zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #216 from terraform-google-modules/jccb/logging-iam-fixes 

Fix IAM bindings for logging sinks
This commit is contained in:
Julio Castillo 2021-03-31 11:34:56 +02:00 committed by GitHub
parent 37935cee3a 7ca2e60399
commit d8fa166a5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 88 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -15,3 +15,4 @@ credentials.json
key.json key.json
terraform-ls.tf terraform-ls.tf
bundle.zip bundle.zip
.DS_Store

4
modules/folder/README.md
View File

@ -114,7 +114,7 @@ module "folder-sink" {
no-gce-instances = "resource.type=gce_instance" no-gce-instances = "resource.type=gce_instance"
} }
} }
# tftest:modules=5:resources=11 # tftest:modules=5:resources=12
``` ```
### Hierarchical firewall policies ### Hierarchical firewall policies
@ -186,5 +186,5 @@ module "folder2" {
| folder | Folder resource. | | | folder | Folder resource. | |
| id | Folder id. | | | id | Folder id. | |
| name | Folder name. | | | name | Folder name. | |
| sink_writer_identities | None | | | sink_writer_identities | Writer identities created for each sink. | |
<!-- END TFDOC --> <!-- END TFDOC -->

21
modules/folder/main.tf
View File

@ -202,27 +202,36 @@ resource "google_logging_folder_sink" "sink" {
} }
} }
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" { resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
for_each = local.sink_bindings["gcs"] for_each = local.sink_bindings["gcs"]
bucket = each.value.destination bucket = each.value.destination
role = "roles/storage.objectCreator" role = "roles/storage.objectCreator"
members = [google_logging_folder_sink.sink[each.key].writer_identity] member = google_logging_folder_sink.sink[each.key].writer_identity
} }
resource "google_bigquery_dataset_iam_binding" "bq-sinks-binding" { resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
for_each = local.sink_bindings["bigquery"] for_each = local.sink_bindings["bigquery"]
project = split("/", each.value.destination)[1] project = split("/", each.value.destination)[1]
dataset_id = split("/", each.value.destination)[3] dataset_id = split("/", each.value.destination)[3]
role = "roles/bigquery.dataEditor" role = "roles/bigquery.dataEditor"
members = [google_logging_folder_sink.sink[each.key].writer_identity] member = google_logging_folder_sink.sink[each.key].writer_identity
} }
resource "google_pubsub_topic_iam_binding" "pubsub-sinks-binding" { resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
for_each = local.sink_bindings["pubsub"] for_each = local.sink_bindings["pubsub"]
project = split("/", each.value.destination)[1] project = split("/", each.value.destination)[1]
topic = split("/", each.value.destination)[3] topic = split("/", each.value.destination)[3]
role = "roles/pubsub.publisher" role = "roles/pubsub.publisher"
members = [google_logging_folder_sink.sink[each.key].writer_identity] member = google_logging_folder_sink.sink[each.key].writer_identity
}
resource "google_project_iam_member" "bucket-sinks-binding" {
for_each = local.sink_bindings["logging"]
project = split("/", each.value.destination)[1]
role = "roles/logging.bucketWriter"
member = google_logging_folder_sink.sink[each.key].writer_identity
# TODO(jccb): use a condition to limit writer-identity only to this
# bucket
} }
resource "google_logging_folder_exclusion" "logging-exclusion" { resource "google_logging_folder_exclusion" "logging-exclusion" {

2
modules/folder/outputs.tf
View File

@ -51,7 +51,7 @@ output "firewall_policy_id" {
} }
output "sink_writer_identities" { output "sink_writer_identities" {
description = "" description = "Writer identities created for each sink."
value = { value = {
for name, sink in google_logging_folder_sink.sink : name => sink.writer_identity for name, sink in google_logging_folder_sink.sink : name => sink.writer_identity
} }

4
modules/organization/README.md
View File

@ -131,7 +131,7 @@ module "org" {
no-gce-instances = "resource.type=gce_instance" no-gce-instances = "resource.type=gce_instance"
} }
} }
# tftest:modules=5:resources=10 # tftest:modules=5:resources=11
``` ```
@ -163,5 +163,5 @@ module "org" {
| firewall_policies | Map of firewall policy resources created in the organization. | | | firewall_policies | Map of firewall policy resources created in the organization. | |
| firewall_policy_id | Map of firewall policy ids created in the organization. | | | firewall_policy_id | Map of firewall policy ids created in the organization. | |
| organization_id | Organization id dependent on module resources. | | | organization_id | Organization id dependent on module resources. | |
| sink_writer_identities | None | | | sink_writer_identities | Writer identities created for each sink. | |
<!-- END TFDOC --> <!-- END TFDOC -->

21
modules/organization/main.tf
View File

@ -286,27 +286,36 @@ resource "google_logging_organization_sink" "sink" {
} }
} }
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" { resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
for_each = local.sink_bindings["gcs"] for_each = local.sink_bindings["gcs"]
bucket = each.value.destination bucket = each.value.destination
role = "roles/storage.objectCreator" role = "roles/storage.objectCreator"
members = [google_logging_organization_sink.sink[each.key].writer_identity] member = google_logging_organization_sink.sink[each.key].writer_identity
} }
resource "google_bigquery_dataset_iam_binding" "bq-sinks-binding" { resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
for_each = local.sink_bindings["bigquery"] for_each = local.sink_bindings["bigquery"]
project = split("/", each.value.destination)[1] project = split("/", each.value.destination)[1]
dataset_id = split("/", each.value.destination)[3] dataset_id = split("/", each.value.destination)[3]
role = "roles/bigquery.dataEditor" role = "roles/bigquery.dataEditor"
members = [google_logging_organization_sink.sink[each.key].writer_identity] member = google_logging_organization_sink.sink[each.key].writer_identity
} }
resource "google_pubsub_topic_iam_binding" "pubsub-sinks-binding" { resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
for_each = local.sink_bindings["pubsub"] for_each = local.sink_bindings["pubsub"]
project = split("/", each.value.destination)[1] project = split("/", each.value.destination)[1]
topic = split("/", each.value.destination)[3] topic = split("/", each.value.destination)[3]
role = "roles/pubsub.publisher" role = "roles/pubsub.publisher"
members = [google_logging_organization_sink.sink[each.key].writer_identity] member = google_logging_organization_sink.sink[each.key].writer_identity
}
resource "google_project_iam_member" "bucket-sinks-binding" {
for_each = local.sink_bindings["logging"]
project = split("/", each.value.destination)[1]
role = "roles/logging.bucketWriter"
member = google_logging_organization_sink.sink[each.key].writer_identity
# TODO(jccb): use a condition to limit writer-identity only to this
# bucket
} }
resource "google_logging_organization_exclusion" "logging-exclusion" { resource "google_logging_organization_exclusion" "logging-exclusion" {

2
modules/organization/outputs.tf
View File

@ -45,7 +45,7 @@ output "firewall_policy_id" {
} }
output "sink_writer_identities" { output "sink_writer_identities" {
description = "" description = "Writer identities created for each sink."
value = { value = {
for name, sink in google_logging_organization_sink.sink : name => sink.writer_identity for name, sink in google_logging_organization_sink.sink : name => sink.writer_identity
} }

4
modules/project/README.md
View File

@ -146,7 +146,7 @@ module "project-host" {
no-gce-instances = "resource.type=gce_instance" no-gce-instances = "resource.type=gce_instance"
} }
} }
# tftest:modules=5:resources=11 # tftest:modules=5:resources=12
``` ```
@ -191,6 +191,6 @@ module "project-host" {
| number | Project number. | | | number | Project number. | |
| project_id | Project id. | | | project_id | Project id. | |
| service_accounts | Product robot service accounts in project. | | | service_accounts | Product robot service accounts in project. | |
| sink_writer_identities | None | | | sink_writer_identities | Writer identities created for each sink. | |
<!-- END TFDOC --> <!-- END TFDOC -->

21
modules/project/main.tf
View File

@ -277,27 +277,36 @@ resource "google_logging_project_sink" "sink" {
} }
} }
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" { resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
for_each = local.sink_bindings["gcs"] for_each = local.sink_bindings["gcs"]
bucket = each.value.destination bucket = each.value.destination
role = "roles/storage.objectCreator" role = "roles/storage.objectCreator"
members = [google_logging_project_sink.sink[each.key].writer_identity] member = google_logging_project_sink.sink[each.key].writer_identity
} }
resource "google_bigquery_dataset_iam_binding" "bq-sinks-binding" { resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
for_each = local.sink_bindings["bigquery"] for_each = local.sink_bindings["bigquery"]
project = split("/", each.value.destination)[1] project = split("/", each.value.destination)[1]
dataset_id = split("/", each.value.destination)[3] dataset_id = split("/", each.value.destination)[3]
role = "roles/bigquery.dataEditor" role = "roles/bigquery.dataEditor"
members = [google_logging_project_sink.sink[each.key].writer_identity] member = google_logging_project_sink.sink[each.key].writer_identity
} }
resource "google_pubsub_topic_iam_binding" "pubsub-sinks-binding" { resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
for_each = local.sink_bindings["pubsub"] for_each = local.sink_bindings["pubsub"]
project = split("/", each.value.destination)[1] project = split("/", each.value.destination)[1]
topic = split("/", each.value.destination)[3] topic = split("/", each.value.destination)[3]
role = "roles/pubsub.publisher" role = "roles/pubsub.publisher"
members = [google_logging_project_sink.sink[each.key].writer_identity] member = google_logging_project_sink.sink[each.key].writer_identity
}
resource "google_project_iam_member" "bucket-sinks-binding" {
for_each = local.sink_bindings["logging"]
project = split("/", each.value.destination)[1]
role = "roles/logging.bucketWriter"
member = google_logging_project_sink.sink[each.key].writer_identity
# TODO(jccb): use a condition to limit writer-identity only to this
# bucket
} }
resource "google_logging_project_exclusion" "logging-exclusion" { resource "google_logging_project_exclusion" "logging-exclusion" {

2
modules/project/outputs.tf
View File

@ -68,7 +68,7 @@ output "custom_roles" {
} }
output "sink_writer_identities" { output "sink_writer_identities" {
description = "" description = "Writer identities created for each sink."
value = { value = {
for name, sink in google_logging_project_sink.sink : name => sink.writer_identity for name, sink in google_logging_project_sink.sink : name => sink.writer_identity
} }

20
tests/modules/folder/test_plan_logging.py
View File

@ -62,15 +62,16 @@ def test_sinks(plan_runner):
} }
""" """
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks) _, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
assert len(resources) == 8 assert len(resources) == 9
resource_types = Counter([r["type"] for r in resources]) resource_types = Counter([r["type"] for r in resources])
assert resource_types == { assert resource_types == {
"google_bigquery_dataset_iam_binding": 1,
"google_folder": 1,
"google_logging_folder_sink": 4, "google_logging_folder_sink": 4,
"google_pubsub_topic_iam_binding": 1, "google_folder": 1,
"google_storage_bucket_iam_binding": 1, "google_bigquery_dataset_iam_member": 1,
"google_project_iam_member": 1,
"google_pubsub_topic_iam_member": 1,
"google_storage_bucket_iam_member": 1,
} }
sinks = [r for r in resources if r["type"] == "google_logging_folder_sink"] sinks = [r for r in resources if r["type"] == "google_logging_folder_sink"]
@ -111,12 +112,13 @@ def test_sinks(plan_runner):
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", True), ("warning", "severity=WARNING", "storage.googleapis.com/mybucket", True),
] ]
bindings = [r for r in resources if "binding" in r["type"]] bindings = [r for r in resources if "member" in r["type"]]
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings] values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
assert sorted(values) == [ assert sorted(values) == [
("info", "google_bigquery_dataset_iam_binding", "roles/bigquery.dataEditor"), ("debug", "google_project_iam_member", "roles/logging.bucketWriter"),
("notice", "google_pubsub_topic_iam_binding", "roles/pubsub.publisher"), ("info", "google_bigquery_dataset_iam_member", "roles/bigquery.dataEditor"),
("warning", "google_storage_bucket_iam_binding", "roles/storage.objectCreator"), ("notice", "google_pubsub_topic_iam_member", "roles/pubsub.publisher"),
("warning", "google_storage_bucket_iam_member", "roles/storage.objectCreator"),
] ]
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks] exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]

18
tests/modules/organization/test_plan_logging.py
View File

@ -62,14 +62,15 @@ def test_sinks(plan_runner):
} }
""" """
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks) _, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
assert len(resources) == 7 assert len(resources) == 8
resource_types = Counter([r["type"] for r in resources]) resource_types = Counter([r["type"] for r in resources])
assert resource_types == { assert resource_types == {
"google_bigquery_dataset_iam_binding": 1,
"google_logging_organization_sink": 4, "google_logging_organization_sink": 4,
"google_pubsub_topic_iam_binding": 1, "google_bigquery_dataset_iam_member": 1,
"google_storage_bucket_iam_binding": 1, "google_project_iam_member": 1,
"google_pubsub_topic_iam_member": 1,
"google_storage_bucket_iam_member": 1,
} }
sinks = [r for r in resources if r["type"] == "google_logging_organization_sink"] sinks = [r for r in resources if r["type"] == "google_logging_organization_sink"]
@ -110,12 +111,13 @@ def test_sinks(plan_runner):
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", True), ("warning", "severity=WARNING", "storage.googleapis.com/mybucket", True),
] ]
bindings = [r for r in resources if "binding" in r["type"]] bindings = [r for r in resources if "member" in r["type"]]
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings] values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
assert sorted(values) == [ assert sorted(values) == [
("info", "google_bigquery_dataset_iam_binding", "roles/bigquery.dataEditor"), ("debug", "google_project_iam_member", "roles/logging.bucketWriter"),
("notice", "google_pubsub_topic_iam_binding", "roles/pubsub.publisher"), ("info", "google_bigquery_dataset_iam_member", "roles/bigquery.dataEditor"),
("warning", "google_storage_bucket_iam_binding", "roles/storage.objectCreator"), ("notice", "google_pubsub_topic_iam_member", "roles/pubsub.publisher"),
("warning", "google_storage_bucket_iam_member", "roles/storage.objectCreator"),
] ]
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks] exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]

18
tests/modules/project/test_plan_logging.py
View File

@ -62,15 +62,16 @@ def test_sinks(plan_runner):
} }
""" """
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks) _, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
assert len(resources) == 8 assert len(resources) == 9
resource_types = Counter([r["type"] for r in resources]) resource_types = Counter([r["type"] for r in resources])
assert resource_types == { assert resource_types == {
"google_bigquery_dataset_iam_binding": 1,
"google_logging_project_sink": 4, "google_logging_project_sink": 4,
"google_bigquery_dataset_iam_member": 1,
"google_project": 1, "google_project": 1,
"google_pubsub_topic_iam_binding": 1, "google_project_iam_member": 1,
"google_storage_bucket_iam_binding": 1, "google_pubsub_topic_iam_member": 1,
"google_storage_bucket_iam_member": 1,
} }
sinks = [r for r in resources if r["type"] == "google_logging_project_sink"] sinks = [r for r in resources if r["type"] == "google_logging_project_sink"]
@ -111,12 +112,13 @@ def test_sinks(plan_runner):
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", False), ("warning", "severity=WARNING", "storage.googleapis.com/mybucket", False),
] ]
bindings = [r for r in resources if "binding" in r["type"]] bindings = [r for r in resources if "member" in r["type"]]
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings] values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
assert sorted(values) == [ assert sorted(values) == [
("info", "google_bigquery_dataset_iam_binding", "roles/bigquery.dataEditor"), ("debug", "google_project_iam_member", "roles/logging.bucketWriter"),
("notice", "google_pubsub_topic_iam_binding", "roles/pubsub.publisher"), ("info", "google_bigquery_dataset_iam_member", "roles/bigquery.dataEditor"),
("warning", "google_storage_bucket_iam_binding", "roles/storage.objectCreator"), ("notice", "google_pubsub_topic_iam_member", "roles/pubsub.publisher"),
("warning", "google_storage_bucket_iam_member", "roles/storage.objectCreator"),
] ]
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks] exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]