* docs(organization): document external IAM management for logging sinks at scale
* Update TOC
---------
Co-authored-by: Julio Castillo <jccb@google.com>
Error: Error creating AlertPolicy: googleapi: Error 404: Cannot find metric(s) that match type = "logging.googleapis.com/user/sa-impersonation". If a metric was created recently, it could take up to 10 minutes to become available. Please try again soon.
* Added bucket_name for project-factory module
* Added new key attribute to projects_buckets local
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
Refactor subnets mgmt in net-vpc-factory
This commit removes the ability to define subnets inline within the VPC `.config.yaml` across `net-vpc-factory` and enforces file-based subnet definitions using the `subnets/` subdirectory pattern.
Key changes include:
- **Module Updates:** Removed standard and non-standard inline subnet arguments (`subnets`, `subnets_private_nat`, `subnets_proxy_only`, `subnets_psc`) from the factory module's internal `vpcs` instantiation.
- **Schema & Docs:** Renamed `vpc.schema.json` to `vpc-factory.schema.json`, stripping inline subnet definitions from the JSON schema, and updated the module `README.md` to reflect the new file-based only approach.
- **Stage 2 Networking Configs:** Refactored datasets to migrate inline `subnets_proxy_only` definitions into standalone files like `subnets/prod-proxy.yaml`. Added a new exported output `subnet_ips` for downstream usage.
<!--
**Breaking Changes**
```upgrade-note
`fast/stages/2-networking`: Proxy-only subnets have been renamed for consistency - unfortunately this results in a nasty create-before-destroy which needs to be handled manually (i.e. delete the existing proxy-only-subnet first, either manually or with a targeted apply, then apply again)
```
-->
Error:
com.google.apps.framework.request.StatusException: <eye3 title='INVALID_ARGUMENT'/> generic::INVALID_ARGUMENT: Invalid value for field 'resource.router': 'projects/<PREFIX>-prod-net-core-0/regions/europe-north1/routers/encrypted-vlan-attachment-b-underlay'. The Cloud Router used by PARTNER type interconnect attachments must be assigned a local ASN of '16550'
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* fix(project-factory): Correctly interpolate IAM principals in tags
Moves the processing of `tags` and `tag_bindings` from the `projects` module instance to the `projects-iam` instance.
This fixes a bug where IAM principals for automation service accounts, referenced via `$iam_principals:service_accounts/...`, were not being interpolated within `tags` IAM definitions. The `projects` module was called before the automation service account context was available, leading to the literal string being used instead of the service account email. Processing tags in the `projects-iam` module ensures the full context is available for interpolation.
Adds new tests for both the `project` and `project-factory` modules to validate the fix.
* fix(project-factory): Tag creation is now done in 2 steps.
1st step(projects): Creation of the tags without IAM bindings
2nd step(projects-iam): IAM bindings without creating the tags again
That way we are more backwards compatible as tags and tags values are back to be under module.project-factory.module.projects["*"].google_tags_tag_*
* fix(modules/project-factory): introduce fix suggested by @ludoo, fix logs
* fix(modules/project-factory): fix linting
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
This PR (re :D)introduces module net-vpc-factory, a minimal factory that deals with vpcs, subnets, and firewall rules creation, meant to be embedded into other factories, starting with 2-data-platform and 2-networking.
