Merge branch 'master' into fast-dev-dp

2022-02-08 17:50:00 +01:00 · 2022-02-08 17:50:00 +01:00 · d86cb3febe
parent e270adf516 c27b25c114
commit d86cb3febe
4 changed files with 105 additions and 97 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,8 @@ All notable changes to this project will be documented in this file.

 -  **incompatible change** removed `iam` key from logging sink configuration in the `project` and `organization` modules
 - remove GCS to BQ with Dataflow example, replace by GCS to BQ with least privileges
+- the `net-vpc` and `project` modules now use the beta provider for shared VPC-related resources
+- new `iot-core` module

 ## [13.0.0] - 2022-01-27

@ -17,7 +19,6 @@ All notable changes to this project will be documented in this file.
 - support service dependencies for crypto key bindings in project module
 - refactor project module in multiple files
 - add support for per-file option overrides to tfdoc
- the `net-vpc` and `project` modules now use the beta provider for shared VPC-related resources

 ## [12.0.0] - 2022-01-11

--- a/fast/stages/00-bootstrap/IAM.md
+++ b/fast/stages/00-bootstrap/IAM.md
@ -8,7 +8,7 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
 |---|---|
 |<b></b><br><small><i>domain</i></small>|[roles/browser](https://cloud.google.com/iam/docs/understanding-roles#browser) <br>[roles/resourcemanager.organizationViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationViewer) |
 |<b>gcp-network-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) <code>+</code><br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <code>+</code>|
-|<b>gcp-organization-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin) <br>[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin) <br>[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code>|
+|<b>gcp-organization-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin) <br>[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin) <br>[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
 |<b>gcp-security-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin) <br>[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
 |<b>gcp-support</b><br><small><i>group</i></small>|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer) <br>[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) |
 |<b>prod-bootstrap-0</b><br><small><i>serviceAccount</i></small>|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code>|
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@ -62,7 +62,8 @@ locals {
      ]
      "roles/orgpolicy.policyAdmin" = [
        module.automation-tf-resman-sa.iam_email,
-        local.groups_iam.gcp-security-admins
+        local.groups_iam.gcp-security-admins,
+        local.groups_iam.gcp-organization-admins
      ]
    },
    local.billing_org ? {
--- a/fast/stages/02-security/vpc-sc.tf
+++ b/fast/stages/02-security/vpc-sc.tf
@ -15,14 +15,8 @@
 */

 locals {
-  # compute the number of projects in each perimeter to detect which to create
-  vpc_sc_counts = {
-    for k in ["dev", "landing", "prod"] : k => length(
-      coalesce(try(var.vpc_sc_perimeter_projects[k], null), [])
-    )
-  }
  # dereference perimeter egress policy names to the actual objects
-  vpc_sc_perimeter_egress_policies = {
+  _vpc_sc_perimeter_egress_policies = {
    for k, v in coalesce(var.vpc_sc_perimeter_egress_policies, {}) :
    k => [
      for i in coalesce(v, []) : var.vpc_sc_egress_policies[i]
@ -30,15 +24,92 @@ locals {
    ]
  }
  # dereference perimeter ingress policy names to the actual objects
-  vpc_sc_perimeter_ingress_policies = {
+  _vpc_sc_perimeter_ingress_policies = {
    for k, v in coalesce(var.vpc_sc_perimeter_ingress_policies, {}) :
    k => [
      for i in coalesce(v, []) : var.vpc_sc_ingress_policies[i]
      if lookup(var.vpc_sc_ingress_policies, i, null) != null
    ]
  }
+  # compute the number of projects in each perimeter to detect which to create
+  vpc_sc_counts = {
+    for k in ["dev", "landing", "prod"] : k => length(
+      coalesce(try(var.vpc_sc_perimeter_projects[k], null), [])
+    )
+  }
+  # define dry run spec at file level for convenience
+  vpc_sc_explicit_dry_run_spec = true
+  # compute perimeter bridge resources (projects)
+  vpc_sc_p_bridge_resources = {
+    landing_to_dev = concat(
+      var.vpc_sc_perimeter_projects.landing,
+      var.vpc_sc_perimeter_projects.dev
+    )
+    landing_to_prod = concat(
+      var.vpc_sc_perimeter_projects.landing,
+      var.vpc_sc_perimeter_projects.prod
+    )
+  }
+  # computer perimeter regular specs / status
+  vpc_sc_p_regular_specs = {
+    dev = {
+      access_levels = coalesce(
+        try(var.vpc_sc_perimeter_access_levels.dev, null), []
+      )
+      resources           = var.vpc_sc_perimeter_projects.dev
+      restricted_services = local.vpc_sc_restricted_services
+      egress_policies = try(
+        local._vpc_sc_perimeter_egress_policies.dev, null
+      )
+      ingress_policies = try(
+        local._vpc_sc_perimeter_ingress_policies.dev, null
+      )
+      vpc_accessible_services = null
+      # vpc_accessible_services = {
+      #   allowed_services   = ["RESTRICTED-SERVICES"]
+      #   enable_restriction = true
+      # }
+    }
+    landing = {
+      access_levels = coalesce(
+        try(var.vpc_sc_perimeter_access_levels.landing, null), []
+      )
+      resources           = var.vpc_sc_perimeter_projects.landing
+      restricted_services = local.vpc_sc_restricted_services
+      egress_policies = try(
+        local._vpc_sc_perimeter_egress_policies.landing, null
+      )
+      ingress_policies = try(
+        local._vpc_sc_perimeter_ingress_policies.landing, null
+      )
+      vpc_accessible_services = null
+      # vpc_accessible_services = {
+      #   allowed_services   = ["RESTRICTED-SERVICES"]
+      #   enable_restriction = true
+      # }
+    }
+    prod = {
+      access_levels = coalesce(
+        try(var.vpc_sc_perimeter_access_levels.prod, null), []
+      )
+      # combine the security project, and any specified in the variable
+      resources           = var.vpc_sc_perimeter_projects.prod
+      restricted_services = local.vpc_sc_restricted_services
+      egress_policies = try(
+        local._vpc_sc_perimeter_egress_policies.prod, null
+      )
+      ingress_policies = try(
+        local._vpc_sc_perimeter_ingress_policies.prod, null
+      )
+      vpc_accessible_services = null
+      # vpc_accessible_services = {
+      #   allowed_services   = ["RESTRICTED-SERVICES"]
+      #   enable_restriction = true
+      # }
+    }
+  }
  # get the list of restricted services from the yaml file
-  vpcsc_restricted_services = yamldecode(
+  vpc_sc_restricted_services = yamldecode(
    file("${path.module}/vpc-sc-restricted-services.yaml")
  )
 }
@ -58,24 +129,17 @@ module "vpc-sc" {
    # landing to dev, only we have projects in landing and dev perimeters
    local.vpc_sc_counts.landing * local.vpc_sc_counts.dev == 0 ? {} : {
      landing_to_dev = {
-        status_resources = null
-        spec_resources = concat(
-          var.vpc_sc_perimeter_projects.landing,
-          var.vpc_sc_perimeter_projects.dev
-        )
-        use_explicit_dry_run_spec = true
+        spec_resources            = local.vpc_sc_p_bridge_resources.landing_to_dev
+        status_resources          = null
+        use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
      }
    },
    # landing to prod, only we have projects in landing and prod perimeters
    local.vpc_sc_counts.landing * local.vpc_sc_counts.prod == 0 ? {} : {
      landing_to_prod = {
-        status_resources = null
-        spec_resources = concat(
-          var.vpc_sc_perimeter_projects.landing,
-          var.vpc_sc_perimeter_projects.prod
-        )
-        # set to null and switch spec and status above to enforce
-        use_explicit_dry_run_spec = true
+        spec_resources            = local.vpc_sc_p_bridge_resources.landing_to_prod
+        status_resources          = null
+        use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
      }
    }
  )
@ -84,84 +148,26 @@ module "vpc-sc" {
    # dev if we have projects in var.vpc_sc_perimeter_projects.dev
    local.vpc_sc_counts.dev == 0 ? {} : {
      dev = {
-        spec = {
-          access_levels = coalesce(
-            try(var.vpc_sc_perimeter_access_levels.dev, null), []
-          )
-          resources           = var.vpc_sc_perimeter_projects.dev
-          restricted_services = local.vpcsc_restricted_services
-          egress_policies = try(
-            local.vpc_sc_perimeter_egress_policies.dev, null
-          )
-          ingress_policies = try(
-            local.vpc_sc_perimeter_ingress_policies.dev, null
-          )
-          # replace with commented block to enable vpc restrictions
-          vpc_accessible_services = null
-          # vpc_accessible_services = {
-          #   allowed_services   = ["RESTRICTED-SERVICES"]
-          #   enable_restriction = true
-          # }
-        }
-        status = null
-        # set to null and switch spec and status above to enforce
-        use_explicit_dry_run_spec = true
+        spec                      = local.vpc_sc_p_regular_specs.dev
+        status                    = null
+        use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
+      }
+    },
+    # landing if we have projects in var.vpc_sc_perimeter_projects.landing
+    local.vpc_sc_counts.landing == 0 ? {} : {
+      landing = {
+        spec                      = local.vpc_sc_p_regular_specs.landing
+        status                    = null
+        use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
      }
    },
    # prod if we have projects in var.vpc_sc_perimeter_projects.prod
    local.vpc_sc_counts.prod == 0 ? {} : {
      prod = {
-        spec = {
-          access_levels = coalesce(
-            try(var.vpc_sc_perimeter_access_levels.prod, null), []
-          )
-          # combine the security project, and any specified in the variable
-          resources           = var.vpc_sc_perimeter_projects.prod
-          restricted_services = local.vpcsc_restricted_services
-          egress_policies = try(
-            local.vpc_sc_perimeter_egress_policies.prod, null
-          )
-          ingress_policies = try(
-            local.vpc_sc_perimeter_ingress_policies.prod, null
-          )
-          # replace with commented block to enable vpc restrictions
-          vpc_accessible_services = null
-          # vpc_accessible_services = {
-          #   allowed_services   = ["RESTRICTED-SERVICES"]
-          #   enable_restriction = true
-          # }
-        }
-        status = null
-        # set to null and switch spec and status above to enforce
-        use_explicit_dry_run_spec = true
+        spec                      = local.vpc_sc_p_regular_specs.prod
+        status                    = null
+        use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
      }
    },
-    # prod if we have projects in var.vpc_sc_perimeter_projects.prod
-    local.vpc_sc_counts.landing == 0 ? {} : {
-      landing = {
-        spec = {
-          access_levels = coalesce(
-            try(var.vpc_sc_perimeter_access_levels.landing, null), []
-          )
-          resources           = var.vpc_sc_perimeter_projects.landing
-          restricted_services = local.vpcsc_restricted_services
-          egress_policies = try(
-            local.vpc_sc_perimeter_egress_policies.landing, null
-          )
-          ingress_policies = try(
-            local.vpc_sc_perimeter_ingress_policies.landing, null
-          )
-          # replace with commented block to enable vpc restrictions
-          vpc_accessible_services = null
-          # vpc_accessible_services = {
-          #   allowed_services   = ["RESTRICTED-SERVICES"]
-          #   enable_restriction = true
-          # }
-        }
-        status = null
-        # set to null and switch spec and status above to enforce
-        use_explicit_dry_run_spec = true
-      }
-    }
  )
 }