feat: create subfolders for business units in 4-projects step (#1039)

Co-authored-by: Grant Sorbo <[email protected]> Co-authored-by: Daniel Andrade <[email protected]>
terraform-google-modules · Dec 14, 2023 · 06084be · 06084be
1 parent 25c61c4
commit 06084be
Show file tree

Hide file tree

Showing 11 changed files with 113 additions and 71 deletions.
diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
@@ -84,8 +84,7 @@ locals {
       "roles/dns.admin",
     ],
     "proj" = [
-      "roles/resourcemanager.folderViewer",
-      "roles/resourcemanager.folderIamAdmin",
+      "roles/resourcemanager.folderAdmin",
       "roles/artifactregistry.admin",
       "roles/compute.networkAdmin",
       "roles/compute.xpnAdmin",

diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md
@@ -7,6 +7,7 @@
 | business\_unit | The business (ex. business\_unit\_1). | `string` | n/a | yes |
 | env | The environment to prepare (ex. development). | `string` | n/a | yes |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
+| folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"bkt"` | no |
 | key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no |
 | key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no |

diff --git a/4-projects/modules/base_env/business_unit_folder.tf b/4-projects/modules/base_env/business_unit_folder.tf
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  env_business_unit_folder_name = "${var.folder_prefix}-${var.env}-${var.business_code}"
+}
+
+resource "google_folder" "env_business_unit" {
+  display_name = local.env_business_unit_folder_name
+  parent       = local.env_folder_name
+}
diff --git a/4-projects/modules/base_env/example_base_shared_vpc_project.tf b/4-projects/modules/base_env/example_base_shared_vpc_project.tf
@@ -19,7 +19,7 @@ module "base_shared_vpc_project" {
 
   org_id                              = local.org_id
   billing_account                     = local.billing_account
-  folder_id                           = local.env_folder_name
+  folder_id                           = google_folder.env_business_unit.name
   environment                         = var.env
   vpc_type                            = "base"
   shared_vpc_host_project_id          = local.base_host_project_id

diff --git a/4-projects/modules/base_env/example_floating_project.tf b/4-projects/modules/base_env/example_floating_project.tf
@@ -19,7 +19,7 @@ module "floating_project" {
 
   org_id          = local.org_id
   billing_account = local.billing_account
-  folder_id       = local.env_folder_name
+  folder_id       = google_folder.env_business_unit.name
   environment     = var.env
   project_budget  = var.project_budget
   project_prefix  = local.project_prefix

diff --git a/4-projects/modules/base_env/example_peering_project.tf b/4-projects/modules/base_env/example_peering_project.tf
@@ -35,7 +35,7 @@ module "peering_project" {
 
   org_id          = local.org_id
   billing_account = local.billing_account
-  folder_id       = local.env_folder_name
+  folder_id       = google_folder.env_business_unit.name
   environment     = var.env
   project_budget  = var.project_budget
   project_prefix  = local.project_prefix

diff --git a/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf b/4-projects/modules/base_env/example_restricted_shared_vpc_project.tf
@@ -19,7 +19,7 @@ module "restricted_shared_vpc_project" {
 
   org_id                     = local.org_id
   billing_account            = local.billing_account
-  folder_id                  = local.env_folder_name
+  folder_id                  = google_folder.env_business_unit.name
   environment                = var.env
   vpc_type                   = "restricted"
   shared_vpc_host_project_id = local.restricted_host_project_id

diff --git a/4-projects/modules/base_env/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf
@@ -19,7 +19,7 @@ module "env_secrets_project" {
 
   org_id          = local.org_id
   billing_account = local.billing_account
-  folder_id       = local.env_folder_name
+  folder_id       = google_folder.env_business_unit.name
   environment     = var.env
   project_budget  = var.project_budget
   project_suffix  = var.secrets_prj_suffix

diff --git a/4-projects/modules/base_env/variables.tf b/4-projects/modules/base_env/variables.tf
@@ -152,3 +152,9 @@ variable "subnet_ip_range" {
   type        = string
   default     = null
 }
+
+variable "folder_prefix" {
+  description = "Name prefix to use for folders created. Should be the same in all steps."
+  type        = string
+  default     = "fldr"
+}
diff --git a/4-projects/modules/single_project/main.tf b/4-projects/modules/single_project/main.tf
@@ -51,7 +51,7 @@ module "project" {
   random_project_id        = true
   random_project_id_length = 4
   activate_apis            = distinct(concat(var.activate_apis, ["billingbudgets.googleapis.com"]))
-  name                     = "${var.project_prefix}-${var.business_code}-${local.env_code}-${var.project_suffix}"
+  name                     = "${var.project_prefix}-${local.env_code}-${var.business_code}${var.project_suffix}"
   org_id                   = var.org_id
   billing_account          = var.billing_account
   folder_id                = var.folder_id

diff --git a/README.md b/README.md
@@ -178,38 +178,44 @@ Running this code as-is should generate a structure as shown below:
 ```
 example-organization/
 └── fldr-development
-    ├── prj-bu1-d-env-secrets
-    ├── prj-bu1-d-sample-floating
-    ├── prj-bu1-d-sample-base
-    ├── prj-bu1-d-sample-restrict
-    ├── prj-bu1-d-sample-peering
-    ├── prj-bu2-d-env-secrets
-    ├── prj-bu2-d-sample-floating
-    ├── prj-bu2-d-sample-base
-    ├── prj-bu2-d-sample-restrict
-    └── prj-bu2-d-sample-peering
+    └── fldr-bu1-development
+        ├── prj-d-env-bu1secrets
+        ├── prj-d-bu1sample-floating
+        ├── prj-d-bu1sample-base
+        ├── prj-d-bu1sample-restrict
+        ├── prj-d-bu1sample-peering
+    └── fldr-bu2-development
+        ├── prj-d-env-bu2secrets
+        ├── prj-d-sample-bu2floating
+        ├── prj-d-sample-bu2base
+        ├── prj-d-sample-bu2restrict
+        └── prj-d-sample-bu2peering
 └── fldr-non-production
-    ├── prj-bu1-n-env-secrets
-    ├── prj-bu1-n-sample-floating
-    ├── prj-bu1-n-sample-base
-    ├── prj-bu1-n-sample-restrict
-    ├── prj-bu1-n-sample-peering
-    ├── prj-bu2-n-env-secrets
-    ├── prj-bu2-n-sample-floating
-    ├── prj-bu2-n-sample-base
-    ├── prj-bu2-n-sample-restrict
-    └── prj-bu2-n-sample-peering
+    └── fldr-bu1-non-production
+        ├── prj-n-env-bu1secrets
+        ├── prj-n-bu1sample-floating
+        ├── prj-n-bu1sample-base
+        ├── prj-n-bu1sample-restrict
+        ├── prj-n-bu1sample-peering
+    └── fldr-bu2-non-production
+        ├── prj-n-env-bu2secrets
+        ├── prj-n-sample-bu2floating
+        ├── prj-n-sample-bu2base
+        ├── prj-n-sample-bu2restrict
+        └── prj-n-sample-bu2peering
 └── fldr-production
-    ├── prj-bu1-p-env-secrets
-    ├── prj-bu1-p-sample-floating
-    ├── prj-bu1-p-sample-base
-    ├── prj-bu1-p-sample-restrict
-    ├── prj-bu1-p-sample-peering
-    ├── prj-bu2-p-env-secrets
-    ├── prj-bu2-p-sample-floating
-    ├── prj-bu2-p-sample-base
-    ├── prj-bu2-p-sample-restrict
-    └── prj-bu2-p-sample-peering
+    └── fldr-bu1-production
+        ├── prj-p-env-bu1secrets
+        ├── prj-p-bu1sample-floating
+        ├── prj-p-bu1sample-base
+        ├── prj-p-bu1sample-restrict
+        ├── prj-p-bu1sample-peering
+    └── fldr-bu2-production
+        ├── prj-p-env-bu2secrets
+        ├── prj-p-sample-bu2floating
+        ├── prj-p-sample-bu2base
+        ├── prj-p-sample-bu2restrict
+        └── prj-p-sample-bu2peering
 └── fldr-common
     ├── prj-bu1-c-infra-pipeline
     └── prj-bu2-c-infra-pipeline
@@ -252,44 +258,50 @@ example-organization
     ├── prj-p-shared-base
     └── prj-p-shared-restricted
 └── fldr-development
-    ├── prj-bu1-d-env-secrets
-    ├── prj-bu1-d-sample-floating
-    ├── prj-bu1-d-sample-base
-    ├── prj-bu1-d-sample-restrict
-    ├── prj-bu1-d-sample-peering
-    ├── prj-bu2-d-env-secrets
-    ├── prj-bu2-d-sample-floating
-    ├── prj-bu2-d-sample-base
-    ├── prj-bu2-d-sample-restrict
-    ├── prj-bu2-d-sample-peering
     ├── prj-d-monitoring
-    └── prj-d-secrets
+    ├── prj-d-secrets
+    └── fldr-bu1-development
+        ├── prj-d-env-bu1secrets
+        ├── prj-d-bu1sample-floating
+        ├── prj-d-bu1sample-base
+        ├── prj-d-bu1sample-restrict
+        └── prj-d-bu1sample-peering
+    └── fldr-bu2-development
+        ├── prj-d-env-bu2secrets
+        ├── prj-d-sample-bu2floating
+        ├── prj-d-sample-bu2base
+        ├── prj-d-sample-bu2restrict
+        └── prj-d-sample-bu2peering
 └── fldr-non-production
-    ├── prj-bu1-n-env-secrets
-    ├── prj-bu1-n-sample-floating
-    ├── prj-bu1-n-sample-base
-    ├── prj-bu1-n-sample-restrict
-    ├── prj-bu1-n-sample-peering
-    ├── prj-bu2-n-env-secrets
-    ├── prj-bu2-n-sample-floating
-    ├── prj-bu2-n-sample-base
-    ├── prj-bu2-n-sample-restrict
-    ├── prj-bu2-n-sample-peering
     ├── prj-n-monitoring
-    └── prj-n-secrets
+    ├── prj-n-secrets
+    └── fldr-bu1-non-production
+        ├── prj-n-env-bu1secrets
+        ├── prj-n-bu1sample-floating
+        ├── prj-n-bu1sample-base
+        ├── prj-n-bu1sample-restrict
+        └── prj-n-bu1sample-peering
+    └── fldr-bu2-non-production
+        ├── prj-n-env-bu2secrets
+        ├── prj-n-sample-bu2floating
+        ├── prj-n-sample-bu2base
+        ├── prj-n-sample-bu2restrict
+        └── prj-n-sample-bu2peering
 └── fldr-production
-    ├── prj-bu1-p-env-secrets
-    ├── prj-bu1-p-sample-floating
-    ├── prj-bu1-p-sample-base
-    ├── prj-bu1-p-sample-restrict
-    ├── prj-bu1-p-sample-peering
-    ├── prj-bu2-p-env-secrets
-    ├── prj-bu2-p-sample-floating
-    ├── prj-bu2-p-sample-base
-    ├── prj-bu2-p-sample-restrict
-    ├── prj-bu2-p-sample-peering
     ├── prj-p-monitoring
-    └── prj-p-secrets
+    ├── prj-p-secrets
+    └── fldr-bu1-production
+        ├── prj-p-env-bu1secrets
+        ├── prj-p-bu1sample-floating
+        ├── prj-p-bu1sample-base
+        ├── prj-p-bu1sample-restrict
+        └── prj-p-bu1sample-peering
+    └── fldr-bu2-production
+        ├── prj-p-env-bu2secrets
+        ├── prj-p-sample-bu2floating
+        ├── prj-p-sample-bu2base
+        ├── prj-p-sample-bu2restrict
+        └── prj-p-sample-bu2peering
 └── fldr-bootstrap
     ├── prj-b-cicd
     └── prj-b-seed