diff --git a/4-projects/business_unit_1/shared/example_infra_pipeline.tf b/4-projects/business_unit_1/shared/example_infra_pipeline.tf index 9a37a62aa..ff427d043 100644 --- a/4-projects/business_unit_1/shared/example_infra_pipeline.tf +++ b/4-projects/business_unit_1/shared/example_infra_pipeline.tf @@ -50,6 +50,7 @@ module "infra_pipelines" { project_prefix = var.project_prefix billing_account = var.billing_account default_region = var.default_region + bucket_region = var.default_region app_infra_repos = ["bu1-example-app"] } diff --git a/4-projects/business_unit_2/shared/example_infra_pipeline.tf b/4-projects/business_unit_2/shared/example_infra_pipeline.tf index ab3a3aaad..f24d13ce4 100644 --- a/4-projects/business_unit_2/shared/example_infra_pipeline.tf +++ b/4-projects/business_unit_2/shared/example_infra_pipeline.tf @@ -49,6 +49,7 @@ module "infra_pipelines" { project_prefix = var.project_prefix billing_account = var.billing_account default_region = var.default_region + bucket_region = var.default_region app_infra_repos = ["bu2-example-app"] } diff --git a/4-projects/modules/infra_pipelines/main.tf b/4-projects/modules/infra_pipelines/main.tf index 5d16ea97b..e7b7cf352 100644 --- a/4-projects/modules/infra_pipelines/main.tf +++ b/4-projects/modules/infra_pipelines/main.tf @@ -15,12 +15,14 @@ */ locals { - gar_repo_name = var.gar_repo_name != "" ? var.gar_repo_name : format("%s-%s", var.project_prefix, "tf-runners") - gar_name = split("/", google_artifact_registry_repository.tf-image-repo.name)[length(split("/", google_artifact_registry_repository.tf-image-repo.name)) - 1] - created_csrs = toset([for repo in google_sourcerepo_repository.app_infra_repo : repo.name]) - artifact_buckets = { for created_csr in local.created_csrs : "${created_csr}-ab" => format("%s-%s-%s", created_csr, "cloudbuild-artifacts", random_id.suffix.hex) } - state_buckets = { for created_csr in local.created_csrs : "${created_csr}-tfstate" => format("%s-%s-%s", created_csr, "tfstate", random_id.suffix.hex) } - apply_branches_regex = "^(${join("|", var.terraform_apply_branches)})$" + gar_repo_name = var.gar_repo_name != "" ? var.gar_repo_name : format("%s-%s", var.project_prefix, "tf-runners") + gar_name = split("/", google_artifact_registry_repository.tf-image-repo.name)[length(split("/", google_artifact_registry_repository.tf-image-repo.name)) - 1] + created_csrs = toset([for repo in google_sourcerepo_repository.app_infra_repo : repo.name]) + artifact_buckets = { for created_csr in local.created_csrs : "${created_csr}-ab" => format("%s-%s-%s", created_csr, "cloudbuild-artifacts", random_id.suffix.hex) } + state_buckets = { for created_csr in local.created_csrs : "${created_csr}-tfstate" => format("%s-%s-%s", created_csr, "tfstate", random_id.suffix.hex) } + apply_branches_regex = "^(${join("|", var.terraform_apply_branches)})$" + cloudbuild_bucket_name = "${var.cloudbuild_project_id}_cloudbuild" + cloudbuild_bucket = { "cloudbuild" = local.cloudbuild_bucket_name } } # Create CSRs @@ -44,23 +46,15 @@ resource "random_id" "suffix" { byte_length = 2 } -resource "google_storage_bucket" "tfstate" { - for_each = local.state_buckets - project = var.cloudbuild_project_id - name = each.value - location = var.bucket_region - uniform_bucket_level_access = true - versioning { - enabled = true - } -} +resource "google_storage_bucket" "pipeline_infra" { + for_each = merge(local.artifact_buckets, local.state_buckets, local.cloudbuild_bucket) + + project = var.cloudbuild_project_id + name = each.value + location = var.bucket_region -resource "google_storage_bucket" "cloudbuild_artifacts" { - for_each = local.artifact_buckets - project = var.cloudbuild_project_id - name = each.value - location = var.bucket_region uniform_bucket_level_access = true + force_destroy = true versioning { enabled = true } @@ -68,11 +62,14 @@ resource "google_storage_bucket" "cloudbuild_artifacts" { # IAM for Cloud Build SA to access cloudbuild_artifacts and tfstate buckets resource "google_storage_bucket_iam_member" "cloudbuild_artifacts_iam" { - for_each = merge(local.artifact_buckets, local.state_buckets) - bucket = each.value - role = "roles/storage.admin" - member = "serviceAccount:${data.google_project.cloudbuild_project.number}@cloudbuild.gserviceaccount.com" - depends_on = [google_storage_bucket.cloudbuild_artifacts, google_storage_bucket.tfstate] + for_each = merge(local.artifact_buckets, local.state_buckets, local.cloudbuild_bucket) + bucket = each.value + role = "roles/storage.admin" + member = "serviceAccount:${data.google_project.cloudbuild_project.number}@cloudbuild.gserviceaccount.com" + + depends_on = [ + google_storage_bucket.pipeline_infra + ] } # Cloud Build plan/apply triggers @@ -90,8 +87,8 @@ resource "google_cloudbuild_trigger" "main_trigger" { _BILLING_ID = var.billing_account _DEFAULT_REGION = var.default_region _GAR_REPOSITORY = local.gar_name - _STATE_BUCKET_NAME = google_storage_bucket.tfstate["${each.value}-tfstate"].name - _ARTIFACT_BUCKET_NAME = google_storage_bucket.cloudbuild_artifacts["${each.value}-ab"].name + _STATE_BUCKET_NAME = google_storage_bucket.pipeline_infra["${each.value}-tfstate"].name + _ARTIFACT_BUCKET_NAME = google_storage_bucket.pipeline_infra["${each.value}-ab"].name _TF_ACTION = "apply" } @@ -116,8 +113,8 @@ resource "google_cloudbuild_trigger" "non_main_trigger" { _BILLING_ID = var.billing_account _DEFAULT_REGION = var.default_region _GAR_REPOSITORY = local.gar_name - _STATE_BUCKET_NAME = google_storage_bucket.tfstate["${each.value}-tfstate"].name - _ARTIFACT_BUCKET_NAME = google_storage_bucket.cloudbuild_artifacts["${each.value}-ab"].name + _STATE_BUCKET_NAME = google_storage_bucket.pipeline_infra["${each.value}-tfstate"].name + _ARTIFACT_BUCKET_NAME = google_storage_bucket.pipeline_infra["${each.value}-ab"].name _TF_ACTION = "plan" }