From 4fa893e0e75b99cc1b9cb4a2a14230ee1e6c8b2d Mon Sep 17 00:00:00 2001
From: mariammartins
Date: Wed, 11 Sep 2024 17:09:36 -0300
Subject: [PATCH 01/17] changing two org policies to bootstrap step
---
 0-bootstrap/org_policy.tf | 39 +++++++++++++++++++++++++++++++++
 1-org/envs/shared/org_policy.tf | 2 --
 2 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 0-bootstrap/org_policy.tf
diff --git a/0-bootstrap/org_policy.tf b/0-bootstrap/org_policy.tf
new file mode 100644
index 000000000..ce5fdcf3f
--- /dev/null
+++ b/0-bootstrap/org_policy.tf
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ organization_id = var.parent_folder != "" ? null : var.org_id
+ folder_id = var.parent_folder != "" ? var.parent_folder : null
+ policy_for = var.parent_folder != "" ? "folder" : "organization"
+
+ boolean_type_organization_policies = toset([
+ "compute.skipDefaultNetworkCreation",
+ "iam.automaticIamGrantsForDefaultServiceAccounts"
+ ])
+}
+
+module "organization_policies_type_boolean" {
+ source = "terraform-google-modules/org-policy/google"
+ version = "~> 5.1"
+ for_each = local.boolean_type_organization_policies
+
+ organization_id = local.organization_id
+ folder_id = local.folder_id
+ policy_for = local.policy_for
+ policy_type = "boolean"
+ enforce = "true"
+ constraint = "constraints/${each.value}"
+}
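Review bot: `enforce = "true"` in module "organization_policies_type_boolean" passes a quoted string where the org-policy module expects a boolean; Terraform coerces it, but the rest of this series declares booleans unquoted (`type = bool`, `default = true`), so `enforce = true` would be the consistent form. If the 1-org org_policy.tf this mirrors uses the same quoted value, aligning both is a follow-up rather than a blocker. Because these two constraints are now applied during 0-bootstrap, the identity running this stage needs Organization Policy Administrator (roles/orgpolicy.policyAdmin) on the organization or the parent folder, so confirm the bootstrap README's prerequisites already list that role.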
diff --git a/1-org/envs/shared/org_policy.tf b/1-org/envs/shared/org_policy.tf
index 5c43dbbc1..a6a0bf012 100644
--- a/1-org/envs/shared/org_policy.tf
+++ b/1-org/envs/shared/org_policy.tf
@@ -27,7 +27,6 @@ locals {
 boolean_type_organization_policies = toset([
 "compute.disableNestedVirtualization",
 "compute.disableSerialPortAccess",
- "compute.skipDefaultNetworkCreation",
 "compute.restrictXpnProjectLienRemoval",
 "compute.disableVpcExternalIpv6",
 "compute.setNewProjectDefaultToZonalDNSOnly",
@@ -35,7 +34,6 @@ locals {
 "sql.restrictPublicIp",
 "sql.restrictAuthorizedNetworks",
 "iam.disableServiceAccountKeyCreation",
- "iam.automaticIamGrantsForDefaultServiceAccounts",
 "iam.disableServiceAccountKeyUpload",
 "storage.uniformBucketLevelAccess",
 "storage.publicAccessPrevention"
From 2027e04e9dd9ce85a276731fe0a6c9cce03bc375 Mon Sep 17 00:00:00 2001
From: mariammartins
Date: Wed, 11 Sep 2024 17:24:14 -0300
Subject: [PATCH 02/17] set auto_create_network variable to true
---
 1-org/envs/shared/projects.tf | 9 +++++++++
 1-org/envs/shared/variables.tf | 5 +++++
 1-org/modules/network/main.tf | 2 ++
 1-org/modules/network/variables.tf | 5 +++++
 4 files changed, 21 insertions(+)
diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf
index 60e9e9e87..767f763a2 100644
--- a/1-org/envs/shared/projects.tf
+++ b/1-org/envs/shared/projects.tf
@@ -44,6 +44,7 @@ module "org_audit_logs" {
 billing_account = local.billing_account
 folder_id = google_folder.common.id
 activate_apis = ["logging.googleapis.com", "bigquery.googleapis.com", "billingbudgets.googleapis.com"]
+ auto_create_network = var.auto_create_network
 
 labels = {
 environment = "common"
@@ -77,6 +78,7 @@ module "org_billing_export" {
 billing_account = local.billing_account
 folder_id = google_folder.common.id
 activate_apis = ["logging.googleapis.com", "bigquery.googleapis.com", "billingbudgets.googleapis.com"]
+ auto_create_network = var.auto_create_network
 
 labels = {
 environment = "common"
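Review bot: Dropping `compute.skipDefaultNetworkCreation` and `iam.automaticIamGrantsForDefaultServiceAccounts` from this list means the next 1-org apply on an existing deployment destroys those two org policies, which resets the constraints to their defaults; enforcement only comes back once 0-bootstrap has been re-applied with the new org_policy.tf. On a fresh deployment the stage order covers this, but an upgrade that runs 1-org before 0-bootstrap leaves a window with neither constraint enforced, so an upgrade note stating that 0-bootstrap must be applied first (or migrating the two existing policy resources into the bootstrap state) is worth adding. The locals block begins outside this hunk.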
@@ -110,6 +112,7 @@ module "common_kms" { billing_account = local.billing_account folder_id = google_folder.common.id activate_apis = ["logging.googleapis.com", "cloudkms.googleapis.com", "billingbudgets.googleapis.com"] + auto_create_network = var.auto_create_network labels = { environment = "common" @@ -144,6 +147,7 @@ module "org_secrets" { billing_account = local.billing_account folder_id = google_folder.common.id activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "billingbudgets.googleapis.com"] + auto_create_network = var.auto_create_network labels = { environment = "common" @@ -177,6 +181,7 @@ module "interconnect" { billing_account = local.billing_account folder_id = google_folder.network.id activate_apis = ["billingbudgets.googleapis.com", "compute.googleapis.com"] + auto_create_network = var.auto_create_network labels = { environment = "network" @@ -210,6 +215,7 @@ module "scc_notifications" { billing_account = local.billing_account folder_id = google_folder.common.id activate_apis = ["logging.googleapis.com", "pubsub.googleapis.com", "securitycenter.googleapis.com", "billingbudgets.googleapis.com", "cloudkms.googleapis.com"] + auto_create_network = var.auto_create_network labels = { environment = "common" @@ -242,6 +248,7 @@ module "dns_hub" { org_id = local.org_id billing_account = local.billing_account folder_id = google_folder.network.id + auto_create_network = var.auto_create_network activate_apis = [ "compute.googleapis.com", @@ -284,6 +291,7 @@ module "base_network_hub" { org_id = local.org_id billing_account = local.billing_account folder_id = google_folder.network.id + auto_create_network = var.auto_create_network activate_apis = [ "compute.googleapis.com", @@ -334,6 +342,7 @@ module "restricted_network_hub" { org_id = local.org_id billing_account = local.billing_account folder_id = google_folder.network.id + auto_create_network = var.auto_create_network activate_apis = [ "compute.googleapis.com", 
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf index 01ba2a832..f1a35b9ef 100644 --- a/1-org/envs/shared/variables.tf +++ b/1-org/envs/shared/variables.tf @@ -193,3 +193,8 @@ variable "tfc_org_name" { type = string default = "" } + +variable "auto_create_network" { + description = "Control whether the 'default' network will be created in the project." + default = true +} \ No newline at end of file diff --git a/1-org/modules/network/main.tf b/1-org/modules/network/main.tf index 15c771d00..41f8ef0b9 100644 --- a/1-org/modules/network/main.tf +++ b/1-org/modules/network/main.tf @@ -29,6 +29,7 @@ module "base_shared_vpc_host_project" { billing_account = var.billing_account folder_id = var.folder_id disable_services_on_destroy = false + auto_create_network = var.auto_create_network activate_apis = [ "compute.googleapis.com", @@ -65,6 +66,7 @@ module "restricted_shared_vpc_host_project" { billing_account = var.billing_account folder_id = var.folder_id disable_services_on_destroy = false + auto_create_network = var.auto_create_network activate_apis = [ "compute.googleapis.com", diff --git a/1-org/modules/network/variables.tf b/1-org/modules/network/variables.tf index 9de1cfc26..03c53dcb3 100644 --- a/1-org/modules/network/variables.tf +++ b/1-org/modules/network/variables.tf @@ -64,3 +64,8 @@ variable "project_budget" { }) default = {} } + +variable "auto_create_network" { + description = "Control whether the 'default' network will be created in the project." + default = true +} From 2127a31e0b2be87c74b05597728b2d40a4a4e941 Mon Sep 17 00:00:00 2001 From: mariammartins Date: Wed, 11 Sep 2024 17:31:38 -0300 Subject: [PATCH 03/17] fix lint --- 1-org/envs/shared/README.md | 1 + 1-org/envs/shared/variables.tf | 4 ++-- 1-org/modules/network/variables.tf | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index e260c67ca..7975ee92e 100644 --- a/1-org/envs/shared/README.md 
+++ b/1-org/envs/shared/README.md @@ -3,6 +3,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| auto\_create\_network | Control whether the 'default' network will be created in the project. | `bool` | `true` | no | | billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no | | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no | | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no | diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf index f1a35b9ef..8b117ea7a 100644 --- a/1-org/envs/shared/variables.tf +++ b/1-org/envs/shared/variables.tf @@ -196,5 +196,5 @@ variable "tfc_org_name" { variable "auto_create_network" { description = "Control whether the 'default' network will be created in the project." - default = true -} \ No newline at end of file + default = true +} diff --git a/1-org/modules/network/variables.tf b/1-org/modules/network/variables.tf index 03c53dcb3..f4e8cb589 100644 --- a/1-org/modules/network/variables.tf +++ b/1-org/modules/network/variables.tf @@ -67,5 +67,5 @@ variable "project_budget" { variable "auto_create_network" { description = "Control whether the 'default' network will be created in the project." - default = true + default = true } From b3dcc2d2589800685c987bf67d5e3c2356ee6b0b Mon Sep 17 00:00:00 2001 From: mariammartins Date: Wed, 11 Sep 2024 17:42:06 -0300 Subject: [PATCH 04/17] add auto_create_network in modules --- 2-environments/modules/env_baseline/kms.tf | 1 + 2-environments/modules/env_baseline/secrets.tf | 1 + 4-projects/modules/single_project/main.tf | 1 + test/integration/org/org_test.go | 2 -- test/setup/main.tf | 1 + 5 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/2-environments/modules/env_baseline/kms.tf b/2-environments/modules/env_baseline/kms.tf index e6e4d992f..737cf29fa 100644 --- a/2-environments/modules/env_baseline/kms.tf +++ b/2-environments/modules/env_baseline/kms.tf @@ -33,6 +33,7 @@ module "env_kms" { disable_services_on_destroy = false depends_on = [time_sleep.wait_60_seconds] activate_apis = ["logging.googleapis.com", "cloudkms.googleapis.com", "billingbudgets.googleapis.com"] + auto_create_network = "true" labels = { environment = var.env diff --git a/2-environments/modules/env_baseline/secrets.tf b/2-environments/modules/env_baseline/secrets.tf index fa875c67a..af723eb1e 100644 --- a/2-environments/modules/env_baseline/secrets.tf +++ b/2-environments/modules/env_baseline/secrets.tf @@ -33,6 +33,7 @@ module "env_secrets" { disable_services_on_destroy = false depends_on = [time_sleep.wait_60_seconds] activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com"] + auto_create_network = "true" labels = { environment = var.env diff --git a/4-projects/modules/single_project/main.tf b/4-projects/modules/single_project/main.tf index 529eb24a9..c540e5969 100644 --- a/4-projects/modules/single_project/main.tf +++ b/4-projects/modules/single_project/main.tf @@ -55,6 +55,7 @@ module "project" { org_id = var.org_id billing_account = var.billing_account folder_id = var.folder_id + auto_create_network = "true" svpc_host_project_id = var.shared_vpc_host_project_id shared_vpc_subnets = var.shared_vpc_subnets # Optional: To enable subnetting, replace to "module.networking_project.subnetwork_self_link" diff --git a/test/integration/org/org_test.go b/test/integration/org/org_test.go index 00c6b7b85..a7b42c1d1 100644 --- a/test/integration/org/org_test.go +++ b/test/integration/org/org_test.go 
@@ -158,14 +158,12 @@ func TestOrg(t *testing.T) {
 for _, booleanConstraint := range []string{
 "constraints/compute.disableNestedVirtualization",
 "constraints/compute.disableSerialPortAccess",
- "constraints/compute.skipDefaultNetworkCreation",
 "constraints/compute.restrictXpnProjectLienRemoval",
 "constraints/sql.restrictPublicIp",
 "constraints/sql.restrictAuthorizedNetworks",
 "constraints/iam.disableServiceAccountKeyCreation",
 "constraints/storage.uniformBucketLevelAccess",
 "constraints/storage.publicAccessPrevention",
- "constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
 } {
 orgPolicy := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)
 assert.True(orgPolicy.Get("booleanPolicy.enforced").Bool(), fmt.Sprintf("org policy %s should be enforced", booleanConstraint))
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 7b85df91d..003e68d52 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -54,6 +54,7 @@ module "project" {
 org_id = var.org_id
 folder_id = var.folder_id
 billing_account = var.billing_account
+ auto_create_network = "true"
 
 activate_apis = [
 "cloudresourcemanager.googleapis.com",
From 7f5b8955151fd7217556a017b0055851e01ca170 Mon Sep 17 00:00:00 2001
From: mariammartins
Date: Wed, 11 Sep 2024 17:50:34 -0300
Subject: [PATCH 05/17] fix test and variable type
---
 1-org/envs/shared/variables.tf | 1 +
 1-org/modules/network/variables.tf | 1 +
 test/integration/bootstrap/bootstrap_test.go | 10 ++++++++++
 3 files changed, 12 insertions(+)
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
index 8b117ea7a..401f78521 100644
--- a/1-org/envs/shared/variables.tf
+++ b/1-org/envs/shared/variables.tf
@@ -196,5 +196,6 @@ variable "tfc_org_name" {
 
 variable "auto_create_network" {
 description = "Control whether the 'default' network will be created in the project."
+ type = bool
 default = true
 }
diff --git a/1-org/modules/network/variables.tf b/1-org/modules/network/variables.tf
index f4e8cb589..d58b194fa 100644
--- a/1-org/modules/network/variables.tf
+++ b/1-org/modules/network/variables.tf
@@ -67,5 +67,6 @@ variable "project_budget" {
 
 variable "auto_create_network" {
 description = "Control whether the 'default' network will be created in the project."
+ type = bool
 default = true
 }
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index 41e46466b..b4820e619 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -306,6 +306,16 @@ func TestBootstrap(t *testing.T) {
 }
 })
 
+ // boolean organization policies
+ for _, booleanConstraint := range []string{
+ "constraints/compute.skipDefaultNetworkCreation",
+ "constraints/iam.disableServiceAccountKeyCreation",
+
+ } {
+ orgPolicy := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)
+ assert.True(orgPolicy.Get("booleanPolicy.enforced").Bool(), fmt.Sprintf("org policy %s should be enforced", booleanConstraint))
+ }
+
 bootstrap.DefineTeardown(func(assert *assert.Assertions) {
 // configure options to pull state from GCS bucket
 cwd, err := os.Getwd()
From e8d555838a696862378f0d0e49bf517c929c51aa Mon Sep 17 00:00:00 2001
From: mariammartins
Date: Wed, 11 Sep 2024 17:54:59 -0300
Subject: [PATCH 06/17] fixes
---
 2-environments/modules/env_baseline/README.md | 1 +
 2-environments/modules/env_baseline/kms.tf | 2 +-
 2-environments/modules/env_baseline/secrets.tf | 2 +-
 2-environments/modules/env_baseline/variables.tf | 6 ++++++
 4-projects/modules/single_project/README.md | 1 +
 4-projects/modules/single_project/main.tf | 2 +-
 4-projects/modules/single_project/variables.tf | 6 ++++++
 test/setup/main.tf | 2 +-
 test/setup/variables.tf | 6 ++++++
 9 files changed, 24 insertions(+), 4 deletions(-)
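Review bot: The new bootstrap verification loop asserts `constraints/iam.disableServiceAccountKeyCreation`, but the constraints moved into 0-bootstrap/org_policy.tf in PATCH 01 are `compute.skipDefaultNetworkCreation` and `iam.automaticIamGrantsForDefaultServiceAccounts`; `iam.disableServiceAccountKeyCreation` is still only enforced by 1-org, so this check will fail at bootstrap time unless a later patch in the series adds it there. The second element should read `"constraints/iam.automaticIamGrantsForDefaultServiceAccounts",`, which is also the constraint PATCH 04 dropped from org_test.go and would otherwise lose test coverage entirely. The empty line inside the slice literal before `} {` is leftover whitespace and should go. TestBootstrap begins and ends outside this hunk.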
diff --git a/2-environments/modules/env_baseline/README.md b/2-environments/modules/env_baseline/README.md index 1dfb1317a..4cc5fcbc2 100644 --- a/2-environments/modules/env_baseline/README.md +++ b/2-environments/modules/env_baseline/README.md @@ -4,6 +4,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | assured\_workload\_configuration | Assured Workload configuration. See https://cloud.google.com/assured-workloads ."
enabled: If the assured workload should be created.
location: The location where the workload will be created.
display\_name: User-assigned resource display name.
compliance\_regime: Supported Compliance Regimes. See https://cloud.google.com/assured-workloads/docs/reference/rest/Shared.Types/ComplianceRegime .
resource\_type: The type of resource. One of CONSUMER\_FOLDER, KEYRING, or ENCRYPTION\_KEYS\_PROJECT. |
object({
enabled = optional(bool, false)
location = optional(string, "us-central1")
display_name = optional(string, "FEDRAMP-MODERATE")
compliance_regime = optional(string, "FEDRAMP_MODERATE")
resource_type = optional(string, "CONSUMER_FOLDER")
})
| `{}` | no | +| auto\_create\_network | Control whether the 'default' network will be created in the project. | `bool` | `true` | no | | env | The environment to prepare (ex. development) | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes | | project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
secret_budget_amount = optional(number, 1000)
secret_alert_spent_percents = optional(list(number), [1.2])
secret_alert_pubsub_topic = optional(string, null)
secret_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
kms_budget_amount = optional(number, 1000)
kms_alert_spent_percents = optional(list(number), [1.2])
kms_alert_pubsub_topic = optional(string, null)
kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no | diff --git a/2-environments/modules/env_baseline/kms.tf b/2-environments/modules/env_baseline/kms.tf index 737cf29fa..5c10308f6 100644 --- a/2-environments/modules/env_baseline/kms.tf +++ b/2-environments/modules/env_baseline/kms.tf @@ -33,7 +33,7 @@ module "env_kms" { disable_services_on_destroy = false depends_on = [time_sleep.wait_60_seconds] activate_apis = ["logging.googleapis.com", "cloudkms.googleapis.com", "billingbudgets.googleapis.com"] - auto_create_network = "true" + auto_create_network = var.auto_create_network labels = { environment = var.env diff --git a/2-environments/modules/env_baseline/secrets.tf b/2-environments/modules/env_baseline/secrets.tf index af723eb1e..d217fef9b 100644 --- a/2-environments/modules/env_baseline/secrets.tf +++ b/2-environments/modules/env_baseline/secrets.tf @@ -33,7 +33,7 @@ module "env_secrets" { disable_services_on_destroy = false depends_on = [time_sleep.wait_60_seconds] activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com"] - auto_create_network = "true" + auto_create_network = var.auto_create_network labels = { environment = var.env diff --git a/2-environments/modules/env_baseline/variables.tf b/2-environments/modules/env_baseline/variables.tf index 400479c0e..384768bd3 100644 --- a/2-environments/modules/env_baseline/variables.tf +++ b/2-environments/modules/env_baseline/variables.tf @@ -81,3 +81,9 @@ variable "assured_workload_configuration" { }) default = {} } + +variable "auto_create_network" { + description = "Control whether the 'default' network will be created in the project." + type = bool + default = true +} diff --git a/4-projects/modules/single_project/README.md b/4-projects/modules/single_project/README.md index b92f4b388..7e0de5b2b 100644 --- a/4-projects/modules/single_project/README.md +++ b/4-projects/modules/single_project/README.md 
@@ -6,6 +6,7 @@ | activate\_apis | The api to activate for the GCP project | `list(string)` | `[]` | no | | app\_infra\_pipeline\_service\_accounts | The Service Accounts from App Infra Pipeline. | `map(string)` | `{}` | no | | application\_name | The name of application where GCP resources relate | `string` | n/a | yes | +| auto\_create\_network | Control whether the 'default' network will be created in the project. | `bool` | `true` | no | | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes | | billing\_code | The code that's used to provide chargeback information | `string` | n/a | yes | | business\_code | The code that describes which business unit owns the project | `string` | `"shared"` | no | diff --git a/4-projects/modules/single_project/main.tf b/4-projects/modules/single_project/main.tf index c540e5969..2e62df3a0 100644 --- a/4-projects/modules/single_project/main.tf +++ b/4-projects/modules/single_project/main.tf @@ -55,7 +55,7 @@ module "project" { org_id = var.org_id billing_account = var.billing_account folder_id = var.folder_id - auto_create_network = "true" + auto_create_network = var.auto_create_network svpc_host_project_id = var.shared_vpc_host_project_id shared_vpc_subnets = var.shared_vpc_subnets # Optional: To enable subnetting, replace to "module.networking_project.subnetwork_self_link" diff --git a/4-projects/modules/single_project/variables.tf b/4-projects/modules/single_project/variables.tf index 429f6d08f..92bf3d460 100644 --- a/4-projects/modules/single_project/variables.tf +++ b/4-projects/modules/single_project/variables.tf @@ -160,3 +160,9 @@ variable "enable_cloudbuild_deploy" { type = bool default = false } + +variable "auto_create_network" { + description = "Control whether the 'default' network will be created in the project." + type = bool + default = true +} diff --git a/test/setup/main.tf b/test/setup/main.tf index 003e68d52..577a8f58e 100644 --- a/test/setup/main.tf 
+++ b/test/setup/main.tf @@ -54,7 +54,7 @@ module "project" { org_id = var.org_id folder_id = var.folder_id billing_account = var.billing_account - auto_create_network = "true" + auto_create_network = var.auto_create_network activate_apis = [ "cloudresourcemanager.googleapis.com", diff --git a/test/setup/variables.tf b/test/setup/variables.tf index f06cfdfa6..463fd15af 100644 --- a/test/setup/variables.tf +++ b/test/setup/variables.tf @@ -37,3 +37,9 @@ variable "example_foundations_mode" { variable "domain_to_allow" { description = "The test domain_to_allow allow users from in IAM." } + +variable "auto_create_network" { + description = "Control whether the 'default' network will be created in the project." + type = bool + default = true +} From 351d028c89015d7cbb9a663e536a876397ae7eff Mon Sep 17 00:00:00 2001 From: mariammartins Date: Wed, 11 Sep 2024 19:57:19 -0300 Subject: [PATCH 07/17] fix variable and add depends on --- 0-bootstrap/cb.tf | 2 +- 0-bootstrap/main.tf | 3 +-- 0-bootstrap/org_policy.tf | 2 +- 1-org/envs/shared/README.md | 1 - 1-org/envs/shared/projects.tf | 25 ++++++++++++------- 1-org/envs/shared/variables.tf | 6 ----- 1-org/modules/network/main.tf | 4 +-- 1-org/modules/network/variables.tf | 6 ----- 2-environments/modules/env_baseline/README.md | 1 - 2-environments/modules/env_baseline/kms.tf | 2 +- .../modules/env_baseline/secrets.tf | 2 +- .../modules/env_baseline/variables.tf | 6 ----- 4-projects/modules/single_project/README.md | 1 - 4-projects/modules/single_project/main.tf | 2 +- .../modules/single_project/variables.tf | 6 ----- test/setup/main.tf | 2 +- test/setup/variables.tf | 6 ----- 17 files changed, 25 insertions(+), 52 deletions(-) diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf index 8c2ba91b4..041456c16 100644 --- a/0-bootstrap/cb.tf +++ b/0-bootstrap/cb.tf 
@@ -131,7 +131,7 @@ module "tf_source" { } # Remove after github.com/terraform-google-modules/terraform-google-bootstrap/issues/160 - depends_on = [module.seed_bootstrap] + depends_on = [module.seed_bootstrap, module.organization_policies_type_boolean] } module "tf_private_pool" { diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index f61eb8c77..20f210fe5 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf @@ -99,6 +99,5 @@ module "seed_bootstrap" { sa_org_iam_permissions = [] - depends_on = [module.required_group] + depends_on = [module.required_group, module.organization_policies_type_boolean] } - diff --git a/0-bootstrap/org_policy.tf b/0-bootstrap/org_policy.tf index ce5fdcf3f..989e8ae87 100644 --- a/0-bootstrap/org_policy.tf +++ b/0-bootstrap/org_policy.tf @@ -1,5 +1,5 @@ /** - * Copyright 2021 Google LLC + * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md index 7975ee92e..e260c67ca 100644 --- a/1-org/envs/shared/README.md +++ b/1-org/envs/shared/README.md @@ -3,7 +3,6 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| auto\_create\_network | Control whether the 'default' network will be created in the project. | `bool` | `true` | no | | billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no | | create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no | | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no | diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf index 767f763a2..af309b5e4 100644 --- a/1-org/envs/shared/projects.tf +++ b/1-org/envs/shared/projects.tf 
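Review bot: `depends_on = [module.required_group, module.organization_policies_type_boolean]` on seed_bootstrap only orders the API calls; an organization policy can take some time to become effective after it is set, so on a fast apply the seed project may still be created before the constraint is in force even though the module has already returned. If test runs show the seed or CI/CD projects coming up with a default network, a `time_sleep` between the org-policy module and `seed_bootstrap`, in the way env_baseline already waits on `time_sleep.wait_60_seconds` before its projects, would make the ordering robust. The same applies to the `tf_source` depends_on in cb.tf. Both module blocks begin outside their hunks.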
@@ -44,7 +44,7 @@ module "org_audit_logs" { billing_account = local.billing_account folder_id = google_folder.common.id activate_apis = ["logging.googleapis.com", "bigquery.googleapis.com", "billingbudgets.googleapis.com"] - auto_create_network = var.auto_create_network + auto_create_network = true labels = { environment = "common" @@ -78,7 +78,7 @@ module "org_billing_export" { billing_account = local.billing_account folder_id = google_folder.common.id activate_apis = ["logging.googleapis.com", "bigquery.googleapis.com", "billingbudgets.googleapis.com"] - auto_create_network = var.auto_create_network + auto_create_network = true labels = { environment = "common" @@ -112,7 +112,8 @@ module "common_kms" { billing_account = local.billing_account folder_id = google_folder.common.id activate_apis = ["logging.googleapis.com", "cloudkms.googleapis.com", "billingbudgets.googleapis.com"] - auto_create_network = var.auto_create_network + auto_create_network = true + labels = { environment = "common" @@ -147,7 +148,8 @@ module "org_secrets" { billing_account = local.billing_account folder_id = google_folder.common.id activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "billingbudgets.googleapis.com"] - auto_create_network = var.auto_create_network + auto_create_network = true + labels = { environment = "common" @@ -181,7 +183,8 @@ module "interconnect" { billing_account = local.billing_account folder_id = google_folder.network.id activate_apis = ["billingbudgets.googleapis.com", "compute.googleapis.com"] - auto_create_network = var.auto_create_network + auto_create_network = true + labels = { environment = "network" 
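Review bot: `auto_create_network = true` in these project modules now silently relies on `constraints/compute.skipDefaultNetworkCreation` being enforced on the parent by 0-bootstrap; if that stage was not applied against the same organization or folder, or the policy is later relaxed, every project here comes up with the default network and its default firewall rules, and nothing in 1-org would flag it (as I understand the google provider, `false` instead deletes the network after creation, which is what this series is avoiding). A one-line comment next to each assignment would make that dependency explicit, e.g. `# default network creation is blocked by constraints/compute.skipDefaultNetworkCreation, enforced in 0-bootstrap; true only skips the provider's delete step`. The same applies to the remaining projects.tf hunks and to base_shared_vpc_host_project, restricted_shared_vpc_host_project, env_kms and env_secrets further down. Separately, the hunks from common_kms onward add a second empty line after the assignment where a blank line already precedes `labels`/`activate_apis`, while org_audit_logs and org_billing_export do not; pick one form. The module blocks begin and end outside these hunks.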
@@ -215,7 +218,8 @@ module "scc_notifications" { billing_account = local.billing_account folder_id = google_folder.common.id activate_apis = ["logging.googleapis.com", "pubsub.googleapis.com", "securitycenter.googleapis.com", "billingbudgets.googleapis.com", "cloudkms.googleapis.com"] - auto_create_network = var.auto_create_network + auto_create_network = true + labels = { environment = "common" @@ -248,7 +252,8 @@ module "dns_hub" { org_id = local.org_id billing_account = local.billing_account folder_id = google_folder.network.id - auto_create_network = var.auto_create_network + auto_create_network = true + activate_apis = [ "compute.googleapis.com", @@ -291,7 +296,8 @@ module "base_network_hub" { org_id = local.org_id billing_account = local.billing_account folder_id = google_folder.network.id - auto_create_network = var.auto_create_network + auto_create_network = true + activate_apis = [ "compute.googleapis.com", @@ -342,7 +348,8 @@ module "restricted_network_hub" { org_id = local.org_id billing_account = local.billing_account folder_id = google_folder.network.id - auto_create_network = var.auto_create_network + auto_create_network = true + activate_apis = [ "compute.googleapis.com", diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf index 401f78521..01ba2a832 100644 --- a/1-org/envs/shared/variables.tf +++ b/1-org/envs/shared/variables.tf @@ -193,9 +193,3 @@ variable "tfc_org_name" { type = string default = "" } - -variable "auto_create_network" { - description = "Control whether the 'default' network will be created in the project." - type = bool - default = true -} diff --git a/1-org/modules/network/main.tf b/1-org/modules/network/main.tf index 41f8ef0b9..3f2a692c9 100644 --- a/1-org/modules/network/main.tf +++ b/1-org/modules/network/main.tf 
@@ -29,7 +29,7 @@ module "base_shared_vpc_host_project" { billing_account = var.billing_account folder_id = var.folder_id disable_services_on_destroy = false - auto_create_network = var.auto_create_network + auto_create_network = true activate_apis = [ "compute.googleapis.com", @@ -66,7 +66,7 @@ module "restricted_shared_vpc_host_project" { billing_account = var.billing_account folder_id = var.folder_id disable_services_on_destroy = false - auto_create_network = var.auto_create_network + auto_create_network = true activate_apis = [ "compute.googleapis.com", diff --git a/1-org/modules/network/variables.tf b/1-org/modules/network/variables.tf index d58b194fa..9de1cfc26 100644 --- a/1-org/modules/network/variables.tf +++ b/1-org/modules/network/variables.tf @@ -64,9 +64,3 @@ variable "project_budget" { }) default = {} } - -variable "auto_create_network" { - description = "Control whether the 'default' network will be created in the project." - type = bool - default = true -} diff --git a/2-environments/modules/env_baseline/README.md b/2-environments/modules/env_baseline/README.md index 4cc5fcbc2..1dfb1317a 100644 --- a/2-environments/modules/env_baseline/README.md +++ b/2-environments/modules/env_baseline/README.md @@ -4,7 +4,6 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | assured\_workload\_configuration | Assured Workload configuration. See https://cloud.google.com/assured-workloads ."
enabled: If the assured workload should be created.
location: The location where the workload will be created.
display\_name: User-assigned resource display name.
compliance\_regime: Supported Compliance Regimes. See https://cloud.google.com/assured-workloads/docs/reference/rest/Shared.Types/ComplianceRegime .
resource\_type: The type of resource. One of CONSUMER\_FOLDER, KEYRING, or ENCRYPTION\_KEYS\_PROJECT. |
object({
enabled = optional(bool, false)
location = optional(string, "us-central1")
display_name = optional(string, "FEDRAMP-MODERATE")
compliance_regime = optional(string, "FEDRAMP_MODERATE")
resource_type = optional(string, "CONSUMER_FOLDER")
})
| `{}` | no | -| auto\_create\_network | Control whether the 'default' network will be created in the project. | `bool` | `true` | no | | env | The environment to prepare (ex. development) | `string` | n/a | yes | | environment\_code | A short form of the folder level resources (environment) within the Google Cloud organization (ex. d). | `string` | n/a | yes | | project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
secret_budget_amount = optional(number, 1000)
secret_alert_spent_percents = optional(list(number), [1.2])
secret_alert_pubsub_topic = optional(string, null)
secret_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
kms_budget_amount = optional(number, 1000)
kms_alert_spent_percents = optional(list(number), [1.2])
kms_alert_pubsub_topic = optional(string, null)
kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no |
diff --git a/2-environments/modules/env_baseline/kms.tf b/2-environments/modules/env_baseline/kms.tf
index 5c10308f6..593773257 100644
--- a/2-environments/modules/env_baseline/kms.tf
+++ b/2-environments/modules/env_baseline/kms.tf
@@ -33,7 +33,7 @@ module "env_kms" {
 disable_services_on_destroy = false
 depends_on = [time_sleep.wait_60_seconds]
 activate_apis = ["logging.googleapis.com", "cloudkms.googleapis.com", "billingbudgets.googleapis.com"]
- auto_create_network = var.auto_create_network
+ auto_create_network = true
 
 labels = {
 environment = var.env
diff --git a/2-environments/modules/env_baseline/secrets.tf b/2-environments/modules/env_baseline/secrets.tf
index d217fef9b..759ade4e9 100644
--- a/2-environments/modules/env_baseline/secrets.tf
+++ b/2-environments/modules/env_baseline/secrets.tf
@@ -33,7 +33,7 @@ module "env_secrets" {
 disable_services_on_destroy = false
 depends_on = [time_sleep.wait_60_seconds]
 activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com"]
- auto_create_network = var.auto_create_network
+ auto_create_network = true
 
 labels = {
 environment = var.env
diff --git a/2-environments/modules/env_baseline/variables.tf b/2-environments/modules/env_baseline/variables.tf
index 384768bd3..400479c0e 100644
--- a/2-environments/modules/env_baseline/variables.tf
+++ b/2-environments/modules/env_baseline/variables.tf
@@ -81,9 +81,3 @@ variable "assured_workload_configuration" {
 })
 default = {}
 }
-
-variable "auto_create_network" {
- description = "Control whether the 'default' network will be created in the project."
- type = bool
- default = true
-}
diff --git a/4-projects/modules/single_project/README.md b/4-projects/modules/single_project/README.md
index 7e0de5b2b..b92f4b388 100644
--- a/4-projects/modules/single_project/README.md
+++ b/4-projects/modules/single_project/README.md
@@ -6,7 +6,6 @@
 | activate\_apis | The api to activate for the GCP project | `list(string)` | `[]` | no |
 | app\_infra\_pipeline\_service\_accounts | The Service Accounts from App Infra Pipeline. | `map(string)` | `{}` | no |
 | application\_name | The name of application where GCP resources relate | `string` | n/a | yes |
-| auto\_create\_network | Control whether the 'default' network will be created in the project. | `bool` | `true` | no |
 | billing\_account | The ID of the billing account to associated this project with | `string` | n/a | yes |
 | billing\_code | The code that's used to provide chargeback information | `string` | n/a | yes |
 | business\_code | The code that describes which business unit owns the project | `string` | `"shared"` | no |
diff --git a/4-projects/modules/single_project/main.tf b/4-projects/modules/single_project/main.tf
index 2e62df3a0..b985dc524 100644
--- a/4-projects/modules/single_project/main.tf
+++ b/4-projects/modules/single_project/main.tf
@@ -55,7 +55,7 @@ module "project" {
 org_id = var.org_id
 billing_account = var.billing_account
 folder_id = var.folder_id
- auto_create_network = var.auto_create_network
+ auto_create_network = true
 svpc_host_project_id = var.shared_vpc_host_project_id
 shared_vpc_subnets = var.shared_vpc_subnets
 # Optional: To enable subnetting, replace to "module.networking_project.subnetwork_self_link"
diff --git a/4-projects/modules/single_project/variables.tf b/4-projects/modules/single_project/variables.tf
index 92bf3d460..429f6d08f 100644
--- a/4-projects/modules/single_project/variables.tf
+++ b/4-projects/modules/single_project/variables.tf
@@ -160,9 +160,3 @@ variable "enable_cloudbuild_deploy" {
 type = bool
 default = false
 }
-
-variable "auto_create_network" {
- description = "Control whether the 'default' network will be created in the project."
- type = bool
- default = true
-}
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 577a8f58e..cf1f81c10 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -54,7 +54,7 @@ module "project" {
 org_id = var.org_id
 folder_id = var.folder_id
 billing_account = var.billing_account
- auto_create_network = var.auto_create_network
+ auto_create_network = true
 
 activate_apis = [
 "cloudresourcemanager.googleapis.com",
diff --git a/test/setup/variables.tf b/test/setup/variables.tf
index 463fd15af..f06cfdfa6 100644
--- a/test/setup/variables.tf
+++ b/test/setup/variables.tf
@@ -37,9 +37,3 @@ variable "example_foundations_mode" {
 variable "domain_to_allow" {
 description = "The test domain_to_allow allow users from in IAM."
 }
-
-variable "auto_create_network" {
- description = "Control whether the 'default' network will be created in the project."
- type = bool
- default = true
-}
From 259c381017b50bddab245f14016d78d36c4b65a4 Mon Sep 17 00:00:00 2001 From: mariammartins Date: Thu, 12 Sep 2024 12:32:25 -0300 Subject: [PATCH 08/17] add time sleep --- 0-bootstrap/cb.tf | 2 +- 0-bootstrap/main.tf | 2 +- 0-bootstrap/org_policy.tf | 7 +++++++ 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf
index 041456c16..19c6e3f34 100644
--- a/0-bootstrap/cb.tf
+++ b/0-bootstrap/cb.tf
@@ -131,7 +131,7 @@ module "tf_source" {
 }
 
 # Remove after github.com/terraform-google-modules/terraform-google-bootstrap/issues/160
- depends_on = [module.seed_bootstrap, module.organization_policies_type_boolean]
+ depends_on = [module.seed_bootstrap, time_sleep.wait_organization_policies]
 }
 
 module "tf_private_pool" {
diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf
index 20f210fe5..e42cc3ece 100644
--- a/0-bootstrap/main.tf
+++ b/0-bootstrap/main.tf
@@ -99,5 +99,5 @@ module "seed_bootstrap" {
 
 sa_org_iam_permissions = []
 
- depends_on = [module.required_group, module.organization_policies_type_boolean]
+ depends_on = [module.required_group, time_sleep.wait_organization_policies]
 }
diff --git a/0-bootstrap/org_policy.tf b/0-bootstrap/org_policy.tf
index 989e8ae87..49a95889d 100644
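Review bot: `auto_create_network = true` in `test/setup/main.tf` is the one place in this series where the `compute.skipDefaultNetworkCreation` policy is presumably not yet in force, since this project is created by the test harness before 0-bootstrap applies the policy; unlike the foundation projects, this one can actually end up with a default network and the default firewall rules. If that is acceptable for the test seed project, say so on the line, e.g. `# test seed project is created before the org policies exist; a default network may be created here`; otherwise keep the removed `auto_create_network` variable for this module only. The enclosing `module "project"` block starts outside the hunk.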
--- a/0-bootstrap/org_policy.tf
+++ b/0-bootstrap/org_policy.tf
@@ -37,3 +37,10 @@ module "organization_policies_type_boolean" {
 enforce = "true"
 constraint = "constraints/${each.value}"
 }
+
+resource "time_sleep" "wait_organization_policies" {
+ create_duration = "30s"
+ depends_on = [
+ module.organization_policies_type_boolean
+ ]
+}
From 113ed63b5d2247ef3bb234861c9d531bbfb2942c Mon Sep 17 00:00:00 2001 From: mariammartins Date: Thu, 12 Sep 2024 17:17:17 -0300 Subject: [PATCH 09/17] increasing waiting time --- 0-bootstrap/org_policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/0-bootstrap/org_policy.tf b/0-bootstrap/org_policy.tf
index 49a95889d..85207520c 100644
--- a/0-bootstrap/org_policy.tf
+++ b/0-bootstrap/org_policy.tf
@@ -39,7 +39,7 @@ module "organization_policies_type_boolean" {
 }
 
 resource "time_sleep" "wait_organization_policies" {
- create_duration = "30s"
+ create_duration = "60s"
 depends_on = [
 module.organization_policies_type_boolean
 ]
From 14e81ec399e31f9f0cd71dfa11a912db924b062c Mon Sep 17 00:00:00 2001 From: mariammartins Date: Tue, 24 Sep 2024 17:37:46 -0300 Subject: [PATCH 10/17] fix bootstrap test --- test/integration/bootstrap/bootstrap_test.go | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index b4820e619..659a541b8 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -147,6 +147,8 @@ func TestBootstrap(t *testing.T) {
 
 bootstrap.DefineVerify(
 func(assert *assert.Assertions) {
+ parentFolder := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["parent_folder"]
+
 // cloud build project
 cbProjectID := bootstrap.GetStringOutput("cloudbuild_project_id")
 artifactsBktName := terraform.OutputMap(t, bootstrap.GetTFOptions(), "gcs_bucket_cloudbuild_artifacts")
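Review bot: `time_sleep.wait_organization_policies` is added without a comment saying what it waits for, and a fixed pause narrows the race rather than closing it: if the modules that now depend on it (`seed_bootstrap` and `tf_source`, in the `main.tf` and `cb.tf` hunks of this commit) create the bootstrap projects before the `skipDefaultNetworkCreation` constraint becomes effective, those projects are created with the default network, and since this series also hard-codes `auto_create_network = true`, a later apply presumably will not remove it. Document the intent and the failure mode above the resource, e.g. `# Org policy enforcement takes effect asynchronously; wait before any project is created, otherwise the project may be created with a default network that later applies will not remove.` The following commit raises the duration to 60s and is covered by this note.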
@@ -304,17 +306,17 @@ func TestBootstrap(t *testing.T) {
 assert.Subset(listRoles, sa.orgRoles, fmt.Sprintf("service account %s should have organization level roles", terraformSAEmail))
 }
 }
+ // boolean organization policies
+ for _, booleanConstraint := range []string{
+ "constraints/compute.skipDefaultNetworkCreation",
+ "constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
+ } {
+ orgPolicy := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)
+ assert.True(orgPolicy.Get("booleanPolicy.enforced").Bool(), fmt.Sprintf("org policy %s should be enforced", booleanConstraint))
+ }
 
 })
 
- // boolean organization policies
- for _, booleanConstraint := range []string{
- "constraints/compute.skipDefaultNetworkCreation",
- "constraints/iam.disableServiceAccountKeyCreation",
- } {
- orgPolicy := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)
- assert.True(orgPolicy.Get("booleanPolicy.enforced").Bool(), fmt.Sprintf("org policy %s should be enforced", booleanConstraint))
- }
 
 bootstrap.DefineTeardown(func(assert *assert.Assertions) {
 // configure options to pull state from GCS bucket
From da273ff6031b2a2390ccc6b84794650936af24fb Mon Sep 17 00:00:00 2001 From: mariammartins Date: Wed, 25 Sep 2024 13:17:47 -0300 Subject: [PATCH 11/17] fix source and version of gcs_bucket module --- 4-projects/modules/base_env/example_storage_cmek.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/4-projects/modules/base_env/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf
index 8b40250a7..16ddb97bd 100644
--- a/4-projects/modules/base_env/example_storage_cmek.tf
+++ b/4-projects/modules/base_env/example_storage_cmek.tf
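Review bot: The added loop calls `gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)` and so assumes the policy was set on a folder, but `0-bootstrap/org_policy.tf` sets it on the organization when `parent_folder` is empty (its `policy_for` local selects `"organization"` in that case); with an empty `parentFolder` the command gets an empty `--folder` value and the assertion fails for the wrong reason rather than checking the organization-level policy. If the integration tests always run under a folder, make that explicit with a comment such as `// integration tests always deploy under a parent folder; the organization-level case is not exercised here`, otherwise branch on `parentFolder == ""` and use `--organization`. `TestBootstrap` starts and ends outside the hunk.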
@@ -43,8 +43,9 @@ resource "random_string" "bucket_name" {
 }
 
 module "gcs_buckets" {
- source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
- version = "~> 6.0"
+ source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+ # Open Issue on version 6.1.0: https://github.com/terraform-google-modules/terraform-google-cloud-storage/issues/339
+ version = "~> 6.0.0"
 
 project_id = module.base_shared_vpc_project.project_id
 location = var.location_gcs
From 7b29d4205f5f10f8de5b636e3553713eb804d8ae Mon Sep 17 00:00:00 2001 From: mariammartins Date: Wed, 25 Sep 2024 16:10:37 -0300 Subject: [PATCH 12/17] test depends on --- 0-bootstrap/modules/cb-private-pool/network.tf | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/0-bootstrap/modules/cb-private-pool/network.tf b/0-bootstrap/modules/cb-private-pool/network.tf
index 308f56a9f..9d382c306 100644
--- a/0-bootstrap/modules/cb-private-pool/network.tf
+++ b/0-bootstrap/modules/cb-private-pool/network.tf
@@ -86,6 +86,8 @@ resource "google_compute_network_peering_routes_config" "peering_routes" {
 
 import_custom_routes = true
 export_custom_routes = true
+
+ depends_on = [google_service_networking_connection.worker_pool_conn]
 }
 
 module "firewall_rules" {
From d9ccfe736d063c438b5f20c67a57caba3530c24b Mon Sep 17 00:00:00 2001 From: mariammartins Date: Thu, 26 Sep 2024 14:09:04 -0300 Subject: [PATCH 13/17] fix parentFolder --- test/integration/bootstrap/bootstrap_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index 659a541b8..9539ff5c6 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -147,7 +147,7 @@ func TestBootstrap(t *testing.T) {
 
 bootstrap.DefineVerify(
 func(assert *assert.Assertions) {
- parentFolder := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["parent_folder"]
+ parentFolder := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["parent_id"]
 
 // cloud build project
 cbProjectID := bootstrap.GetStringOutput("cloudbuild_project_id")
From 688c755f4b04afb0b40f98fa4d06d5ed376c2cb4 Mon Sep 17 00:00:00 2001 From: mariammartins Date: Thu, 26 Sep 2024 14:57:21 -0300 Subject: [PATCH 14/17] refix parentFolder variable --- test/integration/bootstrap/bootstrap_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index 9539ff5c6..659a541b8 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -147,7 +147,7 @@ func TestBootstrap(t *testing.T) {
 
 bootstrap.DefineVerify(
 func(assert *assert.Assertions) {
- parentFolder := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["parent_id"]
+ parentFolder := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["parent_folder"]
 
 // cloud build project
 cbProjectID := bootstrap.GetStringOutput("cloudbuild_project_id")
From b8885e0cfcfb312475392d34bc53249f5af1fc88 Mon Sep 17 00:00:00 2001 From: mariammartins Date: Thu, 26 Sep 2024 15:46:52 -0300 Subject: [PATCH 15/17] back with constraint/iam.automaticIamGrantsForDefaultServiceAccounts to org step --- 0-bootstrap/org_policy.tf | 3 +-- 1-org/envs/shared/org_policy.tf | 1 + test/integration/bootstrap/bootstrap_test.go | 1 - test/integration/org/org_test.go | 1 + 4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/0-bootstrap/org_policy.tf b/0-bootstrap/org_policy.tf
index 85207520c..be569af22 100644
--- a/0-bootstrap/org_policy.tf
+++ b/0-bootstrap/org_policy.tf
@@ -20,8 +20,7 @@ locals {
 policy_for = var.parent_folder != "" ? "folder" : "organization"
 
 boolean_type_organization_policies = toset([
- "compute.skipDefaultNetworkCreation",
- "iam.automaticIamGrantsForDefaultServiceAccounts"
+ "compute.skipDefaultNetworkCreation"
 ])
 }
 
diff --git a/1-org/envs/shared/org_policy.tf b/1-org/envs/shared/org_policy.tf
index a6a0bf012..b49e69f71 100644
--- a/1-org/envs/shared/org_policy.tf
+++ b/1-org/envs/shared/org_policy.tf
@@ -34,6 +34,7 @@ locals {
 "sql.restrictPublicIp",
 "sql.restrictAuthorizedNetworks",
 "iam.disableServiceAccountKeyCreation",
+ "iam.automaticIamGrantsForDefaultServiceAccounts",
 "iam.disableServiceAccountKeyUpload",
 "storage.uniformBucketLevelAccess",
 "storage.publicAccessPrevention"
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index 659a541b8..346305730 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -309,7 +309,6 @@ func TestBootstrap(t *testing.T) {
 // boolean organization policies
 for _, booleanConstraint := range []string{
 "constraints/compute.skipDefaultNetworkCreation",
- "constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
 } {
 orgPolicy := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)
 assert.True(orgPolicy.Get("booleanPolicy.enforced").Bool(), fmt.Sprintf("org policy %s should be enforced", booleanConstraint))
diff --git a/test/integration/org/org_test.go b/test/integration/org/org_test.go
index a7b42c1d1..77f99ef0b 100644
--- a/test/integration/org/org_test.go
+++ b/test/integration/org/org_test.go
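Review bot: Removing `iam.automaticIamGrantsForDefaultServiceAccounts` from the bootstrap set leaves the reason only in the commit title; the file now enforces `compute.skipDefaultNetworkCreation` at bootstrap but defers this constraint to `1-org/envs/shared/org_policy.tf` without saying why, and the security consequence is that any default service account created in the bootstrap projects before 1-org runs receives its automatic project-level grant, which later enforcement of the constraint does not revoke. A comment next to the remaining entry would keep that decision visible, e.g. `# iam.automaticIamGrantsForDefaultServiceAccounts is enforced in 1-org; default SAs created in bootstrap projects keep any grants made before then`. The enclosing `locals` block starts outside the hunk.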
@@ -164,6 +164,7 @@ func TestOrg(t *testing.T) {
 "constraints/iam.disableServiceAccountKeyCreation",
 "constraints/storage.uniformBucketLevelAccess",
 "constraints/storage.publicAccessPrevention",
+ "constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
 } {
 orgPolicy := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)
 assert.True(orgPolicy.Get("booleanPolicy.enforced").Bool(), fmt.Sprintf("org policy %s should be enforced", booleanConstraint))
From ad47f694e8d005e378175f725d1b14ad33bb14a5 Mon Sep 17 00:00:00 2001 From: mariammartins Date: Mon, 30 Sep 2024 18:27:03 -0300 Subject: [PATCH 16/17] add worker_pool_conn depends_on and remove module seed_boostratp depends_on --- 0-bootstrap/cb.tf | 2 +- 0-bootstrap/modules/cb-private-pool/network.tf | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf
index 19c6e3f34..a0a63ffc3 100644
--- a/0-bootstrap/cb.tf
+++ b/0-bootstrap/cb.tf
@@ -131,7 +131,7 @@ module "tf_source" {
 }
 
 # Remove after github.com/terraform-google-modules/terraform-google-bootstrap/issues/160
- depends_on = [module.seed_bootstrap, time_sleep.wait_organization_policies]
+ depends_on = [time_sleep.wait_organization_policies]
 }
 
 module "tf_private_pool" {
diff --git a/0-bootstrap/modules/cb-private-pool/network.tf b/0-bootstrap/modules/cb-private-pool/network.tf
index 9d382c306..82e120b5f 100644
--- a/0-bootstrap/modules/cb-private-pool/network.tf
+++ b/0-bootstrap/modules/cb-private-pool/network.tf
@@ -77,6 +77,13 @@ resource "google_service_networking_connection" "worker_pool_conn" {
 reserved_peering_ranges = [google_compute_global_address.worker_pool_range[0].name]
 }
 
+resource "time_sleep" "wait_worker_pool_conn" {
+ create_duration = "30s"
+ depends_on = [
+ google_service_networking_connection.worker_pool_conn
+ ]
+}
+
 resource "google_compute_network_peering_routes_config" "peering_routes" {
 count = var.private_worker_pool.enable_network_peering ? 1 : 0
 
@@ -87,7 +94,7 @@ resource "google_compute_network_peering_routes_config" "peering_routes" {
 import_custom_routes = true
 export_custom_routes = true
 
- depends_on = [google_service_networking_connection.worker_pool_conn]
+ depends_on = [time_sleep.wait_worker_pool_conn]
 }
 
 module "firewall_rules" {
From 91ea10e10f5dcd457d94a0434c75ae5c2bf263d2 Mon Sep 17 00:00:00 2001 From: mariammartins Date: Tue, 1 Oct 2024 16:35:37 -0300 Subject: [PATCH 17/17] remove depends_on --- 0-bootstrap/cb.tf | 2 +- 0-bootstrap/modules/cb-private-pool/network.tf | 9 --------- 2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf
index a0a63ffc3..19c6e3f34 100644
--- a/0-bootstrap/cb.tf
+++ b/0-bootstrap/cb.tf
@@ -131,7 +131,7 @@ module "tf_source" {
 }
 
 # Remove after github.com/terraform-google-modules/terraform-google-bootstrap/issues/160
- depends_on = [time_sleep.wait_organization_policies]
+ depends_on = [module.seed_bootstrap, time_sleep.wait_organization_policies]
 }
 
 module "tf_private_pool" {
diff --git a/0-bootstrap/modules/cb-private-pool/network.tf b/0-bootstrap/modules/cb-private-pool/network.tf
index 82e120b5f..308f56a9f 100644
--- a/0-bootstrap/modules/cb-private-pool/network.tf
+++ b/0-bootstrap/modules/cb-private-pool/network.tf
@@ -77,13 +77,6 @@ resource "google_service_networking_connection" "worker_pool_conn" {
 reserved_peering_ranges = [google_compute_global_address.worker_pool_range[0].name]
 }
 
-resource "time_sleep" "wait_worker_pool_conn" {
- create_duration = "30s"
- depends_on = [
- google_service_networking_connection.worker_pool_conn
- ]
-}
-
 resource "google_compute_network_peering_routes_config" "peering_routes" {
 count = var.private_worker_pool.enable_network_peering ? 1 : 0
 
@@ -93,8 +86,6 @@ resource "google_compute_network_peering_routes_config" "peering_routes" {
 
 import_custom_routes = true
 export_custom_routes = true
-
- depends_on = [time_sleep.wait_worker_pool_conn]
 }
 
 module "firewall_rules" {