* docs(organization): document external IAM management for logging sinks at scale
* Update TOC
---------
Co-authored-by: Julio Castillo <jccb@google.com>
Refactor subnets mgmt in net-vpc-factory
This commit removes the ability to define subnets inline within the VPC `.config.yaml` across `net-vpc-factory` and enforces file-based subnet definitions using the `subnets/` subdirectory pattern.
Key changes include:
- **Module Updates:** Removed standard and non-standard inline subnet arguments (`subnets`, `subnets_private_nat`, `subnets_proxy_only`, `subnets_psc`) from the factory module's internal `vpcs` instantiation.
- **Schema & Docs:** Renamed `vpc.schema.json` to `vpc-factory.schema.json`, stripping inline subnet definitions from the JSON schema, and updated the module `README.md` to reflect the new file-based only approach.
- **Stage 2 Networking Configs:** Refactored datasets to migrate inline `subnets_proxy_only` definitions into standalone files like `subnets/prod-proxy.yaml`. Added a new exported output `subnet_ips` for downstream usage.
<!--
**Breaking Changes**
```upgrade-note
`fast/stages/2-networking`: Proxy-only subnets have been renamed for consistency - unfortunately this results in a nasty create-before-destroy which needs to be handled manually (i.e. delete the existing proxy-only-subnet first, either manually or with a targeted apply, then apply again)
```
-->
* fix(project-factory): Correctly interpolate IAM principals in tags
Moves the processing of `tags` and `tag_bindings` from the `projects` module instance to the `projects-iam` instance.
This fixes a bug where IAM principals for automation service accounts, referenced via `$iam_principals:service_accounts/...`, were not being interpolated within `tags` IAM definitions. The `projects` module was called before the automation service account context was available, leading to the literal string being used instead of the service account email. Processing tags in the `projects-iam` module ensures the full context is available for interpolation.
Adds new tests for both the `project` and `project-factory` modules to validate the fix.
* fix(project-factory): Tag creation is now done in 2 steps.
1st step(projects): Creation of the tags without IAM bindings
2nd step(projects-iam): IAM bindings without creating the tags again
That way we are more backwards compatible as tags and tags values are back to be under module.project-factory.module.projects["*"].google_tags_tag_*
* fix(modules/project-factory): introduce fix suggested by @ludoo, fix logs
* fix(modules/project-factory): fix linting
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
This PR (re :D)introduces module net-vpc-factory, a minimal factory that deals with vpcs, subnets, and firewall rules creation, meant to be embedded into other factories, starting with 2-data-platform and 2-networking.
* fixed bug where label field is ignored for policy based routes
* Fix example and inventory
* Add missing schema
---------
Co-authored-by: Julio Castillo <jccb@google.com>
* Fix workforce identity federation provider configuration
Remove redundant 'organizations/' prefix from parent parameter as
var.organization_id already contains the full organization path.
* Update test to match corrected parent parameter
The test expected the redundant 'organizations/' prefix, but the fix
correctly removes this duplication.
---------
Co-authored-by: Julio Castillo <jccb@google.com>
* fix(compute-vm): prevent instance recreation for key_revocation_action_type
The `key_revocation_action_type` attribute in the `google_compute_instance`
resource defaults to `NONE` on the provider side.
When this optional attribute was not explicitly set in the module's
`options` variable, it resolved to `null` in the Terraform configuration.
This caused Terraform to detect a change from `null` to `NONE` on every
plan, leading to unnecessary instance recreation.
This change applies `coalesce` to
`var.options.key_revocation_action_type` in the resource definition so
that it defaults to `NONE` when unset, aligning the configuration with
provider behavior and preventing a permadiff.
* updated the regional compute template too with the key_revocation_action_type
* fixed the formatting
* add support for pubsub to project factory
* remove duplicate data access log definitions from folders
* tfdoc
* schemas
* fix example
* add pubsub topics context to org in stage 0
