feat: Added dev_folder construct (#46)

* Added dev_folder construct

* Moved to local, renamed parent_folder

* Removing extra check-in

Author: mikelaramie

0-bootstrap/README.md

@@ -31,6 +31,7 @@ Further details of permissions required and resources created, can be found in t
 | group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes |
 | group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes |
 | org\_id | GCP Organization ID | string | n/a | yes |
+| parent\_folder | Optional - if using a folder for testing. | string | `""` | no |
 
 ## Outputs
 

0-bootstrap/main.tf

@@ -33,11 +33,20 @@ provider "random" {
 /*************************************************
   Bootstrap GCP Organization.
 *************************************************/
+locals {
+  parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
+}
+
+resource "google_folder" "seed" {
+  display_name = "seed"
+  parent       = local.parent
+}
 
 module "seed_bootstrap" {
   source                  = "terraform-google-modules/bootstrap/google"
   version                 = "~> 1.0"
   org_id                  = var.org_id
+  folder_id               = google_folder.seed.id
   billing_account         = var.billing_account
   group_org_admins        = var.group_org_admins
   group_billing_admins    = var.group_billing_admins
@@ -49,6 +58,7 @@ module "cloudbuild_bootstrap" {
   source                  = "terraform-google-modules/bootstrap/google//modules/cloudbuild"
   version                 = "~> 1.0"
   org_id                  = var.org_id
+  folder_id               = google_folder.seed.id
   billing_account         = var.billing_account
   group_org_admins        = var.group_org_admins
   default_region          = var.default_region

0-bootstrap/terraform.example.tfvars

@@ -23,3 +23,6 @@ group_org_admins = "[email protected]"
 group_billing_admins = "[email protected]"
 
 default_region = "australia-southeast1"
+
+//Optional - for development.  Will place all resources under a specific folder instead of org root
+//parent_folder = "01234567890"

0-bootstrap/variables.tf

@@ -40,3 +40,8 @@ variable "default_region" {
   default     = "us-central1"
 }
 
+variable "parent_folder" {
+  description = "Optional - if using a folder for testing."
+  type        = string
+  default     = ""
+}

1-org/README.md

@@ -44,6 +44,7 @@ The purpose of this step is to setup top level shared folders, monitoring & netw
 | domains\_to\_allow | The list of domains to allow users from in IAM. | list(string) | n/a | yes |
 | monitoring\_workspace\_users | Gsuite or Cloud Identity group that have access to Monitoring Workspaces. | string | n/a | yes |
 | org\_id | The organization id for the associated services | string | n/a | yes |
+| parent\_folder | Optional - if using a folder for testing. | string | `""` | no |
 | system\_event\_table\_expiration\_ms | Period before tables expire for system event logs in milliseconds. Default is 400 days. | number | `"34560000000"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform. | string | n/a | yes |
 

1-org/folders.tf

@@ -14,13 +14,17 @@
  * limitations under the License.
  */
 
+locals {
+  parent = var.parent_folder != "" ? "folders/${var.parent_folder}" : "organizations/${var.org_id}"
+}
+
 /******************************************
   Top level folders
  *****************************************/
 
 resource "google_folder" "common" {
   display_name = "common"
-  parent       = "organizations/${var.org_id}"
+  parent       = local.parent
 }
 
 /******************************************

1-org/log_sinks.tf

@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+locals {
+  parent_resource_id   = var.parent_folder != "" ? var.parent_folder : var.org_id
+  parent_resource_type = var.parent_folder != "" ? "folder" : "organization"
+}
+
 /******************************************
   Audit Logs - Activity
 *****************************************/
@@ -24,8 +29,8 @@ module "log_export_activity_logs" {
   destination_uri        = module.bq_activity_logs.destination_uri
   filter                 = "logName: \"/logs/cloudaudit.googleapis.com%2Factivity\""
   log_sink_name          = "bigquery_activity_logs"
-  parent_resource_id     = var.org_id
-  parent_resource_type   = "organization"
+  parent_resource_id     = local.parent_resource_id
+  parent_resource_type   = local.parent_resource_type
   unique_writer_identity = true
 }
 
@@ -48,8 +53,8 @@ module "log_export_system_event_logs" {
   destination_uri        = module.bq_system_event_logs.destination_uri
   filter                 = "logName: \"/logs/cloudaudit.googleapis.com%2Fsystem_event\""
   log_sink_name          = "bigquery_system_event_logs"
-  parent_resource_id     = var.org_id
-  parent_resource_type   = "organization"
+  parent_resource_id     = local.parent_resource_id
+  parent_resource_type   = local.parent_resource_type
   unique_writer_identity = true
 }
 
@@ -73,8 +78,8 @@ module "log_export_data_access_logs" {
   destination_uri        = module.bq_data_access_logs.destination_uri
   filter                 = "logName: \"/logs/cloudaudit.googleapis.com%2Fdata_access\""
   log_sink_name          = "bigquery_data_access_logs"
-  parent_resource_id     = var.org_id
-  parent_resource_type   = "organization"
+  parent_resource_id     = local.parent_resource_id
+  parent_resource_type   = local.parent_resource_type
   unique_writer_identity = true
 }
 

1-org/org_policy.tf

@@ -14,15 +14,23 @@
  * limitations under the License.
  */
 
+locals {
+  organization_id = var.parent_folder != "" ? null : var.org_id
+  folder_id       = var.parent_folder != "" ? var.parent_folder : null
+  policy_for      = var.parent_folder != "" ? "folder" : "organization"
+}
+
+
 /******************************************
   Compute org policies
 *******************************************/
 
 module "org_disable_nested_virtualization" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "boolean"
   enforce         = "true"
   constraint      = "constraints/compute.disableNestedVirtualization"
@@ -31,8 +39,9 @@ module "org_disable_nested_virtualization" {
 module "org_disable_serial_port_access" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "boolean"
   enforce         = "true"
   constraint      = "compute.disableSerialPortAccess"
@@ -41,8 +50,9 @@ module "org_disable_serial_port_access" {
 module "org_compute_disable_guest_attributes_access" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "boolean"
   enforce         = "true"
   constraint      = "constraints/compute.disableGuestAttributesAccess"
@@ -51,8 +61,9 @@ module "org_compute_disable_guest_attributes_access" {
 module "org_vm_external_ip_access" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "list"
   enforce         = "true"
   constraint      = "constraints/compute.vmExternalIpAccess"
@@ -61,8 +72,9 @@ module "org_vm_external_ip_access" {
 module "org_skip_default_network" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "boolean"
   enforce         = "true"
   constraint      = "constraints/compute.skipDefaultNetworkCreation"
@@ -71,8 +83,9 @@ module "org_skip_default_network" {
 module "org_shared_vpc_lien_removal" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "boolean"
   enforce         = "true"
   constraint      = "constraints/compute.restrictXpnProjectLienRemoval"
@@ -85,8 +98,9 @@ module "org_shared_vpc_lien_removal" {
 module "org_cloudsql_external_ip_access" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "boolean"
   enforce         = "true"
   constraint      = "constraints/sql.restrictPublicIp"
@@ -99,16 +113,18 @@ module "org_cloudsql_external_ip_access" {
 module "org_domain_restricted_sharing" {
   source           = "terraform-google-modules/org-policy/google//modules/domain_restricted_sharing"
   version          = "~> 3.0"
-  organization_id  = var.org_id
-  policy_for       = "organization"
+  organization_id  = local.organization_id
+  folder_id        = local.folder_id
+  policy_for       = local.policy_for
   domains_to_allow = var.domains_to_allow
 }
 
 module "org_disable_sa_key_creation" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "boolean"
   enforce         = "true"
   constraint      = "constraints/iam.disableServiceAccountKeyCreation"
@@ -121,8 +137,9 @@ module "org_disable_sa_key_creation" {
 module "org_enforce_bucket_level_access" {
   source          = "terraform-google-modules/org-policy/google"
   version         = "~> 3.0"
-  organization_id = var.org_id
-  policy_for      = "organization"
+  organization_id = local.organization_id
+  folder_id       = local.folder_id
+  policy_for      = local.policy_for
   policy_type     = "boolean"
   enforce         = "true"
   constraint      = "constraints/storage.uniformBucketLevelAccess"

1-org/terraform.example.tfvars

@@ -29,3 +29,6 @@ billing_account = "000000-000000-000000"
 terraform_service_account = "[email protected]"
 
 default_region = "australia-southeast1"
+
+//Optional - for development.  Will place all resources under a specific folder instead of org root
+//parent_folder = "01234567890"

1-org/variables.tf

@@ -72,3 +72,8 @@ variable "data_access_table_expiration_ms" {
   default     = 2592000000
 }
 
+variable "parent_folder" {
+  description = "Optional - if using a folder for testing."
+  type        = string
+  default     = ""
+}