[FAST] Rename netsec stage to nsec (#2482)
LucaPrete authored Aug 8, 2024
1 parent 092053b commit cb2add1
Showing 9 changed files with 50 additions and 50 deletions.
4 changes: 2 additions & 2 deletions fast/stage-links.sh
Expand Up @@ -90,13 +90,13 @@ case $STAGE_NAME in
"3-network-security"*)
if [[ -z "$TENANT" ]]; then
echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again"
PROVIDER="providers/3-netsec-providers.tf"
PROVIDER="providers/3-network-security-providers.tf"
TFVARS="tfvars/0-bootstrap.auto.tfvars.json
tfvars/1-resman.auto.tfvars.json
tfvars/2-networking.auto.tfvars.json"
else
unset GLOBALS
PROVIDER="tenants/$TENANT/providers/3-netsec-providers.tf"
PROVIDER="tenants/$TENANT/providers/3-network-security-providers.tf"
TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json
tenants/$TENANT/tfvars/1-resman.auto.tfvars.json
tenants/$TENANT/tfvars/2-networking.auto.tfvars.json"
Expand Down
6 changes: 3 additions & 3 deletions fast/stages/1-resman/README.md
Expand Up @@ -236,8 +236,8 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
| [branch-data-platform.tf](./branch-data-platform.tf) | Data Platform stages resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-gcve.tf](./branch-gcve.tf) | GCVE stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-gke.tf](./branch-gke.tf) | GKE multitenant stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-netsec.tf](./branch-netsec.tf) | Network security stage resources. | <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-networking.tf](./branch-networking.tf) | Networking stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-nsec.tf](./branch-nsec.tf) | Network security stage resources. | <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-project-factory.tf](./branch-project-factory.tf) | Project factory stage resources. | <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-security.tf](./branch-security.tf) | Security stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
Expand Down Expand Up @@ -270,7 +270,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
| [logging](variables-fast.tf#L95) | Logging configuration for tenants. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; log_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10; filter &#61; string&#10; type &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>1-tenant-factory</code> |
| [organization](variables-fast.tf#L108) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [prefix](variables-fast.tf#L126) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10; data_platform_dev &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; data_platform_prod &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; gke_dev &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; gke_prod &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; gcve_dev &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; gcve_prod &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; netsec &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; networking &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; 
optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; project_factory &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; project_factory_dev &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; project_factory_prod &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; security &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10; data_platform_dev &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; data_platform_prod &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; gke_dev &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; gke_prod &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; gcve_dev &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; gcve_prod &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; nsec &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; networking &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; 
optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; project_factory &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; project_factory_dev &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; project_factory_prod &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; security &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; type &#61; string&#10; branch &#61; optional&#40;string&#41;&#10; identity_provider &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | |
| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10; gcve_network_admin &#61; string&#10; network_firewall_policies_admin &#61; string&#10; ngfw_enterprise_admin &#61; string&#10; organization_admin_viewer &#61; string&#10; service_project_network_admin &#61; string&#10; storage_viewer &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>0-bootstrap</code> |
| [factories_config](variables.tf#L122) | Configuration for the resource factories or external data. | <code title="object&#40;&#123;&#10; checklist_data &#61; optional&#40;string&#41;&#10; org_policies &#61; optional&#40;string, &#34;data&#47;org-policies&#34;&#41;&#10; top_level_folders &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [fast_features](variables.tf#L133) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10; data_platform &#61; optional&#40;bool, false&#41;&#10; gke &#61; optional&#40;bool, false&#41;&#10; gcve &#61; optional&#40;bool, false&#41;&#10; project_factory &#61; optional&#40;bool, false&#41;&#10; sandbox &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
Expand All @@ -294,7 +294,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
| [gke_multitenant](outputs.tf#L458) | Data for the GKE multitenant stage. | | <code>03-gke-multitenant</code> |
| [networking](outputs.tf#L479) | Data for the networking stage. | | |
| [project_factories](outputs.tf#L488) | Data for the project factories stage. | | |
| [providers](outputs.tf#L507) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>03-netsec</code> |
| [providers](outputs.tf#L507) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>03-network-security</code> |
| [sandbox](outputs.tf#L514) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
| [security](outputs.tf#L528) | Data for the networking stage. | | <code>02-security</code> |
| [tfvars](outputs.tf#L539) | Terraform variable files for the following stages. | ✓ | |
Expand Down
6 changes: 3 additions & 3 deletions fast/stages/1-resman/branch-networking.tf
Expand Up @@ -28,9 +28,9 @@ locals {
# read-only (plan) automation service account
"roles/viewer" = [module.branch-network-r-sa.iam_email]
"roles/resourcemanager.folderViewer" = [module.branch-network-r-sa.iam_email]
# netsec service account
"roles/serviceusage.serviceUsageAdmin" = [module.branch-netsec-sa.iam_email]
(var.custom_roles["network_firewall_policies_admin"]) = [module.branch-netsec-sa.iam_email]
# nsec service account
"roles/serviceusage.serviceUsageAdmin" = [module.branch-nsec-sa.iam_email]
(var.custom_roles["network_firewall_policies_admin"]) = [module.branch-nsec-sa.iam_email]
}
# deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
_network_folder_iam = merge(
Expand Down
Expand Up @@ -18,16 +18,16 @@

# automation service account

module "branch-netsec-sa" {
module "branch-nsec-sa" {
source = "../../../modules/iam-service-account"
project_id = var.automation.project_id
name = "prod-resman-netsec-0"
name = "prod-resman-nsec-0"
display_name = "Terraform resman network security service account."
prefix = var.prefix
service_account_create = var.root_node == null
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.branch-netsec-sa-cicd[0].iam_email, null)
try(module.branch-nsec-sa-cicd[0].iam_email, null)
])
}
iam_project_roles = {
Expand All @@ -40,15 +40,15 @@ module "branch-netsec-sa" {

# automation read-only service account

module "branch-netsec-r-sa" {
module "branch-nsec-r-sa" {
source = "../../../modules/iam-service-account"
project_id = var.automation.project_id
name = "prod-resman-netsec-0r"
name = "prod-resman-nsec-0r"
display_name = "Terraform resman network security service account (read-only)."
prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.branch-netsec-r-sa-cicd[0].iam_email, null)
try(module.branch-nsec-r-sa-cicd[0].iam_email, null)
])
}
iam_project_roles = {
Expand All @@ -61,16 +61,16 @@ module "branch-netsec-r-sa" {

# automation bucket

module "branch-netsec-gcs" {
module "branch-nsec-gcs" {
source = "../../../modules/gcs"
project_id = var.automation.project_id
name = "prod-resman-netsec-0"
name = "prod-resman-nsec-0"
prefix = var.prefix
location = var.locations.gcs
storage_class = local.gcs_storage_class
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-netsec-sa.iam_email]
"roles/storage.objectViewer" = [module.branch-netsec-r-sa.iam_email]
"roles/storage.objectAdmin" = [module.branch-nsec-sa.iam_email]
"roles/storage.objectViewer" = [module.branch-nsec-r-sa.iam_email]
}
}
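Review bot: Changing `name` on `branch-nsec-sa`, `branch-nsec-r-sa` and `branch-nsec-gcs` (the lines `name = "prod-resman-nsec-0"`, `name = "prod-resman-nsec-0r"` and the bucket's `name = "prod-resman-nsec-0"`) forces Terraform to replace the live service accounts and bucket rather than rename them, so on an existing deployment the old SA emails disappear and the bucket introduced under `# automation bucket` — which presumably holds the network security stage's Terraform state — is destroyed and recreated empty. The same applies to `prod-resman-nsec-1` and `prod-resman-nsec-1r` in the cicd-netsec.tf section. Nothing in the commit records a migration path, so I would add above `module "branch-nsec-gcs"` a comment such as `# renaming this bucket replaces it: move existing nsec stage state out before applying` and call out the SA email change for downstream IAM bindings and CI/CD impersonation. This section's file header is not visible in the rendering; the README table entry for branch-nsec.tf suggests it is the renamed branch file.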
20 changes: 10 additions & 10 deletions fast/stages/1-resman/cicd-netsec.tf
Expand Up @@ -17,17 +17,17 @@
# tfdoc:file:description CI/CD resources for the networking branch.

# read-write (apply) SA used by CI/CD workflows
# to impersonate netsec automation SA
# to impersonate nsec automation SA

module "branch-netsec-sa-cicd" {
module "branch-nsec-sa-cicd" {
source = "../../../modules/iam-service-account"
for_each = (
try(local.cicd_repositories.netsec.name, null) != null
? { 0 = local.cicd_repositories.netsec }
try(local.cicd_repositories.nsec.name, null) != null
? { 0 = local.cicd_repositories.nsec }
: {}
)
project_id = var.automation.project_id
name = "prod-resman-netsec-1"
name = "prod-resman-nsec-1"
display_name = "Terraform CI/CD stage 2 network security service account."
prefix = var.prefix
iam = {
Expand All @@ -54,17 +54,17 @@ module "branch-netsec-sa-cicd" {
}
}

# read-only (plan) SA used by CI/CD workflows to impersonate netsec automation SA
# read-only (plan) SA used by CI/CD workflows to impersonate nsec automation SA

module "branch-netsec-r-sa-cicd" {
module "branch-nsec-r-sa-cicd" {
source = "../../../modules/iam-service-account"
for_each = (
try(local.cicd_repositories.netsec.name, null) != null
? { 0 = local.cicd_repositories.netsec }
try(local.cicd_repositories.nsec.name, null) != null
? { 0 = local.cicd_repositories.nsec }
: {}
)
project_id = var.automation.project_id
name = "prod-resman-netsec-1r"
name = "prod-resman-nsec-1r"
display_name = "Terraform CI/CD stage 2 network security service account (read-only)."
prefix = var.prefix
iam = {
Expand Down
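Review bot: The tfdoc header at the top of the first hunk, `# tfdoc:file:description CI/CD resources for the networking branch.`, still describes the networking branch while every module and display name in this file is for the network security stage; suggest `# tfdoc:file:description CI/CD resources for the network security (nsec) branch.` so the generated README does not mislabel the file. The `for_each` keys moved from `local.cicd_repositories.netsec` to `local.cicd_repositories.nsec`; if that local is built from the `cicd_repositories` variable, existing tfvars that still set `netsec` will need updating, and that migration is not called out in the commit. The file keeps its `cicd-netsec.tf` name while the README table now points at `branch-nsec.tf`, which looks like an incomplete rename worth confirming. Both `module` blocks in this section continue past the hunk boundaries.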
8 changes: 4 additions & 4 deletions fast/stages/1-resman/iam.tf
Expand Up @@ -24,12 +24,12 @@ locals {
member = module.branch-network-sa.iam_email
role = "roles/compute.orgFirewallPolicyAdmin"
}
sa_net_netsec_fw_policy_admin = {
member = module.branch-netsec-sa.iam_email
sa_net_nsec_fw_policy_admin = {
member = module.branch-nsec-sa.iam_email
role = "roles/compute.orgFirewallPolicyAdmin"
}
sa_net_netsec_ngfw_enterprise_admin = {
member = module.branch-netsec-sa.iam_email
sa_net_nsec_ngfw_enterprise_admin = {
member = module.branch-nsec-sa.iam_email
role = local.custom_roles["ngfw_enterprise_admin"],
}
sa_net_xpn_admin = {
Expand Down

0 comments on commit cb2add1
