
Commit 0471b333 authored by Adam Robinson's avatar Adam Robinson

terraform fmt

parent 2f1eb4ed
locals {
short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))
customer_service_account_suffix = "-${var.division}-tf"
customer_service_account_prefix = substr(local.short_mcomm,0,30-length(local.customer_service_account_suffix))
customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
division_folder_ids = {
dev = {
//its = ""
}
test = {
its = "folders/1065543734594"
campus = "folders/694924320608"
mm = "folders/841027711031"
hipaa = "folders/607376512236"
}
prod = {
its = "folders/666809107084"
campus = "folders/1013928641872"
mm = "folders/332243639992"
hipaa = "folders/293380204207"
}
short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0], ".", "-"))
customer_service_account_suffix = "-${var.division}-tf"
customer_service_account_prefix = substr(local.short_mcomm, 0, 30 - length(local.customer_service_account_suffix))
customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
division_folder_ids = {
dev = {
//its = ""
}
test = {
its = "folders/1065543734594"
campus = "folders/694924320608"
mm = "folders/841027711031"
hipaa = "folders/607376512236"
}
prod = {
its = "folders/666809107084"
campus = "folders/1013928641872"
mm = "folders/332243639992"
hipaa = "folders/293380204207"
}
master_billing_account_id = {
//dev = ""
test = "01D8BC-7D5855-0BC393"
prod = "01D8BC-7D5855-0BC393"
}
database_function_url = {
//dev = ""
test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
}
curl_body = {
kind = "billing"
billingAccountId = google_billing_subaccount.customer_subaccount.billing_account_id
billing_contact = var.billing_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
retain_logs = var.division == "hipaa" || var.audit_logs_access != "" ? true : false # if division is hipaa OR audit_logs_access is not an empty string enable audit logs access
retain_logs_bq = {
enable = var.division == "hipaa" ? true: var.retain_logs_bigquery["enable"]
retention_days = var.division == "hipaa" ? 14 : var.retain_logs_bigquery["retention_days"]
}
retain_logs_gcs = {
enable = var.division == "hipaa" ? true: var.retain_logs_gcs["enable"]
storage_class = var.division == "hipaa" ? "COLDLINE": var.retain_logs_gcs["storage_class"]
retention_days = var.division == "hipaa" ? 1100 : var.retain_logs_gcs["retention_days"]
}
}
master_billing_account_id = {
//dev = ""
test = "01D8BC-7D5855-0BC393"
prod = "01D8BC-7D5855-0BC393"
}
database_function_url = {
//dev = ""
test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
}
curl_body = {
kind = "billing"
billingAccountId = google_billing_subaccount.customer_subaccount.billing_account_id
billing_contact = var.billing_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
retain_logs = var.division == "hipaa" || var.audit_logs_access != "" ? true : false # if division is hipaa OR audit_logs_access is not an empty string enable audit logs access
retain_logs_bq = {
enable = var.division == "hipaa" ? true : var.retain_logs_bigquery["enable"]
retention_days = var.division == "hipaa" ? 14 : var.retain_logs_bigquery["retention_days"]
}
retain_logs_gcs = {
enable = var.division == "hipaa" ? true : var.retain_logs_gcs["enable"]
storage_class = var.division == "hipaa" ? "COLDLINE" : var.retain_logs_gcs["storage_class"]
retention_days = var.division == "hipaa" ? 1100 : var.retain_logs_gcs["retention_days"]
}
}
module "audit" {
# count = var.division == "hipaa" ? 1: 0
count = local.retain_logs ? 1:0
source = "./modules/terraform-google-gcp-at-um-customer-audit/"
division = var.division
billing_id = google_billing_subaccount.customer_subaccount.billing_account_id
folder_id = google_folder.customer_folder.id
mcomm_group_email = var.mcomm_group_email
database_function_url = local.database_function_url[var.environment]
shortcode = var.shortcode
environment = var.environment
audit_logs_access = var.audit_logs_access
big_query = local.retain_logs_bq["enable"]
big_query_retention = local.retain_logs_bq["retention_days"]
gcs = local.retain_logs_gcs["enable"]
gcs_storage_class = local.retain_logs_gcs["storage_class"]
gcs_expiration_days = local.retain_logs_gcs["retention_days"]
# count = var.division == "hipaa" ? 1: 0
count = local.retain_logs ? 1 : 0
source = "./modules/terraform-google-gcp-at-um-customer-audit/"
division = var.division
billing_id = google_billing_subaccount.customer_subaccount.billing_account_id
folder_id = google_folder.customer_folder.id
mcomm_group_email = var.mcomm_group_email
database_function_url = local.database_function_url[var.environment]
shortcode = var.shortcode
environment = var.environment
audit_logs_access = var.audit_logs_access
big_query = local.retain_logs_bq["enable"]
big_query_retention = local.retain_logs_bq["retention_days"]
gcs = local.retain_logs_gcs["enable"]
gcs_storage_class = local.retain_logs_gcs["storage_class"]
gcs_expiration_days = local.retain_logs_gcs["retention_days"]
}
resource "google_folder" "customer_folder" {
display_name = var.folder_display_name == "" ? local.short_mcomm : var.folder_display_name
parent = local.division_folder_ids[var.environment][var.division]
display_name = var.folder_display_name == "" ? local.short_mcomm : var.folder_display_name
parent = local.division_folder_ids[var.environment][var.division]
}
data "google_iam_policy" "customer_folder_policy" {
binding {
role = "roles/browser"
members = [
"group:${var.mcomm_group_email}",
]
}
binding {
role = "roles/browser"
members = [
"group:${var.mcomm_group_email}",
]
}
binding {
role = "roles/cloudasset.viewer"
members = [
"group:${var.mcomm_group_email}",
]
}
binding {
role = "roles/cloudasset.viewer"
members = [
"group:${var.mcomm_group_email}",
]
}
binding {
role = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
members = [
"group:${var.mcomm_group_email}",
]
}
binding {
role = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
members = [
"group:${var.mcomm_group_email}",
]
}
dynamic "binding" {
for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
content {
role = binding.value
members = [
"group:${var.mcomm_group_email}",
]
}
dynamic "binding" {
for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
content {
role = binding.value
members = [
"group:${var.mcomm_group_email}",
]
}
}
binding {
role = "roles/resourcemanager.projectCreator"
members = [
"serviceAccount:${google_service_account.customer_service_account.email}",
]
}
binding {
role = "roles/resourcemanager.projectCreator"
members = [
"serviceAccount:${google_service_account.customer_service_account.email}",
]
}
binding {
role = "roles/resourcemanager.folderEditor"
members = [
"serviceAccount:${var.provisioning_service_account_email}",
]
}
binding {
role = "roles/resourcemanager.folderEditor"
members = [
"serviceAccount:${var.provisioning_service_account_email}",
]
}
}
resource "google_folder_iam_policy" "customer_folder_policy" {
......@@ -127,26 +127,26 @@ resource "google_folder_iam_policy" "customer_folder_policy" {
}
resource "random_id" "customer_bucket_id" {
byte_length = 2
byte_length = 2
}
resource "google_storage_bucket" "customer_bucket" {
project = var.customer_bucket_project_id
name = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
location = "US"
storage_class = "STANDARD"
project = var.customer_bucket_project_id
name = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
location = "US"
storage_class = "STANDARD"
uniform_bucket_level_access = true
uniform_bucket_level_access = true
versioning {
enabled = true
}
versioning {
enabled = true
}
}
resource "google_service_account" "customer_service_account" {
project = var.customer_service_account_project_id
account_id = local.customer_service_account_id
description = "${local.short_mcomm} Terraform Service Account"
project = var.customer_service_account_project_id
account_id = local.customer_service_account_id
description = "${local.short_mcomm} Terraform Service Account"
}
data "google_iam_policy" "customer_service_account_policy" {
......@@ -154,7 +154,7 @@ data "google_iam_policy" "customer_service_account_policy" {
role = "roles/iam.serviceAccountKeyAdmin"
members = [
"group:${var.mcomm_group_email}",
"group:${var.mcomm_group_email}",
]
}
}
......@@ -165,70 +165,70 @@ resource "google_service_account_iam_policy" "customer_service_account_policy" {
}
data "google_iam_policy" "customer_bucket_policy" {
binding {
role = "roles/storage.legacyBucketWriter"
members = [
"serviceAccount:${google_service_account.customer_service_account.email}",
]
}
binding {
role = "roles/storage.legacyBucketWriter"
members = [
"serviceAccount:${google_service_account.customer_service_account.email}",
]
}
binding {
role = "roles/storage.objectViewer"
members = [
"group:${var.mcomm_group_email}",
]
}
binding {
role = "roles/storage.objectViewer"
members = [
"group:${var.mcomm_group_email}",
]
}
}
resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
bucket = google_storage_bucket.customer_bucket.name
policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
bucket = google_storage_bucket.customer_bucket.name
policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}
data "google_service_account_id_token" "customer_db_token" {
target_audience = local.database_function_url[var.environment]
target_audience = local.database_function_url[var.environment]
}
resource "null_resource" "customer_database" {
triggers = {
billingAccountId = google_billing_subaccount.customer_subaccount.billing_account_id
billing_contact = var.billing_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
triggers = {
billingAccountId = google_billing_subaccount.customer_subaccount.billing_account_id
billing_contact = var.billing_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
provisioner "local-exec" {
command = "curl ${local.database_function_url[var.environment]} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
}
provisioner "local-exec" {
command = "curl ${local.database_function_url[var.environment]} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
}
}
// Need to make a customer Git repo
resource "google_billing_subaccount" "customer_subaccount" {
display_name = local.short_mcomm
master_billing_account = local.master_billing_account_id[var.environment]
deletion_policy = "RENAME_ON_DESTROY"
display_name = local.short_mcomm
master_billing_account = local.master_billing_account_id[var.environment]
deletion_policy = "RENAME_ON_DESTROY"
}
resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
policy_data = data.google_iam_policy.customer_billing_account_policy.policy_data
billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
policy_data = data.google_iam_policy.customer_billing_account_policy.policy_data
}
data "google_iam_policy" "customer_billing_account_policy" {
binding {
role = "roles/billing.user"
binding {
role = "roles/billing.user"
members = [
"serviceAccount:${google_service_account.customer_service_account.email}",
]
}
members = [
"serviceAccount:${google_service_account.customer_service_account.email}",
]
}
binding {
role = "organizations/715302536254/roles/UM_billingUser"
binding {
role = "organizations/715302536254/roles/UM_billingUser"
members = [
"group:${var.mcomm_group_email}",
]
}
members = [
"group:${var.mcomm_group_email}",
]
}
}
locals {
short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0],".","-"))
project_id_prefix = "${var.division}-audit-"
project_id_customer = substr(local.short_mcomm,0,30-5-length(local.project_id_prefix))
project_id = "${local.project_id_prefix}${local.project_id_customer}-${random_id.id[0].hex}"
project_name = substr("${var.division} Audit ${local.short_mcomm}",0,30)
security_contact = "security@umich.edu"
# customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
log_filter_list = [
"log_id(\"cloudaudit.googleapis.com/activity\")",
"log_id(\"externalaudit.googleapis.com/activity\")",
"log_id(\"cloudaudit.googleapis.com/system_event\")",
"log_id(\"externalaudit.googleapis.com/system_event\")",
"log_id(\"cloudaudit.googleapis.com/access_transparency\")",
"log_id(\"externalaudit.googleapis.com/access_transparency\")",
"log_id(\"cloudaudit.googleapis.com/data_access\")",
"log_id(\"externalaudit.googleapis.com/data_access\")",
"log_id(\"compute.googleapis.com/vpc_flows\")",
]
log_filters = join(" OR ", local.log_filter_list)
curl_body = {
kind = "project"
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
vpn = false
dt_phi = true
dt_ferpa = false
dt_pii = false
dt_glba = false
dt_hsr = false
dt_ssn = false
dt_acp = false
dt_it_sec_info = true
dt_itar = false
dt_pci = false
dt_fisma = false
dt_other_data = false
dt_other_data_info = ""
short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0], ".", "-"))
project_id_prefix = "${var.division}-audit-"
project_id_customer = substr(local.short_mcomm, 0, 30 - 5 - length(local.project_id_prefix))
project_id = "${local.project_id_prefix}${local.project_id_customer}-${random_id.id[0].hex}"
project_name = substr("${var.division} Audit ${local.short_mcomm}", 0, 30)
security_contact = "security@umich.edu"
# customer_service_account_id = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"
filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
log_filter_list = [
"log_id(\"cloudaudit.googleapis.com/activity\")",
"log_id(\"externalaudit.googleapis.com/activity\")",
"log_id(\"cloudaudit.googleapis.com/system_event\")",
"log_id(\"externalaudit.googleapis.com/system_event\")",
"log_id(\"cloudaudit.googleapis.com/access_transparency\")",
"log_id(\"externalaudit.googleapis.com/access_transparency\")",
"log_id(\"cloudaudit.googleapis.com/data_access\")",
"log_id(\"externalaudit.googleapis.com/data_access\")",
"log_id(\"compute.googleapis.com/vpc_flows\")",
]
log_filters = join(" OR ", local.log_filter_list)
curl_body = {
kind = "project"
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
vpn = false
dt_phi = true
dt_ferpa = false
dt_pii = false
dt_glba = false
dt_hsr = false
dt_ssn = false
dt_acp = false
dt_it_sec_info = true
dt_itar = false
dt_pci = false
dt_fisma = false
dt_other_data = false
dt_other_data_info = ""
}
log_export_project = split("/", local.log_export_destination[var.environment][var.division])[2]
log_export_destination = {
//dev = ""
test = {
its = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
campus = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
# michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
mm = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/hipaa-logs-test"
# "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
}
log_export_project = split("/",local.log_export_destination[var.environment][var.division])[2]
log_export_destination = {
//dev = ""
test = {
its = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
campus = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
# michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
mm = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/hipaa-logs-test"
# "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-test"
}
prod = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
# michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
mm = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-prod" # "pubsub.googleapis.com/projects/${var.division}-logs-${var.environment}"
}
prod = {
its = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
campus = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
# michigan_medicine = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
mm = "pubsub.googleapis.com/projects/gcp-at-um-test-mon/topics/gcp-at-um-logs-test"
hipaa = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/hipaa-logs-prod" # "pubsub.googleapis.com/projects/${var.division}-logs-${var.environment}"
}
}
big_query_enabled = var.big_query ? 1 : 0
gcs_enabled = var.gcs ? 1 : 0
big_query_or_gcs_enabled = var.gcs || var.big_query ? 1 : 0
big_query_enabled = var.big_query ? 1 : 0
gcs_enabled = var.gcs ? 1 : 0
big_query_or_gcs_enabled = var.gcs || var.big_query ? 1 : 0
gcs_expiration_seconds = (var.gcs_expiration_days - 1) * 24 * 60 * 60
gcs_expiration_seconds = (var.gcs_expiration_days - 1) * 24 * 60 * 60
}
resource "google_project" "gcp_project" {
count = local.big_query_or_gcs_enabled
name = local.project_name
project_id = local.project_id
folder_id = var.folder_id
billing_account = var.billing_id
auto_create_network = false
labels = {
"shortcode" = var.shortcode
}
lifecycle {
resource "google_project" "gcp_project" {
count = local.big_query_or_gcs_enabled
name = local.project_name
project_id = local.project_id
folder_id = var.folder_id
billing_account = var.billing_id
auto_create_network = false
labels = {
"shortcode" = var.shortcode
}
lifecycle {
ignore_changes = [
project_id,
project_id,
name,
]
}
......@@ -115,11 +115,11 @@ module "destination_bq" {
}
resource "google_bigquery_dataset_iam_binding" "bq_user" {
count = local.big_query_enabled
project = google_project.gcp_project[0].project_id
dataset_id = module.destination_bq[0].resource_name
role = "roles/bigquery.user"
members = [
count = local.big_query_enabled
project = google_project.gcp_project[0].project_id
dataset_id = module.destination_bq[0].resource_name
role = "roles/bigquery.user"
members = [
# "user:kenmoore@umich.edu",
"group:${var.audit_logs_access}",
"group:${var.mcomm_group_email}"
......@@ -136,27 +136,27 @@ resource "google_bigquery_dataset_iam_binding" "bq_user" {
# ]
# }
data "google_service_account_id_token" "customer_db_token" {
target_audience = var.database_function_url
target_audience = var.database_function_url
}
resource "null_resource" "customer_database" {
triggers = {
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
triggers = {
security_contact = local.security_contact
mcomm_group_email = var.mcomm_group_email
shortcode = var.shortcode
}
provisioner "local-exec" {
command = "curl ${var.database_function_url} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
}
provisioner "local-exec" {
command = "curl ${var.database_function_url} -H \"Authorization: Bearer ${data.google_service_account_id_token.customer_db_token.id_token}\" -H \"Content-Type: application/json\" -d '${jsonencode(local.curl_body)}'"
}
}