Update service account and support for helpers (#146)

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

.github/workflows/non-production.yml

@@ -23,9 +23,9 @@ jobs:
       checkout_ref: ${{ github.ref }}
       environment: non-production
       github_environment: "Non-Production: Main"
-      service_account: plt-lz-services-github@ptl-lz-terraform-tf05-nonprod.iam.gserviceaccount.com
+      service_account: plt-lz-services-github@plt-lz-terraform-tfe2-nonprod.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/non-production.tfvars
-      terraform_state_bucket: plt-lz-services-3bfe-nonprod
+      terraform_state_bucket: plt-lz-services-ae26-nonprod
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: main-non-production
       workload_identity_provider: projects/992372365053/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
@@ -45,9 +45,9 @@ jobs:
       checkout_ref: ${{ github.ref }}
       environment: us-east1-non-production
       github_environment: "Non-Production: Regional - us-east1"
-      service_account: plt-lz-services-github@ptl-lz-terraform-tf05-nonprod.iam.gserviceaccount.com
+      service_account: plt-lz-services-github@plt-lz-terraform-tfe2-nonprod.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/us-east1-non-production.tfvars
-      terraform_state_bucket: plt-lz-services-3bfe-nonprod
+      terraform_state_bucket: plt-lz-services-ae26-nonprod
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: us-east1-non-production
       working_directory: regional

.github/workflows/production.yml

@@ -23,9 +23,9 @@ jobs:
       checkout_ref: ${{ github.ref }}
       environment: production
       github_environment: "Production: Main"
-      service_account: plt-lz-services-github@ptl-lz-terraform-tf62-prod.iam.gserviceaccount.com
+      service_account: plt-lz-services-github@plt-lz-terraform-tf56-prod.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/production.tfvars
-      terraform_state_bucket: plt-lz-services-e194-prod
+      terraform_state_bucket: plt-lz-services-53a5-prod
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: main-production
       workload_identity_provider: projects/134040294660/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
@@ -45,9 +45,9 @@ jobs:
       checkout_ref: ${{ github.ref }}
       environment: us-east1-production
       github_environment: "Production: Regional - us-east1"
-      service_account: plt-lz-services-github@ptl-lz-terraform-tf62-prod.iam.gserviceaccount.com
+      service_account: plt-lz-services-github@plt-lz-terraform-tf56-prod.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/us-east1-production.tfvars
-      terraform_state_bucket: plt-lz-services-e194-prod
+      terraform_state_bucket: plt-lz-services-53a5-prod
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: us-east1-production
       working_directory: regional

.github/workflows/sandbox.yml

@@ -24,9 +24,9 @@ jobs:
       checkout_ref: ${{ github.ref }}
       environment: sandbox
       github_environment: "Sandbox: Main"
-      service_account: plt-lz-services-github@ptl-lz-terraform-tf91-sb.iam.gserviceaccount.com
+      service_account: plt-lz-services-github@plt-lz-terraform-tf00-sb.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/sandbox.tfvars
-      terraform_state_bucket: plt-lz-services-2c8b-sb
+      terraform_state_bucket: plt-lz-services-4312-sb
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: main-sandbox
       workload_identity_provider: projects/746490462722/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
@@ -46,9 +46,9 @@ jobs:
       checkout_ref: ${{ github.ref }}
       environment: us-east1-sandbox
       github_environment: "Sandbox: Regional - us-east1"
-      service_account: plt-lz-services-github@ptl-lz-terraform-tf91-sb.iam.gserviceaccount.com
+      service_account: plt-lz-services-github@plt-lz-terraform-tf00-sb.iam.gserviceaccount.com
       terraform_plan_args: -var-file=tfvars/us-east1-sandbox.tfvars
-      terraform_state_bucket: plt-lz-services-2c8b-sb
+      terraform_state_bucket: plt-lz-services-4312-sb
       terraform_version: ${{ vars.TERRAFORM_VERSION }}
       terraform_workspace: us-east1-sandbox
       working_directory: regional

.gitignore

@@ -15,9 +15,6 @@ crash.log
 # be included in version control.
 local.tfvars
 
-# Provider.tf is used for local development of modules and shouldn't be added to repos.
-provider.tf
-
 # Ignore override files as they are usually used to override ressources locally
 override.tf
 override.tf.json

.pre-commit-config.yaml

@@ -3,15 +3,15 @@
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: check-yaml
       - id: end-of-file-fixer
       - id: trailing-whitespace
       - id: check-symlinks
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.96.2
     hooks:
       - id: terraform_fmt
 
@@ -22,22 +22,19 @@ repos:
         args:
           - --hook-config=--retry-once-with-cleanup=true
           - --tf-init-args=-upgrade
+        exclude: tests/fixtures/shared
 
       # Always run after terraform_validate
 
       - id: terraform_docs
-        args:
-          - --hook-config=--path-to-file=README.md
-          - --hook-config=--add-to-exiting-file=true
-          - --hook-config=--create-file-if-not-exist=false
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.255
+    rev: 3.2.344
     hooks:
       - id: checkov
         verbose: true
         args:
+          - --download-external-modules=true
           - --skip-check
           - "CKV_TF_1"
-          - --download-external-modules=true
           - --quiet

README.md

@@ -53,21 +53,21 @@ Links to documentation and other resources required to develop and iterate in th
 | Name | Source | Version |
 |------|--------|---------|
 | datadog | github.com/osinfra-io/terraform-datadog-google-integration | v0.3.0 |
-| project | github.com/osinfra-io/terraform-google-project | v0.4.0 |
+| helpers | github.com/osinfra-io/terraform-core-helpers//root | v0.1.2 |
+| project | github.com/osinfra-io/terraform-google-project | v0.4.5 |
 
 #### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| billing\_account | The alphanumeric ID of the billing account this project belongs to | `string` | `"01C550-A2C86B-B8F16B"` | no |
-| cis\_2\_2\_logging\_sink\_project\_id | The CIS 2.2 logging sink benchmark project ID | `string` | n/a | yes |
 | datadog\_api\_key | Datadog API key | `string` | n/a | yes |
 | datadog\_app\_key | Datadog APP key | `string` | n/a | yes |
-| enable\_datadog | Enable Datadog integration | `bool` | `false` | no |
-| enable\_datadog\_cloud\_cost\_management | Enable Datadog cloud cost management | `bool` | `false` | no |
-| environment | The environment for example: `sandbox`, `non-production`, `production` | `string` | `"sandbox"` | no |
-| folder\_id | The numeric ID of the folder this project should be created under. Only one of `org_id` or `folder_id` may be specified | `string` | n/a | yes |
-| monthly\_budget\_amount | The monthly budget amount in USD to set for the project | `number` | `5` | no |
+| datadog\_enable | Enable Datadog integration | `bool` | `false` | no |
+| datadog\_enable\_cloud\_cost\_management | Enable Datadog cloud cost management | `bool` | `false` | no |
+| project\_billing\_account | The alphanumeric ID of the billing account this project belongs to | `string` | `"01C550-A2C86B-B8F16B"` | no |
+| project\_cis\_2\_2\_logging\_sink\_project\_id | The CIS 2.2 logging sink benchmark project ID | `string` | n/a | yes |
+| project\_folder\_id | The numeric ID of the folder this project should be created under. Only one of `org_id` or `folder_id` may be specified | `string` | n/a | yes |
+| project\_monthly\_budget\_amount | The monthly budget amount in USD to set for the project | `number` | `5` | no |
 
 #### Outputs
 

helpers.tf

@@ -0,0 +1 @@
+shared/helpers.tf

main.tf

@@ -31,13 +31,13 @@ provider "datadog" {
 
 module "datadog" {
   source = "github.com/osinfra-io/terraform-datadog-google-integration?ref=v0.3.0"
-  count  = var.enable_datadog ? 1 : 0
+  count  = var.datadog_enable ? 1 : 0
 
   api_key                            = var.datadog_api_key
-  enable_cloud_cost_management       = var.enable_datadog_cloud_cost_management
+  enable_cloud_cost_management       = var.datadog_enable_cloud_cost_management
   is_security_command_center_enabled = true
   is_cspm_enabled                    = true
-  labels                             = local.labels
+  labels                             = module.helpers.labels
   project                            = module.project.id
 }
 
@@ -47,13 +47,12 @@ module "datadog" {
 module "project" {
   source = "github.com/osinfra-io/terraform-google-project?ref=v0.4.5"
 
-  billing_account                 = var.billing_account
-  cis_2_2_logging_sink_project_id = var.cis_2_2_logging_sink_project_id
+  billing_account                 = var.project_billing_account
+  cis_2_2_logging_sink_project_id = var.project_cis_2_2_logging_sink_project_id
   description                     = "services"
-  environment                     = local.env
-  folder_id                       = var.folder_id
-  labels                          = local.labels
-  monthly_budget_amount           = var.monthly_budget_amount
+  folder_id                       = var.project_folder_id
+  labels                          = module.helpers.labels
+  monthly_budget_amount           = var.project_monthly_budget_amount
   prefix                          = "plt-lz"
 
   services = [

regional/README.md

@@ -9,12 +9,14 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 6.4.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 6.14.1 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_helpers"></a> [helpers](#module\_helpers) | github.com/osinfra-io/terraform-core-helpers//root | v0.1.2 |
 
 ## Resources
 
@@ -33,8 +35,6 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_docker_repositories"></a> [docker\_repositories](#input\_docker\_repositories) | The map of names and members for the Docker artifact registry repositories | <pre>map(object({<br/>    registry_readers = optional(list(string))<br/>    registry_writers = optional(list(string))<br/>  }))</pre> | `{}` | no |
 | <a name="input_enable_docker_remote_repository"></a> [enable\_docker\_remote\_repository](#input\_enable\_docker\_remote\_repository) | Enable the Docker remote repository | `bool` | `false` | no |
-| <a name="input_environment"></a> [environment](#input\_environment) | The environment for example: `sandbox`, `non-production`, `production` | `string` | `"sandbox"` | no |
-| <a name="input_region"></a> [region](#input\_region) | The region for this subnetwork | `string` | n/a | yes |
 | <a name="input_remote_bucket"></a> [remote\_bucket](#input\_remote\_bucket) | The remote bucket the `terraform_remote_state` data source retrieves the state from | `string` | n/a | yes |
 
 ## Outputs

regional/helpers.tf

@@ -0,0 +1 @@
+../shared/helpers.tf

regional/locals.tf

@@ -2,21 +2,5 @@
 # https://www.terraform.io/docs/language/values/locals.html
 
 locals {
-  env = lookup(local.env_map, var.environment, "none")
-
-  env_map = {
-    "non-production" = "nonprod"
-    "production"     = "prod"
-    "sandbox"        = "sb"
-  }
-
-  labels = {
-    cost-center = "x001"
-    env         = var.environment
-    repository  = "google-cloud-services"
-    platform    = "google-cloud-landing-zone"
-    team        = "platform-google-cloud-landing-zone"
-  }
-
   main = data.terraform_remote_state.main.outputs
 }

regional/main.tf

@@ -24,7 +24,7 @@ data "terraform_remote_state" "main" {
     prefix = "google-cloud-services"
   }
 
-  workspace = "main-${var.environment}"
+  workspace = "main-${module.helpers.environment}"
 }
 
 # Google Artifact Registry Repository
@@ -38,7 +38,7 @@ resource "google_artifact_registry_repository" "docker_standard" {
 
   description   = "Registry for multi-region - US Standard : ${each.key}"
   format        = "DOCKER"
-  labels        = local.labels
+  labels        = module.helpers.labels
   location      = "us"
   project       = local.main.project_id
   repository_id = "${each.key}-standard"
@@ -49,7 +49,7 @@ resource "google_artifact_registry_repository" "docker_remote" {
 
   description = "Registry for multi-region - US Docker Hub"
   format      = "DOCKER"
-  labels      = local.labels
+  labels      = module.helpers.labels
   location    = "us"
   mode        = "REMOTE_REPOSITORY"
   project     = local.main.project_id
@@ -73,7 +73,7 @@ resource "google_artifact_registry_repository" "docker_virtual" {
 
   description   = "Registry for multi-region - US Virtual : ${each.key}"
   format        = "DOCKER"
-  labels        = local.labels
+  labels        = module.helpers.labels
   location      = "us"
   mode          = "VIRTUAL_REPOSITORY"
   project       = local.main.project_id

regional/tfvars/us-east1-non-production.tfvars

@@ -1,3 +1 @@
-environment   = "non-production"
-region        = "us-east1"
-remote_bucket = "plt-lz-services-3bfe-nonprod"
+remote_bucket = "plt-lz-services-ae26-nonprod"

regional/tfvars/us-east1-production.tfvars

@@ -1,5 +1,4 @@
 enable_docker_remote_repository = true
-environment                     = "production"
 
 docker_repositories = {
   "plt-docker" = {
@@ -12,6 +11,4 @@ docker_repositories = {
   }
 }
 
-
-region        = "us-east1"
-remote_bucket = "plt-lz-services-e194-prod"
+remote_bucket = "plt-lz-services-53a5-prod"

regional/tfvars/us-east1-sandbox.tfvars

@@ -11,5 +11,4 @@ docker_repositories = {
   }
 }
 
-region        = "us-east1"
-remote_bucket = "plt-lz-services-2c8b-sb"
+remote_bucket = "plt-lz-services-4312-sb"

regional/variables.tf

@@ -1,9 +1,3 @@
-variable "environment" {
-  description = "The environment for example: `sandbox`, `non-production`, `production`"
-  type        = string
-  default     = "sandbox"
-}
-
 variable "docker_repositories" {
   description = "The map of names and members for the Docker artifact registry repositories"
   type = map(object({
@@ -19,11 +13,6 @@ variable "enable_docker_remote_repository" {
   default     = false
 }
 
-variable "region" {
-  description = "The region for this subnetwork"
-  type        = string
-}
-
 variable "remote_bucket" {
   type        = string
   description = "The remote bucket the `terraform_remote_state` data source retrieves the state from"

shared/helpers.tf

@@ -0,0 +1,11 @@
+# Terraform Core Helpers Module (osinfra.io)
+# https://github.com/osinfra-io/terraform-core-helpers
+
+module "helpers" {
+  source = "github.com/osinfra-io/terraform-core-helpers//root?ref=v0.1.2"
+
+  cost_center         = "x001"
+  data_classification = "public"
+  repository          = "google-cloud-services"
+  team                = "platform-google-cloud-landing-zone"
+}

tfvars/non-production.tfvars

@@ -1,3 +1,2 @@
-cis_2_2_logging_sink_project_id = "plt-lz-audit01-tff4-nonprod"
-environment                     = "non-production"
-folder_id                       = "306437988454"
+project_cis_2_2_logging_sink_project_id = "plt-lz-audit01-tff4-nonprod"
+project_folder_id                       = "306437988454"

tfvars/production.tfvars

@@ -1,6 +1,5 @@
-cis_2_2_logging_sink_project_id      = "plt-lz-audit01-tf91-prod"
-enable_datadog                       = true
-enable_datadog_cloud_cost_management = true
-environment                          = "production"
-folder_id                            = "638543714452"
-monthly_budget_amount                = 25
+datadog_enable                          = true
+datadog_enable_cloud_cost_management  = true
+project_cis_2_2_logging_sink_project_id = "plt-lz-audit01-tf91-prod"
+project_folder_id                       = "638543714452"
+project_monthly_budget_amount           = 25

tfvars/sandbox.tfvars

@@ -1,4 +1,4 @@
-cis_2_2_logging_sink_project_id      = "plt-lz-audit01-tf92-sb"
-enable_datadog                       = false
-enable_datadog_cloud_cost_management = false
-folder_id                            = "44679921766"
+datadog_enable                          = false
+datadog_enable_cloud_cost_management    = false
+project_cis_2_2_logging_sink_project_id = "plt-lz-audit01-tf92-sb"
+project_folder_id                       = "44679921766"