Refactoring
This commit is contained in:
parent
ae4d8e0611
commit
6bd4b8021a
|
@ -42,8 +42,8 @@ terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
|
|||
|
||||
Extract JSON credentials templates from terraform output and put the private part of the keys into templates
|
||||
```bash
|
||||
terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
|
||||
terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
|
||||
terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
|
||||
terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json
|
||||
|
||||
contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
|
||||
contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
|
||||
|
@ -68,11 +68,12 @@ terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
|
|||
|---|---|:---: |:---:|:---:|
|
||||
| project_id | Project id. | <code title="">string</code> | ✓ | |
|
||||
| *project_create* | Create project instead of using an existing one. | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *service_accounts* | List of service accounts. | <code title="list(object({ name = string iam_project_roles = list(string) public_keys_path = string }))">list(object({...}))</code> | | <code title="[ { name = "data-uploader" iam_project_roles = [ "roles/bigquery.dataOwner", "roles/bigquery.jobUser", "roles/storage.objectAdmin" ] public_keys_path = "public-keys/data-uploader/" }, { name = "prisma-security" iam_project_roles = [ "roles/iam.securityReviewer" ] public_keys_path = "public-keys/prisma-security/" }, ]">...</code> |
|
||||
| *services* | Service APIs to enable. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| data-uploader-credentials | Data Uploader SA json key templates. | |
|
||||
| prisma-security-credentials | Prisma Security SA json key templates. | |
|
||||
| sa-credentials | SA json key templates. | |
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -28,8 +28,8 @@
|
|||
|
||||
# extract JSON credentials templates from terraform output and put the private part of the keys into templates
|
||||
|
||||
- terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
|
||||
- terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
|
||||
- terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
|
||||
- terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json
|
||||
|
||||
- contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
|
||||
- contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
|
||||
|
|
|
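Review bot: The two `contents=$(jq --arg key "$(cat keys/…_private_key.pem)" '.private_key=$key' …json) && echo "$contents" > …json` lines write a private key into a JSON file created under the shell's default umask, so the generated key file is typically group- or world-readable on disk; the commit only updates the jq output path and leaves that as it was. Putting `umask 077` as a step before these commands keeps the generated `*.json` key files owner-only, and if this list is executed by CI the files should not be collected as artifacts or committed. The `- ` list form suggests a YAML command list, but the enclosing block starts outside the hunk, so the file type and the execution context are inferred.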
@ -14,34 +14,24 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
service_accounts = { for sa in var.service_accounts : sa.name => sa }
|
||||
}
|
||||
|
||||
module "project" {
|
||||
source = "../../modules/project"
|
||||
name = var.project_id
|
||||
project_create = var.project_create
|
||||
services = var.services
|
||||
}
|
||||
|
||||
module "onprem-data-uploader" {
|
||||
module "integration-sa" {
|
||||
source = "../../modules/iam-service-account"
|
||||
for_each = local.service_accounts
|
||||
project_id = module.project.project_id
|
||||
name = "onprem-data-uploader"
|
||||
name = each.value.name
|
||||
iam_project_roles = {
|
||||
(module.project.project_id) = [
|
||||
"roles/bigquery.dataOwner",
|
||||
"roles/bigquery.jobUser",
|
||||
"roles/storage.objectAdmin"
|
||||
]
|
||||
(module.project.project_id) = each.value.iam_project_roles
|
||||
}
|
||||
public_keys_directory = "public-keys/data-uploader/"
|
||||
}
|
||||
|
||||
module "onprem-prisma-security" {
|
||||
source = "../../modules/iam-service-account"
|
||||
project_id = module.project.project_id
|
||||
name = "onprem-prisma-security"
|
||||
iam_project_roles = {
|
||||
(module.project.project_id) = [
|
||||
"roles/iam.securityReviewer"
|
||||
]
|
||||
}
|
||||
public_keys_directory = "public-keys/prisma-security/"
|
||||
public_keys_directory = each.value.public_keys_path
|
||||
}
|
||||
|
|
|
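Review bot: The refactor changes both the module addresses (`module.onprem-data-uploader` becomes `module.integration-sa["data-uploader"]`) and the service account names (`name = "onprem-data-uploader"` becomes `name = each.value.name`, which defaults to `data-uploader`), so on an existing deployment `terraform apply` will destroy and recreate both service accounts together with whatever the iam-service-account module creates for them, and anything holding the old SA emails loses access. If that is not intended, either keep the previous names in the `service_accounts` default or move the state to the new addresses before applying. A comment on the new `locals` block would make the coupling explicit, e.g. `# keyed by SA name: the key is the module instance address, so renaming an entry recreates that SA`. The module's internals are outside this diff, so the exact set of recreated resources is inferred from the address change.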
@ -14,12 +14,7 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
output "data-uploader-credentials" {
|
||||
description = "Data Uploader SA json key templates."
|
||||
value = module.onprem-data-uploader.service_account_credentials
|
||||
}
|
||||
|
||||
output "prisma-security-credentials" {
|
||||
description = "Prisma Security SA json key templates."
|
||||
value = module.onprem-prisma-security.service_account_credentials
|
||||
output "sa-credentials" {
|
||||
description = "SA json key templates."
|
||||
value = { for key, value in module.integration-sa : key => value.service_account_credentials }
|
||||
}
|
||||
|
|
|
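Review bot: The new `sa-credentials` output is not marked `sensitive`, and its description does not say how the map is keyed. Its value aggregates every instance's `service_account_credentials`, whose content is defined in the module outside this diff; if that object carries more than the public-key template, it is printed in clear by `terraform apply` and `terraform output`, in which case add `sensitive = true` (the README's `terraform show -json` extraction reads the state, which as far as I know still includes sensitive outputs). For the description: `description = "SA json key templates, keyed by the service account name from var.service_accounts."`.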
@ -24,3 +24,37 @@ variable "project_id" {
|
|||
description = "Project id."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "services" {
|
||||
description = "Service APIs to enable."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "service_accounts" {
|
||||
description = "List of service accounts."
|
||||
type = list(object({
|
||||
name = string
|
||||
iam_project_roles = list(string)
|
||||
public_keys_path = string
|
||||
}))
|
||||
default = [
|
||||
{
|
||||
name = "data-uploader"
|
||||
iam_project_roles = [
|
||||
"roles/bigquery.dataOwner",
|
||||
"roles/bigquery.jobUser",
|
||||
"roles/storage.objectAdmin"
|
||||
]
|
||||
public_keys_path = "public-keys/data-uploader/"
|
||||
},
|
||||
{
|
||||
name = "prisma-security"
|
||||
iam_project_roles = [
|
||||
"roles/iam.securityReviewer"
|
||||
]
|
||||
public_keys_path = "public-keys/prisma-security/"
|
||||
},
|
||||
]
|
||||
|
||||
}
|
||||
|
|
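Review bot: `service_accounts` accepts duplicate `name` entries and nothing documents the constraint; the `sa.name => sa` map built from it in main.tf will reject a duplicate key, but with a generic duplicate-object-key error pointing at the local rather than at the variable. A `validation` block on the variable (available since Terraform 0.13, which the `for_each` on the module already requires) gives a clear message. The attribute is named `public_keys_path` here but is passed to the module as `public_keys_directory`; aligning the names, or stating in the description that it is a directory of public key files, would avoid confusion. The default carries over the previous hard-coded `roles/storage.objectAdmin` and `roles/bigquery.dataOwner` project-level grants, so it is worth saying in the description that the default entries are examples to be narrowed per deployment.
```hcl
variable "service_accounts" {
  description = "List of service accounts to create; name must be unique, public_keys_path is the directory of public key files passed to the module's public_keys_directory. The default entries are examples to narrow per deployment."
  # … unchanged: type and default …
  validation {
    condition     = length(distinct(var.service_accounts[*].name)) == length(var.service_accounts)
    error_message = "Service account names must be unique."
  }
}
```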