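locals {
    # Local part of the customer's mail group, lowercased, with "." turned into
    # "-". It is the base for the folder, bucket and service-account names below.
    short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0], ".", "-"))

    # Service-account IDs are limited to 30 characters, so the group-derived
    # prefix is truncated to leave room for the "-<division>-tf" suffix.
    # NOTE(review): an account_id must also start with a letter and contain only
    # lowercase letters, digits and "-"; a group local part with other characters
    # (e.g. "_" or "+") yields an invalid ID — consider a validation block on
    # var.mcomm_group_email.
    customer_service_account_suffix = "-${var.division}-tf"
    customer_service_account_prefix = substr(local.short_mcomm, 0, 30 - length(local.customer_service_account_suffix))
    customer_service_account_id     = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"

    # Parent folder per environment and division. "dev" has no entries yet, so
    # the lookup [var.environment][var.division] fails for dev until populated.
    division_folder_ids = {
        dev = {
            #its = ""
        }
        test = {
            its    = "folders/1065543734594"
            campus = "folders/694924320608"
            mm     = "folders/841027711031"
            hipaa  = "folders/607376512236"
        }
        prod = {
            its    = "folders/666809107084"
            campus = "folders/1013928641872"
            mm     = "folders/332243639992"
            hipaa  = "folders/293380204207"
        }
    }

    # Master billing account the customer sub-account is created under.
    # test and prod currently share one master; dev is not configured.
    master_billing_account_id = {
        #dev  = ""
        test = "01D8BC-7D5855-0BC393"
        prod = "01D8BC-7D5855-0BC393"
    }

    # Cloud Function that records the customer in the customer database.
    # test and prod currently point at the same function.
    database_function_url = {
        #dev = ""
        test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
        prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
    }

    # JSON body sent to database_function_url by null_resource.customer_database.
    curl_body = {
        kind              = "billing"
        billingAccountId  = google_billing_subaccount.customer_subaccount.billing_account_id
        billing_contact   = var.billing_contact
        mcomm_group_email = var.mcomm_group_email
        shortcode         = var.shortcode
    }

    # Audit-log retention is mandatory for the hipaa division and otherwise
    # enabled by supplying audit_logs_access. The boolean expression is used
    # as-is; the former "? true : false" around it was redundant.
    retain_logs = var.division == "hipaa" || var.audit_logs_access != ""

    # hipaa forces retention on with fixed settings; every other division takes
    # the caller-supplied values.
    retain_logs_bq = {
        enable         = var.division == "hipaa" ? true : var.retain_logs_bigquery["enable"]
        retention_days = var.division == "hipaa" ? 14 : var.retain_logs_bigquery["retention_days"]
    }
    retain_logs_gcs = {
        enable         = var.division == "hipaa" ? true : var.retain_logs_gcs["enable"]
        storage_class  = var.division == "hipaa" ? "COLDLINE" : var.retain_logs_gcs["storage_class"]
        retention_days = var.division == "hipaa" ? 14 : var.retain_logs_gcs["retention_days"]
    }
}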

module "audit" {
    # Instantiated only when log retention is required (see local.retain_logs).
    count  = local.retain_logs ? 1 : 0
    source = "./modules/terraform-google-gcp-at-um-customer-audit/"

    # Customer identity and placement.
    division          = var.division
    environment       = var.environment
    shortcode         = var.shortcode
    mcomm_group_email = var.mcomm_group_email
    folder_id         = google_folder.customer_folder.id
    billing_id        = google_billing_subaccount.customer_subaccount.billing_account_id
    audit_logs_access = var.audit_logs_access

    # Customer-database endpoint for this environment.
    database_function_url = local.database_function_url[var.environment]

    # Retention sinks, already resolved in locals (hipaa overrides caller values).
    big_query           = local.retain_logs_bq.enable
    big_query_retention = local.retain_logs_bq.retention_days
    gcs                 = local.retain_logs_gcs.enable
    gcs_storage_class   = local.retain_logs_gcs.storage_class
    gcs_expiration_days = local.retain_logs_gcs.retention_days
}

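resource "google_folder" "customer_folder" {
    # Use the group-derived name unless an explicit display name is given.
    # coalesce() skips both "" and null, so a null folder_display_name no
    # longer reaches the provider as a null display_name.
    display_name = coalesce(var.folder_display_name, local.short_mcomm)

    # Parent is selected by environment, then division; see
    # local.division_folder_ids for which combinations are defined.
    parent = local.division_folder_ids[var.environment][var.division]
}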

data "google_iam_policy" "customer_folder_policy" {
    # Policy document for the customer folder, applied by
    # google_folder_iam_policy.customer_folder_policy below.
    # NOTE(review): that resource sets the folder's complete policy, so any
    # binding not listed here is removed on apply — confirm this is intended.

    # Read-only roles for the customer group.
    binding {
        role    = "roles/browser"
        members = [format("group:%s", var.mcomm_group_email)]
    }

    binding {
        role    = "roles/cloudasset.viewer"
        members = [format("group:%s", var.mcomm_group_email)]
    }

    binding {
        role    = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
        members = [format("group:%s", var.mcomm_group_email)]
    }

    # Shared-VPC admin is granted to the group only when explicitly requested.
    dynamic "binding" {
        for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
        content {
            role    = binding.value
            members = [format("group:%s", var.mcomm_group_email)]
        }
    }

    # The customer's Terraform service account may create projects in the folder.
    binding {
        role    = "roles/resourcemanager.projectCreator"
        members = [format("serviceAccount:%s", google_service_account.customer_service_account.email)]
    }

    # The provisioning service account keeps folder-level edit rights.
    binding {
        role    = "roles/resourcemanager.folderEditor"
        members = [format("serviceAccount:%s", var.provisioning_service_account_email)]
    }
}

resource "google_folder_iam_policy" "customer_folder_policy" {
    # Binds the policy document above to the customer folder.
    policy_data = data.google_iam_policy.customer_folder_policy.policy_data
    folder      = google_folder.customer_folder.name
}

resource "random_id" "customer_bucket_id" {
    # Two random bytes (four hex characters via .hex) appended to the bucket
    # name so it stays globally unique.
    byte_length = 2
}

resource "google_storage_bucket" "customer_bucket" {
    # Per-customer bucket; the random suffix keeps the global name unique.
    name     = format("gcp-at-um-%s-%s", local.short_mcomm, random_id.customer_bucket_id.hex)
    project  = var.customer_bucket_project_id
    location = "US"

    storage_class = "STANDARD"

    # Object ACLs are disabled; access is governed solely by the IAM policy in
    # google_storage_bucket_iam_policy.customer_bucket_policy.
    # NOTE(review): if the provider version in use supports it, consider
    # public_access_prevention = "enforced" as a second guard against
    # allUsers/allAuthenticatedUsers bindings.
    uniform_bucket_level_access = true

    # Keep prior object generations so overwritten or deleted objects can be recovered.
    versioning {
        enabled = true
    }
}

resource "google_service_account" "customer_service_account" {
    # Per-customer Terraform identity. Its ID is the truncated group name plus
    # "-<division>-tf" (see locals).
    account_id  = local.customer_service_account_id
    description = format("%s Terraform Service Account", local.short_mcomm)
    project     = var.customer_service_account_project_id
}

data "google_iam_policy" "customer_service_account_policy" {
    # Lets members of the customer group create and delete user-managed keys
    # for the customer service account.
    # NOTE(review): user-managed keys are long-lived, downloadable credentials.
    # If the customers' workflow allows it, prefer impersonation via
    # roles/iam.serviceAccountTokenCreator, and consider the
    # iam.disableServiceAccountKeyCreation organization policy constraint.
    binding {
        role    = "roles/iam.serviceAccountKeyAdmin"
        members = [format("group:%s", var.mcomm_group_email)]
    }
}

resource "google_service_account_iam_policy" "customer_service_account_policy" {
    # Attaches the key-admin policy document above to the customer service account.
    policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
    service_account_id = google_service_account.customer_service_account.name
}

data "google_iam_policy" "customer_bucket_policy" {
    # The customer's Terraform service account gets write access to the bucket
    # (presumably for Terraform state — confirm against the customer module).
    binding {
        role    = "roles/storage.legacyBucketWriter"
        members = [format("serviceAccount:%s", google_service_account.customer_service_account.email)]
    }

    # The customer group can read objects.
    binding {
        role    = "roles/storage.objectViewer"
        members = [format("group:%s", var.mcomm_group_email)]
    }
}

resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
    # Binds the bucket policy document above to the customer bucket.
    policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
    bucket      = google_storage_bucket.customer_bucket.name
}

data "google_service_account_id_token" "customer_db_token" {
    # OIDC ID token used to call the customer-database Cloud Function from
    # null_resource.customer_database. No target_service_account is set, so
    # the token is issued for whatever credentials Terraform itself runs
    # under — presumably the provisioning identity; confirm. The audience is
    # pinned to the function URL so a verifier for another audience should
    # reject the token. Treat the resulting id_token as a credential.
    target_audience = local.database_function_url[var.environment]
}

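resource "null_resource" "customer_database" {
    # Re-registers the customer with the customer database whenever one of
    # these values changes.
    triggers = {
        billingAccountId  = google_billing_subaccount.customer_subaccount.billing_account_id
        billing_contact   = var.billing_contact
        mcomm_group_email = var.mcomm_group_email
        shortcode         = var.shortcode
    }

    # POST local.curl_body to the customer-database Cloud Function.
    # The URL, bearer token and JSON body are handed to curl through the
    # environment instead of being interpolated into the command line: the
    # token no longer appears in the curl process's argv, and a quote
    # character in billing_contact, mcomm_group_email or shortcode can no
    # longer break out of the previously single-quoted JSON argument.
    # --fail turns an HTTP error response into a failed apply instead of a
    # silent success. Variable expansion assumes the default /bin/sh
    # interpreter of local-exec.
    provisioner "local-exec" {
        command = "curl --fail --silent --show-error \"$CUSTOMER_DB_URL\" -H \"Authorization: Bearer $CUSTOMER_DB_TOKEN\" -H \"Content-Type: application/json\" -d \"$CUSTOMER_DB_BODY\""
        environment = {
            CUSTOMER_DB_URL   = local.database_function_url[var.environment]
            CUSTOMER_DB_TOKEN = data.google_service_account_id_token.customer_db_token.id_token
            CUSTOMER_DB_BODY  = jsonencode(local.curl_body)
        }
    }
}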

// TODO: a customer Git repo still needs to be created
resource "google_billing_subaccount" "customer_subaccount" {
    # Customer sub-account under the environment's master billing account
    # (see local.master_billing_account_id; dev has no entry).
    master_billing_account = local.master_billing_account_id[var.environment]
    display_name           = local.short_mcomm

    # On destroy the sub-account is renamed rather than removed, so it remains
    # visible under the master account.
    deletion_policy = "RENAME_ON_DESTROY"
}

resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
    # Binds the billing policy document below to the customer sub-account.
    policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
    billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
}

data "google_iam_policy" "customer_billing_account_policy" {
    # The customer's Terraform service account can link projects it creates
    # to the sub-account.
    binding {
        role    = "roles/billing.user"
        members = [format("serviceAccount:%s", google_service_account.customer_service_account.email)]
    }

    # The customer group gets the organization's custom billing-user role.
    binding {
        role    = "organizations/715302536254/roles/UM_billingUser"
        members = [format("group:%s", var.mcomm_group_email)]
    }
}