Merge pull request #216 from terraform-google-modules/jccb/logging-iam-fixes
Fix IAM bindings for logging sinks
@ -15,3 +15,4 @@ credentials.json
|
||||||
key.json
|
key.json
|
||||||
terraform-ls.tf
|
terraform-ls.tf
|
||||||
bundle.zip
|
bundle.zip
|
||||||
|
.DS_Store
|
||||||
|
|
|
@ -114,7 +114,7 @@ module "folder-sink" {
|
||||||
no-gce-instances = "resource.type=gce_instance"
|
no-gce-instances = "resource.type=gce_instance"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest:modules=5:resources=11
|
# tftest:modules=5:resources=12
|
||||||
```
|
```
|
||||||
|
|
||||||
### Hierarchical firewall policies
|
### Hierarchical firewall policies
|
||||||
|
@ -186,5 +186,5 @@ module "folder2" {
|
||||||
| folder | Folder resource. | |
|
| folder | Folder resource. | |
|
||||||
| id | Folder id. | |
|
| id | Folder id. | |
|
||||||
| name | Folder name. | |
|
| name | Folder name. | |
|
||||||
| sink_writer_identities | None | |
|
| sink_writer_identities | Writer identities created for each sink. | |
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -202,27 +202,36 @@ resource "google_logging_folder_sink" "sink" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" {
|
resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
|
||||||
for_each = local.sink_bindings["gcs"]
|
for_each = local.sink_bindings["gcs"]
|
||||||
bucket = each.value.destination
|
bucket = each.value.destination
|
||||||
role = "roles/storage.objectCreator"
|
role = "roles/storage.objectCreator"
|
||||||
members = [google_logging_folder_sink.sink[each.key].writer_identity]
|
member = google_logging_folder_sink.sink[each.key].writer_identity
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_bigquery_dataset_iam_binding" "bq-sinks-binding" {
|
resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
|
||||||
for_each = local.sink_bindings["bigquery"]
|
for_each = local.sink_bindings["bigquery"]
|
||||||
project = split("/", each.value.destination)[1]
|
project = split("/", each.value.destination)[1]
|
||||||
dataset_id = split("/", each.value.destination)[3]
|
dataset_id = split("/", each.value.destination)[3]
|
||||||
role = "roles/bigquery.dataEditor"
|
role = "roles/bigquery.dataEditor"
|
||||||
members = [google_logging_folder_sink.sink[each.key].writer_identity]
|
member = google_logging_folder_sink.sink[each.key].writer_identity
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_pubsub_topic_iam_binding" "pubsub-sinks-binding" {
|
resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
|
||||||
for_each = local.sink_bindings["pubsub"]
|
for_each = local.sink_bindings["pubsub"]
|
||||||
project = split("/", each.value.destination)[1]
|
project = split("/", each.value.destination)[1]
|
||||||
topic = split("/", each.value.destination)[3]
|
topic = split("/", each.value.destination)[3]
|
||||||
role = "roles/pubsub.publisher"
|
role = "roles/pubsub.publisher"
|
||||||
members = [google_logging_folder_sink.sink[each.key].writer_identity]
|
member = google_logging_folder_sink.sink[each.key].writer_identity
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_project_iam_member" "bucket-sinks-binding" {
|
||||||
|
for_each = local.sink_bindings["logging"]
|
||||||
|
project = split("/", each.value.destination)[1]
|
||||||
|
role = "roles/logging.bucketWriter"
|
||||||
|
member = google_logging_folder_sink.sink[each.key].writer_identity
|
||||||
|
# TODO(jccb): use a condition to limit writer-identity only to this
|
||||||
|
# bucket
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_logging_folder_exclusion" "logging-exclusion" {
|
resource "google_logging_folder_exclusion" "logging-exclusion" {
|
||||||
|
|
|
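Review bot: The new `google_project_iam_member "bucket-sinks-binding"` grants `roles/logging.bucketWriter` on the whole destination project, so each sink's writer identity can write into every log bucket of that project rather than only the one named in its destination; the two-line TODO at the end of the resource acknowledges this but the grant ships unscoped. Because `google_project_iam_member` accepts a `condition` block, the grant can be narrowed in the same resource, e.g. `condition { title = "sink-${each.key}" expression = "resource.name.endsWith(\"${each.value.destination}\")" }` — confirm the resource-name form that IAM conditions see for log buckets before relying on the exact expression. The same resource with the same TODO is added in the `google_logging_organization_sink` and `google_logging_project_sink` hunks below, so whatever is decided here applies to all three. The `split("/", each.value.destination)[1]` index presumes `local.sink_bindings` stores destinations with the `logging.googleapis.com/` prefix already stripped, which is defined outside this hunk; a short comment stating the expected destination format next to the TODO would make that assumption visible.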
@ -51,7 +51,7 @@ output "firewall_policy_id" {
|
||||||
}
|
}
|
||||||
|
|
||||||
output "sink_writer_identities" {
|
output "sink_writer_identities" {
|
||||||
description = ""
|
description = "Writer identities created for each sink."
|
||||||
value = {
|
value = {
|
||||||
for name, sink in google_logging_folder_sink.sink : name => sink.writer_identity
|
for name, sink in google_logging_folder_sink.sink : name => sink.writer_identity
|
||||||
}
|
}
|
||||||
|
|
|
@ -131,7 +131,7 @@ module "org" {
|
||||||
no-gce-instances = "resource.type=gce_instance"
|
no-gce-instances = "resource.type=gce_instance"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest:modules=5:resources=10
|
# tftest:modules=5:resources=11
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
@ -163,5 +163,5 @@ module "org" {
|
||||||
| firewall_policies | Map of firewall policy resources created in the organization. | |
|
| firewall_policies | Map of firewall policy resources created in the organization. | |
|
||||||
| firewall_policy_id | Map of firewall policy ids created in the organization. | |
|
| firewall_policy_id | Map of firewall policy ids created in the organization. | |
|
||||||
| organization_id | Organization id dependent on module resources. | |
|
| organization_id | Organization id dependent on module resources. | |
|
||||||
| sink_writer_identities | None | |
|
| sink_writer_identities | Writer identities created for each sink. | |
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -286,27 +286,36 @@ resource "google_logging_organization_sink" "sink" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" {
|
resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
|
||||||
for_each = local.sink_bindings["gcs"]
|
for_each = local.sink_bindings["gcs"]
|
||||||
bucket = each.value.destination
|
bucket = each.value.destination
|
||||||
role = "roles/storage.objectCreator"
|
role = "roles/storage.objectCreator"
|
||||||
members = [google_logging_organization_sink.sink[each.key].writer_identity]
|
member = google_logging_organization_sink.sink[each.key].writer_identity
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_bigquery_dataset_iam_binding" "bq-sinks-binding" {
|
resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
|
||||||
for_each = local.sink_bindings["bigquery"]
|
for_each = local.sink_bindings["bigquery"]
|
||||||
project = split("/", each.value.destination)[1]
|
project = split("/", each.value.destination)[1]
|
||||||
dataset_id = split("/", each.value.destination)[3]
|
dataset_id = split("/", each.value.destination)[3]
|
||||||
role = "roles/bigquery.dataEditor"
|
role = "roles/bigquery.dataEditor"
|
||||||
members = [google_logging_organization_sink.sink[each.key].writer_identity]
|
member = google_logging_organization_sink.sink[each.key].writer_identity
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_pubsub_topic_iam_binding" "pubsub-sinks-binding" {
|
resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
|
||||||
for_each = local.sink_bindings["pubsub"]
|
for_each = local.sink_bindings["pubsub"]
|
||||||
project = split("/", each.value.destination)[1]
|
project = split("/", each.value.destination)[1]
|
||||||
topic = split("/", each.value.destination)[3]
|
topic = split("/", each.value.destination)[3]
|
||||||
role = "roles/pubsub.publisher"
|
role = "roles/pubsub.publisher"
|
||||||
members = [google_logging_organization_sink.sink[each.key].writer_identity]
|
member = google_logging_organization_sink.sink[each.key].writer_identity
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_project_iam_member" "bucket-sinks-binding" {
|
||||||
|
for_each = local.sink_bindings["logging"]
|
||||||
|
project = split("/", each.value.destination)[1]
|
||||||
|
role = "roles/logging.bucketWriter"
|
||||||
|
member = google_logging_organization_sink.sink[each.key].writer_identity
|
||||||
|
# TODO(jccb): use a condition to limit writer-identity only to this
|
||||||
|
# bucket
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_logging_organization_exclusion" "logging-exclusion" {
|
resource "google_logging_organization_exclusion" "logging-exclusion" {
|
||||||
|
|
|
@ -45,7 +45,7 @@ output "firewall_policy_id" {
|
||||||
}
|
}
|
||||||
|
|
||||||
output "sink_writer_identities" {
|
output "sink_writer_identities" {
|
||||||
description = ""
|
description = "Writer identities created for each sink."
|
||||||
value = {
|
value = {
|
||||||
for name, sink in google_logging_organization_sink.sink : name => sink.writer_identity
|
for name, sink in google_logging_organization_sink.sink : name => sink.writer_identity
|
||||||
}
|
}
|
||||||
|
|
|
@ -146,7 +146,7 @@ module "project-host" {
|
||||||
no-gce-instances = "resource.type=gce_instance"
|
no-gce-instances = "resource.type=gce_instance"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest:modules=5:resources=11
|
# tftest:modules=5:resources=12
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
@ -191,6 +191,6 @@ module "project-host" {
|
||||||
| number | Project number. | |
|
| number | Project number. | |
|
||||||
| project_id | Project id. | |
|
| project_id | Project id. | |
|
||||||
| service_accounts | Product robot service accounts in project. | |
|
| service_accounts | Product robot service accounts in project. | |
|
||||||
| sink_writer_identities | None | |
|
| sink_writer_identities | Writer identities created for each sink. | |
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
||||||
|
|
|
@ -277,27 +277,36 @@ resource "google_logging_project_sink" "sink" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" {
|
resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
|
||||||
for_each = local.sink_bindings["gcs"]
|
for_each = local.sink_bindings["gcs"]
|
||||||
bucket = each.value.destination
|
bucket = each.value.destination
|
||||||
role = "roles/storage.objectCreator"
|
role = "roles/storage.objectCreator"
|
||||||
members = [google_logging_project_sink.sink[each.key].writer_identity]
|
member = google_logging_project_sink.sink[each.key].writer_identity
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_bigquery_dataset_iam_binding" "bq-sinks-binding" {
|
resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
|
||||||
for_each = local.sink_bindings["bigquery"]
|
for_each = local.sink_bindings["bigquery"]
|
||||||
project = split("/", each.value.destination)[1]
|
project = split("/", each.value.destination)[1]
|
||||||
dataset_id = split("/", each.value.destination)[3]
|
dataset_id = split("/", each.value.destination)[3]
|
||||||
role = "roles/bigquery.dataEditor"
|
role = "roles/bigquery.dataEditor"
|
||||||
members = [google_logging_project_sink.sink[each.key].writer_identity]
|
member = google_logging_project_sink.sink[each.key].writer_identity
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_pubsub_topic_iam_binding" "pubsub-sinks-binding" {
|
resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
|
||||||
for_each = local.sink_bindings["pubsub"]
|
for_each = local.sink_bindings["pubsub"]
|
||||||
project = split("/", each.value.destination)[1]
|
project = split("/", each.value.destination)[1]
|
||||||
topic = split("/", each.value.destination)[3]
|
topic = split("/", each.value.destination)[3]
|
||||||
role = "roles/pubsub.publisher"
|
role = "roles/pubsub.publisher"
|
||||||
members = [google_logging_project_sink.sink[each.key].writer_identity]
|
member = google_logging_project_sink.sink[each.key].writer_identity
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_project_iam_member" "bucket-sinks-binding" {
|
||||||
|
for_each = local.sink_bindings["logging"]
|
||||||
|
project = split("/", each.value.destination)[1]
|
||||||
|
role = "roles/logging.bucketWriter"
|
||||||
|
member = google_logging_project_sink.sink[each.key].writer_identity
|
||||||
|
# TODO(jccb): use a condition to limit writer-identity only to this
|
||||||
|
# bucket
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_logging_project_exclusion" "logging-exclusion" {
|
resource "google_logging_project_exclusion" "logging-exclusion" {
|
||||||
|
|
|
@ -68,7 +68,7 @@ output "custom_roles" {
|
||||||
}
|
}
|
||||||
|
|
||||||
output "sink_writer_identities" {
|
output "sink_writer_identities" {
|
||||||
description = ""
|
description = "Writer identities created for each sink."
|
||||||
value = {
|
value = {
|
||||||
for name, sink in google_logging_project_sink.sink : name => sink.writer_identity
|
for name, sink in google_logging_project_sink.sink : name => sink.writer_identity
|
||||||
}
|
}
|
||||||
|
|
|
@ -62,15 +62,16 @@ def test_sinks(plan_runner):
|
||||||
}
|
}
|
||||||
"""
|
"""
|
||||||
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
|
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
|
||||||
assert len(resources) == 8
|
assert len(resources) == 9
|
||||||
|
|
||||||
resource_types = Counter([r["type"] for r in resources])
|
resource_types = Counter([r["type"] for r in resources])
|
||||||
assert resource_types == {
|
assert resource_types == {
|
||||||
"google_bigquery_dataset_iam_binding": 1,
|
|
||||||
"google_folder": 1,
|
|
||||||
"google_logging_folder_sink": 4,
|
"google_logging_folder_sink": 4,
|
||||||
"google_pubsub_topic_iam_binding": 1,
|
"google_folder": 1,
|
||||||
"google_storage_bucket_iam_binding": 1,
|
"google_bigquery_dataset_iam_member": 1,
|
||||||
|
"google_project_iam_member": 1,
|
||||||
|
"google_pubsub_topic_iam_member": 1,
|
||||||
|
"google_storage_bucket_iam_member": 1,
|
||||||
}
|
}
|
||||||
|
|
||||||
sinks = [r for r in resources if r["type"] == "google_logging_folder_sink"]
|
sinks = [r for r in resources if r["type"] == "google_logging_folder_sink"]
|
||||||
|
@ -111,12 +112,13 @@ def test_sinks(plan_runner):
|
||||||
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", True),
|
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", True),
|
||||||
]
|
]
|
||||||
|
|
||||||
bindings = [r for r in resources if "binding" in r["type"]]
|
bindings = [r for r in resources if "member" in r["type"]]
|
||||||
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
|
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
|
||||||
assert sorted(values) == [
|
assert sorted(values) == [
|
||||||
("info", "google_bigquery_dataset_iam_binding", "roles/bigquery.dataEditor"),
|
("debug", "google_project_iam_member", "roles/logging.bucketWriter"),
|
||||||
("notice", "google_pubsub_topic_iam_binding", "roles/pubsub.publisher"),
|
("info", "google_bigquery_dataset_iam_member", "roles/bigquery.dataEditor"),
|
||||||
("warning", "google_storage_bucket_iam_binding", "roles/storage.objectCreator"),
|
("notice", "google_pubsub_topic_iam_member", "roles/pubsub.publisher"),
|
||||||
|
("warning", "google_storage_bucket_iam_member", "roles/storage.objectCreator"),
|
||||||
]
|
]
|
||||||
|
|
||||||
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]
|
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]
|
||||||
|
|
|
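Review bot: The rewritten `values` list in the second hunk still compares only `index`, `type` and `role`, so a wrong element picked out of `split("/", each.value.destination)` for `project`, `dataset_id`, `topic` or `bucket` would not fail this test even though those fields are known at plan time and decide which resource receives the grant. Extending the tuple to include the destination-derived attributes, e.g. `values = [(r["index"], r["type"], r["values"]["role"], r["values"].get("project"), r["values"].get("bucket")) for r in bindings]`, and listing the expected project and bucket values from the `logging_sinks` fixture (defined above this hunk) would pin the binding target as well as the role. The `test_sinks` function starts outside the hunk, and the equivalent `test_sinks` hunks for the organization and project modules below have the same gap.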
@ -62,14 +62,15 @@ def test_sinks(plan_runner):
|
||||||
}
|
}
|
||||||
"""
|
"""
|
||||||
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
|
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
|
||||||
assert len(resources) == 7
|
assert len(resources) == 8
|
||||||
|
|
||||||
resource_types = Counter([r["type"] for r in resources])
|
resource_types = Counter([r["type"] for r in resources])
|
||||||
assert resource_types == {
|
assert resource_types == {
|
||||||
"google_bigquery_dataset_iam_binding": 1,
|
|
||||||
"google_logging_organization_sink": 4,
|
"google_logging_organization_sink": 4,
|
||||||
"google_pubsub_topic_iam_binding": 1,
|
"google_bigquery_dataset_iam_member": 1,
|
||||||
"google_storage_bucket_iam_binding": 1,
|
"google_project_iam_member": 1,
|
||||||
|
"google_pubsub_topic_iam_member": 1,
|
||||||
|
"google_storage_bucket_iam_member": 1,
|
||||||
}
|
}
|
||||||
|
|
||||||
sinks = [r for r in resources if r["type"] == "google_logging_organization_sink"]
|
sinks = [r for r in resources if r["type"] == "google_logging_organization_sink"]
|
||||||
|
@ -110,12 +111,13 @@ def test_sinks(plan_runner):
|
||||||
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", True),
|
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", True),
|
||||||
]
|
]
|
||||||
|
|
||||||
bindings = [r for r in resources if "binding" in r["type"]]
|
bindings = [r for r in resources if "member" in r["type"]]
|
||||||
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
|
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
|
||||||
assert sorted(values) == [
|
assert sorted(values) == [
|
||||||
("info", "google_bigquery_dataset_iam_binding", "roles/bigquery.dataEditor"),
|
("debug", "google_project_iam_member", "roles/logging.bucketWriter"),
|
||||||
("notice", "google_pubsub_topic_iam_binding", "roles/pubsub.publisher"),
|
("info", "google_bigquery_dataset_iam_member", "roles/bigquery.dataEditor"),
|
||||||
("warning", "google_storage_bucket_iam_binding", "roles/storage.objectCreator"),
|
("notice", "google_pubsub_topic_iam_member", "roles/pubsub.publisher"),
|
||||||
|
("warning", "google_storage_bucket_iam_member", "roles/storage.objectCreator"),
|
||||||
]
|
]
|
||||||
|
|
||||||
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]
|
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]
|
||||||
|
|
|
@ -62,15 +62,16 @@ def test_sinks(plan_runner):
|
||||||
}
|
}
|
||||||
"""
|
"""
|
||||||
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
|
_, resources = plan_runner(FIXTURES_DIR, logging_sinks=logging_sinks)
|
||||||
assert len(resources) == 8
|
assert len(resources) == 9
|
||||||
|
|
||||||
resource_types = Counter([r["type"] for r in resources])
|
resource_types = Counter([r["type"] for r in resources])
|
||||||
assert resource_types == {
|
assert resource_types == {
|
||||||
"google_bigquery_dataset_iam_binding": 1,
|
|
||||||
"google_logging_project_sink": 4,
|
"google_logging_project_sink": 4,
|
||||||
|
"google_bigquery_dataset_iam_member": 1,
|
||||||
"google_project": 1,
|
"google_project": 1,
|
||||||
"google_pubsub_topic_iam_binding": 1,
|
"google_project_iam_member": 1,
|
||||||
"google_storage_bucket_iam_binding": 1,
|
"google_pubsub_topic_iam_member": 1,
|
||||||
|
"google_storage_bucket_iam_member": 1,
|
||||||
}
|
}
|
||||||
|
|
||||||
sinks = [r for r in resources if r["type"] == "google_logging_project_sink"]
|
sinks = [r for r in resources if r["type"] == "google_logging_project_sink"]
|
||||||
|
@ -111,12 +112,13 @@ def test_sinks(plan_runner):
|
||||||
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", False),
|
("warning", "severity=WARNING", "storage.googleapis.com/mybucket", False),
|
||||||
]
|
]
|
||||||
|
|
||||||
bindings = [r for r in resources if "binding" in r["type"]]
|
bindings = [r for r in resources if "member" in r["type"]]
|
||||||
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
|
values = [(r["index"], r["type"], r["values"]["role"]) for r in bindings]
|
||||||
assert sorted(values) == [
|
assert sorted(values) == [
|
||||||
("info", "google_bigquery_dataset_iam_binding", "roles/bigquery.dataEditor"),
|
("debug", "google_project_iam_member", "roles/logging.bucketWriter"),
|
||||||
("notice", "google_pubsub_topic_iam_binding", "roles/pubsub.publisher"),
|
("info", "google_bigquery_dataset_iam_member", "roles/bigquery.dataEditor"),
|
||||||
("warning", "google_storage_bucket_iam_binding", "roles/storage.objectCreator"),
|
("notice", "google_pubsub_topic_iam_member", "roles/pubsub.publisher"),
|
||||||
|
("warning", "google_storage_bucket_iam_member", "roles/storage.objectCreator"),
|
||||||
]
|
]
|
||||||
|
|
||||||
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]
|
exclusions = [(r["index"], r["values"]["exclusions"]) for r in sinks]
|
||||||
|
|