diff --git a/fast/stages/1-resman/tenant-root.tf b/fast/stages/1-resman/tenant-root.tf
index 7c00bc806a..c65bb0c02c 100644
--- a/fast/stages/1-resman/tenant-root.tf
+++ b/fast/stages/1-resman/tenant-root.tf
@@ -41,22 +41,62 @@ module "automation-project" {
tags = merge(local.tags, {
(var.tag_names.context) = {
description = "Resource management context."
- iam = {}
+ iam = try(local.tags.context.iam, {})
values = {
- data = {}
- gke = {}
- gcve = {}
- networking = {}
- sandbox = {}
- security = {}
+ data = {
+ iam = try(local.tags.context.values.data.iam, {})
+ description = try(local.tags.context.values.data.description, null)
+ }
+ gke = {
+ iam = try(local.tags.context.values.gke.iam, {})
+ description = try(local.tags.context.values.gke.description, null)
+ }
+ gcve = {
+ iam = try(local.tags.context.values.gcve.iam, {})
+ description = try(local.tags.context.values.gcve.description, null)
+ }
+ networking = {
+ iam = try(local.tags.context.values.networking.iam, {})
+ description = try(local.tags.context.values.networking.description, null)
+ }
+ project-factory = {
+ iam = try(local.tags.context.values.project-factory.iam, {})
+ description = try(local.tags.context.values.project-factory.description, null)
+ }
+ sandbox = {
+ iam = try(local.tags.context.values.sandbox.iam, {})
+ description = try(local.tags.context.values.sandbox.description, null)
+ }
+ security = {
+ iam = try(local.tags.context.values.security.iam, {})
+ description = try(local.tags.context.values.security.description, null)
+ }
}
}
(var.tag_names.environment) = {
description = "Environment definition."
- iam = {}
+ iam = try(local.tags.environment.iam, {})
values = {
- development = {}
- production = {}
+ development = {
+ iam = try(local.tags.environment.values.development.iam, {})
+ iam_bindings = {
+ pf = {
+ members = [module.branch-pf-sa.iam_email]
+ role = "roles/resourcemanager.tagUser"
+ }
+ }
+ description = try(local.tags.environment.values.development.description, null)
+ }
+ production = {
+ iam = try(local.tags.environment.values.production.iam, {})
+ iam_bindings = {
+ pf = {
+ members = [module.branch-pf-sa.iam_email]
+ role = "roles/resourcemanager.tagUser"
+ }
+ }
+ description = try(local.tags.environment.values.production.description, null)
+ }
}
}
})
diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf
index 2668468104..e2e8901cfc 100644
--- a/fast/stages/1-resman/top-level-folders.tf
+++ b/fast/stages/1-resman/top-level-folders.tf
@@ -68,7 +68,7 @@ locals {
module "top-level-folder" {
source = "../../../modules/folder"
for_each = local.top_level_folders
- parent = "organizations/${var.organization.id}"
+ parent = local.root_node
name = each.value.name
contacts = each.value.contacts
firewall_policy = each.value.firewall_policy
diff --git a/fast/stages/1-tenant-factory/README.md b/fast/stages/1-tenant-factory/README.md
index 2716f2f032..c253bf9dc4 100644
--- a/fast/stages/1-tenant-factory/README.md
+++ b/fast/stages/1-tenant-factory/README.md
@@ -309,13 +309,13 @@ gcloud storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-boot
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
| [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap |
-| [logging](variables-fast.tf#L96) | Logging resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
-| [org_policy_tags](variables-fast.tf#L115) | Organization policy tags. | object({…}) | ✓ | | 0-bootstrap |
-| [organization](variables-fast.tf#L105) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L132) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
-| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
-| [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
+| [logging](variables-fast.tf#L99) | Logging resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
+| [org_policy_tags](variables-fast.tf#L118) | Organization policy tags. | object({…}) | ✓ | | 0-bootstrap |
+| [organization](variables-fast.tf#L108) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables-fast.tf#L135) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
+| [groups](variables-fast.tf#L71) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
+| [locations](variables-fast.tf#L86) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
| [outputs_location](variables.tf#L17) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
| [root_node](variables.tf#L23) | Root folder under which tenants are created, in folders/nnnn format. Defaults to the organization if null. | string | | null | |
| [tag_names](variables.tf#L36) | Customized names for resource management tags. | object({…}) | | {} | |
diff --git a/fast/stages/1-tenant-factory/variables-fast.tf b/fast/stages/1-tenant-factory/variables-fast.tf
index b7eb168cfd..be76b320a9 100644
--- a/fast/stages/1-tenant-factory/variables-fast.tf
+++ b/fast/stages/1-tenant-factory/variables-fast.tf
@@ -56,11 +56,14 @@ variable "custom_roles" {
type = object({
gcve_network_admin = string
network_firewall_policies_admin = string
- ngfw_enterprise_admin = string
- organization_admin_viewer = string
- service_project_network_admin = string
- storage_viewer = string
- tenant_network_admin = string
+ # TODO: remove after v34.0.0
+ network_firewall_policies_viewer = optional(string)
+ ngfw_enterprise_admin = optional(string)
+ ngfw_enterprise_viewer = optional(string)
+ organization_admin_viewer = string
+ service_project_network_admin = string
+ storage_viewer = string
+ tenant_network_admin = string
})
default = null
}