200 lines
7.3 KiB
HCL
200 lines
7.3 KiB
HCL
/**
|
|
* Copyright 2022 Google LLC
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
# tfdoc:file:description Organization policies.
|
|
|
|
|
|
locals {
|
|
# set to the empty list if you remove the data platform branch
|
|
branch_dataplatform_sa_iam_emails = [
|
|
module.branch-dp-dev-sa.iam_email,
|
|
module.branch-dp-prod-sa.iam_email
|
|
]
|
|
# set to the empty list if you remove the teams branch
|
|
branch_teams_pf_sa_iam_emails = [
|
|
module.branch-teams-dev-pf-sa.iam_email,
|
|
module.branch-teams-prod-pf-sa.iam_email
|
|
]
|
|
list_allow = {
|
|
inherit_from_parent = false
|
|
suggested_value = null
|
|
status = true
|
|
values = []
|
|
}
|
|
list_deny = {
|
|
inherit_from_parent = false
|
|
suggested_value = null
|
|
status = false
|
|
values = []
|
|
}
|
|
policy_configs = (
|
|
var.organization_policy_configs == null
|
|
? {}
|
|
: var.organization_policy_configs
|
|
)
|
|
}
|
|
|
|
module "organization" {
|
|
source = "../../../modules/organization"
|
|
organization_id = "organizations/${var.organization.id}"
|
|
# IAM additive bindings, granted via the restricted Organization Admin custom
|
|
# role assigned in stage 00; they need to be additive to avoid conflicts
|
|
iam_additive = merge(
|
|
{
|
|
"roles/accesscontextmanager.policyAdmin" = [
|
|
module.branch-security-sa.iam_email
|
|
]
|
|
"roles/compute.orgFirewallPolicyAdmin" = [
|
|
module.branch-network-sa.iam_email
|
|
]
|
|
"roles/compute.xpnAdmin" = [
|
|
module.branch-network-sa.iam_email
|
|
]
|
|
},
|
|
local.billing_org ? {
|
|
"roles/billing.costsManager" = local.branch_teams_pf_sa_iam_emails
|
|
"roles/billing.user" = concat(
|
|
[
|
|
module.branch-network-sa.iam_email,
|
|
module.branch-security-sa.iam_email,
|
|
],
|
|
local.branch_dataplatform_sa_iam_emails,
|
|
# enable if individual teams can create their own projects
|
|
# [
|
|
# for k, v in module.branch-teams-team-sa : v.iam_email
|
|
# ],
|
|
local.branch_teams_pf_sa_iam_emails
|
|
)
|
|
} : {}
|
|
)
|
|
# sample subset of useful organization policies, edit to suit requirements
|
|
policy_boolean = {
|
|
"constraints/cloudfunctions.requireVPCConnector" = true
|
|
"constraints/compute.disableGuestAttributesAccess" = true
|
|
"constraints/compute.disableInternetNetworkEndpointGroup" = true
|
|
"constraints/compute.disableNestedVirtualization" = true
|
|
"constraints/compute.disableSerialPortAccess" = true
|
|
"constraints/compute.requireOsLogin" = true
|
|
"constraints/compute.restrictXpnProjectLienRemoval" = true
|
|
"constraints/compute.skipDefaultNetworkCreation" = true
|
|
"constraints/compute.setNewProjectDefaultToZonalDNSOnly" = true
|
|
"constraints/iam.automaticIamGrantsForDefaultServiceAccounts" = true
|
|
"constraints/iam.disableServiceAccountKeyCreation" = true
|
|
"constraints/iam.disableServiceAccountKeyUpload" = true
|
|
"constraints/sql.restrictPublicIp" = true
|
|
"constraints/sql.restrictAuthorizedNetworks" = true
|
|
"constraints/storage.uniformBucketLevelAccess" = true
|
|
}
|
|
policy_list = {
|
|
"constraints/cloudfunctions.allowedIngressSettings" = merge(
|
|
local.list_allow, { values = ["is:ALLOW_INTERNAL_ONLY"] }
|
|
)
|
|
"constraints/cloudfunctions.allowedVpcConnectorEgressSettings" = merge(
|
|
local.list_allow, { values = ["is:PRIVATE_RANGES_ONLY"] }
|
|
)
|
|
"constraints/compute.restrictLoadBalancerCreationForTypes" = merge(
|
|
local.list_allow, { values = ["in:INTERNAL"] }
|
|
)
|
|
"constraints/compute.vmExternalIpAccess" = local.list_deny
|
|
"constraints/iam.allowedPolicyMemberDomains" = merge(
|
|
local.list_allow, {
|
|
values = concat(
|
|
[var.organization.customer_id],
|
|
try(local.policy_configs.allowed_policy_member_domains, [])
|
|
)
|
|
})
|
|
"constraints/run.allowedIngress" = merge(
|
|
local.list_allow, { values = ["is:internal"] }
|
|
)
|
|
"constraints/run.allowedVPCEgress" = merge(
|
|
local.list_allow, { values = ["is:private-ranges-only"] }
|
|
)
|
|
# "constraints/compute.restrictCloudNATUsage" = local.list_deny
|
|
# "constraints/compute.restrictDedicatedInterconnectUsage" = local.list_deny
|
|
# "constraints/compute.restrictPartnerInterconnectUsage" = local.list_deny
|
|
# "constraints/compute.restrictProtocolForwardingCreationForTypes" = local.list_deny
|
|
# "constraints/compute.restrictSharedVpcHostProjects" = local.list_deny
|
|
# "constraints/compute.restrictSharedVpcSubnetworks" = local.list_deny
|
|
# "constraints/compute.restrictVpcPeering" = local.list_deny
|
|
# "constraints/compute.restrictVpnPeerIPs" = local.list_deny
|
|
# "constraints/compute.vmCanIpForward" = local.list_deny
|
|
# "constraints/gcp.resourceLocations" = {
|
|
# inherit_from_parent = false
|
|
# suggested_value = null
|
|
# status = true
|
|
# values = local.allowed_regions
|
|
# }
|
|
# https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#restrict
|
|
# "constraints/iam.workloadIdentityPoolProviders" = merge(
|
|
# local.list_allow, { values = [
|
|
# for k, v in coalesce(var.automation.federated_identity_providers, {}) :
|
|
# v.issuer_uri
|
|
# ] }
|
|
# )
|
|
# "constraints/iam.workloadIdentityPoolAwsAccounts" = merge(
|
|
# local.list_allow, { values = [
|
|
#
|
|
# ] }
|
|
# )
|
|
}
|
|
tags = {
|
|
context = {
|
|
description = "Resource management context."
|
|
iam = {}
|
|
values = {
|
|
data = null
|
|
gke = null
|
|
networking = null
|
|
sandbox = null
|
|
security = null
|
|
teams = null
|
|
}
|
|
}
|
|
environment = {
|
|
description = "Environment definition."
|
|
iam = {}
|
|
values = {
|
|
development = null
|
|
production = null
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# organization policy admin role assigned with a condition on tags
|
|
|
|
resource "google_organization_iam_member" "org_policy_admin" {
|
|
for_each = {
|
|
data-dev = ["data", "development", module.branch-dp-dev-sa.iam_email]
|
|
data-prod = ["data", "production", module.branch-dp-prod-sa.iam_email]
|
|
pf-dev = ["teams", "development", module.branch-teams-dev-pf-sa.iam_email]
|
|
pf-prod = ["teams", "production", module.branch-teams-prod-pf-sa.iam_email]
|
|
}
|
|
org_id = var.organization.id
|
|
role = "roles/orgpolicy.policyAdmin"
|
|
member = each.value.2
|
|
condition {
|
|
title = "org_policy_tag_scoped"
|
|
description = "Org policy tag scoped grant for ${each.value.0}/${each.value.1}."
|
|
expression = <<-END
|
|
resource.matchTag('${var.organization.id}/context', '${each.value.0}')
|
|
&&
|
|
resource.matchTag('${var.organization.id}/environment', '${each.value.1}')
|
|
END
|
|
}
|
|
}
|
|
|