locals {
    # Local-part of the MCommunity group email, lower-cased with "." rewritten
    # to "-"; this is the customer's short name used in folder, bucket and
    # service-account names below.
    # NOTE(review): only "." is rewritten — any other character that is invalid
    # in a service account id or bucket name (e.g. "_") passes through unchanged.
    short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))

    # Service account id is "<short_mcomm, truncated>-<division>-tf"; the prefix
    # is cut so the whole id stays within 30 characters.
    # NOTE(review): a short name that starts with a digit is rejected by the
    # service-account API — confirm the group naming rules rule that out.
    customer_service_account_suffix = "-${var.division}-tf"
    customer_service_account_prefix = substr(local.short_mcomm,0,30-length(local.customer_service_account_suffix))
    customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"

    # Parent folder per environment and division. "dev" has no entries, so a
    # lookup with var.environment == "dev" fails at plan time.
    division_folder_ids = {
        dev = {
            //its = ""
        }
        test = {
            its               = "folders/100600555387"
            campus            = "folders/549439339393"
            michigan_medicine = "folders/783942636538"
            hipaa             = "folders/607376512236"
        }
        prod = {
            its               = "folders/666809107084"
            campus            = "folders/1013928641872"            
            michigan_medicine = "folders/332243639992"
            hipaa             = "folders/293380204207"
        }
    }
    # Only referenced by the commented-out billing sub-account at the bottom of
    # this file; test and prod point at the same billing account.
    master_billing_account_id = {
        //dev  = ""
        test = "015023-FF6053-5F797A"
        prod = "015023-FF6053-5F797A"
    }
    # Customer-database Cloud Function URL; only prod is defined, so the
    # customer_db_token data source and null_resource.customer_database fail
    # for any other environment.
    database_function_url = {
        //dev = ""
        //test = ""
        prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
    }
}

# Customer folder, created under the division folder of the selected environment.
resource "google_folder" "customer_folder" {
    # An empty var.folder_display_name falls back to the derived short name.
    display_name = var.folder_display_name == "" ? local.short_mcomm : var.folder_display_name
    # Fails at plan time when local.division_folder_ids has no entry for the
    # environment/division pair (currently every "dev" combination).
    parent = local.division_folder_ids[var.environment][var.division]
}

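# Authoritative IAM policy for the customer folder. It is applied by
# google_folder_iam_policy.customer_folder_policy, which replaces every binding
# on the folder with exactly the set declared here.
data "google_iam_policy" "customer_folder_policy" {
    # Customer group: read-only visibility of the folder hierarchy.
    binding {
        role = "roles/browser"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }

    # Customer group: organisation-defined viewer role for customer folders.
    binding {
        role = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }

    # Shared VPC admin for the customer group, emitted only when requested.
    # A dynamic block must carry its arguments inside `content`, and the
    # per-iteration role is `binding.value` (`binding` alone is the iterator
    # object, not a string); the original had neither, so Terraform rejected
    # this block during validation.
    dynamic "binding" {
        for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
        content {
            role = binding.value
            members = [
                "group:${var.mcomm_group_email}",
            ]
        }
    }

    # The customer's Terraform service account may create projects in the folder.
    binding {
        role = "roles/resourcemanager.projectCreator"
        members = [
            "serviceAccount:${google_service_account.customer_service_account.email}",
        ]
    }

    # The central provisioning identity keeps edit rights on the folder itself.
    binding {
        role = "roles/resourcemanager.folderEditor"
        members = [
            "serviceAccount:${var.provisioning_service_account_email}",
        ]
    }
}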

# Sets the folder's complete IAM policy. This is authoritative: any binding not
# present in data.google_iam_policy.customer_folder_policy — including ones
# granted outside Terraform — is removed on apply.
resource "google_folder_iam_policy" "customer_folder_policy" {
  folder      = google_folder.customer_folder.name
  policy_data = data.google_iam_policy.customer_folder_policy.policy_data
}

# Two random bytes -> a 4-character hex suffix that keeps the customer bucket
# name unique in the global bucket namespace. byte_length = 2 gives only 65536
# values; a clash with an existing bucket surfaces as a create error.
resource "random_id" "customer_bucket_id" {
    byte_length = 2
}

# Customer bucket: gcp-at-um-<short_mcomm>-<4 hex chars>, multi-region US,
# object versioning on.
resource "google_storage_bucket" "customer_bucket" {
    project = var.customer_bucket_project_id
    # NOTE(review): short_mcomm is not truncated here, so a long group name can
    # push the bucket name past the length limit — confirm the inputs are bounded.
    name = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
    location = "US"
    storage_class = "STANDARD"

    # Uniform bucket-level access: IAM only, per-object ACLs are disabled.
    # NOTE(review): bucket_policy_only is the older name for
    # uniform_bucket_level_access in the google provider; whether it is still
    # accepted depends on the provider version this module is pinned to.
    bucket_policy_only = true

    versioning {
        enabled = true
    }
}

# The customer's Terraform service account. It is granted projectCreator on the
# customer folder and legacyBucketWriter on the customer bucket elsewhere in
# this file, and the customer group can mint keys for it (see
# customer_service_account_policy).
resource "google_service_account" "customer_service_account" {
    project     = var.customer_service_account_project_id
    # Derived in locals; must satisfy the account_id length and character rules.
    account_id  = local.customer_service_account_id
    description = "${local.short_mcomm} Terraform Service Account"
}

# Authoritative IAM policy on the customer service account itself.
# serviceAccountKeyAdmin lets members of the customer group create and delete
# user-managed keys, i.e. obtain long-lived credentials that act with every
# permission the service account holds (project creation in the folder, writes
# to the bucket). Key creation/deletion shows up in Cloud Audit Logs, which is
# the place to watch for unexpected key activity.
# NOTE(review): if the group only needs to act as the account from Terraform,
# a short-lived-credential role (token creation/impersonation) would avoid
# downloadable keys entirely — confirm the intended workflow.
data "google_iam_policy" "customer_service_account_policy" {
  binding {
    role = "roles/iam.serviceAccountKeyAdmin"

    members = [
        "group:${var.mcomm_group_email}",
    ]
  }
}

# Sets the service account's complete IAM policy; authoritative, so any binding
# on the account granted elsewhere (e.g. serviceAccountUser for another
# principal) is removed on apply.
resource "google_service_account_iam_policy" "customer_service_account_policy" {
  service_account_id = google_service_account.customer_service_account.name
  policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
}

# Authoritative IAM policy for the customer bucket: the customer service account
# writes objects, the customer group reads them.
data "google_iam_policy" "customer_bucket_policy" {
    # legacyBucketWriter is one of the ACL-compatibility ("legacy") roles;
    # it is granted at bucket level here, which is allowed with uniform
    # bucket-level access.
    binding {
        role = "roles/storage.legacyBucketWriter"
        members = [
            "serviceAccount:${google_service_account.customer_service_account.email}",
        ]
    }

    binding {
        role = "roles/storage.objectViewer"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }
}

# Sets the bucket's complete IAM policy; authoritative, so bindings added
# outside Terraform are removed on apply.
resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
    bucket = google_storage_bucket.customer_bucket.name
    policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}

# OIDC identity token whose audience is the customer-db Cloud Function URL.
# No target_service_account is set, so the token is issued for the credentials
# the google provider is configured with. It is re-read on every plan/apply and
# is consumed only by the local-exec provisioner in null_resource.customer_database.
# Only "prod" has a URL in local.database_function_url, so other environments
# fail this lookup at plan time.
data "google_service_account_id_token" "customer_db_token" {
    target_audience = local.database_function_url[var.environment]
}

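# Registers the customer with the customer-db Cloud Function via an
# authenticated HTTP call made from the machine running Terraform.
resource "null_resource" "customer_database" {
    # Re-runs the call whenever one of these inputs changes.
    # NOTE(review): none of these values is sent in the request body below —
    # confirm whether the function is expected to receive them.
    triggers = {
        billing_contact = var.billing_contact
        mcomm_group_email = var.mcomm_group_email
        shortcode = var.shortcode
    }

    provisioner "local-exec" {
        # The bearer token goes through the environment instead of the command
        # string: local-exec echoes the command into the apply log, and a token
        # on the command line is also visible in the host's process list while
        # curl runs. The environment is neither logged nor listed that way.
        environment = {
            CUSTOMER_DB_TOKEN = data.google_service_account_id_token.customer_db_token.id_token
        }

        # --fail turns an HTTP error status into a provisioner failure; curl
        # otherwise exits 0 on a 4xx/5xx response and the apply would report
        # success for a registration that never happened.
        # NOTE(review): "asdf" is a literal placeholder for billingAccountId and
        # is sent to the function as-is — confirm the intended value.
        command = "curl --fail --silent --show-error ${local.database_function_url[var.environment]} -H \"Authorization: Bearer $CUSTOMER_DB_TOKEN\" -H \"Content-Type: application/json\" -d '{\"kind\": \"billing\", \"billingAccountId\": \"asdf\"}'"
    }
}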

// Need to make a customer Git repo

# Commented-out billing sub-account wiring, kept for reference; it is the only
# consumer of local.master_billing_account_id.
# NOTE(review): if this is revived, the roles/billing.user member below uses the
# "user:" prefix with the service account's resource name; service accounts are
# addressed as "serviceAccount:<email>" — confirm before enabling.
# resource "google_billing_subaccount" "customer_subaccount" {
#     display_name = "${local.short_mcomm}"
#     master_billing_account = local.master_billing_account_id[var.environment]
#     rename_on_destroy = true
# }

# resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
#     billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
#     policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
# }

# data "google_iam_policy" "customer_billing_account_policy" {
#     binding {
#         role = "roles/billing.user"

#         members = [
#             "user:${google_service_account.customer_service_account.name}",
#         ]
#     }

#     binding {
#         role = "organizations/715302536254/roles/UM_billingUser"

#         members = [
#             "group:${var.mcomm_group_email}",
#         ]
#     }
# }