/** * Copyright 2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ # tfdoc:file:description Security stage resources. locals { # FAST-specific IAM _security_folder_fast_iam = { "roles/logging.admin" = [module.branch-security-sa.iam_email] "roles/owner" = [module.branch-security-sa.iam_email] "roles/resourcemanager.folderAdmin" = [module.branch-security-sa.iam_email] "roles/resourcemanager.projectCreator" = [module.branch-security-sa.iam_email] # read-only (plan) automation service account "roles/viewer" = [module.branch-security-r-sa.iam_email] "roles/resourcemanager.folderViewer" = [module.branch-security-r-sa.iam_email] } # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam _security_folder_iam = merge( var.folder_iam.security, { for role, principals in local._security_folder_fast_iam : role => distinct(concat(principals, lookup(var.folder_iam.security, role, []))) } ) } module "branch-security-folder" { source = "../../../modules/folder" parent = local.root_node name = "Security" iam_by_principals = { (local.principals.gcp-security-admins) = [ # owner and viewer roles are broad and might grant unwanted access # replace them with more selective custom roles for production deployments "roles/editor" ] } iam = local._security_folder_iam tag_bindings = { context = try( local.tag_values["${var.tag_names.context}/security"].id, null ) } } # automation service account module "branch-security-sa" { source = "../../../modules/iam-service-account" project_id = var.automation.project_id name = "prod-resman-sec-0" display_name = "Terraform resman security service account." prefix = var.prefix service_account_create = var.root_node == null iam = { "roles/iam.serviceAccountTokenCreator" = compact([ try(module.branch-security-sa-cicd[0].iam_email, null) ]) } iam_project_roles = { (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] } iam_storage_roles = { (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] } } # automation read-only service account module "branch-security-r-sa" { source = "../../../modules/iam-service-account" project_id = var.automation.project_id name = "prod-resman-sec-0r" display_name = "Terraform resman security service account (read-only)." prefix = var.prefix service_account_create = var.root_node == null iam = { "roles/iam.serviceAccountTokenCreator" = compact([ try(module.branch-security-r-sa-cicd[0].iam_email, null) ]) } iam_project_roles = { (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] } iam_storage_roles = { (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] } } # automation bucket module "branch-security-gcs" { source = "../../../modules/gcs" project_id = var.automation.project_id name = "prod-resman-sec-0" prefix = var.prefix location = var.locations.gcs storage_class = local.gcs_storage_class versioning = true iam = { "roles/storage.objectAdmin" = [module.branch-security-sa.iam_email] "roles/storage.objectViewer" = [module.branch-security-r-sa.iam_email] } }