From ed234bfb4655438899e7677f2544b11b4ca43f75 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 14 May 2026 16:36:23 +0200
Subject: [PATCH] Fix unresolved variables in starter-gcd and customizations tests (#3967)

* Fix unresolved variables in starter-gcd dataset (#3961)
* Fix unresolved variables in customizations test (#3961)
* leftover files for the fix
---
 .../datasets/starter-gcd/defaults.yaml | 3 -
 .../organization/tags/environment.yaml | 36 +-
 .../datasets/starter-gcd/projects/iac-0.yaml | 2 -
 .../stages/s0_org_setup/customizations.tfvars | 1 +
 .../stages/s0_org_setup/customizations.yaml | 1540 +++++++----------
 .../data-customizations/defaults.yaml | 19 -
 .../organization/tags/environment.yaml | 18 -
 .../fast/stages/s0_org_setup/starter-gcd.yaml | 73 +-
 8 files changed, 606 insertions(+), 1086 deletions(-)
diff --git a/fast/stages/0-org-setup/datasets/starter-gcd/defaults.yaml b/fast/stages/0-org-setup/datasets/starter-gcd/defaults.yaml
index b7acfc6ac..35b385bf8 100644
--- a/fast/stages/0-org-setup/datasets/starter-gcd/defaults.yaml
+++ b/fast/stages/0-org-setup/datasets/starter-gcd/defaults.yaml
@@ -56,6 +56,3 @@ output_files:
 0-org-setup:
 bucket: $storage_buckets:iac-0/iac-org-state
 service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
- 0-org-setup-ro:
- bucket: $storage_buckets:iac-0/iac-org-state
- service_account: $iam_principals:service_accounts/iac-0/iac-org-ro
diff --git a/fast/stages/0-org-setup/datasets/starter-gcd/organization/tags/environment.yaml b/fast/stages/0-org-setup/datasets/starter-gcd/organization/tags/environment.yaml
index 4580772b4..7cd17b3ef 100644
--- a/fast/stages/0-org-setup/datasets/starter-gcd/organization/tags/environment.yaml
+++ b/fast/stages/0-org-setup/datasets/starter-gcd/organization/tags/environment.yaml
@@ -21,23 +21,23 @@ description: "Organization-level environments."
 values:
 development:
 description: "Development."
- iam:
- "roles/resourcemanager.tagUser":
- - $iam_principals:service_accounts/iac-0/iac-networking-rw
- - $iam_principals:service_accounts/iac-0/iac-security-rw
- - $iam_principals:service_accounts/iac-0/iac-pf-rw
- "roles/resourcemanager.tagViewer":
- - $iam_principals:service_accounts/iac-0/iac-networking-ro
- - $iam_principals:service_accounts/iac-0/iac-security-ro
- - $iam_principals:service_accounts/iac-0/iac-pf-ro
+ # iam:
+ # "roles/resourcemanager.tagUser":
+ # - $iam_principals:service_accounts/iac-0/iac-networking-rw
+ # - $iam_principals:service_accounts/iac-0/iac-security-rw
+ # - $iam_principals:service_accounts/iac-0/iac-pf-rw
+ # "roles/resourcemanager.tagViewer":
+ # - $iam_principals:service_accounts/iac-0/iac-networking-ro
+ # - $iam_principals:service_accounts/iac-0/iac-security-ro
+ # - $iam_principals:service_accounts/iac-0/iac-pf-ro
 production:
 description: "Production."
- iam:
- "roles/resourcemanager.tagUser":
- - $iam_principals:service_accounts/iac-0/iac-networking-rw
- - $iam_principals:service_accounts/iac-0/iac-security-rw
- - $iam_principals:service_accounts/iac-0/iac-pf-rw
- "roles/resourcemanager.tagViewer":
- - $iam_principals:service_accounts/iac-0/iac-networking-ro
- - $iam_principals:service_accounts/iac-0/iac-security-ro
- - $iam_principals:service_accounts/iac-0/iac-pf-ro
+ # iam:
+ # "roles/resourcemanager.tagUser":
+ # - $iam_principals:service_accounts/iac-0/iac-networking-rw
+ # - $iam_principals:service_accounts/iac-0/iac-security-rw
+ # - $iam_principals:service_accounts/iac-0/iac-pf-rw
+ # "roles/resourcemanager.tagViewer":
+ # - $iam_principals:service_accounts/iac-0/iac-networking-ro
+ # - $iam_principals:service_accounts/iac-0/iac-security-ro
+ # - $iam_principals:service_accounts/iac-0/iac-pf-ro
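Review bot: Commenting out the `iam` blocks under both the `development` and `production` tag values leaves eighteen lines of dead configuration in the starter dataset with nothing saying why they are disabled; if the `$iam_principals:service_accounts/iac-0/iac-*-rw` and `-ro` references are the unresolved variables the subject line refers to, deleting the block and keeping a one-line pointer is cleaner than a commented copy that will drift. After this hunk neither tag value carries a `roles/resourcemanager.tagUser` or `roles/resourcemanager.tagViewer` grant in this dataset, so whichever stage binds these environment tags now depends on the grant being made elsewhere. A comment above each value such as `# no IAM here: tag user/viewer roles are granted where the consuming service accounts are defined` records that decision for the next reader. The same applies to both occurrences in this hunk.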
diff --git a/fast/stages/0-org-setup/datasets/starter-gcd/projects/iac-0.yaml b/fast/stages/0-org-setup/datasets/starter-gcd/projects/iac-0.yaml
index 1ad613537..1feabbf12 100644
--- a/fast/stages/0-org-setup/datasets/starter-gcd/projects/iac-0.yaml
+++ b/fast/stages/0-org-setup/datasets/starter-gcd/projects/iac-0.yaml
@@ -52,8 +52,6 @@ buckets:
 iam:
 roles/storage.admin:
 - $iam_principals:service_accounts/iac-0/iac-org-rw
- $custom_roles:storage_viewer:
- - $iam_principals:service_accounts/iac-0/iac-org-ro
 iac-outputs:
 description: Terraform state for the org-level automation.
 versioning: true
diff --git a/tests/fast/stages/s0_org_setup/customizations.tfvars b/tests/fast/stages/s0_org_setup/customizations.tfvars
index 5d101d0bd..0eb13246d 100644
--- a/tests/fast/stages/s0_org_setup/customizations.tfvars
+++ b/tests/fast/stages/s0_org_setup/customizations.tfvars
@@ -1,4 +1,5 @@
 factories_config = {
+ dataset = "datasets/starter-gcd"
 paths = {
 defaults = "./data-customizations/defaults.yaml"
 organization = "./data-customizations/organization"
diff --git a/tests/fast/stages/s0_org_setup/customizations.yaml b/tests/fast/stages/s0_org_setup/customizations.yaml
index f6c2ce114..8d9082adf 100644
--- a/tests/fast/stages/s0_org_setup/customizations.yaml
+++ b/tests/fast/stages/s0_org_setup/customizations.yaml
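Review bot: The new `dataset = "datasets/starter-gcd"` line in customizations.tfvars is written without the `./` prefix that the three `paths` entries below it use, and from the repository layout it presumably resolves against the 0-org-setup stage directory rather than the test directory; a reader is likely to "fix" it to match the neighbouring style and break the test. A short comment above the line, `# relative to the 0-org-setup stage root, not to this test directory like the ./data-customizations paths`, would prevent that, once the base directory is confirmed. Since the test now overlays `data-customizations` on top of the starter-gcd dataset, it is also worth stating in the commit description that the test's expected plan depends on that dataset's contents. The `factories_config` block continues past the end of the hunk.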
@@ -45,170 +45,6 @@ values: source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["0-org-setup-ro"]: - bucket: ft0-prod-iac-core-0-iac-outputs - cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ - \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ - \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_disposition: null - content_encoding: null - content_language: null - contexts: [] - customer_encryption: [] - deletion_policy: null - detect_md5hash: null - event_based_hold: null - force_empty_content_type: null - metadata: null - name: providers/0-org-setup-ro-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["1-vpcsc"]: - bucket: ft0-prod-iac-core-0-iac-outputs - cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may 
obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ - \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ - \ = \"1-vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ - \ \"google-beta\" {\n impersonate_service_account = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_disposition: null - content_encoding: null - content_language: null - contexts: [] - customer_encryption: [] - deletion_policy: null - detect_md5hash: null - event_based_hold: null - force_empty_content_type: null - metadata: null - name: providers/1-vpcsc-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-networking"]: - bucket: ft0-prod-iac-core-0-iac-outputs - cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language 
governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ - \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ - \ = \"2-networking\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ - \ \"google-beta\" {\n impersonate_service_account = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_disposition: null - content_encoding: null - content_language: null - contexts: [] - customer_encryption: [] - deletion_policy: null - detect_md5hash: null - event_based_hold: null - force_empty_content_type: null - metadata: null - name: providers/2-networking-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory"]: - bucket: ft0-prod-iac-core-0-iac-outputs - cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ - \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix =\ - \ \"2-project-factory\"\n }\n}\nprovider \"google\" {\n 
impersonate_service_account\ - \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider \"\ - google-beta\" {\n impersonate_service_account = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_disposition: null - content_encoding: null - content_language: null - contexts: [] - customer_encryption: [] - deletion_policy: null - detect_md5hash: null - event_based_hold: null - force_empty_content_type: null - metadata: null - name: providers/2-project-factory-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-security"]: - bucket: ft0-prod-iac-core-0-iac-outputs - cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ - \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ - \ = \"2-security\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ - \ \"google-beta\" {\n impersonate_service_account = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_disposition: null - content_encoding: null - content_language: null - contexts: [] - customer_encryption: [] - 
deletion_policy: null - detect_md5hash: null - event_based_hold: null - force_empty_content_type: null - metadata: null - name: providers/2-security-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null google_storage_bucket_object.tfvars["globals"]: bucket: ft0-prod-iac-core-0-iac-outputs cache_control: null 
@@ -285,115 +121,6 @@ values: filename: /tmp/fast-config/providers/0-org-setup-providers.tf sensitive_content: null source: null - local_file.providers["0-org-setup-ro"]: - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ - \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ - \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_base64: null - directory_permission: '0777' - file_permission: '0644' - filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf - sensitive_content: null - source: null - local_file.providers["1-vpcsc"]: - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ 
CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ - \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ - \ = \"1-vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ - \ \"google-beta\" {\n impersonate_service_account = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_base64: null - directory_permission: '0777' - file_permission: '0644' - filename: /tmp/fast-config/providers/1-vpcsc-providers.tf - sensitive_content: null - source: null - local_file.providers["2-networking"]: - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ - \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ - \ = \"2-networking\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ - \ \"google-beta\" {\n impersonate_service_account = 
\"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_base64: null - directory_permission: '0777' - file_permission: '0644' - filename: /tmp/fast-config/providers/2-networking-providers.tf - sensitive_content: null - source: null - local_file.providers["2-project-factory"]: - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ - \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix =\ - \ \"2-project-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider \"\ - google-beta\" {\n impersonate_service_account = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_base64: null - directory_permission: '0777' - file_permission: '0644' - filename: /tmp/fast-config/providers/2-project-factory-providers.tf - sensitive_content: null - source: null - local_file.providers["2-security"]: - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless 
required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ - \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ - \ = \"2-security\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ - \ \"google-beta\" {\n impersonate_service_account = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_base64: null - directory_permission: '0777' - file_permission: '0644' - filename: /tmp/fast-config/providers/2-security-providers.tf - sensitive_content: null - source: null local_file.tfvars["globals"]: content: '{"billing_account":{"id":"012345-012345-012345"},"groups":{"domain":"domain:example.org","gcp-billing-admins":"group:gcp-billing-admins@example.org","gcp-devops":"group:gcp-devops@example.org","gcp-network-admins":"group:gcp-network-admins@example.org","gcp-organization-admins":"group:fabric-fast-owners@google.com","gcp-secops-admins":"group:gcp-secops-admins@example.org","gcp-security-admins":"group:gcp-security-admins@example.org","gcp-support":"group:gcp-support@example.org"},"organization":{"customer_id":"abcd123456","domain":"example.org","id":"1234567890"},"prefix":"ft0","universe":null}' content_base64: null 
@@ -409,37 +136,7 @@ values: filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json sensitive_content: null source: null - module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]: - billing_account_id: 012345-012345-012345 - condition: [] - member: group:fabric-fast-owners@google.com - role: roles/billing.admin - module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_sa"]: - billing_account_id: 012345-012345-012345 - condition: [] - member: serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/billing.admin - module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_networking_sa"]: - billing_account_id: 012345-012345-012345 - condition: [] - member: serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/billing.user - module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_pf_sa"]: - billing_account_id: 012345-012345-012345 - condition: [] - member: serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/billing.user - module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_security_sa"]: - billing_account_id: 012345-012345-012345 - condition: [] - member: serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/billing.user - module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_viewer_org_ro"]: - billing_account_id: 012345-012345-012345 - condition: [] - member: serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/billing.viewer - module.factory.module.bigquery-datasets["billing-0/billing_export"].google_bigquery_dataset.default: + module.factory.module.bigquery-datasets["iac-0/billing_export"].google_bigquery_dataset.default: dataset_id: billing_export 
default_encryption_configuration: [] default_partition_expiration_ms: null @@ -454,7 +151,7 @@ values: labels: null location: europe-west1 max_time_travel_hours: '168' - project: ft0-prod-billing-exp-0 + project: ft0-prod-iac-core-0 resource_tags: null terraform_labels: goog-terraform-provisioned: 'true' @@ -486,11 +183,6 @@ values: uniform_bucket_level_access: true versioning: - enabled: true - ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"] - : bucket: ft0-prod-iac-core-0-iac-org-state - condition: [] - role: $custom_roles:storage_viewer - timeouts: null ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"] : bucket: ft0-prod-iac-core-0-iac-org-state condition: [] 
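Review bot: The expected plan now places the `billing_export` BigQuery dataset in `ft0-prod-iac-core-0` (the `project:` change in hunk `@@ -454,7 +151,7 @@`, and the `iac-0/billing_export` key in hunk `@@ -409,37 +136,7 @@`), the same project that hosts the `iac-org-state` and `iac-outputs` state buckets visible in the `@@ -486,11 +183,6 @@` context; keeping billing data in the automation project widens what a compromised IaC principal can read. This is a generated test fixture, so it presumably mirrors the trimmed `data-customizations` dataset rather than a recommended layout — if so, a comment in that dataset noting the co-location is for test compactness only would stop it being copied into real deployments. If the move is instead meant as the reference layout, that deserves a sentence in the commit description.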
@@ -523,355 +215,48 @@ values: uniform_bucket_level_access: true versioning: - enabled: true - ? module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"] - : bucket: ft0-prod-iac-core-0-iac-outputs - condition: [] - role: $custom_roles:storage_viewer - timeouts: null module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"]: bucket: ft0-prod-iac-core-0-iac-outputs condition: [] role: roles/storage.admin timeouts: null - module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_bucket.bucket[0]: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - effective_labels: - goog-terraform-provisioned: 'true' - enable_object_retention: null - encryption: [] - force_destroy: false - hierarchical_namespace: [] - ip_filter: [] - labels: null - lifecycle_rule: [] - location: EUROPE-WEST1 - logging: [] - name: ft0-prod-iac-core-0-iac-stage-state - project: ft0-prod-iac-core-0 - requester_pays: null - retention_policy: [] - storage_class: STANDARD - terraform_labels: - goog-terraform-provisioned: 'true' + module.factory.module.folder-1-iam["dev"].google_tags_tag_binding.binding["environment"]: timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["1-vpcsc/"]: - bucket: ft0-prod-iac-core-0-iac-stage-state - force_destroy: false - name: 1-vpcsc/ + module.factory.module.folder-1-iam["prod"].google_tags_tag_binding.binding["environment"]: timeouts: null - module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-networking/"]: - bucket: ft0-prod-iac-core-0-iac-stage-state - force_destroy: false - name: 2-networking/ - timeouts: null - 
module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-project-factory/"]: - bucket: ft0-prod-iac-core-0-iac-stage-state - force_destroy: false - name: 2-project-factory/ - timeouts: null - module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-security/"]: - bucket: ft0-prod-iac-core-0-iac-stage-state - force_destroy: false - name: 2-security/ - timeouts: null - ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/$custom_roles:storage_viewer"] - : bucket: ft0-prod-iac-core-0-iac-stage-state - condition: [] - managed_folder: 1-vpcsc/ - role: $custom_roles:storage_viewer - ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/roles/storage.admin"] - : bucket: ft0-prod-iac-core-0-iac-stage-state - condition: [] - managed_folder: 1-vpcsc/ - role: roles/storage.admin - ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/$custom_roles:storage_viewer"] - : bucket: ft0-prod-iac-core-0-iac-stage-state - condition: [] - managed_folder: 2-networking/ - role: $custom_roles:storage_viewer - ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/roles/storage.admin"] - : bucket: ft0-prod-iac-core-0-iac-stage-state - condition: [] - managed_folder: 2-networking/ - role: roles/storage.admin - ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/$custom_roles:storage_viewer"] - : bucket: ft0-prod-iac-core-0-iac-stage-state - condition: [] - managed_folder: 2-project-factory/ - role: $custom_roles:storage_viewer - ? 
module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/roles/storage.admin"] - : bucket: ft0-prod-iac-core-0-iac-stage-state - condition: [] - managed_folder: 2-project-factory/ - role: roles/storage.admin - ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/$custom_roles:storage_viewer"] - : bucket: ft0-prod-iac-core-0-iac-stage-state - condition: [] - managed_folder: 2-security/ - role: $custom_roles:storage_viewer - ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/roles/storage.admin"] - : bucket: ft0-prod-iac-core-0-iac-stage-state - condition: [] - managed_folder: 2-security/ - role: roles/storage.admin - ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"] - : condition: [] - role: $custom_roles:project_iam_viewer - ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"] - : condition: [] - role: $custom_roles:service_project_network_admin - module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.viewer"]: - condition: [] - role: roles/compute.viewer - module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: - condition: [] - role: roles/compute.xpnAdmin - module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - role: roles/logging.admin - module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - role: roles/owner - ? 
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] - : condition: [] - role: roles/resourcemanager.folderAdmin - ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] - : condition: [] - role: roles/resourcemanager.folderViewer - ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - : condition: [] - role: roles/resourcemanager.projectCreator - module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: - condition: [] - role: roles/resourcemanager.tagUser - ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"] - : condition: [] - role: roles/resourcemanager.tagViewer - module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/viewer"]: - condition: [] - role: roles/viewer - module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["project_factory"]: - condition: - - description: null - expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\ - \ 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',\n 'roles/container.hostServiceAgentUser',\ - \ 'roles/vpcaccess.user'\n])\n" - title: Project factory delegated IAM grant. - role: roles/resourcemanager.projectIamAdmin - module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]: - condition: [] - role: $custom_roles:project_iam_viewer - ? 
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"] - : condition: [] - role: roles/cloudkms.cryptoKeyEncrypterDecrypter - module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"]: - condition: [] - role: roles/cloudkms.viewer - module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - role: roles/logging.admin - module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - role: roles/owner - ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] - : condition: [] - role: roles/resourcemanager.folderAdmin - ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] - : condition: [] - role: roles/resourcemanager.folderViewer - ? 
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - : condition: [] - role: roles/resourcemanager.projectCreator - module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: - condition: [] - role: roles/resourcemanager.tagUser - module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: - condition: [] - role: roles/resourcemanager.tagViewer - module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/viewer"]: - condition: [] - role: roles/viewer - module.factory.module.folder-1-iam["security"].google_folder_iam_binding.bindings["project_factory"]: - condition: - - description: null - expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\ - \ 'roles/cloudkms.cryptoKeyEncrypterDecrypter'\n])\n" - title: Project factory delegated IAM grant. - role: roles/resourcemanager.projectIamAdmin - ? module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"] - : condition: [] - role: $custom_roles:service_project_network_admin - module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - role: roles/owner - module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: - condition: [] - role: roles/resourcemanager.folderAdmin - module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: - condition: [] - role: roles/resourcemanager.folderViewer - ? 
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - : condition: [] - role: roles/resourcemanager.projectCreator - module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: - condition: [] - role: roles/resourcemanager.tagUser - module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: - condition: [] - role: roles/resourcemanager.tagViewer - module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/viewer"]: - condition: [] - role: roles/viewer - module.factory.module.folder-1-iam["teams"].google_tags_tag_binding.binding["context"]: - tag_value: $tag_values:context/project-factory - timeouts: null - module.factory.module.folder-1["networking"].google_folder.folder[0]: - deletion_protection: false - display_name: Networking - parent: organizations/1234567890 - tags: null - timeouts: null - module.factory.module.folder-1["security"].google_folder.folder[0]: - deletion_protection: false - display_name: Security - parent: organizations/1234567890 - tags: null - timeouts: null - module.factory.module.folder-1["teams"].google_folder.folder[0]: - deletion_protection: false - display_name: Teams - parent: organizations/1234567890 - tags: null - timeouts: null - module.factory.module.folder-2-iam["networking/dev"].google_tags_tag_binding.binding["environment"]: - timeouts: null - module.factory.module.folder-2-iam["networking/prod"].google_tags_tag_binding.binding["environment"]: - timeouts: null - module.factory.module.folder-2-iam["security/dev"].google_tags_tag_binding.binding["environment"]: - timeouts: null - module.factory.module.folder-2-iam["security/prod"].google_tags_tag_binding.binding["environment"]: - timeouts: null - module.factory.module.folder-2["networking/dev"].google_folder.folder[0]: + 
module.factory.module.folder-1["dev"].google_folder.folder[0]: deletion_protection: false display_name: Development + parent: organizations/1234567890 tags: null timeouts: null - module.factory.module.folder-2["networking/prod"].google_folder.folder[0]: + module.factory.module.folder-1["prod"].google_folder.folder[0]: deletion_protection: false display_name: Production + parent: organizations/1234567890 tags: null timeouts: null - module.factory.module.folder-2["security/dev"].google_folder.folder[0]: - deletion_protection: false - display_name: Development - tags: null - timeouts: null - module.factory.module.folder-2["security/prod"].google_folder.folder[0]: - deletion_protection: false - display_name: Production - tags: null - timeouts: null - module.factory.module.log-buckets["log-0/audit-logs"].google_logging_project_bucket_config.bucket[0]: + module.factory.module.log-buckets["iac-0/audit-logs"].google_logging_project_bucket_config.bucket[0]: bucket_id: audit-logs cmek_settings: [] - enable_analytics: false - index_configs: [] - location: europe-west1 - locked: null - project: ft0-prod-audit-logs-0 - retention_days: 30 - module.factory.module.log-buckets["log-0/iam"].google_logging_project_bucket_config.bucket[0]: - bucket_id: iam - cmek_settings: [] - enable_analytics: false - index_configs: [] - location: europe-west1 - locked: null - project: ft0-prod-audit-logs-0 - retention_days: 30 - module.factory.module.log-buckets["log-0/vpc-sc"].google_logging_project_bucket_config.bucket[0]: - bucket_id: vpc-sc - cmek_settings: [] enable_analytics: true index_configs: [] location: europe-west1 locked: null - project: ft0-prod-audit-logs-0 + project: ft0-prod-iac-core-0 retention_days: 31 - module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/owner"]: - condition: [] - project: ft0-prod-billing-exp-0 - role: roles/owner - 
module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/viewer"]: - condition: [] - project: ft0-prod-billing-exp-0 - role: roles/viewer - module.factory.module.projects-iam["iac-0"].google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: - dry_run_spec: [] - name: projects/ft0-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders - parent: projects/ft0-prod-iac-core-0 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - parameters: null - values: - - allowed_values: - - https://token.actions.githubusercontent.com - - https://gitlab.com - - https://app.terraform.io - denied_values: null + module.factory.module.projects-iam["dev-app-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]: + deletion_policy: null + host_project: ft0-dev-net-shared-0 + service_project: ft0-dev-app-example-0 + timeouts: null + module.factory.module.projects-iam["dev-net-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]: + project: ft0-dev-net-shared-0 timeouts: null - module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["iam.googleapis.com"]: - audit_log_config: - - exempted_members: [] - log_type: DATA_READ - - exempted_members: [] - log_type: DATA_WRITE - project: ft0-prod-iac-core-0 - service: iam.googleapis.com - module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["storage.googleapis.com"]: - audit_log_config: - - exempted_members: [] - log_type: DATA_READ - - exempted_members: [] - log_type: DATA_WRITE - project: ft0-prod-iac-core-0 - service: storage.googleapis.com - module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["sts.googleapis.com"]: - audit_log_config: - - exempted_members: [] - log_type: DATA_READ - - exempted_members: [] - log_type: DATA_WRITE - project: ft0-prod-iac-core-0 - service: sts.googleapis.com - 
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["$custom_roles:storage_viewer"]: - condition: [] - project: ft0-prod-iac-core-0 - role: $custom_roles:storage_viewer - module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/browser"]: - condition: [] - project: ft0-prod-iac-core-0 - role: roles/browser module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]: condition: [] project: ft0-prod-iac-core-0 role: roles/cloudbuild.builds.editor - module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]: - condition: [] - project: ft0-prod-iac-core-0 - role: roles/cloudbuild.builds.viewer module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]: condition: [] project: ft0-prod-iac-core-0 
@@ -880,87 +265,176 @@ values: : condition: [] project: ft0-prod-iac-core-0 role: roles/iam.serviceAccountTokenCreator - module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]: - condition: [] - project: ft0-prod-iac-core-0 - role: roles/iam.serviceAccountViewer ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"] : condition: [] project: ft0-prod-iac-core-0 role: roles/iam.workloadIdentityPoolAdmin - ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"] - : condition: [] - project: ft0-prod-iac-core-0 - role: roles/iam.workloadIdentityPoolViewer module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/owner"]: condition: [] project: ft0-prod-iac-core-0 role: roles/owner - ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: ft0-prod-iac-core-0 - role: roles/serviceusage.serviceUsageConsumer module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/storage.admin"]: condition: [] project: ft0-prod-iac-core-0 role: roles/storage.admin - module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/viewer"]: - condition: [] - project: ft0-prod-iac-core-0 - role: roles/viewer - module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/owner"]: - condition: [] - project: ft0-prod-audit-logs-0 - role: roles/owner - module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/viewer"]: - condition: [] - project: ft0-prod-audit-logs-0 - role: roles/viewer - module.factory.module.projects["billing-0"].data.google_bigquery_default_service_account.bq_sa[0]: - project: ft0-prod-billing-exp-0 - 
module.factory.module.projects["billing-0"].data.google_storage_project_service_account.gcs_sa[0]: - project: ft0-prod-billing-exp-0 + module.factory.module.projects-iam["prod-app-0"].google_compute_shared_vpc_service_project.shared_vpc_service[0]: + deletion_policy: null + host_project: ft0-prod-net-shared-0 + service_project: ft0-prod-app-example-0 + timeouts: null + module.factory.module.projects-iam["prod-net-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]: + project: ft0-prod-net-shared-0 + timeouts: null + module.factory.module.projects["dev-app-0"].data.google_bigquery_default_service_account.bq_sa[0]: + project: ft0-dev-app-example-0 + module.factory.module.projects["dev-app-0"].data.google_logging_project_settings.logging_sa[0]: + project: ft0-dev-app-example-0 + module.factory.module.projects["dev-app-0"].data.google_storage_project_service_account.gcs_sa[0]: + project: ft0-dev-app-example-0 user_project: null - module.factory.module.projects["billing-0"].google_project.project[0]: + module.factory.module.projects["dev-app-0"].google_project.project[0]: auto_create_network: false billing_account: 012345-012345-012345 deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' - folder_id: null labels: null - name: ft0-prod-billing-exp-0 - org_id: '1234567890' - project_id: ft0-prod-billing-exp-0 + name: ft0-dev-app-example-0 + org_id: null + project_id: ft0-dev-app-example-0 tags: null terraform_labels: goog-terraform-provisioned: 'true' timeouts: null - module.factory.module.projects["billing-0"].google_project_iam_member.service_agents["bigquerydatatransfer"]: + module.factory.module.projects["dev-app-0"].google_project_iam_member.service_agents["compute-system"]: condition: [] - project: ft0-prod-billing-exp-0 - role: roles/bigquerydatatransfer.serviceAgent - module.factory.module.projects["billing-0"].google_project_service.project_services["bigquery.googleapis.com"]: + project: ft0-dev-app-example-0 + role: 
roles/compute.serviceAgent + module.factory.module.projects["dev-app-0"].google_project_iam_member.service_agents["monitoring-notification"]: + condition: [] + project: ft0-dev-app-example-0 + role: roles/monitoring.notificationServiceAgent + module.factory.module.projects["dev-app-0"].google_project_service.project_services["bigquery.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false - project: ft0-prod-billing-exp-0 + project: ft0-dev-app-example-0 service: bigquery.googleapis.com timeouts: null - module.factory.module.projects["billing-0"].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]: + module.factory.module.projects["dev-app-0"].google_project_service.project_services["compute.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false - project: ft0-prod-billing-exp-0 - service: bigquerydatatransfer.googleapis.com + project: ft0-dev-app-example-0 + service: compute.googleapis.com timeouts: null - module.factory.module.projects["billing-0"].google_project_service.project_services["storage.googleapis.com"]: + module.factory.module.projects["dev-app-0"].google_project_service.project_services["logging.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false - project: ft0-prod-billing-exp-0 + project: ft0-dev-app-example-0 + service: logging.googleapis.com + timeouts: null + module.factory.module.projects["dev-app-0"].google_project_service.project_services["monitoring.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-dev-app-example-0 + service: monitoring.googleapis.com + timeouts: null + module.factory.module.projects["dev-app-0"].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-dev-app-example-0 service: storage.googleapis.com timeouts: null - 
module.factory.module.projects["billing-0"].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]: - project: ft0-prod-billing-exp-0 - service: bigquerydatatransfer.googleapis.com + module.factory.module.projects["dev-app-0"].google_project_service_identity.default["monitoring.googleapis.com"]: + project: ft0-dev-app-example-0 + service: monitoring.googleapis.com + timeouts: null + module.factory.module.projects["dev-net-0"].data.google_logging_project_settings.logging_sa[0]: + project: ft0-dev-net-shared-0 + module.factory.module.projects["dev-net-0"].google_project.project[0]: + auto_create_network: false + billing_account: 012345-012345-012345 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + labels: null + name: ft0-dev-net-shared-0 + org_id: null + project_id: ft0-dev-net-shared-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.projects["dev-net-0"].google_project_iam_member.service_agents["compute-system"]: + condition: [] + project: ft0-dev-net-shared-0 + role: roles/compute.serviceAgent + module.factory.module.projects["dev-net-0"].google_project_iam_member.service_agents["container-engine-robot"]: + condition: [] + project: ft0-dev-net-shared-0 + role: roles/container.serviceAgent + module.factory.module.projects["dev-net-0"].google_project_iam_member.service_agents["dns"]: + condition: [] + project: ft0-dev-net-shared-0 + role: roles/dns.serviceAgent + module.factory.module.projects["dev-net-0"].google_project_iam_member.service_agents["gkenode"]: + condition: [] + project: ft0-dev-net-shared-0 + role: roles/container.defaultNodeServiceAgent + module.factory.module.projects["dev-net-0"].google_project_iam_member.service_agents["monitoring-notification"]: + condition: [] + project: ft0-dev-net-shared-0 + role: roles/monitoring.notificationServiceAgent + 
+ module.factory.module.projects["dev-net-0"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-dev-net-shared-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.factory.module.projects["dev-net-0"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-dev-net-shared-0
+ service: container.googleapis.com
+ timeouts: null
+ module.factory.module.projects["dev-net-0"].google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-dev-net-shared-0
+ service: dns.googleapis.com
+ timeouts: null
+ module.factory.module.projects["dev-net-0"].google_project_service.project_services["iap.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-dev-net-shared-0
+ service: iap.googleapis.com
+ timeouts: null
+ module.factory.module.projects["dev-net-0"].google_project_service.project_services["logging.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-dev-net-shared-0
+ service: logging.googleapis.com
+ timeouts: null
+ module.factory.module.projects["dev-net-0"].google_project_service.project_services["monitoring.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-dev-net-shared-0
+ service: monitoring.googleapis.com
+ timeouts: null
+ module.factory.module.projects["dev-net-0"].google_project_service_identity.default["container.googleapis.com"]:
+ project: ft0-dev-net-shared-0
+ service: container.googleapis.com
+ timeouts: null
+ module.factory.module.projects["dev-net-0"].google_project_service_identity.default["dns.googleapis.com"]:
+ project: ft0-dev-net-shared-0
+ service: dns.googleapis.com
+ timeouts: null
+ 
module.factory.module.projects["dev-net-0"].google_project_service_identity.default["iap.googleapis.com"]: + project: ft0-dev-net-shared-0 + service: iap.googleapis.com + timeouts: null + module.factory.module.projects["dev-net-0"].google_project_service_identity.default["monitoring.googleapis.com"]: + project: ft0-dev-net-shared-0 + service: monitoring.googleapis.com timeouts: null module.factory.module.projects["iac-0"].data.google_bigquery_default_service_account.bq_sa[0]: project: ft0-prod-iac-core-0 @@ -984,18 +458,6 @@ values: terraform_labels: goog-terraform-provisioned: 'true' timeouts: null - module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudasset"]: - condition: [] - project: ft0-prod-iac-core-0 - role: roles/cloudasset.serviceAgent - module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudbuild"]: - condition: [] - project: ft0-prod-iac-core-0 - role: roles/cloudbuild.serviceAgent - module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudbuild-sa"]: - condition: [] - project: ft0-prod-iac-core-0 - role: roles/cloudbuild.builds.builder module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudkms"]: condition: [] project: ft0-prod-iac-core-0 @@ -1020,10 +482,6 @@ values: condition: [] project: ft0-prod-iac-core-0 role: roles/pubsub.serviceAgent - module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["service-networking"]: - condition: [] - project: ft0-prod-iac-core-0 - role: roles/servicenetworking.serviceAgent module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]: disable_dependent_services: false disable_on_destroy: false 
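Review bot: The rebuilt iac-0 section of this inventory no longer asserts the `google_project_iam_audit_config.default[...]` entries for `iam.googleapis.com`, `storage.googleapis.com` and `sts.googleapis.com` (DATA_READ/DATA_WRITE) nor the `iam.workloadIdentityPoolProviders` org policy with its provider allowlist on ft0-prod-iac-core-0; they appear only as removed lines in the `@@ -880,87 +265,176 @@` hunk, so presumably the starter-gcd plan no longer produces them. If the starter dataset intentionally drops data-access logging and the WIF provider restriction for the IaC project, that is a posture change worth stating in the PR description rather than only in a fixture; if it does not, this fixture now passes without them and a regression in `projects/iac-0.yaml` would go unnoticed. A one-line comment at the top of the inventory such as `# starter-gcd intentionally omits data-access audit configs and the WIF provider org policy on iac-0` would make the intent explicit for the next reader. The new `dev-net-0` shared-VPC host and the `dev-app-0` service attachment to `ft0-dev-net-shared-0` are consistent with each other.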
@@ -1042,54 +500,24 @@ values: project: ft0-prod-iac-core-0 service: bigquery.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service.project_services["bigqueryreservation.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: ft0-prod-iac-core-0 - service: bigqueryreservation.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service.project_services["bigquerystorage.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: ft0-prod-iac-core-0 service: bigquerystorage.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service.project_services["billingbudgets.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: ft0-prod-iac-core-0 - service: billingbudgets.googleapis.com - timeouts: null - module.factory.module.projects["iac-0"].google_project_service.project_services["cloudasset.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: ft0-prod-iac-core-0 - service: cloudasset.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service.project_services["cloudbilling.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: ft0-prod-iac-core-0 service: cloudbilling.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service.project_services["cloudbuild.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: ft0-prod-iac-core-0 - service: cloudbuild.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service.project_services["cloudkms.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: ft0-prod-iac-core-0 service: cloudkms.googleapis.com timeouts: null - 
module.factory.module.projects["iac-0"].google_project_service.project_services["cloudquotas.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: ft0-prod-iac-core-0 - service: cloudquotas.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service.project_services["cloudresourcemanager.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false @@ -1108,12 +536,6 @@ values: project: ft0-prod-iac-core-0 service: container.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service.project_services["datacatalog.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: ft0-prod-iac-core-0 - service: datacatalog.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service.project_services["essentialcontacts.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false 
@@ -1144,24 +566,12 @@ values: project: ft0-prod-iac-core-0 service: monitoring.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service.project_services["networksecurity.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: ft0-prod-iac-core-0 - service: networksecurity.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: ft0-prod-iac-core-0 service: pubsub.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service.project_services["servicenetworking.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: ft0-prod-iac-core-0 - service: servicenetworking.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false @@ -1186,10 +596,6 @@ values: project: ft0-prod-iac-core-0 service: sts.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service_identity.default["cloudasset.googleapis.com"]: - project: ft0-prod-iac-core-0 - service: cloudasset.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service_identity.default["cloudkms.googleapis.com"]: project: ft0-prod-iac-core-0 service: cloudkms.googleapis.com 
@@ -1202,129 +608,160 @@ values: project: ft0-prod-iac-core-0 service: monitoring.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service_identity.default["networksecurity.googleapis.com"]: - project: ft0-prod-iac-core-0 - service: networksecurity.googleapis.com - timeouts: null module.factory.module.projects["iac-0"].google_project_service_identity.default["pubsub.googleapis.com"]: project: ft0-prod-iac-core-0 service: pubsub.googleapis.com timeouts: null - module.factory.module.projects["iac-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]: - project: ft0-prod-iac-core-0 - service: servicenetworking.googleapis.com - timeouts: null - module.factory.module.projects["log-0"].data.google_logging_project_settings.logging_sa[0]: - project: ft0-prod-audit-logs-0 - module.factory.module.projects["log-0"].data.google_storage_project_service_account.gcs_sa[0]: - project: ft0-prod-audit-logs-0 + module.factory.module.projects["prod-app-0"].data.google_bigquery_default_service_account.bq_sa[0]: + project: ft0-prod-app-example-0 + module.factory.module.projects["prod-app-0"].data.google_logging_project_settings.logging_sa[0]: + project: ft0-prod-app-example-0 + module.factory.module.projects["prod-app-0"].data.google_storage_project_service_account.gcs_sa[0]: + project: ft0-prod-app-example-0 user_project: null - module.factory.module.projects["log-0"].google_project.project[0]: + module.factory.module.projects["prod-app-0"].google_project.project[0]: auto_create_network: false billing_account: 012345-012345-012345 deletion_policy: DELETE effective_labels: goog-terraform-provisioned: 'true' - folder_id: null labels: null - name: ft0-prod-audit-logs-0 - org_id: '1234567890' - project_id: ft0-prod-audit-logs-0 + name: ft0-prod-app-example-0 + org_id: null + project_id: ft0-prod-app-example-0 tags: null terraform_labels: goog-terraform-provisioned: 'true' timeouts: null - 
module.factory.module.projects["log-0"].google_project_iam_member.service_agents["pubsub"]: + module.factory.module.projects["prod-app-0"].google_project_iam_member.service_agents["compute-system"]: condition: [] - project: ft0-prod-audit-logs-0 - role: roles/pubsub.serviceAgent - module.factory.module.projects["log-0"].google_project_service.project_services["logging.googleapis.com"]: + project: ft0-prod-app-example-0 + role: roles/compute.serviceAgent + module.factory.module.projects["prod-app-0"].google_project_iam_member.service_agents["monitoring-notification"]: + condition: [] + project: ft0-prod-app-example-0 + role: roles/monitoring.notificationServiceAgent + module.factory.module.projects["prod-app-0"].google_project_service.project_services["bigquery.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false - project: ft0-prod-audit-logs-0 + project: ft0-prod-app-example-0 + service: bigquery.googleapis.com + timeouts: null + module.factory.module.projects["prod-app-0"].google_project_service.project_services["compute.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-app-example-0 + service: compute.googleapis.com + timeouts: null + module.factory.module.projects["prod-app-0"].google_project_service.project_services["logging.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-app-example-0 service: logging.googleapis.com timeouts: null - module.factory.module.projects["log-0"].google_project_service.project_services["pubsub.googleapis.com"]: + module.factory.module.projects["prod-app-0"].google_project_service.project_services["monitoring.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false - project: ft0-prod-audit-logs-0 - service: pubsub.googleapis.com + project: ft0-prod-app-example-0 + service: monitoring.googleapis.com timeouts: null - 
module.factory.module.projects["log-0"].google_project_service.project_services["storage.googleapis.com"]: + module.factory.module.projects["prod-app-0"].google_project_service.project_services["storage.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false - project: ft0-prod-audit-logs-0 + project: ft0-prod-app-example-0 service: storage.googleapis.com timeouts: null - module.factory.module.projects["log-0"].google_project_service_identity.default["pubsub.googleapis.com"]: - project: ft0-prod-audit-logs-0 - service: pubsub.googleapis.com + module.factory.module.projects["prod-app-0"].google_project_service_identity.default["monitoring.googleapis.com"]: + project: ft0-prod-app-example-0 + service: monitoring.googleapis.com timeouts: null - ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"] - : condition: [] - role: roles/iam.serviceAccountTokenCreator - service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"] - : condition: [] - role: roles/iam.workloadIdentityUser - service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"] - : condition: [] - role: roles/iam.serviceAccountTokenCreator - service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - ? 
module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"] - : condition: [] - role: roles/iam.workloadIdentityUser - service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - module.factory.module.service-accounts["iac-0/iac-networking-ro"].google_service_account.service_account[0]: - account_id: iac-networking-ro - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for networking (read-only). - email: iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 + module.factory.module.projects["prod-net-0"].data.google_logging_project_settings.logging_sa[0]: + project: ft0-prod-net-shared-0 + module.factory.module.projects["prod-net-0"].google_project.project[0]: + auto_create_network: false + billing_account: 012345-012345-012345 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + labels: null + name: ft0-prod-net-shared-0 + org_id: null + project_id: ft0-prod-net-shared-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null - module.factory.module.service-accounts["iac-0/iac-networking-rw"].google_service_account.service_account[0]: - account_id: iac-networking-rw - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for networking (read-write). 
- email: iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 + module.factory.module.projects["prod-net-0"].google_project_iam_member.service_agents["compute-system"]: + condition: [] + project: ft0-prod-net-shared-0 + role: roles/compute.serviceAgent + module.factory.module.projects["prod-net-0"].google_project_iam_member.service_agents["container-engine-robot"]: + condition: [] + project: ft0-prod-net-shared-0 + role: roles/container.serviceAgent + module.factory.module.projects["prod-net-0"].google_project_iam_member.service_agents["dns"]: + condition: [] + project: ft0-prod-net-shared-0 + role: roles/dns.serviceAgent + module.factory.module.projects["prod-net-0"].google_project_iam_member.service_agents["gkenode"]: + condition: [] + project: ft0-prod-net-shared-0 + role: roles/container.defaultNodeServiceAgent + module.factory.module.projects["prod-net-0"].google_project_iam_member.service_agents["monitoring-notification"]: + condition: [] + project: ft0-prod-net-shared-0 + role: roles/monitoring.notificationServiceAgent + module.factory.module.projects["prod-net-0"].google_project_service.project_services["compute.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-net-shared-0 + service: compute.googleapis.com timeouts: null - module.factory.module.service-accounts["iac-0/iac-org-cicd-ro"].google_service_account.service_account[0]: - account_id: iac-org-cicd-ro - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for org setup CI/CD (read-only). 
- email: iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 + module.factory.module.projects["prod-net-0"].google_project_service.project_services["container.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-net-shared-0 + service: container.googleapis.com timeouts: null - module.factory.module.service-accounts["iac-0/iac-org-cicd-rw"].google_service_account.service_account[0]: - account_id: iac-org-cicd-rw - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for org setup CI/CD (read-write). - email: iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 + module.factory.module.projects["prod-net-0"].google_project_service.project_services["dns.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-net-shared-0 + service: dns.googleapis.com timeouts: null - module.factory.module.service-accounts["iac-0/iac-org-ro"].google_service_account.service_account[0]: - account_id: iac-org-ro - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for org setup (read-only). 
- email: iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 + module.factory.module.projects["prod-net-0"].google_project_service.project_services["iap.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-net-shared-0 + service: iap.googleapis.com + timeouts: null + module.factory.module.projects["prod-net-0"].google_project_service.project_services["logging.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-net-shared-0 + service: logging.googleapis.com + timeouts: null + module.factory.module.projects["prod-net-0"].google_project_service.project_services["monitoring.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-net-shared-0 + service: monitoring.googleapis.com + timeouts: null + module.factory.module.projects["prod-net-0"].google_project_service_identity.default["container.googleapis.com"]: + project: ft0-prod-net-shared-0 + service: container.googleapis.com + timeouts: null + module.factory.module.projects["prod-net-0"].google_project_service_identity.default["dns.googleapis.com"]: + project: ft0-prod-net-shared-0 + service: dns.googleapis.com + timeouts: null + module.factory.module.projects["prod-net-0"].google_project_service_identity.default["iap.googleapis.com"]: + project: ft0-prod-net-shared-0 + service: iap.googleapis.com + timeouts: null + module.factory.module.projects["prod-net-0"].google_project_service_identity.default["monitoring.googleapis.com"]: + project: ft0-prod-net-shared-0 + service: monitoring.googleapis.com timeouts: null module.factory.module.service-accounts["iac-0/iac-org-rw"].google_service_account.service_account[0]: account_id: iac-org-rw 
@@ -1336,66 +773,6 @@ values: member: serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com project: ft0-prod-iac-core-0 timeouts: null - module.factory.module.service-accounts["iac-0/iac-pf-ro"].google_service_account.service_account[0]: - account_id: iac-pf-ro - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for project factory (read-only). - email: iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 - timeouts: null - module.factory.module.service-accounts["iac-0/iac-pf-rw"].google_service_account.service_account[0]: - account_id: iac-pf-rw - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for project factory (read-write). - email: iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 - timeouts: null - module.factory.module.service-accounts["iac-0/iac-security-ro"].google_service_account.service_account[0]: - account_id: iac-security-ro - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for security (read-only). - email: iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 - timeouts: null - module.factory.module.service-accounts["iac-0/iac-security-rw"].google_service_account.service_account[0]: - account_id: iac-security-rw - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for security (read-write). 
- email: iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 - timeouts: null - module.factory.module.service-accounts["iac-0/iac-vpcsc-ro"].google_service_account.service_account[0]: - account_id: iac-vpcsc-ro - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for VPC service controls (read-only). - email: iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 - timeouts: null - module.factory.module.service-accounts["iac-0/iac-vpcsc-rw"].google_service_account.service_account[0]: - account_id: iac-vpcsc-rw - create_ignore_already_exists: null - description: null - disabled: false - display_name: IaC service account for VPC service controls (read-write). - email: iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - member: serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - project: ft0-prod-iac-core-0 - timeouts: null module.factory.terraform_data.defaults_preconditions: input: null output: null @@ -1406,7 +783,6 @@ values: triggers_replace: null module.organization-iam[0].google_logging_organization_sink.sink["audit-logs"]: description: audit-logs (Terraform-managed). - destination: logging.googleapis.com/$log_buckets:iac-0/audit-logs disabled: false exclusions: [] filter: 'log_id("cloudaudit.googleapis.com/activity") OR 
@@ -1567,38 +943,8 @@ values: role: roles/viewer module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["audit-logs"]: condition: - - expression: resource.name.endsWith('$log_buckets:iac-0/audit-logs') - title: audit-logs bucket writer - project: audit-logs + - title: audit-logs bucket writer role: roles/logging.bucketWriter - ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagUser"] - : condition: [] - members: - - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/resourcemanager.tagUser - ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagViewer"] - : condition: [] - members: - - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/resourcemanager.tagViewer - ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"] - : condition: [] - members: - - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/resourcemanager.tagUser - ? 
module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagViewer"] - : condition: [] - members: - - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com - role: roles/resourcemanager.tagViewer module.organization[0].google_logging_organization_settings.default[0]: organization: '1234567890' timeouts: null 
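Review bot: The `roles/logging.bucketWriter` grant for the sink identity now asserts only `title: audit-logs bucket writer`; the condition `expression` (previously `resource.name.endsWith(...)`) and the target `project` are no longer part of the expectation. If that is because the bucket name is now computed at plan time the omission is unavoidable, but it means this fixture would not catch the writer grant losing its bucket scoping, so a short comment next to the binding explaining why only the title is pinned would help the next reader. The four `google_tags_tag_value_iam_binding` removals match the `iam:` blocks being dropped from the environment tag dataset, so stage service accounts no longer receive `tagUser`/`tagViewer` on the environment tag values in this test; worth confirming that is the intended end state rather than a stopgap for the unresolved `$iam_principals` references.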
@@ -1622,6 +968,284 @@ values: description: Production. short_name: production timeouts: null + module.vpcs.module.firewall["dev"].google_compute_firewall.custom_rules["ingress-default-allow-healthchecks"]: + allow: + - ports: [] + protocol: all + deny: [] + description: Allow GCP Healthcheck Ranges. + direction: INGRESS + disabled: false + log_config: [] + name: ingress-default-allow-healthchecks + network: dev-shared-0 + params: [] + priority: 1000 + project: ft0-dev-net-shared-0 + source_ranges: + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.vpcs.module.firewall["dev"].google_compute_firewall.custom_rules["ingress-default-allow-iap"]: + allow: + - ports: [] + protocol: all + deny: [] + description: Allow IAP. + direction: INGRESS + disabled: false + log_config: [] + name: ingress-default-allow-iap + network: dev-shared-0 + params: [] + priority: 1000 + project: ft0-dev-net-shared-0 + source_ranges: + - 35.235.240.0/20 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.vpcs.module.firewall["dev"].google_compute_firewall.custom_rules["ingress-default-allow-icmp"]: + allow: + - ports: [] + protocol: icmp + deny: [] + description: Allow ICMP. + direction: INGRESS + disabled: false + log_config: [] + name: ingress-default-allow-icmp + network: dev-shared-0 + params: [] + priority: 1000 + project: ft0-dev-net-shared-0 + source_ranges: + - 0.0.0.0/0 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.vpcs.module.firewall["prod"].google_compute_firewall.custom_rules["ingress-default-allow-healthchecks"]: + allow: + - ports: [] + protocol: all + deny: [] + description: Allow GCP Healthcheck Ranges. 
+ direction: INGRESS + disabled: false + log_config: [] + name: ingress-default-allow-healthchecks + network: prod-shared-0 + params: [] + priority: 1000 + project: ft0-prod-net-shared-0 + source_ranges: + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.vpcs.module.firewall["prod"].google_compute_firewall.custom_rules["ingress-default-allow-iap"]: + allow: + - ports: [] + protocol: all + deny: [] + description: Allow IAP. + direction: INGRESS + disabled: false + log_config: [] + name: ingress-default-allow-iap + network: prod-shared-0 + params: [] + priority: 1000 + project: ft0-prod-net-shared-0 + source_ranges: + - 35.235.240.0/20 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.vpcs.module.firewall["prod"].google_compute_firewall.custom_rules["ingress-default-allow-icmp"]: + allow: + - ports: [] + protocol: icmp + deny: [] + description: Allow ICMP. 
+ direction: INGRESS + disabled: false + log_config: [] + name: ingress-default-allow-icmp + network: prod-shared-0 + params: [] + priority: 1000 + project: ft0-prod-net-shared-0 + source_ranges: + - 0.0.0.0/0 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.vpcs.module.vpcs["dev"].google_compute_network.network[0]: + auto_create_subnetworks: false + delete_bgp_always_compare_med: false + delete_default_routes_on_create: true + description: Terraform managed + enable_ula_internal_ipv6: null + mtu: 1500 + name: dev-shared-0 + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL + network_profile: null + params: [] + project: ft0-dev-net-shared-0 + routing_mode: GLOBAL + timeouts: null + module.vpcs.module.vpcs["dev"].google_compute_route.gateway["directpath-googleapis"]: + description: Terraform-managed. + dest_range: 34.126.0.0/18 + name: dev-shared-0-directpath-googleapis + network: dev-shared-0 + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + params: [] + priority: 1000 + project: ft0-dev-net-shared-0 + tags: null + timeouts: null + module.vpcs.module.vpcs["dev"].google_compute_route.gateway["private-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.8/30 + name: dev-shared-0-private-googleapis + network: dev-shared-0 + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + params: [] + priority: 1000 + project: ft0-dev-net-shared-0 + tags: null + timeouts: null + module.vpcs.module.vpcs["dev"].google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. 
+ dest_range: 199.36.153.4/30 + name: dev-shared-0-restricted-googleapis + network: dev-shared-0 + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + params: [] + priority: 1000 + project: ft0-dev-net-shared-0 + tags: null + timeouts: null + module.vpcs.module.vpcs["dev"].google_compute_subnetwork.subnetwork["europe-west1/default"]: + description: Default primary-region subnet for dev + ip_cidr_range: 10.0.0.0/24 + ip_collection: null + ipv6_access_type: null + log_config: [] + name: default + network: dev-shared-0 + params: [] + private_ip_google_access: true + project: ft0-dev-net-shared-0 + region: europe-west1 + reserved_internal_range: null + resolve_subnet_mask: null + role: null + send_secondary_ip_range_if_empty: true + timeouts: null + module.vpcs.module.vpcs["prod"].google_compute_network.network[0]: + auto_create_subnetworks: false + delete_bgp_always_compare_med: false + delete_default_routes_on_create: true + description: Terraform managed + enable_ula_internal_ipv6: null + mtu: 1500 + name: prod-shared-0 + network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL + network_profile: null + params: [] + project: ft0-prod-net-shared-0 + routing_mode: GLOBAL + timeouts: null + module.vpcs.module.vpcs["prod"].google_compute_route.gateway["directpath-googleapis"]: + description: Terraform-managed. + dest_range: 34.126.0.0/18 + name: prod-shared-0-directpath-googleapis + network: prod-shared-0 + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + params: [] + priority: 1000 + project: ft0-prod-net-shared-0 + tags: null + timeouts: null + module.vpcs.module.vpcs["prod"].google_compute_route.gateway["private-googleapis"]: + description: Terraform-managed. 
+ dest_range: 199.36.153.8/30 + name: prod-shared-0-private-googleapis + network: prod-shared-0 + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + params: [] + priority: 1000 + project: ft0-prod-net-shared-0 + tags: null + timeouts: null + module.vpcs.module.vpcs["prod"].google_compute_route.gateway["restricted-googleapis"]: + description: Terraform-managed. + dest_range: 199.36.153.4/30 + name: prod-shared-0-restricted-googleapis + network: prod-shared-0 + next_hop_gateway: default-internet-gateway + next_hop_ilb: null + next_hop_instance: null + next_hop_vpn_tunnel: null + params: [] + priority: 1000 + project: ft0-prod-net-shared-0 + tags: null + timeouts: null + module.vpcs.module.vpcs["prod"].google_compute_subnetwork.subnetwork["europe-west1/default"]: + description: Default primary-region subnet for prod + ip_cidr_range: 10.0.0.0/24 + ip_collection: null + ipv6_access_type: null + log_config: [] + name: default + network: prod-shared-0 + params: [] + private_ip_google_access: true + project: ft0-prod-net-shared-0 + region: europe-west1 + reserved_internal_range: null + resolve_subnet_mask: null + role: null + send_secondary_ip_range_if_empty: true + timeouts: null terraform_data.precondition: input: null output: null 
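Review bot: The new expectation pins `ingress-default-allow-icmp` with `source_ranges: 0.0.0.0/0`, and `ingress-default-allow-iap` / `ingress-default-allow-healthchecks` with `protocol: all`, each with `log_config: []`, on both `dev-shared-0` and `prod-shared-0`. If these mirror the dataset defaults rather than being test-only values, the IAP rule could be narrowed to what IAP TCP forwarding actually needs (`protocol: tcp` with `ports: ['22', '3389']`) and firewall logging enabled, because this fixture will now lock in the permissive form. The `europe-west1/default` subnets likewise carry `log_config: []`, so VPC flow logs are off in the expected plan for production as well as development. A one-line comment in the fixture or dataset stating that these are intentionally open starter defaults would make the trade-off explicit.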
@@ -1633,38 +1257,36 @@ values: counts: google_bigquery_dataset: 1 - google_bigquery_default_service_account: 2 - google_billing_account_iam_member: 6 - google_folder: 7 - google_folder_iam_binding: 33 + google_bigquery_default_service_account: 3 + google_compute_firewall: 6 + google_compute_network: 2 + google_compute_route: 6 + google_compute_shared_vpc_host_project: 2 + google_compute_shared_vpc_service_project: 2 + google_compute_subnetwork: 2 + google_folder: 2 google_logging_organization_settings: 1 google_logging_organization_sink: 1 - google_logging_project_bucket_config: 3 - google_logging_project_settings: 2 - google_org_policy_policy: 1 + google_logging_project_bucket_config: 1 + google_logging_project_settings: 5 google_organization_iam_binding: 23 google_organization_service_identity: 1 - google_project: 3 - google_project_iam_audit_config: 3 - google_project_iam_binding: 17 - google_project_iam_member: 13 - google_project_service: 33 - google_project_service_identity: 9 - google_service_account: 12 - google_service_account_iam_member: 4 - google_storage_bucket: 3 - google_storage_bucket_iam_binding: 4 - google_storage_bucket_object: 9 - google_storage_managed_folder: 4 - google_storage_managed_folder_iam_binding: 8 + google_project: 5 + google_project_iam_binding: 6 + google_project_iam_member: 21 + google_project_service: 41 + google_project_service_identity: 14 + google_service_account: 1 + google_storage_bucket: 2 + google_storage_bucket_iam_binding: 2 + google_storage_bucket_object: 4 google_storage_project_service_account: 3 - google_tags_tag_binding: 5 + google_tags_tag_binding: 2 google_tags_tag_key: 1 google_tags_tag_value: 2 - google_tags_tag_value_iam_binding: 4 - local_file: 8 - modules: 45 - resources: 230 + local_file: 3 + modules: 27 + resources: 169 terraform_data: 4 outputs: 
@@ -1678,7 +1300,11 @@ outputs: gcp-security-admins: group:gcp-security-admins@example.org gcp-support: group:gcp-support@example.org projects: __missing__ - subnet_ips: {} - subnet_self_links: {} + subnet_ips: + dev: + europe-west1/default: 10.0.0.0/24 + prod: + europe-west1/default: 10.0.0.0/24 + subnet_self_links: __missing__ tfvars: __missing__ - vpc_self_links: {} + vpc_self_links: __missing__ diff --git a/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml b/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml index 0640dac5f..f46182a47 100644 --- a/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml +++ b/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml @@ -37,25 +37,6 @@ output_files: 0-org-setup: bucket: $storage_buckets:iac-0/iac-org-state service_account: $iam_principals:service_accounts/iac-0/iac-org-rw - 0-org-setup-ro: - bucket: $storage_buckets:iac-0/iac-org-state - service_account: $iam_principals:service_accounts/iac-0/iac-org-rw - 1-vpcsc: - bucket: $storage_buckets:iac-0/iac-stage-state - prefix: 1-vpcsc - service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-rw - 2-networking: - bucket: $storage_buckets:iac-0/iac-stage-state - prefix: 2-networking - service_account: $iam_principals:service_accounts/iac-0/iac-networking-rw - 2-security: - bucket: $storage_buckets:iac-0/iac-stage-state - prefix: 2-security - service_account: $iam_principals:service_accounts/iac-0/iac-security-rw - 2-project-factory: - bucket: $storage_buckets:iac-0/iac-stage-state - prefix: 2-project-factory - service_account: $iam_principals:service_accounts/iac-0/iac-pf-rw context: iam_principals: gcp-organization-admins: group:fabric-fast-owners@google.com diff --git a/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml b/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml index 4580772b4..43be8ec8f 100644 
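Review bot: `subnet_ips` now asserts `10.0.0.0/24` for both `dev` and `prod`, so the two shared VPCs are expected to use an identical primary range. That is harmless while they remain isolated, but it precludes peering or VPN between them or to a shared hub later; if the fixture reflects the dataset defaults, distinct ranges (e.g. `10.0.0.0/24` for dev and `10.1.0.0/24` for prod) would avoid a re-IP down the line. `subnet_self_links` and `vpc_self_links` also move from `{}` to `__missing__`, meaning those outputs are no longer asserted at all, presumably because they are computed at plan time; a brief comment noting that would prevent a reader from mistaking it for a gap in coverage.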
--- a/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml +++ b/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml @@ -21,23 +21,5 @@ description: "Organization-level environments." values: development: description: "Development." - iam: - "roles/resourcemanager.tagUser": - - $iam_principals:service_accounts/iac-0/iac-networking-rw - - $iam_principals:service_accounts/iac-0/iac-security-rw - - $iam_principals:service_accounts/iac-0/iac-pf-rw - "roles/resourcemanager.tagViewer": - - $iam_principals:service_accounts/iac-0/iac-networking-ro - - $iam_principals:service_accounts/iac-0/iac-security-ro - - $iam_principals:service_accounts/iac-0/iac-pf-ro production: description: "Production." - iam: - "roles/resourcemanager.tagUser": - - $iam_principals:service_accounts/iac-0/iac-networking-rw - - $iam_principals:service_accounts/iac-0/iac-security-rw - - $iam_principals:service_accounts/iac-0/iac-pf-rw - "roles/resourcemanager.tagViewer": - - $iam_principals:service_accounts/iac-0/iac-networking-ro - - $iam_principals:service_accounts/iac-0/iac-security-ro - - $iam_principals:service_accounts/iac-0/iac-pf-ro diff --git a/tests/fast/stages/s0_org_setup/starter-gcd.yaml b/tests/fast/stages/s0_org_setup/starter-gcd.yaml index 2a277d39a..37ea3af3d 100644 --- a/tests/fast/stages/s0_org_setup/starter-gcd.yaml +++ b/tests/fast/stages/s0_org_setup/starter-gcd.yaml @@ -4,7 +4,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, 
@@ -45,38 +45,6 @@ values: source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["0-org-setup-ro"]: - bucket: ft0-prod-iac-core-0-iac-outputs - cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ - \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ - \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n" - content_disposition: null - content_encoding: null - content_language: null - contexts: [] - customer_encryption: [] - deletion_policy: null - detect_md5hash: null - event_based_hold: null - force_empty_content_type: null - metadata: null - name: providers/0-org-setup-ro-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null google_storage_bucket_object.tfvars["globals"]: bucket: ft0-prod-iac-core-0-iac-outputs cache_control: null 
@@ -236,11 +204,6 @@ values: uniform_bucket_level_access: true versioning: - enabled: true - ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"] - : bucket: ft0-prod-iac-core-0-iac-org-state - condition: [] - role: $custom_roles:storage_viewer - timeouts: null ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"] : bucket: ft0-prod-iac-core-0-iac-org-state condition: [] 
@@ -991,34 +954,6 @@ values: condition: - title: audit-logs bucket writer role: roles/logging.bucketWriter - ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagUser"] - : condition: [] - members: - - $iam_principals:service_accounts/iac-0/iac-networking-rw - - $iam_principals:service_accounts/iac-0/iac-pf-rw - - $iam_principals:service_accounts/iac-0/iac-security-rw - role: roles/resourcemanager.tagUser - ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagViewer"] - : condition: [] - members: - - $iam_principals:service_accounts/iac-0/iac-networking-ro - - $iam_principals:service_accounts/iac-0/iac-pf-ro - - $iam_principals:service_accounts/iac-0/iac-security-ro - role: roles/resourcemanager.tagViewer - ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"] - : condition: [] - members: - - $iam_principals:service_accounts/iac-0/iac-networking-rw - - $iam_principals:service_accounts/iac-0/iac-pf-rw - - $iam_principals:service_accounts/iac-0/iac-security-rw - role: roles/resourcemanager.tagUser - ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagViewer"] - : condition: [] - members: - - $iam_principals:service_accounts/iac-0/iac-networking-ro - - $iam_principals:service_accounts/iac-0/iac-pf-ro - - $iam_principals:service_accounts/iac-0/iac-security-ro - role: roles/resourcemanager.tagViewer module.organization[0].google_logging_organization_settings.default[0]: organization: '1234567890' timeouts: null @@ -1324,6 +1259,7 @@ values: input: null output: null triggers_replace: null + counts: google_bigquery_dataset: 1 google_bigquery_default_service_account: 3 
@@ -1346,16 +1282,15 @@ counts: google_project_service_identity: 14 google_service_account: 1 google_storage_bucket: 2 - google_storage_bucket_iam_binding: 3 + google_storage_bucket_iam_binding: 2 google_storage_bucket_object: 5 google_storage_project_service_account: 3 google_tags_tag_binding: 2 google_tags_tag_key: 1 google_tags_tag_value: 2 - google_tags_tag_value_iam_binding: 4 local_file: 4 modules: 27 - resources: 173 + resources: 168 terraform_data: 4 outputs: