Refactoring

2021-12-15 11:07:22 +01:00 · 2021-12-15 11:07:22 +01:00 · 6bd4b8021a
parent ae4d8e0611
commit 6bd4b8021a
5 changed files with 54 additions and 34 deletions
--- a/cloud-operations/onprem-sa-key-management/README.md
+++ b/cloud-operations/onprem-sa-key-management/README.md
@ -42,8 +42,8 @@ terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT

 Extract JSON credentials templates from terraform output and put the private part of the keys into templates
 ```bash
-terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
-terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
+terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
+terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json

 contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
 contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
@ -68,11 +68,12 @@ terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
 |---|---|:---: |:---:|:---:|
 | project_id | Project id. | <code title="">string</code> | ✓ |  |
 | *project_create* | Create project instead of using an existing one. | <code title="">bool</code> |  | <code title="">false</code> |
+| *service_accounts* | List of service accounts. | <code title="list&#40;object&#40;&#123;&#10;name              &#61; string&#10;iam_project_roles &#61; list&#40;string&#41;&#10;public_keys_path  &#61; string&#10;&#125;&#41;&#41;">list(object({...}))</code> |  | <code title="&#91;&#10;&#123;&#10;name &#61; &#34;data-uploader&#34;&#10;iam_project_roles &#61; &#91;&#10;&#34;roles&#47;bigquery.dataOwner&#34;,&#10;&#34;roles&#47;bigquery.jobUser&#34;,&#10;&#34;roles&#47;storage.objectAdmin&#34;&#10;&#93;&#10;public_keys_path &#61; &#34;public-keys&#47;data-uploader&#47;&#34;&#10;&#125;,&#10;&#123;&#10;name &#61; &#34;prisma-security&#34;&#10;iam_project_roles &#61; &#91;&#10;&#34;roles&#47;iam.securityReviewer&#34;&#10;&#93;&#10;public_keys_path &#61; &#34;public-keys&#47;prisma-security&#47;&#34;&#10;&#125;,&#10;&#93;">...</code> |
+| *services* | Service APIs to enable. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |

 ## Outputs

 | name | description | sensitive |
 |---|---|:---:|
-| data-uploader-credentials | Data Uploader SA json key templates. |  |
-| prisma-security-credentials | Prisma Security SA json key templates. |  |
+| sa-credentials | SA json key templates. |  |
 <!-- END TFDOC -->
--- a/cloud-operations/onprem-sa-key-management/cloud-shell-readme.txt
+++ b/cloud-operations/onprem-sa-key-management/cloud-shell-readme.txt
@ -28,8 +28,8 @@

 # extract JSON credentials templates from terraform output and put the private part of the keys into templates

- terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
- terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
+- terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
+- terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json

 - contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
 - contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
--- a/cloud-operations/onprem-sa-key-management/main.tf
+++ b/cloud-operations/onprem-sa-key-management/main.tf
@ -14,34 +14,24 @@
 * limitations under the License.
 */

+locals {
+  service_accounts = { for sa in var.service_accounts : sa.name => sa }
+}
+
 module "project" {
  source         = "../../modules/project"
  name           = var.project_id
  project_create = var.project_create
+  services       = var.services
 }

-module "onprem-data-uploader" {
+module "integration-sa" {
  source     = "../../modules/iam-service-account"
+  for_each   = local.service_accounts
  project_id = module.project.project_id
-  name       = "onprem-data-uploader"
+  name       = each.value.name
  iam_project_roles = {
-    (module.project.project_id) = [
-      "roles/bigquery.dataOwner",
-      "roles/bigquery.jobUser",
-      "roles/storage.objectAdmin"
-    ]
+    (module.project.project_id) = each.value.iam_project_roles
  }
-  public_keys_directory = "public-keys/data-uploader/"
-}
-
-module "onprem-prisma-security" {
-  source     = "../../modules/iam-service-account"
-  project_id = module.project.project_id
-  name       = "onprem-prisma-security"
-  iam_project_roles = {
-    (module.project.project_id) = [
-      "roles/iam.securityReviewer"
-    ]
-  }
-  public_keys_directory = "public-keys/prisma-security/"
+  public_keys_directory = each.value.public_keys_path
 }
--- a/cloud-operations/onprem-sa-key-management/outputs.tf
+++ b/cloud-operations/onprem-sa-key-management/outputs.tf
@ -14,12 +14,7 @@
 * limitations under the License.
 */

-output "data-uploader-credentials" {
-  description = "Data Uploader SA json key templates."
-  value       = module.onprem-data-uploader.service_account_credentials
-}
-
-output "prisma-security-credentials" {
-  description = "Prisma Security SA json key templates."
-  value       = module.onprem-prisma-security.service_account_credentials
+output "sa-credentials" {
+  description = "SA json key templates."
+  value       = { for key, value in module.integration-sa : key => value.service_account_credentials }
 }
--- a/cloud-operations/onprem-sa-key-management/variables.tf
+++ b/cloud-operations/onprem-sa-key-management/variables.tf
@ -24,3 +24,37 @@ variable "project_id" {
  description = "Project id."
  type        = string
 }
+
+variable "services" {
+  description = "Service APIs to enable."
+  type        = list(string)
+  default     = []
+}
+
+variable "service_accounts" {
+  description = "List of service accounts."
+  type = list(object({
+    name              = string
+    iam_project_roles = list(string)
+    public_keys_path  = string
+  }))
+  default = [
+    {
+      name = "data-uploader"
+      iam_project_roles = [
+        "roles/bigquery.dataOwner",
+        "roles/bigquery.jobUser",
+        "roles/storage.objectAdmin"
+      ]
+      public_keys_path = "public-keys/data-uploader/"
+    },
+    {
+      name = "prisma-security"
+      iam_project_roles = [
+        "roles/iam.securityReviewer"
+      ]
+      public_keys_path = "public-keys/prisma-security/"
+    },
+  ]
+
+}