diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 1d5b696786..83a15b1348 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -678,7 +678,7 @@ The remaining configuration is manual, as it regards the repositories themselves
| [org_policies_config](variables.tf#L271) | Organization policies customization. | object({…})
| | {}
| |
| [outputs_location](variables.tf#L299) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
| [project_parent_ids](variables.tf#L314) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…})
| | {}
| |
-| [resource_names](variables.tf#L325) | Resource names overrides for specific resources. Check the code to determine which overrides are supported. | object({…})
| | {}
| |
+| [resource_names](variables.tf#L325) | Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type. | object({…})
| | {}
| |
| [workforce_identity_providers](variables.tf#L357) | Workforce Identity Federation pools. | map(object({…}))
| | {}
| |
| [workload_identity_providers](variables.tf#L373) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…}))
| | {}
| |
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index ee4262dee1..e1fd0bd9f1 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -323,7 +323,7 @@ variable "project_parent_ids" {
}
variable "resource_names" {
- description = "Resource names overrides for specific resources. Check the code to determine which overrides are supported."
+ description = "Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type."
type = object({
bq-billing = optional(string, "billing_export")
bq-logs = optional(string, "logs")
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index f70125fa59..c77e56f7a2 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -278,9 +278,10 @@ terraform apply
| [groups](variables-fast.tf#L88) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…})
| | {}
| 0-bootstrap
|
| [locations](variables-fast.tf#L103) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {}
| 0-bootstrap
|
| [outputs_location](variables.tf#L31) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
+| [resource_names](variables.tf#L37) | Resource names overrides for specific resources. Stage names are interpolated via `$${name}`. Prefix is always set via code, except where noted in the variable type. | object({…})
| | {}
| |
| [root_node](variables-fast.tf#L153) | Root node for the hierarchy, if running in tenant mode. | string
| | null
| 0-bootstrap
|
-| [tag_names](variables.tf#L37) | Customized names for resource management tags. | object({…})
| | {}
| |
-| [tags](variables.tf#L51) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
| |
+| [tag_names](variables.tf#L62) | Customized names for resource management tags. | object({…})
| | {}
| |
+| [tags](variables.tf#L76) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
| |
| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…}))
| | {}
| |
## Outputs
diff --git a/fast/stages/1-resman/stage-2-network-security.tf b/fast/stages/1-resman/stage-2-network-security.tf
index e0679a5454..627fe50087 100644
--- a/fast/stages/1-resman/stage-2-network-security.tf
+++ b/fast/stages/1-resman/stage-2-network-security.tf
@@ -17,10 +17,12 @@
# automation service accounts
module "nsec-sa-rw" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.network_security.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.network_security.short_name}-0"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.network_security.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-nsec_rw"], {
+ name = var.fast_stage_2.network_security.short_name
+ })
display_name = "Terraform resman network security main service account."
prefix = var.prefix
iam = {
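Review bot: The `templatestring(var.resource_names["sa-nsec_rw"], { ... })` call needs a Terraform release that provides `templatestring` (1.9 or later, as far as I know), and this diff shows no `required_version` change for the stage. If the constraint still admits older releases, plan fails with an unknown-function error rather than a clear version message. The same call is added in every other hunk of the stage-2-*.tf, stage-3.tf and stage-cicd.tf files. I would confirm the stage's version constraint and add a one-line comment at this first use, such as `# template is rendered with "name" only; see var.resource_names`. The module block continues past the end of this hunk.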
@@ -37,10 +39,12 @@ module "nsec-sa-rw" {
}
module "nsec-sa-ro" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.network_security.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.network_security.short_name}-0r"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.network_security.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-nsec_ro"], {
+ name = var.fast_stage_2.network_security.short_name
+ })
display_name = "Terraform resman network security main service account (read-only)."
prefix = var.prefix
iam = {
@@ -62,7 +66,9 @@ module "nsec-bucket" {
source = "../../../modules/gcs"
count = var.fast_stage_2.network_security.enabled ? 1 : 0
project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.network_security.short_name}-0"
+ name = templatestring(var.resource_names["gcs-nsec"], {
+ name = var.fast_stage_2.network_security.short_name
+ })
prefix = var.prefix
location = var.locations.gcs
versioning = true
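Review bot: Neither this hunk nor the `resource_names` description says that the rendered `name` is an immutable identifier: GCS bucket names and service account IDs cannot be changed in place, so editing an override after the first apply makes Terraform plan a destroy and recreate. For this bucket (`versioning = true`, presumably holding the stage's Terraform state) the object history would go with the old bucket, and a recreated service account comes back as a new identity, so grants made outside this stage to the old one would no longer apply. The same holds for the other bucket and service account hunks in this commit. I would append to the variable description `Changing a name after the first apply replaces the resource.` The module block continues outside this hunk.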
diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf
index 54579d3ee9..ed11edead2 100644
--- a/fast/stages/1-resman/stage-2-networking.tf
+++ b/fast/stages/1-resman/stage-2-networking.tf
@@ -172,10 +172,12 @@ module "net-folder-dev" {
# automation service accounts
module "net-sa-rw" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.networking.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.networking.short_name}-0"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.networking.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-net_rw"], {
+ name = var.fast_stage_2.networking.short_name
+ })
display_name = "Terraform resman networking service account."
prefix = var.prefix
service_account_create = var.root_node == null
@@ -193,10 +195,12 @@ module "net-sa-rw" {
}
module "net-sa-ro" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.networking.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.networking.short_name}-0r"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.networking.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-net_ro"], {
+ name = var.fast_stage_2.networking.short_name
+ })
display_name = "Terraform resman networking service account (read-only)."
prefix = var.prefix
iam = {
@@ -218,7 +222,9 @@ module "net-bucket" {
source = "../../../modules/gcs"
count = var.fast_stage_2.networking.enabled ? 1 : 0
project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.networking.short_name}-0"
+ name = templatestring(var.resource_names["gcs-net"], {
+ name = var.fast_stage_2.networking.short_name
+ })
prefix = var.prefix
location = var.locations.gcs
versioning = true
diff --git a/fast/stages/1-resman/stage-2-project-factory.tf b/fast/stages/1-resman/stage-2-project-factory.tf
index f001c3cd03..8b40daf745 100644
--- a/fast/stages/1-resman/stage-2-project-factory.tf
+++ b/fast/stages/1-resman/stage-2-project-factory.tf
@@ -17,10 +17,12 @@
# automation service accounts
module "pf-sa-rw" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.project_factory.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.project_factory.short_name}-0"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.project_factory.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-pf_rw"], {
+ name = var.fast_stage_2.project_factory.short_name
+ })
display_name = "Terraform resman project factory main service account."
prefix = var.prefix
iam = {
@@ -37,10 +39,12 @@ module "pf-sa-rw" {
}
module "pf-sa-ro" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.project_factory.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.project_factory.short_name}-0r"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.project_factory.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-pf_ro"], {
+ name = var.fast_stage_2.project_factory.short_name
+ })
display_name = "Terraform resman project factory main service account (read-only)."
prefix = var.prefix
iam = {
@@ -62,7 +66,9 @@ module "pf-bucket" {
source = "../../../modules/gcs"
count = var.fast_stage_2.project_factory.enabled ? 1 : 0
project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.project_factory.short_name}-0"
+ name = templatestring(var.resource_names["gcs-pf"], {
+ name = var.fast_stage_2.project_factory.short_name
+ })
prefix = var.prefix
location = var.locations.gcs
versioning = true
diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf
index fba63aa60e..70dec2246a 100644
--- a/fast/stages/1-resman/stage-2-security.tf
+++ b/fast/stages/1-resman/stage-2-security.tf
@@ -165,10 +165,12 @@ module "sec-folder-dev" {
# automation service accounts
module "sec-sa-rw" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.security.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.security.short_name}-0"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.security.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-sec_rw"], {
+ name = var.fast_stage_2.security.short_name
+ })
display_name = "Terraform resman security service account."
prefix = var.prefix
service_account_create = var.root_node == null
@@ -186,10 +188,12 @@ module "sec-sa-rw" {
}
module "sec-sa-ro" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.security.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.security.short_name}-0r"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.security.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-sec_ro"], {
+ name = var.fast_stage_2.security.short_name
+ })
display_name = "Terraform resman security service account (read-only)."
prefix = var.prefix
iam = {
@@ -211,7 +215,9 @@ module "sec-bucket" {
source = "../../../modules/gcs"
count = var.fast_stage_2.security.enabled ? 1 : 0
project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.security.short_name}-0"
+ name = templatestring(var.resource_names["gcs-sec"], {
+ name = var.fast_stage_2.security.short_name
+ })
prefix = var.prefix
location = var.locations.gcs
versioning = true
diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf
index 9e03b48f0d..6f86433a77 100644
--- a/fast/stages/1-resman/stage-3.tf
+++ b/fast/stages/1-resman/stage-3.tf
@@ -156,7 +156,9 @@ module "stage3-sa-rw" {
source = "../../../modules/iam-service-account"
for_each = local.stage3
project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-0"
+ name = templatestring(var.resource_names["sa-stage3_rw"], {
+ name = each.value.short_name
+ })
display_name = (
"Terraform resman ${each.key} service account."
)
@@ -178,7 +180,9 @@ module "stage3-sa-ro" {
source = "../../../modules/iam-service-account"
for_each = local.stage3
project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-0r"
+ name = templatestring(var.resource_names["sa-stage3_ro"], {
+ name = each.value.short_name
+ })
display_name = (
"Terraform resman ${each.key} service account (read-only)."
)
@@ -202,7 +206,9 @@ module "stage3-bucket" {
source = "../../../modules/gcs"
for_each = local.stage3
project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-0"
+ name = templatestring(var.resource_names["gcs-stage3"], {
+ name = each.value.short_name
+ })
prefix = "${var.prefix}-${each.value.environment}"
location = var.locations.gcs
versioning = true
diff --git a/fast/stages/1-resman/stage-cicd.tf b/fast/stages/1-resman/stage-cicd.tf
index 1e44acb295..1ed22407a4 100644
--- a/fast/stages/1-resman/stage-cicd.tf
+++ b/fast/stages/1-resman/stage-cicd.tf
@@ -59,7 +59,9 @@ module "cicd-sa-rw" {
source = "../../../modules/iam-service-account"
for_each = local.cicd_repositories
project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-1"
+ name = templatestring(var.resource_names["sa-cicd_rw"], {
+ name = each.value.short_name
+ })
display_name = (
"CI/CD ${each.value.lvl}-${each.value.short_name} ${each.value.env} service account."
)
@@ -92,7 +94,9 @@ module "cicd-sa-ro" {
source = "../../../modules/iam-service-account"
for_each = local.cicd_repositories
project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-1r"
+ name = templatestring(var.resource_names["sa-cicd_ro"], {
+ name = each.value.short_name
+ })
display_name = (
"CI/CD ${each.value.lvl}-${each.value.short_name} ${each.value.env} service account (read-only)."
)
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index 6443f02dc8..6c88f052ad 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -34,6 +34,31 @@ variable "outputs_location" {
default = null
}
+variable "resource_names" {
+ description = "Resource names overrides for specific resources. Stage names are interpolated via `$${name}`. Prefix is always set via code, except where noted in the variable type."
+ type = object({
+ gcs-net = optional(string, "prod-resman-$${name}-0")
+ gcs-nsec = optional(string, "resman-$${name}-0")
+ gcs-pf = optional(string, "resman-$${name}-0")
+ gcs-sec = optional(string, "prod-resman-$${name}-0")
+ gcs-stage3 = optional(string, "resman-$${name}-0")
+ sa-cicd_ro = optional(string, "resman-$${name}-1r")
+ sa-cicd_rw = optional(string, "resman-$${name}-1")
+ sa-net_ro = optional(string, "prod-resman-$${name}-0r")
+ sa-net_rw = optional(string, "prod-resman-$${name}-0")
+ sa-pf_ro = optional(string, "resman-$${name}-0r")
+ sa-pf_rw = optional(string, "resman-$${name}-0")
+ sa-nsec_ro = optional(string, "resman-$${name}-0r")
+ sa-nsec_rw = optional(string, "resman-$${name}-0")
+ sa-sec_ro = optional(string, "prod-resman-$${name}-0r")
+ sa-sec_rw = optional(string, "prod-resman-$${name}-0")
+ sa-stage3_ro = optional(string, "resman-$${name}-0r")
+ sa-stage3_rw = optional(string, "resman-$${name}-0")
+ })
+ nullable = false
+ default = {}
+}
+
variable "tag_names" {
description = "Customized names for resource management tags."
type = object({
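Review bot: The new `resource_names` variable has no `validation` block, so an override that drops `$${name}` is accepted; for the `for_each` modules in stage-3.tf and stage-cicd.tf (`gcs-stage3`, `sa-stage3_*`, `sa-cicd_*`) every instance would then render the same name and collide at apply time. Nothing here stops an `_rw` and its `_ro` template from being set to the same string either, in which case the read-write and read-only accounts of a stage would request the same ID. A validation along the lines below catches the first case at plan time. It is a literal match, so a template written as `$${ name }` would need the check loosened.

```hcl
  nullable = false
  default  = {}
  # names rendered inside for_each must vary per instance
  validation {
    condition = alltrue([
      for k in ["gcs-stage3", "sa-cicd_ro", "sa-cicd_rw", "sa-stage3_ro", "sa-stage3_rw"] :
      strcontains(var.resource_names[k], "$${name}")
    ])
    error_message = "Templates for stage 3 and CI/CD resources must contain $${name}."
  }
```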