diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index 5b7f495d79..6fb5d9c5d2 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@@ -473,6 +473,7 @@ The remaining configuration is manual, as it regards the repositories themselves
| [iam_additive](variables.tf#L146) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | map(list(string)) | | {} | |
| [log_sinks](variables.tf#L154) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
| [outputs_location](variables.tf#L188) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | string | | null | |
+| [project_parent_ids](variables.tf#L204) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {…} | |
## Outputs
diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf
index 3244899035..41ba44e4e7 100644
--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@@ -20,8 +20,10 @@ module "automation-project" {
source = "../../../modules/project"
billing_account = var.billing_account.id
name = "iac-core-0"
- parent = "organizations/${var.organization.id}"
- prefix = local.prefix
+ parent = coalesce(
+ var.project_parent_ids.automation, "organizations/${var.organization.id}"
+ )
+ prefix = local.prefix
# human (groups) IAM bindings
group_iam = {
(local.groups.gcp-devops) = [
diff --git a/fast/stages/00-bootstrap/billing.tf b/fast/stages/00-bootstrap/billing.tf
index 4fc74ce2b7..1291ef4267 100644
--- a/fast/stages/00-bootstrap/billing.tf
+++ b/fast/stages/00-bootstrap/billing.tf
@@ -33,8 +33,10 @@ module "billing-export-project" {
count = local.billing_org ? 1 : 0
billing_account = var.billing_account.id
name = "billing-exp-0"
- parent = "organizations/${var.organization.id}"
- prefix = local.prefix
+ parent = coalesce(
+ var.project_parent_ids.billing, "organizations/${var.organization.id}"
+ )
+ prefix = local.prefix
iam = {
"roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
}
diff --git a/fast/stages/00-bootstrap/log-export.tf b/fast/stages/00-bootstrap/log-export.tf
index a0019914ea..6844985e92 100644
--- a/fast/stages/00-bootstrap/log-export.tf
+++ b/fast/stages/00-bootstrap/log-export.tf
@@ -21,9 +21,11 @@ locals {
}
module "log-export-project" {
- source = "../../../modules/project"
- name = "audit-logs-0"
- parent = "organizations/${var.organization.id}"
+ source = "../../../modules/project"
+ name = "audit-logs-0"
+ parent = coalesce(
+ var.project_parent_ids.logging, "organizations/${var.organization.id}"
+ )
prefix = local.prefix
billing_account = var.billing_account.id
iam = {
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index 0e69681d81..e2bdbde54b 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -41,6 +41,9 @@ locals {
[module.automation-tf-bootstrap-sa.iam_email],
local._iam_bootstrap_user
)
+ "roles/resourcemanager.projectMover" = [
+ module.automation-tf-bootstrap-sa.iam_email
+ ]
"roles/resourcemanager.tagAdmin" = [
module.automation-tf-resman-sa.iam_email
]
diff --git a/fast/stages/00-bootstrap/variables.tf b/fast/stages/00-bootstrap/variables.tf
index e9cc26e352..3946fcf94e 100644
--- a/fast/stages/00-bootstrap/variables.tf
+++ b/fast/stages/00-bootstrap/variables.tf
@@ -200,3 +200,18 @@ variable "prefix" {
error_message = "Use a maximum of 9 characters for prefix."
}
}
+
+variable "project_parent_ids" {
+ description = "Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent."
+ type = object({
+ automation = string
+ billing = string
+ logging = string
+ })
+ default = {
+ automation = null
+ billing = null
+ logging = null
+ }
+ nullable = false
+}