diff --git a/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml b/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml
index 2d92cce0b3..56fb0719f4 100644
--- a/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml
+++ b/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml
@@ -28,11 +28,11 @@ env:
FAST_SERVICE_ACCOUNT: ${service_account}
FAST_WIF_PROVIDER: ${identity_provider}
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
- %{~ if tf_providers_file != "" ~}
TF_PROVIDERS_FILE: ${tf_providers_file}
+ %{~ if tf_var_files != [] ~}
+ TF_VAR_FILES: ${join("\n ", tf_var_files)}
%{~ endif ~}
- TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
- TF_VERSION: 1.4.4
+ TF_VERSION: 1.5.1
jobs:
fast-pr:
@@ -57,7 +57,7 @@ jobs:
# set up authentication via Workload identity Federation
- id: gcp-auth
name: Authenticate to Google Cloud
- uses: google-github-actions/auth@v0
+ uses: google-github-actions/auth@v2
with:
workload_identity_provider: $${{ env.FAST_WIF_PROVIDER }}
service_account: $${{ env.FAST_SERVICE_ACCOUNT }}
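Review bot: `uses: google-github-actions/auth@v2` pins the action that exchanges the workflow's OIDC token for the FAST service account credentials to a mutable major tag, so the code handling those credentials can change underneath every rendered tenant workflow without a review; pin it to a full-length commit SHA with the tag as a trailing comment, e.g. `uses: google-github-actions/auth@<40-char commit sha> # v2.x.y`, and let Dependabot or Renovate move it. The jump from v0 straight to v2 also crosses a major-version boundary whose behavioural changes are not visible here, so confirm them against the action's release notes before this template is rendered into tenant repositories. The same applies to the identical hunks in the 1-resman-tenant and 1-resman templates. The step's `with:` block may continue past the end of the hunk.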
@@ -73,15 +73,15 @@ jobs:
- id: tf-config
name: Copy Terraform output files
run: |
- %{~ if tf_providers_file != "" ~}
gcloud alpha storage cp -r \
"gs://$${{env.FAST_OUTPUTS_BUCKET}}/providers/$${{env.TF_PROVIDERS_FILE}}" ./
- %{~ endif ~}
+ %{~ if tf_var_files != [] ~}
gcloud alpha storage cp -r \
"gs://$${{env.FAST_OUTPUTS_BUCKET}}/tfvars" ./
for f in $${{env.TF_VAR_FILES}}; do
ln -s "tfvars/$f" ./
done
+ %{~ endif ~}
- id: tf-setup
name: Set up Terraform
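Review bot: Dropping the `%{ if tf_providers_file != "" }` guard around the providers copy means the step now always runs `gcloud alpha storage cp -r "gs://…/providers/${{env.TF_PROVIDERS_FILE}}"`; if this template is ever rendered with an empty `tf_providers_file`, the env hunk above emits an empty `TF_PROVIDERS_FILE`, the object path degrades to the bare `providers/` prefix and `-r` pulls every stage's provider file into the workspace instead of failing. If the intent is that this stage always has a providers file, make that explicit by failing fast before the copy, `test -n "$${{env.TF_PROVIDERS_FILE}}" || { echo "TF_PROVIDERS_FILE is not set" >&2; exit 1; }`; otherwise keep the conditional. The `for f in $${{env.TF_VAR_FILES}}` loop relies on whitespace-splitting the variable, which is fine for the names the template produces but deserves a one-line comment so nobody later adds a file name containing spaces.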
@@ -97,8 +97,8 @@ jobs:
terraform init -no-color
- id: tf-validate
- name: Terraform validate
continue-on-error: true
+ name: Terraform validate
run: terraform validate -no-color
- id: tf-plan
diff --git a/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml b/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml
index 9266a134a8..56fb0719f4 100644
--- a/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml
+++ b/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml
@@ -29,8 +29,10 @@ env:
FAST_WIF_PROVIDER: ${identity_provider}
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
TF_PROVIDERS_FILE: ${tf_providers_file}
- TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
- TF_VERSION: 1.4.4
+ %{~ if tf_var_files != [] ~}
+ TF_VAR_FILES: ${join("\n ", tf_var_files)}
+ %{~ endif ~}
+ TF_VERSION: 1.5.1
jobs:
fast-pr:
@@ -55,7 +57,7 @@ jobs:
# set up authentication via Workload identity Federation
- id: gcp-auth
name: Authenticate to Google Cloud
- uses: google-github-actions/auth@v0
+ uses: google-github-actions/auth@v2
with:
workload_identity_provider: $${{ env.FAST_WIF_PROVIDER }}
service_account: $${{ env.FAST_SERVICE_ACCOUNT }}
@@ -73,11 +75,13 @@ jobs:
run: |
gcloud alpha storage cp -r \
"gs://$${{env.FAST_OUTPUTS_BUCKET}}/providers/$${{env.TF_PROVIDERS_FILE}}" ./
+ %{~ if tf_var_files != [] ~}
gcloud alpha storage cp -r \
"gs://$${{env.FAST_OUTPUTS_BUCKET}}/tfvars" ./
for f in $${{env.TF_VAR_FILES}}; do
ln -s "tfvars/$f" ./
done
+ %{~ endif ~}
- id: tf-setup
name: Set up Terraform
@@ -93,8 +97,8 @@ jobs:
terraform init -no-color
- id: tf-validate
- name: Terraform validate
continue-on-error: true
+ name: Terraform validate
run: terraform validate -no-color
- id: tf-plan
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index c10b2bf321..076586099a 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -597,7 +597,7 @@ The `fast_features` variable consists of 4 toggles:
| [organization](variables.tf#L235) | Organization details. | object({…})
| ✓ | | |
| [prefix](variables.tf#L250) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | |
| [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string
| | null
| |
-| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
+| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
| [custom_roles](variables.tf#L79) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string))
| | {}
| |
| [factories_config](variables.tf#L86) | Configuration for the organization policies factory. | object({…})
| | {}
| |
| [fast_features](variables.tf#L96) | Selective control for top-level FAST features. | object({…})
| | {}
| |
diff --git a/fast/stages/0-bootstrap/identity-providers.tf b/fast/stages/0-bootstrap/identity-providers.tf
index f648f965a8..ca0783597e 100644
--- a/fast/stages/0-bootstrap/identity-providers.tf
+++ b/fast/stages/0-bootstrap/identity-providers.tf
@@ -33,9 +33,10 @@ locals {
"attribute.repository" = "assertion.repository"
"attribute.repository_owner" = "assertion.repository_owner"
"attribute.ref" = "assertion.ref"
+ "attribute.fast_sub" = "\"repo:\" + assertion.repository + \":ref:\" + assertion.ref"
}
issuer_uri = "https://token.actions.githubusercontent.com"
- principal_tpl = "principal://iam.googleapis.com/%s/subject/repo:%s:ref:refs/heads/%s"
+ principal_tpl = "principalSet://iam.googleapis.com/%s/attribute.fast_sub/repo:%s:ref:refs/heads/%s"
principalset_tpl = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
}
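Review bot: The new `attribute.fast_sub` mapping on line 134 rebuilds a subject from `assertion.repository` and `assertion.ref`, and `principal_tpl` now binds `principalSet://…/attribute.fast_sub/…` instead of the token's own `sub`; the binding still names one repository and one branch, but only as long as that concatenation is never loosened, and nothing in the code says why `sub` was abandoned. Add a comment above the mapping, e.g. `# bind on a repository:ref attribute derived from the token instead of on sub, whose shape presumably varies with the trigger (environment, pull_request) — confirm against the GitHub OIDC claim docs`. Because a custom attribute now decides who can impersonate the stage service account, confirm that the provider resource (outside this hunk) sets an `attribute_condition` restricting `assertion.repository_owner` to the expected owner, so tokens from unrelated GitHub repositories cannot be exchanged at the pool at all. If I read the claim layout right, a `pull_request` run carries `ref: refs/pull/N/merge` and so still does not match this branch binding, which is worth stating in the same comment.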
# https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
@@ -89,7 +90,7 @@ resource "google_iam_workload_identity_pool_provider" "default" {
? each.value.custom_settings.issuer_uri
: try(each.value.issuer_uri, null)
)
- # OIDC JWKs in JSON String format. If no value is provided, they key is
+ # OIDC JWKs in JSON String format. If no value is provided, they key is
# fetched from the `.well-known` path for the issuer_uri
jwks_json = each.value.custom_settings.jwks_json
}
diff --git a/fast/stages/0-bootstrap/templates/workflow-github.yaml b/fast/stages/0-bootstrap/templates/workflow-github.yaml
index 74a2e1f8b0..56fb0719f4 100644
--- a/fast/stages/0-bootstrap/templates/workflow-github.yaml
+++ b/fast/stages/0-bootstrap/templates/workflow-github.yaml
@@ -32,7 +32,7 @@ env:
%{~ if tf_var_files != [] ~}
TF_VAR_FILES: ${join("\n ", tf_var_files)}
%{~ endif ~}
- TF_VERSION: 1.4.4
+ TF_VERSION: 1.5.1
jobs:
fast-pr:
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 9980c11893..a20c4465ee 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -34,16 +34,16 @@ variable "cicd_repositories" {
description = "CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed."
type = object({
bootstrap = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
resman = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
})
default = null
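Review bot: `branch` and `identity_provider` become nullable on lines 175-176 and 183-184, but the description on line 168 still reads as if both are required and nothing visible says what a null means; the consumer that turns these into IAM bindings (cicd.tf, outside this diff) decides whether a missing `branch` binds nothing or widens the apply identity from one branch to the whole repository principalSet, which is a trust-boundary change that should be documented next to the variable. Extend the description, e.g. `… `branch` and `identity_provider` are optional; when `branch` is null the workflow identity is bound to <what cicd.tf does> — fill in once confirmed`, and if a federated `type` still requires `identity_provider`, enforce that with a `validation` block rather than letting the render fail or silently skip the binding. The `variable "cicd_repositories"` block continues past the end of the hunk, so an existing validation there may already cover part of this.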
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 8cbaa7f5c5..e1a4637a50 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -357,7 +357,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
| [billing_account](variables.tf#L39) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…})
| ✓ | | 0-bootstrap
|
| [organization](variables.tf#L198) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
| [prefix](variables.tf#L214) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
-| [cicd_repositories](variables.tf#L50) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
+| [cicd_repositories](variables.tf#L50) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
| [custom_roles](variables.tf#L132) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
| [fast_features](variables.tf#L141) | Selective control for top-level FAST features. | object({…})
| | {}
| 0-0-bootstrap
|
| [groups](variables.tf#L155) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…})
| | {}
| 0-bootstrap
|
diff --git a/fast/stages/1-resman/templates/workflow-github.yaml b/fast/stages/1-resman/templates/workflow-github.yaml
index 1d8a555a15..56fb0719f4 100644
--- a/fast/stages/1-resman/templates/workflow-github.yaml
+++ b/fast/stages/1-resman/templates/workflow-github.yaml
@@ -29,8 +29,10 @@ env:
FAST_WIF_PROVIDER: ${identity_provider}
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
TF_PROVIDERS_FILE: ${tf_providers_file}
- TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
- TF_VERSION: 1.4.4
+ %{~ if tf_var_files != [] ~}
+ TF_VAR_FILES: ${join("\n ", tf_var_files)}
+ %{~ endif ~}
+ TF_VERSION: 1.5.1
jobs:
fast-pr:
@@ -73,11 +75,13 @@ jobs:
run: |
gcloud alpha storage cp -r \
"gs://$${{env.FAST_OUTPUTS_BUCKET}}/providers/$${{env.TF_PROVIDERS_FILE}}" ./
+ %{~ if tf_var_files != [] ~}
gcloud alpha storage cp -r \
"gs://$${{env.FAST_OUTPUTS_BUCKET}}/tfvars" ./
for f in $${{env.TF_VAR_FILES}}; do
ln -s "tfvars/$f" ./
done
+ %{~ endif ~}
- id: tf-setup
name: Set up Terraform
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index 849fc6ef7c..d3099f456c 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -51,52 +51,52 @@ variable "cicd_repositories" {
description = "CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed."
type = object({
data_platform_dev = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
data_platform_prod = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
gke_dev = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
gke_prod = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
networking = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
project_factory_dev = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
project_factory_prod = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
security = optional(object({
- branch = string
- identity_provider = string
name = string
type = string
+ branch = optional(string)
+ identity_provider = optional(string)
}))
})
default = null
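Review bot: The same relaxation as in 0-bootstrap is applied to all eight repository entries here, but the description on line 254 is unchanged and gives the reader no way to tell that `branch` and `identity_provider` may now be omitted or what a null does to the resulting IAM binding. Keep the two stages' descriptions in step by adding the same sentence here, e.g. `… `branch` and `identity_provider` are optional; a null `branch` binds <what the consumer does> — fill in once confirmed`, and consider one `validation` block over the eight entries instead of relying on each consumer to treat null the same way. The `variable "cicd_repositories"` block continues past the end of the hunk.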