From 11050c46cf9950336172e46928394056c4445bbd Mon Sep 17 00:00:00 2001 
From: Simone Ruffilli Date: Fri, 24 May 2024 12:01:55 +0200 Subject: [PATCH] FAST MT: Readme updates and more prefix validation (#2305) This change documents the process of deploying FAST on a tenant-factory bootstrapped tenant. It also changes the validation logic for prefix as follows: - 0-bootstrap: 9 chars or less - 1-resman/1-tenant-factory: 9 chars or less if run at org-level, else 11 - else 11 It also makes the variables.tf and variables-fast.tf breakdown uniform across all stages. --- fast/stage-links.sh | 16 --- fast/stages/0-bootstrap/README.md | 5 +- fast/stages/1-resman/README.md | 10 +- fast/stages/1-resman/variables-fast.tf | 13 +++ fast/stages/1-resman/variables.tf | 11 --- fast/stages/1-tenant-factory/README.md | 31 +++++- .../stages/1-tenant-factory/variables-fast.tf | 12 ++- fast/stages/2-networking-a-simple/README.md | 4 +- .../2-networking-a-simple/variables-fast.tf | 7 +- fast/stages/2-networking-c-nva/README.md | 39 ++++---- .../2-networking-c-nva/variables-fast.tf | 89 +++++++++++++++++ fast/stages/2-networking-c-nva/variables.tf | 75 -------------- .../2-networking-d-separate-envs/README.md | 33 ++++--- .../variables-fast.tf | 90 +++++++++++++++++ .../2-networking-d-separate-envs/variables.tf | 76 -------------- fast/stages/2-networking-e-nva-bgp/README.md | 41 ++++---- .../2-networking-e-nva-bgp/variables-fast.tf | 99 +++++++++++++++++++ .../2-networking-e-nva-bgp/variables.tf | 85 ---------------- fast/stages/2-security/README.md | 8 +- fast/stages/2-security/variables-fast.tf | 10 ++ fast/stages/2-security/variables.tf | 10 -- fast/stages/3-data-platform/dev/README.md | 41 ++++---- .../3-data-platform/dev/variables-fast.tf | 90 +++++++++++++++++ fast/stages/3-data-platform/dev/variables.tf | 77 +-------------- fast/stages/3-gcve/prod/README.md | 27 ++--- fast/stages/3-gcve/prod/variables-fast.tf | 82 +++++++++++++++ fast/stages/3-gcve/prod/variables.tf | 63 ------------ fast/stages/3-gke-multitenant/dev/README.md | 35 +++---- 
.../3-gke-multitenant/dev/variables-fast.tf | 70 +++++++++++++ .../stages/3-gke-multitenant/dev/variables.tf | 61 +----------- fast/stages/3-project-factory/dev/README.md | 7 +- .../3-project-factory/dev/variables-fast.tf | 38 +++++++ .../stages/3-project-factory/dev/variables.tf | 27 +---- 33 files changed, 754 insertions(+), 628 deletions(-) create mode 100644 fast/stages/2-networking-c-nva/variables-fast.tf create mode 100644 fast/stages/2-networking-d-separate-envs/variables-fast.tf create mode 100644 fast/stages/2-networking-e-nva-bgp/variables-fast.tf create mode 100644 fast/stages/3-data-platform/dev/variables-fast.tf create mode 100644 fast/stages/3-gcve/prod/variables-fast.tf create mode 100644 fast/stages/3-gke-multitenant/dev/variables-fast.tf create mode 100644 fast/stages/3-project-factory/dev/variables-fast.tf diff --git a/fast/stage-links.sh b/fast/stage-links.sh index 5efbc1c57e..a0b5f84d96 100755 --- a/fast/stage-links.sh +++ b/fast/stage-links.sh @@ -53,26 +53,10 @@ case $STAGE_NAME in PROVIDER="providers/0-bootstrap-providers.tf" TFVARS="" ;; -"0-bootstrap-tenant") - MESSAGE="remember to set the prefix in the provider file" - PROVIDER_CMD=$CP_CMD - PROVIDER="providers/0-bootstrap-tenant-providers.tf" - TFVARS="tfvars/0-bootstrap.auto.tfvars.json - tfvars/1-resman.auto.tfvars.json" - ;; "1-resman" | "1-tenant-factory") PROVIDER="providers/${STAGE_NAME}-providers.tf" TFVARS="tfvars/0-bootstrap.auto.tfvars.json" ;; -"1-resman-tenant") - if [[ -z "$TENANT" ]]; then - echo "Please set a \$TENANT variable with the tenant shortname" - exit 1 - fi - unset GLOBALS - PROVIDER="tenants/$TENANT/providers/1-resman-tenant-providers.tf" - TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json" - ;; "2-networking"*) if [[ -z "$TENANT" ]]; then echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again" 
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md index d638a97e90..24e70eed1d 100644 --- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md @@ -151,12 +151,15 @@ We are intentionally not supporting random prefix/suffixes for names, as that is What is implemented here is a fairly common convention, composed of tokens ordered by relative importance: - an organization-level static prefix less or equal to 9 characters (e.g. `myco` or `myco-gcp`) -- an optional tenant-level prefix, if using multitenant stages +- an optional tenant-level prefix, if using tenant factory - an environment identifier (e.g. `prod`) - a team/owner identifier (e.g. `sec` for Security) - a context identifier (e.g. `core` or `kms`) - an arbitrary identifier used to distinguish similar resources (e.g. `0`, `1`) +> [!WARNING] +> When using tenant factory, a tenant prefix will be automatically generated as `{prefix}-{tenant-shortname}`. The maximum length of such prefix must be 11 characters or less, which means that the longer org-level prefix you use, the less chars you'll have available for the `tenant-shortname`. + Tokens are joined by a `-` character, making it easy to separate the individual tokens visually, and to programmatically split them in billing exports to derive initial high-level groupings for cost attribution. The convention is used in its full form only for specific resources with globally unique names (projects, GCS buckets). Other resources adopt a shorter version for legibility, as the full context can always be derived from their project. diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index aa726c87ad..64b7aeb9d9 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
@@ -267,7 +267,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap | | [logging](variables-fast.tf#L93) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory | | [organization](variables-fast.tf#L106) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L158) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L124) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | | [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | | [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [factories_config](variables.tf#L114) | Configuration for the resource factories or external data. | object({…}) | | {} | | 
@@ -276,10 +276,10 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [groups](variables-fast.tf#L65) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | | [locations](variables-fast.tf#L80) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | | [outputs_location](variables.tf#L152) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | -| [root_node](variables-fast.tf#L117) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap | -| [tag_names](variables.tf#L169) | Customized names for resource management tags. | object({…}) | | {} | | -| [tags](variables.tf#L183) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | -| [top_level_folders](variables.tf#L204) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | +| [root_node](variables-fast.tf#L130) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap | +| [tag_names](variables.tf#L158) | Customized names for resource management tags. | object({…}) | | {} | | +| [tags](variables.tf#L172) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | +| [top_level_folders](variables.tf#L193) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | ## Outputs 
diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf index 247cf582e9..cd2b76fb9e 100644 --- a/fast/stages/1-resman/variables-fast.tf +++ b/fast/stages/1-resman/variables-fast.tf @@ -114,6 +114,19 @@ variable "organization" { nullable = false } +check "prefix_validator" { + assert { + condition = (try(length(var.prefix), 0) < 10) || (try(length(var.prefix), 0) < 12 && var.root_node != null) + error_message = "var.prefix must be 9 characters or shorter for organizations, and 11 chars or shorter for tenants." + } +} + +variable "prefix" { + # tfdoc:variable:source 0-bootstrap + description = "Prefix used for resources that need unique names. Use 9 characters or less." + type = string +} + variable "root_node" { # tfdoc:variable:source 0-bootstrap description = "Root node for the hierarchy, if running in tenant mode." diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf index de19d91510..33b9daadf7 100644 --- a/fast/stages/1-resman/variables.tf +++ b/fast/stages/1-resman/variables.tf @@ -155,17 +155,6 @@ variable "outputs_location" { default = null } -variable "prefix" { - # tfdoc:variable:source 0-bootstrap - description = "Prefix used for resources that need unique names. Use 9 characters or less." - type = string - # real maximum length is 11 but we need to keep at least 2 for tenants - validation { - condition = try(length(var.prefix), 0) < 10 - error_message = "Use a maximum of 9 characters for prefix." - } -} - variable "tag_names" { description = "Customized names for resource management tags." type = object({ diff --git a/fast/stages/1-tenant-factory/README.md b/fast/stages/1-tenant-factory/README.md index e736feb33c..6386cd1ba1 100644 --- a/fast/stages/1-tenant-factory/README.md +++ b/fast/stages/1-tenant-factory/README.md 
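Review bot: Moving the length rule from the removed `validation` block into `check "prefix_validator"` downgrades a hard plan-time failure to a warning, because a failed `check` assertion is reported but does not stop plan or apply, so an over-long prefix now reaches resource naming unchecked. The org-vs-tenant rule needs `var.root_node`, which is presumably why a `check` block was chosen, but the variable itself should still carry the hard upper bound: restore `validation { condition = try(length(var.prefix), 0) < 12 error_message = "Use a maximum of 11 characters for prefix." }` on `variable "prefix"`, ideally with `nullable = false` so an explicit `null` is rejected instead of passing through `try(..., 0)`. The description of `variable "prefix"` also still says "Use 9 characters or less" while the assertion admits 11 in tenant mode; the wording introduced for the 2-networking stages in this same commit ("Use a maximum of 9 chars for organizations, and 11 chars for tenants.") would keep the two in step. The identical hunk in fast/stages/1-tenant-factory/variables-fast.tf has the same two issues.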
@@ -16,6 +16,7 @@ Typical use cases include large organizations managing a single Cloud subscripti - [Tenant configuration](#tenant-configuration) - [Configurations for both simple and FAST tenants](#configurations-for-both-simple-and-fast-tenants) - [Configurations for FAST tenants](#configurations-for-fast-tenants) + - [Deploying FAST stages](#deploying-fast-stages) - [Files](#files) - [Variables](#variables) - [Outputs](#outputs) @@ -252,6 +253,34 @@ tenant_configs = { } ``` +#### Deploying FAST stages + +Mirroring the regular FAST behavior, the provider and variable files for a bootstrapped tenant will be generated on a tenant-specific storage bucket named `{prefix}-{tenant-shortname}-prod-iac-core-outputs-0` in (also tenant-specific) project `{prefix}-{tenant-shortname}-prod-iac-core-0`. + +Since the tenant is already bootstrapped, a FAST deployment for tenants start from stage `1-resman`, which can be configured as usual, leveraging `stage-links.sh`, which should point to either the tenant-specific `var.outputs_location`, or to the tenant-specific GCS bucket. + +For example: + +```bash +/path/to/stage-links.sh ~/fast-config/tenants/tenant-a + +# copy and paste the following commands for 'tenant-a/1-resman' + +ln -s ~/fast-config/tenants/tenant-a/providers/1-tenant-factory-providers.tf ./ +ln -s ~/fast-config/tenants/tenant-a/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/tenants/tenant-a/tfvars/0-bootstrap.auto.tfvars.json ./ +``` + +```bash +../../stage-links.sh gs://{prefix}-{tenant-shortname}-prod-iac-core-0 + +# copy and paste the following commands for 'tenant-a/1-resman' + +gcloud alpha storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/providers/1-tenant-factory-providers.tf ./ +gcloud alpha storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-globals.auto.tfvars.json ./ +gcloud alpha storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-bootstrap.auto.tfvars.json ./ +``` + ## Files 
@@ -283,7 +312,7 @@ tenant_configs = { | [logging](variables-fast.tf#L94) | Logging resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [org_policy_tags](variables-fast.tf#L113) | Organization policy tags. | object({…}) | ✓ | | 0-bootstrap | | [organization](variables-fast.tf#L103) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L123) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L130) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | | [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [groups](variables-fast.tf#L66) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | | [locations](variables-fast.tf#L81) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | diff --git a/fast/stages/1-tenant-factory/variables-fast.tf b/fast/stages/1-tenant-factory/variables-fast.tf index f4f5beb065..ca67b036ed 100644 --- a/fast/stages/1-tenant-factory/variables-fast.tf +++ b/fast/stages/1-tenant-factory/variables-fast.tf 
@@ -120,13 +120,15 @@ variable "org_policy_tags" { }) } +check "prefix_validator" { + assert { + condition = (try(length(var.prefix), 0) < 10) || (try(length(var.prefix), 0) < 12 && var.root_node != null) + error_message = "var.prefix must be 9 characters or shorter for organizations, and 11 chars or shorter for tenants." + } +} + variable "prefix" { # tfdoc:variable:source 0-bootstrap description = "Prefix used for resources that need unique names. Use 9 characters or less." type = string - - validation { - condition = try(length(var.prefix), 0) < 10 - error_message = "Use a maximum of 9 characters for prefix." - } } diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index b2c30b42f5..17bf8750d7 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md 
@@ -443,7 +443,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [folder_ids](variables-fast.tf#L59) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | | [organization](variables-fast.tf#L69) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L79) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L79) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | | [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | 
@@ -455,7 +455,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | | | [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L90) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [service_accounts](variables-fast.tf#L89) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | | [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | | | [vpn_onprem_primary_config](variables.tf#L180) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf index 37d4031b33..71805b067c 100644 --- a/fast/stages/2-networking-a-simple/variables-fast.tf +++ b/fast/stages/2-networking-a-simple/variables-fast.tf @@ -78,12 +78,11 @@ variable "organization" { variable "prefix" { # tfdoc:variable:source 0-bootstrap - description = "Prefix used for resources that need unique names. Use 9 characters or less." + description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants." type = string - validation { - condition = try(length(var.prefix), 0) < 10 - error_message = "Use a maximum of 9 characters for prefix." + condition = try(length(var.prefix), 0) < 12 + error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants." } } 
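Review bot: The relaxed `condition = try(length(var.prefix), 0) < 12` in `variable "prefix"` now accepts a 10- or 11-character prefix unconditionally, while the new error message still promises 9 for organizations; this stage has no `root_node` input to tell the two cases apart, so the org-level bound is only enforced upstream from here on. That reliance is worth recording next to the condition, e.g. `# 11 is the hard limit; the 9-char org-level rule is enforced by 0-bootstrap and 1-resman`, so the bound is not later tightened or loosened here in isolation. As before, `try(..., 0)` also lets an explicit `null` pass the validation; `nullable = false` on the variable would surface that as a clear plan-time error rather than a less obvious failure later. The same validation pattern appears in the newly created variables-fast.tf files, e.g. fast/stages/2-networking-c-nva/variables-fast.tf.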
diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md index 88f57974d7..1376301da0 100644 --- a/fast/stages/2-networking-c-nva/README.md +++ b/fast/stages/2-networking-c-nva/README.md @@ -449,6 +449,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | | [test-resources.tf](./test-resources.tf) | Temporary instances for testing | | | +| [variables-fast.tf](./variables-fast.tf) | None | | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | 
@@ -456,26 +457,26 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables.tf#L132) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables.tf#L157) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L173) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables.tf#L107) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L67) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | -| [create_test_instances](variables.tf#L63) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. 
| bool | | false | | -| [custom_roles](variables.tf#L69) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | -| [dns](variables.tf#L78) | DNS configuration. | object({…}) | | {} | | -| [enable_cloud_nat](variables.tf#L88) | Deploy Cloud NAT. | bool | | false | | -| [essential_contacts](variables.tf#L95) | Email used for essential contacts, unset if null. | string | | null | | -| [factories_config](variables.tf#L101) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables.tf#L122) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | -| [gcp_ranges](variables.tf#L142) | GCP address ranges in name => range format. | map(string) | | {…} | | -| [outputs_location](variables.tf#L167) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L184) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | -| [regions](variables.tf#L204) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables.tf#L216) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_primary_config](variables.tf#L230) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | -| [vpn_onprem_secondary_config](variables.tf#L273) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | +| [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | +| [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | +| [dns](variables.tf#L48) | DNS configuration. 
| object({…}) | | {} | | +| [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | | +| [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | | +| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | | +| [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [gcp_ranges](variables.tf#L92) | GCP address ranges in name => range format. | map(string) | | {…} | | +| [outputs_location](variables.tf#L117) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | +| [psa_ranges](variables.tf#L123) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | +| [regions](variables.tf#L143) | Region definitions. | object({…}) | | {…} | | +| [service_accounts](variables-fast.tf#L77) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_primary_config](variables.tf#L155) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | +| [vpn_onprem_secondary_config](variables.tf#L198) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | ## Outputs diff --git a/fast/stages/2-networking-c-nva/variables-fast.tf b/fast/stages/2-networking-c-nva/variables-fast.tf new file mode 100644 index 0000000000..22c9cffa96 --- /dev/null +++ b/fast/stages/2-networking-c-nva/variables-fast.tf 
@@ -0,0 +1,89 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "automation" { + # tfdoc:variable:source 0-bootstrap + description = "Automation resources created by the bootstrap stage." + type = object({ + outputs_bucket = string + }) +} + +variable "billing_account" { + # tfdoc:variable:source 0-bootstrap + description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." + type = object({ + id = string + is_org_level = optional(bool, true) + }) + validation { + condition = var.billing_account.is_org_level != null + error_message = "Invalid `null` value for `billing_account.is_org_level`." + } +} + +variable "custom_roles" { + # tfdoc:variable:source 0-bootstrap + description = "Custom roles defined at the org level, in key => id format." + type = object({ + service_project_network_admin = string + }) + default = null +} + +variable "fast_features" { + # tfdoc:variable:source 0-0-bootstrap + description = "Selective control for top-level FAST features." + type = object({ + gcve = optional(bool, false) + }) + default = {} + nullable = false +} + +variable "folder_ids" { + # tfdoc:variable:source 1-resman + description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." 
+ type = object({ + networking = string + networking-dev = string + networking-prod = string + }) +} + +variable "prefix" { + # tfdoc:variable:source 0-bootstrap + description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants." + type = string + validation { + condition = try(length(var.prefix), 0) < 12 + error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants." + } +} + +variable "service_accounts" { + # tfdoc:variable:source 1-resman + description = "Automation service accounts in name => email format." + type = object({ + data-platform-dev = string + data-platform-prod = string + gke-dev = string + gke-prod = string + project-factory-dev = string + project-factory-prod = string + }) + default = null +} diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf index 835ff2eff5..5e8535c9fe 100644 --- a/fast/stages/2-networking-c-nva/variables.tf +++ b/fast/stages/2-networking-c-nva/variables.tf 
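Review bot: The new file has no `# tfdoc:file:description` header, which is why the regenerated README table in this commit lists `variables-fast.tf` as `None` next to the `Module variables.` entry for `variables.tf`; a one-line header such as `# tfdoc:file:description FAST stage interface.` above the first `variable` block fixes the generated docs. The README table for this stage also still resolves `organization` to `variables.tf#L107` while every other 0-bootstrap/1-resman-sourced input moved here, unlike 2-networking-d-separate-envs where `organization` now lives in `variables-fast.tf`; moving it would complete the uniform breakdown the commit describes. The same missing file description presumably affects the other variables-fast.tf files created by this commit, since the d-separate-envs README hunk shows the same `None` row.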
@@ -39,42 +39,12 @@ variable "alert_config" { } } -variable "automation" { - # tfdoc:variable:source 0-bootstrap - description = "Automation resources created by the bootstrap stage." - type = object({ - outputs_bucket = string - }) -} - -variable "billing_account" { - # tfdoc:variable:source 0-bootstrap - description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." - type = object({ - id = string - is_org_level = optional(bool, true) - }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } -} - variable "create_test_instances" { description = "Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity." type = bool default = false } -variable "custom_roles" { - # tfdoc:variable:source 0-bootstrap - description = "Custom roles defined at the org level, in key => id format." - type = object({ - service_project_network_admin = string - }) - default = null -} - variable "dns" { description = "DNS configuration." type = object({ @@ -119,26 +89,6 @@ variable "factories_config" { } } -variable "fast_features" { - # tfdoc:variable:source 0-0-bootstrap - description = "Selective control for top-level FAST features." - type = object({ - gcve = optional(bool, false) - }) - default = {} - nullable = false -} - -variable "folder_ids" { - # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." - type = object({ - networking = string - networking-dev = string - networking-prod = string - }) -} - variable "gcp_ranges" { description = "GCP address ranges in name => range format." type = map(string) 
@@ -170,17 +120,6 @@ variable "outputs_location" { default = null } -variable "prefix" { - # tfdoc:variable:source 0-bootstrap - description = "Prefix used for resources that need unique names. Use 9 characters or less." - type = string - - validation { - condition = try(length(var.prefix), 0) < 10 - error_message = "Use a maximum of 9 characters for prefix." - } -} - variable "psa_ranges" { description = "IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format." type = object({ @@ -213,20 +152,6 @@ variable "regions" { } } -variable "service_accounts" { - # tfdoc:variable:source 1-resman - description = "Automation service accounts in name => email format." - type = object({ - data-platform-dev = string - data-platform-prod = string - gke-dev = string - gke-prod = string - project-factory-dev = string - project-factory-prod = string - }) - default = null -} - variable "vpn_onprem_primary_config" { description = "VPN gateway configuration for onprem interconnection in the primary region." type = object({ diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md index ddcfe4b1ae..a01237dec0 100644 --- a/fast/stages/2-networking-d-separate-envs/README.md +++ b/fast/stages/2-networking-d-separate-envs/README.md @@ -323,6 +323,7 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | | [test-resources.tf](./test-resources.tf) | Temporary instances for testing | compute-vm | | +| [variables-fast.tf](./variables-fast.tf) | None | | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | 
@@ -330,23 +331,23 @@ Regions are defined via the `regions` variable which sets up a mapping between t | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables.tf#L118) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables.tf#L128) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L144) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L48) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L58) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | -| [dns](variables.tf#L63) | DNS configuration. | object({…}) | | {} | | -| [enable_cloud_nat](variables.tf#L74) | Deploy Cloud NAT. 
| bool | | false | | -| [essential_contacts](variables.tf#L81) | Email used for essential contacts, unset if null. | string | | null | | -| [factories_config](variables.tf#L87) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables.tf#L108) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | -| [outputs_location](variables.tf#L138) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L155) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | | -| [regions](variables.tf#L175) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables.tf#L185) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_dev_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | -| [vpn_onprem_prod_primary_config](variables.tf#L242) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | +| [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | | +| [enable_cloud_nat](variables.tf#L53) | Deploy Cloud NAT. | bool | | false | | +| [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | string | | null | | +| [factories_config](variables.tf#L66) | Configuration for network resource factories. | object({…}) | | {…} | | +| [fast_features](variables-fast.tf#L38) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | +| [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (e.g. CloudSQL). 
| object({…}) | | {} | | +| [regions](variables.tf#L113) | Region definitions. | object({…}) | | {…} | | +| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_dev_primary_config](variables.tf#L123) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | +| [vpn_onprem_prod_primary_config](variables.tf#L166) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | ## Outputs diff --git a/fast/stages/2-networking-d-separate-envs/variables-fast.tf b/fast/stages/2-networking-d-separate-envs/variables-fast.tf new file mode 100644 index 0000000000..0ec719f9f6 --- /dev/null +++ b/fast/stages/2-networking-d-separate-envs/variables-fast.tf 
@@ -0,0 +1,90 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "automation" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Automation resources created by the bootstrap stage."
+ type = object({
+ outputs_bucket = string
+ })
+}
+
+variable "billing_account" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
+ type = object({
+ id = string
+ is_org_level = optional(bool, true)
+ })
+ validation {
+ condition = var.billing_account.is_org_level != null
+ error_message = "Invalid `null` value for `billing_account.is_org_level`."
+ }
+}
+
+variable "fast_features" {
+ # tfdoc:variable:source 0-0-bootstrap
+ description = "Selective control for top-level FAST features."
+ type = object({
+ gcve = optional(bool, false)
+ })
+ default = {}
+ nullable = false
+}
+
+variable "folder_ids" {
+ # tfdoc:variable:source 1-resman
+ description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
+ type = object({
+ networking = string
+ networking-dev = string
+ networking-prod = string
+ })
+}
+
+variable "organization" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Organization details."
+ type = object({
+ domain = string
+ id = number
+ customer_id = string
+ })
+}
+
+variable "prefix" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ type = string
+ validation {
+ condition = try(length(var.prefix), 0) < 12
+ error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ }
+}
+
+variable "service_accounts" {
+ # tfdoc:variable:source 1-resman
+ description = "Automation service accounts in name => email format."
+ type = object({
+ data-platform-dev = string
+ data-platform-prod = string
+ gke-dev = string
+ gke-prod = string
+ project-factory-dev = string
+ project-factory-prod = string
+ })
+ default = null
+}
diff --git a/fast/stages/2-networking-d-separate-envs/variables.tf b/fast/stages/2-networking-d-separate-envs/variables.tf
index a6c569c108..aabaab2d98 100644
--- a/fast/stages/2-networking-d-separate-envs/variables.tf
+++ b/fast/stages/2-networking-d-separate-envs/variables.tf
@@ -39,27 +39,6 @@ variable "alert_config" {
 }
 }
-variable "automation" {
- # tfdoc:variable:source 0-bootstrap
- description = "Automation resources created by the bootstrap stage."
- type = object({
- outputs_bucket = string
- })
-}
-
-variable "billing_account" {
- # tfdoc:variable:source 0-bootstrap
- description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
- type = object({
- id = string
- is_org_level = optional(bool, true)
- })
- validation {
- condition = var.billing_account.is_org_level != null
- error_message = "Invalid `null` value for `billing_account.is_org_level`."
- }
-}
-
 variable "dns" {
 description = "DNS configuration."
 type = object({
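Review bot: The new `prefix` validation in this variables-fast.tf still lets a `null` value through, because `try(length(var.prefix), 0)` evaluates to 0 for null and `0 < 12` holds, so a misconfigured `prefix = null` is only caught later, when a resource name is interpolated; a null prefix is never meaningful here, so add `nullable = false` to the block (the identical blocks added in 2-networking-e-nva-bgp/variables-fast.tf, 2-security/variables-fast.tf and 3-data-platform/dev/variables-fast.tf have the same gap). The `< 12` bound also means the 9-character organization limit named in the description and error message is not enforced in this stage at all — a 10- or 11-character prefix passes whether or not the deployment is tenant-level — which is presumably intentional per the commit message but deserves a comment such as `# the 9-char org-level limit is enforced by 0-bootstrap; this stage only bounds tenant prefixes`. Separately, this new file has no `# tfdoc:file:description` comment, which is why the regenerated README row in this commit reads `| [variables-fast.tf](./variables-fast.tf) | None | | |`; the 3-data-platform/dev file in the same commit carries `# tfdoc:file:description Terraform Variables.` and its README renders correctly, so an equivalent line belongs here and in 2-networking-e-nva-bgp/variables-fast.tf. The `fast_features` block carried into this file still reads `# tfdoc:variable:source 0-0-bootstrap`, which disagrees with the `0-bootstrap` source used by every other variable in the file and shows up as `0-0-bootstrap` in the README producer column.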
@@ -105,53 +84,12 @@ variable "factories_config" { } } -variable "fast_features" { - # tfdoc:variable:source 0-0-bootstrap - description = "Selective control for top-level FAST features." - type = object({ - gcve = optional(bool, false) - }) - default = {} - nullable = false -} - -variable "folder_ids" { - # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." - type = object({ - networking = string - networking-dev = string - networking-prod = string - }) -} - -variable "organization" { - # tfdoc:variable:source 0-bootstrap - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - variable "outputs_location" { description = "Path where providers and tfvars files for the following stages are written. Leave empty to disable." type = string default = null } -variable "prefix" { - # tfdoc:variable:source 0-bootstrap - description = "Prefix used for resources that need unique names. Use 9 characters or less." - type = string - - validation { - condition = try(length(var.prefix), 0) < 10 - error_message = "Use a maximum of 9 characters for prefix." - } -} - variable "psa_ranges" { description = "IP ranges used for Private Service Access (e.g. CloudSQL)." type = object({ @@ -182,20 +120,6 @@ variable "regions" { } } -variable "service_accounts" { - # tfdoc:variable:source 1-resman - description = "Automation service accounts in name => email format." - type = object({ - data-platform-dev = string - data-platform-prod = string - gke-dev = string - gke-prod = string - project-factory-dev = string - project-factory-prod = string - }) - default = null -} - variable "vpn_onprem_dev_primary_config" { description = "VPN gateway configuration for onprem interconnection from dev in the primary region." type = object({ 
diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md index 1d50a7548f..8018aa7808 100644 --- a/fast/stages/2-networking-e-nva-bgp/README.md +++ b/fast/stages/2-networking-e-nva-bgp/README.md @@ -475,6 +475,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | | [test-resources.tf](./test-resources.tf) | temporary instances for testing | compute-vm | | +| [variables-fast.tf](./variables-fast.tf) | None | | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | 
@@ -482,27 +483,27 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables.tf#L126) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables.tf#L162) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L178) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | -| [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | -| [dns](variables.tf#L72) | DNS configuration. 
| object({…}) | | {} | | -| [enable_cloud_nat](variables.tf#L82) | Deploy Cloud NAT. | bool | | false | | -| [essential_contacts](variables.tf#L89) | Email used for essential contacts, unset if null. | string | | null | | -| [factories_config](variables.tf#L95) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables.tf#L116) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | -| [gcp_ranges](variables.tf#L136) | GCP address ranges in name => range format. | map(string) | | {…} | | -| [ncc_asn](variables.tf#L151) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | | -| [outputs_location](variables.tf#L172) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | -| [psa_ranges](variables.tf#L189) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | -| [regions](variables.tf#L209) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables.tf#L221) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [vpn_onprem_primary_config](variables.tf#L235) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | -| [vpn_onprem_secondary_config](variables.tf#L278) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | -| [zones](variables.tf#L321) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | | +| [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | +| [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | | +| [enable_cloud_nat](variables.tf#L52) | Deploy Cloud NAT. 
| bool | | false | | +| [essential_contacts](variables.tf#L59) | Email used for essential contacts, unset if null. | string | | null | | +| [factories_config](variables.tf#L65) | Configuration for network resource factories. | object({…}) | | {…} | | +| [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [gcp_ranges](variables.tf#L86) | GCP address ranges in name => range format. | map(string) | | {…} | | +| [ncc_asn](variables.tf#L101) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | | +| [outputs_location](variables.tf#L112) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | +| [psa_ranges](variables.tf#L118) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | +| [regions](variables.tf#L138) | Region definitions. | object({…}) | | {…} | | +| [service_accounts](variables-fast.tf#L87) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [vpn_onprem_primary_config](variables.tf#L150) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | +| [vpn_onprem_secondary_config](variables.tf#L193) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | +| [zones](variables.tf#L236) | Zones in which NVAs are deployed. | list(string) | | ["b", "c"] | | ## Outputs diff --git a/fast/stages/2-networking-e-nva-bgp/variables-fast.tf b/fast/stages/2-networking-e-nva-bgp/variables-fast.tf new file mode 100644 index 0000000000..8185e94f5e --- /dev/null +++ b/fast/stages/2-networking-e-nva-bgp/variables-fast.tf 
@@ -0,0 +1,99 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "automation" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Automation resources created by the bootstrap stage."
+ type = object({
+ outputs_bucket = string
+ })
+}
+
+variable "billing_account" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
+ type = object({
+ id = string
+ is_org_level = optional(bool, true)
+ })
+ validation {
+ condition = var.billing_account.is_org_level != null
+ error_message = "Invalid `null` value for `billing_account.is_org_level`."
+ }
+}
+
+variable "custom_roles" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Custom roles defined at the org level, in key => id format."
+ type = object({
+ service_project_network_admin = string
+ })
+ default = null
+}
+
+variable "fast_features" {
+ # tfdoc:variable:source 0-0-bootstrap
+ description = "Selective control for top-level FAST features."
+ type = object({
+ gcve = optional(bool, false)
+ })
+ default = {}
+ nullable = false
+}
+
+variable "folder_ids" {
+ # tfdoc:variable:source 1-resman
+ description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
+ type = object({
+ networking = string
+ networking-dev = string
+ networking-prod = string
+ })
+}
+
+variable "organization" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Organization details."
+ type = object({
+ domain = string
+ id = number
+ customer_id = string
+ })
+}
+
+variable "prefix" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ type = string
+ validation {
+ condition = try(length(var.prefix), 0) < 12
+ error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ }
+}
+
+variable "service_accounts" {
+ # tfdoc:variable:source 1-resman
+ description = "Automation service accounts in name => email format."
+ type = object({
+ data-platform-dev = string
+ data-platform-prod = string
+ gke-dev = string
+ gke-prod = string
+ project-factory-dev = string
+ project-factory-prod = string
+ })
+ default = null
+}
diff --git a/fast/stages/2-networking-e-nva-bgp/variables.tf b/fast/stages/2-networking-e-nva-bgp/variables.tf
index 415f02e4cc..920e7a24f9 100644
--- a/fast/stages/2-networking-e-nva-bgp/variables.tf
+++ b/fast/stages/2-networking-e-nva-bgp/variables.tf
@@ -39,36 +39,6 @@ variable "alert_config" { } } -variable "automation" { - # tfdoc:variable:source 0-bootstrap - description = "Automation resources created by the bootstrap stage." - type = object({ - outputs_bucket = string - }) -} - -variable "billing_account" { - # tfdoc:variable:source 0-bootstrap - description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." - type = object({ - id = string - is_org_level = optional(bool, true) - }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } -} - -variable "custom_roles" { - # tfdoc:variable:source 0-bootstrap - description = "Custom roles defined at the org level, in key => id format." - type = object({ - service_project_network_admin = string - }) - default = null -} - variable "dns" { description = "DNS configuration." type = object({ @@ -113,26 +83,6 @@ variable "factories_config" { } } -variable "fast_features" { - # tfdoc:variable:source 0-0-bootstrap - description = "Selective control for top-level FAST features." - type = object({ - gcve = optional(bool, false) - }) - default = {} - nullable = false -} - -variable "folder_ids" { - # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." - type = object({ - networking = string - networking-dev = string - networking-prod = string - }) -} - variable "gcp_ranges" { description = "GCP address ranges in name => range format." type = map(string) 
@@ -159,33 +109,12 @@ variable "ncc_asn" { } } -variable "organization" { - # tfdoc:variable:source 0-bootstrap - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - variable "outputs_location" { description = "Path where providers and tfvars files for the following stages are written. Leave empty to disable." type = string default = null } -variable "prefix" { - # tfdoc:variable:source 0-bootstrap - description = "Prefix used for resources that need unique names. Use 9 characters or less." - type = string - - validation { - condition = try(length(var.prefix), 0) < 10 - error_message = "Use a maximum of 9 characters for prefix." - } -} - variable "psa_ranges" { description = "IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format." type = object({ @@ -218,20 +147,6 @@ variable "regions" { } } -variable "service_accounts" { - # tfdoc:variable:source 1-resman - description = "Automation service accounts in name => email format." - type = object({ - data-platform-dev = string - data-platform-prod = string - gke-dev = string - gke-prod = string - project-factory-dev = string - project-factory-prod = string - }) - default = null -} - variable "vpn_onprem_primary_config" { description = "VPN gateway configuration for onprem interconnection in the primary region." type = object({ diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index 84d45f08cf..5e6c8af1d1 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md 
@@ -241,16 +241,16 @@ Some references that might be useful in setting up this stage: | [billing_account](variables-fast.tf#L32) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [folder_ids](variables-fast.tf#L45) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | | [organization](variables-fast.tf#L63) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables.tf#L82) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | -| [service_accounts](variables-fast.tf#L87) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | +| [prefix](variables-fast.tf#L73) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [service_accounts](variables-fast.tf#L97) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | | [access_policy](variables-fast.tf#L17) | Access policy id for tenant-level VPC-SC configurations. | number | | null | 0-bootstrap | | [essential_contacts](variables.tf#L17) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L23) | Paths to folders that enable factory functionality. | object({…}) | | {} | | | [kms_keys](variables.tf#L37) | KMS keys to create, keyed by name. | map(object({…})) | | {} | | | [logging](variables-fast.tf#L53) | Log writer identities for organization / folders. | object({…}) | | null | 0-bootstrap | | [outputs_location](variables.tf#L76) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. 
| string | | null | |
-| [root_node](variables-fast.tf#L73) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
-| [vpc_sc](variables.tf#L92) | VPC SC configuration. | object({…}) | | {} | |
+| [root_node](variables-fast.tf#L83) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
+| [vpc_sc](variables.tf#L82) | VPC SC configuration. | object({…}) | | {} | |
 ## Outputs
diff --git a/fast/stages/2-security/variables-fast.tf b/fast/stages/2-security/variables-fast.tf
index e3c351cae1..048e2d5328 100644
--- a/fast/stages/2-security/variables-fast.tf
+++ b/fast/stages/2-security/variables-fast.tf
@@ -70,6 +70,16 @@ variable "organization" {
 })
 }
+variable "prefix" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ type = string
+ validation {
+ condition = try(length(var.prefix), 0) < 12
+ error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ }
+}
+
 variable "root_node" {
 # tfdoc:variable:source 0-bootstrap
 description = "Root node for the hierarchy, if running in tenant mode."
diff --git a/fast/stages/2-security/variables.tf b/fast/stages/2-security/variables.tf
index d8e4c2a0a0..2459d7f016 100644
--- a/fast/stages/2-security/variables.tf
+++ b/fast/stages/2-security/variables.tf
@@ -79,16 +79,6 @@ variable "outputs_location" {
 default = null
 }
-variable "prefix" {
- # tfdoc:variable:source 0-bootstrap
- description = "Prefix used for resources that need unique names. Use 9 characters or less."
- type = string
- validation {
- condition = try(length(var.prefix), 0) < 10
- error_message = "Use a maximum of 9 characters for prefix."
- }
-}
-
 variable "vpc_sc" {
 description = "VPC SC configuration."
 type = object({
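Review bot: The `prefix` block added to 2-security/variables-fast.tf sits in the one stage of this diff that already knows whether it runs in tenant mode — `root_node` on the following lines is documented as set only "if running in tenant mode" — yet its validation applies the tenant bound of `< 12` unconditionally, so an organization-level run of this stage accepts a 10- or 11-character prefix that 0-bootstrap would reject. If the pinned Terraform version allows a validation condition to reference another variable (newer releases do, older ones reject it, so check the version constraint), `condition = var.root_node == null ? try(length(var.prefix), 0) < 10 : try(length(var.prefix), 0) < 12` would enforce exactly the split the error message describes; otherwise a comment recording that the org-level limit is enforced only by 0-bootstrap keeps readers from assuming it is checked here. A literal `null` prefix also passes the `try(..., 0)` check; `nullable = false` on the block closes that.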
diff --git a/fast/stages/3-data-platform/dev/README.md b/fast/stages/3-data-platform/dev/README.md index 2764a30d3b..bcf9a0464e 100644 --- a/fast/stages/3-data-platform/dev/README.md +++ b/fast/stages/3-data-platform/dev/README.md 
@@ -177,32 +177,33 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data- |---|---|---|---| | [main.tf](./main.tf) | Data Platform. | data-platform-foundations | | | [outputs.tf](./outputs.tf) | Output variables. | | google_storage_bucket_object · local_file | +| [variables-fast.tf](./variables-fast.tf) | Terraform Variables. | | | | [variables.tf](./variables.tf) | Terraform Variables. | | | ## Variables | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables.tf#L148) | Folder to be used for the networking resources in folders/nnnn format. | object({…}) | ✓ | | 1-resman | -| [host_project_ids](variables.tf#L166) | Shared VPC project ids. | object({…}) | ✓ | | 2-networking | -| [organization](variables.tf#L196) | Organization details. | object({…}) | ✓ | | 00-globals | -| [prefix](variables.tf#L212) | Unique prefix used for resource names. Not used for projects if 'project_create' is null. | string | ✓ | | 00-globals | -| [composer_config](variables.tf#L38) | Cloud Composer config. | object({…}) | | {…} | | -| [data_catalog_tags](variables.tf#L127) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} | | -| [deletion_protection](variables.tf#L141) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. 
| bool | | true | | -| [groups_dp](variables.tf#L156) | Data Platform groups. | map(string) | | {…} | | -| [location](variables.tf#L174) | Location used for multi-regional resources. | string | | "eu" | | -| [network_config_composer](variables.tf#L180) | Network configurations to use for Composer. | object({…}) | | {…} | | -| [outputs_location](variables.tf#L206) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | -| [project_config](variables.tf#L222) | Provide projects configuration. | object({…}) | | {} | | -| [project_services](variables.tf#L242) | List of core services enabled on all projects. | list(string) | | […] | | -| [project_suffix](variables.tf#L253) | Suffix used only for project ids. | string | | null | | -| [region](variables.tf#L259) | Region used for regional resources. | string | | "europe-west1" | | -| [service_encryption_keys](variables.tf#L265) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | | -| [subnet_self_links](variables.tf#L277) | Shared VPC subnet self links. | object({…}) | | null | 2-networking | -| [vpc_self_links](variables.tf#L286) | Shared VPC self links. | object({…}) | | null | 2-networking | +| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L38) | Folder to be used for the networking resources in folders/nnnn format. | object({…}) | ✓ | | 1-resman | +| [host_project_ids](variables-fast.tf#L46) | Shared VPC project ids. | object({…}) | ✓ | | 2-networking | +| [organization](variables-fast.tf#L54) | Organization details. 
| object({…}) | ✓ | | 00-globals | +| [prefix](variables-fast.tf#L64) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {…} | | +| [data_catalog_tags](variables.tf#L106) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} | | +| [deletion_protection](variables.tf#L120) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | bool | | true | | +| [groups_dp](variables.tf#L127) | Data Platform groups. | map(string) | | {…} | | +| [location](variables.tf#L137) | Location used for multi-regional resources. | string | | "eu" | | +| [network_config_composer](variables.tf#L143) | Network configurations to use for Composer. | object({…}) | | {…} | | +| [outputs_location](variables.tf#L159) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | +| [project_config](variables.tf#L165) | Provide projects configuration. | object({…}) | | {} | | +| [project_services](variables.tf#L185) | List of core services enabled on all projects. | list(string) | | […] | | +| [project_suffix](variables.tf#L196) | Suffix used only for project ids. | string | | null | | +| [region](variables.tf#L202) | Region used for regional resources. | string | | "europe-west1" | | +| [service_encryption_keys](variables.tf#L208) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | | +| [subnet_self_links](variables-fast.tf#L74) | Shared VPC subnet self links. 
| object({…}) | | null | 2-networking | +| [vpc_self_links](variables-fast.tf#L83) | Shared VPC self links. | object({…}) | | null | 2-networking | ## Outputs diff --git a/fast/stages/3-data-platform/dev/variables-fast.tf b/fast/stages/3-data-platform/dev/variables-fast.tf new file mode 100644 index 0000000000..bd6ae628df --- /dev/null +++ b/fast/stages/3-data-platform/dev/variables-fast.tf 
@@ -0,0 +1,90 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# tfdoc:file:description Terraform Variables.
+
+variable "automation" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Automation resources created by the bootstrap stage."
+ type = object({
+ outputs_bucket = string
+ })
+}
+
+variable "billing_account" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
+ type = object({
+ id = string
+ is_org_level = optional(bool, true)
+ })
+ validation {
+ condition = var.billing_account.is_org_level != null
+ error_message = "Invalid `null` value for `billing_account.is_org_level`."
+ }
+}
+
+variable "folder_ids" {
+ # tfdoc:variable:source 1-resman
+ description = "Folder to be used for the networking resources in folders/nnnn format."
+ type = object({
+ data-platform-dev = string
+ })
+}
+
+variable "host_project_ids" {
+ # tfdoc:variable:source 2-networking
+ description = "Shared VPC project ids."
+ type = object({
+ dev-spoke-0 = string
+ })
+}
+
+variable "organization" {
+ # tfdoc:variable:source 00-globals
+ description = "Organization details."
+ type = object({
+ domain = string
+ id = number
+ customer_id = string
+ })
+}
+
+variable "prefix" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Prefix used for resources that need unique names. 
Use a maximum of 9 chars for organizations, and 11 chars for tenants." + type = string + validation { + condition = try(length(var.prefix), 0) < 12 + error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants." + } +} + +variable "subnet_self_links" { + # tfdoc:variable:source 2-networking + description = "Shared VPC subnet self links." + type = object({ + dev-spoke-0 = map(string) + }) + default = null +} + +variable "vpc_self_links" { + # tfdoc:variable:source 2-networking + description = "Shared VPC self links." + type = object({ + dev-spoke-0 = string + }) + default = null +} diff --git a/fast/stages/3-data-platform/dev/variables.tf b/fast/stages/3-data-platform/dev/variables.tf index 512f94b01c..a2d8271dc1 100644 --- a/fast/stages/3-data-platform/dev/variables.tf +++ b/fast/stages/3-data-platform/dev/variables.tf @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,27 +14,6 @@ # tfdoc:file:description Terraform Variables. -variable "automation" { - # tfdoc:variable:source 0-bootstrap - description = "Automation resources created by the bootstrap stage." - type = object({ - outputs_bucket = string - }) -} - -variable "billing_account" { - # tfdoc:variable:source 0-bootstrap - description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." - type = object({ - id = string - is_org_level = optional(bool, true) - }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } -} - variable "composer_config" { description = "Cloud Composer config." type = object({ 
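Review bot: The `prefix` validation near the end of this hunk, `try(length(var.prefix), 0) < 12`, only caps the length, so an empty string or an explicit `null` still passes even though the description says this value is what makes resource names unique; if that is not intended, add `nullable = false` to the block and tighten the condition to `length(var.prefix) > 0 && length(var.prefix) < 12`. The same validation block is copied into the new `variables-fast.tf` for 3-gcve/prod, 3-gke-multitenant/dev and 3-project-factory/dev in this commit, so whatever is decided here should be mirrored there. Two smaller points in this file: its license header uses `#` lines while the other three new files in the commit use a `/** */` block, and the `folder_ids` description still reads "Folder to be used for the networking resources" although the only key is `data-platform-dev`.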
@@ -145,14 +124,6 @@ variable "deletion_protection" { nullable = false } -variable "folder_ids" { - # tfdoc:variable:source 1-resman - description = "Folder to be used for the networking resources in folders/nnnn format." - type = object({ - data-platform-dev = string - }) -} - variable "groups_dp" { description = "Data Platform groups." type = map(string) @@ -163,14 +134,6 @@ variable "groups_dp" { } } -variable "host_project_ids" { - # tfdoc:variable:source 2-networking - description = "Shared VPC project ids." - type = object({ - dev-spoke-0 = string - }) -} - variable "location" { description = "Location used for multi-regional resources." type = string @@ -193,32 +156,12 @@ variable "network_config_composer" { } } -variable "organization" { - # tfdoc:variable:source 00-globals - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - variable "outputs_location" { description = "Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable." type = string default = null } -variable "prefix" { - # tfdoc:variable:source 00-globals - description = "Unique prefix used for resource names. Not used for projects if 'project_create' is null." - type = string - validation { - condition = try(length(var.prefix), 0) < 13 - error_message = "Use a maximum of 12 characters for prefix." - } -} - variable "project_config" { description = "Provide projects configuration." type = object({ @@ -273,21 +216,3 @@ variable "service_encryption_keys" { }) default = null } - -variable "subnet_self_links" { - # tfdoc:variable:source 2-networking - description = "Shared VPC subnet self links." - type = object({ - dev-spoke-0 = map(string) - }) - default = null -} - -variable "vpc_self_links" { - # tfdoc:variable:source 2-networking - description = "Shared VPC self links." - type = object({ - dev-spoke-0 = string - }) - default = null -} 
diff --git a/fast/stages/3-gcve/prod/README.md b/fast/stages/3-gcve/prod/README.md index e0cb8eb0aa..28a784daf4 100644 --- a/fast/stages/3-gcve/prod/README.md +++ b/fast/stages/3-gcve/prod/README.md 
@@ -101,25 +101,26 @@ The VPC host project, VPC and subnets should already exist.
|---|---|---|---|
| [main.tf](./main.tf) | GCVE private cloud for development environment. | pc-minimal | |
| [outputs.tf](./outputs.tf) | Output variables. | | google_storage_bucket_object · local_file |
+| [variables-fast.tf](./variables-fast.tf) | None | | |
| [variables.tf](./variables.tf) | Module variables. | | |
## Variables
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
-| [automation](variables.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
-| [billing_account](variables.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables.tf#L38) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [host_project_ids](variables.tf#L59) | Host project for the shared VPC. | object({…}) | ✓ | | 2-networking |
-| [organization](variables.tf#L80) | Organization details. | object({…}) | ✓ | | 00-globals |
-| [prefix](variables.tf#L96) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
-| [private_cloud_configs](variables.tf#L102) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | ✓ | | |
-| [vpc_self_links](variables.tf#L131) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
-| [groups_gcve](variables.tf#L46) | GCVE groups. | object({…}) | | {…} | |
-| [iam](variables.tf#L67) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | |
-| [labels](variables.tf#L74) | Project-level labels. 
| map(string) | | {} | |
-| [outputs_location](variables.tf#L90) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
-| [project_services](variables.tf#L124) | Additional project services to enable. | list(string) | | [] | |
+| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
+| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
+| [folder_ids](variables-fast.tf#L38) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [host_project_ids](variables-fast.tf#L46) | Host project for the shared VPC. | object({…}) | ✓ | | 2-networking |
+| [organization](variables-fast.tf#L54) | Organization details. | object({…}) | ✓ | | 00-globals |
+| [prefix](variables-fast.tf#L64) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [private_cloud_configs](variables.tf#L49) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | ✓ | | |
+| [vpc_self_links](variables-fast.tf#L74) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
+| [groups_gcve](variables.tf#L17) | GCVE groups. | object({…}) | | {…} | |
+| [iam](variables.tf#L30) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | |
+| [labels](variables.tf#L37) | Project-level labels. | map(string) | | {} | |
+| [outputs_location](variables.tf#L43) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. 
| string | | null | |
+| [project_services](variables.tf#L71) | Additional project services to enable. | list(string) | | [] | |
## Outputs
diff --git a/fast/stages/3-gcve/prod/variables-fast.tf b/fast/stages/3-gcve/prod/variables-fast.tf
new file mode 100644
index 0000000000..de32e273c5
--- /dev/null
+++ b/fast/stages/3-gcve/prod/variables-fast.tf
@@ -0,0 +1,82 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "automation" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Automation resources created by the bootstrap stage."
+ type = object({
+ outputs_bucket = string
+ })
+}
+
+variable "billing_account" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
+ type = object({
+ id = string
+ is_org_level = optional(bool, true)
+ })
+ validation {
+ condition = var.billing_account.is_org_level != null
+ error_message = "Invalid `null` value for `billing_account.is_org_level`."
+ }
+}
+
+variable "folder_ids" {
+ # tfdoc:variable:source 1-resman
+ description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
+ type = object({
+ gcve-prod = string
+ })
+}
+
+variable "host_project_ids" {
+ # tfdoc:variable:source 2-networking
+ description = "Host project for the shared VPC."
+ type = object({
+ prod-spoke-0 = string
+ })
+}
+
+variable "organization" {
+ # tfdoc:variable:source 00-globals
+ description = "Organization details."
+ type = object({
+ domain = string
+ id = number
+ customer_id = string
+ })
+}
+
+variable "prefix" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Prefix used for resources that need unique names. 
Use a maximum of 9 chars for organizations, and 11 chars for tenants." + type = string + validation { + condition = try(length(var.prefix), 0) < 12 + error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants." + } +} + +variable "vpc_self_links" { + # tfdoc:variable:source 2-networking + description = "Self link for the shared VPC." + type = object({ + prod-spoke-0 = string + }) +} + + diff --git a/fast/stages/3-gcve/prod/variables.tf b/fast/stages/3-gcve/prod/variables.tf index ee48c97079..451485c3d6 100644 --- a/fast/stages/3-gcve/prod/variables.tf +++ b/fast/stages/3-gcve/prod/variables.tf @@ -14,35 +14,6 @@ * limitations under the License. */ -variable "automation" { - # tfdoc:variable:source 0-bootstrap - description = "Automation resources created by the bootstrap stage." - type = object({ - outputs_bucket = string - }) -} - -variable "billing_account" { - # tfdoc:variable:source 0-bootstrap - description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." - type = object({ - id = string - is_org_level = optional(bool, true) - }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } -} - -variable "folder_ids" { - # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." - type = object({ - gcve-prod = string - }) -} - variable "groups_gcve" { description = "GCVE groups." type = object({ @@ -56,14 +27,6 @@ variable "groups_gcve" { nullable = false } -variable "host_project_ids" { - # tfdoc:variable:source 2-networking - description = "Host project for the shared VPC." - type = object({ - prod-spoke-0 = string - }) -} - variable "iam" { description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format." type = map(list(string)) 
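Review bot: This new file carries no `tfdoc:file:description` annotation, which is why the regenerated README table in this commit lists `variables-fast.tf` with the description `None`; a line such as `# tfdoc:file:description FAST stage interface variables.` after the license header would fix that. The new `variables-fast.tf` for 3-gke-multitenant/dev and 3-project-factory/dev have the same gap, while the 3-data-platform/dev one uses `Terraform Variables.`, which duplicates the wording already used for `variables.tf`. The hunk also ends with two empty added lines after the closing brace of `vpc_self_links`, which look unintentional. Separately, the `folder_ids` description says "If null, folder will be created", but the variable has no default and a required `gcve-prod` attribute, so it is not clear from this file that such a path exists.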
@@ -77,28 +40,12 @@ variable "labels" { default = {} } -variable "organization" { - # tfdoc:variable:source 00-globals - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - variable "outputs_location" { description = "Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable." type = string default = null } -variable "prefix" { - # tfdoc:variable:source 0-bootstrap - description = "Prefix used for resources that need unique names. Use 9 characters or less." - type = string -} - variable "private_cloud_configs" { description = "The VMware private cloud configurations. The key is the unique private cloud name suffix." type = map(object({ @@ -127,13 +74,3 @@ variable "project_services" { default = [] nullable = false } - -variable "vpc_self_links" { - # tfdoc:variable:source 2-networking - description = "Self link for the shared VPC." - type = object({ - prod-spoke-0 = string - }) -} - - diff --git a/fast/stages/3-gke-multitenant/dev/README.md b/fast/stages/3-gke-multitenant/dev/README.md index 6e228835f0..85fb985545 100644 --- a/fast/stages/3-gke-multitenant/dev/README.md +++ b/fast/stages/3-gke-multitenant/dev/README.md 
@@ -208,29 +208,30 @@ Leave all these variables unset (or set to `null`) to disable fleet management.
|---|---|---|---|
| [main.tf](./main.tf) | GKE multitenant for development environment. | multitenant-fleet | |
| [outputs.tf](./outputs.tf) | Output variables. | | google_storage_bucket_object · local_file |
+| [variables-fast.tf](./variables-fast.tf) | None | | |
| [variables.tf](./variables.tf) | Module variables. | | |
## Variables
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
-| [automation](variables.tf#L21) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
-| [billing_account](variables.tf#L29) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables.tf#L175) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [host_project_ids](variables.tf#L183) | Host project for the shared VPC. | object({…}) | ✓ | | 2-networking |
-| [prefix](variables.tf#L250) | Prefix used for resources that need unique names. | string | ✓ | | |
-| [vpc_self_links](variables.tf#L266) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
-| [clusters](variables.tf#L42) | Clusters configuration. Refer to the gke-cluster-standard module for type details. | map(object({…})) | | {} | |
-| [fleet_configmanagement_clusters](variables.tf#L112) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | map(list(string)) | | {} | |
-| [fleet_configmanagement_templates](variables.tf#L120) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} | |
-| [fleet_features](variables.tf#L155) | Enable and configure fleet features. 
Set to null to disable GKE Hub if fleet workload identity is not used. | object({…}) | | null | |
-| [fleet_workload_identity](variables.tf#L168) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | bool | | false | |
-| [iam](variables.tf#L191) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | |
-| [iam_by_principals](variables.tf#L198) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
-| [labels](variables.tf#L205) | Project-level labels. | map(string) | | {} | |
-| [nodepools](variables.tf#L211) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | |
-| [outputs_location](variables.tf#L244) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
-| [project_services](variables.tf#L259) | Additional project services to enable. | list(string) | | [] | |
+| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
+| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
+| [folder_ids](variables-fast.tf#L38) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [host_project_ids](variables-fast.tf#L46) | Host project for the shared VPC. | object({…}) | ✓ | | 2-networking |
+| [prefix](variables-fast.tf#L54) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. 
| string | ✓ | | 0-bootstrap |
+| [vpc_self_links](variables-fast.tf#L64) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
+| [clusters](variables.tf#L17) | Clusters configuration. Refer to the gke-cluster-standard module for type details. | map(object({…})) | | {} | |
+| [fleet_configmanagement_clusters](variables.tf#L87) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | map(list(string)) | | {} | |
+| [fleet_configmanagement_templates](variables.tf#L94) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} | |
+| [fleet_features](variables.tf#L129) | Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | object({…}) | | null | |
+| [fleet_workload_identity](variables.tf#L142) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | bool | | false | |
+| [iam](variables.tf#L149) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | |
+| [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
+| [labels](variables.tf#L163) | Project-level labels. | map(string) | | {} | |
+| [nodepools](variables.tf#L169) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | |
+| [outputs_location](variables.tf#L202) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
+| [project_services](variables.tf#L208) | Additional project services to enable. | list(string) | | [] | |
## Outputs
diff --git a/fast/stages/3-gke-multitenant/dev/variables-fast.tf b/fast/stages/3-gke-multitenant/dev/variables-fast.tf new file mode 100644 index 0000000000..8c8251aef5 --- /dev/null +++ b/fast/stages/3-gke-multitenant/dev/variables-fast.tf 
@@ -0,0 +1,70 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "automation" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Automation resources created by the bootstrap stage."
+ type = object({
+ outputs_bucket = string
+ })
+}
+
+variable "billing_account" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
+ type = object({
+ id = string
+ is_org_level = optional(bool, true)
+ })
+ validation {
+ condition = var.billing_account.is_org_level != null
+ error_message = "Invalid `null` value for `billing_account.is_org_level`."
+ }
+}
+
+variable "folder_ids" {
+ # tfdoc:variable:source 1-resman
+ description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
+ type = object({
+ gke-dev = string
+ })
+}
+
+variable "host_project_ids" {
+ # tfdoc:variable:source 2-networking
+ description = "Host project for the shared VPC."
+ type = object({
+ dev-spoke-0 = string
+ })
+}
+
+variable "prefix" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ type = string
+ validation {
+ condition = try(length(var.prefix), 0) < 12
+ error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants." 
+ } +} + +variable "vpc_self_links" { + # tfdoc:variable:source 2-networking + description = "Self link for the shared VPC." + type = object({ + dev-spoke-0 = string + }) +} diff --git a/fast/stages/3-gke-multitenant/dev/variables.tf b/fast/stages/3-gke-multitenant/dev/variables.tf index 092f630431..0002386012 100644 --- a/fast/stages/3-gke-multitenant/dev/variables.tf +++ b/fast/stages/3-gke-multitenant/dev/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2023 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -14,31 +14,6 @@ * limitations under the License. */ -# we deal with one env here -# 1 project, m clusters -# cloud dns for gke? - -variable "automation" { - # tfdoc:variable:source 0-bootstrap - description = "Automation resources created by the bootstrap stage." - type = object({ - outputs_bucket = string - }) -} - -variable "billing_account" { - # tfdoc:variable:source 0-bootstrap - description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." - type = object({ - id = string - is_org_level = optional(bool, true) - }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } -} - variable "clusters" { description = "Clusters configuration. Refer to the gke-cluster-standard module for type details." type = map(object({ @@ -116,7 +91,6 @@ variable "fleet_configmanagement_clusters" { nullable = false } - variable "fleet_configmanagement_templates" { description = "Sets of config management configurations that can be applied to member clusters, in config name => {options} format." type = map(object({ 
@@ -172,22 +146,6 @@ variable "fleet_workload_identity" { nullable = false } -variable "folder_ids" { - # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." - type = object({ - gke-dev = string - }) -} - -variable "host_project_ids" { - # tfdoc:variable:source 2-networking - description = "Host project for the shared VPC." - type = object({ - dev-spoke-0 = string - }) -} - variable "iam" { description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format." type = map(list(string)) @@ -247,26 +205,9 @@ variable "outputs_location" { default = null } -variable "prefix" { - description = "Prefix used for resources that need unique names." - type = string - validation { - condition = try(length(var.prefix), 0) < 13 - error_message = "Use a maximum of 12 characters for prefix." - } -} - variable "project_services" { description = "Additional project services to enable." type = list(string) default = [] nullable = false } - -variable "vpc_self_links" { - # tfdoc:variable:source 2-networking - description = "Self link for the shared VPC." - type = object({ - dev-spoke-0 = string - }) -} diff --git a/fast/stages/3-project-factory/dev/README.md b/fast/stages/3-project-factory/dev/README.md index d4915301a2..9ae2cb1ae0 100644 --- a/fast/stages/3-project-factory/dev/README.md +++ b/fast/stages/3-project-factory/dev/README.md 
@@ -72,15 +72,16 @@ terraform apply
|---|---|---|
| [main.tf](./main.tf) | Project factory. | project-factory |
| [outputs.tf](./outputs.tf) | Module outputs. | |
+| [variables-fast.tf](./variables-fast.tf) | None | |
| [variables.tf](./variables.tf) | Module variables. | |
## Variables
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
-| [billing_account](variables.tf#L19) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [factories_config](variables.tf#L32) | Path to folder with YAML resource description data files. | object({…}) | ✓ | | |
-| [prefix](variables.tf#L45) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [billing_account](variables-fast.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
+| [factories_config](variables.tf#L17) | Path to folder with YAML resource description data files. | object({…}) | ✓ | | |
+| [prefix](variables-fast.tf#L30) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
## Outputs
diff --git a/fast/stages/3-project-factory/dev/variables-fast.tf b/fast/stages/3-project-factory/dev/variables-fast.tf
new file mode 100644
index 0000000000..0144aae297
--- /dev/null
+++ b/fast/stages/3-project-factory/dev/variables-fast.tf
@@ -0,0 +1,38 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "billing_account" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
+ type = object({
+ id = string
+ is_org_level = optional(bool, true)
+ })
+ validation {
+ condition = var.billing_account.is_org_level != null
+ error_message = "Invalid `null` value for `billing_account.is_org_level`."
+ }
+}
+
+variable "prefix" {
+ # tfdoc:variable:source 0-bootstrap
+ description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ type = string
+ validation {
+ condition = try(length(var.prefix), 0) < 12
+ error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants."
+ }
+}
diff --git a/fast/stages/3-project-factory/dev/variables.tf b/fast/stages/3-project-factory/dev/variables.tf
index 26607cdf1f..64111f6c6c 100644
--- a/fast/stages/3-project-factory/dev/variables.tf
+++ b/fast/stages/3-project-factory/dev/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,21 +14,6 @@ * limitations under the License. */ -#TODO: tfdoc annotations - -variable "billing_account" { - # tfdoc:variable:source 0-bootstrap - description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." - type = object({ - id = string - is_org_level = optional(bool, true) - }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } -} - variable "factories_config" { description = "Path to folder with YAML resource description data files." type = object({ @@ -41,13 +26,3 @@ variable "factories_config" { }) nullable = false } - -variable "prefix" { - # tfdoc:variable:source 0-bootstrap - description = "Prefix used for resources that need unique names. Use 9 characters or less." - type = string - validation { - condition = try(length(var.prefix), 0) < 10 - error_message = "Use a maximum of 9 characters for prefix." - } -}