fix!: use bootstrap.outputs.common_config as default region (#1181)

Co-authored-by: Daniel Andrade <[email protected]>
terraform-google-modules · May 29, 2024 · 105fe52 · 105fe52
1 parent e23f95e
commit 105fe52
Show file tree

Hide file tree

Showing 83 changed files with 902 additions and 138 deletions.
diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md
@@ -307,6 +307,9 @@ Each step has instructions for this change.
 | bucket\_prefix | Name prefix to use for state bucket created. | `string` | `"bkt"` | no |
 | bucket\_tfstate\_kms\_force\_destroy | When deleting a bucket, this boolean option will delete the KMS keys used for the Terraform state bucket. | `bool` | `false` | no |
 | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| default\_region\_2 | Secondary default region to create resources where applicable. | `string` | `"us-west1"` | no |
+| default\_region\_gcs | Case-Sensitive default region to create gcs resources where applicable. | `string` | `"US"` | no |
+| default\_region\_kms | Secondary default region to create kms resources where applicable. | `string` | `"us"` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | groups | Contain the details of the Groups to be created. | <pre>object({<br>    create_required_groups = optional(bool, false)<br>    create_optional_groups = optional(bool, false)<br>    billing_project        = optional(string, null)<br>    required_groups = object({<br>      group_org_admins           = string<br>      group_billing_admins       = string<br>      billing_data_users         = string<br>      audit_data_users           = string<br>      monitoring_workspace_users = string<br>    })<br>    optional_groups = optional(object({<br>      gcp_security_reviewer    = optional(string, "")<br>      gcp_network_viewer       = optional(string, "")<br>      gcp_scc_admin            = optional(string, "")<br>      gcp_global_secrets_admin = optional(string, "")<br>      gcp_kms_admin            = optional(string, "")<br>    }), {})<br>  })</pre> | n/a | yes |
 | initial\_group\_config | Define the group configuration when it is initialized. Valid values are: WITH\_INITIAL\_OWNER, EMPTY and INITIAL\_GROUP\_CONFIG\_UNSPECIFIED. | `string` | `"WITH_INITIAL_OWNER"` | no |

diff --git a/0-bootstrap/modules/tfc-agent-gke/main.tf b/0-bootstrap/modules/tfc-agent-gke/main.tf
@@ -372,7 +372,7 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 
 module "private_service_connect" {
   source  = "terraform-google-modules/network/google//modules/private-service-connect"
-  version = "~> 9.0"
+  version = "~> 9.1"
 
   project_id                 = var.project_id
   dns_code                   = "dz-${local.vpc_name}"

diff --git a/0-bootstrap/outputs.tf b/0-bootstrap/outputs.tf
@@ -56,6 +56,9 @@ output "common_config" {
     parent_folder         = var.parent_folder,
     billing_account       = var.billing_account,
     default_region        = var.default_region,
+    default_region_2      = var.default_region_2,
+    default_region_gcs    = var.default_region_gcs,
+    default_region_kms    = var.default_region_kms,
     project_prefix        = var.project_prefix,
     folder_prefix         = var.folder_prefix
     parent_id             = local.parent

diff --git a/0-bootstrap/terraform.example.tfvars b/0-bootstrap/terraform.example.tfvars
@@ -40,7 +40,10 @@ groups = {
   # }
 }
 
-default_region = "us-central1"
+default_region     = "us-central1"
+default_region_2   = "us-west1"
+default_region_gcs = "US"
+default_region_kms = "us"
 
 # Optional - for an organization with existing projects or for development/validation.
 # Uncomment this variable to place all the example foundation resources under

diff --git a/0-bootstrap/variables.tf b/0-bootstrap/variables.tf
@@ -30,6 +30,24 @@ variable "default_region" {
   default     = "us-central1"
 }
 
+variable "default_region_2" {
+  description = "Secondary default region to create resources where applicable."
+  type        = string
+  default     = "us-west1"
+}
+
+variable "default_region_gcs" {
+  description = "Case-Sensitive default region to create gcs resources where applicable."
+  type        = string
+  default     = "US"
+}
+
+variable "default_region_kms" {
+  description = "Secondary default region to create kms resources where applicable."
+  type        = string
+  default     = "us"
+}
+
 variable "parent_folder" {
   description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist."
   type        = string

diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -3,7 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `"US"` | no |
+| billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no |
 | cai\_monitoring\_kms\_force\_destroy | If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present. | `bool` | `false` | no |
 | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
 | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
@@ -15,7 +15,7 @@
 | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |
 | gcp\_groups | Groups to grant specific roles in the Organization.<br>  platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.<br>  security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security<br>  network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.<br>  scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.<br>  audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.<br>  global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage | <pre>object({<br>    audit_viewer         = optional(string, null)<br>    security_reviewer    = optional(string, null)<br>    network_viewer       = optional(string, null)<br>    scc_admin            = optional(string, null)<br>    global_secrets_admin = optional(string, null)<br>    kms_admin            = optional(string, null)<br>  })</pre> | `{}` | no |
 | log\_export\_storage\_force\_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no |
-| log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `"US"` | no |
+| log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no |
 | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br>    is_locked             = bool<br>    retention_period_days = number<br>  })</pre> | `null` | no |
 | log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
 | project\_budget | Budget configuration for projects.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    dns_hub_budget_amount                       = optional(number, 1000)<br>    dns_hub_alert_spent_percents                = optional(list(number), [1.2])<br>    dns_hub_alert_pubsub_topic                  = optional(string, null)<br>    dns_hub_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")<br>    base_net_hub_budget_amount                  = optional(number, 1000)<br>    base_net_hub_alert_spent_percents           = optional(list(number), [1.2])<br>    base_net_hub_alert_pubsub_topic             = optional(string, null)<br>    base_net_hub_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    base_network_budget_amount                  = optional(number, 1000)<br>    base_network_alert_spent_percents           = optional(list(number), [1.2])<br>    base_network_alert_pubsub_topic             = optional(string, null)<br>    base_network_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    restricted_net_hub_budget_amount            = optional(number, 1000)<br>    restricted_net_hub_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_net_hub_alert_pubsub_topic       = optional(string, null)<br>    restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    restricted_network_budget_amount            = optional(number, 1000)<br>    restricted_network_alert_spent_percents     = optional(list(number), [1.2])<br>    restricted_network_alert_pubsub_topic       = optional(string, null)<br>    restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br>    interconnect_budget_amount                  = optional(number, 1000)<br>    interconnect_alert_spent_percents           = optional(list(number), [1.2])<br>    interconnect_alert_pubsub_topic             = optional(string, null)<br>    interconnect_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>    org_secrets_budget_amount                   = optional(number, 1000)<br>    org_secrets_alert_spent_percents            = optional(list(number), [1.2])<br>    org_secrets_alert_pubsub_topic              = optional(string, null)<br>    org_secrets_budget_alert_spend_basis        = optional(string, "FORECASTED_SPEND")<br>    org_billing_logs_budget_amount              = optional(number, 1000)<br>    org_billing_logs_alert_spent_percents       = optional(list(number), [1.2])<br>    org_billing_logs_alert_pubsub_topic         = optional(string, null)<br>    org_billing_logs_budget_alert_spend_basis   = optional(string, "FORECASTED_SPEND")<br>    org_audit_logs_budget_amount                = optional(number, 1000)<br>    org_audit_logs_alert_spent_percents         = optional(list(number), [1.2])<br>    org_audit_logs_alert_pubsub_topic           = optional(string, null)<br>    org_audit_logs_budget_alert_spend_basis     = optional(string, "FORECASTED_SPEND")<br>    org_kms_budget_amount                       = optional(number, 1000)<br>    org_kms_alert_spent_percents                = optional(list(number), [1.2])<br>    org_kms_alert_pubsub_topic                  = optional(string, null)<br>    org_kms_budget_alert_spend_basis            = optional(string, "FORECASTED_SPEND")<br>    scc_notifications_budget_amount             = optional(number, 1000)<br>    scc_notifications_alert_spent_percents      = optional(list(number), [1.2])<br>    scc_notifications_alert_pubsub_topic        = optional(string, null)<br>    scc_notifications_budget_alert_spend_basis  = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |

diff --git a/1-org/envs/shared/log_sinks.tf b/1-org/envs/shared/log_sinks.tf
@@ -53,7 +53,7 @@ module "logs_export" {
     logging_sink_filter          = local.logs_filter
     logging_sink_name            = "sk-c-logging-bkt"
     storage_bucket_name          = "bkt-${module.org_audit_logs.project_id}-org-logs-${random_string.suffix.result}"
-    location                     = var.log_export_storage_location
+    location                     = coalesce(var.log_export_storage_location, local.default_region)
     retention_policy_enabled     = var.log_export_storage_retention_policy != null
     retention_policy_is_locked   = var.log_export_storage_retention_policy == null ? null : var.log_export_storage_retention_policy.is_locked
     retention_policy_period_days = var.log_export_storage_retention_policy == null ? null : var.log_export_storage_retention_policy.retention_period_days
@@ -93,5 +93,5 @@ resource "google_bigquery_dataset" "billing_dataset" {
   dataset_id    = "billing_data"
   project       = module.org_billing_logs.project_id
   friendly_name = "GCP Billing Data"
-  location      = var.billing_export_dataset_location
+  location      = coalesce(var.billing_export_dataset_location, local.default_region)
 }
diff --git a/1-org/envs/shared/terraform.example.tfvars b/1-org/envs/shared/terraform.example.tfvars
@@ -23,6 +23,10 @@ scc_notification_name = "scc-notify"
 
 remote_state_bucket = "REMOTE_STATE_BUCKET"
 
+log_export_storage_location = "US"
+
+billing_export_dataset_location = "US"
+
 //scc_notification_filter = "state=\\\"ACTIVE\\\""
 
 //enable_hub_and_spoke = true

diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
@@ -57,13 +57,13 @@ variable "data_access_logs_enabled" {
 variable "log_export_storage_location" {
   description = "The location of the storage bucket used to export logs."
   type        = string
-  default     = "US"
+  default     = null
 }
 
 variable "billing_export_dataset_location" {
   description = "The location of the dataset for billing data export."
   type        = string
-  default     = "US"
+  default     = null
 }
 
 variable "log_export_storage_force_destroy" {

diff --git a/3-networks-dual-svpc/envs/development/main.tf b/3-networks-dual-svpc/envs/development/main.tf
@@ -17,8 +17,6 @@
 locals {
   env              = "development"
   environment_code = substr(local.env, 0, 1)
-  default_region1  = "us-west1"
-  default_region2  = "us-central1"
   /*
    * Base network ranges
    */

diff --git a/3-networks-dual-svpc/envs/development/remote.tf b/3-networks-dual-svpc/envs/development/remote.tf
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+  default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
+}
+
+data "terraform_remote_state" "bootstrap" {
+  backend = "gcs"
+
+  config = {
+    bucket = var.remote_state_bucket
+    prefix = "terraform/bootstrap/state"
+  }
+}
diff --git a/3-networks-dual-svpc/envs/development/remote.tf.cloud.example b/3-networks-dual-svpc/envs/development/remote.tf.cloud.example
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_region1  = data.tfe_outputs.bootstrap.outputs.common_config.default_region
+  default_region2  = data.tfe_outputs.bootstrap.outputs.common_config.default_region_2
+}
+
+data "tfe_outputs" "bootstrap" {
+  organization = var.tfc_org_name
+  workspace    = "0-shared"
+}
diff --git a/3-networks-dual-svpc/envs/nonproduction/main.tf b/3-networks-dual-svpc/envs/nonproduction/main.tf
@@ -17,8 +17,6 @@
 locals {
   env              = "nonproduction"
   environment_code = substr(local.env, 0, 1)
-  default_region1  = "us-west1"
-  default_region2  = "us-central1"
   /*
    * Base network ranges
    */

diff --git a/3-networks-dual-svpc/envs/nonproduction/remote.tf b/3-networks-dual-svpc/envs/nonproduction/remote.tf
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+  default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
+}
+
+data "terraform_remote_state" "bootstrap" {
+  backend = "gcs"
+
+  config = {
+    bucket = var.remote_state_bucket
+    prefix = "terraform/bootstrap/state"
+  }
+}
diff --git a/3-networks-dual-svpc/envs/nonproduction/remote.tf.cloud.example b/3-networks-dual-svpc/envs/nonproduction/remote.tf.cloud.example
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_region1  = data.tfe_outputs.bootstrap.outputs.common_config.default_region
+  default_region2  = data.tfe_outputs.bootstrap.outputs.common_config.default_region_2
+}
+
+data "tfe_outputs" "bootstrap" {
+  organization = var.tfc_org_name
+  workspace    = "0-shared"
+}
diff --git a/3-networks-dual-svpc/envs/production/main.tf b/3-networks-dual-svpc/envs/production/main.tf
@@ -17,8 +17,6 @@
 locals {
   env              = "production"
   environment_code = substr(local.env, 0, 1)
-  default_region1  = "us-west1"
-  default_region2  = "us-central1"
   /*
    * Base network ranges
    */

diff --git a/3-networks-dual-svpc/envs/production/remote.tf b/3-networks-dual-svpc/envs/production/remote.tf
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_region1 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
+  default_region2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
+}
+
+data "terraform_remote_state" "bootstrap" {
+  backend = "gcs"
+
+  config = {
+    bucket = var.remote_state_bucket
+    prefix = "terraform/bootstrap/state"
+  }
+}
diff --git a/3-networks-dual-svpc/envs/production/remote.tf.cloud.example b/3-networks-dual-svpc/envs/production/remote.tf.cloud.example
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  default_region1  = data.tfe_outputs.bootstrap.outputs.common_config.default_region
+  default_region2  = data.tfe_outputs.bootstrap.outputs.common_config.default_region_2
+}
+
+data "tfe_outputs" "bootstrap" {
+  organization = var.tfc_org_name
+  workspace    = "0-shared"
+}