Merge branch 'master' into fast-dev-dp
commit
d86cb3febe
|
@ -6,6 +6,8 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
- **incompatible change** removed `iam` key from logging sink configuration in the `project` and `organization` modules
|
||||
- remove GCS to BQ with Dataflow example, replace by GCS to BQ with least privileges
|
||||
- the `net-vpc` and `project` modules now use the beta provider for shared VPC-related resources
|
||||
- new `iot-core` module
|
||||
|
||||
## [13.0.0] - 2022-01-27
|
||||
|
||||
|
@ -17,7 +19,6 @@ All notable changes to this project will be documented in this file.
|
|||
- support service dependencies for crypto key bindings in project module
|
||||
- refactor project module in multiple files
|
||||
- add support for per-file option overrides to tfdoc
|
||||
- the `net-vpc` and `project` modules now use the beta provider for shared VPC-related resources
|
||||
|
||||
## [12.0.0] - 2022-01-11
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
|
|||
|---|---|
|
||||
|<b></b><br><small><i>domain</i></small>|[roles/browser](https://cloud.google.com/iam/docs/understanding-roles#browser) <br>[roles/resourcemanager.organizationViewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationViewer) |
|
||||
|<b>gcp-network-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) <code>+</code><br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <code>+</code>|
|
||||
|<b>gcp-organization-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin) <br>[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin) <br>[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code>|
|
||||
|<b>gcp-organization-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.admin](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.admin) <br>[roles/compute.osAdminLogin](https://cloud.google.com/iam/docs/understanding-roles#compute.osAdminLogin) <br>[roles/compute.osLoginExternalUser](https://cloud.google.com/iam/docs/understanding-roles#compute.osLoginExternalUser) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|
||||
|<b>gcp-security-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin) <br>[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|
||||
|<b>gcp-support</b><br><small><i>group</i></small>|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer) <br>[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) |
|
||||
|<b>prod-bootstrap-0</b><br><small><i>serviceAccount</i></small>|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code>|
|
||||
|
|
|
@ -62,7 +62,8 @@ locals {
|
|||
]
|
||||
"roles/orgpolicy.policyAdmin" = [
|
||||
module.automation-tf-resman-sa.iam_email,
|
||||
local.groups_iam.gcp-security-admins
|
||||
local.groups_iam.gcp-security-admins,
|
||||
local.groups_iam.gcp-organization-admins
|
||||
]
|
||||
},
|
||||
local.billing_org ? {
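Review bot: The new binding of `gcp-organization-admins` under `"roles/orgpolicy.policyAdmin"` widens who can change organization policy constraints, which act as org-wide guardrails, and the hunk carries no comment saying why the group needs it in addition to the roles it already holds. Presumably the reason is that `roles/owner` does not carry `orgpolicy.policy.set`, so owners cannot manage constraints without this role — if so, a one-line comment would save the next reviewer the same question: `# org admins need this explicitly, roles/owner does not include orgpolicy.policy.set`. Since the group already holds `roles/resourcemanager.organizationAdmin` per the README table in this commit, this does not materially extend its effective blast radius, but the README and this local should be kept in sync whenever either changes. The enclosing `locals` block starts outside the hunk.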
|
||||
|
|
|
@ -15,14 +15,8 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
# compute the number of projects in each perimeter to detect which to create
|
||||
vpc_sc_counts = {
|
||||
for k in ["dev", "landing", "prod"] : k => length(
|
||||
coalesce(try(var.vpc_sc_perimeter_projects[k], null), [])
|
||||
)
|
||||
}
|
||||
# dereference perimeter egress policy names to the actual objects
|
||||
vpc_sc_perimeter_egress_policies = {
|
||||
_vpc_sc_perimeter_egress_policies = {
|
||||
for k, v in coalesce(var.vpc_sc_perimeter_egress_policies, {}) :
|
||||
k => [
|
||||
for i in coalesce(v, []) : var.vpc_sc_egress_policies[i]
|
||||
|
@ -30,15 +24,92 @@ locals {
|
|||
]
|
||||
}
|
||||
# dereference perimeter ingress policy names to the actual objects
|
||||
vpc_sc_perimeter_ingress_policies = {
|
||||
_vpc_sc_perimeter_ingress_policies = {
|
||||
for k, v in coalesce(var.vpc_sc_perimeter_ingress_policies, {}) :
|
||||
k => [
|
||||
for i in coalesce(v, []) : var.vpc_sc_ingress_policies[i]
|
||||
if lookup(var.vpc_sc_ingress_policies, i, null) != null
|
||||
]
|
||||
}
|
||||
# compute the number of projects in each perimeter to detect which to create
|
||||
vpc_sc_counts = {
|
||||
for k in ["dev", "landing", "prod"] : k => length(
|
||||
coalesce(try(var.vpc_sc_perimeter_projects[k], null), [])
|
||||
)
|
||||
}
|
||||
# define dry run spec at file level for convenience
|
||||
vpc_sc_explicit_dry_run_spec = true
|
||||
# compute perimeter bridge resources (projects)
|
||||
vpc_sc_p_bridge_resources = {
|
||||
landing_to_dev = concat(
|
||||
var.vpc_sc_perimeter_projects.landing,
|
||||
var.vpc_sc_perimeter_projects.dev
|
||||
)
|
||||
landing_to_prod = concat(
|
||||
var.vpc_sc_perimeter_projects.landing,
|
||||
var.vpc_sc_perimeter_projects.prod
|
||||
)
|
||||
}
|
||||
# computer perimeter regular specs / status
|
||||
vpc_sc_p_regular_specs = {
|
||||
dev = {
|
||||
access_levels = coalesce(
|
||||
try(var.vpc_sc_perimeter_access_levels.dev, null), []
|
||||
)
|
||||
resources = var.vpc_sc_perimeter_projects.dev
|
||||
restricted_services = local.vpc_sc_restricted_services
|
||||
egress_policies = try(
|
||||
local._vpc_sc_perimeter_egress_policies.dev, null
|
||||
)
|
||||
ingress_policies = try(
|
||||
local._vpc_sc_perimeter_ingress_policies.dev, null
|
||||
)
|
||||
vpc_accessible_services = null
|
||||
# vpc_accessible_services = {
|
||||
# allowed_services = ["RESTRICTED-SERVICES"]
|
||||
# enable_restriction = true
|
||||
# }
|
||||
}
|
||||
landing = {
|
||||
access_levels = coalesce(
|
||||
try(var.vpc_sc_perimeter_access_levels.landing, null), []
|
||||
)
|
||||
resources = var.vpc_sc_perimeter_projects.landing
|
||||
restricted_services = local.vpc_sc_restricted_services
|
||||
egress_policies = try(
|
||||
local._vpc_sc_perimeter_egress_policies.landing, null
|
||||
)
|
||||
ingress_policies = try(
|
||||
local._vpc_sc_perimeter_ingress_policies.landing, null
|
||||
)
|
||||
vpc_accessible_services = null
|
||||
# vpc_accessible_services = {
|
||||
# allowed_services = ["RESTRICTED-SERVICES"]
|
||||
# enable_restriction = true
|
||||
# }
|
||||
}
|
||||
prod = {
|
||||
access_levels = coalesce(
|
||||
try(var.vpc_sc_perimeter_access_levels.prod, null), []
|
||||
)
|
||||
# combine the security project, and any specified in the variable
|
||||
resources = var.vpc_sc_perimeter_projects.prod
|
||||
restricted_services = local.vpc_sc_restricted_services
|
||||
egress_policies = try(
|
||||
local._vpc_sc_perimeter_egress_policies.prod, null
|
||||
)
|
||||
ingress_policies = try(
|
||||
local._vpc_sc_perimeter_ingress_policies.prod, null
|
||||
)
|
||||
vpc_accessible_services = null
|
||||
# vpc_accessible_services = {
|
||||
# allowed_services = ["RESTRICTED-SERVICES"]
|
||||
# enable_restriction = true
|
||||
# }
|
||||
}
|
||||
}
|
||||
# get the list of restricted services from the yaml file
|
||||
vpcsc_restricted_services = yamldecode(
|
||||
vpc_sc_restricted_services = yamldecode(
|
||||
file("${path.module}/vpc-sc-restricted-services.yaml")
|
||||
)
|
||||
}
|
||||
|
@ -58,24 +129,17 @@ module "vpc-sc" {
|
|||
# landing to dev, only we have projects in landing and dev perimeters
|
||||
local.vpc_sc_counts.landing * local.vpc_sc_counts.dev == 0 ? {} : {
|
||||
landing_to_dev = {
|
||||
status_resources = null
|
||||
spec_resources = concat(
|
||||
var.vpc_sc_perimeter_projects.landing,
|
||||
var.vpc_sc_perimeter_projects.dev
|
||||
)
|
||||
use_explicit_dry_run_spec = true
|
||||
spec_resources = local.vpc_sc_p_bridge_resources.landing_to_dev
|
||||
status_resources = null
|
||||
use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
|
||||
}
|
||||
},
|
||||
# landing to prod, only we have projects in landing and prod perimeters
|
||||
local.vpc_sc_counts.landing * local.vpc_sc_counts.prod == 0 ? {} : {
|
||||
landing_to_prod = {
|
||||
status_resources = null
|
||||
spec_resources = concat(
|
||||
var.vpc_sc_perimeter_projects.landing,
|
||||
var.vpc_sc_perimeter_projects.prod
|
||||
)
|
||||
# set to null and switch spec and status above to enforce
|
||||
use_explicit_dry_run_spec = true
|
||||
spec_resources = local.vpc_sc_p_bridge_resources.landing_to_prod
|
||||
status_resources = null
|
||||
use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
|
||||
}
|
||||
}
|
||||
)
|
||||
|
@ -84,84 +148,26 @@ module "vpc-sc" {
|
|||
# dev if we have projects in var.vpc_sc_perimeter_projects.dev
|
||||
local.vpc_sc_counts.dev == 0 ? {} : {
|
||||
dev = {
|
||||
spec = {
|
||||
access_levels = coalesce(
|
||||
try(var.vpc_sc_perimeter_access_levels.dev, null), []
|
||||
)
|
||||
resources = var.vpc_sc_perimeter_projects.dev
|
||||
restricted_services = local.vpcsc_restricted_services
|
||||
egress_policies = try(
|
||||
local.vpc_sc_perimeter_egress_policies.dev, null
|
||||
)
|
||||
ingress_policies = try(
|
||||
local.vpc_sc_perimeter_ingress_policies.dev, null
|
||||
)
|
||||
# replace with commented block to enable vpc restrictions
|
||||
vpc_accessible_services = null
|
||||
# vpc_accessible_services = {
|
||||
# allowed_services = ["RESTRICTED-SERVICES"]
|
||||
# enable_restriction = true
|
||||
# }
|
||||
}
|
||||
status = null
|
||||
# set to null and switch spec and status above to enforce
|
||||
use_explicit_dry_run_spec = true
|
||||
spec = local.vpc_sc_p_regular_specs.dev
|
||||
status = null
|
||||
use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
|
||||
}
|
||||
},
|
||||
# landing if we have projects in var.vpc_sc_perimeter_projects.landing
|
||||
local.vpc_sc_counts.landing == 0 ? {} : {
|
||||
landing = {
|
||||
spec = local.vpc_sc_p_regular_specs.landing
|
||||
status = null
|
||||
use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
|
||||
}
|
||||
},
|
||||
# prod if we have projects in var.vpc_sc_perimeter_projects.prod
|
||||
local.vpc_sc_counts.prod == 0 ? {} : {
|
||||
prod = {
|
||||
spec = {
|
||||
access_levels = coalesce(
|
||||
try(var.vpc_sc_perimeter_access_levels.prod, null), []
|
||||
)
|
||||
# combine the security project, and any specified in the variable
|
||||
resources = var.vpc_sc_perimeter_projects.prod
|
||||
restricted_services = local.vpcsc_restricted_services
|
||||
egress_policies = try(
|
||||
local.vpc_sc_perimeter_egress_policies.prod, null
|
||||
)
|
||||
ingress_policies = try(
|
||||
local.vpc_sc_perimeter_ingress_policies.prod, null
|
||||
)
|
||||
# replace with commented block to enable vpc restrictions
|
||||
vpc_accessible_services = null
|
||||
# vpc_accessible_services = {
|
||||
# allowed_services = ["RESTRICTED-SERVICES"]
|
||||
# enable_restriction = true
|
||||
# }
|
||||
}
|
||||
status = null
|
||||
# set to null and switch spec and status above to enforce
|
||||
use_explicit_dry_run_spec = true
|
||||
spec = local.vpc_sc_p_regular_specs.prod
|
||||
status = null
|
||||
use_explicit_dry_run_spec = local.vpc_sc_explicit_dry_run_spec
|
||||
}
|
||||
},
|
||||
# prod if we have projects in var.vpc_sc_perimeter_projects.prod
|
||||
local.vpc_sc_counts.landing == 0 ? {} : {
|
||||
landing = {
|
||||
spec = {
|
||||
access_levels = coalesce(
|
||||
try(var.vpc_sc_perimeter_access_levels.landing, null), []
|
||||
)
|
||||
resources = var.vpc_sc_perimeter_projects.landing
|
||||
restricted_services = local.vpcsc_restricted_services
|
||||
egress_policies = try(
|
||||
local.vpc_sc_perimeter_egress_policies.landing, null
|
||||
)
|
||||
ingress_policies = try(
|
||||
local.vpc_sc_perimeter_ingress_policies.landing, null
|
||||
)
|
||||
# replace with commented block to enable vpc restrictions
|
||||
vpc_accessible_services = null
|
||||
# vpc_accessible_services = {
|
||||
# allowed_services = ["RESTRICTED-SERVICES"]
|
||||
# enable_restriction = true
|
||||
# }
|
||||
}
|
||||
status = null
|
||||
# set to null and switch spec and status above to enforce
|
||||
use_explicit_dry_run_spec = true
|
||||
}
|
||||
}
|
||||
)
|
||||
}
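Review bot: The new `vpc_sc_explicit_dry_run_spec = true` local in the locals hunk puts every regular perimeter and every bridge into dry-run mode (specs are set, `status` is always `null`), so none of the perimeters restrict access — and the refactor drops the old inline hint `# set to null and switch spec and status above to enforce`, leaving no indication of how to turn enforcement on. Above the local I would add: `# dry-run only: perimeters are evaluated and logged, nothing is enforced; to enforce, set to false and pass the specs as status as well (confirm against the vpc-sc module)`. Two smaller points in the same hunk: the comment `# combine the security project, and any specified in the variable` on the prod spec is stale, since `resources = var.vpc_sc_perimeter_projects.prod` combines nothing, and `# computer perimeter regular specs / status` should read `# compute perimeter regular specs / status`.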
|
||||
|
|