fix: adds parent on secret project filter for VPN module (#214)

amandakarina · web-flow · commit 53a674b14e2c · 2020-08-07T07:58:47.000+10:00
diff --git a/3-networks/envs/development/vpn.tf.example b/3-networks/envs/development/vpn.tf.example
@@ -26,6 +26,8 @@ module "shared_base_vpn" {
   region2_router1_name = module.base_shared_vpc.region2_router1.router.name
   region2_router2_name = module.base_shared_vpc.region2_router2.router.name
   environment          = "development"
+  parent_folder        = var.parent_folder
+  org_id               = var.org_id
   vpn_psk_secret_name  = "<VPN_PRIVATE_PSK_SECRET_NAME>"
 
 
@@ -70,6 +72,8 @@ module "shared_restricted_vpn" {
   region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name
   region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name
   environment          = "development"
+  parent_folder        = var.parent_folder
+  org_id               = var.org_id
   vpn_psk_secret_name  = "<VPN_RESTRICTED_PSK_SECRET_NAME>"
 
   on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1
diff --git a/3-networks/envs/non-production/vpn.tf.example b/3-networks/envs/non-production/vpn.tf.example
@@ -26,6 +26,8 @@ module "shared_base_vpn" {
   region2_router1_name = module.base_shared_vpc.region2_router1.router.name
   region2_router2_name = module.base_shared_vpc.region2_router2.router.name
   environment          = "non-production"
+  parent_folder        = var.parent_folder
+  org_id               = var.org_id
   vpn_psk_secret_name  = "<VPN_PRIVATE_PSK_SECRET_NAME>"
 
   on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1
@@ -69,6 +71,8 @@ module "shared_restricted_vpn" {
   region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name
   region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name
   environment          = "non-production"
+  parent_folder        = var.parent_folder
+  org_id               = var.org_id
   vpn_psk_secret_name  = "<VPN_RESTRICTED_PSK_SECRET_NAME>"
 
   on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1
diff --git a/3-networks/envs/production/vpn.tf.example b/3-networks/envs/production/vpn.tf.example
@@ -26,6 +26,8 @@ module "shared_base_vpn" {
   region2_router1_name = module.base_shared_vpc.region2_router1.router.name
   region2_router2_name = module.base_shared_vpc.region2_router2.router.name
   environment          = "production"
+  parent_folder        = var.parent_folder
+  org_id               = var.org_id
   vpn_psk_secret_name  = "<VPN_PRIVATE_PSK_SECRET_NAME>"
 
   on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1
@@ -69,6 +71,8 @@ module "shared_restricted_vpn" {
   region2_router1_name = module.restricted_shared_vpc.region2_router1.router.name
   region2_router2_name = module.restricted_shared_vpc.region2_router2.router.name
   environment          = "production"
+  parent_folder        = var.parent_folder
+  org_id               = var.org_id
   vpn_psk_secret_name  = "<VPN_RESTRICTED_PSK_SECRET_NAME>"
 
   on_prem_router_ip_address1 = "<8.8.8.8>" # on-prem router ip address 1
diff --git a/3-networks/modules/vpn-ha/README.md b/3-networks/modules/vpn-ha/README.md
@@ -27,6 +27,8 @@ If you don't have Dedicated Interconnect you can use High Availability VPN to co
 | environment | Environment for the VPN configuration. Valid options are development, non-production, production | string | n/a | yes |
 | on\_prem\_router\_ip\_address1 | On-Prem Router IP address | string | n/a | yes |
 | on\_prem\_router\_ip\_address2 | On-Prem Router IP address | string | n/a | yes |
+| org\_id | Organization ID | string | n/a | yes |
+| parent\_folder | Optional - if using a folder for testing. | string | `""` | no |
 | project\_id | VPC Project ID | string | n/a | yes |
 | region1\_router1\_name | Name of the Router 1 for Region 1 where the attachment resides. | string | n/a | yes |
 | region1\_router1\_tunnel0\_bgp\_peer\_address | BGP session address for router 1 in region 1 tunnel 0 | string | n/a | yes |
diff --git a/3-networks/modules/vpn-ha/main.tf b/3-networks/modules/vpn-ha/main.tf
@@ -19,13 +19,19 @@
  *****************************************/
 
 locals {
+  parent_id             = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
   network_name          = "vpc-${var.vpc_name}"
   env_secret_project_id = data.google_projects.env_secrets.projects[0].project_id
   psk_secret_data       = chomp(data.google_secret_manager_secret_version.psk.secret_data)
 }
 
+data "google_active_folder" "env" {
+  display_name = "fldr-${var.environment}"
+  parent       = local.parent_id
+}
+
 data "google_projects" "env_secrets" {
-  filter = "labels.application_name=env-secrets labels.environment=${var.environment} lifecycleState=ACTIVE"
+  filter = "parent.id:${split("/", data.google_active_folder.env.name)[1]} labels.application_name=env-secrets labels.environment=${var.environment} lifecycleState=ACTIVE"
 }
 
 data "google_secret_manager_secret_version" "psk" {
diff --git a/3-networks/modules/vpn-ha/variables.tf b/3-networks/modules/vpn-ha/variables.tf
@@ -34,6 +34,11 @@ variable "environment" {
   description = "Environment for the VPN configuration. Valid options are development, non-production, production"
 }
 
+variable "org_id" {
+  type        = string
+  description = "Organization ID"
+}
+
 variable "vpn_psk_secret_name" {
   type        = string
   description = "The name of the secret to retrieve from secret manager. This will be retrieved from the environment secrets project."
@@ -158,3 +163,9 @@ variable "region2_router2_tunnel1_bgp_peer_range" {
   type        = string
   description = "BGP session range for router 2 in region 1 tunnel 1"
 }
+
+variable "parent_folder" {
+  description = "Optional - if using a folder for testing."
+  type        = string
+  default     = ""
+}
