Merge branch 'master' into remove-env-monitoring-projects

terraform-google-modules · May 7, 2024 · 4a73242 · 4a73242
2 parents 2c669cc + 9b7874d
commit 4a73242
Show file tree

Hide file tree

Showing 19 changed files with 182 additions and 97 deletions.
diff --git a/.github/workflows/go-lint.yaml b/.github/workflows/go-lint.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: lint
+name: go-lint
 on:
   pull_request:
     branches:
@@ -29,20 +29,20 @@ concurrency:
 
 jobs:
   golangci:
-    name: lint
+    name: golangci-lint
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         folder: [helpers/foundation-deployer]
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: ${{ matrix.folder }}/go.mod
           cache-dependency-path: ${{ matrix.folder }}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
+        uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc # v5.1.0
         with:
           version: latest
           working-directory: ${{ matrix.folder }}

diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
@@ -0,0 +1,51 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: go-test
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+    paths:
+      - 'helpers/foundation-deployer/**'
+      - '.github/workflows/go-test.yaml'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: '${{github.workflow}}-${{ github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  go-test:
+    name: go-test
+    runs-on: 'ubuntu-latest'
+    strategy:
+      fail-fast: false
+      matrix:
+        folder: [helpers/foundation-deployer]
+    steps:
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      with:
+        go-version-file: ${{ matrix.folder }}/go.mod
+        cache-dependency-path: ${{ matrix.folder }}/go.sum
+    - run: |-
+        git config --global user.name 'Cloud Foundation Bot'
+        git config --global user.email '[email protected]'
+        go test ./... -v
+      shell: bash
+      working-directory: ${{ matrix.folder }}
diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md
@@ -83,6 +83,20 @@ Set the variables in **terraform.tfvars** (`groups` block) to use the specific g
    - The `roles/resourcemanager.projectCreator` role on the Google Cloud organization.
    - The `roles/billing.admin` role on the billing account.
    - The `roles/resourcemanager.folderCreator` role.
+   - The `roles/securitycenter.admin` role.
+
+     ```bash
+     # example:
+     gcloud organizations add-iam-policy-binding ${ORG_ID}  --member=user:$SUPER_ADMIN_EMAIL --role=roles/securitycenter.admin --quiet > /dev/null 1>&1
+     ```
+1. Enable the following additional services on your current bootstrap project:
+     ```bash
+     gcloud services enable cloudresourcemanager.googleapis.com
+     gcloud services enable cloudbilling.googleapis.com
+     gcloud services enable iam.googleapis.com
+     gcloud services enable cloudkms.googleapis.com
+     gcloud services enable servicenetworking.googleapis.com
+     ```
 
 ### Optional - Automatic creation of Google Cloud Identity groups
 

diff --git a/1-org/envs/shared/terraform.example.tfvars b/1-org/envs/shared/terraform.example.tfvars
@@ -19,10 +19,6 @@ domains_to_allow = ["example.com"]
 
 essential_contacts_domains_to_allow = ["@example.com"]
 
-billing_data_users = "[email protected]"
-
-audit_data_users = "[email protected]"
-
 scc_notification_name = "scc-notify"
 
 remote_state_bucket = "REMOTE_STATE_BUCKET"

diff --git a/2-environments/envs/nonproduction/terraform.tfvars b/2-environments/envs/nonproduction/terraform.tfvars
@@ -1 +1 @@
-../../terraform.example.tfvars
+../../terraform.tfvars
diff --git a/4-projects/business_unit_1/nonproduction/nonproduction.auto.tfvars b/4-projects/business_unit_1/nonproduction/nonproduction.auto.tfvars
@@ -1 +1 @@
-../../nonproduction.auto.example.tfvars
+../../nonproduction.auto.tfvars
diff --git a/4-projects/business_unit_2/nonproduction/nonproduction.auto.tfvars b/4-projects/business_unit_2/nonproduction/nonproduction.auto.tfvars
@@ -1 +1 @@
-../../nonproduction.auto.example.tfvars
+../../nonproduction.auto.tfvars
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.19
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.20
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # terraform-example-foundation
 
-This example repository shows how the CFT Terraform modules can build a secure Google Cloud foundation, following the [Google Cloud security foundations guide](https://cloud.google.com/architecture/security-foundations).
+This example repository shows how the CFT Terraform modules can build a secure Google Cloud foundation, following the [Google Cloud Enterprise Foundations Blueprint](https://cloud.google.com/architecture/security-foundations) (previously called the _Security Foundations Guide_).
 The supplied structure and code is intended to form a starting point for building your own foundation with pragmatic defaults that you can customize to meet your own requirements. Currently, the step 0 is manually executed.
 From step 1 onwards, the Terraform code is deployed by using either Google Cloud Build (default) or Jenkins.
 Cloud Build has been chosen by default to allow you to quickly get started without having to deploy a CI/CD tool, although it is worth noting the code can easily be executed by your preferred tool.

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -178,4 +178,4 @@ options:
   - 'TF_IN_AUTOMATION=true'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.19'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.20'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
@@ -24,7 +24,7 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.19'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.20'
 options:
   machineType: 'N1_HIGHCPU_8'
   env:

diff --git a/go.work b/go.work
@@ -1,4 +1,4 @@
-go 1.21
+go 1.21.0
 
 use (
   ./test/integration

diff --git a/helpers/foundation-deployer/README.md b/helpers/foundation-deployer/README.md
@@ -6,15 +6,15 @@ Helper tool to deploy the Terraform example foundation using Cloud Build and Clo
 
 ## Requirements
 
-- [Go](https://go.dev/doc/install) 1.18+
+- [Go](https://go.dev/doc/install) 1.21+
 - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0+
 - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0+
 - [Terraform](https://www.terraform.io/downloads.html) version 1.3.0+
 - See `0-bootstrap` README for additional IAM [requirements](../../0-bootstrap/README.md#prerequisites) on the user deploying the Foundation.
 
 ### Validate required tools
 
-- Check if required tools, Go 1.18+, Terraform 1.3.0+, gcloud 393.0.0+, and Git 2.28.0+, are installed:
+- Check if required tools, Go 1.21.0+, Terraform 1.3.0+, gcloud 393.0.0+, and Git 2.28.0+, are installed:
 
     ```bash
     go version

diff --git a/helpers/foundation-deployer/go.mod b/helpers/foundation-deployer/go.mod
@@ -1,15 +1,15 @@
 module github.com/terraform-google-modules/terraform-example-foundation/helpers/foundation-deployer
 
-go 1.21
+go 1.21.0
 
 require (
-	github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1
-	github.com/gruntwork-io/terratest v0.46.11
-	github.com/hashicorp/hcl/v2 v2.19.1
+	github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0
+	github.com/gruntwork-io/terratest v0.46.14
+	github.com/hashicorp/hcl/v2 v2.20.1
 	github.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/terraform-google-modules/terraform-example-foundation/test/integration v0.0.0-20240112234556-03b1976b42c4
-	github.com/tidwall/gjson v1.17.0
+	github.com/tidwall/gjson v1.17.1
 )
 
 require (
@@ -22,17 +22,17 @@ require (
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aws/aws-sdk-go v1.45.5 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/uuid v1.3.1 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-getter v1.7.2 // indirect
+	github.com/hashicorp/go-getter v1.7.4 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
@@ -43,21 +43,22 @@ require (
 	github.com/mattn/go-zglob v0.0.4 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
 	github.com/tmccombs/hcl2json v0.6.0 // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/zclconf/go-cty v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/oauth2 v0.12.0 // indirect
 	golang.org/x/sync v0.4.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/api v0.138.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect