Merge from GoogleCloudPlatform #2

Merged 32 commits, May 14, 2024

Commits:
- dd213ea Fix permissions for branch network dev - read sa (#2233) (LucaPrete, Apr 23, 2024)
- d901992 Added build env vars in cloud function v1 (#2234) (luigi-bitonti, Apr 23, 2024)
- 99129d5 Update FAST logging (#2235) (juliocc, Apr 25, 2024)
- 2446b4d Update README.md (#2239) (vicenteg, Apr 25, 2024)
- 64ac89d fix: allow disabling node autoprovisioning (#2238) (kumadee, Apr 26, 2024)
- d831d32 Use default labels on pubsub subscription when no override is provided (wiktorn, Apr 27, 2024)
- a95e681 Removed BFD settings from net-vpn-ha module as it is not supported (#… (apichick, Apr 28, 2024)
- ab17427 Added new attributes Apigee organization and bumped up providers vers… (apichick, Apr 28, 2024)
- be966c4 Fixed issue with service networking DNS peering (#2246) (apichick, Apr 28, 2024)
- e122667 Added missing identity when connectors API is enabled (#2248) (jnahelou, Apr 30, 2024)
- 27a055a fix factory ingress policies (#2251) (ludoo, May 1, 2024)
- fdcd309 add support for labels to GKE backup plans (#2252) (ludoo, May 1, 2024)
- dccf573 fix issues with private workstation-cluster module and persistent_dir… (simonebruzzechesse, May 2, 2024)
- 94c32c1 Misc FAST fixes (#2253) (juliocc, May 2, 2024)
- 7aa6c7e Style fixes to FAST log sinks expressions (juliocc, May 2, 2024)
- c9503d5 Remove data source from folder module (#2260) (ludoo, May 9, 2024)
- c58850c Add Hybrid NAT support (#2261) (juliocc, May 9, 2024)
- d838c4a Make Simple NVA route IAP traffic through NIC 0 (#2262) (juliocc, May 9, 2024)
- 01533a4 update changelog (ludoo, May 10, 2024)
- 2b6c81f Update docs - gcp-network-admins -> gcp-vpc-network-admins (wiktorn, May 10, 2024)
- 5b3ed10 Fix bug from output typo in new project-factory module (#2264) (JanCVanB, May 10, 2024)
- 35a17a4 Fix failing E2E tests (wiktorn, May 11, 2024)
- 6a3c7fe CloudSQL PSC Endpoints support (#2242) (wiktorn, May 12, 2024)
- af253c9 Fix 0-bootstrap iam_by_principals not taking into account all princip… (wiktorn, May 12, 2024)
- 604920d add logging settings to folder module (#2268) (ludoo, May 13, 2024)
- e4941c2 Implement the full IAM interface for tags (#2269) (ludoo, May 13, 2024)
- 4d1d3c6 New Bindplane cloud-config-container setup (#2272) (simonebruzzechesse, May 14, 2024)
- a14ed9a Cloud function CMEK key support (#2270) (luigi-bitonti, May 14, 2024)
- c854057 update changelog (ludoo, May 14, 2024)
- ff6f6bb Added apigee-x-foundations blueprint (#2274) (apichick, May 14, 2024)
- 95d0ccc update changelog (ludoo, May 14, 2024)
- c494715 Merge branch 'master' of github.com:GoogleCloudPlatform/cloud-foundat… (ludoo, May 14, 2024)
Misc FAST fixes (GoogleCloudPlatform#2253)
* Misc FAST fixes

* Fix readme

* Fix FAST nva bgp tests
juliocc authored May 2, 2024

Verified: this commit was created on GitHub.com and signed with GitHub's verified signature.

commit 94c32c1d71e96d8332b8e74f71045aa4e4b5e0a6
2 changes: 1 addition & 1 deletion fast/stages-multitenant/0-bootstrap-tenant/README.md
@@ -208,7 +208,7 @@ This configuration is possible but unsupported and only exists for development p
| [custom_roles](variables.tf#L95) | Custom roles defined at the organization level, in key => id format. | <code title="object&#40;&#123;&#10; service_project_network_admin &#61; string&#10; tenant_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>0-bootstrap</code> |
| [fast_features](variables.tf#L105) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10; data_platform &#61; optional&#40;bool, true&#41;&#10; gke &#61; optional&#40;bool, true&#41;&#10; project_factory &#61; optional&#40;bool, true&#41;&#10; sandbox &#61; optional&#40;bool, true&#41;&#10; teams &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [federated_identity_providers](variables.tf#L119) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10; attribute_condition &#61; optional&#40;string&#41;&#10; issuer &#61; string&#10; custom_settings &#61; optional&#40;object&#40;&#123;&#10; issuer_uri &#61; optional&#40;string&#41;&#10; audiences &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10; gcp-devops &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10; gcp-network-admins &#61; optional&#40;string, &#34;gcp-network-admins&#34;&#41;&#10; gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10; gcp-devops &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10; gcp-network-admins &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10; gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [iam](variables.tf#L146) | Tenant-level custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [iam_bindings_additive](variables.tf#L152) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [iam_by_principals](variables.tf#L167) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
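Review bot: the default for the `gcp-network-admins` key becomes `gcp-vpc-network-admins`, but the key and the description are unchanged, so a reader of this table cannot tell that the key no longer matches the group it resolves to; add a sentence to the description along the lines of "the `gcp-network-admins` key maps to the `gcp-vpc-network-admins` group by default". The same description still says "organization-level permissions" while the `iam` row two lines down says "Tenant-level"; the two should agree for the tenant stage.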
4 changes: 2 additions & 2 deletions fast/stages-multitenant/0-bootstrap-tenant/variables.tf
@@ -1,5 +1,5 @@
/**
* Copyright 2023 Google LLC
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -136,7 +136,7 @@ variable "groups" {
description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
type = object({
gcp-devops = optional(string, "gcp-devops")
gcp-network-admins = optional(string, "gcp-network-admins")
gcp-network-admins = optional(string, "gcp-vpc-network-admins")
gcp-security-admins = optional(string, "gcp-security-admins")
})
nullable = false
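Review bot: changing a default inside `variable "groups"` is a behavioural change for every tenant that never set the variable: bindings that were planned for `group:gcp-network-admins@<domain>` will now be planned for `group:gcp-vpc-network-admins@<domain>`, so the old group drops out of the authoritative bindings and, if the new group has not been created, the apply fails on the first binding that references it. This needs a changelog entry with the migration step, either create the new group first or pin `groups = { gcp-network-admins = "gcp-network-admins" }` to keep the old name.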
18 changes: 16 additions & 2 deletions fast/stages/0-bootstrap/README.md
@@ -39,6 +39,7 @@ Use the following diagram as a simple high level reference for the following sec
- [Log sinks and log destinations](#log-sinks-and-log-destinations)
- [Names and naming convention](#names-and-naming-convention)
- [Workload Identity Federation](#workload-identity-federation)
- [Project folders](#project-folders)
- [CI/CD repositories](#cicd-repositories)
- [Toggling features](#toggling-features)
- [Files](#files)
@@ -533,6 +534,18 @@ workload_identity_providers = {
}
```

### Project folders

By default this stage creates all its projects directly under the orgaization node. If desired, projects can be moved under a folder using the `project_parent_ids` variable.

```tfvars
project_parent_ids = {
automation = "folders/1234567890"
billing = "folders/9876543210"
logging = "folders/1234567890"
}
```

### CI/CD repositories

FAST is designed to directly support running in automated workflows from separate repositories for each stage. The `cicd_repositories` variable allows you to configure impersonation from external repositories leveraging Workload identity Federation, and pre-configures a FAST workflow file that can be used to validate and apply the code in each repository.
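Review bot: typo in the new "Project folders" section, `orgaization` should be `organization`. The section should also state what moving these projects under a folder implies: folder-level IAM and organization policies are inherited, so anyone holding roles on `folders/1234567890` inherits them on the automation and logging projects, which are the ones holding the stage automation identities and the log destinations described earlier in this README. A one-line warning that such folders must be controlled as tightly as the organization node would help; the sample folder IDs are fine as placeholders.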
@@ -595,9 +608,10 @@ The remaining configuration is manual, as it regards the repositories themselves

Some FAST features can be enabled or disabled using the `fast_features` variables. While this variable is not directly used in the bootstrap stage, it can instruct the following stages to create certain resources only if needed.

The `fast_features` variable consists of 4 toggles:
The `fast_features` variable consists of 6 toggles:

- **`data_platform`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-data-platform](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-data-platform) stage
- **`gcve`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gcve](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gcve) stage
- **`gke`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gke-multitenant](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gke-multitenant) stage
- **`project_factory`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-project-factory](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-project-factory) stage
- **`sandbox`** controls the creation of a "Sandbox" top level folder with relaxed policies, intended for sandbox environments where users can experiment
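Review bot: the hard-coded count in `The fast_features variable consists of 6 toggles:` has already drifted once (the replaced line said 4) and will drift again with the next toggle; consider dropping the number and letting the list speak for itself. While touching this paragraph, the context line above reads `using the fast_features variables` (plural) for a single variable.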
@@ -636,7 +650,7 @@ The `fast_features` variable consists of 4 toggles:
| [essential_contacts](variables.tf#L86) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
| [factories_config](variables.tf#L92) | Configuration for the resource factories or external data. | <code title="object&#40;&#123;&#10; checklist_data &#61; optional&#40;string&#41;&#10; checklist_org_iam &#61; optional&#40;string&#41;&#10; custom_roles &#61; optional&#40;string, &#34;data&#47;custom-roles&#34;&#41;&#10; org_policy &#61; optional&#40;string, &#34;data&#47;org-policies&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [fast_features](variables.tf#L104) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10; data_platform &#61; optional&#40;bool, false&#41;&#10; gcve &#61; optional&#40;bool, false&#41;&#10; gke &#61; optional&#40;bool, false&#41;&#10; project_factory &#61; optional&#40;bool, false&#41;&#10; sandbox &#61; optional&#40;bool, false&#41;&#10; teams &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10; gcp-billing-admins &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10; gcp-devops &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10; gcp-network-admins &#61; optional&#40;string, &#34;gcp-network-admins&#34;&#41;&#10; gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10; gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10; gcp-support &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10; gcp-billing-admins &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10; gcp-devops &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10; gcp-network-admins &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10; gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10; gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10; gcp-support &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [iam](variables.tf#L134) | Organization-level custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
2 changes: 1 addition & 1 deletion fast/stages/0-bootstrap/variables.tf
@@ -121,7 +121,7 @@ variable "groups" {
type = object({
gcp-billing-admins = optional(string, "gcp-billing-admins")
gcp-devops = optional(string, "gcp-devops")
gcp-network-admins = optional(string, "gcp-network-admins")
gcp-network-admins = optional(string, "gcp-vpc-network-admins")
gcp-organization-admins = optional(string, "gcp-organization-admins")
gcp-security-admins = optional(string, "gcp-security-admins")
# aliased to gcp-devops as the checklist does not create it
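Review bot: the comment just below the changed line says `gcp-support` is aliased to `gcp-devops` because the checklist does not create it, so the checklist is treated as the source of the default groups; confirm it creates `gcp-vpc-network-admins` rather than the old `gcp-network-admins`, otherwise the new default points at a group that never gets created. Keeping the key `gcp-network-admins` while the default group is `gcp-vpc-network-admins` is reasonable for tfvars compatibility, but add a short comment on the changed line, like the one on `gcp-support`, explaining why the two names differ.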