locals {
    # Local part of the customer group address (everything before the "@").
    mcomm_local_part = split("@", var.mcomm_group_email)[0]

    # Lower-cased, dot-free form of the local part. It is reused below as the
    # folder display name, the service-account id and part of the bucket name.
    # NOTE(review): only "." is rewritten; any other character outside
    # [a-z0-9-] (e.g. "_" or "+") is passed straight through to resource names
    # that reject it — a validation block on var.mcomm_group_email would catch
    # this at plan time.
    short_mcomm = lower(replace(local.mcomm_local_part, ".", "-"))
}

# One resource-hierarchy folder per customer group, named after the group's
# email local part and placed under the folder that belongs to the requested
# division.
resource "google_folder" "customer_folder" {
    # NOTE(review): GCP requires sibling folders to have distinct display names
    # (verify against current docs); because short_mcomm lower-cases and
    # replaces ".", two groups differing only in case or "." vs "-" collide here.
    display_name = local.short_mcomm
    # Map lookup: an unknown var.division is a plan-time error rather than a
    # folder silently created in the wrong place.
    parent = var.division_folder_ids[var.division]
}

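# Complete IAM policy for the customer folder. It is attached with
# google_folder_iam_policy (authoritative), so every binding on the folder that
# is not listed here is removed on apply; grants inherited from the
# organisation or parent folder are unaffected.
data "google_iam_policy" "customer_folder_policy" {
    # The customer group can browse the hierarchy and see what is in the folder.
    binding {
        role = "roles/browser"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }

    binding {
        role = "roles/resourcemanager.folderViewer"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }

    # Only the customer's Terraform service account may create projects under
    # the folder; the customer group itself is not granted this role.
    # NOTE(review): new projects also need a billing account link, which is
    # handled by the (currently commented-out) billing resources at the bottom
    # of this file.
    binding {
        role = "roles/resourcemanager.projectCreator"
        members = [
            "serviceAccount:${google_service_account.customer_service_account.email}",
        ]
    }

    # The central provisioning account keeps edit rights on the folder itself.
    # NOTE(review): folderEditor does not appear to include
    # resourcemanager.folders.setIamPolicy, so the identity running this module
    # must retain setIamPolicy through an inherited grant or later applies of
    # this policy will fail — confirm.
    binding {
        role = "roles/resourcemanager.folderEditor"
        members = [
            "serviceAccount:${var.provisioning_service_account_email}",
        ]
    }
}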

# Attach the policy above to the folder. This resource is authoritative: it
# replaces the folder's entire IAM policy on every apply (drift-resistant, but
# any binding added by hand in the console is lost on the next apply).
resource "google_folder_iam_policy" "customer_folder_policy" {
  folder      = google_folder.customer_folder.name
  policy_data = data.google_iam_policy.customer_folder_policy.policy_data
}

# Two random bytes -> four hex characters appended to the bucket name, which
# must be unique across all of GCS. The value is kept in state, so the bucket
# name is stable across applies.
# NOTE(review): 65 536 suffixes is enough to avoid accidental collisions, but
# the suffix is not a secret — do not rely on it to hide the bucket name.
resource "random_id" "customer_bucket_id" {
    byte_length = 2
}

# Per-customer bucket in the shared bucket project. The name is derived from the
# group address plus a random suffix because bucket names are global.
resource "google_storage_bucket" "customer_bucket" {
    project = var.customer_bucket_project_id
    # NOTE(review): dot-free GCS bucket names are limited to 63 characters; the
    # fixed prefix, separator and suffix use 15, leaving 48 for
    # local.short_mcomm — a long group local part fails at apply time.
    name = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
    location = "US"
    storage_class = "STANDARD"

    # Disable per-object ACLs so the bucket IAM policy below is the only access
    # control on objects.
    # NOTE(review): bucket_policy_only is the deprecated name for
    # uniform_bucket_level_access in the google provider (dropped in 4.x, to my
    # recollection); rename when the provider constraint allows, and consider
    # public_access_prevention = "enforced" where the provider supports it.
    bucket_policy_only = true

    # Object versioning keeps prior generations so an overwritten or deleted
    # object can be recovered.
    versioning {
        enabled = true
    }
}

# Service account the customer uses to run Terraform. It is granted
# projectCreator on the folder and write access to the bucket by the policies
# in this file, so it carries the privileges the customer builds with.
resource "google_service_account" "customer_service_account" {
    project = var.customer_service_account_project_id
    # NOTE(review): account_id must be 6-30 characters matching
    # [a-z]([-a-z0-9]*[a-z0-9]); a local.short_mcomm longer than 27 characters,
    # starting with a digit, or containing anything other than a-z/0-9/"-" fails
    # at apply time.
    account_id   = "${local.short_mcomm}-tf"
    description = "${local.short_mcomm} Terraform Service Account"
}

# Complete IAM policy on the customer's service account (authoritative via
# google_service_account_iam_policy below).
#
# NOTE(review): roles/iam.serviceAccountKeyAdmin lets every member of the group
# mint long-lived user-managed JSON keys for this account. Each such key
# carries the account's projectCreator grant on the folder and its write access
# to the bucket, and nothing in this file rotates, expires or audits the keys.
# Prefer roles/iam.serviceAccountTokenCreator (short-lived tokens through
# impersonation, e.g. the google provider's impersonate_service_account) or
# Workload Identity Federation; if keys really are required, add key-expiry /
# rotation controls at the project or organisation level.
data "google_iam_policy" "customer_service_account_policy" {
  binding {
    role = "roles/iam.serviceAccountKeyAdmin"

    members = [
        "group:${var.mcomm_group_email}",
    ]
  }
}

# Attach the account-level policy. Authoritative: any binding granted on the
# service account outside this file is removed on apply.
resource "google_service_account_iam_policy" "customer_service_account_policy" {
  service_account_id = google_service_account.customer_service_account.name
  policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
}

# Complete IAM policy for the customer bucket (authoritative via
# google_storage_bucket_iam_policy below). With bucket_policy_only enabled this
# is the only access control on the bucket's objects, and the default
# project-level convenience bindings are dropped on apply.
data "google_iam_policy" "customer_bucket_policy" {
    # The customer's Terraform service account can write to the bucket.
    # NOTE(review): legacyBucketWriter is a legacy role; confirm it grants
    # storage.objects.get, which a Terraform GCS state backend needs to read
    # its own state back — roles/storage.objectAdmin is the non-legacy role
    # covering both read and write.
    binding {
        role = "roles/storage.legacyBucketWriter"
        members = [
            "serviceAccount:${google_service_account.customer_service_account.email}",
        ]
    }

    # Members of the customer group can read every object in the bucket.
    # NOTE(review): if the bucket holds Terraform state, that state can contain
    # secrets in plain text — confirm the whole group is meant to read it.
    binding {
        role = "roles/storage.objectViewer"
        members = [
            "group:${var.mcomm_group_email}",
        ]
    }
}

# Attach the bucket policy. Authoritative: any binding granted on the bucket
# outside this file is removed on apply.
resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
    bucket = google_storage_bucket.customer_bucket.name
    policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}

// TODO: create a per-customer Git repository

// TODO: write this customer's details to the customer database

# resource "google_billing_subaccount" "customer_subaccount" {
#     display_name = "${local.short_mcomm}"
#     master_billing_account = var.master_billing_account_id
#     rename_on_destroy = true
# }

# resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
#     billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
#     policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
# }

# data "google_iam_policy" "customer_billing_account_policy" {
#     binding {
#         role = "roles/billing.user"

#         members = [
#             # NOTE(review): a service account member needs the "serviceAccount:"
#             # prefix and the account email; ".name" is the full resource path.
#             "serviceAccount:${google_service_account.customer_service_account.email}",
#         ]
#     }

#     binding {
#         # NOTE(review): hard-coded organisation number; move it to a variable so
#         # this module is not tied to a single organisation.
#         role = "organizations/715302536254/roles/UM_billingUser"

#         members = [
#             "group:${var.mcomm_group_email}",
#         ]
#     }
# }