feat(dev): add `zfnd` organization rules and `zfnd-dev-zebra` project
This commit is contained in:
parent
d245088fa1
commit
e43743e33a
|
@ -62,7 +62,7 @@ module "branch-sandbox-sa" {
|
|||
}
|
||||
|
||||
resource "google_organization_iam_member" "org_policy_admin_sandbox" {
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
count = var.fast_features.sandbox ? 1 : 0
|
||||
org_id = var.organization.id
|
||||
role = "roles/orgpolicy.policyAdmin"
|
||||
member = module.branch-sandbox-sa.0.iam_email
|
||||
|
|
|
@ -4,11 +4,11 @@
|
|||
|
||||
compute.disableGuestAttributesAccess:
|
||||
rules:
|
||||
- enforce: true
|
||||
- enforce: false
|
||||
|
||||
compute.requireOsLogin:
|
||||
rules:
|
||||
- enforce: true
|
||||
- enforce: false
|
||||
|
||||
compute.restrictLoadBalancerCreationForTypes:
|
||||
rules:
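Review bot: Reading the pairs as old-then-new, `compute.disableGuestAttributesAccess` and `compute.requireOsLogin` go from `enforce: true` to `enforce: false` here, which relaxes both constraints for every project under the organization, while the new `zfnd-dev-zebra` project file in this same commit already overrides both to `enforce: false` in its own `org_policies` block. The org-level default should stay `enforce: true` and the relaxation live only in the project override, which is exactly what the project-level `org_policies` mechanism exists for. The same pattern appears in the `compute.vmExternalIpAccess` hunk below (deny → `allow: all: true`) and in the `iam.allowServiceAccountCredentialLifetimeExtension` hunk of the IAM policy file, both of which are likewise already overridden in the project file. If the org-level change was made because the project override did not take effect, a one-line comment next to each relaxed constraint explaining that would save the next reader from reverting it.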
|
||||
|
@ -22,10 +22,9 @@ compute.skipDefaultNetworkCreation:
|
|||
|
||||
compute.vmExternalIpAccess:
|
||||
rules:
|
||||
- deny:
|
||||
- allow:
|
||||
all: true
|
||||
|
||||
|
||||
# compute.disableInternetNetworkEndpointGroup:
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
|
|
@ -13,3 +13,8 @@ iam.disableServiceAccountKeyCreation:
|
|||
iam.disableServiceAccountKeyUpload:
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
iam.allowServiceAccountCredentialLifetimeExtension:
|
||||
rules:
|
||||
- allow:
|
||||
all: true
|
|
@ -15,3 +15,39 @@ ingress:
|
|||
rules:
|
||||
- protocol: tcp
|
||||
ports: [12345, 12346]
|
||||
ingress-allow-ssh:
|
||||
description: "Allow ssh connections to all instances"
|
||||
# TODO: just allow ssh to specific instances
|
||||
# targets:
|
||||
# - composer-worker
|
||||
rules:
|
||||
- protocol: tcp
|
||||
ports: [22]
|
||||
|
||||
ingress-allow-zebrad-ports:
|
||||
description: "Allow traffic to Zebra nodes."
|
||||
# TODO: just allow zebra to CD instances, not CI instances
|
||||
# targets:
|
||||
# - release
|
||||
# - cd
|
||||
rules:
|
||||
- protocol: tcp
|
||||
ports: [8233, 18233]
|
||||
|
||||
allow-all-ssh: # descriptive name, naming convention is adjusted by the module
|
||||
allow: # `allow` or `deny`
|
||||
- ports: ['22'] # ports for a specific protocol, keep empty list `[]` for all ports
|
||||
protocol: tcp # protocol, put `all` for any protocol
|
||||
direction: INGRESS # EGRESS or INGRESS
|
||||
disabled: true # `false` or `true`, FW rule is disabled when `true`, default value is `false`
|
||||
source_ranges: # list of source ranges, should be specified only for `INGRESS` rule
|
||||
- 0.0.0.0/0
|
||||
|
||||
allow-zebrad-ports: # descriptive name, naming convention is adjusted by the module
|
||||
allow: # `allow` or `deny`
|
||||
- ports: ['8233', '18233']
|
||||
protocol: tcp # protocol, put `all` for any protocol
|
||||
direction: INGRESS # EGRESS or INGRESS
|
||||
disabled: false
|
||||
source_ranges: # list of source ranges, should be specified only for `INGRESS` rule
|
||||
- 0.0.0.0/0
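Review bot: `allow-zebrad-ports` admits `0.0.0.0/0` to tcp 8233/18233 with no `targets`, so per the TODO comments it reaches CI and CD instances alike, and `ingress-allow-ssh` opens port 22 to all instances with no source restriction visible in the hunk. Each rule now also appears twice in two different layouts (`ingress-allow-ssh` vs `allow-all-ssh`, `ingress-allow-zebrad-ports` vs `allow-zebrad-ports`); presumably the factory consumes only one of the two layouts, so the other pair is dead config and should be dropped once that is confirmed, otherwise the `disabled: true` on `allow-all-ssh` gives a false sense that SSH is closed. For SSH, scoping the source to the IAP TCP-forwarding range `35.235.240.0/20` fits the `iap.googleapis.com` service the project enables, and the zebrad rule should carry the `targets` the TODO describes so it only lands on the peer-facing nodes.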
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
# skip boilerplate check
|
||||
|
||||
region: europe-west1
|
||||
description: Default subnet for dev Data Platform
|
||||
ip_cidr_range: 10.128.48.0/24
|
||||
secondary_ip_ranges:
|
||||
pods: 100.128.48.0/20
|
||||
services: 100.255.48.0/24
|
|
@ -1,5 +1,5 @@
|
|||
# skip boilerplate check
|
||||
|
||||
region: europe-west1
|
||||
region: us-east1
|
||||
ip_cidr_range: 10.128.32.0/24
|
||||
description: Default subnet for dev
|
|
@ -1,5 +1,5 @@
|
|||
# skip boilerplate check
|
||||
|
||||
region: europe-west1
|
||||
region: us-east1
|
||||
ip_cidr_range: 10.128.64.0/24
|
||||
description: Default subnet for prod
|
|
@ -1,24 +1,23 @@
|
|||
# skip boilerplate check
|
||||
|
||||
billing_account_id: 012345-67890A-BCDEF0
|
||||
billing_account_id: 01EBC4-8CD936-3108EA
|
||||
|
||||
# [opt] Setup for billing alerts
|
||||
billing_alert:
|
||||
amount: 1000
|
||||
thresholds:
|
||||
current: [0.5, 0.8]
|
||||
forecasted: [0.5, 0.8]
|
||||
forecasted: [1.2, 1.5]
|
||||
credit_treatment: INCLUDE_ALL_CREDITS
|
||||
|
||||
# [opt] Contacts for billing alerts and important notifications
|
||||
essential_contacts: ["team-contacts@example.com"]
|
||||
essential_contacts: ["admin@zfnd.org"]
|
||||
|
||||
# [opt] Labels set for all projects
|
||||
labels:
|
||||
environment: dev
|
||||
department: accounting
|
||||
application: example-app
|
||||
foo: bar
|
||||
department: engineering
|
||||
|
||||
|
||||
# [opt] Additional notification channels for billing
|
||||
notification_channels: []
|
||||
|
|
|
@ -0,0 +1,133 @@
|
|||
# skip boilerplate check
|
||||
|
||||
# [opt] Billing alerts config - overrides default if set
|
||||
billing_alert:
|
||||
amount: 5000
|
||||
thresholds:
|
||||
current:
|
||||
- 0.8
|
||||
- 1.0
|
||||
forecasted: []
|
||||
credit_treatment: INCLUDE_ALL_CREDITS
|
||||
|
||||
# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
|
||||
dns_zones: []
|
||||
|
||||
# [opt] Contacts for billing alerts and important notifications
|
||||
essential_contacts:
|
||||
- devops@zfnd.org
|
||||
|
||||
# Folder the project will be created as children of
|
||||
folder_id: folders/319341746722
|
||||
|
||||
# [opt] Authoritative IAM bindings in group => [roles] format
|
||||
group_iam:
|
||||
engineers@zfnd.org:
|
||||
- roles/editor
|
||||
|
||||
# [opt] Authoritative IAM bindings in role => [principals] format
|
||||
# Generally used to grant roles to service accounts external to the project
|
||||
iam:
|
||||
roles/iam.workloadIdentityUser:
|
||||
- principalSet://iam.googleapis.com/projects/771011584009/locations/global/workloadIdentityPools/zfnd-bootstrap/*
|
||||
roles/editor:
|
||||
- serviceAccount:1059680692020@cloudservices.gserviceaccount.com
|
||||
|
||||
# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
|
||||
# in service => [keys] format
|
||||
# kms_service_agents:
|
||||
# compute: [key1, key2]
|
||||
# storage: [key1, key2]
|
||||
|
||||
# [opt] Labels for the project - merged with the ones defined in defaults
|
||||
labels:
|
||||
environment: dev
|
||||
application: zebra
|
||||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
compute.disableGuestAttributesAccess:
|
||||
rules:
|
||||
- enforce: false
|
||||
compute.trustedImageProjects:
|
||||
rules:
|
||||
- allow:
|
||||
all: true
|
||||
# values:
|
||||
# - projects/zfnd-prod-iac-core-0
|
||||
# - projects/zebra-zealous
|
||||
# - projects/cos-cloud
|
||||
# - projects/dataflow-service-producer-prod
|
||||
# - projects/serverless-vpc-access-images
|
||||
# - projects/windows-cloud
|
||||
compute.vmExternalIpAccess:
|
||||
rules:
|
||||
- allow:
|
||||
all: true
|
||||
compute.requireOsLogin:
|
||||
rules:
|
||||
- enforce: false
|
||||
iam.allowServiceAccountCredentialLifetimeExtension:
|
||||
rules:
|
||||
- allow:
|
||||
all: true
|
||||
iam.allowedPolicyMemberDomains:
|
||||
rules:
|
||||
- allow:
|
||||
all: true
|
||||
|
||||
# [opt] Service account to create for the project and their roles on the project
|
||||
# in name => [roles] format
|
||||
service_accounts:
|
||||
instance-deployer:
|
||||
- roles/compute.instanceAdmin
|
||||
- roles/compute.storageAdmin
|
||||
- roles/compute.loadBalancerAdmin
|
||||
- roles/errorreporting.user
|
||||
- roles/logging.logWriter
|
||||
- roles/monitoring.metricWriter
|
||||
- roles/artifactregistry.reader
|
||||
- roles/iam.serviceAccountUser
|
||||
- roles/iam.workloadIdentityUser
|
||||
artifact-publisher:
|
||||
- roles/artifactregistry.writer
|
||||
- roles/iam.workloadIdentityUser
|
||||
|
||||
# [opt] APIs to enable on the project.
|
||||
services:
|
||||
- artifactregistry.googleapis.com
|
||||
- compute.googleapis.com
|
||||
- clouddebugger.googleapis.com
|
||||
- clouderrorreporting.googleapis.com
|
||||
- cloudresourcemanager.googleapis.com
|
||||
- containeranalysis.googleapis.com
|
||||
- logging.googleapis.com
|
||||
- monitoring.googleapis.com
|
||||
- osconfig.googleapis.com
|
||||
- networkmanagement.googleapis.com
|
||||
- stackdriver.googleapis.com
|
||||
- storage.googleapis.com
|
||||
- iap.googleapis.com
|
||||
|
||||
# [opt] Roles to assign to the service identities in service => [roles] format
|
||||
service_identities_iam:
|
||||
compute:
|
||||
- roles/storage.objectViewer
|
||||
|
||||
# [opt] VPC setup.
|
||||
# If set enables the `compute.googleapis.com` service and configures
|
||||
# service project attachment
|
||||
|
||||
vpc:
|
||||
# [opt] If set, enables the container API
|
||||
gke_setup: null
|
||||
|
||||
# Host project the project will be service project of
|
||||
host_project: zfnd-dev-net-spoke-0
|
||||
|
||||
# [opt] Subnets in the host project where principals will be granted networkUser
|
||||
# in region/subnet-name => [principals]
|
||||
subnets_iam:
|
||||
us-east1/dev-default-ue1:
|
||||
- user:gustavo@zfnd.org
|
||||
- serviceAccount:instance-deployer@zfnd-dev-zebra.iam.gserviceaccount.com
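Review bot: The `roles/iam.workloadIdentityUser` binding under `iam:` is project-wide and its principal is `principalSet://.../workloadIdentityPools/zfnd-bootstrap/*`, so every identity the `zfnd-bootstrap` pool accepts can impersonate every service account in the project, including `instance-deployer`, which itself holds `roles/compute.instanceAdmin` and `roles/iam.serviceAccountUser`. Binding `workloadIdentityUser` on the individual service accounts that need it rather than on the project, and narrowing the principalSet with an attribute-scoped path instead of `*`, would limit that blast radius. `roles/iam.workloadIdentityUser` also appears in the `service_accounts:` role lists, which in this format presumably grants it to those accounts on the project rather than to the pool on the account — worth confirming that is the intended direction. `iam.allowedPolicyMemberDomains` is set to `allow: all`, which drops the domain restriction for this project, and `engineers@zfnd.org` receives the primitive `roles/editor`; if both are deliberate for a dev project, a one-line comment next to each saying so would help the next reviewer.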
|
|
@ -55,4 +55,87 @@ module "projects" {
|
|||
vpc = try(each.value.vpc, null)
|
||||
}
|
||||
|
||||
module "zebra_caching_artifact_registry" {
|
||||
source = "../../../../modules/artifact-registry"
|
||||
project_id = "zfnd-dev-zebra"
|
||||
location = "us"
|
||||
format = "DOCKER"
|
||||
id = "zebra"
|
||||
description = "Docker repository storing the Zebra application for testing purposes"
|
||||
iam = {
|
||||
"roles/artifactregistry.reader" = ["allUsers"]
|
||||
}
|
||||
}
|
||||
|
||||
module "zebra_artifact_registry" {
|
||||
source = "../../../../modules/artifact-registry"
|
||||
project_id = "zfnd-dev-zebra"
|
||||
location = "us"
|
||||
format = "DOCKER"
|
||||
id = "zebra-caching"
|
||||
description = "Docker repository storing Zebra's build layers for caching"
|
||||
iam = {
|
||||
"roles/artifactregistry.reader" = ["allUsers"]
|
||||
}
|
||||
}
|
||||
|
||||
module "lwd_caching_artifact_registry" {
|
||||
source = "../../../../modules/artifact-registry"
|
||||
project_id = "zfnd-dev-zebra"
|
||||
location = "us"
|
||||
format = "DOCKER"
|
||||
id = "lightwalletd"
|
||||
description = "Docker repository storing the Zebra application for testing purposes"
|
||||
iam = {
|
||||
"roles/artifactregistry.reader" = ["allUsers"]
|
||||
}
|
||||
}
|
||||
|
||||
module "lwd_artifact_registry" {
|
||||
source = "../../../../modules/artifact-registry"
|
||||
project_id = "zfnd-dev-zebra"
|
||||
location = "us"
|
||||
format = "DOCKER"
|
||||
id = "lightwalletd-caching"
|
||||
description = "Docker repository storing Zebra's build layers for caching"
|
||||
iam = {
|
||||
"roles/artifactregistry.reader" = ["allUsers"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_health_check" "http-health-check" {
|
||||
name = "zebrad-tracing-filter"
|
||||
description = "Health check via http"
|
||||
project = "zfnd-dev-zebra"
|
||||
|
||||
timeout_sec = 10
|
||||
check_interval_sec = 30
|
||||
healthy_threshold = 2
|
||||
unhealthy_threshold = 3
|
||||
|
||||
http_health_check {
|
||||
port = "3000"
|
||||
port_specification = "USE_FIXED_PORT"
|
||||
request_path = "/filter"
|
||||
proxy_header = "NONE"
|
||||
# TODO: we should validate a specific response, not ANY response
|
||||
# response = "I AM HEALTHY"
|
||||
}
|
||||
}
|
||||
|
||||
module "runner-mig-dind" {
|
||||
source = "github.com/terraform-google-modules/terraform-google-github-actions-runners?ref=v3.1.1//modules/gh-runner-mig-container-vm"
|
||||
create_network = true
|
||||
subnetwork_project = var.subnetwork_project
|
||||
subnet_name = var.subnet_name
|
||||
subnet_ip = var.subnet_ip
|
||||
service_account = null
|
||||
project_id = var.project_id
|
||||
image = var.image
|
||||
repo_name = var.repo_name
|
||||
repo_url = var.repo_url
|
||||
repo_owner = var.repo_owner
|
||||
gh_token = var.gh_token
|
||||
region = var.region
|
||||
dind = true
|
||||
}
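Review bot: The four artifact-registry module labels and their `id`s are crossed: `zebra_caching_artifact_registry` creates `id = "zebra"` with the application description while `zebra_artifact_registry` creates `id = "zebra-caching"` with the build-layer description, and the `lwd_*` pair is swapped the same way, with `lwd_caching_artifact_registry` also carrying the copy-pasted "Zebra application" description. Renaming the module blocks so the label matches what is created is cleanest now, since these blocks are new in this commit; doing it after an apply would need `moved` blocks or state surgery. All four repositories grant `roles/artifactregistry.reader` to `allUsers`, which makes the test and cache images public; if that is intended for the Zebra images a comment saying so would help, and the caching repositories in particular may not need it. In `runner-mig-dind`, `service_account = null` is passed even though a `service_account` variable is declared in this commit; passing `var.service_account` keeps the two consistent, and whatever the module falls back to for `null` (presumably the default compute service account) should be checked against what the runner actually needs.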
|
||||
|
|
|
@ -18,3 +18,15 @@ output "projects" {
|
|||
description = "Created projects and service accounts."
|
||||
value = module.projects
|
||||
}
|
||||
|
||||
# self-hosted runners outputs
|
||||
|
||||
output "mig_instance_group" {
|
||||
description = "The instance group url of the created MIG"
|
||||
value = module.runner-mig-dind.mig_instance_group
|
||||
}
|
||||
|
||||
output "mig_name" {
|
||||
description = "The name of the MIG"
|
||||
value = module.runner-mig-dind.mig_name
|
||||
}
|
||||
|
|
|
@ -76,3 +76,67 @@ variable "vpc_self_links" {
|
|||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
# self-hosted runners variables
|
||||
|
||||
variable "project_id" {
|
||||
type = string
|
||||
description = "The project id to deploy Github Runner MIG"
|
||||
}
|
||||
|
||||
variable "image" {
|
||||
type = string
|
||||
description = "The github runner image"
|
||||
}
|
||||
|
||||
variable "repo_url" {
|
||||
type = string
|
||||
description = "Repo URL for the Github Action"
|
||||
}
|
||||
|
||||
|
||||
variable "repo_name" {
|
||||
type = string
|
||||
description = "Name of the repo for the Github Action"
|
||||
}
|
||||
|
||||
|
||||
variable "repo_owner" {
|
||||
type = string
|
||||
description = "Owner of the repo for the Github Action"
|
||||
}
|
||||
|
||||
variable "gh_token" {
|
||||
type = string
|
||||
description = "Github token that is used for generating Self Hosted Runner Token"
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
type = string
|
||||
description = "The GCP region to deploy instances into"
|
||||
default = "us-east1"
|
||||
}
|
||||
|
||||
variable "subnetwork_project" {
|
||||
type = string
|
||||
description = "The ID of the project in which the subnetwork belongs. If it is not provided, the project_id is used."
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "subnet_name" {
|
||||
type = string
|
||||
description = "Name for the subnet"
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "subnet_ip" {
|
||||
type = string
|
||||
description = "IP range for the subnet"
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "service_account" {
|
||||
description = "Service account email address"
|
||||
type = string
|
||||
default = ""
|
||||
}
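Review bot: `variable "gh_token"` holds a GitHub token used to mint runner registration tokens but is not marked `sensitive = true`, so its value is printed in `terraform plan`/`apply` diffs and in any output that references it; add `sensitive = true` to that block. The `service_account` variable declared here is unused by the `runner-mig-dind` module call in this commit, which passes `service_account = null` instead of `var.service_account`, so one of the two should change. Its default of `""` also differs from the `null` the call passes; confirm which value the module treats as "use the default" before wiring it through.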
|