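locals {
    # MCommunity group name with the "@domain" removed, dots turned into
    # hyphens and lower-cased. Every other customer resource name in this
    # file (folder, bucket, billing sub-account, service account) is
    # derived from it.
    short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0], ".", "-"))

    # GCP caps a service account ID at 30 characters, so the group-derived
    # prefix is cut to whatever room the fixed "-<division>-tf" suffix leaves.
    customer_service_account_suffix = "-${var.division}-tf"
    customer_service_account_prefix = substr(local.short_mcomm, 0, 30 - length(local.customer_service_account_suffix))
    customer_service_account_id     = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"

    # Parent folder for the customer folder, keyed by environment and then
    # division. dev has no entries yet, so applying with environment = "dev"
    # fails at the lookup in google_folder.customer_folder.
    division_folder_ids = {
        dev = {
            # its = ""
        }
        test = {
            its    = "folders/1065543734594"
            campus = "folders/694924320608"
            mm     = "folders/841027711031"
            hipaa  = "folders/607376512236"
        }
        prod = {
            its    = "folders/666809107084"
            campus = "folders/1013928641872"
            mm     = "folders/332243639992"
            hipaa  = "folders/293380204207"
        }
    }

    # Billing account the customer sub-account is created under, keyed by
    # environment. As with division_folder_ids there is no dev entry.
    master_billing_account_id = {
        # dev  = ""
        test = "01D8BC-7D5855-0BC393"
        prod = "01D8BC-7D5855-0BC393"
    }

    # Cloud Function that records the customer in the billing database.
    # test still points at the prod function until a test DB exists.
    database_function_url = {
        # dev = ""
        test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
        prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
    }

    # JSON document POSTed to database_function_url by
    # null_resource.customer_database.
    curl_body = {
        kind              = "billing"
        billingAccountId  = google_billing_subaccount.customer_subaccount.billing_account_id
        billing_contact   = var.billing_contact
        mcomm_group_email = var.mcomm_group_email
        shortcode         = var.shortcode
    }

    # Audit log retention is always on for the hipaa division and opt-in for
    # the others via a non-empty audit_logs_access. The || already yields a
    # bool, so the former "? true : false" wrapper was redundant.
    retain_logs = var.division == "hipaa" || var.audit_logs_access != ""

    # hipaa gets fixed retention settings; every other division uses the
    # caller-supplied var.retain_logs_bigquery / var.retain_logs_gcs values.
    retain_logs_bq = {
        enable         = var.division == "hipaa" ? true : var.retain_logs_bigquery["enable"]
        retention_days = var.division == "hipaa" ? 14 : var.retain_logs_bigquery["retention_days"]
    }
    retain_logs_gcs = {
        enable         = var.division == "hipaa" ? true : var.retain_logs_gcs["enable"]
        storage_class  = var.division == "hipaa" ? "COLDLINE" : var.retain_logs_gcs["storage_class"]
        retention_days = var.division == "hipaa" ? 1100 : var.retain_logs_gcs["retention_days"]
    }
}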

module "audit" {
    source = "./modules/terraform-google-gcp-at-um-customer-audit/"

    # Instantiated only when audit log retention applies to this customer
    # (hipaa division or an explicit audit_logs_access); see local.retain_logs.
    count = local.retain_logs ? 1 : 0

    # Customer identity passed through unchanged.
    division          = var.division
    environment       = var.environment
    shortcode         = var.shortcode
    mcomm_group_email = var.mcomm_group_email
    audit_logs_access = var.audit_logs_access

    # Resources created in this file that the module attaches to.
    billing_id            = google_billing_subaccount.customer_subaccount.billing_account_id
    folder_id             = google_folder.customer_folder.id
    database_function_url = local.database_function_url[var.environment]

    # Log storage targets and retention, already resolved per division in locals.
    big_query           = local.retain_logs_bq["enable"]
    big_query_retention = local.retain_logs_bq["retention_days"]
    gcs                 = local.retain_logs_gcs["enable"]
    gcs_storage_class   = local.retain_logs_gcs["storage_class"]
    gcs_expiration_days = local.retain_logs_gcs["retention_days"]
}

resource "google_folder" "customer_folder" {
    # An explicit display name wins; otherwise the group-derived name is used.
    display_name = var.folder_display_name != "" ? var.folder_display_name : local.short_mcomm

    # Parent comes from the per-environment, per-division map in locals; an
    # environment/division pair that is missing there fails at plan time.
    parent = local.division_folder_ids[var.environment][var.division]
}

data "google_iam_policy" "customer_folder_policy" {
    # Applied authoritatively by google_folder_iam_policy.customer_folder_policy,
    # so any binding on the folder that is not listed here is removed on apply.

    # Viewer-type roles for the customer group, plus Shared VPC admin when the
    # customer has been flagged for it. The list order matches the previous
    # hand-written bindings so the generated policy_data is unchanged.
    dynamic "binding" {
        for_each = concat(
            [
                "roles/browser",
                "roles/cloudasset.viewer",
                "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
            ],
            var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
        )
        content {
            role    = binding.value
            members = ["group:${var.mcomm_group_email}"]
        }
    }

    # The customer's Terraform service account may create projects in the
    # folder; editing the folder itself stays with the provisioning account.
    binding {
        role    = "roles/resourcemanager.projectCreator"
        members = ["serviceAccount:${google_service_account.customer_service_account.email}"]
    }

    binding {
        role    = "roles/resourcemanager.folderEditor"
        members = ["serviceAccount:${var.provisioning_service_account_email}"]
    }
}

resource "google_folder_iam_policy" "customer_folder_policy" {
    # Authoritative: the folder's whole IAM policy is replaced with
    # data.google_iam_policy.customer_folder_policy on every apply.
    folder      = google_folder.customer_folder.name
    policy_data = data.google_iam_policy.customer_folder_policy.policy_data
}

resource "random_id" "customer_bucket_id" {
    # Two random bytes give a 4-character hex suffix that keeps the
    # globally-scoped bucket name unique.
    byte_length = 2
}

resource "google_storage_bucket" "customer_bucket" {
    project = var.customer_bucket_project_id

    # Bucket names are global and limited to 63 characters; short_mcomm is
    # not truncated here, so a very long group name can exceed that.
    name = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"

    location      = "US"
    storage_class = "STANDARD"

    # IAM-only access control (no per-object ACLs); the bucket's policy is
    # set by google_storage_bucket_iam_policy.customer_bucket_policy.
    # NOTE(review): consider public_access_prevention = "enforced" if the
    # google provider version in use supports it.
    uniform_bucket_level_access = true

    # Keep earlier generations so overwritten or deleted objects can be
    # recovered.
    versioning {
        enabled = true
    }
}

resource "google_service_account" "customer_service_account" {
    # Terraform service account handed to the customer; its ID is truncated
    # to GCP's 30-character limit in locals.
    project     = var.customer_service_account_project_id
    account_id  = local.customer_service_account_id
    description = "${local.short_mcomm} Terraform Service Account"
}

data "google_iam_policy" "customer_service_account_policy" {
    # Authoritative policy on the customer's Terraform service account.
    # serviceAccountKeyAdmin lets the customer group create and delete
    # user-managed keys for it, i.e. mint long-lived credentials, so key
    # creation events for this account are worth tracking in audit logs.
    binding {
        role    = "roles/iam.serviceAccountKeyAdmin"
        members = ["group:${var.mcomm_group_email}"]
    }
}

resource "google_service_account_iam_policy" "customer_service_account_policy" {
    # Authoritative: replaces the service account's IAM policy with
    # data.google_iam_policy.customer_service_account_policy.
    service_account_id = google_service_account.customer_service_account.name
    policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
}

data "google_iam_policy" "customer_bucket_policy" {
    # Authoritative bucket policy: the customer's service account gets the
    # legacy bucket-level writer role, the customer group read-only access
    # to objects.
    binding {
        role    = "roles/storage.legacyBucketWriter"
        members = ["serviceAccount:${google_service_account.customer_service_account.email}"]
    }

    binding {
        role    = "roles/storage.objectViewer"
        members = ["group:${var.mcomm_group_email}"]
    }
}

resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
    # Authoritative: the bucket's IAM policy becomes exactly
    # data.google_iam_policy.customer_bucket_policy.
    bucket      = google_storage_bucket.customer_bucket.name
    policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}

data "google_service_account_id_token" "customer_db_token" {
    # OIDC identity token whose audience is the customer DB function URL; it
    # is sent as the bearer token by null_resource.customer_database. No
    # target_service_account is set, so the token is presumably minted for
    # the credentials the google provider itself runs as.
    target_audience = local.database_function_url[var.environment]
}

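resource "null_resource" "customer_database" {
    # The provisioner only runs on create, so any change to one of these
    # submitted values forces a replacement and re-registers the customer.
    triggers = {
        billingAccountId  = google_billing_subaccount.customer_subaccount.billing_account_id
        billing_contact   = var.billing_contact
        mcomm_group_email = var.mcomm_group_email
        shortcode         = var.shortcode
    }

    # POST local.curl_body to the customer DB Cloud Function.
    #
    # The bearer token and the JSON body are handed to curl through the
    # environment instead of being spliced into the command string: a quote
    # in billing_contact/shortcode/mcomm_group_email can then no longer break
    # out of the shell quoting, and the token is not part of the command line
    # that Terraform echoes during apply and that other local processes can
    # see. --fail turns an HTTP error status into a provisioner failure
    # instead of the request being silently ignored.
    provisioner "local-exec" {
        environment = {
            FUNCTION_URL = local.database_function_url[var.environment]
            ID_TOKEN     = data.google_service_account_id_token.customer_db_token.id_token
            REQUEST_BODY = jsonencode(local.curl_body)
        }
        command = "curl -sS --fail \"$FUNCTION_URL\" -H \"Authorization: Bearer $ID_TOKEN\" -H \"Content-Type: application/json\" -d \"$REQUEST_BODY\""
    }
}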

// Need to make a customer Git repo

resource "google_billing_subaccount" "customer_subaccount" {
    display_name           = local.short_mcomm
    master_billing_account = local.master_billing_account_id[var.environment]

    # Billing sub-accounts are not deletable, so on destroy the provider
    # renames the account rather than leaving it as-is.
    deletion_policy = "RENAME_ON_DESTROY"
}

resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
    # Authoritative: the sub-account's IAM policy becomes exactly
    # data.google_iam_policy.customer_billing_account_policy.
    billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
    policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
}

data "google_iam_policy" "customer_billing_account_policy" {
    # Authoritative policy on the customer's billing sub-account: the
    # Terraform service account can link projects to it (billing.user), the
    # customer group gets the organization's custom billing-user role.
    binding {
        role    = "roles/billing.user"
        members = ["serviceAccount:${google_service_account.customer_service_account.email}"]
    }

    binding {
        role    = "organizations/715302536254/roles/UM_billingUser"
        members = ["group:${var.mcomm_group_email}"]
    }
}