zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/organization
History
Ludovico Magnocavallo f8413cc98e
Add support for group-based IAM to resource management modules (#229) 
* group_iam support for organization

* group_iam support for folder

* fix typo in variable description

* add group_iam to project module

* update project module README
 		2021-04-11 14:48:16 +02:00
..
README.md Add support for group-based IAM to resource management modules (#229) 2021-04-11 14:48:16 +02:00
main.tf Add support for group-based IAM to resource management modules (#229) 2021-04-11 14:48:16 +02:00
outputs.tf Fix IAM bindings for logging sinks 2021-03-31 09:59:28 +02:00
variables.tf Add support for group-based IAM to resource management modules (#229) 2021-04-11 14:48:16 +02:00
versions.tf fix modules version constraints (#206) 2021-03-05 08:41:59 +01:00

README.md

Organization Module

This module allows managing several organization properties:

  • IAM bindings, both authoritative and additive
  • custom IAM roles
  • audit logging configuration for services
  • organization policies

Example

module "org" {
  source          = "./modules/organization"
  organization_id = "organizations/1234567890"
  group_iam       = {
    "cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
  }
  iam             = {
    "roles/projectCreator" = ["group:cloud-admins@example.org"]
  }
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation"   = true
  }
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      inherit_from_parent = null
      suggested_value     = null
      status              = true
      values              = ["projects/my-project"]
    }
  }
}
# tftest:modules=1:resources=5

IAM

There are several mutually exclusive ways of managing IAM in this module

  • non-authoritative via the iam_additive and iam_additive_members variables, where bindings created outside this module will coexist with those managed here
  • authoritative via the group_iam and iam variables, where bindings created outside this module (eg in the console) will be removed at each terraform apply cycle if the same role is also managed here
  • authoritative policy via the iam_bindings_authoritative variable, where any binding created outside this module (eg in the console) will be removed at each terraform apply cycle regardless of the role

Some care must be takend with the groups_iam variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.

Hierarchical firewall rules

module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id
  firewall_policies = {
    iap-policy = {
      allow-iap-ssh = {
        description = "Always allow ssh from IAP"
        direction   = "INGRESS"
        action      = "allow"
        priority    = 100
        ranges      = ["35.235.240.0/20"]
        ports = {
          tcp = ["22"]
        }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
    }
  }
  firewall_policy_attachments = {
    iap_policy = module.org.firewall_policy_id["iap-policy"]
  }
}
# tftest:modules=1:resources=3

Logging Sinks

module "gcs" {
  source        = "./modules/gcs"
  project_id    = var.project_id
  name          = "gcs_sink"
  force_destroy = true
}

module "dataset" {
  source     = "./modules/bigquery-dataset"
  project_id = var.project_id
  id         = "bq_sink"
}

module "pubsub" {
  source     = "./modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "bucket" {
  source      = "./modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
}

module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id

  logging_sinks = {
    warnings = {
      type             = "gcs"
      destination      = module.gcs.name
      filter           = "severity=WARNING"
      iam              = false
      include_children = true
      exclusions       = {}
    }
    info = {
      type             = "bigquery"
      destination      = module.dataset.id
      filter           = "severity=INFO"
      iam              = false
      include_children = true
      exclusions       = {}
    }
    notice = {
      type             = "pubsub"
      destination      = module.pubsub.id
      filter           = "severity=NOTICE"
      iam              = true
      include_children = true
      exclusions       = {}
    }
    debug = {
      type             = "logging"
      destination      = module.bucket.id
      filter           = "severity=DEBUG"
      iam              = true
      include_children = false
      exclusions = {
        no-compute = "logName:compute"
      }
    }
  }
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest:modules=5:resources=11

Variables

name description type required default
organization_id Organization id in organizations/nnnnnn format. string
contacts List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES map(list(string)) {}
custom_roles Map of role name => list of permissions to create in this project. map(list(string)) {}
firewall_policies Hierarchical firewall policies to create in the organization. map(map(object({...}))) {}
firewall_policy_attachments List of hierarchical firewall policy IDs to attach to the organization map(string) {}
group_iam Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. map(list(string)) {}
iam IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive_members IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. map(list(string)) {}
iam_audit_config Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. map(map(list(string))) {}
iam_audit_config_authoritative IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. map(map(list(string))) null
iam_bindings_authoritative IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. map(list(string)) null
logging_exclusions Logging exclusions for this organization in the form {NAME -> FILTER}. map(string) {}
logging_sinks Logging sinks to create for this organization. map(object({...})) {}
policy_boolean Map of boolean org policies and enforcement value, set value to null for policy restore. map(bool) {}
policy_list Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. map(object({...})) {}

Outputs

name description sensitive
firewall_policies Map of firewall policy resources created in the organization.
firewall_policy_id Map of firewall policy ids created in the organization.
organization_id Organization id dependent on module resources.
sink_writer_identities Writer identities created for each sink.