From 30d7126b835bd266ee0a3268a073cfcfd93a10e5 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 26 Oct 2023 16:09:03 +0200
Subject: [PATCH 1/2] Allow specifying arbitrary project roles for service accounts in project factory (#1814)
* allow specifying arbitrary project roles for service accounts in project factory
* tfdoc
---
blueprints/factories/project-factory/README.md | 18 +++++++++++-------
.../factories/project-factory/factory.tf | 7 ++++---
blueprints/factories/project-factory/main.tf | 18 ++++++------------
.../factories/project-factory/variables.tf | 9 ++++++---
4 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/blueprints/factories/project-factory/README.md b/blueprints/factories/project-factory/README.md
index 3a1219b2..d2d07c43 100644
--- a/blueprints/factories/project-factory/README.md
+++ b/blueprints/factories/project-factory/README.md
@@ -59,7 +59,7 @@ module "project-factory" {
data_path = "data"
}
}
-# tftest modules=6 resources=15 files=prj-app-1,prj-app-2
+# tftest modules=6 resources=17 files=prj-app-1,prj-app-2
```
```yaml
@@ -74,8 +74,12 @@ service_encryption_key_ids:
services:
- storage.googleapis.com
service_accounts:
- app-1-be: {}
- app-1-fe: {}
+ app-1-be:
+ iam_project_roles:
+ - roles/logging.logWriter
+ - roles/monitoring.metricWriter
+ app-1-fe:
+ display_name: "Test app 1 frontend."
# tftest-file id=prj-app-1 path=data/prj-app-1.yaml
```
@@ -104,10 +108,10 @@ shared_vpc_service_config:
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [factory_data](variables.tf#L85) | Project data from either YAML files or externally parsed data. | object({…}) | ✓ | |
-| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} |
-| [data_merges](variables.tf#L45) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} |
-| [data_overrides](variables.tf#L64) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} |
+| [factory_data](variables.tf#L88) | Project data from either YAML files or externally parsed data. | object({…}) | ✓ | |
+| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} |
+| [data_merges](variables.tf#L46) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} |
+| [data_overrides](variables.tf#L66) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} |
## Outputs
diff --git a/blueprints/factories/project-factory/factory.tf b/blueprints/factories/project-factory/factory.tf
index d966d6d8..e0351a0a 100644
--- a/blueprints/factories/project-factory/factory.tf
+++ b/blueprints/factories/project-factory/factory.tf
@@ -101,9 +101,10 @@ locals {
service_accounts = flatten([
for k, v in local.projects : [
for name, opts in v.service_accounts : {
- project = k
- name = name
- options = opts
+ project = k
+ name = name
+ display_name = try(opts.display_name, "Terraform-managed.")
+ iam_project_roles = try(opts.iam_project_roles, null)
}
]
])
diff --git a/blueprints/factories/project-factory/main.tf b/blueprints/factories/project-factory/main.tf
index eb8833a4..81f1d316 100644
--- a/blueprints/factories/project-factory/main.tf
+++ b/blueprints/factories/project-factory/main.tf
@@ -69,16 +69,10 @@ module "service-accounts" {
for_each = {
for k in local.service_accounts : "${k.project}-${k.name}" => k
}
- name = each.value.name
- project_id = module.projects[each.value.project].project_id
- iam_project_roles = (
- try(each.value.options.default_roles, null) == null
- ? {}
- : {
- (module.projects[each.value.project].project_id) = [
- "roles/logging.logWriter",
- "roles/monitoring.metricWriter"
- ]
- }
- )
+ project_id = module.projects[each.value.project].project_id
+ name = each.value.name
+ display_name = each.value.display_name
+ iam_project_roles = each.value.iam_project_roles == null ? {} : {
+ (module.projects[each.value.project].project_id) = each.value.iam_project_roles
+ }
}
diff --git a/blueprints/factories/project-factory/variables.tf b/blueprints/factories/project-factory/variables.tf
index d7176474..55578562 100644
--- a/blueprints/factories/project-factory/variables.tf
+++ b/blueprints/factories/project-factory/variables.tf
@@ -35,7 +35,8 @@ variable "data_defaults" {
tag_bindings = optional(map(string), {})
# non-project resources
service_accounts = optional(map(object({
- default_roles = optional(bool, true)
+ display_name = optional(string, "Terraform-managed.")
+ iam_project_roles = optional(list(string))
})), {})
})
nullable = false
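Review bot: Service accounts declared with an empty body (`app-1-be: {}`) now receive no project roles at all, because `iam_project_roles = try(opts.iam_project_roles, null)` defaults to null and nothing replaces the removed `default_roles = true` behaviour that granted logging.logWriter and monitoring.metricWriter; existing data files that relied on that default silently lose those bindings on the next apply, and the README hunk in this commit updates the example without stating the change. A comment on that line, e.g. `# no roles are granted unless listed; the former default_roles logging/monitoring grants must now be spelled out`, plus one sentence in the README's service_accounts section would make the migration explicit. The `"Terraform-managed."` fallback here duplicates the `optional(string, "Terraform-managed.")` default declared in variables.tf, so the two can drift; defining it once would be safer. The enclosing `locals` block starts outside the hunk.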
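Review bot: The new `iam_project_roles` expression binds whatever role strings appear in the project data files, with no constraint on which roles are acceptable, whereas the removed code only ever granted two fixed, low-privilege roles. Project data files are usually written by the teams requesting projects rather than by the operators of the factory (inferred from the blueprint's data_path layout), so a data file can now grant a service account any project role, including basic roles, with no review point in code. If that widening is not intended, a `validation` block on the `data_*`/`factory_data` variables or a `precondition` on this module call that restricts entries to an allow-list of roles would keep the trust boundary where `default_roles` held it; at minimum document the expectation above the expression, e.g. `# roles are taken verbatim from project data files; review those files as IAM policy`. The `module "service-accounts"` block starts outside the hunk.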
@@ -54,7 +55,8 @@ variable "data_merges" {
tag_bindings = optional(map(string), {})
# non-project resources
service_accounts = optional(map(object({
- default_roles = optional(bool, true)
+ display_name = optional(string, "Terraform-managed.")
+ iam_project_roles = optional(list(string))
})), {})
})
nullable = false
@@ -75,7 +77,8 @@ variable "data_overrides" {
services = optional(list(string))
# non-project resources
service_accounts = optional(map(object({
- default_roles = optional(bool, true)
+ display_name = optional(string, "Terraform-managed.")
+ iam_project_roles = optional(list(string))
})))
})
nullable = false
From d0b1ced28053fe7546eb3b7d726b51f1bd8e0938 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 26 Oct 2023 17:25:36 +0200
Subject: [PATCH 2/2] fix logic for default source range in firewall ingress rules (#1815)
---
modules/net-vpc-firewall/README.md | 13 +++++++++++++
modules/net-vpc-firewall/main.tf | 2 +-
.../modules/net_vpc_firewall/examples/factory.yaml | 2 --
3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index 235f1ebc..8198b100 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
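Review bot: In the `data_overrides` hunk (`@@ -75,7 +77,8`), `display_name = optional(string, "Terraform-managed.")` carries a default while the neighbouring override attributes (`services = optional(list(string))`, and `service_accounts` itself, which unlike its `data_defaults`/`data_merges` counterparts has no `{}` default) use null to mean "do not override". If the override merge treats every non-null value as authoritative — the merge logic is outside this diff, so this is inferred — any project with an override entry for a service account gets its file-provided display name replaced by the literal default. Dropping the default in this variable only, `display_name = optional(string)`, keeps the three schemas consistent with the precedence the README documents. The same two attributes in `data_defaults` (previous hunk) and `data_merges` are fine with a default.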
@@ -7,6 +7,19 @@ This module allows creation and management of different types of firewall rules
The predefined rules are enabled by default and set to the ranges of the GCP health checkers for HTTP/HTTPS, and the IAP forwarders for SSH. See the relevant section below on how to configure or disable them.
+
+- [Examples](#examples)
+ - [Minimal open firewall](#minimal-open-firewall)
+ - [Custom rules](#custom-rules)
+ - [Controlling or turning off default rules](#controlling-or-turning-off-default-rules)
+ - [Overriding default tags and ranges](#overriding-default-tags-and-ranges)
+ - [Disabling predefined rules](#disabling-predefined-rules)
+ - [Including source & destination ranges](#including-source-destination-ranges)
+ - [Rules Factory](#rules-factory)
+- [Variables](#variables)
+- [Outputs](#outputs)
+
+
## Examples
### Minimal open firewall
diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index 5f7a95b5..f3faac9f 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
@@ -97,7 +97,7 @@ resource "google_compute_firewall" "custom-rules" {
source_ranges = (
each.value.direction == "INGRESS"
? (
- each.value.source_ranges == null
+ each.value.source_ranges == null && each.value.sources == null
? ["0.0.0.0/0"]
: each.value.source_ranges
)
diff --git a/tests/modules/net_vpc_firewall/examples/factory.yaml b/tests/modules/net_vpc_firewall/examples/factory.yaml
index 389fb52a..73a095dd 100644
--- a/tests/modules/net_vpc_firewall/examples/factory.yaml
+++ b/tests/modules/net_vpc_firewall/examples/factory.yaml
@@ -53,8 +53,6 @@ values:
network: my-network
priority: 1000
project: my-project
- source_ranges:
- - 0.0.0.0/0
source_service_accounts:
- service-1@my-project.iam.gserviceaccount.com
source_tags: null
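Review bot: The corrected condition in the `custom-rules` hunk now leaves `source_ranges` null when `sources` is set, which is the right fix, but the `["0.0.0.0/0"]` fallback for an ingress rule that sets neither `source_ranges` nor `sources` remains an implicit open-to-any-source default that neither this hunk nor the README change mentions. A comment above the expression would make that contract visible to whoever reviews rule definitions, e.g. `# ingress rules with neither source_ranges nor sources default to 0.0.0.0/0; scope them explicitly`, and the README section "Including source & destination ranges" (outside this diff) is where it should be stated. When both `source_ranges` and `sources` are given the ranges pass through unchanged, and since GCP treats source ranges and source tags/service accounts as alternatives the resulting rule is wider than either alone — worth a sentence in the same place. The resource block starts outside the hunk.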