From 7cf9caa2c6606476194f94df9687ea82b13e155a Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 8 Sep 2022 14:12:22 +0200
Subject: [PATCH 1/2] FAST: add support for project parents to bootstrap stage
---
 fast/stages/00-bootstrap/README.md | 1 +
 fast/stages/00-bootstrap/automation.tf | 6 ++++--
 fast/stages/00-bootstrap/billing.tf | 6 ++++--
 fast/stages/00-bootstrap/log-export.tf | 8 +++++---
 fast/stages/00-bootstrap/variables.tf | 15 +++++++++++++++
 5 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index 5b7f495d79..312d5712d5 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@@ -473,6 +473,7 @@ The remaining configuration is manual, as it regards the repositories themselves
 | [iam_additive](variables.tf#L146) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | map(list(string)) | | {} | |
 | [log_sinks](variables.tf#L154) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
 | [outputs_location](variables.tf#L188) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | string | | null | |
+| [project_parents](variables.tf#L204) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {…} | |
 
 ## Outputs
 
diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf
index 3244899035..844650d6a9 100644
--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@@ -20,8 +20,10 @@ module "automation-project" {
 source = "../../../modules/project"
 billing_account = var.billing_account.id
 name = "iac-core-0"
- parent = "organizations/${var.organization.id}"
- prefix = local.prefix
+ parent = coalesce(
+ var.project_parents.automation, "organizations/${var.organization.id}"
+ )
+ prefix = local.prefix
 # human (groups) IAM bindings
 group_iam = {
 (local.groups.gcp-devops) = [
diff --git a/fast/stages/00-bootstrap/billing.tf b/fast/stages/00-bootstrap/billing.tf
index 4fc74ce2b7..340848f3be 100644
--- a/fast/stages/00-bootstrap/billing.tf
+++ b/fast/stages/00-bootstrap/billing.tf
@@ -33,8 +33,10 @@ module "billing-export-project" {
 count = local.billing_org ? 1 : 0
 billing_account = var.billing_account.id
 name = "billing-exp-0"
- parent = "organizations/${var.organization.id}"
- prefix = local.prefix
+ parent = coalesce(
+ var.project_parents.billing, "organizations/${var.organization.id}"
+ )
+ prefix = local.prefix
 iam = {
 "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
 }
diff --git a/fast/stages/00-bootstrap/log-export.tf b/fast/stages/00-bootstrap/log-export.tf
index a0019914ea..f11da65d5f 100644
--- a/fast/stages/00-bootstrap/log-export.tf
+++ b/fast/stages/00-bootstrap/log-export.tf
@@ -21,9 +21,11 @@ locals {
 }
 
 module "log-export-project" {
- source = "../../../modules/project"
- name = "audit-logs-0"
- parent = "organizations/${var.organization.id}"
+ source = "../../../modules/project"
+ name = "audit-logs-0"
+ parent = coalesce(
+ var.project_parents.logging, "organizations/${var.organization.id}"
+ )
 prefix = local.prefix
 billing_account = var.billing_account.id
 iam = {
diff --git a/fast/stages/00-bootstrap/variables.tf b/fast/stages/00-bootstrap/variables.tf
index e9cc26e352..c3611735c3 100644
--- a/fast/stages/00-bootstrap/variables.tf
+++ b/fast/stages/00-bootstrap/variables.tf
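Review bot: Pointing one of these bootstrap projects at a folder also brings that folder's inherited IAM bindings into the project, and nothing next to the new `parent = coalesce(...)` in this hunk, or in the billing.tf and log-export.tf hunks that follow, records that trade-off; the automation project holds the bootstrap service accounts, so folder-level roles could extend to them. A short comment above the expression would make the intent reviewable: `# a folder parent means that folder's IAM bindings are inherited by this project`. Note also that `coalesce` skips empty strings as well as null, so an empty `project_parents.automation` silently falls back to the organization. The module block's body continues outside the hunk.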
@@ -200,3 +200,18 @@ variable "prefix" {
 error_message = "Use a maximum of 9 characters for prefix."
 }
 }
+
+variable "project_parents" {
+ description = "Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent."
+ type = object({
+ automation = string
+ billing = string
+ logging = string
+ })
+ default = {
+ automation = null
+ billing = null
+ logging = null
+ }
+ nullable = false
+}
From 9a35ae7917b4442fa3271f52110e2774ab79f08d Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 8 Sep 2022 14:30:01 +0200
Subject: [PATCH 2/2] change as per review comments
---
 fast/stages/00-bootstrap/README.md | 2 +-
 fast/stages/00-bootstrap/automation.tf | 2 +-
 fast/stages/00-bootstrap/billing.tf | 2 +-
 fast/stages/00-bootstrap/log-export.tf | 2 +-
 fast/stages/00-bootstrap/organization.tf | 3 +++
 fast/stages/00-bootstrap/variables.tf | 2 +-
 6 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index 312d5712d5..6fb5d9c5d2 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
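Review bot: The description promises values in `folders/nnnnnnn` format but the new `project_parents` variable has no `validation` block, so a malformed value (a bare folder number, or a `projects/` or `organizations/` resource name) is only rejected by the API at apply time, after the plan has been accepted. A validation that accepts null or a `folders/<digits>` string catches this during `terraform validate` and keeps the parent restricted to folders as documented. The variable is renamed to `project_parent_ids` in the follow-up patch; the block below applies there with the reference updated.
```hcl
variable "project_parents" {
  # … unchanged: description, type, default, nullable …
  validation {
    condition = alltrue([
      for v in values(var.project_parents) :
      v == null || can(regex("^folders/[0-9]+$", v))
    ])
    error_message = "Project parents must be null or use the folders/nnnnnnn format."
  }
}
```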
@@ -473,7 +473,7 @@ The remaining configuration is manual, as it regards the repositories themselves
 | [iam_additive](variables.tf#L146) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | map(list(string)) | | {} | |
 | [log_sinks](variables.tf#L154) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
 | [outputs_location](variables.tf#L188) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | string | | null | |
-| [project_parents](variables.tf#L204) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {…} | |
+| [project_parent_ids](variables.tf#L204) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {…} | |
 
 ## Outputs
 
diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf
index 844650d6a9..41ba44e4e7 100644
--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@@ -21,7 +21,7 @@ module "automation-project" {
 billing_account = var.billing_account.id
 name = "iac-core-0"
 parent = coalesce(
- var.project_parents.automation, "organizations/${var.organization.id}"
+ var.project_parent_ids.automation, "organizations/${var.organization.id}"
 )
 prefix = local.prefix
 # human (groups) IAM bindings
diff --git a/fast/stages/00-bootstrap/billing.tf b/fast/stages/00-bootstrap/billing.tf
index 340848f3be..1291ef4267 100644
--- a/fast/stages/00-bootstrap/billing.tf
+++ b/fast/stages/00-bootstrap/billing.tf
@@ -34,7 +34,7 @@ module "billing-export-project" {
 billing_account = var.billing_account.id
 name = "billing-exp-0"
 parent = coalesce(
- var.project_parents.billing, "organizations/${var.organization.id}"
+ var.project_parent_ids.billing, "organizations/${var.organization.id}"
 )
 prefix = local.prefix
 iam = {
diff --git a/fast/stages/00-bootstrap/log-export.tf b/fast/stages/00-bootstrap/log-export.tf
index f11da65d5f..6844985e92 100644
--- a/fast/stages/00-bootstrap/log-export.tf
+++ b/fast/stages/00-bootstrap/log-export.tf
@@ -24,7 +24,7 @@ module "log-export-project" {
 source = "../../../modules/project"
 name = "audit-logs-0"
 parent = coalesce(
- var.project_parents.logging, "organizations/${var.organization.id}"
+ var.project_parent_ids.logging, "organizations/${var.organization.id}"
 )
 prefix = local.prefix
 billing_account = var.billing_account.id
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index 0e69681d81..e2bdbde54b 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -41,6 +41,9 @@ locals {
 [module.automation-tf-bootstrap-sa.iam_email],
 local._iam_bootstrap_user
 )
+ "roles/resourcemanager.projectMover" = [
+ module.automation-tf-bootstrap-sa.iam_email
+ ]
 "roles/resourcemanager.tagAdmin" = [
 module.automation-tf-resman-sa.iam_email
 ]
diff --git a/fast/stages/00-bootstrap/variables.tf b/fast/stages/00-bootstrap/variables.tf
index c3611735c3..3946fcf94e 100644
--- a/fast/stages/00-bootstrap/variables.tf
+++ b/fast/stages/00-bootstrap/variables.tf
@@ -201,7 +201,7 @@ variable "prefix" {
 }
 }
 
-variable "project_parents" {
+variable "project_parent_ids" {
 description = "Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent."
 type = object({
 automation = string
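Review bot: `roles/resourcemanager.projectMover` is added for the bootstrap service account in what appears to be the organization-level IAM map in organization.tf, which grants project-move rights across the whole organization rather than only on the three bootstrap projects and their possible parent folders, and the grant is unconditional even when no `project_parent_ids` value is set. If the role is there so that an existing deployment can be re-parented when the variable changes, a comment saying so would make the breadth of the grant reviewable: `# needed to re-parent the existing bootstrap projects when project_parent_ids changes`. Consider whether the binding can be limited to the affected projects or folders, or otherwise documented as a standing org-wide permission of the bootstrap SA. The enclosing `locals` block starts and ends outside the hunk.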