diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 3b3d6ce601..83031f5d2a 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -626,26 +626,25 @@ The `fast_features` variable consists of 4 toggles:
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…})
| ✓ | | |
-| [organization](variables.tf#L230) | Organization details. | object({…})
| ✓ | | |
-| [prefix](variables.tf#L245) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | |
+| [organization](variables.tf#L223) | Organization details. | object({…})
| ✓ | | |
+| [prefix](variables.tf#L238) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | |
| [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string
| | null
| |
| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
| [custom_roles](variables.tf#L79) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string))
| | {}
| |
| [essential_contacts](variables.tf#L86) | Email used for essential contacts, unset if null. | string
| | null
| |
| [factories_config](variables.tf#L92) | Configuration for the resource factories or external data. | object({…})
| | {}
| |
| [fast_features](variables.tf#L104) | Selective control for top-level FAST features. | object({…})
| | {}
| |
-| [group_iam](variables.tf#L118) | Organization-level authoritative IAM binding for groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | map(list(string))
| | {}
| |
-| [groups](variables.tf#L125) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…})
| | {}
| |
-| [iam](variables.tf#L141) | Organization-level custom IAM settings in role => [principal] format. | map(list(string))
| | {}
| |
-| [iam_bindings_additive](variables.tf#L148) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…}))
| | {}
| |
-| [iam_by_principals](variables.tf#L163) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string))
| | {}
| |
-| [locations](variables.tf#L170) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {}
| |
-| [log_sinks](variables.tf#L184) | Org-level log sinks, in name => {type, filter} format. | map(object({…}))
| | {…}
| |
-| [org_policies_config](variables.tf#L213) | Organization policies customization. | object({…})
| | {}
| |
-| [outputs_location](variables.tf#L239) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
-| [project_parent_ids](variables.tf#L254) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…})
| | {}
| |
-| [workforce_identity_providers](variables.tf#L265) | Workforce Identity Federation pools. | map(object({…}))
| | {}
| |
-| [workload_identity_providers](variables.tf#L281) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…}))
| | {}
| |
+| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…})
| | {}
| |
+| [iam](variables.tf#L134) | Organization-level custom IAM settings in role => [principal] format. | map(list(string))
| | {}
| |
+| [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…}))
| | {}
| |
+| [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string))
| | {}
| |
+| [locations](variables.tf#L163) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {}
| |
+| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | map(object({…}))
| | {…}
| |
+| [org_policies_config](variables.tf#L206) | Organization policies customization. | object({…})
| | {}
| |
+| [outputs_location](variables.tf#L232) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
+| [project_parent_ids](variables.tf#L247) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…})
| | {}
| |
+| [workforce_identity_providers](variables.tf#L258) | Workforce Identity Federation pools. | map(object({…}))
| | {}
| |
+| [workload_identity_providers](variables.tf#L274) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…}))
| | {}
| |
## Outputs
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index e263e54a57..f91b4e8c14 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -50,14 +50,7 @@ locals {
var.org_policies_config.constraints.allowed_policy_member_domains
)
drs_tag_name = "${var.organization.id}/${var.org_policies_config.tag_name}"
- fast_custom_roles = [
- "organization_admin_viewer",
- "organization_iam_admin",
- "service_project_network_admin",
- "storage_viewer",
- "tag_viewer",
- "tenant_network_admin",
- ]
+
# intermediate values before we merge in what comes from the checklist
_iam_principals = {
for k, v in local.iam_principal_bindings : k => v.authoritative
@@ -101,9 +94,6 @@ locals {
flatten(values(local._iam_principals)),
keys(local._iam)
))
- iam_roles_additive = distinct([
- for k, v in local._iam_bindings_additive : v.role
- ])
}
# TODO: add a check block to ensure our custom roles exist in the factory files
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 5493f5d628..64978dc30f 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -115,13 +115,6 @@ variable "fast_features" {
nullable = false
}
-variable "group_iam" {
- description = "Organization-level authoritative IAM binding for groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable."
- type = map(list(string))
- default = {}
- nullable = false
-}
-
variable "groups" {
# https://cloud.google.com/docs/enterprise/setup-checklist
description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
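Review bot: Removing `variable "group_iam"` is a breaking change to this stage's input interface and the hunk carries no deprecation path: a tfvars file that still sets `group_iam` only triggers Terraform's undeclared-variable warning, so the org-level group bindings it declared stop being managed silently, and since the removed description calls those bindings authoritative they would presumably be revoked on the next apply rather than left in place. A safer step is to keep a deprecated `group_iam` declaration for one release whose `validation` block fails when the map is non-empty and names the replacement (apparently `iam_by_principals`, going by the README hunk in this commit), or at least a migration note in the stage README. The same unannounced interface removal applies to `custom_roles` in 2-networking-d-separate-envs/variables.tf.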
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 9f9d8ce306..6b7836fd8b 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -358,8 +358,8 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | object({…})
| ✓ | | 0-bootstrap
|
| [billing_account](variables.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…})
| ✓ | | 0-bootstrap
|
-| [organization](variables.tf#L244) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
-| [prefix](variables.tf#L260) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
+| [organization](variables.tf#L232) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
+| [prefix](variables.tf#L248) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
| [cicd_repositories](variables.tf#L53) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
| [custom_roles](variables.tf#L147) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
| [factories_config](variables.tf#L159) | Configuration for the resource factories or external data. | object({…})
| | {}
| |
@@ -367,13 +367,12 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
| [folder_iam](variables.tf#L183) | Authoritative IAM for top-level folders. | object({…})
| | {}
| |
| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…})
| | {}
| 0-bootstrap
|
| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {…}
| 0-bootstrap
|
-| [org_policy_tags](variables.tf#L232) | Resource management tags for organization policy exceptions. | object({…})
| | {}
| 0-bootstrap
|
-| [outputs_location](variables.tf#L254) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
-| [tag_names](variables.tf#L271) | Customized names for resource management tags. | object({…})
| | {}
| |
-| [tags](variables.tf#L286) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
| |
-| [team_folders](variables.tf#L307) | Team folders to be created. Format is described in a code comment. | map(object({…}))
| | null
| |
-| [tenants](variables.tf#L323) | Lightweight tenant definitions. | map(object({…}))
| | {}
| |
-| [tenants_config](variables.tf#L339) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | object({…})
| | {}
| |
+| [outputs_location](variables.tf#L242) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
+| [tag_names](variables.tf#L259) | Customized names for resource management tags. | object({…})
| | {}
| |
+| [tags](variables.tf#L274) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
| |
+| [team_folders](variables.tf#L295) | Team folders to be created. Format is described in a code comment. | map(object({…}))
| | null
| |
+| [tenants](variables.tf#L311) | Lightweight tenant definitions. | map(object({…}))
| | {}
| |
+| [tenants_config](variables.tf#L327) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | object({…})
| | {}
| |
## Outputs
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index a3ccd523f9..8417466730 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -229,18 +229,6 @@ variable "locations" {
nullable = false
}
-variable "org_policy_tags" {
- # tfdoc:variable:source 0-bootstrap
- description = "Resource management tags for organization policy exceptions."
- type = object({
- key_id = optional(string)
- key_name = optional(string)
- values = optional(map(string), {})
- })
- nullable = false
- default = {}
-}
-
variable "organization" {
# tfdoc:variable:source 0-bootstrap
description = "Organization details."
diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md
index a31423a493..14c0a63c3d 100644
--- a/fast/stages/2-networking-d-separate-envs/README.md
+++ b/fast/stages/2-networking-d-separate-envs/README.md
@@ -332,22 +332,21 @@ Regions are defined via the `regions` variable which sets up a mapping between t
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables.tf#L42) | Automation resources created by the bootstrap stage. | object({…})
| ✓ | | 0-bootstrap
|
| [billing_account](variables.tf#L50) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…})
| ✓ | | 0-bootstrap
|
-| [folder_ids](variables.tf#L127) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…})
| ✓ | | 1-resman
|
-| [organization](variables.tf#L137) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
-| [prefix](variables.tf#L153) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
+| [folder_ids](variables.tf#L118) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…})
| ✓ | | 1-resman
|
+| [organization](variables.tf#L128) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
+| [prefix](variables.tf#L144) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
| [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…})
| | {…}
| |
-| [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
-| [dns](variables.tf#L72) | DNS configuration. | object({…})
| | {}
| |
-| [enable_cloud_nat](variables.tf#L83) | Deploy Cloud NAT. | bool
| | false
| |
-| [essential_contacts](variables.tf#L90) | Email used for essential contacts, unset if null. | string
| | null
| |
-| [factories_config](variables.tf#L96) | Configuration for network resource factories. | object({…})
| | {…}
| |
-| [fast_features](variables.tf#L117) | Selective control for top-level FAST features. | object({…})
| | {}
| 0-0-bootstrap
|
-| [outputs_location](variables.tf#L147) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string
| | null
| |
-| [psa_ranges](variables.tf#L164) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…})
| | null
| |
-| [regions](variables.tf#L183) | Region definitions. | object({…})
| | {…}
| |
-| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | object({…})
| | null
| 1-resman
|
-| [vpn_onprem_dev_primary_config](variables.tf#L207) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…})
| | null
| |
-| [vpn_onprem_prod_primary_config](variables.tf#L250) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…})
| | null
| |
+| [dns](variables.tf#L63) | DNS configuration. | object({…})
| | {}
| |
+| [enable_cloud_nat](variables.tf#L74) | Deploy Cloud NAT. | bool
| | false
| |
+| [essential_contacts](variables.tf#L81) | Email used for essential contacts, unset if null. | string
| | null
| |
+| [factories_config](variables.tf#L87) | Configuration for network resource factories. | object({…})
| | {…}
| |
+| [fast_features](variables.tf#L108) | Selective control for top-level FAST features. | object({…})
| | {}
| 0-0-bootstrap
|
+| [outputs_location](variables.tf#L138) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string
| | null
| |
+| [psa_ranges](variables.tf#L155) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…})
| | null
| |
+| [regions](variables.tf#L174) | Region definitions. | object({…})
| | {…}
| |
+| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | object({…})
| | null
| 1-resman
|
+| [vpn_onprem_dev_primary_config](variables.tf#L198) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…})
| | null
| |
+| [vpn_onprem_prod_primary_config](variables.tf#L241) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…})
| | null
| |
## Outputs
diff --git a/fast/stages/2-networking-d-separate-envs/main.tf b/fast/stages/2-networking-d-separate-envs/main.tf
index 928969abde..fd7b76e4d2 100644
--- a/fast/stages/2-networking-d-separate-envs/main.tf
+++ b/fast/stages/2-networking-d-separate-envs/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,7 +17,6 @@
# tfdoc:file:description Networking folder and hierarchical policy.
locals {
- custom_roles = coalesce(var.custom_roles, {})
# combine all regions from variables and subnets
regions = distinct(concat(
values(var.regions),
diff --git a/fast/stages/2-networking-d-separate-envs/variables.tf b/fast/stages/2-networking-d-separate-envs/variables.tf
index 8beb832043..0c4165b3ab 100644
--- a/fast/stages/2-networking-d-separate-envs/variables.tf
+++ b/fast/stages/2-networking-d-separate-envs/variables.tf
@@ -60,15 +60,6 @@ variable "billing_account" {
}
}
-variable "custom_roles" {
- # tfdoc:variable:source 0-bootstrap
- description = "Custom roles defined at the org level, in key => id format."
- type = object({
- service_project_network_admin = string
- })
- default = null
-}
-
variable "dns" {
description = "DNS configuration."
type = object({