Support mulitple universes in bootstrap (GoogleCloudPlatform#2851)

juliocc · ludoo · karpok78 · commit c8ebcf7aaf9d · 2025-02-08T10:37:17.000+01:00
* Initial support for universes in bootstrap

* Add var description

* Add universe to globals output

* Fix typo

* Update README

* Allow universes to exclude services

* Move service exclusion to project module

* Move service exclusion loging to the project module

---------

Co-authored-by: Ludovico Magnocavallo &lt;ludomagno@google.com&gt;
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
@@ -687,23 +687,24 @@ FAST defines a simple mechanism to extend stage functionality via the use of [ad
 | [outputs_location](variables.tf#L286) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
 | [project_parent_ids](variables.tf#L301) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; optional&#40;string&#41;&#10;  billing    &#61; optional&#40;string&#41;&#10;  logging    &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [resource_names](variables.tf#L312) | Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type. | <code title="object&#40;&#123;&#10;  bq-billing           &#61; optional&#40;string, &#34;billing_export&#34;&#41;&#10;  bq-logs              &#61; optional&#40;string, &#34;logs&#34;&#41;&#10;  gcs-bootstrap        &#61; optional&#40;string, &#34;prod-iac-core-bootstrap-0&#34;&#41;&#10;  gcs-logs             &#61; optional&#40;string, &#34;prod-logs&#34;&#41;&#10;  gcs-outputs          &#61; optional&#40;string, &#34;prod-iac-core-outputs-0&#34;&#41;&#10;  gcs-resman           &#61; optional&#40;string, &#34;prod-iac-core-resman-0&#34;&#41;&#10;  gcs-vpcsc            &#61; optional&#40;string, &#34;prod-iac-core-vpcsc-0&#34;&#41;&#10;  project-automation   &#61; optional&#40;string, &#34;prod-iac-core-0&#34;&#41;&#10;  project-billing      &#61; optional&#40;string, &#34;prod-billing-exp-0&#34;&#41;&#10;  project-logs         &#61; optional&#40;string, &#34;prod-audit-logs-0&#34;&#41;&#10;  pubsub-logs_template &#61; optional&#40;string, &#34;&#36;&#36;&#123;key&#125;&#34;&#41;&#10;  sa-bootstrap         &#61; optional&#40;string, &#34;prod-bootstrap-0&#34;&#41;&#10;  sa-bootstrap_ro      &#61; optional&#40;string, &#34;prod-bootstrap-0r&#34;&#41;&#10;  sa-cicd_template     &#61; optional&#40;string, &#34;prod-&#36;&#36;&#123;key&#125;-1&#34;&#41;&#10;  sa-cicd_template_ro  &#61; optional&#40;string, &#34;prod-&#36;&#36;&#123;key&#125;-1r&#34;&#41;&#10;  sa-resman            &#61; optional&#40;string, &#34;prod-resman-0&#34;&#41;&#10;  sa-resman_ro         &#61; optional&#40;string, &#34;prod-resman-0r&#34;&#41;&#10;  sa-vpcsc             &#61; optional&#40;string, &#34;prod-vpcsc-0&#34;&#41;&#10;  sa-vpcsc_ro          &#61; optional&#40;string, &#34;prod-vpcsc-0r&#34;&#41;&#10;  wf-bootstrap          &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap&#34;&#41;&#10;  wf-provider_template  &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap-&#36;&#36;&#123;key&#125;&#34;&#41;&#10;  wif-bootstrap         &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap&#34;&#41;&#10;  wif-provider_template &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap-&#36;&#36;&#123;key&#125;&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [workforce_identity_providers](variables.tf#L344) | Workforce Identity Federation pools. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  display_name        &#61; string&#10;  description         &#61; string&#10;  disabled            &#61; optional&#40;bool, false&#41;&#10;  saml &#61; optional&#40;object&#40;&#123;&#10;    idp_metadata_xml &#61; string&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [workload_identity_providers](variables.tf#L360) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  custom_settings &#61; optional&#40;object&#40;&#123;&#10;    issuer_uri &#61; optional&#40;string&#41;&#10;    audiences  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    jwks_json  &#61; optional&#40;string&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [universe](variables.tf#L344) | Target GCP universe. | <code title="object&#40;&#123;&#10;  domain               &#61; string&#10;  prefix               &#61; string&#10;  unavailable_services &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
+| [workforce_identity_providers](variables.tf#L354) | Workforce Identity Federation pools. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  display_name        &#61; string&#10;  description         &#61; string&#10;  disabled            &#61; optional&#40;bool, false&#41;&#10;  saml &#61; optional&#40;object&#40;&#123;&#10;    idp_metadata_xml &#61; string&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [workload_identity_providers](variables.tf#L370) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  custom_settings &#61; optional&#40;object&#40;&#123;&#10;    issuer_uri &#61; optional&#40;string&#41;&#10;    audiences  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    jwks_json  &#61; optional&#40;string&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 
 ## Outputs
 
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
-| [automation](outputs.tf#L112) | Automation resources. |  |  |
-| [billing_dataset](outputs.tf#L117) | BigQuery dataset prepared for billing export. |  |  |
-| [cicd_repositories](outputs.tf#L122) | CI/CD repository configurations. |  |  |
-| [custom_roles](outputs.tf#L134) | Organization-level custom roles. |  |  |
-| [outputs_bucket](outputs.tf#L139) | GCS bucket where generated output files are stored. |  |  |
-| [project_ids](outputs.tf#L144) | Projects created by this stage. |  |  |
-| [providers](outputs.tf#L154) | Terraform provider files for this stage and dependent stages. | ✓ | <code>stage-01</code> |
-| [service_accounts](outputs.tf#L161) | Automation service accounts created by this stage. |  |  |
-| [tfvars](outputs.tf#L170) | Terraform variable files for the following stages. | ✓ |  |
-| [tfvars_globals](outputs.tf#L176) | Terraform Globals variable files for the following stages. | ✓ |  |
-| [workforce_identity_pool](outputs.tf#L182) | Workforce Identity Federation pool. |  |  |
-| [workload_identity_pool](outputs.tf#L191) | Workload Identity Federation pool and providers. |  |  |
+| [automation](outputs.tf#L113) | Automation resources. |  |  |
+| [billing_dataset](outputs.tf#L118) | BigQuery dataset prepared for billing export. |  |  |
+| [cicd_repositories](outputs.tf#L123) | CI/CD repository configurations. |  |  |
+| [custom_roles](outputs.tf#L135) | Organization-level custom roles. |  |  |
+| [outputs_bucket](outputs.tf#L140) | GCS bucket where generated output files are stored. |  |  |
+| [project_ids](outputs.tf#L145) | Projects created by this stage. |  |  |
+| [providers](outputs.tf#L155) | Terraform provider files for this stage and dependent stages. | ✓ | <code>stage-01</code> |
+| [service_accounts](outputs.tf#L162) | Automation service accounts created by this stage. |  |  |
+| [tfvars](outputs.tf#L171) | Terraform variable files for the following stages. | ✓ |  |
+| [tfvars_globals](outputs.tf#L177) | Terraform Globals variable files for the following stages. | ✓ |  |
+| [workforce_identity_pool](outputs.tf#L183) | Workforce Identity Federation pool. |  |  |
+| [workload_identity_pool](outputs.tf#L192) | Workload Identity Federation pool and providers. |  |  |
 <!-- END TFDOC -->
diff --git a/fast/stages/0-bootstrap/automation.tf b/fast/stages/0-bootstrap/automation.tf
@@ -23,7 +23,8 @@ module "automation-project" {
   parent = coalesce(
     var.project_parent_ids.automation, "organizations/${var.organization.id}"
   )
-  prefix = var.prefix
+  prefix   = var.prefix
+  universe = var.universe
   contacts = (
     var.bootstrap_user != null || var.essential_contacts == null
     ? {}
diff --git a/fast/stages/0-bootstrap/billing.tf b/fast/stages/0-bootstrap/billing.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,7 +47,8 @@ module "billing-export-project" {
   parent = coalesce(
     var.project_parent_ids.billing, "organizations/${var.organization.id}"
   )
-  prefix = var.prefix
+  prefix   = var.prefix
+  universe = var.universe
   contacts = (
     var.bootstrap_user != null || var.essential_contacts == null
     ? {}
diff --git a/fast/stages/0-bootstrap/log-export.tf b/fast/stages/0-bootstrap/log-export.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,6 +43,7 @@ module "log-export-project" {
     var.project_parent_ids.logging, "organizations/${var.organization.id}"
   )
   prefix          = var.prefix
+  universe        = var.universe
   billing_account = var.billing_account.id
   contacts = (
     var.bootstrap_user != null || var.essential_contacts == null
diff --git a/fast/stages/0-bootstrap/outputs-providers.tf b/fast/stages/0-bootstrap/outputs-providers.tf
@@ -16,6 +16,9 @@
 
 # tfdoc:file:description Locals for provider output files.
 
+# TODO: templates should probably use provider::terraform::encode_expr
+# (not jsonencode) to encode extras
+
 locals {
   _parent_stage_resources = {
     "1-resman" = {
@@ -33,62 +36,94 @@ locals {
     # this stage's providers
     {
       "0-bootstrap" = templatefile(local._tpl_providers, {
-        backend_extra = null
         bucket        = module.automation-tf-bootstrap-gcs.name
         name          = "bootstrap"
         sa            = module.automation-tf-bootstrap-sa.email
+        backend_extra = null
+        provider_extra = var.universe == null ? null : {
+          universe_domain = var.universe.domain
+        }
       })
       "0-bootstrap-r" = templatefile(local._tpl_providers, {
-        backend_extra = null
         bucket        = module.automation-tf-bootstrap-gcs.name
         name          = "bootstrap"
         sa            = module.automation-tf-bootstrap-r-sa.email
+        backend_extra = null
+        provider_extra = var.universe == null ? null : {
+          universe_domain = var.universe.domain
+        }
       })
     },
     # stage 1 providers
     {
       "1-resman" = templatefile(local._tpl_providers, {
-        backend_extra = null
         bucket        = module.automation-tf-resman-gcs.name
         name          = "resman"
         sa            = module.automation-tf-resman-sa.email
+        backend_extra = null
+        provider_extra = var.universe == null ? null : {
+          universe_domain = var.universe.domain
+        }
       })
       "1-resman-r" = templatefile(local._tpl_providers, {
-        backend_extra = null
         bucket        = module.automation-tf-resman-gcs.name
         name          = "resman"
         sa            = module.automation-tf-resman-r-sa.email
+        backend_extra = null
+        provider_extra = var.universe == null ? null : {
+          universe_domain = var.universe.domain
+        }
       })
       "1-vpcsc" = templatefile(local._tpl_providers, {
-        backend_extra = "prefix = \"vpcsc\""
-        bucket        = module.automation-tf-vpcsc-gcs.name
-        name          = "vpcsc"
-        sa            = module.automation-tf-vpcsc-sa.email
+        bucket = module.automation-tf-vpcsc-gcs.name
+        name   = "vpcsc"
+        sa     = module.automation-tf-vpcsc-sa.email
+        backend_extra = {
+          prefix = "vpcsc"
+        }
+        provider_extra = var.universe == null ? null : {
+          universe_domain = var.universe.domain
+        }
       })
       "1-vpcsc-r" = templatefile(local._tpl_providers, {
-        backend_extra = "prefix = \"vpcsc\""
-        bucket        = module.automation-tf-vpcsc-gcs.name
-        name          = "vpcsc"
-        sa            = module.automation-tf-vpcsc-r-sa.email
+        bucket = module.automation-tf-vpcsc-gcs.name
+        name   = "vpcsc"
+        sa     = module.automation-tf-vpcsc-r-sa.email
+        backend_extra = {
+          prefix = "vpcsc"
+        }
+        provider_extra = var.universe == null ? null : {
+          universe_domain = var.universe.domain
+        }
       })
     },
     # stage 1 addons
     {
       for k, v in var.fast_addon :
       "${v.parent_stage}-${k}" => templatefile(local._tpl_providers, {
-        backend_extra = "prefix = \"addons/${k}\""
-        name          = "${v.parent_stage}-${k}"
-        bucket        = local._parent_stage_resources[v.parent_stage].bucket
-        sa            = local._parent_stage_resources[v.parent_stage].sa
+        name   = "${v.parent_stage}-${k}"
+        bucket = local._parent_stage_resources[v.parent_stage].bucket
+        sa     = local._parent_stage_resources[v.parent_stage].sa
+        backend_extra = {
+          prefix = "addons/${k}"
+        }
+        provider_extra = var.universe == null ? null : {
+          universe_domain = var.universe.domain
+        }
       })
     },
     {
       for k, v in var.fast_addon :
       "${v.parent_stage}-${k}-r" => templatefile(local._tpl_providers, {
-        backend_extra = "prefix = \"addons/${k}\""
-        name          = "${v.parent_stage}-${k}"
-        bucket        = local._parent_stage_resources[v.parent_stage].bucket
-        sa            = local._parent_stage_resources[v.parent_stage].sa_r
+        name   = "${v.parent_stage}-${k}"
+        bucket = local._parent_stage_resources[v.parent_stage].bucket
+        sa     = local._parent_stage_resources[v.parent_stage].sa_r
+        backend_extra = {
+          prefix = "addons/${k}"
+        }
+        provider_extra = var.universe == null ? null : {
+          universe_domain = var.universe.domain
+        }
       })
     }
   )
diff --git a/fast/stages/0-bootstrap/outputs.tf b/fast/stages/0-bootstrap/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -90,6 +90,7 @@ locals {
         split("/", k)[1] => v.id
       }
     }
+    universe = var.universe
   }
   tfvars_globals = {
     billing_account = var.billing_account
diff --git a/fast/stages/0-bootstrap/templates/providers.tf.tpl b/fast/stages/0-bootstrap/templates/providers.tf.tpl
@@ -18,16 +18,22 @@ terraform {
   backend "gcs" {
     bucket                      = "${bucket}"
     impersonate_service_account = "${sa}"
-    %{~ if backend_extra != null ~}
-    ${indent(4, backend_extra)}
-    %{~ endif ~}
+    %{~ for k, v in coalesce(backend_extra, {}) ~}
+    ${k} = ${jsonencode(v)}
+    %{~ endfor ~}
   }
 }
 provider "google" {
   impersonate_service_account = "${sa}"
+  %{~ for k, v in coalesce(provider_extra, {}) ~}
+  ${k} = ${jsonencode(v)}
+  %{~ endfor ~}
 }
 provider "google-beta" {
   impersonate_service_account = "${sa}"
+  %{~ for k, v in coalesce(provider_extra, {}) ~}
+  ${k} = ${jsonencode(v)}
+  %{~ endfor ~}
 }
 
 # end provider.tf for ${name}
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -341,6 +341,16 @@ variable "resource_names" {
   default  = {}
 }
 
+variable "universe" {
+  description = "Target GCP universe."
+  type = object({
+    domain               = string
+    prefix               = string
+    unavailable_services = optional(list(string), [])
+  })
+  default = null
+}
+
 variable "workforce_identity_providers" {
   description = "Workforce Identity Federation pools."
   type = map(object({

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/**`
`2`		`- * Copyright 2024 Google LLC`
	`2`	`+ * Copyright 2025 Google LLC`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -43,6 +43,7 @@ module "log-export-project" {`
`43`	`43`	`var.project_parent_ids.logging, "organizations/${var.organization.id}"`
`44`	`44`	`)`
`45`	`45`	`prefix = var.prefix`
	`46`	`+ universe = var.universe`
`46`	`47`	`billing_account = var.billing_account.id`
`47`	`48`	`contacts = (`
`48`	`49`	`var.bootstrap_user != null \|\| var.essential_contacts == null`