refactor teams, fix #750 (#766)

This commit is contained in:
Ludovico Magnocavallo 2022-08-03 14:34:09 +00:00 committed by GitHub
parent 9b6262de41
commit bfefaf627e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 109 additions and 73 deletions

View File

@ -195,14 +195,14 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
| name | description | sensitive | consumers |
|---|---|:---:|---|
| [cicd_repositories](outputs.tf#L154) | WIF configuration for CI/CD repositories. | | |
| [dataplatform](outputs.tf#L168) | Data for the Data Platform stage. | | |
| [networking](outputs.tf#L184) | Data for the networking stage. | | |
| [project_factories](outputs.tf#L193) | Data for the project factories stage. | | |
| [providers](outputs.tf#L209) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
| [sandbox](outputs.tf#L216) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
| [security](outputs.tf#L230) | Data for the networking stage. | | <code>02-security</code> |
| [teams](outputs.tf#L240) | Data for the teams stage. | | |
| [tfvars](outputs.tf#L253) | Terraform variable files for the following stages. | ✓ | |
| [cicd_repositories](outputs.tf#L171) | WIF configuration for CI/CD repositories. | | |
| [dataplatform](outputs.tf#L185) | Data for the Data Platform stage. | | |
| [networking](outputs.tf#L201) | Data for the networking stage. | | |
| [project_factories](outputs.tf#L210) | Data for the project factories stage. | | |
| [providers](outputs.tf#L226) | Terraform provider files for this stage and dependent stages. | ✓ | <code>02-networking</code> · <code>02-security</code> · <code>03-dataplatform</code> · <code>xx-sandbox</code> · <code>xx-teams</code> |
| [sandbox](outputs.tf#L233) | Data for the sandbox stage. | | <code>xx-sandbox</code> |
| [security](outputs.tf#L247) | Data for the networking stage. | | <code>02-security</code> |
| [teams](outputs.tf#L257) | Data for the teams stage. | | |
| [tfvars](outputs.tf#L270) | Terraform variable files for the following stages. | ✓ | |
<!-- END TFDOC -->

View File

@ -23,12 +23,10 @@ locals {
module.branch-network-sa.iam_email,
module.branch-security-sa.iam_email,
],
local.branch_dataplatform_sa_iam_emails,
# enable if individual teams can create their own projects
# [
# for k, v in module.branch-teams-team-sa : v.iam_email
# ],
local.branch_teams_pf_sa_iam_emails,
local.branch_optional_sa_lists.dp-dev,
local.branch_optional_sa_lists.dp-prod,
local.branch_optional_sa_lists.pf-dev,
local.branch_optional_sa_lists.pf-prod,
)
}

View File

@ -50,10 +50,10 @@ module "branch-network-prod-folder" {
parent = module.branch-network-folder.id
name = "Production"
iam = {
"roles/compute.xpnAdmin" = compact([
try(module.branch-dp-prod-sa.0.iam_email, ""),
try(module.branch-pf-prod-sa.0.iam_email, ""),
])
(local.custom_roles.service_project_network_admin) = concat(
local.branch_optional_sa_lists.dp-prod,
local.branch_optional_sa_lists.pf-prod,
)
}
tag_bindings = {
environment = try(
@ -67,10 +67,10 @@ module "branch-network-dev-folder" {
parent = module.branch-network-folder.id
name = "Development"
iam = {
(local.custom_roles.service_project_network_admin) = compact([
try(module.branch-dp-dev-sa.0.iam_email, ""),
try(module.branch-pf-dev-sa.0.iam_email, ""),
])
(local.custom_roles.service_project_network_admin) = concat(
local.branch_optional_sa_lists.dp-dev,
local.branch_optional_sa_lists.pf-dev,
)
}
tag_bindings = {
environment = try(

View File

@ -21,11 +21,22 @@ moved {
to = module.branch-teams-folder.0
}
# TODO(ludo): add support for CI/CD
############### top-level Teams branch and automation resources ###############
module "branch-teams-folder" {
source = "../../../modules/folder"
count = var.fast_features.teams ? 1 : 0
parent = "organizations/${var.organization.id}"
name = "Teams"
iam = {
"roles/logging.admin" = [module.branch-teams-sa.0.iam_email]
"roles/owner" = [module.branch-teams-sa.0.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-teams-sa.0.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-teams-sa.0.iam_email]
"roles/compute.xpnAdmin" = [module.branch-teams-sa.0.iam_email]
}
tag_bindings = {
context = try(
module.organization.tag_values["${var.tag_names.context}/teams"].id, null
@ -33,27 +44,44 @@ module "branch-teams-folder" {
}
}
moved {
from = module.branch-teams-prod-sa
to = module.branch-teams-prod-sa.0
}
module "branch-teams-prod-sa" {
module "branch-teams-sa" {
source = "../../../modules/iam-service-account"
count = var.fast_features.teams ? 1 : 0
project_id = var.automation.project_id
name = "prod-resman-teams-0"
description = "Terraform resman production service account."
description = "Terraform resman teams service account."
prefix = var.prefix
iam_storage_roles = {
(var.automation.outputs_bucket) = ["roles/storage.admin"]
}
}
# Team-level folders, service accounts and buckets for each individual team
module "branch-teams-gcs" {
source = "../../../modules/gcs"
count = var.fast_features.teams ? 1 : 0
project_id = var.automation.project_id
name = "prod-resman-teams-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-teams-sa.0.iam_email]
}
}
################## per-team folders and automation resources ##################
module "branch-teams-team-folder" {
source = "../../../modules/folder"
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
parent = module.branch-teams-folder.0.id
name = each.value.descriptive_name
source = "../../../modules/folder"
for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
parent = module.branch-teams-folder.0.id
name = each.value.descriptive_name
iam = {
"roles/logging.admin" = [module.branch-teams-team-sa[each.key].iam_email]
"roles/owner" = [module.branch-teams-team-sa[each.key].iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-teams-team-sa[each.key].iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-teams-team-sa[each.key].iam_email]
"roles/compute.xpnAdmin" = [module.branch-teams-team-sa[each.key].iam_email]
}
group_iam = each.value.group_iam == null ? {} : each.value.group_iam
}
@ -85,7 +113,7 @@ module "branch-teams-team-gcs" {
}
}
# project factory per-team environment folders
# per-team environment folders where project factory SAs can create projects
module "branch-teams-team-dev-folder" {
source = "../../../modules/folder"
@ -96,12 +124,14 @@ module "branch-teams-team-dev-folder" {
# environment-wide human permissions on the whole teams environment
group_iam = {}
iam = {
(local.custom_roles.service_project_network_admin) = [module.branch-pf-dev-sa.0.iam_email]
(local.custom_roles.service_project_network_admin) = (
local.branch_optional_sa_lists.pf-dev
)
# remove owner here and at project level if SA does not manage project resources
"roles/owner" = [module.branch-pf-dev-sa.0.iam_email]
"roles/logging.admin" = [module.branch-pf-dev-sa.0.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-pf-dev-sa.0.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-pf-dev-sa.0.iam_email]
"roles/owner" = local.branch_optional_sa_lists.pf-dev
"roles/logging.admin" = local.branch_optional_sa_lists.pf-dev
"roles/resourcemanager.folderAdmin" = local.branch_optional_sa_lists.pf-dev
"roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-dev
}
tag_bindings = {
environment = try(
@ -119,12 +149,14 @@ module "branch-teams-team-prod-folder" {
# environment-wide human permissions on the whole teams environment
group_iam = {}
iam = {
(local.custom_roles.service_project_network_admin) = [module.branch-pf-prod-sa.0.iam_email]
(local.custom_roles.service_project_network_admin) = (
local.branch_optional_sa_lists.pf-prod
)
# remove owner here and at project level if SA does not manage project resources
"roles/owner" = [module.branch-pf-prod-sa.0.iam_email]
"roles/logging.admin" = [module.branch-pf-prod-sa.0.iam_email]
"roles/resourcemanager.folderAdmin" = [module.branch-pf-prod-sa.0.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-pf-prod-sa.0.iam_email]
"roles/owner" = local.branch_optional_sa_lists.pf-prod
"roles/logging.admin" = local.branch_optional_sa_lists.pf-prod
"roles/resourcemanager.folderAdmin" = local.branch_optional_sa_lists.pf-prod
"roles/resourcemanager.projectCreator" = local.branch_optional_sa_lists.pf-prod
}
tag_bindings = {
environment = try(

View File

@ -26,6 +26,12 @@ locals {
billing_ext = var.billing_account.organization_id == null
billing_org = var.billing_account.organization_id == var.organization.id
billing_org_ext = !local.billing_ext && !local.billing_org
branch_optional_sa_lists = {
dp-dev = compact([try(module.branch-dp-dev-sa.0.iam_email, "")])
dp-prod = compact([try(module.branch-dp-prod-sa.0.iam_email, "")])
pf-dev = compact([try(module.branch-pf-dev-sa.0.iam_email, "")])
pf-prod = compact([try(module.branch-pf-prod-sa.0.iam_email, "")])
}
cicd_repositories = {
for k, v in coalesce(var.cicd_repositories, {}) : k => v
if(
@ -57,7 +63,6 @@ locals {
"02-security.auto.tfvars.json"
]
}
custom_roles = coalesce(var.custom_roles, {})
groups = {
for k, v in var.groups :

View File

@ -18,23 +18,6 @@
locals {
branch_dataplatform_sa_iam_emails = (
var.fast_features.data_platform
? [
module.branch-dp-dev-sa.0.iam_email,
module.branch-dp-prod-sa.0.iam_email
]
: []
)
# set to the empty list if you remove the teams branch
branch_teams_pf_sa_iam_emails = (
var.fast_features.project_factory
? [
module.branch-pf-dev-sa.0.iam_email,
module.branch-pf-prod-sa.0.iam_email
]
: []
)
list_allow = {
inherit_from_parent = false
suggested_value = null
@ -72,18 +55,19 @@ module "organization" {
]
},
local.billing_org ? {
"roles/billing.costsManager" = local.branch_teams_pf_sa_iam_emails
"roles/billing.costsManager" = concat(
local.branch_optional_sa_lists.pf-dev,
local.branch_optional_sa_lists.pf-prod
)
"roles/billing.user" = concat(
[
module.branch-network-sa.iam_email,
module.branch-security-sa.iam_email,
],
local.branch_dataplatform_sa_iam_emails,
# enable if individual teams can create their own projects
# [
# for k, v in module.branch-teams-team-sa : v.iam_email
# ],
local.branch_teams_pf_sa_iam_emails
local.branch_optional_sa_lists.dp-dev,
local.branch_optional_sa_lists.dp-prod,
local.branch_optional_sa_lists.pf-dev,
local.branch_optional_sa_lists.pf-prod,
)
} : {}
)

View File

@ -127,7 +127,24 @@ locals {
name = "sandbox"
sa = module.branch-sandbox-sa.0.email
})
}
},
!var.fast_features.teams ? {} : merge(
{
"03-teams" = templatefile(local._tpl_providers, {
bucket = module.branch-teams-gcs.0.name
name = "teams"
sa = module.branch-teams-sa.0.email
})
},
{
for k, v in module.branch-teams-team-sa :
"03-teams-${k}" => templatefile(local._tpl_providers, {
bucket = module.branch-teams-team-gcs[k].name
name = "teams"
sa = v.email
})
}
)
)
service_accounts = merge(
{
@ -138,7 +155,7 @@ locals {
project-factory-prod = try(module.branch-pf-prod-sa.0.email, null)
sandbox = try(module.branch-sandbox-sa.0.email, null)
security = module.branch-security-sa.email
teams = try(module.branch-teams-prod-sa.0.email, null)
teams = try(module.branch-teams-sa.0.email, null)
},
{
for k, v in module.branch-teams-team-sa : "team-${k}" => v.email