diff --git a/.coderabbit.yaml b/.coderabbit.yaml
deleted file mode 100644
index 4fdb225..0000000
--- a/.coderabbit.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# CodeRabbit Configuration File
-# https://coderabbit.ai/docs/get-started/customize-coderabbit
-
-# yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json
-
-early_access: true
-reviews:
- request_changes_workflow: true
- auto_review:
- enabled: true
- poem: false
-chat:
- auto_reply: true
diff --git a/.github/workflows/non-production.yml b/.github/workflows/non-production.yml
index 6146f17..becc4f0 100644
--- a/.github/workflows/non-production.yml
+++ b/.github/workflows/non-production.yml
@@ -15,20 +15,20 @@ permissions:
id-token: write
jobs:
- global_infra:
+ global:
name: "Global"
uses: osinfra-io/github-terraform-called-workflows/.github/workflows/plan-and-apply.yml@v0.2.1
if: github.actor != 'osinfra-sa'
with:
checkout_ref: ${{ github.ref }}
environment: non-production
- github_environment: "Non-Production Infrastructure: Global"
+ github_environment: "Non-Production: Global"
service_account: plt-lz-identity-github@ptl-lz-terraform-tf05-nonprod.iam.gserviceaccount.com
terraform_plan_args: -var-file=tfvars/non-production.tfvars
terraform_state_bucket: plt-lz-identity-3bfe-nonprod
terraform_version: ${{ vars.TERRAFORM_VERSION }}
terraform_workspace: global-non-production
- working_directory: global/infra
+ working_directory: global
workload_identity_provider: projects/992372365053/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
secrets:
gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
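Review bot: Renaming `github_environment` to `"Non-Production: Global"` (line 36) changes which GitHub environment the deployment is attributed to, so if the environment named `Non-Production Infrastructure: Global` carries protection rules, required reviewers or environment-scoped secrets in the repository settings, the job will now land in a fresh environment without any of them unless the environment is renamed there as well; the production.yml and sandbox.yml hunks make the same change. That assumes the called `plan-and-apply.yml@v0.2.1` workflow maps this input to `environment:`, which is not visible in this diff. The job's `secrets:` mapping continues past the end of the hunk. A comment above the input would make the coupling explicit: `# must match the environment name in repository settings (protection rules, secrets)`.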
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index d768be3..7803a58 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -15,20 +15,20 @@ permissions:
id-token: write
jobs:
- global_infra:
+ global:
name: "Global"
uses: osinfra-io/github-terraform-called-workflows/.github/workflows/plan-and-apply.yml@v0.2.1
if: github.event.workflow_run.conclusion == 'success'
with:
checkout_ref: ${{ github.ref }}
environment: production
- github_environment: "Production Infrastructure: Global"
+ github_environment: "Production: Global"
service_account: plt-lz-identity-github@ptl-lz-terraform-tf62-prod.iam.gserviceaccount.com
terraform_plan_args: -var-file=tfvars/production.tfvars
terraform_state_bucket: plt-lz-identity-e194-prod
terraform_version: ${{ vars.TERRAFORM_VERSION }}
terraform_workspace: global-production
- working_directory: global/infra
+ working_directory: global
workload_identity_provider: projects/134040294660/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
secrets:
gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/sandbox.yml b/.github/workflows/sandbox.yml
index ce44fba..d3f6340 100644
--- a/.github/workflows/sandbox.yml
+++ b/.github/workflows/sandbox.yml
@@ -16,20 +16,20 @@ permissions:
id-token: write
jobs:
- global_infra:
+ global:
name: "Global"
uses: osinfra-io/github-terraform-called-workflows/.github/workflows/plan-and-apply.yml@v0.2.1
if: github.actor != 'dependabot[bot]'
with:
checkout_ref: ${{ github.ref }}
environment: sandbox
- github_environment: "Sandbox Infrastructure: Global"
+ github_environment: "Sandbox: Global"
service_account: plt-lz-identity-github@ptl-lz-terraform-tf91-sb.iam.gserviceaccount.com
terraform_plan_args: -var-file=tfvars/sandbox.tfvars
terraform_state_bucket: plt-lz-identity-2c8b-sb
terraform_version: ${{ vars.TERRAFORM_VERSION }}
terraform_workspace: global-sandbox
- working_directory: global/infra
+ working_directory: global
workload_identity_provider: projects/746490462722/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
secrets:
gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5c1d712..73071a4 100755
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,19 +9,9 @@ repos:
- id: end-of-file-fixer
- id: trailing-whitespace
- id: check-symlinks
- - id: no-commit-to-branch
-
- - repo: local
- hooks:
- - id: infracost_generate_config
- name: Infracost generate config
- entry: bash -c 'infracost generate config --repo-path=. --template-path=infracost.yml.tmpl --out-file=infracost.yml'
- language: system
- files: ^infracost\.yml\.tmpl$
- verbose: false
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.88.0
+ rev: v1.88.4
hooks:
- id: terraform_fmt
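Review bot: The removal of the `no-commit-to-branch` hook (line 109) is unrelated to the Infracost cleanup the rest of this hunk performs and silently drops the local guard against committing straight to the protected branch; if that was not intended, restore `- id: no-commit-to-branch` alongside `check-symlinks`. The bumped `rev: v1.88.4` is a tag rather than a commit SHA, so what the hook runs can change upstream without a diff here; `rev` also accepts a full commit SHA if an immutable pin is wanted. The `repos:` list continues outside the hunk.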
@@ -38,8 +28,3 @@ repos:
- --hook-config=--path-to-file=README.md
- --hook-config=--add-to-exiting-file=true
- --hook-config=--create-file-if-not-exist=false
-
- - id: infracost_breakdown
- args:
- - --args=--config-file=infracost.yml
- - --args=--sync-usage-file
diff --git a/README.md b/README.md
index b47c244..b0dbfd5 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@
[![infracost](https://img.shields.io/endpoint?url=https://dashboard.api.infracost.io/shields/json/cbeecfe3-576f-4553-984c-e451a575ee47/repos/cdfd3281-bb1c-425b-aad0-1a80a1512502/branch/62383c83-9bf4-4fa9-8b48-7b96987f6fc1)](https://dashboard.infracost.io/org/osinfra-io/repos/cdfd3281-bb1c-425b-aad0-1a80a1512502?tab=settings)
+💵 Monthly estimates based on Infracost baseline costs.
+
## Repository Description
This repository configures [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) that aligns with our [Google Cloud landing zone platform](https://docs.osinfra.io/google-cloud-platform/landing-zone) design. A landing zone should be a prerequisite to deploying enterprise workloads in a cloud environment.
diff --git a/global/infra/.terraform.lock.hcl b/global/.terraform.lock.hcl
similarity index 100%
rename from global/infra/.terraform.lock.hcl
rename to global/.terraform.lock.hcl
diff --git a/global/infra/README.md b/global/README.md
similarity index 90%
rename from global/infra/README.md
rename to global/README.md
index e80b1d2..3c46dec 100644
--- a/global/infra/README.md
+++ b/global/README.md
@@ -9,12 +9,13 @@ No requirements.
| Name | Version |
|------|---------|
-| [google](#provider\_google) | 5.17.0 |
+| [google](#provider\_google) | 5.22.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
+| [datadog](#module\_datadog) | github.com/osinfra-io/terraform-datadog-google-integration//global | v0.1.4 |
| [project](#module\_project) | github.com/osinfra-io/terraform-google-project//global | v0.1.9 |
## Resources
@@ -32,6 +33,7 @@ No requirements.
| [cis\_2\_2\_logging\_sink\_project\_id](#input\_cis\_2\_2\_logging\_sink\_project\_id) | The CIS 2.2 logging sink benchmark project ID | `string` | n/a | yes |
| [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes |
| [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog APP key | `string` | n/a | yes |
+| [enable\_datadog](#input\_enable\_datadog) | Enable Datadog integration | `bool` | `false` | no |
| [environment](#input\_environment) | The environment suffix for example: `sb` (Sandbox), `nonprod` (Non-Production), `prod` (Production) | `string` | `"sb"` | no |
| [folder\_id](#input\_folder\_id) | The numeric ID of the folder this project should be created under. Only one of `org_id` or `folder_id` may be specified | `string` | n/a | yes |
diff --git a/global/backend.tf b/global/backend.tf
new file mode 120000
index 0000000..441bbf6
--- /dev/null
+++ b/global/backend.tf
@@ -0,0 +1 @@
+../shared/backend.tf
\ No newline at end of file
diff --git a/global/infra/backend.tf b/global/infra/backend.tf
deleted file mode 120000
index f3c74de..0000000
--- a/global/infra/backend.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../shared/backend.tf
\ No newline at end of file
diff --git a/global/infra/infracost/non-production.yml b/global/infra/infracost/non-production.yml
deleted file mode 100644
index 1ecf15d..0000000
--- a/global/infra/infracost/non-production.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# You can use this file to define resource usage estimates for Infracost to use when calculating
-# the cost of usage-based resource, such as AWS S3 or Lambda.
-# `infracost breakdown --usage-file infracost-usage.yml [other flags]`
-# See https://infracost.io/usage-file/ for docs
-version: 0.1
-resource_type_default_usage:
- google_logging_project_sink:
- monthly_logging_data_gb: 15.0 # Monthly logging data in GB.
-# resource_usage:
- ##
- ## The following usage values apply to individual resources and override any value defined in the resource_type_default_usage section.
- ## All values are commented-out, you can uncomment resources and customize as needed.
- ##
- # module.project.google_logging_project_sink.cis_2_2_logging_sink:
- # monthly_logging_data_gb: 0.0 # Monthly logging data in GB.
diff --git a/global/infra/infracost/production.yml b/global/infra/infracost/production.yml
deleted file mode 100644
index 11f944c..0000000
--- a/global/infra/infracost/production.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# You can use this file to define resource usage estimates for Infracost to use when calculating
-# the cost of usage-based resource, such as AWS S3 or Lambda.
-# `infracost breakdown --usage-file infracost-usage.yml [other flags]`
-# See https://infracost.io/usage-file/ for docs
-version: 0.1
-resource_type_default_usage:
- google_logging_project_sink:
- monthly_logging_data_gb: 10.0 # Monthly logging data in GB.
-# resource_usage:
- ##
- ## The following usage values apply to individual resources and override any value defined in the resource_type_default_usage section.
- ## All values are commented-out, you can uncomment resources and customize as needed.
- ##
- # module.project.google_logging_project_sink.cis_2_2_logging_sink:
- # monthly_logging_data_gb: 0.0 # Monthly logging data in GB.
diff --git a/global/infra/infracost/sandbox.yml b/global/infra/infracost/sandbox.yml
deleted file mode 100644
index b5c00cf..0000000
--- a/global/infra/infracost/sandbox.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# You can use this file to define resource usage estimates for Infracost to use when calculating
-# the cost of usage-based resource, such as AWS S3 or Lambda.
-# `infracost breakdown --usage-file infracost-usage.yml [other flags]`
-# See https://infracost.io/usage-file/ for docs
-version: 0.1
-resource_type_default_usage:
- google_logging_project_sink:
- monthly_logging_data_gb: 5.0 # Monthly logging data in GB.
-# resource_usage:
- ##
- ## The following usage values apply to individual resources and override any value defined in the resource_type_default_usage section.
- ## All values are commented-out, you can uncomment resources and customize as needed.
- ##
- # module.project.google_logging_project_sink.cis_2_2_logging_sink:
- # monthly_logging_data_gb: 0.0 # Monthly logging data in GB.
diff --git a/global/infra/locals.tf b/global/locals.tf
similarity index 90%
rename from global/infra/locals.tf
rename to global/locals.tf
index 5e59df7..7eb0f41 100644
--- a/global/infra/locals.tf
+++ b/global/locals.tf
@@ -2,6 +2,12 @@
# https://www.terraform.io/language/values/locals
locals {
+ labels = {
+ env = var.environment
+ repository = "google-cloud-workload-identity"
+ platform = "google-cloud-landing-zone"
+ team = "platform-google-cloud-landing-zone"
+ }
workload_identity = {
"github-actions" = {
diff --git a/global/infra/main.tf b/global/main.tf
similarity index 87%
rename from global/infra/main.tf
rename to global/main.tf
index edc710d..aa7f04f 100644
--- a/global/infra/main.tf
+++ b/global/main.tf
@@ -29,13 +29,16 @@ provider "datadog" {
# Datadog Google Cloud Platform Integration Module (osinfra.io)
# https://github.com/osinfra-io/terraform-datadog-google-integration
-# module "datadog" {
-# source = "github.com/osinfra-io/terraform-datadog-google-integration//global?ref=v0.1.0"
-
-# api_key = var.datadog_api_key
-# is_cspm_enabled = true
-# project = module.project.project_id
-# }
+module "datadog" {
+ source = "github.com/osinfra-io/terraform-datadog-google-integration//global?ref=v0.1.4"
+ count = var.enable_datadog ? 1 : 0
+
+ api_key = var.datadog_api_key
+ cost_center = "x001"
+ is_cspm_enabled = true
+ labels = local.labels
+ project = module.project.project_id
+}
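Review bot: `cost_center = "x001"` on line 291 is a bare literal in the module call while the other ownership metadata was just centralized into `local.labels`; adding `cost_center = "x001"` to the `locals` block and passing `cost_center = local.cost_center` keeps it maintained in one place. Because `module.datadog` now carries `count`, any reference to its outputs elsewhere in the configuration must be written as `module.datadog[0]`, and none of those call sites are visible in this diff. The `source` pins `?ref=v0.1.4`, a movable tag; pinning the commit SHA instead would make this external module an immutable dependency.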
# Google Project Module (osinfra.io)
# https://github.com/osinfra-io/terraform-google-project
@@ -49,15 +52,8 @@ module "project" {
description = "identity"
environment = var.environment
folder_id = var.folder_id
-
- labels = {
- env = var.environment
- repository = "google-cloud-workload-identity"
- platform = "google-cloud-landing-zone"
- team = "platform-google-cloud-landing-zone"
- }
-
- prefix = "plt-lz"
+ labels = local.labels
+ prefix = "plt-lz"
services = [
"cloudasset.googleapis.com",
diff --git a/global/infra/outputs.tf b/global/outputs.tf
similarity index 100%
rename from global/infra/outputs.tf
rename to global/outputs.tf
diff --git a/global/infra/tfvars/non-production.tfvars b/global/tfvars/non-production.tfvars
old mode 100755
new mode 100644
similarity index 100%
rename from global/infra/tfvars/non-production.tfvars
rename to global/tfvars/non-production.tfvars
diff --git a/global/infra/tfvars/production.tfvars b/global/tfvars/production.tfvars
old mode 100755
new mode 100644
similarity index 100%
rename from global/infra/tfvars/production.tfvars
rename to global/tfvars/production.tfvars
diff --git a/global/infra/tfvars/sandbox.tfvars b/global/tfvars/sandbox.tfvars
similarity index 73%
rename from global/infra/tfvars/sandbox.tfvars
rename to global/tfvars/sandbox.tfvars
index 4b207ed..1516572 100644
--- a/global/infra/tfvars/sandbox.tfvars
+++ b/global/tfvars/sandbox.tfvars
@@ -1,2 +1,3 @@
cis_2_2_logging_sink_project_id = "plt-lz-audit01-tf92-sb"
+enable_datadog = true
folder_id = "267179923152"
diff --git a/global/infra/variables.tf b/global/variables.tf
old mode 100755
new mode 100644
similarity index 89%
rename from global/infra/variables.tf
rename to global/variables.tf
index 62f67c9..be075ea
--- a/global/infra/variables.tf
+++ b/global/variables.tf
@@ -24,6 +24,12 @@ variable "datadog_app_key" {
sensitive = true
}
+variable "enable_datadog" {
+ description = "Enable Datadog integration"
+ type = bool
+ default = false
+}
+
variable "environment" {
description = "The environment suffix for example: `sb` (Sandbox), `nonprod` (Non-Production), `prod` (Production)"
type = string
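Review bot: Adding `enable_datadog` with `default = false` does not relax `datadog_api_key` and `datadog_app_key`, which the regenerated README in this commit still lists as required (`n/a | yes`), so every environment that leaves the integration disabled must nonetheless be handed both Datadog credentials at plan time. If the intent is for non-production and production to run without Datadog, giving those two variables `default = null` (they are declared just above this hunk; the tail of `datadog_app_key` is visible at its top) would let the secrets stay out of pipelines where they are unused. Whether the `provider "datadog"` block tolerates a null key when the module count is 0 is not visible here and should be confirmed. The new variable's description could also say what it switches on: `description = "Enable the Datadog Google Cloud integration (module.datadog)"`.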
diff --git a/infracost.yml b/infracost.yml
deleted file mode 100644
index ecece66..0000000
--- a/infracost.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-
-# Infracost Configuration
-# https://www.infracost.io/docs/config_file
-
-# Do not edit the infracost.yml file directly, it is generated by the infracost.yml.tmpl file.
-# Edit the infracost.yml.tmpl file and run the following command from the root of the repository to generate the infracost.yml file:
-
-# infracost generate config --repo-path=. --template-path=infracost.yml.tmpl --out-file=infracost.yml
-
-version: 0.1
-projects:
- - path: global/infra
- name: "global/infra: non-production"
- usage_file: global/infra/infracost/non-production.yml
- terraform_var_files:
- - tfvars/non-production.tfvars
- - path: global/infra
- name: "global/infra: production"
- usage_file: global/infra/infracost/production.yml
- terraform_var_files:
- - tfvars/production.tfvars
- - path: global/infra
- name: "global/infra: sandbox"
- usage_file: global/infra/infracost/sandbox.yml
- terraform_var_files:
- - tfvars/sandbox.tfvars
diff --git a/infracost.yml.tmpl b/infracost.yml.tmpl
deleted file mode 100644
index 95070d0..0000000
--- a/infracost.yml.tmpl
+++ /dev/null
@@ -1,22 +0,0 @@
-{{/* Infracost Template: https://www.infracost.io/docs/features/config_file/#template-syntax */}}
-# Infracost Configuration
-# https://www.infracost.io/docs/config_file
-
-# Do not edit the infracost.yml file directly, it is generated by the infracost.yml.tmpl file.
-# Edit the infracost.yml.tmpl file and run the following command from the root of the repository to generate the infracost.yml file:
-
-# infracost generate config --repo-path=. --template-path=infracost.yml.tmpl --out-file=infracost.yml
-
-version: 0.1
-projects:
-{{- range $match := matchPaths ":location(global|regional)/:type(app|infra)/:app?/tfvars/:env.tfvars" }}
- {{- $appDir := ""}}
- {{- if $match.app }}
- {{- $appDir = print "/" $match.app }}
- {{- end }}
- - path: {{ $match.location }}/{{ $match.type }}{{ $appDir }}
- name: "{{ $match.location }}/{{ $match.type }}{{ $appDir }}: {{ $match.env }}"
- usage_file: {{ $match.location }}/{{ $match.type }}{{ $appDir }}/infracost/{{ $match.env }}.yml
- terraform_var_files:
- - tfvars/{{ $match.env }}.tfvars
-{{- end }}