zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix IAM, add tfvars example

This commit is contained in:
Lorenzo Caggioni 2022-01-14 18:29:10 +01:00
parent 5d7adc4bf2
commit 87426786ce
2 changed files with 31 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
View File

@ -12,29 +12,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
############################################################################### locals {
# Projects #
###############################################################################
module "project" {
source = "../../../modules/project"
name = var.project_id
parent = try(var.project_create.parent, null)
billing_account = try(var.project_create.billing_account_id, null)
project_create = var.project_create != null
prefix = var.project_create == null ? null : var.prefix
services = [
"bigquery.googleapis.com",
"bigquerystorage.googleapis.com",
"bigqueryreservation.googleapis.com",
"cloudkms.googleapis.com",
"compute.googleapis.com",
"dataflow.googleapis.com",
"servicenetworking.googleapis.com",
"storage.googleapis.com",
"storage-component.googleapis.com",
]
# additive IAM bindings avoid disrupting bindings in existing project
iam = { iam = {
# GCS roles # GCS roles
"roles/storage.objectAdmin" = [ "roles/storage.objectAdmin" = [
@ -99,6 +77,33 @@ module "project" {
"serviceAccount:${module.project.service_accounts.robots.dataflow}" "serviceAccount:${module.project.service_accounts.robots.dataflow}"
] ]
} }
}
###############################################################################
# Projects #
###############################################################################
module "project" {
source = "../../../modules/project"
name = var.project_id
parent = try(var.project_create.parent, null)
billing_account = try(var.project_create.billing_account_id, null)
project_create = var.project_create != null
prefix = var.project_create == null ? null : var.prefix
services = [
"bigquery.googleapis.com",
"bigquerystorage.googleapis.com",
"bigqueryreservation.googleapis.com",
"cloudkms.googleapis.com",
"compute.googleapis.com",
"dataflow.googleapis.com",
"servicenetworking.googleapis.com",
"storage.googleapis.com",
"storage-component.googleapis.com",
]
# additive IAM bindings avoid disrupting bindings in existing project
iam = var.project_create != null ? local.iam : {}
iam_additive = var.project_create == null ? local.iam : {}
service_config = { service_config = {
disable_on_destroy = false, disable_dependent_services = false disable_on_destroy = false, disable_dependent_services = false
} }

3
examples/data-solutions/gcs-to-bq-with-least-privileges/terraform.tfvars.sample Normal file
View File

@ -0,0 +1,3 @@
data_eng_principals = ["user:data-eng@domain.com"]
project_id = "datalake-001"
prefix = "prefix"