
Update terraform validator version and add policy-library #263

Conversation

daniel-cit
Contributor

In this PR:

  • Update of terraform-validator version, for both Jenkins and Cloud Build
  • Scorecard bundle of the policy-library added
  • Browser role added to Jenkins and Cloud Build service accounts
  • Cloud build yaml files and Jenkinsfile updated for location of policy-library and a default project
  • Updates to the READMEs

@morgante @rjerrems @bharathkkb this PR added the bundle created by kpt as is.
Is this approach OK or should we remove files not related to the execution (bundler, cloudbuild, docs, scripts, ...) ?

Review comments (outdated, resolved) on: 0-bootstrap/main.tf, policy-library/LICENSE, policy-library/Kptfile, policy-library/README.md
@daniel-cit
Contributor Author

The gcp_storage_bucket_policy_only_v1.yaml policy is using the deprecated argument bucketPolicyOnly

https://github.com/daniel-cit/terraform-example-foundation/blob/0aad98a3c7aaf5b9526839c6a98e78f4b05ba73b/policy-library/policies/templates/gcp_storage_bucket_policy_only_v1.yaml

        bucket_policy_enabled(bucket) = bucket_policy_enabled {
            iam_configuration := lib.get_default(bucket, "iamConfiguration", {})
            bucket_policy_only := lib.get_default(iam_configuration, "bucketPolicyOnly", {})
            bucket_policy_enabled := lib.get_default(bucket_policy_only, "enabled", null)
        }

which generates a false positive for the bucket created for the logs sink

uniform_bucket_level_access = true

Related issues:
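To make the false positive described in the comment above concrete, here is an added example (not code from the PR or from the policy-library) that re-expresses the Rego rule in Python and applies it to constructed Cloud Asset Inventory style bucket resources. It assumes the policy flags any bucket for which the check does not return `true`, and it adds a corrected check that also honours `iamConfiguration.uniformBucketLevelAccess`, which is what Terraform's `uniform_bucket_level_access = true` produces.

```python
"""Added example: why a policy that only reads the deprecated
iamConfiguration.bucketPolicyOnly flag misreports a bucket that enables
uniform bucket-level access, and what the corrected check looks like."""

from typing import Any, Callable, Dict, List

# Constructed sample resources (not real assets). Only the fields the
# check reads are included.
SAMPLE_BUCKETS: Dict[str, Dict[str, Any]] = {
    # Created with `uniform_bucket_level_access = true`: only the new field is set.
    "logs-sink-ubla": {
        "name": "logs-sink-bucket",
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
    },
    # Older export that still carries the deprecated flag.
    "legacy-bpo": {
        "name": "legacy-bucket",
        "iamConfiguration": {"bucketPolicyOnly": {"enabled": True}},
    },
    # Bucket relying on legacy ACLs: a genuine finding for either check.
    "acl-bucket": {"name": "acl-bucket", "iamConfiguration": {}},
    # No iamConfiguration block at all: also a genuine finding.
    "no-iam-config": {"name": "bare-bucket"},
}


def get_default(obj: Any, key: str, default: Any) -> Any:
    """Python equivalent of lib.get_default in the Rego policy:
    return obj[key] when present, otherwise the supplied default."""
    if isinstance(obj, dict) and key in obj:
        return obj[key]
    return default


def bucket_policy_enabled_deprecated(bucket: Dict[str, Any]) -> Any:
    """Port of the rule quoted in the comment: reads only bucketPolicyOnly,
    so a bucket with uniformBucketLevelAccess alone evaluates to None."""
    iam_configuration = get_default(bucket, "iamConfiguration", {})
    bucket_policy_only = get_default(iam_configuration, "bucketPolicyOnly", {})
    return get_default(bucket_policy_only, "enabled", None)


def bucket_policy_enabled_fixed(bucket: Dict[str, Any]) -> bool:
    """Corrected check (hypothetical fix): either the deprecated flag or
    uniformBucketLevelAccess being enabled satisfies the policy."""
    iam_configuration = get_default(bucket, "iamConfiguration", {})
    legacy = get_default(
        get_default(iam_configuration, "bucketPolicyOnly", {}), "enabled", False
    )
    uniform = get_default(
        get_default(iam_configuration, "uniformBucketLevelAccess", {}), "enabled", False
    )
    return bool(legacy) or bool(uniform)


def violations(
    buckets: Dict[str, Dict[str, Any]], check: Callable[[Dict[str, Any]], Any]
) -> List[str]:
    """Names of buckets the policy would flag: anything the check does not
    evaluate to True for, mirroring a `!= true` violation condition."""
    return sorted(name for name, bucket in buckets.items() if check(bucket) is not True)


if __name__ == "__main__":
    print("deprecated check flags:", violations(SAMPLE_BUCKETS, bucket_policy_enabled_deprecated))
    print("fixed check flags:     ", violations(SAMPLE_BUCKETS, bucket_policy_enabled_fixed))
```

Running the block shows the deprecated check flagging the logs-sink bucket alongside the two genuinely misconfigured ones, while the corrected check flags only the latter; the remaining findings are real ACL-based buckets, which is what the policy is meant to catch.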

@bharathkkb
Member

@daniel-cit could we remove that policy and track it in an issue?

@comment-bot-dev

comment-bot-dev commented Jan 25, 2021

Thanks for the PR! 🚀
Unfortunately it looks like some of our CI checks failed. See the Contributing Guide for details.

  • ⚠️ check_terraform
    Failed Terraform check. More details below.
Attempting to download /workspace/test/bundle.hcl bundle.
/tmp/bundler /workspace
Fetching Terraform 0.13.5 core package...
Local plugin directory ".plugins" found; scanning for provider binaries.
No ".plugins" directory found, skipping local provider discovery.
Creating terraform_0.13.5-bundle2021012812_linux_amd64.zip ...
All done!
Archive:  terraform_0.13.5-bundle2021012812_linux_amd64.zip
/workspace
Running terraform fmt
Running terraform validate
terraform_validate ./0-bootstrap 
Success!
The configuration is valid.
terraform_validate ./0-bootstrap/modules/jenkins-agent 
Success!
The configuration is valid.
terraform_validate ./1-org/envs/shared 
Success!
The configuration is valid.
terraform_validate ./2-environments/envs/development 
Success!
The configuration is valid.
terraform_validate ./2-environments/envs/non-production 
Success!
The configuration is valid.
terraform_validate ./2-environments/envs/production 
Success!
The configuration is valid.
terraform_validate ./2-environments/modules/env_baseline 
Success!
The configuration is valid.
terraform_validate ./3-networks/envs/development 
Success!
The configuration is valid.
terraform_validate ./3-networks/envs/non-production 
Success!
The configuration is valid.
terraform_validate ./3-networks/envs/production 
Success!
The configuration is valid.
terraform_validate ./3-networks/envs/shared 
Success!
The configuration is valid.
terraform_validate ./3-networks/modules/base_shared_vpc 
Success!
The configuration is valid.
terraform_validate ./3-networks/modules/dedicated_interconnect 
Success!
The configuration is valid.
terraform_validate ./3-networks/modules/restricted_shared_vpc 
Success!
The configuration is valid.
terraform_validate ./3-networks/modules/vpn-ha 
Success!
The configuration is valid.
terraform_validate ./4-projects/business_unit_1/development 
Success!
The configuration is valid.
terraform_validate ./4-projects/business_unit_1/non-production 
Success!
The configuration is valid.
terraform_validate ./4-projects/business_unit_1/production 
Success!
The configuration is valid.
terraform_validate ./4-projects/business_unit_2/development 
Success!
The configuration is valid.
terraform_validate ./4-projects/business_unit_2/non-production 
Success!
The configuration is valid.
terraform_validate ./4-projects/business_unit_2/production 
Success!
The configuration is valid.
terraform_validate ./4-projects/modules/single_project 
Success!
The configuration is valid.
terraform_validate ./test/fixtures/bootstrap 
Success!
The configuration is valid.
terraform_validate ./test/fixtures/envs 
Success!
The configuration is valid.
terraform_validate ./test/fixtures/networks 
There are some problems with the configuration, described below.
The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
Error: 
Module does not support depends_on
 on main.tf line 30, in module "non-production":
 30:   source                           = 
"../../../3-networks/envs/non-production"
Module "non-production" cannot be used with depends_on because it contains a
nested provider configuration for "google.impersonate", at
../../../3-networks/envs/non-production/providers.tf:21,10-18.
This module can be made compatible with depends_on by changing it to receive
all of its provider configurations from the calling module, by using the
"providers" argument in the calling module block.
Error: 
Module does not support depends_on
 on main.tf line 30, in module "non-production":
 30:   source                           = 
"../../../3-networks/envs/non-production"
Module "non-production" cannot be used with depends_on because it contains a
nested provider configuration for "google", at
../../../3-networks/envs/non-production/providers.tf:40,10-18.
This module can be made compatible with depends_on by changing it to receive
all of its provider configurations from the calling module, by using the
"providers" argument in the calling module block.
Error: 
Module does not support depends_on
 on main.tf line 30, in module "non-production":
 30:   source                           = 
"../../../3-networks/envs/non-production"
Module "non-production" cannot be used with depends_on because it contains a
nested provider configuration for "google-beta", at
../../../3-networks/envs/non-production/providers.tf:45,10-23.
This module can be made compatible with depends_on by changing it to receive
all of its provider configurations from the calling module, by using the
"providers" argument in the calling module block.
Error: 
Module does not support depends_on
 on main.tf line 43, in module "production":
 43:   source                           = 
"../../../3-networks/envs/production"
Module "production" cannot be used with depends_on because it contains a
nested provider configuration for "google.impersonate", at
../../../3-networks/envs/production/providers.tf:21,10-18.
This module can be made compatible with depends_on by changing it to receive
all of its provider configurations from the calling module, by using the
"providers" argument in the calling module block.
Error: 
Module does not support depends_on
 on main.tf line 43, in module "production":
 43:   source                           = 
"../../../3-networks/envs/production"
Module "production" cannot be used with depends_on because it contains a
nested provider configuration for "google", at
../../../3-networks/envs/production/providers.tf:40,10-18.
This module can be made compatible with depends_on by changing it to receive
all of its provider configurations from the calling module, by using the
"providers" argument in the calling module block.
Error: 
Module does not support depends_on
 on main.tf line 43, in module "production":
 43:   source                           = 
"../../../3-networks/envs/production"
Module "production" cannot be used with depends_on because it contains a
nested provider configuration for "google-beta", at
../../../3-networks/envs/production/providers.tf:45,10-23.
This module can be made compatible with depends_on by changing it to receive
all of its provider configurations from the calling module, by using the
"providers" argument in the calling module block.
terraform_validate ./test/fixtures/org 
Success!
The configuration is valid.
terraform_validate ./test/fixtures/projects 
Success!
The configuration is valid.
terraform_validate ./test/setup 
Success!
The configuration is valid.

@rjerrems
Collaborator

Hi @amandakarina - it looks like there are some merge conflicts for bootstrap.


@rjerrems rjerrems left a comment


Thanks @amandakarina - it LGTM. Has this been tested with the foundation end to end?

@bharathkkb - should we consider adding some automated tests to ensure that this is working as expected? (can be done in another PR)

@rjerrems
Collaborator

Also let's make sure we squash and merge as there are a tonne of commits.

@morgante
Contributor

morgante commented Feb 2, 2021

@rjerrems @daniel-cit @bharathkkb Is this ready to merge?

@rjerrems
Collaborator

rjerrems commented Feb 3, 2021

I think we can merge @morgante - we will inevitably need to test more thoroughly as a part of the release anyway.

@rjerrems rjerrems merged commit eea9416 into terraform-google-modules:develop Feb 3, 2021
@bharathkkb
Member

@rjerrems opened #321 to keep track of testing as part of CI.

bharathkkb pushed a commit that referenced this pull request Mar 30, 2021
Co-authored-by: Amanda Karina Lopes de Oliveira <amandak@ciandt.com>
Co-authored-by: Amanda Karina Lopes de Oliveira <55760933+amandakarina@users.noreply.github.com>
bharathkkb pushed a commit that referenced this pull request Mar 30, 2021
Co-authored-by: Amanda Karina Lopes de Oliveira <amandak@ciandt.com>
Co-authored-by: Amanda Karina Lopes de Oliveira <55760933+amandakarina@users.noreply.github.com>
bharathkkb pushed a commit that referenced this pull request Mar 30, 2021
Co-authored-by: Amanda Karina Lopes de Oliveira <amandak@ciandt.com>
Co-authored-by: Amanda Karina Lopes de Oliveira <55760933+amandakarina@users.noreply.github.com>
bharathkkb pushed a commit that referenced this pull request Mar 31, 2021
Co-authored-by: Amanda Karina Lopes de Oliveira <amandak@ciandt.com>
Co-authored-by: Amanda Karina Lopes de Oliveira <55760933+amandakarina@users.noreply.github.com>
@daniel-cit daniel-cit deleted the update-terrafor-validator-version branch September 2, 2022 23:09