Conditionally creates billing sink if the billing account is of type resource (#3130)

* updated billing.tf file to conditionally creates billing sink if the billing account resides out of org

* replace resources with modules

* replace individual iam resources with billing_iam local passed in the module

* update module name and path and move iam from local to module call

* update README.md

* Add log_bucket option to billing_account variable, and update billing account IAM assignments

* update 0-bootstrap README to reflect changes to billing account module

* Update current bootstrap tests to reflect the change to billing_account variable

* Create test for the case when billing account log bucket is created

* running fmt

---------

Co-authored-by: Ludovico Magnocavallo <[email protected]>

Author: Ali-Aburub

fast/stages/0-bootstrap/README.md

@@ -17,22 +17,41 @@
 # tfdoc:file:description Billing export project and dataset.
 
 locals {
-  # used here for convenience, in organization.tf members are explicit
-  billing_ext_admins = [
-    local.principals.gcp-billing-admins,
-    local.principals.gcp-organization-admins,
-    module.automation-tf-bootstrap-sa.iam_email,
-    module.automation-tf-resman-sa.iam_email
-  ]
-  billing_ext_viewers = [
-    module.automation-tf-bootstrap-r-sa.iam_email,
-    module.automation-tf-resman-r-sa.iam_email
-  ]
   billing_mode = (
     var.billing_account.no_iam
     ? null
     : var.billing_account.is_org_level ? "org" : "resource"
   )
+
+  _billing_iam_bindings = {
+    "roles/billing.admin" = [
+      local.principals.gcp-billing-admins,
+      local.principals.gcp-organization-admins,
+      module.automation-tf-bootstrap-sa.iam_email,
+      module.automation-tf-resman-sa.iam_email
+    ],
+    "roles/billing.viewer" = [
+      module.automation-tf-bootstrap-r-sa.iam_email,
+      module.automation-tf-resman-r-sa.iam_email
+    ],
+    "roles/logging.configWriter" = local.billing_mode == "org" || !var.billing_account.force_create.log_bucket ? [] : [
+      module.automation-tf-bootstrap-sa.iam_email
+    ]
+  }
+
+  _billing_iam_bindings_add = flatten([for role, bindings in local._billing_iam_bindings : [
+    for member in bindings : {
+      member = member,
+      role   = role
+    }
+  ]])
+
+  billing_iam_bindings_additive = {
+    for b in local._billing_iam_bindings_add : "${b.role}-${b.member}" => {
+      member = b.member
+      role   = b.role
+    }
+  }
 }
 
 # billing account in same org (IAM is in the organization.tf file)
@@ -81,20 +100,28 @@ module "billing-export-dataset" {
 
 # standalone billing account
 
-resource "google_billing_account_iam_member" "billing_ext_admin" {
-  for_each = toset(
-    local.billing_mode == "resource" ? local.billing_ext_admins : []
-  )
-  billing_account_id = var.billing_account.id
-  role               = "roles/billing.admin"
-  member             = each.key
+module "billing-account-logbucket" {
+  source        = "../../../modules/logging-bucket"
+  count         = local.billing_mode == "resource" && var.billing_account.force_create.log_bucket ? 1 : 0
+  parent_type   = "project"
+  parent        = module.log-export-project.project_id
+  id            = "billing-account"
+  location      = local.locations.logging
+  log_analytics = { enable = true }
+  # org-level logging settings ready before we create any logging buckets
+  depends_on = [module.organization-logging]
 }
 
-resource "google_billing_account_iam_member" "billing_ext_viewer" {
-  for_each = toset(
-    local.billing_mode == "resource" ? local.billing_ext_viewers : []
-  )
-  billing_account_id = var.billing_account.id
-  role               = "roles/billing.viewer"
-  member             = each.key
-}
+module "billing-account" {
+  source                = "../../../modules/billing-account"
+  count                 = local.billing_mode == "resource" ? 1 : 0
+  id                    = var.billing_account.id
+  iam_bindings_additive = local.billing_iam_bindings_additive
+  logging_sinks = !var.billing_account.force_create.log_bucket ? {} : {
+    billing_bucket_log_sink = {
+      destination = module.billing-account-logbucket[0].id
+      type        = "logging"
+      description = "billing-account sink (Terraform-managed)."
+    }
+  }
+}

fast/stages/0-bootstrap/billing.tf

@@ -19,8 +19,9 @@ variable "billing_account" {
   type = object({
     id = string
     force_create = optional(object({
-      dataset = optional(bool, false)
-      project = optional(bool, false)
+      dataset    = optional(bool, false)
+      project    = optional(bool, false)
+      log_bucket = optional(bool, false)
     }), {})
     is_org_level = optional(bool, true)
     no_iam       = optional(bool, false)

fast/stages/0-bootstrap/variables.tf

@@ -2493,6 +2493,7 @@ outputs:
       force_create:
         dataset: false
         project: false
+        log_bucket: false
       id: 000000-111111-222222
       is_org_level: true
       no_iam: false

tests/fast/stages/s0_bootstrap/cicd.yaml

@@ -0,0 +1,23 @@
+billing_account = {
+  id           = "000000-111111-222222"
+  is_org_level = false
+  force_create = {
+    dataset    = true
+    project    = true
+    log_bucket = true
+  }
+}
+essential_contacts = "[email protected]"
+groups = {
+  gcp-support = "group:[email protected]"
+}
+org_policies_config = {
+  import_defaults = false
+}
+organization = {
+  domain      = "fast.example.com"
+  id          = 123456789012
+  customer_id = "C00000000"
+}
+outputs_location = "/fast-config"
+prefix           = "fast"