terraform-google-modules
diff --git a/‎1-org/envs/shared/README.md‎
Lines changed: 1 addition & 0 deletions b/‎1-org/envs/shared/README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎1-org/envs/shared/remote.tf‎
Lines changed: 39 additions & 0 deletions b/‎1-org/envs/shared/remote.tf‎
Lines changed: 39 additions & 0 deletions
@@ -18,6 +18,7 @@
 | enable\_kms\_key\_usage\_tracking | Enable KMS centralized key usage tracking system. | `bool` | `true` | no |
 | enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. Security Command Center must be activated before the creation of the resources. See [Overview of activating Security Command Center](https://cloud.google.com/security-command-center/docs/activate-scc-overview) before enabling this feature. | `bool` | `false` | no |
 | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
+| envs | n/a | `map(bool)` | <pre>{<br>  "development": true,<br>  "nonproduction": true,<br>  "production": true<br>}</pre> | no |
 | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
 | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |
 | folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 
@@ -39,6 +39,23 @@ locals {
   seed_project_id                               = data.terraform_remote_state.bootstrap.outputs.seed_project_id
   seed_project_number                           = data.terraform_remote_state.bootstrap.outputs.seed_project_number
   parent_id                                     = data.terraform_remote_state.bootstrap.outputs.parent_id
+  projects_gcs_bucket_tfstate                   = data.terraform_remote_state.bootstrap.outputs.projects_gcs_bucket_tfstate
+  peering_projects_numbers                      = compact([for s in data.terraform_remote_state.projects_env : try(s.outputs.peering_project_number, null)])
+  shared_vpc_project_numbers                    = compact([for s in data.terraform_remote_state.projects_env : try(s.outputs.shared_vpc_project_number, null)])
+  app_infra_project_id                          = try(data.terraform_remote_state.projects_app_infra[0].outputs.cloudbuild_project_id, null)
+  app_infra_project_number                      = try(data.terraform_remote_state.projects_app_infra[0].outputs.cloudbuild_project_number, null)
+
+  app_infra_pipeline_identity        = local.app_infra_project_number != null ? "serviceAccount:${local.app_infra_project_number}@cloudbuild.gserviceaccount.com" : null
+  app_infra_pipeline_source_projects = local.app_infra_project_number != null ? ["projects/${local.app_infra_project_number}"] : []
+  app_infra_targets = distinct(concat(
+    [for n in local.shared_vpc_project_numbers : "projects/${n}"],
+    [for n in local.peering_projects_numbers : "projects/${n}"]
+  ))
+  app_infra_cicd_identity = (
+    local.app_infra_project_id != null
+    ? "serviceAccount:sa-tf-cb-bu1-example-app@${local.app_infra_project_id}.iam.gserviceaccount.com"
+    : null
+  )
 }
 
 data "terraform_remote_state" "bootstrap" {
@@ -49,3 +66,25 @@ data "terraform_remote_state" "bootstrap" {
     prefix = "terraform/bootstrap/state"
   }
 }
+
+data "terraform_remote_state" "projects_env" {
+  backend = "gcs"
+
+  for_each = (var.required_egress_rules_app_infra_dry_run && var.required_ingress_rules_app_infra_dry_run) || (var.required_egress_rules_app_infra && var.required_ingress_rules_app_infra) ? var.envs : {}
+
+  config = {
+    bucket = local.projects_gcs_bucket_tfstate
+    prefix = "terraform/projects/business_unit_1/${each.key}"
+  }
+}
+
+data "terraform_remote_state" "projects_app_infra" {
+  backend = "gcs"
+
+  count = (var.required_egress_rules_app_infra_dry_run && var.required_ingress_rules_app_infra_dry_run) || (var.required_egress_rules_app_infra && var.required_ingress_rules_app_infra) ? 1 : 0
+
+  config = {
+    bucket = local.projects_gcs_bucket_tfstate
+    prefix = "terraform/projects/business_unit_1/shared"
+  }
+}