diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 53ba3316f8..09f90c5b47 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -281,7 +281,7 @@ terraform apply
 | [root_node](variables-fast.tf#L153) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
 | [tag_names](variables.tf#L37) | Customized names for resource management tags. | object({…}) | | {} | |
 | [tags](variables.tf#L51) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | |
-| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | |
+| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | |
 
 ## Outputs
 
diff --git a/fast/stages/1-resman/data/top-level-folders/gcve.yaml b/fast/stages/1-resman/data/top-level-folders/gcve.yaml
index 0638379972..13af215e2c 100644
--- a/fast/stages/1-resman/data/top-level-folders/gcve.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/gcve.yaml
@@ -15,6 +15,3 @@
 
 # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
 name: GCVE
-# automation is disabled since this is just a "container" for stage 3s
-automation:
-  enable: false
diff --git a/fast/stages/1-resman/data/top-level-folders/gke.yaml b/fast/stages/1-resman/data/top-level-folders/gke.yaml
index d41290549d..789a792b23 100644
--- a/fast/stages/1-resman/data/top-level-folders/gke.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/gke.yaml
@@ -15,6 +15,3 @@
 
 # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
 name: GKE
-# automation is disabled since this is just a "container" for stage 3s
-automation:
-  enable: false
diff --git a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml
index d8a2920201..de4b902154 100644
--- a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml
@@ -16,6 +16,5 @@
 
 name: Sandbox
 automation:
-  enable: true
   environment_name: dev
   short_name: sbox
diff --git a/fast/stages/1-resman/data/top-level-folders/teams.yaml b/fast/stages/1-resman/data/top-level-folders/teams.yaml
index 6b593b9f40..caa1112c45 100644
--- a/fast/stages/1-resman/data/top-level-folders/teams.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/teams.yaml
@@ -15,9 +15,6 @@
 
 # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
 name: Teams
-# automation is disabled since this is just a "container" for the pf
-automation:
-  enable: false
 iam:
   "roles/owner":
     - project-factory
diff --git a/fast/stages/1-resman/schemas/top-level-folder.schema.json b/fast/stages/1-resman/schemas/top-level-folder.schema.json
index 0cde9454c6..6e952a730b 100644
--- a/fast/stages/1-resman/schemas/top-level-folder.schema.json
+++ b/fast/stages/1-resman/schemas/top-level-folder.schema.json
@@ -8,9 +8,6 @@
       "type": "object",
       "additionalProperties": false,
       "properties": {
-        "enable": {
-          "type": "boolean"
-        },
         "environment_name": {
           "type": "string"
         },
@@ -243,4 +240,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf
index 1ac71f644b..85cff164c4 100644
--- a/fast/stages/1-resman/top-level-folders.tf
+++ b/fast/stages/1-resman/top-level-folders.tf
@@ -32,11 +32,8 @@ locals {
   # extract automation configurations for folders that define them
   top_level_automation = {
     for k, v in local.top_level_folders :
-    k => merge(
-      { environment_name = "prod", sa_impersonation_principals = [] },
-      v.automation
-    )
-    if try(v.automation.enable, null) == true
+    k => v.automation
+    if v.automation != null
   }
   # merge top folders from factory and variable data
   top_level_folders = merge(
@@ -44,11 +41,11 @@ locals {
     {
       for k, v in local._top_level_folders : k => merge(v, {
         name = try(v.name, k)
-        automation = try(v.automation, {
-          enable = true
-          environment_name = "prod"
-          sa_impersonation_principals = []
-        })
+        automation = !can(v.automation) ? null : {
+          environment_name = try(v.automation.environment_name, "prod")
+          sa_impersonation_principals = try(v.automation.sa_impersonation_principals, [])
+          short_name = try(v.automation.short_name, null)
+        }
         contacts = try(v.contacts, {})
         firewall_policy = try(v.firewall_policy, null)
         is_fast_context = try(v.is_fast_context, true)
@@ -62,7 +59,6 @@ locals {
         iam_by_principals = try(v.iam_by_principals, {})
         org_policies = try(v.org_policies, {})
         parent_id = try(v.parent_id, null)
-        short_name = try(v.short_name, null)
         tag_bindings = try(v.tag_bindings, {})
       })
     },
diff --git a/fast/stages/1-resman/variables-toplevel-folders.tf b/fast/stages/1-resman/variables-toplevel-folders.tf
index d42182e721..a4d5d1ff4f 100644
--- a/fast/stages/1-resman/variables-toplevel-folders.tf
+++ b/fast/stages/1-resman/variables-toplevel-folders.tf
@@ -20,11 +20,10 @@ variable "top_level_folders" {
     name = string
     parent_id = optional(string)
     automation = optional(object({
-      enable = optional(bool, true)
       environment_name = optional(string, "prod")
       sa_impersonation_principals = optional(list(string), [])
       short_name = optional(string)
-    }), {})
+    }))
     contacts = optional(map(list(string)), {})
     firewall_policy = optional(object({
       name = string
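Review bot: The `!can(v.automation) ? null : {...}` guard in the factory merge only tests whether the `automation` key exists, not whether it holds a value, so a YAML file with a bare `automation:` (which decodes to null) now provisions a prod automation service account and bucket with default impersonation principals, where the old `try(v.automation, {...})` plus the `enable` check would have left that folder without automation. Since creating a token-creator-enabled service account is exactly the kind of thing that should not happen by accident, I would test the value rather than the key: `automation = try(v.automation, null) == null ? null : {`. The `top_level_automation` filter in the previous hunk (`if v.automation != null`) already behaves correctly once the factory side stops producing a non-null object for a null input. As a secondary point, the `"prod"` and `[]` defaults here duplicate the `optional()` defaults in `variables-toplevel-folders.tf`, so a comment such as `# keep defaults in sync with var.top_level_folders.automation` would help the next person who changes one and not the other. The `locals` block this hunk belongs to starts before and continues after the hunk.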
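Review bot: Dropping the `{}` default on `automation` (the `}), {})` → `}))` change) flips the variable from automation-enabled-by-default to opt-in, and neither the variable description nor the README row touched in this commit says so; an operator who upgrades with existing `top_level_folders` entries that omit `automation` would, as far as I can tell from the diff, see their automation service accounts, state buckets and the associated IAM bindings planned for destruction. I would spell that out in the description, e.g. `Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the optional 'automation' attribute; automation resources are only created when it is set.`, and call the behavioural change out in the stage changelog or upgrade notes. The `variable "top_level_folders"` block begins before this hunk and its type definition continues past it.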
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 87788397fb..b81b710928 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml @@ -156,6 +156,11 @@ values: members: - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: organizations/123456789012/roles/networkFirewallPoliciesAdmin + module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/projectIamViewer"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/projectIamViewer module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]: condition: [] members: @@ -416,6 +421,11 @@ values: member: serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.costsManager + module.organization[0].google_organization_iam_member.bindings["sa_pf_ro_viewer"]: + condition: [] + member: serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: organizations/123456789012/roles/billingViewer module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]: condition: [] member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com @@ -635,6 +645,11 @@ values: display_name: Security parent: organizations/123456789012 timeouts: null + module.sec-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/projectIamViewer"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/projectIamViewer module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: condition: [] members: 
@@ -1368,6 +1383,80 @@ values: : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin + module.top-level-bucket["sandbox"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-dev-resman-sbox-0 + project: fast2-prod-automation + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.top-level-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-dev-resman-sbox-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.top-level-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-dev-resman-sbox-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.top-level-bucket["tenants"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-tenants-0 + project: fast2-prod-automation + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + 
module.top-level-bucket["tenants"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-tenants-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-tenants-0@fast2-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.top-level-bucket["tenants"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-tenants-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-tenants-0@fast2-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer module.top-level-folder["gcve"].google_folder.folder[0]: deletion_protection: false display_name: GCVE 
@@ -1443,21 +1532,61 @@ values: timeouts: null module.top-level-folder["tenants"].google_tags_tag_binding.binding["context"]: timeouts: null + ? module.top-level-sa["sandbox"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast2-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.top-level-sa["sandbox"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-sbox-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman sandbox folder service account. + project: fast2-prod-automation + timeouts: null + module.top-level-sa["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.top-level-sa["sandbox"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs + condition: [] + role: roles/storage.objectAdmin + ? module.top-level-sa["tenants"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast2-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.top-level-sa["tenants"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-tenants-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman tenants folder service account. + project: fast2-prod-automation + timeouts: null + module.top-level-sa["tenants"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? 
module.top-level-sa["tenants"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs + condition: [] + role: roles/storage.objectAdmin counts: google_folder: 13 google_folder_iam_binding: 74 google_organization_iam_member: 15 - google_project_iam_member: 23 - google_service_account: 23 - google_service_account_iam_binding: 23 - google_storage_bucket: 10 - google_storage_bucket_iam_binding: 20 - google_storage_bucket_iam_member: 23 - google_storage_bucket_object: 22 + google_project_iam_member: 24 + google_service_account: 24 + google_service_account_iam_binding: 24 + google_storage_bucket: 11 + google_storage_bucket_iam_binding: 22 + google_storage_bucket_iam_member: 24 + google_storage_bucket_object: 23 google_tags_tag_binding: 13 google_tags_tag_key: 2 google_tags_tag_value: 11 google_tags_tag_value_iam_binding: 4 - modules: 47 - resources: 276 + modules: 49 + resources: 284