zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into org-policy-rework

This commit is contained in:
Aleksandr Averbukh 2022-07-06 19:57:05 +02:00 committed by GitHub
parent adac90d1bb 0d9fac316a
commit 966aaba67f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 67 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
fast/stages/01-resman/billing.tf
View File

@ -42,6 +42,7 @@ module "billing-organization-ext" {
organization_id = "organizations/${var.billing_account.organization_id}" organization_id = "organizations/${var.billing_account.organization_id}"
iam_additive = { iam_additive = {
"roles/billing.user" = local.billing_ext_users "roles/billing.user" = local.billing_ext_users
"roles/billing.costsManager" = local.billing_ext_users
} }
} }
@ -55,3 +56,12 @@ resource "google_billing_account_iam_member" "billing_ext_admin" {
role = "roles/billing.user" role = "roles/billing.user"
member = each.key member = each.key
} }
resource "google_billing_account_iam_member" "billing_ext_costsmanager" {
for_each = toset(
local.billing_ext ? local.billing_ext_users : []
)
billing_account_id = var.billing_account.id
role = "roles/billing.costsManager"
member = each.key
}

2
fast/stages/01-resman/cicd-project-factory.tf
View File

@ -122,10 +122,12 @@ module "branch-pf-dev-sa-cicd" {
each.value.branch == null each.value.branch == null
? format( ? format(
local.identity_providers[each.value.identity_provider].principalset_tpl, local.identity_providers[each.value.identity_provider].principalset_tpl,
var.automation.federated_identity_pool,
each.value.name each.value.name
) )
: format( : format(
local.identity_providers[each.value.identity_provider].principal_tpl, local.identity_providers[each.value.identity_provider].principal_tpl,
var.automation.federated_identity_pool,
each.value.name, each.value.name,
each.value.branch each.value.branch
) )

10
fast/stages/02-networking-nva/landing.tf
View File

@ -38,10 +38,12 @@ module "landing-project" {
service_projects = [] service_projects = []
} }
iam = { iam = {
"roles/dns.admin" = [local.service_accounts.project-factory-prod] "roles/dns.admin" = compact([
(local.custom_roles.service_project_network_admin) = [ try(local.service_accounts.project-factory-prod, null)
local.service_accounts.project-factory-prod ])
] (local.custom_roles.service_project_network_admin) = compact([
try(local.service_accounts.project-factory-prod, null)
])
} }
} }

3
fast/stages/02-networking-nva/main.tf
View File

@ -25,7 +25,8 @@ locals {
})] })]
} }
service_accounts = { service_accounts = {
for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}" for k, v in coalesce(var.service_accounts, {}) :
k => "serviceAccount:${v}" if v != null
} }
stage3_sas_delegated_grants = [ stage3_sas_delegated_grants = [
"roles/composer.sharedVpcAgent", "roles/composer.sharedVpcAgent",

8
fast/stages/02-networking-nva/spoke-dev.tf
View File

@ -40,7 +40,9 @@ module "dev-spoke-project" {
} }
metric_scopes = [module.landing-project.project_id] metric_scopes = [module.landing-project.project_id]
iam = { iam = {
"roles/dns.admin" = compact([local.service_accounts.project-factory-dev]) "roles/dns.admin" = compact([
try(local.service_accounts.project-factory-dev, null)
])
} }
} }
@ -124,8 +126,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
project = module.dev-spoke-project.project_id project = module.dev-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin" role = "roles/resourcemanager.projectIamAdmin"
members = compact([ members = compact([
local.service_accounts.data-platform-dev, try(local.service_accounts.data-platform-dev, null),
local.service_accounts.project-factory-dev, try(local.service_accounts.project-factory-dev, null),
]) ])
condition { condition {
title = "dev_stage3_sa_delegated_grants" title = "dev_stage3_sa_delegated_grants"

8
fast/stages/02-networking-nva/spoke-prod.tf
View File

@ -40,7 +40,9 @@ module "prod-spoke-project" {
} }
metric_scopes = [module.landing-project.project_id] metric_scopes = [module.landing-project.project_id]
iam = { iam = {
"roles/dns.admin" = compact([local.service_accounts.project-factory-prod]) "roles/dns.admin" = compact([
try(local.service_accounts.project-factory-prod, null)
])
} }
} }
@ -124,8 +126,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
project = module.prod-spoke-project.project_id project = module.prod-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin" role = "roles/resourcemanager.projectIamAdmin"
members = compact([ members = compact([
local.service_accounts.data-platform-prod, try(local.service_accounts.data-platform-prod, null),
local.service_accounts.project-factory-prod, try(local.service_accounts.project-factory-prod, null),
]) ])
condition { condition {
title = "prod_stage3_sa_delegated_grants" title = "prod_stage3_sa_delegated_grants"

10
fast/stages/02-networking-peering/landing.tf
View File

@ -38,10 +38,12 @@ module "landing-project" {
service_projects = [] service_projects = []
} }
iam = { iam = {
"roles/dns.admin" = [local.service_accounts.project-factory-prod] "roles/dns.admin" = compact([
(local.custom_roles.service_project_network_admin) = [ try(local.service_accounts.project-factory-prod, null)
local.service_accounts.project-factory-prod ])
] (local.custom_roles.service_project_network_admin) = compact([
try(local.service_accounts.project-factory-prod, null)
])
} }
} }

3
fast/stages/02-networking-peering/main.tf
View File

@ -36,7 +36,8 @@ locals {
"roles/vpcaccess.user", "roles/vpcaccess.user",
] ]
service_accounts = { service_accounts = {
for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}" for k, v in coalesce(var.service_accounts, {}) :
k => "serviceAccount:${v}" if v != null
} }
} }

8
fast/stages/02-networking-peering/spoke-dev.tf
View File

@ -41,7 +41,9 @@ module "dev-spoke-project" {
} }
metric_scopes = [module.landing-project.project_id] metric_scopes = [module.landing-project.project_id]
iam = { iam = {
"roles/dns.admin" = compact([local.service_accounts.project-factory-dev]) "roles/dns.admin" = compact([
try(local.service_accounts.project-factory-dev, null)
])
} }
} }
@ -101,8 +103,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
project = module.dev-spoke-project.project_id project = module.dev-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin" role = "roles/resourcemanager.projectIamAdmin"
members = compact([ members = compact([
local.service_accounts.data-platform-dev, try(local.service_accounts.data-platform-dev, null),
local.service_accounts.project-factory-dev, try(local.service_accounts.project-factory-dev, null),
]) ])
condition { condition {
title = "dev_stage3_sa_delegated_grants" title = "dev_stage3_sa_delegated_grants"

8
fast/stages/02-networking-peering/spoke-prod.tf
View File

@ -41,7 +41,9 @@ module "prod-spoke-project" {
} }
metric_scopes = [module.landing-project.project_id] metric_scopes = [module.landing-project.project_id]
iam = { iam = {
"roles/dns.admin" = compact([local.service_accounts.project-factory-prod]) "roles/dns.admin" = compact([
try(local.service_accounts.project-factory-prod, null)
])
} }
} }
@ -101,8 +103,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
project = module.prod-spoke-project.project_id project = module.prod-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin" role = "roles/resourcemanager.projectIamAdmin"
members = compact([ members = compact([
local.service_accounts.data-platform-prod, try(local.service_accounts.data-platform-prod, null),
local.service_accounts.project-factory-prod, try(local.service_accounts.project-factory-prod, null),
]) ])
condition { condition {
title = "prod_stage3_sa_delegated_grants" title = "prod_stage3_sa_delegated_grants"

10
fast/stages/02-networking-vpn/landing.tf
View File

@ -38,10 +38,12 @@ module "landing-project" {
service_projects = [] service_projects = []
} }
iam = { iam = {
"roles/dns.admin" = [local.service_accounts.project-factory-prod] "roles/dns.admin" = compact([
(local.custom_roles.service_project_network_admin) = [ try(local.service_accounts.project-factory-prod, null)
local.service_accounts.project-factory-prod ])
] (local.custom_roles.service_project_network_admin) = compact([
try(local.service_accounts.project-factory-prod, null)
])
} }
} }

3
fast/stages/02-networking-vpn/main.tf
View File

@ -36,7 +36,8 @@ locals {
"roles/vpcaccess.user", "roles/vpcaccess.user",
] ]
service_accounts = { service_accounts = {
for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}" for k, v in coalesce(var.service_accounts, {}) :
k => "serviceAccount:${v}" if v != null
} }
} }

8
fast/stages/02-networking-vpn/spoke-dev.tf
View File

@ -41,7 +41,9 @@ module "dev-spoke-project" {
} }
metric_scopes = [module.landing-project.project_id] metric_scopes = [module.landing-project.project_id]
iam = { iam = {
"roles/dns.admin" = compact([local.service_accounts.project-factory-dev]) "roles/dns.admin" = compact([
try(local.service_accounts.project-factory-dev, null)
])
} }
} }
@ -101,8 +103,8 @@ resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
project = module.dev-spoke-project.project_id project = module.dev-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin" role = "roles/resourcemanager.projectIamAdmin"
members = compact([ members = compact([
local.service_accounts.data-platform-dev, try(local.service_accounts.data-platform-dev, null),
local.service_accounts.project-factory-dev, try(local.service_accounts.project-factory-dev, null),
]) ])
condition { condition {
title = "dev_stage3_sa_delegated_grants" title = "dev_stage3_sa_delegated_grants"

8
fast/stages/02-networking-vpn/spoke-prod.tf
View File

@ -41,7 +41,9 @@ module "prod-spoke-project" {
} }
metric_scopes = [module.landing-project.project_id] metric_scopes = [module.landing-project.project_id]
iam = { iam = {
"roles/dns.admin" = compact([local.service_accounts.project-factory-prod]) "roles/dns.admin" = compact([
try(local.service_accounts.project-factory-prod, null)
])
} }
} }
@ -101,8 +103,8 @@ resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
project = module.prod-spoke-project.project_id project = module.prod-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin" role = "roles/resourcemanager.projectIamAdmin"
members = compact([ members = compact([
local.service_accounts.data-platform-prod, try(local.service_accounts.data-platform-prod, null),
local.service_accounts.project-factory-prod, try(local.service_accounts.project-factory-prod, null),
]) ])
condition { condition {
title = "prod_stage3_sa_delegated_grants" title = "prod_stage3_sa_delegated_grants"