zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/folder
History
Wiktor Niesiobędzki 1a657b31d3 Bump beta provider to 4.48 
This is the first version that supports `gateway_api_config` block
 		2023-01-29 15:50:24 +01:00
..
README.md Update folder tests 2023-01-03 16:52:31 +01:00
firewall-policies.tf Rename tf files to use dashes 2022-02-04 08:45:49 +01:00
iam.tf Add support for IAM additive to folder module (#580) 2022-03-11 09:46:32 +01:00
logging.tf Only set partitioned table when sink type is bigquery 2022-11-22 15:48:48 +01:00
main.tf Update resman modules (#475) 2022-01-29 19:35:33 +01:00
organization-policies.tf Reorder org policy rules 2023-01-03 16:52:31 +01:00
outputs.tf Update project/folder/module to use new org policies API and tf1.3 optionals. 2022-10-28 17:49:44 +02:00
tags.tf Add support for resource management tags and tag bindings (#552) 2022-02-20 11:14:18 +01:00
variables.tf Remove as_logging_destination 2022-11-12 19:24:41 +01:00
versions.tf Bump beta provider to 4.48 2023-01-29 15:50:24 +01:00

README.md

Google Cloud Folder Module

This module allows the creation and management of folders, including support for IAM bindings, organization policies, and hierarchical firewall rules.

Basic example with IAM bindings

module "folder" {
  source = "./fabric/modules/folder"
  parent = "organizations/1234567890"
  name   = "Folder name"
  group_iam = {
    "cloud-owners@example.org" = [
      "roles/owner",
      "roles/resourcemanager.folderAdmin",
      "roles/resourcemanager.projectCreator"
    ]
  }
  iam = {
    "roles/owner" = ["user:one@example.org"]
  }
  iam_additive = {
    "roles/compute.admin"  = ["user:a1@example.org", "user:a2@example.org"]
    "roles/compute.viewer" = ["user:a2@example.org"]
  }
  iam_additive_members = {
    "user:am1@example.org" = ["roles/storage.admin"]
    "user:am2@example.org" = ["roles/storage.objectViewer"]
  }
}
# tftest modules=1 resources=9 inventory=iam.yaml

Organization policies

To manage organization policies, the orgpolicy.googleapis.com service should be enabled in the quota project.

module "folder" {
  source = "./fabric/modules/folder"
  parent = "organizations/1234567890"
  name   = "Folder name"
  org_policies = {
    "compute.disableGuestAttributesAccess" = {
      enforce = true
    }
    "constraints/compute.skipDefaultNetworkCreation" = {
      enforce = true
    }
    "iam.disableServiceAccountKeyCreation" = {
      enforce = true
    }
    "iam.disableServiceAccountKeyUpload" = {
      enforce = false
      rules = [
        {
          condition = {
            expression  = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
            title       = "condition"
            description = "test condition"
            location    = "somewhere"
          }
          enforce = true
        }
      ]
    }
    "constraints/iam.allowedPolicyMemberDomains" = {
      allow = {
        values = ["C0xxxxxxx", "C0yyyyyyy"]
      }
    }
    "constraints/compute.trustedImageProjects" = {
      allow = {
        values = ["projects/my-project"]
      }
    }
    "constraints/compute.vmExternalIpAccess" = {
      deny = { all = true }
    }
  }
}
# tftest modules=1 resources=8 inventory=org-policies.yaml

Organization policy factory

See the organization policy factory in the project module.

Logging Sinks

module "gcs" {
  source        = "./fabric/modules/gcs"
  project_id    = "my-project"
  name          = "gcs_sink"
  force_destroy = true
}

module "dataset" {
  source     = "./fabric/modules/bigquery-dataset"
  project_id = "my-project"
  id         = "bq_sink"
}

module "pubsub" {
  source     = "./fabric/modules/pubsub"
  project_id = "my-project"
  name       = "pubsub_sink"
}

module "bucket" {
  source      = "./fabric/modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
}

module "folder-sink" {
  source = "./fabric/modules/folder"
  parent = "folders/657104291943"
  name   = "my-folder"
  logging_sinks = {
    warnings = {
      destination = module.gcs.id
      filter      = "severity=WARNING"
      type        = "storage"
    }
    info = {
      destination = module.dataset.id
      filter      = "severity=INFO"
      type        = "bigquery"
    }
    notice = {
      destination = module.pubsub.id
      filter      = "severity=NOTICE"
      type        = "pubsub"
    }
    debug = {
      destination = module.bucket.id
      filter      = "severity=DEBUG"
      exclusions = {
        no-compute = "logName:compute"
      }
      type = "logging"
    }
  }
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest modules=5 resources=14 inventory=logging.yaml

Hierarchical firewall policies

Hierarchical firewall policies can be managed in two ways:

  • via the firewall_policies variable, to directly define policies and rules in Terraform
  • via the firewall_policy_factory variable, to leverage external YaML files via a simple "factory" embedded in the module (see here for more context on factories)

Once you have policies (either created via the module or externally), you can associate them using the firewall_policy_association variable.

Directly defined firewall policies

module "folder1" {
  source = "./fabric/modules/folder"
  parent = var.organization_id
  name   = "policy-container"

  firewall_policies = {
    iap-policy = {
      allow-admins = {
        description             = "Access from the admin subnet to all subnets"
        direction               = "INGRESS"
        action                  = "allow"
        priority                = 1000
        ranges                  = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
        ports                   = { all = [] }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
      allow-iap-ssh = {
        description             = "Always allow ssh from IAP"
        direction               = "INGRESS"
        action                  = "allow"
        priority                = 100
        ranges                  = ["35.235.240.0/20"]
        ports                   = { tcp = ["22"] }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
    }
  }
  firewall_policy_association = {
    iap-policy = "iap-policy"
  }
}

module "folder2" {
  source = "./fabric/modules/folder"
  parent = var.organization_id
  name   = "hf2"
  firewall_policy_association = {
    iap-policy = module.folder1.firewall_policy_id["iap-policy"]
  }
}
# tftest modules=2 resources=7 inventory=hfw.yaml

Firewall policy factory

The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run terraform).

module "folder1" {
  source = "./fabric/modules/folder"
  parent = var.organization_id
  name   = "policy-container"
  firewall_policy_factory = {
    cidr_file   = "configs/firewall-policies/cidrs.yaml"
    policy_name = "iap-policy"
    rules_file  = "configs/firewall-policies/rules.yaml"
  }
  firewall_policy_association = {
    iap-policy = "iap-policy"
  }
}

module "folder2" {
  source = "./fabric/modules/folder"
  parent = var.organization_id
  name   = "hf2"
  firewall_policy_association = {
    iap-policy = module.folder1.firewall_policy_id["iap-policy"]
  }
}
# tftest modules=2 resources=7 files=cidrs,rules inventory=hfw.yaml

# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
rfc1918:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16

# tftest-file id=rules path=configs/firewall-policies/rules.yaml
allow-admins:
  description: Access from the admin subnet to all subnets
  direction: INGRESS
  action: allow
  priority: 1000
  ranges:
    - $rfc1918
  ports:
    all: []
  target_resources: null
  logging: false

allow-iap-ssh:
  description: "Always allow ssh from IAP"
  direction: INGRESS
  action: allow
  priority: 100
  ranges:
    - 35.235.240.0/20
  ports:
    tcp: ["22"]
  target_resources: null
  logging: false

Tags

Refer to the Creating and managing tags documentation for details on usage.

module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  tags = {
    environment = {
      description = "Environment specification."
      iam         = null
      values = {
        dev  = null
        prod = null
      }
    }
  }
}

module "folder" {
  source = "./fabric/modules/folder"
  name   = "Test"
  parent = module.org.organization_id
  tag_bindings = {
    env-prod = module.org.tag_values["environment/prod"].id
    foo      = "tagValues/12345678"
  }
}
# tftest modules=2 resources=6 inventory=tags.yaml

Files

name description resources
firewall-policies.tf None google_compute_firewall_policy · google_compute_firewall_policy_association · google_compute_firewall_policy_rule
iam.tf IAM bindings, roles and audit logging resources. google_folder_iam_binding · google_folder_iam_member
logging.tf Log sinks and supporting resources. google_bigquery_dataset_iam_member · google_logging_folder_exclusion · google_logging_folder_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member
main.tf Module-level locals and resources. google_essential_contacts_contact · google_folder
organization-policies.tf Folder-level organization policies. google_org_policy_policy
outputs.tf Module outputs.
tags.tf None google_tags_tag_binding
variables.tf Module variables.
versions.tf Version pins.

Variables

name description type required default
contacts List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. map(list(string)) {}
firewall_policies Hierarchical firewall policies created in this folder. map(map(object({…}))) {}
firewall_policy_association The hierarchical firewall policy to associate to this folder. Must be either a key in the firewall_policies map or the id of a policy defined somewhere else. map(string) {}
firewall_policy_factory Configuration for the firewall policy factory. object({…}) null
folder_create Create folder. When set to false, uses id to reference an existing folder. bool true
group_iam Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. map(list(string)) {}
iam IAM bindings in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive_members IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. map(list(string)) {}
id Folder ID in case you use folder_create=false. string null
logging_exclusions Logging exclusions for this folder in the form {NAME -> FILTER}. map(string) {}
logging_sinks Logging sinks to create for the organization. map(object({…})) {}
name Folder name. string null
org_policies Organization policies applied to this folder keyed by policy name. map(object({…})) {}
org_policies_data_path Path containing org policies in YAML format. string null
parent Parent in folders/folder_id or organizations/org_id format. string null
tag_bindings Tag bindings for this folder, in key => tag value id format. map(string) null

Outputs

name description sensitive
firewall_policies Map of firewall policy resources created in this folder.
firewall_policy_id Map of firewall policy ids created in this folder.
folder Folder resource.
id Folder id.
name Folder name.
sink_writer_identities Writer identities created for each sink.