Refactoring business-units example, add billing and org IAM handling

foundations/business-units/README.md

@@ -19,7 +19,7 @@ This sample creates several distinct groups of resources:
 - one project in the shared folder to set up and host centralized audit log exports
 - one project in the shared folder to hold services used across environments like GCS, GCR, KMS, Cloud Build, etc.
 
-The number of resources in this sample is kept to a minimum so as to make it generally applicable, more resources can be easily added by leveraging the full array of [Cloud Foundation Toolkit modules](https://github.com/terraform-google-modules), especially in the shared services project.
+The number of resources in this sample is kept to a minimum so as to make it generally applicable, more resources can be easily added by leveraging other [modules from our bundle](../../modules/), or from other sources like the [CFT suite](https://github.com/terraform-google-modules).
 
 ## Shared services
 
@@ -31,37 +31,34 @@ This sample uses a top-level folder to encapsulate projects that host resources
 | name | description | type | required | default |
 |---|---|:---: |:---:|:---:|
 | billing_account_id | Billing account id used as default for new projects. | <code title="">string</code> | ✓ |  |
-| business_unit_1_name | Business unit 1 short name. | <code title="">string</code> | ✓ |  |
-| business_unit_2_name | Business unit 2 short name. | <code title="">string</code> | ✓ |  |
-| business_unit_3_name | Business unit 3 short name. | <code title="">string</code> | ✓ |  |
-| environments | Environment short names. | <code title="list&#40;string&#41;">list(string)</code> | ✓ |  |
 | organization_id | Organization id. | <code title="">string</code> | ✓ |  |
 | prefix | Prefix used for resources that need unique names. | <code title="">string</code> | ✓ |  |
 | root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code title="">string</code> | ✓ |  |
-| *audit_viewers* | Audit project viewers, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
-| *gcs_location* | GCS bucket location. | <code title="">string</code> |  | <code title="">EU</code> |
+| *audit_filter* | Audit log filter used for the log sink. | <code title="">string</code> |  | <code title="&#60;&#60;END&#10;logName: &#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Factivity&#34;&#10;OR&#10;logName: &#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fsystem_event&#34;&#10;END">...</code> |
+| *business_unit_bi* | Business unit BI configuration. | <code title="object&#40;&#123;&#10;name                  &#61; string&#10;short_name            &#61; string&#10;iam_roles             &#61; list&#40;string&#41;&#10;iam_members           &#61; map&#40;list&#40;string&#41;&#41;&#10;environment_iam_roles &#61; list&#40;string&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;name        &#61; &#34;Business Intelligence&#34;,&#10;short_name  &#61; &#34;bi&#34;&#10;iam_roles   &#61; &#91;&#93;,&#10;iam_members &#61; &#123;&#125;,&#10;environment_iam_roles &#61; &#91;&#10;&#34;roles&#47;compute.networkAdmin&#34;,&#10;&#34;roles&#47;owner&#34;,&#10;&#34;roles&#47;resourcemanager.folderAdmin&#34;,&#10;&#34;roles&#47;resourcemanager.projectCreator&#34;,&#10;&#93;&#10;&#125;">...</code> |
+| *business_unit_ml* | Business unit ML configuration. | <code title="object&#40;&#123;&#10;name                  &#61; string&#10;short_name            &#61; string&#10;iam_roles             &#61; list&#40;string&#41;&#10;iam_members           &#61; map&#40;list&#40;string&#41;&#41;&#10;environment_iam_roles &#61; list&#40;string&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;name        &#61; &#34;Machine Learning&#34;,&#10;short_name  &#61; &#34;ml&#34;&#10;iam_roles   &#61; &#91;&#93;,&#10;iam_members &#61; &#123;&#125;,&#10;environment_iam_roles &#61; &#91;&#10;&#34;roles&#47;compute.networkAdmin&#34;,&#10;&#34;roles&#47;owner&#34;,&#10;&#34;roles&#47;resourcemanager.folderAdmin&#34;,&#10;&#34;roles&#47;resourcemanager.projectCreator&#34;,&#10;&#93;&#10;&#125;">...</code> |
+| *environments* | Environment short names. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="&#123;&#10;dev &#61; &#34;Development&#34;, &#10;test &#61; &#34;Testing&#34;, &#10;prod &#61; &#34;Production&#34;&#10;&#125;">...</code> |
+| *gcs_defaults* | Defaults use for the state GCS buckets. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="&#123;&#10;location      &#61; &#34;EU&#34;&#10;storage_class &#61; &#34;MULTI_REGIONAL&#34;&#10;&#125;">...</code> |
 | *generate_service_account_keys* | Generate and store service account keys in the state file. | <code title="">bool</code> |  | <code title="">false</code> |
+| *iam_audit_viewers* | Audit project viewers, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_billing_config* | Control granting billing user role to service accounts. Target the billing account by default. | <code title="object&#40;&#123;&#10;grant      &#61; bool&#10;target_org &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;grant      &#61; true&#10;target_org &#61; false&#10;&#125;">...</code> |
+| *iam_shared_owners* | Shared services project owners, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_terraform_owners* | Terraform project owners, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_xpn_config* | Control granting Shared VPC creation roles to service accounts. Target the root node by default. | <code title="object&#40;&#123;&#10;grant      &#61; bool&#10;target_org &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;grant      &#61; true&#10;target_org &#61; false&#10;&#125;">...</code> |
 | *project_services* | Service APIs enabled by default in new projects. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="&#91;&#10;&#34;resourceviews.googleapis.com&#34;,&#10;&#34;stackdriver.googleapis.com&#34;,&#10;&#93;">...</code> |
-| *shared_bindings_members* | List of comma-delimited IAM-format members for the additional shared project bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
-| *shared_bindings_roles* | List of roles for additional shared project bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *service_account_keys* | Generate and store service account keys in the state file. | <code title="">bool</code> |  | <code title="">false</code> |
 | *terraform_owners* | Terraform project owners, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| audit_logs_bq_dataset | Bigquery dataset for the audit logs export. |  |
 | audit_logs_project | Project that holds the audit logs export resources. |  |
 | bootstrap_tf_gcs_bucket | GCS bucket used for the bootstrap Terraform state. |  |
-| business_unit_1_environment_folders_ids | Business unit 1 environment folders. |  |
-| business_unit_1_folder_id | Business unit 1 top-level folder ID. |  |
-| business_unit_2_environment_folders_ids | Business unit 2 environment folders. |  |
-| business_unit_2_folder_id | Business unit 2 top-level folder ID. |  |
-| business_unit_3_environment_folders_ids | Business unit 3 environment folders. |  |
-| business_unit_3_folder_id | Business unit 3 top-level folder ID. |  |
-| environment_service_account_keys | Service account keys used to run each environment Terraform modules. | ✓ |
-| environment_service_accounts | Service accounts used to run each environment Terraform modules. |  |
-| environment_tf_gcs_buckets | GCS buckets used for each environment Terraform state. |  |
+| bu_bi | Business Unit BI attributes. |  |
+| bu_bi_sa_keys | Business Unit BI Service Accoutns keys. | ✓ |
+| bu_ml | Business Unit ML attributes. |  |
+| bu_ml_sa_keys | Business Unit ML Service Accoutns keys. | ✓ |
 | shared_folder_id | Shared folder ID. |  |
 | shared_resources_project | Project that holdes resources shared across business units. |  |
 | terraform_project | Project that holds the base Terraform resources. |  |

foundations/business-units/main.tf

@@ -1,18 +1,18 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# TODO(averbukh): simplify log-sink parameters once https://github.com/terraform-google-modules/terraform-google-log-export/issues/28 is done.
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
 locals {
   parent_numeric_id             = element(split("/", var.root_node), 1)
@@ -37,14 +37,14 @@ module "shared-folder" {
 # Terraform project
 
 module "tf-project" {
-  source              = "../../modules/project"
-  name                = "terraform"
-  parent              = module.shared-folder.id
-  prefix              = var.prefix
-  billing_account     = var.billing_account_id
-  iam_nonauth_members = { "roles/owner" = var.iam_terraform_owners }
-  iam_nonauth_roles   = ["roles/owner"]
-  services            = var.project_services
+  source               = "../../modules/project"
+  name                 = "terraform"
+  parent               = module.shared-folder.id
+  prefix               = var.prefix
+  billing_account      = var.billing_account_id
+  iam_additive_members = { "roles/owner" = var.iam_terraform_owners }
+  iam_additive_roles   = ["roles/owner"]
+  services             = var.project_services
 }
 
 # Bootstrap Terraform state GCS bucket
@@ -73,11 +73,13 @@ module "busines-unit-bi" {
   gcs_defaults          = var.gcs_defaults
   iam_roles             = var.business_unit_bi.iam_roles
   iam_members           = var.business_unit_bi.iam_members
+  iam_xpn_config        = var.iam_xpn_config
+  iam_billing_config    = var.iam_billing_config
   organization_id       = var.organization_id
-  parent                = var.root_node
+  root_node             = var.root_node
   prefix                = var.prefix
   environments          = var.environments
-  generate_keys         = var.generate_keys
+  service_account_keys  = var.service_account_keys
 }
 
 # Business unit ML
@@ -92,11 +94,13 @@ module "busines-unit-ml" {
   gcs_defaults          = var.gcs_defaults
   iam_roles             = var.business_unit_ml.iam_roles
   iam_members           = var.business_unit_ml.iam_members
+  iam_xpn_config        = var.iam_xpn_config
+  iam_billing_config    = var.iam_billing_config
   organization_id       = var.organization_id
-  parent                = var.root_node
+  root_node             = var.root_node
   prefix                = var.prefix
   environments          = var.environments
-  generate_keys         = var.generate_keys
+  service_account_keys  = var.service_account_keys
 }
 
 ###############################################################################
@@ -163,10 +167,10 @@ module "shared-project" {
   parent          = module.shared-folder.id
   prefix          = var.prefix
   billing_account = var.billing_account_id
-  iam_members = {
+  iam_additive_members = {
     "roles/owner" = var.iam_shared_owners
   }
-  iam_roles = [
+  iam_additive_roles = [
     "roles/owner"
   ]
   services = var.project_services

foundations/business-units/outputs.tf

@@ -1,16 +1,18 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
 output "terraform_project" {
   description = "Project that holds the base Terraform resources."
@@ -29,24 +31,34 @@ output "shared_folder_id" {
 
 output "bu_ml" {
   description = "Business Unit ML attributes."
-  value = module.busines-unit-ml.unit
+  value = {
+    unit_folder          = module.busines-unit-ml.unit_folder,
+    env_gcs_buckets      = module.busines-unit-ml.env_gcs_buckets
+    env_folders          = module.busines-unit-ml.env_folders
+    env_service_accounts = module.busines-unit-ml.env_service_accounts
+  }
 }
 
 output "bu_ml_sa_keys" {
   description = "Business Unit ML Service Accoutns keys."
-  sensitive = true
-  value = module.busines-unit-ml.keys
+  sensitive   = true
+  value       = module.busines-unit-ml.env_sa_keys
 }
 
 output "bu_bi" {
   description = "Business Unit BI attributes."
-  value = module.busines-unit-bi.unit
+  value = {
+    unit_folder          = module.busines-unit-bi.unit_folder,
+    env_gcs_buckets      = module.busines-unit-bi.env_gcs_buckets
+    env_folders          = module.busines-unit-bi.env_folders
+    env_service_accounts = module.busines-unit-bi.env_service_accounts
+  }
 }
 
 output "bu_bi_sa_keys" {
   description = "Business Unit BI Service Accoutns keys."
-  sensitive = true
-  value = module.busines-unit-bi.keys
+  sensitive   = true
+  value       = module.busines-unit-bi.env_sa_keys
 }
 
 output "audit_logs_project" {
@@ -60,4 +72,4 @@ output "shared_resources_project" {
 }
 
 # Add further outputs here for the additional modules that manage shared
-# resources, like GCR, GCS buckets, KMS, etc.
+# resources, like GCR, GCS buckets, KMS, etc.

foundations/business-units/providers.tf

@@ -1,15 +1,17 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
-provider "google" {}
+provider "google" {}

foundations/business-units/terraform.tfvars.sample

@@ -0,0 +1,19 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+billing_account_id = "014617-19UCBC-AF02D9"
+organization_id= "500001140800"
+prefix = "xyz"
+root_node = "folders/9572793983696"
+generate_keys = true

foundations/business-units/variables.tf

@@ -1,16 +1,18 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
 variable "audit_filter" {
   description = "Audit log filter used for the log sink."
@@ -84,8 +86,8 @@ variable "environments" {
   description = "Environment short names."
   type        = map(string)
   default = {
-    dev = "Development", 
-    test = "Testing", 
+    dev  = "Development",
+    test = "Testing",
     prod = "Production"
   }
 }
@@ -147,8 +149,32 @@ variable "iam_terraform_owners" {
   default     = []
 }
 
-variable "generate_keys" {
-  description = "Generate keys for service accounts."
+variable "service_account_keys" {
+  description = "Generate and store service account keys in the state file."
   type        = bool
   default     = false
 }
+
+variable "iam_xpn_config" {
+  description = "Control granting Shared VPC creation roles to service accounts. Target the root node by default."
+  type = object({
+    grant      = bool
+    target_org = bool
+  })
+  default = {
+    grant      = true
+    target_org = false
+  }
+}
+
+variable "iam_billing_config" {
+  description = "Control granting billing user role to service accounts. Target the billing account by default."
+  type = object({
+    grant      = bool
+    target_org = bool
+  })
+  default = {
+    grant      = true
+    target_org = false
+  }
+}