From 6bd4b8021a0fbeca0fb3397f44359a34fb2a267e Mon Sep 17 00:00:00 2001
From: averbukh
Date: Wed, 15 Dec 2021 11:07:22 +0100
Subject: [PATCH] Refactoring

---
 .../onprem-sa-key-management/README.md | 9 ++---
 .../cloud-shell-readme.txt | 4 +--
 .../onprem-sa-key-management/main.tf | 30 ++++++----------
 .../onprem-sa-key-management/outputs.tf | 11 ++----
 .../onprem-sa-key-management/variables.tf | 34 +++++++++++++++++++
 5 files changed, 54 insertions(+), 34 deletions(-)

diff --git a/cloud-operations/onprem-sa-key-management/README.md b/cloud-operations/onprem-sa-key-management/README.md
index ec26e80b..c16c56db 100644
--- a/cloud-operations/onprem-sa-key-management/README.md
+++ b/cloud-operations/onprem-sa-key-management/README.md
@@ -42,8 +42,8 @@ terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
 Extract JSON credentials templates from terraform output and put the private part of the keys into templates
 ```bash
-terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
-terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
+terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
+terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json
 contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
 contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
@@ -68,11 +68,12 @@ terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
 |---|---|:---: |:---:|:---:|
 | project_id | Project id. | string | ✓ | |
 | *project_create* | Create project instead of using an existing one. | bool | | false |
+| *service_accounts* | List of service accounts. | list(object({...})) | | ... |
+| *services* | Service APIs to enable. | list(string) | | [] |
 ## Outputs
 | name | description | sensitive |
 |---|---|:---:|
-| data-uploader-credentials | Data Uploader SA json key templates. | |
-| prisma-security-credentials | Prisma Security SA json key templates. | |
+| sa-credentials | SA json key templates. | |
diff --git a/cloud-operations/onprem-sa-key-management/cloud-shell-readme.txt b/cloud-operations/onprem-sa-key-management/cloud-shell-readme.txt
index 167df24a..ff75626a 100644
--- a/cloud-operations/onprem-sa-key-management/cloud-shell-readme.txt
+++ b/cloud-operations/onprem-sa-key-management/cloud-shell-readme.txt
@@ -28,8 +28,8 @@
 # extract JSON credentials templates from terraform output and put the private part of the keys into templates
-- terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
-- terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
+- terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
+- terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json
 - contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
 - contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
diff --git a/cloud-operations/onprem-sa-key-management/main.tf b/cloud-operations/onprem-sa-key-management/main.tf
index b925cf19..e4ffe168 100644
--- a/cloud-operations/onprem-sa-key-management/main.tf
+++ b/cloud-operations/onprem-sa-key-management/main.tf
@@ -14,34 +14,24 @@
  * limitations under the License.
  */
+locals {
+ service_accounts = { for sa in var.service_accounts : sa.name => sa }
+}
+
 module "project" {
 source = "../../modules/project"
 name = var.project_id
 project_create = var.project_create
+ services = var.services
 }
-module "onprem-data-uploader" {
+module "integration-sa" {
 source = "../../modules/iam-service-account"
+ for_each = local.service_accounts
 project_id = module.project.project_id
- name = "onprem-data-uploader"
+ name = each.value.name
 iam_project_roles = {
- (module.project.project_id) = [
- "roles/bigquery.dataOwner",
- "roles/bigquery.jobUser",
- "roles/storage.objectAdmin"
- ]
+ (module.project.project_id) = each.value.iam_project_roles
 }
- public_keys_directory = "public-keys/data-uploader/"
-}
-
-module "onprem-prisma-security" {
- source = "../../modules/iam-service-account"
- project_id = module.project.project_id
- name = "onprem-prisma-security"
- iam_project_roles = {
- (module.project.project_id) = [
- "roles/iam.securityReviewer"
- ]
- }
- public_keys_directory = "public-keys/prisma-security/"
+ public_keys_directory = each.value.public_keys_path
 }
diff --git a/cloud-operations/onprem-sa-key-management/outputs.tf b/cloud-operations/onprem-sa-key-management/outputs.tf
index 314bb2e2..a8f9c16a 100644
--- a/cloud-operations/onprem-sa-key-management/outputs.tf
+++ b/cloud-operations/onprem-sa-key-management/outputs.tf
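Review bot: The new `name = each.value.name` drops the `onprem-` prefix both service accounts had (`"onprem-data-uploader"`, `"onprem-prisma-security"` on the removed lines; the variable default supplies `data-uploader` and `prisma-security`) and moves them from `module.onprem-data-uploader` / `module.onprem-prisma-security` to `module.integration-sa["…"]`, so an apply over existing state destroys and recreates both accounts and every on-prem workload holding a key for the old accounts loses access. If the rename is intended it should be called out in the README as a breaking change for existing deployments; otherwise the variable default can keep the old ids (`name = "onprem-data-uploader"`, `name = "onprem-prisma-security"`) so only the module address changes. A `moved` block would not avoid the recreation here, since the account id itself changes, assuming the module uses `name` as the account id. Separately, keying `local.service_accounts` by `sa.name` means a duplicate name fails at plan time with a duplicate-key error, which is the right outcome but worth a one-line comment on the `locals` block.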
@@ -14,12 +14,7 @@
  * limitations under the License.
  */
-output "data-uploader-credentials" {
- description = "Data Uploader SA json key templates."
- value = module.onprem-data-uploader.service_account_credentials
-}
-
-output "prisma-security-credentials" {
- description = "Prisma Security SA json key templates."
- value = module.onprem-prisma-security.service_account_credentials
+output "sa-credentials" {
+ description = "SA json key templates."
+ value = { for key, value in module.integration-sa : key => value.service_account_credentials }
 }
diff --git a/cloud-operations/onprem-sa-key-management/variables.tf b/cloud-operations/onprem-sa-key-management/variables.tf
index e80fbd0c..5ad2390b 100644
--- a/cloud-operations/onprem-sa-key-management/variables.tf
+++ b/cloud-operations/onprem-sa-key-management/variables.tf
@@ -24,3 +24,37 @@ variable "project_id" {
 description = "Project id."
 type = string
 }
+
+variable "services" {
+ description = "Service APIs to enable."
+ type = list(string)
+ default = []
+}
+
+variable "service_accounts" {
+ description = "List of service accounts."
+ type = list(object({
+ name = string
+ iam_project_roles = list(string)
+ public_keys_path = string
+ }))
+ default = [
+ {
+ name = "data-uploader"
+ iam_project_roles = [
+ "roles/bigquery.dataOwner",
+ "roles/bigquery.jobUser",
+ "roles/storage.objectAdmin"
+ ]
+ public_keys_path = "public-keys/data-uploader/"
+ },
+ {
+ name = "prisma-security"
+ iam_project_roles = [
+ "roles/iam.securityReviewer"
+ ]
+ public_keys_path = "public-keys/prisma-security/"
+ },
+ ]
+
+}
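Review bot: The merged `sa-credentials` output exposes credential templates for every service account without `sensitive = true`, and nothing in the output records why that is safe; the README steps that inject the private key from `keys/*_private_key.pem` suggest the templates hold only the public half, but that reasoning lives outside this file. A future reviewer either flips `sensitive` on and breaks the documented `terraform show -json | jq` extraction, or assumes state contains private keys. Spell out the shape and the intent in the description: `description = "SA json key templates keyed by service account name. Public part only: the private key is added locally (see README), so the output is intentionally not sensitive."`. Whether `service_account_credentials` from the `iam-service-account` module can ever carry private key material is not visible here and should be confirmed before relying on that statement.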
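Review bot: `service_accounts` accepts any `name` and any role list with no `validation`, yet `name` feeds the account id through `module.integration-sa` and the roles are granted project-wide to identities whose keys are exported to on-prem systems, so a typo or an over-broad role is only caught at apply time, if at all. A `validation` block can reject names that cannot be valid account ids and refuse primitive roles up front, which is the cheapest guard for long-lived exported credentials; the regex below assumes the module passes `name` through unchanged as the account id, so adjust it if the module adds a prefix. `services` is fine as is.
```hcl
variable "service_accounts" {
  description = "List of service accounts."
  # … unchanged: type and default …
  validation {
    condition = length([
      for sa in var.service_accounts : sa.name
      if !can(regex("^[a-z][-a-z0-9]{4,28}[a-z0-9]$", sa.name))
    ]) == 0
    error_message = "Service account names must be 6-30 characters of lowercase letters, digits or hyphens, starting with a letter and ending with a letter or digit."
  }
  validation {
    condition = length([
      for sa in var.service_accounts : sa.name
      if length(setintersection(sa.iam_project_roles, ["roles/owner", "roles/editor", "roles/viewer"])) > 0
    ]) == 0
    error_message = "Primitive roles (owner, editor, viewer) must not be granted to service accounts whose keys are exported."
  }
}
```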