r@fast2-prod-automation.iam.gserviceaccount.com
- secops-dev-rw: fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
- secops-ro: fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
- secops-rw: fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
- security-ro: fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
- security-rw: fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
-
diff --git a/tests/fast/stages/s1_resman_legacy/tftest.yaml b/tests/fast/stages/s1_resman_legacy/tftest.yaml
deleted file mode 100644
index 765516efd..000000000
--- a/tests/fast/stages/s1_resman_legacy/tftest.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module: fast/stages/1-resman-legacy
-
-tests:
- simple:
- # extra_dirs:
- # - ../../../tests/fast/stages/s1_resman/test-data
diff --git a/tests/fast/stages/s2_project_factory_legacy/simple.tfvars b/tests/fast/stages/s2_project_factory_legacy/simple.tfvars
deleted file mode 100644
index b50077fda..000000000
--- a/tests/fast/stages/s2_project_factory_legacy/simple.tfvars
+++ /dev/null
@@ -1,16 +0,0 @@
-automation = {
- outputs_bucket = "fast2-prod-iac-core-outputs"
-}
-prefix = "test"
-billing_account = {
- id = "000000-111111-222222"
-}
-folder_ids = {
- teams = "folders/1234567890"
-}
-groups = {
- gcp-devops = "group:gcp-devops@example.org"
-}
-tag_values = {
- "environment/development" = "tagValues/1234567890"
-}
diff --git a/tests/fast/stages/s2_project_factory_legacy/simple.yaml b/tests/fast/stages/s2_project_factory_legacy/simple.yaml
deleted file mode 100644
index cd35b778e..000000000
--- a/tests/fast/stages/s2_project_factory_legacy/simple.yaml
+++ /dev/null
@@ -1,191 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.projects.module.hierarchy-folder-lvl-1["team-a"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team A
- parent: folders/1234567890
- tags: null
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-1["team-b"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team B
- parent: folders/1234567890
- tags: null
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-2["team-a/dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-2["team-a/dev"].google_tags_tag_binding.binding["environment"]:
- tag_value: tagValues/1234567890
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-2["team-a/prod"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Production
- tags: null
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-2["team-a/prod"].google_tags_tag_binding.binding["environment"]:
- tag_value: environment/production
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-2["team-b/dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-2["team-b/dev"].google_tags_tag_binding.binding["environment"]:
- tag_value: tagValues/1234567890
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-2["team-b/prod"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Production
- tags: null
- timeouts: null
- module.projects.module.hierarchy-folder-lvl-2["team-b/prod"].google_tags_tag_binding.binding["environment"]:
- tag_value: environment/production
- timeouts: null
- module.projects.module.projects-iam["dev-ta-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: dev-spoke-0
- service_project: test-dev-ta-0
- timeouts: null
- ? module.projects.module.projects-iam["dev-ta-0"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]
- : condition: []
- member: group:gcp-devops@example.org
- project: dev-spoke-0
- role: roles/compute.networkUser
- module.projects.module.projects-iam["dev-tb-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: dev-spoke-0
- service_project: test-dev-tb-0
- timeouts: null
- ? module.projects.module.projects-iam["dev-tb-0"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]
- : condition: []
- member: group:gcp-devops@example.org
- project: dev-spoke-0
- role: roles/compute.networkUser
- module.projects.module.projects-iam["prod-ta-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: prod-spoke-0
- service_project: test-prod-ta-0
- timeouts: null
- ? module.projects.module.projects-iam["prod-ta-0"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]
- : condition: []
- member: group:gcp-devops@example.org
- project: prod-spoke-0
- role: roles/compute.networkUser
- module.projects.module.projects-iam["prod-tb-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: prod-spoke-0
- service_project: test-prod-tb-0
- timeouts: null
- ? module.projects.module.projects-iam["prod-tb-0"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]
- : condition: []
- member: group:gcp-devops@example.org
- project: prod-spoke-0
- role: roles/compute.networkUser
- module.projects.module.projects["dev-ta-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- name: test-dev-ta-0
- project_id: test-dev-ta-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects.module.projects["dev-ta-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-dev-ta-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects.module.projects["dev-tb-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- name: test-dev-tb-0
- project_id: test-dev-tb-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects.module.projects["dev-tb-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-dev-tb-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects.module.projects["prod-ta-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- name: test-prod-ta-0
- project_id: test-prod-ta-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects.module.projects["prod-ta-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-prod-ta-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects.module.projects["prod-tb-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- name: test-prod-tb-0
- project_id: test-prod-tb-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects.module.projects["prod-tb-0"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-prod-tb-0
- service: stackdriver.googleapis.com
- timeouts: null
-
-counts:
- google_compute_shared_vpc_service_project: 4
- google_folder: 6
- google_project: 4
- google_project_iam_member: 4
- google_project_service: 4
- google_storage_bucket_object: 1
- google_tags_tag_binding: 4
- modules: 15
- resources: 27
-
-outputs:
- buckets: {}
- projects: __missing__
- service_accounts: {}
diff --git a/tests/fast/stages/s2_project_factory_legacy/tftest.yaml b/tests/fast/stages/s2_project_factory_legacy/tftest.yaml
deleted file mode 100644
index 6cc4c769e..000000000
--- a/tests/fast/stages/s2_project_factory_legacy/tftest.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module: fast/stages/2-project-factory-legacy
-
-tests:
- simple:
diff --git a/tests/modules/project_factory_legacy/bucket_iam.tfvars b/tests/modules/project_factory_legacy/bucket_iam.tfvars
deleted file mode 100644
index c9163d0f8..000000000
--- a/tests/modules/project_factory_legacy/bucket_iam.tfvars
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-data_defaults = {
- billing_account = "1245-5678-9012"
- storage_location = "EU"
-}
-# make sure the environment label and stackdriver service are always added
-data_merges = {
- labels = {
- environment = "test"
- }
- services = [
- "stackdriver.googleapis.com"
- ]
-}
-# always use this contacts and prefix, regardless of what is in the yaml file
-data_overrides = {
- contacts = {
- "admin@example.org" = ["ALL"]
- }
- prefix = "test-pf"
-}
-# location where the yaml files are read from
-factories_config = {
- folders_data_path = "bucket_iam/hierarchy"
- projects_data_path = "bucket_iam/projects"
- context = {
- folder_ids = {
- default = "folders/5678901234"
- teams = "folders/5678901234"
- }
- iam_principals = {
- gcp-devops = "group:gcp-devops@example.org"
- }
- tag_values = {
- "org-policies/drs-allow-all" = "tagValues/123456"
- }
- vpc_host_projects = {
- dev-spoke-0 = "test-pf-dev-net-spoke-0"
- }
- }
-}
diff --git a/tests/modules/project_factory_legacy/bucket_iam.yaml b/tests/modules/project_factory_legacy/bucket_iam.yaml
deleted file mode 100644
index d065543e8..000000000
--- a/tests/modules/project_factory_legacy/bucket_iam.yaml
+++ /dev/null
@@ -1,505 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.buckets["project2/state"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EUROPE-WEST8
- logging: []
- name: test-pf-project2-state
- project: test-pf-project2
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: false
- module.buckets["team-a/project1/state"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EUROPE-WEST8
- logging: []
- name: test-pf-project1-state
- project: test-pf-project1
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: false
- module.buckets["team-a/project1/state"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"]:
- bucket: test-pf-project1-state
- condition: []
- members:
- - serviceAccount:terraform-rw@test-pf-project1.iam.gserviceaccount.com
- role: roles/storage.admin
- module.hierarchy-folder-lvl-1["team-a"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team A
- parent: folders/5678901234
- tags: null
- timeouts: null
- module.hierarchy-folder-lvl-1["team-a"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - group:gcp-devops@example.org
- - group:team-a-admins@example.org
- role: roles/viewer
- module.hierarchy-folder-lvl-1["team-b"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team B
- parent: folders/5678901234
- tags: null
- timeouts: null
- module.projects["project2"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-project2
- timeouts: null
- module.projects["project2"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- app: app-0
- environment: test
- goog-terraform-provisioned: 'true'
- team: team-a
- labels:
- app: app-0
- environment: test
- team: team-a
- name: test-pf-project2
- project_id: test-pf-project2
- tags: null
- terraform_labels:
- app: app-0
- environment: test
- goog-terraform-provisioned: 'true'
- team: team-a
- timeouts: null
- module.projects["project2"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-project2
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects["project3"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-top-project3
- user_project: null
- module.projects["project3"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-top-project3
- timeouts: null
- module.projects["project3"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- labels:
- environment: test
- name: test-pf-top-project3
- project_id: test-pf-top-project3
- tags: null
- terraform_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["project3"].google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: test-pf-top-project3
- role: roles/container.serviceAgent
- module.projects["project3"].google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: test-pf-top-project3
- role: roles/container.defaultNodeServiceAgent
- module.projects["project3"].google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-top-project3
- service: container.googleapis.com
- timeouts: null
- module.projects["project3"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-top-project3
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects["project3"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-top-project3
- service: storage.googleapis.com
- timeouts: null
- module.projects["project3"].google_project_service_identity.default["container.googleapis.com"]:
- project: test-pf-top-project3
- service: container.googleapis.com
- timeouts: null
- module.projects["team-a/automation"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-auto-team-a
- user_project: null
- module.projects["team-a/automation"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-auto-team-a
- timeouts: null
- module.projects["team-a/automation"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- labels:
- environment: test
- name: test-pf-auto-team-a
- project_id: test-pf-auto-team-a
- tags: null
- terraform_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["team-a/automation"].google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: test-pf-auto-team-a
- role: roles/container.serviceAgent
- module.projects["team-a/automation"].google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: test-pf-auto-team-a
- role: roles/container.defaultNodeServiceAgent
- module.projects["team-a/automation"].google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-auto-team-a
- service: container.googleapis.com
- timeouts: null
- module.projects["team-a/automation"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-auto-team-a
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects["team-a/automation"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-auto-team-a
- service: storage.googleapis.com
- timeouts: null
- module.projects["team-a/automation"].google_project_service_identity.default["container.googleapis.com"]:
- project: test-pf-auto-team-a
- service: container.googleapis.com
- timeouts: null
- module.projects["team-a/project1"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-project1
- user_project: null
- module.projects["team-a/project1"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-project1
- timeouts: null
- module.projects["team-a/project1"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- labels:
- environment: test
- name: test-pf-project1
- project_id: test-pf-project1
- tags: null
- terraform_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["team-a/project1"].google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: test-pf-project1
- role: roles/container.serviceAgent
- module.projects["team-a/project1"].google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: test-pf-project1
- role: roles/container.defaultNodeServiceAgent
- module.projects["team-a/project1"].google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-project1
- service: container.googleapis.com
- timeouts: null
- module.projects["team-a/project1"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-project1
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects["team-a/project1"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-project1
- service: storage.googleapis.com
- timeouts: null
- module.projects["team-a/project1"].google_project_service_identity.default["container.googleapis.com"]:
- project: test-pf-project1
- service: container.googleapis.com
- timeouts: null
- module.projects["team-b/automation"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-auto-team-b
- user_project: null
- module.projects["team-b/automation"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-auto-team-b
- timeouts: null
- module.projects["team-b/automation"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- labels:
- environment: test
- name: test-pf-auto-team-b
- project_id: test-pf-auto-team-b
- tags: null
- terraform_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["team-b/automation"].google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: test-pf-auto-team-b
- role: roles/container.serviceAgent
- module.projects["team-b/automation"].google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: test-pf-auto-team-b
- role: roles/container.defaultNodeServiceAgent
- module.projects["team-b/automation"].google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-auto-team-b
- service: container.googleapis.com
- timeouts: null
- module.projects["team-b/automation"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-auto-team-b
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects["team-b/automation"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-auto-team-b
- service: storage.googleapis.com
- timeouts: null
- module.projects["team-b/automation"].google_project_service_identity.default["container.googleapis.com"]:
- project: test-pf-auto-team-b
- service: container.googleapis.com
- timeouts: null
- module.projects["team-b/project3"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-project3
- user_project: null
- module.projects["team-b/project3"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-project3
- timeouts: null
- module.projects["team-b/project3"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- labels:
- environment: test
- name: test-pf-project3
- project_id: test-pf-project3
- tags: null
- terraform_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["team-b/project3"].google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: test-pf-project3
- role: roles/container.serviceAgent
- module.projects["team-b/project3"].google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: test-pf-project3
- role: roles/container.defaultNodeServiceAgent
- module.projects["team-b/project3"].google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-project3
- service: container.googleapis.com
- timeouts: null
- module.projects["team-b/project3"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-project3
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects["team-b/project3"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-project3
- service: storage.googleapis.com
- timeouts: null
- module.projects["team-b/project3"].google_project_service_identity.default["container.googleapis.com"]:
- project: test-pf-project3
- service: container.googleapis.com
- timeouts: null
- module.service-accounts["project2/app-be-0"].google_service_account.service_account[0]:
- account_id: app-be-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: app-be-0@test-pf-project2.iam.gserviceaccount.com
- member: serviceAccount:app-be-0@test-pf-project2.iam.gserviceaccount.com
- project: test-pf-project2
- timeouts: null
- ? module.service-accounts["project2/app-fe-1"].google_project_iam_member.project-roles["my-host-project-roles/compute.networkUser"]
- : condition: []
- project: my-host-project
- role: roles/compute.networkUser
- ? module.service-accounts["project2/app-fe-1"].google_project_iam_member.project-roles["test-pf-project2-roles/storage.objectViewer"]
- : condition: []
- project: test-pf-project2
- role: roles/storage.objectViewer
- module.service-accounts["project2/app-fe-1"].google_service_account.service_account[0]:
- account_id: app-fe-1
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: GCE frontend service account.
- email: app-fe-1@test-pf-project2.iam.gserviceaccount.com
- member: serviceAccount:app-fe-1@test-pf-project2.iam.gserviceaccount.com
- project: test-pf-project2
- timeouts: null
- module.service-accounts["project2/terraform-rw"].google_service_account.service_account[0]:
- account_id: terraform-rw
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: terraform-rw@test-pf-project2.iam.gserviceaccount.com
- member: serviceAccount:terraform-rw@test-pf-project2.iam.gserviceaccount.com
- project: test-pf-project2
- timeouts: null
- module.service-accounts["team-a/project1/app-be-0"].google_service_account.service_account[0]:
- account_id: app-be-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: app-be-0@test-pf-project1.iam.gserviceaccount.com
- member: serviceAccount:app-be-0@test-pf-project1.iam.gserviceaccount.com
- project: test-pf-project1
- timeouts: null
- ? module.service-accounts["team-a/project1/app-fe-1"].google_project_iam_member.project-roles["my-host-project-roles/compute.networkUser"]
- : condition: []
- project: my-host-project
- role: roles/compute.networkUser
- ? module.service-accounts["team-a/project1/app-fe-1"].google_project_iam_member.project-roles["test-pf-project1-roles/storage.objectViewer"]
- : condition: []
- project: test-pf-project1
- role: roles/storage.objectViewer
- module.service-accounts["team-a/project1/app-fe-1"].google_service_account.service_account[0]:
- account_id: app-fe-1
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: GCE frontend service account.
- email: app-fe-1@test-pf-project1.iam.gserviceaccount.com
- member: serviceAccount:app-fe-1@test-pf-project1.iam.gserviceaccount.com
- project: test-pf-project1
- timeouts: null
- module.service-accounts["team-a/project1/terraform-rw"].google_service_account.service_account[0]:
- account_id: terraform-rw
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: terraform-rw@test-pf-project1.iam.gserviceaccount.com
- member: serviceAccount:terraform-rw@test-pf-project1.iam.gserviceaccount.com
- project: test-pf-project1
- timeouts: null
-
-counts:
- google_essential_contacts_contact: 6
- google_folder: 2
- google_folder_iam_binding: 1
- google_project: 6
- google_project_iam_member: 14
- google_project_service: 16
- google_project_service_identity: 5
- google_service_account: 6
- google_storage_bucket: 2
- google_storage_bucket_iam_binding: 1
- google_storage_project_service_account: 5
- modules: 16
- resources: 64
-
-outputs:
- buckets:
- project2/state: test-pf-project2-state
- team-a/project1/state: test-pf-project1-state
- folders: __missing__
- projects: __missing__
- service_accounts: __missing__
diff --git a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/_config.yaml b/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/_config.yaml
deleted file mode 100644
index 906fec0d8..000000000
--- a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/_config.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: Team A
-# implicit parent definition via 'default' key
-iam:
- roles/viewer:
- - group:team-a-admins@example.org
- - gcp-devops
diff --git a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/automation.yaml b/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/automation.yaml
deleted file mode 100644
index 0a744e97f..000000000
--- a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/automation.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-services:
- - container.googleapis.com
- - storage.googleapis.com
-
-name: auto-team-a
diff --git a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/project1.yaml b/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/project1.yaml
deleted file mode 100644
index 16965ce89..000000000
--- a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-a/project1.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-services:
- - container.googleapis.com
- - storage.googleapis.com
-
-service_accounts:
- app-be-0: {}
- app-fe-1:
- display_name: GCE frontend service account.
- iam_self_roles:
- - roles/storage.objectViewer
- iam_project_roles:
- my-host-project:
- - roles/compute.networkUser
- terraform-rw: {}
-buckets:
- state:
- location: europe-west8
- iam:
- roles/storage.admin:
- - terraform-rw
diff --git a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/_config.yaml b/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/_config.yaml
deleted file mode 100644
index fbdc4437e..000000000
--- a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/_config.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: Team B
diff --git a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/automation.yaml b/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/automation.yaml
deleted file mode 100644
index 58a698cd7..000000000
--- a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/automation.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-services:
- - container.googleapis.com
- - storage.googleapis.com
-
-name: auto-team-b
diff --git a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/project3.yaml b/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/project3.yaml
deleted file mode 100644
index c953163bd..000000000
--- a/tests/modules/project_factory_legacy/data/bucket_iam/hierarchy/team-b/project3.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-services:
- - container.googleapis.com
- - storage.googleapis.com
-
-prefix: team-b
diff --git a/tests/modules/project_factory_legacy/data/bucket_iam/projects/project2.yaml b/tests/modules/project_factory_legacy/data/bucket_iam/projects/project2.yaml
deleted file mode 100644
index d169831d9..000000000
--- a/tests/modules/project_factory_legacy/data/bucket_iam/projects/project2.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-labels:
- app: app-0
- team: team-a
-parent: team-a
-buckets:
- state:
- location: europe-west8
-# iam:
-# roles/storage.admin:
-# - terraform-rw
-
-service_accounts:
- app-be-0: {}
- app-fe-1:
- display_name: GCE frontend service account.
- iam_self_roles:
- - roles/storage.objectViewer
- iam_project_roles:
- my-host-project:
- - roles/compute.networkUser
- terraform-rw: {}
diff --git a/tests/modules/project_factory_legacy/data/bucket_iam/projects/project3.yaml b/tests/modules/project_factory_legacy/data/bucket_iam/projects/project3.yaml
deleted file mode 100644
index e6b2fdd4c..000000000
--- a/tests/modules/project_factory_legacy/data/bucket_iam/projects/project3.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-services:
- - container.googleapis.com
- - storage.googleapis.com
-
-name: top-project3
-parent: team-b
diff --git a/tests/modules/project_factory_legacy/data/data_overrides_defaults/projects/service1.yaml b/tests/modules/project_factory_legacy/data/data_overrides_defaults/projects/service1.yaml
deleted file mode 100644
index e34bb85c9..000000000
--- a/tests/modules/project_factory_legacy/data/data_overrides_defaults/projects/service1.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-
-contacts: # this should be overridden by value
- admin-default@example.org:
- - "ALL"
-
-tag_bindings: # this should be overridden with empty value
- name1: project_id1
-
-services:
- - run.googleapis.com
diff --git a/tests/modules/project_factory_legacy/data/data_overrides_defaults/projects/service2.yaml b/tests/modules/project_factory_legacy/data/data_overrides_defaults/projects/service2.yaml
deleted file mode 100644
index fb254a9d2..000000000
--- a/tests/modules/project_factory_legacy/data/data_overrides_defaults/projects/service2.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-
-# take defaults + overrides only
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/_config.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/_config.yaml
deleted file mode 100644
index 410d9e86f..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/_config.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../schemas/folder.schema.json
-
-name: Team A
-parent: teams
-# iam_by_principals:
-# "group:team-a-admins@example.com":
-# - roles/viewer
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/dev/_config.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/dev/_config.yaml
deleted file mode 100644
index da77cb7f1..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/dev/_config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Development
-tag_bindings:
- environment: environment/development
-# iam_by_principals:
-# "group:team-a-admins@example.com":
-# - roles/editor
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/prod/_config.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/prod/_config.yaml
deleted file mode 100644
index a7079ab36..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-a/prod/_config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Production
-tag_bindings:
- environment: environment/production
\ No newline at end of file
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/_config.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/_config.yaml
deleted file mode 100644
index 80d5faa67..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/_config.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../schemas/folder.schema.json
-
-name: Team B
-parent: teams
-# iam_by_principals:
-# "group:team-b-admins@example.com":
-# - roles/viewer
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/dev/_config.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/dev/_config.yaml
deleted file mode 100644
index e50bb7308..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/dev/_config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Development
-tag_bindings:
- environment: environment/development
-# iam_by_principals:
-# "group:team-b-admins@example.com":
-# - roles/editor
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/prod/_config.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/prod/_config.yaml
deleted file mode 100644
index a7079ab36..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/hierarchy/team-b/prod/_config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../schemas/folder.schema.json
-
-name: Production
-tag_bindings:
- environment: environment/production
\ No newline at end of file
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/projects/dev-tb-0.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/projects/dev-tb-0.yaml
deleted file mode 100644
index 655c55547..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/projects/dev-tb-0.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../../../modules/project-factory/schemas/project.schema.json
-
-parent: team-b/dev
-shared_vpc_service_config:
- host_project: dev-spoke-0
- network_users:
- - gcp-devops
\ No newline at end of file
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/projects/prod-tb-0.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/projects/prod-tb-0.yaml
deleted file mode 100644
index dbb0ceb05..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/projects/prod-tb-0.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../../../modules/project-factory/schemas/project.schema.json
-
-parent: team-b/prod
-shared_vpc_service_config:
- host_project: prod-spoke-0
- network_users:
- - gcp-devops
\ No newline at end of file
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/projects/team-a/dev-ta-0.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/projects/team-a/dev-ta-0.yaml
deleted file mode 100644
index d6367411a..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/projects/team-a/dev-ta-0.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../../../../modules/project-factory/schemas/project.schema.json
-
-parent: team-a/dev
-shared_vpc_service_config:
- host_project: dev-spoke-0
- network_users:
- - gcp-devops
diff --git a/tests/modules/project_factory_legacy/data/key_ignores_path/projects/team-a/prod-ta-0.yaml b/tests/modules/project_factory_legacy/data/key_ignores_path/projects/team-a/prod-ta-0.yaml
deleted file mode 100644
index e8ac47ce9..000000000
--- a/tests/modules/project_factory_legacy/data/key_ignores_path/projects/team-a/prod-ta-0.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../../../../../../modules/project-factory/schemas/project.schema.json
-
-parent: team-a/prod
-shared_vpc_service_config:
- host_project: prod-spoke-0
- network_users:
- - gcp-devops
\ No newline at end of file
diff --git a/tests/modules/project_factory_legacy/data/shared_vpc_network_user/projects/service1.yaml b/tests/modules/project_factory_legacy/data/shared_vpc_network_user/projects/service1.yaml
deleted file mode 100644
index 5f38e4606..000000000
--- a/tests/modules/project_factory_legacy/data/shared_vpc_network_user/projects/service1.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-
-service_accounts:
- app-be-0: {}
- terraform-rw: {}
-
-automation:
- project: service-iac
- service_accounts:
- rw:
- description: Service read/write automation sa.
- ro:
- description: Service read-only automation sa.
-
-
-shared_vpc_service_config:
- host_project: dev-spoke-0
- network_users:
- - terraform-rw
- - ro
- - rw
diff --git a/tests/modules/project_factory_legacy/data/shared_vpc_network_user/projects/service2.yaml b/tests/modules/project_factory_legacy/data/shared_vpc_network_user/projects/service2.yaml
deleted file mode 100644
index 64adb5bb8..000000000
--- a/tests/modules/project_factory_legacy/data/shared_vpc_network_user/projects/service2.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-billing_account: 012345-67890A-BCDEF0
-services:
- - compute.googleapis.com
- - storage.googleapis.com
-
-service_accounts:
- app-be-0: {}
- terraform-rw: {}
diff --git a/tests/modules/project_factory_legacy/data_overrides_defaults.tfvars b/tests/modules/project_factory_legacy/data_overrides_defaults.tfvars
deleted file mode 100644
index 168bd8f0b..000000000
--- a/tests/modules/project_factory_legacy/data_overrides_defaults.tfvars
+++ /dev/null
@@ -1,51 +0,0 @@
-data_defaults = {
- billing_account = "1245-5678-9012"
- parent = "folders/1234"
- storage_location = "EU"
- contacts = {
- "admin-default@example.org" = ["ALL"] # should not surface, as overrides provide value
- }
- tag_bindings = { # should not surface, as overrides provide empty value
- name1 = "default-id1"
- name2 = "default-id2"
- }
- services = [
- "default-service.googleapis.com"
- ]
-}
-# make sure the environment label and stackdriver service are always added
-data_merges = {
- labels = {
- environment = "test"
- }
- services = [
- "stackdriver.googleapis.com"
- ]
-}
-# always use this contacts and prefix, regardless of what is in the yaml file
-data_overrides = {
- contacts = {
- "admin@example.org" = ["ALL"]
- }
- tag_bindings = {} # prevent setting any encryption keys
- prefix = "test-pf"
-}
-# location where the yaml files are read from
-factories_config = {
- projects_data_path = "projects"
- context = {
- folder_ids = {
- default = "folders/5678901234"
- teams = "folders/5678901234"
- }
- iam_principals = {
- gcp-devops = "group:gcp-devops@example.org"
- }
- tag_values = {
- "org-policies/drs-allow-all" = "tagValues/123456"
- }
- vpc_host_projects = {
- dev-spoke-0 = "test-pf-dev-net-spoke-0"
- }
- }
-}
diff --git a/tests/modules/project_factory_legacy/data_overrides_defaults.yaml b/tests/modules/project_factory_legacy/data_overrides_defaults.yaml
deleted file mode 100644
index 9250d9189..000000000
--- a/tests/modules/project_factory_legacy/data_overrides_defaults.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.projects["service1"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- parent: projects/test-pf-service1
- module.projects["service1"].google_project.project[0]:
- billing_account: 012345-67890A-BCDEF0
- folder_id: '1234'
- labels:
- environment: test
- name: test-pf-service1
- project_id: test-pf-service1
- module.projects["service1"].google_project_service.project_services["run.googleapis.com"]:
- project: test-pf-service1
- service: run.googleapis.com
- module.projects["service1"].google_project_service.project_services["stackdriver.googleapis.com"]:
- project: test-pf-service1
- service: stackdriver.googleapis.com
- module.projects["service2"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- parent: projects/test-pf-service2
- module.projects["service2"].google_project.project[0]:
- billing_account: 012345-67890A-BCDEF0
- folder_id: '1234'
- labels:
- environment: test
- name: test-pf-service2
- project_id: test-pf-service2
- module.projects["service2"].google_project_service.project_services["default-service.googleapis.com"]:
- project: test-pf-service2
- service: default-service.googleapis.com
- module.projects["service2"].google_project_service.project_services["stackdriver.googleapis.com"]:
- project: test-pf-service2
- service: stackdriver.googleapis.com
-
-counts:
- google_essential_contacts_contact: 2
- google_project: 2
- google_project_iam_member: 1
- google_project_service: 4
- google_project_service_identity: 1
- google_tags_tag_binding: 0 # keep this, to ensure that tag_bindings are not created
- modules: 2
- resources: 10
-
-outputs:
- buckets: {}
- folders: {}
- projects: __missing__
- service_accounts: {}
diff --git a/tests/modules/project_factory_legacy/empty_vpc_defaults.tfvars b/tests/modules/project_factory_legacy/empty_vpc_defaults.tfvars
deleted file mode 100644
index acf42163e..000000000
--- a/tests/modules/project_factory_legacy/empty_vpc_defaults.tfvars
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-data_defaults = {
- billing_account = "1245-5678-9012"
- storage_location = "EU"
- prefix = "my-prefix"
- parent = "folders/1234"
- shared_vpc_service_config = null
-}
-data_merges = {
- services = [
- "stackdriver.googleapis.com"
- ]
-}
-data_overrides = {
- prefix = "myprefix"
-}
-# location where the yaml files are read from
-factories_config = {
- projects_data_path = "projects"
- context = {
- folder_ids = {
- default = "folders/5678901234"
- teams = "folders/4321056789"
- }
- vpc_host_projects = {
- dev-spoke-0 = "test-pf-dev-net-spoke-0"
- }
- }
-}
diff --git a/tests/modules/project_factory_legacy/empty_vpc_defaults.yaml b/tests/modules/project_factory_legacy/empty_vpc_defaults.yaml
deleted file mode 100644
index c45202289..000000000
--- a/tests/modules/project_factory_legacy/empty_vpc_defaults.yaml
+++ /dev/null
@@ -1,173 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.automation-service-accounts["service1/ro"].google_service_account.service_account[0]:
- account_id: myprefix-service1-ro
- create_ignore_already_exists: null
- description: Service read-only automation sa.
- disabled: false
- display_name: Service account ro for service1.
- email: myprefix-service1-ro@service-iac.iam.gserviceaccount.com
- member: serviceAccount:myprefix-service1-ro@service-iac.iam.gserviceaccount.com
- project: service-iac
- timeouts: null
- module.automation-service-accounts["service1/rw"].google_service_account.service_account[0]:
- account_id: myprefix-service1-rw
- create_ignore_already_exists: null
- description: Service read/write automation sa.
- disabled: false
- display_name: Service account rw for service1.
- email: myprefix-service1-rw@service-iac.iam.gserviceaccount.com
- member: serviceAccount:myprefix-service1-rw@service-iac.iam.gserviceaccount.com
- project: service-iac
- timeouts: null
- module.projects-iam["service1"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: test-pf-dev-net-spoke-0
- service_project: myprefix-service1
- timeouts: null
- ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:myprefix-service1-ro@service-iac.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:myprefix-service1-ro@service-iac.iam.gserviceaccount.com
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:myprefix-service1-rw@service-iac.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:myprefix-service1-rw@service-iac.iam.gserviceaccount.com
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:terraform-rw@myprefix-service1.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:terraform-rw@myprefix-service1.iam.gserviceaccount.com
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- module.projects["service1"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: '1234'
- labels: null
- name: myprefix-service1
- org_id: null
- project_id: myprefix-service1
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["service1"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: myprefix-service1
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects["service2"].data.google_storage_project_service_account.gcs_sa[0]:
- project: myprefix-service2
- user_project: null
- module.projects["service2"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: '1234'
- labels: null
- name: myprefix-service2
- org_id: null
- project_id: myprefix-service2
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["service2"].google_project_iam_member.service_agents["compute-system"]:
- condition: []
- project: myprefix-service2
- role: roles/compute.serviceAgent
- module.projects["service2"].google_project_service.project_services["compute.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: myprefix-service2
- service: compute.googleapis.com
- timeouts: null
- module.projects["service2"].google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: myprefix-service2
- service: stackdriver.googleapis.com
- timeouts: null
- module.projects["service2"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: myprefix-service2
- service: storage.googleapis.com
- timeouts: null
- module.service-accounts["service1/app-be-0"].google_service_account.service_account[0]:
- account_id: app-be-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: app-be-0@myprefix-service1.iam.gserviceaccount.com
- member: serviceAccount:app-be-0@myprefix-service1.iam.gserviceaccount.com
- project: myprefix-service1
- timeouts: null
- module.service-accounts["service1/terraform-rw"].google_service_account.service_account[0]:
- account_id: terraform-rw
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: terraform-rw@myprefix-service1.iam.gserviceaccount.com
- member: serviceAccount:terraform-rw@myprefix-service1.iam.gserviceaccount.com
- project: myprefix-service1
- timeouts: null
- module.service-accounts["service2/app-be-0"].google_service_account.service_account[0]:
- account_id: app-be-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: app-be-0@myprefix-service2.iam.gserviceaccount.com
- member: serviceAccount:app-be-0@myprefix-service2.iam.gserviceaccount.com
- project: myprefix-service2
- timeouts: null
- module.service-accounts["service2/terraform-rw"].google_service_account.service_account[0]:
- account_id: terraform-rw
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: terraform-rw@myprefix-service2.iam.gserviceaccount.com
- member: serviceAccount:terraform-rw@myprefix-service2.iam.gserviceaccount.com
- project: myprefix-service2
- timeouts: null
-
-counts:
- google_compute_shared_vpc_service_project: 1
- google_project: 2
- google_project_iam_member: 4
- google_project_service: 4
- google_service_account: 6
- google_storage_project_service_account: 1
- modules: 9
- resources: 18
-
-outputs:
- buckets: {}
- folders: {}
- foo: {}
- projects: __missing__
- service_accounts: __missing__
diff --git a/tests/modules/project_factory_legacy/examples/example.yaml b/tests/modules/project_factory_legacy/examples/example.yaml
deleted file mode 100644
index 881813b7a..000000000
--- a/tests/modules/project_factory_legacy/examples/example.yaml
+++ /dev/null
@@ -1,571 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.project-factory.module.automation-bucket["dev-tb-app0-0"].google_storage_bucket.bucket[0]:
- autoclass: []
- cors: []
- custom_placement_config: []
- default_event_based_hold: null
- effective_labels:
- goog-terraform-provisioned: 'true'
- enable_object_retention: null
- encryption: []
- force_destroy: false
- hierarchical_namespace: []
- labels: null
- lifecycle_rule: []
- location: EU
- logging: []
- name: test-pf-dev-tb-app0-0-tf-state
- project: test-pf-teams-iac-0
- requester_pays: null
- retention_policy: []
- storage_class: STANDARD
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- uniform_bucket_level_access: true
- versioning:
- - enabled: false
- ? module.project-factory.module.automation-bucket["dev-tb-app0-0"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectCreator"]
- : bucket: test-pf-dev-tb-app0-0-tf-state
- condition: []
- members:
- - serviceAccount:test-pf-dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
- role: roles/storage.objectCreator
- ? module.project-factory.module.automation-bucket["dev-tb-app0-0"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]
- : bucket: test-pf-dev-tb-app0-0-tf-state
- condition: []
- members:
- - group:gcp-devops@example.org
- - group:team-b-admins@example.org
- - serviceAccount:test-pf-dev-tb-app0-0-ro@test-pf-teams-iac-0.iam.gserviceaccount.com
- - serviceAccount:test-pf-dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
- role: roles/storage.objectViewer
- ? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/ro"].google_service_account.service_account[0]
- : account_id: test-pf-dev-tb-app0-0-ro
- create_ignore_already_exists: null
- description: Team B app 0 read-only automation sa.
- disabled: false
- display_name: Service account ro for dev-tb-app0-0.
- email: test-pf-dev-tb-app0-0-ro@test-pf-teams-iac-0.iam.gserviceaccount.com
- member: serviceAccount:test-pf-dev-tb-app0-0-ro@test-pf-teams-iac-0.iam.gserviceaccount.com
- project: test-pf-teams-iac-0
- timeouts: null
- ? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/rw"].google_service_account.service_account[0]
- : account_id: test-pf-dev-tb-app0-0-rw
- create_ignore_already_exists: null
- description: Team B app 0 read/write automation sa.
- disabled: false
- display_name: Service account rw for dev-tb-app0-0.
- email: test-pf-dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
- member: serviceAccount:test-pf-dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
- project: test-pf-teams-iac-0
- timeouts: null
- module.project-factory.module.billing-account[0].google_billing_budget.default["test-100"]:
- all_updates_rule:
- - disable_default_iam_recipients: true
- enable_project_level_recipients: false
- pubsub_topic: null
- schema_version: '1.0'
- amount:
- - last_period_amount: null
- specified_amount:
- - nanos: null
- units: '100'
- billing_account: 123456-123456-123456
- budget_filter:
- - calendar_period: null
- credit_types_treatment: INCLUDE_ALL_CREDITS
- custom_period: []
- resource_ancestors:
- - folders/1234567890
- display_name: 100 dollars in current spend
- ownership_scope: null
- threshold_rules:
- - spend_basis: CURRENT_SPEND
- threshold_percent: 0.5
- - spend_basis: CURRENT_SPEND
- threshold_percent: 0.75
- timeouts: null
- module.project-factory.module.billing-account[0].google_monitoring_notification_channel.default["billing-default"]:
- description: null
- display_name: Budget email notification billing-default.
- enabled: true
- force_delete: false
- labels:
- email_address: gcp-billing-admins@example.org
- project: foo-billing-audit
- sensitive_labels: []
- timeouts: null
- type: email
- user_labels: null
- module.project-factory.module.hierarchy-folder-lvl-1["team-a"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team A
- parent: folders/5678901234
- tags: null
- timeouts: null
- module.project-factory.module.hierarchy-folder-lvl-1["team-a"].google_folder_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - group:gcp-devops@example.org
- - group:team-a-admins@example.org
- role: roles/viewer
- module.project-factory.module.hierarchy-folder-lvl-1["team-b"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team B
- parent: folders/5678901234
- tags: null
- timeouts: null
- module.project-factory.module.hierarchy-folder-lvl-1["team-c"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team C
- parent: folders/5678901234
- tags: null
- timeouts: null
- module.project-factory.module.hierarchy-folder-lvl-2["team-a/app-0"].google_folder.folder[0]:
- deletion_protection: false
- display_name: App 0
- tags: null
- timeouts: null
- module.project-factory.module.hierarchy-folder-lvl-2["team-b/app-0"].google_folder.folder[0]:
- deletion_protection: false
- display_name: App 0
- tags: null
- timeouts: null
- module.project-factory.module.hierarchy-folder-lvl-2["team-b/app-0"].google_tags_tag_binding.binding["drs-allow-all"]:
- tag_value: tagValues/123456
- timeouts: null
- ? module.project-factory.module.projects-iam["dev-ta-app0-be"].google_compute_shared_vpc_service_project.shared_vpc_service[0]
- : deletion_policy: null
- host_project: test-pf-dev-net-spoke-0
- service_project: test-pf-dev-ta-app0-be
- timeouts: null
- ? module.project-factory.module.projects-iam["dev-ta-app0-be"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]
- : condition: []
- member: group:gcp-devops@example.org
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- ? module.project-factory.module.projects-iam["dev-ta-app0-be"].google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:container-engine"]
- : condition: []
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- ? module.project-factory.module.projects-iam["dev-ta-app0-be"].google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container-engine"]
- : condition: []
- project: test-pf-dev-net-spoke-0
- role: roles/container.hostServiceAgentUser
- module.project-factory.module.projects-iam["dev-tb-app0-0"].google_project_iam_binding.authoritative["roles/owner"]:
- condition: []
- members:
- - serviceAccount:test-pf-dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
- project: test-pf-dev-tb-app0-0
- role: roles/owner
- module.project-factory.module.projects-iam["dev-tb-app0-0"].google_project_iam_binding.authoritative["roles/viewer"]:
- condition: []
- members:
- - serviceAccount:test-pf-dev-tb-app0-0-ro@test-pf-teams-iac-0.iam.gserviceaccount.com
- project: test-pf-dev-tb-app0-0
- role: roles/viewer
- module.project-factory.module.projects-iam["dev-tb-app0-1"].google_project_iam_binding.authoritative["roles/run.admin"]:
- condition: []
- members:
- - serviceAccount:app-0-be@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
- project: test-pf-dev-tb-app0-1
- role: roles/run.admin
- ? module.project-factory.module.projects-iam["dev-tb-app0-1"].google_project_iam_binding.authoritative["roles/run.developer"]
- : condition: []
- members:
- - serviceAccount:app-0-be@test-pf-dev-tb-app0-1.iam.gserviceaccount.com
- project: test-pf-dev-tb-app0-1
- role: roles/run.developer
- module.project-factory.module.projects["dev-ta-app0-be"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-dev-ta-app0-be
- user_project: null
- module.project-factory.module.projects["dev-ta-app0-be"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-dev-ta-app0-be
- timeouts: null
- ? module.project-factory.module.projects["dev-ta-app0-be"].google_kms_crypto_key_iam_member.service_agent_cmek["key-0.compute-system"]
- : condition: []
- crypto_key_id: projects/kms-central-prj/locations/europe-west1/keyRings/my-keyring/cryptoKeys/ew1-compute
- role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- ? module.project-factory.module.projects["dev-ta-app0-be"].google_kms_crypto_key_iam_member.service_agent_cmek["key-0.gs-project-accounts"]
- : condition: []
- crypto_key_id: projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce
- role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- module.project-factory.module.projects["dev-ta-app0-be"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- app: app-0
- environment: test
- goog-terraform-provisioned: 'true'
- team: team-a
- labels:
- app: app-0
- environment: test
- team: team-a
- name: test-pf-dev-ta-app0-be
- project_id: test-pf-dev-ta-app0-be
- tags: null
- terraform_labels:
- app: app-0
- environment: test
- goog-terraform-provisioned: 'true'
- team: team-a
- timeouts: null
- ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.service_agents["container-engine-robot"]
- : condition: []
- project: test-pf-dev-ta-app0-be
- role: roles/container.serviceAgent
- module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: test-pf-dev-ta-app0-be
- role: roles/container.defaultNodeServiceAgent
- ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["container.googleapis.com"]
- : disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-ta-app0-be
- service: container.googleapis.com
- timeouts: null
- ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["stackdriver.googleapis.com"]
- : disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-ta-app0-be
- service: stackdriver.googleapis.com
- timeouts: null
- module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-ta-app0-be
- service: storage.googleapis.com
- timeouts: null
- ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service_identity.default["container.googleapis.com"]
- : project: test-pf-dev-ta-app0-be
- service: container.googleapis.com
- timeouts: null
- module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_key.default["my-tag-key-1"]:
- description: Managed by the Terraform project-factory module.
- parent: projects/test-pf-dev-ta-app0-be
- purpose: null
- purpose_data: null
- short_name: my-tag-key-1
- timeouts: null
- module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_value.default["my-tag-key-1/my-value-1"]:
- description: My value 1
- short_name: my-value-1
- timeouts: null
- module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_value.default["my-tag-key-1/my-value-2"]:
- description: My value 3
- short_name: my-value-2
- timeouts: null
- ? module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_value_iam_binding.default["my-tag-key-1/my-value-2:roles/resourcemanager.tagUser"]
- : condition: []
- members:
- - user:user@example.com
- role: roles/resourcemanager.tagUser
- module.project-factory.module.projects["dev-tb-app0-0"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-dev-tb-app0-0
- user_project: null
- module.project-factory.module.projects["dev-tb-app0-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
- project: test-pf-dev-tb-app0-0
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-0"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-dev-tb-app0-0
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 123456-123456-123456
- deletion_policy: DELETE
- effective_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- labels:
- environment: test
- name: test-pf-dev-tb-app0-0
- project_id: test-pf-dev-tb-app0-0
- tags: null
- terraform_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-0"].google_project_iam_member.service_agents["serverless-robot-prod"]:
- condition: []
- project: test-pf-dev-tb-app0-0
- role: roles/run.serviceAgent
- module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["run.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-tb-app0-0
- service: run.googleapis.com
- timeouts: null
- ? module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["stackdriver.googleapis.com"]
- : disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-tb-app0-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-tb-app0-0
- service: storage.googleapis.com
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-0"].google_project_service_identity.default["run.googleapis.com"]:
- project: test-pf-dev-tb-app0-0
- service: run.googleapis.com
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-1"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-dev-tb-app0-1
- user_project: null
- module.project-factory.module.projects["dev-tb-app0-1"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-dev-tb-app0-1
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-1"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- app: app-0
- environment: test
- goog-terraform-provisioned: 'true'
- team: team-b
- labels:
- app: app-0
- environment: test
- team: team-b
- name: test-pf-dev-tb-app0-1
- project_id: test-pf-dev-tb-app0-1
- tags: null
- terraform_labels:
- app: app-0
- environment: test
- goog-terraform-provisioned: 'true'
- team: team-b
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-1"].google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: test-pf-dev-tb-app0-1
- role: roles/container.serviceAgent
- module.project-factory.module.projects["dev-tb-app0-1"].google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: test-pf-dev-tb-app0-1
- role: roles/container.defaultNodeServiceAgent
- ? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["container.googleapis.com"]
- : disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-tb-app0-1
- service: container.googleapis.com
- timeouts: null
- ? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["stackdriver.googleapis.com"]
- : disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-tb-app0-1
- service: stackdriver.googleapis.com
- timeouts: null
- module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-tb-app0-1
- service: storage.googleapis.com
- timeouts: null
- ? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service_identity.default["container.googleapis.com"]
- : project: test-pf-dev-tb-app0-1
- service: container.googleapis.com
- timeouts: null
- module.project-factory.module.projects["teams-iac-0"].data.google_storage_project_service_account.gcs_sa[0]:
- project: test-pf-teams-iac-0
- user_project: null
- module.project-factory.module.projects["teams-iac-0"].google_essential_contacts_contact.contact["admin@example.org"]:
- email: admin@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-teams-iac-0
- timeouts: null
- module.project-factory.module.projects["teams-iac-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- folder_id: '5678901234'
- labels:
- environment: test
- name: test-pf-teams-iac-0
- org_id: null
- project_id: test-pf-teams-iac-0
- tags: null
- terraform_labels:
- environment: test
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.project-factory.module.projects["teams-iac-0"].google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: test-pf-teams-iac-0
- role: roles/container.serviceAgent
- module.project-factory.module.projects["teams-iac-0"].google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: test-pf-teams-iac-0
- role: roles/container.defaultNodeServiceAgent
- module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-teams-iac-0
- service: container.googleapis.com
- timeouts: null
- ? module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["stackdriver.googleapis.com"]
- : disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-teams-iac-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-teams-iac-0
- service: storage.googleapis.com
- timeouts: null
- module.project-factory.module.projects["teams-iac-0"].google_project_service_identity.default["container.googleapis.com"]:
- project: test-pf-teams-iac-0
- service: container.googleapis.com
- timeouts: null
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project-roles["test-pf-dev-net-spoke-0-roles/compute.networkUser"]
- : condition: []
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project-roles["test-pf-dev-ta-app0-be-roles/logging.logWriter"]
- : condition: []
- project: test-pf-dev-ta-app0-be
- role: roles/logging.logWriter
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project-roles["test-pf-dev-ta-app0-be-roles/monitoring.metricWriter"]
- : condition: []
- project: test-pf-dev-ta-app0-be
- role: roles/monitoring.metricWriter
- module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_service_account.service_account[0]:
- account_id: app-0-be
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Backend instances.
- email: app-0-be@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
- member: serviceAccount:app-0-be@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
- project: test-pf-dev-ta-app0-be
- timeouts: null
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project-roles["test-pf-dev-net-spoke-0-roles/compute.networkUser"]
- : condition: []
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project-roles["test-pf-dev-ta-app0-be-roles/logging.logWriter"]
- : condition: []
- project: test-pf-dev-ta-app0-be
- role: roles/logging.logWriter
- ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_project_iam_member.project-roles["test-pf-dev-ta-app0-be-roles/monitoring.metricWriter"]
- : condition: []
- project: test-pf-dev-ta-app0-be
- role: roles/monitoring.metricWriter
- module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_service_account.service_account[0]:
- account_id: app-0-fe
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Frontend instances.
- email: app-0-fe@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
- member: serviceAccount:app-0-fe@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
- project: test-pf-dev-ta-app0-be
- timeouts: null
- ? module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_project_iam_member.project-roles["test-pf-dev-tb-app0-1-roles/logging.logWriter"]
- : condition: []
- project: test-pf-dev-tb-app0-1
- role: roles/logging.logWriter
- ? module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_project_iam_member.project-roles["test-pf-dev-tb-app0-1-roles/monitoring.metricWriter"]
- : condition: []
- project: test-pf-dev-tb-app0-1
- role: roles/monitoring.metricWriter
- module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_service_account.service_account[0]:
- account_id: vm-default
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: VM default service account.
- email: vm-default@test-pf-dev-tb-app0-0.iam.gserviceaccount.com
- member: serviceAccount:vm-default@test-pf-dev-tb-app0-0.iam.gserviceaccount.com
- project: test-pf-dev-tb-app0-0
- timeouts: null
- ? module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
- members:
- - serviceAccount:test-pf-dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
- role: roles/iam.serviceAccountTokenCreator
- ? module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_project_iam_member.project-roles["test-pf-dev-tb-app0-1-roles/logging.logWriter"]
- : condition: []
- project: test-pf-dev-tb-app0-1
- role: roles/logging.logWriter
- ? module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_project_iam_member.project-roles["test-pf-dev-tb-app0-1-roles/monitoring.metricWriter"]
- : condition: []
- project: test-pf-dev-tb-app0-1
- role: roles/monitoring.metricWriter
- module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_service_account.service_account[0]:
- account_id: app-0-be
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Backend instances.
- email: app-0-be@test-pf-dev-tb-app0-1.iam.gserviceaccount.com
- member: serviceAccount:app-0-be@test-pf-dev-tb-app0-1.iam.gserviceaccount.com
- project: test-pf-dev-tb-app0-1
- timeouts: null
-
-counts:
- google_billing_budget: 1
- google_compute_shared_vpc_host_project: 1
- google_compute_shared_vpc_service_project: 1
- google_essential_contacts_contact: 4
- google_folder: 5
- google_folder_iam_binding: 1
- google_kms_crypto_key_iam_member: 2
- google_monitoring_notification_channel: 1
- google_project: 4
- google_project_iam_binding: 6
- google_project_iam_member: 21
- google_project_service: 13
- google_project_service_identity: 4
- google_service_account: 6
- google_service_account_iam_binding: 1
- google_storage_bucket: 1
- google_storage_bucket_iam_binding: 2
- google_storage_project_service_account: 4
- google_tags_tag_binding: 1
- google_tags_tag_key: 1
- google_tags_tag_value: 2
- google_tags_tag_value_iam_binding: 1
- modules: 21
- resources: 83
-
-outputs: {}
diff --git a/tests/modules/project_factory_legacy/key_ignores_path.tfvars b/tests/modules/project_factory_legacy/key_ignores_path.tfvars
deleted file mode 100644
index 80876e14b..000000000
--- a/tests/modules/project_factory_legacy/key_ignores_path.tfvars
+++ /dev/null
@@ -1,40 +0,0 @@
-data_defaults = {
- billing_account = "1245-5678-9012"
- parent = "folders/1234"
- storage_location = "EU"
- contacts = {
- "admin-default@example.org" = ["ALL"]
- }
- tag_bindings = {
- name1 = "default-id1"
- name2 = "default-id2"
- }
- services = [
- "default-service.googleapis.com"
- ]
-}
-data_overrides = {
- prefix = "test-pf"
-}
-factories_config = {
- folders_data_path = "key_ignores_path/hierarchy"
- projects_data_path = "key_ignores_path/projects"
- projects_config = {
- key_ignores_path = true
- }
- context = {
- folder_ids = {
- default = "folders/5678901234"
- teams = "folders/5678901234"
- }
- iam_principals = {
- gcp-devops = "group:gcp-devops@example.org"
- }
- tag_values = {
- "org-policies/drs-allow-all" = "tagValues/123456"
- }
- vpc_host_projects = {
- dev-spoke-0 = "test-pf-dev-net-spoke-0"
- }
- }
-}
diff --git a/tests/modules/project_factory_legacy/key_ignores_path.yaml b/tests/modules/project_factory_legacy/key_ignores_path.yaml
deleted file mode 100644
index 4c5cb0ae4..000000000
--- a/tests/modules/project_factory_legacy/key_ignores_path.yaml
+++ /dev/null
@@ -1,238 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.hierarchy-folder-lvl-1["team-a"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team A
- parent: folders/5678901234
- tags: null
- timeouts: null
- module.hierarchy-folder-lvl-1["team-b"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Team B
- parent: folders/5678901234
- tags: null
- timeouts: null
- module.hierarchy-folder-lvl-2["team-a/dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.hierarchy-folder-lvl-2["team-a/dev"].google_tags_tag_binding.binding["environment"]:
- tag_value: environment/development
- timeouts: null
- module.hierarchy-folder-lvl-2["team-a/prod"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Production
- tags: null
- timeouts: null
- module.hierarchy-folder-lvl-2["team-a/prod"].google_tags_tag_binding.binding["environment"]:
- tag_value: environment/production
- timeouts: null
- module.hierarchy-folder-lvl-2["team-b/dev"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Development
- tags: null
- timeouts: null
- module.hierarchy-folder-lvl-2["team-b/dev"].google_tags_tag_binding.binding["environment"]:
- tag_value: environment/development
- timeouts: null
- module.hierarchy-folder-lvl-2["team-b/prod"].google_folder.folder[0]:
- deletion_protection: false
- display_name: Production
- tags: null
- timeouts: null
- module.hierarchy-folder-lvl-2["team-b/prod"].google_tags_tag_binding.binding["environment"]:
- tag_value: environment/production
- timeouts: null
- module.projects-iam["dev-ta-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: test-pf-dev-net-spoke-0
- service_project: test-pf-dev-ta-0
- timeouts: null
- module.projects-iam["dev-ta-0"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]:
- condition: []
- member: group:gcp-devops@example.org
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- module.projects-iam["dev-tb-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: test-pf-dev-net-spoke-0
- service_project: test-pf-dev-tb-0
- timeouts: null
- module.projects-iam["dev-tb-0"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]:
- condition: []
- member: group:gcp-devops@example.org
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- module.projects-iam["prod-ta-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: prod-spoke-0
- service_project: test-pf-prod-ta-0
- timeouts: null
- module.projects-iam["prod-ta-0"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]:
- condition: []
- member: group:gcp-devops@example.org
- project: prod-spoke-0
- role: roles/compute.networkUser
- module.projects-iam["prod-tb-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: prod-spoke-0
- service_project: test-pf-prod-tb-0
- timeouts: null
- module.projects-iam["prod-tb-0"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]:
- condition: []
- member: group:gcp-devops@example.org
- project: prod-spoke-0
- role: roles/compute.networkUser
- module.projects["dev-ta-0"].google_essential_contacts_contact.contact["admin-default@example.org"]:
- email: admin-default@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-dev-ta-0
- timeouts: null
- module.projects["dev-ta-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 1245-5678-9012
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- name: test-pf-dev-ta-0
- project_id: test-pf-dev-ta-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["dev-ta-0"].google_project_service.project_services["default-service.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-ta-0
- service: default-service.googleapis.com
- timeouts: null
- module.projects["dev-ta-0"].google_tags_tag_binding.binding["name1"]:
- tag_value: default-id1
- timeouts: null
- module.projects["dev-ta-0"].google_tags_tag_binding.binding["name2"]:
- tag_value: default-id2
- timeouts: null
- module.projects["dev-tb-0"].google_essential_contacts_contact.contact["admin-default@example.org"]:
- email: admin-default@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-dev-tb-0
- timeouts: null
- module.projects["dev-tb-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 1245-5678-9012
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- name: test-pf-dev-tb-0
- project_id: test-pf-dev-tb-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["dev-tb-0"].google_project_service.project_services["default-service.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-dev-tb-0
- service: default-service.googleapis.com
- timeouts: null
- module.projects["dev-tb-0"].google_tags_tag_binding.binding["name1"]:
- tag_value: default-id1
- timeouts: null
- module.projects["dev-tb-0"].google_tags_tag_binding.binding["name2"]:
- tag_value: default-id2
- timeouts: null
- module.projects["prod-ta-0"].google_essential_contacts_contact.contact["admin-default@example.org"]:
- email: admin-default@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-prod-ta-0
- timeouts: null
- module.projects["prod-ta-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 1245-5678-9012
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- name: test-pf-prod-ta-0
- project_id: test-pf-prod-ta-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["prod-ta-0"].google_project_service.project_services["default-service.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-prod-ta-0
- service: default-service.googleapis.com
- timeouts: null
- module.projects["prod-ta-0"].google_tags_tag_binding.binding["name1"]:
- tag_value: default-id1
- timeouts: null
- module.projects["prod-ta-0"].google_tags_tag_binding.binding["name2"]:
- tag_value: default-id2
- timeouts: null
- module.projects["prod-tb-0"].google_essential_contacts_contact.contact["admin-default@example.org"]:
- email: admin-default@example.org
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/test-pf-prod-tb-0
- timeouts: null
- module.projects["prod-tb-0"].google_project.project[0]:
- auto_create_network: false
- billing_account: 1245-5678-9012
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- name: test-pf-prod-tb-0
- project_id: test-pf-prod-tb-0
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["prod-tb-0"].google_project_service.project_services["default-service.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-pf-prod-tb-0
- service: default-service.googleapis.com
- timeouts: null
- module.projects["prod-tb-0"].google_tags_tag_binding.binding["name1"]:
- tag_value: default-id1
- timeouts: null
- module.projects["prod-tb-0"].google_tags_tag_binding.binding["name2"]:
- tag_value: default-id2
- timeouts: null
-
-counts:
- google_compute_shared_vpc_service_project: 4
- google_essential_contacts_contact: 4
- google_folder: 6
- google_project: 4
- google_project_iam_member: 4
- google_project_service: 4
- google_tags_tag_binding: 12
- modules: 14
- resources: 38
diff --git a/tests/modules/project_factory_legacy/shared_vpc_network_user.tfvars b/tests/modules/project_factory_legacy/shared_vpc_network_user.tfvars
deleted file mode 100644
index 6eff1d58e..000000000
--- a/tests/modules/project_factory_legacy/shared_vpc_network_user.tfvars
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-data_defaults = {
- billing_account = "1245-5678-9012"
- storage_location = "EU"
- prefix = "my-prefix"
- parent = "folders/1234"
-}
-# location where the yaml files are read from
-factories_config = {
- projects_data_path = "projects"
- context = {
- folder_ids = {
- default = "folders/5678901234"
- teams = "folders/5678901234"
- }
- iam_principals = {
- gcp-devops = "group:gcp-devops@example.org"
- }
- tag_values = {
- "org-policies/drs-allow-all" = "tagValues/123456"
- }
- vpc_host_projects = {
- dev-spoke-0 = "test-pf-dev-net-spoke-0"
- }
- }
-}
diff --git a/tests/modules/project_factory_legacy/shared_vpc_network_user.yaml b/tests/modules/project_factory_legacy/shared_vpc_network_user.yaml
deleted file mode 100644
index 35418a119..000000000
--- a/tests/modules/project_factory_legacy/shared_vpc_network_user.yaml
+++ /dev/null
@@ -1,160 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.automation-service-accounts["service1/automation/ro"].google_service_account.service_account[0]:
- account_id: my-prefix-service1-ro
- create_ignore_already_exists: null
- description: Service read-only automation sa.
- disabled: false
- display_name: Service account ro for service1.
- email: my-prefix-service1-ro@service-iac.iam.gserviceaccount.com
- member: serviceAccount:my-prefix-service1-ro@service-iac.iam.gserviceaccount.com
- project: service-iac
- timeouts: null
- module.automation-service-accounts["service1/automation/rw"].google_service_account.service_account[0]:
- account_id: my-prefix-service1-rw
- create_ignore_already_exists: null
- description: Service read/write automation sa.
- disabled: false
- display_name: Service account rw for service1.
- email: my-prefix-service1-rw@service-iac.iam.gserviceaccount.com
- member: serviceAccount:my-prefix-service1-rw@service-iac.iam.gserviceaccount.com
- project: service-iac
- timeouts: null
- module.projects-iam["service1"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
- deletion_policy: null
- host_project: test-pf-dev-net-spoke-0
- service_project: my-prefix-service1
- timeouts: null
- ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:my-prefix-service1-ro@service-iac.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:my-prefix-service1-ro@service-iac.iam.gserviceaccount.com
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:my-prefix-service1-rw@service-iac.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:my-prefix-service1-rw@service-iac.iam.gserviceaccount.com
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:terraform-rw@my-prefix-service1.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:terraform-rw@my-prefix-service1.iam.gserviceaccount.com
- project: test-pf-dev-net-spoke-0
- role: roles/compute.networkUser
- module.projects["service1"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: '1234'
- labels: null
- name: my-prefix-service1
- org_id: null
- project_id: my-prefix-service1
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["service2"].data.google_storage_project_service_account.gcs_sa[0]:
- project: my-prefix-service2
- user_project: null
- module.projects["service2"].google_project.project[0]:
- auto_create_network: false
- billing_account: 012345-67890A-BCDEF0
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: '1234'
- labels: null
- name: my-prefix-service2
- org_id: null
- project_id: my-prefix-service2
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.projects["service2"].google_project_iam_member.service_agents["compute-system"]:
- condition: []
- project: my-prefix-service2
- role: roles/compute.serviceAgent
- module.projects["service2"].google_project_service.project_services["compute.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: my-prefix-service2
- service: compute.googleapis.com
- timeouts: null
- module.projects["service2"].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: my-prefix-service2
- service: storage.googleapis.com
- timeouts: null
- module.service-accounts["service1/app-be-0"].google_service_account.service_account[0]:
- account_id: app-be-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: app-be-0@my-prefix-service1.iam.gserviceaccount.com
- member: serviceAccount:app-be-0@my-prefix-service1.iam.gserviceaccount.com
- project: my-prefix-service1
- timeouts: null
- module.service-accounts["service1/terraform-rw"].google_service_account.service_account[0]:
- account_id: terraform-rw
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: terraform-rw@my-prefix-service1.iam.gserviceaccount.com
- member: serviceAccount:terraform-rw@my-prefix-service1.iam.gserviceaccount.com
- project: my-prefix-service1
- timeouts: null
- module.service-accounts["service2/app-be-0"].google_service_account.service_account[0]:
- account_id: app-be-0
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: app-be-0@my-prefix-service2.iam.gserviceaccount.com
- member: serviceAccount:app-be-0@my-prefix-service2.iam.gserviceaccount.com
- project: my-prefix-service2
- timeouts: null
- module.service-accounts["service2/terraform-rw"].google_service_account.service_account[0]:
- account_id: terraform-rw
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: terraform-rw@my-prefix-service2.iam.gserviceaccount.com
- member: serviceAccount:terraform-rw@my-prefix-service2.iam.gserviceaccount.com
- project: my-prefix-service2
- timeouts: null
-
-counts:
- google_compute_shared_vpc_service_project: 1
- google_project: 2
- google_project_iam_member: 4
- google_project_service: 2
- google_service_account: 6
- google_storage_project_service_account: 1
- modules: 9
- resources: 16
-
-outputs:
- buckets: {}
- folders: {}
- projects: __missing__
- service_accounts: __missing__
diff --git a/tests/modules/project_factory_legacy/tftest.yaml b/tests/modules/project_factory_legacy/tftest.yaml
deleted file mode 100644
index 29342bf4d..000000000
--- a/tests/modules/project_factory_legacy/tftest.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module: modules/project-factory-legacy
-
-tests:
- bucket_iam:
- extra_dirs:
- - ../../tests/modules/project_factory_legacy/data/bucket_iam
- shared_vpc_network_user:
- extra_dirs:
- - ../../tests/modules/project_factory_legacy/data/shared_vpc_network_user/projects
- data_overrides_defaults:
- extra_dirs:
- - ../../tests/modules/project_factory_legacy/data/data_overrides_defaults/projects
- key_ignores_path:
- extra_dirs:
- - ../../tests/modules/project_factory_legacy/data/key_ignores_path
diff --git a/tools/lockfile/versions.tf b/tools/lockfile/versions.tf
index 7b004e7d0..f00c5ecfc 100644
--- a/tools/lockfile/versions.tf
+++ b/tools/lockfile/versions.tf
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.11.4"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/tools/lockfile:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/tools/lockfile:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/tools/lockfile:v44.2.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/tools/lockfile:v45.0.0-tf"
}
}
diff --git a/tools/lockfile/versions.tofu b/tools/lockfile/versions.tofu
index 93121bcf7..b39f13ab6 100644
--- a/tools/lockfile/versions.tofu
+++ b/tools/lockfile/versions.tofu
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# Fabric release: v44.2.0
+# Fabric release: v45.0.0
terraform {
required_version = ">= 1.9.0"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/tools/lockfile:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/tools/lockfile:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/tools/lockfile:v44.2.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/tools/lockfile:v45.0.0-tofu"
}
}