locals {
    # Local-part of the customer's MCommunity group email, lower-cased with "."
    # replaced by "-". It is reused below as the folder display name, the base
    # of the service account id and bucket name, and the billing subaccount
    # display name.
    # NOTE(review): other characters legal in an email local-part (e.g. "_", "+")
    # are not normalised here and would not be valid in a service account id or
    # bucket name — confirm what MCommunity group names can contain.
    short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))

    # Service account id = truncated group name + "-<division>-tf", with the
    # prefix cut so the whole id stays within 30 characters (the GCP service
    # account id limit). substr tolerates a length longer than the string.
    customer_service_account_suffix = "-${var.division}-tf"
    customer_service_account_prefix = substr(local.short_mcomm,0,30-length(local.customer_service_account_suffix))
    customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
    # Parent folder for the customer folder, keyed by environment then division.
    # "dev" has no entries, so a plan with var.environment = "dev" fails on the
    # lookup in google_folder.customer_folder.
    division_folder_ids = {
        dev = {
            //its = ""
        }
        test = {
            its               = "folders/100600555387"
            campus            = "folders/549439339393"
            michigan_medicine = "folders/783942636538"
            hipaa             = "folders/607376512236"
        }
        prod = {
            its               = "folders/666809107084"
            campus            = "folders/1013928641872"            
            michigan_medicine = "folders/332243639992"
            hipaa             = "folders/293380204207"
        }
    }
    # Master billing account the customer subaccount is created under.
    # test and prod currently resolve to the same account, so test customers
    # bill against production.
    master_billing_account_id = {
        //dev  = ""
        test = "01D8BC-7D5855-0BC393"
        prod = "01D8BC-7D5855-0BC393"
    }
    # Cloud Function that registers the customer (see null_resource.customer_database
    # and module.audit). test and prod currently share one endpoint, so test
    # applies write to the production customer database.
    database_function_url = {
        //dev = ""
        test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB; this is the prod endpoint
        prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
    }        
}

module "audit" {
    count                   = var.division == "hipaa" ? 1: 0
    source                  = "./modules/terraform-google-gcp-at-um-customer-audit/"
    division                = var.division
40
    billing_id              = google_billing_subaccount.customer_subaccount.billing_account_id
Kenny Moore's avatar
Kenny Moore committed
41
42
43
44
45
    folder_id               = google_folder.customer_folder.id
    mcomm_group_email       = var.mcomm_group_email
    database_function_url   = local.database_function_url[var.environment]
    shortcode               = var.shortcode
    environment             = var.environment     
Adam Robinson's avatar
Adam Robinson committed
46
47
}

resource "google_folder" "customer_folder" {
49
    display_name = var.folder_display_name == "" ? local.short_mcomm : var.folder_display_name
Adam Robinson's avatar
Adam Robinson committed
50
    parent = local.division_folder_ids[var.environment][var.division]
Adam Robinson's avatar
Adam Robinson committed
51
52
53
54
55
56
57
58
59
60
61
}

data "google_iam_policy" "customer_folder_policy" {
    binding {
        role = "roles/browser"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }

    binding {
62
        role = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
Adam Robinson's avatar
Adam Robinson committed
63
64
65
66
67
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }

68
69
    dynamic "binding" {
        for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
Kenny Moore's avatar
Kenny Moore committed
70
71
72
73
74
75
        content {
            role = binding
            members = [
                "group:${var.mcomm_group_email}",
            ]
        }
76
77
    }

Adam Robinson's avatar
Adam Robinson committed
78
79
80
    binding {
        role = "roles/resourcemanager.projectCreator"
        members = [
Adam Robinson's avatar
Adam Robinson committed
81
82
83
84
            "serviceAccount:${google_service_account.customer_service_account.email}",
        ]
    }

85
    binding {
Adam Robinson's avatar
Adam Robinson committed
86
87
88
        role = "roles/resourcemanager.folderEditor"
        members = [
            "serviceAccount:${var.provisioning_service_account_email}",
Adam Robinson's avatar
Adam Robinson committed
89
90
91
92
93
        ]
    }
}

resource "google_folder_iam_policy" "customer_folder_policy" {
Adam Robinson's avatar
Adam Robinson committed
94
  folder      = google_folder.customer_folder.name
Adam Robinson's avatar
Adam Robinson committed
95
96
97
98
99
100
101
102
103
104
105
106
107
  policy_data = data.google_iam_policy.customer_folder_policy.policy_data
}

resource "random_id" "customer_bucket_id" {
    byte_length = 2
}

resource "google_storage_bucket" "customer_bucket" {
    project = var.customer_bucket_project_id
    name = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
    location = "US"
    storage_class = "STANDARD"

Kenny Moore's avatar
Kenny Moore committed
108
    uniform_bucket_level_access = true
Adam Robinson's avatar
Adam Robinson committed
109
110
111
112
113
114
115

    versioning {
        enabled = true
    }
}

resource "google_service_account" "customer_service_account" {
116
117
    project     = var.customer_service_account_project_id
    account_id  = local.customer_service_account_id
Adam Robinson's avatar
Adam Robinson committed
118
119
120
    description = "${local.short_mcomm} Terraform Service Account"
}

data "google_iam_policy" "customer_service_account_policy" {
  binding {
    role = "roles/iam.serviceAccountKeyAdmin"

    members = [
        "group:${var.mcomm_group_email}",
    ]
  }
}

resource "google_service_account_iam_policy" "customer_service_account_policy" {
  service_account_id = google_service_account.customer_service_account.name
  policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
}

data "google_iam_policy" "customer_bucket_policy" {
    binding {
        role = "roles/storage.legacyBucketWriter"
        members = [
Adam Robinson's avatar
Adam Robinson committed
140
            "serviceAccount:${google_service_account.customer_service_account.email}",
Adam Robinson's avatar
Adam Robinson committed
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
        ]
    }

    binding {
        role = "roles/storage.objectViewer"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }
}

resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
    bucket = google_storage_bucket.customer_bucket.name
    policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}

data "google_service_account_id_token" "customer_db_token" {
Adam Robinson's avatar
Adam Robinson committed
158
    target_audience = local.database_function_url[var.environment]
159
160
161
162
163
164
165
166
}

resource "null_resource" "customer_database" {
    triggers = {
        billing_contact = var.billing_contact
        mcomm_group_email = var.mcomm_group_email
        shortcode = var.shortcode
    }
Adam Robinson's avatar
Adam Robinson committed
167

168
    provisioner "local-exec" {
Adam Robinson's avatar
Adam Robinson committed
169
        command = "curl ${local.database_function_url[var.environment]} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '{\"kind\": \"billing\", \"billingAccountId\": \"asdf\"}'"
170
171
172
173
    }
}

// TODO: create a per-customer Git repository (not yet implemented in this configuration).

resource "google_billing_subaccount" "customer_subaccount" {
Adam Robinson's avatar
Adam Robinson committed
176
    display_name           = local.short_mcomm
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
    master_billing_account = local.master_billing_account_id[var.environment]
    deletion_policy        = "RENAME_ON_DESTROY"
}

resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
    billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
    policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
}

data "google_iam_policy" "customer_billing_account_policy" {
    binding {
        role = "roles/billing.user"

        members = [
            "user:${google_service_account.customer_service_account.name}",
        ]
    }

    binding {
        role = "organizations/715302536254/roles/UM_billingUser"

        members = [
            "group:${var.mcomm_group_email}",
        ]
    }
}