Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Flexible stage 2s in FAST resource manager #2840

Merged
merged 24 commits into from
Jan 29, 2025
Merged

Flexible stage 2s in FAST resource manager #2840

merged 24 commits into from
Jan 29, 2025

Conversation

ludoo
Copy link
Collaborator

@ludoo ludoo commented Jan 26, 2025
edited
Loading

This PR implements flexible stage 2s in the FAST resource manager stage, where stage 2 can now be arbitrarily defined via the fast_stage_2 variable or the associated factory.

Points of note:

  • this allows defining several project factories, and should supersede Allow multiple stage-2 project factories #2834
  • in principle, this change should also allow running stage 3 code as a stage 2, useful when environment segregation is not needed (e.g. a single GCVE stage)
  • principal interpolation is now done using a single local that combines organization-level principals (groups) and stage service accounts
  • internal stage service account names have been normalized to use -ro and rw instead of using -r for the read-only service account, so as to match what is used in the YAML files
  • in principle (not tested yet) the project factory could be self-reliant and have its own folder created as a regular stage 2 without dependencies on top-level folders, but optionally leveraging them only when an additional folder is needed

Stage IAM is now explicit, instead of scattered across code files, and can be tweaked without code changes:

  • each stage 2 IAM profile is defined via regular iam_ attributes for its own folder and the organization
  • cross-stage permissions in stage 2s are now managed in two different ways:
    • conditional IAM grants scoped to the whole stage 2 are now explicitly defined in the YAML file/tfvar via iam_bindings, e.g. the delegated role grant for the project factories
    • stage 3 grants scoped to the environment (e.g. GCVE stages with iam delegation for dev or prod) are defined in the stage 2 via the stage3_config attribute, instead of in the stage 3 itself like before

Examples of the above IAM configurations from the factory file for the networking stage.

Folder config and folder-level IAM, which now follow our standard IAM interface and should be pretty intuitive:

image

Organization-level IAM, also following our standard interface:

image

Cross-stage IAM for other stage 2 (project factory delegated grant), now also explicit and tweakable:

image

Cross-stage IAM for stage 3:

image

TODO:

  • check resource manager documentation for changes
  • add stage 2 configuration snippets to stage 3s

@ludoo ludoo requested a review from juliocc January 26, 2025 13:29
@juliocc juliocc force-pushed the ludo/fast-abstract-stage2s branch from c342def to 986a2ac Compare January 29, 2025 00:59
juliocc and others added 3 commits January 29, 2025 07:03
@juliocc
Add principal interpolation to iam_by_principals (#2847)
0abb968 
* Add principal interpolation to iam_by_principals

* Fix tests
@ludoo
relax schemas
574e556
@ludoo
relax schemas
af7027b
@ludoo ludoo enabled auto-merge (squash) January 29, 2025 06:19
juliocc
juliocc approved these changes Jan 29, 2025
View reviewed changes
Copy link
Collaborator

@juliocc juliocc left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome PR.

I'll start drafting something to document the schemas in a more human-friendly way. We should also document where interpolation happens

fast/stages/1-resman/variables-stages.tf Outdated Show resolved Hide resolved
@ludoo ludoo merged commit 95ec5ee into fast-dev Jan 29, 2025
18 checks passed
@ludoo ludoo deleted the ludo/fast-abstract-stage2s branch January 29, 2025 12:16
karpok78 pushed a commit to karpok78/cloud-foundation-fabric that referenced this pull request Feb 8, 2025
@ludoo @juliocc @karpok78
Flexible stage 2s in FAST resource manager (GoogleCloudPlatform#2840)
13d9b57 
* wip

* WIP

* wip

* wip

* apply untested

* tests

* support tag expansion for tenant-level installations in IAM conditions

* fix stage config output

* inventories

* remove dev files

* tfdoc

* enable org policies for stage folders

* resman README

* tfdoc

* stage 3 documentation

* inventory

* support extra_dirs in testing franework

* remove org policy files from stage 1

* Add principal interpolation to iam_by_principals (GoogleCloudPlatform#2847)

* Add principal interpolation to iam_by_principals

* Fix tests

* relax schemas

* relax schemas

---------

Co-authored-by: Julio Castillo <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juliocc juliocc juliocc approved these changes

Assignees
No one assigned
Labels
on:FAST
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ludoo @juliocc