Merge new modules list and environments foundation example

.ci/cloudbuild.test.yaml

@@ -44,7 +44,7 @@ steps:
       - PYTHONDONTWRITEBYTECODE=true
 
 substitutions:
-  _TERRAFORM_VERSION: 0.12.8
+  _TERRAFORM_VERSION: 0.12.19
 
 tags:
   - "ci"

foundations/business-units/README.md

@@ -25,45 +25,44 @@ The number of resources in this sample is kept to a minimum so as to make it gen
 
 This sample uses a top-level folder to encapsulate projects that host resources that are not specific to a single environment. If no shared services are needed,the Terraform and audit modules can be easily attached to the root node, and the shared services folder and project removed from `main.tf`.
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Inputs
+<!-- BEGIN TFDOC -->
+## Variables
 
-| Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| audit\_viewers | Audit project viewers, in IAM format. | list | `<list>` | no |
-| billing\_account\_id | Billing account id used as default for new projects. | string | n/a | yes |
-| business\_unit\_1\_name | Business unit 1 short name. | string | n/a | yes |
-| business\_unit\_2\_name | Business unit 2 short name. | string | n/a | yes |
-| business\_unit\_3\_name | Business unit 3 short name. | string | n/a | yes |
-| environments | Environment short names. | list(string) | n/a | yes |
-| gcs\_location | GCS bucket location. | string | `"EU"` | no |
-| generate\_service\_account\_keys | Generate and store service account keys in the state file. | string | `"false"` | no |
-| organization\_id | Organization id. | string | n/a | yes |
-| prefix | Prefix used for resources that need unique names. | string | n/a | yes |
-| project\_services | Service APIs enabled by default in new projects. | list | `<list>` | no |
-| root\_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | string | n/a | yes |
-| shared\_bindings\_members | List of comma-delimited IAM-format members for the additional shared project bindings. | list | `<list>` | no |
-| shared\_bindings\_roles | List of roles for additional shared project bindings. | list | `<list>` | no |
-| terraform\_owners | Terraform project owners, in IAM format. | list | `<list>` | no |
+| name | description | type | required | default |
+|---|---|:---: |:---:|:---:|
+| billing_account_id | Billing account id used as default for new projects. | <code title="">string</code> | ✓ |  |
+| business_unit_1_name | Business unit 1 short name. | <code title="">string</code> | ✓ |  |
+| business_unit_2_name | Business unit 2 short name. | <code title="">string</code> | ✓ |  |
+| business_unit_3_name | Business unit 3 short name. | <code title="">string</code> | ✓ |  |
+| environments | Environment short names. | <code title="list&#40;string&#41;">list(string)</code> | ✓ |  |
+| organization_id | Organization id. | <code title="">string</code> | ✓ |  |
+| prefix | Prefix used for resources that need unique names. | <code title="">string</code> | ✓ |  |
+| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code title="">string</code> | ✓ |  |
+| *audit_viewers* | Audit project viewers, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *gcs_location* | GCS bucket location. | <code title="">string</code> |  | <code title="">EU</code> |
+| *generate_service_account_keys* | Generate and store service account keys in the state file. | <code title="">bool</code> |  | <code title="">false</code> |
+| *project_services* | Service APIs enabled by default in new projects. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="&#91;&#10;&#34;resourceviews.googleapis.com&#34;,&#10;&#34;stackdriver.googleapis.com&#34;,&#10;&#93;">...</code> |
+| *shared_bindings_members* | List of comma-delimited IAM-format members for the additional shared project bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *shared_bindings_roles* | List of roles for additional shared project bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *terraform_owners* | Terraform project owners, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| audit\_logs\_bq\_dataset | Bigquery dataset for the audit logs export. |
-| audit\_logs\_project | Project that holds the audit logs export resources. |
-| bootstrap\_tf\_gcs\_bucket | GCS bucket used for the bootstrap Terraform state. |
-| business\_unit\_1\_environment\_folders\_ids | Business unit 1 environment folders. |
-| business\_unit\_1\_folder\_id | Business unit 1 top-level folder ID. |
-| business\_unit\_2\_environment\_folders\_ids | Business unit 2 environment folders. |
-| business\_unit\_2\_folder\_id | Business unit 2 top-level folder ID. |
-| business\_unit\_3\_environment\_folders\_ids | Business unit 3 environment folders. |
-| business\_unit\_3\_folder\_id | Business unit 3 top-level folder ID. |
-| environment\_service\_account\_keys | Service account keys used to run each environment Terraform modules. |
-| environment\_service\_accounts | Service accounts used to run each environment Terraform modules. |
-| environment\_tf\_gcs\_buckets | GCS buckets used for each environment Terraform state. |
-| shared\_folder\_id | Shared folder ID. |
-| shared\_resources\_project | Project that holdes resources shared across business units. |
-| terraform\_project | Project that holds the base Terraform resources. |
-
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+| name | description | sensitive |
+|---|---|:---:|
+| audit_logs_bq_dataset | Bigquery dataset for the audit logs export. |  |
+| audit_logs_project | Project that holds the audit logs export resources. |  |
+| bootstrap_tf_gcs_bucket | GCS bucket used for the bootstrap Terraform state. |  |
+| business_unit_1_environment_folders_ids | Business unit 1 environment folders. |  |
+| business_unit_1_folder_id | Business unit 1 top-level folder ID. |  |
+| business_unit_2_environment_folders_ids | Business unit 2 environment folders. |  |
+| business_unit_2_folder_id | Business unit 2 top-level folder ID. |  |
+| business_unit_3_environment_folders_ids | Business unit 3 environment folders. |  |
+| business_unit_3_folder_id | Business unit 3 top-level folder ID. |  |
+| environment_service_account_keys | Service account keys used to run each environment Terraform modules. | ✓ |
+| environment_service_accounts | Service accounts used to run each environment Terraform modules. |  |
+| environment_tf_gcs_buckets | GCS buckets used for each environment Terraform state. |  |
+| shared_folder_id | Shared folder ID. |  |
+| shared_resources_project | Project that holdes resources shared across business units. |  |
+| terraform_project | Project that holds the base Terraform resources. |  |
+<!-- END TFDOC -->

foundations/business-units/main.tf

@@ -26,7 +26,7 @@ locals {
 
 module "shared-folder" {
   source  = "terraform-google-modules/folders/google"
-  version = "2.0.0"
+  version = "2.0.2"
   parent  = var.root_node
   names   = ["shared"]
 }
@@ -53,7 +53,7 @@ module "project-tf" {
 
 module "service-accounts-tf-environments" {
   source             = "terraform-google-modules/service-accounts/google"
-  version            = "2.0.1"
+  version            = "2.0.2"
   project_id         = module.project-tf.project_id
   org_id             = var.organization_id
   billing_account_id = var.billing_account_id
@@ -151,7 +151,7 @@ module "project-audit" {
 
 module "bq-audit-export" {
   source                   = "terraform-google-modules/log-export/google//modules/bigquery"
-  version                  = "3.1.0"
+  version                  = "3.2.0"
   project_id               = module.project-audit.project_id
   dataset_name             = "${replace(local.log_sink_name, "-", "_")}"
   log_sink_writer_identity = module.log-sink-audit.writer_identity
@@ -161,7 +161,7 @@ module "bq-audit-export" {
 
 module "log-sink-audit" {
   source                 = "terraform-google-modules/log-export/google"
-  version                = "3.1.0"
+  version                = "3.2.0"
   filter                 = "logName: \"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName: \"/logs/cloudaudit.googleapis.com%2Fsystem_event\""
   log_sink_name          = local.log_sink_name
   parent_resource_type   = local.log_sink_parent_resource_type

foundations/business-units/modules/business-unit-folders/main.tf

@@ -18,7 +18,7 @@
 
 module "business-unit-folder" {
   source  = "terraform-google-modules/folders/google"
-  version = "2.0.0"
+  version = "2.0.2"
   parent  = var.root_node
   names   = [var.business_unit_folder_name]
 }
@@ -29,7 +29,7 @@ module "business-unit-folder" {
 
 module "environment-folders" {
   source            = "terraform-google-modules/folders/google"
-  version           = "2.0.0"
+  version           = "2.0.2"
   parent            = module.business-unit-folder.id
   names             = var.environments
   set_roles         = true
@@ -41,4 +41,4 @@ module "environment-folders" {
     "roles/compute.networkAdmin",
     "roles/compute.xpnAdmin"
   ]
-}
+}

foundations/business-units/variables.tf

@@ -14,6 +14,7 @@
 
 variable "audit_viewers" {
   description = "Audit project viewers, in IAM format."
+  type        = list(string)
   default     = []
 }
 
@@ -44,11 +45,13 @@ variable "environments" {
 
 variable "generate_service_account_keys" {
   description = "Generate and store service account keys in the state file."
+  type        = bool
   default     = false
 }
 
 variable "gcs_location" {
   description = "GCS bucket location."
+  type        = string
   default     = "EU"
 }
 
@@ -70,21 +73,25 @@ variable "root_node" {
 variable "shared_bindings_members" {
   description = "List of comma-delimited IAM-format members for the additional shared project bindings."
   # example: ["user:[email protected],[email protected]", "user:[email protected]"]
+  type    = list(string)
   default = []
 }
 variable "shared_bindings_roles" {
   description = "List of roles for additional shared project bindings."
   # example: ["roles/storage.objectViewer", "roles/storage.admin"]
+  type    = list(string)
   default = []
 }
 
 variable "terraform_owners" {
   description = "Terraform project owners, in IAM format."
+  type        = list(string)
   default     = []
 }
 
 variable "project_services" {
   description = "Service APIs enabled by default in new projects."
+  type        = list(string)
   default = [
     "resourceviews.googleapis.com",
     "stackdriver.googleapis.com",

foundations/environments/README.md

@@ -27,38 +27,37 @@ For more complex setups where multiple shared services projects are needed to en
 
 If no shared services are needed, the shared service project module can of course be removed from `main.tf`.
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| audit\_viewers | Audit project viewers, in IAM format. | list | `<list>` | no |
-| billing\_account\_id | Billing account id used as default for new projects. | string | n/a | yes |
-| environments | Environment short names. | list(string) | n/a | yes |
-| gcs\_location | GCS bucket location. | string | `"EU"` | no |
-| generate\_service\_account\_keys | Generate and store service account keys in the state file. | string | `"false"` | no |
-| grant\_xpn\_folder\_roles | Grant roles needed for Shared VPC creation to service accounts at the environment folder level. | string | `"true"` | no |
-| grant\_xpn\_org\_roles | Grant roles needed for Shared VPC creation to service accounts at the organization level. | string | `"false"` | no |
-| organization\_id | Organization id. | string | n/a | yes |
-| prefix | Prefix used for resources that need unique names. | string | n/a | yes |
-| project\_services | Service APIs enabled by default in new projects. | list | `<list>` | no |
-| root\_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | string | n/a | yes |
-| shared\_bindings\_members | List of comma-delimited IAM-format members for the additional shared project bindings. | list | `<list>` | no |
-| shared\_bindings\_roles | List of roles for additional shared project bindings. | list | `<list>` | no |
-| terraform\_owners | Terraform project owners, in IAM format. | list | `<list>` | no |
+<!-- BEGIN TFDOC -->
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---: |:---:|:---:|
+| billing_account_id | Billing account id used as default for new projects. | <code title="">string</code> | ✓ |  |
+| environments | Environment short names. | <code title="list&#40;string&#41;">list(string)</code> | ✓ |  |
+| organization_id | Organization id. | <code title="">string</code> | ✓ |  |
+| prefix | Prefix used for resources that need unique names. | <code title="">string</code> | ✓ |  |
+| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code title="">string</code> | ✓ |  |
+| *audit_viewers* | Audit project viewers, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *gcs_location* | GCS bucket location. | <code title="">string</code> |  | <code title="">EU</code> |
+| *generate_service_account_keys* | Generate and store service account keys in the state file. | <code title="">bool</code> |  | <code title="">false</code> |
+| *grant_xpn_folder_roles* | Grant roles needed for Shared VPC creation to service accounts at the environment folder level. | <code title="">bool</code> |  | <code title="">true</code> |
+| *grant_xpn_org_roles* | Grant roles needed for Shared VPC creation to service accounts at the organization level. | <code title="">bool</code> |  | <code title="">false</code> |
+| *project_services* | Service APIs enabled by default in new projects. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="&#91;&#10;&#34;resourceviews.googleapis.com&#34;,&#10;&#34;stackdriver.googleapis.com&#34;,&#10;&#93;">...</code> |
+| *shared_bindings_members* | List of comma-delimited IAM-format members for the additional shared project bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *shared_bindings_roles* | List of roles for additional shared project bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *terraform_owners* | Terraform project owners, in IAM format. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| audit\_logs\_bq\_dataset | Bigquery dataset for the audit logs export. |
-| audit\_logs\_project | Project that holds the audit logs export resources. |
-| bootstrap\_tf\_gcs\_bucket | GCS bucket used for the bootstrap Terraform state. |
-| environment\_folders | Top-level environment folders. |
-| environment\_service\_account\_keys | Service account keys used to run each environment Terraform modules. |
-| environment\_service\_accounts | Service accounts used to run each environment Terraform modules. |
-| environment\_tf\_gcs\_buckets | GCS buckets used for each environment Terraform state. |
-| shared\_resources\_project | Project that holdes resources shared across environments. |
-| terraform\_project | Project that holds the base Terraform resources. |
-
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+| name | description | sensitive |
+|---|---|:---:|
+| audit_logs_bq_dataset | Bigquery dataset for the audit logs export. |  |
+| audit_logs_project | Project that holds the audit logs export resources. |  |
+| bootstrap_tf_gcs_bucket | GCS bucket used for the bootstrap Terraform state. |  |
+| environment_folders | Top-level environment folders. |  |
+| environment_service_account_keys | Service account keys used to run each environment Terraform modules. | ✓ |
+| environment_service_accounts | Service accounts used to run each environment Terraform modules. |  |
+| environment_tf_gcs_buckets | GCS buckets used for each environment Terraform state. |  |
+| shared_resources_project | Project that holdes resources shared across environments. |  |
+| terraform_project | Project that holds the base Terraform resources. |  |
+<!-- END TFDOC -->

foundations/environments/locals.tf

@@ -0,0 +1,38 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  folder_roles = concat(var.iam_folder_roles, local.sa_xpn_folder_role)
+  sa_billing_account_role = (
+    var.iam_billing_config.target_org ? [] : ["roles/billing.user"]
+  )
+  sa_billing_org_role = (
+    ! var.iam_billing_config.target_org ? [] : ["roles/billing.user"]
+  )
+  sa_xpn_folder_role = (
+    local.sa_xpn_target_org ? [] : ["roles/compute.xpnAdmin"]
+  )
+  sa_xpn_org_roles = (
+    local.sa_xpn_target_org
+    ? ["roles/compute.xpnAdmin", "roles/resourcemanager.organizationViewer"]
+    : ["roles/resourcemanager.organizationViewer"]
+  )
+  sa_xpn_target_org = (
+    var.iam_xpn_config.target_org
+    ||
+    substr(var.root_node, 0, 13) == "organizations"
+  )
+}