From 58184da59292a834f4b0f5b05324b89f120a4f4f Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade
Date: Mon, 25 Jul 2022 13:56:25 -0300
Subject: [PATCH 01/30] add output for remote state information
---
 0-bootstrap/README.md | 1 +
 0-bootstrap/outputs.tf | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md
index 5318ca71d..fba127488 100644
--- a/0-bootstrap/README.md
+++ b/0-bootstrap/README.md
@@ -187,6 +187,7 @@ the following steps:
 | Name | Description |
 |------|-------------|
 | cloudbuild\_project\_id | Project where CloudBuild configuration and terraform container image will reside. |
+| common\_config | Common configuration data to be used in other steps. |
 | csr\_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. |
 | gcs\_bucket\_cloudbuild\_artifacts | Bucket used to store Cloud/Build artifacts in CloudBuild project. |
 | gcs\_bucket\_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. |
diff --git a/0-bootstrap/outputs.tf b/0-bootstrap/outputs.tf
index b6e30a5c0..4ab8b5a7d 100644
--- a/0-bootstrap/outputs.tf
+++ b/0-bootstrap/outputs.tf
@@ -34,6 +34,20 @@ output "gcs_bucket_tfstate" {
 value = module.seed_bootstrap.gcs_bucket_tfstate
 }
+output "common_config" {
+ description = "Common configuration data to be used in other steps."
+ value = {
+ org_id = var.org_id,
+ parent_folder = var.parent_folder,
+ billing_account = var.billing_account,
+ default_region = var.default_region,
+ project_prefix = var.project_prefix,
+ folder_prefix = var.folder_prefix
+ parent_id = local.parent
+ bootstrap_folder_name = google_folder.bootstrap.name
+ }
+}
+
 /* ---------------------------------------- Specific to cloudbuild_module ---------------------------------------- */
From 3f1164f1af61b5e190efcf529a209b13ca3bbabf Mon Sep 17 00:00:00 2001
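Review bot: The attribute list inside `common_config` mixes separators: `org_id` through `project_prefix` end with a comma while `folder_prefix`, `parent_id` and `bootstrap_folder_name` do not; HCL accepts newline- or comma-separated object attributes, so this is legal, but the mixed form reads like a missed comma, and PATCH 03/30 re-touches the same block in `0-bootstrap/outputs.tf` and keeps the mix — drop the commas throughout (the style the `locals` blocks in this series use) or add them everywhere. Everything in this output lands in the bootstrap state file and is read by step 1-org through `terraform_remote_state`, which needs read access to the whole state, so the description should say what the channel is and what not to put in it, e.g. `description = "Common configuration data to be used in other steps (read via terraform_remote_state; keep to non-secret identifiers)."`. None of the current values are secrets: org, folder and billing-account IDs and naming prefixes are identifiers, and keeping it that way is what the description should protect.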
From: Daniel da Silva Andrade Date: Mon, 25 Jul 2022 13:56:57 -0300 Subject: [PATCH 02/30] use remote state in step 1-org --- 1-org/envs/shared/README.md | 7 +--- 1-org/envs/shared/folders.tf | 6 +-- 1-org/envs/shared/iam.tf | 48 +++++++++++----------- 1-org/envs/shared/log_sinks.tf | 6 +-- 1-org/envs/shared/main.tf | 26 ++++++++++++ 1-org/envs/shared/org_policy.tf | 8 ++-- 1-org/envs/shared/outputs.tf | 2 +- 1-org/envs/shared/projects.tf | 48 +++++++++++----------- 1-org/envs/shared/providers.tf | 4 -- 1-org/envs/shared/remote_state.tf | 26 ++++++++++++ 1-org/envs/shared/scc_notification.tf | 2 +- 1-org/envs/shared/terraform.example.tfvars | 10 +---- 1-org/envs/shared/variables.tf | 38 +++-------------- 13 files changed, 117 insertions(+), 114 deletions(-) create mode 100644 1-org/envs/shared/main.tf create mode 100644 1-org/envs/shared/remote_state.tf diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index 976c09799..8383733da 100644 --- a/1-org/envs/shared/README.md +++ b/1-org/envs/shared/README.md 
@@ -6,21 +6,19 @@ | audit\_data\_users | Google Workspace or Cloud Identity group that have access to audit logs. | `string` | n/a | yes | | audit\_logs\_table\_delete\_contents\_on\_destroy | (Optional) If set to true, delete all the tables in the dataset when destroying the resource; otherwise, destroying the resource will fail if tables are present. | `bool` | `false` | no | | audit\_logs\_table\_expiration\_days | Period before tables expire for all audit logs in milliseconds. Default is 30 days. | `number` | `30` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | base\_net\_hub\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the base net hub project. | `string` | `null` | no | | base\_net\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the base net hub project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | base\_net\_hub\_project\_budget\_amount | The amount to use as the budget for the base net hub project. | `number` | `1000` | no | -| billing\_account | The ID of the billing account to associate this project with | `string` | n/a | yes | | billing\_data\_users | Google Workspace or Cloud Identity group that have access to billing data set. | `string` | n/a | yes | | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy | `bool` | `true` | no | | data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no | -| default\_region | Default region for BigQuery resources. | `string` | n/a | yes | | dns\_hub\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the DNS hub project. | `string` | `null` | no | | dns\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the DNS hub project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | dns\_hub\_project\_budget\_amount | The amount to use as the budget for the DNS hub project. | `number` | `1000` | no | | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the terraform service account used in the deploy. | `list(string)` | n/a | yes | | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | | enable\_os\_login\_policy | Enable OS Login Organization Policy. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | | gcp\_audit\_viewer | Members are part of an audit team and view audit logs in the logging project. | `string` | `null` | no | | gcp\_billing\_admin\_user | Identity that has billing administrator permissions | `string` | `null` | no | | gcp\_billing\_creator\_user | Identity that can create billing accounts. | `string` | `null` | no | @@ -43,12 +41,9 @@ | org\_billing\_logs\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the org billing logs project. | `string` | `null` | no | | org\_billing\_logs\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the org billing logs project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | org\_billing\_logs\_project\_budget\_amount | The amount to use as the budget for the org billing logs project. | `number` | `1000` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | | org\_secrets\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the org secrets project. | `string` | `null` | no | | org\_secrets\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the org secrets project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | org\_secrets\_project\_budget\_amount | The amount to use as the budget for the org secrets project. | `number` | `1000` | no | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | | restricted\_net\_hub\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the restricted net hub project. | `string` | `null` | no | | restricted\_net\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the restricted net hub project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no |
 | restricted\_net\_hub\_project\_budget\_amount | The amount to use as the budget for the restricted net hub project. | `number` | `1000` | no |
diff --git a/1-org/envs/shared/folders.tf b/1-org/envs/shared/folders.tf
index c956d7263..a4e829d56 100644
--- a/1-org/envs/shared/folders.tf
+++ b/1-org/envs/shared/folders.tf
@@ -14,15 +14,11 @@
 * limitations under the License.
 */
-locals {
- parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-}
-
 /****************************************** Top level folders *****************************************/
 resource "google_folder" "common" {
- display_name = "${var.folder_prefix}-common"
+ display_name = "${local.folder_prefix}-common"
 parent = local.parent
 }
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index ffc44e83e..78464d0b7 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -23,8 +23,8 @@ locals {
 }
 resource "google_organization_iam_audit_config" "org_config" {
- count = var.parent_folder == "" ? 1 : 0
- org_id = var.org_id
+ count = local.parent_folder == "" ? 1 : 0
+ org_id = local.org_id
 service = "allServices"
 ###################################################################################################
@@ -44,8 +44,8 @@ resource "google_organization_iam_audit_config" "org_config" {
 }
 resource "google_folder_iam_audit_config" "folder_config" {
- count = var.parent_folder != "" ? 1 : 0
- folder = "folders/${var.parent_folder}"
+ count = local.parent_folder != "" ? 1 : 0
+ folder = "folders/${local.parent_folder}"
 service = "allServices"
 ###################################################################################################
@@ -97,7 +97,7 @@ resource "google_project_iam_member" "billing_bq_viewer" {
 *****************************************/
 resource "google_organization_iam_member" "billing_viewer" {
- org_id = var.org_id
+ org_id = local.org_id
 role = "roles/billing.viewer"
 member = "group:${var.billing_data_users}"
 }
@@ -107,43 +107,43 @@ resource "google_organization_iam_member" "billing_viewer" {
 *****************************************/
 resource "google_organization_iam_member" "organization_viewer" {
- count = var.gcp_platform_viewer != null && var.parent_folder == "" ? 1 : 0
- org_id = var.org_id
+ count = var.gcp_platform_viewer != null && local.parent_folder == "" ? 1 : 0
+ org_id = local.org_id
 role = "roles/viewer"
 member = "group:${var.gcp_platform_viewer}"
 }
 resource "google_folder_iam_member" "organization_viewer" {
- count = var.gcp_platform_viewer != null && var.parent_folder != "" ? 1 : 0
- folder = "folders/${var.parent_folder}"
+ count = var.gcp_platform_viewer != null && local.parent_folder != "" ? 1 : 0
+ folder = "folders/${local.parent_folder}"
 role = "roles/viewer"
 member = "group:${var.gcp_platform_viewer}"
 }
 resource "google_organization_iam_member" "security_reviewer" {
- count = var.gcp_security_reviewer != null && var.parent_folder == "" ? 1 : 0
- org_id = var.org_id
+ count = var.gcp_security_reviewer != null && local.parent_folder == "" ? 1 : 0
+ org_id = local.org_id
 role = "roles/iam.securityReviewer"
 member = "group:${var.gcp_security_reviewer}"
 }
 resource "google_folder_iam_member" "security_reviewer" {
- count = var.gcp_security_reviewer != null && var.parent_folder != "" ? 1 : 0
- folder = "folders/${var.parent_folder}"
+ count = var.gcp_security_reviewer != null && local.parent_folder != "" ? 1 : 0
+ folder = "folders/${local.parent_folder}"
 role = "roles/iam.securityReviewer"
 member = "group:${var.gcp_security_reviewer}"
 }
 resource "google_organization_iam_member" "network_viewer" {
- count = var.gcp_network_viewer != null && var.parent_folder == "" ? 1 : 0
- org_id = var.org_id
+ count = var.gcp_network_viewer != null && local.parent_folder == "" ? 
1 : 0
+ org_id = local.org_id
 role = "roles/compute.networkViewer"
 member = "group:${var.gcp_network_viewer}"
 }
 resource "google_folder_iam_member" "network_viewer" {
- count = var.gcp_network_viewer != null && var.parent_folder != "" ? 1 : 0
- folder = "folders/${var.parent_folder}"
+ count = var.gcp_network_viewer != null && local.parent_folder != "" ? 1 : 0
+ folder = "folders/${local.parent_folder}"
 role = "roles/compute.networkViewer"
 member = "group:${var.gcp_network_viewer}"
 }
@@ -188,29 +188,29 @@ resource "google_project_iam_member" "global_secrets_admin" {
 *****************************************/
 resource "google_organization_iam_member" "org_admin_user" {
- count = var.gcp_org_admin_user != null && var.parent_folder == "" ? 1 : 0
- org_id = var.org_id
+ count = var.gcp_org_admin_user != null && local.parent_folder == "" ? 1 : 0
+ org_id = local.org_id
 role = "roles/resourcemanager.organizationAdmin"
 member = "user:${var.gcp_org_admin_user}"
 }
 resource "google_folder_iam_member" "org_admin_user" {
- count = var.gcp_org_admin_user != null && var.parent_folder != "" ? 1 : 0
- folder = "folders/${var.parent_folder}"
+ count = var.gcp_org_admin_user != null && local.parent_folder != "" ? 1 : 0
+ folder = "folders/${local.parent_folder}"
 role = "roles/resourcemanager.folderAdmin"
 member = "user:${var.gcp_org_admin_user}"
 }
 resource "google_organization_iam_member" "billing_creator_user" {
- count = var.gcp_billing_creator_user != null && var.parent_folder == "" ? 1 : 0
- org_id = var.org_id
+ count = var.gcp_billing_creator_user != null && local.parent_folder == "" ? 1 : 0
+ org_id = local.org_id
 role = "roles/billing.creator"
 member = "user:${var.gcp_billing_creator_user}"
 }
 resource "google_billing_account_iam_member" "billing_admin_user" {
 count = var.gcp_billing_admin_user != null ? 1 : 0
- billing_account_id = var.billing_account
+ billing_account_id = local.billing_account
 role = "roles/billing.admin"
 member = "user:${var.gcp_billing_admin_user}"
 }
diff --git a/1-org/envs/shared/log_sinks.tf b/1-org/envs/shared/log_sinks.tf index 02dccc000..e88ceca79 100644 --- a/1-org/envs/shared/log_sinks.tf +++ b/1-org/envs/shared/log_sinks.tf @@ -15,8 +15,8 @@ */ locals { - parent_resource_id = var.parent_folder != "" ? var.parent_folder : var.org_id - parent_resource_type = var.parent_folder != "" ? "folder" : "organization" + parent_resource_id = local.parent_folder != "" ? local.parent_folder : local.org_id + parent_resource_type = local.parent_folder != "" ? "folder" : "organization" main_logs_filter = < Date: Wed, 3 Aug 2022 00:51:52 -0300 Subject: [PATCH 03/30] fix integration test --- 0-bootstrap/README.md | 1 + 0-bootstrap/modules/parent-iam-member/main.tf | 13 +- .../modules/parent-iam-member/variables.tf | 6 +- 0-bootstrap/outputs.tf | 17 +- 0-bootstrap/sa.tf | 25 +++ 0-bootstrap/variables.tf | 6 + 1-org/envs/shared/README.md | 1 - 1-org/envs/shared/main.tf | 17 +- 1-org/envs/shared/org_policy.tf | 2 +- 1-org/envs/shared/terraform.example.tfvars | 2 - 1-org/envs/shared/variables.tf | 6 - test/integration/bootstrap/bootstrap_test.go | 23 ++- test/integration/go.mod | 2 +- test/integration/go.sum | 145 +----------------- test/integration/org/org_test.go | 22 ++- test/setup/outputs.tf | 6 +- 16 files changed, 109 insertions(+), 185 deletions(-) diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index 1c8463768..13423cfe7 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -172,6 +172,7 @@ the following steps: | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes | | bucket\_prefix | Name prefix to use for state bucket created. | `string` | `"bkt"` | no | | cloud\_source\_repos | List of Cloud Source Repositories created during bootstrap project build stage for use with Cloud Build. | `list(string)` |
[
"gcp-org",
"gcp-environments",
"gcp-networks",
"gcp-projects"
]
| no |
+| create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy | `bool` | `true` | no |
 | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes |
diff --git a/0-bootstrap/modules/parent-iam-member/main.tf b/0-bootstrap/modules/parent-iam-member/main.tf
index ab94eaefc..df9681f11 100644
--- a/0-bootstrap/modules/parent-iam-member/main.tf
+++ b/0-bootstrap/modules/parent-iam-member/main.tf
@@ -15,8 +15,9 @@
 */
 locals {
- org_id = var.parent_type == "organization" ? var.parent_id : ""
- folder_id = var.parent_type == "folder" ? var.parent_id : ""
+ org_id = var.parent_type == "organization" ? var.parent_id : ""
+ folder_id = var.parent_type == "folder" ? var.parent_id : ""
+ project_id = var.parent_type == "project" ? var.parent_id : ""
 }
 resource "google_organization_iam_member" "org_parent_iam" {
@@ -34,3 +35,11 @@ resource "google_folder_iam_member" "folder_parent_iam" {
 role = each.key
 member = var.member
 }
+
+resource "google_project_iam_member" "project_parent_iam" {
+ for_each = toset(local.project_id != "" ? var.roles : [])
+
+ project = local.project_id
+ role = each.key
+ member = var.member
+}
diff --git a/0-bootstrap/modules/parent-iam-member/variables.tf b/0-bootstrap/modules/parent-iam-member/variables.tf
index d1aa44fd2..9bcbea63a 100644
--- a/0-bootstrap/modules/parent-iam-member/variables.tf
+++ b/0-bootstrap/modules/parent-iam-member/variables.tf
@@ -15,12 +15,12 @@
 */
 variable "parent_type" {
- description = "Type of the parent resource. valid values are `organization` and `folder`."
+ description = "Type of the parent resource. valid values are `organization`, `folder`, and `project`."
 type = string
 validation {
- condition = var.parent_type == "organization" || var.parent_type == "folder"
- error_message = "For parent_type only `organization` and `folder` are valid."
+ condition = var.parent_type == "organization" || var.parent_type == "folder" || var.parent_type == "project"
+ error_message = "For parent_type only `organization`, `folder`, and `project` are valid."
 }
 }
diff --git a/0-bootstrap/outputs.tf b/0-bootstrap/outputs.tf
index f482404fa..a24d21c49 100644
--- a/0-bootstrap/outputs.tf
+++ b/0-bootstrap/outputs.tf
@@ -57,14 +57,15 @@ output "gcs_bucket_tfstate" {
 output "common_config" {
 description = "Common configuration data to be used in other steps."
 value = {
- org_id = var.org_id,
- parent_folder = var.parent_folder,
- billing_account = var.billing_account,
- default_region = var.default_region,
- project_prefix = var.project_prefix,
- folder_prefix = var.folder_prefix
- parent_id = local.parent
- bootstrap_folder_name = google_folder.bootstrap.name
+ org_id = var.org_id,
+ parent_folder = var.parent_folder,
+ billing_account = var.billing_account,
+ default_region = var.default_region,
+ project_prefix = var.project_prefix,
+ folder_prefix = var.folder_prefix
+ create_access_context_manager_access_policy = var.create_access_context_manager_access_policy
+ parent_id = local.parent
+ bootstrap_folder_name = google_folder.bootstrap.name
 }
 }
diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
index e81ec1999..d5a4676b8 100644
--- a/0-bootstrap/sa.tf
+++ b/0-bootstrap/sa.tf
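Review bot: The `validation` condition in `parent_type` grows by one `||` clause each time a parent type is added and must be kept in sync with the `description` and the `error_message` by hand; `condition = contains(["organization", "folder", "project"], var.parent_type)` states the allowed set once and reads as the list it is. The lower-case "valid values" in the description could be capitalised while the line is being rewritten anyway.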
@@ -67,6 +67,21 @@ locals {
 "roles/compute.xpnAdmin",
 ],
 }
+
+ granular_sa_seed_project = {
+ "org" = [
+ "roles/storage.objectAdmin",
+ ],
+ "env" = [
+ "roles/storage.objectAdmin"
+ ],
+ "net" = [
+ "roles/storage.objectAdmin",
+ ],
+ "proj" = [
+ "roles/storage.objectAdmin",
+ ],
+ }
 }
 resource "google_service_account" "terraform-env-sa" {
@@ -97,6 +112,16 @@ module "parent_iam_member" {
 roles = each.value
 }
+module "project_iam_member" {
+ source = "./modules/parent-iam-member"
+ for_each = local.granular_sa_seed_project
+
+ member = "serviceAccount:${google_service_account.terraform-env-sa[each.key].email}"
+ parent_type = "project"
+ parent_id = module.seed_bootstrap.seed_project_id
+ roles = each.value
+}
+
 resource "google_billing_account_iam_member" "tf_billing_user" {
 for_each = local.granular_sa
diff --git a/0-bootstrap/variables.tf b/0-bootstrap/variables.tf
index c377c8572..f68eed4c0 100644
--- a/0-bootstrap/variables.tf
+++ b/0-bootstrap/variables.tf
@@ -82,6 +82,12 @@ variable "cloud_source_repos" {
 default = ["gcp-org", "gcp-environments", "gcp-networks", "gcp-projects"]
 }
+variable "create_access_context_manager_access_policy" {
+ description = "Whether to create access context manager access policy"
+ type = bool
+ default = true
+}
+
 /* ---------------------------------------- Specific to jenkins_bootstrap module ---------------------------------------- */
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
index 4fa82549d..ff56b21b7 100644
--- a/1-org/envs/shared/README.md
+++ b/1-org/envs/shared/README.md
@@ -11,7 +11,6 @@
 | base\_net\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the base net hub project. | `list(number)` |
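Review bot: `granular_sa_seed_project` grants each step service account `roles/storage.objectAdmin` at the seed project level (`module "project_iam_member"` with `parent_type = "project"` and `parent_id = module.seed_bootstrap.seed_project_id`), which covers every bucket in that project, including the state bucket the README in this series describes as storing terraform state for all foundation pipelines; each step SA can therefore overwrite or delete the 0-bootstrap state and the state of every other step, while the stated purpose of the series (loading remote state from previous steps) needs only read access. Scoping the grant to the state bucket with `google_storage_bucket_iam_member` on `module.seed_bootstrap.gcs_bucket_tfstate` shrinks the blast radius without touching the project-level module: `roles/storage.objectViewer` is enough if a step only reads this bucket, and if the steps also write their own state here, a bucket-level `objectAdmin` — or objectViewer plus an IAM condition on the step's own state prefix — is still a far smaller grant than the project-wide one. The four identical role lists could also be derived in one expression so a new step cannot be added to one map and forgotten in the other, and the `"env"` entry is the only one without a trailing comma.
```hcl
# Bucket-scoped replacement for module "project_iam_member": each step SA gets
# access to the foundation state bucket only, not to every bucket in the seed project.
resource "google_storage_bucket_iam_member" "tfstate_access" {
  for_each = local.granular_sa_seed_project

  bucket = module.seed_bootstrap.gcs_bucket_tfstate
  role   = "roles/storage.objectAdmin" # objectViewer suffices if the step only reads this bucket
  member = "serviceAccount:${google_service_account.terraform-env-sa[each.key].email}"
}
```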
[
0.5,
0.75,
0.9,
0.95
]
| no | | base\_net\_hub\_project\_budget\_amount | The amount to use as the budget for the base net hub project. | `number` | `1000` | no | | billing\_data\_users | Google Workspace or Cloud Identity group that have access to billing data set. | `string` | n/a | yes | -| create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy | `bool` | `true` | no | | data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no | | dns\_hub\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the DNS hub project. | `string` | `null` | no | | dns\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the DNS hub project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no |
diff --git a/1-org/envs/shared/main.tf b/1-org/envs/shared/main.tf
index ffc7d02a6..c67dad119 100644
--- a/1-org/envs/shared/main.tf
+++ b/1-org/envs/shared/main.tf
@@ -15,12 +15,13 @@
 */
 locals {
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
- org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
- billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
- default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
- project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
- folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
- tf_sa = var.terraform_service_account
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
+ default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+ project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
+ folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
+ parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
+ create_access_policy = data.terraform_remote_state.bootstrap.outputs.common_config.create_access_context_manager_access_policy
+ tf_sa = var.terraform_service_account
 }
diff --git a/1-org/envs/shared/org_policy.tf b/1-org/envs/shared/org_policy.tf
index 5f5c253b2..833742075 100644
--- a/1-org/envs/shared/org_policy.tf
+++ b/1-org/envs/shared/org_policy.tf
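Review bot: `create_access_policy` in the new `locals` reads `common_config.create_access_context_manager_access_policy`, a key that 0-bootstrap only emits after this same patch's `0-bootstrap/outputs.tf` change; against a bootstrap state written by an earlier apply, `terraform plan` in 1-org fails on this line with a missing-attribute error that says nothing about the stale state. Either document the ordering next to the local, e.g. `# Requires 0-bootstrap to have been re-applied with the common_config output that carries create_access_context_manager_access_policy.`, or tolerate the missing key with `try(data.terraform_remote_state.bootstrap.outputs.common_config.create_access_context_manager_access_policy, true)`, which preserves the `true` default of the variable this patch removes from `1-org/envs/shared/variables.tf`. Most of the hunk is a whitespace-only realignment of lines that do not change; keeping the alignment in its own commit would leave the one behavioral line easy to spot.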
@@ -173,7 +173,7 @@ module "org_enforce_bucket_level_access" {
 *******************************************/
 resource "google_access_context_manager_access_policy" "access_policy" {
- count = var.create_access_context_manager_access_policy ? 1 : 0
+ count = local.create_access_policy ? 1 : 0
 parent = "organizations/${local.org_id}"
 title = "default policy"
 }
diff --git a/1-org/envs/shared/terraform.example.tfvars b/1-org/envs/shared/terraform.example.tfvars
index 2c2d0d64e..0e0f702d8 100644
--- a/1-org/envs/shared/terraform.example.tfvars
+++ b/1-org/envs/shared/terraform.example.tfvars
@@ -29,8 +29,6 @@ backend_bucket = ""
 //scc_notification_filter = "state=\\\"ACTIVE\\\""
-//create_access_context_manager_access_policy = false
-
 //enable_hub_and_spoke = true
 // if you enable hub and spoke you need to provide
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
index 7592daf57..0899ea42e 100644
--- a/1-org/envs/shared/variables.tf
+++ b/1-org/envs/shared/variables.tf
@@ -74,12 +74,6 @@ variable "scc_notification_filter" {
 default = "state = \"ACTIVE\""
 }
-variable "create_access_context_manager_access_policy" {
- description = "Whether to create access context manager access policy"
- type = bool
- default = true
-}
-
 variable "data_access_logs_enabled" {
 description = "Enable Data Access logs of types DATA_READ, DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN_READ logs are enabled by default."
 type = bool
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index 51ea50f96..935f72200 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -16,12 +16,16 @@ package bootstrap
 import (
 "fmt"
+ "os"
+ "os/exec"
+ "path"
 "testing"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
- "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
+ "github.com/gruntwork-io/terratest/modules/terraform"
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 "github.com/tidwall/gjson"
 )
@@ -75,8 +79,6 @@ func TestBootstrap(t *testing.T) {
 "accesscontextmanager.googleapis.com",
 }
- orgID := utils.ValFromEnv(t, "TF_VAR_org_id")
-
 bootstrap.DefineVerify(
 func(assert *assert.Assertions) {
@@ -166,6 +168,7 @@ func TestBootstrap(t *testing.T) {
 iamFilter := fmt.Sprintf("bindings.members:'serviceAccount:%s'", terraformSAEmail)
 iamOpts := gcloud.WithCommonArgs([]string{"--flatten", "bindings", "--filter", iamFilter, "--format", "json"})
+ orgID := bootstrap.GetTFSetupStringOutput("org_id")
 orgIamPolicyRoles := gcloud.Run(t, fmt.Sprintf("organizations get-iam-policy %s", orgID), iamOpts).Array()
 listRoles := getResultFieldStrSlice(orgIamPolicyRoles, "bindings.role")
 if len(sa.orgRoles) == 0 {
@@ -174,6 +177,20 @@ func TestBootstrap(t *testing.T) {
 assert.Subset(listRoles, sa.orgRoles, fmt.Sprintf("service account %s should have organization level roles", terraformSAEmail))
 }
 }
+
+ // push state to GCS bucket
+ temOptions := bootstrap.GetTFOptions()
+ temOptions.BackendConfig = map[string]interface{}{
+ "bucket": bootstrap.GetStringOutput("gcs_bucket_tfstate"),
+ }
+ temOptions.MigrateState = true
+ cwd, err := os.Getwd()
+ require.NoError(t, err)
+ srcFile := path.Join(cwd, "../../../0-bootstrap/backend.tf.example")
+ destFile := path.Join(cwd, "../../../0-bootstrap/backend.tf")
+ _, err2 := exec.Command("cp", srcFile, destFile).CombinedOutput()
+ require.NoError(t, err2)
+ terraform.Init(t, temOptions)
 })
 bootstrap.Test()
 }
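Review bot: The new block at the end of the verify closure copies `backend.tf.example` over `0-bootstrap/backend.tf` with `exec.Command("cp", …)` and never removes it, so the test leaves a backend file pointing at the real state bucket in the working tree, and it depends on an external `cp` binary for what `os.ReadFile`/`os.WriteFile` (available with the `go 1.17` in `test/integration/go.mod`) do portably with proper error values; `err2` exists only to avoid reusing `err`, and `path.Join` is meant for slash-separated paths while these are OS paths, so `path/filepath` is the import to use. Register a `t.Cleanup` that deletes `destFile` so repeated runs and the next `terraform init` start from the committed tree — unless the harness removes it somewhere outside this diff. `MigrateState = true` rewrites the bootstrap state into the bucket as a side effect of the verify step; a one-line comment on why that is done here (later steps read this state through `terraform_remote_state`) would save the next reader a trip through the other patches. `TestBootstrap` begins before this hunk; the closure and the function both end inside it.
```go
	// push state to GCS bucket so later steps can read it via terraform_remote_state
	temOptions := bootstrap.GetTFOptions()
	// … unchanged: BackendConfig / MigrateState setup …
	cwd, err := os.Getwd()
	require.NoError(t, err)
	srcFile := filepath.Join(cwd, "../../../0-bootstrap/backend.tf.example")
	destFile := filepath.Join(cwd, "../../../0-bootstrap/backend.tf")
	backendCfg, err := os.ReadFile(srcFile)
	require.NoError(t, err)
	require.NoError(t, os.WriteFile(destFile, backendCfg, 0644))
	t.Cleanup(func() { _ = os.Remove(destFile) })
	terraform.Init(t, temOptions)
```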
diff --git a/test/integration/go.mod b/test/integration/go.mod index b625311db..3681da338 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -3,7 +3,7 @@ module github.com/terraform-google-modules/terraform-example-foundation/test/int go 1.17 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.0.1 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.1-0.20220802155302-a13ee7fb1c62 github.com/gruntwork-io/terratest v0.40.7 github.com/stretchr/testify v1.7.1 github.com/tidwall/gjson v1.12.1 diff --git a/test/integration/go.sum b/test/integration/go.sum index c74619d05..47043255b 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum @@ -7,7 +7,6 @@ cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxK cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= 
@@ -43,58 +42,33 @@ cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v50.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= -github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= -github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= -github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= -github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= github.com/Azure/go-autorest/autorest v0.11.17/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= github.com/Azure/go-autorest/autorest v0.11.20/go.mod 
h1:o3tqFY+QR40VOlk+pV4d77mORO64jOXSgEnPQgLK6JY= -github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= -github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= -github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= -github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= -github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.11/go.mod h1:nBKAnTomx8gDtl+3ZCJv2v0KACFHWTB2drffI1B68Pk= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= github.com/Azure/go-autorest/autorest/azure/auth v0.5.8/go.mod h1:kxyKZTSfKh8OVFWPAgOgQ/frrJgeYQJPyR5fLFmXko4= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM= -github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= -github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= 
-github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= -github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= -github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= -github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= -github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.0.1 h1:QJGGu6xDZeYpvrojayqG4Mj/2KGown/FraDniI62bxY= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.0.1/go.mod h1:ZA21UTC1O82Y8uUfWFDe9rll4pZD/1kpPCC1HSpL2T0= -github.com/GoogleCloudPlatform/k8s-cloud-provider 
v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.0 h1:DxZVAPSG0jJO0thdDEJ3pIL+sX3jl00o/Iwp56e7SiI= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.0/go.mod h1:E655Ka0BfIYALBmqU9ZbemLk/nutxw4vU6wkLEjshSA= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.1-0.20220802155302-a13ee7fb1c62 h1:uDiVwwTc7caRf6k2+MBKf3Ia+Z9nWu9diaJQUN3oGdA= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.1-0.20220802155302-a13ee7fb1c62/go.mod h1:E655Ka0BfIYALBmqU9ZbemLk/nutxw4vU6wkLEjshSA= github.com/GoogleContainerTools/kpt-functions-sdk/go v0.0.0-20220301220754-6964a09d6cd2/go.mod h1:lJYiqfBOl6AOiefK9kmkhinbffIysu+nnclOBwKEPlQ= github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= 
@@ -116,10 +90,8 @@ github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= 
@@ -135,7 +107,6 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= -github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= @@ -146,9 +117,6 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM= -github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.38.28/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.40.56 h1:FM2yjR0UUYFzDTMx+mH9Vyw1k1EUUxsAFzk+BjkzANA= github.com/aws/aws-sdk-go v1.40.56/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 
@@ -161,7 +129,6 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA= github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= @@ -271,7 +238,6 @@ github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgU github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= 
@@ -284,9 +250,7 @@ github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+ github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= @@ -296,7 +260,6 @@ github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1S github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I= -github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -307,14 +270,10 @@ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= -github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v20.10.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= 
@@ -329,7 +288,6 @@ github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= @@ -342,7 +300,6 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= 
@@ -367,17 +324,13 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= 
@@ -414,7 +367,6 @@ github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= @@ -451,9 +403,7 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= github.com/google/go-containerregistry v0.6.0/go.mod h1:euCCtNbZ6tKqi1E72vwDj2xZcN5ttKpZLfa/wSo5iLw= -github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= 
@@ -482,11 +432,8 @@ github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= -github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= @@ -502,7 +449,6 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= -github.com/gruntwork-io/terratest v0.35.6/go.mod h1:GIVJGBV1WIv1vxIG31Ycy0CuHYfXuvvkilNQuC9Wi+o= github.com/gruntwork-io/terratest v0.40.7 h1:kp6Ymc3hPMdsCoV2Ij2C5QqooCCwELuIopKXhWho/jE= github.com/gruntwork-io/terratest v0.40.7/go.mod h1:CjHsEgP1Pe987X5N8K5qEqCuLtu1bqERGIAF8bTj1s0= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= 
@@ -534,24 +480,20 @@ github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= github.com/hashicorp/hcl/v2 v2.9.1 h1:eOy4gREY0/ZQHNItlfuEZqtcQbXIxzojlP301hDpnac= github.com/hashicorp/hcl/v2 v2.9.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hashicorp/terraform-json v0.9.0/go.mod h1:3defM4kkMfttwiE7VakJDwCd4R+umhSQnvJwORXbprE= github.com/hashicorp/terraform-json v0.13.0 h1:Li9L+lKD1FO5RVFRM1mMMIBDoUHslOniyEi5CM+FWGY= github.com/hashicorp/terraform-json v0.13.0/go.mod h1:y5OdLBCT+rxbwnpxZs9kGL7R9ExU76+cpdY8zHwoazk= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= 
-github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= 
@@ -561,17 +503,13 @@ github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt7 github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= -github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= 
@@ -608,7 +546,6 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM= @@ -628,7 +565,6 @@ github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 h1:ofNAzWCcyTALn2 github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= 
@@ -642,7 +578,6 @@ github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eI github.com/mitchellh/go-testing-interface v1.14.2-0.20210217184823-a52172cd2f64 h1:+9bM6qWXndPx7+czi9+Jj6zHPioFpfdhwVGOYOgujMY= github.com/mitchellh/go-testing-interface v1.14.2-0.20210217184823-a52172cd2f64/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= -github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= @@ -659,7 +594,6 @@ github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGq github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= 
@@ -678,14 +612,12 @@ github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:v github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= 
@@ -725,7 +657,6 @@ github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= -github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= 
@@ -760,19 +691,15 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= -github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= github.com/seccomp/libseccomp-golang v0.9.1/go.mod 
h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= @@ -799,7 +726,6 @@ github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= @@ -810,7 +736,6 @@ github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= 
@@ -819,7 +744,6 @@ github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 
@@ -847,14 +771,12 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1 github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ= github.com/tmccombs/hcl2json v0.3.3/go.mod h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/ulikunitz/xz v0.5.8 h1:ERv8V6GKqVi23rgu5cj9pVfVzJbOqAY2Ntl88O6c2nQ= github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= 
@@ -864,7 +786,6 @@ github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= -github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= @@ -882,7 +803,6 @@ github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= -github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= github.com/zclconf/go-cty v1.8.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= github.com/zclconf/go-cty v1.9.1 h1:viqrgQwFl5UpSxc046qblj78wZXVDFnSOufaOTER+cc= 
@@ -891,7 +811,6 @@ github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRK go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= -go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= @@ -917,8 +836,6 @@ golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -927,18 +844,14 @@ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc= golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= golang.org/x/exp 
v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= @@ -974,7 +887,6 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1054,7 +966,6 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1062,8 +973,6 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -1079,7 +988,6 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1090,7 +998,6 @@ golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1144,11 +1051,9 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644 h1:CA1DEQ4NdKphKeL70tvsWNdT5oFh1lOjihRcEDROi0I= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1165,10 +1070,8 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 
@@ -1182,10 +1085,8 @@ golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -1193,7 +1094,6 @@ golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= @@ -1218,7 +1118,6 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 
@@ -1232,12 +1131,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= -gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= -gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 
@@ -1369,7 +1264,6 @@ gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= @@ -1379,7 +1273,6 @@ gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -1404,28 +1297,18 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= -k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= -k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= -k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= -k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= -k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= -k8s.io/client-go v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= -k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= -k8s.io/code-generator 
v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= -k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= 
@@ -1433,31 +1316,14 @@ k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= -k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= -k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= -k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod 
h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= -modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= -modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= -modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= -modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= @@ -1465,9 +1331,6 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyz sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/kustomize/kyaml v0.11.0 h1:9KhiCPKaVyuPcgOLJXkvytOvjMJLoxpjodiycb4gHsA= sigs.k8s.io/kustomize/kyaml v0.11.0/go.mod h1:GNMwjim4Ypgp/MueD3zXHLRJEjz7RvtPae0AwlvEMFM= -sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= -sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= -sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= 
diff --git a/test/integration/org/org_test.go b/test/integration/org/org_test.go index 75acebc2a..698532293 100644 --- a/test/integration/org/org_test.go +++ b/test/integration/org/org_test.go @@ -16,20 +16,17 @@ package org import ( "fmt" + "strconv" "strings" "testing" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" - "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/tidwall/gjson" ) -func isHubAndSpoke(t *testing.T) bool { - return "HubAndSpoke" == utils.ValFromEnv(t, "TF_VAR_example_foundations_mode") -} - func getLastSplitElement(value string, sep string) string { splitted := strings.Split(value, sep) return splitted[len(splitted)-1] @@ -52,15 +49,22 @@ func TestOrg(t *testing.T) { terraformSA := bootstrap.GetStringOutput("organization_step_terraform_service_account_email") networksTerraformSA := bootstrap.GetStringOutput("networks_step_terraform_service_account_email") + backend_bucket := bootstrap.GetStringOutput("gcs_bucket_tfstate") vars := map[string]interface{}{ - "terraform_service_account": terraformSA, + "backend_bucket": backend_bucket, + "terraform_service_account": terraformSA, "networks_step_terraform_service_account_email": networksTerraformSA, } + backendConfig := map[string]interface{}{ + "bucket": backend_bucket, + } + org := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../../1-org/envs/shared"), tft.WithVars(vars), + tft.WithBackendConfig(backendConfig), ) org.DefineVerify( 
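Review bot: `backend_bucket` in the `@@ -52,15 +49,22 @@` hunk is a snake_case local in Go code whose neighbours (`terraformSA`, `networksTerraformSA`, `backendConfig`) are camelCase, and the same applies to `enable_hub_and_spoke` in the later `@@ -187,7 +191,9 @@` hunk; Go linters will flag both. Renaming the local keeps the map keys unchanged: `backendBucket := bootstrap.GetStringOutput("gcs_bucket_tfstate")`, `"backend_bucket": backendBucket,` and `"bucket": backendBucket,`. The same output now feeds both the `backend_bucket` variable and the test's backend config, which I read as one bucket serving the step's own state and its remote-state lookups — a one-line comment above `backendConfig` confirming that intent would save the next reader from wondering whether the duplication is deliberate. TestOrg begins and ends outside this hunk.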
@@ -114,7 +118,7 @@ func TestOrg(t *testing.T) {
subscription := gcloud.Runf(t, "pubsub subscriptions describe %s --project %s", subscriptionName, sccProjectID)
assert.Equal(subscriptionFullName, subscription.Get("name").String(), fmt.Sprintf("subscription %s should have been created", subscriptionName))
- orgID := utils.ValFromEnv(t, "TF_VAR_org_id")
+ orgID := bootstrap.GetTFSetupStringOutput("org_id")
notificationName := org.GetStringOutput("scc_notification_name")
notification := gcloud.Runf(t, "scc notifications describe %s --organization %s", notificationName, orgID)
assert.Equal(topicFullName, notification.Get("pubsubTopic").String(), fmt.Sprintf("notification %s should use topic %s", notificationName, topicName))
@@ -187,7 +191,9 @@ func TestOrg(t *testing.T) {
}
// hub and spoke infrastructure
- if isHubAndSpoke(t) {
+ enable_hub_and_spoke, err := strconv.ParseBool(bootstrap.GetTFSetupStringOutput("enable_hub_and_spoke"))
+ require.NoError(t, err)
+ if enable_hub_and_spoke {
for _, hubAndSpokeProjectOutput := range []string{
"base_net_hub_project_id",
"restricted_net_hub_project_id",
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
index d823aa990..390e9bc44 100644
--- a/test/setup/outputs.tf
+++ b/test/setup/outputs.tf
@@ -69,7 +69,7 @@ output "monitoring_workspace_users" {
}
output "domains_to_allow" {
- value = [var.domain_to_allow]
+ value = tolist([var.domain_to_allow])
}
output "target_name_server_addresses" {
@@ -87,3 +87,7 @@ output "enable_hub_and_spoke" {
output "enable_hub_and_spoke_transitivity" {
value = var.example_foundations_mode == "HubAndSpoke" ? "true" : "false"
}
+
+output "create_access_context_manager_access_policy" {
+ value = false
+}
\ No newline at end of file
From 3eb48efe9f12f8ada22a13dbb12ed958d42efab9 Mon Sep 17 00:00:00 2001
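Review bot: The new `create_access_context_manager_access_policy` output emits a raw bool, while the adjacent `enable_hub_and_spoke_transitivity` output encodes booleans as the strings "true"/"false"; the Go test path above (`GetTFSetupStringOutput` + `strconv.ParseBool`) tolerates either, but mixing encodings in one outputs file invites a type mismatch in a later consumer, so `value = "false"` would match the file's convention. The added block also ends without a trailing newline (the `\ No newline at end of file` marker is on the new side), which formatters normally restore.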
From: Daniel da Silva Andrade Date: Thu, 4 Aug 2022 19:54:06 -0300 Subject: [PATCH 04/30] use remote state date in step 5 --- 5-app-infra/README.md | 10 +--- .../business_unit_1/development/README.md | 6 +-- .../development/bu1-development.auto.tfvars | 1 - .../development/common.auto.tfvars | 1 - .../business_unit_1/development/main.tf | 30 ++++++------ .../business_unit_1/development/providers.tf | 8 +--- .../development/remote_state.tf} | 13 +++-- .../development/terraform.tfvars | 1 + .../business_unit_1/development/variables.tf | 20 ++------ .../business_unit_1/non-production/README.md | 6 +-- .../bu1-non-production.auto.tfvars | 1 - .../non-production/common.auto.tfvars | 1 - .../business_unit_1/non-production/main.tf | 28 ++++++----- .../non-production/providers.tf | 8 +--- .../non-production/remote_state.tf} | 13 +++-- .../non-production/terraform.tfvars | 1 + .../non-production/variables.tf | 20 ++------ .../business_unit_1/production/README.md | 6 +-- .../production/bu1-production.auto.tfvars | 1 - .../production/common.auto.tfvars | 1 - .../business_unit_1/production/main.tf | 30 ++++++------ .../business_unit_1/production/providers.tf | 8 +--- .../production/remote_state.tf} | 13 +++-- .../production/terraform.tfvars | 1 + .../business_unit_1/production/variables.tf | 20 ++------ 5-app-infra/common.auto.example.tfvars | 23 --------- 5-app-infra/modules/env_base/README.md | 7 +-- 5-app-infra/modules/env_base/data.tf | 42 ---------------- 5-app-infra/modules/env_base/main.tf | 23 ++++++--- 5-app-infra/modules/env_base/outputs.tf | 2 +- 5-app-infra/modules/env_base/remote_state.tf | 48 +++++++++++++++++++ 5-app-infra/modules/env_base/variables.tf | 22 +++++---- 5-app-infra/terraform.tfvars | 1 + 33 files changed, 192 insertions(+), 224 deletions(-) delete mode 120000 5-app-infra/business_unit_1/development/bu1-development.auto.tfvars delete mode 120000 5-app-infra/business_unit_1/development/common.auto.tfvars rename 
5-app-infra/{bu1-production.auto.example.tfvars => business_unit_1/development/remote_state.tf} (67%)
create mode 120000 5-app-infra/business_unit_1/development/terraform.tfvars
delete mode 120000 5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars
delete mode 120000 5-app-infra/business_unit_1/non-production/common.auto.tfvars
rename 5-app-infra/{bu1-development.auto.example.tfvars => business_unit_1/non-production/remote_state.tf} (67%)
create mode 120000 5-app-infra/business_unit_1/non-production/terraform.tfvars
delete mode 120000 5-app-infra/business_unit_1/production/bu1-production.auto.tfvars
delete mode 120000 5-app-infra/business_unit_1/production/common.auto.tfvars
rename 5-app-infra/{bu1-non-production.auto.example.tfvars => business_unit_1/production/remote_state.tf} (67%)
create mode 120000 5-app-infra/business_unit_1/production/terraform.tfvars
delete mode 100644 5-app-infra/common.auto.example.tfvars
delete mode 100644 5-app-infra/modules/env_base/data.tf
create mode 100644 5-app-infra/modules/env_base/remote_state.tf
create mode 120000 5-app-infra/terraform.tfvars
diff --git a/5-app-infra/README.md b/5-app-infra/README.md
index d83c94428..80b9f11cd 100644
--- a/5-app-infra/README.md
+++ b/5-app-infra/README.md
@@ -147,10 +147,7 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS.
```
chmod 755 ./tf-wrapper.sh
```
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars` and update the file with values from your environment and 0-bootstrap. See any of the business unit 1 envs folders [README.md](./business_unit_1/development/README.md) files for additional information on the values in the `common.auto.tfvars` file.
-1. Rename `bu1-development.auto.example.tfvars` to `bu1-development.auto.tfvars` and update the file with values from your environment.
-1. Rename `bu1-non-production.auto.example.tfvars` to `bu1-non-production.auto.tfvars` and update the file with values from your environment.
-1. Rename `bu1-production.auto.example.tfvars` to `bu1-production.auto.tfvars` and update the file with values from your environment.
+1. Rename `terraform.example.tfvars` to `terraform.tfvars` and update the file with values from 0-bootstrap.
1. Commit changes.
```
git add .
@@ -190,10 +187,7 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS.
1. Change into the `5-app-infra` folder.
1. Run `cp ../build/tf-wrapper.sh .`
1. Run `chmod 755 ./tf-wrapper.sh`.
-1. Rename `common.auto.example.tfvars` to `common.auto.tfvars` and update the file with values from your environment and 0-bootstrap.
-1. Rename `bu1-development.auto.example.tfvars` to `bu1-development.auto.tfvars` and update the file with values from your environment.
-1. Rename `bu1-non-production.auto.example.tfvars` to `bu1-non-production.auto.tfvars` and update the file with values from your environment.
-1. Rename `bu1-production.auto.example.tfvars` to `bu1-production.auto.tfvars` and update the file with values from your environment.
+1. Rename `terraform.example.tfvars` to `terraform.tfvars` and update the file with values from 0-bootstrap.
1. Provide the user that will be running `./tf-wrapper.sh` the Service Account Token Creator role to the bu1 project service accounts
1. Provide the user permissions to run the terraform locally with the `serviceAccountTokenCreator` permission.
```
diff --git a/5-app-infra/business_unit_1/development/README.md b/5-app-infra/business_unit_1/development/README.md
index 19618db4b..52e99692e 100644
--- a/5-app-infra/business_unit_1/development/README.md
+++ b/5-app-infra/business_unit_1/development/README.md
@@ -3,11 +3,9 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
+| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes |
| instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes |
-| org\_id | The organization id for the associated services | `string` | n/a | yes |
-| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
-| project\_service\_account | Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created | `string` | n/a | yes |
+| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
## Outputs
diff --git a/5-app-infra/business_unit_1/development/bu1-development.auto.tfvars b/5-app-infra/business_unit_1/development/bu1-development.auto.tfvars
deleted file mode 120000
index 69c1030b8..000000000
--- a/5-app-infra/business_unit_1/development/bu1-development.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../bu1-development.auto.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/development/common.auto.tfvars b/5-app-infra/business_unit_1/development/common.auto.tfvars
deleted file mode 120000
index 39aaa4621..000000000
--- a/5-app-infra/business_unit_1/development/common.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../common.auto.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/development/main.tf b/5-app-infra/business_unit_1/development/main.tf
index ecf5a8f4d..67451017a 100644
--- a/5-app-infra/business_unit_1/development/main.tf
+++ b/5-app-infra/business_unit_1/development/main.tf
@@ -14,21 +14,23 @@
* limitations under the License.
*/
-
-
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-development"
- parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
+locals {
+ business_unit = "business_unit_1"
+ environment = "development"
+ terraform_service_account = var.terraform_service_account
+ project_service_account = "project-service-account@${data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project}.iam.gserviceaccount.com"
}
module "base_shared_gce_instance" {
- source = "../../modules/env_base"
- environment = "development"
- vpc_type = "base"
- num_instances = 1
- machine_type = "f1-micro"
- folder_id = data.google_active_folder.env.name
- business_code = "bu1"
- project_suffix = "sample-base"
- region = var.instance_region
+ source = "../../modules/env_base"
+
+ environment = local.environment
+ business_code = "bu1"
+ business_unit = local.business_unit
+ project_suffix = "sample-base"
+ region = var.instance_region
+ num_instances = 1
+ machine_type = "f1-micro"
+ backend_bucket = var.backend_bucket
+ terraform_service_account = local.terraform_service_account
}
diff --git a/5-app-infra/business_unit_1/development/providers.tf b/5-app-infra/business_unit_1/development/providers.tf
index e5420f442..dbee49361 100644
--- a/5-app-infra/business_unit_1/development/providers.tf
+++ b/5-app-infra/business_unit_1/development/providers.tf
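Review bot: `project_service_account` in the new `locals` block hard-codes `base_shared_vpc_project`, while `project_suffix = "sample-base"` is passed to the module separately; env_base accepts `sample-restrict` too, so changing `project_suffix` alone would silently keep the providers impersonating the base project's service account. A comment on that line such as `# must match project_suffix below: sample-base -> base_shared_vpc_project, sample-restrict -> restricted_shared_vpc_project`, or deriving both from one local, would keep them from drifting. Note also that the provider identity now comes from remote state that is itself read by impersonating a different identity (`terraform_service_account`), so the operator needs token-creator rights on both; the non-production (L120) and production (L124) main.tf hunks have the same shape, with L120 ordering `backend_bucket` differently from the other two.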
@@ -14,17 +14,13 @@
* limitations under the License.
*/
-locals {
- tf_sa = var.project_service_account
-}
-
/******************************************
Provider credential configuration
*****************************************/
provider "google" {
- impersonate_service_account = local.tf_sa
+ impersonate_service_account = local.project_service_account
}
provider "google-beta" {
- impersonate_service_account = local.tf_sa
+ impersonate_service_account = local.project_service_account
}
diff --git a/5-app-infra/bu1-production.auto.example.tfvars b/5-app-infra/business_unit_1/development/remote_state.tf
similarity index 67%
rename from 5-app-infra/bu1-production.auto.example.tfvars
rename to 5-app-infra/business_unit_1/development/remote_state.tf
index ecce1bbf7..a49f79443 100644
--- a/5-app-infra/bu1-production.auto.example.tfvars
+++ b/5-app-infra/business_unit_1/development/remote_state.tf
@@ -14,6 +14,13 @@
* limitations under the License.
*/
-// Email of the service account created on step 4-projects for the sample base project in the production environment
-// of the business unit 1 where the GCE instance will be created
-project_service_account = "project-service-account@prj-bu1-p-sample-base-.iam.gserviceaccount.com"
+data "terraform_remote_state" "projects_env" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/projects/${local.business_unit}/${local.environment}"
+
+ impersonate_service_account = local.terraform_service_account
+ }
+}
diff --git a/5-app-infra/business_unit_1/development/terraform.tfvars b/5-app-infra/business_unit_1/development/terraform.tfvars
new file mode 120000
index 000000000..00f385765
--- /dev/null
+++ b/5-app-infra/business_unit_1/development/terraform.tfvars
@@ -0,0 +1 @@
+../../terraform.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/development/variables.tf b/5-app-infra/business_unit_1/development/variables.tf
index a1ddce5be..269bb2fea 100644
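Review bot: `bucket = "${var.backend_bucket}"` in the remote_state.tf hunk wraps a bare variable reference in an interpolation; `bucket = var.backend_bucket` is the plain form and avoids the deprecated-interpolation warning linters raise (same in L121 and L125). The data source would benefit from a comment that `terraform_remote_state` downloads the whole 4-projects state object for this BU/env, not just its outputs, so `terraform_service_account` needs object read on that `terraform/projects/...` prefix and any sensitive value stored in that state becomes readable from this step, e.g. `# reads the full projects state for this BU/env via the impersonated SA; scope its bucket read to this prefix`.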
--- a/5-app-infra/business_unit_1/development/variables.tf
+++ b/5-app-infra/business_unit_1/development/variables.tf
@@ -14,13 +14,8 @@
* limitations under the License.
*/
-variable "project_service_account" {
- description = "Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created"
- type = string
-}
-
-variable "org_id" {
- description = "The organization id for the associated services"
+variable "terraform_service_account" {
+ description = "Service account email of the account to impersonate to run Terraform"
type = string
}
@@ -29,14 +24,7 @@ variable "instance_region" {
type = string
}
-variable "folder_prefix" {
- description = "Name prefix to use for folders created. Should be the same in all steps."
- type = string
- default = "fldr"
-}
-
-variable "parent_folder" {
- description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
+variable "backend_bucket" {
+ description = "Backend bucket to load remote state information from previous steps."
type = string
- default = ""
}
diff --git a/5-app-infra/business_unit_1/non-production/README.md b/5-app-infra/business_unit_1/non-production/README.md
index 19618db4b..52e99692e 100644
--- a/5-app-infra/business_unit_1/non-production/README.md
+++ b/5-app-infra/business_unit_1/non-production/README.md
@@ -3,11 +3,9 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
+| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes |
| instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes |
-| org\_id | The organization id for the associated services | `string` | n/a | yes |
-| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
-| project\_service\_account | Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created | `string` | n/a | yes |
+| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
## Outputs
diff --git a/5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars b/5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars
deleted file mode 120000
index f98c6be57..000000000
--- a/5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../bu1-non-production.auto.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/non-production/common.auto.tfvars b/5-app-infra/business_unit_1/non-production/common.auto.tfvars
deleted file mode 120000
index 39aaa4621..000000000
--- a/5-app-infra/business_unit_1/non-production/common.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../common.auto.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/non-production/main.tf b/5-app-infra/business_unit_1/non-production/main.tf
index 418162fcf..a93ff36f6 100644
--- a/5-app-infra/business_unit_1/non-production/main.tf
+++ b/5-app-infra/business_unit_1/non-production/main.tf
@@ -16,19 +16,23 @@
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-non-production"
- parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
+locals {
+ business_unit = "business_unit_1"
+ environment = "non-production"
+ terraform_service_account = var.terraform_service_account
+ project_service_account = "project-service-account@${data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project}.iam.gserviceaccount.com"
}
module "base_shared_gce_instance" {
- source = "../../modules/env_base"
- environment = "non-production"
- vpc_type = "base"
- num_instances = 1
- machine_type = "f1-micro"
- folder_id = data.google_active_folder.env.name
- business_code = "bu1"
- project_suffix = "sample-base"
- region = var.instance_region
+ source = "../../modules/env_base"
+
+ environment = local.environment
+ business_code = "bu1"
+ business_unit = local.business_unit
+ project_suffix = "sample-base"
+ region = var.instance_region
+ backend_bucket = var.backend_bucket
+ num_instances = 1
+ machine_type = "f1-micro"
+ terraform_service_account = local.terraform_service_account
}
diff --git a/5-app-infra/business_unit_1/non-production/providers.tf b/5-app-infra/business_unit_1/non-production/providers.tf
index e5420f442..dbee49361 100644
--- a/5-app-infra/business_unit_1/non-production/providers.tf
+++ b/5-app-infra/business_unit_1/non-production/providers.tf
@@ -14,17 +14,13 @@
* limitations under the License.
*/
-locals {
- tf_sa = var.project_service_account
-}
-
/******************************************
Provider credential configuration
*****************************************/
provider "google" {
- impersonate_service_account = local.tf_sa
+ impersonate_service_account = local.project_service_account
}
provider "google-beta" {
- impersonate_service_account = local.tf_sa
+ impersonate_service_account = local.project_service_account
}
diff --git a/5-app-infra/bu1-development.auto.example.tfvars b/5-app-infra/business_unit_1/non-production/remote_state.tf
similarity index 67%
rename from 5-app-infra/bu1-development.auto.example.tfvars
rename to 5-app-infra/business_unit_1/non-production/remote_state.tf
index bcd9853cf..a49f79443 100644
--- a/5-app-infra/bu1-development.auto.example.tfvars
+++ b/5-app-infra/business_unit_1/non-production/remote_state.tf
@@ -14,6 +14,13 @@
* limitations under the License.
*/
-// Email of the service account created on step 4-projects for the sample base project in the development environment
-// of the business unit 1 where the GCE instance will be created
-project_service_account = "project-service-account@prj-bu1-d-sample-base-.iam.gserviceaccount.com"
+data "terraform_remote_state" "projects_env" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/projects/${local.business_unit}/${local.environment}"
+
+ impersonate_service_account = local.terraform_service_account
+ }
+}
diff --git a/5-app-infra/business_unit_1/non-production/terraform.tfvars b/5-app-infra/business_unit_1/non-production/terraform.tfvars
new file mode 120000
index 000000000..00f385765
--- /dev/null
+++ b/5-app-infra/business_unit_1/non-production/terraform.tfvars
@@ -0,0 +1 @@
+../../terraform.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/non-production/variables.tf b/5-app-infra/business_unit_1/non-production/variables.tf
index a1ddce5be..269bb2fea 100644
--- a/5-app-infra/business_unit_1/non-production/variables.tf
+++ b/5-app-infra/business_unit_1/non-production/variables.tf
@@ -14,13 +14,8 @@
* limitations under the License.
*/
-variable "project_service_account" {
- description = "Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created"
- type = string
-}
-
-variable "org_id" {
- description = "The organization id for the associated services"
+variable "terraform_service_account" {
+ description = "Service account email of the account to impersonate to run Terraform"
type = string
}
@@ -29,14 +24,7 @@ variable "instance_region" {
type = string
}
-variable "folder_prefix" {
- description = "Name prefix to use for folders created. Should be the same in all steps."
- type = string
- default = "fldr"
-}
-
-variable "parent_folder" {
- description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
+variable "backend_bucket" {
+ description = "Backend bucket to load remote state information from previous steps."
type = string
- default = ""
}
diff --git a/5-app-infra/business_unit_1/production/README.md b/5-app-infra/business_unit_1/production/README.md
index 19618db4b..52e99692e 100644
--- a/5-app-infra/business_unit_1/production/README.md
+++ b/5-app-infra/business_unit_1/production/README.md
@@ -3,11 +3,9 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
+| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes |
| instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes |
-| org\_id | The organization id for the associated services | `string` | n/a | yes |
-| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no |
-| project\_service\_account | Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created | `string` | n/a | yes |
+| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
## Outputs
diff --git a/5-app-infra/business_unit_1/production/bu1-production.auto.tfvars b/5-app-infra/business_unit_1/production/bu1-production.auto.tfvars
deleted file mode 120000
index 5d3678edd..000000000
--- a/5-app-infra/business_unit_1/production/bu1-production.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../bu1-production.auto.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/production/common.auto.tfvars b/5-app-infra/business_unit_1/production/common.auto.tfvars
deleted file mode 120000
index 39aaa4621..000000000
--- a/5-app-infra/business_unit_1/production/common.auto.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-../../common.auto.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/production/main.tf b/5-app-infra/business_unit_1/production/main.tf
index f28ad5921..984ceb0fd 100644
--- a/5-app-infra/business_unit_1/production/main.tf
+++ b/5-app-infra/business_unit_1/production/main.tf
@@ -14,21 +14,23 @@
* limitations under the License.
*/
-
-
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-production"
- parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
+locals {
+ business_unit = "business_unit_1"
+ environment = "production"
+ terraform_service_account = var.terraform_service_account
+ project_service_account = "project-service-account@${data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project}.iam.gserviceaccount.com"
}
module "base_shared_gce_instance" {
- source = "../../modules/env_base"
- environment = "production"
- vpc_type = "base"
- num_instances = 1
- machine_type = "f1-micro"
- folder_id = data.google_active_folder.env.name
- business_code = "bu1"
- project_suffix = "sample-base"
- region = var.instance_region
+ source = "../../modules/env_base"
+
+ environment = local.environment
+ business_code = "bu1"
+ business_unit = local.business_unit
+ project_suffix = "sample-base"
+ region = var.instance_region
+ num_instances = 1
+ machine_type = "f1-micro"
+ backend_bucket = var.backend_bucket
+ terraform_service_account = local.terraform_service_account
}
diff --git a/5-app-infra/business_unit_1/production/providers.tf b/5-app-infra/business_unit_1/production/providers.tf
index e5420f442..dbee49361 100644
--- a/5-app-infra/business_unit_1/production/providers.tf
+++ b/5-app-infra/business_unit_1/production/providers.tf
@@ -14,17 +14,13 @@
* limitations under the License.
*/
-locals {
- tf_sa = var.project_service_account
-}
-
/******************************************
Provider credential configuration
*****************************************/
provider "google" {
- impersonate_service_account = local.tf_sa
+ impersonate_service_account = local.project_service_account
}
provider "google-beta" {
- impersonate_service_account = local.tf_sa
+ impersonate_service_account = local.project_service_account
}
diff --git a/5-app-infra/bu1-non-production.auto.example.tfvars b/5-app-infra/business_unit_1/production/remote_state.tf
similarity index 67%
rename from 5-app-infra/bu1-non-production.auto.example.tfvars
rename to 5-app-infra/business_unit_1/production/remote_state.tf
index 7e93b0364..a49f79443 100644
--- a/5-app-infra/bu1-non-production.auto.example.tfvars
+++ b/5-app-infra/business_unit_1/production/remote_state.tf
@@ -14,6 +14,13 @@
* limitations under the License.
*/
-// Email of the service account created on step 4-projects for the sample base project in the non-production environment
-// of the business unit 1 where the GCE instance will be created
-project_service_account = "project-service-account@prj-bu1-n-sample-base-.iam.gserviceaccount.com"
+data "terraform_remote_state" "projects_env" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/projects/${local.business_unit}/${local.environment}"
+
+ impersonate_service_account = local.terraform_service_account
+ }
+}
diff --git a/5-app-infra/business_unit_1/production/terraform.tfvars b/5-app-infra/business_unit_1/production/terraform.tfvars
new file mode 120000
index 000000000..00f385765
--- /dev/null
+++ b/5-app-infra/business_unit_1/production/terraform.tfvars
@@ -0,0 +1 @@
+../../terraform.tfvars
\ No newline at end of file
diff --git a/5-app-infra/business_unit_1/production/variables.tf b/5-app-infra/business_unit_1/production/variables.tf
index f15ffdb8c..269bb2fea 100644
--- a/5-app-infra/business_unit_1/production/variables.tf
+++ b/5-app-infra/business_unit_1/production/variables.tf
@@ -14,29 +14,17 @@
* limitations under the License.
*/
-variable "project_service_account" {
- description = "Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created"
+variable "terraform_service_account" {
+ description = "Service account email of the account to impersonate to run Terraform"
type = string
}
-variable "org_id" {
- description = "The organization id for the associated services"
- type = string
-}
-
-variable "folder_prefix" {
- description = "Name prefix to use for folders created. Should be the same in all steps."
- type = string
- default = "fldr"
-}
-
variable "instance_region" {
description = "The region where compute instance will be created. A subnetwork must exists in the instance region."
type = string
}
-variable "parent_folder" {
- description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
+variable "backend_bucket" {
+ description = "Backend bucket to load remote state information from previous steps."
type = string
- default = ""
}
diff --git a/5-app-infra/common.auto.example.tfvars b/5-app-infra/common.auto.example.tfvars
deleted file mode 100644
index 05ca19031..000000000
--- a/5-app-infra/common.auto.example.tfvars
+++ /dev/null
@@ -1,23 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-org_id = "000000000000"
-
-instance_region = "us-central1" // should be one of the regions used to create network on step 3-networks
-
-// Optional - for an organization with existing projects or for development/validation.
-// Must be the same value used in previous steps.
-//parent_folder = "000000000000"
diff --git a/5-app-infra/modules/env_base/README.md b/5-app-infra/modules/env_base/README.md
index 24d986bee..b4908e435 100644
--- a/5-app-infra/modules/env_base/README.md
+++ b/5-app-infra/modules/env_base/README.md
@@ -3,16 +3,17 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes |
| business\_code | The code that describes which business unit owns the project | `string` | `"abcd"` | no |
+| business\_unit | The business (ex. business\_unit\_1). | `string` | `"business_unit_1"` | no |
| environment | The environment the single project belongs to | `string` | n/a | yes |
-| folder\_id | The folder id where project will be created | `string` | n/a | yes |
| hostname | Hostname of instances | `string` | `"example-app"` | no |
| machine\_type | Machine type to create, e.g. n1-standard-1 | `string` | `"f1-micro"` | no |
| num\_instances | Number of instances to create | `number` | n/a | yes |
-| project\_suffix | The name of the GCP project. Max 16 characters with 3 character business unit code. | `string` | n/a | yes |
+| project\_suffix | The name of the GCP project. Max 16 characters with 3 character business unit code. Valid options are `sample-base` or `sample-restrict`. | `string` | n/a | yes |
| region | The GCP region to create and test resources in | `string` | `"us-central1"` | no |
| service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account. |
object({
email = string,
scopes = set(string)
})
| `null` | no |
-| vpc\_type | The type of VPC to attach the project to. Possible options are base or restricted. | `string` | n/a | yes |
+| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
## Outputs
diff --git a/5-app-infra/modules/env_base/data.tf b/5-app-infra/modules/env_base/data.tf
deleted file mode 100644
index 12106910e..000000000
--- a/5-app-infra/modules/env_base/data.tf
+++ /dev/null
@@ -1,42 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "google_projects" "network_projects" { - filter = "parent.id:${split("/", var.folder_id)[1]} labels.application_name=${var.vpc_type}-shared-vpc-host labels.environment=${var.environment} lifecycleState=ACTIVE" -} - -data "google_project" "network_project" { - project_id = data.google_projects.network_projects.projects[0].project_id -} - -data "google_projects" "environment_projects" { - filter = "parent.id:${split("/", var.folder_id)[1]} name:*${var.project_suffix}* labels.application_name=${var.business_code}-sample-application labels.environment=${var.environment} lifecycleState=ACTIVE" -} - -data "google_project" "env_project" { - project_id = data.google_projects.environment_projects.projects[0].project_id -} - -data "google_compute_network" "shared_vpc" { - name = "vpc-${local.environment_code}-shared-${var.vpc_type}" - project = data.google_project.network_project.project_id -} - -data "google_compute_subnetwork" "subnetwork" { - name = "sb-${local.environment_code}-shared-${var.vpc_type}-${var.region}" - region = var.region - project = data.google_project.network_project.project_id -} diff --git a/5-app-infra/modules/env_base/main.tf b/5-app-infra/modules/env_base/main.tf index a64f05a4f..d520468be 100644 --- a/5-app-infra/modules/env_base/main.tf +++ b/5-app-infra/modules/env_base/main.tf 
@@ -15,11 +15,22 @@ */ locals { - environment_code = element(split("", var.environment), 0) + environment_code = element(split("", var.environment), 0) + terraform_service_account = var.terraform_service_account + env_project_ids = { + "sample-base" = data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project, + "sample-restrict" = data.terraform_remote_state.projects_env.outputs.restricted_shared_vpc_project, + } + subnets_self_links = { + "sample-base" = data.terraform_remote_state.network_env.outputs.base_subnets_self_links, + "sample-restrict" = data.terraform_remote_state.network_env.outputs.restricted_subnets_self_links, + } + env_project_id = local.env_project_ids[var.project_suffix] + subnetwork_self_links = local.subnets_self_links[var.project_suffix] + subnetwork_self_link = [for subnet in local.subnetwork_self_links : subnet if length(regexall("regions/${var.region}/subnetworks", subnet)) > 0][0] } - resource "google_service_account" "compute_engine_service_account" { - project = data.google_project.env_project.project_id + project = local.env_project_id account_id = "sa-example-app" display_name = "Example app service Account" } @@ -29,8 +40,8 @@ module "instance_template" { version = "7.8.0" machine_type = var.machine_type region = var.region - project_id = data.google_project.env_project.project_id - subnetwork = data.google_compute_subnetwork.subnetwork.self_link + project_id = local.env_project_id + subnetwork = local.subnetwork_self_link service_account = { email = google_service_account.compute_engine_service_account.email scopes = ["compute-rw"] @@ -41,7 +52,7 @@ module "compute_instance" { source = "terraform-google-modules/vm/google//modules/compute_instance" version = "6.2.0" region = var.region - subnetwork = data.google_compute_subnetwork.subnetwork.self_link + subnetwork = local.subnetwork_self_link num_instances = var.num_instances hostname = var.hostname instance_template = module.instance_template.self_link 
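Review bot: The trailing `[0]` on the `subnetwork_self_link` comprehension turns "no subnet for `var.region` in this environment's network state" into a bare `Invalid index` error on an empty tuple, which is hard to trace back to the region/environment mismatch; if the pinned Terraform version is 0.15 or later, `one([for subnet in local.subnetwork_self_links : subnet if length(regexall("regions/${var.region}/subnetworks", subnet)) > 0])` makes the zero-match case an explicit null and the multi-match case an error at the point of selection rather than at a list index. `local.env_project_ids[var.project_suffix]` has the same shape — an unrecognised `project_suffix` also fails with `Invalid index` — but that is better caught by a `validation` block on the variable. The `terraform_service_account = var.terraform_service_account` local only aliases the variable and could be referenced as `var.terraform_service_account` directly. The second and third hunks are one-line substitutions consistent with the first.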
diff --git a/5-app-infra/modules/env_base/outputs.tf b/5-app-infra/modules/env_base/outputs.tf index 983f1329f..e802b439f 100644 --- a/5-app-infra/modules/env_base/outputs.tf +++ b/5-app-infra/modules/env_base/outputs.tf @@ -31,7 +31,7 @@ output "available_zones" { output "project_id" { description = "Project where compute instance was created" - value = data.google_project.env_project.project_id + value = local.env_project_id } output "region" { diff --git a/5-app-infra/modules/env_base/remote_state.tf b/5-app-infra/modules/env_base/remote_state.tf new file mode 100644 index 000000000..2de9c26cd --- /dev/null +++ b/5-app-infra/modules/env_base/remote_state.tf 
@@ -0,0 +1,48 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/bootstrap/state" + + impersonate_service_account = local.terraform_service_account + } +} + +data "terraform_remote_state" "network_env" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/networks/${var.environment}" + + impersonate_service_account = local.terraform_service_account + } +} + +data "terraform_remote_state" "projects_env" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/projects/${var.business_unit}/${var.environment}" + + impersonate_service_account = local.terraform_service_account + } +} diff --git a/5-app-infra/modules/env_base/variables.tf b/5-app-infra/modules/env_base/variables.tf index b90c5ed21..6edecc4c8 100644 --- a/5-app-infra/modules/env_base/variables.tf +++ b/5-app-infra/modules/env_base/variables.tf 
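Review bot: `bucket = "${var.backend_bucket}"` in all three `config` blocks wraps a plain string variable in an interpolation; `bucket = var.backend_bucket` is the equivalent form and is what `terraform fmt`/tflint expect. The `terraform_remote_state.bootstrap` data source is not referenced by the `main.tf` locals in this patch (only `network_env` and `projects_env` are), and an unused remote-state read still requires the impersonated service account to have object-read access on the `terraform/bootstrap/state` prefix and pulls every bootstrap output into this configuration's plan, so it should either be consumed or dropped. Once a block is consumed, a one-line comment naming the outputs it is read for would make the dependency on the earlier step explicit.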
@@ -14,14 +14,20 @@ * limitations under the License. */ +variable "terraform_service_account" { + description = "Service account email of the account to impersonate to run Terraform" + type = string +} + variable "environment" { description = "The environment the single project belongs to" type = string } -variable "vpc_type" { - description = "The type of VPC to attach the project to. Possible options are base or restricted." +variable "business_unit" { + description = "The business (ex. business_unit_1)." type = string + default = "business_unit_1" } variable "region" { @@ -54,11 +60,6 @@ variable "service_account" { description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account." } -variable "folder_id" { - description = "The folder id where project will be created" - type = string -} - variable "business_code" { description = "The code that describes which business unit owns the project" type = string @@ -66,6 +67,11 @@ variable "business_code" { } variable "project_suffix" { - description = "The name of the GCP project. Max 16 characters with 3 character business unit code." + description = "The name of the GCP project. Max 16 characters with 3 character business unit code. Valid options are `sample-base` or `sample-restrict`." + type = string +} + +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string } diff --git a/5-app-infra/terraform.tfvars b/5-app-infra/terraform.tfvars new file mode 120000 index 000000000..174bcacf9 --- /dev/null +++ b/5-app-infra/terraform.tfvars @@ -0,0 +1 @@ +terraform.tfvars \ No newline at end of file From 7bd8f3506690e500fde075896e4bb8b48b7338e7 Mon Sep 17 00:00:00 2001 
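Review bot: `project_suffix` is now used as a map key in `main.tf` (`local.env_project_ids[var.project_suffix]`) and the new description restricts it to `sample-base` or `sample-restrict`, but the variable still accepts any string, so a typo surfaces as an `Invalid index` error inside the locals instead of at variable validation; a `validation` block pins the contract where it is documented. `business_unit` defaults to `business_unit_1`, which silently selects that unit's project state when a caller forgets to set it; consider saying so in the description, or dropping the default so the choice is explicit.
```hcl
variable "project_suffix" {
  description = "The name of the GCP project. Max 16 characters with 3 character business unit code. Valid options are `sample-base` or `sample-restrict`."
  type        = string

  validation {
    condition     = contains(["sample-base", "sample-restrict"], var.project_suffix)
    error_message = "project_suffix must be one of: sample-base, sample-restrict."
  }
}
```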
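Review bot: The new `5-app-infra/terraform.tfvars` is a symlink (mode 120000) whose target is the bare name `terraform.tfvars`; a relative symlink target resolves against the link's own directory, so this link points at itself and any read of it fails with a symlink-loop error, which `terraform` would be expected to report when it auto-loads `terraform.tfvars` from that directory. It reads like an accidental `ln -s` run in the wrong directory; the intended target is not recoverable from the patch, so either the correct relative path or no file at all should replace it. The other steps in this series ship a `terraform.example.tfvars` rather than a `terraform.tfvars`, since the latter is the file that carries environment-specific values.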
From: Daniel da Silva Andrade Date: Thu, 4 Aug 2022 19:54:51 -0300 Subject: [PATCH 05/30] fix disable script --- build/int.cloudbuild.yaml | 4 ++-- test/disable_tf_files.sh | 37 ------------------------------------- 2 files changed, 2 insertions(+), 39 deletions(-) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index ce1cec1bc..775c07734 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -44,7 +44,7 @@ steps: - id: create-org name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', './test/disable_tf_files.sh --org && cft test run TestOrg --stage init --verbose --test-dir /workspace/test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestOrg --stage init --verbose --test-dir /workspace/test/integration'] - id: converge-org name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' @@ -56,7 +56,7 @@ steps: - id: create-envs name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', './test/disable_tf_files.sh --envs && cft test run TestEnvs --stage init --verbose --test-dir /workspace/test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestEnvs --stage init --verbose --test-dir /workspace/test/integration'] - id: converge-envs name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh index e14cece51..cef97eba0 100755 --- a/test/disable_tf_files.sh +++ b/test/disable_tf_files.sh 
@@ -16,18 +16,6 @@ set -e -function org(){ - # disable backend configs in main module - mv 1-org/envs/shared/backend.tf 1-org/envs/shared/backend.tf.disabled -} - -function envs(){ - # disable backend configs in main module - mv 2-environments/envs/development/backend.tf 2-environments/envs/development/backend.tf.disabled - mv 2-environments/envs/non-production/backend.tf 2-environments/envs/non-production/backend.tf.disabled - mv 2-environments/envs/production/backend.tf 2-environments/envs/production/backend.tf.disabled -} - function networks(){ # shellcheck disable=SC2154 @@ -37,11 +25,6 @@ function networks(){ network_dir="3-networks-dual-svpc" fi - # disable backend configs in main module - mv $network_dir/envs/development/backend.tf $network_dir/envs/development/backend.tf.disabled - mv $network_dir/envs/non-production/backend.tf $network_dir/envs/non-production/backend.tf.disabled - mv $network_dir/envs/production/backend.tf $network_dir/envs/production/backend.tf.disabled - # disable access_context.auto.tfvars in main module mv $network_dir/envs/development/access_context.auto.tfvars $network_dir/envs/development/access_context.auto.tfvars.disabled mv $network_dir/envs/non-production/access_context.auto.tfvars $network_dir/envs/non-production/access_context.auto.tfvars.disabled @@ -61,9 +44,6 @@ function shared(){ network_dir="3-networks-dual-svpc" fi - # disable backend configs in main module - mv $network_dir/envs/shared/backend.tf $network_dir/envs/shared/backend.tf.disabled - # disable access_context.auto.tfvars in main module mv $network_dir/envs/shared/access_context.auto.tfvars $network_dir/envs/shared/access_context.auto.tfvars.disabled 
@@ -75,15 +55,6 @@ function shared(){ } function projects(){ - # disable backend configs in main module - mv 4-projects/business_unit_1/development/backend.tf 4-projects/business_unit_1/development/backend.tf.disabled - mv 4-projects/business_unit_1/non-production/backend.tf 4-projects/business_unit_1/non-production/backend.tf.disabled - mv 4-projects/business_unit_1/production/backend.tf 4-projects/business_unit_1/production/backend.tf.disabled - mv 4-projects/business_unit_1/shared/backend.tf 4-projects/business_unit_1/shared/backend.tf.disabled - mv 4-projects/business_unit_2/development/backend.tf 4-projects/business_unit_2/development/backend.tf.disabled - mv 4-projects/business_unit_2/non-production/backend.tf 4-projects/business_unit_2/non-production/backend.tf.disabled - mv 4-projects/business_unit_2/production/backend.tf 4-projects/business_unit_2/production/backend.tf.disabled - mv 4-projects/business_unit_2/shared/backend.tf 4-projects/business_unit_2/shared/backend.tf.disabled # disable access_context.auto.tfvars in main module mv 4-projects/business_unit_1/development/access_context.auto.tfvars 4-projects/business_unit_1/development/access_context.auto.tfvars.disabled @@ -155,14 +126,6 @@ do shared shift ;; - -o|--org) - org - shift - ;; - -e|--envs) - envs - shift - ;; -a|--appinfra) appinfra shift From 3a20bdfd3b6df75e69667da9065a09ab9eec077c Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Thu, 4 Aug 2022 19:56:06 -0300 Subject: [PATCH 06/30] add force destroy on bootstrap --- 0-bootstrap/README.md | 1 + 0-bootstrap/main.tf | 1 + 0-bootstrap/modules/parent-iam-member/main.tf | 6 +++--- 0-bootstrap/variables.tf | 6 ++++++ 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index 13423cfe7..ef4d83d43 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md 
@@ -182,6 +182,7 @@ the following steps: | org\_project\_creators | Additional list of members to have project creator role across the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no | | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. | `string` | `""` | no | | project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | +| tfstate\_storage\_force\_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no | ## Outputs diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index a3636b573..e706f310a 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf @@ -52,6 +52,7 @@ module "seed_bootstrap" { default_region = var.default_region org_project_creators = local.org_project_creators sa_enable_impersonation = true + force_destroy = var.tfstate_storage_force_destroy parent_folder = var.parent_folder == "" ? "" : local.parent org_admins_org_iam_permissions = local.org_admins_org_iam_permissions project_prefix = var.project_prefix diff --git a/0-bootstrap/modules/parent-iam-member/main.tf b/0-bootstrap/modules/parent-iam-member/main.tf index df9681f11..164f20b84 100644 --- a/0-bootstrap/modules/parent-iam-member/main.tf +++ b/0-bootstrap/modules/parent-iam-member/main.tf @@ -21,7 +21,7 @@ locals { } resource "google_organization_iam_member" "org_parent_iam" { - for_each = toset(local.org_id != "" ? var.roles : []) + for_each = toset(var.parent_type == "organization" ? var.roles : []) org_id = local.org_id role = each.key 
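Review bot: `for_each = toset(var.parent_type == "organization" ? var.roles : [])` now keys binding creation on a free-text string instead of the derived `local.org_id`, so a misspelled `parent_type` (e.g. `organisation`) yields zero bindings from all three resources with no error; the `folder_parent_iam` and `project_parent_iam` hunks that follow have the same shape. Unless `var.parent_type` already carries a `validation` block (its declaration is outside this diff), one with `condition = contains(["organization", "folder", "project"], var.parent_type)` would turn that silent no-op into a plan-time error. The resources' bodies continue past each hunk.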
@@ -29,7 +29,7 @@ resource "google_organization_iam_member" "org_parent_iam" { } resource "google_folder_iam_member" "folder_parent_iam" { - for_each = toset(local.folder_id != "" ? var.roles : []) + for_each = toset(var.parent_type == "folder" ? var.roles : []) folder = local.folder_id role = each.key @@ -37,7 +37,7 @@ resource "google_folder_iam_member" "folder_parent_iam" { } resource "google_project_iam_member" "project_parent_iam" { - for_each = toset(local.project_id != "" ? var.roles : []) + for_each = toset(var.parent_type == "project" ? var.roles : []) project = local.project_id role = each.key diff --git a/0-bootstrap/variables.tf b/0-bootstrap/variables.tf index f68eed4c0..033e4c9e6 100644 --- a/0-bootstrap/variables.tf +++ b/0-bootstrap/variables.tf @@ -88,6 +88,12 @@ variable "create_access_context_manager_access_policy" { default = true } +variable "tfstate_storage_force_destroy" { + description = "(Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present." + type = bool + default = false +} + /* ---------------------------------------- Specific to jenkins_bootstrap module ---------------------------------------- */ From e56803e30486b96dacdcbd5a332795e7ddcc003c Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Thu, 4 Aug 2022 19:56:52 -0300 Subject: [PATCH 07/30] update outputs for step 1-org --- 1-org/envs/shared/README.md | 1 + 1-org/envs/shared/outputs.tf | 5 +++++ 1-org/envs/shared/variables.tf | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index ff56b21b7..a619490dc 100644 --- a/1-org/envs/shared/README.md +++ b/1-org/envs/shared/README.md 
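Review bot: The description of `tfstate_storage_force_destroy` is the generic `force_destroy` wording from the storage provider and never says which resource it applies to, although it is wired to the `seed_bootstrap` module that creates the Terraform state bucket. Suggested: `description = "If true, destroying the bootstrap step also deletes the Terraform state bucket and every state object in it; otherwise destroy fails while state objects are present. Leave false outside disposable test environments."`. The README row added earlier in this patch should be regenerated to match.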
@@ -73,6 +73,7 @@ | parent\_resource\_id | The parent resource id | | parent\_resource\_type | The parent resource type | | restricted\_net\_hub\_project\_id | The Restricted Network hub project ID | +| restricted\_net\_hub\_project\_number | The Restricted Network hub project number | | scc\_notification\_name | Name of SCC Notification | | scc\_notifications\_project\_id | The SCC notifications project ID | diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf index 2a37a80d7..63cbdf2c9 100644 --- a/1-org/envs/shared/outputs.tf +++ b/1-org/envs/shared/outputs.tf @@ -79,6 +79,11 @@ output "restricted_net_hub_project_id" { description = "The Restricted Network hub project ID" } +output "restricted_net_hub_project_number" { + value = try(module.restricted_network_hub[0].project_number, null) + description = "The Restricted Network hub project number" +} + output "domains_to_allow" { value = var.domains_to_allow description = "The list of domains to allow users from in IAM." diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf index 0899ea42e..d2bbb183b 100644 --- a/1-org/envs/shared/variables.tf +++ b/1-org/envs/shared/variables.tf @@ -18,6 +18,7 @@ variable "terraform_service_account" { description = "Service account email of the account to impersonate to run Terraform." type = string } + variable "networks_step_terraform_service_account_email" { description = "Service account email of the account to impersonate to run Terraform in the network step." type = string @@ -203,7 +204,6 @@ variable "org_secrets_project_budget_amount" { default = 1000 } - variable "org_billing_logs_project_alert_spent_percents" { description = "A list of percentages of the budget to alert on when threshold is exceeded for the org billing logs project." type = list(number) From c9ffd7657d62dcfe12dcd1572825fcf4d09a5edf Mon Sep 17 00:00:00 2001 
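Review bot: `try(module.restricted_network_hub[0].project_number, null)` masks more than the intended case: `try` returns null on any evaluation error, including a misspelled or missing `project_number` output on the module, so a wiring mistake surfaces downstream as a null project number rather than here. Only the conditional-creation case needs guarding: `value = length(module.restricted_network_hub) > 0 ? module.restricted_network_hub[0].project_number : null`. This may deliberately mirror the existing `restricted_net_hub_project_id` output just above the hunk; if so, both could be changed together.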
From: Daniel da Silva Andrade Date: Thu, 4 Aug 2022 19:57:38 -0300 Subject: [PATCH 08/30] update tests --- test/integration/bootstrap/bootstrap_test.go | 58 +++++++++++++++++--- test/integration/go.sum | 2 - test/integration/org/org_test.go | 2 + test/setup/outputs.tf | 2 +- 4 files changed, 54 insertions(+), 10 deletions(-) diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go index 935f72200..379fcf555 100644 --- a/test/integration/bootstrap/bootstrap_test.go +++ b/test/integration/bootstrap/bootstrap_test.go @@ -38,10 +38,27 @@ func getResultFieldStrSlice(rs []gjson.Result, field string) []string { return s } +// fileExists check if a give file exists +func fileExists(filePath string) (bool, error) { + _, err := os.Stat(filePath) + if err == nil { + return true, nil + } + if os.IsNotExist(err) { + return false, nil + } + return false, err +} + func TestBootstrap(t *testing.T) { + vars := map[string]interface{}{ + "tfstate_storage_force_destroy": "true", + } + bootstrap := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../../0-bootstrap"), + tft.WithVars(vars), ) cloudSourceRepos := []string{ 
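Review bot: The doc comment on the new `fileExists` helper has a typo ("a give file") and under-describes the contract: it reports true for directories as well as regular files and propagates any `os.Stat` error other than not-exist. Suggested: `// fileExists reports whether filePath exists (file or directory); errors other than not-exist are returned to the caller.`. The `vars` map would also benefit from a one-line comment saying why the state bucket is created with force-destroy enabled, e.g. `// test-only: lets teardown delete the state bucket while it still holds objects`, so the setting is not copied into non-test tfvars. `TestBootstrap` continues past the hunk.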
@@ -178,19 +195,46 @@ func TestBootstrap(t *testing.T) { } } - // push state to GCS bucket - temOptions := bootstrap.GetTFOptions() - temOptions.BackendConfig = map[string]interface{}{ + // configure options to push state to GCS bucket + tempOptions := bootstrap.GetTFOptions() + tempOptions.BackendConfig = map[string]interface{}{ "bucket": bootstrap.GetStringOutput("gcs_bucket_tfstate"), } - temOptions.MigrateState = true + tempOptions.MigrateState = true + // create backend file cwd, err := os.Getwd() require.NoError(t, err) - srcFile := path.Join(cwd, "../../../0-bootstrap/backend.tf.example") destFile := path.Join(cwd, "../../../0-bootstrap/backend.tf") - _, err2 := exec.Command("cp", srcFile, destFile).CombinedOutput() + fExists, err2 := fileExists(destFile) require.NoError(t, err2) - terraform.Init(t, temOptions) + if !fExists { + srcFile := path.Join(cwd, "../../../0-bootstrap/backend.tf.example") + _, err3 := exec.Command("cp", srcFile, destFile).CombinedOutput() + require.NoError(t, err3) + } + terraform.Init(t, tempOptions) }) + + bootstrap.DefineTeardown(func(assert *assert.Assertions) { + // configure options to pull state from GCS bucket + cwd, err := os.Getwd() + require.NoError(t, err) + statePath := path.Join(cwd, "../../../0-bootstrap/local_backend.tfstate") + tempOptions := bootstrap.GetTFOptions() + tempOptions.BackendConfig = map[string]interface{}{ + "path": statePath, + } + tempOptions.MigrateState = true + // remove backend file + backendFile := path.Join(cwd, "../../../0-bootstrap/backend.tf") + fExists, err2 := fileExists(backendFile) + require.NoError(t, err2) + if fExists { + _, err3 := exec.Command("rm", backendFile).CombinedOutput() + require.NoError(t, err3) + } + terraform.Init(t, tempOptions) + bootstrap.DefaultTeardown(assert) + }) bootstrap.Test() } diff --git a/test/integration/go.sum b/test/integration/go.sum index 47043255b..031066e2e 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
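Review bot: The teardown closure migrates the bootstrap state from the GCS bucket into `0-bootstrap/local_backend.tfstate` inside the checkout, and nothing in the hunk removes that file after `bootstrap.DefaultTeardown(assert)`; a state file holds the full resource inventory (project ids, service-account emails, bucket names) and should not be left in a working tree unless it is covered by `.gitignore`, which this patch does not show. Copying and deleting `backend.tf` through `exec.Command("cp", …)` / `exec.Command("rm", …)` also depends on the container's shell utilities; `os.Remove(backendFile)` and an `os.ReadFile`/`os.WriteFile` pair do the same with clearer errors and no process spawn. `TestBootstrap` starts before the hunk.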
@@ -65,8 +65,6 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.0 h1:DxZVAPSG0jJO0thdDEJ3pIL+sX3jl00o/Iwp56e7SiI= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.0/go.mod h1:E655Ka0BfIYALBmqU9ZbemLk/nutxw4vU6wkLEjshSA= github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.1-0.20220802155302-a13ee7fb1c62 h1:uDiVwwTc7caRf6k2+MBKf3Ia+Z9nWu9diaJQUN3oGdA= github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.1.1-0.20220802155302-a13ee7fb1c62/go.mod h1:E655Ka0BfIYALBmqU9ZbemLk/nutxw4vU6wkLEjshSA= github.com/GoogleContainerTools/kpt-functions-sdk/go v0.0.0-20220301220754-6964a09d6cd2/go.mod h1:lJYiqfBOl6AOiefK9kmkhinbffIysu+nnclOBwKEPlQ= diff --git a/test/integration/org/org_test.go b/test/integration/org/org_test.go index 698532293..e2c29f761 100644 --- a/test/integration/org/org_test.go +++ b/test/integration/org/org_test.go @@ -55,6 +55,8 @@ func TestOrg(t *testing.T) { "backend_bucket": backend_bucket, "terraform_service_account": terraformSA, "networks_step_terraform_service_account_email": networksTerraformSA, + "log_export_storage_force_destroy": "true", + "audit_logs_table_delete_contents_on_destroy": "true", } backendConfig := map[string]interface{}{ diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 390e9bc44..d61552c92 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -90,4 +90,4 @@ output "enable_hub_and_spoke_transitivity" { output "create_access_context_manager_access_policy" { value = false -} \ No newline at end of file +} 
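Review bot: The two vars added to the `TestOrg` map, `log_export_storage_force_destroy` and `audit_logs_table_delete_contents_on_destroy`, switch on destructive teardown for audit-log storage, which is appropriate only for the disposable test organization; a comment above them such as `// test-only: allow teardown to delete the log sink bucket and the audit-log BigQuery table` would keep them from being copied into example tfvars. `TestOrg` starts before the hunk.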
From 15da669b07aace60d3dcfc7a6931fe2a513ad7ea Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Thu, 4 Aug 2022 23:56:00 -0300 Subject: [PATCH 09/30] add remote state to step 2-envs --- 2-environments/envs/development/README.md | 7 ++--- 2-environments/envs/development/main.tf | 16 +++++------ 2-environments/envs/development/outputs.tf | 5 ++++ 2-environments/envs/development/providers.tf | 4 --- 2-environments/envs/development/variables.tf | 27 ++----------------- 2-environments/envs/non-production/README.md | 7 ++--- 2-environments/envs/non-production/main.tf | 16 +++++------ 2-environments/envs/non-production/outputs.tf | 5 ++++ .../envs/non-production/providers.tf | 4 --- .../envs/non-production/variables.tf | 27 ++----------------- 2-environments/envs/production/README.md | 7 ++--- 2-environments/envs/production/main.tf | 16 +++++------ 2-environments/envs/production/outputs.tf | 5 ++++ 2-environments/envs/production/providers.tf | 4 --- 2-environments/envs/production/variables.tf | 27 ++----------------- 2-environments/modules/env_baseline/README.md | 8 +++--- .../modules/env_baseline/folders.tf | 11 +------- 2-environments/modules/env_baseline/main.tf | 9 ++++++- .../modules/env_baseline/monitoring.tf | 6 ++--- .../modules/env_baseline/networking.tf | 12 ++++----- .../modules/env_baseline/outputs.tf | 5 ++++ .../modules/env_baseline/remote_state.tf | 26 ++++++++++++++++++ .../modules/env_baseline/secrets.tf | 6 ++--- .../modules/env_baseline/variables.tf | 25 +++-------------- 2-environments/terraform.example.tfvars | 7 +---- test/integration/envs/envs_test.go | 16 ++++++++--- 26 files changed, 123 insertions(+), 185 deletions(-) create mode 100644 2-environments/modules/env_baseline/remote_state.tf diff --git a/2-environments/envs/development/README.md b/2-environments/envs/development/README.md index 34fdb7bb8..8ddc9b6b2 100644 --- a/2-environments/envs/development/README.md +++ b/2-environments/envs/development/README.md 
@@ -3,12 +3,8 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| billing\_account | The ID of the billing account to associate this project with | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | monitoring\_workspace\_users | Google Workspace or Cloud Identity group that have access to Monitoring Workspaces. | `string` | n/a | yes | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs @@ -20,5 +16,6 @@ | env\_secrets\_project\_id | Project for environment related secrets. | | monitoring\_project\_id | Project for monitoring infra. | | restricted\_shared\_vpc\_project\_id | Project for restricted shared VPC. | +| restricted\_shared\_vpc\_project\_number | Project number for restricted shared VPC. | diff --git a/2-environments/envs/development/main.tf b/2-environments/envs/development/main.tf index edb4ef56a..59bb2035d 100644 --- a/2-environments/envs/development/main.tf +++ b/2-environments/envs/development/main.tf 
@@ -14,16 +14,16 @@ * limitations under the License. */ +locals { + tf_sa = var.terraform_service_account +} + module "env" { source = "../../modules/env_baseline" - env = "development" - environment_code = "d" - - parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" - org_id = var.org_id - billing_account = var.billing_account + env = "development" + environment_code = "d" monitoring_workspace_users = var.monitoring_workspace_users - project_prefix = var.project_prefix - folder_prefix = var.folder_prefix + backend_bucket = var.backend_bucket + terraform_service_account = local.tf_sa } diff --git a/2-environments/envs/development/outputs.tf b/2-environments/envs/development/outputs.tf index 7b759fbc9..3b6b62b29 100644 --- a/2-environments/envs/development/outputs.tf +++ b/2-environments/envs/development/outputs.tf @@ -34,6 +34,11 @@ output "restricted_shared_vpc_project_id" { value = module.env.restricted_shared_vpc_project_id } +output "restricted_shared_vpc_project_number" { + description = "Project number for restricted shared VPC." + value = module.env.restricted_shared_vpc_project_number +} + output "env_secrets_project_id" { description = "Project for environment related secrets." value = module.env.env_secrets_project_id diff --git a/2-environments/envs/development/providers.tf b/2-environments/envs/development/providers.tf index b44fb4ed9..f2730794d 100644 --- a/2-environments/envs/development/providers.tf +++ b/2-environments/envs/development/providers.tf @@ -14,10 +14,6 @@ * limitations under the License. */ -locals { - tf_sa = var.terraform_service_account -} - /****************************************** Provider credential configuration *****************************************/ diff --git a/2-environments/envs/development/variables.tf b/2-environments/envs/development/variables.tf index 82b2659b9..c893dee12 100644 --- a/2-environments/envs/development/variables.tf 
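Review bot: The `module "env"` call no longer passes `parent_id`, `org_id`, `billing_account`, `project_prefix` or `folder_prefix`, so a reader of this file cannot tell where those values now come from; a one-line comment above the block, e.g. `# org, billing and folder settings are read from the 0-bootstrap remote state via backend_bucket`, would make the dependency on the earlier step explicit. The `locals { tf_sa = … }` block is moved here from `providers.tf` (removed in the providers.tf hunk on this line) while the provider configuration that presumably consumes it stays there; either note that in the comment or reference `var.terraform_service_account` directly in the module call. The non-production hunks on L153 have the same shape.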
+++ b/2-environments/envs/development/variables.tf @@ -14,40 +14,17 @@ * limitations under the License. */ -variable "org_id" { - description = "The organization id for the associated services" - type = string -} - -variable "billing_account" { - description = "The ID of the billing account to associate this project with" - type = string -} - variable "terraform_service_account" { description = "Service account email of the account to impersonate to run Terraform." type = string } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - variable "monitoring_workspace_users" { description = "Google Workspace or Cloud Identity group that have access to Monitoring Workspaces." type = string } -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - default = "fldr" } diff --git a/2-environments/envs/non-production/README.md b/2-environments/envs/non-production/README.md index 34fdb7bb8..8ddc9b6b2 100644 --- a/2-environments/envs/non-production/README.md +++ b/2-environments/envs/non-production/README.md 
@@ -3,12 +3,8 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| billing\_account | The ID of the billing account to associate this project with | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | monitoring\_workspace\_users | Google Workspace or Cloud Identity group that have access to Monitoring Workspaces. | `string` | n/a | yes | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs @@ -20,5 +16,6 @@ | env\_secrets\_project\_id | Project for environment related secrets. | | monitoring\_project\_id | Project for monitoring infra. | | restricted\_shared\_vpc\_project\_id | Project for restricted shared VPC. | +| restricted\_shared\_vpc\_project\_number | Project number for restricted shared VPC. | diff --git a/2-environments/envs/non-production/main.tf b/2-environments/envs/non-production/main.tf index 0a6c9ef98..333816b16 100644 --- a/2-environments/envs/non-production/main.tf +++ b/2-environments/envs/non-production/main.tf 
@@ -14,16 +14,16 @@
  * limitations under the License.
  */
+locals {
+  tf_sa = var.terraform_service_account
+}
+
 module "env" {
   source = "../../modules/env_baseline"
-  env = "non-production"
-  environment_code = "n"
-
-  parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-  org_id = var.org_id
-  billing_account = var.billing_account
+  env = "non-production"
+  environment_code = "n"
   monitoring_workspace_users = var.monitoring_workspace_users
-  project_prefix = var.project_prefix
-  folder_prefix = var.folder_prefix
+  backend_bucket = var.backend_bucket
+  terraform_service_account = local.tf_sa
 }
diff --git a/2-environments/envs/non-production/outputs.tf b/2-environments/envs/non-production/outputs.tf
index 7b759fbc9..3b6b62b29 100644
--- a/2-environments/envs/non-production/outputs.tf
+++ b/2-environments/envs/non-production/outputs.tf
@@ -34,6 +34,11 @@ output "restricted_shared_vpc_project_id" {
   value = module.env.restricted_shared_vpc_project_id
 }
+output "restricted_shared_vpc_project_number" {
+  description = "Project number for restricted shared VPC."
+  value = module.env.restricted_shared_vpc_project_number
+}
+
 output "env_secrets_project_id" {
   description = "Project for environment related secrets."
   value = module.env.env_secrets_project_id
diff --git a/2-environments/envs/non-production/providers.tf b/2-environments/envs/non-production/providers.tf
index b44fb4ed9..f2730794d 100644
--- a/2-environments/envs/non-production/providers.tf
+++ b/2-environments/envs/non-production/providers.tf
@@ -14,10 +14,6 @@
  * limitations under the License.
  */
-locals {
-  tf_sa = var.terraform_service_account
-}
-
 /******************************************
   Provider credential configuration
 *****************************************/
diff --git a/2-environments/envs/non-production/variables.tf b/2-environments/envs/non-production/variables.tf
index 82b2659b9..c893dee12 100644
--- a/2-environments/envs/non-production/variables.tf
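Review bot: `local.tf_sa` in the new `locals` block is a bare alias of `var.terraform_service_account`, relocated here from providers.tf, and the module call could pass `terraform_service_account = var.terraform_service_account` directly, keeping `locals` for values that are actually derived. If the provider impersonation block in providers.tf (outside this hunk) still reads `local.tf_sa`, the alias has to stay; in that case a one-line comment such as `# tf_sa is shared with the provider impersonation block in providers.tf` explains why it lives in main.tf. The production main.tf hunk repeats the same shape.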
+++ b/2-environments/envs/non-production/variables.tf @@ -14,40 +14,17 @@ * limitations under the License. */ -variable "org_id" { - description = "The organization id for the associated services" - type = string -} - -variable "billing_account" { - description = "The ID of the billing account to associate this project with" - type = string -} - variable "terraform_service_account" { description = "Service account email of the account to impersonate to run Terraform." type = string } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - variable "monitoring_workspace_users" { description = "Google Workspace or Cloud Identity group that have access to Monitoring Workspaces." type = string } -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - default = "fldr" } diff --git a/2-environments/envs/production/README.md b/2-environments/envs/production/README.md index 879896dcf..df191cab9 100644 --- a/2-environments/envs/production/README.md +++ b/2-environments/envs/production/README.md 
@@ -3,12 +3,8 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| billing\_account | The ID of the billing account to associate this project with | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | monitoring\_workspace\_users | Google Workspace or Cloud Identity group that have access to Monitoring Workspaces. | `string` | n/a | yes | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs @@ -20,6 +16,7 @@ | env\_secrets\_project\_id | Project for environment related secrets. | | monitoring\_project\_id | Project for monitoring infra. | | restricted\_shared\_vpc\_project\_id | Project for restricted shared VPC. | +| restricted\_shared\_vpc\_project\_number | Project number for restricted shared VPC. | diff --git a/2-environments/envs/production/main.tf b/2-environments/envs/production/main.tf index 126b36334..1e6a2c490 100644 --- a/2-environments/envs/production/main.tf +++ b/2-environments/envs/production/main.tf 
@@ -14,16 +14,16 @@
  * limitations under the License.
  */
+locals {
+  tf_sa = var.terraform_service_account
+}
+
 module "env" {
   source = "../../modules/env_baseline"
-  env = "production"
-  environment_code = "p"
-
-  parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-  org_id = var.org_id
-  billing_account = var.billing_account
+  env = "production"
+  environment_code = "p"
   monitoring_workspace_users = var.monitoring_workspace_users
-  project_prefix = var.project_prefix
-  folder_prefix = var.folder_prefix
+  backend_bucket = var.backend_bucket
+  terraform_service_account = local.tf_sa
 }
diff --git a/2-environments/envs/production/outputs.tf b/2-environments/envs/production/outputs.tf
index 7b759fbc9..3b6b62b29 100644
--- a/2-environments/envs/production/outputs.tf
+++ b/2-environments/envs/production/outputs.tf
@@ -34,6 +34,11 @@ output "restricted_shared_vpc_project_id" {
   value = module.env.restricted_shared_vpc_project_id
 }
+output "restricted_shared_vpc_project_number" {
+  description = "Project number for restricted shared VPC."
+  value = module.env.restricted_shared_vpc_project_number
+}
+
 output "env_secrets_project_id" {
   description = "Project for environment related secrets."
   value = module.env.env_secrets_project_id
diff --git a/2-environments/envs/production/providers.tf b/2-environments/envs/production/providers.tf
index b44fb4ed9..f2730794d 100644
--- a/2-environments/envs/production/providers.tf
+++ b/2-environments/envs/production/providers.tf
@@ -14,10 +14,6 @@
  * limitations under the License.
  */
-locals {
-  tf_sa = var.terraform_service_account
-}
-
 /******************************************
   Provider credential configuration
 *****************************************/
diff --git a/2-environments/envs/production/variables.tf b/2-environments/envs/production/variables.tf
index 82b2659b9..c893dee12 100644
--- a/2-environments/envs/production/variables.tf
+++ b/2-environments/envs/production/variables.tf
@@ -14,40 +14,17 @@ * limitations under the License. */ -variable "org_id" { - description = "The organization id for the associated services" - type = string -} - -variable "billing_account" { - description = "The ID of the billing account to associate this project with" - type = string -} - variable "terraform_service_account" { description = "Service account email of the account to impersonate to run Terraform." type = string } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - variable "monitoring_workspace_users" { description = "Google Workspace or Cloud Identity group that have access to Monitoring Workspaces." type = string } -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - default = "fldr" } diff --git a/2-environments/modules/env_baseline/README.md b/2-environments/modules/env_baseline/README.md index 78ddd849e..a3a57ecca 100644 --- a/2-environments/modules/env_baseline/README.md +++ b/2-environments/modules/env_baseline/README.md 
@@ -3,26 +3,23 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | base\_network\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the base networks project | `string` | `null` | no | | base\_network\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the base networks project | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | base\_network\_project\_budget\_amount | The amount to use as the budget for the base networks project | `number` | `1000` | no | -| billing\_account | The ID of the billing account to associate this project with | `string` | n/a | yes | | env | The environment to prepare (ex. development) | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no | | monitoring\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the monitoring project. | `string` | `null` | no | | monitoring\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the monitoring project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | monitoring\_project\_budget\_amount | The amount to use as the budget for the monitoring project. | `number` | `1000` | no | | monitoring\_workspace\_users | Google Workspace or Cloud Identity group that have access to Monitoring Workspaces. | `string` | n/a | yes | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_id | The parent folder or org for environments | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no | | restricted\_network\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the restricted networks project | `string` | `null` | no | | restricted\_network\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the restricted networks project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | restricted\_network\_project\_budget\_amount | The amount to use as the budget for the restricted networks project. | `number` | `1000` | no | | secret\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the secrets project. | `string` | `null` | no | | secret\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the secrets project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | secret\_project\_budget\_amount | The amount to use as the budget for the secrets project. | `number` | `1000` | no | +| terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs @@ -33,5 +30,6 @@ | env\_secrets\_project\_id | Project for environment secrets. | | monitoring\_project\_id | Project for monitoring infra. | | restricted\_shared\_vpc\_project\_id | Project for restricted shared VPC network. | +| restricted\_shared\_vpc\_project\_number | Project number for restricted shared VPC. | diff --git a/2-environments/modules/env_baseline/folders.tf b/2-environments/modules/env_baseline/folders.tf index 01b23db9c..1974e68e8 100644 --- a/2-environments/modules/env_baseline/folders.tf +++ b/2-environments/modules/env_baseline/folders.tf @@ -14,21 +14,12 @@ * limitations under the License. */ -/****************************************** - Folder lookups -*****************************************/ - -data "google_active_folder" "common" { - display_name = "${var.folder_prefix}-common" - parent = local.parent -} - /****************************************** Environment Folder *****************************************/ resource "google_folder" "env" { - display_name = "${var.folder_prefix}-${var.env}" + display_name = "${local.folder_prefix}-${var.env}" parent = local.parent } diff --git a/2-environments/modules/env_baseline/main.tf b/2-environments/modules/env_baseline/main.tf index 2e96b2b24..61d96e0f2 100644 --- a/2-environments/modules/env_baseline/main.tf +++ b/2-environments/modules/env_baseline/main.tf 
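Review bot: Deleting `data "google_active_folder" "common"` from folders.tf is only safe if no other file in env_baseline still references `data.google_active_folder.common`; this hunk cannot show that, so a `terraform validate` of the module is the check to run before merging. `google_folder.env` keeps using `local.parent`, but that value now comes from the bootstrap remote state instead of `var.parent_id`, which is a behaviour change worth a line on the resource, e.g. `# parent is resolved from the 0-bootstrap remote state (common_config.parent_id), not from a module input`.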
@@ -15,5 +15,12 @@
  */
 locals {
-  parent = var.parent_id
+  parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+  org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+  billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
+  default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+  project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
+  folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
+  parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
+  terraform_service_account = var.terraform_service_account
 }
diff --git a/2-environments/modules/env_baseline/monitoring.tf b/2-environments/modules/env_baseline/monitoring.tf
index 6e8b9cf27..26eb37a09 100644
--- a/2-environments/modules/env_baseline/monitoring.tf
+++ b/2-environments/modules/env_baseline/monitoring.tf
@@ -22,9 +22,9 @@ module "monitoring_project" {
   source = "terraform-google-modules/project-factory/google"
   version = "~> 13.0"
   random_project_id = true
-  name = "${var.project_prefix}-${var.environment_code}-monitoring"
-  org_id = var.org_id
-  billing_account = var.billing_account
+  name = "${local.project_prefix}-${var.environment_code}-monitoring"
+  org_id = local.org_id
+  billing_account = local.billing_account
   folder_id = google_folder.env.id
   disable_services_on_destroy = false
   depends_on = [time_sleep.wait_30_seconds]
diff --git a/2-environments/modules/env_baseline/networking.tf b/2-environments/modules/env_baseline/networking.tf
index a1b93dbd6..e9315694f 100644
--- a/2-environments/modules/env_baseline/networking.tf
+++ b/2-environments/modules/env_baseline/networking.tf
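Review bot: `default_region` is read into a local in the main.tf hunk, but none of the env_baseline hunks in this commit reads `local.default_region`; if nothing elsewhere in the module uses it, the line is dead and should go, since every extra local here is one more field the bootstrap output must keep. Either way the `locals` block deserves a header comment naming where the values come from, e.g. `# Org-wide settings are read from the 0-bootstrap remote state (output common_config) so every step shares one source of truth; only terraform_service_account is a module input`. Presumably a bootstrap state that lacks `common_config` (an older 0-bootstrap apply) fails here on every attribute at once, which is worth a sentence in the module README.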
@@ -22,9 +22,9 @@ module "base_shared_vpc_host_project" { source = "terraform-google-modules/project-factory/google" version = "~> 13.0" random_project_id = true - name = format("%s-%s-shared-base", var.project_prefix, var.environment_code) - org_id = var.org_id - billing_account = var.billing_account + name = format("%s-%s-shared-base", local.project_prefix, var.environment_code) + org_id = local.org_id + billing_account = local.billing_account folder_id = google_folder.env.id disable_services_on_destroy = false depends_on = [time_sleep.wait_30_seconds] @@ -55,9 +55,9 @@ module "restricted_shared_vpc_host_project" { source = "terraform-google-modules/project-factory/google" version = "~> 13.0" random_project_id = true - name = format("%s-%s-shared-restricted", var.project_prefix, var.environment_code) - org_id = var.org_id - billing_account = var.billing_account + name = format("%s-%s-shared-restricted", local.project_prefix, var.environment_code) + org_id = local.org_id + billing_account = local.billing_account folder_id = google_folder.env.id disable_services_on_destroy = false depends_on = [time_sleep.wait_30_seconds] diff --git a/2-environments/modules/env_baseline/outputs.tf b/2-environments/modules/env_baseline/outputs.tf index 9f242ac37..ca8b01447 100644 --- a/2-environments/modules/env_baseline/outputs.tf +++ b/2-environments/modules/env_baseline/outputs.tf @@ -34,6 +34,11 @@ output "restricted_shared_vpc_project_id" { value = module.restricted_shared_vpc_host_project.project_id } +output "restricted_shared_vpc_project_number" { + description = "Project number for restricted shared VPC." + value = module.restricted_shared_vpc_host_project.project_number +} + output "env_secrets_project_id" { description = "Project for environment secrets." value = module.env_secrets.project_id diff --git a/2-environments/modules/env_baseline/remote_state.tf b/2-environments/modules/env_baseline/remote_state.tf new file mode 100644 index 000000000..dea4a23f4 --- /dev/null 
+++ b/2-environments/modules/env_baseline/remote_state.tf
@@ -0,0 +1,26 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "terraform_remote_state" "bootstrap" {
+  backend = "gcs"
+
+  config = {
+    bucket = "${var.backend_bucket}"
+    prefix = "terraform/bootstrap/state"
+
+    impersonate_service_account = local.terraform_service_account
+  }
+}
diff --git a/2-environments/modules/env_baseline/secrets.tf b/2-environments/modules/env_baseline/secrets.tf
index aa89ab71f..aaa7f542c 100644
--- a/2-environments/modules/env_baseline/secrets.tf
+++ b/2-environments/modules/env_baseline/secrets.tf
@@ -24,9 +24,9 @@ module "env_secrets" {
   version = "~> 13.0"
   random_project_id = true
   default_service_account = "deprivilege"
-  name = "${var.project_prefix}-${var.environment_code}-secrets"
-  org_id = var.org_id
-  billing_account = var.billing_account
+  name = "${local.project_prefix}-${var.environment_code}-secrets"
+  org_id = local.org_id
+  billing_account = local.billing_account
   folder_id = google_folder.env.id
   disable_services_on_destroy = false
   activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com"]
diff --git a/2-environments/modules/env_baseline/variables.tf b/2-environments/modules/env_baseline/variables.tf
index 2f61cda88..7e9806b0d 100644
--- a/2-environments/modules/env_baseline/variables.tf
+++ b/2-environments/modules/env_baseline/variables.tf
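Review bot: `bucket = "${var.backend_bucket}"` in the new `terraform_remote_state` data source is a legacy interpolation-only string that `terraform fmt`/`validate` on 0.12+ flags; the idiomatic form is `bucket = var.backend_bucket`. The block also deserves a comment making its access requirement explicit, because this data source reads the whole bootstrap state object even though only `outputs.common_config` is consumed: `# Reads the complete 0-bootstrap state object through local.terraform_service_account; the SA needs object-read on this bucket prefix, and everything in that state (not just common_config) becomes readable to this step`. The hard-coded `prefix = "terraform/bootstrap/state"` couples the module to the backend layout chosen in 0-bootstrap; if that is the project convention it is fine, but a comment naming the source of the value keeps the coupling visible to whoever changes the bootstrap backend.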
@@ -24,18 +24,13 @@ variable "environment_code" {
   description = "A short form of the folder level resources (environment) within the Google Cloud organization (ex. d)."
 }
-variable "parent_id" {
-  description = "The parent folder or org for environments"
+variable "terraform_service_account" {
+  description = "Service account email of the account to impersonate to run Terraform."
   type = string
 }
-variable "org_id" {
-  description = "The organization id for the associated services"
-  type = string
-}
-
-variable "billing_account" {
-  description = "The ID of the billing account to associate this project with"
+variable "backend_bucket" {
+  description = "Backend bucket to load remote state information from previous steps."
   type = string
 }
@@ -115,15 +110,3 @@ variable "secret_project_budget_amount" {
   type = number
   default = 1000
 }
-
-variable "project_prefix" {
-  description = "Name prefix to use for projects created."
-  type = string
-  default = "prj"
-}
-
-variable "folder_prefix" {
-  description = "Name prefix to use for folders created."
-  type = string
-  default = "fldr"
-}
diff --git a/2-environments/terraform.example.tfvars b/2-environments/terraform.example.tfvars
index ce0d2ee49..280828b78 100644
--- a/2-environments/terraform.example.tfvars
+++ b/2-environments/terraform.example.tfvars
@@ -14,14 +14,9 @@
  * limitations under the License.
  */
-org_id = "000000000000"
-
-billing_account = "000000-000000-000000"
 terraform_service_account = "org-terraform@example-project-2334.iam.gserviceaccount.com"
 monitoring_workspace_users = "gcp-monitoring-admins@example.com"
-// Optional - for an organization with existing projects or for development/validation.
-// Must be the same value used in previous steps.
-//parent_folder = "01234567890"
+backend_bucket = ""
diff --git a/test/integration/envs/envs_test.go b/test/integration/envs/envs_test.go
index b89ccdf21..7fd4ed43e 100644
--- a/test/integration/envs/envs_test.go
+++ b/test/integration/envs/envs_test.go
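Review bot: `backend_bucket = ""` in terraform.example.tfvars replaces the commented, explained `parent_folder` example with an empty value and no hint about what belongs there, so the example file no longer documents itself. Keeping the previous style, a comment above the line such as `// Name of the Terraform state bucket created by 0-bootstrap (output gcs_bucket_tfstate); must be the same value in every step.` tells the operator where to get the value. The envs_test.go hunk in this same commit takes it from `bootstrap.GetStringOutput("gcs_bucket_tfstate")`, which confirms the intended source.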
@@ -47,9 +47,17 @@ func TestEnvs(t *testing.T) {
 	)
 	terraformSA := bootstrap.GetStringOutput("environment_step_terraform_service_account_email")
+	backend_bucket := bootstrap.GetStringOutput("gcs_bucket_tfstate")
+	monitoringWorkspaceUsers := bootstrap.GetTFSetupStringOutput("monitoring_workspace_users")
 	vars := map[string]interface{}{
-		"terraform_service_account": terraformSA,
+		"backend_bucket": backend_bucket,
+		"terraform_service_account": terraformSA,
+		"monitoring_workspace_users": monitoringWorkspaceUsers,
+	}
+
+	backendConfig := map[string]interface{}{
+		"bucket": backend_bucket,
 	}
 	for _, envName := range []string{
@@ -61,6 +69,7 @@ func TestEnvs(t *testing.T) {
 		envs := tft.NewTFBlueprintTest(t,
 			tft.WithTFDir(fmt.Sprintf("../../../2-environments/envs/%s", envName)),
 			tft.WithVars(vars),
+			tft.WithBackendConfig(backendConfig),
 		)
 		envs.DefineVerify(
 			func(assert *assert.Assertions) {
@@ -81,7 +90,7 @@ func TestEnvs(t *testing.T) {
 					{
 						projectOutput: "monitoring_project_id",
 						role: "roles/monitoring.editor",
-						group: "TF_VAR_group_email",
+						group: monitoringWorkspaceUsers,
 						apis: []string{
 							"logging.googleapis.com",
 							"monitoring.googleapis.com",
@@ -132,9 +141,8 @@ func TestEnvs(t *testing.T) {
 					if projectEnvOutput.role != "" {
 						iamOpts := gcloud.WithCommonArgs([]string{"--flatten", "bindings", "--filter", fmt.Sprintf("bindings.role:%s", projectEnvOutput.role), "--format", "json"})
 						iamPolicy := gcloud.Run(t, fmt.Sprintf("projects get-iam-policy %s", projectID), iamOpts).Array()[0]
-						group := utils.ValFromEnv(t, projectEnvOutput.group)
 						listMembers := utils.GetResultStrSlice(iamPolicy.Get("bindings.members").Array())
-						assert.Contains(listMembers, fmt.Sprintf("group:%s", group), fmt.Sprintf("group %s should have role %s", group, projectEnvOutput.role))
+						assert.Contains(listMembers, fmt.Sprintf("group:%s", projectEnvOutput.group), fmt.Sprintf("group %s should have role %s", projectEnvOutput.group, projectEnvOutput.role))
 					}
 				}
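Review bot: `backend_bucket` in the first hunk is a snake_case Go local sitting next to `terraformSA` and `monitoringWorkspaceUsers`; Go naming convention (and the linters usually run on blueprint tests) wants `backendBucket`, which touches the declaration and the two map values, `"backend_bucket": backendBucket,` and `"bucket": backendBucket,`, and nothing else. Replacing the `TF_VAR_group_email` environment lookup with the `monitoring_workspace_users` setup output in the later hunks is a real improvement, since the asserted group is now the one actually passed to the module rather than an unrelated environment variable. TestEnvs starts before and ends after these hunks.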
From c107e82e6b27d77edc28f5d0758c1c45f7c43d83 Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Thu, 4 Aug 2022 23:56:39 -0300 Subject: [PATCH 10/30] move backend initialization to the end of apply phase --- test/integration/bootstrap/bootstrap_test.go | 43 +++++++++++--------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go index 379fcf555..b9a281c19 100644 --- a/test/integration/bootstrap/bootstrap_test.go +++ b/test/integration/bootstrap/bootstrap_test.go @@ -96,6 +96,30 @@ func TestBootstrap(t *testing.T) { "accesscontextmanager.googleapis.com", } + bootstrap.DefineApply( + func(assert *assert.Assertions){ + + bootstrap.DefaultApply(assert) + // configure options to push state to GCS bucket + tempOptions := bootstrap.GetTFOptions() + tempOptions.BackendConfig = map[string]interface{}{ + "bucket": bootstrap.GetStringOutput("gcs_bucket_tfstate"), + } + tempOptions.MigrateState = true + // create backend file + cwd, err := os.Getwd() + require.NoError(t, err) + destFile := path.Join(cwd, "../../../0-bootstrap/backend.tf") + fExists, err2 := fileExists(destFile) + require.NoError(t, err2) + if !fExists { + srcFile := path.Join(cwd, "../../../0-bootstrap/backend.tf.example") + _, err3 := exec.Command("cp", srcFile, destFile).CombinedOutput() + require.NoError(t, err3) + } + terraform.Init(t, tempOptions) + }) + bootstrap.DefineVerify( func(assert *assert.Assertions) { 
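Review bot: The new `DefineApply` hook copies `backend.tf.example` to `backend.tf` by shelling out to `cp`, which ties the test to a Unix userland and discards the error text (only the exit status reaches `require.NoError`, while `CombinedOutput` is thrown away); the copy can be done with the standard library, which this file already imports for `os.Getwd`. `func(assert *assert.Assertions){` also lacks the space gofmt puts before `{`, and `err2`/`err3` collapse to plain `err` once the copy is restructured. Migrating state inside the apply hook instead of at the end of verify is sensible, but a comment stating the reason, e.g. `// migrate local state to the GCS bucket right after apply so verify and teardown run against the remote state`, keeps the ordering from being undone later. TestBootstrap starts before and ends after this hunk.
```go
			// … unchanged: DefaultApply, backend options, cwd/destFile/fExists …
			if !fExists {
				srcFile := path.Join(cwd, "../../../0-bootstrap/backend.tf.example")
				content, err := os.ReadFile(srcFile) // Go 1.16+; ioutil.ReadFile on older toolchains
				require.NoError(t, err)
				require.NoError(t, os.WriteFile(destFile, content, 0o644))
			}
			terraform.Init(t, tempOptions)
```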
@@ -194,25 +218,6 @@ func TestBootstrap(t *testing.T) {
 				assert.Subset(listRoles, sa.orgRoles, fmt.Sprintf("service account %s should have organization level roles", terraformSAEmail))
 			}
 		}
-
-		// configure options to push state to GCS bucket
-		tempOptions := bootstrap.GetTFOptions()
-		tempOptions.BackendConfig = map[string]interface{}{
-			"bucket": bootstrap.GetStringOutput("gcs_bucket_tfstate"),
-		}
-		tempOptions.MigrateState = true
-		// create backend file
-		cwd, err := os.Getwd()
-		require.NoError(t, err)
-		destFile := path.Join(cwd, "../../../0-bootstrap/backend.tf")
-		fExists, err2 := fileExists(destFile)
-		require.NoError(t, err2)
-		if !fExists {
-			srcFile := path.Join(cwd, "../../../0-bootstrap/backend.tf.example")
-			_, err3 := exec.Command("cp", srcFile, destFile).CombinedOutput()
-			require.NoError(t, err3)
-		}
-		terraform.Init(t, tempOptions)
 	})
 	bootstrap.DefineTeardown(func(assert *assert.Assertions) {
From 375a85b33d8a81f123707ff5a157c0a2b12fe0e0 Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade Date: Fri, 5 Aug 2022 18:26:55 -0300 Subject: [PATCH 11/30] user remote state in step 4-projects --- 4-projects/access_context.auto.example.tfvars | 17 ------ .../business_unit_1.auto.example.tfvars | 17 ------ .../business_unit_1/development/README.md | 12 +--- .../development/access_context.auto.tfvars | 1 - .../development/business_unit_1.auto.tfvars | 1 - .../business_unit_1/development/main.tf | 24 ++++---- .../business_unit_1/development/outputs.tf | 4 +- .../business_unit_1/development/providers.tf | 9 +-- .../business_unit_1/development/variables.tf | 48 +++------------ .../business_unit_1/non-production/README.md | 12 +--- .../non-production/access_context.auto.tfvars | 1 - .../business_unit_1.auto.tfvars | 1 - .../business_unit_1/non-production/main.tf | 24 ++++---- .../business_unit_1/non-production/outputs.tf | 4 +- .../non-production/providers.tf | 8 +-- .../non-production/variables.tf | 48 +++------------ .../business_unit_1/production/README.md | 12 +--- .../production/access_context.auto.tfvars | 1 - .../production/business_unit_1.auto.tfvars | 1 - 4-projects/business_unit_1/production/main.tf | 24 ++++---- .../business_unit_1/production/outputs.tf | 4 +- .../business_unit_1/production/providers.tf | 9 +-- .../business_unit_1/production/variables.tf | 48 +++------------ 4-projects/business_unit_1/shared/README.md | 6 +- .../shared/example_infra_pipeline.tf | 14 ++--- 4-projects/business_unit_1/shared/folder.tf | 20 ------- 4-projects/business_unit_1/shared/main.tf | 27 +++++++++ .../business_unit_1/shared/providers.tf | 8 +-- .../shared/remote_state.tf} | 22 ++++++- .../business_unit_1/shared/variables.tf | 27 +-------- .../business_unit_2.auto.example.tfvars | 17 ------ .../business_unit_2/development/README.md | 12 +--- .../development/access_context.auto.tfvars | 1 - .../development/business_unit_2.auto.tfvars | 1 - .../business_unit_2/development/main.tf | 24 ++++---- .../business_unit_2/development/outputs.tf | 4 
+- .../business_unit_2/development/providers.tf | 8 +-- .../business_unit_2/development/variables.tf | 48 +++------------ .../business_unit_2/non-production/README.md | 12 +--- .../non-production/access_context.auto.tfvars | 1 - .../business_unit_2.auto.tfvars | 1 - .../business_unit_2/non-production/main.tf | 24 ++++---- .../business_unit_2/non-production/outputs.tf | 4 +- .../non-production/providers.tf | 9 +-- .../non-production/variables.tf | 48 +++------------ .../business_unit_2/production/README.md | 12 +--- .../production/access_context.auto.tfvars | 1 - .../production/business_unit_2.auto.tfvars | 1 - 4-projects/business_unit_2/production/main.tf | 24 ++++---- .../business_unit_2/production/outputs.tf | 4 +- .../business_unit_2/production/providers.tf | 8 +-- .../business_unit_2/production/variables.tf | 48 +++------------ 4-projects/business_unit_2/shared/README.md | 6 +- .../shared/example_infra_pipeline.tf | 14 ++--- 4-projects/business_unit_2/shared/main.tf | 27 +++++++++ .../business_unit_2/shared/providers.tf | 8 +-- .../shared/{folder.tf => remote_state.tf} | 23 +++++++- .../business_unit_2/shared/variables.tf | 27 +-------- 4-projects/common.auto.example.tfvars | 10 +--- 4-projects/development.auto.example.tfvars | 5 +- 4-projects/modules/base_env/README.md | 13 ++-- .../example_base_shared_vpc_project.tf | 30 +++++----- .../base_env/example_floating_project.tf | 11 ++-- .../base_env/example_peering_project.tf | 25 +++----- .../example_restricted_shared_vpc_project.tf | 27 +++++---- .../modules/base_env/example_storage_cmek.tf | 11 ++-- 4-projects/modules/base_env/main.tf | 35 +++++++++++ 4-projects/modules/base_env/outputs.tf | 10 ++++ 4-projects/modules/base_env/remote_state.tf | 58 ++++++++++++++++++ 4-projects/modules/base_env/variables.tf | 59 ++++--------------- 4-projects/modules/single_project/README.md | 2 + 4-projects/modules/single_project/data.tf | 26 -------- 4-projects/modules/single_project/main.tf | 4 +- 
.../modules/single_project/variables.tf | 12 ++++ 4-projects/non-production.auto.example.tfvars | 5 +- 4-projects/production.auto.example.tfvars | 5 +- 76 files changed, 465 insertions(+), 754 deletions(-) delete mode 100644 4-projects/access_context.auto.example.tfvars delete mode 100644 4-projects/business_unit_1.auto.example.tfvars delete mode 120000 4-projects/business_unit_1/development/access_context.auto.tfvars delete mode 120000 4-projects/business_unit_1/development/business_unit_1.auto.tfvars delete mode 120000 4-projects/business_unit_1/non-production/access_context.auto.tfvars delete mode 120000 4-projects/business_unit_1/non-production/business_unit_1.auto.tfvars delete mode 120000 4-projects/business_unit_1/production/access_context.auto.tfvars delete mode 120000 4-projects/business_unit_1/production/business_unit_1.auto.tfvars delete mode 100644 4-projects/business_unit_1/shared/folder.tf create mode 100644 4-projects/business_unit_1/shared/main.tf rename 4-projects/{modules/base_env/folder.tf => business_unit_1/shared/remote_state.tf} (57%) delete mode 100644 4-projects/business_unit_2.auto.example.tfvars delete mode 120000 4-projects/business_unit_2/development/access_context.auto.tfvars delete mode 120000 4-projects/business_unit_2/development/business_unit_2.auto.tfvars delete mode 120000 4-projects/business_unit_2/non-production/access_context.auto.tfvars delete mode 120000 4-projects/business_unit_2/non-production/business_unit_2.auto.tfvars delete mode 120000 4-projects/business_unit_2/production/access_context.auto.tfvars delete mode 120000 4-projects/business_unit_2/production/business_unit_2.auto.tfvars create mode 100644 4-projects/business_unit_2/shared/main.tf rename 4-projects/business_unit_2/shared/{folder.tf => remote_state.tf} (57%) create mode 100644 4-projects/modules/base_env/main.tf create mode 100644 4-projects/modules/base_env/remote_state.tf delete mode 100644 4-projects/modules/single_project/data.tf 
diff --git a/4-projects/access_context.auto.example.tfvars b/4-projects/access_context.auto.example.tfvars deleted file mode 100644 index dd6c65108..000000000 --- a/4-projects/access_context.auto.example.tfvars +++ /dev/null @@ -1,17 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -access_context_manager_policy_id = 000000000000 diff --git a/4-projects/business_unit_1.auto.example.tfvars b/4-projects/business_unit_1.auto.example.tfvars deleted file mode 100644 index 2f150efee..000000000 --- a/4-projects/business_unit_1.auto.example.tfvars +++ /dev/null @@ -1,17 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -app_infra_pipeline_cloudbuild_sa = "@cloudbuild.gserviceaccount.com" diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md index d986568dc..818c46852 100644 
--- a/4-projects/business_unit_1/development/README.md +++ b/4-projects/business_unit_1/development/README.md 
@@ -3,16 +3,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | +| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | -| perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. 
Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | ## Outputs diff --git a/4-projects/business_unit_1/development/access_context.auto.tfvars b/4-projects/business_unit_1/development/access_context.auto.tfvars deleted file mode 120000 index b0cccce77..000000000 --- a/4-projects/business_unit_1/development/access_context.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../access_context.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_1/development/business_unit_1.auto.tfvars b/4-projects/business_unit_1/development/business_unit_1.auto.tfvars deleted file mode 120000 index bb874fea3..000000000 --- a/4-projects/business_unit_1/development/business_unit_1.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../business_unit_1.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_1/development/main.tf b/4-projects/business_unit_1/development/main.tf index 1da1cfde3..a75a4a759 100644 --- a/4-projects/business_unit_1/development/main.tf +++ b/4-projects/business_unit_1/development/main.tf 
@@ -14,21 +14,19 @@
 * limitations under the License.
 */
+locals {
+ terraform_service_account = var.terraform_service_account
+}
 module "env" {
 source = "../../modules/base_env"
- env = "development"
- business_code = "bu1"
- business_unit = "business_unit_1"
- org_id = var.org_id
- billing_account = var.billing_account
- access_context_manager_policy_id = var.access_context_manager_policy_id
- parent_folder = var.parent_folder
- perimeter_name = var.perimeter_name
- peering_module_depends_on = var.peering_module_depends_on
- project_prefix = var.project_prefix
- folder_prefix = var.folder_prefix
- enable_hub_and_spoke = var.enable_hub_and_spoke
- app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa
+ env = "development"
+ business_code = "bu1"
+ business_unit = "business_unit_1"
+ backend_bucket = var.backend_bucket
+ location_kms = var.location_kms
+ location_gcs = var.location_gcs
+ terraform_service_account = local.terraform_service_account
+ peering_module_depends_on = var.peering_module_depends_on
 }
diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf
index 77681648a..4098ad611 100644
--- a/4-projects/business_unit_1/development/outputs.tf
+++ b/4-projects/business_unit_1/development/outputs.tf
@@ -51,7 +51,7 @@ output "restricted_shared_vpc_project_number" {
 output "vpc_service_control_perimeter_name" {
 description = "VPC Service Control name."
- value = var.perimeter_name
+ value = module.env.vpc_service_control_perimeter_name
 }
 output "restricted_enabled_apis" {
@@ -61,7 +61,7 @@ output "restricted_enabled_apis" {
 output "access_context_manager_policy_id" {
 description = "Access Context Manager Policy ID."
- value = var.access_context_manager_policy_id
+ value = module.env.access_context_manager_policy_id
 }
 output "peering_complete" {
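Review bot: `local.terraform_service_account` in the new `locals` block is a plain alias of `var.terraform_service_account`, so the value passed to `module "env"` and read by providers.tf carries nothing the variable does not; the non-production (L207) and production (L213) main.tf hunks add the same alias. If it exists so providers.tf can stay byte-identical with shared/providers.tf, where the local is derived differently, a one-line comment such as `# Alias so providers.tf can be identical across shared/ and the env directories.` would save the next reader that question — that rationale is my inference, so confirm it first. The outputs.tf hunks on this line now read `module.env.vpc_service_control_perimeter_name` and `module.env.access_context_manager_policy_id`, whose definitions in modules/base_env are outside this chunk, so I could not confirm those outputs exist.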
diff --git a/4-projects/business_unit_1/development/providers.tf b/4-projects/business_unit_1/development/providers.tf index b063f6b0f..e2ceefc09 100644 --- a/4-projects/business_unit_1/development/providers.tf +++ b/4-projects/business_unit_1/development/providers.tf @@ -14,18 +14,13 @@ * limitations under the License. */ -locals { - tf_sa = var.terraform_service_account -} - - /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } provider "google-beta" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } diff --git a/4-projects/business_unit_1/development/variables.tf b/4-projects/business_unit_1/development/variables.tf index be54660c8..db418e5dd 100644 --- a/4-projects/business_unit_1/development/variables.tf +++ b/4-projects/business_unit_1/development/variables.tf 
@@ -19,30 +19,21 @@ variable "terraform_service_account" { type = string } -variable "org_id" { - description = "The organization id for the associated services" +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string } -variable "billing_account" { - description = "The ID of the billing account to associated this project with" +variable "location_kms" { + description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" type = string + default = "us" } -variable "access_context_manager_policy_id" { - type = string - description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "perimeter_name" { - description = "Access context manager service perimeter name to attach the restricted svpc project." +variable "location_gcs" { + description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" type = string + default = "US" } variable "peering_module_depends_on" { 
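Review bot: `location_kms` defaults to `"us"` while `location_gcs` defaults to `"US"`, each description says it should match the other, and nothing in the hunk explains the case difference or checks the match; the non-production (L209) and production (L215) variables.tf hunks repeat the same defaults. A comment on each default would stop a future clean-up from unifying the case and breaking one of the two services, e.g. `# Cloud KMS location names are lowercase; GCS multi-region location names are uppercase.` A `validation` block cannot reference another variable in the Terraform versions this repo is likely pinned to, so the comment is the practical safeguard unless a precondition is added where the two values meet inside base_env, which is outside this chunk.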
@@ -50,26 +41,3 @@ variable "peering_module_depends_on" { type = list(any) default = [] } - -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "enable_hub_and_spoke" { - description = "Enable Hub-and-Spoke architecture." - type = bool - default = false -} - -variable "app_infra_pipeline_cloudbuild_sa" { - description = "Cloud Build SA used for deploying infrastructure" - type = string -} diff --git a/4-projects/business_unit_1/non-production/README.md b/4-projects/business_unit_1/non-production/README.md index d986568dc..818c46852 100644 --- a/4-projects/business_unit_1/non-production/README.md +++ b/4-projects/business_unit_1/non-production/README.md 
@@ -3,16 +3,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | +| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | -| perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. 
Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | ## Outputs diff --git a/4-projects/business_unit_1/non-production/access_context.auto.tfvars b/4-projects/business_unit_1/non-production/access_context.auto.tfvars deleted file mode 120000 index b0cccce77..000000000 --- a/4-projects/business_unit_1/non-production/access_context.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../access_context.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_1/non-production/business_unit_1.auto.tfvars b/4-projects/business_unit_1/non-production/business_unit_1.auto.tfvars deleted file mode 120000 index bb874fea3..000000000 --- a/4-projects/business_unit_1/non-production/business_unit_1.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../business_unit_1.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_1/non-production/main.tf b/4-projects/business_unit_1/non-production/main.tf index 097ec2744..fd5eefe9a 100644 --- a/4-projects/business_unit_1/non-production/main.tf +++ b/4-projects/business_unit_1/non-production/main.tf 
@@ -14,21 +14,19 @@ * limitations under the License. */ +locals { + terraform_service_account = var.terraform_service_account +} module "env" { source = "../../modules/base_env" - env = "non-production" - business_code = "bu1" - business_unit = "business_unit_1" - org_id = var.org_id - billing_account = var.billing_account - access_context_manager_policy_id = var.access_context_manager_policy_id - parent_folder = var.parent_folder - perimeter_name = var.perimeter_name - peering_module_depends_on = var.peering_module_depends_on - project_prefix = var.project_prefix - folder_prefix = var.folder_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa + env = "non-production" + business_code = "bu1" + business_unit = "business_unit_1" + backend_bucket = var.backend_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + terraform_service_account = local.terraform_service_account + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_1/non-production/outputs.tf b/4-projects/business_unit_1/non-production/outputs.tf index 77681648a..4098ad611 100644 --- a/4-projects/business_unit_1/non-production/outputs.tf +++ b/4-projects/business_unit_1/non-production/outputs.tf @@ -51,7 +51,7 @@ output "restricted_shared_vpc_project_number" { output "vpc_service_control_perimeter_name" { description = "VPC Service Control name." - value = var.perimeter_name + value = module.env.vpc_service_control_perimeter_name } output "restricted_enabled_apis" { @@ -61,7 +61,7 @@ output "restricted_enabled_apis" { output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." - value = var.access_context_manager_policy_id + value = module.env.access_context_manager_policy_id } output "peering_complete" { 
diff --git a/4-projects/business_unit_1/non-production/providers.tf b/4-projects/business_unit_1/non-production/providers.tf index b44fb4ed9..e2ceefc09 100644 --- a/4-projects/business_unit_1/non-production/providers.tf +++ b/4-projects/business_unit_1/non-production/providers.tf @@ -14,17 +14,13 @@ * limitations under the License. */ -locals { - tf_sa = var.terraform_service_account -} - /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } provider "google-beta" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } diff --git a/4-projects/business_unit_1/non-production/variables.tf b/4-projects/business_unit_1/non-production/variables.tf index be54660c8..db418e5dd 100644 --- a/4-projects/business_unit_1/non-production/variables.tf +++ b/4-projects/business_unit_1/non-production/variables.tf 
@@ -19,30 +19,21 @@ variable "terraform_service_account" { type = string } -variable "org_id" { - description = "The organization id for the associated services" +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string } -variable "billing_account" { - description = "The ID of the billing account to associated this project with" +variable "location_kms" { + description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" type = string + default = "us" } -variable "access_context_manager_policy_id" { - type = string - description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "perimeter_name" { - description = "Access context manager service perimeter name to attach the restricted svpc project." +variable "location_gcs" { + description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" type = string + default = "US" } variable "peering_module_depends_on" { 
@@ -50,26 +41,3 @@ variable "peering_module_depends_on" { type = list(any) default = [] } - -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "enable_hub_and_spoke" { - description = "Enable Hub-and-Spoke architecture." - type = bool - default = false -} - -variable "app_infra_pipeline_cloudbuild_sa" { - description = "Cloud Build SA used for deploying infrastructure" - type = string -} diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md index d986568dc..818c46852 100644 --- a/4-projects/business_unit_1/production/README.md +++ b/4-projects/business_unit_1/production/README.md 
@@ -3,16 +3,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | +| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | -| perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. 
Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | ## Outputs diff --git a/4-projects/business_unit_1/production/access_context.auto.tfvars b/4-projects/business_unit_1/production/access_context.auto.tfvars deleted file mode 120000 index b0cccce77..000000000 --- a/4-projects/business_unit_1/production/access_context.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../access_context.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_1/production/business_unit_1.auto.tfvars b/4-projects/business_unit_1/production/business_unit_1.auto.tfvars deleted file mode 120000 index bb874fea3..000000000 --- a/4-projects/business_unit_1/production/business_unit_1.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../business_unit_1.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_1/production/main.tf b/4-projects/business_unit_1/production/main.tf index 965db24fc..5400ffdfd 100644 --- a/4-projects/business_unit_1/production/main.tf +++ b/4-projects/business_unit_1/production/main.tf 
@@ -14,21 +14,19 @@ * limitations under the License. */ +locals { + terraform_service_account = var.terraform_service_account +} module "env" { source = "../../modules/base_env" - env = "production" - business_code = "bu1" - business_unit = "business_unit_1" - org_id = var.org_id - billing_account = var.billing_account - access_context_manager_policy_id = var.access_context_manager_policy_id - parent_folder = var.parent_folder - perimeter_name = var.perimeter_name - peering_module_depends_on = var.peering_module_depends_on - project_prefix = var.project_prefix - folder_prefix = var.folder_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa + env = "production" + business_code = "bu1" + business_unit = "business_unit_1" + backend_bucket = var.backend_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + terraform_service_account = local.terraform_service_account + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf index 77681648a..4098ad611 100644 --- a/4-projects/business_unit_1/production/outputs.tf +++ b/4-projects/business_unit_1/production/outputs.tf @@ -51,7 +51,7 @@ output "restricted_shared_vpc_project_number" { output "vpc_service_control_perimeter_name" { description = "VPC Service Control name." - value = var.perimeter_name + value = module.env.vpc_service_control_perimeter_name } output "restricted_enabled_apis" { @@ -61,7 +61,7 @@ output "restricted_enabled_apis" { output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." - value = var.access_context_manager_policy_id + value = module.env.access_context_manager_policy_id } output "peering_complete" { diff --git a/4-projects/business_unit_1/production/providers.tf b/4-projects/business_unit_1/production/providers.tf index b063f6b0f..e2ceefc09 100644 
--- a/4-projects/business_unit_1/production/providers.tf +++ b/4-projects/business_unit_1/production/providers.tf @@ -14,18 +14,13 @@ * limitations under the License. */ -locals { - tf_sa = var.terraform_service_account -} - - /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } provider "google-beta" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } diff --git a/4-projects/business_unit_1/production/variables.tf b/4-projects/business_unit_1/production/variables.tf index be54660c8..db418e5dd 100644 --- a/4-projects/business_unit_1/production/variables.tf +++ b/4-projects/business_unit_1/production/variables.tf 
@@ -19,30 +19,21 @@ variable "terraform_service_account" { type = string } -variable "org_id" { - description = "The organization id for the associated services" +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string } -variable "billing_account" { - description = "The ID of the billing account to associated this project with" +variable "location_kms" { + description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" type = string + default = "us" } -variable "access_context_manager_policy_id" { - type = string - description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "perimeter_name" { - description = "Access context manager service perimeter name to attach the restricted svpc project." +variable "location_gcs" { + description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" type = string + default = "US" } variable "peering_module_depends_on" { 
@@ -50,26 +41,3 @@ variable "peering_module_depends_on" { type = list(any) default = [] } - -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "enable_hub_and_spoke" { - description = "Enable Hub-and-Spoke architecture." - type = bool - default = false -} - -variable "app_infra_pipeline_cloudbuild_sa" { - description = "Cloud Build SA used for deploying infrastructure" - type = string -} diff --git a/4-projects/business_unit_1/shared/README.md b/4-projects/business_unit_1/shared/README.md index 117de1ce6..fc7272ae2 100644 --- a/4-projects/business_unit_1/shared/README.md +++ b/4-projects/business_unit_1/shared/README.md @@ -5,13 +5,9 @@ |------|-------------|------|---------|:--------:| | alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no | | alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | budget\_amount | The amount to use as the budget | `number` | `1000` | no | | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | ## Outputs diff --git a/4-projects/business_unit_1/shared/example_infra_pipeline.tf b/4-projects/business_unit_1/shared/example_infra_pipeline.tf index dc50e1a44..b140bb919 100644 --- a/4-projects/business_unit_1/shared/example_infra_pipeline.tf +++ b/4-projects/business_unit_1/shared/example_infra_pipeline.tf 
@@ -16,14 +16,14 @@ module "app_infra_cloudbuild_project" {
 source = "../../modules/single_project"
- org_id = var.org_id
- billing_account = var.billing_account
- folder_id = data.google_active_folder.common.name
+ org_id = local.org_id
+ billing_account = local.billing_account
+ folder_id = local.common_folder_name
 environment = "common"
 alert_spent_percents = var.alert_spent_percents
 alert_pubsub_topic = var.alert_pubsub_topic
 budget_amount = var.budget_amount
- project_prefix = var.project_prefix
+ project_prefix = local.project_prefix
 activate_apis = [
 "cloudbuild.googleapis.com", "sourcerepo.googleapis.com",
@@ -43,10 +43,10 @@ module "app_infra_cloudbuild_project" {
 module "infra_pipelines" {
 source = "../../modules/infra_pipelines"
- impersonate_service_account = var.terraform_service_account
+ impersonate_service_account = local.terraform_service_account
 cloudbuild_project_id = module.app_infra_cloudbuild_project.project_id
- project_prefix = var.project_prefix
- billing_account = var.billing_account
+ project_prefix = local.project_prefix
+ billing_account = local.billing_account
 default_region = var.default_region
 bucket_region = var.default_region
 app_infra_repos = ["bu1-example-app"]
diff --git a/4-projects/business_unit_1/shared/folder.tf b/4-projects/business_unit_1/shared/folder.tf
deleted file mode 100644
index 7e7311605..000000000
--- a/4-projects/business_unit_1/shared/folder.tf
+++ /dev/null
@@ -1,20 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "google_active_folder" "common" { - display_name = "${var.folder_prefix}-common" - parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" -} diff --git a/4-projects/business_unit_1/shared/main.tf b/4-projects/business_unit_1/shared/main.tf new file mode 100644 index 000000000..c75d133dd --- /dev/null +++ b/4-projects/business_unit_1/shared/main.tf 
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ terraform_service_account = var.terraform_service_account
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
+ default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+ project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
+ folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
+ parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
+ common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
+}
diff --git a/4-projects/business_unit_1/shared/providers.tf b/4-projects/business_unit_1/shared/providers.tf
index b44fb4ed9..e2ceefc09 100644
--- a/4-projects/business_unit_1/shared/providers.tf
+++ b/4-projects/business_unit_1/shared/providers.tf
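Review bot: `local.parent_folder`, `local.default_region`, `local.folder_prefix` and `local.parent` are declared here but no visible hunk references them, and `example_infra_pipeline.tf` (L224) still passes `var.default_region` to both modules even though `local.default_region` from bootstrap state would keep the region consistent with the earlier steps. If these locals are placeholders for later patches in this series, say so in a comment; otherwise drop them so the surface read from remote state stays as small as what this step actually uses. Every value here comes from `data.terraform_remote_state.bootstrap` and `.org`, defined in remote_state.tf (L227); a header comment naming that file would make the cross-file dependency obvious, e.g. `# Values below are read from the bootstrap and org remote states; see remote_state.tf.`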
@@ -14,17 +14,13 @@
 * limitations under the License.
 */
-locals {
- tf_sa = var.terraform_service_account
-}
-
 /******************************************
 Provider credential configuration
 *****************************************/
 provider "google" {
- impersonate_service_account = local.tf_sa
+ impersonate_service_account = local.terraform_service_account
 }
 provider "google-beta" {
- impersonate_service_account = local.tf_sa
+ impersonate_service_account = local.terraform_service_account
 }
diff --git a/4-projects/modules/base_env/folder.tf b/4-projects/business_unit_1/shared/remote_state.tf
similarity index 57%
rename from 4-projects/modules/base_env/folder.tf
rename to 4-projects/business_unit_1/shared/remote_state.tf
index 2b81adfe8..13e896eab 100644
--- a/4-projects/modules/base_env/folder.tf
+++ b/4-projects/business_unit_1/shared/remote_state.tf
@@ -14,8 +14,24 @@
 * limitations under the License.
 */
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-${var.env}"
- parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
+data "terraform_remote_state" "bootstrap" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/bootstrap/state"
+
+ impersonate_service_account = local.terraform_service_account
+ }
 }
+data "terraform_remote_state" "org" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/org/state"
+
+ impersonate_service_account = local.terraform_service_account
+ }
+}
diff --git a/4-projects/business_unit_1/shared/variables.tf b/4-projects/business_unit_1/shared/variables.tf
index 07f814ffc..1f5d41cd5 100644
--- a/4-projects/business_unit_1/shared/variables.tf
+++ b/4-projects/business_unit_1/shared/variables.tf
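Review bot: `bucket = "${var.backend_bucket}"` in both `terraform_remote_state` blocks is an interpolation-only string that `terraform fmt` and `terraform validate` flag as deprecated; `bucket = var.backend_bucket` is the intended form. `terraform_remote_state` also needs read access to the whole bootstrap and org state objects, not just the outputs consumed here, and its `outputs` attribute is itself stored in this step's state, so anything sensitive those two steps export becomes readable wherever the 4-projects state is readable. A header comment spelling that out keeps the access requirement reviewable, e.g. `# Reads the bootstrap and org states via the impersonated SA, which needs object read access (e.g. roles/storage.objectViewer) on those prefixes; only common_config and common_folder_name are consumed.` This file is a rename of modules/base_env/folder.tf, so `data.google_active_folder.env` no longer exists in base_env; whatever now resolves the environment folder inside the module is outside this chunk.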
@@ -25,22 +25,6 @@ variable "terraform_service_account" { type = string } -variable "org_id" { - description = "The organization id for the associated services" - type = string -} - -variable "billing_account" { - description = "The ID of the billing account to associated this project with" - type = string -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - variable "alert_spent_percents" { description = "A list of percentages of the budget to alert on when threshold is exceeded" type = list(number) @@ -59,14 +43,7 @@ variable "budget_amount" { default = 1000 } -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - default = "prj" } diff --git a/4-projects/business_unit_2.auto.example.tfvars b/4-projects/business_unit_2.auto.example.tfvars deleted file mode 100644 index 03f2a179b..000000000 --- a/4-projects/business_unit_2.auto.example.tfvars +++ /dev/null 
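Review bot: The new `backend_bucket` variable correctly has no default, but its description tells the operator neither which bucket it is nor what the impersonated account must be allowed to do with it; the prefixes used with it in remote_state.tf suggest it is the `gcs_bucket_tfstate` output of 0-bootstrap. I would expand it to `description = "Name of the GCS bucket holding the 0-bootstrap and 1-org Terraform state (the gcs_bucket_tfstate output of 0-bootstrap); terraform_service_account must be able to read objects in it."`. Since `project_prefix` and `folder_prefix` are removed here and now come from that state, a wrong bucket name fails at plan rather than silently falling back to the old `prj`/`fldr` defaults, which is the safer direction and worth noting in the description.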
@@ -1,17 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-app_infra_pipeline_cloudbuild_sa = "@cloudbuild.gserviceaccount.com"
diff --git a/4-projects/business_unit_2/development/README.md b/4-projects/business_unit_2/development/README.md
index d986568dc..818c46852 100644
--- a/4-projects/business_unit_2/development/README.md
+++ b/4-projects/business_unit_2/development/README.md
@@ -3,16 +3,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | +| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | -| perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. 
Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | ## Outputs diff --git a/4-projects/business_unit_2/development/access_context.auto.tfvars b/4-projects/business_unit_2/development/access_context.auto.tfvars deleted file mode 120000 index b0cccce77..000000000 --- a/4-projects/business_unit_2/development/access_context.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../access_context.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_2/development/business_unit_2.auto.tfvars b/4-projects/business_unit_2/development/business_unit_2.auto.tfvars deleted file mode 120000 index 36de0895f..000000000 --- a/4-projects/business_unit_2/development/business_unit_2.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../business_unit_2.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_2/development/main.tf b/4-projects/business_unit_2/development/main.tf index 88c031e4c..7f33128d3 100644 --- a/4-projects/business_unit_2/development/main.tf +++ b/4-projects/business_unit_2/development/main.tf 
@@ -14,21 +14,19 @@ * limitations under the License. */ +locals { + terraform_service_account = var.terraform_service_account +} module "env" { source = "../../modules/base_env" - env = "development" - business_code = "bu2" - business_unit = "business_unit_2" - org_id = var.org_id - billing_account = var.billing_account - access_context_manager_policy_id = var.access_context_manager_policy_id - parent_folder = var.parent_folder - perimeter_name = var.perimeter_name - peering_module_depends_on = var.peering_module_depends_on - project_prefix = var.project_prefix - folder_prefix = var.folder_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa + env = "development" + business_code = "bu2" + business_unit = "business_unit_2" + backend_bucket = var.backend_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + terraform_service_account = local.terraform_service_account + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/development/outputs.tf b/4-projects/business_unit_2/development/outputs.tf index 77681648a..4098ad611 100644 --- a/4-projects/business_unit_2/development/outputs.tf +++ b/4-projects/business_unit_2/development/outputs.tf @@ -51,7 +51,7 @@ output "restricted_shared_vpc_project_number" { output "vpc_service_control_perimeter_name" { description = "VPC Service Control name." - value = var.perimeter_name + value = module.env.vpc_service_control_perimeter_name } output "restricted_enabled_apis" { @@ -61,7 +61,7 @@ output "restricted_enabled_apis" { output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." - value = var.access_context_manager_policy_id + value = module.env.access_context_manager_policy_id } output "peering_complete" { 
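Review bot: The `locals` block added to main.tf only aliases `var.terraform_service_account`, and the reason it exists — providers.tf in this directory now references `local.terraform_service_account` after its own locals block was removed — is invisible from main.tf, so the next tidy-up will likely delete it and break `terraform validate`. A one-line comment prevents that: `# Shared with providers.tf (which has no locals of its own); keep the name in sync across environments.` With `backend_bucket` passed into `module.env`, the module now resolves org, folder and perimeter from remote state by itself, so this stack no longer carries any operator-supplied value that could be cross-checked against that state; the module is outside this diff.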
diff --git a/4-projects/business_unit_2/development/providers.tf b/4-projects/business_unit_2/development/providers.tf index b44fb4ed9..e2ceefc09 100644 --- a/4-projects/business_unit_2/development/providers.tf +++ b/4-projects/business_unit_2/development/providers.tf @@ -14,17 +14,13 @@ * limitations under the License. */ -locals { - tf_sa = var.terraform_service_account -} - /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } provider "google-beta" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } diff --git a/4-projects/business_unit_2/development/variables.tf b/4-projects/business_unit_2/development/variables.tf index be54660c8..db418e5dd 100644 --- a/4-projects/business_unit_2/development/variables.tf +++ b/4-projects/business_unit_2/development/variables.tf 
@@ -19,30 +19,21 @@ variable "terraform_service_account" { type = string } -variable "org_id" { - description = "The organization id for the associated services" +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string } -variable "billing_account" { - description = "The ID of the billing account to associated this project with" +variable "location_kms" { + description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" type = string + default = "us" } -variable "access_context_manager_policy_id" { - type = string - description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "perimeter_name" { - description = "Access context manager service perimeter name to attach the restricted svpc project." +variable "location_gcs" { + description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" type = string + default = "US" } variable "peering_module_depends_on" { 
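Review bot: `location_kms` and `location_gcs` are documented as having to agree, but nothing enforces it, and a Terraform `validation` block cannot reference another variable, so the check belongs as a `precondition` in the module that consumes them (outside this diff) or at least in the descriptions. The defaults `us` and `US` are the same multi-region spelled the way each API expects, which should be stated so nobody "fixes" the case, e.g. `description = "KMS keyring location; must be the location (or matching multi-region) of the CMEK-protected bucket — lowercase us pairs with the US bucket default."`. The same two variables are added verbatim in non-production and production, so any change here should be mirrored there; the `peering_module_depends_on` block that closes this hunk continues outside it.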
@@ -50,26 +41,3 @@ variable "peering_module_depends_on" { type = list(any) default = [] } - -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "enable_hub_and_spoke" { - description = "Enable Hub-and-Spoke architecture." - type = bool - default = false -} - -variable "app_infra_pipeline_cloudbuild_sa" { - description = "Cloud Build SA used for deploying infrastructure" - type = string -} diff --git a/4-projects/business_unit_2/non-production/README.md b/4-projects/business_unit_2/non-production/README.md index d986568dc..818c46852 100644 --- a/4-projects/business_unit_2/non-production/README.md +++ b/4-projects/business_unit_2/non-production/README.md 
@@ -3,16 +3,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | +| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | -| perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. 
Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | ## Outputs diff --git a/4-projects/business_unit_2/non-production/access_context.auto.tfvars b/4-projects/business_unit_2/non-production/access_context.auto.tfvars deleted file mode 120000 index b0cccce77..000000000 --- a/4-projects/business_unit_2/non-production/access_context.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../access_context.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_2/non-production/business_unit_2.auto.tfvars b/4-projects/business_unit_2/non-production/business_unit_2.auto.tfvars deleted file mode 120000 index 36de0895f..000000000 --- a/4-projects/business_unit_2/non-production/business_unit_2.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../business_unit_2.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_2/non-production/main.tf b/4-projects/business_unit_2/non-production/main.tf index a1dc7908e..233a88825 100644 --- a/4-projects/business_unit_2/non-production/main.tf +++ b/4-projects/business_unit_2/non-production/main.tf 
@@ -14,21 +14,19 @@ * limitations under the License. */ +locals { + terraform_service_account = var.terraform_service_account +} module "env" { source = "../../modules/base_env" - env = "non-production" - business_code = "bu2" - business_unit = "business_unit_2" - org_id = var.org_id - billing_account = var.billing_account - access_context_manager_policy_id = var.access_context_manager_policy_id - parent_folder = var.parent_folder - perimeter_name = var.perimeter_name - peering_module_depends_on = var.peering_module_depends_on - project_prefix = var.project_prefix - folder_prefix = var.folder_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa + env = "non-production" + business_code = "bu2" + business_unit = "business_unit_2" + backend_bucket = var.backend_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + terraform_service_account = local.terraform_service_account + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/non-production/outputs.tf b/4-projects/business_unit_2/non-production/outputs.tf index 77681648a..4098ad611 100644 --- a/4-projects/business_unit_2/non-production/outputs.tf +++ b/4-projects/business_unit_2/non-production/outputs.tf @@ -51,7 +51,7 @@ output "restricted_shared_vpc_project_number" { output "vpc_service_control_perimeter_name" { description = "VPC Service Control name." - value = var.perimeter_name + value = module.env.vpc_service_control_perimeter_name } output "restricted_enabled_apis" { @@ -61,7 +61,7 @@ output "restricted_enabled_apis" { output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." - value = var.access_context_manager_policy_id + value = module.env.access_context_manager_policy_id } output "peering_complete" { 
diff --git a/4-projects/business_unit_2/non-production/providers.tf b/4-projects/business_unit_2/non-production/providers.tf index b063f6b0f..e2ceefc09 100644 --- a/4-projects/business_unit_2/non-production/providers.tf +++ b/4-projects/business_unit_2/non-production/providers.tf @@ -14,18 +14,13 @@ * limitations under the License. */ -locals { - tf_sa = var.terraform_service_account -} - - /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } provider "google-beta" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } diff --git a/4-projects/business_unit_2/non-production/variables.tf b/4-projects/business_unit_2/non-production/variables.tf index be54660c8..db418e5dd 100644 --- a/4-projects/business_unit_2/non-production/variables.tf +++ b/4-projects/business_unit_2/non-production/variables.tf 
@@ -19,30 +19,21 @@ variable "terraform_service_account" { type = string } -variable "org_id" { - description = "The organization id for the associated services" +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string } -variable "billing_account" { - description = "The ID of the billing account to associated this project with" +variable "location_kms" { + description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" type = string + default = "us" } -variable "access_context_manager_policy_id" { - type = string - description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "perimeter_name" { - description = "Access context manager service perimeter name to attach the restricted svpc project." +variable "location_gcs" { + description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" type = string + default = "US" } variable "peering_module_depends_on" { 
@@ -50,26 +41,3 @@ variable "peering_module_depends_on" { type = list(any) default = [] } - -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "enable_hub_and_spoke" { - description = "Enable Hub-and-Spoke architecture." - type = bool - default = false -} - -variable "app_infra_pipeline_cloudbuild_sa" { - description = "Cloud Build SA used for deploying infrastructure" - type = string -} diff --git a/4-projects/business_unit_2/production/README.md b/4-projects/business_unit_2/production/README.md index d986568dc..818c46852 100644 --- a/4-projects/business_unit_2/production/README.md +++ b/4-projects/business_unit_2/production/README.md 
@@ -3,16 +3,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | -| app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | -| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | +| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | -| perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. 
Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | ## Outputs diff --git a/4-projects/business_unit_2/production/access_context.auto.tfvars b/4-projects/business_unit_2/production/access_context.auto.tfvars deleted file mode 120000 index b0cccce77..000000000 --- a/4-projects/business_unit_2/production/access_context.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../access_context.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_2/production/business_unit_2.auto.tfvars b/4-projects/business_unit_2/production/business_unit_2.auto.tfvars deleted file mode 120000 index 36de0895f..000000000 --- a/4-projects/business_unit_2/production/business_unit_2.auto.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../business_unit_2.auto.tfvars \ No newline at end of file diff --git a/4-projects/business_unit_2/production/main.tf b/4-projects/business_unit_2/production/main.tf index 4dbdc00f9..c459d2848 100644 --- a/4-projects/business_unit_2/production/main.tf +++ b/4-projects/business_unit_2/production/main.tf 
@@ -14,21 +14,19 @@ * limitations under the License. */ +locals { + terraform_service_account = var.terraform_service_account +} module "env" { source = "../../modules/base_env" - env = "production" - business_code = "bu2" - business_unit = "business_unit_2" - org_id = var.org_id - billing_account = var.billing_account - access_context_manager_policy_id = var.access_context_manager_policy_id - parent_folder = var.parent_folder - perimeter_name = var.perimeter_name - peering_module_depends_on = var.peering_module_depends_on - project_prefix = var.project_prefix - folder_prefix = var.folder_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - app_infra_pipeline_cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa + env = "production" + business_code = "bu2" + business_unit = "business_unit_2" + backend_bucket = var.backend_bucket + location_kms = var.location_kms + location_gcs = var.location_gcs + terraform_service_account = local.terraform_service_account + peering_module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/business_unit_2/production/outputs.tf b/4-projects/business_unit_2/production/outputs.tf index 77681648a..4098ad611 100644 --- a/4-projects/business_unit_2/production/outputs.tf +++ b/4-projects/business_unit_2/production/outputs.tf @@ -51,7 +51,7 @@ output "restricted_shared_vpc_project_number" { output "vpc_service_control_perimeter_name" { description = "VPC Service Control name." - value = var.perimeter_name + value = module.env.vpc_service_control_perimeter_name } output "restricted_enabled_apis" { @@ -61,7 +61,7 @@ output "restricted_enabled_apis" { output "access_context_manager_policy_id" { description = "Access Context Manager Policy ID." - value = var.access_context_manager_policy_id + value = module.env.access_context_manager_policy_id } output "peering_complete" { diff --git a/4-projects/business_unit_2/production/providers.tf b/4-projects/business_unit_2/production/providers.tf index b44fb4ed9..e2ceefc09 100644 
--- a/4-projects/business_unit_2/production/providers.tf +++ b/4-projects/business_unit_2/production/providers.tf @@ -14,17 +14,13 @@ * limitations under the License. */ -locals { - tf_sa = var.terraform_service_account -} - /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } provider "google-beta" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } diff --git a/4-projects/business_unit_2/production/variables.tf b/4-projects/business_unit_2/production/variables.tf index be54660c8..db418e5dd 100644 --- a/4-projects/business_unit_2/production/variables.tf +++ b/4-projects/business_unit_2/production/variables.tf 
@@ -19,30 +19,21 @@ variable "terraform_service_account" { type = string } -variable "org_id" { - description = "The organization id for the associated services" +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string } -variable "billing_account" { - description = "The ID of the billing account to associated this project with" +variable "location_kms" { + description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)" type = string + default = "us" } -variable "access_context_manager_policy_id" { - type = string - description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "perimeter_name" { - description = "Access context manager service perimeter name to attach the restricted svpc project." +variable "location_gcs" { + description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)" type = string + default = "US" } variable "peering_module_depends_on" { 
@@ -50,26 +41,3 @@ variable "peering_module_depends_on" { type = list(any) default = [] } - -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "enable_hub_and_spoke" { - description = "Enable Hub-and-Spoke architecture." - type = bool - default = false -} - -variable "app_infra_pipeline_cloudbuild_sa" { - description = "Cloud Build SA used for deploying infrastructure" - type = string -} diff --git a/4-projects/business_unit_2/shared/README.md b/4-projects/business_unit_2/shared/README.md index 117de1ce6..fc7272ae2 100644 --- a/4-projects/business_unit_2/shared/README.md +++ b/4-projects/business_unit_2/shared/README.md @@ -5,13 +5,9 @@ |------|-------------|------|---------|:--------:| | alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no | | alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | budget\_amount | The amount to use as the budget | `number` | `1000` | no | | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | ## Outputs diff --git a/4-projects/business_unit_2/shared/example_infra_pipeline.tf b/4-projects/business_unit_2/shared/example_infra_pipeline.tf index 8ea6e1aee..1eca63833 100644 --- a/4-projects/business_unit_2/shared/example_infra_pipeline.tf +++ b/4-projects/business_unit_2/shared/example_infra_pipeline.tf 
@@ -16,14 +16,14 @@ module "app_infra_cloudbuild_project" { source = "../../modules/single_project" - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.common.name + org_id = local.org_id + billing_account = local.billing_account + folder_id = local.common_folder_name environment = "common" alert_spent_percents = var.alert_spent_percents alert_pubsub_topic = var.alert_pubsub_topic budget_amount = var.budget_amount - project_prefix = var.project_prefix + project_prefix = local.project_prefix activate_apis = [ "cloudbuild.googleapis.com", "sourcerepo.googleapis.com", @@ -43,10 +43,10 @@ module "app_infra_cloudbuild_project" { module "infra_pipelines" { source = "../../modules/infra_pipelines" - impersonate_service_account = var.terraform_service_account + impersonate_service_account = local.terraform_service_account cloudbuild_project_id = module.app_infra_cloudbuild_project.project_id - project_prefix = var.project_prefix - billing_account = var.billing_account + project_prefix = local.project_prefix + billing_account = local.billing_account default_region = var.default_region bucket_region = var.default_region app_infra_repos = ["bu2-example-app"] diff --git a/4-projects/business_unit_2/shared/main.tf b/4-projects/business_unit_2/shared/main.tf new file mode 100644 index 000000000..c75d133dd --- /dev/null +++ b/4-projects/business_unit_2/shared/main.tf 
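Review bot: In the `infra_pipelines` hunk, `default_region = var.default_region` and `bucket_region = var.default_region` keep reading the per-directory variable while the rest of this file was switched to values from bootstrap state, and main.tf in this directory now also defines `local.default_region` from that state — two sources of truth for the region of the Cloud Build bucket and triggers, which is the drift this series is meant to remove. Either switch both lines to `local.default_region` and drop the `default_region` input, or add a comment explaining why a business unit may legitimately deploy its pipeline in a region other than the foundation's. The `module "infra_pipelines"` block continues past the end of this hunk; the `app_infra_cloudbuild_project` hunk above it is consistent with the new locals.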
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ terraform_service_account = var.terraform_service_account
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
+ default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+ project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
+ folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
+ parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
+ common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
+}
diff --git a/4-projects/business_unit_2/shared/providers.tf b/4-projects/business_unit_2/shared/providers.tf
index b44fb4ed9..e2ceefc09 100644
--- a/4-projects/business_unit_2/shared/providers.tf
+++ b/4-projects/business_unit_2/shared/providers.tf
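Review bot: `local.default_region` here duplicates the `default_region` variable this directory still declares (example_infra_pipeline.tf still reads `var.default_region`), and `parent_folder`, `folder_prefix` and `parent` have no visible consumer in this stack; each unused local should be removed or annotated with what uses it, otherwise the block advertises a coupling to bootstrap state that does not exist. What the block should state explicitly is where authority now lives: `# org_id, billing_account and common_folder_name are taken from 0-bootstrap / 1-org state rather than tfvars, so write access to the state bucket is equivalent to choosing where this business unit's projects are created and billed.` The `terraform_remote_state` data sources it depends on are declared in remote_state.tf, so the block is not self-contained.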
@@ -14,17 +14,13 @@ * limitations under the License. */ -locals { - tf_sa = var.terraform_service_account -} - /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } provider "google-beta" { - impersonate_service_account = local.tf_sa + impersonate_service_account = local.terraform_service_account } diff --git a/4-projects/business_unit_2/shared/folder.tf b/4-projects/business_unit_2/shared/remote_state.tf similarity index 57% rename from 4-projects/business_unit_2/shared/folder.tf rename to 4-projects/business_unit_2/shared/remote_state.tf index 7e7311605..13e896eab 100644 --- a/4-projects/business_unit_2/shared/folder.tf +++ b/4-projects/business_unit_2/shared/remote_state.tf @@ -14,7 +14,24 @@ * limitations under the License. */ -data "google_active_folder" "common" { - display_name = "${var.folder_prefix}-common" - parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/bootstrap/state" + + impersonate_service_account = local.terraform_service_account + } +} + +data "terraform_remote_state" "org" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/org/state" + + impersonate_service_account = local.terraform_service_account + } } diff --git a/4-projects/business_unit_2/shared/variables.tf b/4-projects/business_unit_2/shared/variables.tf index 07f814ffc..1f5d41cd5 100644 --- a/4-projects/business_unit_2/shared/variables.tf +++ b/4-projects/business_unit_2/shared/variables.tf 
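Review bot: `bucket = "${var.backend_bucket}"` in both `terraform_remote_state` blocks of the renamed `remote_state.tf` wraps a lone variable in an interpolation, which `terraform validate` flags as a deprecated interpolation-only expression; write `bucket = var.backend_bucket`. The same pattern appears in all four blocks of `4-projects/modules/base_env/remote_state.tf` further down. Both `impersonate_service_account` lines reference `local.terraform_service_account`, which this commit declares in the new `main.tf` rather than here, so the rename hunk only validates together with that file.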
@@ -25,22 +25,6 @@ variable "terraform_service_account" { type = string } -variable "org_id" { - description = "The organization id for the associated services" - type = string -} - -variable "billing_account" { - description = "The ID of the billing account to associated this project with" - type = string -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - variable "alert_spent_percents" { description = "A list of percentages of the budget to alert on when threshold is exceeded" type = list(number) @@ -59,14 +43,7 @@ variable "budget_amount" { default = 1000 } -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - default = "prj" } diff --git a/4-projects/common.auto.example.tfvars b/4-projects/common.auto.example.tfvars index dc64efb15..e1037eaec 100644 --- a/4-projects/common.auto.example.tfvars +++ b/4-projects/common.auto.example.tfvars 
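Review bot: The new `backend_bucket` variable is required with no `default` and no `validation`, so an empty or wrong bucket name surfaces only as a GCS error from the `terraform_remote_state` data sources during plan. The description could at least say where the value comes from, e.g. `description = "Backend bucket to load remote state information from previous steps (presumably the state bucket created by 0-bootstrap, given the terraform/bootstrap/state prefix in remote_state.tf)."`, with the parenthetical confirmed before merging. The same variable with the same description is added in `4-projects/modules/base_env/variables.tf` and `3-networks-dual-svpc/envs/development/variables.tf` below, so the wording should be fixed in all three.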
@@ -14,12 +14,6 @@ * limitations under the License. */ -billing_account = "000000-000000-000000" +terraform_service_account = "org-terraform@prj-b-seed-2334.iam.gserviceaccount.com" -org_id = "000000000000" - -terraform_service_account = "org-terraform@example-project-2334.iam.gserviceaccount.com" - -// Optional - for an organization with existing projects or for development/validation. -// Must be the same value used in previous steps. -//parent_folder = "01234567890" +backend_bucket = "" diff --git a/4-projects/development.auto.example.tfvars b/4-projects/development.auto.example.tfvars index e440bc16b..f63111f83 100644 --- a/4-projects/development.auto.example.tfvars +++ b/4-projects/development.auto.example.tfvars @@ -14,6 +14,5 @@ * limitations under the License. */ -perimeter_name = "sp_d_shared_restricted_default_perimeter_????" - -//enable_hub_and_spoke = true +location_kms = "us" +location_gcs = "US" diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md index 2e56c7fe6..73cd55a0a 100644 --- a/4-projects/modules/base_env/README.md +++ b/4-projects/modules/base_env/README.md @@ -3,18 +3,14 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_context\_manager\_policy\_id | The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `string` | n/a | yes | | alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` | `string` | `null` | no | | alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded | `list(number)` |
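Review bot: `backend_bucket = ""` leaves the new required variable as an empty string in `4-projects/common.auto.example.tfvars`, so a user who copies the example and runs `terraform init`/`plan` gets a GCS backend error from the remote-state data sources instead of a clear "value missing" message. The other example values use recognisable placeholders; a labelled placeholder plus a comment, e.g. `// Bucket that holds the Terraform state of the previous steps` and `backend_bucket = "REPLACE_WITH_STATE_BUCKET_NAME"`, would be clearer. The example service-account project also changes from `example-project-2334` to `prj-b-seed-2334` in the same hunk, which appears unrelated to the remote-state change.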
[
0.5,
0.75,
0.9,
0.95
]
| no | -| app\_infra\_pipeline\_cloudbuild\_sa | Cloud Build SA used for deploying infrastructure | `string` | n/a | yes | -| billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | budget\_amount | The amount to use as the budget | `number` | `1000` | no | | business\_code | The business code (ex. bu1). | `string` | n/a | yes | | business\_unit | The business (ex. business\_unit\_1). | `string` | n/a | yes | -| enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | | env | The environment to prepare (ex. development). | `string` | n/a | yes | | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | | gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no | | key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no | | key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no | 
@@ -22,18 +18,16 @@ | location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no | | location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no | | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no | -| org\_id | The organization id for the associated services | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list(any)` | `[]` | no | -| perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes | -| project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | | secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no | +| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no | ## Outputs | Name | Description | |------|-------------| +| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_shared\_vpc\_project | Project sample base project. | | base\_shared\_vpc\_project\_sa | Project sample base project SA. | | bucket | The created storage bucket | 
@@ -47,5 +41,6 @@ | restricted\_enabled\_apis | Activated APIs. | | restricted\_shared\_vpc\_project | Project sample restricted project id. | | restricted\_shared\_vpc\_project\_number | Project sample restricted project. | +| vpc\_service\_control\_perimeter\_name | VPC Service Control name. | diff --git a/4-projects/modules/base_env/example_base_shared_vpc_project.tf b/4-projects/modules/base_env/example_base_shared_vpc_project.tf index da3af98bf..178693a4a 100644 --- a/4-projects/modules/base_env/example_base_shared_vpc_project.tf +++ b/4-projects/modules/base_env/example_base_shared_vpc_project.tf @@ -15,20 +15,22 @@ */ module "base_shared_vpc_project" { - source = "../single_project" - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = var.env - vpc_type = "base" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_prefix = var.project_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke - sa_roles = ["roles/editor"] - enable_cloudbuild_deploy = true - cloudbuild_sa = var.app_infra_pipeline_cloudbuild_sa + source = "../single_project" + + org_id = local.org_id + billing_account = local.billing_account + folder_id = local.env_folder_name + environment = var.env + vpc_type = "base" + shared_vpc_host_project_id = local.base_host_project_id + shared_vpc_subnets = local.base_subnets_self_links + alert_spent_percents = var.alert_spent_percents + alert_pubsub_topic = var.alert_pubsub_topic + budget_amount = var.budget_amount + project_prefix = local.project_prefix + sa_roles = ["roles/editor"] + enable_cloudbuild_deploy = true + cloudbuild_sa = local.app_infra_pipeline_cloudbuild_sa activate_apis = [ "iam.googleapis.com", "cloudresourcemanager.googleapis.com" 
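Review bot: In `example_base_shared_vpc_project.tf`, `vpc_type = "base"` is kept in the module call although the host-project lookup that consumed it (`data "google_projects"` and `data "google_compute_network"` in `single_project/data.tf`, deleted in this commit) is replaced by the explicit `shared_vpc_host_project_id` and `shared_vpc_subnets` inputs. If nothing else in `single_project` reads `vpc_type` any more, it is a dead input and should be removed from this caller and from `single_project/variables.tf` (not shown in full here, so please confirm). The same applies to `vpc_type = "restricted"` in `example_restricted_shared_vpc_project.tf` below. The `activate_apis` list and the rest of the module block continue outside the hunk.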
diff --git a/4-projects/modules/base_env/example_floating_project.tf b/4-projects/modules/base_env/example_floating_project.tf index 305d816e4..35d2fc233 100644 --- a/4-projects/modules/base_env/example_floating_project.tf +++ b/4-projects/modules/base_env/example_floating_project.tf @@ -15,15 +15,16 @@ */ module "floating_project" { - source = "../single_project" - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name + source = "../single_project" + + org_id = local.org_id + billing_account = local.billing_account + folder_id = local.env_folder_name environment = var.env alert_spent_percents = var.alert_spent_percents alert_pubsub_topic = var.alert_pubsub_topic budget_amount = var.budget_amount - project_prefix = var.project_prefix + project_prefix = local.project_prefix # Metadata project_suffix = "sample-floating" diff --git a/4-projects/modules/base_env/example_peering_project.tf b/4-projects/modules/base_env/example_peering_project.tf index 9e8af9158..6d8f3d1ab 100644 --- a/4-projects/modules/base_env/example_peering_project.tf +++ b/4-projects/modules/base_env/example_peering_project.tf @@ -15,17 +15,7 @@ */ locals { - shared_vpc_mode = var.enable_hub_and_spoke ? "-spoke" : "" - env_code = substr(var.env, 0, 1) -} - -data "google_projects" "projects" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=${var.env} lifecycleState=ACTIVE" -} - -data "google_compute_network" "shared_vpc" { - name = "vpc-${local.env_code}-shared-base${local.shared_vpc_mode}" - project = data.google_projects.projects.projects[0].project_id + env_code = substr(var.env, 0, 1) } data "google_netblock_ip_ranges" "legacy_health_checkers" { 
@@ -41,12 +31,13 @@ data "google_netblock_ip_ranges" "iap_forwarders" { } module "peering_project" { - source = "../single_project" - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name + source = "../single_project" + + org_id = local.org_id + billing_account = local.billing_account + folder_id = local.env_folder_name environment = var.env - project_prefix = var.project_prefix + project_prefix = local.project_prefix # Metadata project_suffix = "sample-peering" @@ -72,7 +63,7 @@ module "peering" { version = "~> 5.0" prefix = "${var.business_code}-${local.env_code}" local_network = module.peering_network.network_self_link - peer_network = data.google_compute_network.shared_vpc.self_link + peer_network = local.base_network_self_link module_depends_on = var.peering_module_depends_on } diff --git a/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf b/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf index 1f40e3929..2894b149c 100644 --- a/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf +++ b/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf 
@@ -15,21 +15,24 @@ */ module "restricted_shared_vpc_project" { - source = "../single_project" - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name - environment = var.env - vpc_type = "restricted" - alert_spent_percents = var.alert_spent_percents - alert_pubsub_topic = var.alert_pubsub_topic - budget_amount = var.budget_amount - project_prefix = var.project_prefix - enable_hub_and_spoke = var.enable_hub_and_spoke + source = "../single_project" + + org_id = local.org_id + billing_account = local.billing_account + folder_id = local.env_folder_name + environment = var.env + vpc_type = "restricted" + shared_vpc_host_project_id = local.restricted_host_project_id + shared_vpc_subnets = local.restricted_subnets_self_links + alert_spent_percents = var.alert_spent_percents + alert_pubsub_topic = var.alert_pubsub_topic + budget_amount = var.budget_amount + project_prefix = local.project_prefix + activate_apis = ["accesscontextmanager.googleapis.com"] vpc_service_control_attach_enabled = "true" - vpc_service_control_perimeter_name = "accessPolicies/${var.access_context_manager_policy_id}/servicePerimeters/${var.perimeter_name}" + vpc_service_control_perimeter_name = "accessPolicies/${local.access_context_manager_policy_id}/servicePerimeters/${local.perimeter_name}" # Metadata project_suffix = "sample-restrict" diff --git a/4-projects/modules/base_env/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf index 152185f13..e5d431843 100644 --- a/4-projects/modules/base_env/example_storage_cmek.tf +++ b/4-projects/modules/base_env/example_storage_cmek.tf 
@@ -15,16 +15,17 @@ */ module "env_secrets_project" { - source = "../single_project" - org_id = var.org_id - billing_account = var.billing_account - folder_id = data.google_active_folder.env.name + source = "../single_project" + + org_id = local.org_id + billing_account = local.billing_account + folder_id = local.env_folder_name environment = var.env alert_spent_percents = var.alert_spent_percents alert_pubsub_topic = var.alert_pubsub_topic budget_amount = var.budget_amount project_suffix = var.secrets_prj_suffix - project_prefix = var.project_prefix + project_prefix = local.project_prefix activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"] diff --git a/4-projects/modules/base_env/main.tf b/4-projects/modules/base_env/main.tf new file mode 100644 index 000000000..0d7a5417d --- /dev/null +++ b/4-projects/modules/base_env/main.tf 
@@ -0,0 +1,35 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + terraform_service_account = var.terraform_service_account + parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder + org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id + billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account + default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id + perimeter_name = data.terraform_remote_state.network_env.outputs.restricted_service_perimeter_name + base_network_self_link = data.terraform_remote_state.network_env.outputs.base_network_self_link + base_subnets_self_links = data.terraform_remote_state.network_env.outputs.base_subnets_self_links + base_host_project_id = data.terraform_remote_state.network_env.outputs.base_host_project_id + restricted_host_project_id = data.terraform_remote_state.network_env.outputs.restricted_host_project_id + restricted_subnets_self_links = data.terraform_remote_state.network_env.outputs.restricted_subnets_self_links + access_context_manager_policy_id = 
data.terraform_remote_state.network_env.outputs.access_context_manager_policy_id + env_folder_name = data.terraform_remote_state.environments_env.outputs.env_folder + app_infra_pipeline_cloudbuild_sa = data.terraform_remote_state.business_unit_shared.outputs.cloudbuild_sa +} diff --git a/4-projects/modules/base_env/outputs.tf b/4-projects/modules/base_env/outputs.tf index 52a1786b6..692a71a6b 100644 --- a/4-projects/modules/base_env/outputs.tf +++ b/4-projects/modules/base_env/outputs.tf @@ -49,6 +49,16 @@ output "restricted_shared_vpc_project_number" { value = module.restricted_shared_vpc_project.project_number } +output "vpc_service_control_perimeter_name" { + description = "VPC Service Control name." + value = local.perimeter_name +} + +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = local.access_context_manager_policy_id +} + output "restricted_enabled_apis" { description = "Activated APIs." value = module.restricted_shared_vpc_project.enabled_apis diff --git a/4-projects/modules/base_env/remote_state.tf b/4-projects/modules/base_env/remote_state.tf new file mode 100644 index 000000000..d278fe4b5 --- /dev/null +++ b/4-projects/modules/base_env/remote_state.tf 
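Review bot: The new `locals` block in `4-projects/modules/base_env/main.tf` mixes values from four different remote states (`bootstrap`, `network_env`, `environments_env`, `business_unit_shared`) without grouping or comment, and `parent_folder`, `default_region`, `folder_prefix` and `parent` are not referenced by any hunk of this module (other files in the module are not shown, so confirm before removing). Grouping the entries per state object with a one-line comment each, e.g. `# From the 3-networks state of this env: perimeter, host projects and subnet self links`, would make the dependencies readable. Since `perimeter_name` and `access_context_manager_policy_id` now come from the network state and feed the VPC-SC attachment in `example_restricted_shared_vpc_project.tf` and the two new outputs in `outputs.tf`, that dependency is worth naming in the comment.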
@@ -0,0 +1,58 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "terraform_remote_state" "bootstrap" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/bootstrap/state"
+
+ impersonate_service_account = local.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "network_env" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/networks/${var.env}"
+
+ impersonate_service_account = local.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "environments_env" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/environments/${var.env}"
+
+ impersonate_service_account = local.terraform_service_account
+ }
+}
+
+
+data "terraform_remote_state" "business_unit_shared" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/projects/${var.business_unit}/shared"
+ }
+}
diff --git a/4-projects/modules/base_env/variables.tf b/4-projects/modules/base_env/variables.tf
index a8940c757..c880c18e2 100644
--- a/4-projects/modules/base_env/variables.tf
+++ b/4-projects/modules/base_env/variables.tf
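Review bot: The `business_unit_shared` remote-state block has no `impersonate_service_account` entry, unlike the three blocks above it, so reading `terraform/projects/${var.business_unit}/shared` uses whatever ambient credentials Terraform happens to run with instead of `local.terraform_service_account`. Depending on the runner's default credentials that is either a plan-time permission failure or state being read under a different identity than the rest of the module; add `impersonate_service_account = local.terraform_service_account` inside its `config` block to match the others. There is also a stray double blank line before that block, and the copyright year (2021) differs from the other new file in this commit (2022).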
@@ -14,6 +14,11 @@ * limitations under the License. */ +variable "terraform_service_account" { + description = "Service account email of the account to impersonate to run Terraform" + type = string +} + variable "business_code" { description = "The business code (ex. bu1)." type = string @@ -29,32 +34,6 @@ variable "env" { type = string } -variable "org_id" { - description = "The organization id for the associated services" - type = string -} - -variable "billing_account" { - description = "The ID of the billing account to associated this project with" - type = string -} - -variable "access_context_manager_policy_id" { - type = string - description = "The ID of the access context manager policy the perimeter lies in. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." -} - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "perimeter_name" { - description = "Access context manager service perimeter name to attach the restricted svpc project." - type = string -} - variable "peering_module_depends_on" { description = "List of modules or resources peering module depends on." type = list(any) 
@@ -97,29 +76,6 @@ variable "budget_amount" { default = 1000 } -variable "project_prefix" { - description = "Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters." - type = string - default = "prj" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - -variable "enable_hub_and_spoke" { - description = "Enable Hub-and-Spoke architecture." - type = bool - default = false -} - -variable "app_infra_pipeline_cloudbuild_sa" { - description = "Cloud Build SA used for deploying infrastructure" - type = string -} - variable "secrets_prj_suffix" { description = "Name suffix to use for secrets project created." type = string @@ -161,3 +117,8 @@ variable "gcs_bucket_prefix" { type = string default = "cmek-encrypted-bucket" } + +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." + type = string +} diff --git a/4-projects/modules/single_project/README.md b/4-projects/modules/single_project/README.md index b8453dfa6..14f4c8fb6 100644 --- a/4-projects/modules/single_project/README.md +++ b/4-projects/modules/single_project/README.md 
@@ -22,6 +22,8 @@ | project\_suffix | The name of the GCP project. Max 16 characters with 3 character business unit code. | `string` | n/a | yes | | sa\_roles | A list of roles to give the Service Account for the project (defaults to none) | `list(string)` | `[]` | no | | secondary\_contact | The secondary email contact for the project | `string` | `""` | no | +| shared\_vpc\_host\_project\_id | Shared VPC host project ID | `string` | `""` | no | +| shared\_vpc\_subnets | List of the shared vpc subnets self links. | `list(string)` | `[]` | no | | vpc\_service\_control\_attach\_enabled | Whether the project will be attached to a VPC Service Control Perimeter | `bool` | `false` | no | | vpc\_service\_control\_perimeter\_name | The name of a VPC Service Control Perimeter to add the created project to | `string` | `null` | no | | vpc\_type | The type of VPC to attach the project to. Possible options are base or restricted. | `string` | `""` | no | diff --git a/4-projects/modules/single_project/data.tf b/4-projects/modules/single_project/data.tf deleted file mode 100644 index bce53ed9d..000000000 --- a/4-projects/modules/single_project/data.tf +++ /dev/null 
@@ -1,26 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "google_projects" "projects" { - count = var.vpc_type == "" ? 0 : 1 - filter = "parent.id:${split("/", var.folder_id)[1]} labels.application_name=${var.vpc_type}-shared-vpc-host labels.environment=${var.environment} lifecycleState=ACTIVE" -} - -data "google_compute_network" "shared_vpc" { - count = var.vpc_type == "" ? 0 : 1 - name = "vpc-${local.env_code}-shared-${var.vpc_type}${local.shared_vpc_mode}" - project = data.google_projects.projects[0].projects[0].project_id -} diff --git a/4-projects/modules/single_project/main.tf b/4-projects/modules/single_project/main.tf index 34019cd6a..5f7712d36 100644 --- a/4-projects/modules/single_project/main.tf +++ b/4-projects/modules/single_project/main.tf 
@@ -29,8 +29,8 @@ module "project" { billing_account = var.billing_account folder_id = var.folder_id - svpc_host_project_id = var.vpc_type == "" ? "" : data.google_compute_network.shared_vpc[0].project - shared_vpc_subnets = var.vpc_type == "" ? [] : data.google_compute_network.shared_vpc[0].subnetworks_self_links # Optional: To enable subnetting, replace to "module.networking_project.subnetwork_self_link" + svpc_host_project_id = var.shared_vpc_host_project_id + shared_vpc_subnets = var.shared_vpc_subnets # Optional: To enable subnetting, replace to "module.networking_project.subnetwork_self_link" vpc_service_control_attach_enabled = var.vpc_service_control_attach_enabled vpc_service_control_perimeter_name = var.vpc_service_control_perimeter_name diff --git a/4-projects/modules/single_project/variables.tf b/4-projects/modules/single_project/variables.tf index 0c07cf986..1adbb7192 100644 --- a/4-projects/modules/single_project/variables.tf +++ b/4-projects/modules/single_project/variables.tf @@ -78,6 +78,18 @@ variable "vpc_type" { default = "" } +variable "shared_vpc_host_project_id" { + description = "Shared VPC host project ID" + type = string + default = "" +} + +variable "shared_vpc_subnets" { + description = "List of the shared vpc subnets self links." + type = list(string) + default = [] +} + variable "vpc_service_control_attach_enabled" { description = "Whether the project will be attached to a VPC Service Control Perimeter" type = bool diff --git a/4-projects/non-production.auto.example.tfvars b/4-projects/non-production.auto.example.tfvars index fb4c2af42..f63111f83 100644 --- a/4-projects/non-production.auto.example.tfvars +++ b/4-projects/non-production.auto.example.tfvars @@ -14,6 +14,5 @@ * limitations under the License. */ -perimeter_name = "sp_n_shared_restricted_default_perimeter_????" - -//enable_hub_and_spoke = true +location_kms = "us" +location_gcs = "US" 
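Review bot: The trailing comment on the new `shared_vpc_subnets = var.shared_vpc_subnets` line in `single_project/main.tf` (`# Optional: To enable subnetting, replace to "module.networking_project.subnetwork_self_link"`) was carried over from the removed line and refers to a `module.networking_project` that does not appear in this module's visible hunks, so it now reads as stale. Either drop it or reword it to describe the new input, e.g. `# Subnet self links are supplied by the caller; see shared_vpc_subnets in variables.tf`. The `module "project"` block starts and ends outside the hunk, so whether `vpc_type` is still consumed elsewhere in it cannot be confirmed here.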
diff --git a/4-projects/production.auto.example.tfvars b/4-projects/production.auto.example.tfvars index 5444ff2d3..f63111f83 100644 --- a/4-projects/production.auto.example.tfvars +++ b/4-projects/production.auto.example.tfvars @@ -14,6 +14,5 @@ * limitations under the License. */ -perimeter_name = "sp_p_shared_restricted_default_perimeter_????" - -//enable_hub_and_spoke = true +location_kms = "us" +location_gcs = "US" From 4077aa3d1b91a1f9ac869622f2eabeda16aa6592 Mon Sep 17 00:00:00 2001 
From: Daniel da Silva Andrade Date: Tue, 23 Aug 2022 16:59:40 -0300 Subject: [PATCH 12/30] add remote state to 3-networks-dual-svpc --- .../common.auto.example.tfvars | 7 -- .../envs/development/README.md | 5 +- 3-networks-dual-svpc/envs/development/main.tf | 3 +- .../envs/development/outputs.tf | 5 ++ .../envs/development/variables.tf | 16 +---- .../envs/non-production/README.md | 5 +- .../envs/non-production/main.tf | 3 +- .../envs/non-production/outputs.tf | 5 ++ .../envs/non-production/variables.tf | 17 +---- .../envs/production/README.md | 5 +- 3-networks-dual-svpc/envs/production/main.tf | 3 +- .../envs/production/outputs.tf | 5 ++ .../envs/production/variables.tf | 16 +---- 3-networks-dual-svpc/envs/shared/README.md | 4 +- 3-networks-dual-svpc/envs/shared/dns-hub.tf | 33 --------- .../envs/shared/hierarchical_firewall.tf | 12 ++-- .../envs/shared/interconnect.tf.example | 5 +- 3-networks-dual-svpc/envs/shared/main.tf | 25 ++++--- .../shared/partner_interconnect.tf.example | 28 +++----- .../envs/shared/remote_state.tf | 70 +++++++++++++++++++ 3-networks-dual-svpc/envs/shared/variables.tf | 16 +---- .../modules/base_env/README.md | 4 +- .../modules/base_env/interconnect.tf.example | 10 ++- 3-networks-dual-svpc/modules/base_env/main.tf | 48 ++++++------- .../base_env/partner_interconnect.tf.example | 24 +++---- .../modules/base_env/remote_state.tf | 59 ++++++++++++++++ .../modules/base_env/variables.tf | 22 ++---- .../modules/base_env/vpn.tf.example | 45 ++++++------ .../modules/base_shared_vpc/README.md | 1 + .../modules/base_shared_vpc/dns.tf | 27 ++----- .../modules/base_shared_vpc/variables.tf | 5 ++ .../modules/dedicated_interconnect/README.md | 3 +- .../modules/dedicated_interconnect/main.tf | 27 +++---- .../dedicated_interconnect/variables.tf | 10 +-- .../modules/partner_interconnect/README.md | 4 +- .../modules/partner_interconnect/main.tf | 31 +++----- .../modules/partner_interconnect/variables.tf | 16 +---- .../modules/restricted_shared_vpc/README.md 
| 1 + .../modules/restricted_shared_vpc/dns.tf | 27 ++----- .../restricted_shared_vpc/variables.tf | 5 ++ 3-networks-dual-svpc/modules/vpn-ha/README.md | 3 +- 3-networks-dual-svpc/modules/vpn-ha/main.tf | 17 +---- .../modules/vpn-ha/variables.tf | 15 ++-- 43 files changed, 309 insertions(+), 383 deletions(-) create mode 100644 3-networks-dual-svpc/envs/shared/remote_state.tf create mode 100644 3-networks-dual-svpc/modules/base_env/remote_state.tf diff --git a/3-networks-dual-svpc/common.auto.example.tfvars b/3-networks-dual-svpc/common.auto.example.tfvars index dd1729399..c337a684a 100644 --- a/3-networks-dual-svpc/common.auto.example.tfvars +++ b/3-networks-dual-svpc/common.auto.example.tfvars @@ -14,14 +14,7 @@ * limitations under the License. */ -org_id = "000000000000" - terraform_service_account = "org-terraform@prj-b-seed-2334.iam.gserviceaccount.com" // The DNS name of peering managed zone. Must end with a period. domain = "example.com." - -// Optional - for an organization with existing projects or for development/validation. -// Must be the same value used in previous steps. -//parent_folder = "000000000000" - diff --git a/3-networks-dual-svpc/envs/development/README.md b/3-networks-dual-svpc/envs/development/README.md index 7fd10b78b..ccb03c129 100644 --- a/3-networks-dual-svpc/envs/development/README.md +++ b/3-networks-dual-svpc/envs/development/README.md 
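Review bot: `3-networks-dual-svpc/common.auto.example.tfvars` drops `org_id` and the `parent_folder` comment but does not add `backend_bucket`, even though the `envs/development/variables.tf` hunk below declares `backend_bucket` as required with no default and the README lists it as required. A user who copies the example files will hit an unset-variable error at plan time; add a line such as `backend_bucket = "REPLACE_WITH_STATE_BUCKET_NAME"` with a comment naming the bucket, unless the value is meant to be supplied in a per-env tfvars file, which this commit does not show. The 4-projects example in the previous patch does put `backend_bucket` in its common tfvars, so the two steps are currently inconsistent.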
@@ -16,16 +16,15 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| +| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_host\_project\_id | The base host project ID | | base\_network\_name | The name of the VPC being created | | base\_network\_self\_link | The URI of the VPC being created | diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf index 462695f6d..d7998e894 100644 --- a/3-networks-dual-svpc/envs/development/main.tf +++ b/3-networks-dual-svpc/envs/development/main.tf 
@@ -66,13 +66,11 @@ module "base_env" { env = local.env environment_code = local.environment_code - org_id = var.org_id access_context_manager_policy_id = var.access_context_manager_policy_id terraform_service_account = var.terraform_service_account default_region1 = local.default_region1 default_region2 = local.default_region2 domain = var.domain - parent_folder = var.parent_folder enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges @@ -80,5 +78,6 @@ module "base_env" { restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges + backend_bucket = var.backend_bucket } diff --git a/3-networks-dual-svpc/envs/development/outputs.tf b/3-networks-dual-svpc/envs/development/outputs.tf index 470ab53ee..bcf18cd1d 100644 --- a/3-networks-dual-svpc/envs/development/outputs.tf +++ b/3-networks-dual-svpc/envs/development/outputs.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + /********************* Restricted Outputs *********************/ diff --git a/3-networks-dual-svpc/envs/development/variables.tf b/3-networks-dual-svpc/envs/development/variables.tf index a4c3d07d4..4bffbe126 100644 --- a/3-networks-dual-svpc/envs/development/variables.tf +++ b/3-networks-dual-svpc/envs/development/variables.tf @@ -14,9 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - description = "Organization ID" } variable "access_context_manager_policy_id" { 
@@ -33,15 +33,3 @@ variable "domain" { type = string description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period." } - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} diff --git a/3-networks-dual-svpc/envs/non-production/README.md b/3-networks-dual-svpc/envs/non-production/README.md index 5246bef37..daa5be151 100644 --- a/3-networks-dual-svpc/envs/non-production/README.md +++ b/3-networks-dual-svpc/envs/non-production/README.md 
@@ -16,16 +16,15 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| +| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_host\_project\_id | The base host project ID | | base\_network\_name | The name of the VPC being created | | base\_network\_self\_link | The URI of the VPC being created | diff --git a/3-networks-dual-svpc/envs/non-production/main.tf b/3-networks-dual-svpc/envs/non-production/main.tf index 5aeb6286f..318fa1ef8 100644 --- a/3-networks-dual-svpc/envs/non-production/main.tf +++ b/3-networks-dual-svpc/envs/non-production/main.tf 
@@ -66,13 +66,11 @@ module "base_env" { env = local.env environment_code = local.environment_code - org_id = var.org_id access_context_manager_policy_id = var.access_context_manager_policy_id terraform_service_account = var.terraform_service_account default_region1 = local.default_region1 default_region2 = local.default_region2 domain = var.domain - parent_folder = var.parent_folder enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges @@ -80,4 +78,5 @@ module "base_env" { restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges + backend_bucket = var.backend_bucket } diff --git a/3-networks-dual-svpc/envs/non-production/outputs.tf b/3-networks-dual-svpc/envs/non-production/outputs.tf index 470ab53ee..bcf18cd1d 100644 --- a/3-networks-dual-svpc/envs/non-production/outputs.tf +++ b/3-networks-dual-svpc/envs/non-production/outputs.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + /********************* Restricted Outputs *********************/ diff --git a/3-networks-dual-svpc/envs/non-production/variables.tf b/3-networks-dual-svpc/envs/non-production/variables.tf index 82e3d849a..4bffbe126 100644 --- a/3-networks-dual-svpc/envs/non-production/variables.tf +++ b/3-networks-dual-svpc/envs/non-production/variables.tf @@ -14,9 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - description = "Organization ID" } variable "access_context_manager_policy_id" { 
@@ -33,16 +33,3 @@ variable "domain" { type = string description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period." } - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - diff --git a/3-networks-dual-svpc/envs/production/README.md b/3-networks-dual-svpc/envs/production/README.md index f79ef4dbe..77c467a35 100644 --- a/3-networks-dual-svpc/envs/production/README.md +++ b/3-networks-dual-svpc/envs/production/README.md 
@@ -16,16 +16,15 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| +| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_host\_project\_id | The base host project ID | | base\_network\_name | The name of the VPC being created | | base\_network\_self\_link | The URI of the VPC being created | diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf index 660f35234..fce1cf55e 100644 --- a/3-networks-dual-svpc/envs/production/main.tf +++ b/3-networks-dual-svpc/envs/production/main.tf 
@@ -66,13 +66,11 @@ module "base_env" { env = local.env environment_code = local.environment_code - org_id = var.org_id access_context_manager_policy_id = var.access_context_manager_policy_id terraform_service_account = var.terraform_service_account default_region1 = local.default_region1 default_region2 = local.default_region2 domain = var.domain - parent_folder = var.parent_folder enable_partner_interconnect = false base_private_service_cidr = local.base_private_service_cidr base_subnet_primary_ranges = local.base_subnet_primary_ranges @@ -80,4 +78,5 @@ module "base_env" { restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges + backend_bucket = var.backend_bucket } diff --git a/3-networks-dual-svpc/envs/production/outputs.tf b/3-networks-dual-svpc/envs/production/outputs.tf index 470ab53ee..bcf18cd1d 100644 --- a/3-networks-dual-svpc/envs/production/outputs.tf +++ b/3-networks-dual-svpc/envs/production/outputs.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + /********************* Restricted Outputs *********************/ diff --git a/3-networks-dual-svpc/envs/production/variables.tf b/3-networks-dual-svpc/envs/production/variables.tf index a4c3d07d4..4bffbe126 100644 --- a/3-networks-dual-svpc/envs/production/variables.tf +++ b/3-networks-dual-svpc/envs/production/variables.tf @@ -14,9 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - description = "Organization ID" } variable "access_context_manager_policy_id" { 
@@ -33,15 +33,3 @@ variable "domain" { type = string description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period." } - -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} diff --git a/3-networks-dual-svpc/envs/shared/README.md b/3-networks-dual-svpc/envs/shared/README.md index 60111ac4a..4433f235f 100644 --- a/3-networks-dual-svpc/envs/shared/README.md +++ b/3-networks-dual-svpc/envs/shared/README.md @@ -13,6 +13,7 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | base\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Base Hub VPC DNS. | `bool` | `true` | no | | base\_hub\_dns\_enable\_logging | Toggle DNS logging for Base Hub VPC DNS. | `bool` | `true` | no | | base\_hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Base Hub VPC. | `bool` | `true` | no | 
@@ -25,9 +26,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | domain | The DNS name of forwarding managed zone, for instance 'example.com'. Must end with a period. | `string` | n/a | yes | | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no | | restricted\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Restricted Hub VPC DNS. | `bool` | `true` | no | | restricted\_hub\_dns\_enable\_logging | Toggle DNS logging for Restricted Hub VPC DNS. | `bool` | `true` | no | diff --git a/3-networks-dual-svpc/envs/shared/dns-hub.tf b/3-networks-dual-svpc/envs/shared/dns-hub.tf index 343a0a45e..efdce62f1 100644 --- a/3-networks-dual-svpc/envs/shared/dns-hub.tf +++ b/3-networks-dual-svpc/envs/shared/dns-hub.tf 
@@ -14,39 +14,6 @@ * limitations under the License. */ -locals { - dns_hub_project_id = data.google_projects.dns_hub.projects[0].project_id -} - -data "google_active_folder" "bootstrap" { - display_name = "${var.folder_prefix}-bootstrap" - parent = local.parent_id -} - -data "google_active_folder" "development" { - display_name = "${var.folder_prefix}-development" - parent = local.parent_id -} - -data "google_active_folder" "production" { - display_name = "${var.folder_prefix}-production" - parent = local.parent_id -} - -data "google_active_folder" "non-production" { - display_name = "${var.folder_prefix}-non-production" - parent = local.parent_id -} - -/****************************************** - DNS Hub Project -*****************************************/ - -data "google_projects" "dns_hub" { - filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-dns-hub lifecycleState=ACTIVE" -} - - /****************************************** DNS Hub VPC *****************************************/ diff --git a/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf b/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf index f859dc5f1..d03fc4e38 100644 --- a/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf +++ b/3-networks-dual-svpc/envs/shared/hierarchical_firewall.tf 
@@ -16,14 +16,14 @@ module "hierarchical_firewall_policy" { source = "../../modules/hierarchical_firewall_policy/" - parent = data.google_active_folder.common.name + parent = local.common_folder_name name = "common-firewall-rules" associations = [ - data.google_active_folder.common.name, - data.google_active_folder.bootstrap.name, - data.google_active_folder.development.name, - data.google_active_folder.production.name, - data.google_active_folder.non-production.name, + local.common_folder_name, + local.bootstrap_folder_name, + local.development_folder_name, + local.production_folder_name, + local.non_production_folder_name, ] rules = { delegate-rfc1918-ingress = { diff --git a/3-networks-dual-svpc/envs/shared/interconnect.tf.example b/3-networks-dual-svpc/envs/shared/interconnect.tf.example index 783e353ec..2fbf40e3f 100644 --- a/3-networks-dual-svpc/envs/shared/interconnect.tf.example +++ b/3-networks-dual-svpc/envs/shared/interconnect.tf.example @@ -17,9 +17,8 @@ module "dns_hub_interconnect" { source = "../../modules/dedicated_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "c-dns-hub" + vpc_name = "c-dns-hub" + interconnect_project_id = local.interconnect_project_id region1 = local.default_region1 region1_router1_name = module.dns_hub_region1_router1.router.name diff --git a/3-networks-dual-svpc/envs/shared/main.tf b/3-networks-dual-svpc/envs/shared/main.tf index b5816257f..32f7aa04d 100644 --- a/3-networks-dual-svpc/envs/shared/main.tf +++ b/3-networks-dual-svpc/envs/shared/main.tf 
@@ -15,15 +15,18 @@
 */
 locals {
- parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
- env = "common"
- environment_code = "c"
- bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514"
- default_region1 = "us-west1"
- default_region2 = "us-central1"
-}
-
-data "google_active_folder" "common" {
- display_name = "${var.folder_prefix}-${local.env}"
- parent = local.parent_id
+ env = "common"
+ environment_code = "c"
+ bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514"
+ default_region1 = "us-west1"
+ default_region2 = "us-central1"
+ folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
+ dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id
+ interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id
+ parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
+ bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name
+ common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
+ development_folder_name = data.terraform_remote_state.env_development.outputs.env_folder
+ non_production_folder_name = data.terraform_remote_state.env_non_production.outputs.env_folder
+ production_folder_name = data.terraform_remote_state.env_production.outputs.env_folder
 }
diff --git a/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example b/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example
index 49edebb0d..25ec9e5b2 100644
--- a/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example
+++ b/3-networks-dual-svpc/envs/shared/partner_interconnect.tf.example
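Review bot: `folder_prefix` and `parent_id` are kept in the rewritten locals block, but every consumer of them visible in this commit is deleted — the `google_active_folder` lookups in dns-hub.tf and the `common` folder lookup removed in this hunk. If nothing else under envs/shared reads them they are dead locals, and Terraform does not warn about unused locals, so either drop the two lines or add a comment naming the file that still uses them. A short comment above the block would also help readers, e.g. `# Values below come from the state of steps 0-bootstrap, 1-org and 2-environments (see remote_state.tf).`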
@@ -15,14 +15,12 @@ */ module "shared_restricted_interconnect" { - source = "../../modules/partner_interconnect" + source = "../../modules/partner_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${local.environment_code}-shared-restricted" - environment = local.env - vpc_type = "restricted" - preactivate = var.preactivate_partner_interconnect + attachment_project_id = local.restricted_net_hub_project_id + vpc_name = "${local.environment_code}-shared-restricted" + vpc_type = "restricted" + preactivate = var.preactivate_partner_interconnect region1 = local.default_region1 region1_router1_name = module.restricted_shared_vpc[0].region1_router1.router.name @@ -36,8 +34,6 @@ module "shared_restricted_interconnect" { region2_router2_name = module.restricted_shared_vpc[0].region2_router2.router.name region2_interconnect2_location = "lax-zone1-403" - folder_prefix = var.folder_prefix - cloud_router_labels = { vlan_1 = "cr5", vlan_2 = "cr6", @@ -47,14 +43,12 @@ module "shared_restricted_interconnect" { } module "shared_base_interconnect" { - source = "../../modules/partner_interconnect" + source = "../../modules/partner_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${local.environment_code}-shared-base" - environment = local.env - vpc_type = "base" - preactivate = var.preactivate_partner_interconnect + attachment_project_id = local.base_net_hub_project_id + vpc_name = "${local.environment_code}-shared-base" + vpc_type = "base" + preactivate = var.preactivate_partner_interconnect region1 = local.default_region1 region1_router1_name = module.base_shared_vpc[0].region1_router1.router.name @@ -68,8 +62,6 @@ module "shared_base_interconnect" { region2_router2_name = module.base_shared_vpc[0].region2_router2.router.name region2_interconnect2_location = "lax-zone1-403" - folder_prefix = var.folder_prefix - cloud_router_labels = { vlan_1 = "cr1", vlan_2 = "cr2", 
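Review bot: Both interconnect modules now take `attachment_project_id = local.restricted_net_hub_project_id` and `local.base_net_hub_project_id`, but neither local is declared in the envs/shared `locals` block this commit rewrites in main.tf, which only adds `dns_hub_project_id` and `interconnect_project_id`. Because this is an `.example` file it is not validated, so the missing locals would only surface when a user renames it to `.tf`; please confirm they are declared elsewhere in envs/shared or point these arguments at a local that exists. The second `module "shared_base_interconnect"` block continues outside the last hunk.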
diff --git a/3-networks-dual-svpc/envs/shared/remote_state.tf b/3-networks-dual-svpc/envs/shared/remote_state.tf
new file mode 100644
index 000000000..9a1235a40
--- /dev/null
+++ b/3-networks-dual-svpc/envs/shared/remote_state.tf
@@ -0,0 +1,70 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "terraform_remote_state" "bootstrap" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/bootstrap/state"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "org" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/org/state"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "env_development" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/environments/development"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "env_non_production" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/environments/non-production"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "env_production" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/environments/production"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
diff --git a/3-networks-dual-svpc/envs/shared/variables.tf b/3-networks-dual-svpc/envs/shared/variables.tf
index c0f61370b..78d0fdab1 100644
--- a/3-networks-dual-svpc/envs/shared/variables.tf
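Review bot: `bucket = "${var.backend_bucket}"` wraps a bare variable reference in an interpolation-only string in all five data sources; `terraform fmt` and `validate` have flagged this form as deprecated since 0.12, and `bucket = var.backend_bucket` is the intended spelling. Each block also reads the complete state of an earlier step, including every root output, using the identity in `var.terraform_service_account`, so a header comment above the first block would help operators reason about access, e.g. `# Each data source below loads the full state of a previous step (bootstrap, org, environments); the impersonated service account needs read access to these objects in the backend bucket.` The five blocks differ only in `prefix`, which the comment could list alongside the step each prefix belongs to.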
+++ b/3-networks-dual-svpc/envs/shared/variables.tf @@ -14,9 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - description = "Organization ID" } variable "terraform_service_account" { @@ -57,18 +57,6 @@ variable "target_name_server_addresses" { type = list(string) } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - variable "restricted_hub_windows_activation_enabled" { type = bool description = "Enable Windows license activation for Windows workloads in Restricted Hub." diff --git a/3-networks-dual-svpc/modules/base_env/README.md b/3-networks-dual-svpc/modules/base_env/README.md index 95f0ad4d7..16043560a 100644 --- a/3-networks-dual-svpc/modules/base_env/README.md +++ b/3-networks-dual-svpc/modules/base_env/README.md 
@@ -4,6 +4,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes | | base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes | | base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes | 
@@ -13,9 +14,6 @@ | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | env | The environment to prepare (ex. development) | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes | | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | diff --git a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example b/3-networks-dual-svpc/modules/base_env/interconnect.tf.example index 75c29ceb0..1cd9df56e 100644 --- a/3-networks-dual-svpc/modules/base_env/interconnect.tf.example +++ b/3-networks-dual-svpc/modules/base_env/interconnect.tf.example 
@@ -17,9 +17,8 @@ module "shared_restricted_interconnect" { source = "../dedicated_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${var.environment_code}-shared-restricted" + vpc_name = "${var.environment_code}-shared-restricted" + interconnect_project_id = local.interconnect_project_id region1 = var.default_region1 region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name @@ -59,9 +58,8 @@ module "shared_restricted_interconnect" { module "shared_base_interconnect" { source = "../dedicated_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${var.environment_code}-shared-base" + vpc_name = "${var.environment_code}-shared-base" + interconnect_project_id = local.interconnect_project_id region1 = var.default_region1 region1_router1_name = module.base_shared_vpc.region1_router1.router.name diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index dba48e392..750929e6c 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf 
@@ -15,11 +15,21 @@ */ locals { - restricted_project_id = data.google_projects.restricted_host_project.projects[0].project_id - restricted_project_number = data.google_project.restricted_host_project.number - base_project_id = data.google_projects.base_host_project.projects[0].project_id - parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" - bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" + parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder + org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id + billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account + default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id + restricted_project_id = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_id + restricted_project_number = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_number + base_project_id = data.terraform_remote_state.environments_env.outputs.base_shared_vpc_project_id + env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id + interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id + dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id + + + bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" /* * Base network ranges */ 
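Review bot: `billing_account`, `default_region` and `env_secret_project_id` are pulled from remote state in the new locals block, yet nothing in this hunk or in the other base_env hunks of this commit reads them; if the rest of the module does not use them either they are dead locals that Terraform will not warn about, and each one is another piece of state data loaded for no purpose. Two consecutive blank lines are also left before `bgp_asn_number`. The locals block continues outside the hunk, so a comment such as `# Cross-step values resolved from the state of 0-bootstrap, 1-org and 2-environments; see remote_state.tf` at its top would make the new data flow explicit.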
@@ -33,40 +43,25 @@ locals { } data "google_active_folder" "env" { - display_name = "${var.folder_prefix}-${var.env}" + display_name = "${local.folder_prefix}-${var.env}" parent = local.parent_id } -/****************************************** - VPC Host Projects -*****************************************/ - -data "google_projects" "restricted_host_project" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=restricted-shared-vpc-host labels.environment=${var.env} lifecycleState=ACTIVE" -} - -data "google_project" "restricted_host_project" { - project_id = data.google_projects.restricted_host_project.projects[0].project_id -} - -data "google_projects" "base_host_project" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=${var.env} lifecycleState=ACTIVE" -} - /****************************************** Restricted shared VPC *****************************************/ module "restricted_shared_vpc" { source = "../restricted_shared_vpc" project_id = local.restricted_project_id + dns_hub_project_id = local.dns_hub_project_id project_number = local.restricted_project_number environment_code = var.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] members = ["serviceAccount:${var.terraform_service_account}"] private_service_cidr = var.restricted_private_service_cidr - org_id = var.org_id - parent_folder = var.parent_folder + org_id = local.org_id + parent_folder = local.parent_folder bgp_asn_subnet = local.bgp_asn_number default_region1 = var.default_region1 default_region2 = var.default_region2 
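Review bot: `data "google_active_folder" "env"` still discovers the environment folder by display name, `"${local.folder_prefix}-${var.env}"` under `local.parent_id`, while the project IDs next to it now come from `data.terraform_remote_state.environments_env`, and the shared environment in this same commit reads `env_folder` straight from the environment states. If the `environments_env` state exposes the same `env_folder` output, replacing the display-name lookup with it removes the remaining name-based discovery, which breaks or resolves the wrong folder when a folder is renamed or a second folder shares the display name. The `module "restricted_shared_vpc"` block continues outside the hunk.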
@@ -104,10 +99,11 @@ module "restricted_shared_vpc" {
 module "base_shared_vpc" {
 source = "../base_shared_vpc"
 project_id = local.base_project_id
+ dns_hub_project_id = local.dns_hub_project_id
 environment_code = var.environment_code
 private_service_cidr = var.base_private_service_cidr
- org_id = var.org_id
- parent_folder = var.parent_folder
+ org_id = local.org_id
+ parent_folder = local.parent_folder
 default_region1 = var.default_region1
 default_region2 = var.default_region2
 domain = var.domain
diff --git a/3-networks-dual-svpc/modules/base_env/partner_interconnect.tf.example b/3-networks-dual-svpc/modules/base_env/partner_interconnect.tf.example
index 4db0be5ea..e6b656a4e 100644
--- a/3-networks-dual-svpc/modules/base_env/partner_interconnect.tf.example
+++ b/3-networks-dual-svpc/modules/base_env/partner_interconnect.tf.example
@@ -15,14 +15,12 @@
 */
 module "shared_restricted_interconnect" {
- source = "../partner_interconnect"
+ source = "../partner_interconnect"
- org_id = var.org_id
- parent_folder = var.parent_folder
- vpc_name = "${var.environment_code}-shared-restricted"
- environment = var.env
- vpc_type = "restricted"
- preactivate = true
+ attachment_project_id = local.restricted_project_id
+ vpc_name = "${var.environment_code}-shared-restricted"
+ vpc_type = "restricted"
+ preactivate = true
 region1 = var.default_region1
 region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name
@@ -45,14 +43,12 @@ module "shared_restricted_interconnect" {
 }
 module "shared_base_interconnect" {
- source = "../partner_interconnect"
+ source = "../partner_interconnect"
- org_id = var.org_id
- parent_folder = var.parent_folder
- vpc_name = "${var.environment_code}-shared-base"
- environment = var.env
- vpc_type = "base"
- preactivate = true
+ attachment_project_id = local.base_project_id
+ vpc_name = "${var.environment_code}-shared-base"
+ vpc_type = "base"
+ preactivate = true
 region1 = var.default_region1
 region1_router1_name = module.base_shared_vpc.region1_router1.router.name
diff --git a/3-networks-dual-svpc/modules/base_env/remote_state.tf b/3-networks-dual-svpc/modules/base_env/remote_state.tf
new file mode 100644
index 000000000..0bd3f715f
--- /dev/null
+++ b/3-networks-dual-svpc/modules/base_env/remote_state.tf
@@ -0,0 +1,59 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "terraform_remote_state" "bootstrap" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/bootstrap/state"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "org" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/org/state"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "network_shared" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/networks/envs/shared"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "environments_env" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/environments/${var.env}"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
diff --git a/3-networks-dual-svpc/modules/base_env/variables.tf b/3-networks-dual-svpc/modules/base_env/variables.tf
index 0db9d2880..2f37d0079 100644
--- a/3-networks-dual-svpc/modules/base_env/variables.tf
+++ b/3-networks-dual-svpc/modules/base_env/variables.tf
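Review bot: `bucket = "${var.backend_bucket}"` wraps a bare variable in an interpolation in all four data sources; `bucket = var.backend_bucket` is the idiomatic form and is what `terraform fmt`/tflint expect. Reading upstream state through `terraform_remote_state` means the impersonated `var.terraform_service_account` needs object read access to each prefix and receives the whole state file, not only the outputs consumed here, so a header comment should make that explicit: `# Reads upstream step state via the impersonated pipeline SA; state objects can hold sensitive values, so read access to this bucket should stay limited to that SA.` `data "terraform_remote_state" "network_shared"` is declared but not referenced in any hunk visible here; if it is unused it should be dropped. The license header reads `Copyright 2021` on a file introduced by this 2022 commit.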
@@ -14,6 +14,11 @@
 * limitations under the License.
 */
+variable "backend_bucket" {
+ description = "Backend bucket to load remote state information from previous steps."
+ type = string
+}
+
 variable "env" {
 description = "The environment to prepare (ex. development)"
 type = string
@@ -24,11 +29,6 @@ variable "environment_code" {
 description = "A short form of the folder level resources (environment) within the Google Cloud organization (ex. d)."
 }
-variable "org_id" {
- type = string
- description = "Organization ID"
-}
-
 variable "access_context_manager_policy_id" {
 type = number
 description = "The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`."
@@ -54,18 +54,6 @@ variable "domain" {
 description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period."
 }
-variable "parent_folder" {
- description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step."
- type = string
- default = ""
-}
-
-variable "folder_prefix" {
- description = "Name prefix to use for folders created. Should be the same in all steps."
- type = string
- default = "fldr"
-}
-
 variable "enable_partner_interconnect" {
 description = "Enable Partner Interconnect in the environment."
 type = bool
diff --git a/3-networks-dual-svpc/modules/base_env/vpn.tf.example b/3-networks-dual-svpc/modules/base_env/vpn.tf.example
index ca6190c69..f4e69cb08 100644
--- a/3-networks-dual-svpc/modules/base_env/vpn.tf.example
+++ b/3-networks-dual-svpc/modules/base_env/vpn.tf.example
@@ -17,19 +17,16 @@
 module "shared_base_vpn" {
 source = "../vpn-ha"
- project_id = local.base_project_id
- default_region1 = var.default_region1
- default_region2 = var.default_region2
- vpc_name = "${var.environment_code}-shared-base"
- region1_router1_name = module.base_shared_vpc.region1_router1.router.name
- region1_router2_name = module.base_shared_vpc.region1_router2.router.name
- region2_router1_name = module.base_shared_vpc.region2_router1.router.name
- region2_router2_name = module.base_shared_vpc.region2_router2.router.name
- environment = var.env
- parent_folder = var.parent_folder
- org_id = var.org_id
- vpn_psk_secret_name = ""
- folder_prefix = var.folder_prefix
+ project_id = local.base_project_id
+ env_secret_project_id = local.env_secret_project_id
+ default_region1 = var.default_region1
+ default_region2 = var.default_region2
+ vpc_name = "${var.environment_code}-shared-base"
+ region1_router1_name = module.base_shared_vpc.region1_router1.router.name
+ region1_router2_name = module.base_shared_vpc.region1_router2.router.name
+ region2_router1_name = module.base_shared_vpc.region2_router1.router.name
+ region2_router2_name = module.base_shared_vpc.region2_router2.router.name
+ vpn_psk_secret_name = ""
 on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1
 on_prem_router_ip_address2 = "<8.8.8.8>" # on-prem router ip address 2
@@ -63,18 +60,16 @@ module "shared_base_vpn" {
 module "shared_restricted_vpn" {
 source = "../vpn-ha"
- project_id = local.restricted_project_id
- default_region1 = var.default_region1
- default_region2 = var.default_region2
- vpc_name = "${var.environment_code}-shared-restricted"
- region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name
- region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name
- region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name
- region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name
- environment = var.env
- parent_folder = var.parent_folder
- org_id = var.org_id
- vpn_psk_secret_name = ""
+ project_id = local.restricted_project_id
+ env_secret_project_id = local.env_secret_project_id
+ default_region1 = var.default_region1
+ default_region2 = var.default_region2
+ vpc_name = "${var.environment_code}-shared-restricted"
+ region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name
+ region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name
+ region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name
+ region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name
+ vpn_psk_secret_name = ""
 on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1
 on_prem_router_ip_address2 = "<8.8.8.8>" # on-prem router ip address 2
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/README.md b/3-networks-dual-svpc/modules/base_shared_vpc/README.md
index e8c207265..83f5c5608 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/README.md
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/README.md
@@ -10,6 +10,7 @@
 | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes |
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
+| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
index 039cbd0f1..0a6b62f48 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/dns.tf
@@ -14,28 +14,6 @@
 * limitations under the License.
 */
-locals {
- parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-}
-
-data "google_active_folder" "common" {
- display_name = "${var.folder_prefix}-common"
- parent = local.parent_id
-}
-
-/******************************************
- DNS Hub Project
-*****************************************/
-
-data "google_projects" "dns_hub" {
- filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-dns-hub lifecycleState=ACTIVE"
-}
-
-data "google_compute_network" "vpc_dns_hub" {
- name = "vpc-c-dns-hub"
- project = data.google_projects.dns_hub.projects[0].project_id
-}
-
 /******************************************
 Default DNS Policy
 *****************************************/
@@ -53,6 +31,11 @@ resource "google_dns_policy" "default_policy" {
 /******************************************
 Creates DNS Peering to DNS HUB
 *****************************************/
+data "google_compute_network" "vpc_dns_hub" {
+ name = "vpc-c-dns-hub"
+ project = var.dns_hub_project_id
+}
+
 module "peering_zone" {
 source = "terraform-google-modules/cloud-dns/google"
 version = "~> 3.1"
diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
index ba675a184..1c28e38ee 100644
--- a/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/base_shared_vpc/variables.tf
@@ -24,6 +24,11 @@ variable "project_id" {
 description = "Project ID for Private Shared VPC."
 }
+variable "dns_hub_project_id" {
+ type = string
+ description = "The DNS hub project ID"
+}
+
 variable "environment_code" {
 type = string
 description = "A short form of the folder level resources (environment) within the Google Cloud organization."
diff --git a/3-networks-dual-svpc/modules/dedicated_interconnect/README.md b/3-networks-dual-svpc/modules/dedicated_interconnect/README.md
index f4924c200..803fa7662 100644
--- a/3-networks-dual-svpc/modules/dedicated_interconnect/README.md
+++ b/3-networks-dual-svpc/modules/dedicated_interconnect/README.md
@@ -19,8 +19,7 @@ This module implements the recommendation proposed in [Establishing 99.99% Avail
 |------|-------------|------|---------|:--------:|
 | cloud\_router\_labels | A map of suffixes for labelling vlans with four entries like "vlan\_1" => "suffix1" with keys from `vlan_1` to `vlan_4`. | `map(string)` | `{}` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
-| org\_id | Organization ID | `string` | n/a | yes |
-| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
+| interconnect\_project\_id | Interconnect project ID. | `string` | n/a | yes |
 | peer\_asn | Peer BGP Autonomous System Number (ASN). | `number` | n/a | yes |
 | peer\_name | Name of this BGP peer. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]\*[a-z0-9])? | `string` | n/a | yes |
 | region1 | First subnet region. The Dedicated Interconnect module only configures two regions. | `string` | n/a | yes |
diff --git a/3-networks-dual-svpc/modules/dedicated_interconnect/main.tf b/3-networks-dual-svpc/modules/dedicated_interconnect/main.tf
index 23d3118e3..0eb62bc83 100644
--- a/3-networks-dual-svpc/modules/dedicated_interconnect/main.tf
+++ b/3-networks-dual-svpc/modules/dedicated_interconnect/main.tf
@@ -15,21 +15,10 @@
 */
 locals {
- parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
- interconnect_project_id = data.google_projects.interconnect_project.projects[0].project_id
- suffix1 = lookup(var.cloud_router_labels, "vlan_1", "cr1")
- suffix2 = lookup(var.cloud_router_labels, "vlan_2", "cr2")
- suffix3 = lookup(var.cloud_router_labels, "vlan_3", "cr3")
- suffix4 = lookup(var.cloud_router_labels, "vlan_4", "cr4")
-}
-
-data "google_active_folder" "common" {
- display_name = "${var.folder_prefix}-common"
- parent = local.parent_id
-}
-
-data "google_projects" "interconnect_project" {
- filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-interconnect lifecycleState=ACTIVE"
+ suffix1 = lookup(var.cloud_router_labels, "vlan_1", "cr1")
+ suffix2 = lookup(var.cloud_router_labels, "vlan_2", "cr2")
+ suffix3 = lookup(var.cloud_router_labels, "vlan_3", "cr3")
+ suffix4 = lookup(var.cloud_router_labels, "vlan_4", "cr4")
 }
 module "interconnect_attachment1_region1" {
@@ -37,7 +26,7 @@ module "interconnect_attachment1_region1" {
 version = "~> 2.0.0"
 name = "vl-${var.region1_interconnect1_location}-${var.vpc_name}-${var.region1}-${local.suffix1}"
- project = local.interconnect_project_id
+ project = var.interconnect_project_id
 region = var.region1
 router = var.region1_router1_name
@@ -60,7 +49,7 @@ module "interconnect_attachment2_region1" {
 version = "~> 0.4.0"
 name = "vl-${var.region1_interconnect2_location}-${var.vpc_name}-${var.region1}-${local.suffix2}"
- project = local.interconnect_project_id
+ project = var.interconnect_project_id
 region = var.region1
 router = var.region1_router2_name
@@ -83,7 +72,7 @@ module "interconnect_attachment1_region2" {
 version = "~> 0.4.0"
 name = "vl-${var.region2_interconnect1_location}-${var.vpc_name}-${var.region2}-${local.suffix3}"
- project = local.interconnect_project_id
+ project = var.interconnect_project_id
 region = var.region2
 router = var.region2_router1_name
@@ -106,7 +95,7 @@ module "interconnect_attachment2_region2" {
 version = "~> 0.4.0"
 name = "vl-${var.region2_interconnect2_location}-${var.vpc_name}-${var.region2}-${local.suffix4}"
- project = local.interconnect_project_id
+ project = var.interconnect_project_id
 region = var.region2
 router = var.region2_router2_name
diff --git a/3-networks-dual-svpc/modules/dedicated_interconnect/variables.tf b/3-networks-dual-svpc/modules/dedicated_interconnect/variables.tf
index 4589e1660..74b21562c 100644
--- a/3-networks-dual-svpc/modules/dedicated_interconnect/variables.tf
+++ b/3-networks-dual-svpc/modules/dedicated_interconnect/variables.tf
@@ -14,15 +14,9 @@
 * limitations under the License.
 */
-variable "org_id" {
+variable "interconnect_project_id" {
 type = string
- description = "Organization ID"
-}
-
-variable "parent_folder" {
- description = "Optional - if using a folder for testing."
- type = string
- default = ""
+ description = "Interconnect project ID."
 }
 variable "vpc_name" {
diff --git a/3-networks-dual-svpc/modules/partner_interconnect/README.md b/3-networks-dual-svpc/modules/partner_interconnect/README.md
index e3e6583a4..16decf715 100644
--- a/3-networks-dual-svpc/modules/partner_interconnect/README.md
+++ b/3-networks-dual-svpc/modules/partner_interconnect/README.md
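Review bot: The variables.tf hunk removes `org_id` and `parent_folder` but leaves `folder_prefix` declared, although its only visible use, `data "google_active_folder" "common"` in main.tf, is removed by this same patch and the module README still advertises the `folder\_prefix` row. Unless another file in dedicated_interconnect references it, the declaration should go in this change and the README be regenerated so the documented inputs match what callers actually supply. The `folder_prefix` declaration itself lies outside this hunk, so this is inferred from the visible removals.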
@@ -19,11 +19,9 @@ Without Hub and Spoke enabled VLAN attachments will be created in `prj-{p|n|d}-s
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| attachment\_project\_id | the Interconnect project ID. | `string` | n/a | yes |
 | cloud\_router\_labels | A map of suffixes for labelling vlans with four entries like "vlan\_1" => "suffix1" with keys from `vlan_1` to `vlan_4`. | `map(string)` | `{}` | no |
-| environment | Environment in which to deploy the Partner Interconnect, must be 'common' if enable\_hub\_and\_spoke=true | `string` | `null` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
-| org\_id | Organization ID | `string` | n/a | yes |
-| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | preactivate | Preactivate Partner Interconnect attachments, works only for level3 Partner Interconnect | `string` | `false` | no |
 | region1 | First subnet region. The Partner Interconnect module only configures two regions. | `string` | n/a | yes |
 | region1\_interconnect1\_location | Name of the interconnect location used in the creation of the Interconnect for the first location of region1 | `string` | n/a | yes |
diff --git a/3-networks-dual-svpc/modules/partner_interconnect/main.tf b/3-networks-dual-svpc/modules/partner_interconnect/main.tf
index e7b81a908..795695093 100644
--- a/3-networks-dual-svpc/modules/partner_interconnect/main.tf
+++ b/3-networks-dual-svpc/modules/partner_interconnect/main.tf
@@ -15,30 +15,15 @@
 */
 locals {
- parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
- suffix1 = lookup(var.cloud_router_labels, "vlan_1", "cr1")
- suffix2 = lookup(var.cloud_router_labels, "vlan_2", "cr2")
- suffix3 = lookup(var.cloud_router_labels, "vlan_3", "cr3")
- suffix4 = lookup(var.cloud_router_labels, "vlan_4", "cr4")
-
- attachment_project_id = data.google_projects.attachment_project.projects[0].project_id
-
- app_label = "${var.vpc_type}-shared-vpc-host"
- environment_label = var.environment
-}
-
-data "google_active_folder" "environment" {
- display_name = "${var.folder_prefix}-${var.environment}"
- parent = local.parent_id
-}
-
-data "google_projects" "attachment_project" {
- filter = "parent.id:${split("/", data.google_active_folder.environment.name)[1]} labels.application_name=${local.app_label} labels.environment=${local.environment_label} lifecycleState=ACTIVE"
+ suffix1 = lookup(var.cloud_router_labels, "vlan_1", "cr1")
+ suffix2 = lookup(var.cloud_router_labels, "vlan_2", "cr2")
+ suffix3 = lookup(var.cloud_router_labels, "vlan_3", "cr3")
+ suffix4 = lookup(var.cloud_router_labels, "vlan_4", "cr4")
 }
 resource "google_compute_interconnect_attachment" "interconnect_attachment1_region1" {
 name = "vl-${var.region1_interconnect1_location}-${var.vpc_name}-${var.region1}-${local.suffix1}"
- project = local.attachment_project_id
+ project = var.attachment_project_id
 region = var.region1
 router = var.region1_router1_name
@@ -49,7 +34,7 @@ resource "google_compute_interconnect_attachment" "interconnect_attachment1_regi
 resource "google_compute_interconnect_attachment" "interconnect_attachment2_region1" {
 name = "vl-${var.region1_interconnect2_location}-${var.vpc_name}-${var.region1}-${local.suffix2}"
- project = local.attachment_project_id
+ project = var.attachment_project_id
 region = var.region1
 router = var.region1_router2_name
@@ -60,7 +45,7 @@ resource "google_compute_interconnect_attachment" "interconnect_attachment2_regi
 resource "google_compute_interconnect_attachment" "interconnect_attachment1_region2" {
 name = "vl-${var.region2_interconnect1_location}-${var.vpc_name}-${var.region2}-${local.suffix1}"
- project = local.attachment_project_id
+ project = var.attachment_project_id
 region = var.region2
 router = var.region2_router1_name
@@ -71,7 +56,7 @@ resource "google_compute_interconnect_attachment" "interconnect_attachment1_regi
 resource "google_compute_interconnect_attachment" "interconnect_attachment2_region2" {
 name = "vl-${var.region2_interconnect2_location}-${var.vpc_name}-${var.region2}-${local.suffix2}"
- project = local.attachment_project_id
+ project = var.attachment_project_id
 region = var.region2
 router = var.region2_router2_name
diff --git a/3-networks-dual-svpc/modules/partner_interconnect/variables.tf b/3-networks-dual-svpc/modules/partner_interconnect/variables.tf
index de0cc447f..326fb26b3 100644
--- a/3-networks-dual-svpc/modules/partner_interconnect/variables.tf
+++ b/3-networks-dual-svpc/modules/partner_interconnect/variables.tf
@@ -14,15 +14,9 @@
 * limitations under the License.
 */
-variable "org_id" {
+variable "attachment_project_id" {
 type = string
- description = "Organization ID"
-}
-
-variable "parent_folder" {
- description = "Optional - if using a folder for testing."
- type = string
- default = ""
+ description = "the Interconnect project ID."
 }
 variable "vpc_name" {
@@ -98,12 +92,6 @@ variable "preactivate" {
 default = false
 }
-variable "environment" {
- description = "Environment in which to deploy the Partner Interconnect, must be 'common' if enable_hub_and_spoke=true"
- type = string
- default = null
-}
-
 variable "vpc_type" {
 description = "To which Shared VPC Host attach the Partner Interconnect - base/restricted"
 type = string
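Review bot: `description = "the Interconnect project ID."` on `attachment_project_id` is misleading: both callers in base_env/partner_interconnect.tf.example pass `local.restricted_project_id` and `local.base_project_id`, i.e. the Shared VPC host project in which the VLAN attachments are created, which matches the README's own note that attachments land in the `prj-{p|n|d}-s…` projects and is distinct from the interconnect project the dedicated_interconnect module takes. Suggest `description = "Project ID of the Shared VPC host project in which the Partner Interconnect attachments are created."`; the generated README row `attachment\_project\_id` would then follow. As in dedicated_interconnect, `folder_prefix` stays declared and listed in the README after its only visible use, `data "google_active_folder" "environment"`, was removed from main.tf, so it appears dead; its declaration is outside this hunk.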
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
index 8d51f09e9..f79a75e91 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/README.md
@@ -11,6 +11,7 @@
 | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes |
 | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no |
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
+| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes |
 | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes |
 | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf
index dc90068a2..6ac8a6457 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/dns.tf
@@ -14,28 +14,6 @@
 * limitations under the License.
 */
-locals {
- parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-}
-
-data "google_active_folder" "common" {
- display_name = "${var.folder_prefix}-common"
- parent = local.parent_id
-}
-
-/******************************************
- DNS Hub Project
-*****************************************/
-
-data "google_projects" "dns_hub" {
- filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-dns-hub lifecycleState=ACTIVE"
-}
-
-data "google_compute_network" "vpc_dns_hub" {
- name = "vpc-c-dns-hub"
- project = data.google_projects.dns_hub.projects[0].project_id
-}
-
 /******************************************
 Default DNS Policy
 *****************************************/
@@ -53,6 +31,11 @@ resource "google_dns_policy" "default_policy" {
 /******************************************
 Creates DNS Peering to DNS HUB
 *****************************************/
+data "google_compute_network" "vpc_dns_hub" {
+ name = "vpc-c-dns-hub"
+ project = var.dns_hub_project_id
+}
+
 module "peering_zone" {
 source = "terraform-google-modules/cloud-dns/google"
 version = "~> 3.1"
diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
index 734359236..c5fce20c2 100644
--- a/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/variables.tf
@@ -34,6 +34,11 @@ variable "project_number" {
 description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter."
 }
+variable "dns_hub_project_id" {
+ type = string
+ description = "The DNS hub project ID"
+}
+
 variable "environment_code" {
 type = string
 description = "A short form of the folder level resources (environment) within the Google Cloud organization."
diff --git a/3-networks-dual-svpc/modules/vpn-ha/README.md b/3-networks-dual-svpc/modules/vpn-ha/README.md
index 311b772aa..ef51f800c 100755
--- a/3-networks-dual-svpc/modules/vpn-ha/README.md
+++ b/3-networks-dual-svpc/modules/vpn-ha/README.md
@@ -23,11 +23,10 @@ If you are not able to use Dedicated Interconnect or Partner Interconnect you ca
 | bgp\_peer\_asn | BGP ASN for cloud routes. | `number` | n/a | yes |
 | default\_region1 | Default region 1 for Cloud Routers | `string` | n/a | yes |
 | default\_region2 | Default region 2 for Cloud Routers | `string` | n/a | yes |
-| environment | Environment for the VPN configuration. Valid options are development, non-production, production | `string` | n/a | yes |
+| env\_secret\_project\_id | the environment secrets project ID | `string` | n/a | yes |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
 | on\_prem\_router\_ip\_address1 | On-Prem Router IP address | `string` | n/a | yes |
 | on\_prem\_router\_ip\_address2 | On-Prem Router IP address | `string` | n/a | yes |
-| org\_id | Organization ID | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | project\_id | VPC Project ID | `string` | n/a | yes |
 | region1\_router1\_name | Name of the Router 1 for Region 1 where the attachment resides. | `string` | n/a | yes |
diff --git a/3-networks-dual-svpc/modules/vpn-ha/main.tf b/3-networks-dual-svpc/modules/vpn-ha/main.tf
index f6fe3532f..77a48279d 100755
--- a/3-networks-dual-svpc/modules/vpn-ha/main.tf
+++ b/3-networks-dual-svpc/modules/vpn-ha/main.tf
@@ -19,23 +19,12 @@
 *****************************************/
 locals {
- parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
- network_name = "vpc-${var.vpc_name}"
- env_secret_project_id = data.google_projects.env_secrets.projects[0].project_id
- psk_secret_data = chomp(data.google_secret_manager_secret_version.psk.secret_data)
-}
-
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-${var.environment}"
- parent = local.parent_id
-}
-
-data "google_projects" "env_secrets" {
- filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=env-secrets labels.environment=${var.environment} lifecycleState=ACTIVE"
+ network_name = "vpc-${var.vpc_name}"
+ psk_secret_data = chomp(data.google_secret_manager_secret_version.psk.secret_data)
 }
 data "google_secret_manager_secret_version" "psk" {
- project = local.env_secret_project_id
+ project = var.env_secret_project_id
 secret = var.vpn_psk_secret_name
 }
diff --git a/3-networks-dual-svpc/modules/vpn-ha/variables.tf b/3-networks-dual-svpc/modules/vpn-ha/variables.tf
index 9cef8fc6e..b7ec1900b 100644
--- a/3-networks-dual-svpc/modules/vpn-ha/variables.tf
+++ b/3-networks-dual-svpc/modules/vpn-ha/variables.tf
@@ -19,6 +19,11 @@ variable "project_id" {
 description = "VPC Project ID"
 }
+variable "env_secret_project_id" {
+ type = string
+ description = "the environment secrets project ID"
+}
+
 variable "default_region1" {
 type = string
 description = "Default region 1 for Cloud Routers"
@@ -29,16 +34,6 @@ variable "default_region2" {
 description = "Default region 2 for Cloud Routers"
 }
-variable "environment" {
- type = string
- description = "Environment for the VPN configuration. Valid options are development, non-production, production"
-}
-
-variable "org_id" {
- type = string
- description = "Organization ID"
-}
-
 variable "vpn_psk_secret_name" {
 type = string
 description = "The name of the secret to retrieve from secret manager. This will be retrieved from the environment secrets project."
From 8bb1a44e9c51c34d53a2835d92bbe580f6746c84 Mon Sep 17 00:00:00 2001
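Review bot: This hunk removes only `environment` and `org_id`, yet after this patch the vpn-ha module no longer reads `var.parent_folder` or `var.folder_prefix` (their only visible uses, `local.parent_id` and `data "google_active_folder" "env"` in main.tf, are deleted) and the base_env callers in vpn.tf.example stop passing them, while the README still lists `folder\_prefix` and `parent\_folder` as inputs. Unless another file in the module references them, both declarations should be removed in the same change so the module interface matches what callers supply and the regenerated README stops advertising dead inputs. Those two declarations are outside this hunk, so this is inferred from the visible removals.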
From: Daniel da Silva Andrade Date: Tue, 23 Aug 2022 17:00:10 -0300 Subject: [PATCH 13/30] add remote state to 3-networks-hub-and-spoke --- .../common.auto.example.tfvars | 6 -- .../envs/development/README.md | 5 +- .../envs/development/main.tf | 4 +- .../envs/development/outputs.tf | 5 + .../envs/development/variables.tf | 16 +-- .../envs/non-production/README.md | 5 +- .../envs/non-production/main.tf | 3 +- .../envs/non-production/outputs.tf | 5 + .../envs/non-production/variables.tf | 16 +-- .../envs/production/README.md | 5 +- .../envs/production/main.tf | 3 +- .../envs/production/outputs.tf | 5 + .../envs/production/variables.tf | 16 +-- .../envs/shared/README.md | 4 +- .../envs/shared/dns-hub.tf | 33 ------- .../envs/shared/hierarchical_firewall.tf | 12 +-- .../envs/shared/interconnect.tf.example | 5 +- 3-networks-hub-and-spoke/envs/shared/main.tf | 33 ++++--- .../envs/shared/net-hubs.tf | 29 +----- .../shared/partner_interconnect.tf.example | 28 ++---- .../envs/shared/remote_state.tf | 70 +++++++++++++ .../envs/shared/variables.tf | 16 +-- .../modules/base_env/README.md | 4 +- .../modules/base_env/interconnect.tf.example | 9 +- .../modules/base_env/main.tf | 99 +++++++++---------- .../base_env/partner_interconnect.tf.example | 24 ++--- .../modules/base_env/remote_state.tf | 59 +++++++++++ .../modules/base_env/variables.tf | 22 +---- .../modules/base_env/vpn.tf.example | 45 ++++----- .../modules/base_shared_vpc/README.md | 4 +- .../modules/base_shared_vpc/dns.tf | 27 +---- .../modules/base_shared_vpc/main.tf | 20 +--- .../modules/base_shared_vpc/variables.tf | 23 +++-- .../modules/dedicated_interconnect/README.md | 4 +- .../modules/dedicated_interconnect/main.tf | 27 ++--- .../dedicated_interconnect/variables.tf | 16 +-- .../modules/partner_interconnect/README.md | 5 +- .../modules/partner_interconnect/main.tf | 30 ++---- .../modules/partner_interconnect/variables.tf | 22 +---- .../modules/restricted_shared_vpc/README.md | 5 +- 
.../modules/restricted_shared_vpc/dns.tf | 27 +---- .../modules/restricted_shared_vpc/main.tf | 20 +--- .../restricted_shared_vpc/service_control.tf | 7 +- .../restricted_shared_vpc/variables.tf | 29 +++--- .../modules/vpn-ha/README.md | 5 +- .../modules/vpn-ha/main.tf | 17 +--- .../modules/vpn-ha/variables.tf | 27 +---- 47 files changed, 376 insertions(+), 525 deletions(-) create mode 100644 3-networks-hub-and-spoke/envs/shared/remote_state.tf create mode 100644 3-networks-hub-and-spoke/modules/base_env/remote_state.tf
diff --git a/3-networks-hub-and-spoke/common.auto.example.tfvars b/3-networks-hub-and-spoke/common.auto.example.tfvars
index 7ae89273f..ddc4f8906 100644
--- a/3-networks-hub-and-spoke/common.auto.example.tfvars
+++ b/3-networks-hub-and-spoke/common.auto.example.tfvars
@@ -14,15 +14,9 @@
 * limitations under the License.
 */
-org_id = "000000000000"
-
 terraform_service_account = "org-terraform@prj-b-seed-2334.iam.gserviceaccount.com"
 // The DNS name of peering managed zone. Must end with a period.
 domain = "example.com."
-// Optional - for an organization with existing projects or for development/validation.
-// Must be the same value used in previous steps.
-//parent_folder = "000000000000"
-
 //enable_hub_and_spoke_transitivity = true
diff --git a/3-networks-hub-and-spoke/envs/development/README.md b/3-networks-hub-and-spoke/envs/development/README.md
index c69da5279..ac117c171 100644
--- a/3-networks-hub-and-spoke/envs/development/README.md
+++ b/3-networks-hub-and-spoke/envs/development/README.md
@@ -16,17 +16,16 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | | enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| +| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_host\_project\_id | The base host project ID | | base\_network\_name | The name of the VPC being created | | base\_network\_self\_link | The URI of the VPC being created | diff --git a/3-networks-hub-and-spoke/envs/development/main.tf b/3-networks-hub-and-spoke/envs/development/main.tf index bcbe2b8e8..d437e2f06 100644 
--- a/3-networks-hub-and-spoke/envs/development/main.tf +++ b/3-networks-hub-and-spoke/envs/development/main.tf @@ -66,13 +66,11 @@ module "base_env" { env = local.env environment_code = local.environment_code - org_id = var.org_id access_context_manager_policy_id = var.access_context_manager_policy_id terraform_service_account = var.terraform_service_account default_region1 = local.default_region1 default_region2 = local.default_region2 domain = var.domain - parent_folder = var.parent_folder enable_partner_interconnect = false enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr @@ -81,5 +79,5 @@ module "base_env" { restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges - + backend_bucket = var.backend_bucket } diff --git a/3-networks-hub-and-spoke/envs/development/outputs.tf b/3-networks-hub-and-spoke/envs/development/outputs.tf index 673db1adf..3adb70885 100644 --- a/3-networks-hub-and-spoke/envs/development/outputs.tf +++ b/3-networks-hub-and-spoke/envs/development/outputs.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + /********************* Restricted Outputs *********************/ diff --git a/3-networks-hub-and-spoke/envs/development/variables.tf b/3-networks-hub-and-spoke/envs/development/variables.tf index 54db4c2b8..18d26348d 100644 --- a/3-networks-hub-and-spoke/envs/development/variables.tf +++ b/3-networks-hub-and-spoke/envs/development/variables.tf 
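Review bot: The new `backend_bucket = var.backend_bucket` argument in the second main.tf hunk hands the bucket to `base_env`, which per the diffstat gains its own `remote_state.tf`, so every environment run presumably reads the 0-bootstrap and 1-org states itself; nothing in this step documents that `terraform_service_account` must be able to read those state objects and that the earlier steps must already be applied. Suggest extending the variable description to `"Backend bucket to load remote state information from previous steps (0-bootstrap, 1-org). The impersonated service account needs read access to it."` The outputs.tf hunk re-exports `var.access_context_manager_policy_id` unchanged, presumably so later steps can read it from this environment's state; a one-line comment above the output, `# Re-exported so later steps can read it from this environment's remote state`, would explain why an input is echoed back. The same hunks appear in envs/non-production and envs/production. The `module "base_env"` call starts before the first hunk.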
@@ -14,9 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - description = "Organization ID" } variable "access_context_manager_policy_id" { @@ -34,18 +34,6 @@ variable "domain" { description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period." } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - variable "enable_hub_and_spoke_transitivity" { description = "Enable transitivity via gateway VMs on Hub-and-Spoke architecture." type = bool diff --git a/3-networks-hub-and-spoke/envs/non-production/README.md b/3-networks-hub-and-spoke/envs/non-production/README.md index 4d4ba7002..8a6500909 100644 --- a/3-networks-hub-and-spoke/envs/non-production/README.md +++ b/3-networks-hub-and-spoke/envs/non-production/README.md 
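Review bot: `variable "backend_bucket"` replaces `org_id` as a required string but accepts any value, including the empty string, and a wrong bucket only surfaces later as a read failure on each `data.terraform_remote_state` block rather than at variable evaluation. If the pinned Terraform version is 0.13 or later, a `validation` block rejects an empty name at plan time with a message that points at the variable. The same variable is added in envs/non-production, envs/production and envs/shared, so the block should go in all four.
```terraform
variable "backend_bucket" {
  description = "Backend bucket to load remote state information from previous steps."
  type        = string

  validation {
    condition     = length(var.backend_bucket) > 0
    error_message = "backend_bucket must be the name of the GCS bucket that holds the state of previous steps."
  }
}
```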
@@ -16,17 +16,16 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | | enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| +| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_host\_project\_id | The base host project ID | | base\_network\_name | The name of the VPC being created | | base\_network\_self\_link | The URI of the VPC being created | diff --git a/3-networks-hub-and-spoke/envs/non-production/main.tf b/3-networks-hub-and-spoke/envs/non-production/main.tf index c66ec87f0..450968ede 100644 
--- a/3-networks-hub-and-spoke/envs/non-production/main.tf +++ b/3-networks-hub-and-spoke/envs/non-production/main.tf @@ -66,13 +66,11 @@ module "base_env" { env = local.env environment_code = local.environment_code - org_id = var.org_id access_context_manager_policy_id = var.access_context_manager_policy_id terraform_service_account = var.terraform_service_account default_region1 = local.default_region1 default_region2 = local.default_region2 domain = var.domain - parent_folder = var.parent_folder enable_partner_interconnect = false enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr @@ -81,4 +79,5 @@ module "base_env" { restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges + backend_bucket = var.backend_bucket } diff --git a/3-networks-hub-and-spoke/envs/non-production/outputs.tf b/3-networks-hub-and-spoke/envs/non-production/outputs.tf index 673db1adf..3adb70885 100644 --- a/3-networks-hub-and-spoke/envs/non-production/outputs.tf +++ b/3-networks-hub-and-spoke/envs/non-production/outputs.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + /********************* Restricted Outputs *********************/ diff --git a/3-networks-hub-and-spoke/envs/non-production/variables.tf b/3-networks-hub-and-spoke/envs/non-production/variables.tf index 54db4c2b8..18d26348d 100644 --- a/3-networks-hub-and-spoke/envs/non-production/variables.tf +++ b/3-networks-hub-and-spoke/envs/non-production/variables.tf 
@@ -14,9 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - description = "Organization ID" } variable "access_context_manager_policy_id" { @@ -34,18 +34,6 @@ variable "domain" { description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period." } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - variable "enable_hub_and_spoke_transitivity" { description = "Enable transitivity via gateway VMs on Hub-and-Spoke architecture." type = bool diff --git a/3-networks-hub-and-spoke/envs/production/README.md b/3-networks-hub-and-spoke/envs/production/README.md index 8c462d3a8..d2562a65f 100644 --- a/3-networks-hub-and-spoke/envs/production/README.md +++ b/3-networks-hub-and-spoke/envs/production/README.md 
@@ -16,17 +16,16 @@ The purpose of this step is to set up base and restricted shared VPCs with defau | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period. | `string` | n/a | yes | | enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| +| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. | | base\_host\_project\_id | The base host project ID | | base\_network\_name | The name of the VPC being created | | base\_network\_self\_link | The URI of the VPC being created | diff --git a/3-networks-hub-and-spoke/envs/production/main.tf b/3-networks-hub-and-spoke/envs/production/main.tf index 0cb2acc2e..3226e1111 100644 
--- a/3-networks-hub-and-spoke/envs/production/main.tf +++ b/3-networks-hub-and-spoke/envs/production/main.tf @@ -66,13 +66,11 @@ module "base_env" { env = local.env environment_code = local.environment_code - org_id = var.org_id access_context_manager_policy_id = var.access_context_manager_policy_id terraform_service_account = var.terraform_service_account default_region1 = local.default_region1 default_region2 = local.default_region2 domain = var.domain - parent_folder = var.parent_folder enable_partner_interconnect = false enable_hub_and_spoke_transitivity = var.enable_hub_and_spoke_transitivity base_private_service_cidr = local.base_private_service_cidr @@ -81,4 +79,5 @@ module "base_env" { restricted_private_service_cidr = local.restricted_private_service_cidr restricted_subnet_primary_ranges = local.restricted_subnet_primary_ranges restricted_subnet_secondary_ranges = local.restricted_subnet_secondary_ranges + backend_bucket = var.backend_bucket } diff --git a/3-networks-hub-and-spoke/envs/production/outputs.tf b/3-networks-hub-and-spoke/envs/production/outputs.tf index 673db1adf..3adb70885 100644 --- a/3-networks-hub-and-spoke/envs/production/outputs.tf +++ b/3-networks-hub-and-spoke/envs/production/outputs.tf @@ -14,6 +14,11 @@ * limitations under the License. */ +output "access_context_manager_policy_id" { + description = "Access Context Manager Policy ID." + value = var.access_context_manager_policy_id +} + /********************* Restricted Outputs *********************/ diff --git a/3-networks-hub-and-spoke/envs/production/variables.tf b/3-networks-hub-and-spoke/envs/production/variables.tf index 54db4c2b8..18d26348d 100644 --- a/3-networks-hub-and-spoke/envs/production/variables.tf +++ b/3-networks-hub-and-spoke/envs/production/variables.tf 
@@ -14,9 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - description = "Organization ID" } variable "access_context_manager_policy_id" { @@ -34,18 +34,6 @@ variable "domain" { description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period." } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - variable "enable_hub_and_spoke_transitivity" { description = "Enable transitivity via gateway VMs on Hub-and-Spoke architecture." type = bool diff --git a/3-networks-hub-and-spoke/envs/shared/README.md b/3-networks-hub-and-spoke/envs/shared/README.md index af1760d1d..9ae169b4e 100644 --- a/3-networks-hub-and-spoke/envs/shared/README.md +++ b/3-networks-hub-and-spoke/envs/shared/README.md 
@@ -13,6 +13,7 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | base\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Base Hub VPC DNS. | `bool` | `true` | no | | base\_hub\_dns\_enable\_logging | Toggle DNS logging for Base Hub VPC DNS. | `bool` | `true` | no | | base\_hub\_firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls in Base Hub VPC. | `bool` | `true` | no | 
@@ -27,9 +28,6 @@ The purpose of this step is to set up the global [DNS Hub](https://cloud.google. | enable\_hub\_and\_spoke\_transitivity | Enable transitivity via gateway VMs on Hub-and-Spoke architecture. | `bool` | `false` | no | | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | firewall\_policies\_enable\_logging | Toggle hierarchical firewall logging. | `bool` | `true` | no | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | preactivate\_partner\_interconnect | Preactivate Partner Interconnect VLAN attachment in the environment. | `bool` | `false` | no | | restricted\_hub\_dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for Restricted Hub VPC DNS. | `bool` | `true` | no | | restricted\_hub\_dns\_enable\_logging | Toggle DNS logging for Restricted Hub VPC DNS. | `bool` | `true` | no | diff --git a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf index 848cfab11..36484a1b2 100644 --- a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf +++ b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf 
@@ -14,39 +14,6 @@ * limitations under the License. */ -locals { - dns_hub_project_id = data.google_projects.dns_hub.projects[0].project_id -} - -data "google_active_folder" "bootstrap" { - display_name = "${var.folder_prefix}-bootstrap" - parent = local.parent_id -} - -data "google_active_folder" "development" { - display_name = "${var.folder_prefix}-development" - parent = local.parent_id -} - -data "google_active_folder" "production" { - display_name = "${var.folder_prefix}-production" - parent = local.parent_id -} - -data "google_active_folder" "non-production" { - display_name = "${var.folder_prefix}-non-production" - parent = local.parent_id -} - -/****************************************** - DNS Hub Project -*****************************************/ - -data "google_projects" "dns_hub" { - filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-dns-hub lifecycleState=ACTIVE" -} - - /****************************************** DNS Hub VPC *****************************************/ diff --git a/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf b/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf index db9202fb8..d924ff582 100644 --- a/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf +++ b/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf 
@@ -16,14 +16,14 @@ module "hierarchical_firewall_policy" { source = "../../modules/hierarchical_firewall_policy/" - parent = data.google_active_folder.common.name + parent = local.common_folder_name name = "common-firewall-rules" associations = [ - data.google_active_folder.common.name, - data.google_active_folder.bootstrap.name, - data.google_active_folder.development.name, - data.google_active_folder.production.name, - data.google_active_folder.non-production.name, + local.common_folder_name, + local.bootstrap_folder_name, + local.development_folder_name, + local.production_folder_name, + local.non_production_folder_name, ] rules = { delegate-rfc1918-ingress = { diff --git a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example index c412743a9..906ce70cb 100644 --- a/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/interconnect.tf.example @@ -17,9 +17,8 @@ module "dns_hub_interconnect" { source = "../../modules/dedicated_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "c-dns-hub" + vpc_name = "c-dns-hub" + interconnect_project_id = local.interconnect_project_id region1 = local.default_region1 region1_router1_name = module.dns_hub_region1_router1.router.name diff --git a/3-networks-hub-and-spoke/envs/shared/main.tf b/3-networks-hub-and-spoke/envs/shared/main.tf index 7636dc61d..dc6736caa 100644 --- a/3-networks-hub-and-spoke/envs/shared/main.tf +++ b/3-networks-hub-and-spoke/envs/shared/main.tf 
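Review bot: The `associations` list now takes the development, non-production and production folder names from three separate environment states through `local.*_folder_name` (defined in envs/shared/main.tf), so this step cannot be planned until all three 2-environments states exist and expose `env_folder`; a missing one fails as an unsupported attribute on a remote state output, which does not say which step is missing. A comment above `associations`, `# Folder names come from the 0-bootstrap, 1-org and 2-environments remote states; all three environments must be applied before this step`, would make the ordering explicit. The `module "hierarchical_firewall_policy"` block starts before this hunk and its `rules` continue after it.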
@@ -15,15 +15,26 @@ */ locals { - parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" - env = "common" - environment_code = "c" - bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" - default_region1 = "us-west1" - default_region2 = "us-central1" -} - -data "google_active_folder" "common" { - display_name = "${var.folder_prefix}-${local.env}" - parent = local.parent_id + env = "common" + environment_code = "c" + bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" + default_region1 = "us-west1" + default_region2 = "us-central1" + dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id + interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id + parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder + org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id + billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account + default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id + bootstrap_folder_name = data.terraform_remote_state.bootstrap.outputs.common_config.bootstrap_folder_name + common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name + development_folder_name = data.terraform_remote_state.env_development.outputs.env_folder + non_production_folder_name = data.terraform_remote_state.env_non_production.outputs.env_folder + production_folder_name = data.terraform_remote_state.env_production.outputs.env_folder + base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id + 
restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id + restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number } diff --git a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf index 7e730cfb3..4f67c351b 100644 --- a/3-networks-hub-and-spoke/envs/shared/net-hubs.tf +++ b/3-networks-hub-and-spoke/envs/shared/net-hubs.tf @@ -15,9 +15,6 @@ */ locals { - base_net_hub_project_id = data.google_projects.base_net_hub.projects[0].project_id - restricted_net_hub_project_id = data.google_projects.restricted_net_hub.projects[0].project_id - restricted_net_hub_project_number = data.google_projects.restricted_net_hub.projects[0].number /* * Base network ranges */ @@ -34,22 +31,6 @@ locals { } } -/****************************************** - Base Network Hub Project -*****************************************/ - -data "google_projects" "base_net_hub" { - filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-base-net-hub lifecycleState=ACTIVE" -} - -/****************************************** - Restricted Network Hub Project -*****************************************/ - -data "google_projects" "restricted_net_hub" { - filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-restricted-net-hub lifecycleState=ACTIVE" -} - /****************************************** Base Network VPC *****************************************/ 
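Review bot: The rewritten `locals` block in envs/shared/main.tf pulls `billing_account`, `default_region`, `project_prefix` and `parent_folder` out of the bootstrap `common_config` output next to the values the other hunks in this commit actually consume (`org_id`, `parent_id`, the folder names, the hub project ids); if nothing else in envs/shared references them they are dead locals that widen what a reviewer must check whenever the bootstrap output changes. Either drop the unused ones or add a header comment, `# Every value below comes from the remote state of steps 0-bootstrap, 1-org and 2-environments; those steps must be applied first.`, so the implicit ordering is visible. The block closes on this line with `restricted_net_hub_project_id` and `restricted_net_hub_project_number`.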
@@ -57,9 +38,9 @@ data "google_projects" "restricted_net_hub" { module "base_shared_vpc" { source = "../../modules/base_shared_vpc" project_id = local.base_net_hub_project_id + dns_hub_project_id = local.dns_hub_project_id environment_code = local.environment_code - org_id = var.org_id - parent_folder = var.parent_folder + org_id = local.org_id bgp_asn_subnet = local.bgp_asn_number default_region1 = local.default_region1 default_region2 = local.default_region2 @@ -72,7 +53,6 @@ module "base_shared_vpc" { nat_num_addresses_region1 = var.base_hub_nat_num_addresses_region1 nat_num_addresses_region2 = var.base_hub_nat_num_addresses_region2 windows_activation_enabled = var.base_hub_windows_activation_enabled - folder_prefix = var.folder_prefix mode = "hub" subnets = [ @@ -106,12 +86,12 @@ module "restricted_shared_vpc" { source = "../../modules/restricted_shared_vpc" project_id = local.restricted_net_hub_project_id project_number = local.restricted_net_hub_project_number + dns_hub_project_id = local.dns_hub_project_id environment_code = local.environment_code access_context_manager_policy_id = var.access_context_manager_policy_id restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] members = ["serviceAccount:${var.terraform_service_account}"] - org_id = var.org_id - parent_folder = var.parent_folder + org_id = local.org_id bgp_asn_subnet = local.bgp_asn_number default_region1 = local.default_region1 default_region2 = local.default_region2 @@ -123,7 +103,6 @@ module "restricted_shared_vpc" { nat_bgp_asn = var.restricted_hub_nat_bgp_asn nat_num_addresses_region1 = var.restricted_hub_nat_num_addresses_region1 nat_num_addresses_region2 = var.restricted_hub_nat_num_addresses_region2 - folder_prefix = var.folder_prefix windows_activation_enabled = var.restricted_hub_windows_activation_enabled mode = "hub" 
diff --git a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example index 2b4a07a20..49e342901 100644 --- a/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example +++ b/3-networks-hub-and-spoke/envs/shared/partner_interconnect.tf.example @@ -15,14 +15,12 @@ */ module "shared_restricted_interconnect" { - source = "../../modules/partner_interconnect" + source = "../../modules/partner_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${local.environment_code}-shared-restricted" - environment = local.env - vpc_type = "restricted" - preactivate = var.preactivate_partner_interconnect + attachment_project_id = local.restricted_net_hub_project_id + vpc_name = "${local.environment_code}-shared-restricted" + vpc_type = "restricted" + preactivate = var.preactivate_partner_interconnect region1 = local.default_region1 region1_router1_name = module.restricted_shared_vpc[0].region1_router1.router.name @@ -36,8 +34,6 @@ module "shared_restricted_interconnect" { region2_router2_name = module.restricted_shared_vpc[0].region2_router2.router.name region2_interconnect2_location = "lax-zone1-403" - folder_prefix = var.folder_prefix - cloud_router_labels = { vlan_1 = "cr5", vlan_2 = "cr6", 
@@ -47,14 +43,12 @@ module "shared_restricted_interconnect" { } module "shared_base_interconnect" { - source = "../../modules/partner_interconnect" + source = "../../modules/partner_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${local.environment_code}-shared-base" - environment = local.env - vpc_type = "base" - preactivate = var.preactivate_partner_interconnect + attachment_project_id = local.base_net_hub_project_id + vpc_name = "${local.environment_code}-shared-base" + vpc_type = "base" + preactivate = var.preactivate_partner_interconnect region1 = local.default_region1 region1_router1_name = module.base_shared_vpc[0].region1_router1.router.name @@ -68,8 +62,6 @@ module "shared_base_interconnect" { region2_router2_name = module.base_shared_vpc[0].region2_router2.router.name region2_interconnect2_location = "lax-zone1-403" - folder_prefix = var.folder_prefix - cloud_router_labels = { vlan_1 = "cr1", vlan_2 = "cr2", diff --git a/3-networks-hub-and-spoke/envs/shared/remote_state.tf b/3-networks-hub-and-spoke/envs/shared/remote_state.tf new file mode 100644 index 000000000..9a1235a40 --- /dev/null +++ b/3-networks-hub-and-spoke/envs/shared/remote_state.tf 
@@ -0,0 +1,70 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "terraform_remote_state" "bootstrap" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/bootstrap/state"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "org" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/org/state"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "env_development" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/environments/development"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "env_non_production" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/environments/non-production"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
+
+data "terraform_remote_state" "env_production" {
+ backend = "gcs"
+
+ config = {
+ bucket = "${var.backend_bucket}"
+ prefix = "terraform/environments/production"
+
+ impersonate_service_account = var.terraform_service_account
+ }
+}
diff --git a/3-networks-hub-and-spoke/envs/shared/variables.tf b/3-networks-hub-and-spoke/envs/shared/variables.tf
index 6d4009666..acc20c9e8 100644
--- a/3-networks-hub-and-spoke/envs/shared/variables.tf
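Review bot: `bucket = "${var.backend_bucket}"` in all five `config` blocks wraps a bare variable in an interpolation, which Terraform reports as a deprecated interpolation-only expression; `bucket = var.backend_bucket` is the equivalent. On the access side, `terraform_remote_state` retrieves the whole state snapshot, not just its outputs, so the account in `impersonate_service_account` needs object read on every listed prefix (`terraform/bootstrap/state`, `terraform/org/state` and the three `terraform/environments/*` prefixes) and can see any sensitive values those states hold; keeping the bucket's IAM limited to the foundation service account and object versioning enabled is the matching mitigation, and a comment at the top of the file stating that read requirement would help whoever sets up the bucket. The five blocks differ only in name and prefix, so a `for_each` over a map of prefixes would remove the repetition, but it would change every `data.terraform_remote_state.<name>` reference in envs/shared and belongs in a separate change. The header also says `Copyright 2021` for a file first added in this 2022 patch.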
+++ b/3-networks-hub-and-spoke/envs/shared/variables.tf @@ -14,9 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." type = string - description = "Organization ID" } variable "terraform_service_account" { @@ -57,18 +57,6 @@ variable "target_name_server_addresses" { type = list(string) } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - variable "base_hub_windows_activation_enabled" { type = bool description = "Enable Windows license activation for Windows workloads in Base Hub" diff --git a/3-networks-hub-and-spoke/modules/base_env/README.md b/3-networks-hub-and-spoke/modules/base_env/README.md index e95a982d9..8a08642ce 100644 --- a/3-networks-hub-and-spoke/modules/base_env/README.md +++ b/3-networks-hub-and-spoke/modules/base_env/README.md 
@@ -4,6 +4,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_context\_manager\_policy\_id | The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)"`. | `number` | n/a | yes | +| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | base\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Base Shared Vpc. | `string` | n/a | yes | | base\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Base Shared Vpc. | `map(string)` | n/a | yes | | base\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Base Shared Vpc. | `map(list(map(string)))` | n/a | yes | 
@@ -14,9 +15,6 @@ | enable\_partner\_interconnect | Enable Partner Interconnect in the environment. | `bool` | `false` | no | | env | The environment to prepare (ex. development) | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | | restricted\_private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services in the Restricted Shared Vpc. | `string` | n/a | yes | | restricted\_subnet\_primary\_ranges | The base subnet primary IPTs ranges to the Restricted Shared Vpc. | `map(string)` | n/a | yes | | restricted\_subnet\_secondary\_ranges | The base subnet secondary IPTs ranges to the Restricted Shared Vpc | `map(list(map(string)))` | n/a | yes | diff --git a/3-networks-hub-and-spoke/modules/base_env/interconnect.tf.example b/3-networks-hub-and-spoke/modules/base_env/interconnect.tf.example index 9c59be696..68fe4dd8d 100644 --- a/3-networks-hub-and-spoke/modules/base_env/interconnect.tf.example +++ b/3-networks-hub-and-spoke/modules/base_env/interconnect.tf.example 
@@ -17,9 +17,7 @@ module "shared_restricted_interconnect" { source = "../dedicated_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${var.environment_code}-shared-restricted" + vpc_name = "${var.environment_code}-shared-restricted" region1 = var.default_region1 region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name @@ -59,9 +57,8 @@ module "shared_restricted_interconnect" { module "shared_base_interconnect" { source = "../dedicated_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${var.environment_code}-shared-base" + vpc_name = "${var.environment_code}-shared-base" + interconnect_project_id = local.interconnect_project_id region1 = var.default_region1 region1_router1_name = module.base_shared_vpc.region1_router1.router.name diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 91aa9d60b..3bf0d9cf2 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf 
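Review bot: `module "shared_restricted_interconnect"` drops `org_id`/`parent_folder` but, unlike `shared_base_interconnect` in the second hunk, never sets `interconnect_project_id`, which `../dedicated_interconnect` now declares as a required variable with no default elsewhere in this series; a user copying the example as-is would hit a missing-argument error at plan. Add `interconnect_project_id = local.interconnect_project_id` next to `vpc_name` in the restricted block so the two calls are symmetrical. Both module bodies continue outside the hunks.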
@@ -15,12 +15,23 @@ */ locals { - restricted_project_id = data.google_projects.restricted_host_project.projects[0].project_id - restricted_project_number = data.google_project.restricted_host_project.number - base_project_id = data.google_projects.base_host_project.projects[0].project_id - parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" - bgp_asn_number = var.enable_partner_interconnect ? "16550" : "64514" - enable_transitivity = var.enable_hub_and_spoke_transitivity + parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder + org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id + billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account + default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id + restricted_project_id = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_id + restricted_project_number = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_number + base_project_id = data.terraform_remote_state.environments_env.outputs.base_shared_vpc_project_id + env_secret_project_id = data.terraform_remote_state.environments_env.outputs.env_secrets_project_id + interconnect_project_id = data.terraform_remote_state.org.outputs.interconnect_project_id + dns_hub_project_id = data.terraform_remote_state.org.outputs.dns_hub_project_id + base_net_hub_project_id = data.terraform_remote_state.org.outputs.base_net_hub_project_id + restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id + restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number + bgp_asn_number = 
var.enable_partner_interconnect ? "16550" : "64514" + enable_transitivity = var.enable_hub_and_spoke_transitivity /* * Base network ranges */ 
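Review bot: Every project id in the new locals is dereferenced as `data.terraform_remote_state.*.outputs.<name>` with no fallback, so a deployment whose 1-org or 2-environments state was applied before those outputs existed fails with an `Unsupported attribute` error rather than a pointed message; the step's README or upgrade notes should say that bootstrap, 1-org and 2-environments must be re-applied first (or wrap the lookups in `try(..., null)` and guard them with a precondition, if the pinned Terraform version supports that). `billing_account`, `default_region` and `folder_prefix` are pulled into locals but nothing in this hunk reads them — if the rest of the module does not either, they are dead remote-state lookups. The `locals` block continues past the end of the hunk.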
@@ -33,46 +44,27 @@ locals { restricted_hub_subnet_ranges = ["10.8.0.0/24", "10.9.0.0/24"] } -data "google_active_folder" "env" { - display_name = "${var.folder_prefix}-${var.env}" - parent = local.parent_id -} - -/****************************************** - VPC Host Projects -*****************************************/ - -data "google_projects" "restricted_host_project" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=restricted-shared-vpc-host labels.environment=${var.env} lifecycleState=ACTIVE" -} - -data "google_project" "restricted_host_project" { - project_id = data.google_projects.restricted_host_project.projects[0].project_id -} - -data "google_projects" "base_host_project" { - filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=base-shared-vpc-host labels.environment=${var.env} lifecycleState=ACTIVE" -} - /****************************************** Restricted shared VPC *****************************************/ module "restricted_shared_vpc" { - source = "../restricted_shared_vpc" - project_id = local.restricted_project_id - project_number = local.restricted_project_number - environment_code = var.environment_code - access_context_manager_policy_id = var.access_context_manager_policy_id - restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] - members = ["serviceAccount:${var.terraform_service_account}"] - private_service_cidr = var.restricted_private_service_cidr - org_id = var.org_id - parent_folder = var.parent_folder - bgp_asn_subnet = local.bgp_asn_number - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - mode = "spoke" + source = "../restricted_shared_vpc" + project_id = local.restricted_project_id + project_number = local.restricted_project_number + dns_hub_project_id = local.dns_hub_project_id + restricted_net_hub_project_id = local.restricted_net_hub_project_id + 
restricted_net_hub_project_number = local.restricted_net_hub_project_number + environment_code = var.environment_code + access_context_manager_policy_id = var.access_context_manager_policy_id + restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"] + members = ["serviceAccount:${var.terraform_service_account}"] + private_service_cidr = var.restricted_private_service_cidr + org_id = local.org_id + bgp_asn_subnet = local.bgp_asn_number + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + mode = "spoke" subnets = [ { @@ -104,17 +96,18 @@ module "restricted_shared_vpc" { *****************************************/ module "base_shared_vpc" { - source = "../base_shared_vpc" - project_id = local.base_project_id - environment_code = var.environment_code - private_service_cidr = var.base_private_service_cidr - org_id = var.org_id - parent_folder = var.parent_folder - default_region1 = var.default_region1 - default_region2 = var.default_region2 - domain = var.domain - bgp_asn_subnet = local.bgp_asn_number - mode = "spoke" + source = "../base_shared_vpc" + project_id = local.base_project_id + dns_hub_project_id = local.dns_hub_project_id + base_net_hub_project_id = local.base_net_hub_project_id + environment_code = var.environment_code + private_service_cidr = var.base_private_service_cidr + org_id = local.org_id + default_region1 = var.default_region1 + default_region2 = var.default_region2 + domain = var.domain + bgp_asn_subnet = local.bgp_asn_number + mode = "spoke" subnets = [ { diff --git a/3-networks-hub-and-spoke/modules/base_env/partner_interconnect.tf.example b/3-networks-hub-and-spoke/modules/base_env/partner_interconnect.tf.example index 2d531cbee..8b86d9567 100644 --- a/3-networks-hub-and-spoke/modules/base_env/partner_interconnect.tf.example +++ b/3-networks-hub-and-spoke/modules/base_env/partner_interconnect.tf.example 
@@ -15,14 +15,12 @@ */ module "shared_restricted_interconnect" { - source = "../partner_interconnect" + source = "../partner_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${var.environment_code}-shared-restricted" - environment = var.env - vpc_type = "restricted" - preactivate = true + attachment_project_id = local.restricted_net_hub_project_id + vpc_name = "${var.environment_code}-shared-restricted" + vpc_type = "restricted" + preactivate = true region1 = var.default_region1 region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name @@ -45,14 +43,12 @@ module "shared_restricted_interconnect" { } module "shared_base_interconnect" { - source = "../partner_interconnect" + source = "../partner_interconnect" - org_id = var.org_id - parent_folder = var.parent_folder - vpc_name = "${var.environment_code}-shared-base" - environment = var.env - vpc_type = "base" - preactivate = true + attachment_project_id = local.base_net_hub_project_id + vpc_name = "${var.environment_code}-shared-base" + vpc_type = "base" + preactivate = true region1 = var.default_region1 region1_router1_name = module.base_shared_vpc.region1_router1.router.name diff --git a/3-networks-hub-and-spoke/modules/base_env/remote_state.tf b/3-networks-hub-and-spoke/modules/base_env/remote_state.tf new file mode 100644 index 000000000..0bd3f715f --- /dev/null +++ b/3-networks-hub-and-spoke/modules/base_env/remote_state.tf 
@@ -0,0 +1,59 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/bootstrap/state" + + impersonate_service_account = var.terraform_service_account + } +} + +data "terraform_remote_state" "org" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/org/state" + + impersonate_service_account = var.terraform_service_account + } +} + +data "terraform_remote_state" "network_shared" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/networks/envs/shared" + + impersonate_service_account = var.terraform_service_account + } +} + +data "terraform_remote_state" "environments_env" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/environments/${var.env}" + + impersonate_service_account = var.terraform_service_account + } +} diff --git a/3-networks-hub-and-spoke/modules/base_env/variables.tf b/3-networks-hub-and-spoke/modules/base_env/variables.tf index ec81d484b..58865429c 100644 --- a/3-networks-hub-and-spoke/modules/base_env/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_env/variables.tf 
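Review bot: `prefix = "terraform/environments/${var.env}"` derives the state path from `var.env`, which is declared without validation, so a typo yields an opaque missing-output error and a value that happens to match another environment's prefix silently wires this spoke to that environment's host projects; constraining `var.env` to the three environment names used in this series (in variables.tf) would catch that at plan time. `data "terraform_remote_state" "network_shared"` is declared but no output of it is referenced in the visible hunks — if the module does not read it, drop it, since it still requires read access to that state. As in the other remote_state.tf, `"${var.backend_bucket}"` can simply be `var.backend_bucket`.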
@@ -14,6 +14,11 @@ * limitations under the License. */ +variable "backend_bucket" { + description = "Backend bucket to load remote state information from previous steps." + type = string +} + variable "env" { description = "The environment to prepare (ex. development)" type = string @@ -24,11 +29,6 @@ variable "environment_code" { description = "A short form of the folder level resources (environment) within the Google Cloud organization (ex. d)." } -variable "org_id" { - type = string - description = "Organization ID" -} - variable "access_context_manager_policy_id" { type = number description = "The id of the default Access Context Manager policy created in step `1-org`. Can be obtained by running `gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format=\"value(name)\"`." @@ -54,18 +54,6 @@ variable "domain" { description = "The DNS name of peering managed zone, for instance 'example.com.'. Must end with a period." } -variable "parent_folder" { - description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created. Should be the same in all steps." - type = string - default = "fldr" -} - variable "enable_partner_interconnect" { description = "Enable Partner Interconnect in the environment." type = bool diff --git a/3-networks-hub-and-spoke/modules/base_env/vpn.tf.example b/3-networks-hub-and-spoke/modules/base_env/vpn.tf.example index f04d89f4f..9b165ec4d 100644 --- a/3-networks-hub-and-spoke/modules/base_env/vpn.tf.example +++ b/3-networks-hub-and-spoke/modules/base_env/vpn.tf.example 
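Review bot: `var.env` is now used to build a remote-state prefix (`terraform/environments/${var.env}` in remote_state.tf) but the variable still accepts any string; the only valid values visible in this series are `development`, `non-production` and `production`, so a `validation` block on the existing `variable "env"` would turn a mistyped environment into a clear plan-time error instead of a missing-output failure. `backend_bucket` likewise has no validation, but a bucket-name check adds little beyond what the backend itself reports.

```hcl
variable "env" {
  description = "The environment to prepare (ex. development)"
  type        = string

  validation {
    condition     = contains(["development", "non-production", "production"], var.env)
    error_message = "env must be one of: development, non-production, production."
  }
}
```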
@@ -17,19 +17,16 @@ module "shared_base_vpn" { source = "../vpn-ha" - project_id = local.base_project_id - default_region1 = var.default_region1 - default_region2 = var.default_region2 - vpc_name = "${var.environment_code}-shared-base" - region1_router1_name = module.base_shared_vpc.region1_router1.router.name - region1_router2_name = module.base_shared_vpc.region1_router2.router.name - region2_router1_name = module.base_shared_vpc.region2_router1.router.name - region2_router2_name = module.base_shared_vpc.region2_router2.router.name - environment = var.env - parent_folder = var.parent_folder - org_id = var.org_id - vpn_psk_secret_name = "" - folder_prefix = var.folder_prefix + project_id = local.base_project_id + env_secret_project_id = local.env_secret_project_id + default_region1 = var.default_region1 + default_region2 = var.default_region2 + vpc_name = "${var.environment_code}-shared-base" + region1_router1_name = module.base_shared_vpc.region1_router1.router.name + region1_router2_name = module.base_shared_vpc.region1_router2.router.name + region2_router1_name = module.base_shared_vpc.region2_router1.router.name + region2_router2_name = module.base_shared_vpc.region2_router2.router.name + vpn_psk_secret_name = "" on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1 on_prem_router_ip_address2 = "<8.8.8.8>" # on-prem router ip address 2 
@@ -63,18 +60,16 @@ module "shared_base_vpn" { module "shared_restricted_vpn" { source = "../vpn-ha" - project_id = local.restricted_project_id - default_region1 = var.default_region1 - default_region2 = var.default_region2 - vpc_name = "${var.environment_code}-shared-restricted" - region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name - region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name - region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name - region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name - environment = var.env - parent_folder = var.parent_folder - org_id = var.org_id - vpn_psk_secret_name = "" + project_id = local.restricted_project_id + env_secret_project_id = local.env_secret_project_id + default_region1 = var.default_region1 + default_region2 = var.default_region2 + vpc_name = "${var.environment_code}-shared-restricted" + region1_router1_name = module.restricted_shared_vpc.region1_router1.router.name + region1_router2_name = module.restricted_shared_vpc.region1_router2.router.name + region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name + region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name + vpn_psk_secret_name = "" on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1 on_prem_router_ip_address2 = "<8.8.8.8>" # on-prem router ip address 2 diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md index 14155fb65..e2bd1b315 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/README.md 
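Review bot: `vpn_psk_secret_name = ""` survives both module calls as an empty string next to the newly added `env_secret_project_id`, so the example now names the secrets project but no secret; presumably the module resolves the pre-shared key from Secret Manager in that project, in which case the empty name should be marked as a placeholder like the `<8.8.8.8>` router addresses, e.g. `vpn_psk_secret_name = "" # <name of the Secret Manager secret in env_secret_project_id that holds the VPN pre-shared key>`. Both module blocks continue past the hunks.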
@@ -5,15 +5,16 @@ |------|-------------|------|---------|:--------:| | allow\_all\_egress\_ranges | List of network ranges to which all egress traffic will be allowed | `any` | `null` | no | | allow\_all\_ingress\_ranges | List of network ranges from which all ingress traffic will be allowed | `any` | `null` | no | +| base\_net\_hub\_project\_id | The base net hub project ID | `string` | `""` | no | | bgp\_asn\_subnet | BGP ASN for Subnets cloud routers. | `number` | n/a | yes | | default\_region1 | Default region 1 for subnets and Cloud Routers | `string` | n/a | yes | | default\_region2 | Default region 2 for subnets and Cloud Routers | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | +| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | -| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no | | mode | Network deployment mode, should be set to `hub` or `spoke` when `enable_hub_and_spoke` architecture chosen, keep as `null` otherwise. | `string` | `null` | no | | nat\_bgp\_asn | BGP ASN for first NAT cloud routes. | `number` | `64514` | no | | nat\_enabled | Toggle creation of NAT cloud router. | `bool` | `false` | no | 
@@ -21,7 +22,6 @@ | nat\_num\_addresses\_region1 | Number of external IPs to reserve for first Cloud NAT. | `number` | `2` | no | | nat\_num\_addresses\_region2 | Number of external IPs to reserve for second Cloud NAT. | `number` | `2` | no | | org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | project\_id | Project ID for Private Shared VPC. | `string` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf index 63689fe60..83f3a051c 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/dns.tf @@ -14,28 +14,6 @@ * limitations under the License. */ -locals { - parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" -} - -data "google_active_folder" "common" { - display_name = "${var.folder_prefix}-common" - parent = local.parent_id -} - -/****************************************** - DNS Hub Project -*****************************************/ - -data "google_projects" "dns_hub" { - filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-dns-hub lifecycleState=ACTIVE" -} - -data "google_compute_network" "vpc_dns_hub" { - name = "vpc-c-dns-hub" - project = data.google_projects.dns_hub.projects[0].project_id -} - /****************************************** Default DNS Policy *****************************************/ 
@@ -53,6 +31,11 @@ resource "google_dns_policy" "default_policy" { /****************************************** Creates DNS Peering to DNS HUB *****************************************/ +data "google_compute_network" "vpc_dns_hub" { + name = "vpc-c-dns-hub" + project = var.dns_hub_project_id +} + module "peering_zone" { source = "terraform-google-modules/cloud-dns/google" version = "~> 3.1" diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index 0130f5530..7d4276052 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf @@ -21,21 +21,6 @@ locals { private_googleapis_cidr = module.private_service_connect.private_service_connect_ip } -/****************************************** - Base Network Hub -*****************************************/ - -data "google_projects" "base_net_hub" { - count = var.mode == "spoke" ? 1 : 0 - filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-base-net-hub lifecycleState=ACTIVE" -} - -data "google_compute_network" "vpc_base_net_hub" { - count = var.mode == "spoke" ? 1 : 0 - name = "vpc-c-shared-base-hub" - project = data.google_projects.base_net_hub[0].projects[0].project_id -} - /****************************************** Shared VPC configuration *****************************************/ @@ -80,6 +65,11 @@ module "main" { /*************************************************************** VPC Peering Configuration **************************************************************/ +data "google_compute_network" "vpc_base_net_hub" { + count = var.mode == "spoke" ? 1 : 0 + name = "vpc-c-shared-base-hub" + project = var.base_net_hub_project_id +} module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" 
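Review bot: `data "google_compute_network" "vpc_base_net_hub"` is instantiated whenever `var.mode == "spoke"` but reads `var.base_net_hub_project_id`, which this series gives a default of `""`; a spoke caller that omits the argument gets a provider error about an invalid project rather than a message naming the missing input. A `validation` block cannot reference `var.mode`, so either drop the default (making the argument required like `dns_hub_project_id`) or, if the pinned Terraform is 1.2 or newer, add `lifecycle { precondition { condition = var.mode != "spoke" || var.base_net_hub_project_id != "", error_message = "base_net_hub_project_id is required when mode is spoke." } }` to the data source.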
diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf index ab7d2c075..c575cd077 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/variables.tf @@ -24,6 +24,17 @@ variable "project_id" { description = "Project ID for Private Shared VPC." } +variable "dns_hub_project_id" { + type = string + description = "The DNS hub project ID" +} + +variable "base_net_hub_project_id" { + type = string + description = "The base net hub project ID" + default = "" +} + variable "mode" { type = string description = "Network deployment mode, should be set to `hub` or `spoke` when `enable_hub_and_spoke` architecture chosen, keep as `null` otherwise." @@ -127,18 +138,6 @@ variable "nat_num_addresses" { default = 2 } -variable "parent_folder" { - description = "Optional - if using a folder for testing." - type = string - default = "" -} - -variable "folder_prefix" { - description = "Name prefix to use for folders created." - type = string - default = "fldr" -} - variable "allow_all_egress_ranges" { description = "List of network ranges to which all egress traffic will be allowed" default = null diff --git a/3-networks-hub-and-spoke/modules/dedicated_interconnect/README.md b/3-networks-hub-and-spoke/modules/dedicated_interconnect/README.md index 746335121..18b1d0bc5 100644 --- a/3-networks-hub-and-spoke/modules/dedicated_interconnect/README.md +++ b/3-networks-hub-and-spoke/modules/dedicated_interconnect/README.md 
@@ -18,9 +18,7 @@ This module implements the recommendation proposed in [Establishing 99.99% Avail | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | cloud\_router\_labels | A map of suffixes for labelling vlans with four entries like "vlan\_1" => "suffix1" with keys from `vlan_1` to `vlan_4`. | `map(string)` | `{}` | no | -| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | +| interconnect\_project\_id | Interconnect project ID. | `string` | n/a | yes | | peer\_asn | Peer BGP Autonomous System Number (ASN). | `number` | n/a | yes | | peer\_name | Name of this BGP peer. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]\*[a-z0-9])? | `string` | n/a | yes | | region1 | First subnet region. The Dedicated Interconnect module only configures two regions. | `string` | n/a | yes | diff --git a/3-networks-hub-and-spoke/modules/dedicated_interconnect/main.tf b/3-networks-hub-and-spoke/modules/dedicated_interconnect/main.tf index 0380a69ac..f82b466f0 100644 --- a/3-networks-hub-and-spoke/modules/dedicated_interconnect/main.tf +++ b/3-networks-hub-and-spoke/modules/dedicated_interconnect/main.tf 
@@ -15,21 +15,10 @@ */ locals { - parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" - interconnect_project_id = data.google_projects.interconnect_project.projects[0].project_id - suffix1 = lookup(var.cloud_router_labels, "vlan_1", "cr1") - suffix2 = lookup(var.cloud_router_labels, "vlan_2", "cr2") - suffix3 = lookup(var.cloud_router_labels, "vlan_3", "cr3") - suffix4 = lookup(var.cloud_router_labels, "vlan_4", "cr4") -} - -data "google_active_folder" "common" { - display_name = "${var.folder_prefix}-common" - parent = local.parent_id -} - -data "google_projects" "interconnect_project" { - filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-interconnect lifecycleState=ACTIVE" + suffix1 = lookup(var.cloud_router_labels, "vlan_1", "cr1") + suffix2 = lookup(var.cloud_router_labels, "vlan_2", "cr2") + suffix3 = lookup(var.cloud_router_labels, "vlan_3", "cr3") + suffix4 = lookup(var.cloud_router_labels, "vlan_4", "cr4") } module "interconnect_attachment1_region1" { @@ -37,7 +26,7 @@ module "interconnect_attachment1_region1" { version = "~> 2.0.0" name = "vl-${var.region1_interconnect1_location}-${var.vpc_name}-${var.region1}-${local.suffix1}" - project = local.interconnect_project_id + project = var.interconnect_project_id region = var.region1 router = var.region1_router1_name @@ -60,7 +49,7 @@ module "interconnect_attachment2_region1" { version = "~> 0.4.0" name = "vl-${var.region1_interconnect2_location}-${var.vpc_name}-${var.region1}-${local.suffix2}" - project = local.interconnect_project_id + project = var.interconnect_project_id region = var.region1 router = var.region1_router2_name 
@@ -83,7 +72,7 @@ module "interconnect_attachment1_region2" { version = "~> 0.4.0" name = "vl-${var.region2_interconnect1_location}-${var.vpc_name}-${var.region2}-${local.suffix3}" - project = local.interconnect_project_id + project = var.interconnect_project_id region = var.region2 router = var.region2_router1_name @@ -106,7 +95,7 @@ module "interconnect_attachment2_region2" { version = "~> 0.4.0" name = "vl-${var.region2_interconnect2_location}-${var.vpc_name}-${var.region2}-${local.suffix4}" - project = local.interconnect_project_id + project = var.interconnect_project_id region = var.region2 router = var.region2_router2_name diff --git a/3-networks-hub-and-spoke/modules/dedicated_interconnect/variables.tf b/3-networks-hub-and-spoke/modules/dedicated_interconnect/variables.tf index 3a3f71259..2244dcd42 100644 --- a/3-networks-hub-and-spoke/modules/dedicated_interconnect/variables.tf +++ b/3-networks-hub-and-spoke/modules/dedicated_interconnect/variables.tf @@ -14,15 +14,9 @@ * limitations under the License. */ -variable "org_id" { +variable "interconnect_project_id" { type = string - description = "Organization ID" -} - -variable "parent_folder" { - description = "Optional - if using a folder for testing." - type = string - default = "" + description = "Interconnect project ID." } variable "vpc_name" { @@ -161,9 +155,3 @@ variable "region2_interconnect2_vlan_tag8021q" { description = "The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094." default = null } - -variable "folder_prefix" { - description = "Name prefix to use for folders created." - type = string - default = "fldr" -} diff --git a/3-networks-hub-and-spoke/modules/partner_interconnect/README.md b/3-networks-hub-and-spoke/modules/partner_interconnect/README.md index a89753d97..8d3b2afb8 100644 --- a/3-networks-hub-and-spoke/modules/partner_interconnect/README.md +++ b/3-networks-hub-and-spoke/modules/partner_interconnect/README.md 
@@ -19,11 +19,8 @@ Without Hub and Spoke enabled VLAN attachments will be created in `prj-{p|n|d}-s | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| attachment\_project\_id | the Interconnect project ID. | `string` | n/a | yes | | cloud\_router\_labels | A map of suffixes for labelling vlans with four entries like "vlan\_1" => "suffix1" with keys from `vlan_1` to `vlan_4`. | `map(string)` | `{}` | no | -| environment | Environment in which to deploy the Partner Interconnect, must be 'common' if enable\_hub\_and\_spoke=true | `string` | `null` | no | -| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | | preactivate | Preactivate Partner Interconnect attachments, works only for level3 Partner Interconnect | `string` | `false` | no | | region1 | First subnet region. The Partner Interconnect module only configures two regions. | `string` | n/a | yes | | region1\_interconnect1\_location | Name of the interconnect location used in the creation of the Interconnect for the first location of region1 | `string` | n/a | yes | diff --git a/3-networks-hub-and-spoke/modules/partner_interconnect/main.tf b/3-networks-hub-and-spoke/modules/partner_interconnect/main.tf index f5f53e854..9e3274f4e 100644 --- a/3-networks-hub-and-spoke/modules/partner_interconnect/main.tf +++ b/3-networks-hub-and-spoke/modules/partner_interconnect/main.tf 
@@ -15,30 +15,16 @@ */ locals { - parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" - suffix1 = lookup(var.cloud_router_labels, "vlan_1", "cr1") - suffix2 = lookup(var.cloud_router_labels, "vlan_2", "cr2") - suffix3 = lookup(var.cloud_router_labels, "vlan_3", "cr3") - suffix4 = lookup(var.cloud_router_labels, "vlan_4", "cr4") - - attachment_project_id = data.google_projects.attachment_project.projects[0].project_id - - app_label = "org-${var.vpc_type}-net-hub" - environment_label = "production" + suffix1 = lookup(var.cloud_router_labels, "vlan_1", "cr1") + suffix2 = lookup(var.cloud_router_labels, "vlan_2", "cr2") + suffix3 = lookup(var.cloud_router_labels, "vlan_3", "cr3") + suffix4 = lookup(var.cloud_router_labels, "vlan_4", "cr4") } -data "google_active_folder" "environment" { - display_name = "${var.folder_prefix}-${var.environment}" - parent = local.parent_id -} - -data "google_projects" "attachment_project" { - filter = "parent.id:${split("/", data.google_active_folder.environment.name)[1]} labels.application_name=${local.app_label} labels.environment=${local.environment_label} lifecycleState=ACTIVE" -} resource "google_compute_interconnect_attachment" "interconnect_attachment1_region1" { name = "vl-${var.region1_interconnect1_location}-${var.vpc_name}-${var.region1}-${local.suffix1}" - project = local.attachment_project_id + project = var.attachment_project_id region = var.region1 router = var.region1_router1_name @@ -49,7 +35,7 @@ resource "google_compute_interconnect_attachment" "interconnect_attachment1_regi resource "google_compute_interconnect_attachment" "interconnect_attachment2_region1" { name = "vl-${var.region1_interconnect2_location}-${var.vpc_name}-${var.region1}-${local.suffix2}" - project = local.attachment_project_id + project = var.attachment_project_id region = var.region1 router = var.region1_router2_name 
@@ -60,7 +46,7 @@ resource "google_compute_interconnect_attachment" "interconnect_attachment2_regi
 resource "google_compute_interconnect_attachment" "interconnect_attachment1_region2" {
 name = "vl-${var.region2_interconnect1_location}-${var.vpc_name}-${var.region2}-${local.suffix1}"
- project = local.attachment_project_id
+ project = var.attachment_project_id
 region = var.region2
 router = var.region2_router1_name
@@ -71,7 +57,7 @@ resource "google_compute_interconnect_attachment" "interconnect_attachment1_regi
 resource "google_compute_interconnect_attachment" "interconnect_attachment2_region2" {
 name = "vl-${var.region2_interconnect2_location}-${var.vpc_name}-${var.region2}-${local.suffix2}"
- project = local.attachment_project_id
+ project = var.attachment_project_id
 region = var.region2
 router = var.region2_router2_name
diff --git a/3-networks-hub-and-spoke/modules/partner_interconnect/variables.tf b/3-networks-hub-and-spoke/modules/partner_interconnect/variables.tf
index cfadab154..069da8846 100644
--- a/3-networks-hub-and-spoke/modules/partner_interconnect/variables.tf
+++ b/3-networks-hub-and-spoke/modules/partner_interconnect/variables.tf
@@ -14,15 +14,9 @@
 * limitations under the License.
 */
-variable "org_id" {
+variable "attachment_project_id" {
 type = string
- description = "Organization ID"
-}
-
-variable "parent_folder" {
- description = "Optional - if using a folder for testing."
- type = string
- default = ""
+ description = "the Interconnect project ID."
 }
 variable "vpc_name" {
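Review bot: `attachment_project_id` accepts any string, including an empty one, now that the attachment project is caller-supplied instead of being discovered by the `org-${var.vpc_type}-net-hub` label under the environment folder; all four `google_compute_interconnect_attachment` resources in main.tf take their `project` from it, so a blank or mistyped value targets whatever project the provider resolves rather than failing at plan time. A `validation` block catches the empty case, and the description should say where the value is expected to come from (presumably the remote-state wiring this PR series introduces — confirm) and be capitalised like the neighbouring variables. The removed lookup also filtered on `lifecycleState=ACTIVE`, a property the explicit id no longer implies.
```hcl
variable "attachment_project_id" {
  type        = string
  description = "The project ID that owns the Partner Interconnect VLAN attachments (the net hub project)."

  validation {
    condition     = length(var.attachment_project_id) > 0
    error_message = "attachment_project_id must not be empty."
  }
}
```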
@@ -86,24 +80,12 @@ variable "cloud_router_labels" {
 default = {}
 }
-variable "folder_prefix" {
- description = "Name prefix to use for folders created."
- type = string
- default = "fldr"
-}
-
 variable "preactivate" {
 description = "Preactivate Partner Interconnect attachments, works only for level3 Partner Interconnect"
 type = string
 default = false
 }
-variable "environment" {
- description = "Environment in which to deploy the Partner Interconnect, must be 'common' if enable_hub_and_spoke=true"
- type = string
- default = null
-}
-
 variable "vpc_type" {
 description = "To which Shared VPC Host attach the Partner Interconnect - base/restricted"
 type = string
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
index 4e7fb1702..f047746b1 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/README.md
@@ -11,10 +11,10 @@ | default\_region2 | Second subnet region. The shared vpc modules only configures two regions. | `string` | n/a | yes | | dns\_enable\_inbound\_forwarding | Toggle inbound query forwarding for VPC DNS. | `bool` | `true` | no | | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | +| dns\_hub\_project\_id | The DNS hub project ID | `string` | n/a | yes | | domain | The DNS name of peering managed zone, for instance 'example.com.' | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization. | `string` | n/a | yes | | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no | -| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no | | members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | `list(string)` | n/a | yes | | mode | Network deployment mode, should be set to `hub` or `spoke` when `enable_hub_and_spoke` architecture chosen, keep as `null` otherwise. | `string` | `null` | no | | nat\_bgp\_asn | BGP ASN for NAT cloud routes. If NAT is enabled this variable value must be a value in ranges [64512..65534] or [4200000000..4294967294]. | `number` | `64512` | no | 
@@ -22,10 +22,11 @@ | nat\_num\_addresses\_region1 | Number of external IPs to reserve for region 1 Cloud NAT. | `number` | `2` | no | | nat\_num\_addresses\_region2 | Number of external IPs to reserve for region 2 Cloud NAT. | `number` | `2` | no | | org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | | private\_service\_cidr | CIDR range for private service networking. Used for Cloud SQL and other managed services. | `string` | `null` | no | | project\_id | Project ID for Restricted Shared VPC. | `string` | n/a | yes | | project\_number | Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter. | `number` | n/a | yes | +| restricted\_net\_hub\_project\_id | The restricted net hub project ID | `string` | `""` | no | +| restricted\_net\_hub\_project\_number | The restricted net hub project number | `string` | `""` | no | | restricted\_services | List of services to restrict. | `list(string)` | n/a | yes | | secondary\_ranges | Secondary ranges that will be used in some of the subnets | `map(list(object({ range_name = string, ip_cidr_range = string })))` | `{}` | no | | subnets | The list of subnets being created | `list(map(string))` | `[]` | no | diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf index 75180046b..440c178f2 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/dns.tf 
@@ -14,28 +14,6 @@
 * limitations under the License.
 */
-locals {
- parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
-}
-
-data "google_active_folder" "common" {
- display_name = "${var.folder_prefix}-common"
- parent = local.parent_id
-}
-
-/******************************************
- DNS Hub Project
-*****************************************/
-
-data "google_projects" "dns_hub" {
- filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-dns-hub lifecycleState=ACTIVE"
-}
-
-data "google_compute_network" "vpc_dns_hub" {
- name = "vpc-c-dns-hub"
- project = data.google_projects.dns_hub.projects[0].project_id
-}
-
 /******************************************
 Default DNS Policy
 *****************************************/
@@ -53,6 +31,11 @@ resource "google_dns_policy" "default_policy" {
 /******************************************
 Creates DNS Peering to DNS HUB
 *****************************************/
+data "google_compute_network" "vpc_dns_hub" {
+ name = "vpc-c-dns-hub"
+ project = var.dns_hub_project_id
+}
+
 module "peering_zone" {
 source = "terraform-google-modules/cloud-dns/google"
 version = "~> 3.1"
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
index 717d62926..71239e083 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf
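Review bot: the new `data "google_compute_network" "vpc_dns_hub"` block trusts `var.dns_hub_project_id` with no comment on where the id comes from, while the network name `vpc-c-dns-hub` stays hard-coded; a reader cannot tell whether the project is discovered or operator-supplied, and a wrong id peers this VPC's DNS (`module "peering_zone"`, which continues outside the hunk) to an unintended network. Add a short comment above the block, e.g. `# DNS hub project is supplied by the caller (expected from the 1-org remote state) rather than discovered by label; the peering target below is only as trustworthy as that id.` The removed `google_projects` lookup also required `lifecycleState=ACTIVE`, which an explicit id no longer guarantees.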
@@ -21,21 +21,6 @@ locals {
 restricted_googleapis_cidr = module.private_service_connect.private_service_connect_ip
 }
-/******************************************
- Restricted Network Hub
-*****************************************/
-
-data "google_projects" "restricted_net_hub" {
- count = var.mode == "spoke" ? 1 : 0
- filter = "parent.id:${split("/", data.google_active_folder.common.name)[1]} labels.application_name=org-restricted-net-hub lifecycleState=ACTIVE"
-}
-
-data "google_compute_network" "vpc_restricted_net_hub" {
- count = var.mode == "spoke" ? 1 : 0
- name = "vpc-c-shared-restricted-hub"
- project = data.google_projects.restricted_net_hub[0].projects[0].project_id
-}
-
 /******************************************
 Shared VPC configuration
 *****************************************/
@@ -81,6 +66,11 @@ module "main" {
 /***************************************************************
 VPC Peering Configuration
 **************************************************************/
+data "google_compute_network" "vpc_restricted_net_hub" {
+ count = var.mode == "spoke" ? 1 : 0
+ name = "vpc-c-shared-restricted-hub"
+ project = var.restricted_net_hub_project_id
+}
 module "peering" {
 source = "terraform-google-modules/network/google//modules/network-peering"
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/service_control.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/service_control.tf
index 5009ff3e6..7abbc958d 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/service_control.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/service_control.tf
@@ -21,11 +21,6 @@ locals {
 bridge_name = "spb_c_to_${local.prefix}_bridge_${random_id.random_access_level_suffix.hex}"
 }
-data "google_project" "restricted_net_hub" {
- count = var.mode == "spoke" ? 1 : 0
- project_id = data.google_projects.restricted_net_hub[0].projects[0].project_id
-}
-
 resource "random_id" "random_access_level_suffix" {
 byte_length = 2
 }
@@ -69,7 +64,7 @@ resource "google_access_context_manager_service_perimeter" "bridge_to_network_hu
 title = local.bridge_name
 status {
- resources = formatlist("projects/%s", [var.project_number, data.google_project.restricted_net_hub[0].number])
+ resources = formatlist("projects/%s", [var.project_number, var.restricted_net_hub_project_number])
 }
 depends_on = [google_access_context_manager_service_perimeter.regular_service_perimeter]
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
index 0c01ce81c..792ee8bd7 100644
--- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/variables.tf
@@ -34,6 +34,23 @@ variable "project_number" {
 description = "Project number for Restricted Shared VPC. It is the project INSIDE the regular service perimeter."
 }
+variable "dns_hub_project_id" {
+ type = string
+ description = "The DNS hub project ID"
+}
+
+variable "restricted_net_hub_project_id" {
+ type = string
+ description = "The restricted net hub project ID"
+ default = ""
+}
+
+variable "restricted_net_hub_project_number" {
+ type = string
+ description = "The restricted net hub project number"
+ default = ""
+}
+
 variable "mode" {
 type = string
 description = "Network deployment mode, should be set to `hub` or `spoke` when `enable_hub_and_spoke` architecture chosen, keep as `null` otherwise."
@@ -141,18 +158,6 @@ variable "restricted_services" {
 description = "List of services to restrict."
 }
-variable "parent_folder" {
- description = "Optional - if using a folder for testing."
- type = string
- default = ""
-}
-
-variable "folder_prefix" {
- description = "Name prefix to use for folders created."
- type = string
- default = "fldr"
-}
-
 variable "allow_all_egress_ranges" {
 description = "List of network ranges to which all egress traffic will be allowed"
 default = null
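Review bot: `restricted_net_hub_project_number` and `restricted_net_hub_project_id` default to `""` but are effectively mandatory when `mode == "spoke"`: the `bridge_to_network_hub` perimeter in service_control.tf now builds `projects/${var.restricted_net_hub_project_number}` from the former, so a forgotten value yields a malformed `projects/` resource and a wrong value bridges the VPC-SC perimeter to the wrong project — the old `google_project` data source at least guaranteed a real project number. Add a validation that the value is numeric, `condition = var.restricted_net_hub_project_number == "" || can(regex("^[0-9]+$", var.restricted_net_hub_project_number))`, and state in both descriptions that they are required when `mode = "spoke"`. A cross-variable check (non-empty iff spoke) needs a `precondition` on the consuming resource, available from Terraform 1.2 — confirm the module's `required_version`. The `bridge_to_network_hub` resource starts outside the hunk.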
diff --git a/3-networks-hub-and-spoke/modules/vpn-ha/README.md b/3-networks-hub-and-spoke/modules/vpn-ha/README.md index 0480eef1a..5d8374695 100755 --- a/3-networks-hub-and-spoke/modules/vpn-ha/README.md +++ b/3-networks-hub-and-spoke/modules/vpn-ha/README.md @@ -23,12 +23,9 @@ If you are not able to use Dedicated Interconnect or Partner Interconnect you ca | bgp\_peer\_asn | BGP ASN for cloud routes. | `number` | n/a | yes | | default\_region1 | Default region 1 for Cloud Routers | `string` | n/a | yes | | default\_region2 | Default region 2 for Cloud Routers | `string` | n/a | yes | -| environment | Environment for the VPN configuration. Valid options are development, non-production, production | `string` | n/a | yes | -| folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no | +| env\_secret\_project\_id | the environment secrets project ID | `string` | n/a | yes | | on\_prem\_router\_ip\_address1 | On-Prem Router IP address | `string` | n/a | yes | | on\_prem\_router\_ip\_address2 | On-Prem Router IP address | `string` | n/a | yes | -| org\_id | Organization ID | `string` | n/a | yes | -| parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no | | project\_id | VPC Project ID | `string` | n/a | yes | | region1\_router1\_name | Name of the Router 1 for Region 1 where the attachment resides. | `string` | n/a | yes | | region1\_router1\_tunnel0\_bgp\_peer\_address | BGP session address for router 1 in region 1 tunnel 0 | `string` | n/a | yes | diff --git a/3-networks-hub-and-spoke/modules/vpn-ha/main.tf b/3-networks-hub-and-spoke/modules/vpn-ha/main.tf index e10cf1c49..93fdf68ee 100755 --- a/3-networks-hub-and-spoke/modules/vpn-ha/main.tf +++ b/3-networks-hub-and-spoke/modules/vpn-ha/main.tf 
@@ -19,23 +19,12 @@
 *****************************************/
 locals {
- parent_id = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
- network_name = "vpc-${var.vpc_name}"
- env_secret_project_id = data.google_projects.env_secrets.projects[0].project_id
- psk_secret_data = chomp(data.google_secret_manager_secret_version.psk.secret_data)
-}
-
-data "google_active_folder" "env" {
- display_name = "${var.folder_prefix}-${var.environment}"
- parent = local.parent_id
-}
-
-data "google_projects" "env_secrets" {
- filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=env-secrets labels.environment=${var.environment} lifecycleState=ACTIVE"
+ network_name = "vpc-${var.vpc_name}"
+ psk_secret_data = chomp(data.google_secret_manager_secret_version.psk.secret_data)
 }
 data "google_secret_manager_secret_version" "psk" {
- project = local.env_secret_project_id
+ project = var.env_secret_project_id
 secret = var.vpn_psk_secret_name
 }
diff --git a/3-networks-hub-and-spoke/modules/vpn-ha/variables.tf b/3-networks-hub-and-spoke/modules/vpn-ha/variables.tf
index 6b426f129..e85f6f85d 100644
--- a/3-networks-hub-and-spoke/modules/vpn-ha/variables.tf
+++ b/3-networks-hub-and-spoke/modules/vpn-ha/variables.tf
@@ -19,6 +19,11 @@ variable "project_id" {
 description = "VPC Project ID"
 }
+variable "env_secret_project_id" {
+ type = string
+ description = "the environment secrets project ID"
+}
+
 variable "default_region1" {
 type = string
 description = "Default region 1 for Cloud Routers"
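Review bot: `env_secret_project_id` is a bare string with a lowercase description and nothing tying it to the environment, yet it decides which project the VPN PSK is read from in `data "google_secret_manager_secret_version" "psk"`; the replaced `google_projects` lookup constrained that project to `labels.environment=${var.environment}` under the environment folder, so a PSK could not be pulled from another environment's secrets project by mistake, whereas now any project the Terraform service account can read is accepted. Make the contract explicit, `description = "Project ID of the environment secrets project holding the VPN PSK; must belong to the same environment as the VPN being created."`, and add a `validation` rejecting an empty value. Keep it consistent with `vpn_psk_secret_name`, whose description already says the secret is retrieved from the environment secrets project.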
@@ -29,16 +34,6 @@ variable "default_region2" {
 description = "Default region 2 for Cloud Routers"
 }
-variable "environment" {
- type = string
- description = "Environment for the VPN configuration. Valid options are development, non-production, production"
-}
-
-variable "org_id" {
- type = string
- description = "Organization ID"
-}
-
 variable "vpn_psk_secret_name" {
 type = string
 description = "The name of the secret to retrieve from secret manager. This will be retrieved from the environment secrets project."
@@ -163,15 +158,3 @@ variable "region2_router2_tunnel1_bgp_peer_range" {
 type = string
 description = "BGP session range for router 2 in region 1 tunnel 1"
 }
-
-variable "parent_folder" {
- description = "Optional - if using a folder for testing."
- type = string
- default = ""
-}
-
-variable "folder_prefix" {
- description = "Name prefix to use for folders created."
- type = string
- default = "fldr"
-}
From 64ae32319efa6f94957f17bff124927ed355dd9f Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade
Date: Tue, 23 Aug 2022 17:00:54 -0300
Subject: [PATCH 14/30] update test to use remote state in step 3-networks
---
 test/integration/networks/networks_test.go | 7 +++++++
 test/integration/projects/projects_test.go | 9 +++++++++
 test/integration/shared/shared_test.go | 7 +++++++
 3 files changed, 23 insertions(+)
diff --git a/test/integration/networks/networks_test.go b/test/integration/networks/networks_test.go
index d20bb1a64..156d2b888 100644
--- a/test/integration/networks/networks_test.go
+++ b/test/integration/networks/networks_test.go
@@ -88,6 +88,11 @@ func TestNetworks(t *testing.T) {
 )
 terraformSA := bootstrap.GetStringOutput("networks_step_terraform_service_account_email")
+ backend_bucket := bootstrap.GetStringOutput("gcs_bucket_tfstate")
+
+ backendConfig := map[string]interface{}{
+ "bucket": backend_bucket,
+ }
 restrictedServices := []string{
 "bigquery.googleapis.com",
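Review bot: `backend_bucket` is a snake_case local in Go; the surrounding code uses `terraformSA`, `policyID` and `backendConfig`, and `golint`/`revive` will flag the new name. Rename it `backendBucket := bootstrap.GetStringOutput("gcs_bucket_tfstate")` and update its two uses in this test. The same spelling is introduced in projects_test.go, shared_test.go and app_infra_test.go later in this series, so the rename should be applied there as well. `TestNetworks` continues outside the hunk.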
@@ -123,6 +128,7 @@ func TestNetworks(t *testing.T) {
 vars := map[string]interface{}{
 "access_context_manager_policy_id": policyID,
+ "backend_bucket": backend_bucket,
 "terraform_service_account": terraformSA,
 }
@@ -137,6 +143,7 @@ func TestNetworks(t *testing.T) {
 networks := tft.NewTFBlueprintTest(t,
 tft.WithTFDir(fmt.Sprintf(tfdDir, envName)),
 tft.WithVars(vars),
+ tft.WithBackendConfig(backendConfig),
 )
 networks.DefineVerify(
 func(assert *assert.Assertions) {
diff --git a/test/integration/projects/projects_test.go b/test/integration/projects/projects_test.go
index c108583f0..3daa27a94 100644
--- a/test/integration/projects/projects_test.go
+++ b/test/integration/projects/projects_test.go
@@ -53,6 +53,11 @@ func TestProjects(t *testing.T) {
 )
 terraformSA := bootstrap.GetStringOutput("projects_step_terraform_service_account_email")
+ backend_bucket := bootstrap.GetStringOutput("gcs_bucket_tfstate")
+
+ backendConfig := map[string]interface{}{
+ "bucket": backend_bucket,
+ }
 var sharedCloudBuildSA = map[string]string{
 "bu1": "",
@@ -87,11 +92,13 @@ func TestProjects(t *testing.T) {
 sharedVars := map[string]interface{}{
 "terraform_service_account": terraformSA,
+ "backend_bucket": backend_bucket,
 }
 shared := tft.NewTFBlueprintTest(t,
 tft.WithTFDir(tts.tfDir),
 tft.WithVars(sharedVars),
+ tft.WithBackendConfig(backendConfig),
 )
 shared.DefineApply(
@@ -197,11 +204,13 @@ func TestProjects(t *testing.T) {
 "perimeter_name": perimeterName,
 "access_context_manager_policy_id": policyID,
 "terraform_service_account": terraformSA,
+ "backend_bucket": backend_bucket,
 }
 projects := tft.NewTFBlueprintTest(t,
 tft.WithTFDir(tt.tfDir),
 tft.WithVars(vars),
+ tft.WithBackendConfig(backendConfig),
 )
 projects.DefineApply(
 func(assert *assert.Assertions) {
diff --git a/test/integration/shared/shared_test.go b/test/integration/shared/shared_test.go
index 6561d556c..f46b0f773 100644
--- a/test/integration/shared/shared_test.go
+++ b/test/integration/shared/shared_test.go
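Review bot: the bucket name is handed to each blueprint twice in projects_test.go, once as `tft.WithBackendConfig(backendConfig)` and once as the `backend_bucket` Terraform variable, with no comment saying why both are needed; a later maintainer is likely to drop one of them as redundant. Add a one-line comment where `backendConfig` is built, e.g. `// backend_bucket is also passed as a TF var: the step reads earlier steps' outputs via terraform_remote_state from the same bucket`, which matches the remote_state.tf files added earlier in this series — confirm against the 4-projects sources. `TestProjects` starts and ends outside these hunks.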
@@ -48,12 +48,18 @@ func TestShared(t *testing.T) {
 )
 terraformSA := bootstrap.GetStringOutput("networks_step_terraform_service_account_email")
+ backend_bucket := bootstrap.GetStringOutput("gcs_bucket_tfstate")
 vars := map[string]interface{}{
 "access_context_manager_policy_id": policyID,
+ "backend_bucket": backend_bucket,
 "terraform_service_account": terraformSA,
 }
+ backendConfig := map[string]interface{}{
+ "bucket": backend_bucket,
+ }
+
 var tfdDir string
 if getNetworkMode(t) {
 tfdDir = "../../../3-networks-hub-and-spoke/envs/shared"
@@ -64,6 +70,7 @@ func TestShared(t *testing.T) {
 shared := tft.NewTFBlueprintTest(t,
 tft.WithTFDir(tfdDir),
 tft.WithVars(vars),
+ tft.WithBackendConfig(backendConfig),
 )
 shared.DefineVerify(
 func(assert *assert.Assertions) {
From 13dd1f5c0445313673d0d2758f728386aa393f31 Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade
Date: Tue, 23 Aug 2022 20:11:46 -0300
Subject: [PATCH 15/30] fix bootstrap apply stage in integration test
---
 test/integration/bootstrap/bootstrap_test.go | 44 +++++++++-----------
 1 file changed, 20 insertions(+), 24 deletions(-)
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index 06a5c2487..69102efde 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -92,30 +92,7 @@ func TestBootstrap(t *testing.T) {
 bootstrap.DefineApply(
 func(assert *assert.Assertions) {
-
- bootstrap.DefaultApply(assert)
- // configure options to push state to GCS bucket
- tempOptions := bootstrap.GetTFOptions()
- tempOptions.BackendConfig = map[string]interface{}{
- "bucket": bootstrap.GetStringOutput("gcs_bucket_tfstate"),
- }
- tempOptions.MigrateState = true
- // create backend file
- cwd, err := os.Getwd()
- require.NoError(t, err)
- destFile := path.Join(cwd, "../../../0-bootstrap/backend.tf")
- fExists, err2 := fileExists(destFile)
- require.NoError(t, err2)
- if !fExists {
- srcFile := path.Join(cwd, "../../../0-bootstrap/backend.tf.example")
- _, err3 := exec.Command("cp", srcFile, destFile).CombinedOutput()
- require.NoError(t, err3)
- }
- terraform.Init(t, tempOptions)
- })
-
- bootstrap.DefineApply(
- func(assert *assert.Assertions) {
+ // check APIs
 projectID := bootstrap.GetTFSetupStringOutput("project_id")
 for _, api := range []string{
 "cloudresourcemanager.googleapis.com",
@@ -136,6 +113,25 @@ func TestBootstrap(t *testing.T) {
 }
 bootstrap.DefaultApply(assert)
+
+ // configure options to push state to GCS bucket
+ tempOptions := bootstrap.GetTFOptions()
+ tempOptions.BackendConfig = map[string]interface{}{
+ "bucket": bootstrap.GetStringOutput("gcs_bucket_tfstate"),
+ }
+ tempOptions.MigrateState = true
+ // create backend file
+ cwd, err := os.Getwd()
+ require.NoError(t, err)
+ destFile := path.Join(cwd, "../../../0-bootstrap/backend.tf")
+ fExists, err2 := fileExists(destFile)
+ require.NoError(t, err2)
+ if !fExists {
+ srcFile := path.Join(cwd, "../../../0-bootstrap/backend.tf.example")
+ _, err3 := exec.Command("cp", srcFile, destFile).CombinedOutput()
+ require.NoError(t, err3)
+ }
+ terraform.Init(t, tempOptions)
 })
 bootstrap.DefineVerify(
From 432dbfa5152a34c288dcee368054f91488acddc8 Mon Sep 17 00:00:00 2001
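Review bot: the relocated block copies `backend.tf.example` by shelling out to `cp` through `exec.Command`, which makes the test depend on an external binary and throws away the command output that would explain a failure, and it builds filesystem paths with `path.Join`, which is meant for slash-separated URL paths rather than OS paths. Reading the example with `os.ReadFile` and writing it with `os.WriteFile` (Go 1.16+, confirm the module's go version) and switching to `filepath.Join` (import `path/filepath` in place of `path`) removes both dependencies, and the `err2`/`err3` names then collapse into the idiomatic re-declared `err`. `TestBootstrap` and the enclosing `DefineApply` closure continue outside the hunk.
```go
// … unchanged: tempOptions / MigrateState setup …
cwd, err := os.Getwd()
require.NoError(t, err)
destFile := filepath.Join(cwd, "../../../0-bootstrap/backend.tf")
fExists, err := fileExists(destFile)
require.NoError(t, err)
if !fExists {
	srcFile := filepath.Join(cwd, "../../../0-bootstrap/backend.tf.example")
	content, err := os.ReadFile(srcFile)
	require.NoError(t, err)
	require.NoError(t, os.WriteFile(destFile, content, 0o644))
}
terraform.Init(t, tempOptions)
```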
From: Daniel da Silva Andrade
Date: Wed, 24 Aug 2022 00:03:17 -0300
Subject: [PATCH 16/30] fix soft link cyclo
---
 5-app-infra/terraform.example.tfvars | 21 +++++++++++++++++++++
 5-app-infra/terraform.tfvars | 1 -
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 5-app-infra/terraform.example.tfvars
 delete mode 120000 5-app-infra/terraform.tfvars
diff --git a/5-app-infra/terraform.example.tfvars b/5-app-infra/terraform.example.tfvars
new file mode 100644
index 000000000..6e505bb8a
--- /dev/null
+++ b/5-app-infra/terraform.example.tfvars
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform_service_account = "org-terraform@prj-b-seed-2334.iam.gserviceaccount.com"
+
+instance_region = "us-central1" // should be one of the regions used to create network on step 3-networks
+
+backend_bucket = ""
diff --git a/5-app-infra/terraform.tfvars b/5-app-infra/terraform.tfvars
deleted file mode 120000
index 174bcacf9..000000000
--- a/5-app-infra/terraform.tfvars
+++ /dev/null
@@ -1 +0,0 @@
-terraform.tfvars
\ No newline at end of file
From ba40a202a0b4d7d3d57ae4724dd405c142b1717d Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade
Date: Wed, 24 Aug 2022 00:23:38 -0300
Subject: [PATCH 17/30] update script to disable tf files
---
 test/disable_tf_files.sh | 29 +++-------------------------
 1 file changed, 3 insertions(+), 26 deletions(-)
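Review bot: the new example pins `terraform_service_account` to a concrete-looking principal, `org-terraform@prj-b-seed-2334.iam.gserviceaccount.com`; example tfvars get copied verbatim, so a real-looking seed suffix invites users to leave it in place and, if it is a real project, publishes its identifier (if `2334` is the placeholder used by the other example files in the repo, ignore this). Use an obvious placeholder, `terraform_service_account = "org-terraform@prj-b-seed-XXXX.iam.gserviceaccount.com"`, and annotate the empty `backend_bucket = ""` with `// gcs_bucket_tfstate output of step 0-bootstrap`, which is what the test code in this series reads. The `Copyright 2021` header in a file created in a 2022 commit also looks like a copy-paste leftover.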
diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh
index cef97eba0..ad4861abe 100755
--- a/test/disable_tf_files.sh
+++ b/test/disable_tf_files.sh
@@ -56,24 +56,6 @@ function shared(){ function projects(){ - # disable access_context.auto.tfvars in main module - mv 4-projects/business_unit_1/development/access_context.auto.tfvars 4-projects/business_unit_1/development/access_context.auto.tfvars.disabled - mv 4-projects/business_unit_1/non-production/access_context.auto.tfvars 4-projects/business_unit_1/non-production/access_context.auto.tfvars.disabled - mv 4-projects/business_unit_1/production/access_context.auto.tfvars 4-projects/business_unit_1/production/access_context.auto.tfvars.disabled - mv 4-projects/business_unit_2/development/access_context.auto.tfvars 4-projects/business_unit_2/development/access_context.auto.tfvars.disabled - mv 4-projects/business_unit_2/non-production/access_context.auto.tfvars 4-projects/business_unit_2/non-production/access_context.auto.tfvars.disabled - mv 4-projects/business_unit_2/production/access_context.auto.tfvars 4-projects/business_unit_2/production/access_context.auto.tfvars.disabled - - # disable business_unit_1.auto.tfvars in main module - mv 4-projects/business_unit_1/development/business_unit_1.auto.tfvars 4-projects/business_unit_1/development/business_unit_1.auto.tfvars.disabled - mv 4-projects/business_unit_1/non-production/business_unit_1.auto.tfvars 4-projects/business_unit_1/non-production/business_unit_1.auto.tfvars.disabled - mv 4-projects/business_unit_1/production/business_unit_1.auto.tfvars 4-projects/business_unit_1/production/business_unit_1.auto.tfvars.disabled - - # disable business_unit_2.auto.tfvars in main module - mv 4-projects/business_unit_2/development/business_unit_2.auto.tfvars 4-projects/business_unit_2/development/business_unit_2.auto.tfvars.disabled - mv 4-projects/business_unit_2/non-production/business_unit_2.auto.tfvars 4-projects/business_unit_2/non-production/business_unit_2.auto.tfvars.disabled - mv 4-projects/business_unit_2/production/business_unit_2.auto.tfvars 
4-projects/business_unit_2/production/business_unit_2.auto.tfvars.disabled - # disable ENVS.auto.tfvars in main module mv 4-projects/business_unit_1/development/development.auto.tfvars 4-projects/business_unit_1/development/development.auto.tfvars.disabled mv 4-projects/business_unit_2/development/development.auto.tfvars 4-projects/business_unit_2/development/development.auto.tfvars.disabled 
@@ -102,15 +84,10 @@ function appinfra(){ mv 5-app-infra/business_unit_1/non-production/backend.tf 5-app-infra/business_unit_1/non-production/backend.tf.disabled mv 5-app-infra/business_unit_1/production/backend.tf 5-app-infra/business_unit_1/production/backend.tf.disabled - # disable ENVS.auto.tfvars in main module - mv 5-app-infra/business_unit_1/development/bu1-development.auto.tfvars 5-app-infra/business_unit_1/development/bu1-development.auto.tfvars.disabled - mv 5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars 5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars.disabled - mv 5-app-infra/business_unit_1/production/bu1-production.auto.tfvars 5-app-infra/business_unit_1/production/bu1-production.auto.tfvars.disabled - # disable common.auto.tfvars in main module - mv 5-app-infra/business_unit_1/development/common.auto.tfvars 5-app-infra/business_unit_1/development/common.auto.tfvars.disabled - mv 5-app-infra/business_unit_1/non-production/common.auto.tfvars 5-app-infra/business_unit_1/non-production/common.auto.tfvars.disabled - mv 5-app-infra/business_unit_1/production/common.auto.tfvars 5-app-infra/business_unit_1/production/common.auto.tfvars.disabled + mv 5-app-infra/business_unit_1/development/terraform.tfvars 5-app-infra/business_unit_1/development/terraform.tfvars.disabled + mv 5-app-infra/business_unit_1/non-production/terraform.tfvars 5-app-infra/business_unit_1/non-production/terraform.tfvars.disabled + mv 5-app-infra/business_unit_1/production/terraform.tfvars 5-app-infra/business_unit_1/production/terraform.tfvars.disabled } From dbc360eba0148af2024b302235f8ab90622ca037 Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Wed, 24 Aug 2022 00:24:34 -0300 Subject: [PATCH 18/30] fix step 5-app-infra test --- test/integration/app-infra/app_infra_test.go | 6 ++++++ 1 file changed, 6 insertions(+) 
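Review bot: the three new `mv` lines in `appinfra()` sit under a comment that, if it survives as context above them, still reads `# disable common.auto.tfvars in main module` while the files being moved are now `terraform.tfvars`, so the comment no longer describes the code. Update it to `# disable terraform.tfvars in main module` and collapse the repetition: `for env in development non-production production; do mv "5-app-infra/business_unit_1/${env}/terraform.tfvars" "5-app-infra/business_unit_1/${env}/terraform.tfvars.disabled"; done`. None of the `mv` calls checks that the source exists, so a missing file aborts the whole script if it runs under `set -e` — the shebang and shell options are outside the hunk.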
diff --git a/test/integration/app-infra/app_infra_test.go b/test/integration/app-infra/app_infra_test.go
index 6c777ee70..ea7dfddc7 100644
--- a/test/integration/app-infra/app_infra_test.go
+++ b/test/integration/app-infra/app_infra_test.go
@@ -26,6 +26,11 @@ import (
 func TestAppInfra(t *testing.T) {
+ bootstrap := tft.NewTFBlueprintTest(t,
+ tft.WithTFDir("../../../0-bootstrap"),
+ )
+ backend_bucket := bootstrap.GetStringOutput("gcs_bucket_tfstate")
+
 for _, envName := range []string{
 "development",
 "non-production",
@@ -39,6 +44,7 @@ func TestAppInfra(t *testing.T) {
 vars := map[string]interface{}{
 "project_service_account": projects.GetStringOutput("base_shared_vpc_project_sa"),
+ "backend_bucket": backend_bucket,
 }
 appInfra := tft.NewTFBlueprintTest(t,
From 58db361fe6a0238ef20105ecce2f26ce34a25d13 Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade
Date: Wed, 24 Aug 2022 08:05:35 -0300
Subject: [PATCH 19/30] remove extra vars from test initialization
---
 test/integration/projects/projects_test.go | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/test/integration/projects/projects_test.go b/test/integration/projects/projects_test.go
index 3daa27a94..b71814798 100644
--- a/test/integration/projects/projects_test.go
+++ b/test/integration/projects/projects_test.go
@@ -200,9 +200,6 @@ func TestProjects(t *testing.T) {
 perimeterName := networks.GetStringOutput("restricted_service_perimeter_name")
 vars := map[string]interface{}{
- "app_infra_pipeline_cloudbuild_sa": sharedCloudBuildSA[env[0]],
- "perimeter_name": perimeterName,
- "access_context_manager_policy_id": policyID,
 "terraform_service_account": terraformSA,
 "backend_bucket": backend_bucket,
 }
From 9d15021a61cf7adb1dfc189cd1e598545d3cc7a9 Mon Sep 17 00:00:00 2001
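Review bot: the projects_test.go hunk removes the only visible use of `perimeterName` (`"perimeter_name": perimeterName`) while the `perimeterName := networks.GetStringOutput("restricted_service_perimeter_name")` assignment stays as context; if nothing later in `TestProjects` reads it, the compiler rejects the file with `declared and not used`, and the `networks` blueprint it is derived from becomes dead setup. Either delete the assignment (and the `networks` blueprint if it has no other reader) or keep the var in the map; the same question applies to `policyID` and `sharedCloudBuildSA`, whose uses are also dropped here. `TestProjects` continues outside the hunk, so this needs checking against the full function.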
From: Daniel da Silva Andrade
Date: Wed, 24 Aug 2022 21:46:25 -0300
Subject: [PATCH 20/30] remove terraform service account from the var in step 4 integration test
---
 test/integration/projects/projects_test.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/test/integration/projects/projects_test.go b/test/integration/projects/projects_test.go
index 51f425f6f..2e835b00d 100644
--- a/test/integration/projects/projects_test.go
+++ b/test/integration/projects/projects_test.go
@@ -202,7 +202,6 @@ func TestProjects(t *testing.T) {
 perimeterName := networks.GetStringOutput("restricted_service_perimeter_name")
 vars := map[string]interface{}{
- "terraform_service_account": terraformSA,
 "backend_bucket": backend_bucket,
 }
From 2886dba9b6967684426ea2352c38af574c98021c Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade
Date: Thu, 25 Aug 2022 02:08:37 -0300
Subject: [PATCH 21/30] remove project service account from test vars
---
 test/integration/app-infra/app_infra_test.go | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/test/integration/app-infra/app_infra_test.go b/test/integration/app-infra/app_infra_test.go
index ea7dfddc7..e88ca71cf 100644
--- a/test/integration/app-infra/app_infra_test.go
+++ b/test/integration/app-infra/app_infra_test.go
@@ -38,13 +38,8 @@ func TestAppInfra(t *testing.T) {
 } {
 t.Run(envName, func(t *testing.T) {
- projects := tft.NewTFBlueprintTest(t,
- tft.WithTFDir(fmt.Sprintf("../../../4-projects/business_unit_1/%s", envName)),
- )
-
 vars := map[string]interface{}{
- "project_service_account": projects.GetStringOutput("base_shared_vpc_project_sa"),
- "backend_bucket": backend_bucket,
+ "backend_bucket": backend_bucket,
 }
 appInfra := tft.NewTFBlueprintTest(t,
From df858ea4e1af71c50a662d41f798f44aa364e357 Mon Sep 17 00:00:00 2001
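Review bot: removing the `projects` blueprint from the app_infra_test.go loop also removes the one visible `fmt.Sprintf` call; if the remaining `appInfra := tft.NewTFBlueprintTest(t,` (its arguments continue outside the hunk) does not use `fmt`, the import is now unused and the file stops compiling. Run `go vet ./test/...` before merging and drop the import if it is dead. With `project_service_account` no longer passed, the 5-app-infra step must obtain that service account itself, presumably from remote state as the rest of the series does — a one-line comment in the test saying so would spare the next reader the archaeology.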
From: Daniel da Silva Andrade
Date: Thu, 25 Aug 2022 10:23:43 -0300
Subject: [PATCH 22/30] split projects test into test for shared and test for envs
---
 build/int.cloudbuild.yaml | 16 +++
 test/disable_tf_files.sh | 20 ++-
 .../projects-shared/projects_shared_test.go | 100 +++++++++++++++
 test/integration/projects/projects_test.go | 116 +++--------------
 4 files changed, 149 insertions(+), 103 deletions(-)
 create mode 100644 test/integration/projects-shared/projects_shared_test.go
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 5c42cc3f9..131ef8580 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -90,6 +90,18 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestNetworks --stage verify --verbose --test-dir /workspace/test/integration'] +- id: create-projects-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', './test/disable_tf_files.sh --projectsshared && cft test run TestProjectsShared --stage init --verbose --test-dir /workspace/test/integration'] + +- id: converge-projects-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestProjectsShared --stage apply --verbose --test-dir /workspace/test/integration'] + +- id: verify-projects-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestProjectsShared --stage verify --verbose --test-dir /workspace/test/integration'] + - id: create-projects name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', './test/disable_tf_files.sh --projects && cft test run TestProjects --stage init --verbose --test-dir /workspace/test/integration'] 
@@ -122,6 +134,10 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestProjects --stage destroy --verbose --test-dir /workspace/test/integration'] +- id: destroy-projects-shared + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestProjectsShared --stage destroy --verbose --test-dir /workspace/test/integration'] + - id: destroy-networks name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestNetworks --stage destroy --verbose --test-dir /workspace/test/integration'] diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh index ad4861abe..c9772b861 100755 --- a/test/disable_tf_files.sh +++ b/test/disable_tf_files.sh 
@@ -54,8 +54,17 @@ function shared(){ mv $network_dir/envs/shared/shared.auto.tfvars $network_dir/envs/shared/shared.auto.tfvars.disabled } -function projects(){ +function projectsshared(){ + # disable shared.auto.tfvars + mv 4-projects/business_unit_1/shared/shared.auto.tfvars 4-projects/business_unit_1/shared/shared.auto.tfvars.disabled + mv 4-projects/business_unit_2/shared/shared.auto.tfvars 4-projects/business_unit_2/shared/shared.auto.tfvars.disabled + + # disable common.auto.tfvars + mv 4-projects/business_unit_1/shared/common.auto.tfvars 4-projects/business_unit_1/shared/common.auto.tfvars.disabled + mv 4-projects/business_unit_2/shared/common.auto.tfvars 4-projects/business_unit_2/shared/common.auto.tfvars.disabled +} +function projects(){ # disable ENVS.auto.tfvars in main module mv 4-projects/business_unit_1/development/development.auto.tfvars 4-projects/business_unit_1/development/development.auto.tfvars.disabled mv 4-projects/business_unit_2/development/development.auto.tfvars 4-projects/business_unit_2/development/development.auto.tfvars.disabled 
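Review bot: The four `mv` lines in the new `projectsshared()` repeat the same two paths per business unit, and unlike `shared()` just above (which builds paths from `$network_dir`) they spell out `4-projects/...` in full, so adding a business unit means editing eight strings across this function and `projects()`. A loop over the business units keeps the function to one `mv` per file and makes the two file kinds being disabled obvious. Whether a failed `mv` (file already renamed on a re-run) aborts the script depends on a `set -e` outside the hunk, so the loop below keeps the original unguarded calls.
```shell
function projectsshared(){
  # disable shared.auto.tfvars and common.auto.tfvars in the shared envs
  for bu in business_unit_1 business_unit_2; do
    mv 4-projects/$bu/shared/shared.auto.tfvars 4-projects/$bu/shared/shared.auto.tfvars.disabled
    mv 4-projects/$bu/shared/common.auto.tfvars 4-projects/$bu/shared/common.auto.tfvars.disabled
  done
}
```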
@@ -63,19 +72,14 @@ function projects(){ mv 4-projects/business_unit_2/non-production/non-production.auto.tfvars 4-projects/business_unit_2/non-production/non-production.auto.tfvars.disabled mv 4-projects/business_unit_1/production/production.auto.tfvars 4-projects/business_unit_1/production/production.auto.tfvars.disabled mv 4-projects/business_unit_2/production/production.auto.tfvars 4-projects/business_unit_2/production/production.auto.tfvars.disabled - mv 4-projects/business_unit_1/shared/shared.auto.tfvars 4-projects/business_unit_1/shared/shared.auto.tfvars.disabled - mv 4-projects/business_unit_2/shared/shared.auto.tfvars 4-projects/business_unit_2/shared/shared.auto.tfvars.disabled # disable common.auto.tfvars in main module mv 4-projects/business_unit_1/development/common.auto.tfvars 4-projects/business_unit_1/development/common.auto.tfvars.disabled mv 4-projects/business_unit_1/non-production/common.auto.tfvars 4-projects/business_unit_1/non-production/common.auto.tfvars.disabled mv 4-projects/business_unit_1/production/common.auto.tfvars 4-projects/business_unit_1/production/common.auto.tfvars.disabled - mv 4-projects/business_unit_1/shared/common.auto.tfvars 4-projects/business_unit_1/shared/common.auto.tfvars.disabled mv 4-projects/business_unit_2/development/common.auto.tfvars 4-projects/business_unit_2/development/common.auto.tfvars.disabled mv 4-projects/business_unit_2/non-production/common.auto.tfvars 4-projects/business_unit_2/non-production/common.auto.tfvars.disabled mv 4-projects/business_unit_2/production/common.auto.tfvars 4-projects/business_unit_2/production/common.auto.tfvars.disabled - mv 4-projects/business_unit_2/shared/common.auto.tfvars 4-projects/business_unit_2/shared/common.auto.tfvars.disabled - } function appinfra(){ @@ -107,6 +111,10 @@ do appinfra shift ;; + -d|--projectsshared) + projectsshared + shift + ;; -p|--projects) projects shift 
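Review bot: In the second hunk the short option `-d` for `--projectsshared` does not relate to the long name and reads like "disable" or "development" next to `-p|--projects`; a letter tied to the name (for example `-s` or `-S`) would be more legible, provided it does not collide with an existing option such as one for the `shared()` function, whose case branches are outside the hunk. Proposed: `-s|--projectsshared)` if `-s` is free in the option loop above.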
diff --git a/test/integration/projects-shared/projects_shared_test.go b/test/integration/projects-shared/projects_shared_test.go
new file mode 100644
index 000000000..4bfc14e19
--- /dev/null
+++ b/test/integration/projects-shared/projects_shared_test.go
@@ -0,0 +1,100 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package projectsshared + +import ( + "fmt" + "testing" + + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" + "github.com/stretchr/testify/assert" + + "github.com/terraform-google-modules/terraform-example-foundation/test/integration/testutils" +) + +func TestProjectsShared(t *testing.T) { + + bootstrap := tft.NewTFBlueprintTest(t, + tft.WithTFDir("../../../0-bootstrap"), + ) + + // Configure impersonation for test execution + terraformSA := bootstrap.GetStringOutput("projects_step_terraform_service_account_email") + utils.SetEnv(t, "GOOGLE_IMPERSONATE_SERVICE_ACCOUNT", terraformSA) + + backend_bucket := bootstrap.GetStringOutput("gcs_bucket_tfstate") + backendConfig := map[string]interface{}{ + "bucket": backend_bucket, + } + + var sharedApisEnabled = []string{ + "cloudbuild.googleapis.com", + "sourcerepo.googleapis.com", + "cloudkms.googleapis.com", + } + + for _, tts := range []struct { + name string + tfDir string + }{ + { + name: "bu1", + tfDir: "../../../4-projects/business_unit_1/shared", + }, + { + name: "bu2", + tfDir: "../../../4-projects/business_unit_2/shared", + }, + } { + t.Run(tts.name, func(t *testing.T) { + + sharedVars := 
map[string]interface{}{ + "backend_bucket": backend_bucket, + "impersonate_service_account": terraformSA, + } + + shared := tft.NewTFBlueprintTest(t, + tft.WithTFDir(tts.tfDir), + tft.WithVars(sharedVars), + tft.WithBackendConfig(backendConfig), + ) + + shared.DefineVerify( + func(assert *assert.Assertions) { + // perform default verification ensuring Terraform reports no additional changes on an applied blueprint + shared.DefaultVerify(assert) + + projectID := shared.GetStringOutput("cloudbuild_project_id") + prj := gcloud.Runf(t, "projects describe %s", projectID) + assert.Equal("ACTIVE", prj.Get("lifecycleState").String(), fmt.Sprintf("project %s should be ACTIVE", projectID)) + + enabledAPIS := gcloud.Runf(t, "services list --project %s", projectID).Array() + listApis := testutils.GetResultFieldStrSlice(enabledAPIS, "config.name") + assert.Subset(listApis, sharedApisEnabled, "APIs should have been enabled") + + defaultRegion := shared.GetStringOutput("default_region") + tfRepo := shared.GetStringOutput("tf_runner_artifact_repo") + arOpts := gcloud.WithCommonArgs([]string{"--project", projectID, "--location", defaultRegion, "--format", "json"}) + artifactRegistry := gcloud.Run(t, fmt.Sprintf("artifacts repositories describe %s", tfRepo), arOpts) + repoName := fmt.Sprintf("projects/%s/locations/%s/repositories/%s", projectID, defaultRegion, tfRepo) + assert.Equal(repoName, artifactRegistry.Get("name").String(), fmt.Sprintf("artifact registry %s should exist", repoName)) + }) + shared.Test() + }) + + } +} diff --git a/test/integration/projects/projects_test.go b/test/integration/projects/projects_test.go index 2e835b00d..ac6be57ec 100644 --- a/test/integration/projects/projects_test.go +++ b/test/integration/projects/projects_test.go 
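Review bot: `terraformSA` and `backend_bucket` go straight into `utils.SetEnv` and the backend config without any check that the bootstrap outputs were populated; an empty `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` would presumably let the apply run under the build runner's own credentials instead of the projects-step service account, masking exactly the permission regressions this test is meant to surface, and an empty bucket name fails only deep inside `terraform init`. The older TestProjects guarded these with `require.NotEmpty`; the same can be done here without a new import: `if terraformSA == "" || backend_bucket == "" { t.Fatal("bootstrap outputs projects_step_terraform_service_account_email and gcs_bucket_tfstate must not be empty") }` placed before the `for` loop. Separately, `backend_bucket` is the only snake_case identifier in the new file; Go style would name it `backendBucket`.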
@@ -16,14 +16,12 @@ package projects import ( "fmt" - "strings" "testing" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" "github.com/terraform-google-modules/terraform-example-foundation/test/integration/testutils" ) 
@@ -61,128 +59,57 @@ func TestProjects(t *testing.T) { "bucket": backend_bucket, } - var sharedCloudBuildSA = map[string]string{ - "bu1": "", - "bu2": "", - } - var restrictedApisEnabled = []string{ "accesscontextmanager.googleapis.com", "billingbudgets.googleapis.com", } - var sharedApisEnabled = []string{ - "cloudbuild.googleapis.com", - "sourcerepo.googleapis.com", - "cloudkms.googleapis.com", - } - - for _, tts := range []struct { - name string - tfDir string - }{ - { - name: "bu1", - tfDir: "../../../4-projects/business_unit_1/shared", - }, - { - name: "bu2", - tfDir: "../../../4-projects/business_unit_2/shared", - }, - } { - t.Run(tts.name, func(t *testing.T) { - - sharedVars := map[string]interface{}{ - "backend_bucket": backend_bucket, - "impersonate_service_account": terraformSA, - } - - shared := tft.NewTFBlueprintTest(t, - tft.WithTFDir(tts.tfDir), - tft.WithVars(sharedVars), - tft.WithBackendConfig(backendConfig), - ) - - shared.DefineApply( - func(assert *assert.Assertions) { - // perform default apply of the blueprint - shared.DefaultApply(assert) - // save the value of the "cloudbuild_sa" to be used in the envs tests - sharedCloudBuildSA[tts.name] = shared.GetStringOutput("cloudbuild_sa") - }) - shared.DefineVerify( - func(assert *assert.Assertions) { - // perform default verification ensuring Terraform reports no additional changes on an applied blueprint - shared.DefaultVerify(assert) - // save the value of the "cloudbuild_sa" to be used in the envs tests - sharedCloudBuildSA[tts.name] = shared.GetStringOutput("cloudbuild_sa") - - projectID := shared.GetStringOutput("cloudbuild_project_id") - prj := gcloud.Runf(t, "projects describe %s", projectID) - assert.Equal("ACTIVE", prj.Get("lifecycleState").String(), fmt.Sprintf("project %s should be ACTIVE", projectID)) - - enabledAPIS := gcloud.Runf(t, "services list --project %s", projectID).Array() - listApis := testutils.GetResultFieldStrSlice(enabledAPIS, "config.name") - assert.Subset(listApis, 
sharedApisEnabled, "APIs should have been enabled") - - defaultRegion := shared.GetStringOutput("default_region") - tfRepo := shared.GetStringOutput("tf_runner_artifact_repo") - arOpts := gcloud.WithCommonArgs([]string{"--project", projectID, "--location", defaultRegion, "--format", "json"}) - artifactRegistry := gcloud.Run(t, fmt.Sprintf("artifacts repositories describe %s", tfRepo), arOpts) - repoName := fmt.Sprintf("projects/%s/locations/%s/repositories/%s", projectID, defaultRegion, tfRepo) - assert.Equal(repoName, artifactRegistry.Get("name").String(), fmt.Sprintf("artifact registry %s should exist", repoName)) - }) - shared.Test() - }) - - } - for _, tt := range []struct { name string - tfDir string + baseDir string baseNetwork string restrictedNetwork string }{ { name: "bu1_development", - tfDir: "../../../4-projects/business_unit_1/development", + baseDir: "../../../4-projects/business_unit_1/%s", baseNetwork: fmt.Sprintf("vpc-d-shared-base%s", networkMode), restrictedNetwork: fmt.Sprintf("vpc-d-shared-restricted%s", networkMode), }, { name: "bu1_non-production", - tfDir: "../../../4-projects/business_unit_1/non-production", + baseDir: "../../../4-projects/business_unit_1/%s", baseNetwork: fmt.Sprintf("vpc-n-shared-base%s", networkMode), restrictedNetwork: fmt.Sprintf("vpc-n-shared-restricted%s", networkMode), }, { name: "bu1_production", - tfDir: "../../../4-projects/business_unit_1/production", + baseDir: "../../../4-projects/business_unit_1/%s", baseNetwork: fmt.Sprintf("vpc-p-shared-base%s", networkMode), restrictedNetwork: fmt.Sprintf("vpc-p-shared-restricted%s", networkMode), }, { name: "bu2_development", - tfDir: "../../../4-projects/business_unit_2/development", + baseDir: "../../../4-projects/business_unit_2/%s", baseNetwork: fmt.Sprintf("vpc-d-shared-base%s", networkMode), restrictedNetwork: fmt.Sprintf("vpc-d-shared-restricted%s", networkMode), }, { name: "bu2_non-production", - tfDir: "../../../4-projects/business_unit_2/non-production", + 
baseDir: "../../../4-projects/business_unit_2/%s", baseNetwork: fmt.Sprintf("vpc-n-shared-base%s", networkMode), restrictedNetwork: fmt.Sprintf("vpc-n-shared-restricted%s", networkMode), }, { name: "bu2_production", - tfDir: "../../../4-projects/business_unit_2/production", + baseDir: "../../../4-projects/business_unit_2/%s", baseNetwork: fmt.Sprintf("vpc-p-shared-base%s", networkMode), restrictedNetwork: fmt.Sprintf("vpc-p-shared-restricted%s", networkMode), }, } { t.Run(tt.name, func(t *testing.T) { - env := strings.Split(tt.name, "_") + env := testutils.GetLastSplitElement(tt.name, "_") netVars := map[string]interface{}{ "access_context_manager_policy_id": policyID, } @@ -196,30 +123,25 @@ func TestProjects(t *testing.T) { } networks := tft.NewTFBlueprintTest(t, - tft.WithTFDir(fmt.Sprintf(networkTFDir, env[1])), + tft.WithTFDir(fmt.Sprintf(networkTFDir, env)), tft.WithVars(netVars), ) perimeterName := networks.GetStringOutput("restricted_service_perimeter_name") + shared := tft.NewTFBlueprintTest(t, + tft.WithTFDir(fmt.Sprintf(tt.baseDir, "shared")), + ) + sharedCloudBuildSA := shared.GetStringOutput("cloudbuild_sa") + vars := map[string]interface{}{ - "backend_bucket": backend_bucket, + "backend_bucket": backend_bucket, } projects := tft.NewTFBlueprintTest(t, - tft.WithTFDir(tt.tfDir), + tft.WithTFDir(fmt.Sprintf(tt.baseDir, env)), tft.WithVars(vars), tft.WithBackendConfig(backendConfig), ) - projects.DefineApply( - func(assert *assert.Assertions) { - // validate requirements - require.NotEmpty(t, sharedCloudBuildSA[env[0]], "app_infra_pipeline_cloudbuild_sa should not be empty") - require.NotEmpty(t, perimeterName, "perimeter_name should not be empty") - require.NotEmpty(t, policyID, "access_context_manager_policy_id should not be empty") - require.NotEmpty(t, terraformSA, "terraform_service_account should not be empty") - - projects.DefaultApply(assert) - }) projects.DefineVerify( func(assert *assert.Assertions) { 
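Review bot: Removing the `DefineApply` block drops the `require.NotEmpty` preconditions on `sharedCloudBuildSA`, `perimeterName`, `policyID` and `terraformSA` without replacing them, and the `require` import is removed in the first hunk of this file, so an empty `cloudbuild_sa` read from the `shared` blueprint now reaches `terraform apply` and is only caught much later by the `assert.Contains` on the service-account binding. A guard before `projects` is constructed keeps the earlier failure message: `if sharedCloudBuildSA == "" || perimeterName == "" || policyID == "" { t.Fatalf("missing precondition for %s: cloudbuild_sa=%q perimeter=%q policy=%q", tt.name, sharedCloudBuildSA, perimeterName, policyID) }`. The new `shared` blueprint is also built without `tft.WithBackendConfig(backendConfig)` while TestProjectsShared passes it for the same directory; if `GetStringOutput` reads outputs through the configured backend, the two should agree. The `t.Run` body continues past the hunk.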
@@ -251,7 +173,7 @@ func TestProjects(t *testing.T) { hostProjectID := sharedVPC.Get("name").String() hostProject := gcloud.Runf(t, "projects describe %s", hostProjectID) assert.Equal("restricted-shared-vpc-host", hostProject.Get("labels.application_name").String(), "host project should have application_name label equals to base-shared-vpc-host") - assert.Equal(env[1], hostProject.Get("labels.environment").String(), fmt.Sprintf("project should have environment label %s", env[1])) + assert.Equal(env, hostProject.Get("labels.environment").String(), fmt.Sprintf("project should have environment label %s", env)) hostNetwork := gcloud.Runf(t, "compute networks list --project %s", hostProjectID).Array()[0] assert.Equal(tt.restrictedNetwork, hostNetwork.Get("name").String(), "should have a shared vpc") @@ -263,7 +185,7 @@ func TestProjects(t *testing.T) { saName := projects.GetStringOutput("base_shared_vpc_project_sa") saPolicy := gcloud.Runf(t, "iam service-accounts get-iam-policy %s", saName) listSaMembers := utils.GetResultStrSlice(saPolicy.Get("bindings.0.members").Array()) - assert.Contains(listSaMembers, fmt.Sprintf("serviceAccount:%s", sharedCloudBuildSA[env[0]]), "service account should be member of the binding") + assert.Contains(listSaMembers, fmt.Sprintf("serviceAccount:%s", sharedCloudBuildSA), "service account should be member of the binding") assert.Equal("roles/iam.serviceAccountTokenCreator", saPolicy.Get("bindings.0.role").String(), "service account should have role serviceAccountTokenCreator") iamOpts := gcloud.WithCommonArgs([]string{"--flatten", "bindings", "--filter", "bindings.role:roles/editor", "--format", "json"}) 
@@ -277,7 +199,7 @@ func TestProjects(t *testing.T) { hostProjectID := sharedVPC.Get("name").String() hostProject := gcloud.Runf(t, "projects describe %s", hostProjectID) assert.Equal("base-shared-vpc-host", hostProject.Get("labels.application_name").String(), "host project should have application_name label equals to base-shared-vpc-host") - assert.Equal(env[1], hostProject.Get("labels.environment").String(), fmt.Sprintf("project should have environment label %s", env[1])) + assert.Equal(env, hostProject.Get("labels.environment").String(), fmt.Sprintf("project should have environment label %s", env)) hostNetwork := gcloud.Runf(t, "compute networks list --project %s", hostProjectID).Array()[0] assert.Equal(tt.baseNetwork, hostNetwork.Get("name").String(), "should have a shared vpc") From c96d661a7c14dc5382c592c6a6ed505d927d4939 Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Fri, 26 Aug 2022 01:01:46 -0300 Subject: [PATCH 23/30] fix READMEs and tfvars files --- 0-bootstrap/README.md | 1 - 0-bootstrap/outputs.tf | 17 ++++--- 0-bootstrap/variables.tf | 6 --- 1-org/envs/shared/README.md | 1 + 1-org/envs/shared/main.tf | 15 +++--- 1-org/envs/shared/org_policy.tf | 2 +- 1-org/envs/shared/terraform.example.tfvars | 2 + 1-org/envs/shared/variables.tf | 6 +++ .../common.auto.example.tfvars | 2 + .../common.auto.example.tfvars | 2 + 4-projects/README.md | 46 ++----------------- 5-app-infra/README.md | 4 +- 12 files changed, 34 insertions(+), 70 deletions(-) diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index d587b0cb6..95b4ec6a4 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md 
@@ -177,7 +177,6 @@ the following steps: | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes | | bucket\_force\_destroy | When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no | | bucket\_prefix | Name prefix to use for state bucket created. | `string` | `"bkt"` | no | -| create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy | `bool` | `true` | no | | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no | | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | | group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes | diff --git a/0-bootstrap/outputs.tf b/0-bootstrap/outputs.tf index 2b42935a3..841d5a1e6 100644 --- a/0-bootstrap/outputs.tf +++ b/0-bootstrap/outputs.tf @@ -52,15 +52,14 @@ output "gcs_bucket_tfstate" { output "common_config" { description = "Common configuration data to be used in other steps." value = { - org_id = var.org_id, - parent_folder = var.parent_folder, - billing_account = var.billing_account, - default_region = var.default_region, - project_prefix = var.project_prefix, - folder_prefix = var.folder_prefix - create_access_context_manager_access_policy = var.create_access_context_manager_access_policy - parent_id = local.parent - bootstrap_folder_name = google_folder.bootstrap.name + org_id = var.org_id, + parent_folder = var.parent_folder, + billing_account = var.billing_account, + default_region = var.default_region, + project_prefix = var.project_prefix, + folder_prefix = var.folder_prefix + parent_id = local.parent + bootstrap_folder_name = google_folder.bootstrap.name } } diff --git a/0-bootstrap/variables.tf b/0-bootstrap/variables.tf index 37d3330a4..effdb2aae 100644 
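Review bot: The `description` of `common_config` in the outputs.tf hunk should state how it is consumed, because later steps in this series read it through `data.terraform_remote_state.bootstrap`, and that data source needs read access to the whole bootstrap state object rather than to this one output; a step granted bucket access for the sake of `common_config` can read every other bootstrap output and resource attribute in the state. Something like `description = "Common configuration data (org, billing, region, prefixes, parent) read by later steps via terraform_remote_state; access to this output implies read access to the full bootstrap state."` makes that trade-off visible to operators. Dropping `create_access_context_manager_access_policy` from the map is also a breaking change for any external consumer still reading it from state; this series updates 1-org, but neither the description nor the commit message calls it out.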
--- a/0-bootstrap/variables.tf +++ b/0-bootstrap/variables.tf @@ -82,12 +82,6 @@ variable "bucket_force_destroy" { default = false } -variable "create_access_context_manager_access_policy" { - description = "Whether to create access context manager access policy" - type = bool - default = true -} - /* ---------------------------------------- Specific to jenkins_bootstrap module ---------------------------------------- */ diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index 03327d28c..a14166507 100644 --- a/1-org/envs/shared/README.md +++ b/1-org/envs/shared/README.md @@ -11,6 +11,7 @@ | base\_net\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the base net hub project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | | base\_net\_hub\_project\_budget\_amount | The amount to use as the budget for the base net hub project. | `number` | `1000` | no | | billing\_data\_users | Google Workspace or Cloud Identity group that have access to billing data set. | `string` | n/a | yes | +| create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy | `bool` | `true` | no | | data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no | | dns\_hub\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the DNS hub project. | `string` | `null` | no | | dns\_hub\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the DNS hub project. | `list(number)` |
[
0.5,
0.75,
0.9,
0.95
]
| no | diff --git a/1-org/envs/shared/main.tf b/1-org/envs/shared/main.tf index a99f35822..e2fca8d8d 100644 --- a/1-org/envs/shared/main.tf +++ b/1-org/envs/shared/main.tf @@ -15,12 +15,11 @@ */ locals { - parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder - org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id - billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account - default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region - project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix - folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix - parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id - create_access_policy = data.terraform_remote_state.bootstrap.outputs.common_config.create_access_context_manager_access_policy + parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder + org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id + billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account + default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region + project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix + folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix + parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id } diff --git a/1-org/envs/shared/org_policy.tf b/1-org/envs/shared/org_policy.tf index 833742075..5f5c253b2 100644 --- a/1-org/envs/shared/org_policy.tf +++ b/1-org/envs/shared/org_policy.tf 
@@ -173,7 +173,7 @@ module "org_enforce_bucket_level_access" { *******************************************/ resource "google_access_context_manager_access_policy" "access_policy" { - count = local.create_access_policy ? 1 : 0 + count = var.create_access_context_manager_access_policy ? 1 : 0 parent = "organizations/${local.org_id}" title = "default policy" } diff --git a/1-org/envs/shared/terraform.example.tfvars b/1-org/envs/shared/terraform.example.tfvars index d1b505500..c17d87d4a 100644 --- a/1-org/envs/shared/terraform.example.tfvars +++ b/1-org/envs/shared/terraform.example.tfvars @@ -29,6 +29,8 @@ backend_bucket = "" //enable_hub_and_spoke = true +//create_access_context_manager_access_policy = false + // if you enable hub and spoke you need to provide // the service account that will be used in the network step //networks_step_terraform_service_account = "terraform-net-sa@example-project-2334.iam.gserviceaccount.com" diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf index 315dc0973..9b1faf218 100644 --- a/1-org/envs/shared/variables.tf +++ b/1-org/envs/shared/variables.tf @@ -64,6 +64,12 @@ variable "skip_gcloud_download" { default = true } +variable "create_access_context_manager_access_policy" { + description = "Whether to create access context manager access policy" + type = bool + default = true +} + variable "scc_notification_filter" { description = "Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter" type = string diff --git a/3-networks-dual-svpc/common.auto.example.tfvars b/3-networks-dual-svpc/common.auto.example.tfvars index 8804ef354..395729456 100644 --- a/3-networks-dual-svpc/common.auto.example.tfvars +++ b/3-networks-dual-svpc/common.auto.example.tfvars 
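Review bot: The new `create_access_context_manager_access_policy` variable in the variables.tf hunk does not tell the operator when to set it to `false` or what must exist instead; since `org_policy.tf` in the same commit only creates `google_access_context_manager_access_policy.access_policy` when it is true, the rest of the configuration presumably expects an existing organization policy in that case, and the description should say so, e.g. `description = "Whether to create an Access Context Manager access policy for the organization. Set to false when the organization already has one that later steps should reuse."`. The commented `//create_access_context_manager_access_policy = false` line added to terraform.example.tfvars would benefit from the same one-line explanation.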
@@ -18,3 +18,5 @@ terraform_service_account = "terraform-net-sa@prj-b-seed-2334.iam.gserviceaccoun // The DNS name of peering managed zone. Must end with a period. domain = "example.com." + +backend_bucket = "" diff --git a/3-networks-hub-and-spoke/common.auto.example.tfvars b/3-networks-hub-and-spoke/common.auto.example.tfvars index ad3880d0c..fad68457d 100644 --- a/3-networks-hub-and-spoke/common.auto.example.tfvars +++ b/3-networks-hub-and-spoke/common.auto.example.tfvars @@ -19,4 +19,6 @@ terraform_service_account = "terraform-net-sa@prj-b-seed-2334.iam.gserviceaccoun // The DNS name of peering managed zone. Must end with a period. domain = "example.com." +backend_bucket = "" + //enable_hub_and_spoke_transitivity = true diff --git a/4-projects/README.md b/4-projects/README.md index c93e3635c..1864ea7f9 100644 --- a/4-projects/README.md +++ b/4-projects/README.md 
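Review bot: The added `backend_bucket = ""` line in both `3-networks-dual-svpc/common.auto.example.tfvars` and `3-networks-hub-and-spoke/common.auto.example.tfvars` carries no comment saying which value belongs there, unlike the `domain` line above it, so a reader of the example file cannot tell that this is the bootstrap state bucket. A comment such as `// Name of the GCS bucket holding the foundation Terraform state (0-bootstrap output gcs_bucket_tfstate)` above the line in both files would make that explicit. The two files also place the line differently (dual-svpc appends it at the end, hub-and-spoke inserts it before the commented `enable_hub_and_spoke_transitivity` option); ordering them the same way keeps the examples diffable against each other.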
@@ -68,53 +68,17 @@ This pipeline can be utilized for deploying resources in projects across develop 1. 1-org executed successfully. 1. 2-environments executed successfully. 1. 3-networks executed successfully. -1. Obtain the value for the `access_context_manager_policy_id` variable. - - ```bash - gcloud access-context-manager policies list --organization YOUR_ORGANIZATION_ID --format="value(name)" - ``` 1. For the manual step described in this document, you need [Terraform](https://www.terraform.io/downloads.html) version 1.0.0 or later to be installed. **Note:** Make sure that you use version 1.0.0 or later of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors. -1. Obtain the values for the `perimeter_name` for each environment variable. - - ```bash - gcloud access-context-manager perimeters list --policy ACCESS_CONTEXT_MANAGER_POLICY_ID --format="value(name)" - ``` - - **Note:** If you have more than one service perimeter for each environment, you can also get the values from the `restricted_service_perimeter_name` output from each of the`3-networks` environments. - - If you are using Cloud Build you can also search for the values in the outputs from the build logs: - - ```console - gcloud builds list \ - --project=YOUR_CLOUD_BUILD_PROJECT_ID \ - --filter="status=SUCCESS \ - AND source.repoSource.repoName=gcp-networks \ - AND substitutions.BRANCH_NAME=development" \ - --format="value(id)" - ``` - - Use the result of this command as the `BUILD_ID` value in the next command: - - ```console - gcloud builds log BUILD_ID \ - --project=YOUR_CLOUD_BUILD_PROJECT_ID | \ - grep "restricted_service_perimeter_name = " - ``` - - Change the `BRANCH_NAME` from `development` to `non-production` or `production` for the other two service perimeters. - ### Troubleshooting Please refer to [troubleshooting](../docs/TROUBLESHOOTING.md) if you run into issues during this step. 
## Usage -**Note:** You need to set variable `enable_hub_and_spoke` to `true` to be able to use the **Hub-and-Spoke** architecture detailed in the **Networking** section of the [google cloud security foundations guide](https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf). - **Note:** If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant commands. The `-T` flag is needed for Linux, but causes problems for MacOS. 
@@ -147,10 +111,9 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. ``` 1. Rename `common.auto.example.tfvars` to `common.auto.tfvars` and update the file with values from your environment and bootstrap. See any of the business unit envs folders [README.md](./business_unit_1/development/README.md) files for additional information on the values in the `common.auto.tfvars` file. 1. Rename `shared.auto.example.tfvars` to `shared.auto.tfvars` and update the file with values from your environment and bootstrap. See any of the business unit shared envs folders [README.md](./business_unit_1/shared/README.md) files for additional information on the values in the `shared.auto.example.tfvars`. -1. Rename `development.auto.example.tfvars` to `development.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_d_shared_restricted`. -1. Rename `non-production.auto.example.tfvars` to `non-production.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_n_shared_restricted`. -1. Rename `production.auto.example.tfvars` to `production.auto.tfvars` and update the file with the `perimeter_name` that starts with `sp_p_shared_restricted`. -1. Rename `access_context.auto.example.tfvars` to `access_context.auto.tfvars` and update the file with the `access_context_manager_policy_id`. +1. Rename `development.auto.example.tfvars` to `development.auto.tfvars`. +1. Rename `non-production.auto.example.tfvars` to `non-production.auto.tfvars`. +1. Rename `production.auto.example.tfvars` to `production.auto.tfvars`. 1. You need to manually plan and apply only once the `business_unit_1/shared` environment since `development`, `non-production`, and `production` depend on it. 1. Run `cd ./business_unit_1/shared/`. 1. Update `backend.tf` with your bucket name from the 0-bootstrap step. 
@@ -158,11 +121,8 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. 1. Run `terraform init`. 1. Run `terraform plan` and review output. 1. Run `terraform apply`. - 1. Run `terraform output cloudbuild_sa` to get the cloud build service account from the apply step. 1. If you would like the bucket to be replaced by cloud build at run time, change the bucket name back to `UPDATE_ME` 1. Once you have done the instructions for the `business_unit_1`, you need to repeat same steps for `business_unit_2` folder. -1. Rename `business_unit_1.auto.example.tfvars` to `business_unit_1.auto.tfvars` and update the file with the `app_infra_pipeline_cloudbuild_sa` which is the output of `cloudbuild_sa` from `business_unit_1/shared` steps. -1. Rename `business_unit_2.auto.example.tfvars` to `business_unit_2.auto.tfvars` and update the file with the `app_infra_pipeline_cloudbuild_sa` which is the output of `cloudbuild_sa` from `business_unit_2/shared` steps. 1. Commit changes. ``` git add . diff --git a/5-app-infra/README.md b/5-app-infra/README.md index 80b9f11cd..68b688a8b 100644 --- a/5-app-infra/README.md +++ b/5-app-infra/README.md @@ -94,7 +94,7 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. gcloud source repos clone gcp-policies --project=YOUR_INFRA_PIPELINE_PROJECT_ID ``` 1. Navigate into the repo. All subsequent steps assume you are running them - from the gcp-environments directory. If you run them from another directory, + from the `gcp-policies` directory. If you run them from another directory, adjust your copy paths accordingly. ``` cd gcp-policies 
@@ -122,7 +122,7 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. gcloud source repos clone bu1-example-app --project=YOUR_INFRA_PIPELINE_PROJECT_ID ``` 1. Navigate into the repo. All subsequent steps assume you are running them - from the gcp-environments directory. If you run them from another directory, + from the `bu1-example-app` directory. If you run them from another directory, adjust your copy paths accordingly. ``` cd bu1-example-app From 05e567adf7a099d85085974e6bea1a82d11de559 Mon Sep 17 00:00:00 2001 
From: Daniel da Silva Andrade Date: Fri, 26 Aug 2022 18:19:50 -0300 Subject: [PATCH 24/30] restore 5-app-infra --- 5-app-infra/README.md | 16 +++++-- ...tf => bu1-development.auto.example.tfvars} | 13 ++--- ...=> bu1-non-production.auto.example.tfvars} | 13 ++--- ....tf => bu1-production.auto.example.tfvars} | 13 ++--- .../business_unit_1/development/README.md | 6 ++- .../development/bu1-development.auto.tfvars | 1 + .../development/common.auto.tfvars | 1 + .../business_unit_1/development/main.tf | 30 ++++++------ .../business_unit_1/development/providers.tf | 8 +++- .../development/terraform.tfvars | 1 - .../business_unit_1/development/variables.tf | 20 ++++++-- .../business_unit_1/non-production/README.md | 6 ++- .../bu1-non-production.auto.tfvars | 1 + .../non-production/common.auto.tfvars | 1 + .../business_unit_1/non-production/main.tf | 28 +++++------ .../non-production/providers.tf | 8 +++- .../non-production/terraform.tfvars | 1 - .../non-production/variables.tf | 20 ++++++-- .../business_unit_1/production/README.md | 6 ++- .../production/bu1-production.auto.tfvars | 1 + .../production/common.auto.tfvars | 1 + .../business_unit_1/production/main.tf | 30 ++++++------ .../business_unit_1/production/providers.tf | 8 +++- .../production/terraform.tfvars | 1 - .../business_unit_1/production/variables.tf | 20 ++++++-- .../business_unit_1/production/versions.tf | 2 +- ...mple.tfvars => common.auto.example.tfvars} | 6 ++- 5-app-infra/modules/env_base/README.md | 7 ++- 5-app-infra/modules/env_base/data.tf | 42 ++++++++++++++++ 5-app-infra/modules/env_base/main.tf | 23 +++------ 5-app-infra/modules/env_base/outputs.tf | 2 +- 5-app-infra/modules/env_base/remote_state.tf | 48 ------------------- 5-app-infra/modules/env_base/variables.tf | 22 ++++----- 5-app-infra/modules/env_base/versions.tf | 2 +- test/disable_tf_files.sh | 11 +++-- test/integration/app-infra/app_infra_test.go | 11 ++--- 36 files changed, 223 insertions(+), 207 deletions(-) rename 
5-app-infra/{business_unit_1/production/remote_state.tf => bu1-development.auto.example.tfvars} (67%) rename 5-app-infra/{business_unit_1/non-production/remote_state.tf => bu1-non-production.auto.example.tfvars} (67%) rename 5-app-infra/{business_unit_1/development/remote_state.tf => bu1-production.auto.example.tfvars} (67%) create mode 120000 5-app-infra/business_unit_1/development/bu1-development.auto.tfvars create mode 120000 5-app-infra/business_unit_1/development/common.auto.tfvars delete mode 120000 5-app-infra/business_unit_1/development/terraform.tfvars create mode 120000 5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars create mode 120000 5-app-infra/business_unit_1/non-production/common.auto.tfvars delete mode 120000 5-app-infra/business_unit_1/non-production/terraform.tfvars create mode 120000 5-app-infra/business_unit_1/production/bu1-production.auto.tfvars create mode 120000 5-app-infra/business_unit_1/production/common.auto.tfvars delete mode 120000 5-app-infra/business_unit_1/production/terraform.tfvars rename 5-app-infra/{terraform.example.tfvars => common.auto.example.tfvars} (78%) create mode 100644 5-app-infra/modules/env_base/data.tf delete mode 100644 5-app-infra/modules/env_base/remote_state.tf diff --git a/5-app-infra/README.md b/5-app-infra/README.md index 68b688a8b..62c1731e0 100644 --- a/5-app-infra/README.md +++ b/5-app-infra/README.md @@ -94,7 +94,7 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. gcloud source repos clone gcp-policies --project=YOUR_INFRA_PIPELINE_PROJECT_ID ``` 1. Navigate into the repo. All subsequent steps assume you are running them - from the `gcp-policies` directory. If you run them from another directory, + from the gcp-environments directory. If you run them from another directory, adjust your copy paths accordingly. ``` cd gcp-policies 
@@ -122,7 +122,7 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. gcloud source repos clone bu1-example-app --project=YOUR_INFRA_PIPELINE_PROJECT_ID ``` 1. Navigate into the repo. All subsequent steps assume you are running them - from the `bu1-example-app` directory. If you run them from another directory, + from the gcp-environments directory. If you run them from another directory, adjust your copy paths accordingly. ``` cd bu1-example-app @@ -147,7 +147,10 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. ``` chmod 755 ./tf-wrapper.sh ``` -1. Rename `terraform.example.tfvars` to `terraform.tfvars` and update the file with values from 0-bootstrap. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars` and update the file with values from your environment and 0-bootstrap. See any of the business unit 1 envs folders [README.md](./business_unit_1/development/README.md) files for additional information on the values in the `common.auto.tfvars` file. +1. Rename `bu1-development.auto.example.tfvars` to `bu1-development.auto.tfvars` and update the file with values from your environment. +1. Rename `bu1-non-production.auto.example.tfvars` to `bu1-non-production.auto.tfvars` and update the file with values from your environment. +1. Rename `bu1-production.auto.example.tfvars` to `bu1-production.auto.tfvars` and update the file with values from your environment. 1. Commit changes. ``` git add . 
@@ -187,7 +190,10 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. 1. Change into the `5-app-infra` folder. 1. Run `cp ../build/tf-wrapper.sh .` 1. Run `chmod 755 ./tf-wrapper.sh`. -1. Rename `terraform.example.tfvars` to `terraform.tfvars` and update the file with values from 0-bootstrap. +1. Rename `common.auto.example.tfvars` to `common.auto.tfvars` and update the file with values from your environment and 0-bootstrap. +1. Rename `bu1-development.auto.example.tfvars` to `bu1-development.auto.tfvars` and update the file with values from your environment. +1. Rename `bu1-non-production.auto.example.tfvars` to `bu1-non-production.auto.tfvars` and update the file with values from your environment. +1. Rename `bu1-production.auto.example.tfvars` to `bu1-production.auto.tfvars` and update the file with values from your environment. 1. Provide the user that will be running `./tf-wrapper.sh` the Service Account Token Creator role to the bu1 project service accounts 1. Provide the user permissions to run the terraform locally with the `serviceAccountTokenCreator` permission. ``` 
@@ -201,7 +207,7 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. We will now deploy each of our environments (development/production/non-production) using this script. When using Cloud Build or Jenkins as your CI/CD tool, each environment corresponds to a branch in the repository for the `5-app-infra` step. Only the corresponding environment is applied. -To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. +To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://github.com/GoogleCloudPlatform/terraform-validator/blob/main/docs/install.md) in the **Install Terraform Validator** section and install version `v0.4.0` in your system. You will also need to rename the binary from `terraform-validator-` to `terraform-validator` and the `terraform-validator` binary must be in your `PATH`. 1. Run `./tf-wrapper.sh init production`. 1. Run `./tf-wrapper.sh plan production` and review output. diff --git a/5-app-infra/business_unit_1/production/remote_state.tf b/5-app-infra/bu1-development.auto.example.tfvars similarity index 67% rename from 5-app-infra/business_unit_1/production/remote_state.tf rename to 5-app-infra/bu1-development.auto.example.tfvars index a49f79443..bcd9853cf 100644 --- a/5-app-infra/business_unit_1/production/remote_state.tf +++ b/5-app-infra/bu1-development.auto.example.tfvars 
@@ -14,13 +14,6 @@ * limitations under the License. */ -data "terraform_remote_state" "projects_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/projects/${local.business_unit}/${local.environment}" - - impersonate_service_account = local.terraform_service_account - } -} +// Email of the service account created on step 4-projects for the sample base project in the development environment +// of the business unit 1 where the GCE instance will be created +project_service_account = "project-service-account@prj-bu1-d-sample-base-.iam.gserviceaccount.com" diff --git a/5-app-infra/business_unit_1/non-production/remote_state.tf b/5-app-infra/bu1-non-production.auto.example.tfvars similarity index 67% rename from 5-app-infra/business_unit_1/non-production/remote_state.tf rename to 5-app-infra/bu1-non-production.auto.example.tfvars index a49f79443..7e93b0364 100644 --- a/5-app-infra/business_unit_1/non-production/remote_state.tf +++ b/5-app-infra/bu1-non-production.auto.example.tfvars @@ -14,13 +14,6 @@ * limitations under the License. */ -data "terraform_remote_state" "projects_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/projects/${local.business_unit}/${local.environment}" - - impersonate_service_account = local.terraform_service_account - } -} +// Email of the service account created on step 4-projects for the sample base project in the non-production environment +// of the business unit 1 where the GCE instance will be created +project_service_account = "project-service-account@prj-bu1-n-sample-base-.iam.gserviceaccount.com" diff --git a/5-app-infra/business_unit_1/development/remote_state.tf b/5-app-infra/bu1-production.auto.example.tfvars similarity index 67% rename from 5-app-infra/business_unit_1/development/remote_state.tf rename to 5-app-infra/bu1-production.auto.example.tfvars index a49f79443..ecce1bbf7 100644 
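Review bot: The example value `project-service-account@prj-bu1-d-sample-base-.iam.gserviceaccount.com` is not a complete service-account email: the trailing `-` before `.iam` reads as a project-ID suffix the user still has to supply, but neither comment line says so, and the README hunk in this patch only says to update the file "with values from your environment". This value is what the environment's providers impersonate, so an unedited or mistyped entry is rejected only by the provider at plan time, without pointing at the cause. A third comment line above the assignment would make the placeholder explicit, e.g. `// Replace the trailing "-" with the full project ID of the sample base project (the value the removed remote-state lookup took from outputs.base_shared_vpc_project)`. The same applies to the non-production example later on this line and the production example in the next hunk.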
--- a/5-app-infra/business_unit_1/development/remote_state.tf +++ b/5-app-infra/bu1-production.auto.example.tfvars @@ -14,13 +14,6 @@ * limitations under the License. */ -data "terraform_remote_state" "projects_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/projects/${local.business_unit}/${local.environment}" - - impersonate_service_account = local.terraform_service_account - } -} +// Email of the service account created on step 4-projects for the sample base project in the production environment +// of the business unit 1 where the GCE instance will be created +project_service_account = "project-service-account@prj-bu1-p-sample-base-.iam.gserviceaccount.com" diff --git a/5-app-infra/business_unit_1/development/README.md b/5-app-infra/business_unit_1/development/README.md index 52e99692e..19618db4b 100644 --- a/5-app-infra/business_unit_1/development/README.md +++ b/5-app-infra/business_unit_1/development/README.md 
@@ -3,9 +3,11 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | | instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes | -| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | +| org\_id | The organization id for the associated services | `string` | n/a | yes | +| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| project\_service\_account | Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created | `string` | n/a | yes | ## Outputs diff --git a/5-app-infra/business_unit_1/development/bu1-development.auto.tfvars b/5-app-infra/business_unit_1/development/bu1-development.auto.tfvars new file mode 120000 index 000000000..69c1030b8 --- /dev/null +++ b/5-app-infra/business_unit_1/development/bu1-development.auto.tfvars @@ -0,0 +1 @@ +../../bu1-development.auto.tfvars \ No newline at end of file diff --git a/5-app-infra/business_unit_1/development/common.auto.tfvars b/5-app-infra/business_unit_1/development/common.auto.tfvars new file mode 120000 index 000000000..39aaa4621 --- /dev/null +++ b/5-app-infra/business_unit_1/development/common.auto.tfvars @@ -0,0 +1 @@ +../../common.auto.tfvars \ No newline at end of file 
diff --git a/5-app-infra/business_unit_1/development/main.tf b/5-app-infra/business_unit_1/development/main.tf index 67451017a..ecf5a8f4d 100644 --- a/5-app-infra/business_unit_1/development/main.tf +++ b/5-app-infra/business_unit_1/development/main.tf @@ -14,23 +14,21 @@ * limitations under the License. */ -locals { - business_unit = "business_unit_1" - environment = "development" - terraform_service_account = var.terraform_service_account - project_service_account = "project-service-account@${data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project}.iam.gserviceaccount.com" + + +data "google_active_folder" "env" { + display_name = "${var.folder_prefix}-development" + parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" } module "base_shared_gce_instance" { - source = "../../modules/env_base" - - environment = local.environment - business_code = "bu1" - business_unit = local.business_unit - project_suffix = "sample-base" - region = var.instance_region - num_instances = 1 - machine_type = "f1-micro" - backend_bucket = var.backend_bucket - terraform_service_account = local.terraform_service_account + source = "../../modules/env_base" + environment = "development" + vpc_type = "base" + num_instances = 1 + machine_type = "f1-micro" + folder_id = data.google_active_folder.env.name + business_code = "bu1" + project_suffix = "sample-base" + region = var.instance_region } diff --git a/5-app-infra/business_unit_1/development/providers.tf b/5-app-infra/business_unit_1/development/providers.tf index dbee49361..e5420f442 100644 --- a/5-app-infra/business_unit_1/development/providers.tf +++ b/5-app-infra/business_unit_1/development/providers.tf 
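Review bot: `data.google_active_folder.env` resolves the target folder by display name `${var.folder_prefix}-development`, and `env_base` then resolves the network and application projects by labels under that folder, so where the GCE instance lands is now chosen by mutable metadata instead of the project IDs the removed `locals` took from remote state. Nothing checks that the resolved folder is the one created in the earlier steps; a folder with the same display name under a different `parent_folder` value resolves just as well, and `folder_prefix` defaults to `fldr` whether or not that matches what was used before. Consider a comment above the data source, `# Folder display names are mutable; confirm the resolved folder against the folder output of the step that created it before applying`, and state in the README that `folder_prefix` and `parent_folder` must match the earlier steps exactly. The non-production and production `main.tf` hunks below repeat the pattern.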
@@ -14,13 +14,17 @@ * limitations under the License. */ +locals { + tf_sa = var.project_service_account +} + /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.project_service_account + impersonate_service_account = local.tf_sa } provider "google-beta" { - impersonate_service_account = local.project_service_account + impersonate_service_account = local.tf_sa } diff --git a/5-app-infra/business_unit_1/development/terraform.tfvars b/5-app-infra/business_unit_1/development/terraform.tfvars deleted file mode 120000 index 00f385765..000000000 --- a/5-app-infra/business_unit_1/development/terraform.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../terraform.tfvars \ No newline at end of file diff --git a/5-app-infra/business_unit_1/development/variables.tf b/5-app-infra/business_unit_1/development/variables.tf index 269bb2fea..a1ddce5be 100644 --- a/5-app-infra/business_unit_1/development/variables.tf +++ b/5-app-infra/business_unit_1/development/variables.tf @@ -14,8 +14,13 @@ * limitations under the License. */ -variable "terraform_service_account" { - description = "Service account email of the account to impersonate to run Terraform" +variable "project_service_account" { + description = "Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created" + type = string +} + +variable "org_id" { + description = "The organization id for the associated services" type = string } 
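Review bot: `project_service_account` is now the identity both providers impersonate (see the `providers.tf` hunk on this line), yet the new variable declares only `type = string`, so the unedited example placeholder (`…prj-bu1-d-sample-base-.iam.gserviceaccount.com`, trailing `-` before `.iam`) or any mistyped email is only rejected deep inside the provider. If the pinned Terraform version is 0.13 or later (`versions.tf` is not fully visible here), a `validation` block gives an actionable error at plan time and rejects the placeholder form outright. The non-production and production `variables.tf` hunks below declare the same variable and would take the same block.
```hcl
variable "project_service_account" {
  description = "Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created"
  type        = string

  validation {
    condition     = can(regex("^[a-z][a-z0-9-]*@[a-z][a-z0-9-]*[a-z0-9]\\.iam\\.gserviceaccount\\.com$", var.project_service_account))
    error_message = "The project_service_account value must be a complete service account email (<name>@<project-id>.iam.gserviceaccount.com); replace the example placeholder."
  }
}
# … unchanged: org_id variable …
```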
@@ -24,7 +29,14 @@ variable "instance_region" { type = string } -variable "backend_bucket" { - description = "Backend bucket to load remote state information from previous steps." +variable "folder_prefix" { + description = "Name prefix to use for folders created. Should be the same in all steps." + type = string + default = "fldr" +} + +variable "parent_folder" { + description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." type = string + default = "" } diff --git a/5-app-infra/business_unit_1/non-production/README.md b/5-app-infra/business_unit_1/non-production/README.md index 52e99692e..19618db4b 100644 --- a/5-app-infra/business_unit_1/non-production/README.md +++ b/5-app-infra/business_unit_1/non-production/README.md 
@@ -3,9 +3,11 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | | instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes | -| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | +| org\_id | The organization id for the associated services | `string` | n/a | yes | +| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| project\_service\_account | Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created | `string` | n/a | yes | ## Outputs diff --git a/5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars b/5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars new file mode 120000 index 000000000..f98c6be57 --- /dev/null +++ b/5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars @@ -0,0 +1 @@ +../../bu1-non-production.auto.tfvars \ No newline at end of file diff --git a/5-app-infra/business_unit_1/non-production/common.auto.tfvars b/5-app-infra/business_unit_1/non-production/common.auto.tfvars new file mode 120000 index 000000000..39aaa4621 --- /dev/null +++ b/5-app-infra/business_unit_1/non-production/common.auto.tfvars @@ -0,0 +1 @@ +../../common.auto.tfvars \ No newline at end of file 
diff --git a/5-app-infra/business_unit_1/non-production/main.tf b/5-app-infra/business_unit_1/non-production/main.tf index a93ff36f6..418162fcf 100644 --- a/5-app-infra/business_unit_1/non-production/main.tf +++ b/5-app-infra/business_unit_1/non-production/main.tf @@ -16,23 +16,19 @@ -locals { - business_unit = "business_unit_1" - environment = "non-production" - terraform_service_account = var.terraform_service_account - project_service_account = "project-service-account@${data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project}.iam.gserviceaccount.com" +data "google_active_folder" "env" { + display_name = "${var.folder_prefix}-non-production" + parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" } module "base_shared_gce_instance" { - source = "../../modules/env_base" - - environment = local.environment - business_code = "bu1" - business_unit = local.business_unit - project_suffix = "sample-base" - region = var.instance_region - backend_bucket = var.backend_bucket - num_instances = 1 - machine_type = "f1-micro" - terraform_service_account = local.terraform_service_account + source = "../../modules/env_base" + environment = "non-production" + vpc_type = "base" + num_instances = 1 + machine_type = "f1-micro" + folder_id = data.google_active_folder.env.name + business_code = "bu1" + project_suffix = "sample-base" + region = var.instance_region } diff --git a/5-app-infra/business_unit_1/non-production/providers.tf b/5-app-infra/business_unit_1/non-production/providers.tf index dbee49361..e5420f442 100644 --- a/5-app-infra/business_unit_1/non-production/providers.tf +++ b/5-app-infra/business_unit_1/non-production/providers.tf 
@@ -14,13 +14,17 @@ * limitations under the License. */ +locals { + tf_sa = var.project_service_account +} + /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.project_service_account + impersonate_service_account = local.tf_sa } provider "google-beta" { - impersonate_service_account = local.project_service_account + impersonate_service_account = local.tf_sa } diff --git a/5-app-infra/business_unit_1/non-production/terraform.tfvars b/5-app-infra/business_unit_1/non-production/terraform.tfvars deleted file mode 120000 index 00f385765..000000000 --- a/5-app-infra/business_unit_1/non-production/terraform.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../terraform.tfvars \ No newline at end of file diff --git a/5-app-infra/business_unit_1/non-production/variables.tf b/5-app-infra/business_unit_1/non-production/variables.tf index 269bb2fea..a1ddce5be 100644 --- a/5-app-infra/business_unit_1/non-production/variables.tf +++ b/5-app-infra/business_unit_1/non-production/variables.tf @@ -14,8 +14,13 @@ * limitations under the License. */ -variable "terraform_service_account" { - description = "Service account email of the account to impersonate to run Terraform" +variable "project_service_account" { + description = "Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created" + type = string +} + +variable "org_id" { + description = "The organization id for the associated services" type = string } 
@@ -24,7 +29,14 @@ variable "instance_region" { type = string } -variable "backend_bucket" { - description = "Backend bucket to load remote state information from previous steps." +variable "folder_prefix" { + description = "Name prefix to use for folders created. Should be the same in all steps." + type = string + default = "fldr" +} + +variable "parent_folder" { + description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." type = string + default = "" } diff --git a/5-app-infra/business_unit_1/production/README.md b/5-app-infra/business_unit_1/production/README.md index 52e99692e..19618db4b 100644 --- a/5-app-infra/business_unit_1/production/README.md +++ b/5-app-infra/business_unit_1/production/README.md 
@@ -3,9 +3,11 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | +| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no | | instance\_region | The region where compute instance will be created. A subnetwork must exists in the instance region. | `string` | n/a | yes | -| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | +| org\_id | The organization id for the associated services | `string` | n/a | yes | +| parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step. | `string` | `""` | no | +| project\_service\_account | Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created | `string` | n/a | yes | ## Outputs diff --git a/5-app-infra/business_unit_1/production/bu1-production.auto.tfvars b/5-app-infra/business_unit_1/production/bu1-production.auto.tfvars new file mode 120000 index 000000000..5d3678edd --- /dev/null +++ b/5-app-infra/business_unit_1/production/bu1-production.auto.tfvars @@ -0,0 +1 @@ +../../bu1-production.auto.tfvars \ No newline at end of file diff --git a/5-app-infra/business_unit_1/production/common.auto.tfvars b/5-app-infra/business_unit_1/production/common.auto.tfvars new file mode 120000 index 000000000..39aaa4621 --- /dev/null +++ b/5-app-infra/business_unit_1/production/common.auto.tfvars @@ -0,0 +1 @@ +../../common.auto.tfvars \ No newline at end of file 
diff --git a/5-app-infra/business_unit_1/production/main.tf b/5-app-infra/business_unit_1/production/main.tf index 984ceb0fd..f28ad5921 100644 --- a/5-app-infra/business_unit_1/production/main.tf +++ b/5-app-infra/business_unit_1/production/main.tf @@ -14,23 +14,21 @@ * limitations under the License. */ -locals { - business_unit = "business_unit_1" - environment = "production" - terraform_service_account = var.terraform_service_account - project_service_account = "project-service-account@${data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project}.iam.gserviceaccount.com" + + +data "google_active_folder" "env" { + display_name = "${var.folder_prefix}-production" + parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}" } module "base_shared_gce_instance" { - source = "../../modules/env_base" - - environment = local.environment - business_code = "bu1" - business_unit = local.business_unit - project_suffix = "sample-base" - region = var.instance_region - num_instances = 1 - machine_type = "f1-micro" - backend_bucket = var.backend_bucket - terraform_service_account = local.terraform_service_account + source = "../../modules/env_base" + environment = "production" + vpc_type = "base" + num_instances = 1 + machine_type = "f1-micro" + folder_id = data.google_active_folder.env.name + business_code = "bu1" + project_suffix = "sample-base" + region = var.instance_region } diff --git a/5-app-infra/business_unit_1/production/providers.tf b/5-app-infra/business_unit_1/production/providers.tf index dbee49361..e5420f442 100644 --- a/5-app-infra/business_unit_1/production/providers.tf +++ b/5-app-infra/business_unit_1/production/providers.tf 
@@ -14,13 +14,17 @@ * limitations under the License. */ +locals { + tf_sa = var.project_service_account +} + /****************************************** Provider credential configuration *****************************************/ provider "google" { - impersonate_service_account = local.project_service_account + impersonate_service_account = local.tf_sa } provider "google-beta" { - impersonate_service_account = local.project_service_account + impersonate_service_account = local.tf_sa } diff --git a/5-app-infra/business_unit_1/production/terraform.tfvars b/5-app-infra/business_unit_1/production/terraform.tfvars deleted file mode 120000 index 00f385765..000000000 --- a/5-app-infra/business_unit_1/production/terraform.tfvars +++ /dev/null @@ -1 +0,0 @@ -../../terraform.tfvars \ No newline at end of file diff --git a/5-app-infra/business_unit_1/production/variables.tf b/5-app-infra/business_unit_1/production/variables.tf index 269bb2fea..f15ffdb8c 100644 --- a/5-app-infra/business_unit_1/production/variables.tf +++ b/5-app-infra/business_unit_1/production/variables.tf 
@@ -14,17 +14,29 @@ * limitations under the License. */ -variable "terraform_service_account" { - description = "Service account email of the account to impersonate to run Terraform" +variable "project_service_account" { + description = "Email of the service account created on step 4-projects for the business unit 1 sample base project where the GCE instance will be created" type = string } +variable "org_id" { + description = "The organization id for the associated services" + type = string +} + +variable "folder_prefix" { + description = "Name prefix to use for folders created. Should be the same in all steps." + type = string + default = "fldr" +} + variable "instance_region" { description = "The region where compute instance will be created. A subnetwork must exists in the instance region." type = string } -variable "backend_bucket" { - description = "Backend bucket to load remote state information from previous steps." +variable "parent_folder" { + description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. Must be the same value used in previous step." type = string + default = "" } diff --git a/5-app-infra/business_unit_1/production/versions.tf b/5-app-infra/business_unit_1/production/versions.tf index c9b0c3d5f..3fa6d9206 100644 --- a/5-app-infra/business_unit_1/production/versions.tf +++ b/5-app-infra/business_unit_1/production/versions.tf @@ -31,7 +31,7 @@ terraform { null = { source = "hashicorp/null" - version = "~> 3.0" + version = "~> 2.1" } random = { diff --git a/5-app-infra/terraform.example.tfvars b/5-app-infra/common.auto.example.tfvars similarity index 78% rename from 5-app-infra/terraform.example.tfvars rename to 5-app-infra/common.auto.example.tfvars index 6e505bb8a..05ca19031 100644 --- a/5-app-infra/terraform.example.tfvars 
+++ b/5-app-infra/common.auto.example.tfvars @@ -14,8 +14,10 @@ * limitations under the License. */ -terraform_service_account = "org-terraform@prj-b-seed-2334.iam.gserviceaccount.com" +org_id = "000000000000" instance_region = "us-central1" // should be one of the regions used to create network on step 3-networks -backend_bucket = "" +// Optional - for an organization with existing projects or for development/validation. +// Must be the same value used in previous steps. +//parent_folder = "000000000000" diff --git a/5-app-infra/modules/env_base/README.md b/5-app-infra/modules/env_base/README.md index b4908e435..24d986bee 100644 --- a/5-app-infra/modules/env_base/README.md +++ b/5-app-infra/modules/env_base/README.md 
@@ -3,17 +3,16 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| backend\_bucket | Backend bucket to load remote state information from previous steps. | `string` | n/a | yes | | business\_code | The code that describes which business unit owns the project | `string` | `"abcd"` | no | -| business\_unit | The business (ex. business\_unit\_1). | `string` | `"business_unit_1"` | no | | environment | The environment the single project belongs to | `string` | n/a | yes | +| folder\_id | The folder id where project will be created | `string` | n/a | yes | | hostname | Hostname of instances | `string` | `"example-app"` | no | | machine\_type | Machine type to create, e.g. n1-standard-1 | `string` | `"f1-micro"` | no | | num\_instances | Number of instances to create | `number` | n/a | yes | -| project\_suffix | The name of the GCP project. Max 16 characters with 3 character business unit code. Valid options are `sample-base` or `sample-restrict`. | `string` | n/a | yes | +| project\_suffix | The name of the GCP project. Max 16 characters with 3 character business unit code. | `string` | n/a | yes | | region | The GCP region to create and test resources in | `string` | `"us-central1"` | no | | service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account. |
object({
email = string,
scopes = set(string)
})
| `null` | no | -| terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes | +| vpc\_type | The type of VPC to attach the project to. Possible options are base or restricted. | `string` | n/a | yes | ## Outputs diff --git a/5-app-infra/modules/env_base/data.tf b/5-app-infra/modules/env_base/data.tf new file mode 100644 index 000000000..12106910e --- /dev/null +++ b/5-app-infra/modules/env_base/data.tf 
@@ -0,0 +1,42 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_projects" "network_projects" {
+ filter = "parent.id:${split("/", var.folder_id)[1]} labels.application_name=${var.vpc_type}-shared-vpc-host labels.environment=${var.environment} lifecycleState=ACTIVE"
+}
+
+data "google_project" "network_project" {
+ project_id = data.google_projects.network_projects.projects[0].project_id
+}
+
+data "google_projects" "environment_projects" {
+ filter = "parent.id:${split("/", var.folder_id)[1]} name:*${var.project_suffix}* labels.application_name=${var.business_code}-sample-application labels.environment=${var.environment} lifecycleState=ACTIVE"
+}
+
+data "google_project" "env_project" {
+ project_id = data.google_projects.environment_projects.projects[0].project_id
+}
+
+data "google_compute_network" "shared_vpc" {
+ name = "vpc-${local.environment_code}-shared-${var.vpc_type}"
+ project = data.google_project.network_project.project_id
+}
+
+data "google_compute_subnetwork" "subnetwork" {
+ name = "sb-${local.environment_code}-shared-${var.vpc_type}-${var.region}"
+ region = var.region
+ project = data.google_project.network_project.project_id
+}
diff --git a/5-app-infra/modules/env_base/main.tf b/5-app-infra/modules/env_base/main.tf
index d520468be..a64f05a4f 100644
--- a/5-app-infra/modules/env_base/main.tf
+++ b/5-app-infra/modules/env_base/main.tf
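Review bot: Both `google_projects` lookups take `projects[0]` without checking how many projects matched, and the match is driven by mutable labels (`labels.application_name`, `labels.environment`) plus a `name:*…*` wildcard rather than by an authoritative identifier, so a second project under the folder carrying the same labels would silently redirect the instance, service account and subnetwork into the wrong project, while a zero-match fails with an opaque index error. Replacing the index with `one()` makes the ambiguity fatal: `project_id = one(data.google_projects.environment_projects.projects).project_id` (and the same for `network_projects`) rejects a multi-match outright and turns the zero-match into a null-attribute error; `one()` needs Terraform 0.15 or newer, which I cannot confirm from here. The same `projects[0]` result is consumed in the main.tf and outputs.tf hunks of this commit, so the check belongs here rather than at each consumer. `split("/", var.folder_id)[1]` also assumes `folder_id` is in `folders/<number>` form; a `validation` on that variable would turn a malformed input into a clear plan-time error.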
@@ -15,22 +15,11 @@ */ locals { - environment_code = element(split("", var.environment), 0) - terraform_service_account = var.terraform_service_account - env_project_ids = { - "sample-base" = data.terraform_remote_state.projects_env.outputs.base_shared_vpc_project, - "sample-restrict" = data.terraform_remote_state.projects_env.outputs.restricted_shared_vpc_project, - } - subnets_self_links = { - "sample-base" = data.terraform_remote_state.network_env.outputs.base_subnets_self_links, - "sample-restrict" = data.terraform_remote_state.network_env.outputs.restricted_subnets_self_links, - } - env_project_id = local.env_project_ids[var.project_suffix] - subnetwork_self_links = local.subnets_self_links[var.project_suffix] - subnetwork_self_link = [for subnet in local.subnetwork_self_links : subnet if length(regexall("regions/${var.region}/subnetworks", subnet)) > 0][0] + environment_code = element(split("", var.environment), 0) } + resource "google_service_account" "compute_engine_service_account" { - project = local.env_project_id + project = data.google_project.env_project.project_id account_id = "sa-example-app" display_name = "Example app service Account" } @@ -40,8 +29,8 @@ module "instance_template" { version = "7.8.0" machine_type = var.machine_type region = var.region - project_id = local.env_project_id - subnetwork = local.subnetwork_self_link + project_id = data.google_project.env_project.project_id + subnetwork = data.google_compute_subnetwork.subnetwork.self_link service_account = { email = google_service_account.compute_engine_service_account.email scopes = ["compute-rw"] @@ -52,7 +41,7 @@ module "compute_instance" { source = "terraform-google-modules/vm/google//modules/compute_instance" version = "6.2.0" region = var.region - subnetwork = local.subnetwork_self_link + subnetwork = data.google_compute_subnetwork.subnetwork.self_link num_instances = var.num_instances hostname = var.hostname instance_template = module.instance_template.self_link 
diff --git a/5-app-infra/modules/env_base/outputs.tf b/5-app-infra/modules/env_base/outputs.tf index e802b439f..983f1329f 100644 --- a/5-app-infra/modules/env_base/outputs.tf +++ b/5-app-infra/modules/env_base/outputs.tf @@ -31,7 +31,7 @@ output "available_zones" { output "project_id" { description = "Project where compute instance was created" - value = local.env_project_id + value = data.google_project.env_project.project_id } output "region" { diff --git a/5-app-infra/modules/env_base/remote_state.tf b/5-app-infra/modules/env_base/remote_state.tf deleted file mode 100644 index 2de9c26cd..000000000 --- a/5-app-infra/modules/env_base/remote_state.tf +++ /dev/null 
@@ -1,48 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "terraform_remote_state" "bootstrap" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/bootstrap/state" - - impersonate_service_account = local.terraform_service_account - } -} - -data "terraform_remote_state" "network_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/networks/${var.environment}" - - impersonate_service_account = local.terraform_service_account - } -} - -data "terraform_remote_state" "projects_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/projects/${var.business_unit}/${var.environment}" - - impersonate_service_account = local.terraform_service_account - } -} diff --git a/5-app-infra/modules/env_base/variables.tf b/5-app-infra/modules/env_base/variables.tf index 6edecc4c8..b90c5ed21 100644 --- a/5-app-infra/modules/env_base/variables.tf +++ b/5-app-infra/modules/env_base/variables.tf 
@@ -14,20 +14,14 @@ * limitations under the License. */ -variable "terraform_service_account" { - description = "Service account email of the account to impersonate to run Terraform" - type = string -} - variable "environment" { description = "The environment the single project belongs to" type = string } -variable "business_unit" { - description = "The business (ex. business_unit_1)." +variable "vpc_type" { + description = "The type of VPC to attach the project to. Possible options are base or restricted." type = string - default = "business_unit_1" } variable "region" { @@ -60,6 +54,11 @@ variable "service_account" { description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account." } +variable "folder_id" { + description = "The folder id where project will be created" + type = string +} + variable "business_code" { description = "The code that describes which business unit owns the project" type = string @@ -67,11 +66,6 @@ variable "business_code" { } variable "project_suffix" { - description = "The name of the GCP project. Max 16 characters with 3 character business unit code. Valid options are `sample-base` or `sample-restrict`." - type = string -} - -variable "backend_bucket" { - description = "Backend bucket to load remote state information from previous steps." + description = "The name of the GCP project. Max 16 characters with 3 character business unit code." type = string } diff --git a/5-app-infra/modules/env_base/versions.tf b/5-app-infra/modules/env_base/versions.tf index c0d71ce88..607c66c7e 100644 --- a/5-app-infra/modules/env_base/versions.tf +++ b/5-app-infra/modules/env_base/versions.tf @@ -27,7 +27,7 @@ terraform { } null = { source = "hashicorp/null" - version = "~> 3.0" + version = "~> 2.1" } random = { diff --git a/test/disable_tf_files.sh b/test/disable_tf_files.sh index c9772b861..d00d48dff 100755 --- a/test/disable_tf_files.sh 
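Review bot: `vpc_type` documents `base` or `restricted` as the only options but nothing enforces it, and the value is interpolated straight into the `google_projects` label filter and into the `vpc-…-shared-${var.vpc_type}` network name in data.tf, so any other string only surfaces later as a failed lookup. A `validation` block with `condition = contains(["base", "restricted"], var.vpc_type)` and a matching `error_message` rejects it at plan time (Terraform 0.13+, version not visible here). In the `folder_id` hunk of this same file, the value is split on `/` by data.tf, so the description should state the expected form and the fact that the project is looked up rather than created, e.g. `description = "The folder id, in the form folders/<folder number>, under which the environment project was created"`.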
+++ b/test/disable_tf_files.sh @@ -88,10 +88,15 @@ function appinfra(){ mv 5-app-infra/business_unit_1/non-production/backend.tf 5-app-infra/business_unit_1/non-production/backend.tf.disabled mv 5-app-infra/business_unit_1/production/backend.tf 5-app-infra/business_unit_1/production/backend.tf.disabled + # disable ENVS.auto.tfvars in main module + mv 5-app-infra/business_unit_1/development/bu1-development.auto.tfvars 5-app-infra/business_unit_1/development/bu1-development.auto.tfvars.disabled + mv 5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars 5-app-infra/business_unit_1/non-production/bu1-non-production.auto.tfvars.disabled + mv 5-app-infra/business_unit_1/production/bu1-production.auto.tfvars 5-app-infra/business_unit_1/production/bu1-production.auto.tfvars.disabled + # disable common.auto.tfvars in main module - mv 5-app-infra/business_unit_1/development/terraform.tfvars 5-app-infra/business_unit_1/development/terraform.tfvars.disabled - mv 5-app-infra/business_unit_1/non-production/terraform.tfvars 5-app-infra/business_unit_1/non-production/terraform.tfvars.disabled - mv 5-app-infra/business_unit_1/production/terraform.tfvars 5-app-infra/business_unit_1/production/terraform.tfvars.disabled + mv 5-app-infra/business_unit_1/development/common.auto.tfvars 5-app-infra/business_unit_1/development/common.auto.tfvars.disabled + mv 5-app-infra/business_unit_1/non-production/common.auto.tfvars 5-app-infra/business_unit_1/non-production/common.auto.tfvars.disabled + mv 5-app-infra/business_unit_1/production/common.auto.tfvars 5-app-infra/business_unit_1/production/common.auto.tfvars.disabled } diff --git a/test/integration/app-infra/app_infra_test.go b/test/integration/app-infra/app_infra_test.go index e88ca71cf..6c777ee70 100644 --- a/test/integration/app-infra/app_infra_test.go +++ b/test/integration/app-infra/app_infra_test.go 
@@ -26,11 +26,6 @@ import ( func TestAppInfra(t *testing.T) { - bootstrap := tft.NewTFBlueprintTest(t, - tft.WithTFDir("../../../0-bootstrap"), - ) - backend_bucket := bootstrap.GetStringOutput("gcs_bucket_tfstate") - for _, envName := range []string{ "development", "non-production", @@ -38,8 +33,12 @@ func TestAppInfra(t *testing.T) { } { t.Run(envName, func(t *testing.T) { + projects := tft.NewTFBlueprintTest(t, + tft.WithTFDir(fmt.Sprintf("../../../4-projects/business_unit_1/%s", envName)), + ) + vars := map[string]interface{}{ - "backend_bucket": backend_bucket, + "project_service_account": projects.GetStringOutput("base_shared_vpc_project_sa"), } appInfra := tft.NewTFBlueprintTest(t, From 03ecd129211506eef5c6438b50b770f2a086a2e5 Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Fri, 26 Aug 2022 19:19:23 -0300 Subject: [PATCH 25/30] remove remote_state.tf file --- 1-org/envs/shared/main.tf | 9 ++++ 1-org/envs/shared/remote_state.tf | 24 --------- 2-environments/modules/env_baseline/main.tf | 9 ++++ .../modules/env_baseline/remote_state.tf | 24 --------- 3-networks-dual-svpc/modules/base_env/main.tf | 37 +++++++++++-- .../modules/base_env/remote_state.tf | 51 ------------------ .../modules/base_env/main.tf | 36 +++++++++++++ .../modules/base_env/remote_state.tf | 51 ------------------ 4-projects/modules/base_env/main.tf | 36 +++++++++++++ 4-projects/modules/base_env/remote_state.tf | 52 ------------------- 10 files changed, 124 insertions(+), 205 deletions(-) delete mode 100644 1-org/envs/shared/remote_state.tf delete mode 100644 2-environments/modules/env_baseline/remote_state.tf delete mode 100644 3-networks-dual-svpc/modules/base_env/remote_state.tf delete mode 100644 3-networks-hub-and-spoke/modules/base_env/remote_state.tf delete mode 100644 4-projects/modules/base_env/remote_state.tf diff --git a/1-org/envs/shared/main.tf b/1-org/envs/shared/main.tf index e2fca8d8d..489ff11ca 100644 --- a/1-org/envs/shared/main.tf +++ b/1-org/envs/shared/main.tf 
@@ -23,3 +23,12 @@ locals { folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id } + +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/bootstrap/state" + } +} diff --git a/1-org/envs/shared/remote_state.tf b/1-org/envs/shared/remote_state.tf deleted file mode 100644 index 6bcb836aa..000000000 --- a/1-org/envs/shared/remote_state.tf +++ /dev/null @@ -1,24 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "terraform_remote_state" "bootstrap" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/bootstrap/state" - } -} diff --git a/2-environments/modules/env_baseline/main.tf b/2-environments/modules/env_baseline/main.tf index 600f3361b..70d199499 100644 --- a/2-environments/modules/env_baseline/main.tf +++ b/2-environments/modules/env_baseline/main.tf @@ -23,3 +23,12 @@ locals { folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id } + +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/bootstrap/state" + } +} 
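Review bot: The `terraform_remote_state` block reads the entire bootstrap state object even though the locals above it consume only `common_config`, so the identity running 1-org needs read access to the state bucket and sees every output the bootstrap step stored there, not just the folder prefix and parent. That is inherent to the pattern rather than a defect introduced by moving the block out of remote_state.tf, but it deserves a comment at the top of the block, e.g. `# Reads the full 0-bootstrap state from the seed bucket; only common_config is consumed here.` The same block is added to main.tf in 2-environments (later in this hunk group), 3-networks-dual-svpc, 3-networks-hub-and-spoke and 4-projects in this commit, so the comment applies to each. Moving the block within the module changes no behavior, and the deleted remote_state.tf content matches what was added.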
diff --git a/2-environments/modules/env_baseline/remote_state.tf b/2-environments/modules/env_baseline/remote_state.tf deleted file mode 100644 index 6bcb836aa..000000000 --- a/2-environments/modules/env_baseline/remote_state.tf +++ /dev/null @@ -1,24 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "terraform_remote_state" "bootstrap" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/bootstrap/state" - } -} diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index e1f0f3682..978ba0451 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf 
@@ -42,9 +42,40 @@ locals { restricted_hub_subnet_ranges = ["10.8.0.0/24", "10.9.0.0/24"] } -data "google_active_folder" "env" { - display_name = "${local.folder_prefix}-${var.env}" - parent = local.parent_id +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/bootstrap/state" + } +} + +data "terraform_remote_state" "org" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/org/state" + } +} + +data "terraform_remote_state" "network_shared" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/networks/envs/shared" + } +} + +data "terraform_remote_state" "environments_env" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/environments/${var.env}" + } } /****************************************** diff --git a/3-networks-dual-svpc/modules/base_env/remote_state.tf b/3-networks-dual-svpc/modules/base_env/remote_state.tf deleted file mode 100644 index c05b17536..000000000 --- a/3-networks-dual-svpc/modules/base_env/remote_state.tf +++ /dev/null 
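Review bot: This hunk also deletes `data "google_active_folder" "env"`, which is outside the stated scope of the commit (moving the remote_state blocks into main.tf); if any other file in `base_env` still references `data.google_active_folder.env`, the module no longer plans, and from the hunk alone I cannot tell whether a replacement lookup exists elsewhere. Either keep the folder lookup in this commit or call the removal out in the commit message so the change is reviewable on its own. The hub-and-spoke counterpart in the next hunk adds the same four remote states without touching its folder lookup, so the two network variants now differ at this point.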
@@ -1,51 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "terraform_remote_state" "bootstrap" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/bootstrap/state" - } -} - -data "terraform_remote_state" "org" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/org/state" - } -} - -data "terraform_remote_state" "network_shared" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/networks/envs/shared" - } -} - -data "terraform_remote_state" "environments_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/environments/${var.env}" - } -} diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf index 5f7d89250..272f45109 100644 --- a/3-networks-hub-and-spoke/modules/base_env/main.tf +++ b/3-networks-hub-and-spoke/modules/base_env/main.tf 
@@ -44,6 +44,42 @@ locals { restricted_hub_subnet_ranges = ["10.8.0.0/24", "10.9.0.0/24"] } +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/bootstrap/state" + } +} + +data "terraform_remote_state" "org" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/org/state" + } +} + +data "terraform_remote_state" "network_shared" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/networks/envs/shared" + } +} + +data "terraform_remote_state" "environments_env" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/environments/${var.env}" + } +} + /****************************************** Restricted shared VPC *****************************************/ diff --git a/3-networks-hub-and-spoke/modules/base_env/remote_state.tf b/3-networks-hub-and-spoke/modules/base_env/remote_state.tf deleted file mode 100644 index c05b17536..000000000 --- a/3-networks-hub-and-spoke/modules/base_env/remote_state.tf +++ /dev/null 
@@ -1,51 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "terraform_remote_state" "bootstrap" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/bootstrap/state" - } -} - -data "terraform_remote_state" "org" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/org/state" - } -} - -data "terraform_remote_state" "network_shared" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/networks/envs/shared" - } -} - -data "terraform_remote_state" "environments_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/environments/${var.env}" - } -} diff --git a/4-projects/modules/base_env/main.tf b/4-projects/modules/base_env/main.tf index 76275d775..91182d54e 100644 --- a/4-projects/modules/base_env/main.tf +++ b/4-projects/modules/base_env/main.tf 
@@ -32,3 +32,39 @@ locals { env_folder_name = data.terraform_remote_state.environments_env.outputs.env_folder app_infra_pipeline_cloudbuild_sa = data.terraform_remote_state.business_unit_shared.outputs.cloudbuild_sa } + +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/bootstrap/state" + } +} + +data "terraform_remote_state" "network_env" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/networks/${var.env}" + } +} + +data "terraform_remote_state" "environments_env" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/environments/${var.env}" + } +} + +data "terraform_remote_state" "business_unit_shared" { + backend = "gcs" + + config = { + bucket = "${var.backend_bucket}" + prefix = "terraform/projects/${var.business_unit}/shared" + } +} diff --git a/4-projects/modules/base_env/remote_state.tf b/4-projects/modules/base_env/remote_state.tf deleted file mode 100644 index 8a5b96fb5..000000000 --- a/4-projects/modules/base_env/remote_state.tf +++ /dev/null 
@@ -1,52 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "terraform_remote_state" "bootstrap" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/bootstrap/state" - } -} - -data "terraform_remote_state" "network_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/networks/${var.env}" - } -} - -data "terraform_remote_state" "environments_env" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/environments/${var.env}" - } -} - - -data "terraform_remote_state" "business_unit_shared" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/projects/${var.business_unit}/shared" - } -} From 5378ee2dada5089028085aa6fe9c2152ef757050 Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Fri, 26 Aug 2022 19:23:31 -0300 Subject: [PATCH 26/30] fix null provider version --- 5-app-infra/business_unit_1/production/versions.tf | 2 +- 5-app-infra/modules/env_base/versions.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/5-app-infra/business_unit_1/production/versions.tf b/5-app-infra/business_unit_1/production/versions.tf index 3fa6d9206..c9b0c3d5f 100644 --- a/5-app-infra/business_unit_1/production/versions.tf +++ b/5-app-infra/business_unit_1/production/versions.tf 
@@ -31,7 +31,7 @@ terraform { null = { source = "hashicorp/null" - version = "~> 2.1" + version = "~> 3.0" } random = { diff --git a/5-app-infra/modules/env_base/versions.tf b/5-app-infra/modules/env_base/versions.tf index 607c66c7e..c0d71ce88 100644 --- a/5-app-infra/modules/env_base/versions.tf +++ b/5-app-infra/modules/env_base/versions.tf @@ -27,7 +27,7 @@ terraform { } null = { source = "hashicorp/null" - version = "~> 2.1" + version = "~> 3.0" } random = { From c8ec10c45c81ee6d971cc95ff1cf457304971fde Mon Sep 17 00:00:00 2001 From: Daniel da Silva Andrade Date: Fri, 26 Aug 2022 19:27:04 -0300 Subject: [PATCH 27/30] restore gcloud beta terraform vet info --- 5-app-infra/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/5-app-infra/README.md b/5-app-infra/README.md index 62c1731e0..d83c94428 100644 --- a/5-app-infra/README.md +++ b/5-app-infra/README.md 
@@ -207,7 +207,7 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS. We will now deploy each of our environments (development/production/non-production) using this script. When using Cloud Build or Jenkins as your CI/CD tool, each environment corresponds to a branch in the repository for the `5-app-infra` step. Only the corresponding environment is applied. -To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://github.com/GoogleCloudPlatform/terraform-validator/blob/main/docs/install.md) in the **Install Terraform Validator** section and install version `v0.4.0` in your system. You will also need to rename the binary from `terraform-validator-` to `terraform-validator` and the `terraform-validator` binary must be in your `PATH`. +To use the `validate` option of the `tf-wrapper.sh` script, please follow the [instructions](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) to install the terraform-tools component. 1. Run `./tf-wrapper.sh init production`. 1. Run `./tf-wrapper.sh plan production` and review output. From 28d7f9490a14338f33a74556794c46fd6eccdff7 Mon Sep 17 00:00:00 2001 
From: Daniel da Silva Andrade Date: Fri, 26 Aug 2022 22:29:41 -0300 Subject: [PATCH 28/30] remove interpolation from backend_bucket usage --- 1-org/envs/shared/main.tf | 2 +- 2-environments/modules/env_baseline/main.tf | 2 +- 3-networks-dual-svpc/envs/shared/main.tf | 45 ++++++++++++++ .../envs/shared/remote_state.tf | 60 ------------------- 3-networks-dual-svpc/modules/base_env/main.tf | 8 +-- 3-networks-hub-and-spoke/envs/shared/main.tf | 45 ++++++++++++++ .../envs/shared/remote_state.tf | 60 ------------------- .../modules/base_env/main.tf | 8 +-- 4-projects/business_unit_1/shared/main.tf | 18 ++++++ .../business_unit_1/shared/remote_state.tf | 33 ---------- 4-projects/business_unit_2/shared/main.tf | 18 ++++++ .../business_unit_2/shared/remote_state.tf | 33 ---------- 4-projects/modules/base_env/main.tf | 8 +-- 13 files changed, 140 insertions(+), 200 deletions(-) delete mode 100644 3-networks-dual-svpc/envs/shared/remote_state.tf delete mode 100644 3-networks-hub-and-spoke/envs/shared/remote_state.tf delete mode 100644 4-projects/business_unit_1/shared/remote_state.tf delete mode 100644 4-projects/business_unit_2/shared/remote_state.tf diff --git a/1-org/envs/shared/main.tf b/1-org/envs/shared/main.tf index 489ff11ca..3f43ff075 100644 --- a/1-org/envs/shared/main.tf +++ b/1-org/envs/shared/main.tf @@ -28,7 +28,7 @@ data "terraform_remote_state" "bootstrap" { backend = "gcs" config = { - bucket = "${var.backend_bucket}" + bucket = var.backend_bucket prefix = "terraform/bootstrap/state" } } diff --git a/2-environments/modules/env_baseline/main.tf b/2-environments/modules/env_baseline/main.tf index 70d199499..b8fd681bf 100644 --- a/2-environments/modules/env_baseline/main.tf +++ b/2-environments/modules/env_baseline/main.tf @@ -28,7 +28,7 @@ data "terraform_remote_state" "bootstrap" { backend = "gcs" config = { - bucket = "${var.backend_bucket}" + bucket = var.backend_bucket prefix = "terraform/bootstrap/state" } } 
diff --git a/3-networks-dual-svpc/envs/shared/main.tf b/3-networks-dual-svpc/envs/shared/main.tf index 32f7aa04d..220224a42 100644 --- a/3-networks-dual-svpc/envs/shared/main.tf +++ b/3-networks-dual-svpc/envs/shared/main.tf @@ -30,3 +30,48 @@ locals { non_production_folder_name = data.terraform_remote_state.env_non_production.outputs.env_folder production_folder_name = data.terraform_remote_state.env_production.outputs.env_folder } + +data "terraform_remote_state" "bootstrap" { + backend = "gcs" + + config = { + bucket = var.backend_bucket + prefix = "terraform/bootstrap/state" + } +} + +data "terraform_remote_state" "org" { + backend = "gcs" + + config = { + bucket = var.backend_bucket + prefix = "terraform/org/state" + } +} + +data "terraform_remote_state" "env_development" { + backend = "gcs" + + config = { + bucket = var.backend_bucket + prefix = "terraform/environments/development" + } +} + +data "terraform_remote_state" "env_non_production" { + backend = "gcs" + + config = { + bucket = var.backend_bucket + prefix = "terraform/environments/non-production" + } +} + +data "terraform_remote_state" "env_production" { + backend = "gcs" + + config = { + bucket = var.backend_bucket + prefix = "terraform/environments/production" + } +} diff --git a/3-networks-dual-svpc/envs/shared/remote_state.tf b/3-networks-dual-svpc/envs/shared/remote_state.tf deleted file mode 100644 index d5b48c378..000000000 --- a/3-networks-dual-svpc/envs/shared/remote_state.tf +++ /dev/null 
@@ -1,60 +0,0 @@ -/** - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -data "terraform_remote_state" "bootstrap" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/bootstrap/state" - } -} - -data "terraform_remote_state" "org" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/org/state" - } -} - -data "terraform_remote_state" "env_development" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/environments/development" - } -} - -data "terraform_remote_state" "env_non_production" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/environments/non-production" - } -} - -data "terraform_remote_state" "env_production" { - backend = "gcs" - - config = { - bucket = "${var.backend_bucket}" - prefix = "terraform/environments/production" - } -} diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf index 978ba0451..6e18f23aa 100644 --- a/3-networks-dual-svpc/modules/base_env/main.tf +++ b/3-networks-dual-svpc/modules/base_env/main.tf @@ -46,7 +46,7 @@ data "terraform_remote_state" "bootstrap" { backend = "gcs" config = { - bucket = "${var.backend_bucket}" + bucket = var.backend_bucket prefix = "terraform/bootstrap/state" } } 
@@ -55,7 +55,7 @@ data "terraform_remote_state" "org" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/org/state"
 }
 }
@@ -64,7 +64,7 @@ data "terraform_remote_state" "network_shared" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/networks/envs/shared"
 }
 }
@@ -73,7 +73,7 @@ data "terraform_remote_state" "environments_env" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/environments/${var.env}"
 }
 }
diff --git a/3-networks-hub-and-spoke/envs/shared/main.tf b/3-networks-hub-and-spoke/envs/shared/main.tf
index dc6736caa..34b2dd6bd 100644
--- a/3-networks-hub-and-spoke/envs/shared/main.tf
+++ b/3-networks-hub-and-spoke/envs/shared/main.tf
@@ -38,3 +38,48 @@ locals {
 restricted_net_hub_project_id = data.terraform_remote_state.org.outputs.restricted_net_hub_project_id
 restricted_net_hub_project_number = data.terraform_remote_state.org.outputs.restricted_net_hub_project_number
 }
+
+data "terraform_remote_state" "bootstrap" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/bootstrap/state"
+ }
+}
+
+data "terraform_remote_state" "org" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/org/state"
+ }
+}
+
+data "terraform_remote_state" "env_development" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/environments/development"
+ }
+}
+
+data "terraform_remote_state" "env_non_production" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/environments/non-production"
+ }
+}
+
+data "terraform_remote_state" "env_production" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/environments/production"
+ }
+}
diff --git a/3-networks-hub-and-spoke/envs/shared/remote_state.tf b/3-networks-hub-and-spoke/envs/shared/remote_state.tf
deleted file mode 100644
index d5b48c378..000000000
--- a/3-networks-hub-and-spoke/envs/shared/remote_state.tf
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-data "terraform_remote_state" "bootstrap" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/bootstrap/state"
- }
-}
-
-data "terraform_remote_state" "org" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/org/state"
- }
-}
-
-data "terraform_remote_state" "env_development" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/environments/development"
- }
-}
-
-data "terraform_remote_state" "env_non_production" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/environments/non-production"
- }
-}
-
-data "terraform_remote_state" "env_production" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/environments/production"
- }
-}
diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf
index 272f45109..81690b6d2 100644
--- a/3-networks-hub-and-spoke/modules/base_env/main.tf
+++ b/3-networks-hub-and-spoke/modules/base_env/main.tf
@@ -48,7 +48,7 @@ data "terraform_remote_state" "bootstrap" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/bootstrap/state"
 }
 }
@@ -57,7 +57,7 @@ data "terraform_remote_state" "org" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/org/state"
 }
 }
@@ -66,7 +66,7 @@ data "terraform_remote_state" "network_shared" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/networks/envs/shared"
 }
 }
@@ -75,7 +75,7 @@ data "terraform_remote_state" "environments_env" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/environments/${var.env}"
 }
 }
diff --git a/4-projects/business_unit_1/shared/main.tf b/4-projects/business_unit_1/shared/main.tf
index aa1951ff3..073b44b08 100644
--- a/4-projects/business_unit_1/shared/main.tf
+++ b/4-projects/business_unit_1/shared/main.tf
@@ -24,3 +24,21 @@ locals {
 parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
 }
+
+data "terraform_remote_state" "bootstrap" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/bootstrap/state"
+ }
+}
+
+data "terraform_remote_state" "org" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/org/state"
+ }
+}
diff --git a/4-projects/business_unit_1/shared/remote_state.tf b/4-projects/business_unit_1/shared/remote_state.tf
deleted file mode 100644
index cf8c36118..000000000
--- a/4-projects/business_unit_1/shared/remote_state.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-data "terraform_remote_state" "bootstrap" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/bootstrap/state"
- }
-}
-
-data "terraform_remote_state" "org" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/org/state"
- }
-}
diff --git a/4-projects/business_unit_2/shared/main.tf b/4-projects/business_unit_2/shared/main.tf
index aa1951ff3..073b44b08 100644
--- a/4-projects/business_unit_2/shared/main.tf
+++ b/4-projects/business_unit_2/shared/main.tf
@@ -24,3 +24,21 @@ locals {
 parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
 }
+
+data "terraform_remote_state" "bootstrap" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/bootstrap/state"
+ }
+}
+
+data "terraform_remote_state" "org" {
+ backend = "gcs"
+
+ config = {
+ bucket = var.backend_bucket
+ prefix = "terraform/org/state"
+ }
+}
diff --git a/4-projects/business_unit_2/shared/remote_state.tf b/4-projects/business_unit_2/shared/remote_state.tf
deleted file mode 100644
index cf8c36118..000000000
--- a/4-projects/business_unit_2/shared/remote_state.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-data "terraform_remote_state" "bootstrap" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/bootstrap/state"
- }
-}
-
-data "terraform_remote_state" "org" {
- backend = "gcs"
-
- config = {
- bucket = "${var.backend_bucket}"
- prefix = "terraform/org/state"
- }
-}
diff --git a/4-projects/modules/base_env/main.tf b/4-projects/modules/base_env/main.tf
index 91182d54e..de4b4353f 100644
--- a/4-projects/modules/base_env/main.tf
+++ b/4-projects/modules/base_env/main.tf
@@ -37,7 +37,7 @@ data "terraform_remote_state" "bootstrap" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/bootstrap/state"
 }
 }
@@ -46,7 +46,7 @@ data "terraform_remote_state" "network_env" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/networks/${var.env}"
 }
 }
@@ -55,7 +55,7 @@ data "terraform_remote_state" "environments_env" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/environments/${var.env}"
 }
 }
@@ -64,7 +64,7 @@ data "terraform_remote_state" "business_unit_shared" {
 backend = "gcs"
 
 config = {
- bucket = "${var.backend_bucket}"
+ bucket = var.backend_bucket
 prefix = "terraform/projects/${var.business_unit}/shared"
 }
 }
From 8d17600d35a4c3a5c569fbfa54826238a98e3de3 Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade
Date: Fri, 26 Aug 2022 23:02:33 -0300
Subject: [PATCH 29/30] organize remote state values
---
 1-org/envs/shared/main.tf | 4 ++--
 2-environments/modules/env_baseline/main.tf | 4 ++--
 3-networks-dual-svpc/modules/base_env/main.tf | 4 ++--
 3-networks-hub-and-spoke/modules/base_env/main.tf | 4 ++--
 4-projects/business_unit_1/shared/main.tf | 6 +++---
 4-projects/business_unit_2/shared/main.tf | 6 +++---
 4-projects/modules/base_env/main.tf | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/1-org/envs/shared/main.tf b/1-org/envs/shared/main.tf
index 3f43ff075..aa518aaf7 100644
--- a/1-org/envs/shared/main.tf
+++ b/1-org/envs/shared/main.tf
@@ -15,13 +15,13 @@
 */
 
 locals {
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
 default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 }
 
 data "terraform_remote_state" "bootstrap" {
diff --git a/2-environments/modules/env_baseline/main.tf b/2-environments/modules/env_baseline/main.tf
index b8fd681bf..36e7003d7 100644
--- a/2-environments/modules/env_baseline/main.tf
+++ b/2-environments/modules/env_baseline/main.tf
@@ -15,13 +15,13 @@
 */
 
 locals {
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
 default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 }
 
 data "terraform_remote_state" "bootstrap" {
diff --git a/3-networks-dual-svpc/modules/base_env/main.tf b/3-networks-dual-svpc/modules/base_env/main.tf
index 6e18f23aa..02bd8ccf4 100644
--- a/3-networks-dual-svpc/modules/base_env/main.tf
+++ b/3-networks-dual-svpc/modules/base_env/main.tf
@@ -15,12 +15,12 @@
 */
 
 locals {
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
 default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 restricted_project_id = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_id
 restricted_project_number = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_number
 base_project_id = data.terraform_remote_state.environments_env.outputs.base_shared_vpc_project_id
diff --git a/3-networks-hub-and-spoke/modules/base_env/main.tf b/3-networks-hub-and-spoke/modules/base_env/main.tf
index 81690b6d2..aca6f124c 100644
--- a/3-networks-hub-and-spoke/modules/base_env/main.tf
+++ b/3-networks-hub-and-spoke/modules/base_env/main.tf
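Review bot: After the reorder this module still names the `common_config.parent_id` value `parent_id`, while the 1-org, 2-environments and 4-projects hunks in this same commit name the identical value `parent`; for a commit whose purpose is to organize these values, aligning the name across steps would remove a recurring source of confusion when comparing the locals blocks. Renaming it means updating every `local.parent_id` reference in the module, which lies outside this hunk, so if that churn is not wanted a one-line comment `# same value as local.parent in the other steps` would at least make the mismatch deliberate. The 3-networks-hub-and-spoke/modules/base_env/main.tf hunk that follows has the same naming. The `locals` block continues past the end of this hunk.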
@@ -15,12 +15,12 @@
 */
 
 locals {
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
 default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- parent_id = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 restricted_project_id = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_id
 restricted_project_number = data.terraform_remote_state.environments_env.outputs.restricted_shared_vpc_project_number
 base_project_id = data.terraform_remote_state.environments_env.outputs.base_shared_vpc_project_id
diff --git a/4-projects/business_unit_1/shared/main.tf b/4-projects/business_unit_1/shared/main.tf
index 073b44b08..26ebb3071 100644
--- a/4-projects/business_unit_1/shared/main.tf
+++ b/4-projects/business_unit_1/shared/main.tf
@@ -15,14 +15,14 @@
 */
 
 locals {
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
+ common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
 default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
- common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
 }
 
 data "terraform_remote_state" "bootstrap" {
diff --git a/4-projects/business_unit_2/shared/main.tf b/4-projects/business_unit_2/shared/main.tf
index 073b44b08..26ebb3071 100644
--- a/4-projects/business_unit_2/shared/main.tf
+++ b/4-projects/business_unit_2/shared/main.tf
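Review bot: The reordered block places `common_folder_name`, the one value that comes from the 1-org state (`data.terraform_remote_state.org`), between `billing_account` and `default_region`, which both come from the bootstrap `common_config`, so a reader can no longer tell from position which remote state a local is sourced from. Keeping the six bootstrap-derived locals contiguous and moving `common_folder_name` to the end of the block, optionally under a short `# from 1-org state` comment, would make the origin of each value obvious at a glance. The 4-projects/business_unit_2/shared/main.tf hunk that follows has the same interleaving.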
@@ -15,14 +15,14 @@
 */
 
 locals {
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
+ common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
 default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
- common_folder_name = data.terraform_remote_state.org.outputs.common_folder_name
 }
 
 data "terraform_remote_state" "bootstrap" {
diff --git a/4-projects/modules/base_env/main.tf b/4-projects/modules/base_env/main.tf
index de4b4353f..692cde451 100644
--- a/4-projects/modules/base_env/main.tf
+++ b/4-projects/modules/base_env/main.tf
@@ -15,13 +15,13 @@
 */
 
 locals {
- parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
+ parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
+ parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 billing_account = data.terraform_remote_state.bootstrap.outputs.common_config.billing_account
 default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
 project_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.project_prefix
 folder_prefix = data.terraform_remote_state.bootstrap.outputs.common_config.folder_prefix
- parent = data.terraform_remote_state.bootstrap.outputs.common_config.parent_id
 perimeter_name = data.terraform_remote_state.network_env.outputs.restricted_service_perimeter_name
 base_network_self_link = data.terraform_remote_state.network_env.outputs.base_network_self_link
 base_subnets_self_links = data.terraform_remote_state.network_env.outputs.base_subnets_self_links
From c763021d040c9b237bcda7a541c901b792a39eb5 Mon Sep 17 00:00:00 2001
From: Daniel da Silva Andrade
Date: Fri, 26 Aug 2022 23:07:18 -0300
Subject: [PATCH 30/30] add explanation of usage of remote state output values
---
 1-org/envs/shared/main.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/1-org/envs/shared/main.tf b/1-org/envs/shared/main.tf
index aa518aaf7..e00b4b2d1 100644
--- a/1-org/envs/shared/main.tf
+++ b/1-org/envs/shared/main.tf
@@ -14,6 +14,10 @@
 * limitations under the License.
 */
 
+// These values are retrieved from the saved terraform state of the execution
+// of step 0-bootstrap using the terraform_remote_state data source.
+// These values can be overridden here if needed.
+// Some values, like org_id, parent_folder, and parent, must be consistent in all steps.
 locals {
 org_id = data.terraform_remote_state.bootstrap.outputs.common_config.org_id
 parent_folder = data.terraform_remote_state.bootstrap.outputs.common_config.parent_folder
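Review bot: The explanation is added only to 1-org/envs/shared/main.tf, yet the previous commit in this series shows the same remote-state-derived `locals` block in 2-environments/modules/env_baseline, both 3-networks base_env modules, 4-projects/modules/base_env and the business-unit shared mains, where a reader will have the same question; the same four lines belong above each of those blocks. Terraform's own documentation names `#` as the default single-line comment style and notes that formatting tools may rewrite `//` to `#`, so `# These values are retrieved from the saved terraform state ...` would match the convention the rest of the repository is likely formatted to. The third sentence, "These values can be overridden here if needed", also sits awkwardly next to the fourth, which says `org_id`, `parent_folder` and `parent` must stay consistent; wording it as `// Values other than org_id, parent_folder and parent may be overridden here if needed.` removes the apparent contradiction. The `locals` block continues past the end of this hunk.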