Changes from 33 commits
Commits
76 commits
ae79488
add confidential space
renato-rudnicki Jun 18, 2025
836cf18
add variables and update APIs
renato-rudnicki Jun 18, 2025
a728d6f
change kms resource to module
renato-rudnicki Jun 18, 2025
61b95d0
fix remote
renato-rudnicki Jun 18, 2025
ea77081
creates a new module for confidential space
renato-rudnicki Jun 20, 2025
0ba1a7f
code fixes
renato-rudnicki Jun 20, 2025
49332f8
fixes code review
renato-rudnicki Jun 20, 2025
f6c4042
update docker image build
renato-rudnicki Jun 23, 2025
1c6abb5
Updating SAs and CB infra
renato-rudnicki Jun 23, 2025
da0ab4d
remove comment
renato-rudnicki Jun 23, 2025
de42d46
fix worker_pool_id value
renato-rudnicki Jun 24, 2025
ba8333c
update log buckets
renato-rudnicki Jun 27, 2025
bfae511
fix cloudbuild for confidential space
renato-rudnicki Jun 27, 2025
9edc576
allow confidential computing api
renato-rudnicki Jul 1, 2025
1cfb138
allow cloudbuild workpool use
renato-rudnicki Jul 1, 2025
07cf62b
update confidential space
renato-rudnicki Jul 2, 2025
2684d16
sync with local code
renato-rudnicki Jul 4, 2025
7661264
fix roles
renato-rudnicki Jul 16, 2025
d31ee08
fix header
renato-rudnicki Jul 16, 2025
6628e32
add soft link for confidential space
renato-rudnicki Jul 17, 2025
40cfa4f
remove hardcode value
renato-rudnicki Jul 17, 2025
b2f59c1
Improved description for image_digest variable
renato-rudnicki Jul 17, 2025
29b6ff4
remove output
renato-rudnicki Jul 17, 2025
3307062
move workload SA and roles to step-4
renato-rudnicki Jul 18, 2025
8a570b7
remove comment
renato-rudnicki Jul 18, 2025
9fed2c2
update code
renato-rudnicki Aug 1, 2025
8efe5d4
fix lint
renato-rudnicki Aug 4, 2025
164c68c
adds header to salary.go
renato-rudnicki Aug 4, 2025
e3fc96d
add readme for confidential space
renato-rudnicki Aug 4, 2025
bb022da
Update 4-project
renato-rudnicki Aug 4, 2025
38482e7
update README
renato-rudnicki Aug 5, 2025
b86f124
update README
renato-rudnicki Aug 5, 2025
d46463f
add links in the readme
renato-rudnicki Aug 5, 2025
51607af
add integration tests
renato-rudnicki Aug 5, 2025
6028d87
update readme
renato-rudnicki Aug 5, 2025
cff60ba
code update
renato-rudnicki Aug 15, 2025
3016463
update 4-projects/README.md
renato-rudnicki Aug 15, 2025
f33d11c
code update for helper
renato-rudnicki Aug 15, 2025
3f5a009
update README and permissions for helper deploy
renato-rudnicki Aug 20, 2025
71635bf
remove duplicated code
renato-rudnicki Aug 20, 2025
30f19cd
add builder role to tf-cb-builder-sa
renato-rudnicki Aug 21, 2025
9868414
update google_project_iam_member roles
renato-rudnicki Aug 26, 2025
316aa78
fix roles and SA
renato-rudnicki Aug 27, 2025
df74f43
updates 1 from code-review
renato-rudnicki Aug 29, 2025
f8fd2d0
fix code review-2
renato-rudnicki Sep 1, 2025
f471283
remove code not used
renato-rudnicki Sep 1, 2025
ed6904a
update integration tests
renato-rudnicki Sep 4, 2025
9707d23
fix lint
renato-rudnicki Sep 5, 2025
59aab46
Merge branch 'main' into confidential-space
renato-rudnicki Sep 5, 2025
92113e5
fix build submit cmd
renato-rudnicki Sep 8, 2025
a7d8408
fix key value for log_buckets
renato-rudnicki Sep 8, 2025
5a9c174
fix storage bucket project
renato-rudnicki Sep 8, 2025
a04b4c9
fix bucket syntax name
renato-rudnicki Sep 8, 2025
0a81171
fix roles and propagation
renato-rudnicki Sep 10, 2025
339b91d
fix storage role for projects SA
renato-rudnicki Sep 10, 2025
6ad60ab
fix roles for 4-projects
renato-rudnicki Sep 11, 2025
340c7d0
remove cloudbuild_bucket_admin resource -test
renato-rudnicki Sep 11, 2025
ac8bc2e
add missing variable for projects_test.go
renato-rudnicki Sep 12, 2025
1ff8ed8
fix image_digest variable
renato-rudnicki Sep 12, 2025
263c75e
update image_digest variable
renato-rudnicki Sep 12, 2025
5265adf
Merge branch 'main' into confidential-space
renato-rudnicki Sep 12, 2025
834d3e6
Merge branch 'main' into confidential-space
renato-rudnicki Sep 15, 2025
1ae2a99
Merge branch 'main' into confidential-space
renato-rudnicki Sep 18, 2025
d4a9927
fix confidential project ID for integration tests
renato-rudnicki Sep 18, 2025
5c6c8c0
fix confidential instance name
renato-rudnicki Sep 19, 2025
5dad2e7
update app_infra test
renato-rudnicki Sep 22, 2025
3024385
fix integration test app-infra
renato-rudnicki Sep 23, 2025
4ceee3e
fix list for confidential instance output
renato-rudnicki Sep 23, 2025
01e91f6
fix computeInstanceList
renato-rudnicki Sep 24, 2025
ffaafa2
add output for confidential instance
renato-rudnicki Sep 24, 2025
68e6c23
fix workload identity test
renato-rudnicki Sep 24, 2025
16a9fd6
fix test for workload pool
renato-rudnicki Sep 24, 2025
1677a26
fix for workload pool provider
renato-rudnicki Sep 24, 2025
2774bf3
update integration tests app-infra
renato-rudnicki Sep 25, 2025
2a96062
update test
renato-rudnicki Sep 25, 2025
08bb4e0
fix integration test
renato-rudnicki Sep 25, 2025
1 change: 1 addition & 0 deletions 3-networks-hub-and-spoke/modules/base_env/main.tf
Expand Up @@ -57,6 +57,7 @@ locals {
"cloudtrace.googleapis.com",
"composer.googleapis.com",
"compute.googleapis.com",
"confidentialcomputing.googleapis.com",
"connectgateway.googleapis.com",
"contactcenterinsights.googleapis.com",
"container.googleapis.com",
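Review bot: This `locals` list and the identical one in `3-networks-svpc/modules/base_env/main.tf` are edited in lockstep with no shared source, so the two will drift; if both modules need the same service list, a shared variable or module-level constant avoids the two-file edit. The PR description should also say why the networks step needs `confidentialcomputing.googleapis.com` at all: the Confidential Space project and workload service account are created in 4-projects (see the `development/main.tf` hunk), so if this list is a VPC Service Controls restricted-services list the addition governs API access inside the perimeter, which is a different reason than enabling the API on a project and deserves a comment in the code.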
1 change: 1 addition & 0 deletions 3-networks-svpc/modules/base_env/main.tf
Expand Up @@ -70,6 +70,7 @@ locals {
"cloudtrace.googleapis.com",
"composer.googleapis.com",
"compute.googleapis.com",
"confidentialcomputing.googleapis.com",
"connectgateway.googleapis.com",
"contactcenterinsights.googleapis.com",
"container.googleapis.com",
25 changes: 24 additions & 1 deletion 4-projects/README.md
Expand Up @@ -57,7 +57,7 @@ For an overview of the architecture and the parts, see the

The purpose of this step is to set up the folder structure, projects, and infrastructure pipelines for applications that are connected as service projects to the shared VPC created in the previous stage.

For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code and Google Cloud Storage buckets for state storage.
For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code and Google Cloud Storage buckets for state storage. A new Docker image will be built for the Confidential Space environment, which will be used in the `5-app-infra` step.
Collaborator:
Suggested change
For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code and Google Cloud Storage buckets for state storage. A new Docker image will be built for the Confidential Space environment, which will be used in the `5-app-infra` step.
For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code, a Google Cloud Storage buckets for state storage, and a new Docker image will be built for the [Confidential Space](https://cloud.google.com/confidential-computing/confidential-space/docs/confidential-space-overview) environment, which will be used in the `5-app-infra` step.


This step follows the same [conventions](https://github.com/terraform-google-modules/terraform-example-foundation#branching-strategy) as the Foundation pipeline deployed in [0-bootstrap](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md).
A custom [workspace](https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/master/modules/tf_cloudbuild_workspace/README.md) (`bu1-example-app`) is created by this pipeline and necessary roles are granted to the Terraform Service Account of this workspace by enabling variable `sa_roles` as shown in this [example](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/4-projects/modules/base_env/example_shared_vpc_project.tf).
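Review bot: The added sentence says a Docker image "will be built" but not by what or how step 5 consumes it; since the preceding sentence already names the per-business-unit `infra-pipeline` Cloud Build, say that the image is built by that pipeline, link the Confidential Space overview as the collaborator suggests, and name the value that `5-app-infra` picks up (the commit log refers to an `image_digest` variable, which is what a reader of this step will need to locate). In the collaborator's suggested wording, "a Google Cloud Storage buckets" should read "Google Cloud Storage buckets".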
Expand Down Expand Up @@ -201,6 +201,13 @@ grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g'
git checkout -b production
git push origin production
```
1. Run `terraform init` in the `production` folder to generate the outputs required by step `5-app-infra`.

```bash
cd business_unit_1/production
terraform init
cd ../..
```
Collaborator:
If this code is meant to fetch an output generated by Cloud Build, you have to wait for it to finish running before running this code.
Can't this be obtained from the remote state?


1. After production has been applied, apply development.
1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch),
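Review bot: `terraform init` does not generate outputs; it only configures the backend and installs providers, so the wording "to generate the outputs required by step `5-app-infra`" is misleading, and the step sits after `git push origin production` but before the next item's "After production has been applied", i.e. before the Cloud Build apply that actually writes those outputs to state has necessarily finished. If the intent is to let a later `terraform output` read the remote state, say so and move the step after the apply has completed; if `5-app-infra` can read the values through `terraform_remote_state`, as the collaborator asks, the manual step can be dropped entirely. `cd ../..` also assumes the working directory is the 4-projects repository root, which matches the surrounding steps but is worth stating in the step.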
Expand All @@ -211,6 +218,14 @@ grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g'
git push origin development
```

1. Run `terraform init` in the `development` folder to generate the outputs required by step `5-app-infra`.

```bash
cd business_unit_1/development
terraform init
cd ../..
```
Collaborator:
If this code is meant to fetch an output generated by Cloud Build, you have to wait for it to finish running before running this code.
Can't this be obtained from the remote state?


1. After development has been applied, apply nonproduction.
1. Merge changes to nonproduction. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch),
pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID
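Review bot: This is the second of three copies of the same init step (production, development, nonproduction) that differ only in the folder name; whatever wording and ordering is settled on for the production step must be applied to all three, and if the outputs are consumed by `5-app-infra` via remote state, all three steps go away rather than being maintained in triplicate.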
Expand All @@ -220,6 +235,14 @@ grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g'
git push origin nonproduction
```

1. Run `terraform init` in the `nonproduction` folder to generate the outputs required by step `5-app-infra`.

```bash
cd business_unit_1/nonproduction
terraform init
cd ../..
```

Collaborator:
If this code is meant to fetch an output generated by Cloud Build, you have to wait for it to finish running before running this code.
Can't this be obtained from the remote state?

1. Before executing the next step, unset the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment variable.

```bash
5 changes: 5 additions & 0 deletions 4-projects/business_unit_1/development/README.md
Expand Up @@ -18,7 +18,12 @@
| Name | Description |
|------|-------------|
| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
| bootstrap\_cloudbuild\_project\_id | Cloudbuild project ID. |
| bucket | The created storage bucket. |
| cloudbuild\_sa | Cloudbuild Service Account. |
| confidential\_space\_project | Confidential Space project id. |
| confidential\_space\_project\_number | Confidential Space project number. |
| confidential\_space\_workload\_sa | Workload Service Account for confidential space |
| default\_region | The default region for the project. |
| floating\_project | Project sample floating project. |
| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
85 changes: 85 additions & 0 deletions 4-projects/business_unit_1/development/main.tf
Expand Up @@ -38,3 +38,88 @@ module "env" {
project_deletion_policy = var.project_deletion_policy
folder_deletion_protection = var.folder_deletion_protection
}

resource "google_service_account" "workload_sa" {
account_id = "confidential-space-workload-sa"
display_name = "Workload Service Account for confidential space"
project = module.env.confidential_space_project
}

resource "google_project_iam_member" "service_usage_admin" {
project = module.env.confidential_space_project
role = "roles/serviceusage.serviceUsageAdmin"
member = google_service_account.workload_sa.member
}

resource "google_project_iam_member" "service_account_admin" {
project = module.env.confidential_space_project
role = "roles/iam.serviceAccountAdmin"
member = google_service_account.workload_sa.member
}

resource "google_project_iam_member" "workload_kms_admin" {
project = module.env.confidential_space_project
role = "roles/cloudkms.admin"
member = google_service_account.workload_sa.member
}

resource "google_project_iam_member" "workload_instance_admin" {
project = module.env.confidential_space_project
role = "roles/compute.instanceAdmin.v1"
member = google_service_account.workload_sa.member
}
Collaborator:
The `google_project_iam_member` resources should be grouped by service account and project with a `for_each` on the roles.


resource "google_project_iam_member" "cb_workload_identity_admin" {
project = module.env.confidential_space_project
role = "roles/iam.workloadIdentityPoolAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cb_service_usage_admin" {
project = module.env.confidential_space_project
role = "roles/serviceusage.serviceUsageAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cb_service_account_admin" {
project = module.env.confidential_space_project
role = "roles/iam.serviceAccountAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cloudbuild_kms_admin" {
project = module.env.confidential_space_project
role = "roles/cloudkms.admin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cloudbuild_instance_admin" {
project = module.env.confidential_space_project
role = "roles/compute.instanceAdmin.v1"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cloudbuild_gcs_admin_sa" {
project = module.env.confidential_space_project
role = "roles/storage.admin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cloudbuild_project_iam_admin" {
project = module.env.confidential_space_project
role = "roles/resourcemanager.projectIamAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "workload_identity_admin" {
project = module.env.confidential_space_project
role = "roles/iam.workloadIdentityPoolAdmin"
member = "serviceAccount:${google_service_account.workload_sa.email}"
}

resource "google_project_iam_member" "workload_identity_admin_cb" {
project = module.env.confidential_space_project
role = "roles/iam.workloadIdentityPoolAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}
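Review bot: `cb_workload_identity_admin` and `workload_identity_admin_cb` grant the same role (`roles/iam.workloadIdentityPoolAdmin`) to the same member (`serviceAccount:${module.env.cloudbuild_sa}`) on the same project; two `google_project_iam_member` resources for one binding will remove it when either is destroyed while the other still expects it, so drop one. More important is scope: `workload_sa` is the identity the Confidential Space workload runs as, yet it receives `roles/cloudkms.admin`, `roles/iam.serviceAccountAdmin`, `roles/serviceusage.serviceUsageAdmin`, `roles/compute.instanceAdmin.v1` and `roles/iam.workloadIdentityPoolAdmin` project-wide. A workload that can administer the keys, the pool and the service accounts its own attestation is meant to gate can grant itself whatever the attestation policy was supposed to withhold; it should get only the permissions its code exercises (e.g. a decrypter role on the specific key), with admin roles kept on the pipeline identity. The Cloud Build SA likewise gets `roles/resourcemanager.projectIamAdmin` together with `roles/storage.admin` and `roles/cloudkms.admin`, which lets the pipeline widen its own access; if it only needs to create the pool, provider and service account, scope it to those. Finally, the member expression is written two ways (`google_service_account.workload_sa.member` versus `"serviceAccount:${google_service_account.workload_sa.email}"`); they are equivalent, and the collaborator's `for_each` over a role list per principal, e.g. `for_each = toset(local.workload_sa_roles)` with `role = each.value`, makes both the grouping and the full role set reviewable in one place.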

27 changes: 27 additions & 0 deletions 4-projects/business_unit_1/development/outputs.tf
Expand Up @@ -93,3 +93,30 @@ output "default_region" {
description = "The default region for the project."
value = local.default_region
}

output "confidential_space_project" {
description = "Confidential Space project id."
value = module.env.confidential_space_project
}


output "confidential_space_project_number" {
description = "Confidential Space project number."
value = module.env.confidential_space_project_number
}

output "bootstrap_cloudbuild_project_id" {
description = "Cloudbuild project ID."
value = local.cloudbuild_project_id
}

output "cloudbuild_sa" {
description = "Cloudbuild Service Account."
value = module.env.cloudbuild_sa
}

output "confidential_space_workload_sa" {
description = "Workload Service Account for confidential space"
value = google_service_account.workload_sa.email
}
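Review bot: The double blank line between `confidential_space_project` and `confidential_space_project_number` will be flagged by `terraform fmt`; the `confidential_space_workload_sa` description lacks the trailing period the other descriptions have, and `Cloudbuild` should read `Cloud Build`. terraform-docs copies these descriptions verbatim into the environment README tables, so fixing them here fixes all three READMEs. `bootstrap_cloudbuild_project_id` and `cloudbuild_sa` re-export bootstrap values through every environment's state; that is acceptable if `5-app-infra` is meant to read only 4-projects state, but say so, since otherwise step 5 could read them from the bootstrap state directly.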

9 changes: 5 additions & 4 deletions 4-projects/business_unit_1/development/remote.tf
Expand Up @@ -15,10 +15,11 @@
*/

locals {
default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
default_region_2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
default_region_gcs = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_gcs
default_region_kms = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_kms
default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
default_region_2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
default_region_gcs = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_gcs
default_region_kms = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_kms
cloudbuild_project_id = data.terraform_remote_state.bootstrap.outputs.cloudbuild_project_id
}

data "terraform_remote_state" "bootstrap" {
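Review bot: `cloudbuild_project_id` is the same bootstrap value for every environment, so reading it in each environment's `remote.tf` (this file and the nonproduction copy, where the collaborator raises the same point) duplicates a lookup that belongs in `shared`. The other four changed lines are only the realignment `terraform fmt` requires for the longer key, which is expected.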
5 changes: 5 additions & 0 deletions 4-projects/business_unit_1/nonproduction/README.md
Expand Up @@ -18,7 +18,12 @@
| Name | Description |
|------|-------------|
| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
| bootstrap\_cloudbuild\_project\_id | Cloudbuild project ID. |
| bucket | The created storage bucket. |
| cloudbuild\_sa | Cloudbuild Service Account. |
| confidential\_space\_project | Confidential Space project id. |
| confidential\_space\_project\_number | Confidential Space project number. |
| confidential\_space\_workload\_sa | Workload Service Account for confidential space |
| default\_region | The default region for the project. |
| floating\_project | Project sample floating project. |
| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
85 changes: 85 additions & 0 deletions 4-projects/business_unit_1/nonproduction/main.tf
Expand Up @@ -38,3 +38,88 @@ module "env" {
project_deletion_policy = var.project_deletion_policy
folder_deletion_protection = var.folder_deletion_protection
}

resource "google_service_account" "workload_sa" {
account_id = "confidential-space-workload-sa"
display_name = "Workload Service Account for confidential space"
project = module.env.confidential_space_project
}

resource "google_project_iam_member" "service_usage_admin" {
project = module.env.confidential_space_project
role = "roles/serviceusage.serviceUsageAdmin"
member = google_service_account.workload_sa.member
}

resource "google_project_iam_member" "service_account_admin" {
project = module.env.confidential_space_project
role = "roles/iam.serviceAccountAdmin"
member = google_service_account.workload_sa.member
}

resource "google_project_iam_member" "workload_kms_admin" {
project = module.env.confidential_space_project
role = "roles/cloudkms.admin"
member = google_service_account.workload_sa.member
}

resource "google_project_iam_member" "workload_instance_admin" {
project = module.env.confidential_space_project
role = "roles/compute.instanceAdmin.v1"
member = google_service_account.workload_sa.member
}

resource "google_project_iam_member" "cb_workload_identity_admin" {
project = module.env.confidential_space_project
role = "roles/iam.workloadIdentityPoolAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cb_service_usage_admin" {
project = module.env.confidential_space_project
role = "roles/serviceusage.serviceUsageAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cb_service_account_admin" {
project = module.env.confidential_space_project
role = "roles/iam.serviceAccountAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cloudbuild_kms_admin" {
project = module.env.confidential_space_project
role = "roles/cloudkms.admin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cloudbuild_instance_admin" {
project = module.env.confidential_space_project
role = "roles/compute.instanceAdmin.v1"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cloudbuild_gcs_admin_sa" {
project = module.env.confidential_space_project
role = "roles/storage.admin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "cloudbuild_project_iam_admin" {
project = module.env.confidential_space_project
role = "roles/resourcemanager.projectIamAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}

resource "google_project_iam_member" "workload_identity_admin" {
project = module.env.confidential_space_project
role = "roles/iam.workloadIdentityPoolAdmin"
member = "serviceAccount:${google_service_account.workload_sa.email}"
}

resource "google_project_iam_member" "workload_identity_admin_cb" {
project = module.env.confidential_space_project
role = "roles/iam.workloadIdentityPoolAdmin"
member = "serviceAccount:${module.env.cloudbuild_sa}"
}
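Review bot: This 85-line block is identical to the one added to `development/main.tf` (same `account_id`, same role set, same duplicated `roles/iam.workloadIdentityPoolAdmin` grant to the Cloud Build SA in `cb_workload_identity_admin` and `workload_identity_admin_cb`), and production will carry a third copy. Move the workload service account and its grants into `modules/base_env`, parameterised per environment, so the duplicate binding and the over-broad admin roles on `workload_sa` are fixed once instead of three times; the commit log's "move workload SA and roles to step-4" already points in that direction.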

27 changes: 27 additions & 0 deletions 4-projects/business_unit_1/nonproduction/outputs.tf
Expand Up @@ -93,3 +93,30 @@ output "default_region" {
description = "The default region for the project."
value = local.default_region
}

output "confidential_space_project" {
description = "Confidential Space project id."
value = module.env.confidential_space_project
}


output "confidential_space_project_number" {
description = "Confidential Space project number."
value = module.env.confidential_space_project_number
}

output "bootstrap_cloudbuild_project_id" {
description = "Cloudbuild project ID."
value = local.cloudbuild_project_id
}

output "cloudbuild_sa" {
description = "Cloudbuild Service Account."
value = module.env.cloudbuild_sa
}

output "confidential_space_workload_sa" {
description = "Workload Service Account for confidential space"
value = google_service_account.workload_sa.email
}

9 changes: 5 additions & 4 deletions 4-projects/business_unit_1/nonproduction/remote.tf
Expand Up @@ -15,10 +15,11 @@
*/

locals {
default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
default_region_2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
default_region_gcs = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_gcs
default_region_kms = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_kms
default_region = data.terraform_remote_state.bootstrap.outputs.common_config.default_region
default_region_2 = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_2
default_region_gcs = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_gcs
default_region_kms = data.terraform_remote_state.bootstrap.outputs.common_config.default_region_kms
cloudbuild_project_id = data.terraform_remote_state.bootstrap.outputs.cloudbuild_project_id
Collaborator:
This field should come from shared and not from each of the envs.

}

data "terraform_remote_state" "bootstrap" {
5 changes: 5 additions & 0 deletions 4-projects/business_unit_1/production/README.md
Expand Up @@ -18,7 +18,12 @@
| Name | Description |
|------|-------------|
| access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
| bootstrap\_cloudbuild\_project\_id | Cloudbuild project ID. |
| bucket | The created storage bucket. |
| cloudbuild\_sa | Cloudbuild Service Account. |
| confidential\_space\_project | Confidential Space project id. |
| confidential\_space\_project\_number | Confidential Space project number. |
| confidential\_space\_workload\_sa | Workload Service Account for confidential space |
| default\_region | The default region for the project. |
| floating\_project | Project sample floating project. |
| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |