From d87a82d84a4631f838e8de54b7560a02da6df23a Mon Sep 17 00:00:00 2001 
From: Brett Curtis
Date: Sat, 30 Mar 2024 10:21:25 -0400
Subject: [PATCH] Alignment across repositories

---
 .coderabbit.yaml | 13 ---------
 .github/workflows/non-production.yml | 6 ++--
 .github/workflows/production.yml | 6 ++--
 .github/workflows/sandbox.yml | 6 ++--
 .pre-commit-config.yaml | 17 +----------
 README.md | 2 ++
 global/{infra => }/.terraform.lock.hcl | 0
 global/{infra => }/README.md | 4 ++-
 global/backend.tf | 1 +
 global/infra/backend.tf | 1 -
 global/infra/infracost/non-production.yml | 15 ----------
 global/infra/infracost/production.yml | 15 ----------
 global/infra/infracost/sandbox.yml | 15 ----------
 global/{infra => }/locals.tf | 6 ++++
 global/{infra => }/main.tf | 28 ++++++++-----------
 global/{infra => }/outputs.tf | 0
 .../{infra => }/tfvars/non-production.tfvars | 0
 global/{infra => }/tfvars/production.tfvars | 0
 global/{infra => }/tfvars/sandbox.tfvars | 1 +
 global/{infra => }/variables.tf | 6 ++++
 infracost.yml | 26 -----------------
 infracost.yml.tmpl | 22 ---------------
 22 files changed, 41 insertions(+), 149 deletions(-)
 delete mode 100644 .coderabbit.yaml
 rename global/{infra => }/.terraform.lock.hcl (100%)
 rename global/{infra => }/README.md (90%)
 create mode 120000 global/backend.tf
 delete mode 120000 global/infra/backend.tf
 delete mode 100644 global/infra/infracost/non-production.yml
 delete mode 100644 global/infra/infracost/production.yml
 delete mode 100644 global/infra/infracost/sandbox.yml
 rename global/{infra => }/locals.tf (90%)
 rename global/{infra => }/main.tf (87%)
 rename global/{infra => }/outputs.tf (100%)
 rename global/{infra => }/tfvars/non-production.tfvars (100%)
 mode change 100755 => 100644
 rename global/{infra => }/tfvars/production.tfvars (100%)
 mode change 100755 => 100644
 rename global/{infra => }/tfvars/sandbox.tfvars (73%)
 rename global/{infra => }/variables.tf (89%)
 mode change 100755 => 100644
 delete mode 100644 infracost.yml
 delete mode 100644 infracost.yml.tmpl
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
deleted file mode 100644
index 4fdb225..0000000
--- a/.coderabbit.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# CodeRabbit Configuration File
-# https://coderabbit.ai/docs/get-started/customize-coderabbit
-
-# yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json
-
-early_access: true
-reviews:
- request_changes_workflow: true
- auto_review:
- enabled: true
- poem: false
-chat:
- auto_reply: true
diff --git a/.github/workflows/non-production.yml b/.github/workflows/non-production.yml
index 6146f17..becc4f0 100644
--- a/.github/workflows/non-production.yml
+++ b/.github/workflows/non-production.yml
@@ -15,20 +15,20 @@ permissions:
 id-token: write
 jobs:
- global_infra:
+ global:
 name: "Global"
 uses: osinfra-io/github-terraform-called-workflows/.github/workflows/plan-and-apply.yml@v0.2.1
 if: github.actor != 'osinfra-sa'
 with:
 checkout_ref: ${{ github.ref }}
 environment: non-production
- github_environment: "Non-Production Infrastructure: Global"
+ github_environment: "Non-Production: Global"
 service_account: plt-lz-identity-github@ptl-lz-terraform-tf05-nonprod.iam.gserviceaccount.com
 terraform_plan_args: -var-file=tfvars/non-production.tfvars
 terraform_state_bucket: plt-lz-identity-3bfe-nonprod
 terraform_version: ${{ vars.TERRAFORM_VERSION }}
 terraform_workspace: global-non-production
- working_directory: global/infra
+ working_directory: global
 workload_identity_provider: projects/992372365053/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
 secrets:
 gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index d768be3..7803a58 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
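Review bot: Renaming `github_environment` from `"Non-Production Infrastructure: Global"` to `"Non-Production: Global"` points the deployment at a differently named GitHub environment; if the called plan-and-apply workflow passes this value through as the job's `environment:`, GitHub creates the new environment on first use with no protection rules, so any required reviewers or deployment-branch restrictions configured on the old name stop applying until they are recreated. The same rename is made in the production.yml and sandbox.yml hunks that follow, and the production one carries the most risk. Confirm the environments have been renamed in the repository settings before this merges, and consider deleting the old ones so the stale names cannot be referenced again.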
@@ -15,20 +15,20 @@ permissions:
 id-token: write
 jobs:
- global_infra:
+ global:
 name: "Global"
 uses: osinfra-io/github-terraform-called-workflows/.github/workflows/plan-and-apply.yml@v0.2.1
 if: github.event.workflow_run.conclusion == 'success'
 with:
 checkout_ref: ${{ github.ref }}
 environment: production
- github_environment: "Production Infrastructure: Global"
+ github_environment: "Production: Global"
 service_account: plt-lz-identity-github@ptl-lz-terraform-tf62-prod.iam.gserviceaccount.com
 terraform_plan_args: -var-file=tfvars/production.tfvars
 terraform_state_bucket: plt-lz-identity-e194-prod
 terraform_version: ${{ vars.TERRAFORM_VERSION }}
 terraform_workspace: global-production
- working_directory: global/infra
+ working_directory: global
 workload_identity_provider: projects/134040294660/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
 secrets:
 gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/sandbox.yml b/.github/workflows/sandbox.yml
index ce44fba..d3f6340 100644
--- a/.github/workflows/sandbox.yml
+++ b/.github/workflows/sandbox.yml
@@ -16,20 +16,20 @@ permissions:
 id-token: write
 jobs:
- global_infra:
+ global:
 name: "Global"
 uses: osinfra-io/github-terraform-called-workflows/.github/workflows/plan-and-apply.yml@v0.2.1
 if: github.actor != 'dependabot[bot]'
 with:
 checkout_ref: ${{ github.ref }}
 environment: sandbox
- github_environment: "Sandbox Infrastructure: Global"
+ github_environment: "Sandbox: Global"
 service_account: plt-lz-identity-github@ptl-lz-terraform-tf91-sb.iam.gserviceaccount.com
 terraform_plan_args: -var-file=tfvars/sandbox.tfvars
 terraform_state_bucket: plt-lz-identity-2c8b-sb
 terraform_version: ${{ vars.TERRAFORM_VERSION }}
 terraform_workspace: global-sandbox
- working_directory: global/infra
+ working_directory: global
 workload_identity_provider: projects/746490462722/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
 secrets:
 gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5c1d712..73071a4 100755
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,19 +9,9 @@ repos:
 - id: end-of-file-fixer
 - id: trailing-whitespace
 - id: check-symlinks
- - id: no-commit-to-branch
-
- - repo: local
- hooks:
- - id: infracost_generate_config
- name: Infracost generate config
- entry: bash -c 'infracost generate config --repo-path=. --template-path=infracost.yml.tmpl --out-file=infracost.yml'
- language: system
- files: ^infracost\.yml\.tmpl$
- verbose: false
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.88.0
+ rev: v1.88.4
 hooks:
 - id: terraform_fmt
@@ -38,8 +28,3 @@ repos:
 - --hook-config=--path-to-file=README.md
 - --hook-config=--add-to-exiting-file=true
 - --hook-config=--create-file-if-not-exist=false
-
- - id: infracost_breakdown
- args:
- --args=--config-file=infracost.yml
- --args=--sync-usage-file
diff --git a/README.md b/README.md
index b47c244..b0dbfd5 100644
--- a/README.md
+++ b/README.md
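Review bot: The removed `- id: no-commit-to-branch` hook was the local guard against committing straight to the default branch, and nothing in this commit replaces it; the other removals in this hunk and the next (`infracost_generate_config`, `infracost_breakdown`) follow from deleting the Infracost files, but this one does not. If server-side branch protection is the intended control, a one-line comment in the first hook list such as `# direct commits to the default branch are blocked by branch protection; no local hook needed` would keep the next reader from re-adding it. If it was dropped by accident, restoring the single `- id: no-commit-to-branch` line is enough.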
@@ -8,6 +8,8 @@
 [![infracost](https://img.shields.io/endpoint?url=https://dashboard.api.infracost.io/shields/json/cbeecfe3-576f-4553-984c-e451a575ee47/repos/cdfd3281-bb1c-425b-aad0-1a80a1512502/branch/62383c83-9bf4-4fa9-8b48-7b96987f6fc1)](https://dashboard.infracost.io/org/osinfra-io/repos/cdfd3281-bb1c-425b-aad0-1a80a1512502?tab=settings)
+💵 Monthly estimates based on Infracost baseline costs.
+
 ## Repository Description
 This repository configures [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) that aligns with our [Google Cloud landing zone platform](https://docs.osinfra.io/google-cloud-platform/landing-zone) design. A landing zone should be a prerequisite to deploying enterprise workloads in a cloud environment.
diff --git a/global/infra/.terraform.lock.hcl b/global/.terraform.lock.hcl
similarity index 100%
rename from global/infra/.terraform.lock.hcl
rename to global/.terraform.lock.hcl
diff --git a/global/infra/README.md b/global/README.md
similarity index 90%
rename from global/infra/README.md
rename to global/README.md
index e80b1d2..3c46dec 100644
--- a/global/infra/README.md
+++ b/global/README.md
@@ -9,12 +9,13 @@ No requirements.
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | 5.17.0 |
+| [google](#provider\_google) | 5.22.0 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
+| [datadog](#module\_datadog) | github.com/osinfra-io/terraform-datadog-google-integration//global | v0.1.4 |
 | [project](#module\_project) | github.com/osinfra-io/terraform-google-project//global | v0.1.9 |
 ## Resources
@@ -32,6 +33,7 @@ No requirements.
 | [cis\_2\_2\_logging\_sink\_project\_id](#input\_cis\_2\_2\_logging\_sink\_project\_id) | The CIS 2.2 logging sink benchmark project ID | `string` | n/a | yes |
 | [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes |
 | [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog APP key | `string` | n/a | yes |
+| [enable\_datadog](#input\_enable\_datadog) | Enable Datadog integration | `bool` | `false` | no |
 | [environment](#input\_environment) | The environment suffix for example: `sb` (Sandbox), `nonprod` (Non-Production), `prod` (Production) | `string` | `"sb"` | no |
 | [folder\_id](#input\_folder\_id) | The numeric ID of the folder this project should be created under. Only one of `org_id` or `folder_id` may be specified | `string` | n/a | yes |
diff --git a/global/backend.tf b/global/backend.tf
new file mode 120000
index 0000000..441bbf6
--- /dev/null
+++ b/global/backend.tf
@@ -0,0 +1 @@
+../shared/backend.tf
\ No newline at end of file
diff --git a/global/infra/backend.tf b/global/infra/backend.tf
deleted file mode 120000
index f3c74de..0000000
--- a/global/infra/backend.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../shared/backend.tf
\ No newline at end of file
diff --git a/global/infra/infracost/non-production.yml b/global/infra/infracost/non-production.yml
deleted file mode 100644
index 1ecf15d..0000000
--- a/global/infra/infracost/non-production.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# You can use this file to define resource usage estimates for Infracost to use when calculating
-# the cost of usage-based resource, such as AWS S3 or Lambda.
-# `infracost breakdown --usage-file infracost-usage.yml [other flags]`
-# See https://infracost.io/usage-file/ for docs
-version: 0.1
-resource_type_default_usage:
- google_logging_project_sink:
- monthly_logging_data_gb: 15.0 # Monthly logging data in GB.
-# resource_usage:
- ##
- ## The following usage values apply to individual resources and override any value defined in the resource_type_default_usage section.
- ## All values are commented-out, you can uncomment resources and customize as needed.
- ##
- # module.project.google_logging_project_sink.cis_2_2_logging_sink:
- # monthly_logging_data_gb: 0.0 # Monthly logging data in GB.
diff --git a/global/infra/infracost/production.yml b/global/infra/infracost/production.yml
deleted file mode 100644
index 11f944c..0000000
--- a/global/infra/infracost/production.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# You can use this file to define resource usage estimates for Infracost to use when calculating
-# the cost of usage-based resource, such as AWS S3 or Lambda.
-# `infracost breakdown --usage-file infracost-usage.yml [other flags]`
-# See https://infracost.io/usage-file/ for docs
-version: 0.1
-resource_type_default_usage:
- google_logging_project_sink:
- monthly_logging_data_gb: 10.0 # Monthly logging data in GB.
-# resource_usage:
- ##
- ## The following usage values apply to individual resources and override any value defined in the resource_type_default_usage section.
- ## All values are commented-out, you can uncomment resources and customize as needed.
- ##
- # module.project.google_logging_project_sink.cis_2_2_logging_sink:
- # monthly_logging_data_gb: 0.0 # Monthly logging data in GB.
diff --git a/global/infra/infracost/sandbox.yml b/global/infra/infracost/sandbox.yml
deleted file mode 100644
index b5c00cf..0000000
--- a/global/infra/infracost/sandbox.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# You can use this file to define resource usage estimates for Infracost to use when calculating
-# the cost of usage-based resource, such as AWS S3 or Lambda.
-# `infracost breakdown --usage-file infracost-usage.yml [other flags]`
-# See https://infracost.io/usage-file/ for docs
-version: 0.1
-resource_type_default_usage:
- google_logging_project_sink:
- monthly_logging_data_gb: 5.0 # Monthly logging data in GB.
-# resource_usage:
- ##
- ## The following usage values apply to individual resources and override any value defined in the resource_type_default_usage section.
- ## All values are commented-out, you can uncomment resources and customize as needed.
- ##
- # module.project.google_logging_project_sink.cis_2_2_logging_sink:
- # monthly_logging_data_gb: 0.0 # Monthly logging data in GB.
diff --git a/global/infra/locals.tf b/global/locals.tf
similarity index 90%
rename from global/infra/locals.tf
rename to global/locals.tf
index 5e59df7..7eb0f41 100644
--- a/global/infra/locals.tf
+++ b/global/locals.tf
@@ -2,6 +2,12 @@
 # https://www.terraform.io/language/values/locals
 locals {
+ labels = {
+ env = var.environment
+ repository = "google-cloud-workload-identity"
+ platform = "google-cloud-landing-zone"
+ team = "platform-google-cloud-landing-zone"
+ }
 workload_identity = {
 "github-actions" = {
diff --git a/global/infra/main.tf b/global/main.tf
similarity index 87%
rename from global/infra/main.tf
rename to global/main.tf
index edc710d..aa7f04f 100644
--- a/global/infra/main.tf
+++ b/global/main.tf
@@ -29,13 +29,16 @@ provider "datadog" {
 # Datadog Google Cloud Platform Integration Module (osinfra.io)
 # https://github.com/osinfra-io/terraform-datadog-google-integration
-# module "datadog" {
-# source = "github.com/osinfra-io/terraform-datadog-google-integration//global?ref=v0.1.0"
-
-# api_key = var.datadog_api_key
-# is_cspm_enabled = true
-# project = module.project.project_id
-# }
+module "datadog" {
+ source = "github.com/osinfra-io/terraform-datadog-google-integration//global?ref=v0.1.4"
+ count = var.enable_datadog ? 1 : 0
+
+ api_key = var.datadog_api_key
+ cost_center = "x001"
+ is_cspm_enabled = true
+ labels = local.labels
+ project = module.project.project_id
+}
 # Google Project Module (osinfra.io)
 # https://github.com/osinfra-io/terraform-google-project
@@ -49,15 +52,8 @@ module "project" {
 description = "identity"
 environment = var.environment
 folder_id = var.folder_id
-
- labels = {
- env = var.environment
- repository = "google-cloud-workload-identity"
- platform = "google-cloud-landing-zone"
- team = "platform-google-cloud-landing-zone"
- }
-
- prefix = "plt-lz"
+ labels = local.labels
+ prefix = "plt-lz"
 services = [
 "cloudasset.googleapis.com",
diff --git a/global/infra/outputs.tf b/global/outputs.tf
similarity index 100%
rename from global/infra/outputs.tf
rename to global/outputs.tf
diff --git a/global/infra/tfvars/non-production.tfvars b/global/tfvars/non-production.tfvars
old mode 100755
new mode 100644
similarity index 100%
rename from global/infra/tfvars/non-production.tfvars
rename to global/tfvars/non-production.tfvars
diff --git a/global/infra/tfvars/production.tfvars b/global/tfvars/production.tfvars
old mode 100755
new mode 100644
similarity index 100%
rename from global/infra/tfvars/production.tfvars
rename to global/tfvars/production.tfvars
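Review bot: `cost_center = "x001"` is an unexplained literal in the new `module "datadog"` block while every other input there comes from a variable, `local.labels` or another module, so it reads like a placeholder; a comment naming what the code refers to, or a `cost_center` entry in `locals.tf` next to `labels`, would make the intent reviewable. The `source` is pinned to the git tag `v0.1.4`, which the upstream repository can move; pinning `?ref=` to a commit SHA gives a verifiable supply-chain pin, although the existing `module "project"` pin in the second hunk uses a tag the same way. Because the block now uses `count`, any reference to its outputs has to be written as `module.datadog[0]`; none appear in this diff and outputs.tf is renamed unchanged, so this only matters for future references.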
diff --git a/global/infra/tfvars/sandbox.tfvars b/global/tfvars/sandbox.tfvars
similarity index 73%
rename from global/infra/tfvars/sandbox.tfvars
rename to global/tfvars/sandbox.tfvars
index 4b207ed..1516572 100644
--- a/global/infra/tfvars/sandbox.tfvars
+++ b/global/tfvars/sandbox.tfvars
@@ -1,2 +1,3 @@
 cis_2_2_logging_sink_project_id = "plt-lz-audit01-tf92-sb"
+enable_datadog = true
 folder_id = "267179923152"
diff --git a/global/infra/variables.tf b/global/variables.tf
old mode 100755
new mode 100644
similarity index 89%
rename from global/infra/variables.tf
rename to global/variables.tf
index 62f67c9..be075ea
--- a/global/infra/variables.tf
+++ b/global/variables.tf
@@ -24,6 +24,12 @@ variable "datadog_app_key" {
 sensitive = true
 }
+variable "enable_datadog" {
+ description = "Enable Datadog integration"
+ type = bool
+ default = false
+}
+
 variable "environment" {
 description = "The environment suffix for example: `sb` (Sandbox), `nonprod` (Non-Production), `prod` (Production)"
 type = string
diff --git a/infracost.yml b/infracost.yml
deleted file mode 100644
index ecece66..0000000
--- a/infracost.yml
+++ /dev/null
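Review bot: `enable_datadog = true` is added only to sandbox.tfvars, while the diffstat shows production.tfvars and non-production.tfvars renamed at 100% similarity, so with the new variable's `default = false` the Datadog integration, including the `is_cspm_enabled = true` posture monitoring set in main.tf, stays off in those two environments. If this is a deliberate staged rollout it is worth a sentence in the commit message; if not, the same line belongs in the other two tfvars files.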
@@ -1,26 +0,0 @@
-
-# Infracost Configuration
-# https://www.infracost.io/docs/config_file
-
-# Do not edit the infracost.yml file directly, it is generated by the infracost.yml.tmpl file.
-# Edit the infracost.yml.tmpl file and run the following command from the root of the repository to generate the infracost.yml file:
-
-# infracost generate config --repo-path=. --template-path=infracost.yml.tmpl --out-file=infracost.yml
-
-version: 0.1
-projects:
- - path: global/infra
- name: "global/infra: non-production"
- usage_file: global/infra/infracost/non-production.yml
- terraform_var_files:
- - tfvars/non-production.tfvars
- - path: global/infra
- name: "global/infra: production"
- usage_file: global/infra/infracost/production.yml
- terraform_var_files:
- - tfvars/production.tfvars
- - path: global/infra
- name: "global/infra: sandbox"
- usage_file: global/infra/infracost/sandbox.yml
- terraform_var_files:
- - tfvars/sandbox.tfvars
diff --git a/infracost.yml.tmpl b/infracost.yml.tmpl
deleted file mode 100644
index 95070d0..0000000
--- a/infracost.yml.tmpl
+++ /dev/null
@@ -1,22 +0,0 @@
-{{/* Infracost Template: https://www.infracost.io/docs/features/config_file/#template-syntax */}}
-# Infracost Configuration
-# https://www.infracost.io/docs/config_file
-
-# Do not edit the infracost.yml file directly, it is generated by the infracost.yml.tmpl file.
-# Edit the infracost.yml.tmpl file and run the following command from the root of the repository to generate the infracost.yml file:
-
-# infracost generate config --repo-path=. --template-path=infracost.yml.tmpl --out-file=infracost.yml
-
-version: 0.1
-projects:
-{{- range $match := matchPaths ":location(global|regional)/:type(app|infra)/:app?/tfvars/:env.tfvars" }}
- {{- $appDir := ""}}
- {{- if $match.app }}
- {{- $appDir = print "/" $match.app }}
- {{- end }}
- - path: {{ $match.location }}/{{ $match.type }}{{ $appDir }}
- name: "{{ $match.location }}/{{ $match.type }}{{ $appDir }}: {{ $match.env }}"
- usage_file: {{ $match.location }}/{{ $match.type }}{{ $appDir }}/infracost/{{ $match.env }}.yml
- terraform_var_files:
- - tfvars/{{ $match.env }}.tfvars
-{{- end }}