This reverts commit f6a8190946.
committed by
GitHub
parent
680d68411a
commit
fcb4ff54ee
@@ -278,7 +278,7 @@ terraform apply
|
||||
| [custom_roles](variables-fast.tf#L54) | Custom roles defined at the org level, in key => id format. | <code title="object({ billing_viewer = string organization_admin_viewer = string project_iam_viewer = string service_project_network_admin = string storage_viewer = string gcve_network_admin = optional(string) gcve_network_viewer = optional(string) network_firewall_policies_admin = optional(string) ngfw_enterprise_admin = optional(string) ngfw_enterprise_viewer = optional(string) })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [factories_config](variables.tf#L20) | Configuration for the resource factories or external data. | <code title="object({ org_policies = optional(string, "data/org-policies") stage_3 = optional(string, "data/stage-3") top_level_folders = optional(string, "data/top-level-folders") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [fast_addon](variables-addons.tf#L17) | FAST addons configurations for stages 2. Keys are used as short names for the add-on resources. | <code title="map(object({ parent_stage = string cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | <code title="object({ networking = optional(object({ enabled = optional(bool, true) short_name = optional(string, "net") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) folder_config = optional(object({ create_env_folders = optional(bool, true) iam_by_principals = optional(map(list(string)), {}) name = optional(string, "Networking") parent_id = optional(string) }), {}) }), {}) project_factory = optional(object({ enabled = optional(bool, true) short_name = optional(list(string), ["teams"]) cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) }), {}) security = optional(object({ enabled = optional(bool, true) short_name = optional(string, "sec") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) folder_config = optional(object({ create_env_folders = optional(bool, false) iam_by_principals = optional(map(list(string)), {}) name = optional(string, "Security") parent_id = optional(string) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | <code title="object({ networking = optional(object({ enabled = optional(bool, true) short_name = optional(string, "net") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) folder_config = optional(object({ create_env_folders = optional(bool, true) iam_by_principals = optional(map(list(string)), {}) name = optional(string, "Networking") parent_id = optional(string) }), {}) }), {}) project_factory = optional(object({ enabled = optional(bool, true) short_name = optional(string, "pf") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) }), {}) security = optional(object({ enabled = optional(bool, true) short_name = optional(string, "sec") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) folder_config = optional(object({ create_env_folders = optional(bool, false) iam_by_principals = optional(map(list(string)), {}) name = optional(string, "Security") parent_id = optional(string) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [fast_stage_3](variables-stages.tf#L83) | FAST stages 3 configurations. | <code title="map(object({ short_name = string environment = optional(string, "dev") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) folder_config = optional(object({ name = string iam_by_principals = optional(map(list(string)), {}) parent_id = optional(string) tag_bindings = optional(map(string), {}) })) organization_iam = optional(object({ context_tag_value = string sa_roles = object({ ro = optional(list(string), []) rw = optional(list(string), []) }) })) stage2_iam = optional(object({ networking = optional(object({ iam_admin_delegated = optional(bool, false) sa_roles = optional(object({ ro = optional(list(string), []) rw = optional(list(string), []) }), {}) }), {}) security = optional(object({ iam_admin_delegated = optional(bool, false) sa_roles = optional(object({ ro = optional(list(string), []) rw = optional(list(string), []) }), {}) }), {}) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [groups](variables-fast.tf#L90) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [locations](variables-fast.tf#L105) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "EU") gcs = optional(string, "EU") logging = optional(string, "global") pubsub = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -31,26 +31,24 @@ locals {
|
||||
role = "roles/billing.user"
|
||||
}
|
||||
},
|
||||
merge([
|
||||
for k in keys(module.pf-sa-rw) : merge(
|
||||
{
|
||||
"sa_pf_${k}_billing" = {
|
||||
member = module.pf-sa-rw[k].iam_email
|
||||
role = "roles/billing.user"
|
||||
},
|
||||
"sa_pf_${k}_costs_manager" = {
|
||||
member = module.pf-sa-rw[k].iam_email
|
||||
role = "roles/billing.costsManager"
|
||||
}
|
||||
var.fast_stage_2.project_factory.enabled != true ? {} : merge(
|
||||
{
|
||||
sa_pf_billing = {
|
||||
member = module.pf-sa-rw[0].iam_email
|
||||
role = "roles/billing.user"
|
||||
},
|
||||
var.billing_account.is_org_level != true ? {} : {
|
||||
"sa_pf_${k}_ro_viewer" = {
|
||||
member = module.pf-sa-ro[k].iam_email
|
||||
role = var.custom_roles.billing_viewer
|
||||
}
|
||||
sa_pf_costs_manager = {
|
||||
member = module.pf-sa-rw[0].iam_email
|
||||
role = "roles/billing.costsManager"
|
||||
}
|
||||
)
|
||||
]...),
|
||||
},
|
||||
var.billing_account.is_org_level != true ? {} : {
|
||||
sa_pf_ro_viewer = {
|
||||
member = module.pf-sa-ro[0].iam_email
|
||||
role = var.custom_roles.billing_viewer
|
||||
}
|
||||
}
|
||||
),
|
||||
# stage 3
|
||||
{
|
||||
for k, v in local.stage3 : k => {
|
||||
|
||||
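Review bot: The restored guard `var.fast_stage_2.project_factory.enabled != true ? {} : merge(` in the `@@ -31,26 +31,24 @@` hunk spells the same test differently from the `!var.fast_stage_2.project_factory.enabled ? {} : {` form that a later hunk of this commit restores for the service-account email map; one of the two forms across the stage keeps these guards grep-able when auditing which principals receive billing roles. This is a style point only, the billing grants themselves look right, and the enclosing locals block starts and ends outside the hunk.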
@@ -1,4 +1,4 @@
|
||||
# Copyright 2025 Google LLC
|
||||
# Copyright 2024 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -17,21 +17,21 @@
|
||||
name: Teams
|
||||
iam:
|
||||
"roles/owner":
|
||||
- project-factory-teams
|
||||
- project-factory
|
||||
"roles/resourcemanager.folderAdmin":
|
||||
- project-factory-teams
|
||||
- project-factory
|
||||
"roles/resourcemanager.projectCreator":
|
||||
- project-factory-teams
|
||||
- project-factory
|
||||
"roles/resourcemanager.tagUser":
|
||||
- project-factory-teams
|
||||
- project-factory
|
||||
"service_project_network_admin":
|
||||
- project-factory-teams
|
||||
- project-factory
|
||||
"roles/viewer":
|
||||
- project-factory-teams-r
|
||||
- project-factory-r
|
||||
"roles/resourcemanager.folderViewer":
|
||||
- project-factory-teams-r
|
||||
- project-factory-r
|
||||
"roles/resourcemanager.tagViewer":
|
||||
- project-factory-teams-r
|
||||
- project-factory-r
|
||||
# don't create a context tag since this uses the pf tag
|
||||
is_fast_context: false
|
||||
tag_bindings:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -50,20 +50,19 @@ locals {
|
||||
}
|
||||
},
|
||||
# stage 2 project factory
|
||||
var.root_node != null || var.fast_stage_2.project_factory.enabled != true ? {} : merge([
|
||||
for k, v in module.pf-sa-rw : {
|
||||
"sa_pf_${k}_conditional_org_policy" = {
|
||||
member = v.iam_email
|
||||
role = "roles/orgpolicy.policyAdmin"
|
||||
condition = {
|
||||
title = "org_policy_tag_pf_${k}_scoped"
|
||||
description = "Org policy tag scoped grant for ${k} project factory."
|
||||
expression = <<-END
|
||||
var.root_node != null || var.fast_stage_2.project_factory.enabled != true ? {} : {
|
||||
sa_pf_conditional_org_policy = {
|
||||
member = module.pf-sa-rw[0].iam_email
|
||||
role = "roles/orgpolicy.policyAdmin"
|
||||
condition = {
|
||||
title = "org_policy_tag_pf_scoped"
|
||||
description = "Org policy tag scoped grant for project factory."
|
||||
expression = <<-END
|
||||
resource.matchTag('${local.tag_root}/${var.tag_names.context}', 'project-factory')
|
||||
END
|
||||
}
|
||||
}
|
||||
}]...),
|
||||
}
|
||||
},
|
||||
# stage 3
|
||||
{
|
||||
for v in local.stage3_sa_roles_in_org : join("/", values(v)) => {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -47,8 +47,10 @@ locals {
|
||||
security = module.sec-sa-rw[0].email
|
||||
security-r = module.sec-sa-ro[0].email
|
||||
},
|
||||
{ for k, v in module.pf-sa-rw : "project-factory-${k}" => module.pf-sa-rw[k].email },
|
||||
{ for k, v in module.pf-sa-ro : "project-factory-${k}-r" => module.pf-sa-ro[k].email },
|
||||
!var.fast_stage_2.project_factory.enabled ? {} : {
|
||||
project-factory = module.pf-sa-rw[0].email
|
||||
project-factory-r = module.pf-sa-ro[0].email
|
||||
},
|
||||
{ for k, v in local.stage3 : k => module.stage3-sa-rw[k].email },
|
||||
{ for k, v in local.stage3 : "${k}-r" => module.stage3-sa-ro[k].email },
|
||||
)
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -33,18 +33,3 @@ moved {
|
||||
from = module.sec-folder-prod[0]
|
||||
to = module.sec-folder-envs["prod"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.pf-sa-rw[0]
|
||||
to = module.pf-sa-rw["pf"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.pf-sa-ro[0]
|
||||
to = module.pf-sa-ro["pf"]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = module.pf-bucket[0]
|
||||
to = module.pf-bucket["pf"]
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -52,13 +52,13 @@ locals {
|
||||
{
|
||||
"roles/resourcemanager.tagUser" = distinct(concat(
|
||||
try(local.tags.environment.values[v.tag_name].iam["roles/resourcemanager.tagUser"], []),
|
||||
[for _, v in values(module.pf-sa-rw) : v.iam_email],
|
||||
!var.fast_stage_2.project_factory.enabled ? [] : [module.pf-sa-rw[0].iam_email],
|
||||
!var.fast_stage_2.networking.enabled ? [] : [module.net-sa-rw[0].iam_email],
|
||||
!var.fast_stage_2.security.enabled ? [] : [module.sec-sa-rw[0].iam_email],
|
||||
))
|
||||
"roles/resourcemanager.tagViewer" = distinct(concat(
|
||||
try(local.tags.environment.values[v.tag_name].iam["roles/resourcemanager.tagViewer"], []),
|
||||
[for v in values(module.pf-sa-ro) : v.iam_email],
|
||||
!var.fast_stage_2.project_factory.enabled ? [] : [module.pf-sa-ro[0].iam_email],
|
||||
!var.fast_stage_2.networking.enabled ? [] : [module.net-sa-ro[0].iam_email],
|
||||
!var.fast_stage_2.security.enabled ? [] : [module.sec-sa-ro[0].iam_email],
|
||||
))
|
||||
|
||||
@@ -28,16 +28,15 @@ locals {
|
||||
}
|
||||
}
|
||||
},
|
||||
merge([
|
||||
for k in keys(module.pf-sa-rw) : {
|
||||
"project_factory_${k}" = {
|
||||
bucket = module.pf-bucket[k].name
|
||||
sa = {
|
||||
apply = module.pf-sa-rw[k].email
|
||||
plan = module.pf-sa-ro[k].email
|
||||
}
|
||||
var.fast_stage_2["project_factory"].enabled != true ? {} : {
|
||||
project_factory = {
|
||||
bucket = module.pf-bucket[0].name
|
||||
sa = {
|
||||
apply = module.pf-sa-rw[0].email
|
||||
plan = module.pf-sa-ro[0].email
|
||||
}
|
||||
}]...),
|
||||
}
|
||||
},
|
||||
var.fast_stage_2["security"].enabled != true ? {} : {
|
||||
security = {
|
||||
bucket = module.sec-bucket[0].name
|
||||
@@ -60,14 +59,14 @@ locals {
|
||||
} if v.parent_stage == "2-networking"
|
||||
},
|
||||
var.fast_stage_2["project_factory"].enabled != true ? {} : {
|
||||
for k, v in local.stage_addons : "project-factory-${k}" => {
|
||||
bucket = module.pf-bucket[trimprefix(v.parent_stage, "2-project-factory-")].name
|
||||
for k, v in local.stage_addons : "pf-${k}" => {
|
||||
bucket = module.pf-bucket[0].name
|
||||
backend_extra = "prefix = \"addons/${k}\""
|
||||
sa = {
|
||||
apply = module.pf-sa-rw[trimprefix(v.parent_stage, "2-project-factory-")].email
|
||||
plan = module.pf-sa-ro[trimprefix(v.parent_stage, "2-project-factory-")].email
|
||||
apply = module.pf-sa-rw[0].email
|
||||
plan = module.pf-sa-ro[0].email
|
||||
}
|
||||
} if startswith(v.parent_stage, "2-project-factory")
|
||||
} if v.parent_stage == "2-project-factory"
|
||||
},
|
||||
var.fast_stage_2["security"].enabled != true ? {} : {
|
||||
for k, v in local.stage_addons : "security-${k}" => {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -69,13 +69,13 @@ module "net-folder" {
|
||||
# project factory service accounts
|
||||
(var.fast_stage_2.project_factory.enabled) != true ? {} : {
|
||||
(var.custom_roles.service_project_network_admin) = [
|
||||
for v in values(module.pf-sa-rw) : v.iam_email
|
||||
module.pf-sa-rw[0].iam_email
|
||||
]
|
||||
(var.custom_roles.project_iam_viewer) = [
|
||||
for v in values(module.pf-sa-ro) : v.iam_email
|
||||
module.pf-sa-ro[0].iam_email
|
||||
]
|
||||
"roles/compute.networkViewer" = [
|
||||
for v in values(module.pf-sa-ro) : v.iam_email
|
||||
module.pf-sa-ro[0].iam_email
|
||||
]
|
||||
}
|
||||
)
|
||||
@@ -84,7 +84,7 @@ module "net-folder" {
|
||||
var.fast_stage_2.project_factory.enabled != true ? {} : {
|
||||
pf_delegated_grant = {
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = [for v in values(module.pf-sa-rw) : v.iam_email]
|
||||
members = [module.pf-sa-rw[0].iam_email]
|
||||
condition = {
|
||||
expression = format(
|
||||
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -14,22 +14,14 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
_pf_short_names = (
|
||||
var.fast_stage_2.project_factory.enabled
|
||||
? toset(var.fast_stage_2.project_factory.short_name)
|
||||
: toset([])
|
||||
)
|
||||
}
|
||||
|
||||
# automation service accounts
|
||||
|
||||
module "pf-sa-rw" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = local._pf_short_names
|
||||
count = var.fast_stage_2.project_factory.enabled ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = templatestring(var.resource_names["sa-pf_rw"], {
|
||||
name = each.value
|
||||
name = var.fast_stage_2.project_factory.short_name
|
||||
})
|
||||
display_name = "Terraform resman project factory main service account."
|
||||
prefix = var.prefix
|
||||
@@ -49,10 +41,10 @@ module "pf-sa-rw" {
|
||||
|
||||
module "pf-sa-ro" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
for_each = local._pf_short_names
|
||||
count = var.fast_stage_2.project_factory.enabled ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = templatestring(var.resource_names["sa-pf_ro"], {
|
||||
name = each.value
|
||||
name = var.fast_stage_2.project_factory.short_name
|
||||
})
|
||||
display_name = "Terraform resman project factory main service account (read-only)."
|
||||
prefix = var.prefix
|
||||
@@ -74,16 +66,16 @@ module "pf-sa-ro" {
|
||||
|
||||
module "pf-bucket" {
|
||||
source = "../../../modules/gcs"
|
||||
for_each = local._pf_short_names
|
||||
count = var.fast_stage_2.project_factory.enabled ? 1 : 0
|
||||
project_id = var.automation.project_id
|
||||
name = templatestring(var.resource_names["gcs-pf"], {
|
||||
name = each.value
|
||||
name = var.fast_stage_2.project_factory.short_name
|
||||
})
|
||||
prefix = var.prefix
|
||||
location = var.locations.gcs
|
||||
versioning = true
|
||||
iam = {
|
||||
"roles/storage.objectAdmin" = [module.pf-sa-rw[each.value].iam_email]
|
||||
"roles/storage.objectViewer" = [module.pf-sa-ro[each.value].iam_email]
|
||||
"roles/storage.objectAdmin" = [module.pf-sa-rw[0].iam_email]
|
||||
"roles/storage.objectViewer" = [module.pf-sa-ro[0].iam_email]
|
||||
}
|
||||
}
|
||||
|
||||
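Review bot: Moving pf-sa-rw, pf-sa-ro and pf-bucket from `for_each = local._pf_short_names` back to `count = var.fast_stage_2.project_factory.enabled ? 1 : 0` changes their state addresses from `module.pf-sa-rw["pf"]` to `module.pf-sa-rw[0]`, yet this revert only deletes the forward `moved` blocks (the `@@ -33,18 +33,3 @@` hunk earlier on this page) and adds no reverse ones. For any state that was already applied with the reverted commit, a plan would destroy and recreate the two service accounts and the bucket; recreating the service accounts leaves existing IAM bindings pointing at the deleted identity, and the bucket appears to be the backend for the project-factory stage per the `bucket = module.pf-bucket[0].name` lines elsewhere in this commit, so its replacement could orphan that stage's state. If the reverted commit may have been applied anywhere, add reverse blocks in the same file as the deleted ones, e.g. `moved { from = module.pf-sa-rw["pf"]  to = module.pf-sa-rw[0] }`, and likewise for pf-sa-ro and pf-bucket. If it was never released, a one-line note in the commit description saying so would let reviewers skip this check.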
@@ -62,13 +62,13 @@ module "sec-folder" {
|
||||
# project factory service accounts
|
||||
(var.fast_stage_2.project_factory.enabled) != true ? {} : {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
for v in values(module.pf-sa-rw) : v.iam_email
|
||||
module.pf-sa-rw[0].iam_email
|
||||
]
|
||||
(var.custom_roles.project_iam_viewer) = [
|
||||
for v in values(module.pf-sa-ro) : v.iam_email
|
||||
module.pf-sa-ro[0].iam_email
|
||||
]
|
||||
"roles/cloudkms.viewer" = [
|
||||
for v in values(module.pf-sa-ro) : v.iam_email
|
||||
module.pf-sa-ro[0].iam_email
|
||||
]
|
||||
}
|
||||
)
|
||||
@@ -76,7 +76,7 @@ module "sec-folder" {
|
||||
var.fast_stage_2.project_factory.enabled != true ? {} : {
|
||||
pf_delegated_grant = {
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = [for v in values(module.pf-sa-rw) : v.iam_email]
|
||||
members = [module.pf-sa-rw[0].iam_email]
|
||||
condition = {
|
||||
expression = format(
|
||||
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
|
||||
|
||||
@@ -32,14 +32,11 @@ variable "fast_addon" {
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for k, v in var.fast_addon : contains(
|
||||
concat(
|
||||
["2-networking", "2-security"],
|
||||
[for s in var.fast_stage_2.project_factory.short_name : "2-project-factory-${s}"]
|
||||
),
|
||||
["2-networking", "2-project-factory", "2-security"],
|
||||
v.parent_stage
|
||||
)
|
||||
])
|
||||
error_message = "Resman-defined addons only support '2-networking', '2-project-factory-*' and '2-security' stages."
|
||||
error_message = "Resman-defined addons only support '2-networking', '2-project-factory' and '2-security' stages."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue([
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2024 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -37,7 +37,7 @@ variable "fast_stage_2" {
|
||||
}), {})
|
||||
project_factory = optional(object({
|
||||
enabled = optional(bool, true)
|
||||
short_name = optional(list(string), ["teams"])
|
||||
short_name = optional(string, "pf")
|
||||
cicd_config = optional(object({
|
||||
identity_provider = string
|
||||
repository = object({
|
||||
|
||||