diff --git a/fast/stage-links.sh b/fast/stage-links.sh
index a814fa0f55..b690066d3b 100755
--- a/fast/stage-links.sh
+++ b/fast/stage-links.sh
@@ -90,13 +90,13 @@ case $STAGE_NAME in
 "3-network-security"*)
 if [[ -z "$TENANT" ]]; then
 echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again"
- PROVIDER="providers/3-netsec-providers.tf"
+ PROVIDER="providers/3-network-security-providers.tf"
 TFVARS="tfvars/0-bootstrap.auto.tfvars.json tfvars/1-resman.auto.tfvars.json tfvars/2-networking.auto.tfvars.json"
 else
 unset GLOBALS
- PROVIDER="tenants/$TENANT/providers/3-netsec-providers.tf"
+ PROVIDER="tenants/$TENANT/providers/3-network-security-providers.tf"
 TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json tenants/$TENANT/tfvars/1-resman.auto.tfvars.json tenants/$TENANT/tfvars/2-networking.auto.tfvars.json"
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 7159e6f7d5..3e9ad6dc34 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -236,8 +236,8 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
 | [branch-data-platform.tf](./branch-data-platform.tf) | Data Platform stages resources. | folder · gcs · iam-service-account | |
 | [branch-gcve.tf](./branch-gcve.tf) | GCVE stage resources. | folder · gcs · iam-service-account | |
 | [branch-gke.tf](./branch-gke.tf) | GKE multitenant stage resources. | folder · gcs · iam-service-account | |
-| [branch-netsec.tf](./branch-netsec.tf) | Network security stage resources. | gcs · iam-service-account | |
 | [branch-networking.tf](./branch-networking.tf) | Networking stage resources. | folder · gcs · iam-service-account | |
+| [branch-nsec.tf](./branch-nsec.tf) | Network security stage resources. | gcs · iam-service-account | |
 | [branch-project-factory.tf](./branch-project-factory.tf) | Project factory stage resources. | gcs · iam-service-account | |
 | [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | folder · gcs · iam-service-account | |
 | [branch-security.tf](./branch-security.tf) | Security stage resources. | folder · gcs · iam-service-account | |
@@ -270,7 +270,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
 | [logging](variables-fast.tf#L95) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
 | [organization](variables-fast.tf#L108) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
 | [prefix](variables-fast.tf#L126) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
-| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
+| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
 | [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [factories_config](variables.tf#L122) | Configuration for the resource factories or external data. | object({…}) | | {} | |
 | [fast_features](variables.tf#L133) | Selective control for top-level FAST features. | object({…}) | | {} | |
@@ -294,7 +294,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
 | [gke_multitenant](outputs.tf#L458) | Data for the GKE multitenant stage. | | 03-gke-multitenant |
 | [networking](outputs.tf#L479) | Data for the networking stage. | | |
 | [project_factories](outputs.tf#L488) | Data for the project factories stage. | | |
-| [providers](outputs.tf#L507) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-netsec |
+| [providers](outputs.tf#L507) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security |
 | [sandbox](outputs.tf#L514) | Data for the sandbox stage. | | xx-sandbox |
 | [security](outputs.tf#L528) | Data for the networking stage. | | 02-security |
 | [tfvars](outputs.tf#L539) | Terraform variable files for the following stages. | ✓ | |
diff --git a/fast/stages/1-resman/branch-networking.tf b/fast/stages/1-resman/branch-networking.tf
index cc6cac29c5..263d1c4aeb 100644
--- a/fast/stages/1-resman/branch-networking.tf
+++ b/fast/stages/1-resman/branch-networking.tf
@@ -28,9 +28,9 @@ locals {
 # read-only (plan) automation service account
 "roles/viewer" = [module.branch-network-r-sa.iam_email]
 "roles/resourcemanager.folderViewer" = [module.branch-network-r-sa.iam_email]
- # netsec service account
- "roles/serviceusage.serviceUsageAdmin" = [module.branch-netsec-sa.iam_email]
- (var.custom_roles["network_firewall_policies_admin"]) = [module.branch-netsec-sa.iam_email]
+ # nsec service account
+ "roles/serviceusage.serviceUsageAdmin" = [module.branch-nsec-sa.iam_email]
+ (var.custom_roles["network_firewall_policies_admin"]) = [module.branch-nsec-sa.iam_email]
 }
 # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
 _network_folder_iam = merge(
diff --git a/fast/stages/1-resman/branch-netsec.tf b/fast/stages/1-resman/branch-nsec.tf
similarity index 81%
rename from fast/stages/1-resman/branch-netsec.tf
rename to fast/stages/1-resman/branch-nsec.tf
index 3d941e1f6e..0fb0299c3c 100644
--- a/fast/stages/1-resman/branch-netsec.tf
+++ b/fast/stages/1-resman/branch-nsec.tf
@@ -18,16 +18,16 @@
 # automation service account
-module "branch-netsec-sa" {
+module "branch-nsec-sa" {
 source = "../../../modules/iam-service-account"
 project_id = var.automation.project_id
- name = "prod-resman-netsec-0"
+ name = "prod-resman-nsec-0"
 display_name = "Terraform resman network security service account."
 prefix = var.prefix
 service_account_create = var.root_node == null
 iam = {
 "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-netsec-sa-cicd[0].iam_email, null)
+ try(module.branch-nsec-sa-cicd[0].iam_email, null)
 ])
 }
 iam_project_roles = {
@@ -40,15 +40,15 @@ module "branch-netsec-sa" {
 # automation read-only service account
-module "branch-netsec-r-sa" {
+module "branch-nsec-r-sa" {
 source = "../../../modules/iam-service-account"
 project_id = var.automation.project_id
- name = "prod-resman-netsec-0r"
+ name = "prod-resman-nsec-0r"
 display_name = "Terraform resman network security service account (read-only)."
 prefix = var.prefix
 iam = {
 "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-netsec-r-sa-cicd[0].iam_email, null)
+ try(module.branch-nsec-r-sa-cicd[0].iam_email, null)
 ])
 }
 iam_project_roles = {
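Review bot: Changing `name` on `branch-nsec-sa` and `branch-nsec-r-sa` (`prod-resman-netsec-0` → `prod-resman-nsec-0`, and the `-0r` counterpart) is not a cosmetic rename: the account id is part of the resource identity, so on an existing deployment Terraform will plan to destroy the old service accounts and create new ones, which also invalidates every downstream provider file and binding that embeds the old email until re-applied. The same applies to the `branch-nsec-gcs` bucket in the `@@ -61` hunk, which holds the network-security stage state with `versioning = true`, and to the CI/CD accounts in cicd-netsec.tf (`@@ -17` and `@@ -54`). Renaming the module labels alone already changes the resource addresses and needs `moved` blocks (e.g. `moved { from = module.branch-netsec-sa to = module.branch-nsec-sa }`) to avoid replacement; a `moved` block cannot cover the `name` attribute change. If the goal is only to align identifiers with the stage rename, keep `name = "prod-resman-netsec-0"` (and the other original names) and change only the labels, or ship a documented state/bucket migration with the change; I cannot tell from this diff whether such a migration exists elsewhere.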
@@ -61,16 +61,16 @@ module "branch-netsec-r-sa" {
 # automation bucket
-module "branch-netsec-gcs" {
+module "branch-nsec-gcs" {
 source = "../../../modules/gcs"
 project_id = var.automation.project_id
- name = "prod-resman-netsec-0"
+ name = "prod-resman-nsec-0"
 prefix = var.prefix
 location = var.locations.gcs
 storage_class = local.gcs_storage_class
 versioning = true
 iam = {
- "roles/storage.objectAdmin" = [module.branch-netsec-sa.iam_email]
- "roles/storage.objectViewer" = [module.branch-netsec-r-sa.iam_email]
+ "roles/storage.objectAdmin" = [module.branch-nsec-sa.iam_email]
+ "roles/storage.objectViewer" = [module.branch-nsec-r-sa.iam_email]
 }
 }
diff --git a/fast/stages/1-resman/cicd-netsec.tf b/fast/stages/1-resman/cicd-netsec.tf
index 42810bd942..335acf18d2 100644
--- a/fast/stages/1-resman/cicd-netsec.tf
+++ b/fast/stages/1-resman/cicd-netsec.tf
@@ -17,17 +17,17 @@
 # tfdoc:file:description CI/CD resources for the networking branch.
 # read-write (apply) SA used by CI/CD workflows
-# to impersonate netsec automation SA
+# to impersonate nsec automation SA
-module "branch-netsec-sa-cicd" {
+module "branch-nsec-sa-cicd" {
 source = "../../../modules/iam-service-account"
 for_each = (
- try(local.cicd_repositories.netsec.name, null) != null
- ? { 0 = local.cicd_repositories.netsec }
+ try(local.cicd_repositories.nsec.name, null) != null
+ ? { 0 = local.cicd_repositories.nsec }
 : {}
 )
 project_id = var.automation.project_id
- name = "prod-resman-netsec-1"
+ name = "prod-resman-nsec-1"
 display_name = "Terraform CI/CD stage 2 network security service account."
 prefix = var.prefix
 iam = {
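Review bot: The `# tfdoc:file:description CI/CD resources for the networking branch.` header at the top of the `@@ -17` hunk in cicd-netsec.tf still describes the networking branch, while every module in the file is a network-security CI/CD service account; it should read `# tfdoc:file:description CI/CD resources for the network security branch.` so the generated docs stop attributing these accounts to the wrong stage. The file itself also keeps the old `cicd-netsec.tf` name while its sibling became `branch-nsec.tf`, so renaming it to `cicd-nsec.tf` would keep the layout consistent with the rest of this change (same for the `@@ -54` hunk). Both module blocks start inside the hunks but end outside them.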
@@ -54,17 +54,17 @@ module "branch-netsec-sa-cicd" {
 }
 }
-# read-only (plan) SA used by CI/CD workflows to impersonate netsec automation SA
+# read-only (plan) SA used by CI/CD workflows to impersonate nsec automation SA
-module "branch-netsec-r-sa-cicd" {
+module "branch-nsec-r-sa-cicd" {
 source = "../../../modules/iam-service-account"
 for_each = (
- try(local.cicd_repositories.netsec.name, null) != null
- ? { 0 = local.cicd_repositories.netsec }
+ try(local.cicd_repositories.nsec.name, null) != null
+ ? { 0 = local.cicd_repositories.nsec }
 : {}
 )
 project_id = var.automation.project_id
- name = "prod-resman-netsec-1r"
+ name = "prod-resman-nsec-1r"
 display_name = "Terraform CI/CD stage 2 network security service account (read-only)."
 prefix = var.prefix
 iam = {
diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf
index a37946f862..a5ff698c5f 100644
--- a/fast/stages/1-resman/iam.tf
+++ b/fast/stages/1-resman/iam.tf
@@ -24,12 +24,12 @@ locals {
 member = module.branch-network-sa.iam_email
 role = "roles/compute.orgFirewallPolicyAdmin"
 }
- sa_net_netsec_fw_policy_admin = {
- member = module.branch-netsec-sa.iam_email
+ sa_net_nsec_fw_policy_admin = {
+ member = module.branch-nsec-sa.iam_email
 role = "roles/compute.orgFirewallPolicyAdmin"
 }
- sa_net_netsec_ngfw_enterprise_admin = {
- member = module.branch-netsec-sa.iam_email
+ sa_net_nsec_ngfw_enterprise_admin = {
+ member = module.branch-nsec-sa.iam_email
 role = local.custom_roles["ngfw_enterprise_admin"],
 }
 sa_net_xpn_admin = {
diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf
index 975cbbde9a..4dac75cef8 100644
--- a/fast/stages/1-resman/outputs.tf
+++ b/fast/stages/1-resman/outputs.tf
@@ -83,14 +83,14 @@ locals {
 }
 tf_var_files = local.cicd_workflow_var_files.stage_3
 }
- netsec = {
+ nsec = {
 service_accounts = {
- apply = try(module.branch-netsec-sa-cicd[0].email, null)
- plan = try(module.branch-netsec-r-sa-cicd[0].email, null)
+ apply = try(module.branch-nsec-sa-cicd[0].email, null)
+ plan = try(module.branch-nsec-r-sa-cicd[0].email, null)
 }
 tf_providers_files = {
- apply = "3-netsec-providers.tf"
- plan = "3-netsec-r-providers.tf"
+ apply = "3-network-security-providers.tf"
+ plan = "3-network-security-r-providers.tf"
 }
 tf_var_files = local.cicd_workflow_var_files.stage_3
 }
@@ -209,17 +209,17 @@ locals {
 name = "security"
 sa = module.branch-security-r-sa.email
 })
- "3-netsec" = templatefile(local._tpl_providers, {
+ "3-network-security" = templatefile(local._tpl_providers, {
 backend_extra = null
- bucket = module.branch-netsec-gcs.name
- name = "netsec"
- sa = module.branch-netsec-sa.email
+ bucket = module.branch-nsec-gcs.name
+ name = "network-security"
+ sa = module.branch-nsec-sa.email
 })
- "3-netsec-r" = templatefile(local._tpl_providers, {
+ "3-network-security-r" = templatefile(local._tpl_providers, {
 backend_extra = null
 bucket = module.branch-network-gcs.name
- name = "netsec"
- sa = module.branch-netsec-r-sa.email
+ name = "network-security"
+ sa = module.branch-nsec-r-sa.email
 })
 },
 {
@@ -370,8 +370,8 @@ locals {
 gke-dev-r = try(module.branch-gke-dev-r-sa[0].email, null)
 gke-prod = try(module.branch-gke-prod-sa[0].email, null)
 gke-prod-r = try(module.branch-gke-prod-r-sa[0].email, null)
- netsec = module.branch-netsec-sa.email
- netsec-r = module.branch-netsec-r-sa.email
+ nsec = module.branch-nsec-sa.email
+ nsec-r = module.branch-nsec-r-sa.email
 networking = module.branch-network-sa.email
 networking-r = module.branch-network-r-sa.email
 project-factory = try(module.branch-pf-sa[0].email, null)
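Review bot: In the `"3-network-security-r"` provider block of the `@@ -209` hunk the backend bucket is still the context line `bucket = module.branch-network-gcs.name`, whereas the read-write `"3-network-security"` block directly above it uses `module.branch-nsec-gcs.name`, and the `@@ -61` hunk in branch-nsec.tf grants `branch-nsec-r-sa` `roles/storage.objectViewer` only on that nsec bucket. If the read-only provider is meant to plan against the network-security stage's own state, the line should be `bucket = module.branch-nsec-gcs.name`; as written, plan runs would point at the networking stage's state bucket and would presumably fail on access unless the read-only SA is granted rights on that bucket somewhere outside this diff. The rename touches the two lines around it without changing this one, so it may be deliberate, in which case a one-line comment explaining why the plan provider uses the networking bucket would stop the next reader from "fixing" it.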
@@ -505,7 +505,7 @@ output "project_factories" {
 # ready to use provider configurations for subsequent stages
 output "providers" {
- # tfdoc:output:consumers 02-networking 02-security 03-dataplatform 03-netsec
+ # tfdoc:output:consumers 02-networking 02-security 03-dataplatform 03-network-security
 description = "Terraform provider files for this stage and dependent stages."
 sensitive = true
 value = local.providers
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index f5d8bf90f1..f9f39ea14e 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -56,7 +56,7 @@ variable "cicd_repositories" {
 branch = optional(string)
 identity_provider = optional(string)
 }))
- netsec = optional(object({
+ nsec = optional(object({
 name = string
 type = string
 branch = optional(string)
diff --git a/fast/stages/3-network-security/README.md b/fast/stages/3-network-security/README.md
index 9e5cf2ad22..6e9a519059 100644
--- a/fast/stages/3-network-security/README.md
+++ b/fast/stages/3-network-security/README.md
@@ -57,7 +57,7 @@ The commands to link or copy the provider and terraform variable files can be ea
 # copy and paste the following commands for '3-network-security'
-ln -s ~/fast-config/providers/3-netsec-providers.tf ./
+ln -s ~/fast-config/providers/3-network-security-providers.tf ./
 ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./
 ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./
 ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./
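Review bot: Renaming the `netsec` attribute of `cicd_repositories` to `nsec` in the variables.tf hunk changes the user-facing input contract: any existing tfvars that still set `cicd_repositories.netsec` will, as far as I recall Terraform's object type conversion, be rejected with an "attribute not expected" error rather than silently ignored, and nothing in the README rows touched by this commit mentions the rename. A short upgrade note in the stage README or changelog, along the lines of `the cicd_repositories.netsec key has been renamed to nsec`, would turn a confusing failure into an expected one. The `variable "cicd_repositories"` block starts and ends outside this hunk.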
@@ -69,7 +69,7 @@ ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./
 # copy and paste the following commands for '3-network-security'
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-netsec-providers.tf ./
+gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-network-security-providers.tf ./
 gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./
 gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./
 gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./