Merge branch 'master' into wiktorn-app-lb-neg-fix

CHANGELOG.md

@@ -24,6 +24,7 @@ All notable changes to this project will be documented in this file.
 
 ### FAST
 
+- [[#2353](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2353)] Add main project factory service account ([ludoo](https://github.com/ludoo)) <!-- 2024-06-10 10:23:30+00:00 -->
 - [[#2352](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2352)] **incompatible change:** Remove support for source repositories from FAST CI/CD ([ludoo](https://github.com/ludoo)) <!-- 2024-06-10 09:02:55+00:00 -->
 - [[#2344](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2344)] Fix typos in documentation ([albertogeniola](https://github.com/albertogeniola)) <!-- 2024-06-07 14:32:06+00:00 -->
 - [[#2340](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2340)] Fix wrong documentation reference to tfvars ([albertogeniola](https://github.com/albertogeniola)) <!-- 2024-06-04 14:23:08+00:00 -->

fast/stages/1-resman/billing.tf

@@ -29,6 +29,7 @@ locals {
     local.branch_optional_sa_lists.gke-prod,
     local.branch_optional_sa_lists.gcve-dev,
     local.branch_optional_sa_lists.gcve-prod,
+    local.branch_optional_sa_lists.pf,
     local.branch_optional_sa_lists.pf-dev,
     local.branch_optional_sa_lists.pf-prod,
   )

fast/stages/1-resman/branch-networking.tf

@@ -68,13 +68,15 @@ module "branch-network-prod-folder" {
       local.branch_optional_sa_lists.dp-prod,
       local.branch_optional_sa_lists.gke-prod,
       local.branch_optional_sa_lists.gcve-prod,
+      local.branch_optional_sa_lists.pf,
       local.branch_optional_sa_lists.pf-prod,
     )
     # read-only (plan) automation service accounts
     "roles/compute.networkViewer" = concat(
       local.branch_optional_r_sa_lists.dp-prod,
       local.branch_optional_r_sa_lists.gke-prod,
       local.branch_optional_r_sa_lists.gcve-prod,
+      local.branch_optional_r_sa_lists.pf,
       local.branch_optional_r_sa_lists.pf-prod,
     )
     (local.custom_roles.gcve_network_admin) = local.branch_optional_sa_lists.gcve-prod
@@ -97,13 +99,15 @@ module "branch-network-dev-folder" {
       local.branch_optional_sa_lists.dp-dev,
       local.branch_optional_sa_lists.gke-dev,
       local.branch_optional_sa_lists.gcve-dev,
+      local.branch_optional_sa_lists.pf,
       local.branch_optional_sa_lists.pf-dev,
     )
     # read-only (plan) automation service accounts
     "roles/compute.networkViewer" = concat(
       local.branch_optional_r_sa_lists.dp-dev,
       local.branch_optional_r_sa_lists.gke-dev,
       local.branch_optional_r_sa_lists.gcve-dev,
+      local.branch_optional_r_sa_lists.pf,
       local.branch_optional_r_sa_lists.pf-dev,
     )
     (local.custom_roles.gcve_network_admin) = local.branch_optional_sa_lists.gcve-dev

fast/stages/1-resman/branch-project-factory.tf

@@ -18,6 +18,26 @@
 
 # automation service accounts
 
+module "branch-pf-sa" {
+  source       = "../../../modules/iam-service-account"
+  count        = var.fast_features.project_factory ? 1 : 0
+  project_id   = var.automation.project_id
+  name         = "resman-pf-0"
+  display_name = "Terraform project factory main service account."
+  prefix       = var.prefix
+  iam = {
+    "roles/iam.serviceAccountTokenCreator" = compact([
+      try(module.branch-pf-sa-cicd[0].iam_email, null)
+    ])
+  }
+  iam_project_roles = {
+    (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
+  }
+  iam_storage_roles = {
+    (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
+  }
+}
+
 module "branch-pf-dev-sa" {
   source       = "../../../modules/iam-service-account"
   count        = var.fast_features.project_factory ? 1 : 0
@@ -60,6 +80,26 @@ module "branch-pf-prod-sa" {
 
 # automation read-only service accounts
 
+module "branch-pf-r-sa" {
+  source       = "../../../modules/iam-service-account"
+  count        = var.fast_features.project_factory ? 1 : 0
+  project_id   = var.automation.project_id
+  name         = "resman-pf-0r"
+  display_name = "Terraform project factory main service account (read-only)."
+  prefix       = var.prefix
+  iam = {
+    "roles/iam.serviceAccountTokenCreator" = compact([
+      try(module.branch-pf-r-sa-cicd[0].iam_email, null)
+    ])
+  }
+  iam_project_roles = {
+    (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
+  }
+  iam_storage_roles = {
+    (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
+  }
+}
+
 module "branch-pf-dev-r-sa" {
   source       = "../../../modules/iam-service-account"
   count        = var.fast_features.project_factory ? 1 : 0
@@ -102,6 +142,21 @@ module "branch-pf-prod-r-sa" {
 
 # automation buckets
 
+module "branch-pf-gcs" {
+  source        = "../../../modules/gcs"
+  count         = var.fast_features.project_factory ? 1 : 0
+  project_id    = var.automation.project_id
+  name          = "resman-pf-0"
+  prefix        = var.prefix
+  location      = var.locations.gcs
+  storage_class = local.gcs_storage_class
+  versioning    = true
+  iam = {
+    "roles/storage.objectAdmin"  = [module.branch-pf-sa[0].iam_email]
+    "roles/storage.objectViewer" = [module.branch-pf-r-sa[0].iam_email]
+  }
+}
+
 module "branch-pf-dev-gcs" {
   source        = "../../../modules/gcs"
   count         = var.fast_features.project_factory ? 1 : 0

fast/stages/1-resman/cicd-project-factory.tf

@@ -18,6 +18,41 @@
 
 # read-write (apply) SAs used by CI/CD workflows to impersonate automation SAs
 
+module "branch-pf-sa-cicd" {
+  source = "../../../modules/iam-service-account"
+  for_each = (
+    try(local.cicd_repositories.project_factory.name, null) != null
+    ? { 0 = local.cicd_repositories.project_factory }
+    : {}
+  )
+  project_id   = var.automation.project_id
+  name         = "pf-resman-pf-1"
+  display_name = "Terraform CI/CD project factory main service account."
+  prefix       = var.prefix
+  iam = {
+    "roles/iam.workloadIdentityUser" = [
+      each.value.branch == null
+      ? format(
+        local.identity_providers[each.value.identity_provider].principal_repo,
+        var.automation.federated_identity_pool,
+        each.value.name
+      )
+      : format(
+        local.identity_providers[each.value.identity_provider].principal_branch,
+        var.automation.federated_identity_pool,
+        each.value.name,
+        each.value.branch
+      )
+    ]
+  }
+  iam_project_roles = {
+    (var.automation.project_id) = ["roles/logging.logWriter"]
+  }
+  iam_storage_roles = {
+    (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
+  }
+}
+
 module "branch-pf-dev-sa-cicd" {
   source = "../../../modules/iam-service-account"
   for_each = (
@@ -90,6 +125,34 @@ module "branch-pf-prod-sa-cicd" {
 
 # read-only (plan) SAs used by CI/CD workflows to impersonate automation SAs
 
+module "branch-pf-r-sa-cicd" {
+  source = "../../../modules/iam-service-account"
+  for_each = (
+    try(local.cicd_repositories.project_factory.name, null) != null
+    ? { 0 = local.cicd_repositories.project_factory }
+    : {}
+  )
+  project_id   = var.automation.project_id
+  name         = "resman-pf-1r"
+  display_name = "Terraform CI/CD project factory main service account (read-only)."
+  prefix       = var.prefix
+  iam = {
+    "roles/iam.workloadIdentityUser" = [
+      format(
+        local.identity_providers[each.value.identity_provider].principal_repo,
+        var.automation.federated_identity_pool,
+        each.value.name
+      )
+    ]
+  }
+  iam_project_roles = {
+    (var.automation.project_id) = ["roles/logging.logWriter"]
+  }
+  iam_storage_roles = {
+    (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
+  }
+}
+
 module "branch-pf-dev-r-sa-cicd" {
   source = "../../../modules/iam-service-account"
   for_each = (

fast/stages/1-resman/iam.tf

@@ -72,6 +72,14 @@ locals {
     },
     # optional billing roles for project factory
     local.billing_mode != "org" || !var.fast_features.project_factory ? {} : {
+      sa_pf_billing = {
+        member = module.branch-pf-sa[0].iam_email
+        role   = "roles/billing.user"
+      }
+      sa_pf_costs_manager = {
+        member = module.branch-pf-sa[0].iam_email
+        role   = "roles/billing.costsManager"
+      }
       sa_pf_dev_billing = {
         member = module.branch-pf-dev-sa[0].iam_email
         role   = "roles/billing.user"
@@ -90,8 +98,19 @@ locals {
       }
     },
     # scoped org policy admin grants for project factory
-    # TODO: exclude security and networking
+    # TODO: change to use context and environment tags, and tag bindings in stage 2s
     !var.fast_features.project_factory || var.root_node != null ? {} : {
+      sa_pf_conditional_org_policy = {
+        member = module.branch-pf-sa[0].iam_email
+        role   = "roles/orgpolicy.policyAdmin"
+        condition = {
+          title       = "org_policy_tag_pf_scoped"
+          description = "Org policy tag scoped grant for project factory main."
+          expression  = <<-END
+            resource.matchTag('${local.tag_root}/${var.tag_names.context}', 'project-factory')
+          END
+        }
+      }
       sa_pf_dev_conditional_org_policy = {
         member = module.branch-pf-dev-sa[0].iam_email
         role   = "roles/orgpolicy.policyAdmin"

fast/stages/1-resman/main.tf

@@ -29,6 +29,7 @@ locals {
     gcve-prod = compact([try(module.branch-gcve-prod-sa[0].iam_email, "")])
     gke-dev   = compact([try(module.branch-gke-dev-sa[0].iam_email, "")])
     gke-prod  = compact([try(module.branch-gke-prod-sa[0].iam_email, "")])
+    pf        = compact([try(module.branch-pf-sa[0].iam_email, "")])
     pf-dev    = compact([try(module.branch-pf-dev-sa[0].iam_email, "")])
     pf-prod   = compact([try(module.branch-pf-prod-sa[0].iam_email, "")])
   }
@@ -39,6 +40,7 @@ locals {
     gcve-prod = compact([try(module.branch-gcve-prod-r-sa[0].iam_email, "")])
     gke-dev   = compact([try(module.branch-gke-dev-r-sa[0].iam_email, "")])
     gke-prod  = compact([try(module.branch-gke-prod-r-sa[0].iam_email, "")])
+    pf        = compact([try(module.branch-pf-r-sa[0].iam_email, "")])
     pf-dev    = compact([try(module.branch-pf-dev-r-sa[0].iam_email, "")])
     pf-prod   = compact([try(module.branch-pf-prod-r-sa[0].iam_email, "")])
   }

fast/stages/1-resman/organization.tf

@@ -61,6 +61,9 @@ module "organization" {
         networking = {
           iam = try(local.tags.context.values.networking.iam, {})
         }
+        project-factory = {
+          iam = try(local.tags.context.values.project-factory.iam, {})
+        }
         sandbox = {
           iam = try(local.tags.context.values.sandbox.iam, {})
         }

fast/stages/1-resman/outputs.tf

@@ -94,6 +94,17 @@ locals {
       }
       tf_var_files = local.cicd_workflow_var_files.stage_2
     }
+    project_factory = {
+      service_accounts = {
+        apply = try(module.branch-pf-sa-cicd[0].email, null)
+        plan  = try(module.branch-pf-r-sa-cicd[0].email, null)
+      }
+      tf_providers_files = {
+        apply = "3-project-factory-providers.tf"
+        plan  = "3-project-factory-r-providers.tf"
+      }
+      tf_var_files = local.cicd_workflow_var_files.stage_3
+    }
     project_factory_dev = {
       service_accounts = {
         apply = try(module.branch-pf-dev-sa-cicd[0].email, null)
@@ -276,28 +287,40 @@ locals {
       })
     },
     !var.fast_features.project_factory ? {} : {
+      "3-project-factory" = templatefile(local._tpl_providers, {
+        backend_extra = null
+        bucket        = module.branch-pf-gcs[0].name
+        name          = "project-factory"
+        sa            = module.branch-pf-sa[0].email
+      })
+      "3-project-factory-r" = templatefile(local._tpl_providers, {
+        backend_extra = null
+        bucket        = module.branch-pf-gcs[0].name
+        name          = "project-factory"
+        sa            = module.branch-pf-r-sa[0].email
+      })
       "3-project-factory-dev" = templatefile(local._tpl_providers, {
         backend_extra = null
         bucket        = module.branch-pf-dev-gcs[0].name
-        name          = "team-dev"
+        name          = "project-factory-dev"
         sa            = module.branch-pf-dev-sa[0].email
       })
       "3-project-factory-dev-r" = templatefile(local._tpl_providers, {
         backend_extra = null
         bucket        = module.branch-pf-dev-gcs[0].name
-        name          = "team-dev"
+        name          = "project-factory-dev"
         sa            = module.branch-pf-dev-r-sa[0].email
       })
       "3-project-factory-prod" = templatefile(local._tpl_providers, {
         backend_extra = null
         bucket        = module.branch-pf-prod-gcs[0].name
-        name          = "team-prod"
+        name          = "project-factory-prod"
         sa            = module.branch-pf-prod-sa[0].email
       })
       "3-project-factory-prod-r" = templatefile(local._tpl_providers, {
         backend_extra = null
         bucket        = module.branch-pf-prod-gcs[0].name
-        name          = "team-prod"
+        name          = "project-factory-prod"
         sa            = module.branch-pf-prod-r-sa[0].email
       })
     },
@@ -326,6 +349,8 @@ locals {
       gke-prod-r             = try(module.branch-gke-prod-r-sa[0].email, null)
       networking             = module.branch-network-sa.email
       networking-r           = module.branch-network-r-sa.email
+      project-factory        = try(module.branch-pf-sa[0].email, null)
+      project-factory-r      = try(module.branch-pf-r-sa[0].email, null)
       project-factory-dev    = try(module.branch-pf-dev-sa[0].email, null)
       project-factory-dev-r  = try(module.branch-pf-dev-r-sa[0].email, null)
       project-factory-prod   = try(module.branch-pf-prod-sa[0].email, null)
@@ -442,6 +467,10 @@ output "project_factories" {
       bucket = module.branch-pf-dev-gcs[0].name
       sa     = module.branch-pf-dev-sa[0].email
     }
+    main = {
+      bucket = module.branch-pf-gcs[0].name
+      sa     = module.branch-pf-sa[0].email
+    }
     prod = {
       bucket = module.branch-pf-prod-gcs[0].name
       sa     = module.branch-pf-prod-sa[0].email

fast/stages/1-resman/variables.tf

@@ -62,6 +62,12 @@ variable "cicd_repositories" {
       branch            = optional(string)
       identity_provider = optional(string)
     }))
+    project_factory = optional(object({
+      name              = string
+      type              = string
+      branch            = optional(string)
+      identity_provider = optional(string)
+    }))
     project_factory_dev = optional(object({
       name              = string
       type              = string