// Short customer identifier: the local part of the group e-mail address
// (everything before the "@"). Reused below for folder, bucket and
// service-account naming.
locals {
  short_mcomm = element(split("@", var.mcomm_group_email), 0)
}

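// Customer folder, created under the division's parent folder.
// NOTE(review): the original declared the resource type "gcp_folder", which is
// not a resource of the hashicorp/google provider; the folder resource is
// "google_folder", and the IAM policy resource below references it by that name.
resource "google_folder" "customer_folder" {
  display_name = local.short_mcomm
  parent       = var.division_folder_ids[var.division]
}

// Folder-level IAM for the customer: the group gets read-only visibility
// (browser + folderViewer); only the customer's Terraform service account may
// create projects inside the folder.
data "google_iam_policy" "customer_folder_policy" {
  binding {
    role = "roles/browser"
    members = [
      "group:${var.mcomm_group_email}",
    ]
  }

  binding {
    role = "roles/resourcemanager.folderViewer"
    members = [
      "group:${var.mcomm_group_email}",
    ]
  }

  binding {
    role = "roles/resourcemanager.projectCreator"
    // A service account is an IAM member of the form "serviceAccount:<email>".
    // "user:" is for human Google accounts, and the service account's `name`
    // attribute is the full "projects/.../serviceAccounts/..." resource name,
    // not an e-mail address, so the original "user:${...name}" member was not a
    // valid IAM principal.
    members = [
      "serviceAccount:${google_service_account.customer_service_account.email}",
    ]
  }
}

// Authoritative policy: bindings added to the folder outside Terraform are
// removed on the next apply.
resource "google_folder_iam_policy" "customer_folder_policy" {
  folder      = google_folder.customer_folder.name
  policy_data = data.google_iam_policy.customer_folder_policy.policy_data
}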

// Two random bytes, exposed below as a 4-character hex suffix so the bucket
// name stays unique per customer.
resource "random_id" "customer_bucket_id" {
  byte_length = 2
}

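// Per-customer bucket, named from the short group identifier plus a random
// hex suffix.
resource "google_storage_bucket" "customer_bucket" {
  project = var.customer_bucket_project_id
  // GCS bucket names must be lowercase; lower() guards against a mixed-case
  // group address (a no-op when the input is already lowercase). The hex
  // suffix from random_id is always lowercase.
  name          = lower("gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}")
  location      = "US"
  storage_class = "STANDARD"

  // Uniform bucket-level access: object ACLs are disabled, only IAM applies.
  // NOTE(review): this argument was renamed uniform_bucket_level_access in
  // google provider v3; keep bucket_policy_only only while the pinned provider
  // still accepts it (the version constraint is not in this file).
  bucket_policy_only = true

  // Keep earlier object generations so overwrites and deletes are recoverable.
  versioning {
    enabled = true
  }
}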

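// Per-customer Terraform service account; it is granted projectCreator on the
// folder, write access on the bucket and billing.user on the billing subaccount
// elsewhere in this file.
resource "google_service_account" "customer_service_account" {
  project = var.customer_service_account_project_id
  // account_id must be 6-30 characters of lowercase letters, digits and
  // hyphens; lower() guards against a mixed-case group address.
  // NOTE(review): other characters legal in an e-mail local part (".", "_",
  // "+") are still rejected by the API and are not normalised here.
  account_id  = lower("${local.short_mcomm}-tf")
  description = "${local.short_mcomm} Terraform Service Account"
}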

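// Bucket IAM: the customer's Terraform service account can write objects, the
// customer group can only read them.
data "google_iam_policy" "customer_bucket_policy" {
  binding {
    role = "roles/storage.legacyBucketWriter"
    // Service accounts are "serviceAccount:<email>" IAM members; the original
    // "user:${...name}" used the human-account prefix with the full resource
    // name instead of the e-mail, which is not a valid principal.
    members = [
      "serviceAccount:${google_service_account.customer_service_account.email}",
    ]
  }

  binding {
    role = "roles/storage.objectViewer"
    members = [
      "group:${var.mcomm_group_email}",
    ]
  }
}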

// Attach the customer bucket policy. This is authoritative for the bucket:
// bindings not listed in the policy data are removed on apply.
resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
  policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
  bucket      = google_storage_bucket.customer_bucket.name
}

// Need to make a customer Git repo

// Need to write to a customer database

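// Billing subaccount for the customer under the master (reseller) billing
// account.
resource "google_billing_subaccount" "customer_subaccount" {
  // Plain reference instead of the interpolation-only "${...}" string, which
  // Terraform 0.12+ flags as deprecated; the value is identical.
  display_name           = local.short_mcomm
  master_billing_account = var.master_billing_account_id
  // NOTE(review): presumably renames rather than closes the subaccount on
  // destroy, since subaccounts cannot be deleted — confirm against provider docs.
  rename_on_destroy = true
}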

// Attach the billing IAM policy to the customer's subaccount. Authoritative:
// bindings on the subaccount that are not in the policy data are removed.
resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
  policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
  billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
}

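// Billing subaccount IAM: the Terraform service account can link projects to
// the subaccount (billing.user); the customer group gets the organisation's
// custom billing-user role.
data "google_iam_policy" "customer_billing_account_policy" {
  binding {
    role = "roles/billing.user"

    // Service accounts are "serviceAccount:<email>" IAM members; the original
    // "user:${...name}" used the human-account prefix with the full resource
    // name instead of the e-mail, which is not a valid principal.
    members = [
      "serviceAccount:${google_service_account.customer_service_account.email}",
    ]
  }

  binding {
    // NOTE(review): organisation id and custom role name are hard-coded here;
    // the other org-specific values in this file come from variables.
    role = "organizations/715302536254/roles/UM_billingUser"

    members = [
      "group:${var.mcomm_group_email}",
    ]
  }
}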