feat: add confidential space (#1435)

Author: renato-rudnicki

0-bootstrap/cb.tf

@@ -178,6 +178,8 @@ module "tf_cloud_builder" {
   worker_pool_id               = module.tf_private_pool.private_worker_pool_id
   bucket_name                  = "${var.bucket_prefix}-${module.tf_source.cloudbuild_project_id}-tf-cloudbuilder-build-logs"
   workflow_deletion_protection = var.workflow_deletion_protection
+
+  depends_on = [module.tf_source]
 }
 
 module "bootstrap_csr_repo" {

0-bootstrap/sa.tf

@@ -111,6 +111,7 @@ locals {
     ],
     "proj" = [
       "roles/storage.objectAdmin",
+      "roles/storage.admin",
     ],
   }
 

3-networks-hub-and-spoke/modules/base_env/main.tf

@@ -57,6 +57,7 @@ locals {
     "cloudtrace.googleapis.com",
     "composer.googleapis.com",
     "compute.googleapis.com",
+    "confidentialcomputing.googleapis.com",
     "connectgateway.googleapis.com",
     "contactcenterinsights.googleapis.com",
     "container.googleapis.com",

3-networks-svpc/modules/base_env/main.tf

@@ -39,7 +39,7 @@ locals {
     "adsdatahub.googleapis.com",
     "aiplatform.googleapis.com",
     "alloydb.googleapis.com",
-    "alpha-documentai.googleapis.com",
+    "documentai.googleapis.com",
     "analyticshub.googleapis.com",
     "apigee.googleapis.com",
     "apigeeconnect.googleapis.com",
@@ -70,6 +70,7 @@ locals {
     "cloudtrace.googleapis.com",
     "composer.googleapis.com",
     "compute.googleapis.com",
+    "confidentialcomputing.googleapis.com",
     "connectgateway.googleapis.com",
     "contactcenterinsights.googleapis.com",
     "container.googleapis.com",

4-projects/README.md

@@ -57,7 +57,7 @@ For an overview of the architecture and the parts, see the
 
 The purpose of this step is to set up the folder structure, projects, and infrastructure pipelines for applications that are connected as service projects to the shared VPC created in the previous stage.
 
-For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code and Google Cloud Storage buckets for state storage.
+For each business unit, a shared `infra-pipeline` project is created along with Cloud Build triggers, CSRs for application infrastructure code, Google Cloud Storage buckets for state storage, and a new Docker image will be built for the [Confidential Space](https://cloud.google.com/confidential-computing/confidential-space/docs/confidential-space-overview) environment, which will be used in the `5-app-infra` step.
 
 This step follows the same [conventions](https://github.com/terraform-google-modules/terraform-example-foundation#branching-strategy) as the Foundation pipeline deployed in [0-bootstrap](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md).
 A custom [workspace](https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/master/modules/tf_cloudbuild_workspace/README.md) (`bu1-example-app`) is created by this pipeline and necessary roles are granted to the Terraform Service Account of this workspace by enabling variable `sa_roles` as shown in this [example](https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/4-projects/modules/base_env/example_shared_vpc_project.tf).
@@ -201,7 +201,6 @@ grep -rl 10.3.64.0 business_unit_2/ | xargs sed -i 's/10.3.64.0/10.4.64.0/g'
    git checkout -b production
    git push origin production
    ```
-
 1. After production has been applied, apply development.
 1. Merge changes to development. Because this is a [named environment branch](../docs/FAQ.md#what-is-a-named-branch),
    pushing to this branch triggers both _terraform plan_ and _terraform apply_. Review the apply output in your Cloud Build project https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID

4-projects/business_unit_1/development/README.md

@@ -19,6 +19,9 @@
 |------|-------------|
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | bucket | The created storage bucket. |
+| confidential\_space\_project | Confidential Space project id. |
+| confidential\_space\_project\_number | Confidential Space project number. |
+| confidential\_space\_workload\_sa | Workload Service Account for confidential space from base\_env |
 | default\_region | The default region for the project. |
 | floating\_project | Project sample floating project. |
 | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |

4-projects/business_unit_1/development/main.tf

@@ -38,3 +38,4 @@ module "env" {
   project_deletion_policy      = var.project_deletion_policy
   folder_deletion_protection   = var.folder_deletion_protection
 }
+

4-projects/business_unit_1/development/outputs.tf

@@ -93,3 +93,18 @@ output "default_region" {
   description = "The default region for the project."
   value       = local.default_region
 }
+
+output "confidential_space_project" {
+  description = "Confidential Space project id."
+  value       = module.env.confidential_space_project
+}
+
+output "confidential_space_project_number" {
+  description = "Confidential Space project number."
+  value       = module.env.confidential_space_project_number
+}
+
+output "confidential_space_workload_sa" {
+  description = "Workload Service Account for confidential space from base_env"
+  value       = module.env.confidential_space_workload_sa
+}

4-projects/business_unit_1/development/remote.tf

@@ -29,3 +29,4 @@ data "terraform_remote_state" "bootstrap" {
     prefix = "terraform/bootstrap/state"
   }
 }
+

4-projects/business_unit_1/nonproduction/README.md

@@ -19,6 +19,9 @@
 |------|-------------|
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | bucket | The created storage bucket. |
+| confidential\_space\_project | Confidential Space project id. |
+| confidential\_space\_project\_number | Confidential Space project number. |
+| confidential\_space\_workload\_sa | Workload Service Account for confidential space from base\_env |
 | default\_region | The default region for the project. |
 | floating\_project | Project sample floating project. |
 | iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |