zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/fast/stages/1-resman/branch-security.tf

119 lines
4.0 KiB
Terraform
Raw Permalink Normal View History

Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
/**
Extend FAST to support different principal types (#2064) * add doc draft * typos * typo * typo * typos * rewording * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * move iam variables to a separate file * move billing-account module to iam_principals * move data-catalog-policy-tag module to iam_principals * move dataplex-datascan module to iam_principals * move dataproc module to iam_principals * move folder module to iam_principals * copyright * move organization module to iam_principals * move project module to iam_principals * move source-repository module to iam_principals * update blueprints for iam_principals interface * FAST bootstrap * module READMEs fixes * FAST bootstrap * FAST networking stages * FAST security stage * FAST gke stage * FAST multitenant bootstrap stage * FAST multitenant resman stage * tfdoc * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * fix module test * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Rename iam_principals to iam_by_principals * Update IAM template to include iam_by_principals * Update Resman README * Fix ADR link format --------- Co-authored-by: Julio Castillo <jccb@google.com>
2024-02-12 05:35:30 -08:00
* Copyright 2024 Google LLC
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description Security stage resources.
Add variable to resman to control top-level folder IAM (#2196)
2024-04-04 01:26:35 -07:00
locals {
# FAST-specific IAM
_security_folder_fast_iam = {
"roles/logging.admin" = [module.branch-security-sa.iam_email]
"roles/owner" = [module.branch-security-sa.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-security-sa.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-security-sa.iam_email]
# read-only (plan) automation service account
"roles/viewer" = [module.branch-security-r-sa.iam_email]
"roles/resourcemanager.folderViewer" = [module.branch-security-r-sa.iam_email]
}
# deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
_security_folder_iam = merge(
var.folder_iam.security,
{
for role, principals in local._security_folder_fast_iam :
role => distinct(concat(principals, lookup(var.folder_iam.security, role, [])))
}
)
}
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
module "branch-security-folder" {
source = "../../../modules/folder"
FAST: add top-level folders and restructure teams/tenants in resman (#2254) * remove teams and tenants from resman * move fast features to stage 1, fix test inventories * folders * fix factory, add top level folder resources to outputs * tfdoc * stage 0 log sink defs * tfdoc * enable toc in resman readme * simple tenants * fast compatibility automation and logging * testing fast-compatible tenants * testing fast-compatible tenants * tfdoc * remove mt stages * remove tests, fix links * disable tflint * fast tests * make organization conditional in resman * check names tool * export real prefix to tfvars, prevent destroy errors * prefix validation * fix billing account export format * tfdoc * root node folder * resman changes * tenant resman roles * first apply of tenant resman * tenant log sinks in stage 1 * fix test vars * tfdoc * tenant vpc-sc access policy * fix tests expected values * tenant CI/CD * identity providers * wif * tfdoc * add comments to identity locals * full-feature tenant resman apply * tenant billing IAM * stage test * fix CI/CD comments * tenant net stage verified * tenant sec stage verified * fix test * README work * tfdoc * README * README rewording * README rewording * tfdoc * FAST excalidraw * review comments * diagram review changes * add iam log sink for tenants * remove redundant try from security stage * Implement tflint-fast in Python driven by tftest.yaml files * tflint * test ci changes * revert linting changes * disable tflint for fast * Create junit-style report for FAST tflint * Remove junit-reporter * YAPF tflint-fast.py * Output tflint FAST to job summary * Step summary * Disable step_summary as output is not useful * ignore tflint warning * re-enable tflint on FAST --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
2024-05-15 02:17:13 -07:00
parent = local.root_node
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
name = "Security"
Extend FAST to support different principal types (#2064) * add doc draft * typos * typo * typo * typos * rewording * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * move iam variables to a separate file * move billing-account module to iam_principals * move data-catalog-policy-tag module to iam_principals * move dataplex-datascan module to iam_principals * move dataproc module to iam_principals * move folder module to iam_principals * copyright * move organization module to iam_principals * move project module to iam_principals * move source-repository module to iam_principals * update blueprints for iam_principals interface * FAST bootstrap * module READMEs fixes * FAST bootstrap * FAST networking stages * FAST security stage * FAST gke stage * FAST multitenant bootstrap stage * FAST multitenant resman stage * tfdoc * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * fix module test * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Rename iam_principals to iam_by_principals * Update IAM template to include iam_by_principals * Update Resman README * Fix ADR link format --------- Co-authored-by: Julio Castillo <jccb@google.com>
2024-02-12 05:35:30 -08:00
iam_by_principals = {
(local.principals.gcp-security-admins) = [
(WIP) Read-only service accounts for automation and CI/CD (#1899) * add design doc for the new CI/CD sa * describe the actual implementation * specify which files will need to be changed * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Fix typo * stage 0 read-only service accounts * stage 0 IAM map * linting * cicd read-only service accounts * tweak workflow templates * roles and github workflow fixes * tfdoc * Ad-hoc custom role factory for FAST bootstrap * use factory variable for custom roles data path * custom roles factory in org/project modules * tfdoc * rename custom roles factory variable, fix gitlab template * gitlab workflow fixes * fix merge * output plan results on failed assertion * update stage 0 expected values * data platform branch * gke * networking * security * project factory * outputs * workflow templates * resman apply fixes * tfdoc * fix stage 1 test fixture * fix gh workflow * read-only resman sa roles * fix test * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * fix test variables * rename wif principal attribute names * rename wif principal variables * multitenant stages --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2023-12-27 03:33:16 -08:00
# owner and viewer roles are broad and might grant unwanted access
# replace them with more selective custom roles for production deployments
"roles/editor"
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
]
}
Add variable to resman to control top-level folder IAM (#2196)
2024-04-04 01:26:35 -07:00
iam = local._security_folder_iam
Use tags and tag-based IAM conditions in FAST (#553) * organization module * folder module * project module * fix project binding * environment tags * use id instead of name for references * environment bindings * conditional org policy admin binding via tags * rename pf service accounts and buckets * update IAM docs * kms module * compute-vm * fix compute-vm * tfdoc
2022-02-20 02:26:30 -08:00
tag_bindings = {
FAST: allow changing tag names from variables in resman (#628)
2022-04-13 01:22:33 -07:00
context = try(
FAST: add top-level folders and restructure teams/tenants in resman (#2254) * remove teams and tenants from resman * move fast features to stage 1, fix test inventories * folders * fix factory, add top level folder resources to outputs * tfdoc * stage 0 log sink defs * tfdoc * enable toc in resman readme * simple tenants * fast compatibility automation and logging * testing fast-compatible tenants * testing fast-compatible tenants * tfdoc * remove mt stages * remove tests, fix links * disable tflint * fast tests * make organization conditional in resman * check names tool * export real prefix to tfvars, prevent destroy errors * prefix validation * fix billing account export format * tfdoc * root node folder * resman changes * tenant resman roles * first apply of tenant resman * tenant log sinks in stage 1 * fix test vars * tfdoc * tenant vpc-sc access policy * fix tests expected values * tenant CI/CD * identity providers * wif * tfdoc * add comments to identity locals * full-feature tenant resman apply * tenant billing IAM * stage test * fix CI/CD comments * tenant net stage verified * tenant sec stage verified * fix test * README work * tfdoc * README * README rewording * README rewording * tfdoc * FAST excalidraw * review comments * diagram review changes * add iam log sink for tenants * remove redundant try from security stage * Implement tflint-fast in Python driven by tftest.yaml files * tflint * test ci changes * revert linting changes * disable tflint for fast * Create junit-style report for FAST tflint * Remove junit-reporter * YAPF tflint-fast.py * Output tflint FAST to job summary * Step summary * Disable step_summary as output is not useful * ignore tflint warning * re-enable tflint on FAST --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
2024-05-15 02:17:13 -07:00
local.tag_values["${var.tag_names.context}/security"].id, null
FAST: allow changing tag names from variables in resman (#628)
2022-04-13 01:22:33 -07:00
)
Use tags and tag-based IAM conditions in FAST (#553) * organization module * folder module * project module * fix project binding * environment tags * use id instead of name for references * environment bindings * conditional org policy admin binding via tags * rename pf service accounts and buckets * update IAM docs * kms module * compute-vm * fix compute-vm * tfdoc
2022-02-20 02:26:30 -08:00
}
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
}
(WIP) Read-only service accounts for automation and CI/CD (#1899) * add design doc for the new CI/CD sa * describe the actual implementation * specify which files will need to be changed * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Fix typo * stage 0 read-only service accounts * stage 0 IAM map * linting * cicd read-only service accounts * tweak workflow templates * roles and github workflow fixes * tfdoc * Ad-hoc custom role factory for FAST bootstrap * use factory variable for custom roles data path * custom roles factory in org/project modules * tfdoc * rename custom roles factory variable, fix gitlab template * gitlab workflow fixes * fix merge * output plan results on failed assertion * update stage 0 expected values * data platform branch * gke * networking * security * project factory * outputs * workflow templates * resman apply fixes * tfdoc * fix stage 1 test fixture * fix gh workflow * read-only resman sa roles * fix test * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * fix test variables * rename wif principal attribute names * rename wif principal variables * multitenant stages --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2023-12-27 03:33:16 -08:00
# automation service account
Initial MVP for CI/CD (#608) * preliminary support for wif in stage 0 * IAM wif role * IAM wif role TODO * add support for external SA IAM to SA module * add name output to SA module * separate cicd SA * tfdoc * GITLAB principal (untested) * make GCS name output static * outputs bucket * fix stage 1 test * tweak outputs * tfdoc * move wif_pool to automation variable * add support for top-level and repository providers * add missing boilerplate * fix branchless principal * initial workflow * symlink provider template in stages * remove service accounts from stage 0 cicd tfvars * add cicd interface variable to resman stage * fix cicd variable in resman stage * better condition on outputs_location * fix last change * change outputs_location type * revert outputs_location change * split outputs in stage 0 * update ci/cd temporary notes * rename additive IAM resource in SA module * split outputs in stage 1 * remove unused locals * fix stage 1 tests * tfdoc * Upload action files to outputs_bucket * Fix tests and README * rename template, streamline outputs * local templates and gcs output for all stage 2 * add workflows to local output files * Use lowercase WIF providers everywhere * Bring back suffix for workflow files * Remove unused files * Update READMEs * preliminary CI/CD implementation for stage 1 * fix stage 1 * stage 1 cicd * tfdoc * fix tests * readme and links for cicd and wif * refactor wif providers * refactor cicd for stage 1 * fix stage 1 * wif org policies * split identity provider configuration from cicd * add type attribute to cicd repositories * valid cicd repositories have a workflow template * refactor stage 01 * fix stage 01 tests * minimal CI/CD documentation * better check_links error reporting * fix links * Added Gitlab specific configurations Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration. * Fixed TF formatting in identity providers. * Changing identity provider audience to null Changing identity provider audience to default to null. * add instructions for renaming workflows * address Julio's comments Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: alexmeissner <alexmeissner@google.com>
2022-04-11 23:17:27 -07:00
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
module "branch-security-sa" {
FAST: add top-level folders and restructure teams/tenants in resman (#2254) * remove teams and tenants from resman * move fast features to stage 1, fix test inventories * folders * fix factory, add top level folder resources to outputs * tfdoc * stage 0 log sink defs * tfdoc * enable toc in resman readme * simple tenants * fast compatibility automation and logging * testing fast-compatible tenants * testing fast-compatible tenants * tfdoc * remove mt stages * remove tests, fix links * disable tflint * fast tests * make organization conditional in resman * check names tool * export real prefix to tfvars, prevent destroy errors * prefix validation * fix billing account export format * tfdoc * root node folder * resman changes * tenant resman roles * first apply of tenant resman * tenant log sinks in stage 1 * fix test vars * tfdoc * tenant vpc-sc access policy * fix tests expected values * tenant CI/CD * identity providers * wif * tfdoc * add comments to identity locals * full-feature tenant resman apply * tenant billing IAM * stage test * fix CI/CD comments * tenant net stage verified * tenant sec stage verified * fix test * README work * tfdoc * README * README rewording * README rewording * tfdoc * FAST excalidraw * review comments * diagram review changes * add iam log sink for tenants * remove redundant try from security stage * Implement tflint-fast in Python driven by tftest.yaml files * tflint * test ci changes * revert linting changes * disable tflint for fast * Create junit-style report for FAST tflint * Remove junit-reporter * YAPF tflint-fast.py * Output tflint FAST to job summary * Step summary * Disable step_summary as output is not useful * ignore tflint warning * re-enable tflint on FAST --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
2024-05-15 02:17:13 -07:00
source = "../../../modules/iam-service-account"
project_id = var.automation.project_id
name = "prod-resman-sec-0"
display_name = "Terraform resman security service account."
prefix = var.prefix
service_account_create = var.root_node == null
Initial MVP for CI/CD (#608) * preliminary support for wif in stage 0 * IAM wif role * IAM wif role TODO * add support for external SA IAM to SA module * add name output to SA module * separate cicd SA * tfdoc * GITLAB principal (untested) * make GCS name output static * outputs bucket * fix stage 1 test * tweak outputs * tfdoc * move wif_pool to automation variable * add support for top-level and repository providers * add missing boilerplate * fix branchless principal * initial workflow * symlink provider template in stages * remove service accounts from stage 0 cicd tfvars * add cicd interface variable to resman stage * fix cicd variable in resman stage * better condition on outputs_location * fix last change * change outputs_location type * revert outputs_location change * split outputs in stage 0 * update ci/cd temporary notes * rename additive IAM resource in SA module * split outputs in stage 1 * remove unused locals * fix stage 1 tests * tfdoc * Upload action files to outputs_bucket * Fix tests and README * rename template, streamline outputs * local templates and gcs output for all stage 2 * add workflows to local output files * Use lowercase WIF providers everywhere * Bring back suffix for workflow files * Remove unused files * Update READMEs * preliminary CI/CD implementation for stage 1 * fix stage 1 * stage 1 cicd * tfdoc * fix tests * readme and links for cicd and wif * refactor wif providers * refactor cicd for stage 1 * fix stage 1 * wif org policies * split identity provider configuration from cicd * add type attribute to cicd repositories * valid cicd repositories have a workflow template * refactor stage 01 * fix stage 01 tests * minimal CI/CD documentation * better check_links error reporting * fix links * Added Gitlab specific configurations Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration. * Fixed TF formatting in identity providers. * Changing identity provider audience to null Changing identity provider audience to default to null. * add instructions for renaming workflows * address Julio's comments Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: alexmeissner <alexmeissner@google.com>
2022-04-11 23:17:27 -07:00
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
Add tflint to pipelines (#2220) * Fix terraform_deprecated_index https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_index.md * Fix terraform_deprecated_interpolation Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md * Fix more indexing * Remove unused variable * Enable TFLint for modules * Add tflint config file * Fix chdir * Lint modules * TFLint fixes * TFLint * Fixes binauthz README * Fixes DNS response policy tests. Restores MIG outputs. * Fixes other DNS response policy tests. * Update tests for fast 2-e * Moar fixed tests --------- Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2024-04-17 01:23:48 -07:00
try(module.branch-security-sa-cicd[0].iam_email, null)
Initial MVP for CI/CD (#608) * preliminary support for wif in stage 0 * IAM wif role * IAM wif role TODO * add support for external SA IAM to SA module * add name output to SA module * separate cicd SA * tfdoc * GITLAB principal (untested) * make GCS name output static * outputs bucket * fix stage 1 test * tweak outputs * tfdoc * move wif_pool to automation variable * add support for top-level and repository providers * add missing boilerplate * fix branchless principal * initial workflow * symlink provider template in stages * remove service accounts from stage 0 cicd tfvars * add cicd interface variable to resman stage * fix cicd variable in resman stage * better condition on outputs_location * fix last change * change outputs_location type * revert outputs_location change * split outputs in stage 0 * update ci/cd temporary notes * rename additive IAM resource in SA module * split outputs in stage 1 * remove unused locals * fix stage 1 tests * tfdoc * Upload action files to outputs_bucket * Fix tests and README * rename template, streamline outputs * local templates and gcs output for all stage 2 * add workflows to local output files * Use lowercase WIF providers everywhere * Bring back suffix for workflow files * Remove unused files * Update READMEs * preliminary CI/CD implementation for stage 1 * fix stage 1 * stage 1 cicd * tfdoc * fix tests * readme and links for cicd and wif * refactor wif providers * refactor cicd for stage 1 * fix stage 1 * wif org policies * split identity provider configuration from cicd * add type attribute to cicd repositories * valid cicd repositories have a workflow template * refactor stage 01 * fix stage 01 tests * minimal CI/CD documentation * better check_links error reporting * fix links * Added Gitlab specific configurations Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration. * Fixed TF formatting in identity providers. * Changing identity provider audience to null Changing identity provider audience to default to null. * add instructions for renaming workflows * address Julio's comments Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: alexmeissner <alexmeissner@google.com>
2022-04-11 23:17:27 -07:00
])
}
fixed permissions for security stage SA (#1376) it should be able to use automation project as a quota project, hence it needs `serviceusage.serviceUsageConsumer` role
2023-05-15 03:20:33 -07:00
iam_project_roles = {
Add service usage consumer role to IaC SAs, refactor delegated grants in FAST (#1773) * add serviceusage role to iac sas, refactor delegated grants * fix test * tfdoc
2023-10-18 05:18:31 -07:00
(var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
fixed permissions for security stage SA (#1376) it should be able to use automation project as a quota project, hence it needs `serviceusage.serviceUsageConsumer` role
2023-05-15 03:20:33 -07:00
}
Initial MVP for CI/CD (#608) * preliminary support for wif in stage 0 * IAM wif role * IAM wif role TODO * add support for external SA IAM to SA module * add name output to SA module * separate cicd SA * tfdoc * GITLAB principal (untested) * make GCS name output static * outputs bucket * fix stage 1 test * tweak outputs * tfdoc * move wif_pool to automation variable * add support for top-level and repository providers * add missing boilerplate * fix branchless principal * initial workflow * symlink provider template in stages * remove service accounts from stage 0 cicd tfvars * add cicd interface variable to resman stage * fix cicd variable in resman stage * better condition on outputs_location * fix last change * change outputs_location type * revert outputs_location change * split outputs in stage 0 * update ci/cd temporary notes * rename additive IAM resource in SA module * split outputs in stage 1 * remove unused locals * fix stage 1 tests * tfdoc * Upload action files to outputs_bucket * Fix tests and README * rename template, streamline outputs * local templates and gcs output for all stage 2 * add workflows to local output files * Use lowercase WIF providers everywhere * Bring back suffix for workflow files * Remove unused files * Update READMEs * preliminary CI/CD implementation for stage 1 * fix stage 1 * stage 1 cicd * tfdoc * fix tests * readme and links for cicd and wif * refactor wif providers * refactor cicd for stage 1 * fix stage 1 * wif org policies * split identity provider configuration from cicd * add type attribute to cicd repositories * valid cicd repositories have a workflow template * refactor stage 01 * fix stage 01 tests * minimal CI/CD documentation * better check_links error reporting * fix links * Added Gitlab specific configurations Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration. * Fixed TF formatting in identity providers. * Changing identity provider audience to null Changing identity provider audience to default to null. * add instructions for renaming workflows * address Julio's comments Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: alexmeissner <alexmeissner@google.com>
2022-04-11 23:17:27 -07:00
iam_storage_roles = {
Widen scope for prod project factory SA to dev (#1263) * restrict storage role on outputs bucket for stage SAs * grant prod project factory SA authority over prod and dev org policies * network stages delegated grants on dev to prod pf SA * security grants to prod pf SA on dev * tfdoc * tests
2023-03-17 09:24:55 -07:00
(var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
Initial MVP for CI/CD (#608) * preliminary support for wif in stage 0 * IAM wif role * IAM wif role TODO * add support for external SA IAM to SA module * add name output to SA module * separate cicd SA * tfdoc * GITLAB principal (untested) * make GCS name output static * outputs bucket * fix stage 1 test * tweak outputs * tfdoc * move wif_pool to automation variable * add support for top-level and repository providers * add missing boilerplate * fix branchless principal * initial workflow * symlink provider template in stages * remove service accounts from stage 0 cicd tfvars * add cicd interface variable to resman stage * fix cicd variable in resman stage * better condition on outputs_location * fix last change * change outputs_location type * revert outputs_location change * split outputs in stage 0 * update ci/cd temporary notes * rename additive IAM resource in SA module * split outputs in stage 1 * remove unused locals * fix stage 1 tests * tfdoc * Upload action files to outputs_bucket * Fix tests and README * rename template, streamline outputs * local templates and gcs output for all stage 2 * add workflows to local output files * Use lowercase WIF providers everywhere * Bring back suffix for workflow files * Remove unused files * Update READMEs * preliminary CI/CD implementation for stage 1 * fix stage 1 * stage 1 cicd * tfdoc * fix tests * readme and links for cicd and wif * refactor wif providers * refactor cicd for stage 1 * fix stage 1 * wif org policies * split identity provider configuration from cicd * add type attribute to cicd repositories * valid cicd repositories have a workflow template * refactor stage 01 * fix stage 01 tests * minimal CI/CD documentation * better check_links error reporting * fix links * Added Gitlab specific configurations Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration. * Fixed TF formatting in identity providers. * Changing identity provider audience to null Changing identity provider audience to default to null. * add instructions for renaming workflows * address Julio's comments Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: alexmeissner <alexmeissner@google.com>
2022-04-11 23:17:27 -07:00
}
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
}
(WIP) Read-only service accounts for automation and CI/CD (#1899) * add design doc for the new CI/CD sa * describe the actual implementation * specify which files will need to be changed * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Fix typo * stage 0 read-only service accounts * stage 0 IAM map * linting * cicd read-only service accounts * tweak workflow templates * roles and github workflow fixes * tfdoc * Ad-hoc custom role factory for FAST bootstrap * use factory variable for custom roles data path * custom roles factory in org/project modules * tfdoc * rename custom roles factory variable, fix gitlab template * gitlab workflow fixes * fix merge * output plan results on failed assertion * update stage 0 expected values * data platform branch * gke * networking * security * project factory * outputs * workflow templates * resman apply fixes * tfdoc * fix stage 1 test fixture * fix gh workflow * read-only resman sa roles * fix test * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * fix test variables * rename wif principal attribute names * rename wif principal variables * multitenant stages --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2023-12-27 03:33:16 -08:00
# automation read-only service account
module "branch-security-r-sa" {
FAST: add top-level folders and restructure teams/tenants in resman (#2254) * remove teams and tenants from resman * move fast features to stage 1, fix test inventories * folders * fix factory, add top level folder resources to outputs * tfdoc * stage 0 log sink defs * tfdoc * enable toc in resman readme * simple tenants * fast compatibility automation and logging * testing fast-compatible tenants * testing fast-compatible tenants * tfdoc * remove mt stages * remove tests, fix links * disable tflint * fast tests * make organization conditional in resman * check names tool * export real prefix to tfvars, prevent destroy errors * prefix validation * fix billing account export format * tfdoc * root node folder * resman changes * tenant resman roles * first apply of tenant resman * tenant log sinks in stage 1 * fix test vars * tfdoc * tenant vpc-sc access policy * fix tests expected values * tenant CI/CD * identity providers * wif * tfdoc * add comments to identity locals * full-feature tenant resman apply * tenant billing IAM * stage test * fix CI/CD comments * tenant net stage verified * tenant sec stage verified * fix test * README work * tfdoc * README * README rewording * README rewording * tfdoc * FAST excalidraw * review comments * diagram review changes * add iam log sink for tenants * remove redundant try from security stage * Implement tflint-fast in Python driven by tftest.yaml files * tflint * test ci changes * revert linting changes * disable tflint for fast * Create junit-style report for FAST tflint * Remove junit-reporter * YAPF tflint-fast.py * Output tflint FAST to job summary * Step summary * Disable step_summary as output is not useful * ignore tflint warning * re-enable tflint on FAST --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
2024-05-15 02:17:13 -07:00
source = "../../../modules/iam-service-account"
project_id = var.automation.project_id
name = "prod-resman-sec-0r"
display_name = "Terraform resman security service account (read-only)."
prefix = var.prefix
service_account_create = var.root_node == null
(WIP) Read-only service accounts for automation and CI/CD (#1899) * add design doc for the new CI/CD sa * describe the actual implementation * specify which files will need to be changed * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Fix typo * stage 0 read-only service accounts * stage 0 IAM map * linting * cicd read-only service accounts * tweak workflow templates * roles and github workflow fixes * tfdoc * Ad-hoc custom role factory for FAST bootstrap * use factory variable for custom roles data path * custom roles factory in org/project modules * tfdoc * rename custom roles factory variable, fix gitlab template * gitlab workflow fixes * fix merge * output plan results on failed assertion * update stage 0 expected values * data platform branch * gke * networking * security * project factory * outputs * workflow templates * resman apply fixes * tfdoc * fix stage 1 test fixture * fix gh workflow * read-only resman sa roles * fix test * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * fix test variables * rename wif principal attribute names * rename wif principal variables * multitenant stages --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2023-12-27 03:33:16 -08:00
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
Add tflint to pipelines (#2220) * Fix terraform_deprecated_index https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_index.md * Fix terraform_deprecated_interpolation Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md * Fix more indexing * Remove unused variable * Enable TFLint for modules * Add tflint config file * Fix chdir * Lint modules * TFLint fixes * TFLint * Fixes binauthz README * Fixes DNS response policy tests. Restores MIG outputs. * Fixes other DNS response policy tests. * Update tests for fast 2-e * Moar fixed tests --------- Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2024-04-17 01:23:48 -07:00
try(module.branch-security-r-sa-cicd[0].iam_email, null)
(WIP) Read-only service accounts for automation and CI/CD (#1899) * add design doc for the new CI/CD sa * describe the actual implementation * specify which files will need to be changed * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Fix typo * stage 0 read-only service accounts * stage 0 IAM map * linting * cicd read-only service accounts * tweak workflow templates * roles and github workflow fixes * tfdoc * Ad-hoc custom role factory for FAST bootstrap * use factory variable for custom roles data path * custom roles factory in org/project modules * tfdoc * rename custom roles factory variable, fix gitlab template * gitlab workflow fixes * fix merge * output plan results on failed assertion * update stage 0 expected values * data platform branch * gke * networking * security * project factory * outputs * workflow templates * resman apply fixes * tfdoc * fix stage 1 test fixture * fix gh workflow * read-only resman sa roles * fix test * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * fix test variables * rename wif principal attribute names * rename wif principal variables * multitenant stages --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2023-12-27 03:33:16 -08:00
])
}
iam_project_roles = {
(var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
}
iam_storage_roles = {
(var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
}
}
# automation bucket
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
module "branch-security-gcs" {
FAST: add support for storage locations in stages 0 and 1 (#800) * FAST: add support for storage locations in stages 0 and 1 * fix typo * fix typo on logging * tfdoc
2022-09-08 06:24:42 -07:00
source = "../../../modules/gcs"
project_id = var.automation.project_id
name = "prod-resman-sec-0"
prefix = var.prefix
location = var.locations.gcs
storage_class = local.gcs_storage_class
versioning = true
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
iam = {
(WIP) Read-only service accounts for automation and CI/CD (#1899) * add design doc for the new CI/CD sa * describe the actual implementation * specify which files will need to be changed * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Update 0-cicd-plan-sa.md * Fix typo * stage 0 read-only service accounts * stage 0 IAM map * linting * cicd read-only service accounts * tweak workflow templates * roles and github workflow fixes * tfdoc * Ad-hoc custom role factory for FAST bootstrap * use factory variable for custom roles data path * custom roles factory in org/project modules * tfdoc * rename custom roles factory variable, fix gitlab template * gitlab workflow fixes * fix merge * output plan results on failed assertion * update stage 0 expected values * data platform branch * gke * networking * security * project factory * outputs * workflow templates * resman apply fixes * tfdoc * fix stage 1 test fixture * fix gh workflow * read-only resman sa roles * fix test * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * read-only resman sa roles * fix test variables * rename wif principal attribute names * rename wif principal variables * multitenant stages --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2023-12-27 03:33:16 -08:00
"roles/storage.objectAdmin" = [module.branch-security-sa.iam_email]
"roles/storage.objectViewer" = [module.branch-security-r-sa.iam_email]
Merge Fabric FAST (#435) Co-authored-by: Simone Ruffilli <sruffilli@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
2022-01-19 05:17:20 -08:00
}
}