From 8cf29cd3559f4bcbff3dc69d605b5d519948d0c1 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Sun, 18 Aug 2019 07:46:51 +0200
Subject: [PATCH 1/4] org env: update gcs, sa, project modules
---
 organization-bootstrap/environments/main.tf | 38 +++++++++----------
 .../environments/outputs.tf | 12 ++++--
 .../environments/variables.tf | 19 ++++++----
 3 files changed, 38 insertions(+), 31 deletions(-)
diff --git a/organization-bootstrap/environments/main.tf b/organization-bootstrap/environments/main.tf
index 8ae7cfa786..248ff08648 100644
--- a/organization-bootstrap/environments/main.tf
+++ b/organization-bootstrap/environments/main.tf
@@ -20,10 +20,9 @@ module "project-tf" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.1.0"
+ version = "3.2.0"
 #source = "github.com/terraform-google-modules/terraform-google-project-factory//modules/fabric-project?ref=32a539a"
- parent_type = var.root_type
- parent_id = var.org_id
+ parent = var.root_node
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "terraform"
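Review bot: The stale `#source = "github.com/terraform-google-modules/terraform-google-project-factory//modules/fabric-project?ref=32a539a"` comment is kept directly under the new registry pin `version = "3.2.0"`, so the block now carries two different pins for the same module and a reader cannot tell which one is authoritative or whether `32a539a` corresponds to 3.2.0. Either drop the commented line or annotate it, e.g. `# registry 3.2.0 is the pin in use; github ref below kept only for local testing of unreleased changes`. The `module "project-tf"` block closes outside the hunk. The identical hunk reappears in patch 4/4.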
@@ -38,21 +37,21 @@ module "service-accounts-tf-environments" {
 source = "terraform-google-modules/service-accounts/google"
 version = "2.0.0"
 project_id = module.project-tf.project_id
- org_id = var.org_id
+ org_id = var.organization_id
 billing_account_id = var.billing_account_id
 prefix = var.prefix
 names = var.environments
 grant_billing_role = true
 grant_xpn_roles = true
- generate_keys = true
+ generate_keys = var.generate_service_account_keys
 }
 # bootstrap Terraform state GCS bucket
 module "gcs-tf-bootstrap" {
- # source = "terraform-google-modules/cloud-storage/google"
- # version = "2.0.0"
- source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
+ source = "terraform-google-modules/cloud-storage/google"
+ version = "1.0.0"
+ # source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
 project_id = module.project-tf.project_id
 prefix = "${var.prefix}-tf"
 names = ["tf-bootstrap"]
@@ -62,9 +61,9 @@ module "gcs-tf-bootstrap" {
 # per-environment Terraform state GCS buckets
 module "gcs-tf-environments" {
- # source = "terraform-google-modules/cloud-storage/google"
- # version = "2.0.0"
- source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
+ source = "terraform-google-modules/cloud-storage/google"
+ version = "1.0.0"
+ # source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
 project_id = module.project-tf.project_id
 prefix = "${var.prefix}-tf"
 names = var.environments
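Review bot: `generate_keys = var.generate_service_account_keys` turns key generation into a switch, but nothing records that flipping it on writes the private keys of every environment service account into the Terraform state, which this same hunk places in the `gcs-tf-bootstrap` bucket (`# bootstrap Terraform state GCS bucket`). A comment on the line would make the consequence visible to whoever sets the variable: `# when true, private keys land in state (tf-bootstrap bucket) and in the root outputs; restrict access to that bucket accordingly`. The service accounts also receive `grant_billing_role`/`grant_xpn_roles`, so a leaked key is not environment-scoped; that is pre-existing context, not new in this hunk. The identical hunk reappears in patch 4/4.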
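Review bot: Both cloud-storage module blocks (`gcs-tf-bootstrap` above and `gcs-tf-environments` here) now pin registry release `1.0.0`, while the commented pin that was removed named `2.0.0` and the old github `?ref=e7243fd` is kept as a comment, so the reason for choosing 1.0.0 and whether `e7243fd` is still needed are not recorded. A one-line comment stating the reason for the pin, e.g. `# pinned to 1.0.0: <reason>` with the reason filled in, and removal of the dead `# source = github…` line once the registry pin is settled would leave a single authoritative source per module. These buckets hold the state (and, with key generation enabled, private keys), so the module pin is worth treating as a supply-chain decision rather than a leftover. The identical hunks reappear in patch 4/4.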
@@ -85,9 +84,8 @@ module "gcs-tf-environments" {
 module "folders-top-level" {
 # source = "terraform-google-modules/folders/google"
 # version = "2.0.0"
- source = "github.com/terraform-google-modules/terraform-google-folders?ref=26db794564"
- parent_type = var.root_type
- parent_id = var.org_id
+ source = "github.com/terraform-google-modules/terraform-google-folders?ref=2cd6a08"
+ parent = var.root_node
 names = var.environments
 set_roles = true
 per_folder_admins = module.service-accounts-tf-environments.iam_emails_list
@@ -107,9 +105,8 @@ module "folders-top-level" {
 module "project-audit" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.1.0"
- parent_type = var.root_type
- parent_id = var.org_id
+ version = "3.2.0"
+ parent = var.root_node
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "audit"
@@ -136,7 +133,7 @@ module "log-sink-audit" {
 filter = "logName: \"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName: \"/logs/cloudaudit.googleapis.com%2Fsystem_event\""
 log_sink_name = "logs-audit-${var.environments[0]}"
 parent_resource_type = "folder"
- parent_resource_id = module.folders-top-level.ids[0]
+ parent_resource_id = module.folders-top-level.ids_list[0]
 include_children = "true"
 unique_writer_identity = "true"
 destination_uri = "${module.bq-audit-export.destination_uri}"
@@ -150,9 +147,8 @@ module "log-sink-audit" {
 module "project-shared-resources" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.1.0"
- parent_type = var.root_type
- parent_id = var.org_id
+ version = "3.2.0"
+ parent = var.root_node
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "shared"
diff --git a/organization-bootstrap/environments/outputs.tf b/organization-bootstrap/environments/outputs.tf
index dcf061ba54..cca71987d0 100644
--- a/organization-bootstrap/environments/outputs.tf
+++ b/organization-bootstrap/environments/outputs.tf
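Review bot: `source = "github.com/terraform-google-modules/terraform-google-folders?ref=2cd6a08"` pins a git source by a 7-character abbreviated commit; abbreviated ids are not guaranteed unique over time and a git source bypasses the registry's version constraints, so the module that creates the top-level folders and grants `per_folder_admins` is fetched on a weaker pin than the previous 10-character `26db794564`. Use the full 40-character hash, `?ref=<full sha of 2cd6a08>`, and add a comment naming the release it corresponds to, since the registry version is now only referenced in the commented `# version = "2.0.0"`. The `module "folders-top-level"` block closes outside the hunk. The identical hunk reappears in patch 4/4.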
@@ -24,17 +24,23 @@ output "bootstrap_tf_gcs_bucket" {
 output "environment_folders" {
 description = "Top-level environment folders."
- value = zipmap(var.environments, module.folders-top-level.ids)
+ value = module.folders-top-level.ids
 }
 output "environment_tf_gcs_buckets" {
 description = "GCS buckets used for each environment Terraform state."
- value = zipmap(var.environments, module.gcs-tf-environments.names)
+ value = module.gcs-tf-environments.names
+}
+
+output "environment_service_account_keys" {
+ description = "Service account keys used to run each environment Terraform modules."
+ sensitive = true
+ value = module.service-accounts-tf-environments.keys
 }
 output "environment_service_accounts" {
 description = "Service accounts used to run each environment Terraform modules."
- value = module.service-accounts-tf-environments
+ value = module.service-accounts-tf-environments.emails
 }
 output "audit_logs_bq_dataset" {
diff --git a/organization-bootstrap/environments/variables.tf b/organization-bootstrap/environments/variables.tf
index 80ea02d111..a53b07113b 100644
--- a/organization-bootstrap/environments/variables.tf
+++ b/organization-bootstrap/environments/variables.tf
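Review bot: `sensitive = true` on the new `environment_service_account_keys` output only redacts the value in the apply summary and the bare `terraform output` listing; the keys are still written in clear to the state file and, with the 0.12-era CLI, can be read back by naming the output or with `-json` (verify against the Terraform version in use), so anyone with read access to the state bucket or the CLI has them. The description should state this, e.g. `description = "Private keys of the environment service accounts; present only when generate_service_account_keys is true, stored in clear in state."`. Whether the module's `keys` attribute holds the key material itself or a reference is not visible from this hunk, so the wording should be checked against the module. Narrowing `environment_service_accounts` to `.emails` instead of the whole module object is the right direction, since the module object would otherwise carry the keys out through a non-sensitive output. The identical hunk reappears in patch 4/4.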
@@ -8,23 +8,28 @@ variable "environments" {
 type = list(string)
 }
+variable "generate_service_account_keys" {
+ description = "Generate and store service account keys in the state file."
+ default = false
+}
+
 variable "gcs_location" {
 description = "GCS bucket location."
 default = "EU"
 }
-variable "prefix" {
- description = "Prefix used for resources that need unique names."
+variable "organization_id" {
+ description = "Organization id."
 type = string
 }
-variable "root_type" {
- description = "Type of the root for the new hierarchy."
- default = "organization"
+variable "prefix" {
+ description = "Prefix used for resources that need unique names."
+ type = string
 }
-variable "org_id" {
- description = "Organization id."
+variable "root_node" {
+ description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
 type = string
 }
From a65bd503546d6c2c1113159d5bd410dec3012a97 Mon Sep 17 00:00:00 2001
From: Aleksandr Averbukh
Date: Mon, 19 Aug 2019 19:29:55 +0200
Subject: [PATCH 2/4] Use correct folder ID in format without prefix
---
 organization-bootstrap/environments/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/organization-bootstrap/environments/main.tf b/organization-bootstrap/environments/main.tf
index 248ff08648..790dc8f7f8 100644
--- a/organization-bootstrap/environments/main.tf
+++ b/organization-bootstrap/environments/main.tf
@@ -133,7 +133,7 @@ module "log-sink-audit" {
 filter = "logName: \"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName: \"/logs/cloudaudit.googleapis.com%2Fsystem_event\""
 log_sink_name = "logs-audit-${var.environments[0]}"
 parent_resource_type = "folder"
- parent_resource_id = module.folders-top-level.ids_list[0]
+ parent_resource_id = split("/", module.folders-top-level.ids_list[0])[1]
 include_children = "true"
 unique_writer_identity = "true"
 destination_uri = "${module.bq-audit-export.destination_uri}"
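Review bot: `variable "generate_service_account_keys"` declares `default = false` but no `type`, while every other variable in this hunk declares one, so a malformed tfvars value is only caught where the module consumes it rather than at variable validation. Add `type = bool` after the description. Since the description already says the keys go into the state file, one more clause noting that they are also returned through the root outputs would let a reader judge the exposure before enabling it. The identical hunk reappears in patch 4/4.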
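Review bot: `split("/", module.folders-top-level.ids_list[0])[1]` hard-codes the assumption that the folders module returns ids as `folders/<id>`; if a future module version returns a bare id, index `[1]` fails at plan time with an index-out-of-range error rather than a readable message, and the audit sink silently depends on the module's output format. `replace(module.folders-top-level.ids_list[0], "folders/", "")` accepts both forms and states the intent; either way the line deserves a comment such as `# the log sink expects the bare numeric folder id, without the folders/ prefix`. The `module "log-sink-audit"` block starts and ends outside the hunk.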
From 7cc6c73f303e14c90bd648c6810b14cf7f1299e2 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Mon, 19 Aug 2019 19:52:29 +0200
Subject: [PATCH 3/4] org env: bring over changes from main repo (update module versions)
---
 organization-bootstrap/environments/main.tf | 36 ++++++++++---------
 .../environments/outputs.tf | 12 ++-----
 .../environments/variables.tf | 19 ++++------
 3 files changed, 30 insertions(+), 37 deletions(-)
diff --git a/organization-bootstrap/environments/main.tf b/organization-bootstrap/environments/main.tf
index 790dc8f7f8..480a9d7fc7 100644
--- a/organization-bootstrap/environments/main.tf
+++ b/organization-bootstrap/environments/main.tf
@@ -20,9 +20,10 @@ module "project-tf" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.2.0"
+ version = "3.1.0"
 #source = "github.com/terraform-google-modules/terraform-google-project-factory//modules/fabric-project?ref=32a539a"
- parent = var.root_node
+ parent_type = var.root_type
+ parent_id = var.org_id
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "terraform"
@@ -37,21 +38,21 @@ module "service-accounts-tf-environments" {
 source = "terraform-google-modules/service-accounts/google"
 version = "2.0.0"
 project_id = module.project-tf.project_id
- org_id = var.organization_id
+ org_id = var.org_id
 billing_account_id = var.billing_account_id
 prefix = var.prefix
 names = var.environments
 grant_billing_role = true
 grant_xpn_roles = true
- generate_keys = var.generate_service_account_keys
+ generate_keys = true
 }
 # bootstrap Terraform state GCS bucket
 module "gcs-tf-bootstrap" {
- source = "terraform-google-modules/cloud-storage/google"
- version = "1.0.0"
- # source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
+ # source = "terraform-google-modules/cloud-storage/google"
+ # version = "2.0.0"
+ source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
 project_id = module.project-tf.project_id
 prefix = "${var.prefix}-tf"
 names = ["tf-bootstrap"]
@@ -61,9 +62,9 @@ module "gcs-tf-bootstrap" {
 # per-environment Terraform state GCS buckets
 module "gcs-tf-environments" {
- source = "terraform-google-modules/cloud-storage/google"
- version = "1.0.0"
- # source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
+ # source = "terraform-google-modules/cloud-storage/google"
+ # version = "2.0.0"
+ source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
 project_id = module.project-tf.project_id
 prefix = "${var.prefix}-tf"
 names = var.environments
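Review bot: `generate_keys = true` forces private-key generation for every environment service account with no way to turn it off, and those keys are written to the state that the `gcs-tf-bootstrap` block in this same hunk stores in GCS; the `generate_service_account_keys` switch from patch 1/4 is lost in the process. Patch 4/4 reverts this commit, so the series ends in the switched form; should the revert ever be dropped, the line should read `generate_keys = var.generate_service_account_keys` with the variable restored. The hunk also moves both cloud-storage modules back from the registry `1.0.0` pin to the abbreviated git ref `e7243fd`, which is the weaker pin for the buckets that hold the state.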
@@ -84,8 +85,9 @@ module "gcs-tf-environments" {
 module "folders-top-level" {
 # source = "terraform-google-modules/folders/google"
 # version = "2.0.0"
- source = "github.com/terraform-google-modules/terraform-google-folders?ref=2cd6a08"
- parent = var.root_node
+ source = "github.com/terraform-google-modules/terraform-google-folders?ref=26db794564"
+ parent_type = var.root_type
+ parent_id = var.org_id
 names = var.environments
 set_roles = true
 per_folder_admins = module.service-accounts-tf-environments.iam_emails_list
@@ -105,8 +107,9 @@ module "folders-top-level" {
 module "project-audit" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.2.0"
- parent = var.root_node
+ version = "3.1.0"
+ parent_type = var.root_type
+ parent_id = var.org_id
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "audit"
@@ -147,8 +150,9 @@ module "log-sink-audit" {
 module "project-shared-resources" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.2.0"
- parent = var.root_node
+ version = "3.1.0"
+ parent_type = var.root_type
+ parent_id = var.org_id
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "shared"
diff --git a/organization-bootstrap/environments/outputs.tf b/organization-bootstrap/environments/outputs.tf
index cca71987d0..dcf061ba54 100644
--- a/organization-bootstrap/environments/outputs.tf
+++ b/organization-bootstrap/environments/outputs.tf
@@ -24,23 +24,17 @@ output "bootstrap_tf_gcs_bucket" {
 output "environment_folders" {
 description = "Top-level environment folders."
- value = module.folders-top-level.ids
+ value = zipmap(var.environments, module.folders-top-level.ids)
 }
 output "environment_tf_gcs_buckets" {
 description = "GCS buckets used for each environment Terraform state."
- value = module.gcs-tf-environments.names
-}
-
-output "environment_service_account_keys" {
- description = "Service account keys used to run each environment Terraform modules."
- sensitive = true
- value = module.service-accounts-tf-environments.keys
+ value = zipmap(var.environments, module.gcs-tf-environments.names)
 }
 output "environment_service_accounts" {
 description = "Service accounts used to run each environment Terraform modules."
- value = module.service-accounts-tf-environments.emails
+ value = module.service-accounts-tf-environments
 }
 output "audit_logs_bq_dataset" {
diff --git a/organization-bootstrap/environments/variables.tf b/organization-bootstrap/environments/variables.tf
index a53b07113b..80ea02d111 100644
--- a/organization-bootstrap/environments/variables.tf
+++ b/organization-bootstrap/environments/variables.tf
@@ -8,28 +8,23 @@ variable "environments" {
 type = list(string)
 }
-variable "generate_service_account_keys" {
- description = "Generate and store service account keys in the state file."
- default = false
-}
-
 variable "gcs_location" {
 description = "GCS bucket location."
 default = "EU"
 }
-variable "organization_id" {
- description = "Organization id."
- type = string
-}
-
 variable "prefix" {
 description = "Prefix used for resources that need unique names."
 type = string
 }
-variable "root_node" {
- description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
+variable "root_type" {
+ description = "Type of the root for the new hierarchy."
+ default = "organization"
+}
+
+variable "org_id" {
+ description = "Organization id."
 type = string
 }
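Review bot: `value = module.service-accounts-tf-environments` exports the whole module object through a non-sensitive output; the `environment_service_account_keys` output deleted in the same hunk shows that this object includes the module's `keys`, which this commit also forces on, so the generated private keys would be printed by `terraform output` without redaction. The `.emails` value plus the separate `sensitive = true` keys output this hunk removes is the safer shape. Patch 4/4 reverts this commit, so the series does not end in this state.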
From 8d43d6a4507330578f03c3912960872388faf54b Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Mon, 19 Aug 2019 19:56:57 +0200
Subject: [PATCH 4/4] Revert "org env: bring over changes from main repo (update module versions)"
This reverts commit 7cc6c73f303e14c90bd648c6810b14cf7f1299e2.
---
 organization-bootstrap/environments/main.tf | 36 +++++++++----------
 .../environments/outputs.tf | 12 +++++--
 .../environments/variables.tf | 19 ++++++----
 3 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/organization-bootstrap/environments/main.tf b/organization-bootstrap/environments/main.tf
index 480a9d7fc7..790dc8f7f8 100644
--- a/organization-bootstrap/environments/main.tf
+++ b/organization-bootstrap/environments/main.tf
@@ -20,10 +20,9 @@ module "project-tf" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.1.0"
+ version = "3.2.0"
 #source = "github.com/terraform-google-modules/terraform-google-project-factory//modules/fabric-project?ref=32a539a"
- parent_type = var.root_type
- parent_id = var.org_id
+ parent = var.root_node
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "terraform"
@@ -38,21 +37,21 @@ module "service-accounts-tf-environments" {
 source = "terraform-google-modules/service-accounts/google"
 version = "2.0.0"
 project_id = module.project-tf.project_id
- org_id = var.org_id
+ org_id = var.organization_id
 billing_account_id = var.billing_account_id
 prefix = var.prefix
 names = var.environments
 grant_billing_role = true
 grant_xpn_roles = true
- generate_keys = true
+ generate_keys = var.generate_service_account_keys
 }
 # bootstrap Terraform state GCS bucket
 module "gcs-tf-bootstrap" {
- # source = "terraform-google-modules/cloud-storage/google"
- # version = "2.0.0"
- source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
+ source = "terraform-google-modules/cloud-storage/google"
+ version = "1.0.0"
+ # source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
 project_id = module.project-tf.project_id
 prefix = "${var.prefix}-tf"
 names = ["tf-bootstrap"]
@@ -62,9 +61,9 @@ module "gcs-tf-bootstrap" {
 # per-environment Terraform state GCS buckets
 module "gcs-tf-environments" {
- # source = "terraform-google-modules/cloud-storage/google"
- # version = "2.0.0"
- source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
+ source = "terraform-google-modules/cloud-storage/google"
+ version = "1.0.0"
+ # source = "github.com/terraform-google-modules/terraform-google-cloud-storage?ref=e7243fd"
 project_id = module.project-tf.project_id
 prefix = "${var.prefix}-tf"
 names = var.environments
@@ -85,9 +84,8 @@ module "gcs-tf-environments" {
 module "folders-top-level" {
 # source = "terraform-google-modules/folders/google"
 # version = "2.0.0"
- source = "github.com/terraform-google-modules/terraform-google-folders?ref=26db794564"
- parent_type = var.root_type
- parent_id = var.org_id
+ source = "github.com/terraform-google-modules/terraform-google-folders?ref=2cd6a08"
+ parent = var.root_node
 names = var.environments
 set_roles = true
 per_folder_admins = module.service-accounts-tf-environments.iam_emails_list
@@ -107,9 +105,8 @@ module "folders-top-level" {
 module "project-audit" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.1.0"
- parent_type = var.root_type
- parent_id = var.org_id
+ version = "3.2.0"
+ parent = var.root_node
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "audit"
@@ -150,9 +147,8 @@ module "log-sink-audit" {
 module "project-shared-resources" {
 source = "terraform-google-modules/project-factory/google//modules/fabric-project"
- version = "3.1.0"
- parent_type = var.root_type
- parent_id = var.org_id
+ version = "3.2.0"
+ parent = var.root_node
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "shared"
diff --git a/organization-bootstrap/environments/outputs.tf b/organization-bootstrap/environments/outputs.tf
index dcf061ba54..cca71987d0 100644
--- a/organization-bootstrap/environments/outputs.tf
+++ b/organization-bootstrap/environments/outputs.tf
@@ -24,17 +24,23 @@ output "bootstrap_tf_gcs_bucket" {
 output "environment_folders" {
 description = "Top-level environment folders."
- value = zipmap(var.environments, module.folders-top-level.ids)
+ value = module.folders-top-level.ids
 }
 output "environment_tf_gcs_buckets" {
 description = "GCS buckets used for each environment Terraform state."
- value = zipmap(var.environments, module.gcs-tf-environments.names)
+ value = module.gcs-tf-environments.names
+}
+
+output "environment_service_account_keys" {
+ description = "Service account keys used to run each environment Terraform modules."
+ sensitive = true
+ value = module.service-accounts-tf-environments.keys
 }
 output "environment_service_accounts" {
 description = "Service accounts used to run each environment Terraform modules."
- value = module.service-accounts-tf-environments
+ value = module.service-accounts-tf-environments.emails
 }
 output "audit_logs_bq_dataset" {
diff --git a/organization-bootstrap/environments/variables.tf b/organization-bootstrap/environments/variables.tf
index 80ea02d111..a53b07113b 100644
--- a/organization-bootstrap/environments/variables.tf
+++ b/organization-bootstrap/environments/variables.tf
@@ -8,23 +8,28 @@ variable "environments" {
 type = list(string)
 }
+variable "generate_service_account_keys" {
+ description = "Generate and store service account keys in the state file."
+ default = false
+}
+
 variable "gcs_location" {
 description = "GCS bucket location."
 default = "EU"
 }
-variable "prefix" {
- description = "Prefix used for resources that need unique names."
+variable "organization_id" {
+ description = "Organization id."
 type = string
 }
-variable "root_type" {
- description = "Type of the root for the new hierarchy."
- default = "organization"
+variable "prefix" {
+ description = "Prefix used for resources that need unique names."
+ type = string
 }
-variable "org_id" {
- description = "Organization id."
+variable "root_node" {
+ description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
 type = string
 }