diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 854fa6c507..642c9fbc05 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -267,18 +267,18 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap |
-| [logging](variables-fast.tf#L96) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
-| [organization](variables-fast.tf#L109) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [logging](variables-fast.tf#L97) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
+| [organization](variables-fast.tf#L110) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables-fast.tf#L128) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
 | [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
-| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
+| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [factories_config](variables.tf#L122) | Configuration for the resource factories or external data. | object({…}) | | {} | |
 | [fast_features](variables.tf#L133) | Selective control for top-level FAST features. | object({…}) | | {} | |
 | [folder_iam](variables.tf#L146) | Authoritative IAM for top-level folders. | object({…}) | | {} | |
-| [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
-| [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
+| [groups](variables-fast.tf#L69) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
+| [locations](variables-fast.tf#L84) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
 | [outputs_location](variables.tf#L160) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
+| [root_node](variables-fast.tf#L134) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
 | [tag_names](variables.tf#L166) | Customized names for resource management tags. | object({…}) | | {} | |
 | [tags](variables.tf#L180) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | |
 | [top_level_folders](variables.tf#L201) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | |
diff --git a/fast/stages/1-resman/branch-nsec.tf b/fast/stages/1-resman/branch-nsec.tf
index 6040335013..08dd2a7c83 100644
--- a/fast/stages/1-resman/branch-nsec.tf +++ b/fast/stages/1-resman/branch-nsec.tf @@ -16,13 +16,25 @@ # tfdoc:file:description Network security stage resources. -# automation service account +# TODO: remove in v35.0.0 moved { from = module.branch-nsec-sa to = module.branch-nsec-sa[0] } +moved { + from = module.branch-nsec-r-sa + to = module.branch-nsec-r-sa[0] +} + +moved { + from = module.branch-nsec-gcs + to = module.branch-nsec-gcs[0] +} + +# automation service account + module "branch-nsec-sa" { source = "../../../modules/iam-service-account" count = var.fast_features.nsec ? 1 : 0 @@ -46,11 +58,6 @@ module "branch-nsec-sa" { # automation read-only service account -moved { - from = module.branch-nsec-r-sa - to = module.branch-nsec-r-sa[0] -} - module "branch-nsec-r-sa" { source = "../../../modules/iam-service-account" count = var.fast_features.nsec ? 1 : 0 @@ -73,11 +80,6 @@ module "branch-nsec-r-sa" { # automation bucket -moved { - from = module.branch-nsec-gcs - to = module.branch-nsec-gcs[0] -} - module "branch-nsec-gcs" { source = "../../../modules/gcs" count = var.fast_features.nsec ? 1 : 0 diff --git a/fast/stages/1-resman/branch-project-factory.tf b/fast/stages/1-resman/branch-project-factory.tf index 46135221da..bb458e3f2d 100644 --- a/fast/stages/1-resman/branch-project-factory.tf +++ b/fast/stages/1-resman/branch-project-factory.tf @@ -18,11 +18,6 @@ # automation service accounts -moved { - from = module.branch-pf-sa[0] - to = module.branch-pf-sa -} - module "branch-pf-sa" { source = "../../../modules/iam-service-account" project_id = var.automation.project_id @@ -42,11 +37,6 @@ module "branch-pf-sa" { } } -moved { - from = module.branch-pf-dev-sa[0] - to = module.branch-pf-dev-sa -} - module "branch-pf-dev-sa" { source = "../../../modules/iam-service-account" project_id = var.automation.project_id 
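Review bot: The `# TODO: remove in v35.0.0` comment that now heads the three `moved` blocks in branch-nsec.tf says when to delete them but not why they exist or what breaks if they go early, and in this same change the equivalent project-factory `moved` blocks are relocated to `moved/v33.0.0-v34.0.0.tf`, so one set lives inline and the other in a versioned file. These blocks preserve the state addresses of the nsec automation service accounts and bucket across the switch to `count`; dropping them before a deployment has applied the upgrade would plan a destroy/recreate of those principals and the bucket, which would presumably leave any IAM bindings granted to the old service account identities pointing at deleted principals. I'd either move the three blocks into the same versioned `moved/` file for consistency, or expand the comment to `# TODO: remove in v35.0.0 - state moves for the v33 -> v34 switch of the nsec SAs and bucket to count; keep until every deployment has applied v34`.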
@@ -66,11 +56,6 @@ module "branch-pf-dev-sa" { } } -moved { - from = module.branch-pf-prod-sa[0] - to = module.branch-pf-prod-sa -} - module "branch-pf-prod-sa" { source = "../../../modules/iam-service-account" project_id = var.automation.project_id @@ -92,11 +77,6 @@ module "branch-pf-prod-sa" { # automation read-only service accounts -moved { - from = module.branch-pf-r-sa[0] - to = module.branch-pf-r-sa -} - module "branch-pf-r-sa" { source = "../../../modules/iam-service-account" project_id = var.automation.project_id @@ -116,11 +96,6 @@ module "branch-pf-r-sa" { } } -moved { - from = module.branch-pf-dev-r-sa[0] - to = module.branch-pf-dev-r-sa -} - module "branch-pf-dev-r-sa" { source = "../../../modules/iam-service-account" project_id = var.automation.project_id @@ -140,11 +115,6 @@ module "branch-pf-dev-r-sa" { } } -moved { - from = module.branch-pf-prod-r-sa[0] - to = module.branch-pf-prod-r-sa -} - module "branch-pf-prod-r-sa" { source = "../../../modules/iam-service-account" project_id = var.automation.project_id @@ -166,11 +136,6 @@ module "branch-pf-prod-r-sa" { # automation buckets -moved { - from = module.branch-pf-gcs[0] - to = module.branch-pf-gcs -} - module "branch-pf-gcs" { source = "../../../modules/gcs" project_id = var.automation.project_id @@ -184,11 +149,6 @@ module "branch-pf-gcs" { } } -moved { - from = module.branch-pf-dev-gcs[0] - to = module.branch-pf-dev-gcs -} - module "branch-pf-dev-gcs" { source = "../../../modules/gcs" project_id = var.automation.project_id @@ -202,11 +162,6 @@ module "branch-pf-dev-gcs" { } } -moved { - from = module.branch-pf-prod-gcs[0] - to = module.branch-pf-prod-gcs -} - module "branch-pf-prod-gcs" { source = "../../../modules/gcs" project_id = var.automation.project_id diff --git a/fast/stages/1-resman/moved/v33.0.0-v34.0.0.tf b/fast/stages/1-resman/moved/v33.0.0-v34.0.0.tf new file mode 100644 index 0000000000..b207830302 --- /dev/null +++ b/fast/stages/1-resman/moved/v33.0.0-v34.0.0.tf 
@@ -0,0 +1,61 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +moved { + from = module.branch-pf-sa[0] + to = module.branch-pf-sa +} + +moved { + from = module.branch-pf-dev-sa[0] + to = module.branch-pf-dev-sa +} + +moved { + from = module.branch-pf-prod-sa[0] + to = module.branch-pf-prod-sa +} + +moved { + from = module.branch-pf-r-sa[0] + to = module.branch-pf-r-sa +} + +moved { + from = module.branch-pf-dev-r-sa[0] + to = module.branch-pf-dev-r-sa +} + +moved { + from = module.branch-pf-prod-r-sa[0] + to = module.branch-pf-prod-r-sa +} + +moved { + from = module.branch-pf-gcs[0] + to = module.branch-pf-gcs +} + +moved { + from = module.branch-pf-dev-gcs[0] + to = module.branch-pf-dev-gcs +} + +moved { + from = module.branch-pf-prod-gcs[0] + to = module.branch-pf-prod-gcs +} + diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf index 1418d91ef1..96bfceb560 100644 --- a/fast/stages/1-resman/variables-fast.tf +++ b/fast/stages/1-resman/variables-fast.tf 
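Review bot: The nine `moved` blocks are placed under `moved/v33.0.0-v34.0.0.tf`, but Terraform only loads `.tf` files from the root of the stage directory, so this file is inert unless an operator copies or links it into `1-resman/` before planning, and nothing in this diff (the README hunk included) documents that step. Because the same blocks are deleted from branch-project-factory.tf in this change, an upgrade from v33 that skips the copy would plan the destruction and recreation of the project-factory service accounts and their automation buckets; recreated service accounts get new unique IDs, so IAM bindings that referenced the old identities would presumably stop resolving, and the buckets are what downstream stages appear to use for automation state. I'd add a header comment to this file, e.g. `# Symlink or copy this file into the stage root when upgrading from v33.0.0 to v34.0.0; remove it once the moved state has been applied.`, and mirror that instruction in the stage README.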
@@ -54,13 +54,14 @@ variable "custom_roles" { # tfdoc:variable:source 0-bootstrap description = "Custom roles defined at the org level, in key => id format." type = object({ - gcve_network_admin = string - network_firewall_policies_admin = string - ngfw_enterprise_admin = string - ngfw_enterprise_viewer = string - organization_admin_viewer = string - service_project_network_admin = string - storage_viewer = string + gcve_network_admin = string + network_firewall_policies_admin = string + network_firewall_policies_viewer = string + ngfw_enterprise_admin = string + ngfw_enterprise_viewer = string + organization_admin_viewer = string + service_project_network_admin = string + storage_viewer = string }) default = null } diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars index 8099773124..3684f0f770 100644 --- a/tests/fast/stages/s1_resman/checklist.tfvars +++ b/tests/fast/stages/s1_resman/checklist.tfvars 
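Review bot: `network_firewall_policies_viewer = string` is added as a required attribute of the `custom_roles` object, so a tfvars file produced by a 0-bootstrap deployment that predates this change no longer satisfies the type and the stage fails at plan time until bootstrap is re-applied, and that ordering is not stated in the variable description. If the hard requirement is intended as a guard against mismatched stage versions, say so, e.g. `description = "Custom roles defined at the org level, in key => id format. Re-apply 0-bootstrap before this stage after upgrading, as new keys are mandatory."`; otherwise `network_firewall_policies_viewer = optional(string)` would keep older bootstrap outputs working at the cost of consumers having to handle a null role id. The name suggests a read-only counterpart to `network_firewall_policies_admin`, which is the right least-privilege direction for the read-only automation service accounts, but no consumer of the new key is visible in this diff, so that is inferred.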
@@ -13,13 +13,14 @@ billing_account = { } custom_roles = { # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin", - gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin" - network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin" - ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin" - ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer" - organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer" - service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin" - storage_viewer = "organizations/123456789012/roles/storageViewer" + gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin" + network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin" + network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer" + ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin" + ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer" + organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer" + service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin" + storage_viewer = "organizations/123456789012/roles/storageViewer" } factories_config = { checklist_data = "checklist-data.json" diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars index 5a999ff8c1..046f45fdf4 100644 --- a/tests/fast/stages/s1_resman/simple.tfvars +++ b/tests/fast/stages/s1_resman/simple.tfvars 
@@ -13,13 +13,14 @@ billing_account = { } custom_roles = { # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin", - gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin" - network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin" - ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin" - ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer" - organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer" - service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin" - storage_viewer = "organizations/123456789012/roles/storageViewer" + gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin" + network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin" + network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer" + ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin" + ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer" + organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer" + service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin" + storage_viewer = "organizations/123456789012/roles/storageViewer" } groups = { gcp-billing-admins = "gcp-billing-admins",