locals {
  # Local part of the MCommunity group address, lower-cased, with dots rewritten
  # as hyphens. It is the customer's short name in the folder, bucket, billing
  # and service-account names below. Only dots are rewritten, so any other
  # character an email local part may carry (e.g. "_") passes through unchanged;
  # callers need to supply names that are valid in every consumer (the
  # service-account account_id is the strictest).
  short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0], ".", "-"))

  # Service-account id = <short_mcomm, truncated>-<division>-tf. The prefix is
  # cut so the full id fits the 30-character account_id limit; the suffix is
  # never truncated.
  customer_service_account_suffix = "-${var.division}-tf"
  customer_service_account_prefix = substr(local.short_mcomm, 0, 30 - length(local.customer_service_account_suffix))
  customer_service_account_id     = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"

  # Parent folder per environment and division, indexed as [environment][division].
  # dev has no entries yet, so a dev run fails at the map lookup in google_folder.
  division_folder_ids = {
    dev = {
      # its = ""
    }
    test = {
      its               = "folders/100600555387"
      campus            = "folders/549439339393"
      michigan_medicine = "folders/783942636538"
      hipaa             = "folders/607376512236"
    }
    prod = {
      its               = "folders/666809107084"
      campus            = "folders/1013928641872"
      michigan_medicine = "folders/332243639992"
      hipaa             = "folders/293380204207"
    }
  }

  # Master billing account the customer subaccount is created under.
  # test and prod currently share the same account.
  master_billing_account_id = {
    # dev  = ""
    test = "01D8BC-7D5855-0BC393"
    prod = "01D8BC-7D5855-0BC393"
  }

  # Cloud Function that records customer metadata. test currently points at the
  # same function as prod (see the inline note), so test runs hit the prod endpoint.
  database_function_url = {
    # dev = ""
    test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
    prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
  }
}

# Audit configuration that only HIPAA customers receive; count keeps the module
# out of every other division.
module "audit" {
  source = "./modules/terraform-google-gcp-at-um-customer-audit/"
  count  = var.division == "hipaa" ? 1 : 0

  billing_id            = google_billing_subaccount.customer_subaccount.billing_account_id
  database_function_url = local.database_function_url[var.environment]
  division              = var.division
  environment           = var.environment
  folder_id             = google_folder.customer_folder.id
  mcomm_group_email     = var.mcomm_group_email
  shortcode             = var.shortcode
}

# The customer's folder, parented under the folder chosen by environment and
# division in local.division_folder_ids.
resource "google_folder" "customer_folder" {
  # An explicit display name wins; otherwise the short MCommunity name is used.
  display_name = var.folder_display_name != "" ? var.folder_display_name : local.short_mcomm
  parent       = local.division_folder_ids[var.environment][var.division]
}

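# Authoritative IAM policy for the customer folder. google_folder_iam_policy
# applies it wholesale, so a binding that is not listed here is removed from
# the folder on the next apply.
data "google_iam_policy" "customer_folder_policy" {
  # Customer group: read-only browsing of the folder hierarchy.
  binding {
    role    = "roles/browser"
    members = ["group:${var.mcomm_group_email}"]
  }

  # Customer group: the org-defined custom viewer role.
  binding {
    role    = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
    members = ["group:${var.mcomm_group_email}"]
  }

  # Shared VPC admin, emitted only when the customer has opted in. Inside a
  # dynamic block the iterator (`binding`) is an object with .key/.value; the
  # role string is its .value -- assigning the iterator itself to `role` fails
  # type-checking as soon as the for_each list is non-empty.
  dynamic "binding" {
    for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
    content {
      role    = binding.value
      members = ["group:${var.mcomm_group_email}"]
    }
  }

  # The customer's Terraform service account may create projects under the folder.
  binding {
    role    = "roles/resourcemanager.projectCreator"
    members = ["serviceAccount:${google_service_account.customer_service_account.email}"]
  }

  # Provisioning identity keeps folderEditor -- presumably the account this
  # module runs as, so later applies can still manage the folder; confirm.
  binding {
    role    = "roles/resourcemanager.folderEditor"
    members = ["serviceAccount:${var.provisioning_service_account_email}"]
  }
}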

# Binds customer_folder_policy to the folder. This resource is authoritative:
# any binding set directly on the folder outside Terraform is removed on apply.
resource "google_folder_iam_policy" "customer_folder_policy" {
  policy_data = data.google_iam_policy.customer_folder_policy.policy_data
  folder      = google_folder.customer_folder.name
}

# Random suffix that keeps the globally scoped bucket name unique.
# 2 bytes = 4 hex characters, i.e. 65,536 possible suffixes per short_mcomm; a
# collision only surfaces as a create-time error. Raising byte_length forces a
# new id and therefore a new bucket name.
resource "random_id" "customer_bucket_id" {
  byte_length = 2
}

# Per-customer bucket; access is granted through customer_bucket_policy below.
resource "google_storage_bucket" "customer_bucket" {
  name          = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
  project       = var.customer_bucket_project_id
  location      = "US"
  storage_class = "STANDARD"

  # IAM only, no per-object ACLs, so the bucket IAM policy is the whole story.
  # NOTE(review): public_access_prevention is not set; on a recent google
  # provider `public_access_prevention = "enforced"` would reject any allUsers /
  # allAuthenticatedUsers grant -- confirm the provider version before adding it.
  uniform_bucket_level_access = true

  # Prior object versions are retained. There is no lifecycle rule, so old
  # versions accumulate until removed by hand.
  versioning {
    enabled = true
  }
}

# The service account handed to the customer for their own Terraform runs.
# account_id is built in locals so it fits the 30-character limit.
resource "google_service_account" "customer_service_account" {
  account_id  = local.customer_service_account_id
  project     = var.customer_service_account_project_id
  description = "${local.short_mcomm} Terraform Service Account"
}

# Authoritative IAM policy on the customer service account itself (who may
# administer the account, not what the account may do).
data "google_iam_policy" "customer_service_account_policy" {
  # serviceAccountKeyAdmin lets group members create and delete user-managed
  # keys for the account, i.e. mint long-lived credentials for it.
  # NOTE(review): if the org enforces constraints/iam.disableServiceAccountKeyCreation
  # this grant is inert; otherwise roles/iam.serviceAccountTokenCreator (short-lived
  # tokens only) is the lower-exposure alternative -- confirm what customers rely on.
  binding {
    role    = "roles/iam.serviceAccountKeyAdmin"
    members = ["group:${var.mcomm_group_email}"]
  }
}

# Binds customer_service_account_policy to the service account. Authoritative:
# bindings added to the account outside Terraform are removed on apply.
resource "google_service_account_iam_policy" "customer_service_account_policy" {
  policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
  service_account_id = google_service_account.customer_service_account.name
}

# Authoritative IAM policy for the customer bucket.
data "google_iam_policy" "customer_bucket_policy" {
  # The customer's Terraform service account writes to the bucket.
  # legacyBucketWriter is a legacy role (create/overwrite/delete and list objects).
  # NOTE(review): roles/storage.objectCreator / objectAdmin are the non-legacy
  # roles -- confirm which permissions the account actually needs before switching.
  binding {
    role    = "roles/storage.legacyBucketWriter"
    members = ["serviceAccount:${google_service_account.customer_service_account.email}"]
  }

  # The customer group gets read-only access to objects.
  binding {
    role    = "roles/storage.objectViewer"
    members = ["group:${var.mcomm_group_email}"]
  }
}

# Binds customer_bucket_policy to the bucket. Authoritative: bindings added to
# the bucket outside Terraform are removed on apply.
resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
  policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
  bucket      = google_storage_bucket.customer_bucket.name
}

# Google-signed ID token used to authenticate the customer_db call in
# null_resource.customer_database. No target_service_account is set, so the
# token is minted for the credentials the google provider itself runs with;
# its audience is the function URL of the current environment.
data "google_service_account_id_token" "customer_db_token" {
  target_audience = local.database_function_url[var.environment]
}

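# Registers the customer with the metadata database by calling the customer_db
# function; re-runs whenever one of the trigger values changes.
resource "null_resource" "customer_database" {
  triggers = {
    billing_contact   = var.billing_contact
    mcomm_group_email = var.mcomm_group_email
    shortcode         = var.shortcode
  }

  provisioner "local-exec" {
    # The ID token goes through the environment rather than the command line,
    # so it does not appear in process listings or in output that echoes the
    # command. ($DB_TOKEN is expanded by the shell, not by Terraform.)
    environment = {
      DB_TOKEN = data.google_service_account_id_token.customer_db_token.id_token
    }

    # --fail turns a non-2xx response into a failed apply instead of a silently
    # ignored one; --silent --show-error leaves only errors in the output.
    # TODO(review): "asdf" is a placeholder billingAccountId. The subaccount id
    # (google_billing_subaccount.customer_subaccount.billing_account_id) looks
    # like the intended value -- confirm against the function's schema first.
    command = "curl --fail --silent --show-error ${local.database_function_url[var.environment]} -H \"Authorization: Bearer $DB_TOKEN\" -H \"Content-Type: application/json\" -d '{\"kind\": \"billing\", \"billingAccountId\": \"asdf\"}'"
  }
}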

// Need to make a customer Git repo

# Billing subaccount for the customer under the environment's master account.
resource "google_billing_subaccount" "customer_subaccount" {
  master_billing_account = local.master_billing_account_id[var.environment]
  display_name           = local.short_mcomm

  # Billing subaccounts are not deleted through the API; on destroy the
  # provider renames the account instead of removing it.
  deletion_policy = "RENAME_ON_DESTROY"
}

# Binds customer_billing_account_policy to the subaccount. Authoritative:
# bindings added to the billing account outside Terraform are removed on apply.
resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
  policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
  billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
}

# Authoritative IAM policy for the customer billing subaccount.
data "google_iam_policy" "customer_billing_account_policy" {
  # billing.user lets the customer's service account link projects to this
  # subaccount (needed for the projects it creates under the folder).
  binding {
    role    = "roles/billing.user"
    members = ["serviceAccount:${google_service_account.customer_service_account.email}"]
  }

  # Org-defined billing role for the customer group.
  binding {
    role    = "organizations/715302536254/roles/UM_billingUser"
    members = ["group:${var.mcomm_group_email}"]
  }
}