Merge branch 'master' into remove-env-monitoring-projects

0-bootstrap/Dockerfile

@@ -15,7 +15,7 @@
 FROM gcr.io/cloud-builders/gcloud-slim
 
 # Use ARG so that values can be overriden by user/cloudbuild
-ARG TERRAFORM_VERSION=1.3.0
+ARG TERRAFORM_VERSION=1.3.10
 
 ENV ENV_TERRAFORM_VERSION=$TERRAFORM_VERSION
 

0-bootstrap/README-GitHub.md

@@ -15,7 +15,7 @@ To run the instructions described in this document, install the following:
 - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later
     - [terraform-tools](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) component
 - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later
-- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0  or later
+- [Terraform](https://www.terraform.io/downloads.html) version 1.3.10  or later
 
 Also make sure that you have the following:
 

0-bootstrap/README-GitLab.md

@@ -13,7 +13,7 @@ To run the instructions described in this document, install the following:
 - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later
     - [terraform-tools](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) component
 - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later
-- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0 or later
+- [Terraform](https://www.terraform.io/downloads.html) version 1.3.10 or later
 - [jq](https://jqlang.github.io/jq/) version 1.6 or later.
 
 Also make sure that you have the following:

0-bootstrap/README-Jenkins.md

@@ -196,7 +196,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
 ### II. Create the SEED and CI/CD projects using Terraform
 
 - Required information:
-  - Terraform version 1.3.0 - See [Requirements](#requirements) section for more details.
+  - Terraform version 1.3.10 - See [Requirements](#requirements) section for more details.
   - The `terraform.tfvars` file with all the necessary values.
 
 1. Get the appropriate credentials: run the following command with an account that has the [necessary permissions](./modules/jenkins-agent/README.md#permissions).
@@ -209,7 +209,7 @@ You arrived to these instructions because you are using the `jenkins_bootstrap`
 
 1. Run terraform commands.
    - After the credentials are configured, we will create the `prj-b-seed` project (which contains the GCS state bucket and Terraform custom service account) and the `prj-b-cicd` project (which contains the Jenkins Agent, its custom service account and where we will add VPN configuration)
-   - **Use Terraform 1.3.0** to run the terraform script with the commands below
+   - **Use Terraform 1.3.10** to run the terraform script with the commands below
 
    ```bash
    terraform init

0-bootstrap/README-Terraform-Cloud.md

@@ -17,7 +17,7 @@ To run the instructions described in this document, install the following:
 - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later
     - [terraform-tools](https://cloud.google.com/docs/terraform/policy-validation/validate-policies#install) component
 - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later
-- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0  or later
+- [Terraform](https://www.terraform.io/downloads.html) version 1.3.10  or later
 - [jq](https://jqlang.github.io/jq/download/) version 1.6.0 or later
 
 Also make sure that you have the following:

0-bootstrap/README.md

@@ -64,10 +64,10 @@ To run the commands described in this document, install the following:
 
 - [Google Cloud SDK](https://cloud.google.com/sdk/install) version 393.0.0 or later
 - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) version 2.28.0 or later
-- [Terraform](https://www.terraform.io/downloads.html) version 1.3.0
+- [Terraform](https://www.terraform.io/downloads.html) version 1.3.10
 - [jq](https://jqlang.github.io/jq/download/) version 1.6.0 or later
 
-**Note:** Make sure that you use version 1.3.0 of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors.
+**Note:** Make sure that you use version 1.3.10 of Terraform throughout this series. Otherwise, you might experience Terraform state snapshot lock errors.
 
 Also make sure that you've done the following:
 
@@ -307,6 +307,9 @@ Each step has instructions for this change.
 | bucket\_prefix | Name prefix to use for state bucket created. | `string` | `"bkt"` | no |
 | bucket\_tfstate\_kms\_force\_destroy | When deleting a bucket, this boolean option will delete the KMS keys used for the Terraform state bucket. | `bool` | `false` | no |
 | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| default\_region\_2 | Secondary default region to create resources where applicable. | `string` | `"us-west1"` | no |
+| default\_region\_gcs | Case-Sensitive default region to create gcs resources where applicable. | `string` | `"US"` | no |
+| default\_region\_kms | Secondary default region to create kms resources where applicable. | `string` | `"us"` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | groups | Contain the details of the Groups to be created. | <pre>object({<br>    create_required_groups = optional(bool, false)<br>    create_optional_groups = optional(bool, false)<br>    billing_project        = optional(string, null)<br>    required_groups = object({<br>      group_org_admins     = string<br>      group_billing_admins = string<br>      billing_data_users   = string<br>      audit_data_users     = string<br>    })<br>    optional_groups = optional(object({<br>      monitoring_workspace_users = optional(string, "")<br>      gcp_security_reviewer      = optional(string, "")<br>      gcp_network_viewer         = optional(string, "")<br>      gcp_scc_admin              = optional(string, "")<br>      gcp_global_secrets_admin   = optional(string, "")<br>      gcp_kms_admin              = optional(string, "")<br>    }), {})<br>  })</pre> | n/a | yes |
 | initial\_group\_config | Define the group configuration when it is initialized. Valid values are: WITH\_INITIAL\_OWNER, EMPTY and INITIAL\_GROUP\_CONFIG\_UNSPECIFIED. | `string` | `"WITH_INITIAL_OWNER"` | no |

0-bootstrap/cb.tf

@@ -16,7 +16,7 @@
 
 locals {
   // terraform version image configuration
-  terraform_version = "1.3.0"
+  terraform_version = "1.3.10"
   // The version of the terraform docker image to be used in the workspace builds
   docker_tag_version_terraform = "v1"
 
@@ -70,7 +70,7 @@ resource "random_string" "suffix" {
 
 module "gcp_projects_state_bucket" {
   source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   name          = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate"
   project_id    = module.seed_bootstrap.seed_project_id
@@ -86,7 +86,7 @@ module "gcp_projects_state_bucket" {
 
 module "tf_source" {
   source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source"
-  version = "~> 7.0"
+  version = "~> 8.0"
 
   org_id                = var.org_id
   folder_id             = google_folder.bootstrap.id
@@ -155,7 +155,7 @@ module "tf_private_pool" {
 
 module "tf_cloud_builder" {
   source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_builder"
-  version = "~> 7.0"
+  version = "~> 8.0"
 
   project_id                   = module.tf_source.cloudbuild_project_id
   dockerfile_repo_uri          = module.tf_source.csr_repos[local.cloudbuilder_repo].url
@@ -206,7 +206,7 @@ module "build_terraform_image" {
 
 module "tf_workspace" {
   source   = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_workspace"
-  version  = "~> 7.0"
+  version  = "~> 8.0"
   for_each = local.granular_sa
 
   project_id                = module.tf_source.cloudbuild_project_id

0-bootstrap/github.tf.example

@@ -42,7 +42,7 @@ locals {
     "PROJECT_ID" : module.gh_cicd.project_id,
     "WIF_PROVIDER_NAME" : module.gh_oidc.provider_name,
     "TF_BACKEND" : module.seed_bootstrap.gcs_bucket_tfstate,
-    "TF_VAR_gh_token": var.gh_token,
+    "TF_VAR_gh_token" : var.gh_token,
   }
 
   secrets_list = flatten([
@@ -70,7 +70,7 @@ locals {
 
 module "gh_cicd" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 12.0"
+  version = "~> 15.0"
 
   name              = "${var.project_prefix}-b-cicd-wif-gh"
   random_project_id = true
@@ -90,7 +90,7 @@ module "gh_cicd" {
 }
 
 module "gh_oidc" {
-  source = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
+  source  = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
   version = "~> 3.1"
 
   project_id  = module.gh_cicd.project_id

0-bootstrap/gitlab.tf.example

@@ -81,7 +81,7 @@ provider "gitlab" {
 
 module "gitlab_cicd" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 12.0"
+  version = "~> 15.0"
 
   name              = "${var.project_prefix}-b-cicd-wif-gl"
   random_project_id = true

0-bootstrap/main.tf

@@ -41,7 +41,7 @@ resource "google_folder" "bootstrap" {
 
 module "seed_bootstrap" {
   source  = "terraform-google-modules/bootstrap/google"
-  version = "~> 7.0"
+  version = "~> 8.0"
 
   org_id                         = var.org_id
   folder_id                      = google_folder.bootstrap.id

0-bootstrap/modules/jenkins-agent/README.md

@@ -77,7 +77,7 @@ module "jenkins_bootstrap" {
 | storage\_bucket\_prefix | Name prefix to use for storage buckets. | `string` | `"bkt"` | no |
 | terraform\_sa\_names | Fully-qualified name of the Terraform Service Accounts. It must be supplied by the Seed Project | `map(string)` | n/a | yes |
 | terraform\_state\_bucket | Default state bucket, used in Cloud Build substitutions. It must be supplied by the Seed Project | `string` | n/a | yes |
-| terraform\_version | Default terraform version. | `string` | `"1.3.0"` | no |
+| terraform\_version | Default terraform version. | `string` | `"1.3.10"` | no |
 | terraform\_version\_sha256sum | sha256sum for default terraform version. | `string` | `"380ca822883176af928c80e5771d1c0ac9d69b13c6d746e6202482aedde7d457"` | no |
 | tunnel0\_bgp\_peer\_address | BGP peer address for tunnel 0 | `string` | n/a | yes |
 | tunnel0\_bgp\_session\_range | BGP session range for tunnel 0 | `string` | n/a | yes |
@@ -103,8 +103,8 @@ module "jenkins_bootstrap" {
 ### Software
 
 - [gcloud sdk](https://cloud.google.com/sdk/install) >= 393.0.0
-- [Terraform](https://www.terraform.io/downloads.html) = 1.3.0
-  - The scripts in this codebase use Terraform v1.3.0. You should use the same version in the manual steps to avoid [Terraform State Snapshot Lock](https://github.com/hashicorp/terraform/issues/23290) errors caused by differences in terraform versions.
+- [Terraform](https://www.terraform.io/downloads.html) = 1.3.10
+  - The scripts in this codebase use Terraform v1.3.10. You should use the same version in the manual steps to avoid [Terraform State Snapshot Lock](https://github.com/hashicorp/terraform/issues/23290) errors caused by differences in terraform versions.
 
 ### Infrastructure
 

0-bootstrap/modules/jenkins-agent/main.tf

@@ -46,9 +46,10 @@ module "cicd_project" {
   Jenkins Agent GCE instance
 *******************************************/
 resource "google_service_account" "jenkins_agent_gce_sa" {
-  project      = module.cicd_project.project_id
-  account_id   = format("%s-%s", var.service_account_prefix, var.jenkins_agent_sa_email)
-  display_name = "Jenkins Agent (GCE instance) custom Service Account"
+  project                      = module.cicd_project.project_id
+  account_id                   = format("%s-%s", var.service_account_prefix, var.jenkins_agent_sa_email)
+  display_name                 = "Jenkins Agent (GCE instance) custom Service Account"
+  create_ignore_already_exists = true
 }
 
 data "template_file" "jenkins_agent_gce_startup_script" {

0-bootstrap/modules/jenkins-agent/variables.tf

@@ -215,7 +215,7 @@ variable "folder_id" {
 variable "terraform_version" {
   description = "Default terraform version."
   type        = string
-  default     = "1.3.0"
+  default     = "1.3.10"
 }
 
 variable "terraform_version_sha256sum" {

0-bootstrap/modules/tfc-agent-gke/main.tf

@@ -82,10 +82,12 @@ module "network" {
  *****************************************/
 
 resource "google_service_account" "tfc_agent_service_account" {
-  count        = var.create_service_account ? 1 : 0
-  project      = var.project_id
-  account_id   = "tfc-agent-gke"
-  display_name = "Terraform Cloud agent GKE Service Account"
+  count = var.create_service_account ? 1 : 0
+
+  project                      = var.project_id
+  account_id                   = "tfc-agent-gke"
+  display_name                 = "Terraform Cloud agent GKE Service Account"
+  create_ignore_already_exists = true
 }
 
 /*****************************************
@@ -370,7 +372,7 @@ resource "google_compute_firewall" "allow_private_api_egress" {
 
 module "private_service_connect" {
   source  = "terraform-google-modules/network/google//modules/private-service-connect"
-  version = "~> 9.0"
+  version = "~> 9.1"
 
   project_id                 = var.project_id
   dns_code                   = "dz-${local.vpc_name}"

0-bootstrap/outputs.tf

@@ -56,6 +56,9 @@ output "common_config" {
     parent_folder         = var.parent_folder,
     billing_account       = var.billing_account,
     default_region        = var.default_region,
+    default_region_2      = var.default_region_2,
+    default_region_gcs    = var.default_region_gcs,
+    default_region_kms    = var.default_region_kms,
     project_prefix        = var.project_prefix,
     folder_prefix         = var.folder_prefix
     parent_id             = local.parent

0-bootstrap/sa.tf

@@ -140,9 +140,10 @@ locals {
 resource "google_service_account" "terraform-env-sa" {
   for_each = local.granular_sa
 
-  project      = module.seed_bootstrap.seed_project_id
-  account_id   = "sa-terraform-${each.key}"
-  display_name = each.value
+  project                      = module.seed_bootstrap.seed_project_id
+  account_id                   = "sa-terraform-${each.key}"
+  display_name                 = each.value
+  create_ignore_already_exists = true
 }
 
 module "org_iam_member" {

0-bootstrap/terraform.example.tfvars

@@ -40,7 +40,10 @@ groups = {
   # }
 }
 
-default_region = "us-central1"
+default_region     = "us-central1"
+default_region_2   = "us-west1"
+default_region_gcs = "US"
+default_region_kms = "us"
 
 # Optional - for an organization with existing projects or for development/validation.
 # Uncomment this variable to place all the example foundation resources under

0-bootstrap/terraform_cloud.tf.example

@@ -52,25 +52,25 @@ locals {
       "1-shared" = { vcs_branch = "production", directory = "/envs/shared" }
     },
     "env" = {
-      "2-production"     = { vcs_branch = "production", directory = "/envs/production" },
+      "2-production"    = { vcs_branch = "production", directory = "/envs/production" },
       "2-nonproduction" = { vcs_branch = "nonproduction", directory = "/envs/nonproduction" },
-      "2-development"    = { vcs_branch = "development", directory = "/envs/development" },
+      "2-development"   = { vcs_branch = "development", directory = "/envs/development" },
     },
     "net" = {
-      "3-production"     = { vcs_branch = "production", directory = "/envs/production" },
+      "3-production"    = { vcs_branch = "production", directory = "/envs/production" },
       "3-nonproduction" = { vcs_branch = "nonproduction", directory = "/envs/nonproduction" },
-      "3-development"    = { vcs_branch = "development", directory = "/envs/development" },
-      "3-shared"         = { vcs_branch = "production", directory = "/envs/shared" },
+      "3-development"   = { vcs_branch = "development", directory = "/envs/development" },
+      "3-shared"        = { vcs_branch = "production", directory = "/envs/shared" },
     },
     "proj" = {
-      "4-bu1-production"     = { vcs_branch = "production", directory = "/business_unit_1/production" },
+      "4-bu1-production"    = { vcs_branch = "production", directory = "/business_unit_1/production" },
       "4-bu1-nonproduction" = { vcs_branch = "nonproduction", directory = "/business_unit_1/nonproduction" },
-      "4-bu1-development"    = { vcs_branch = "development", directory = "/business_unit_1/development" },
-      "4-bu1-shared"         = { vcs_branch = "production", directory = "/business_unit_1/shared" },
-      "4-bu2-production"     = { vcs_branch = "production", directory = "/business_unit_2/production" },
+      "4-bu1-development"   = { vcs_branch = "development", directory = "/business_unit_1/development" },
+      "4-bu1-shared"        = { vcs_branch = "production", directory = "/business_unit_1/shared" },
+      "4-bu2-production"    = { vcs_branch = "production", directory = "/business_unit_2/production" },
       "4-bu2-nonproduction" = { vcs_branch = "nonproduction", directory = "/business_unit_2/nonproduction" },
-      "4-bu2-development"    = { vcs_branch = "development", directory = "/business_unit_2/development" },
-      "4-bu2-shared"         = { vcs_branch = "production", directory = "/business_unit_2/shared" },
+      "4-bu2-development"   = { vcs_branch = "development", directory = "/business_unit_2/development" },
+      "4-bu2-shared"        = { vcs_branch = "production", directory = "/business_unit_2/shared" },
 
     },
   }
@@ -230,7 +230,7 @@ resource "tfe_run_trigger" "projects_bu2_shared_production" {
 
 module "tfc_cicd" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 12.0"
+  version = "~> 15.0"
 
   name              = "${var.project_prefix}-b-cicd-wif-tfc"
   random_project_id = true

0-bootstrap/variables.tf

@@ -30,6 +30,24 @@ variable "default_region" {
   default     = "us-central1"
 }
 
+variable "default_region_2" {
+  description = "Secondary default region to create resources where applicable."
+  type        = string
+  default     = "us-west1"
+}
+
+variable "default_region_gcs" {
+  description = "Case-Sensitive default region to create gcs resources where applicable."
+  type        = string
+  default     = "US"
+}
+
+variable "default_region_kms" {
+  description = "Secondary default region to create kms resources where applicable."
+  type        = string
+  default     = "us"
+}
+
 variable "parent_folder" {
   description = "Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist."
   type        = string