diff --git a/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml b/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml
index 2d92cce0b3..56fb0719f4 100644
--- a/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml
+++ b/fast/stages-multitenant/0-bootstrap-tenant/templates/workflow-github.yaml
@@ -28,11 +28,11 @@ env:
   FAST_SERVICE_ACCOUNT: ${service_account}
   FAST_WIF_PROVIDER: ${identity_provider}
   SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-  %{~ if tf_providers_file != "" ~}
   TF_PROVIDERS_FILE: ${tf_providers_file}
+  %{~ if tf_var_files != [] ~}
+  TF_VAR_FILES: ${join("\n ", tf_var_files)}
   %{~ endif ~}
-  TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
-  TF_VERSION: 1.4.4
+  TF_VERSION: 1.5.1
 
 jobs:
   fast-pr:
@@ -57,7 +57,7 @@ jobs:
       # set up authentication via Workload identity Federation
       - id: gcp-auth
         name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v0
+        uses: google-github-actions/auth@v2
         with:
           workload_identity_provider: $${{ env.FAST_WIF_PROVIDER }}
           service_account: $${{ env.FAST_SERVICE_ACCOUNT }}
@@ -73,15 +73,15 @@ jobs:
       - id: tf-config
         name: Copy Terraform output files
         run: |
-          %{~ if tf_providers_file != "" ~}
           gcloud alpha storage cp -r \
             "gs://$${{env.FAST_OUTPUTS_BUCKET}}/providers/$${{env.TF_PROVIDERS_FILE}}" ./
-          %{~ endif ~}
+          %{~ if tf_var_files != [] ~}
           gcloud alpha storage cp -r \
             "gs://$${{env.FAST_OUTPUTS_BUCKET}}/tfvars" ./
           for f in $${{env.TF_VAR_FILES}}; do
             ln -s "tfvars/$f" ./
           done
+          %{~ endif ~}
 
       - id: tf-setup
         name: Set up Terraform
@@ -97,8 +97,8 @@ jobs:
           terraform init -no-color
 
       - id: tf-validate
-        name: Terraform validate
         continue-on-error: true
+        name: Terraform validate
         run: terraform validate -no-color
 
       - id: tf-plan
diff --git a/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml b/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml
index 9266a134a8..56fb0719f4 100644
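Review bot: Dropping the `%{~ if tf_providers_file != "" ~}` guard makes `TF_PROVIDERS_FILE: ${tf_providers_file}` unconditional, so a tenant rendered with an empty `tf_providers_file` now gets an empty env entry, and the copy step in the `@@ -73` hunk of this file would run `gcloud alpha storage cp -r "gs://.../providers/" ./`, which would presumably pull every provider file under that prefix into the runner instead of failing fast. If an empty value is no longer a supported input for tenant workflows, the template should say so, e.g. a comment above the entry such as `# tf_providers_file must be non-empty: the tf-config step copies providers/<file> unconditionally`; otherwise keep the guard around both the env entry and the copy. The `env:` mapping starts before the hunk.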
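Review bot: `uses: google-github-actions/auth@v2` still pins the action to a mutable major tag, so the step that mints the Workload Identity Federation credential for `FAST_SERVICE_ACCOUNT` runs whatever that tag points to at run time. Pinning to a full commit SHA with the tag in a trailing comment, `uses: google-github-actions/auth@<commit-sha>  # v2` (placeholder), is the usual hardening for an auth step, and the same applies to the matching hunk in `1-resman-tenant/templates/workflow-github.yaml`. Since these files are rendered by Terraform, the SHA can be a template variable so the generated workflows stay in sync.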
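Review bot: The `run:` block in the tf-config step expands `$${{env.FAST_OUTPUTS_BUCKET}}`, `$${{env.TF_PROVIDERS_FILE}}` and `$${{env.TF_VAR_FILES}}` as workflow expressions, which splices the values into the script text before the shell sees it; the values are already exported in `env`, so plain shell expansion (`"gs://$FAST_OUTPUTS_BUCKET/providers/$TF_PROVIDERS_FILE" ./` and `for f in $TF_VAR_FILES; do`) keeps the script fixed, matching the `"tfvars/$f"` line that already uses shell expansion in the same loop. Here the values are template inputs fixed at render time, so this is a style and defence-in-depth point rather than an injection path; it also applies to the same step in the `1-resman-tenant` and `1-resman` workflow templates. The step sits in a `steps:` list that starts before the hunk.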
--- a/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml
+++ b/fast/stages-multitenant/1-resman-tenant/templates/workflow-github.yaml
@@ -29,8 +29,10 @@ env:
   FAST_WIF_PROVIDER: ${identity_provider}
   SSH_AUTH_SOCK: /tmp/ssh_agent.sock
   TF_PROVIDERS_FILE: ${tf_providers_file}
-  TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
-  TF_VERSION: 1.4.4
+  %{~ if tf_var_files != [] ~}
+  TF_VAR_FILES: ${join("\n ", tf_var_files)}
+  %{~ endif ~}
+  TF_VERSION: 1.5.1
 
 jobs:
   fast-pr:
@@ -55,7 +57,7 @@ jobs:
       # set up authentication via Workload identity Federation
       - id: gcp-auth
         name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v0
+        uses: google-github-actions/auth@v2
         with:
           workload_identity_provider: $${{ env.FAST_WIF_PROVIDER }}
           service_account: $${{ env.FAST_SERVICE_ACCOUNT }}
@@ -73,11 +75,13 @@ jobs:
         run: |
           gcloud alpha storage cp -r \
             "gs://$${{env.FAST_OUTPUTS_BUCKET}}/providers/$${{env.TF_PROVIDERS_FILE}}" ./
+          %{~ if tf_var_files != [] ~}
           gcloud alpha storage cp -r \
             "gs://$${{env.FAST_OUTPUTS_BUCKET}}/tfvars" ./
           for f in $${{env.TF_VAR_FILES}}; do
             ln -s "tfvars/$f" ./
           done
+          %{~ endif ~}
 
       - id: tf-setup
         name: Set up Terraform
@@ -93,8 +97,8 @@ jobs:
           terraform init -no-color
 
       - id: tf-validate
-        name: Terraform validate
         continue-on-error: true
+        name: Terraform validate
         run: terraform validate -no-color
 
       - id: tf-plan
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index c10b2bf321..076586099a 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -597,7 +597,7 @@ The `fast_features` variable consists of 4 toggles:
 | [organization](variables.tf#L235) | Organization details. | object({…}) | ✓ | | |
 | [prefix](variables.tf#L250) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
 | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string | | null | |
-| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
+| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
 | [custom_roles](variables.tf#L79) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | |
 | [factories_config](variables.tf#L86) | Configuration for the organization policies factory. | object({…}) | | {} | |
 | [fast_features](variables.tf#L96) | Selective control for top-level FAST features. | object({…}) | | {} | |
diff --git a/fast/stages/0-bootstrap/identity-providers.tf b/fast/stages/0-bootstrap/identity-providers.tf
index f648f965a8..ca0783597e 100644
--- a/fast/stages/0-bootstrap/identity-providers.tf
+++ b/fast/stages/0-bootstrap/identity-providers.tf
@@ -33,9 +33,10 @@ locals {
       "attribute.repository" = "assertion.repository"
       "attribute.repository_owner" = "assertion.repository_owner"
       "attribute.ref" = "assertion.ref"
+      "attribute.fast_sub" = "\"repo:\" + assertion.repository + \":ref:\" + assertion.ref"
     }
     issuer_uri = "https://token.actions.githubusercontent.com"
-    principal_tpl = "principal://iam.googleapis.com/%s/subject/repo:%s:ref:refs/heads/%s"
+    principal_tpl = "principalSet://iam.googleapis.com/%s/attribute.fast_sub/repo:%s:ref:refs/heads/%s"
     principalset_tpl = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
   }
   # https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
@@ -89,7 +90,7 @@ resource "google_iam_workload_identity_pool_provider" "default" {
     ? each.value.custom_settings.issuer_uri
     : try(each.value.issuer_uri, null)
   )
-  # OIDC JWKs in JSON String format. If no value is provided, they key is
+  # OIDC JWKs in JSON String format. If no value is provided, they key is
   # fetched from the `.well-known` path for the issuer_uri
   jwks_json = each.value.custom_settings.jwks_json
 }
diff --git a/fast/stages/0-bootstrap/templates/workflow-github.yaml b/fast/stages/0-bootstrap/templates/workflow-github.yaml
index 74a2e1f8b0..56fb0719f4 100644
--- a/fast/stages/0-bootstrap/templates/workflow-github.yaml
+++ b/fast/stages/0-bootstrap/templates/workflow-github.yaml
@@ -32,7 +32,7 @@ env:
   %{~ if tf_var_files != [] ~}
   TF_VAR_FILES: ${join("\n ", tf_var_files)}
   %{~ endif ~}
-  TF_VERSION: 1.4.4
+  TF_VERSION: 1.5.1
 
 jobs:
   fast-pr:
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 9980c11893..a20c4465ee 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
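Review bot: The new `attribute.fast_sub` mapping and the `principalSet://.../attribute.fast_sub/...` form of `principal_tpl` are undocumented, so a reader of `locals` cannot tell why the subject-based `principal://` binding was replaced or what the concatenation is meant to match. The attribute is built from `assertion.repository` and `assertion.ref` in the same `repo:<owner/repo>:ref:<ref>` shape the old `subject/...` template matched and that `principal_tpl` still formats, so the binding stays scoped to one repository and one `refs/heads/` branch; the motivation is presumably to stop depending on the token's `sub` claim directly, but that should be stated. Suggested comment above the mapping: `# same shape as the GitHub sub claim (repo:<owner/repo>:ref:<ref>) so principal_tpl can bind one repo+branch via principalSet; keep in sync with principal_tpl`. The `locals` block starts before the hunk and continues after it, and the `@@ -89` hunk below touches only whitespace while leaving the typo `they key is` in the `jwks_json` comment.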
@@ -34,16 +34,16 @@ variable "cicd_repositories" {
   description = "CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed."
   type = object({
     bootstrap = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
     resman = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
   })
   default = null
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 8cbaa7f5c5..e1a4637a50 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
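Review bot: `branch` and `identity_provider` become `optional(string)` but the `description` on the line above is unchanged, so a user cannot tell what omitting either means. From `identity-providers.tf` in this same change, the repo-wide `principalset_tpl` on `attribute.repository` is the only alternative to the branch-scoped `principal_tpl`, so a null `branch` presumably widens the identity allowed to impersonate the stage service account from one branch to any ref of the repository, which is a security-relevant default and should be spelled out. Suggest extending the description with a sentence such as `Omit branch to trust any ref of the repository rather than a single branch.` and a matching sentence for what a null identity_provider selects, once confirmed against the consuming code. The same applies to the eight repository blocks in the `1-resman/variables.tf` hunk. The `variable "cicd_repositories"` block starts before the hunk and continues after `default = null`.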
@@ -357,7 +357,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 | [billing_account](variables.tf#L39) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap |
 | [organization](variables.tf#L198) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
 | [prefix](variables.tf#L214) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
-| [cicd_repositories](variables.tf#L50) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
+| [cicd_repositories](variables.tf#L50) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
 | [custom_roles](variables.tf#L132) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [fast_features](variables.tf#L141) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap |
 | [groups](variables.tf#L155) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap |
diff --git a/fast/stages/1-resman/templates/workflow-github.yaml b/fast/stages/1-resman/templates/workflow-github.yaml
index 1d8a555a15..56fb0719f4 100644
--- a/fast/stages/1-resman/templates/workflow-github.yaml
+++ b/fast/stages/1-resman/templates/workflow-github.yaml
@@ -29,8 +29,10 @@ env:
   FAST_WIF_PROVIDER: ${identity_provider}
   SSH_AUTH_SOCK: /tmp/ssh_agent.sock
   TF_PROVIDERS_FILE: ${tf_providers_file}
-  TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n ", tf_var_files)}
-  TF_VERSION: 1.4.4
+  %{~ if tf_var_files != [] ~}
+  TF_VAR_FILES: ${join("\n ", tf_var_files)}
+  %{~ endif ~}
+  TF_VERSION: 1.5.1
 
 jobs:
   fast-pr:
@@ -73,11 +75,13 @@ jobs:
         run: |
           gcloud alpha storage cp -r \
             "gs://$${{env.FAST_OUTPUTS_BUCKET}}/providers/$${{env.TF_PROVIDERS_FILE}}" ./
+          %{~ if tf_var_files != [] ~}
           gcloud alpha storage cp -r \
             "gs://$${{env.FAST_OUTPUTS_BUCKET}}/tfvars" ./
           for f in $${{env.TF_VAR_FILES}}; do
             ln -s "tfvars/$f" ./
           done
+          %{~ endif ~}
 
       - id: tf-setup
         name: Set up Terraform
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index 849fc6ef7c..d3099f456c 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -51,52 +51,52 @@ variable "cicd_repositories" {
   description = "CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed."
   type = object({
     data_platform_dev = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
     data_platform_prod = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
     gke_dev = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
     gke_prod = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
     networking = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
     project_factory_dev = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
     project_factory_prod = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
     security = optional(object({
-      branch = string
-      identity_provider = string
       name = string
       type = string
+      branch = optional(string)
+      identity_provider = optional(string)
     }))
   })
   default = null