From 31bf9b98d197d1a81cd8a75044dfac566ed5175f Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 25 Feb 2022 12:19:10 +0100
Subject: [PATCH] Swap xpnAdmin with custom xpnServiceAdmin for service projects

---
 fast/stages/01-resman/README.md | 14 +++---
 fast/stages/01-resman/branch-data-platform.tf | 8 ++--
 fast/stages/01-resman/branch-networking.tf | 2 +-
 fast/stages/01-resman/branch-teams.tf | 40 +++++--------------
 fast/stages/01-resman/main.tf | 1 +
 fast/stages/01-resman/variables.tf | 6 ++-
 fast/stages/02-networking-nva/spoke-dev.tf | 3 --
 fast/stages/02-networking-nva/spoke-prod.tf | 3 --
 fast/stages/02-networking-vpn/spoke-dev.tf | 3 --
 fast/stages/02-networking-vpn/spoke-prod.tf | 3 --
 10 files changed, 27 insertions(+), 56 deletions(-)

diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index f525193d..3ac9c09e 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -168,13 +168,13 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 |---|---|:---:|:---:|:---:|:---:|
 | [automation_project_id](variables.tf#L20) | Project id for the automation project created by the bootstrap stage. | string | ✓ | | 00-bootstrap |
 | [billing_account](variables.tf#L26) | Billing account id and organization id ('nnnnnnnn' or null). | object({…}) | ✓ | | 00-bootstrap |
-| [organization](variables.tf#L57) | Organization details. | object({…}) | ✓ | | 00-bootstrap |
-| [prefix](variables.tf#L81) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap |
-| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | map(string) | | {} | 00-bootstrap |
-| [groups](variables.tf#L42) | Group names to grant organization-level permissions. | map(string) | | {…} | 00-bootstrap |
-| [organization_policy_configs](variables.tf#L67) | Organization policies customization. | object({…}) | | null | |
-| [outputs_location](variables.tf#L75) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
-| [team_folders](variables.tf#L92) | Team folders to be created. Format is described in a code comment. | map(object({…})) | | null | |
+| [organization](variables.tf#L59) | Organization details. | object({…}) | ✓ | | 00-bootstrap |
+| [prefix](variables.tf#L83) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 00-bootstrap |
+| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 00-bootstrap |
+| [groups](variables.tf#L44) | Group names to grant organization-level permissions. | map(string) | | {…} | 00-bootstrap |
+| [organization_policy_configs](variables.tf#L69) | Organization policies customization. | object({…}) | | null | |
+| [outputs_location](variables.tf#L77) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
+| [team_folders](variables.tf#L94) | Team folders to be created. Format is described in a code comment. | map(object({…})) | | null | |
 
 ## Outputs
 
diff --git a/fast/stages/01-resman/branch-data-platform.tf b/fast/stages/01-resman/branch-data-platform.tf
index 9585f051..e6ecad3f 100644
--- a/fast/stages/01-resman/branch-data-platform.tf
+++ b/fast/stages/01-resman/branch-data-platform.tf
@@ -35,10 +35,10 @@ module "branch-dp-dev-folder" {
 name = "Development"
 group_iam = {}
 iam = {
+ (local.custom_roles.service_project_network_admin) = [module.branch-dp-dev-sa.iam_email]
 # remove owner here and at project level if SA does not manage project resources
- "roles/compute.xpnAdmin" = [module.branch-dp-dev-sa.iam_email]
- "roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
 "roles/owner" = [module.branch-dp-dev-sa.iam_email]
+ "roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
 "roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
 "roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
 }
@@ -74,12 +74,12 @@ module "branch-dp-prod-folder" {
 name = "Production"
 group_iam = {}
 iam = {
+ (local.custom_roles.service_project_network_admin) = [module.branch-dp-prod-sa.iam_email]
 # remove owner here and at project level if SA does not manage project resources
- "roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
 "roles/owner" = [module.branch-dp-prod-sa.iam_email]
+ "roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
 "roles/resourcemanager.folderAdmin" = [module.branch-dp-prod-sa.iam_email]
 "roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
- "roles/compute.xpnAdmin" = [module.branch-dp-prod-sa.iam_email]
 }
 tag_bindings = {
 context = module.organization.tag_values["environment/production"].id
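Review bot: The new `(local.custom_roles.service_project_network_admin)` entry is inserted above the `# remove owner here and at project level if SA does not manage project resources` comment in both branch-dp-dev-folder and branch-dp-prod-folder, so the comment no longer sits next to the `roles/owner` line it refers to; the two branch-teams.tf hunks have the same ordering. Placing the custom-role entry after `"roles/resourcemanager.projectCreator"` keeps the comment attached to owner. Since the key is no longer a self-describing predefined role, a short comment naming its origin would help the next reader, e.g. `# custom role from the 00-bootstrap stage, replaces roles/compute.xpnAdmin`. Both module blocks start before their hunk and close after it.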
diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
index 3b5e2ff1..43ababfc 100644
--- a/fast/stages/01-resman/branch-networking.tf
+++ b/fast/stages/01-resman/branch-networking.tf
@@ -82,7 +82,7 @@ module "branch-network-dev-folder" {
 parent = module.branch-network-folder.id
 name = "Development"
 iam = {
- "roles/compute.xpnAdmin" = [
+ (local.custom_roles.service_project_network_admin) = [
 module.branch-dp-dev-sa.iam_email,
 module.branch-teams-dev-pf-sa.iam_email
 ]
diff --git a/fast/stages/01-resman/branch-teams.tf b/fast/stages/01-resman/branch-teams.tf
index a377be9a..8f615931 100644
--- a/fast/stages/01-resman/branch-teams.tf
+++ b/fast/stages/01-resman/branch-teams.tf
@@ -84,22 +84,12 @@ module "branch-teams-team-dev-folder" {
 # environment-wide human permissions on the whole teams environment
 group_iam = {}
 iam = {
+ (local.custom_roles.service_project_network_admin) = [module.branch-teams-dev-pf-sa.iam_email]
 # remove owner here and at project level if SA does not manage project resources
- "roles/owner" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
- "roles/logging.admin" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
- "roles/resourcemanager.folderAdmin" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
- "roles/resourcemanager.projectCreator" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
- "roles/compute.xpnAdmin" = [
- module.branch-teams-dev-pf-sa.iam_email
- ]
+ "roles/owner" = [module.branch-teams-dev-pf-sa.iam_email]
+ "roles/logging.admin" = [module.branch-teams-dev-pf-sa.iam_email]
+ "roles/resourcemanager.folderAdmin" = [module.branch-teams-dev-pf-sa.iam_email]
+ "roles/resourcemanager.projectCreator" = [module.branch-teams-dev-pf-sa.iam_email]
 }
 tag_bindings = {
 environment = module.organization.tag_values["environment/development"].id
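Review bot: The custom-role grant this hunk adds on `branch-network-dev-folder` has no production counterpart anywhere in the diff, while the spoke-prod.tf hunks in both 02-networking stages drop the `service_project_network_admin` binding that `values(local.service_accounts)` previously held on the prod spoke project. Unless the prod networking folder is already covered outside this change, the prod project-factory service accounts appear to lose the grant that let them attach service projects, so that should be confirmed before merging. The removed project-level binding also covered every entry in `local.service_accounts`, whereas the folder-level grant here names only `module.branch-dp-dev-sa` and `module.branch-teams-dev-pf-sa`; if that narrowing is intended it deserves a sentence in the commit message or a comment on the `iam` block. The `branch-network-dev-folder` module starts before the hunk and closes after it.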
@@ -147,22 +137,12 @@ module "branch-teams-team-prod-folder" {
 # environment-wide human permissions on the whole teams environment
 group_iam = {}
 iam = {
+ (local.custom_roles.service_project_network_admin) = [module.branch-teams-prod-pf-sa.iam_email]
 # remove owner here and at project level if SA does not manage project resources
- "roles/owner" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
- "roles/logging.admin" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
- "roles/resourcemanager.folderAdmin" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
- "roles/resourcemanager.projectCreator" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
- "roles/compute.xpnAdmin" = [
- module.branch-teams-prod-pf-sa.iam_email
- ]
+ "roles/owner" = [module.branch-teams-prod-pf-sa.iam_email]
+ "roles/logging.admin" = [module.branch-teams-prod-pf-sa.iam_email]
+ "roles/resourcemanager.folderAdmin" = [module.branch-teams-prod-pf-sa.iam_email]
+ "roles/resourcemanager.projectCreator" = [module.branch-teams-prod-pf-sa.iam_email]
 }
 tag_bindings = {
 environment = module.organization.tag_values["environment/production"].id
diff --git a/fast/stages/01-resman/main.tf b/fast/stages/01-resman/main.tf
index 9d12239e..0cc1c6bb 100644
--- a/fast/stages/01-resman/main.tf
+++ b/fast/stages/01-resman/main.tf
@@ -19,6 +19,7 @@ locals {
 billing_ext = var.billing_account.organization_id == null
 billing_org = var.billing_account.organization_id == var.organization.id
 billing_org_ext = !local.billing_ext && !local.billing_org
+ custom_roles = coalesce(var.custom_roles, {})
 groups = {
 for k, v in var.groups : k => "${v}@${var.organization.domain}"
diff --git a/fast/stages/01-resman/variables.tf b/fast/stages/01-resman/variables.tf
index 7c8a584d..639aba6f 100644
--- a/fast/stages/01-resman/variables.tf
+++ b/fast/stages/01-resman/variables.tf
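Review bot: `custom_roles = coalesce(var.custom_roles, {})` does not make the `default = null` introduced in the variables.tf hunk safe, because every consumer in branch-data-platform.tf, branch-networking.tf and branch-teams.tf dereferences `local.custom_roles.service_project_network_admin` unconditionally, so a run without the 00-bootstrap value fails at the first folder `iam` block with an unsupported-attribute error (or, depending on how `coalesce` unifies `object({…})` with `{}`, a type error) instead of a clear input error. If the value is mandatory, the cleaner form is `custom_roles = var.custom_roles` here together with dropping `default = null` in variables.tf, so a missing value is reported at variable validation. If opting out is really intended, the consumers must skip the binding when the value is absent rather than index into an empty object. The variable description `"Custom roles defined at the org level, in key => id format."` also no longer matches the fixed-attribute object type and should name the expected attribute. The `locals` block starts before the hunk and continues after it.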
@@ -35,8 +35,10 @@ variable "billing_account" {
 variable "custom_roles" {
 # tfdoc:variable:source 00-bootstrap
 description = "Custom roles defined at the org level, in key => id format."
- type = map(string)
- default = {}
+ type = object({
+ service_project_network_admin = string
+ })
+ default = null
 }
 
 variable "groups" {
diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
index 3c3cd3d6..a5acd921 100644
--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -40,9 +40,6 @@ module "dev-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = [local.service_accounts.project-factory-dev]
- (local.custom_roles.service_project_network_admin) = values(
- local.service_accounts
- )
 }
 }
 
diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
index 28d0b089..9ce40bc2 100644
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -40,9 +40,6 @@ module "prod-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = [local.service_accounts.project-factory-prod]
- (local.custom_roles.service_project_network_admin) = values(
- local.service_accounts
- )
 }
 }
 
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index f6457952..d62949af 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -41,9 +41,6 @@ module "dev-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = [local.service_accounts.project-factory-dev]
- (local.custom_roles.service_project_network_admin) = values(
- local.service_accounts
- )
 }
 }
 
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index 09fc23a6..001bab75 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -41,9 +41,6 @@ module "prod-spoke-project" {
 metric_scopes = [module.landing-project.project_id]
 iam = {
 "roles/dns.admin" = [local.service_accounts.project-factory-prod]
- (local.custom_roles.service_project_network_admin) = values(
- local.service_accounts
- )
 }
 }
 