Alignment across repositories (#148)

.github/workflows/non-production.yml

@@ -15,20 +15,20 @@ permissions:
   id-token: write
 
 jobs:
-  global_infra:
+  global:
     name: "Global"
     uses: osinfra-io/github-terraform-called-workflows/.github/workflows/[email protected]
     if: github.actor != 'osinfra-sa'
     with:
       checkout_ref: ${{ github.ref }}
       environment: non-production
-      github_environment: "Non-Production Infrastructure: Global"
+      github_environment: "Non-Production: Global"
       service_account: plt-lz-identity-github@ptl-lz-terraform-tf05-nonprod.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/non-production.tfvars
       terraform_state_bucket: plt-lz-identity-3bfe-nonprod
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: global-non-production
-      working_directory: global/infra
+      working_directory: global
       workload_identity_provider: projects/992372365053/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
     secrets:
       gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}

.github/workflows/production.yml

@@ -15,20 +15,20 @@ permissions:
   id-token: write
 
 jobs:
-  global_infra:
+  global:
     name: "Global"
     uses: osinfra-io/github-terraform-called-workflows/.github/workflows/[email protected]
     if: github.event.workflow_run.conclusion == 'success'
     with:
       checkout_ref: ${{ github.ref }}
       environment: production
-      github_environment: "Production Infrastructure: Global"
+      github_environment: "Production: Global"
       service_account: plt-lz-identity-github@ptl-lz-terraform-tf62-prod.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/production.tfvars
       terraform_state_bucket: plt-lz-identity-e194-prod
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: global-production
-      working_directory: global/infra
+      working_directory: global
       workload_identity_provider: projects/134040294660/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
     secrets:
       gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}

.github/workflows/sandbox.yml

@@ -16,20 +16,20 @@ permissions:
   id-token: write
 
 jobs:
-  global_infra:
+  global:
     name: "Global"
     uses: osinfra-io/github-terraform-called-workflows/.github/workflows/[email protected]
     if: github.actor != 'dependabot[bot]'
     with:
       checkout_ref: ${{ github.ref }}
       environment: sandbox
-      github_environment: "Sandbox Infrastructure: Global"
+      github_environment: "Sandbox: Global"
       service_account: plt-lz-identity-github@ptl-lz-terraform-tf91-sb.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/sandbox.tfvars
       terraform_state_bucket: plt-lz-identity-2c8b-sb
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: global-sandbox
-      working_directory: global/infra
+      working_directory: global
       workload_identity_provider: projects/746490462722/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
     secrets:
       gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}

.pre-commit-config.yaml

@@ -9,19 +9,9 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
       - id: check-symlinks
-      - id: no-commit-to-branch
-
-  - repo: local
-    hooks:
-      - id: infracost_generate_config
-        name: Infracost generate config
-        entry: bash -c 'infracost generate config --repo-path=. --template-path=infracost.yml.tmpl --out-file=infracost.yml'
-        language: system
-        files: ^infracost\.yml\.tmpl$
-        verbose: false
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.88.4
     hooks:
       - id: terraform_fmt
 
@@ -38,8 +28,3 @@ repos:
           - --hook-config=--path-to-file=README.md
           - --hook-config=--add-to-exiting-file=true
           - --hook-config=--create-file-if-not-exist=false
-
-      - id: infracost_breakdown
-        args:
-          - --args=--config-file=infracost.yml
-          - --args=--sync-usage-file

README.md

@@ -8,6 +8,8 @@
 
 [![infracost](https://img.shields.io/endpoint?url=https://dashboard.api.infracost.io/shields/json/cbeecfe3-576f-4553-984c-e451a575ee47/repos/cdfd3281-bb1c-425b-aad0-1a80a1512502/branch/62383c83-9bf4-4fa9-8b48-7b96987f6fc1)](https://dashboard.infracost.io/org/osinfra-io/repos/cdfd3281-bb1c-425b-aad0-1a80a1512502?tab=settings)
 
+💵 Monthly estimates based on Infracost baseline costs.
+
 ## Repository Description
 
 This repository configures [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) that aligns with our [Google Cloud landing zone platform](https://docs.osinfra.io/google-cloud-platform/landing-zone) design. A landing zone should be a prerequisite to deploying enterprise workloads in a cloud environment.

global/infra/README.md → global/README.md

@@ -9,12 +9,13 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 5.17.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.22.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_datadog"></a> [datadog](#module\_datadog) | github.com/osinfra-io/terraform-datadog-google-integration//global | v0.1.4 |
 | <a name="module_project"></a> [project](#module\_project) | github.com/osinfra-io/terraform-google-project//global | v0.1.9 |
 
 ## Resources
@@ -32,6 +33,7 @@ No requirements.
 | <a name="input_cis_2_2_logging_sink_project_id"></a> [cis\_2\_2\_logging\_sink\_project\_id](#input\_cis\_2\_2\_logging\_sink\_project\_id) | The CIS 2.2 logging sink benchmark project ID | `string` | n/a | yes |
 | <a name="input_datadog_api_key"></a> [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes |
 | <a name="input_datadog_app_key"></a> [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog APP key | `string` | n/a | yes |
+| <a name="input_enable_datadog"></a> [enable\_datadog](#input\_enable\_datadog) | Enable Datadog integration | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The environment suffix for example: `sb` (Sandbox), `nonprod` (Non-Production), `prod` (Production) | `string` | `"sb"` | no |
 | <a name="input_folder_id"></a> [folder\_id](#input\_folder\_id) | The numeric ID of the folder this project should be created under. Only one of `org_id` or `folder_id` may be specified | `string` | n/a | yes |
 

global/backend.tf

@@ -0,0 +1 @@
+../shared/backend.tf

global/infra/locals.tf → global/locals.tf

@@ -2,6 +2,12 @@
 # https://www.terraform.io/language/values/locals
 
 locals {
+  labels = {
+    env        = var.environment
+    repository = "google-cloud-workload-identity"
+    platform   = "google-cloud-landing-zone"
+    team       = "platform-google-cloud-landing-zone"
+  }
 
   workload_identity = {
     "github-actions" = {

global/infra/main.tf → global/main.tf

@@ -29,13 +29,16 @@ provider "datadog" {
 # Datadog Google Cloud Platform Integration Module (osinfra.io)
 # https://github.com/osinfra-io/terraform-datadog-google-integration
 
-# module "datadog" {
-#   source = "github.com/osinfra-io/terraform-datadog-google-integration//global?ref=v0.1.0"
-
-#   api_key         = var.datadog_api_key
-#   is_cspm_enabled = true
-#   project         = module.project.project_id
-# }
+module "datadog" {
+  source = "github.com/osinfra-io/terraform-datadog-google-integration//global?ref=v0.1.4"
+  count  = var.enable_datadog ? 1 : 0
+
+  api_key         = var.datadog_api_key
+  cost_center     = "x001"
+  is_cspm_enabled = true
+  labels          = local.labels
+  project         = module.project.project_id
+}
 
 # Google Project Module (osinfra.io)
 # https://github.com/osinfra-io/terraform-google-project
@@ -49,15 +52,8 @@ module "project" {
   description                     = "identity"
   environment                     = var.environment
   folder_id                       = var.folder_id
-
-  labels = {
-    env        = var.environment
-    repository = "google-cloud-workload-identity"
-    platform   = "google-cloud-landing-zone"
-    team       = "platform-google-cloud-landing-zone"
-  }
-
-  prefix = "plt-lz"
+  labels                          = local.labels
+  prefix                          = "plt-lz"
 
   services = [
     "cloudasset.googleapis.com",

global/infra/tfvars/sandbox.tfvars → global/tfvars/sandbox.tfvars

@@ -1,2 +1,3 @@
 cis_2_2_logging_sink_project_id = "plt-lz-audit01-tf92-sb"
+enable_datadog                  = true
 folder_id                       = "267179923152"

global/infra/variables.tf → global/variables.tf

@@ -24,6 +24,12 @@ variable "datadog_app_key" {
   sensitive   = true
 }
 
+variable "enable_datadog" {
+  description = "Enable Datadog integration"
+  type        = bool
+  default     = false
+}
+
 variable "environment" {
   description = "The environment suffix for example: `sb` (Sandbox), `nonprod` (Non-Production), `prod` (Production)"
   type        = string