Idea:

• Use Terraform Validator and fake CAI assets
• Use CFT Scorecard

Based on #132, for dependencies it is better to be explicit on the exact path we want to depend on rather than making it confusing and trying to overdo helpers. Thus, I don't think output_ref is very valuable anymore.

#136 will help reduce duplication in output paths.

Example:

Terraform will perform the following actions:

module.bigquery_destination.google_bigquery_dataset.main will be updated in-place

~ resource "google_bigquery_dataset" "main" {
creation_time = 1586210668516
dataset_id = "1yr_org_audit_logs"
default_partition_expiration_ms = 0
default_table_expiration_ms = 31536000000
delete_contents_on_destroy = false
etag = "xsgr8/dA8yPpPQ8cHO4lZQ=="
id = "projects/<project_id>datasets/1yr_org_audit_logs"
labels = {}
last_modified_time = 1588147206214
location = "us-east1"
project = "<project_id>"
self_link = "https://www.googleapis.com/bigquery/v2/projects/<project_id>/datasets/1yr_org_audit_logs"

  - access {
      - role          = "OWNER" -> null
      - special_group = "projectOwners" -> null
    }
  + access {
      + role          = "roles/bigquery.dataOwner"
      + special_group = "projectOwners"
    }
  - access {
      - group_by_email = "[email protected]" -> null
      - role           = "READER" -> null
    }
  + access {
      + group_by_email = "[email protected]"
      + role           = "roles/bigquery.dataViewer"
    }
}

Plan: 0 to add, 1 to change, 0 to destroy.

The in the foundation recipe to choose org or folder level

We should allow users to run the importer and by default it should try to run in the cwd.

Similar to https://github.com/GoogleCloudPlatform/healthcare-data-protection-suite/tree/master/cmd/tfengine#usage

https://json-schema.org/

This mode would just print the commands it would run, instead of actually running them.

Replace google_organization_policy with terraform-google-modules/terraform-google-org-policy.

Our CI checks should make sure all files have a license header.

Now that we're going to be using labels our configs currently look like this:

templates {
   ...
}

templates {
   ...
}

it is more idiomatic in Terraform to rename this to template and add a label e.g.

template "foundation" {
   ...
}

template "data_project" {
   ...
}

Ideas:

• Use different triggers
• Use https://terragrunt.gruntwork.io/docs/reference/cli-options/#terragrunt-include-dir

Currently the dependency path is relative from the place where the config is being generated.

See if we can add a helper that can allow users to pass in paths from the root.

Example: https://pantheon.corp.google.com/cloud-build/builds/9af7ca0a-18b8-48ff-a942-0625baf9cf00;step=0?project=hcls-data-protection-internal

Throws this error:

/usr/local/bin/markdownlint -> /usr/local/lib/node_modules/markdownlint-cli/markdownlint.js
+ [email protected]
added 36 packages from 28 contributors in 2.261s
/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/lib/markdownlint.js:799
      throw error;
      ^

TypeError: content.trimEnd is not a function
    at handleRunEnd (/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/lib/md037.js:38:27)
    at MD037.forEachLine (/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/lib/md037.js:133:13)
    at forMetadata (/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/helpers/helpers.js:256:5)
    at Array.forEach (<anonymous>)
    at forEachLine (/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/helpers/helpers.js:254:16)
    at Object.MD037 [as function] (/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/lib/md037.js:71:5)
    at forRule (/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/lib/markdownlint.js:593:20)
    at Array.forEach (<anonymous>)
    at lintContent (/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/lib/markdownlint.js:639:14)
    at lintContentWrapper (/usr/local/lib/node_modules/markdownlint-cli/node_modules/markdownlint/lib/markdownlint.js:679:12)

A new version of markdownlint-cli was released recently, 0.23.0 on May 5, 1:00am EDT (2020-05-05T04:52:03.666Z). This version is possibly broken.

Suggest to pin it to 0.22.0 for now.

Currently the cicd field is a sibling to devops. This requires duplicationg the devops project id and state bucket.

We should optionally allow the cicd to be set as a child of the devops field so that the common fields don't need to be duplicated.

Use case:
overriding storage bucket location on individual storage buckets or only for audit logs, etc.

To be consistent with Terraform and Terragrunt we should also try to support hcl for all configs being written. Currently engine configs are typically written in YAML.

The primary complexity here is HCL decoder cannot decode to map[string]interface{} (hashicorp/hcl#291).

Terragrunt works around this by duplicating their structs. The input struct defines the map fields as type cty.Value and then do a manual conversion to map using helpers https://github.com/gruntwork-io/terragrunt/blob/27e0fb53c45258d183f6fbb347b718554f15dbaa/config/cty_helpers.go. Then they are set to the output struct as maps to use later on.

GKE module also fetches the network similar to Forseti so if they are in separate deployments the plan will fail on the GKE cluster.

Add a disable for clusters so they are not initially generated.

When importing some sets of resources, sometimes importing some resources will allow importing others. This can be handled by either:

1. Understanding the dependency graph and importing in order.
2. Retrying a full import as long as some progress is made. That is, if some resources were imported, but not all, try again, in case the successful ones now allow importing some of the previously failed ones.

The in the foundation recipe to choose org or folder level

Currently only terraform .tf and terragrunt.hcl files are checked.

Example: ENABLE_LIEN

gruntwork-io/terragrunt#1118

Synchronous deployment can be easier to debug.

Either use Github dep bot or go get -u ./... in the presubmit

This is to help reduce duplication in output paths.

e.g.

# Top level resources
- output_path: "./live"
   templates:
   ... all these templates will be under ./live ...
   - recipe_path: "../folder"
     data:
        "PROD"
   - output_path: "./folder.prod"
     templates:
      ... all these templates will be in the prod folder ...
      

It would be great if we can have a whitelist or blacklist mode for resources and make the deletion check block on it.

Examples:

• in mode whitelist deletions of specific types are allowed. If a new resource wants to be deleted and allowed then first send a PR allowing that resource or resource type.
• in mode blacklist deletions of specific types are not allowed. Thus for example you can prevent any deletion of sensitive resources like GKE cluster or PHI holding resources like healthcare stores.

Initial thoughts:

• Use this repo as the testing configs repo as well. Putting the configs in a testing or Terraform directory
• When cicd components change in templates, regenerate the ones in the testing config directory
• Let CICD of this repo to apply the config changes
• Deploy some dummy infra

Billing account ID and org ID should be hide in the Trigger configuration in Cloud Console and not exposed in the repo.

Let CICD manage APIs in devops project itself can be useful. When new resources are added in data projects, the same API needs to be enabled in the devops project in order for the Cloud Build SA to manage that resources in data projects. By supporting CICD to manage APIs in the devops project, users no longer need to deploy cicd/ directory manually just to enable APIs.

provider, module

For example the apps project needs to depend on the network project

Start with just running sanity checks and go test across the repo