feat: upgrade module version to allow Terraform Google provider v6 #1350

Merged
ecdd8f2
upgrade simple_bucket module
daniel-cit Nov 1, 2024
ebaf7dd
upgrade bootstrap and project-factory modules
daniel-cit Nov 1, 2024
3e4302d
chore: upgrade module version to allow terraform Google provider v6
daniel-cit Nov 4, 2024
7f29131
chore: upgrade modules to terraform provider v6
daniel-cit Nov 5, 2024
e888cef
comment usage of folder_deletion_protection until update of cloud fun…
daniel-cit Nov 5, 2024
8cb3e20
fix output type for folder_deletion_protection
daniel-cit Nov 5, 2024
6ddcfca
update backends.balancingMode to CONNECTION for an INTERNAL backend s…
daniel-cit Nov 5, 2024
29cbefd
upgrade KMS module
daniel-cit Nov 5, 2024
ffce27b
initialize workflows api service identity
daniel-cit Nov 5, 2024
1c88d60
upgrade lb-internal module version
daniel-cit Nov 6, 2024
7226225
enable storage.googleapis.com in 4-projects base shared vpc project
daniel-cit Nov 6, 2024
012b3b3
update provider restriction
daniel-cit Nov 6, 2024
1c93a04
update modules
daniel-cit Nov 6, 2024
50b9e58
fix lint
daniel-cit Nov 6, 2024
254edb9
set deletion protection to false
daniel-cit Nov 6, 2024
824ea36
Merge remote-tracking branch 'origin/master' into upgrade-modules-ver…
daniel-cit Nov 6, 2024
e7009c6
fix subnetwork_project validation issue
daniel-cit Nov 8, 2024
7b81b9b
configure deletion_policy for env network projects
daniel-cit Nov 9, 2024
46cab67
Update 0-bootstrap/cb.tf
daniel-cit Nov 11, 2024
07ef96e
pin google version to v6.10 until fix in bootstrap module
daniel-cit Nov 11, 2024
2 changes: 2 additions & 0 deletions 0-bootstrap/README.md
Expand Up @@ -361,12 +361,14 @@ Each step has instructions for this change.
| default\_region\_2 | Secondary default region to create resources where applicable. | `string` | `"us-west1"` | no |
| default\_region\_gcs | Case-Sensitive default region to create gcs resources where applicable. | `string` | `"US"` | no |
| default\_region\_kms | Secondary default region to create kms resources where applicable. | `string` | `"us"` | no |
| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
| groups | Contain the details of the Groups to be created. | <pre>object({<br> create_required_groups = optional(bool, false)<br> create_optional_groups = optional(bool, false)<br> billing_project = optional(string, null)<br> required_groups = object({<br> group_org_admins = string<br> group_billing_admins = string<br> billing_data_users = string<br> audit_data_users = string<br> })<br> optional_groups = optional(object({<br> gcp_security_reviewer = optional(string, "")<br> gcp_network_viewer = optional(string, "")<br> gcp_scc_admin = optional(string, "")<br> gcp_global_secrets_admin = optional(string, "")<br> gcp_kms_admin = optional(string, "")<br> }), {})<br> })</pre> | n/a | yes |
| initial\_group\_config | Define the group configuration when it is initialized. Valid values are: WITH\_INITIAL\_OWNER, EMPTY and INITIAL\_GROUP\_CONFIG\_UNSPECIFIED. | `string` | `"WITH_INITIAL_OWNER"` | no |
| org\_id | GCP Organization ID | `string` | n/a | yes |
| org\_policy\_admin\_role | Additional Org Policy Admin role for admin group. You can use this for testing purposes. | `bool` | `false` | no |
| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. | `string` | `""` | no |
| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no |

## Outputs
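Review bot: the `folder_deletion_protection` row documents the variable as `string` with a default of `true`, but `google_folder.deletion_protection` is a boolean argument, so the type column will push users to quote the value; this README is generated from `variables.tf`, so change the type to `bool` there and regenerate rather than editing the table. The `project_deletion_policy` description should also list the accepted values (`PREVENT`, `ABANDON`, `DELETE`) and say that the default `PREVENT` makes `terraform destroy` fail on the project, since that is the behaviour a user hits first.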
19 changes: 15 additions & 4 deletions 0-bootstrap/cb.tf
Expand Up @@ -70,7 +70,7 @@ resource "random_string" "suffix" {

module "gcp_projects_state_bucket" {
source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
version = "~> 6.0"
version = "~> 8.0"

name = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate"
project_id = module.seed_bootstrap.seed_project_id
Expand All @@ -86,7 +86,7 @@ module "gcp_projects_state_bucket" {

module "tf_source" {
source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source"
version = "~> 8.0"
version = "~> 9.0"

org_id = var.org_id
folder_id = google_folder.bootstrap.id
Expand All @@ -96,6 +96,8 @@ module "tf_source" {
group_org_admins = var.groups.required_groups.group_org_admins
buckets_force_destroy = var.bucket_force_destroy

project_deletion_policy = var.project_deletion_policy

activate_apis = [
"serviceusage.googleapis.com",
"servicenetworking.googleapis.com",
Expand Down Expand Up @@ -134,6 +136,15 @@ module "tf_source" {
depends_on = [module.seed_bootstrap]
}

resource "google_project_service_identity" "workflows_identity" {
provider = google-beta

project = module.tf_source.cloudbuild_project_id
service = "workflows.googleapis.com"

depends_on = [module.tf_source]
}

module "tf_private_pool" {
source = "./modules/cb-private-pool"

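Review bot: `google_project_service_identity.workflows_identity` carries no comment saying why the Workflows service agent has to be created in the Cloud Build project, and its `email` is not referenced anywhere in this diff, so a later cleanup is likely to remove it as dead code; add a comment naming the consumer (the module or workflow that needs the agent to exist) next to the resource. The `depends_on = [module.tf_source]` is redundant, because `project = module.tf_source.cloudbuild_project_id` already creates that dependency, and can be dropped.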
Expand All @@ -155,7 +166,7 @@ module "tf_private_pool" {

module "tf_cloud_builder" {
source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_builder"
version = "~> 8.0"
version = "~> 9.0"

project_id = module.tf_source.cloudbuild_project_id
dockerfile_repo_uri = module.tf_source.csr_repos[local.cloudbuilder_repo].url
Expand Down Expand Up @@ -206,7 +217,7 @@ module "build_terraform_image" {

module "tf_workspace" {
source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_workspace"
version = "~> 8.0"
version = "~> 9.0"
for_each = local.granular_sa

project_id = module.tf_source.cloudbuild_project_id
4 changes: 3 additions & 1 deletion 0-bootstrap/github.tf.example
Expand Up @@ -70,7 +70,7 @@ locals {

module "gh_cicd" {
source = "terraform-google-modules/project-factory/google"
version = "~> 15.0"
version = "~> 17.0"

name = "${var.project_prefix}-b-cicd-wif-gh"
random_project_id = true
Expand All @@ -87,6 +87,8 @@ module "gh_cicd" {
"cloudresourcemanager.googleapis.com",
"iamcredentials.googleapis.com",
]

deletion_policy = var.project_deletion_policy
}

module "gh_oidc" {
5 changes: 3 additions & 2 deletions 0-bootstrap/gitlab.tf.example
Expand Up @@ -81,7 +81,7 @@ provider "gitlab" {

module "gitlab_cicd" {
source = "terraform-google-modules/project-factory/google"
version = "~> 15.0"
version = "~> 17.0"

name = "${var.project_prefix}-b-cicd-wif-gl"
random_project_id = true
Expand All @@ -100,8 +100,9 @@ module "gitlab_cicd" {
"sts.googleapis.com",
"dns.googleapis.com",
"secretmanager.googleapis.com",

]

deletion_policy = var.project_deletion_policy
}

module "gitlab_oidc" {
4 changes: 2 additions & 2 deletions 0-bootstrap/groups.tf
Expand Up @@ -34,7 +34,7 @@ data "google_organization" "org" {

module "required_group" {
source = "terraform-google-modules/group/google"
version = "~> 0.6"
version = "~> 0.7"
for_each = local.required_groups_to_create

id = each.value
Expand All @@ -46,7 +46,7 @@ module "required_group" {

module "optional_group" {
source = "terraform-google-modules/group/google"
version = "~> 0.6"
version = "~> 0.7"
for_each = local.optional_groups_to_create

id = each.value
1 change: 1 addition & 0 deletions 0-bootstrap/jenkins.tf.example
Expand Up @@ -46,6 +46,7 @@ module "jenkins_bootstrap" {
tunnel0_bgp_session_range = var.tunnel0_bgp_session_range
tunnel1_bgp_peer_address = var.tunnel1_bgp_peer_address
tunnel1_bgp_session_range = var.tunnel1_bgp_session_range
project_deletion_policy = var.project_deletion_policy
}

resource "google_organization_iam_member" "org_jenkins_sa_browser" {
8 changes: 5 additions & 3 deletions 0-bootstrap/main.tf
Expand Up @@ -35,13 +35,14 @@ locals {
}

resource "google_folder" "bootstrap" {
display_name = "${var.folder_prefix}-bootstrap"
parent = local.parent
display_name = "${var.folder_prefix}-bootstrap"
parent = local.parent
deletion_protection = var.folder_deletion_protection
}

module "seed_bootstrap" {
source = "terraform-google-modules/bootstrap/google"
version = "~> 8.0"
version = "~> 9.0"

org_id = var.org_id
folder_id = google_folder.bootstrap.id
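Review bot: `deletion_protection = var.folder_deletion_protection` defaults to `true`, so `terraform destroy` of 0-bootstrap now stops at `google_folder.bootstrap` until the variable is set to `false` and applied first; that two-step teardown is not mentioned anywhere in this PR and belongs in the destroy instructions for the step. The variable is also declared as `string` while the argument is a `bool`: Terraform converts `"true"` and `"false"`, but any other string fails at plan time with an error that points at the resource rather than the variable, so `type = bool` is the safer declaration.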
Expand All @@ -61,6 +62,7 @@ module "seed_bootstrap" {
encrypt_gcs_bucket_tfstate = true
key_rotation_period = "7776000s"
kms_prevent_destroy = !var.bucket_tfstate_kms_force_destroy
project_deletion_policy = var.project_deletion_policy

project_labels = {
environment = "bootstrap"
2 changes: 1 addition & 1 deletion 0-bootstrap/modules/gitlab-oidc/versions.tf
Expand Up @@ -20,7 +20,7 @@ terraform {

google = {
source = "hashicorp/google"
version = ">= 3.64, < 6"
version = ">= 3.64, < 7"
}
}

1 change: 1 addition & 0 deletions 0-bootstrap/modules/jenkins-agent/README.md
Expand Up @@ -68,6 +68,7 @@ module "jenkins_bootstrap" {
| on\_prem\_vpn\_public\_ip\_address | The public IP Address of the Jenkins Controller. | `string` | n/a | yes |
| on\_prem\_vpn\_public\_ip\_address2 | The secondpublic IP Address of the Jenkins Controller. | `string` | n/a | yes |
| org\_id | GCP Organization ID | `string` | n/a | yes |
| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
| project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no |
| project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
| router\_asn | BGP ASN for cloud routes. | `number` | `"64515"` | no |
4 changes: 3 additions & 1 deletion 0-bootstrap/modules/jenkins-agent/main.tf
Expand Up @@ -29,7 +29,7 @@ resource "random_id" "suffix" {
*******************************************/
module "cicd_project" {
source = "terraform-google-modules/project-factory/google"
version = "~> 15.0"
version = "~> 17.0"

name = local.cicd_project_name
random_project_id = true
Expand All @@ -40,6 +40,8 @@ module "cicd_project" {
billing_account = var.billing_account
activate_apis = local.activate_apis
labels = var.project_labels

deletion_policy = var.project_deletion_policy
}

/******************************************
6 changes: 6 additions & 0 deletions 0-bootstrap/modules/jenkins-agent/variables.tf
Expand Up @@ -39,6 +39,12 @@ variable "default_region" {
default = "us-central1"
}

variable "project_deletion_policy" {
description = "The deletion policy for the project created."
type = string
default = "PREVENT"
}

/* ----------------------------------------
Specific to CICD Project
---------------------------------------- */
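Review bot: `project_deletion_policy` accepts any string, but the provider only accepts `PREVENT`, `ABANDON` or `DELETE`, and a typo is reported against the `google_project` resource inside the project-factory module rather than against this variable. Add a `validation` block, for example `condition = contains(["PREVENT", "ABANDON", "DELETE"], var.project_deletion_policy)` with an `error_message` listing the three values, and extend the description with the same list.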
4 changes: 2 additions & 2 deletions 0-bootstrap/modules/tfc-agent-gke/main.tf
Expand Up @@ -96,7 +96,7 @@ resource "google_service_account" "tfc_agent_service_account" {

module "tfc_agent_cluster" {
source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster/"
version = "~> 31.0"
version = "~> 34.0"

project_id = var.project_id
region = var.region
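Review bot: `~> 31.0` to `~> 34.0` spans three major releases of the kubernetes-engine module for the `beta-autopilot-private-cluster` submodule (and `fleet-membership` below); before merging, run a plan against an existing deployment and confirm it shows in-place updates only, since any change that forces replacement would recreate the TFC agent cluster, and list any removed or renamed inputs in the PR description so users upgrading the module know what to adjust.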
Expand Down Expand Up @@ -394,7 +394,7 @@ resource "google_dns_policy" "default_policy" {

module "hub" {
source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership"
version = "~> 31.0"
version = "~> 34.0"

project_id = var.project_id
location = var.region
2 changes: 1 addition & 1 deletion 0-bootstrap/modules/tfc-agent-gke/versions.tf
Expand Up @@ -20,7 +20,7 @@ terraform {

google = {
source = "hashicorp/google"
version = ">= 4.3.0, < 6"
version = ">= 4.3.0, < 7"
}

kubernetes = {
4 changes: 3 additions & 1 deletion 0-bootstrap/terraform_cloud.tf.example
Expand Up @@ -230,7 +230,7 @@ resource "tfe_run_trigger" "projects_bu2_shared_production" {

module "tfc_cicd" {
source = "terraform-google-modules/project-factory/google"
version = "~> 15.0"
version = "~> 17.0"

name = "${var.project_prefix}-b-cicd-wif-tfc"
random_project_id = true
Expand All @@ -251,6 +251,8 @@ module "tfc_cicd" {
"gkehub.googleapis.com",
"connectgateway.googleapis.com"
]

deletion_policy = var.project_deletion_policy
}

module "tfc-oidc" {
12 changes: 12 additions & 0 deletions 0-bootstrap/variables.tf
Expand Up @@ -90,6 +90,18 @@ variable "bucket_tfstate_kms_force_destroy" {
default = false
}

variable "project_deletion_policy" {
description = "The deletion policy for the project created."
type = string
default = "PREVENT"
}

variable "folder_deletion_protection" {
description = "Prevent Terraform from destroying or recreating the folder."
type = string
default = true
}

/* ----------------------------------------
Specific to Groups creation
---------------------------------------- */
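Review bot: `folder_deletion_protection` is declared with `type = string` but a boolean default, and it feeds the boolean `deletion_protection` argument on `google_folder`; declare it `type = bool` so the README type column and the plan-time error messages match what the resource expects. The same variable is declared again in `0-bootstrap/modules/jenkins-agent/variables.tf` for `project_deletion_policy`; keep the two descriptions identical and state in both that `PREVENT` blocks `terraform destroy` on the created projects, since that is the behaviour change users will notice after this upgrade.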
8 changes: 7 additions & 1 deletion 0-bootstrap/versions.tf
Expand Up @@ -20,7 +20,13 @@ terraform {
google = {
// version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226
source = "hashicorp/google"
version = ">= 3.50, != 4.31.0"
version = ">= 3.50, != 4.31.0, <= 6.10"
}

google-beta = {
// version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226
source = "hashicorp/google-beta"
version = ">= 3.50, != 4.31.0, <= 6.10"
}

// Un-comment gitlab required_providers when using gitlab CI/CD
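Review bot: the new upper bound `<= 6.10` excludes the 6.10.x patch releases as well as 6.11 and later, because Terraform reads `6.10` as `6.10.0`; if the intent is to stay on 6.10 until the bootstrap module fix lands, `< 6.11` expresses that. The cap also has no comment saying why it exists (the commit message says "until fix in bootstrap module"); add a comment with the tracking link next to it, as was done for the `!= 4.31.0` exclusion, so the cap is removed once the fix ships. Finally, the 4.31.0 comment and issue link were copied verbatim onto the `google-beta` block; confirm that issue affects google-beta 4.31.0 as well before keeping the exclusion there.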
2 changes: 2 additions & 0 deletions 1-org/envs/shared/README.md
Expand Up @@ -12,12 +12,14 @@
| enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
| essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
| essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |
| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
| gcp\_groups | Groups to grant specific roles in the Organization.<br> platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.<br> security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security<br> network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.<br> scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.<br> audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.<br> global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage | <pre>object({<br> audit_viewer = optional(string, null)<br> security_reviewer = optional(string, null)<br> network_viewer = optional(string, null)<br> scc_admin = optional(string, null)<br> global_secrets_admin = optional(string, null)<br> kms_admin = optional(string, null)<br> })</pre> | `{}` | no |
| log\_export\_storage\_force\_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no |
| log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no |
| log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br> is_locked = bool<br> retention_period_days = number<br> })</pre> | `null` | no |
| log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br> alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br> dns_hub_budget_amount = optional(number, 1000)<br> dns_hub_alert_spent_percents = optional(list(number), [1.2])<br> dns_hub_alert_pubsub_topic = optional(string, null)<br> dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> base_net_hub_budget_amount = optional(number, 1000)<br> base_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> base_net_hub_alert_pubsub_topic = optional(string, null)<br> base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> base_network_budget_amount = optional(number, 1000)<br> base_network_alert_spent_percents = optional(list(number), [1.2])<br> base_network_alert_pubsub_topic = optional(string, null)<br> base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_net_hub_budget_amount = optional(number, 1000)<br> restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])<br> restricted_net_hub_alert_pubsub_topic = optional(string, null)<br> restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> restricted_network_budget_amount = optional(number, 1000)<br> restricted_network_alert_spent_percents = optional(list(number), [1.2])<br> restricted_network_alert_pubsub_topic = optional(string, null)<br> restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> interconnect_budget_amount = optional(number, 1000)<br> 
interconnect_alert_spent_percents = optional(list(number), [1.2])<br> interconnect_alert_pubsub_topic = optional(string, null)<br> interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_secrets_budget_amount = optional(number, 1000)<br> org_secrets_alert_spent_percents = optional(list(number), [1.2])<br> org_secrets_alert_pubsub_topic = optional(string, null)<br> org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_billing_export_budget_amount = optional(number, 1000)<br> org_billing_export_alert_spent_percents = optional(list(number), [1.2])<br> org_billing_export_alert_pubsub_topic = optional(string, null)<br> org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_audit_logs_budget_amount = optional(number, 1000)<br> org_audit_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_audit_logs_alert_pubsub_topic = optional(string, null)<br> org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> common_kms_budget_amount = optional(number, 1000)<br> common_kms_alert_spent_percents = optional(list(number), [1.2])<br> common_kms_alert_pubsub_topic = optional(string, null)<br> common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> scc_notifications_budget_amount = optional(number, 1000)<br> scc_notifications_alert_spent_percents = optional(list(number), [1.2])<br> scc_notifications_alert_pubsub_topic = optional(string, null)<br> scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> })</pre> | `{}` | no |
| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
| scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check if it already exists. | `string` | n/a | yes |
2 changes: 2 additions & 0 deletions 1-org/envs/shared/folders.tf
Expand Up @@ -21,9 +21,11 @@
resource "google_folder" "common" {
display_name = "${local.folder_prefix}-common"
parent = local.parent
# deletion_protection = var.folder_deletion_protection // uncommnet after updating "GoogleCloudPlatform/cloud-functions/google" to provider v6
}

resource "google_folder" "network" {
display_name = "${local.folder_prefix}-network"
parent = local.parent
# deletion_protection = var.folder_deletion_protection // uncommnet after updating "GoogleCloudPlatform/cloud-functions/google" to provider v6
}
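Review bot: both `deletion_protection` assignments are commented out, so `var.folder_deletion_protection` is declared and documented in the 1-org README but has no effect; with provider v6 the `common` and `network` folders get the provider default (`true`) whatever value the user passes, and a user who sets it to `false` before a destroy will still be blocked. Either leave the variable out of this step until `GoogleCloudPlatform/cloud-functions/google` is updated, or say in its description that it is not yet applied, and open an issue so the commented lines are not forgotten. Minor: `uncommnet` in both comments should be `uncomment`.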