move hardcoded services from module audit_project into tfvars #284

Closed
fmichaelobrien opened this issue Aug 8, 2023 · 4 comments
@fmichaelobrien
Contributor

fmichaelobrien commented Aug 8, 2023

Client observation:
(check all 3: audit, logs, guardrails)
For hard-coded service enablement in modules instead of in the tfvars for some projects like audit - yes, good point; these all need to be moved out of the modules section.

move secondary module definition against embedded module
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/modules/audit-bunker/main.tf#L31

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/modules/audit-bunker/modules/audit/main.tf#L19C1-L36C2

module "audit_project" {
  source                         = "../project"
  billing_account                = var.billing_account
  department_code                = var.department_code
  user_defined_string            = var.user_defined_string
  additional_user_defined_string = var.additional_user_defined_string
  labels                         = local.labels
  owner                          = var.owner
  environment                    = var.environment
  location                       = var.region
  parent                         = var.parent
  tf_service_account_email       = var.tf_service_account_email
  services = [
    "logging.googleapis.com",
    "bigquery.googleapis.com",
    "accesscontextmanager.googleapis.com"
  ]
}

to a tfvars in env

@fmichaelobrien fmichaelobrien self-assigned this Aug 8, 2023
obriensystems added a commit to obriensystems/pbmm-on-gcp-onboarding that referenced this issue Sep 13, 2023
@obriensystems
Collaborator

obriensystems commented Sep 13, 2023

Changes:

        modified:   environments/common/common.auto.tfvars
        modified:   environments/common/main.tf
        modified:   environments/common/variables.tf
        modified:   modules/audit-bunker/main.tf
        modified:   modules/audit-bunker/variables.tf
Testing - added an extra service:
Step #3 - "tf plan": 
Step #3 - "tf plan":   # module.core-audit-bunker.module.audit_project.google_project.project will be updated in-place
Step #3 - "tf plan":   ~ resource "google_project" "project" {
Step #3 - "tf plan":         id                  = "projects/tzpe-tlz-audittlz-tlz"
Step #3 - "tf plan":       ~ labels              = {
Step #3 - "tf plan":           - "date_modified" = "2023-09-06"
Step #3 - "tf plan":         } -> (known after apply)
Step #3 - "tf plan":         name                = "TzPe-tlz-audittlz-tlz"
Step #3 - "tf plan":         # (5 unchanged attributes hidden)
Step #3 - "tf plan":     }
Step #3 - "tf plan": 
Step #3 - "tf plan":   # module.core-audit-bunker.module.audit_project.google_project_service.project_services["bigquerystorage.googleapis.com"] will be created
Step #3 - "tf plan":   + resource "google_project_service" "project_services" {
Step #3 - "tf plan":       + disable_dependent_services = true
Step #3 - "tf plan":       + disable_on_destroy         = true
Step #3 - "tf plan":       + id                         = (known after apply)
Step #3 - "tf plan":       + project                    = "tzpe-tlz-audittlz-tlz"
Step #3 - "tf plan":       + service                    = "bigquerystorage.googleapis.com"
Step #3 - "tf plan":     }
Step #3 - "tf plan": 
Step #3 - "tf plan":   # module.net-perimeter-prj.module.project.google_project.project will be updated in-place
Step #3 - "tf plan":   ~ resource "google_project" "project" {
Step #3 - "tf plan":         id                  = "projects/tzpe-tlz-tlz-perim"
Step #3 - "tf plan":       ~ labels              = {
Step #3 - "tf plan":           - "date_modified" = "2023-09-06"
Step #3 - "tf plan":         } -> (known after apply)
Step #3 - "tf plan":         name                = "TzPe-tlz-tlz-perim"
Step #3 - "tf plan":         # (5 unchanged attributes hidden)
Step #3 - "tf plan":     }
Step #3 - "tf plan": 
Step #3 - "tf plan": Plan: 1 to add, 2 to change, 0 to destroy.

obriensystems added a commit to obriensystems/pbmm-on-gcp-onboarding that referenced this issue Sep 13, 2023
fmichaelobrien added a commit that referenced this issue Sep 13, 2023
#284 - move hardcoded audit services out of the module
@fmichaelobrien
Contributor Author

fmichaelobrien commented Sep 13, 2023

Add refactoring for the following 2 additional areas:
https://github.com/obriensystems/pbmm-on-gcp-onboarding/blob/main/modules/guardrails/main.tf#L29

tpe-org-audit = modules/audit-bunker/main.tf => module "audit_project" - services
itpe-org-guardrails = modules/guardrails/main.tf => module "guardrails_project" - services

 

modules/logging-center/main.tf => module "logging_center_project" - services
itpe-org-lognonprod =
itpe-org-logorg =
itpe-org-logprod =
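The issue above asks for the remaining hard-coded `services = [...]` lists to be found in the audit, guardrails and logging-center modules. The following is an added example, not code from the pbmm-on-gcp-onboarding repo: a small Python check that scans Terraform text for top-level `module` blocks whose `services` argument is a literal list of googleapis.com entries, while leaving refactored modules that read `var.services` alone. It assumes `terraform fmt` layout (top-level blocks close with `}` in column 0) and uses a constructed sample modelled on the snippet in this issue.

```python
import re

# Constructed sample modelled on the issue: audit_project still carries the literal
# list, guardrails_project already takes it from a variable (the post-refactor shape).
SAMPLE_TF = '''
module "audit_project" {
  source   = "../project"
  labels   = { env = "dev" }
  services = [
    "logging.googleapis.com",
    "bigquery.googleapis.com",
    "accesscontextmanager.googleapis.com"
  ]
}

module "guardrails_project" {
  source   = "../project"
  services = var.services
}
'''

# A top-level module block ends at the first "}" in column 0 (terraform fmt layout);
# nested blocks such as labels = { ... } are indented, so they do not end the match.
BLOCK_RE = re.compile(r'^module\s+"([^"]+)"\s*\{(.*?)^\}', re.M | re.S)
SERVICES_RE = re.compile(r'^\s*services\s*=\s*\[([^\]]*)\]', re.M | re.S)
API_RE = re.compile(r'"([a-z0-9.-]+\.googleapis\.com)"')


def hardcoded_services(hcl: str) -> dict[str, list[str]]:
    """Map module name -> literal googleapis.com entries in its services list.

    A module whose services come from a variable or expression (no literal
    list) is not reported, so a refactored module passes the check.
    """
    findings = {}
    for name, body in BLOCK_RE.findall(hcl):
        match = SERVICES_RE.search(body)
        if match:
            apis = API_RE.findall(match.group(1))
            if apis:
                findings[name] = apis
    return findings


if __name__ == "__main__":
    for name, apis in hardcoded_services(SAMPLE_TF).items():
        print(f'module "{name}" hardcodes {len(apis)} services: {", ".join(apis)}')
```

Run it over each `modules/*/main.tf` to list the blocks that still need the tfvars treatment; an empty result means every module takes its API list from the environment.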

@obriensystems
Collaborator

obriensystems commented Sep 18, 2023

Guardrails refactor first

root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git diff
diff --git a/environments/common/common.auto.tfvars b/environments/common/common.auto.tfvars
index 17cbbcd..47c0c71 100644
--- a/environments/common/common.auto.tfvars
+++ b/environments/common/common.auto.tfvars
@@ -136,7 +136,17 @@ guardrails = {
   org_id_scan_list = [     # REQUIRED EDIT. Organization Id list for service account to have cloud asset viewer permission
   ]
   org_client = false #Set to true if deploying remote client landing zone.  Otherwise set to false if deploying for core organization landing zone.
-
+  guardrails_services   = [
+    "artifactregistry.googleapis.com",
+    "appengine.googleapis.com",
+    "cloudfunctions.googleapis.com",
+    "cloudasset.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "cloudscheduler.googleapis.com",
+    "containerregistry.googleapis.com",
+    "sourcerepo.googleapis.com",
+    "storage.googleapis.com"
+  ]
 }
 
 
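Review bot: the new `guardrails_services   = [` line is not aligned with the other attributes in the `guardrails` object, so `terraform fmt` will rewrite this hunk; run it before merging. Since this file already annotates its inputs inline (`# REQUIRED EDIT ...`), a short comment on this list saying it mirrors the nine APIs the guardrails module used to enable by itself would tell whoever edits the env what the minimum set is.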
diff --git a/environments/common/main.tf b/environments/common/main.tf
index b9eb901..638a811 100644
--- a/environments/common/main.tf
+++ b/environments/common/main.tf
@@ -117,6 +117,7 @@ module "core-guardrails" {
   environment          = local.organization_config.environment
   owner                = local.organization_config.owner
   terraform_sa_project = data.terraform_remote_state.bootstrap.outputs.project_id
+  services             = var.guardrails.guardrails_services
 }
 
 ###############################################################################
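Review bot: `services             = var.guardrails.guardrails_services` evaluates to null when the optional attribute is left out of the tfvars object, and Terraform then treats the module input as unset and applies the module's own default for `services`; the apply succeeds but the guardrails project gets no APIs enabled. If that is not intended, make the fallback explicit, either by giving the attribute a default in the `guardrails` object type or by rejecting a null or empty list on the module side.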
diff --git a/environments/common/variables.tf b/environments/common/variables.tf
index 8a982f4..f48ed98 100644
--- a/environments/common/variables.tf
+++ b/environments/common/variables.tf
@@ -300,6 +300,7 @@ variable "guardrails" {
     org_id_scan_list    = list(string)
     org_client          = bool
     user_defined_string = string
+    guardrails_services      = optional(list(string))
   })
   description = "GCP guard rails are created using rego based policies in this project"
 }
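Review bot: `guardrails_services      = optional(list(string))` breaks the `=` alignment of the three attributes above it; `terraform fmt` will fix that. Leaving the optional attribute without a default means an env that omits it yields null rather than an empty list; `optional(list(string), [])` makes the fallback explicit. Both forms of `optional()` in object type constraints require Terraform 1.3 or later, so the root module's `required_version` constraint should be checked in the same change.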
diff --git a/modules/guardrails/main.tf b/modules/guardrails/main.tf
index 92b3cfe..3ff655e 100644
--- a/modules/guardrails/main.tf
+++ b/modules/guardrails/main.tf
@@ -26,17 +26,7 @@ module "guardrails_project" {
   location                       = var.region
   parent                         = var.parent
   tf_service_account_email       = var.tf_service_account_email
-  services = [
-    "artifactregistry.googleapis.com",
-    "appengine.googleapis.com",
-    "cloudfunctions.googleapis.com",
-    "cloudasset.googleapis.com",
-    "cloudbuild.googleapis.com",
-    "cloudscheduler.googleapis.com",
-    "containerregistry.googleapis.com",
-    "sourcerepo.googleapis.com",
-    "storage.googleapis.com"
-  ]
+  services                       = var.services
 }
 
 # Create guardrails if this is the main org
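Review bot: with the literal list gone, a reader of this module can no longer see which APIs the guardrails resources created below (`# Create guardrails if this is the main org`) rely on; add a comment next to `services                       = var.services` pointing at `environments/common/common.auto.tfvars` as the place the list now lives. The plan output further down (`Plan: 0 to add, 2 to change, 0 to destroy`, with no `google_project_service` changes) confirms the refactor is behaviour-preserving when the env supplies the same nine entries.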
diff --git a/modules/guardrails/variables.tf b/modules/guardrails/variables.tf
index 3828384..a84a4d9 100644
--- a/modules/guardrails/variables.tf
+++ b/modules/guardrails/variables.tf
@@ -79,4 +79,10 @@ variable "additional_user_defined_string" {
    variable "terraform_sa_project" {
   description = "GCP Project where the Terraform Service Account(s) exist"
   type        = string
+}
+
+variable "services" {
+  description = "Service APIs to enable."
+  type        = list(string)
+  default     = []
 }
\ No newline at end of file
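Review bot: `default     = []` on the new `services` variable means a caller that forgets to pass the list gets a guardrails project with none of its APIs enabled and no plan-time error; prefer no default (making the input required) or add a `validation` block that rejects an empty list, and expand the description `Service APIs to enable.` to name the APIs the module's own resources need. Also restore the trailing newline that the `\ No newline at end of file` marker shows this file lost.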

Test results:

Step #3 - "tf plan": Terraform will perform the following actions:
Step #3 - "tf plan": 
Step #3 - "tf plan":   # module.core-audit-bunker.module.audit_project.google_project.project will be updated in-place
Step #3 - "tf plan":   ~ resource "google_project" "project" {
Step #3 - "tf plan":         id                  = "projects/tzpe-tlz-audittlz-tlz"
Step #3 - "tf plan":       ~ labels              = {
Step #3 - "tf plan":           - "date_modified" = "2023-09-13"
Step #3 - "tf plan":         } -> (known after apply)
Step #3 - "tf plan":         name                = "TzPe-tlz-audittlz-tlz"
Step #3 - "tf plan":         # (5 unchanged attributes hidden)
Step #3 - "tf plan":     }
Step #3 - "tf plan": 
Step #3 - "tf plan":   # module.net-perimeter-prj.module.project.google_project.project will be updated in-place
Step #3 - "tf plan":   ~ resource "google_project" "project" {
Step #3 - "tf plan":         id                  = "projects/tzpe-tlz-tlz-perim"
Step #3 - "tf plan":       ~ labels              = {
Step #3 - "tf plan":           - "date_modified" = "2023-09-13"
Step #3 - "tf plan":         } -> (known after apply)
Step #3 - "tf plan":         name                = "TzPe-tlz-tlz-perim"
Step #3 - "tf plan":         # (5 unchanged attributes hidden)
Step #3 - "tf plan":     }
Step #3 - "tf plan": 
Step #3 - "tf plan": Plan: 0 to add, 2 to change, 0 to destroy.

obriensystems added a commit to obriensystems/pbmm-on-gcp-onboarding that referenced this issue Sep 18, 2023
fmichaelobrien added a commit that referenced this issue Sep 18, 2023
#284 - refactor module guardrails hardcoded services list to env
@fmichaelobrien
Contributor Author

20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards
This issue may participate in the LZ refactor after rebase
Query on all issues related to the older V1 version via the tag
2024-pre-tef-v4
