From 8f16176c2182e178cac2f66fbde6566eef8dcb77 Mon Sep 17 00:00:00 2001
From: Joshua Wright
Date: Tue, 10 Dec 2024 17:25:04 +0000
Subject: [PATCH] Update Documentation
---
 fast/stages/0-bootstrap/README.md | 57 ++++++++++---------
 fast/stages/1-resman/README.md | 23 ++++----
 fast/stages/2-network-security/README.md | 19 ++++---
 fast/stages/2-networking-a-simple/README.md | 23 ++++----
 fast/stages/2-networking-b-nva/README.md | 27 ++++-----
 .../2-networking-c-separate-envs/README.md | 23 ++++----
 fast/stages/2-project-factory/README.md | 17 +++---
 fast/stages/2-security/README.md | 20 ++++---
 modules/project-factory/README.md | 2 +-
 modules/project/README.md | 56 +++++++++---------
 modules/project/variables.tf | 12 ++--
 11 files changed, 146 insertions(+), 133 deletions(-)
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 14f61f818b..8300ab764c 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -661,40 +661,41 @@ The remaining configuration is manual, as it regards the repositories themselves
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
 | [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | |
-| [organization](variables.tf#L275) | Organization details. | object({…}) | ✓ | | |
-| [prefix](variables.tf#L290) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
+| [default_alerts_email](variables.tf#L94) | Default email address for alerting. | string | ✓ | | |
+| [organization](variables.tf#L283) | Organization details. | object({…}) | ✓ | | |
+| [prefix](variables.tf#L298) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
 | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string | | null | |
 | [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
 | [custom_roles](variables.tf#L87) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | |
-| [environments](variables.tf#L94) | Environment names. | map(object({…})) | | {…} | |
-| [essential_contacts](variables.tf#L127) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L133) | Configuration for the resource factories or external data. | object({…}) | | {} | |
-| [groups](variables.tf#L144) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | |
-| [iam](variables.tf#L160) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | |
-| [iam_bindings_additive](variables.tf#L167) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | |
-| [iam_by_principals](variables.tf#L182) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
-| [locations](variables.tf#L189) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | |
-| [log_sinks](variables.tf#L203) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
-| [org_policies_config](variables.tf#L256) | Organization policies customization. | object({…}) | | {} | |
-| [outputs_location](variables.tf#L284) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [project_parent_ids](variables.tf#L299) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | |
-| [workforce_identity_providers](variables.tf#L310) | Workforce Identity Federation pools. | map(object({…})) | | {} | |
-| [workload_identity_providers](variables.tf#L326) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | |
+| [environments](variables.tf#L100) | Environment names. | map(object({…})) | | {…} | |
+| [essential_contacts](variables.tf#L133) | Email used for essential contacts, unset if null. | string | | null | |
+| [factories_config](variables.tf#L139) | Configuration for the resource factories or external data. | object({…}) | | {} | |
+| [groups](variables.tf#L152) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | |
+| [iam](variables.tf#L168) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | |
+| [iam_bindings_additive](variables.tf#L175) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | |
+| [iam_by_principals](variables.tf#L190) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
+| [locations](variables.tf#L197) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | |
+| [log_sinks](variables.tf#L211) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
+| [org_policies_config](variables.tf#L264) | Organization policies customization. | object({…}) | | {} | |
+| [outputs_location](variables.tf#L292) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
+| [project_parent_ids](variables.tf#L307) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | |
+| [workforce_identity_providers](variables.tf#L318) | Workforce Identity Federation pools. | map(object({…})) | | {} | |
+| [workload_identity_providers](variables.tf#L334) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | |
 ## Outputs
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
-| [automation](outputs.tf#L153) | Automation resources. | | |
-| [billing_dataset](outputs.tf#L158) | BigQuery dataset prepared for billing export. | | |
-| [cicd_repositories](outputs.tf#L163) | CI/CD repository configurations. | | |
-| [custom_roles](outputs.tf#L175) | Organization-level custom roles. | | |
-| [outputs_bucket](outputs.tf#L180) | GCS bucket where generated output files are stored. | | |
-| [project_ids](outputs.tf#L185) | Projects created by this stage. | | |
-| [providers](outputs.tf#L195) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 |
-| [service_accounts](outputs.tf#L202) | Automation service accounts created by this stage. | | |
-| [tfvars](outputs.tf#L211) | Terraform variable files for the following stages. | ✓ | |
-| [tfvars_globals](outputs.tf#L217) | Terraform Globals variable files for the following stages. | ✓ | |
-| [workforce_identity_pool](outputs.tf#L223) | Workforce Identity Federation pool. | | |
-| [workload_identity_pool](outputs.tf#L232) | Workload Identity Federation pool and providers. | | |
+| [automation](outputs.tf#L154) | Automation resources. | | |
+| [billing_dataset](outputs.tf#L159) | BigQuery dataset prepared for billing export. | | |
+| [cicd_repositories](outputs.tf#L164) | CI/CD repository configurations. | | |
+| [custom_roles](outputs.tf#L176) | Organization-level custom roles. | | |
+| [outputs_bucket](outputs.tf#L181) | GCS bucket where generated output files are stored. | | |
+| [project_ids](outputs.tf#L186) | Projects created by this stage. | | |
+| [providers](outputs.tf#L196) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 |
+| [service_accounts](outputs.tf#L203) | Automation service accounts created by this stage. | | |
+| [tfvars](outputs.tf#L212) | Terraform variable files for the following stages. | ✓ | |
+| [tfvars_globals](outputs.tf#L218) | Terraform Globals variable files for the following stages. | ✓ | |
+| [workforce_identity_pool](outputs.tf#L224) | Workforce Identity Federation pool. | | |
+| [workload_identity_pool](outputs.tf#L233) | Workload Identity Federation pool and providers. | | |
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index f70125fa59..97f2517ce2 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -267,20 +267,21 @@ terraform apply
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap |
-| [environments](variables-fast.tf#L71) | Environment names. | map(object({…})) | ✓ | | 0-globals |
-| [logging](variables-fast.tf#L116) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
-| [organization](variables-fast.tf#L129) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L147) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [default_alerts_email](variables-fast.tf#L71) | Default email address for alerting. | string | ✓ | | |
+| [environments](variables-fast.tf#L77) | Environment names. | map(object({…})) | ✓ | | 0-globals |
+| [logging](variables-fast.tf#L122) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
+| [organization](variables-fast.tf#L135) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables-fast.tf#L153) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
 | [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
-| [factories_config](variables.tf#L20) | Configuration for the resource factories or external data. | object({…}) | | {} | |
+| [factories_config](variables.tf#L20) | Configuration for the resource factories or external data. | object({…}) | | {} | |
 | [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | object({…}) | | {} | |
 | [fast_stage_3](variables-stages.tf#L97) | FAST stages 3 configurations. | map(object({…})) | | {} | |
-| [groups](variables-fast.tf#L88) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
-| [locations](variables-fast.tf#L103) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
-| [outputs_location](variables.tf#L31) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [root_node](variables-fast.tf#L153) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
-| [tag_names](variables.tf#L37) | Customized names for resource management tags. | object({…}) | | {} | |
-| [tags](variables.tf#L51) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | |
+| [groups](variables-fast.tf#L94) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
+| [locations](variables-fast.tf#L109) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
+| [outputs_location](variables.tf#L34) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
+| [root_node](variables-fast.tf#L159) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
+| [tag_names](variables.tf#L40) | Customized names for resource management tags. | object({…}) | | {} | |
+| [tags](variables.tf#L54) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | |
 | [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | |
 ## Outputs
diff --git a/fast/stages/2-network-security/README.md b/fast/stages/2-network-security/README.md
index ebad676156..1e205ec814 100644
--- a/fast/stages/2-network-security/README.md
+++ b/fast/stages/2-network-security/README.md
@@ -180,15 +180,16 @@ Make sure the CAs and the trusted configs created for NGFW Enterprise in the [2-
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables-fast.tf#L40) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
-| [organization](variables-fast.tf#L82) | Organization details. | object({…}) | ✓ | | 00-globals |
-| [prefix](variables-fast.tf#L92) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
-| [vpc_self_links](variables-fast.tf#L102) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
-| [factories_config](variables.tf#L17) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [host_project_ids](variables-fast.tf#L51) | Host project for the shared VPC. | object({…}) | | {} | 2-networking |
-| [ngfw_enterprise_config](variables.tf#L35) | NGFW Enterprise configuration. | object({…}) | | {…} | |
-| [ngfw_tls_configs](variables-fast.tf#L62) | The NGFW Enterprise TLS configurations. | object({…}) | | {…} | 2-security |
-| [outputs_location](variables.tf#L51) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [default_alerts_email](variables-fast.tf#L40) | Default email address for alerting. | string | ✓ | | |
+| [folder_ids](variables-fast.tf#L46) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman |
+| [organization](variables-fast.tf#L88) | Organization details. | object({…}) | ✓ | | 00-globals |
+| [prefix](variables-fast.tf#L98) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [vpc_self_links](variables-fast.tf#L108) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
+| [factories_config](variables.tf#L17) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [host_project_ids](variables-fast.tf#L57) | Host project for the shared VPC. | object({…}) | | {} | 2-networking |
+| [ngfw_enterprise_config](variables.tf#L38) | NGFW Enterprise configuration. | object({…}) | | {…} | |
+| [ngfw_tls_configs](variables-fast.tf#L68) | The NGFW Enterprise TLS configurations. | object({…}) | | {…} | 2-security |
+| [outputs_location](variables.tf#L54) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 ## Outputs
diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md
index 574689ef2d..be27767b36 100644
--- a/fast/stages/2-networking-a-simple/README.md
+++ b/fast/stages/2-networking-a-simple/README.md
@@ -501,23 +501,24 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [environments](variables-fast.tf#L49) | Environment names. | map(object({…})) | ✓ | | 0-globals |
-| [folder_ids](variables-fast.tf#L66) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman |
-| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [default_alerts_email](variables-fast.tf#L49) | Default email address for alerting. | string | ✓ | | |
+| [environments](variables-fast.tf#L55) | Environment names. | map(object({…})) | ✓ | | 0-globals |
+| [folder_ids](variables-fast.tf#L72) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman |
+| [prefix](variables-fast.tf#L82) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | |
 | [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
 | [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | |
 | [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | |
-| [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | |
-| [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | |
-| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [outputs_location](variables.tf#L95) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L101) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | |
+| [regions](variables.tf#L121) | Region definitions. | object({…}) | | {…} | |
+| [spoke_configs](variables.tf#L133) | Spoke connectivity configurations. | object({…}) | | {…} | |
+| [stage_config](variables-fast.tf#L92) | FAST stage configuration. | object({…}) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L106) | Root-level tag values. | map(string) | | {} | 1-resman |
+| [vpn_onprem_primary_config](variables.tf#L202) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
 ## Outputs
diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md
index c8f9b78bb1..c64fa6d669 100644
--- a/fast/stages/2-networking-b-nva/README.md
+++ b/fast/stages/2-networking-b-nva/README.md
@@ -562,25 +562,26 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [environments](variables-fast.tf#L49) | Environment names. | map(object({…})) | ✓ | | 0-globals |
-| [folder_ids](variables-fast.tf#L66) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman |
-| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [default_alerts_email](variables-fast.tf#L49) | Default email address for alerting. | string | ✓ | | |
+| [environments](variables-fast.tf#L55) | Environment names. | map(object({…})) | ✓ | | 0-globals |
+| [folder_ids](variables-fast.tf#L72) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman |
+| [prefix](variables-fast.tf#L82) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | |
 | [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | |
 | [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | |
 | [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [gcp_ranges](variables.tf#L92) | GCP address ranges in name => range format. | map(string) | | {…} | |
-| [network_mode](variables.tf#L109) | Selection of the network design to deploy. | string | | "simple" | |
-| [outputs_location](variables.tf#L120) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L126) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
-| [regions](variables.tf#L146) | Region definitions. | object({…}) | | {…} | |
-| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
-| [vpn_onprem_primary_config](variables.tf#L158) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
-| [vpn_onprem_secondary_config](variables.tf#L201) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
+| [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [gcp_ranges](variables.tf#L95) | GCP address ranges in name => range format. | map(string) | | {…} | |
+| [network_mode](variables.tf#L112) | Selection of the network design to deploy. | string | | "simple" | |
+| [outputs_location](variables.tf#L123) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | |
+| [regions](variables.tf#L149) | Region definitions. | object({…}) | | {…} | |
+| [stage_config](variables-fast.tf#L92) | FAST stage configuration. | object({…}) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L106) | Root-level tag values. | map(string) | | {} | 1-resman |
+| [vpn_onprem_primary_config](variables.tf#L161) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | |
+| [vpn_onprem_secondary_config](variables.tf#L204) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | |
 ## Outputs
diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md
index 71d8487c66..757977d87a 100644
--- a/fast/stages/2-networking-c-separate-envs/README.md
+++ b/fast/stages/2-networking-c-separate-envs/README.md
@@ -360,22 +360,23 @@ Regions are defined via the `regions` variable which sets up a mapping between t
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [environments](variables-fast.tf#L49) | Environment names. | map(object({…})) | ✓ | | 0-globals |
-| [folder_ids](variables-fast.tf#L66) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman |
-| [prefix](variables-fast.tf#L76) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [default_alerts_email](variables-fast.tf#L49) | Default email address for alerting. | string | ✓ | | |
+| [environments](variables-fast.tf#L55) | Environment names. | map(object({…})) | ✓ | | 0-globals |
+| [folder_ids](variables-fast.tf#L72) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman |
+| [prefix](variables-fast.tf#L82) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | |
 | [enable_cloud_nat](variables.tf#L53) | Deploy Cloud NAT. | bool | | false | |
 | [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L66) | Configuration for network resource factories. | object({…}) | | {…} | |
-| [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | |
-| [regions](variables.tf#L113) | Region definitions. | object({…}) | | {…} | |
-| [stage_config](variables-fast.tf#L86) | FAST stage configuration. | object({…}) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L100) | Root-level tag values. | map(string) | | {} | 1-resman |
-| [vpn_onprem_dev_primary_config](variables.tf#L123) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
-| [vpn_onprem_prod_primary_config](variables.tf#L166) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
+| [factories_config](variables.tf#L66) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [outputs_location](variables.tf#L90) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [psa_ranges](variables.tf#L96) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | |
+| [regions](variables.tf#L116) | Region definitions. | object({…}) | | {…} | |
+| [stage_config](variables-fast.tf#L92) | FAST stage configuration. | object({…}) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L106) | Root-level tag values. | map(string) | | {} | 1-resman |
+| [vpn_onprem_dev_primary_config](variables.tf#L126) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | |
+| [vpn_onprem_prod_primary_config](variables.tf#L169) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | |
 ## Outputs
diff --git a/fast/stages/2-project-factory/README.md b/fast/stages/2-project-factory/README.md
index 159fa54fde..9edbbc1f66 100644
--- a/fast/stages/2-project-factory/README.md
+++ b/fast/stages/2-project-factory/README.md
@@ -354,14 +354,15 @@ The approach is not shown here but reasonably easy to implement. The main projec
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
 | [billing_account](variables-fast.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L65) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
-| [factories_config](variables.tf#L17) | Configuration for YAML-based factories. | object({…}) | | {} | |
-| [folder_ids](variables-fast.tf#L30) | Folders created in the resource management stage. | map(string) | | {} | 1-resman |
-| [groups](variables-fast.tf#L38) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | map(string) | | {} | 0-bootstrap |
-| [host_project_ids](variables-fast.tf#L47) | Host project for the shared VPC. | map(string) | | {} | 2-networking |
-| [locations](variables-fast.tf#L55) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
-| [service_accounts](variables-fast.tf#L75) | Automation service accounts in name => email format. | map(string) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L83) | FAST-managed resource manager tag values. | map(string) | | {} | 1-resman |
+| [default_alerts_email](variables-fast.tf#L30) | Default email address for alerting. | string | ✓ | | |
+| [prefix](variables-fast.tf#L71) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [factories_config](variables.tf#L17) | Configuration for YAML-based factories. 
| object({…}) | | {} | |
+| [folder_ids](variables-fast.tf#L36) | Folders created in the resource management stage. | map(string) | | {} | 1-resman |
+| [groups](variables-fast.tf#L44) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | map(string) | | {} | 0-bootstrap |
+| [host_project_ids](variables-fast.tf#L53) | Host project for the shared VPC. | map(string) | | {} | 2-networking |
+| [locations](variables-fast.tf#L61) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
+| [service_accounts](variables-fast.tf#L81) | Automation service accounts in name => email format. | map(string) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L89) | FAST-managed resource manager tag values. | map(string) | | {} | 1-resman |
 
 ## Outputs
 
diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md
index aa13a0a152..9faa028b36 100644
--- a/fast/stages/2-security/README.md
+++ b/fast/stages/2-security/README.md
@@ -299,18 +299,20 @@ tls_inspection = {
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [environments](variables-fast.tf#L47) | Environment names. | map(object({…})) | ✓ | | 0-globals |
-| [folder_ids](variables-fast.tf#L64) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman |
-| [prefix](variables-fast.tf#L74) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [default_alerts_email](variables-fast.tf#L47) | Default email address for alerting. | string | ✓ | | |
+| [environments](variables-fast.tf#L53) | Environment names. | map(object({…})) | ✓ | | 0-globals |
+| [factories_config](variables.tf#L184) | Configuration for network resource factories. | object({…}) | ✓ | | |
+| [folder_ids](variables-fast.tf#L70) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman |
+| [prefix](variables-fast.tf#L80) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
 | [cas_configs](variables.tf#L17) | The CAS CAs to add to each environment. | object({…}) | | {…} | |
 | [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [essential_contacts](variables.tf#L178) | Email used for essential contacts, unset if null. | string | | null | |
-| [kms_keys](variables.tf#L184) | KMS keys to create, keyed by name. 
| map(object({…})) | | {} | |
-| [ngfw_tls_configs](variables.tf#L223) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | |
-| [outputs_location](variables.tf#L249) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
-| [stage_config](variables-fast.tf#L84) | FAST stage configuration. | object({…}) | | {} | 1-resman |
-| [tag_values](variables-fast.tf#L98) | Root-level tag values. | map(string) | | {} | 1-resman |
-| [trust_configs](variables.tf#L255) | The trust configs grouped by environment. | object({…}) | | {…} | |
+| [kms_keys](variables.tf#L194) | KMS keys to create, keyed by name. | map(object({…})) | | {} | |
+| [ngfw_tls_configs](variables.tf#L233) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | |
+| [outputs_location](variables.tf#L259) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
+| [stage_config](variables-fast.tf#L90) | FAST stage configuration. | object({…}) | | {} | 1-resman |
+| [tag_values](variables-fast.tf#L104) | Root-level tag values. | map(string) | | {} | 1-resman |
+| [trust_configs](variables.tf#L265) | The trust configs grouped by environment. | object({…}) | | {…} | |
 
 ## Outputs
 
diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md
index c2242c3a39..bb0ff1de75 100644
--- a/modules/project-factory/README.md
+++ b/modules/project-factory/README.md
@@ -440,7 +440,7 @@ update_rules:
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [factories_config](variables.tf#L106) | Path to folder with YAML resource description data files. | object({…}) | ✓ | |
+| [factories_config](variables.tf#L106) | Path to folder with YAML resource description data files. | object({…}) | ✓ | |
 | [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} |
 | [data_merges](variables.tf#L54) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} |
 | [data_overrides](variables.tf#L73) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} |
diff --git a/modules/project/README.md b/modules/project/README.md
index 4db45d1135..46277cbc28 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -1366,11 +1366,13 @@ module "bucket" {
 | name | description | resources |
 |---|---|---|
-| [alert-metrics.tf](./alert-metrics.tf) | None | google_logging_metric · google_monitoring_alert_policy · google_monitoring_notification_channel |
+| [alerts-factory.tf](./alerts-factory.tf) | None | google_monitoring_alert_policy |
 | [cmek.tf](./cmek.tf) | Service Agent IAM Bindings for CMEK | google_kms_crypto_key_iam_member |
 | [iam.tf](./iam.tf) | IAM bindings. | google_project_iam_binding · google_project_iam_custom_role · google_project_iam_member |
+| [logging-metrics-factory.tf](./logging-metrics-factory.tf) | None | google_logging_metric |
 | [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_project_exclusion · google_logging_project_sink · google_project_iam_audit_config · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member |
 | [main.tf](./main.tf) | Module-level locals and resources. | google_compute_project_metadata_item · google_essential_contacts_contact · google_monitoring_monitored_project · google_project · google_project_service · google_resource_manager_lien |
+| [notifications-factory.tf](./notifications-factory.tf) | None | google_monitoring_notification_channel |
 | [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | google_org_policy_policy |
 | [outputs.tf](./outputs.tf) | Module outputs. | |
 | [quotas.tf](./quotas.tf) | None | google_cloud_quotas_quota_preference |
@@ -1389,44 +1391,46 @@ module "bucket" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L172) | Project name and id suffix. | string | ✓ | |
+| [name](variables.tf#L174) | Project name and id suffix. | string | ✓ | |
+| [alerts](variables-metrics-alerts.tf#L1) | Logging metrics alerts configuration. | map(object({…})) | | {} |
 | [auto_create_network](variables.tf#L17) | Whether to create the default network for the project. | bool | | false |
 | [billing_account](variables.tf#L23) | Billing account id. | string | | null |
+| [channels](variables-metrics-alerts.tf#L135) | Logging metrics alerts configuration. | map(object({…})) | | {} |
 | [compute_metadata](variables.tf#L29) | Optional compute metadata key/values. Only usable if compute API has been enabled. | map(string) | | {} |
 | [contacts](variables.tf#L36) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) | | {} |
 | [custom_roles](variables.tf#L43) | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} |
-| [default_alerts_email](variables.tf#L81) | Default email address for alerting. | string | | null |
-| [default_service_account](variables.tf#L50) | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | string | | "keep" |
-| [deletion_policy](variables.tf#L64) | Deletion policy setting for this project. | string | | "DELETE" |
-| [descriptive_name](variables.tf#L75) | Name of the project name. Used for project name instead of `name` variable. | string | | null |
-| [factories_config](variables.tf#L87) | Paths to data files and folders that enable factory functionality. | object({…}) | | {} |
+| [default_alerts_email](variables.tf#L50) | Default email address for alerting. 
| string | | null |
+| [default_service_account](variables.tf#L56) | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | string | | "keep" |
+| [deletion_policy](variables.tf#L70) | Deletion policy setting for this project. | string | | "DELETE" |
+| [descriptive_name](variables.tf#L81) | Name of the project name. Used for project name instead of `name` variable. | string | | null |
+| [factories_config](variables.tf#L87) | Paths to data files and folders that enable factory functionality. | object({…}) | | {} |
 | [iam](variables-iam.tf#L17) | Authoritative IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
 | [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} |
 | [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
 | [iam_by_principals](variables-iam.tf#L54) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} |
-| [labels](variables.tf#L99) | Resource labels. | map(string) | | {} |
-| [lien_reason](variables.tf#L106) | If non-empty, creates a project lien with this description. | string | | null |
-| [logging_data_access](variables.tf#L112) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} |
-| [logging_exclusions](variables.tf#L127) | Logging exclusions for this project in the form {NAME -> FILTER}. | map(string) | | {} |
-| [logging_metrics_alerts](variables-metrics-alerts.tf#L1) | Logging metrics alerts configuration. 
| map(object({…})) | | {} |
-| [logging_sinks](variables.tf#L134) | Logging sinks to create for this project. | map(object({…})) | | {} |
-| [metric_scopes](variables.tf#L165) | List of projects that will act as metric scopes for this project. | list(string) | | [] |
+| [labels](variables.tf#L101) | Resource labels. | map(string) | | {} |
+| [lien_reason](variables.tf#L108) | If non-empty, creates a project lien with this description. | string | | null |
+| [logging_data_access](variables.tf#L114) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} |
+| [logging_exclusions](variables.tf#L129) | Logging exclusions for this project in the form {NAME -> FILTER}. | map(string) | | {} |
+| [logging_metrics](variables-metrics-alerts.tf#L96) | Logging metrics alerts configuration. | map(object({…})) | | {} |
+| [logging_sinks](variables.tf#L136) | Logging sinks to create for this project. | map(object({…})) | | {} |
+| [metric_scopes](variables.tf#L167) | List of projects that will act as metric scopes for this project. | list(string) | | [] |
 | [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
-| [org_policies](variables.tf#L177) | Organization policies applied to this project keyed by policy name. | map(object({…})) | | {} |
-| [parent](variables.tf#L204) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string | | null |
-| [prefix](variables.tf#L214) | Optional prefix used to generate project id and name. | string | | null |
-| [project_create](variables.tf#L224) | Create project. When set to false, uses a data source to reference existing project. 
| bool | | true |
+| [org_policies](variables.tf#L179) | Organization policies applied to this project keyed by policy name. | map(object({…})) | | {} |
+| [parent](variables.tf#L206) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | string | | null |
+| [prefix](variables.tf#L216) | Optional prefix used to generate project id and name. | string | | null |
+| [project_create](variables.tf#L226) | Create project. When set to false, uses a data source to reference existing project. | bool | | true |
 | [quotas](variables-quotas.tf#L17) | Service quota configuration. | map(object({…})) | | {} |
-| [service_agents_config](variables.tf#L230) | Automatic service agent configuration options. | object({…}) | | {} |
-| [service_config](variables.tf#L241) | Configure service API activation. | object({…}) | | {…} |
-| [service_encryption_key_ids](variables.tf#L253) | Service Agents to be granted encryption/decryption permissions over Cloud KMS encryption keys. Format {SERVICE_AGENT => [KEY_ID]}. | map(list(string)) | | {} |
-| [services](variables.tf#L260) | Service APIs to enable. | list(string) | | [] |
-| [shared_vpc_host_config](variables.tf#L266) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…}) | | null |
-| [shared_vpc_service_config](variables.tf#L275) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | {…} |
-| [skip_delete](variables.tf#L303) | Deprecated. Use deletion_policy. | bool | | null |
+| [service_agents_config](variables.tf#L232) | Automatic service agent configuration options. | object({…}) | | {} |
+| [service_config](variables.tf#L243) | Configure service API activation. | object({…}) | | {…} |
+| [service_encryption_key_ids](variables.tf#L255) | Service Agents to be granted encryption/decryption permissions over Cloud KMS encryption keys. 
Format {SERVICE_AGENT => [KEY_ID]}. | map(list(string)) | | {} |
+| [services](variables.tf#L262) | Service APIs to enable. | list(string) | | [] |
+| [shared_vpc_host_config](variables.tf#L268) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…}) | | null |
+| [shared_vpc_service_config](variables.tf#L277) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | {…} |
+| [skip_delete](variables.tf#L305) | Deprecated. Use deletion_policy. | bool | | null |
 | [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | map(string) | | null |
 | [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
-| [vpc_sc](variables.tf#L315) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
+| [vpc_sc](variables.tf#L317) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
 
 ## Outputs
 
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index fb3759ee81..8234c530ce 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -47,6 +47,12 @@ variable "custom_roles" {
   nullable = false
 }
 
+variable "default_alerts_email" {
+  description = "Default email address for alerting."
+  type = string
+  default = null
+}
+
 variable "default_service_account" {
   description = "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
   default = "keep"
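Review bot: The relocated `default_alerts_email` block in the `@@ -47,6 +47,12 @@` hunk still accepts any string, so a mistyped address is only caught when the notification channel resource is applied, or not at all if the provider accepts it and alerts are then routed to a non-existent mailbox. Since this value presumably feeds the new `notifications-factory.tf` channels listed elsewhere in this commit, a `validation` block that accepts null or a single address would fail fast at plan time; note the explicit `== null` disjunct is needed because `can(regex(…, null))` evaluates to false rather than erroring. The move itself is purely alphabetical ordering and is fine.
```hcl
variable "default_alerts_email" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.default_alerts_email == null || can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", var.default_alerts_email))
    error_message = "default_alerts_email must be null or a single email address."
  }
}
```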
@@ -78,12 +84,6 @@ variable "descriptive_name" {
   default = null
 }
 
-variable "default_alerts_email" {
-  description = "Default email address for alerting."
-  type = string
-  default = null
-}
-
 variable "factories_config" {
   description = "Paths to data files and folders that enable factory functionality."
   type = object({