231 lines
8.0 KiB
HCL
231 lines
8.0 KiB
HCL
/**
|
|
* Copyright 2023 Google LLC
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
locals {
|
|
_group_iam = {
|
|
for r in local._group_iam_bindings : r => [
|
|
for k, v in var.group_iam :
|
|
"group:${k}" if try(index(v, r), null) != null
|
|
]
|
|
}
|
|
_group_iam_additive = {
|
|
for r in local._group_iam_additive_bindings : r => [
|
|
for k, v in var.group_iam_additive :
|
|
"group:${k}" if try(index(v, r), null) != null
|
|
]
|
|
}
|
|
_group_iam_bindings = distinct(flatten(values(var.group_iam)))
|
|
_group_iam_additive_bindings = distinct(flatten(values(var.group_iam_additive)))
|
|
|
|
_service_accounts_iam = {
|
|
for r in local._service_accounts_iam_bindings : r => [
|
|
for k, v in var.service_accounts :
|
|
module.service-accounts[k].iam_email
|
|
if try(index(v, r), null) != null
|
|
]
|
|
}
|
|
_service_accounts_iam_bindings = distinct(flatten(
|
|
values(var.service_accounts)
|
|
))
|
|
_service_accounts_iam_additive = {
|
|
for r in local._service_accounts_iam_additive_bindings : r => [
|
|
for k, v in var.service_accounts_additive :
|
|
module.service-accounts[k].iam_email
|
|
if try(index(v, r), null) != null
|
|
]
|
|
}
|
|
_service_accounts_iam_additive_bindings = distinct(flatten(
|
|
values(var.service_accounts_additive)
|
|
))
|
|
_services = concat([
|
|
"billingbudgets.googleapis.com",
|
|
"essentialcontacts.googleapis.com",
|
|
"orgpolicy.googleapis.com",
|
|
],
|
|
length(var.dns_zones) > 0 ? ["dns.googleapis.com"] : [],
|
|
try(var.vpc.gke_setup, null) != null ? ["container.googleapis.com"] : [],
|
|
var.vpc != null ? ["compute.googleapis.com"] : [],
|
|
)
|
|
_service_identities_roles = distinct(flatten(values(var.service_identities_iam)))
|
|
_service_identities_iam = {
|
|
for role in local._service_identities_roles : role => [
|
|
for service, roles in var.service_identities_iam :
|
|
"serviceAccount:${module.project.service_accounts.robots[service]}"
|
|
if contains(roles, role)
|
|
]
|
|
}
|
|
_service_identities_roles_additive = distinct(flatten(values(var.service_identities_iam_additive)))
|
|
_service_identities_iam_additive = {
|
|
for role in local._service_identities_roles_additive : role => [
|
|
for service, roles in var.service_identities_iam_additive :
|
|
"serviceAccount:${module.project.service_accounts.robots[service]}"
|
|
if contains(roles, role)
|
|
]
|
|
}
|
|
_vpc_subnet_bindings = (
|
|
local.vpc.subnets_iam == null || local.vpc.host_project == null
|
|
? []
|
|
: flatten([
|
|
for subnet, members in local.vpc.subnets_iam : [
|
|
for member in members : {
|
|
region = split("/", subnet)[0]
|
|
subnet = split("/", subnet)[1]
|
|
member = member
|
|
}
|
|
]
|
|
])
|
|
)
|
|
billing_account_id = coalesce(
|
|
var.billing_account_id, try(var.defaults.billing_account_id, "")
|
|
)
|
|
billing_alert = (
|
|
var.billing_alert == null
|
|
? try(var.defaults.billing_alert, null)
|
|
: var.billing_alert
|
|
)
|
|
essential_contacts = concat(
|
|
try(var.defaults.essential_contacts, []), var.essential_contacts
|
|
)
|
|
iam = {
|
|
for role in distinct(concat(
|
|
keys(var.iam),
|
|
keys(local._group_iam),
|
|
keys(local._service_accounts_iam),
|
|
keys(local._service_identities_iam),
|
|
)) :
|
|
role => concat(
|
|
try(var.iam[role], []),
|
|
try(local._group_iam[role], []),
|
|
try(local._service_accounts_iam[role], []),
|
|
try(local._service_identities_iam[role], []),
|
|
)
|
|
}
|
|
iam_additive = {
|
|
for role in distinct(concat(
|
|
keys(var.iam_additive),
|
|
keys(local._group_iam_additive),
|
|
keys(local._service_accounts_iam_additive),
|
|
keys(local._service_identities_iam_additive),
|
|
)) :
|
|
role => concat(
|
|
try(var.iam_additive[role], []),
|
|
try(local._group_iam_additive[role], []),
|
|
try(local._service_accounts_iam_additive[role], []),
|
|
try(local._service_identities_iam_additive[role], []),
|
|
)
|
|
}
|
|
labels = merge(
|
|
coalesce(var.labels, {}), coalesce(try(var.defaults.labels, {}), {})
|
|
)
|
|
services = distinct(concat(var.services, local._services))
|
|
vpc = coalesce(var.vpc, {
|
|
host_project = null, gke_setup = null, subnets_iam = null
|
|
})
|
|
vpc_cloudservices = (
|
|
local.vpc_gke_service_agent ||
|
|
contains(var.services, "compute.googleapis.com")
|
|
)
|
|
vpc_gke_security_admin = coalesce(
|
|
try(local.vpc.gke_setup.enable_security_admin, null), false
|
|
)
|
|
vpc_gke_service_agent = coalesce(
|
|
try(local.vpc.gke_setup.enable_host_service_agent, null), false
|
|
)
|
|
vpc_subnet_bindings = {
|
|
for binding in local._vpc_subnet_bindings :
|
|
"${binding.subnet}:${binding.member}" => binding
|
|
}
|
|
}
|
|
|
|
module "billing-alert" {
|
|
for_each = local.billing_alert == null ? {} : { 1 = 1 }
|
|
source = "../../../modules/billing-budget"
|
|
billing_account = local.billing_account_id
|
|
name = "${module.project.project_id} budget"
|
|
amount = local.billing_alert.amount
|
|
thresholds = local.billing_alert.thresholds
|
|
credit_treatment = local.billing_alert.credit_treatment
|
|
notification_channels = var.defaults.notification_channels
|
|
projects = ["projects/${module.project.number}"]
|
|
email_recipients = {
|
|
project_id = module.project.project_id
|
|
emails = local.essential_contacts
|
|
}
|
|
}
|
|
|
|
module "dns" {
|
|
source = "../../../modules/dns"
|
|
for_each = toset(var.dns_zones)
|
|
project_id = coalesce(local.vpc.host_project, module.project.project_id)
|
|
type = "private"
|
|
name = each.value
|
|
domain = "${each.value}.${var.defaults.environment_dns_zone}"
|
|
client_networks = [var.defaults.shared_vpc_self_link]
|
|
}
|
|
|
|
module "project" {
|
|
source = "../../../modules/project"
|
|
billing_account = local.billing_account_id
|
|
name = var.project_id
|
|
descriptive_name = var.descriptive_name
|
|
prefix = var.prefix
|
|
contacts = { for c in local.essential_contacts : c => ["ALL"] }
|
|
iam = local.iam
|
|
iam_additive = local.iam_additive
|
|
labels = local.labels
|
|
org_policies = try(var.org_policies, {})
|
|
parent = var.folder_id
|
|
service_encryption_key_ids = var.kms_service_agents
|
|
services = local.services
|
|
shared_vpc_service_config = var.vpc == null ? null : {
|
|
host_project = local.vpc.host_project
|
|
# these are non-authoritative
|
|
service_identity_iam = {
|
|
"roles/compute.networkUser" = compact([
|
|
local.vpc_gke_service_agent ? "container-engine" : null,
|
|
local.vpc_cloudservices ? "cloudservices" : null
|
|
])
|
|
"roles/compute.securityAdmin" = compact([
|
|
local.vpc_gke_security_admin ? "container-engine" : null,
|
|
])
|
|
"roles/container.hostServiceAgentUser" = compact([
|
|
local.vpc_gke_service_agent ? "container-engine" : null
|
|
])
|
|
}
|
|
}
|
|
}
|
|
|
|
module "service-accounts" {
|
|
source = "../../../modules/iam-service-account"
|
|
for_each = var.service_accounts
|
|
name = each.key
|
|
project_id = module.project.project_id
|
|
iam = lookup(var.service_accounts_iam, each.key, null)
|
|
}
|
|
|
|
resource "google_compute_subnetwork_iam_member" "default" {
|
|
for_each = local.vpc_subnet_bindings
|
|
project = local.vpc.host_project
|
|
subnetwork = "projects/${local.vpc.host_project}/regions/${each.value.region}/subnetworks/${each.value.subnet}"
|
|
region = each.value.region
|
|
role = "roles/compute.networkUser"
|
|
member = (
|
|
lookup(var.service_accounts, each.value.member, null) != null
|
|
? module.service-accounts[each.value.member].iam_email
|
|
: each.value.member
|
|
)
|
|
}
|