Merge branch 'master' into RS-469-Allow-Fabric-Organization-Module-to…

…-Intercept-Child-Logging

.github/actions/fabric-tests/action.yml

@@ -72,7 +72,7 @@ runs:
       shell: bash
       run: |
         for f in $(find . -name versions.tf); do
-          sed -i -e 's/>=\(.*# tftest\)/=\1/g' -e 's/required_version = .*$/required_version = ">= ${{ inputs.TERRAFORM_VERSION }}"/g' $f;
+          sed -i 's/>=\(.*# tftest\)/=\1/g' $f;
         done
     - name: Install Python Dependencies
       shell: bash

.github/workflows/linting.yml

@@ -105,6 +105,18 @@ jobs:
       - name: Check modules versions
         id: versions
         run: |
-          OUTPUT=$(find . -type f -name 'versions.tf' -exec diff -ub default-versions.tf {} \;)
-          echo "${OUTPUT}"
-          [[ -z "${OUTPUT}" ]]
+          OUTPUT_TF=$(find . -type f -name 'versions.tf' -exec diff -ub default-versions.tf {} \;)
+          if [[ -n "${OUTPUT_TF}" ]] ; then
+            echo "Terraform versions.tf:"
+            echo "${OUTPUT_TF}"
+          fi
+          OUTPUT_TOFU=$(find . -type f -name 'versions.tofu' -exec diff -ub default-versions.tofu {} \;)
+          if [[ -n "${OUTPUT_TOFU}" ]] ; then
+            echo "Terraform versions.tofu:"
+            echo "${OUTPUT_TOFU}"
+          fi
+          grep -v required_version default-versions.tf > /tmp/versions.tf
+          grep -v required_version default-versions.tofu > /tmp/versions.tofu
+          diff -rub /tmp/versions.tf /tmp/versions.tofu
+          DIFF_EC=$?
+          [[ "${DIFF_EC}" -eq "0" ||  -z "${OUTPUT_TF}" || -z "${OUTPUT_TOFU}" ]]

.github/workflows/tests.yml

@@ -38,7 +38,7 @@ env:
   TFTEST_COPY: 1
   DEFAULT_TERRAFORM_FLAVOUR: terraform
   DEFAULT_TERRAFORM_VERSION: ${{ inputs.terraform_version || '1.10.2' }}
-  DEFAULT_TOFU_VERSION: "1.7.2"
+  DEFAULT_TOFU_VERSION: "1.8.0"
 
 jobs:
   compute-matrix:

.pre-commit-config.yaml

@@ -56,6 +56,12 @@ repos:
     files: (versions.tf|^default-versions.tf)$
     pass_filenames: false
     entry: /usr/bin/find . -type f -name 'versions.tf' -exec cp default-versions.tf {} \;
+  - id: versions_tofu
+    name: Align OpenTofu provider versions
+    language: script
+    files: (versions.tofu|^default-versions.tofu)$
+    pass_filenames: false
+    entry: /usr/bin/find . -type f -name 'versions.tofu' -exec cp default-versions.tofu {} \;
   - id: validate_metadata
     name: Validate blueprints metadata
     language: system

CHANGELOG.md

@@ -4,9 +4,12 @@ All notable changes to this project will be documented in this file.
 <!-- markdownlint-disable MD024 -->
 
 ## [Unreleased] <!-- from: 2024-11-23 11:24:55+00:00 to: None since: v36.0.1 -->
+- [[#2777](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2777)] Document `tag_bindings` definition as `map(string)` ([juliocc](https://github.com/juliocc)) <!-- 2024-12-19 13:47:32+00:00 -->
 
 ### BLUEPRINTS
 
+- [[#2721](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2721)] New BindPlane OP Management console on GKE SecOps blueprint ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-12-17 21:16:40+00:00 -->
+- [[#2771](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2771)] Use separate versions.tofu for OpenTofu constraints ([wiktorn](https://github.com/wiktorn)) <!-- 2024-12-17 11:29:04+00:00 -->
 - [[#2768](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2768)] Support customizable resource names in FAST stage 0 ([ludoo](https://github.com/ludoo)) <!-- 2024-12-16 16:46:34+00:00 -->
 - [[#2761](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2761)] Refactor GKE cluster modules access configurations, add support for DNS endpoint ([ludoo](https://github.com/ludoo)) <!-- 2024-12-12 10:02:24+00:00 -->
 - [[#2736](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2736)] Add confidential compute support to google_dataproc_cluster module, bump provider versions ([steenblik](https://github.com/steenblik)) <!-- 2024-12-10 15:39:48+00:00 -->
@@ -17,6 +20,7 @@ All notable changes to this project will be documented in this file.
 
 ### FAST
 
+- [[#2774](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2774)] [FAST] Remove unused stage 1 CICD variables ([LucaPrete](https://github.com/LucaPrete)) <!-- 2024-12-17 16:26:02+00:00 -->
 - [[#2769](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2769)] Support customizable resource names to fast stage 1 ([ludoo](https://github.com/ludoo)) <!-- 2024-12-16 18:07:28+00:00 -->
 - [[#2768](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2768)] Support customizable resource names in FAST stage 0 ([ludoo](https://github.com/ludoo)) <!-- 2024-12-16 16:46:34+00:00 -->
 - [[#2767](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2767)] Fix workspace logs sink in FAST bootstrap stage ([ludoo](https://github.com/ludoo)) <!-- 2024-12-13 13:22:42+00:00 -->
@@ -27,6 +31,13 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#2784](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2784)] Fix validation message in cas module ([ludoo](https://github.com/ludoo)) <!-- 2024-12-25 07:25:07+00:00 -->
+- [[#2783](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2783)] Update net-lb-app-ext security_settings variables ([wenzizone](https://github.com/wenzizone)) <!-- 2024-12-25 06:52:31+00:00 -->
+- [[#2781](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2781)] Fix bindplane cos module ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-12-23 09:37:09+00:00 -->
+- [[#2780](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2780)] Fix handling of SSL certificates in external load balancer modules ([rodriguezsergio](https://github.com/rodriguezsergio)) <!-- 2024-12-21 10:26:29+00:00 -->
+- [[#2776](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2776)] Add support for log views and log scopes ([juliocc](https://github.com/juliocc)) <!-- 2024-12-18 17:29:45+00:00 -->
+- [[#2772](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2772)] Fix for perma-diff when using PSC NEGs. ([wiktorn](https://github.com/wiktorn)) <!-- 2024-12-17 13:28:48+00:00 -->
+- [[#2771](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2771)] Use separate versions.tofu for OpenTofu constraints ([wiktorn](https://github.com/wiktorn)) <!-- 2024-12-17 11:29:04+00:00 -->
 - [[#2768](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2768)] Support customizable resource names in FAST stage 0 ([ludoo](https://github.com/ludoo)) <!-- 2024-12-16 16:46:34+00:00 -->
 - [[#2761](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2761)] **incompatible change:** Refactor GKE cluster modules access configurations, add support for DNS endpoint ([ludoo](https://github.com/ludoo)) <!-- 2024-12-12 10:02:24+00:00 -->
 - [[#2764](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2764)] Ignore ssl certificates if none are passed in net-lb-app-int module ([ludoo](https://github.com/ludoo)) <!-- 2024-12-12 09:37:37+00:00 -->
@@ -47,6 +58,9 @@ All notable changes to this project will be documented in this file.
 
 ### TOOLS
 
+- [[#2778](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2778)] Fix failing tests for OpenTofu ([wiktorn](https://github.com/wiktorn)) <!-- 2024-12-20 09:19:01+00:00 -->
+- [[#2721](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2721)] New BindPlane OP Management console on GKE SecOps blueprint ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-12-17 21:16:40+00:00 -->
+- [[#2771](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2771)] Use separate versions.tofu for OpenTofu constraints ([wiktorn](https://github.com/wiktorn)) <!-- 2024-12-17 11:29:04+00:00 -->
 - [[#2769](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2769)] Support customizable resource names to fast stage 1 ([ludoo](https://github.com/ludoo)) <!-- 2024-12-16 18:07:28+00:00 -->
 - [[#2768](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2768)] Support customizable resource names in FAST stage 0 ([ludoo](https://github.com/ludoo)) <!-- 2024-12-16 16:46:34+00:00 -->
 - [[#2765](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2765)] Update issue templates ([juliocc](https://github.com/juliocc)) <!-- 2024-12-12 12:40:47+00:00 -->

adrs/20241029-versioning.md

@@ -1,6 +1,6 @@
 # Versioning Scheme Tied to FAST Releases
 
-**authors:** [Ludo](https://github.com/ludoo),  [Julio](https://github.com/jccb), [Simone](https://github.com/sruffilli) \
+**authors:** [Ludo](https://github.com/ludoo),  [Julio](https://github.com/juliocc), [Simone](https://github.com/sruffilli) \
 **date:** Oct 29, 2024
 **last update**: Oct 30, 2024
 

adrs/20241219-tag-bindings.md

@@ -0,0 +1,35 @@
+# Using `map(string)` for `tag_bindings` variables
+
+**authors:** [Julio](https://github.com/juliocc)
+**date:** Dec 19, 2024
+
+## Status
+
+Accepted and implemented.
+
+## Context
+
+We need to define a variable to manage tag bindings in our Terraform modules. This variable will be used across various modules and within the FAST framework to attach tags to resources via the `google_tags_tag_binding` resource.  This variable needs to support both statically defined tags and tags that are dynamically generated during the apply phase of Terraform.
+
+## Decision:
+
+We will use the `map(string)` type for the `tag_bindings` variable across all modules where it's needed. 
+
+## Consequences
+
+Minimal. This is already an established practice across the repository.
+
+Note that the keys of the map are ignored by our code and only used to bypass Terraform limitations with dynamic values in a `for_each` argument.  See [Using Expressions in for_each](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#using-expressions-in-for_each) in Terraform's documentation for more details.
+
+## Reasoning
+
+The primary reason for choosing `map(string)` is to enable the use of dynamic tags without encountering Terraform errors related to dynamic values.  By using a map, we avoid the limitations imposed by lists or sets and ensure that our modules and FAST can handle both static and dynamic tag values.
+
+## Alternatives Considered:
+
+- `list(string)`: Lists would enforce a fixed number of tags defined at plan time, limiting flexibility and hindering the management of dynamic tags.
+- `set(string)`: Similar to lists, sets would require all tag values to be known at plan time, which is not suitable for scenarios with dynamic tag generation.
+
+## Implementation:
+
+At the time of writing this ADR, all modules and FAST stages already use `map(string)`. The purpose of this ADR is to document an existing practice.

adrs/fast/1-network-ranges.md

@@ -1,6 +1,6 @@
 # IP ranges for network stages
 
-**authors:** [Ludo](https://github.com/ludoo), [Roberto](https://github.com/drebes), [Julio](https://github.com/jccb) \
+**authors:** [Ludo](https://github.com/ludoo), [Roberto](https://github.com/drebes), [Julio](https://github.com/juliocc) \
 **date:** Sept 20, 2023
 
 ## Status

adrs/fast/addon-stages.md

@@ -0,0 +1,76 @@
+# Add-on stages
+
+**authors:** [Ludo](https://github.com/ludoo), [Julio](https://github.com/juliocc)  
+**date:** Jan 5, 2025
+
+## Status
+
+Under implementation
+
+## Context
+
+Some optional features are too complex to directly embed in stages, as they would complicate the variable scope, need to be replicated across parallel stages, and introduce a lot of nested code for the benefit of a small subset of users.
+
+This need has surfaced with the network security stage, which has taken the approach of spreading its resources across different stages (security, networking, and its own netsec) and resulted in very layered, complicated code which is not easy to deploy or maintain.
+
+This is how the current netsec stage looks like from a resource perspective:
+
+![image](https://github.com/user-attachments/assets/c9778cd8-8dd4-4f7c-b74b-c5d8ad7e7d30)
+
+Furthermore, the stage also tries to do "too much", by behaving as a full stage and adopting a design that statically maps its resources onto all FAST environments and networks. This results in code that is really hard to adapt for real life use cases and impossible to keep forward compatible, as changes are extensive and spread out across three stages.
+
+## Proposal
+
+The proposal is to adopt a completely different approach, where large optional featuresets that we don't want to embed in our default stages should become "addon stages" that:
+
+- reuse the IaC service account and bucket of the stage they interact with (e.g. networking for network security) to eliminate the need for custom IAM
+- encapsulate all their resources in a single root module (the add-on stage)
+- don't implement a static design but deal with the smallest possible unit of work, so that they can be cloned to implement different designs via tfvars
+- provide optional FAST output variables for the main stages
+
+This is what the network security stage looks like, once refactored according this proposal:
+
+![image](https://github.com/user-attachments/assets/748b8b53-8df7-444e-9c71-f74e462a96f1)
+
+With this approach
+
+- there are no dependencies in resman except for a providers file that adds a prefix to the state backend and reuses networking service accounts and bucket
+- the stage design does not deal with environments, but simply implements one complete set of NGFW resources in a given project (typically the net landing or shared environment project) and allows free configuration of zones and VPC attachments
+- any relevant resource already defined in the "main" stages can be referred to via interpolation, by using the stages outputs as contexts
+
+The code then becomes really simple to use, read and evolve since it's essentially decoupled from the main stages except for a handful of FAST interface variables.
+
+Add-on stages should live in a separate folder from stages, and once we finally manage to reafctor networking into a simple stage, we go back to having a clear progression for main stages that should make it easier for users to get to grips with FAST's complexity. We might also want to scrap the plugins folder, and replace with a short document explaining the pattern.
+
+```bash
+fast
+├── addons
+    ├── 1-tenant-factory
+    └── 2-network-security
+├── assets
+│   └── templates
+├── extras
+│   ├── 0-cicd-github
+│   └── 0-cicd-gitlab
+├── plugins
+│   └── 2-networking-serverless-connector
+└── stages
+    ├── 0-bootstrap
+    ├── 1-resman
+    ├── 1-vpcsc
+    ├── 2-networking-a-simple
+    ├── 2-networking-b-nva
+    ├── 2-networking-c-separate-envs
+    ├── 2-project-factory
+    ├── 2-security
+    ├── 3-gcve-dev
+    └── 3-gke-dev
+```
+
+## Decision
+
+TBD
+
+## Consequences
+
+This approach also maps well to the current tenant factory stage, which essentially acts as a parallel resman stage reusing the same set of IaC resources.

adrs/modules/20231106-factories.md

@@ -5,7 +5,7 @@
 
 ## Status
 
-Under discussion.
+Accepted and implemented.
 
 ## Context
 

blueprints/data-solutions/bq-ml/README.md

@@ -97,5 +97,5 @@ module "test" {
   prefix     = "prefix"
 }
 
-# tftest modules=9 resources=68
+# tftest modules=9 resources=69
 ```

blueprints/data-solutions/data-playground/README.md

@@ -84,5 +84,5 @@ module "test" {
     parent             = "folders/467898377"
   }
 }
-# tftest modules=8 resources=67
+# tftest modules=8 resources=68
 ```

blueprints/data-solutions/vertex-mlops/README.md

@@ -72,7 +72,7 @@ module "test" {
     project_id         = "test-dev"
   }
 }
-# tftest modules=11 resources=89
+# tftest modules=11 resources=90
 ```
 <!-- BEGIN TFDOC -->
 ## Variables
@@ -128,5 +128,5 @@ module "test" {
     project_id         = "test-dev"
   }
 }
-# tftest modules=13 resources=94 e2e
+# tftest modules=13 resources=95 e2e
 ```

blueprints/data-solutions/vertex-mlops/vertex.tf

@@ -124,4 +124,7 @@ resource "google_workbench_instance" "playground" {
   depends_on = [
     google_project_iam_member.shared_vpc,
   ]
+  lifecycle {
+    ignore_changes = [gce_setup[0].metadata["resource-url"]]
+  }
 }

blueprints/gke/patterns/autopilot-cluster/cluster.tf

@@ -22,7 +22,7 @@ locals {
   )
   cluster_sa = (
     local._cluster_sa == "default"
-    ? module.project.service_accounts.default.compute
+    ? module.project.default_service_accounts.compute
     : local._cluster_sa
   )
   cluster_sa_roles = [

blueprints/gke/patterns/autopilot-cluster/versions.tofu

@@ -0,0 +1,29 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Fabric release: v36.0.1
+
+terraform {
+  required_version = ">= 1.8.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 6.13.0, < 7.0.0" # tftest
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 6.13.0, < 7.0.0" # tftest
+    }
+  }
+}

blueprints/gke/patterns/batch/versions.tofu

@@ -0,0 +1,29 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Fabric release: v36.0.1
+
+terraform {
+  required_version = ">= 1.8.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 6.13.0, < 7.0.0" # tftest
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 6.13.0, < 7.0.0" # tftest
+    }
+  }
+}

blueprints/gke/patterns/kafka/versions.tofu

@@ -0,0 +1,29 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Fabric release: v36.0.1
+
+terraform {
+  required_version = ">= 1.8.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 6.13.0, < 7.0.0" # tftest
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 6.13.0, < 7.0.0" # tftest
+    }
+  }
+}