Custom role factories for organization and project modules (#1912)

* backport custom role factories * backport from fast ci/cd branch * indent * tfdoc * fix module tests
GoogleCloudPlatform · Dec 11, 2023 · bba814c · bba814c
1 parent 886734e
commit bba814c
Show file tree

Hide file tree

Showing 30 changed files with 438 additions and 272 deletions.
diff --git a/blueprints/data-solutions/shielded-folder/main.tf b/blueprints/data-solutions/shielded-folder/main.tf
@@ -71,13 +71,15 @@ locals {
 }
 
 module "folder" {
-  source                 = "../../../modules/folder"
-  folder_create          = var.folder_config.folder_create != null
-  parent                 = try(var.folder_config.folder_create.parent, null)
-  name                   = try(var.folder_config.folder_create.display_name, null)
-  id                     = var.folder_config.folder_create != null ? null : var.folder_config.folder_id
-  group_iam              = local.group_iam
-  org_policies_data_path = var.data_dir != null ? "${var.data_dir}/org-policies" : null
+  source        = "../../../modules/folder"
+  folder_create = var.folder_config.folder_create != null
+  parent        = try(var.folder_config.folder_create.parent, null)
+  name          = try(var.folder_config.folder_create.display_name, null)
+  id            = var.folder_config.folder_create != null ? null : var.folder_config.folder_id
+  group_iam     = local.group_iam
+  factories_config = {
+    org_policies = var.data_dir != null ? "${var.data_dir}/org-policies" : null
+  }
   logging_sinks = var.enable_features.log_sink ? {
     for name, attrs in var.log_sinks : name => {
       bq_partitioned_table = attrs.type == "bigquery"

diff --git a/fast/stages-multitenant/1-resman-tenant/README.md b/fast/stages-multitenant/1-resman-tenant/README.md
@@ -155,21 +155,21 @@ Once the configuration is done just go through the usual `init/apply` cycle. On
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10;  outputs_bucket           &#61; string&#10;  project_id               &#61; string&#10;  project_number           &#61; string&#10;  federated_identity_pools &#61; list&#40;string&#41;&#10;  federated_identity_providers &#61; map&#40;object&#40;&#123;&#10;    audiences        &#61; list&#40;string&#41;&#10;    issuer           &#61; string&#10;    issuer_uri       &#61; string&#10;    name             &#61; string&#10;    principal_tpl    &#61; string&#10;    principalset_tpl &#61; string&#10;  &#125;&#41;&#41;&#10;  service_accounts &#61; object&#40;&#123;&#10;    networking &#61; string&#10;    resman     &#61; string&#10;    security   &#61; string&#10;    dp-dev     &#61; optional&#40;string&#41;&#10;    dp-prod    &#61; optional&#40;string&#41;&#10;    gke-dev    &#61; optional&#40;string&#41;&#10;    gke-prod   &#61; optional&#40;string&#41;&#10;    pf-dev     &#61; optional&#40;string&#41;&#10;    pf-prod    &#61; optional&#40;string&#41;&#10;    sandbox    &#61; optional&#40;string&#41;&#10;    teams      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
 | [billing_account](variables.tf#L52) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object&#40;&#123;&#10;  id           &#61; string&#10;  is_org_level &#61; optional&#40;bool, true&#41;&#10;  no_iam       &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
-| [organization](variables.tf#L205) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
-| [prefix](variables.tf#L227) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>0-bootstrap</code> |
-| [root_node](variables.tf#L237) | Root folder node for the tenant, in folders/nnnnnn format. | <code>string</code> | ✓ |  |  |
-| [short_name](variables.tf#L242) | Short name used to identify the tenant. | <code>string</code> | ✓ |  |  |
-| [tags](variables.tf#L247) | Resource management tags. | <code title="object&#40;&#123;&#10;  keys &#61; object&#40;&#123;&#10;    context     &#61; string&#10;    environment &#61; string&#10;    tenant      &#61; string&#10;  &#125;&#41;&#10;  names &#61; object&#40;&#123;&#10;    context     &#61; string&#10;    environment &#61; string&#10;    tenant      &#61; string&#10;  &#125;&#41;&#10;  values &#61; map&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
+| [organization](variables.tf#L214) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
+| [prefix](variables.tf#L230) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>0-bootstrap</code> |
+| [root_node](variables.tf#L240) | Root folder node for the tenant, in folders/nnnnnn format. | <code>string</code> | ✓ |  |  |
+| [short_name](variables.tf#L245) | Short name used to identify the tenant. | <code>string</code> | ✓ |  |  |
+| [tags](variables.tf#L250) | Resource management tags. | <code title="object&#40;&#123;&#10;  keys &#61; object&#40;&#123;&#10;    context     &#61; string&#10;    environment &#61; string&#10;    tenant      &#61; string&#10;  &#125;&#41;&#10;  names &#61; object&#40;&#123;&#10;    context     &#61; string&#10;    environment &#61; string&#10;    tenant      &#61; string&#10;  &#125;&#41;&#10;  values &#61; map&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
 | [cicd_repositories](variables.tf#L63) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10;  data_platform_dev &#61; object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#10;  data_platform_prod &#61; object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#10;  gke_dev &#61; object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#10;  gke_prod &#61; object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#10;  networking &#61; object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#10;  project_factory_dev &#61; object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#10;  project_factory_prod &#61; object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#10;  security &#61; object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
 | [custom_roles](variables.tf#L145) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10;  service_project_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-bootstrap</code> |
 | [data_dir](variables.tf#L154) | Relative path for the folder storing configuration data. | <code>string</code> |  | <code>&#34;data&#34;</code> |  |
-| [fast_features](variables.tf#L160) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10;  data_platform   &#61; optional&#40;bool, false&#41;&#10;  gke             &#61; optional&#40;bool, false&#41;&#10;  project_factory &#61; optional&#40;bool, false&#41;&#10;  sandbox         &#61; optional&#40;bool, false&#41;&#10;  teams           &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-0-bootstrap</code> |
-| [groups](variables.tf#L174) | Group names to grant organization-level permissions. | <code title="object&#40;&#123;&#10;  gcp-devops          &#61; optional&#40;string&#41;&#10;  gcp-network-admins  &#61; optional&#40;string&#41;&#10;  gcp-security-admins &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
-| [locations](variables.tf#L187) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; string&#10;  gcs     &#61; string&#10;  logging &#61; string&#10;  pubsub  &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  bq      &#61; &#34;EU&#34;&#10;  gcs     &#61; &#34;EU&#34;&#10;  logging &#61; &#34;global&#34;&#10;  pubsub  &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>0-bootstrap</code> |
-| [organization_policy_data_path](variables.tf#L215) | Path for the data folder used by the organization policies factory. | <code>string</code> |  | <code>null</code> |  |
-| [outputs_location](variables.tf#L221) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
-| [team_folders](variables.tf#L265) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10;  descriptive_name     &#61; string&#10;  group_iam            &#61; map&#40;list&#40;string&#41;&#41;&#10;  impersonation_groups &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |  |
-| [test_skip_data_sources](variables.tf#L275) | Used when testing to bypass data sources. | <code>bool</code> |  | <code>false</code> |  |
+| [factories_config](variables.tf#L160) | Configuration for the organization policies factory. | <code title="object&#40;&#123;&#10;  org_policy &#61; optional&#40;string, &#34;data&#47;org-policies&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [fast_features](variables.tf#L169) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10;  data_platform   &#61; optional&#40;bool, false&#41;&#10;  gke             &#61; optional&#40;bool, false&#41;&#10;  project_factory &#61; optional&#40;bool, false&#41;&#10;  sandbox         &#61; optional&#40;bool, false&#41;&#10;  teams           &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-0-bootstrap</code> |
+| [groups](variables.tf#L183) | Group names to grant organization-level permissions. | <code title="object&#40;&#123;&#10;  gcp-devops          &#61; optional&#40;string&#41;&#10;  gcp-network-admins  &#61; optional&#40;string&#41;&#10;  gcp-security-admins &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [locations](variables.tf#L196) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; string&#10;  gcs     &#61; string&#10;  logging &#61; string&#10;  pubsub  &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  bq      &#61; &#34;EU&#34;&#10;  gcs     &#61; &#34;EU&#34;&#10;  logging &#61; &#34;global&#34;&#10;  pubsub  &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>0-bootstrap</code> |
+| [outputs_location](variables.tf#L224) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
+| [team_folders](variables.tf#L268) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10;  descriptive_name     &#61; string&#10;  group_iam            &#61; map&#40;list&#40;string&#41;&#41;&#10;  impersonation_groups &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |  |
+| [test_skip_data_sources](variables.tf#L278) | Used when testing to bypass data sources. | <code>bool</code> |  | <code>false</code> |  |
 
 ## Outputs
 

diff --git a/fast/stages-multitenant/1-resman-tenant/root_node.tf b/fast/stages-multitenant/1-resman-tenant/root_node.tf
@@ -26,6 +26,9 @@ module "root-folder" {
   )
   name = var.test_skip_data_sources ? "Test" : null
   # end test attributes
+  factories_config = {
+    org_policy = var.factories_config.org_policy
+  }
   iam_bindings_additive = {
     sa_net_fw_policy_admin = {
       member = local.automation_sas_iam.networking
@@ -40,5 +43,4 @@ module "root-folder" {
       role   = "roles/accesscontextmanager.policyAdmin"
     }
   }
-  org_policies_data_path = var.organization_policy_data_path
 }
diff --git a/fast/stages-multitenant/1-resman-tenant/variables.tf b/fast/stages-multitenant/1-resman-tenant/variables.tf
@@ -157,6 +157,15 @@ variable "data_dir" {
   default     = "data"
 }
 
+variable "factories_config" {
+  description = "Configuration for the organization policies factory."
+  type = object({
+    org_policy = optional(string, "data/org-policies")
+  })
+  nullable = false
+  default  = {}
+}
+
 variable "fast_features" {
   # tfdoc:variable:source 0-0-bootstrap
   description = "Selective control for top-level FAST features."
@@ -212,12 +221,6 @@ variable "organization" {
   })
 }
 
-variable "organization_policy_data_path" {
-  description = "Path for the data folder used by the organization policies factory."
-  type        = string
-  default     = null
-}
-
 variable "outputs_location" {
   description = "Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable."
   type        = string