diff --git a/fast/stage-links.sh b/fast/stage-links.sh
index a814fa0f55..b690066d3b 100755
--- a/fast/stage-links.sh
+++ b/fast/stage-links.sh
@@ -90,13 +90,13 @@ case $STAGE_NAME in
"3-network-security"*)
if [[ -z "$TENANT" ]]; then
echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again"
- PROVIDER="providers/3-netsec-providers.tf"
+ PROVIDER="providers/3-network-security-providers.tf"
TFVARS="tfvars/0-bootstrap.auto.tfvars.json
tfvars/1-resman.auto.tfvars.json
tfvars/2-networking.auto.tfvars.json"
else
unset GLOBALS
- PROVIDER="tenants/$TENANT/providers/3-netsec-providers.tf"
+ PROVIDER="tenants/$TENANT/providers/3-network-security-providers.tf"
TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json
tenants/$TENANT/tfvars/1-resman.auto.tfvars.json
tenants/$TENANT/tfvars/2-networking.auto.tfvars.json"
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 7159e6f7d5..3e9ad6dc34 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -236,8 +236,8 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
| [branch-data-platform.tf](./branch-data-platform.tf) | Data Platform stages resources. | folder
· gcs
· iam-service-account
| |
| [branch-gcve.tf](./branch-gcve.tf) | GCVE stage resources. | folder
· gcs
· iam-service-account
| |
| [branch-gke.tf](./branch-gke.tf) | GKE multitenant stage resources. | folder
· gcs
· iam-service-account
| |
-| [branch-netsec.tf](./branch-netsec.tf) | Network security stage resources. | gcs
· iam-service-account
| |
| [branch-networking.tf](./branch-networking.tf) | Networking stage resources. | folder
· gcs
· iam-service-account
| |
+| [branch-nsec.tf](./branch-nsec.tf) | Network security stage resources. | gcs
· iam-service-account
| |
| [branch-project-factory.tf](./branch-project-factory.tf) | Project factory stage resources. | gcs
· iam-service-account
| |
| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | folder
· gcs
· iam-service-account
| |
| [branch-security.tf](./branch-security.tf) | Security stage resources. | folder
· gcs
· iam-service-account
| |
@@ -270,7 +270,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
| [logging](variables-fast.tf#L95) | Logging configuration for tenants. | object({…})
| ✓ | | 1-tenant-factory
|
| [organization](variables-fast.tf#L108) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
| [prefix](variables-fast.tf#L126) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
-| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
+| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
| [factories_config](variables.tf#L122) | Configuration for the resource factories or external data. | object({…})
| | {}
| |
| [fast_features](variables.tf#L133) | Selective control for top-level FAST features. | object({…})
| | {}
| |
@@ -294,7 +294,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
| [gke_multitenant](outputs.tf#L458) | Data for the GKE multitenant stage. | | 03-gke-multitenant
|
| [networking](outputs.tf#L479) | Data for the networking stage. | | |
| [project_factories](outputs.tf#L488) | Data for the project factories stage. | | |
-| [providers](outputs.tf#L507) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking
· 02-security
· 03-dataplatform
· 03-netsec
|
+| [providers](outputs.tf#L507) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking
· 02-security
· 03-dataplatform
· 03-network-security
|
| [sandbox](outputs.tf#L514) | Data for the sandbox stage. | | xx-sandbox
|
| [security](outputs.tf#L528) | Data for the networking stage. | | 02-security
|
| [tfvars](outputs.tf#L539) | Terraform variable files for the following stages. | ✓ | |
diff --git a/fast/stages/1-resman/branch-networking.tf b/fast/stages/1-resman/branch-networking.tf
index cc6cac29c5..263d1c4aeb 100644
--- a/fast/stages/1-resman/branch-networking.tf
+++ b/fast/stages/1-resman/branch-networking.tf
@@ -28,9 +28,9 @@ locals {
# read-only (plan) automation service account
"roles/viewer" = [module.branch-network-r-sa.iam_email]
"roles/resourcemanager.folderViewer" = [module.branch-network-r-sa.iam_email]
- # netsec service account
- "roles/serviceusage.serviceUsageAdmin" = [module.branch-netsec-sa.iam_email]
- (var.custom_roles["network_firewall_policies_admin"]) = [module.branch-netsec-sa.iam_email]
+ # nsec service account
+ "roles/serviceusage.serviceUsageAdmin" = [module.branch-nsec-sa.iam_email]
+ (var.custom_roles["network_firewall_policies_admin"]) = [module.branch-nsec-sa.iam_email]
}
# deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
_network_folder_iam = merge(
diff --git a/fast/stages/1-resman/branch-netsec.tf b/fast/stages/1-resman/branch-nsec.tf
similarity index 81%
rename from fast/stages/1-resman/branch-netsec.tf
rename to fast/stages/1-resman/branch-nsec.tf
index 3d941e1f6e..0fb0299c3c 100644
--- a/fast/stages/1-resman/branch-netsec.tf
+++ b/fast/stages/1-resman/branch-nsec.tf
@@ -18,16 +18,16 @@
# automation service account
-module "branch-netsec-sa" {
+module "branch-nsec-sa" {
source = "../../../modules/iam-service-account"
project_id = var.automation.project_id
- name = "prod-resman-netsec-0"
+ name = "prod-resman-nsec-0"
display_name = "Terraform resman network security service account."
prefix = var.prefix
service_account_create = var.root_node == null
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-netsec-sa-cicd[0].iam_email, null)
+ try(module.branch-nsec-sa-cicd[0].iam_email, null)
])
}
iam_project_roles = {
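Review bot: Changing `name` from `prod-resman-netsec-0` to `prod-resman-nsec-0` changes the service account ID, not just the module address, so Terraform will replace the account and its email changes; the same applies to the read-only account in the next hunk (`prod-resman-nsec-0r`) and to the CI/CD accounts in cicd-netsec.tf (`prod-resman-nsec-1`, `prod-resman-nsec-1r`). A `moved` block can carry state across the `module "branch-netsec-sa"` → `module "branch-nsec-sa"` rename, but it cannot preserve an account whose ID changed, and any IAM bindings that reference the old email and are not managed in this stage's state would be left pointing at a deleted principal without being cleaned up here. The bucket rename in the third hunk of this file has the same effect on the `prod-resman-nsec-0` GCS bucket, which the outputs.tf hunk uses as the backend for the `3-network-security` providers file, so whatever stage-3 state lives there needs an explicit migration. If the intent is only to rename code identifiers, keep the `name` values unchanged and add `moved { from = module.branch-netsec-sa to = module.branch-nsec-sa }`-style blocks for each renamed module; otherwise the replacement and the state move should be documented in the commit message or the stage README. The `branch-nsec-sa` module body continues outside this hunk.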
@@ -40,15 +40,15 @@ module "branch-netsec-sa" {
# automation read-only service account
-module "branch-netsec-r-sa" {
+module "branch-nsec-r-sa" {
source = "../../../modules/iam-service-account"
project_id = var.automation.project_id
- name = "prod-resman-netsec-0r"
+ name = "prod-resman-nsec-0r"
display_name = "Terraform resman network security service account (read-only)."
prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-netsec-r-sa-cicd[0].iam_email, null)
+ try(module.branch-nsec-r-sa-cicd[0].iam_email, null)
])
}
iam_project_roles = {
@@ -61,16 +61,16 @@ module "branch-netsec-r-sa" {
# automation bucket
-module "branch-netsec-gcs" {
+module "branch-nsec-gcs" {
source = "../../../modules/gcs"
project_id = var.automation.project_id
- name = "prod-resman-netsec-0"
+ name = "prod-resman-nsec-0"
prefix = var.prefix
location = var.locations.gcs
storage_class = local.gcs_storage_class
versioning = true
iam = {
- "roles/storage.objectAdmin" = [module.branch-netsec-sa.iam_email]
- "roles/storage.objectViewer" = [module.branch-netsec-r-sa.iam_email]
+ "roles/storage.objectAdmin" = [module.branch-nsec-sa.iam_email]
+ "roles/storage.objectViewer" = [module.branch-nsec-r-sa.iam_email]
}
}
diff --git a/fast/stages/1-resman/cicd-netsec.tf b/fast/stages/1-resman/cicd-netsec.tf
index 42810bd942..335acf18d2 100644
--- a/fast/stages/1-resman/cicd-netsec.tf
+++ b/fast/stages/1-resman/cicd-netsec.tf
@@ -17,17 +17,17 @@
# tfdoc:file:description CI/CD resources for the networking branch.
# read-write (apply) SA used by CI/CD workflows
-# to impersonate netsec automation SA
+# to impersonate nsec automation SA
-module "branch-netsec-sa-cicd" {
+module "branch-nsec-sa-cicd" {
source = "../../../modules/iam-service-account"
for_each = (
- try(local.cicd_repositories.netsec.name, null) != null
- ? { 0 = local.cicd_repositories.netsec }
+ try(local.cicd_repositories.nsec.name, null) != null
+ ? { 0 = local.cicd_repositories.nsec }
: {}
)
project_id = var.automation.project_id
- name = "prod-resman-netsec-1"
+ name = "prod-resman-nsec-1"
display_name = "Terraform CI/CD stage 2 network security service account."
prefix = var.prefix
iam = {
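Review bot: This file keeps the `cicd-netsec.tf` name while its sibling is renamed to `branch-nsec.tf` and every identifier inside it switches to `nsec`, which leaves the two naming schemes mixed within the same stage; renaming the file to `cicd-nsec.tf` in the same commit would keep them consistent (the second hunk of this file has the same issue). While here, the header comment on the first line of the hunk still reads `# tfdoc:file:description CI/CD resources for the networking branch.` although the modules below are the network security CI/CD service accounts; `# tfdoc:file:description CI/CD resources for the network security branch.` would match what the file defines. The `branch-nsec-sa-cicd` module body continues past the end of the hunk.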
@@ -54,17 +54,17 @@ module "branch-netsec-sa-cicd" {
}
}
-# read-only (plan) SA used by CI/CD workflows to impersonate netsec automation SA
+# read-only (plan) SA used by CI/CD workflows to impersonate nsec automation SA
-module "branch-netsec-r-sa-cicd" {
+module "branch-nsec-r-sa-cicd" {
source = "../../../modules/iam-service-account"
for_each = (
- try(local.cicd_repositories.netsec.name, null) != null
- ? { 0 = local.cicd_repositories.netsec }
+ try(local.cicd_repositories.nsec.name, null) != null
+ ? { 0 = local.cicd_repositories.nsec }
: {}
)
project_id = var.automation.project_id
- name = "prod-resman-netsec-1r"
+ name = "prod-resman-nsec-1r"
display_name = "Terraform CI/CD stage 2 network security service account (read-only)."
prefix = var.prefix
iam = {
diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf
index a37946f862..a5ff698c5f 100644
--- a/fast/stages/1-resman/iam.tf
+++ b/fast/stages/1-resman/iam.tf
@@ -24,12 +24,12 @@ locals {
member = module.branch-network-sa.iam_email
role = "roles/compute.orgFirewallPolicyAdmin"
}
- sa_net_netsec_fw_policy_admin = {
- member = module.branch-netsec-sa.iam_email
+ sa_net_nsec_fw_policy_admin = {
+ member = module.branch-nsec-sa.iam_email
role = "roles/compute.orgFirewallPolicyAdmin"
}
- sa_net_netsec_ngfw_enterprise_admin = {
- member = module.branch-netsec-sa.iam_email
+ sa_net_nsec_ngfw_enterprise_admin = {
+ member = module.branch-nsec-sa.iam_email
role = local.custom_roles["ngfw_enterprise_admin"],
}
sa_net_xpn_admin = {
diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf
index 975cbbde9a..4dac75cef8 100644
--- a/fast/stages/1-resman/outputs.tf
+++ b/fast/stages/1-resman/outputs.tf
@@ -83,14 +83,14 @@ locals {
}
tf_var_files = local.cicd_workflow_var_files.stage_3
}
- netsec = {
+ nsec = {
service_accounts = {
- apply = try(module.branch-netsec-sa-cicd[0].email, null)
- plan = try(module.branch-netsec-r-sa-cicd[0].email, null)
+ apply = try(module.branch-nsec-sa-cicd[0].email, null)
+ plan = try(module.branch-nsec-r-sa-cicd[0].email, null)
}
tf_providers_files = {
- apply = "3-netsec-providers.tf"
- plan = "3-netsec-r-providers.tf"
+ apply = "3-network-security-providers.tf"
+ plan = "3-network-security-r-providers.tf"
}
tf_var_files = local.cicd_workflow_var_files.stage_3
}
@@ -209,17 +209,17 @@ locals {
name = "security"
sa = module.branch-security-r-sa.email
})
- "3-netsec" = templatefile(local._tpl_providers, {
+ "3-network-security" = templatefile(local._tpl_providers, {
backend_extra = null
- bucket = module.branch-netsec-gcs.name
- name = "netsec"
- sa = module.branch-netsec-sa.email
+ bucket = module.branch-nsec-gcs.name
+ name = "network-security"
+ sa = module.branch-nsec-sa.email
})
- "3-netsec-r" = templatefile(local._tpl_providers, {
+ "3-network-security-r" = templatefile(local._tpl_providers, {
backend_extra = null
bucket = module.branch-network-gcs.name
- name = "netsec"
- sa = module.branch-netsec-r-sa.email
+ name = "network-security"
+ sa = module.branch-nsec-r-sa.email
})
},
{
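Review bot: The `3-network-security-r` providers entry still points its backend at `bucket = module.branch-network-gcs.name`, the networking stage bucket, while the read-write `3-network-security` entry just above uses `module.branch-nsec-gcs.name`; unless this is deliberate, a plan run with the read-only providers file would read a different stage's state, or fail to read it at all. As far as this diff shows, the read-only account `branch-nsec-r-sa` is granted `roles/storage.objectViewer` only on the nsec bucket in branch-nsec.tf, which also suggests the intended line is `bucket = module.branch-nsec-gcs.name`. This is pre-existing rather than introduced by the rename, but the commit already rewrites the surrounding lines, so it is a good moment to align the two entries. The enclosing `locals` block starts before this hunk.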
@@ -370,8 +370,8 @@ locals {
gke-dev-r = try(module.branch-gke-dev-r-sa[0].email, null)
gke-prod = try(module.branch-gke-prod-sa[0].email, null)
gke-prod-r = try(module.branch-gke-prod-r-sa[0].email, null)
- netsec = module.branch-netsec-sa.email
- netsec-r = module.branch-netsec-r-sa.email
+ nsec = module.branch-nsec-sa.email
+ nsec-r = module.branch-nsec-r-sa.email
networking = module.branch-network-sa.email
networking-r = module.branch-network-r-sa.email
project-factory = try(module.branch-pf-sa[0].email, null)
@@ -505,7 +505,7 @@ output "project_factories" {
# ready to use provider configurations for subsequent stages
output "providers" {
- # tfdoc:output:consumers 02-networking 02-security 03-dataplatform 03-netsec
+ # tfdoc:output:consumers 02-networking 02-security 03-dataplatform 03-network-security
description = "Terraform provider files for this stage and dependent stages."
sensitive = true
value = local.providers
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index f5d8bf90f1..f9f39ea14e 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -56,7 +56,7 @@ variable "cicd_repositories" {
branch = optional(string)
identity_provider = optional(string)
}))
- netsec = optional(object({
+ nsec = optional(object({
name = string
type = string
branch = optional(string)
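Review bot: Renaming the `netsec` attribute of `cicd_repositories` to `nsec` is a breaking change for anyone whose tfvars already sets `cicd_repositories.netsec`: as far as I know Terraform rejects attributes that are not declared in an object type constraint, so existing configurations fail at plan time rather than silently losing the CI/CD service accounts. Because the same key gates `for_each` on the CI/CD modules in cicd-netsec.tf and feeds the `nsec` workflow entry in outputs.tf, the rename should be called out as a migration step in the stage README or changelog, or the old key kept alongside the new one for a release with a deprecation note. The `cicd_repositories` variable block starts and ends outside this hunk.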
diff --git a/fast/stages/3-network-security/README.md b/fast/stages/3-network-security/README.md
index 9e5cf2ad22..6e9a519059 100644
--- a/fast/stages/3-network-security/README.md
+++ b/fast/stages/3-network-security/README.md
@@ -57,7 +57,7 @@ The commands to link or copy the provider and terraform variable files can be ea
# copy and paste the following commands for '3-network-security'
-ln -s ~/fast-config/providers/3-netsec-providers.tf ./
+ln -s ~/fast-config/providers/3-network-security-providers.tf ./
ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./
ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./
ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./
@@ -69,7 +69,7 @@ ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./
# copy and paste the following commands for '3-network-security'
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-netsec-providers.tf ./
+gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-network-security-providers.tf ./
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./
gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./