diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 53ba3316f8..09f90c5b47 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -281,7 +281,7 @@ terraform apply
| [root_node](variables-fast.tf#L153) | Root node for the hierarchy, if running in tenant mode. | string
| | null
| 0-bootstrap
|
| [tag_names](variables.tf#L37) | Customized names for resource management tags. | object({…})
| | {}
| |
| [tags](variables.tf#L51) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
| |
-| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…}))
| | {}
| |
+| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…}))
| | {}
| |
## Outputs
diff --git a/fast/stages/1-resman/data/top-level-folders/gcve.yaml b/fast/stages/1-resman/data/top-level-folders/gcve.yaml
index 0638379972..13af215e2c 100644
--- a/fast/stages/1-resman/data/top-level-folders/gcve.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/gcve.yaml
@@ -15,6 +15,3 @@
# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
name: GCVE
-# automation is disabled since this is just a "container" for stage 3s
-automation:
- enable: false
diff --git a/fast/stages/1-resman/data/top-level-folders/gke.yaml b/fast/stages/1-resman/data/top-level-folders/gke.yaml
index d41290549d..789a792b23 100644
--- a/fast/stages/1-resman/data/top-level-folders/gke.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/gke.yaml
@@ -15,6 +15,3 @@
# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
name: GKE
-# automation is disabled since this is just a "container" for stage 3s
-automation:
- enable: false
diff --git a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml
index d8a2920201..de4b902154 100644
--- a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml
@@ -16,6 +16,5 @@
name: Sandbox
automation:
- enable: true
environment_name: dev
short_name: sbox
diff --git a/fast/stages/1-resman/data/top-level-folders/teams.yaml b/fast/stages/1-resman/data/top-level-folders/teams.yaml
index 6b593b9f40..caa1112c45 100644
--- a/fast/stages/1-resman/data/top-level-folders/teams.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/teams.yaml
@@ -15,9 +15,6 @@
# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
name: Teams
-# automation is disabled since this is just a "container" for the pf
-automation:
- enable: false
iam:
"roles/owner":
- project-factory
diff --git a/fast/stages/1-resman/schemas/top-level-folder.schema.json b/fast/stages/1-resman/schemas/top-level-folder.schema.json
index 0cde9454c6..6e952a730b 100644
--- a/fast/stages/1-resman/schemas/top-level-folder.schema.json
+++ b/fast/stages/1-resman/schemas/top-level-folder.schema.json
@@ -8,9 +8,6 @@
"type": "object",
"additionalProperties": false,
"properties": {
- "enable": {
- "type": "boolean"
- },
"environment_name": {
"type": "string"
},
@@ -243,4 +240,4 @@
}
}
}
-}
\ No newline at end of file
+}
diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf
index 1ac71f644b..85cff164c4 100644
--- a/fast/stages/1-resman/top-level-folders.tf
+++ b/fast/stages/1-resman/top-level-folders.tf
@@ -32,11 +32,8 @@ locals {
# extract automation configurations for folders that define them
top_level_automation = {
for k, v in local.top_level_folders :
- k => merge(
- { environment_name = "prod", sa_impersonation_principals = [] },
- v.automation
- )
- if try(v.automation.enable, null) == true
+ k => v.automation
+ if v.automation != null
}
# merge top folders from factory and variable data
top_level_folders = merge(
@@ -44,11 +41,11 @@ locals {
{
for k, v in local._top_level_folders : k => merge(v, {
name = try(v.name, k)
- automation = try(v.automation, {
- enable = true
- environment_name = "prod"
- sa_impersonation_principals = []
- })
+ automation = !can(v.automation) ? null : {
+ environment_name = try(v.automation.environment_name, "prod")
+ sa_impersonation_principals = try(v.automation.sa_impersonation_principals, [])
+ short_name = try(v.automation.short_name, null)
+ }
contacts = try(v.contacts, {})
firewall_policy = try(v.firewall_policy, null)
is_fast_context = try(v.is_fast_context, true)
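Review bot: `!can(v.automation)` on the added line only distinguishes a missing key, so a data file with an empty `automation:` key (YAML null) or a legacy `automation: {enable: false}` block now falls through to the defaults branch and silently provisions a service account, bucket and the folder IAM that go with them — the opposite of what such a file intended. The schema drops `enable`, but the `yaml-language-server` pragma in the data files is editor-only, and I can't see from here whether the factory validates data files against the schema at plan time. A safer gate is `automation = try(v.automation, null) == null ? null : {`, and for the legacy attribute either keep honouring it or fail loudly with a precondition such as `try(v.automation.enable, null) == null` rather than ignoring it. The enclosing `locals` for-expression starts and ends outside the hunk.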
@@ -62,7 +59,6 @@ locals {
iam_by_principals = try(v.iam_by_principals, {})
org_policies = try(v.org_policies, {})
parent_id = try(v.parent_id, null)
- short_name = try(v.short_name, null)
tag_bindings = try(v.tag_bindings, {})
})
},
diff --git a/fast/stages/1-resman/variables-toplevel-folders.tf b/fast/stages/1-resman/variables-toplevel-folders.tf
index d42182e721..a4d5d1ff4f 100644
--- a/fast/stages/1-resman/variables-toplevel-folders.tf
+++ b/fast/stages/1-resman/variables-toplevel-folders.tf
@@ -20,11 +20,10 @@ variable "top_level_folders" {
name = string
parent_id = optional(string)
automation = optional(object({
- enable = optional(bool, true)
environment_name = optional(string, "prod")
sa_impersonation_principals = optional(list(string), [])
short_name = optional(string)
- }), {})
+ }))
contacts = optional(map(list(string)), {})
firewall_policy = optional(object({
name = string
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml
index 87788397fb..b81b710928 100644
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -156,6 +156,11 @@ values:
members:
- serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
role: organizations/123456789012/roles/networkFirewallPoliciesAdmin
+ module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/projectIamViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
+ role: organizations/123456789012/roles/projectIamViewer
module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]:
condition: []
members:
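Review bot: The added `projectIamViewer` binding for `fast2-resman-pf-0r` (and the matching `sa_pf_ro_viewer` and Security-folder entries further down) are not produced by anything in this change, which suggests the inventory fixture had drifted before this commit. Worth confirming they belong to an already-merged read-only project-factory service account so an unintended IAM grant is not being baked into the expected plan. Unrelated fixture drift is better refreshed in its own commit so the review of the new top-level-folder resources stays clean.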
@@ -416,6 +421,11 @@ values:
member: serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
org_id: '123456789012'
role: roles/billing.costsManager
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_ro_viewer"]:
+ condition: []
+ member: serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/billingViewer
module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]:
condition: []
member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
@@ -635,6 +645,11 @@ values:
display_name: Security
parent: organizations/123456789012
timeouts: null
+ module.sec-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/projectIamViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
+ role: organizations/123456789012/roles/projectIamViewer
module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]:
condition: []
members:
@@ -1368,6 +1383,80 @@ values:
: bucket: fast2-prod-iac-core-outputs
condition: []
role: roles/storage.objectAdmin
+ module.top-level-bucket["sandbox"].google_storage_bucket.bucket:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast2-dev-resman-sbox-0
+ project: fast2-prod-automation
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.top-level-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast2-dev-resman-sbox-0
+ condition: []
+ members:
+ - serviceAccount:fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.top-level-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast2-dev-resman-sbox-0
+ condition: []
+ members:
+ - serviceAccount:fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ module.top-level-bucket["tenants"].google_storage_bucket.bucket:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast2-prod-resman-tenants-0
+ project: fast2-prod-automation
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.top-level-bucket["tenants"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast2-prod-resman-tenants-0
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-tenants-0@fast2-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.top-level-bucket["tenants"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast2-prod-resman-tenants-0
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-tenants-0@fast2-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
module.top-level-folder["gcve"].google_folder.folder[0]:
deletion_protection: false
display_name: GCVE
@@ -1443,21 +1532,61 @@ values:
timeouts: null
module.top-level-folder["tenants"].google_tags_tag_binding.binding["context"]:
timeouts: null
+ ? module.top-level-sa["sandbox"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast2-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.top-level-sa["sandbox"].google_service_account.service_account[0]:
+ account_id: fast2-dev-resman-sbox-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform resman sandbox folder service account.
+ project: fast2-prod-automation
+ timeouts: null
+ module.top-level-sa["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.top-level-sa["sandbox"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
+ : bucket: fast2-prod-iac-core-outputs
+ condition: []
+ role: roles/storage.objectAdmin
+ ? module.top-level-sa["tenants"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast2-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.top-level-sa["tenants"].google_service_account.service_account[0]:
+ account_id: fast2-prod-resman-tenants-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform resman tenants folder service account.
+ project: fast2-prod-automation
+ timeouts: null
+ module.top-level-sa["tenants"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.top-level-sa["tenants"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]
+ : bucket: fast2-prod-iac-core-outputs
+ condition: []
+ role: roles/storage.objectAdmin
counts:
google_folder: 13
google_folder_iam_binding: 74
google_organization_iam_member: 15
- google_project_iam_member: 23
- google_service_account: 23
- google_service_account_iam_binding: 23
- google_storage_bucket: 10
- google_storage_bucket_iam_binding: 20
- google_storage_bucket_iam_member: 23
- google_storage_bucket_object: 22
+ google_project_iam_member: 24
+ google_service_account: 24
+ google_service_account_iam_binding: 24
+ google_storage_bucket: 11
+ google_storage_bucket_iam_binding: 22
+ google_storage_bucket_iam_member: 24
+ google_storage_bucket_object: 23
google_tags_tag_binding: 13
google_tags_tag_key: 2
google_tags_tag_value: 11
google_tags_tag_value_iam_binding: 4
- modules: 47
- resources: 276
+ modules: 49
+ resources: 284