add owner label to everything

Jeffreyhung · Jeffreyhung · commit ef24bb941cbf · 2025-02-12T09:03:52.000-08:00
diff --git a/functions/main.tf b/functions/main.tf
@@ -10,6 +10,7 @@ variable "region" {}
 variable "secret_ids" {}
 variable "deploy_sa_email" {}
 variable "local_variables" {}
+variable "owner" {}
 
 module "cloud_function_gen2" {
   source   = "../modules/cloud-function-gen2"
@@ -40,6 +41,7 @@ module "cloud_function_gen2" {
   project         = var.project
   secret_ids      = var.secret_ids
   deploy_sa_email = var.deploy_sa_email
+  owner           = var.owner
 }
 
 module "cronjob-gen2" {
@@ -58,6 +60,7 @@ module "cronjob-gen2" {
   target_project  = var.project
   target_region   = var.region
   deploy_sa_email = var.deploy_sa_email
+  owner           = var.owner
 
   depends_on = [
     module.cloud_function_gen2
diff --git a/index.tf b/index.tf
@@ -5,6 +5,7 @@ module "infrastructure" {
   region          = var.region
   project_id      = var.project_id
   deploy_sa_email = var.deploy_sa_email
+  owner           = var.owner
 }
 
 module "functions" {
@@ -16,6 +17,7 @@ module "functions" {
   secret_ids      = module.infrastructure.secret_ids
   deploy_sa_email = var.deploy_sa_email != null ? var.deploy_sa_email : module.infrastructure.deploy_sa_email
   local_variables = local.local_variables
+  owner           = var.owner
 
   depends_on = [
     module.infrastructure
@@ -29,9 +31,11 @@ module "workflows" {
   region          = var.region
   project_id      = var.project_id
   deploy_sa_email = var.deploy_sa_email != null ? var.deploy_sa_email : module.infrastructure.deploy_sa_email
+  owner           = var.owner
 
   depends_on = [
-    module.infrastructure
+    module.infrastructure,
+    module.functions
   ]
 }
 
@@ -44,6 +48,7 @@ module "pubsubs" {
   bucket_location = var.bucket_location
   zone            = var.zone
   deploy_sa_email = var.deploy_sa_email != null ? var.deploy_sa_email : module.infrastructure.deploy_sa_email
+  owner           = var.owner
 
   depends_on = [
     module.infrastructure
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -3,6 +3,10 @@ resource "google_storage_bucket" "staging_bucket" {
   location                 = "US"
   force_destroy            = true
   public_access_prevention = "enforced"
+  labels = {
+    owner = var.owner
+    terraformed = "true"
+  }
 }
 
 resource "google_storage_bucket_iam_binding" "staging-bucket-iam" {
@@ -31,6 +35,10 @@ resource "google_storage_bucket" "tf-state" {
   versioning {
     enabled = true
   }
+  labels = {
+    owner = var.owner
+    terraformed = "true"
+  }
 }
 
 resource "google_storage_bucket_iam_binding" "tfstate-bucket-iam" {
diff --git a/infrastructure/secrets.tf b/infrastructure/secrets.tf
@@ -4,6 +4,10 @@ resource "google_secret_manager_secret" "secret" {
   replication {
     auto {}
   }
+  labels = {
+    owner = var.owner
+    terraformed = "true"
+  }
 }
 
 # since some of the secrets will be shared across functions and workflows
diff --git a/infrastructure/variables.tf b/infrastructure/variables.tf
@@ -19,3 +19,8 @@ variable "deploy_sa_email" {
   description = "service account for deployment"
   default     = null
 }
+
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
diff --git a/infrastructure/workload_identity.tf b/infrastructure/workload_identity.tf
@@ -7,7 +7,7 @@ resource "google_service_account" "gha_cloud_functions_deployment" {
   count = var.deploy_sa_email != null ? 0 : 1
 
   account_id   = "gha-cloud-functions-deployment"
-  description  = "For use by Terraform and GitHub Actions to deploy cloud-functions"
+  description  = "For use by Terraform and GitHub Actions to deploy cloud-functions, owned by ${var.owner}, managed by Terraform"
   display_name = "gha-cloud-functions-deployment"
   project      = var.project
 }
@@ -17,7 +17,7 @@ resource "google_iam_workload_identity_pool" "gha_terraform_checker_pool" {
 
   workload_identity_pool_id = "${local.gha_name}-pool"
   display_name              = "GHA Terraform Checker Pool"
-  description               = "Identity pool for Terraform Plan GHA"
+  description               = "Identity pool for Terraform Plan GHA, owned by ${var.owner}, managed by Terraform"
 }
 
 resource "google_iam_workload_identity_pool_provider" "gha_terraform_checker_provider" {
@@ -26,7 +26,7 @@ resource "google_iam_workload_identity_pool_provider" "gha_terraform_checker_pro
   workload_identity_pool_id          = google_iam_workload_identity_pool.gha_terraform_checker_pool[0].workload_identity_pool_id
   workload_identity_pool_provider_id = "${local.gha_name}-provider"
   display_name                       = "GHA Terraform Checker Provider"
-  description                        = "OIDC identity pool provider for Terraform Plan GHA"
+  description                        = "OIDC identity pool provider for Terraform Plan GHA, owned by ${var.owner}, managed by Terraform"
 
   attribute_mapping = {
     "google.subject"       = "assertion.${local.attribute_scope}"
diff --git a/modules/cloud-function-gen2/main.tf b/modules/cloud-function-gen2/main.tf
@@ -1,6 +1,7 @@
 resource "google_service_account" "function_sa" {
   account_id   = "cf-${var.name}"
   display_name = "Cloud Function Service Account for ${var.name}"
+  description = "Service account for ${var.name}, owned by ${var.owner}, managed by Terraform"
 }
 
 
@@ -65,6 +66,10 @@ data "archive_file" "source" {
 resource "google_storage_bucket_object" "zip" {
   source       = data.archive_file.source.output_path
   content_type = "application/zip"
+  metadata = {
+    owner = var.owner
+    terraformed = "true"
+  }
 
   # Append to the MD5 checksum of the files's content
   # to force the zip to be updated as soon as a change occurs
@@ -76,6 +81,10 @@ resource "google_cloudfunctions2_function" "function" {
   name        = var.name
   location    = var.location
   description = var.description
+  labels      = {
+    owner = var.owner
+    terraformed = "true"
+  }
 
   build_config {
     runtime           = var.runtime
diff --git a/modules/cloud-function-gen2/variables.tf b/modules/cloud-function-gen2/variables.tf
@@ -117,3 +117,8 @@ variable "allow_unauthenticated" {
   nullable    = false
   default     = false
 }
+
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
diff --git a/modules/cloud-workflow/main.tf b/modules/cloud-workflow/main.tf
@@ -1,6 +1,7 @@
 resource "google_service_account" "workflow_sa" {
   account_id   = "wf-${var.name}"
   display_name = "Workflow Service Account for ${var.name}"
+  description = "Service account for ${var.name}, owned by ${var.owner}, managed by Terraform"
 }
 
 resource "google_service_account_iam_member" "workflow_sa_actas_iam" {
@@ -20,6 +21,11 @@ resource "google_workflows_workflow" "workflow" {
   description     = var.description
   service_account = google_service_account.workflow_sa.id
   source_contents = templatefile("${var.workflow_yaml_file}", {})
+  labels = {
+    owner = var.owner
+    terraformed = "true"
+  }
+  
   depends_on = [
     google_service_account_iam_member.workflow_sa_actas_iam,
     google_service_account_iam_member.deploy_sa_actas_iam
diff --git a/modules/cloud-workflow/variables.tf b/modules/cloud-workflow/variables.tf
@@ -40,9 +40,16 @@ variable "deploy_sa_email" {
 variable "project" {
   type = string
 }
+
 variable "project_id" {
   type = string
 }
+
 variable "region" {
   type = string
 }
+
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
diff --git a/modules/cronjob-gen2/main.tf b/modules/cronjob-gen2/main.tf
@@ -1,6 +1,7 @@
 resource "google_service_account" "cronjob_sa" {
   account_id   = "cj-${var.name}"
   display_name = "CronJob Service Account for ${var.name}"
+  description = "Service account for ${var.name}, owned by ${var.owner}, managed by Terraform"
 }
 
 resource "google_service_account_iam_member" "deploy_sa_actas_iam" {
diff --git a/modules/cronjob-gen2/variables.tf b/modules/cronjob-gen2/variables.tf
@@ -55,4 +55,9 @@ variable "attempt_deadline" {
 variable "deploy_sa_email" {
   type        = string
   description = "Service account used for CD in GitHub actions"
-}
+}
+
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
diff --git a/modules/eventarc-workflow-trigger/main.tf b/modules/eventarc-workflow-trigger/main.tf
@@ -1,6 +1,7 @@
 resource "google_service_account" "earc-trigger-sa" {
   account_id   = "earc-${var.name}"
-  display_name = "Service Account for the earc trigger ${var.name}"
+  display_name = "Earc trigger ${var.name}"
+  description = "Service account for the earc trigger ${var.name}, owned by ${var.owner}, managed by Terraform"
 }
 
 resource "google_service_account_iam_member" "earc_sa_actas_iam" {
@@ -31,6 +32,10 @@ resource "google_eventarc_trigger" "earc-trigger" {
   name            = var.name
   location        = var.location
   service_account = google_service_account.earc-trigger-sa.email
+  labels = {
+    owner = var.owner
+    terraformed = "true"
+  }
 
   dynamic "matching_criteria" {
     for_each = var.criteria
diff --git a/modules/eventarc-workflow-trigger/variables.tf b/modules/eventarc-workflow-trigger/variables.tf
@@ -30,3 +30,8 @@ variable "criteria" {
     value     = string
   }))
 }
+
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
diff --git a/modules/pubsub-sink/main.tf b/modules/pubsub-sink/main.tf
@@ -3,6 +3,10 @@ resource "google_storage_bucket" "pubsub-sink-bucket" {
   location                 = var.bucket_location
   force_destroy            = true
   public_access_prevention = "enforced"
+  labels = {
+    owner = var.owner
+    terraformed = "true"
+  }
 
   lifecycle_rule {
     condition {
diff --git a/modules/pubsub-sink/variables.tf b/modules/pubsub-sink/variables.tf
@@ -17,3 +17,8 @@ variable "gcp_region" {
   type        = string
   description = "GCP Region"
 }
+
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
diff --git a/modules/pubsub/main.tf b/modules/pubsub/main.tf
@@ -1,6 +1,10 @@
 # Create a topic
 resource "google_pubsub_topic" "topic" {
   name = var.topic_name
+  labels = {
+    owner = var.owner
+    terraformed = "true"
+  }
 
   message_retention_duration = "604800s" # 7 days (maximum)
   message_storage_policy {
@@ -16,6 +20,10 @@ resource "google_pubsub_subscription" "subscription" {
   retain_acked_messages      = false     # Remove acknowledged messages (default)
   ack_deadline_seconds       = 600       # maximum
   enable_message_ordering    = false     # default
+  labels = {
+    owner = var.owner
+    terraformed = "true"
+  }
 
   dynamic "expiration_policy" {
     for_each = var.ttl != null ? [1] : []
@@ -32,6 +40,7 @@ resource "google_pubsub_subscription" "subscription" {
 resource "google_service_account" "pubsub_service_account" {
   account_id   = var.service_account_id
   display_name = var.service_account_display_name
+  description = "Service account for ${var.topic_name}, owned by ${var.owner}, managed by Terraform"
 }
 
 # Pub/Sub Viewer
diff --git a/modules/pubsub/variables.tf b/modules/pubsub/variables.tf
@@ -33,3 +33,8 @@ variable "ttl" {
   description = "Pub/Sub topic ttl"
   default     = null
 }
+
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
diff --git a/pubsubs/main.tf b/pubsubs/main.tf
@@ -10,6 +10,7 @@ variable "region" {}
 variable "deploy_sa_email" {}
 variable "bucket_location" {}
 variable "zone" {}
+variable "owner" {}
 
 module "pubsubs" {
   source   = "../modules/pubsub"
@@ -22,6 +23,7 @@ module "pubsubs" {
   service_account_id           = each.value.pubsub.service_account_id
   service_account_display_name = each.value.pubsub.service_account_display_name
   ttl                          = lookup(each.value.pubsub, "ttl", null)
+  owner                        = var.owner
 }
 
 module "pubsubs_sink" {
@@ -32,4 +34,5 @@ module "pubsubs_sink" {
   bucket_location = var.bucket_location
   project_id      = var.project_id
   gcp_region      = var.region
+  owner           = var.owner
 }
diff --git a/terraform.tfvars b/terraform.tfvars
@@ -5,10 +5,9 @@ project_id      = "jeffreyhung-test"
 project_num     = "546928617664"
 bucket_location = "US-WEST1"
 tf_state_bucket = "jeffreyhung-test-tfstate"
+# Owner of the project, used for tagging resources and future ownership tracking
+owner           = "team-security"
 
 # provide the service account email for deployment if you want to use your own workload identity provider
 # if you want to spin up new workload identity pool, set this to null
 deploy_sa_email = null
-
-
-# TODO: add owner/team information and bake that into GCP tags
diff --git a/varables.tf b/varables.tf
@@ -39,6 +39,11 @@ variable "deploy_sa_email" {
   default     = null
 }
 
+variable "owner" {
+  type        = string
+  description = "The owner of the project, used for tagging resources and future ownership tracking"
+}
+
 # A hack to turn all var in the tfvars file into a map
 # This will allow us to make these vars available when reading configs from yamls
 locals {
diff --git a/workflows/main.tf b/workflows/main.tf
@@ -8,6 +8,7 @@ variable "project_id" {}
 variable "project" {}
 variable "region" {}
 variable "deploy_sa_email" {}
+variable "owner" {}
 
 module "workflows" {
   source   = "../modules/cloud-workflow"
@@ -24,6 +25,7 @@ module "workflows" {
   project_id      = var.project_id
   region          = var.region
   deploy_sa_email = var.deploy_sa_email
+  owner           = var.owner
 }
 
 module "workflows-ingest-trigger" {
@@ -35,6 +37,6 @@ module "workflows-ingest-trigger" {
   deploy_sa_email     = var.deploy_sa_email
   workflow_project_id = var.project_id
   workflow_id         = module.workflows[each.value.name].workflow_id
-
+  owner               = var.owner
   criteria = each.value.workflow-trigger.criteria
 }

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,10 @@ resource "google_storage_bucket" "staging_bucket" {`
`3`	`3`	`location = "US"`
`4`	`4`	`force_destroy = true`
`5`	`5`	`public_access_prevention = "enforced"`
	`6`	`+ labels = {`
	`7`	`+ owner = var.owner`
	`8`	`+ terraformed = "true"`
	`9`	`+ }`
`6`	`10`	`}`
`7`	`11`
`8`	`12`	`resource "google_storage_bucket_iam_binding" "staging-bucket-iam" {`
`@@ -31,6 +35,10 @@ resource "google_storage_bucket" "tf-state" {`
`31`	`35`	`versioning {`
`32`	`36`	`enabled = true`
`33`	`37`	`}`
	`38`	`+ labels = {`
	`39`	`+ owner = var.owner`
	`40`	`+ terraformed = "true"`
	`41`	`+ }`
`34`	`42`	`}`
`35`	`43`
`36`	`44`	`resource "google_storage_bucket_iam_binding" "tfstate-bucket-iam" {`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,10 @@ resource "google_secret_manager_secret" "secret" {`
`4`	`4`	`replication {`
`5`	`5`	`auto {}`
`6`	`6`	`}`
	`7`	`+ labels = {`
	`8`	`+ owner = var.owner`
	`9`	`+ terraformed = "true"`
	`10`	`+ }`
`7`	`11`	`}`
`8`	`12`
`9`	`13`	`# since some of the secrets will be shared across functions and workflows`
Original file line number	Diff line number	Diff line change
`@@ -19,3 +19,8 @@ variable "deploy_sa_email" {`
`19`	`19`	`description = "service account for deployment"`
`20`	`20`	`default = null`
`21`	`21`	`}`
	`22`	`+`
	`23`	`+variable "owner" {`
	`24`	`+ type = string`
	`25`	`+ description = "The owner of the project, used for tagging resources and future ownership tracking"`
	`26`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -117,3 +117,8 @@ variable "allow_unauthenticated" {`
`117`	`117`	`nullable = false`
`118`	`118`	`default = false`
`119`	`119`	`}`
	`120`	`+`
	`121`	`+variable "owner" {`
	`122`	`+ type = string`
	`123`	`+ description = "The owner of the project, used for tagging resources and future ownership tracking"`
	`124`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -40,9 +40,16 @@ variable "deploy_sa_email" {`
`40`	`40`	`variable "project" {`
`41`	`41`	`type = string`
`42`	`42`	`}`
	`43`	`+`
`43`	`44`	`variable "project_id" {`
`44`	`45`	`type = string`
`45`	`46`	`}`
	`47`	`+`
`46`	`48`	`variable "region" {`
`47`	`49`	`type = string`
`48`	`50`	`}`
	`51`	`+`
	`52`	`+variable "owner" {`
	`53`	`+ type = string`
	`54`	`+ description = "The owner of the project, used for tagging resources and future ownership tracking"`
	`55`	`+}`