Merge branch 'master' into adfs

GoogleCloudPlatform · Jul 10, 2022 · fc0ae05 · fc0ae05
2 parents 0faad72 + e21a0f7
commit fc0ae05
Show file tree

Hide file tree

Showing 29 changed files with 681 additions and 37 deletions.
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ The current list of modules supports most of the core foundational and networkin
 
 Currently available modules:
 
-- **foundational** - [folder](./modules/folder), [organization](./modules/organization), [project](./modules/project), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [billing budget](./modules/billing-budget), [naming convention](./modules/naming-convention), [projects-data-source](./modules/projects-data-source)
+- **foundational** - [folder](./modules/folder), [organization](./modules/organization), [project](./modules/project), [service accounts](./modules/iam-service-account), [logging bucket](./modules/logging-bucket), [billing budget](./modules/billing-budget), [naming convention](./modules/naming-convention), [projects-data-source](./modules/projects-data-source), [organization-policy](./modules/organization-policy)
 - **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN static](./modules/net-vpn-static), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns), [L4 ILB](./modules/net-ilb), [L7 ILB](./modules/net-ilb-l7), [Service Directory](./modules/service-directory), [Cloud Endpoints](./modules/endpoints)
 - **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [GKE hub](./modules/gke-hub), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid)
 - **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery-dataset), [Pub/Sub](./modules/pubsub), [Datafusion](./modules/datafusion), [Bigtable instance](./modules/bigtable-instance), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag)

diff --git a/examples/factories/net-vpc-firewall-yaml/README.md b/examples/factories/net-vpc-firewall-yaml/README.md
@@ -12,7 +12,7 @@ Nested folder structure for yaml configurations is optionally supported, which a
 
 ```hcl
 module "prod-firewall" {
-  source = "./modules/net-vpc-firewall-yaml"
+  source = "./examples/factories/net-vpc-firewall-yaml"
   
   project_id         = "my-prod-project"
   network            = "my-prod-network"
@@ -27,7 +27,7 @@ module "prod-firewall" {
 }
 
 module "dev-firewall" {
-  source = "./modules/net-vpc-firewall-yaml"
+  source = "./examples/factories/net-vpc-firewall-yaml"
   
   project_id         = "my-dev-project"
   network            = "my-dev-network"

diff --git a/fast/stages/01-resman/billing.tf b/fast/stages/01-resman/billing.tf
@@ -41,7 +41,8 @@ module "billing-organization-ext" {
   count           = local.billing_org_ext ? 1 : 0
   organization_id = "organizations/${var.billing_account.organization_id}"
   iam_additive = {
-    "roles/billing.user" = local.billing_ext_users
+    "roles/billing.user"         = local.billing_ext_users
+    "roles/billing.costsManager" = local.billing_ext_users
   }
 }
 
@@ -55,3 +56,12 @@ resource "google_billing_account_iam_member" "billing_ext_admin" {
   role               = "roles/billing.user"
   member             = each.key
 }
+
+resource "google_billing_account_iam_member" "billing_ext_costsmanager" {
+  for_each = toset(
+    local.billing_ext ? local.billing_ext_users : []
+  )
+  billing_account_id = var.billing_account.id
+  role               = "roles/billing.costsManager"
+  member             = each.key
+}
diff --git a/fast/stages/01-resman/cicd-project-factory.tf b/fast/stages/01-resman/cicd-project-factory.tf
@@ -122,10 +122,12 @@ module "branch-pf-dev-sa-cicd" {
         each.value.branch == null
         ? format(
           local.identity_providers[each.value.identity_provider].principalset_tpl,
+          var.automation.federated_identity_pool,
           each.value.name
         )
         : format(
           local.identity_providers[each.value.identity_provider].principal_tpl,
+          var.automation.federated_identity_pool,
           each.value.name,
           each.value.branch
         )

diff --git a/fast/stages/02-networking-nva/landing.tf b/fast/stages/02-networking-nva/landing.tf
@@ -38,10 +38,12 @@ module "landing-project" {
     service_projects = []
   }
   iam = {
-    "roles/dns.admin" = [local.service_accounts.project-factory-prod]
-    (local.custom_roles.service_project_network_admin) = [
-      local.service_accounts.project-factory-prod
-    ]
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
+    (local.custom_roles.service_project_network_admin) = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 

diff --git a/fast/stages/02-networking-nva/main.tf b/fast/stages/02-networking-nva/main.tf
@@ -25,7 +25,8 @@ locals {
     })]
   }
   service_accounts = {
-    for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}"
+    for k, v in coalesce(var.service_accounts, {}) :
+    k => "serviceAccount:${v}" if v != null
   }
   stage3_sas_delegated_grants = [
     "roles/composer.sharedVpcAgent",

diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -40,7 +40,9 @@ module "dev-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-dev, null)
+    ])
   }
 }
 
@@ -124,8 +126,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-dev,
-    local.service_accounts.project-factory-dev,
+    try(local.service_accounts.data-platform-dev, null),
+    try(local.service_accounts.project-factory-dev, null),
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"

diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -40,7 +40,9 @@ module "prod-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 
@@ -124,8 +126,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-prod,
-    local.service_accounts.project-factory-prod,
+    try(local.service_accounts.data-platform-prod, null),
+    try(local.service_accounts.project-factory-prod, null),
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"

diff --git a/fast/stages/02-networking-peering/landing.tf b/fast/stages/02-networking-peering/landing.tf
@@ -38,10 +38,12 @@ module "landing-project" {
     service_projects = []
   }
   iam = {
-    "roles/dns.admin" = [local.service_accounts.project-factory-prod]
-    (local.custom_roles.service_project_network_admin) = [
-      local.service_accounts.project-factory-prod
-    ]
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
+    (local.custom_roles.service_project_network_admin) = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 

diff --git a/fast/stages/02-networking-peering/main.tf b/fast/stages/02-networking-peering/main.tf
@@ -36,7 +36,8 @@ locals {
     "roles/vpcaccess.user",
   ]
   service_accounts = {
-    for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}"
+    for k, v in coalesce(var.service_accounts, {}) :
+    k => "serviceAccount:${v}" if v != null
   }
 }
 

diff --git a/fast/stages/02-networking-peering/spoke-dev.tf b/fast/stages/02-networking-peering/spoke-dev.tf
@@ -41,7 +41,9 @@ module "dev-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-dev, null)
+    ])
   }
 }
 
@@ -101,8 +103,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-dev,
-    local.service_accounts.project-factory-dev,
+    try(local.service_accounts.data-platform-dev, null),
+    try(local.service_accounts.project-factory-dev, null),
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"

diff --git a/fast/stages/02-networking-peering/spoke-prod.tf b/fast/stages/02-networking-peering/spoke-prod.tf
@@ -41,7 +41,9 @@ module "prod-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 
@@ -101,8 +103,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-prod,
-    local.service_accounts.project-factory-prod,
+    try(local.service_accounts.data-platform-prod, null),
+    try(local.service_accounts.project-factory-prod, null),
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"

diff --git a/fast/stages/02-networking-vpn/landing.tf b/fast/stages/02-networking-vpn/landing.tf
@@ -38,10 +38,12 @@ module "landing-project" {
     service_projects = []
   }
   iam = {
-    "roles/dns.admin" = [local.service_accounts.project-factory-prod]
-    (local.custom_roles.service_project_network_admin) = [
-      local.service_accounts.project-factory-prod
-    ]
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
+    (local.custom_roles.service_project_network_admin) = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 

diff --git a/fast/stages/02-networking-vpn/main.tf b/fast/stages/02-networking-vpn/main.tf
@@ -36,7 +36,8 @@ locals {
     "roles/vpcaccess.user",
   ]
   service_accounts = {
-    for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}"
+    for k, v in coalesce(var.service_accounts, {}) :
+    k => "serviceAccount:${v}" if v != null
   }
 }
 

diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -41,7 +41,9 @@ module "dev-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-dev])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-dev, null)
+    ])
   }
 }
 
@@ -101,8 +103,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-dev,
-    local.service_accounts.project-factory-dev,
+    try(local.service_accounts.data-platform-dev, null),
+    try(local.service_accounts.project-factory-dev, null),
   ])
   condition {
     title       = "dev_stage3_sa_delegated_grants"

diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -41,7 +41,9 @@ module "prod-spoke-project" {
   }
   metric_scopes = [module.landing-project.project_id]
   iam = {
-    "roles/dns.admin" = compact([local.service_accounts.project-factory-prod])
+    "roles/dns.admin" = compact([
+      try(local.service_accounts.project-factory-prod, null)
+    ])
   }
 }
 
@@ -101,8 +103,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id
   role    = "roles/resourcemanager.projectIamAdmin"
   members = compact([
-    local.service_accounts.data-platform-prod,
-    local.service_accounts.project-factory-prod,
+    try(local.service_accounts.data-platform-prod, null),
+    try(local.service_accounts.project-factory-prod, null),
   ])
   condition {
     title       = "prod_stage3_sa_delegated_grants"

diff --git a/modules/README.md b/modules/README.md
@@ -37,6 +37,7 @@ These modules are used in the examples included in this repository. If you are u
 - [project](./project)
 - [projects-data-source](./projects-data-source)
 - [service account](./iam-service-account)
+- [organization policy](./organization-policy)
 
 ## Networking modules