zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/organization
History
Ludovico Magnocavallo 357f6d5939 depend log sinks from IAM roles, fixes #371 2021-12-01 12:08:04 +01:00
..
README.md update test params after README fix 2021-10-14 20:15:31 +02:00
main.tf depend log sinks from IAM roles, fixes #371 2021-12-01 12:08:04 +01:00
outputs.tf Add more validations to linter 2021-10-08 18:26:04 +02:00
variables.tf Add more validations to linter 2021-10-08 18:26:04 +02:00
versions.tf Use the same versions file everywhere, pin to tf 1.0+ provider 4.0+ (#355) 2021-11-03 15:05:43 +01:00

README.md

Organization Module

This module allows managing several organization properties:

  • IAM bindings, both authoritative and additive
  • custom IAM roles
  • audit logging configuration for services
  • organization policies

Example

module "org" {
  source          = "./modules/organization"
  organization_id = "organizations/1234567890"
  group_iam       = {
    "cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
  }
  iam             = {
    "roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
  }
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation"   = true
  }
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      inherit_from_parent = null
      suggested_value     = null
      status              = true
      values              = ["projects/my-project"]
    }
  }
}
# tftest:modules=1:resources=6

IAM

There are several mutually exclusive ways of managing IAM in this module

  • non-authoritative via the iam_additive and iam_additive_members variables, where bindings created outside this module will coexist with those managed here
  • authoritative via the group_iam and iam variables, where bindings created outside this module (eg in the console) will be removed at each terraform apply cycle if the same role is also managed here
  • authoritative policy via the iam_bindings_authoritative variable, where any binding created outside this module (eg in the console) will be removed at each terraform apply cycle regardless of the role

Some care must be takend with the groups_iam variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.

Hierarchical firewall rules

module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id
  firewall_policies = {
    iap-policy = {
      allow-iap-ssh = {
        description = "Always allow ssh from IAP"
        direction   = "INGRESS"
        action      = "allow"
        priority    = 100
        ranges      = ["35.235.240.0/20"]
        ports = {
          tcp = ["22"]
        }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
    }
  }
  firewall_policy_attachments = {
    iap_policy = module.org.firewall_policy_id["iap-policy"]
  }
}
# tftest:modules=1:resources=3

Logging Sinks

module "gcs" {
  source        = "./modules/gcs"
  project_id    = var.project_id
  name          = "gcs_sink"
  force_destroy = true
}

module "dataset" {
  source     = "./modules/bigquery-dataset"
  project_id = var.project_id
  id         = "bq_sink"
}

module "pubsub" {
  source     = "./modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "bucket" {
  source      = "./modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
}

module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id

  logging_sinks = {
    warnings = {
      type             = "gcs"
      destination      = module.gcs.name
      filter           = "severity=WARNING"
      iam              = false
      include_children = true
      exclusions       = {}
    }
    info = {
      type             = "bigquery"
      destination      = module.dataset.id
      filter           = "severity=INFO"
      iam              = false
      include_children = true
      exclusions       = {}
    }
    notice = {
      type             = "pubsub"
      destination      = module.pubsub.id
      filter           = "severity=NOTICE"
      iam              = true
      include_children = true
      exclusions       = {}
    }
    debug = {
      type             = "logging"
      destination      = module.bucket.id
      filter           = "severity=DEBUG"
      iam              = true
      include_children = false
      exclusions = {
        no-compute = "logName:compute"
      }
    }
  }
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest:modules=5:resources=11

Custom Roles

module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id
  custom_roles = {
    "myRole" = [
      "compute.instances.list",
    ]
  }
  iam = {
    (module.org.custom_role_id.myRole) = ["user:me@example.com"]
  }
}
# tftest:modules=1:resources=2

Variables

name description type required default
organization_id Organization id in organizations/nnnnnn format. string
contacts List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES map(list(string)) {}
custom_roles Map of role name => list of permissions to create in this project. map(list(string)) {}
firewall_policies Hierarchical firewall policies to create in the organization. map(map(object({...}))) {}
firewall_policy_attachments List of hierarchical firewall policy IDs to attach to the organization map(string) {}
group_iam Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. map(list(string)) {}
iam IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive_members IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. map(list(string)) {}
iam_audit_config Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. map(map(list(string))) {}
iam_audit_config_authoritative IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. map(map(list(string))) null
iam_bindings_authoritative IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. map(list(string)) null
logging_exclusions Logging exclusions for this organization in the form {NAME -> FILTER}. map(string) {}
logging_sinks Logging sinks to create for this organization. map(object({...})) {}
policy_boolean Map of boolean org policies and enforcement value, set value to null for policy restore. map(bool) {}
policy_list Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. map(object({...})) {}

Outputs

name description sensitive
custom_role_id Map of custom role IDs created in the organization.
custom_roles Map of custom roles resources created in the organization.
firewall_policies Map of firewall policy resources created in the organization.
firewall_policy_id Map of firewall policy ids created in the organization.
organization_id Organization id dependent on module resources.
sink_writer_identities Writer identities created for each sink.