GoogleCloudPlatform · ludoo · Aug 3, 2022 · Aug 3, 2022 · Aug 3, 2022
diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
@@ -195,14 +195,14 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
-| [cicd_repositories](outputs.tf#L154) | WIF configuration for CI/CD repositories. |  |  |
-| [dataplatform](outputs.tf#L168) | Data for the Data Platform stage. |  |  |
-| [networking](outputs.tf#L184) | Data for the networking stage. |  |  |
-| [project_factories](outputs.tf#L193) | Data for the project factories stage. |  |  |
-| [providers](outputs.tf#L209) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
-| [sandbox](outputs.tf#L216) | Data for the sandbox stage. |  | <code>xx-sandbox</code> |
-| [security](outputs.tf#L230) | Data for the networking stage. |  | <code>02-security</code> |
-| [teams](outputs.tf#L240) | Data for the teams stage. |  |  |
-| [tfvars](outputs.tf#L253) | Terraform variable files for the following stages. | ✓ |  |
+| [cicd_repositories](outputs.tf#L171) | WIF configuration for CI/CD repositories. |  |  |
+| [dataplatform](outputs.tf#L185) | Data for the Data Platform stage. |  |  |
+| [networking](outputs.tf#L201) | Data for the networking stage. |  |  |
+| [project_factories](outputs.tf#L210) | Data for the project factories stage. |  |  |
+| [providers](outputs.tf#L226) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
+| [sandbox](outputs.tf#L233) | Data for the sandbox stage. |  | <code>xx-sandbox</code> |
+| [security](outputs.tf#L247) | Data for the networking stage. |  | <code>02-security</code> |
+| [teams](outputs.tf#L257) | Data for the teams stage. |  |  |
+| [tfvars](outputs.tf#L270) | Terraform variable files for the following stages. | ✓ |  |
 
 <!-- END TFDOC -->
diff --git a/fast/stages/01-resman/billing.tf b/fast/stages/01-resman/billing.tf
@@ -23,12 +23,10 @@ locals {
       module.branch-network-sa.iam_email,
       module.branch-security-sa.iam_email,
     ],
-    local.branch_dataplatform_sa_iam_emails,
-    # enable if individual teams can create their own projects
-    # [
-    #   for k, v in module.branch-teams-team-sa : v.iam_email
-    # ],
-    local.branch_teams_pf_sa_iam_emails,
+    local.branch_optional_sa_lists.dp-dev,
+    local.branch_optional_sa_lists.dp-prod,
+    local.branch_optional_sa_lists.pf-dev,
+    local.branch_optional_sa_lists.pf-prod,
   )
 }
 

diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
@@ -50,10 +50,10 @@ module "branch-network-prod-folder" {
   parent = module.branch-network-folder.id
   name   = "Production"
   iam = {
-    "roles/compute.xpnAdmin" = compact([
-      try(module.branch-dp-prod-sa.0.iam_email, ""),
-      try(module.branch-pf-prod-sa.0.iam_email, ""),
-    ])
+    (local.custom_roles.service_project_network_admin) = concat(
+      local.branch_optional_sa_lists.dp-prod,
+      local.branch_optional_sa_lists.pf-prod,
+    )
   }
   tag_bindings = {
     environment = try(
@@ -67,10 +67,10 @@ module "branch-network-dev-folder" {
   parent = module.branch-network-folder.id
   name   = "Development"
   iam = {
-    (local.custom_roles.service_project_network_admin) = compact([
-      try(module.branch-dp-dev-sa.0.iam_email, ""),
-      try(module.branch-pf-dev-sa.0.iam_email, ""),
-    ])
+    (local.custom_roles.service_project_network_admin) = concat(
+      local.branch_optional_sa_lists.dp-dev,
+      local.branch_optional_sa_lists.pf-dev,
+    )
   }
   tag_bindings = {
     environment = try(

diff --git a/fast/stages/01-resman/branch-teams.tf b/fast/stages/01-resman/branch-teams.tf
@@ -21,39 +21,67 @@ moved {
   to   = module.branch-teams-folder.0
 }
 
+# TODO(ludo): add support for CI/CD
+
+############### top-level Teams branch and automation resources ###############
+
 module "branch-teams-folder" {
   source = "../../../modules/folder"
   count  = var.fast_features.teams ? 1 : 0
   parent = "organizations/${var.organization.id}"
   name   = "Teams"
+  iam = {
+    "roles/logging.admin"                  = [module.branch-teams-sa.0.iam_email]
+    "roles/owner"                          = [module.branch-teams-sa.0.iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.branch-teams-sa.0.iam_email]
+    "roles/resourcemanager.projectCreator" = [module.branch-teams-sa.0.iam_email]
+    "roles/compute.xpnAdmin"               = [module.branch-teams-sa.0.iam_email]
+  }
   tag_bindings = {
     context = try(
       module.organization.tag_values["${var.tag_names.context}/teams"].id, null
     )
   }
 }
 
-moved {
-  from = module.branch-teams-prod-sa
-  to   = module.branch-teams-prod-sa.0
-}
-
-module "branch-teams-prod-sa" {
+module "branch-teams-sa" {
   source      = "../../../modules/iam-service-account"
   count       = var.fast_features.teams ? 1 : 0
   project_id  = var.automation.project_id
   name        = "prod-resman-teams-0"
-  description = "Terraform resman production service account."
+  description = "Terraform resman teams service account."
   prefix      = var.prefix
+  iam_storage_roles = {
+    (var.automation.outputs_bucket) = ["roles/storage.admin"]
+  }
+}
+
+module "branch-teams-gcs" {
+  source     = "../../../modules/gcs"
+  count      = var.fast_features.teams ? 1 : 0
+  project_id = var.automation.project_id
+  name       = "prod-resman-teams-0"
+  prefix     = var.prefix
+  versioning = true
+  iam = {
+    "roles/storage.objectAdmin" = [module.branch-teams-sa.0.iam_email]
+  }
 }
 
-# Team-level folders, service accounts and buckets for each individual team
+################## per-team folders and automation resources ##################
 
 module "branch-teams-team-folder" {
-  source    = "../../../modules/folder"
-  for_each  = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
-  parent    = module.branch-teams-folder.0.id
-  name      = each.value.descriptive_name
+  source   = "../../../modules/folder"
+  for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
+  parent   = module.branch-teams-folder.0.id
+  name     = each.value.descriptive_name
+  iam = {
+    "roles/logging.admin"                  = [module.branch-teams-team-sa[each.key].iam_email]
+    "roles/owner"                          = [module.branch-teams-team-sa[each.key].iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.branch-teams-team-sa[each.key].iam_email]
+    "roles/resourcemanager.projectCreator" = [module.branch-teams-team-sa[each.key].iam_email]
+    "roles/compute.xpnAdmin"               = [module.branch-teams-team-sa[each.key].iam_email]
+  }
   group_iam = each.value.group_iam == null ? {} : each.value.group_iam
 }
 
@@ -85,7 +113,7 @@ module "branch-teams-team-gcs" {
   }
 }
 
-# project factory per-team environment folders
+# per-team environment folders where project factory SAs can create projects
 
 module "branch-teams-team-dev-folder" {
   source   = "../../../modules/folder"
@@ -96,12 +124,14 @@ module "branch-teams-team-dev-folder" {
   # environment-wide human permissions on the whole teams environment
   group_iam = {}
   iam = {
-    (local.custom_roles.service_project_network_admin) = [module.branch-pf-dev-sa.0.iam_email]
+    (local.custom_roles.service_project_network_admin) = (
+      local.branch_optional_sa_lists.pf-dev
+    )
     # remove owner here and at project level if SA does not manage project resources
-    "roles/owner"                          = [module.branch-pf-dev-sa.0.iam_email]
-    "roles/logging.admin"                  = [module.branch-pf-dev-sa.0.iam_email]
-    "roles/resourcemanager.folderAdmin"    = [module.branch-pf-dev-sa.0.iam_email]
-    "roles/resourcemanager.projectCreator" = [module.branch-pf-dev-sa.0.iam_email]
+    "roles/owner"                          = local.branch_optional_sa_lists.pf-dev
+    "roles/logging.admin"                  = local.branch_optional_sa_lists.pf-dev
+    "roles/resourcemanager.folderAdmin"    = local.branch_optional_sa_lists.pf-dev
+    "roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-dev
   }
   tag_bindings = {
     environment = try(
@@ -119,12 +149,14 @@ module "branch-teams-team-prod-folder" {
   # environment-wide human permissions on the whole teams environment
   group_iam = {}
   iam = {
-    (local.custom_roles.service_project_network_admin) = [module.branch-pf-prod-sa.0.iam_email]
+    (local.custom_roles.service_project_network_admin) = (
+      local.branch_optional_sa_lists.pf-prod
+    )
     # remove owner here and at project level if SA does not manage project resources
-    "roles/owner"                          = [module.branch-pf-prod-sa.0.iam_email]
-    "roles/logging.admin"                  = [module.branch-pf-prod-sa.0.iam_email]
-    "roles/resourcemanager.folderAdmin"    = [module.branch-pf-prod-sa.0.iam_email]
-    "roles/resourcemanager.projectCreator" = [module.branch-pf-prod-sa.0.iam_email]
+    "roles/owner"                          = local.branch_optional_sa_lists.pf-prod
+    "roles/logging.admin"                  = local.branch_optional_sa_lists.pf-prod
+    "roles/resourcemanager.folderAdmin"    = local.branch_optional_sa_lists.pf-prod
+    "roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-prod
   }
   tag_bindings = {
     environment = try(

diff --git a/fast/stages/01-resman/main.tf b/fast/stages/01-resman/main.tf
@@ -26,6 +26,12 @@ locals {
   billing_ext     = var.billing_account.organization_id == null
   billing_org     = var.billing_account.organization_id == var.organization.id
   billing_org_ext = !local.billing_ext && !local.billing_org
+  branch_optional_sa_lists = {
+    dp-dev  = compact([try(module.branch-dp-dev-sa.0.iam_email, "")])
+    dp-prod = compact([try(module.branch-dp-prod-sa.0.iam_email, "")])
+    pf-dev  = compact([try(module.branch-pf-dev-sa.0.iam_email, "")])
+    pf-prod = compact([try(module.branch-pf-prod-sa.0.iam_email, "")])
+  }
   cicd_repositories = {
     for k, v in coalesce(var.cicd_repositories, {}) : k => v
     if(
@@ -57,7 +63,6 @@ locals {
       "02-security.auto.tfvars.json"
     ]
   }
-
   custom_roles = coalesce(var.custom_roles, {})
   groups = {
     for k, v in var.groups :

diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
@@ -18,23 +18,6 @@
 
 
 locals {
-  branch_dataplatform_sa_iam_emails = (
-    var.fast_features.data_platform
-    ? [
-      module.branch-dp-dev-sa.0.iam_email,
-      module.branch-dp-prod-sa.0.iam_email
-    ]
-    : []
-  )
-  # set to the empty list if you remove the teams branch
-  branch_teams_pf_sa_iam_emails = (
-    var.fast_features.project_factory
-    ? [
-      module.branch-pf-dev-sa.0.iam_email,
-      module.branch-pf-prod-sa.0.iam_email
-    ]
-    : []
-  )
   list_allow = {
     inherit_from_parent = false
     suggested_value     = null
@@ -72,18 +55,19 @@ module "organization" {
       ]
     },
     local.billing_org ? {
-      "roles/billing.costsManager" = local.branch_teams_pf_sa_iam_emails
+      "roles/billing.costsManager" = concat(
+        local.branch_optional_sa_lists.pf-dev,
+        local.branch_optional_sa_lists.pf-prod
+      )
       "roles/billing.user" = concat(
         [
           module.branch-network-sa.iam_email,
           module.branch-security-sa.iam_email,
         ],
-        local.branch_dataplatform_sa_iam_emails,
-        # enable if individual teams can create their own projects
-        # [
-        #   for k, v in module.branch-teams-team-sa : v.iam_email
-        # ],
-        local.branch_teams_pf_sa_iam_emails
+        local.branch_optional_sa_lists.dp-dev,
+        local.branch_optional_sa_lists.dp-prod,
+        local.branch_optional_sa_lists.pf-dev,
+        local.branch_optional_sa_lists.pf-prod,
       )
     } : {}
   )

diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
@@ -127,7 +127,24 @@ locals {
         name   = "sandbox"
         sa     = module.branch-sandbox-sa.0.email
       })
-    }
+    },
+    !var.fast_features.teams ? {} : merge(
+      {
+        "03-teams" = templatefile(local._tpl_providers, {
+          bucket = module.branch-teams-gcs.0.name
+          name   = "teams"
+          sa     = module.branch-teams-sa.0.email
+        })
+      },
+      {
+        for k, v in module.branch-teams-team-sa :
+        "03-teams-${k}" => templatefile(local._tpl_providers, {
+          bucket = module.branch-teams-team-gcs[k].name
+          name   = "teams"
+          sa     = v.email
+        })
+      }
+    )
   )
   service_accounts = merge(
     {
@@ -138,7 +155,7 @@ locals {
       project-factory-prod = try(module.branch-pf-prod-sa.0.email, null)
       sandbox              = try(module.branch-sandbox-sa.0.email, null)
       security             = module.branch-security-sa.email
-      teams                = try(module.branch-teams-prod-sa.0.email, null)
+      teams                = try(module.branch-teams-sa.0.email, null)
     },
     {
       for k, v in module.branch-teams-team-sa : "team-${k}" => v.email