Merge branch 'ludo/net-vpc-fw-order' of github.com:GoogleCloudPlatfor…

…m/cloud-foundation-fabric into ludo/net-vpc-fw-order

fast/stages/1-resman/README.md

@@ -288,8 +288,8 @@ terraform apply
 
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
-| [cicd_repositories](outputs.tf#L76) | WIF configuration for CI/CD repositories. |  |  |
-| [folder_ids](outputs.tf#L88) | Folder ids. |  |  |
-| [providers](outputs.tf#L94) | Terraform provider files for this stage and dependent stages. | ✓ |  |
-| [tfvars](outputs.tf#L101) | Terraform variable files for the following stages. | ✓ |  |
+| [cicd_repositories](outputs.tf#L74) | WIF configuration for CI/CD repositories. |  |  |
+| [folder_ids](outputs.tf#L86) | Folder ids. |  |  |
+| [providers](outputs.tf#L92) | Terraform provider files for this stage and dependent stages. | ✓ |  |
+| [tfvars](outputs.tf#L99) | Terraform variable files for the following stages. | ✓ |  |
 <!-- END TFDOC -->

fast/stages/1-resman/moved/v36.0.1-v37.0.0.tf

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+moved {
+  from = module.net-folder-dev[0]
+  to   = module.net-folder-envs["dev"]
+}
+
+moved {
+  from = module.net-folder-prod[0]
+  to   = module.net-folder-envs["prod"]
+}
+
+moved {
+  from = module.sec-folder-dev[0]
+  to   = module.sec-folder-envs["dev"]
+}
+
+moved {
+  from = module.sec-folder-prod[0]
+  to   = module.sec-folder-envs["prod"]
+}

fast/stages/1-resman/outputs.tf

@@ -17,16 +17,14 @@
 locals {
   folder_ids = merge(
     # stage 2
-    !var.fast_stage_2.networking.enabled ? {} : {
-      networking      = module.net-folder[0].id
-      networking-dev  = try(module.net-folder-dev[0].id, null)
-      networking-prod = try(module.net-folder-prod[0].id, null)
-    },
-    !var.fast_stage_2.security.enabled ? {} : {
-      security      = module.sec-folder[0].id
-      security-dev  = try(module.sec-folder-dev[0].id, null)
-      security-prod = try(module.sec-folder-prod[0].id, null)
-    },
+    !var.fast_stage_2.networking.enabled ? {} : merge(
+      { networking = module.net-folder[0].id },
+      { for k, v in module.net-folder-envs : "networking-${k}" => v.id }
+    ),
+    !var.fast_stage_2.security.enabled ? {} : merge(
+      { security = module.sec-folder[0].id },
+      { for k, v in module.sec-folder-envs : "security-${k}" => v.id }
+    ),
     # stage 3
     { for k, v in module.stage3-folder : k => v.id },
     # top-level folders

fast/stages/1-resman/stage-2-networking.tf

@@ -15,7 +15,7 @@
  */
 
 locals {
-  # normalize IAM bindings for stage 3 service accounts
+  # filter and normalize stage 3 roles applied to this stage's top-level folder
   net_s3_iam = !var.fast_stage_2.networking.enabled ? {} : {
     for v in local.stage3_iam_in_stage2 : "${v.role}:${v.env}" => (
       v.sa == "rw"
@@ -143,27 +143,14 @@ module "net-folder" {
 
 # optional per-environment folders
 
-module "net-folder-prod" {
-  source = "../../../modules/folder"
-  count  = local.net_use_env_folders ? 1 : 0
-  parent = module.net-folder[0].id
-  name   = var.environments["prod"].name
-  tag_bindings = {
-    environment = try(
-      local.tag_values["${var.tag_names.environment}/${var.environments["prod"].tag_name}"].id,
-      null
-    )
-  }
-}
-
-module "net-folder-dev" {
-  source = "../../../modules/folder"
-  count  = local.net_use_env_folders ? 1 : 0
-  parent = module.net-folder[0].id
-  name   = var.environments["dev"].name
+module "net-folder-envs" {
+  source   = "../../../modules/folder"
+  for_each = local.net_use_env_folders ? var.environments : {}
+  parent   = module.net-folder[0].id
+  name     = each.value.name
   tag_bindings = {
     environment = try(
-      local.tag_values["${var.tag_names.environment}/${var.environments["dev"].tag_name}"].id,
+      local.tag_values["${var.tag_names.environment}/${each.value.tag_name}"].id,
       null
     )
   }

fast/stages/1-resman/stage-2-security.tf

@@ -15,10 +15,7 @@
  */
 
 locals {
-  sec_use_env_folders = (
-    var.fast_stage_2.security.enabled &&
-    var.fast_stage_2.security.folder_config.create_env_folders
-  )
+  # filter and normalize stage 3 roles applied to this stage's top-level folder
   sec_s3_iam = !var.fast_stage_2.security.enabled ? {} : {
     for v in local.stage3_iam_in_stage2 : "${v.role}:${v.env}" => (
       v.sa == "rw"
@@ -27,6 +24,10 @@ locals {
     )...
     if v.s2 == "security"
   }
+  sec_use_env_folders = (
+    var.fast_stage_2.security.enabled &&
+    var.fast_stage_2.security.folder_config.create_env_folders
+  )
 }
 
 # top-level folder
@@ -116,47 +117,14 @@ module "sec-folder" {
 
 # optional per-environment folders
 
-module "sec-folder-prod" {
-  source = "../../../modules/folder"
-  count  = local.sec_use_env_folders ? 1 : 0
-  parent = module.sec-folder[0].id
-  name   = var.environments["prod"].name
-  iam = {
-    # stage 3s service accounts
-    for role, attrs in local.sec_s3_iam.prod : role => [
-      for v in attrs : (
-        v.sa == "ro"
-        ? module.stage3-sa-ro[v.s3].iam_email
-        : module.stage3-sa-rw[v.s3].iam_email
-      )
-    ]
-  }
-  tag_bindings = {
-    environment = try(
-      local.tag_values["${var.tag_names.environment}/${var.environments["prod"].tag_name}"].id,
-      null
-    )
-  }
-}
-
-module "sec-folder-dev" {
-  source = "../../../modules/folder"
-  count  = local.sec_use_env_folders ? 1 : 0
-  parent = module.sec-folder[0].id
-  name   = var.environments["dev"].name
-  iam = {
-    # stage 3s service accounts
-    for role, attrs in local.sec_s3_iam.dev : role => [
-      for v in attrs : (
-        v.sa == "ro"
-        ? module.stage3-sa-ro[v.s3].iam_email
-        : module.stage3-sa-rw[v.s3].iam_email
-      )
-    ]
-  }
+module "sec-folder-envs" {
+  source   = "../../../modules/folder"
+  for_each = local.sec_use_env_folders ? var.environments : {}
+  parent   = module.sec-folder[0].id
+  name     = each.value.name
   tag_bindings = {
     environment = try(
-      local.tag_values["${var.tag_names.environment}/${var.environments["dev"].tag_name}"].id,
+      local.tag_values["${var.tag_names.environment}/${each.value.tag_name}"].id,
       null
     )
   }

fast/stages/2-security/certs.tf

@@ -0,0 +1,90 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Per-environment certificate resources.
+
+locals {
+  cas = flatten([
+    for k, v in var.certificate_authorities : [
+      for e in coalesce(v.environments, keys(var.environments)) : merge(v, {
+        environment = e
+        key         = "${e}-${k}"
+        name        = k
+        netsec_iam  = contains(var.trust_configs.keys.dev.cas, k)
+      })
+    ]
+  ])
+  trust_configs = flatten([
+    for k, v in var.trust_configs : [
+      for e in coalesce(v.environments, keys(var.environments)) : merge(v, {
+        environment = e
+        key         = "${e}-${k}"
+        name        = k
+      })
+    ]
+  ])
+}
+
+module "cas" {
+  source         = "../../../modules/certificate-authority-service"
+  for_each       = { for k in local.cas : k.key => k }
+  project_id     = module.project[each.value.environment].project_id
+  ca_configs     = each.value.ca_configs
+  ca_pool_config = each.value.ca_pool_config
+  iam            = each.value.iam
+  iam_bindings   = each.value.iam_bindings
+  iam_bindings_additive = merge(
+    each.value.iam_bindings_additive,
+    !each.value.netsec_iam ? {} : {
+      nsec_agent = {
+        member = module.project[each.value.environment].service_agents["networksecurity"].iam_email
+        role   = "roles/privateca.certificateManager"
+      }
+  })
+  iam_by_principals = each.value.iam_by_principals
+  location          = each.value.location
+}
+
+resource "google_certificate_manager_trust_config" "default" {
+  for_each    = { for k in local.trust_configs : k.key => k }
+  name        = each.value.name
+  project     = module.project[each.value.environment].project_id
+  description = each.value.description
+  location    = each.value.location
+  dynamic "allowlisted_certificates" {
+    for_each = each.value.allowlisted_certificates
+    content {
+      pem_certificate = file(allowlisted_certificates.value)
+    }
+  }
+  dynamic "trust_stores" {
+    for_each = each.value.trust_stores
+    content {
+      dynamic "intermediate_cas" {
+        for_each = trust_stores.value.intermediate_cas
+        content {
+          pem_certificate = file(intermediate_cas.value)
+        }
+      }
+      dynamic "trust_anchors" {
+        for_each = trust_stores.value.trust_anchors
+        content {
+          pem_certificate = file(trust_anchors.value)
+        }
+      }
+    }
+  }
+}