2019-09-11 05:39:33 -07:00
|
|
|
# Copyright 2019 Google LLC
|
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# https://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
|
|
|
|
2019-10-30 14:21:15 -07:00
|
|
|
# TODO(averbukh): simplify log-sink parameters once https://github.com/terraform-google-modules/terraform-google-log-export/issues/28 is done.
|
2019-09-11 05:39:33 -07:00
|
|
|
|
|
|
|
locals {
|
|
|
|
parent_numeric_id = element(split("/", var.root_node), 1)
|
|
|
|
log_sink_parent_resource_type = element(split("/", var.root_node), 0) == "organizations" ? "organization" : "folder"
|
|
|
|
log_sink_name = element(split("/", var.root_node), 0) == "organizations" ? "logs-audit-org-${local.parent_numeric_id}" : "logs-audit-folder-${local.parent_numeric_id}"
|
|
|
|
}
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
# Shared resources folder #
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
module "shared-folder" {
|
|
|
|
source = "terraform-google-modules/folders/google"
|
2020-01-10 00:07:23 -08:00
|
|
|
version = "2.0.2"
|
2019-09-11 05:39:33 -07:00
|
|
|
parent = var.root_node
|
|
|
|
names = ["shared"]
|
|
|
|
}
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
# Terraform top-level resources #
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Terraform project
|
|
|
|
|
|
|
|
module "project-tf" {
|
|
|
|
source = "terraform-google-modules/project-factory/google//modules/fabric-project"
|
2019-11-04 11:50:08 -08:00
|
|
|
version = "5.0.0"
|
2019-09-11 05:39:33 -07:00
|
|
|
parent = module.shared-folder.id
|
|
|
|
billing_account = var.billing_account_id
|
|
|
|
prefix = var.prefix
|
|
|
|
name = "terraform"
|
|
|
|
lien_reason = "terraform"
|
|
|
|
owners = var.terraform_owners
|
|
|
|
activate_apis = var.project_services
|
|
|
|
}
|
|
|
|
|
|
|
|
# Per environment service accounts
|
|
|
|
|
|
|
|
module "service-accounts-tf-environments" {
|
|
|
|
source = "terraform-google-modules/service-accounts/google"
|
2020-01-10 00:07:23 -08:00
|
|
|
version = "2.0.2"
|
2019-09-11 05:39:33 -07:00
|
|
|
project_id = module.project-tf.project_id
|
|
|
|
org_id = var.organization_id
|
|
|
|
billing_account_id = var.billing_account_id
|
|
|
|
prefix = var.prefix
|
|
|
|
names = var.environments
|
|
|
|
grant_billing_role = true
|
|
|
|
generate_keys = var.generate_service_account_keys
|
|
|
|
}
|
|
|
|
|
|
|
|
# Bootstrap Terraform state GCS bucket
|
|
|
|
|
|
|
|
module "gcs-tf-bootstrap" {
|
|
|
|
source = "terraform-google-modules/cloud-storage/google"
|
|
|
|
version = "1.0.0"
|
|
|
|
project_id = module.project-tf.project_id
|
|
|
|
prefix = "${var.prefix}-tf"
|
|
|
|
names = ["tf-bootstrap"]
|
|
|
|
location = var.gcs_location
|
|
|
|
}
|
|
|
|
|
|
|
|
# Per environment Terraform state GCS buckets
|
|
|
|
|
|
|
|
module "gcs-tf-environments" {
|
|
|
|
source = "terraform-google-modules/cloud-storage/google"
|
|
|
|
version = "1.0.0"
|
|
|
|
project_id = module.project-tf.project_id
|
|
|
|
prefix = "${var.prefix}-tf"
|
|
|
|
names = var.environments
|
|
|
|
location = var.gcs_location
|
|
|
|
set_admin_roles = true
|
|
|
|
bucket_admins = zipmap(
|
|
|
|
var.environments,
|
|
|
|
module.service-accounts-tf-environments.iam_emails_list
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
# Business units #
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Business unit 1
|
|
|
|
|
|
|
|
module "business-unit-1-folders" {
|
2019-11-04 11:50:08 -08:00
|
|
|
source = "./modules/business-unit-folders"
|
2019-09-11 05:39:33 -07:00
|
|
|
business_unit_folder_name = var.business_unit_1_name
|
|
|
|
environments = var.environments
|
|
|
|
per_folder_admins = module.service-accounts-tf-environments.iam_emails_list
|
|
|
|
root_node = var.root_node
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
# Business unit 2
|
|
|
|
|
|
|
|
module "business-unit-2-folders" {
|
2019-11-04 11:50:08 -08:00
|
|
|
source = "./modules/business-unit-folders"
|
2019-09-11 05:39:33 -07:00
|
|
|
business_unit_folder_name = var.business_unit_2_name
|
|
|
|
environments = var.environments
|
|
|
|
per_folder_admins = module.service-accounts-tf-environments.iam_emails_list
|
|
|
|
root_node = var.root_node
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
# Business unit 3
|
|
|
|
|
|
|
|
module "business-unit-3-folders" {
|
2019-11-04 11:50:08 -08:00
|
|
|
source = "./modules/business-unit-folders"
|
2019-09-11 05:39:33 -07:00
|
|
|
business_unit_folder_name = var.business_unit_3_name
|
|
|
|
environments = var.environments
|
|
|
|
per_folder_admins = module.service-accounts-tf-environments.iam_emails_list
|
|
|
|
root_node = var.root_node
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
# Audit log exports #
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Audit logs project
|
|
|
|
|
|
|
|
module "project-audit" {
|
|
|
|
source = "terraform-google-modules/project-factory/google//modules/fabric-project"
|
2019-11-04 11:50:08 -08:00
|
|
|
version = "5.0.0"
|
2019-09-11 05:39:33 -07:00
|
|
|
parent = module.shared-folder.id
|
|
|
|
billing_account = var.billing_account_id
|
|
|
|
prefix = var.prefix
|
|
|
|
name = "audit"
|
|
|
|
lien_reason = "audit"
|
|
|
|
viewers = var.audit_viewers
|
2019-11-04 11:50:08 -08:00
|
|
|
activate_apis = concat(var.project_services, [
|
|
|
|
"bigquery.googleapis.com",
|
|
|
|
])
|
2019-09-11 05:39:33 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
# Audit logs destination on BigQuery
|
|
|
|
|
|
|
|
module "bq-audit-export" {
|
|
|
|
source = "terraform-google-modules/log-export/google//modules/bigquery"
|
2020-01-10 00:07:23 -08:00
|
|
|
version = "3.2.0"
|
2019-09-11 05:39:33 -07:00
|
|
|
project_id = module.project-audit.project_id
|
|
|
|
dataset_name = "${replace(local.log_sink_name, "-", "_")}"
|
|
|
|
log_sink_writer_identity = module.log-sink-audit.writer_identity
|
|
|
|
}
|
|
|
|
|
|
|
|
# Audit log sink for root node
|
|
|
|
|
|
|
|
module "log-sink-audit" {
|
|
|
|
source = "terraform-google-modules/log-export/google"
|
2020-01-10 00:07:23 -08:00
|
|
|
version = "3.2.0"
|
2019-09-11 05:39:33 -07:00
|
|
|
filter = "logName: \"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName: \"/logs/cloudaudit.googleapis.com%2Fsystem_event\""
|
|
|
|
log_sink_name = local.log_sink_name
|
|
|
|
parent_resource_type = local.log_sink_parent_resource_type
|
|
|
|
parent_resource_id = local.parent_numeric_id
|
|
|
|
include_children = "true"
|
|
|
|
unique_writer_identity = "true"
|
|
|
|
destination_uri = "${module.bq-audit-export.destination_uri}"
|
|
|
|
}
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
# Shared resources (GCR, GCS, KMS, etc.) #
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Shared resources project
|
|
|
|
|
|
|
|
module "project-shared-resources" {
|
|
|
|
source = "terraform-google-modules/project-factory/google//modules/fabric-project"
|
2019-11-04 11:50:08 -08:00
|
|
|
version = "5.0.0"
|
2019-09-11 05:39:33 -07:00
|
|
|
parent = module.shared-folder.id
|
|
|
|
billing_account = var.billing_account_id
|
|
|
|
prefix = var.prefix
|
|
|
|
name = "shared"
|
|
|
|
lien_reason = "shared"
|
|
|
|
activate_apis = var.project_services
|
|
|
|
extra_bindings_roles = var.shared_bindings_roles
|
|
|
|
extra_bindings_members = var.shared_bindings_members
|
|
|
|
}
|
|
|
|
|
|
|
|
# Add further modules here for resources that are common to all business units
|
|
|
|
# like GCS buckets (used to hold shared assets), Container Registry, KMS, etc.
|