Merge remote-tracking branch 'upstream/master' into remove-env-monito…

…ring-projects
terraform-google-modules · May 30, 2024 · dcfc755 · dcfc755
2 parents 2e6f982 + f22eb66
commit dcfc755
Show file tree

Hide file tree

Showing 68 changed files with 202 additions and 1,387 deletions.
diff --git a/.github/workflows/go-lint.yaml b/.github/workflows/go-lint.yaml
@@ -36,13 +36,13 @@ jobs:
       matrix:
         folder: [helpers/foundation-deployer]
     steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: ${{ matrix.folder }}/go.mod
           cache-dependency-path: ${{ matrix.folder }}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc # v5.1.0
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
           version: latest
           working-directory: ${{ matrix.folder }}

diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
@@ -38,7 +38,7 @@ jobs:
       matrix:
         folder: [helpers/foundation-deployer]
     steps:
-    - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
     - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version-file: ${{ matrix.folder }}/go.mod

diff --git a/0-bootstrap/README-GitHub.md b/0-bootstrap/README-GitHub.md
@@ -823,6 +823,8 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
    cd gcp-projects
    ```
 
+
+
 1. Seed the repository if it has not been initialized yet.
 
    ```bash
@@ -878,6 +880,20 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
    sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars
    ```
 
+1. (Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder `business_unit_1` and modify any values that vary across business unit like `business_code`, `business_unit`, or `subnet_ip_range`.
+
+For example, to create a new business unit similar to business_unit_1, run the following:
+
+   ```bash
+   #copy the business_unit_1 folder and it's contents to a new folder business_unit_2
+   cp -r  business_unit_1 business_unit_2
+
+   # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2
+   grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g'
+   grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g'
+   ```
+
+
 1. Commit changes.
 
    ```bash

diff --git a/0-bootstrap/README-GitLab.md b/0-bootstrap/README-GitLab.md
@@ -837,6 +837,20 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
    sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars
    ```
 
+1. (Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder `business_unit_1` and modify any values that vary across business unit like `business_code`, `business_unit`, or `subnet_ip_range`.
+
+For example, to create a new business unit similar to business_unit_1, run the following:
+
+   ```bash
+   #copy the business_unit_1 folder and it's contents to a new folder business_unit_2
+   cp -r  business_unit_1 business_unit_2
+
+   # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2
+   grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g'
+   grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g'
+   ```
+
+
 1. Commit changes.
 
    ```bash

diff --git a/0-bootstrap/README-Jenkins.md b/0-bootstrap/README-Jenkins.md
@@ -886,6 +886,20 @@ Here you will configure a VPN Network tunnel to enable connectivity between the
    sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars
    ```
 
+1. (Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder `business_unit_1` and modify any values that vary across business unit like `business_code`, `business_unit`, or `subnet_ip_range`.
+
+For example, to create a new business unit similar to business_unit_1, run the following:
+
+   ```bash
+   #copy the business_unit_1 folder and it's contents to a new folder business_unit_2
+   cp -r  business_unit_1 business_unit_2
+
+   # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2
+   grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g'
+   grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g'
+   ```
+
+
 1. Commit changes.
 
    ```bash

diff --git a/0-bootstrap/README-Terraform-Cloud.md b/0-bootstrap/README-Terraform-Cloud.md
@@ -862,6 +862,20 @@ An environment variable `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` will be set with th
    terraform -chdir="business_unit_2/shared/" init
    ```
 
+1. (Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder `business_unit_1` and modify any values that vary across business unit like `business_code`, `business_unit`, or `subnet_ip_range`.
+
+For example, to create a new business unit similar to business_unit_1, run the following:
+
+   ```bash
+   #copy the business_unit_1 folder and it's contents to a new folder business_unit_2
+   cp -r  business_unit_1 business_unit_2
+
+   # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2
+   grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g'
+   grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g'
+   ```
+
+
 1. Commit changes
 
    ```bash

diff --git a/0-bootstrap/github.tf.example b/0-bootstrap/github.tf.example
@@ -38,7 +38,7 @@ locals {
     }
   }
 
-  commom_secrets = {
+  common_secrets = {
     "PROJECT_ID" : module.gh_cicd.project_id,
     "WIF_PROVIDER_NAME" : module.gh_oidc.provider_name,
     "TF_BACKEND" : module.seed_bootstrap.gcs_bucket_tfstate,
@@ -47,7 +47,7 @@ locals {
 
   secrets_list = flatten([
     for k, v in local.gh_config : [
-      for secret, plaintext in local.commom_secrets : {
+      for secret, plaintext in local.common_secrets : {
         config          = k
         secret_name     = secret
         plaintext_value = plaintext

diff --git a/0-bootstrap/modules/jenkins-agent/main.tf b/0-bootstrap/modules/jenkins-agent/main.tf
@@ -29,7 +29,7 @@ resource "random_id" "suffix" {
 *******************************************/
 module "cicd_project" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   name                        = local.cicd_project_name
   random_project_id           = true

diff --git a/1-org/envs/shared/cai_monitoring.tf b/1-org/envs/shared/cai_monitoring.tf
@@ -28,11 +28,10 @@ module "kms" {
 module "cai_monitoring" {
   source = "../../modules/cai-monitoring"
 
-  org_id               = local.org_id
-  billing_account      = local.billing_account
-  project_id           = module.scc_notifications.project_id
-  location             = local.default_region
-  enable_cmek          = true
-  encryption_key       = module.kms.keys["key-cai-monitoring"]
-  impersonate_sa_email = local.org_step_terraform_service_account_email
+  org_id          = local.org_id
+  billing_account = local.billing_account
+  project_id      = module.scc_notifications.project_id
+  location        = local.default_region
+  enable_cmek     = true
+  encryption_key  = module.kms.keys["key-cai-monitoring"]
 }
diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf
@@ -34,7 +34,7 @@ locals {
 
 module "org_audit_logs" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id        = true
   random_project_id_length = 4
@@ -63,7 +63,7 @@ module "org_audit_logs" {
 
 module "org_billing_logs" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id        = true
   random_project_id_length = 4
@@ -96,7 +96,7 @@ module "org_billing_logs" {
 
 module "org_kms" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id        = true
   random_project_id_length = 4
@@ -130,7 +130,7 @@ module "org_kms" {
 
 module "org_secrets" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id        = true
   random_project_id_length = 4
@@ -163,7 +163,7 @@ module "org_secrets" {
 
 module "interconnect" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id        = true
   random_project_id_length = 4
@@ -196,7 +196,7 @@ module "interconnect" {
 
 module "scc_notifications" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id        = true
   random_project_id_length = 4
@@ -229,7 +229,7 @@ module "scc_notifications" {
 
 module "dns_hub" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id        = true
   random_project_id_length = 4
@@ -270,7 +270,7 @@ module "dns_hub" {
 
 module "base_network_hub" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
   count   = var.enable_hub_and_spoke ? 1 : 0
 
   random_project_id        = true
@@ -320,7 +320,7 @@ resource "google_project_iam_member" "network_sa_base" {
 
 module "restricted_network_hub" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
   count   = var.enable_hub_and_spoke ? 1 : 0
 
   random_project_id        = true

diff --git a/1-org/modules/cai-monitoring/README.md b/1-org/modules/cai-monitoring/README.md
@@ -13,7 +13,6 @@ module "secure_cai_notification" {
   region               = <REGION>
   encryption_key       = <CMEK KEY>
   labels               = <LABELS>
-  impersonate_sa_email = <SA TO IMPERSONATE>
   roles_to_monitor     = <ROLES TO MONITOR>
 }
 ```
@@ -26,7 +25,6 @@ module "secure_cai_notification" {
 | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
 | enable\_cmek | The KMS Key to Encrypt Artifact Registry repository, Cloud Storage Bucket and Pub/Sub. | `bool` | `false` | no |
 | encryption\_key | The KMS Key to Encrypt Artifact Registry repository, Cloud Storage Bucket and Pub/Sub. | `string` | `null` | no |
-| impersonate\_sa\_email | The Service Account email who will execute terraform code. | `string` | n/a | yes |
 | labels | Labels to be assigned to resources. | `map(any)` | `{}` | no |
 | location | Default location to create resources where applicable. | `string` | `"us-central1"` | no |
 | org\_id | GCP Organization ID | `string` | n/a | yes |

diff --git a/1-org/modules/cai-monitoring/main.tf b/1-org/modules/cai-monitoring/main.tf
@@ -142,7 +142,7 @@ resource "google_scc_source" "cai_monitoring" {
 // Cloud Function
 module "cloud_function" {
   source  = "GoogleCloudPlatform/cloud-functions/google"
-  version = "0.4.1"
+  version = "~> 0.5"
 
   function_name     = "caiMonitoring"
   description       = "Check on the Organization for members (users, groups and service accounts) that contains the IAM roles listed."

diff --git a/1-org/modules/cai-monitoring/providers.tf b/1-org/modules/cai-monitoring/providers.tf
diff --git a/1-org/modules/cai-monitoring/variables.tf b/1-org/modules/cai-monitoring/variables.tf
@@ -53,11 +53,6 @@ variable "labels" {
   default     = {}
 }
 
-variable "impersonate_sa_email" {
-  description = "The Service Account email who will execute terraform code."
-  type        = string
-}
-
 variable "roles_to_monitor" {
   description = "List of roles that will save a SCC Finding if granted to any member (service account, user or group) on an update in the IAM Policy."
   type        = list(string)

diff --git a/1-org/modules/network/main.tf b/1-org/modules/network/main.tf
@@ -20,7 +20,7 @@
 
 module "base_shared_vpc_host_project" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id           = true
   random_project_id_length    = 4
@@ -56,7 +56,7 @@ module "base_shared_vpc_host_project" {
 
 module "restricted_shared_vpc_host_project" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id           = true
   random_project_id_length    = 4

diff --git a/2-environments/modules/env_baseline/kms.tf b/2-environments/modules/env_baseline/kms.tf
@@ -21,7 +21,7 @@
 
 module "env_kms" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id           = true
   random_project_id_length    = 4

diff --git a/2-environments/modules/env_baseline/secrets.tf b/2-environments/modules/env_baseline/secrets.tf
@@ -21,7 +21,7 @@
 
 module "env_secrets" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 14.0"
+  version = "~> 15.0"
 
   random_project_id           = true
   random_project_id_length    = 4

diff --git a/3-networks-hub-and-spoke/modules/transitivity/main.tf b/3-networks-hub-and-spoke/modules/transitivity/main.tf
@@ -90,7 +90,7 @@ module "migs" {
 
 module "ilbs" {
   source   = "GoogleCloudPlatform/lb-internal/google"
-  version  = "~> 5.0"
+  version  = "~> 6.0"
   for_each = toset(var.regions)
 
   region                  = each.key

diff --git a/4-projects/README.md b/4-projects/README.md
@@ -134,6 +134,20 @@ Run `terraform output cloudbuild_project_id` in the `0-bootstrap` folder to get
    sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./common.auto.tfvars
    ```
 
+1. (Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder `business_unit_1` and modify any values that vary across business unit like `business_code`, `business_unit`, or `subnet_ip_range`.
+
+For example, to create a new business unit similar to business_unit_1, run the following:
+
+   ```bash
+   #copy the business_unit_1 folder and it's contents to a new folder business_unit_2
+   cp -r  business_unit_1 business_unit_2
+
+   # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2
+   grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g'
+   grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g'
+   ```
+
+
 1. Commit changes.
 
    ```bash
@@ -268,6 +282,20 @@ To use the `validate` option of the `tf-wrapper.sh` script, please follow the [i
    echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
    ```
 
+1. (Optional) If you want additional subfolders for separate business units or entities, make additional copies of the folder `business_unit_1` and modify any values that vary across business unit like `business_code`, `business_unit`, or `subnet_ip_range`.
+
+For example, to create a new business unit similar to business_unit_1, run the following:
+
+   ```bash
+   #copy the business_unit_1 folder and it's contents to a new folder business_unit_2
+   cp -r  business_unit_1 business_unit_2
+
+   # search all files under the folder `business_unit_2` and replace strings for business_unit_1 with strings for business_unit_2
+   grep -rl bu1 business_unit_2/ | xargs sed -i 's/bu1/bu2/g'
+   grep -rl business_unit_1 business_unit_2/ | xargs sed -i 's/business_unit_1/business_unit_2/g'
+   ```
+
+
 1. Run `init` and `plan` and review output for environment shared.
 
    ```bash