fix integration tests, shared files and root README
mariammartins committed Dec 5, 2024
1 parent 1386456 commit 0a62c24
Showing 6 changed files with 23 additions and 27 deletions.
4 changes: 2 additions & 2 deletions 1-org/envs/shared/README.md
Expand Up @@ -25,8 +25,8 @@
| log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no |
| log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | <pre>object({<br> is_locked = bool<br> retention_period_days = number<br> })</pre> | `null` | no |
| log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
| perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`. | `list(string)` | `[]` | no |
| perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`. | `list(string)` | `[]` | no |
| perimeter\_additional\_members | The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the perimeter, add your user in this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`. | `list(string)` | `[]` | no |
| perimeter\_additional\_members\_dry\_run | The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the perimeter, add your user in this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`. | `list(string)` | `[]` | no |
| project\_budget | Budget configuration for projects.<br> budget\_amount: The amount to use as the budget.<br> alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br> alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br> alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br> dns_hub_budget_amount = optional(number, 1000)<br> dns_hub_alert_spent_percents = optional(list(number), [1.2])<br> dns_hub_alert_pubsub_topic = optional(string, null)<br> dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> net_hub_budget_amount = optional(number, 1000)<br> net_hub_alert_spent_percents = optional(list(number), [1.2])<br> net_hub_alert_pubsub_topic = optional(string, null)<br> net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> network_budget_amount = optional(number, 1000)<br> network_alert_spent_percents = optional(list(number), [1.2])<br> network_alert_pubsub_topic = optional(string, null)<br> network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> interconnect_budget_amount = optional(number, 1000)<br> interconnect_alert_spent_percents = optional(list(number), [1.2])<br> interconnect_alert_pubsub_topic = optional(string, null)<br> interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_secrets_budget_amount = optional(number, 1000)<br> org_secrets_alert_spent_percents = optional(list(number), [1.2])<br> org_secrets_alert_pubsub_topic = optional(string, null)<br> org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_billing_export_budget_amount = optional(number, 1000)<br> org_billing_export_alert_spent_percents = optional(list(number), [1.2])<br> 
org_billing_export_alert_pubsub_topic = optional(string, null)<br> org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> org_audit_logs_budget_amount = optional(number, 1000)<br> org_audit_logs_alert_spent_percents = optional(list(number), [1.2])<br> org_audit_logs_alert_pubsub_topic = optional(string, null)<br> org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> common_kms_budget_amount = optional(number, 1000)<br> common_kms_alert_spent_percents = optional(list(number), [1.2])<br> common_kms_alert_pubsub_topic = optional(string, null)<br> common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> scc_notifications_budget_amount = optional(number, 1000)<br> scc_notifications_alert_spent_percents = optional(list(number), [1.2])<br> scc_notifications_alert_pubsub_topic = optional(string, null)<br> scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")<br> })</pre> | `{}` | no |
| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
4 changes: 2 additions & 2 deletions 1-org/envs/shared/variables.tf
Expand Up @@ -252,13 +252,13 @@ variable "access_context_manager_policy_id" {
}

variable "perimeter_additional_members" {
description = "The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`."
description = "The list of additional members to be added to the enforced perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the perimeter, add your user in this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`."
type = list(string)
default = []
}

variable "perimeter_additional_members_dry_run" {
description = "The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the restricted perimeter, add your user in this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`."
description = "The list of additional members to be added to the dry-run perimeter access level members list. To be able to see the resources protected by the VPC Service Controls in the perimeter, add your user in this list. Entries must be in the standard GCP form: `user:[email protected]` or `serviceAccount:[email protected]`."
type = list(string)
default = []
}
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -74,8 +74,8 @@ Usage instructions are available in the 0-bootstrap [README](./0-bootstrap/READM

The purpose of this stage is:
- Set up the common folder used to house projects that contain shared resources such as Security Command Center notification, Cloud Key Management Service (KMS), org level secrets, and org level logging.
This stage also sets up the network folder used to house network related projects such as DNS Hub, Interconnect, network hub, and restricted projects for each environment (`development`, `nonproduction` or `production`).
- Set up the Restricted Shared VPC with [restricted.googleapis.com](https://cloud.google.com/vpc-service-controls/docs/supported-products) configured for restricted access to googleapis.com and gcr.io. Route added for VIP so no internet access is required to access APIs.
This stage also sets up the network folder used to house network related projects such as DNS Hub, Interconnect, network hub, and projects for each environment (`development`, `nonproduction` or `production`).
- Set up the Shared VPC with [restricted.googleapis.com](https://cloud.google.com/vpc-service-controls/docs/supported-products) configured for restricted access to googleapis.com and gcr.io. Route added for VIP so no internet access is required to access APIs.

This will create the following folder and project structure:

Expand All @@ -88,7 +88,7 @@ example-organization
├── prj-c-kms
└── prj-c-secrets
└── fldr-network
├── prj-net-hub-restricted
├── prj-net-hub
├── prj-net-dns
├── prj-net-interconnect
├── prj-d-svpc
Expand Down Expand Up @@ -136,7 +136,7 @@ Another project created under the network folder. This project will host the Ded

#### Networking

Under the network folder, one project for restricted network, are created per environment (`development`, `nonproduction`, and `production`) which is intended to be used as a [Shared VPC host project](https://cloud.google.com/vpc/docs/shared-vpc) for all projects in that environment.
Under the network folder, one project for network are created per environment (`development`, `nonproduction`, and `production`) which is intended to be used as a [Shared VPC host project](https://cloud.google.com/vpc/docs/shared-vpc) for all projects in that environment.
This stage only creates the projects and enables the correct APIs, the following networks stages, [3-networks-svpc](./3-networks-svpc/) and [3-networks-hub-and-spoke](./3-networks-hub-and-spoke/), create the actual Shared VPC networks.

### [2. environments](./2-environments/)
Expand Down Expand Up @@ -256,7 +256,7 @@ example-organization
├── prj-c-bu1-infra-pipeline
└── prj-c-bu2-infra-pipeline
└── fldr-network
├── prj-net-hub-restricted
├── prj-net-hub
├── prj-net-dns
├── prj-net-interconnect
├── prj-d-svpc
4 changes: 2 additions & 2 deletions test/integration/networks/networks_test.go
Expand Up @@ -348,13 +348,13 @@ func TestNetworks(t *testing.T) {
// Resource issue: https://github.com/hashicorp/terraform-provider-google/issues/16804
// networks.DefaultVerify(assert)

servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("restricted_service_perimeter_name"))
servicePerimeterLink := fmt.Sprintf("accessPolicies/%s/servicePerimeters/%s", policyID, networks.GetStringOutput("service_perimeter_name"))
accessLevel := fmt.Sprintf("accessPolicies/%s/accessLevels/%s", policyID, networks.GetStringOutput("access_level_name_dry_run"))
networkNames := getNetworkResourceNames(envCode, networkMode, firewallMode)

servicePerimeter, err := gcloud.RunCmdE(t, fmt.Sprintf("access-context-manager perimeters dry-run describe %s --policy %s", servicePerimeterLink, policyID))
assert.NoError(err)
perimeterName := networks.GetStringOutput("restricted_service_perimeter_name")
perimeterName := networks.GetStringOutput("service_perimeter_name")
assert.True(strings.Contains(servicePerimeter, perimeterName), fmt.Sprintf("service perimeter %s should exist", perimeterName))
assert.True(strings.Contains(servicePerimeter, accessLevel), fmt.Sprintf("service perimeter %s should have access level %s", servicePerimeterLink, accessLevel))
for _, service := range restrictedServices {
2 changes: 1 addition & 1 deletion test/integration/org/org_test.go
Expand Up @@ -472,7 +472,7 @@ func TestOrg(t *testing.T) {
apis []string
}{
{
projectOutput: "restricted_shared_vpc_project_id",
projectOutput: "shared_vpc_project_id",
apis: []string{
"compute.googleapis.com",
"dns.googleapis.com",
26 changes: 11 additions & 15 deletions test/integration/projects/projects_test.go
Expand Up @@ -74,26 +74,25 @@ func TestProjects(t *testing.T) {
name string
repo string
baseDir string
baseNetwork string
restrictedNetwork string
sharedNetwork string
}{
{
name: "bu1_development",
repo: "bu1-example-app",
baseDir: "../../../4-projects/business_unit_1/%s",
restrictedNetwork: fmt.Sprintf("vpc-d-svpc%s", networkMode),
sharedNetwork: fmt.Sprintf("vpc-d-svpc%s", networkMode),
},
{
name: "bu1_nonproduction",
repo: "bu1-example-app",
baseDir: "../../../4-projects/business_unit_1/%s",
restrictedNetwork: fmt.Sprintf("vpc-n-svpc%s", networkMode),
sharedNetwork: fmt.Sprintf("vpc-n-svpc%s", networkMode),
},
{
name: "bu1_production",
repo: "bu1-example-app",
baseDir: "../../../4-projects/business_unit_1/%s",
restrictedNetwork: fmt.Sprintf("vpc-p-svpc%s", networkMode),
sharedNetwork: fmt.Sprintf("vpc-p-svpc%s", networkMode),
},
} {
tt := tt
Expand All @@ -117,7 +116,7 @@ func TestProjects(t *testing.T) {
tft.WithTFDir(fmt.Sprintf(networkTFDir, env)),
tft.WithVars(netVars),
)
perimeterName := networks.GetStringOutput("restricted_service_perimeter_name")
perimeterName := networks.GetStringOutput("service_perimeter_name")

shared := tft.NewTFBlueprintTest(t,
tft.WithTFDir(fmt.Sprintf(tt.baseDir, "shared")),
Expand All @@ -144,33 +143,33 @@ func TestProjects(t *testing.T) {
for _, projectOutput := range []string{
"floating_project",
"peering_project",
"restricted_shared_vpc_project",
"shared_vpc_project",
} {
projectID := projects.GetStringOutput(projectOutput)
prj := gcloud.Runf(t, "projects describe %s", projectID)
assert.Equal("ACTIVE", prj.Get("lifecycleState").String(), fmt.Sprintf("project %s should be ACTIVE", projectID))

if projectOutput == "restricted_shared_vpc_project" {
if projectOutput == "shared_vpc_project" {

enabledAPIS := gcloud.Runf(t, "services list --project %s --impersonate-service-account %s", projectID, terraformSA).Array()
listApis := testutils.GetResultFieldStrSlice(enabledAPIS, "config.name")
assert.Subset(listApis, restrictedApisEnabled, "APIs should have been enabled")

restrictedProjectNumber := projects.GetStringOutput("restricted_shared_vpc_project_number")
sharedProjectNumber := projects.GetStringOutput("shared_vpc_project_number")
perimeter, err := gcloud.RunCmdE(t, fmt.Sprintf("access-context-manager perimeters dry-run describe %s --policy %s", perimeterName, policyID))
assert.NoError(err)
assert.True(strings.Contains(perimeter, restrictedProjectNumber), fmt.Sprintf("dry-run service perimeter %s should contain project %s", perimeterName, restrictedProjectNumber))
assert.True(strings.Contains(perimeter, sharedProjectNumber), fmt.Sprintf("dry-run service perimeter %s should contain project %s", perimeterName, sharedProjectNumber))

sharedVPC := gcloud.Runf(t, "compute shared-vpc get-host-project %s --impersonate-service-account %s", projectID, terraformSA)
assert.NotEmpty(sharedVPC.Map())

hostProjectID := sharedVPC.Get("name").String()
hostProject := gcloud.Runf(t, "projects describe %s --impersonate-service-account %s", hostProjectID, terraformSA)
assert.Equal("restricted-shared-vpc-host", hostProject.Get("labels.application_name").String(), "host project should have application_name label equals to base-shared-vpc-host")
assert.Equal("shared-vpc-host", hostProject.Get("labels.application_name").String(), "host project should have application_name label equals to base-shared-vpc-host")
assert.Equal(env, hostProject.Get("labels.environment").String(), fmt.Sprintf("project should have environment label %s", env))

hostNetwork := gcloud.Runf(t, "compute networks list --project %s --impersonate-service-account %s", hostProjectID, terraformSA).Array()[0]
assert.Equal(tt.restrictedNetwork, hostNetwork.Get("name").String(), "should have a shared vpc")
assert.Equal(tt.sharedNetwork, hostNetwork.Get("name").String(), "should have a shared vpc")

}

Expand All @@ -188,9 +187,6 @@ func TestProjects(t *testing.T) {
listRoles := testutils.GetResultFieldStrSlice(projectPolicy, "bindings.role")
assert.Subset(listRoles, peeringProjectSaRoles, fmt.Sprintf("service account %s should have project level roles", sharedCloudBuildSA))

peering := gcloud.Runf(t, "compute networks peerings list --project %s", projectID).Array()[0]
assert.Contains(peering.Get("peerings.0.network").String(), tt.baseNetwork, "should have a peering network")

instanceRegion := terraform.OutputMap(t, bootstrap.GetTFOptions(), "common_config")["default_region"]
peeringSubnetworkSelfLink := projects.GetStringOutput("peering_subnetwork_self_link")
peeringSubnetworkSelfLinkSplitted := strings.Split(peeringSubnetworkSelfLink, "/")
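Review bot: The new `assert.Equal("shared-vpc-host", hostProject.Get("labels.application_name").String(), ...)` line in the third hunk keeps a failure message that names a different label value, `"host project should have application_name label equals to base-shared-vpc-host"`, so a failing run would report the wrong expectation; it should read `"host project should have application_name label equal to shared-vpc-host"`. In the last hunk, dropping the `baseNetwork` field also drops the `peering.Get("peerings.0.network")` check, so the peering project's network peering is no longer verified at all; if a peering to the shared VPC is still expected after this change, the check should be restored against `tt.sharedNetwork` rather than removed, and if it is intentionally gone, a short comment saying why would help the next reader. The body of TestProjects starts and ends outside these hunks.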
