diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index f8146f6290..786cfbcbed 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -44,7 +44,7 @@ jobs:
 - uses: terraform-linters/setup-tflint@v4
 name: Setup TFLint
 with:
- tflint_version: v0.50.3
+ tflint_version: v0.54.0
 - name: Init TFLint
 run: |
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 1d5b696786..83a15b1348 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -678,7 +678,7 @@ The remaining configuration is manual, as it regards the repositories themselves
 | [org_policies_config](variables.tf#L271) | Organization policies customization. | object({…}) | | {} | |
 | [outputs_location](variables.tf#L299) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
 | [project_parent_ids](variables.tf#L314) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | |
-| [resource_names](variables.tf#L325) | Resource names overrides for specific resources. Check the code to determine which overrides are supported. | object({…}) | | {} | |
+| [resource_names](variables.tf#L325) | Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type. | object({…}) | | {} | |
 | [workforce_identity_providers](variables.tf#L357) | Workforce Identity Federation pools. | map(object({…})) | | {} | |
 | [workload_identity_providers](variables.tf#L373) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | |
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index ee4262dee1..e1fd0bd9f1 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -323,7 +323,7 @@ variable "project_parent_ids" {
 }
 
 variable "resource_names" {
- description = "Resource names overrides for specific resources. Check the code to determine which overrides are supported."
+ description = "Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type."
 type = object({
 bq-billing = optional(string, "billing_export")
 bq-logs = optional(string, "logs")
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index f70125fa59..c77e56f7a2 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -278,9 +278,10 @@ terraform apply
 | [groups](variables-fast.tf#L88) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
 | [locations](variables-fast.tf#L103) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
 | [outputs_location](variables.tf#L31) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
+| [resource_names](variables.tf#L37) | Resource names overrides for specific resources. Stage names are interpolated via `$${name}`. Prefix is always set via code, except where noted in the variable type. | object({…}) | | {} | |
 | [root_node](variables-fast.tf#L153) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
-| [tag_names](variables.tf#L37) | Customized names for resource management tags. | object({…}) | | {} | |
-| [tags](variables.tf#L51) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | |
+| [tag_names](variables.tf#L62) | Customized names for resource management tags. | object({…}) | | {} | |
+| [tags](variables.tf#L76) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | |
 | [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | |
 
 ## Outputs
diff --git a/fast/stages/1-resman/stage-2-network-security.tf b/fast/stages/1-resman/stage-2-network-security.tf
index e0679a5454..627fe50087 100644
--- a/fast/stages/1-resman/stage-2-network-security.tf
+++ b/fast/stages/1-resman/stage-2-network-security.tf
@@ -17,10 +17,12 @@
 
 # automation service accounts
 module "nsec-sa-rw" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.network_security.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.network_security.short_name}-0"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.network_security.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-nsec_rw"], {
+ name = var.fast_stage_2.network_security.short_name
+ })
 display_name = "Terraform resman network security main service account."
 prefix = var.prefix
 iam = {
@@ -37,10 +39,12 @@ module "nsec-sa-rw" {
 }
 
 module "nsec-sa-ro" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.network_security.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.network_security.short_name}-0r"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.network_security.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-nsec_ro"], {
+ name = var.fast_stage_2.network_security.short_name
+ })
 display_name = "Terraform resman network security main service account (read-only)."
 prefix = var.prefix
 iam = {
@@ -62,7 +66,9 @@ module "nsec-bucket" {
 source = "../../../modules/gcs"
 count = var.fast_stage_2.network_security.enabled ? 1 : 0
 project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.network_security.short_name}-0"
+ name = templatestring(var.resource_names["gcs-nsec"], {
+ name = var.fast_stage_2.network_security.short_name
+ })
 prefix = var.prefix
 location = var.locations.gcs
 versioning = true
diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf
index 54579d3ee9..ed11edead2 100644
--- a/fast/stages/1-resman/stage-2-networking.tf
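Review bot: The new `name` expressions in nsec-sa-rw, nsec-sa-ro and nsec-bucket rely on `templatestring()`, a function that only exists from Terraform 1.9.0, so this hunk (and the identical ones in stage-2-networking.tf, stage-2-project-factory.tf, stage-2-security.tf, stage-3.tf and stage-cicd.tf) raises the minimum supported release; nothing in the visible diff bumps a `required_version` constraint, so that should be confirmed or added alongside this change. Since the templates now decide service account ids and bucket names, an override applied after the first apply forces replacement of those resources, and replacing the gcs module instance (presumably the stage's automation bucket) is destructive; a short `# changing the template after the first apply replaces this resource` comment above the `name` attribute would make that visible at the call site. The new defaults in variables.tf reproduce the previous hard-coded strings exactly, so no replacement is expected for existing deployments, but a plan against one is the cheap way to prove it. Each module block continues past the hunk, so the remaining arguments are not visible here.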
+++ b/fast/stages/1-resman/stage-2-networking.tf
@@ -172,10 +172,12 @@ module "net-folder-dev" {
 
 # automation service accounts
 module "net-sa-rw" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.networking.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.networking.short_name}-0"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.networking.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-net_rw"], {
+ name = var.fast_stage_2.networking.short_name
+ })
 display_name = "Terraform resman networking service account."
 prefix = var.prefix
 service_account_create = var.root_node == null
@@ -193,10 +195,12 @@ module "net-sa-rw" {
 }
 
 module "net-sa-ro" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.networking.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.networking.short_name}-0r"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.networking.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-net_ro"], {
+ name = var.fast_stage_2.networking.short_name
+ })
 display_name = "Terraform resman networking service account (read-only)."
 prefix = var.prefix
 iam = {
@@ -218,7 +222,9 @@ module "net-bucket" {
 source = "../../../modules/gcs"
 count = var.fast_stage_2.networking.enabled ? 1 : 0
 project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.networking.short_name}-0"
+ name = templatestring(var.resource_names["gcs-net"], {
+ name = var.fast_stage_2.networking.short_name
+ })
 prefix = var.prefix
 location = var.locations.gcs
 versioning = true
diff --git a/fast/stages/1-resman/stage-2-project-factory.tf b/fast/stages/1-resman/stage-2-project-factory.tf
index f001c3cd03..8b40daf745 100644
--- a/fast/stages/1-resman/stage-2-project-factory.tf
+++ b/fast/stages/1-resman/stage-2-project-factory.tf
@@ -17,10 +17,12 @@
 
 # automation service accounts
 module "pf-sa-rw" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.project_factory.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.project_factory.short_name}-0"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.project_factory.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-pf_rw"], {
+ name = var.fast_stage_2.project_factory.short_name
+ })
 display_name = "Terraform resman project factory main service account."
 prefix = var.prefix
 iam = {
@@ -37,10 +39,12 @@ module "pf-sa-rw" {
 }
 
 module "pf-sa-ro" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.project_factory.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.project_factory.short_name}-0r"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.project_factory.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-pf_ro"], {
+ name = var.fast_stage_2.project_factory.short_name
+ })
 display_name = "Terraform resman project factory main service account (read-only)."
 prefix = var.prefix
 iam = {
@@ -62,7 +66,9 @@ module "pf-bucket" {
 source = "../../../modules/gcs"
 count = var.fast_stage_2.project_factory.enabled ? 1 : 0
 project_id = var.automation.project_id
- name = "resman-${var.fast_stage_2.project_factory.short_name}-0"
+ name = templatestring(var.resource_names["gcs-pf"], {
+ name = var.fast_stage_2.project_factory.short_name
+ })
 prefix = var.prefix
 location = var.locations.gcs
 versioning = true
diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf
index fba63aa60e..70dec2246a 100644
--- a/fast/stages/1-resman/stage-2-security.tf
+++ b/fast/stages/1-resman/stage-2-security.tf
@@ -165,10 +165,12 @@ module "sec-folder-dev" {
 
 # automation service accounts
 module "sec-sa-rw" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.security.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.security.short_name}-0"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.security.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-sec_rw"], {
+ name = var.fast_stage_2.security.short_name
+ })
 display_name = "Terraform resman security service account."
 prefix = var.prefix
 service_account_create = var.root_node == null
@@ -186,10 +188,12 @@ module "sec-sa-rw" {
 }
 
 module "sec-sa-ro" {
- source = "../../../modules/iam-service-account"
- count = var.fast_stage_2.security.enabled ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.security.short_name}-0r"
+ source = "../../../modules/iam-service-account"
+ count = var.fast_stage_2.security.enabled ? 1 : 0
+ project_id = var.automation.project_id
+ name = templatestring(var.resource_names["sa-sec_ro"], {
+ name = var.fast_stage_2.security.short_name
+ })
 display_name = "Terraform resman security service account (read-only)."
 prefix = var.prefix
 iam = {
@@ -211,7 +215,9 @@ module "sec-bucket" {
 source = "../../../modules/gcs"
 count = var.fast_stage_2.security.enabled ? 1 : 0
 project_id = var.automation.project_id
- name = "prod-resman-${var.fast_stage_2.security.short_name}-0"
+ name = templatestring(var.resource_names["gcs-sec"], {
+ name = var.fast_stage_2.security.short_name
+ })
 prefix = var.prefix
 location = var.locations.gcs
 versioning = true
diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf
index 9e03b48f0d..6f86433a77 100644
--- a/fast/stages/1-resman/stage-3.tf
+++ b/fast/stages/1-resman/stage-3.tf
@@ -156,7 +156,9 @@ module "stage3-sa-rw" {
 source = "../../../modules/iam-service-account"
 for_each = local.stage3
 project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-0"
+ name = templatestring(var.resource_names["sa-stage3_rw"], {
+ name = each.value.short_name
+ })
 display_name = (
 "Terraform resman ${each.key} service account."
 )
@@ -178,7 +180,9 @@ module "stage3-sa-ro" {
 source = "../../../modules/iam-service-account"
 for_each = local.stage3
 project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-0r"
+ name = templatestring(var.resource_names["sa-stage3_ro"], {
+ name = each.value.short_name
+ })
 display_name = (
 "Terraform resman ${each.key} service account (read-only)."
 )
@@ -202,7 +206,9 @@ module "stage3-bucket" {
 source = "../../../modules/gcs"
 for_each = local.stage3
 project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-0"
+ name = templatestring(var.resource_names["gcs-stage3"], {
+ name = each.value.short_name
+ })
 prefix = "${var.prefix}-${each.value.environment}"
 location = var.locations.gcs
 versioning = true
diff --git a/fast/stages/1-resman/stage-cicd.tf b/fast/stages/1-resman/stage-cicd.tf
index 1e44acb295..1ed22407a4 100644
--- a/fast/stages/1-resman/stage-cicd.tf
+++ b/fast/stages/1-resman/stage-cicd.tf
@@ -59,7 +59,9 @@ module "cicd-sa-rw" {
 source = "../../../modules/iam-service-account"
 for_each = local.cicd_repositories
 project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-1"
+ name = templatestring(var.resource_names["sa-cicd_rw"], {
+ name = each.value.short_name
+ })
 display_name = (
 "CI/CD ${each.value.lvl}-${each.value.short_name} ${each.value.env} service account."
 )
@@ -92,7 +94,9 @@ module "cicd-sa-ro" {
 source = "../../../modules/iam-service-account"
 for_each = local.cicd_repositories
 project_id = var.automation.project_id
- name = "resman-${each.value.short_name}-1r"
+ name = templatestring(var.resource_names["sa-cicd_ro"], {
+ name = each.value.short_name
+ })
 display_name = (
 "CI/CD ${each.value.lvl}-${each.value.short_name} ${each.value.env} service account (read-only)."
 )
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index 6443f02dc8..6c88f052ad 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -34,6 +34,31 @@ variable "outputs_location" {
 default = null
 }
 
+variable "resource_names" {
+ description = "Resource names overrides for specific resources. Stage names are interpolated via `$${name}`. Prefix is always set via code, except where noted in the variable type."
+ type = object({
+ gcs-net = optional(string, "prod-resman-$${name}-0")
+ gcs-nsec = optional(string, "resman-$${name}-0")
+ gcs-pf = optional(string, "resman-$${name}-0")
+ gcs-sec = optional(string, "prod-resman-$${name}-0")
+ gcs-stage3 = optional(string, "resman-$${name}-0")
+ sa-cicd_ro = optional(string, "resman-$${name}-1r")
+ sa-cicd_rw = optional(string, "resman-$${name}-1")
+ sa-net_ro = optional(string, "prod-resman-$${name}-0r")
+ sa-net_rw = optional(string, "prod-resman-$${name}-0")
+ sa-pf_ro = optional(string, "resman-$${name}-0r")
+ sa-pf_rw = optional(string, "resman-$${name}-0")
+ sa-nsec_ro = optional(string, "resman-$${name}-0r")
+ sa-nsec_rw = optional(string, "resman-$${name}-0")
+ sa-sec_ro = optional(string, "prod-resman-$${name}-0r")
+ sa-sec_rw = optional(string, "prod-resman-$${name}-0")
+ sa-stage3_ro = optional(string, "resman-$${name}-0r")
+ sa-stage3_rw = optional(string, "resman-$${name}-0")
+ })
+ nullable = false
+ default = {}
+}
+
 variable "tag_names" {
 description = "Customized names for resource management tags."
 type = object({
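Review bot: Nothing in the new `resource_names` variable checks that the templates rendered under `for_each` — `gcs-stage3`, `sa-cicd_ro`, `sa-cicd_rw`, `sa-stage3_ro` and `sa-stage3_rw`, consumed in stage-3.tf and stage-cicd.tf — still contain the `${name}` placeholder, so an override that drops it makes every stage 3 entry (within one environment, given the `${var.prefix}-${each.value.environment}` bucket prefix) or every CI/CD repository render the same service account id or bucket name, and the failure only surfaces at apply time as a duplicate-resource error after a clean plan. A `validation` block on the variable (below) rejects such a value at plan time; `strcontains` is available in every release that has `templatestring`. The description also says prefix is set via code "except where noted in the variable type", but no attribute carries such a note, while stage-3.tf applies `prefix = "${var.prefix}-${each.value.environment}"` to `gcs-stage3`; a comment `# prefix is "<prefix>-<environment>" for this bucket` on that attribute would make the description true. The attribute list is otherwise sorted, except `sa-pf_*` placed before `sa-nsec_*`.
```hcl
variable "resource_names" {
  # … unchanged: description, type, nullable, default …
  validation {
    # templates rendered once per stage 3 / CI/CD entry must keep the
    # stage name interpolation, or the instances collapse onto one id
    condition = alltrue([
      for k in ["gcs-stage3", "sa-cicd_ro", "sa-cicd_rw", "sa-stage3_ro", "sa-stage3_rw"] :
      strcontains(var.resource_names[k], "$${name}")
    ])
    error_message = "Templates used with for_each must contain the $${name} placeholder."
  }
}
```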