# Per-customer landing zone: a folder under the division folder, a Terraform
# service account, and a versioned bucket, each with an IAM policy.
#
# All IAM here is attached through *_iam_policy resources fed by
# google_iam_policy data sources. Those are authoritative: each apply replaces
# the complete policy of the folder / service account / bucket, so any binding
# added outside Terraform is removed on the next apply. That is a feature for
# drift control, but it also means these policies are the single source of
# truth for who can do what on these objects.

locals {
  # Local part of the group address with "." rewritten to "-" and lower-cased.
  # It doubles as folder display name, bucket-name prefix and service-account
  # id prefix, so it has to satisfy the naming rules of all three.
  # NOTE(review): only "." is rewritten; any other character in the local
  # part (e.g. "_" or "+") is passed through unchanged and would be rejected
  # by the bucket / account_id naming rules — confirm the expected inputs.
  short_mcomm = lower(replace(element(split("@", var.mcomm_group_email), 0), ".", "-"))

  # IAM member strings shared by the policies below.
  customer_group_member  = "group:${var.mcomm_group_email}"
  customer_sa_member     = "serviceAccount:${google_service_account.customer_service_account.email}"
  provisioning_sa_member = "serviceAccount:${var.provisioning_service_account_email}"
}

# ---------------------------------------------------------------------------
# Terraform service account for the customer
# ---------------------------------------------------------------------------

resource "google_service_account" "customer_service_account" {
  project     = var.customer_service_account_project_id
  account_id  = "${local.short_mcomm}-tf"
  description = "${local.short_mcomm} Terraform Service Account"
}

# Who may manage the service account itself (not what the account can do).
data "google_iam_policy" "customer_service_account_policy" {
  # NOTE(review): serviceAccountKeyAdmin lets every member of the customer
  # group mint user-managed (long-lived) keys for an account that holds
  # projectCreator on the folder and write access on the bucket below.
  # If the intent is only to let the group act as the account, the
  # short-lived alternative is roles/iam.serviceAccountTokenCreator
  # (impersonation); if key creation is required, key-creation events on this
  # account are worth alerting on.
  binding {
    role    = "roles/iam.serviceAccountKeyAdmin"
    members = [
      local.customer_group_member,
    ]
  }
}

resource "google_service_account_iam_policy" "customer_service_account_policy" {
  service_account_id = google_service_account.customer_service_account.name
  policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
}

# ---------------------------------------------------------------------------
# Customer folder
# ---------------------------------------------------------------------------

resource "google_folder" "customer_folder" {
  display_name = local.short_mcomm
  # Parent folder is looked up per division from the supplied map.
  parent = lookup(var.division_folder_ids, var.division)
}

data "google_iam_policy" "customer_folder_policy" {
  # Customer group: read-only visibility of the folder tree.
  binding {
    role    = "roles/browser"
    members = [
      local.customer_group_member,
    ]
  }

  binding {
    role    = "roles/resourcemanager.folderViewer"
    members = [
      local.customer_group_member,
    ]
  }

  # Customer Terraform account: may create projects under the folder.
  binding {
    role    = "roles/resourcemanager.projectCreator"
    members = [
      local.customer_sa_member,
    ]
  }

  # Central provisioning account: may edit the folder itself.
  binding {
    role    = "roles/resourcemanager.folderEditor"
    members = [
      local.provisioning_sa_member,
    ]
  }
}

resource "google_folder_iam_policy" "customer_folder_policy" {
  folder      = google_folder.customer_folder.name
  policy_data = data.google_iam_policy.customer_folder_policy.policy_data
}

# ---------------------------------------------------------------------------
# Customer bucket
# ---------------------------------------------------------------------------

# Two random bytes -> four hex characters appended to the bucket name so the
# globally unique name does not collide across customers with the same prefix.
resource "random_id" "customer_bucket_id" {
  byte_length = 2
}

resource "google_storage_bucket" "customer_bucket" {
  project       = var.customer_bucket_project_id
  name          = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
  location      = "US"
  storage_class = "STANDARD"

  # Disables per-object ACLs so the IAM policy below is the only access
  # control on the bucket.
  # NOTE(review): bucket_policy_only is deprecated in newer google provider
  # versions in favour of uniform_bucket_level_access; kept as written since
  # the provider version is not pinned in this file.
  bucket_policy_only = true

  # Object versions are retained, which keeps a history of overwritten or
  # deleted objects (useful when this holds Terraform state).
  versioning {
    enabled = true
  }
}

data "google_iam_policy" "customer_bucket_policy" {
  # Customer Terraform account: write access via the legacy bucket role.
  binding {
    role    = "roles/storage.legacyBucketWriter"
    members = [
      local.customer_sa_member,
    ]
  }

  # Customer group: read-only access to object contents.
  binding {
    role    = "roles/storage.objectViewer"
    members = [
      local.customer_group_member,
    ]
  }
}

resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
  bucket      = google_storage_bucket.customer_bucket.name
  policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}

# TODO: Need to make a customer Git repo
# TODO: Need to write to a customer database

# ---------------------------------------------------------------------------
# Billing sub-account (not yet enabled)
# ---------------------------------------------------------------------------
# NOTE(review): before enabling, the first billing binding below uses
# "user:" with the service account's .name (its full resource name); IAM
# members for a service account are written as
# "serviceAccount:${google_service_account.customer_service_account.email}",
# as done for the other policies in this file.
#
# resource "google_billing_subaccount" "customer_subaccount" {
#   display_name           = "${local.short_mcomm}"
#   master_billing_account = var.master_billing_account_id
#   rename_on_destroy      = true
# }
#
# resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
#   billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
#   policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
# }
#
# data "google_iam_policy" "customer_billing_account_policy" {
#   binding {
#     role = "roles/billing.user"
#     members = [
#       "user:${google_service_account.customer_service_account.name}",
#     ]
#   }
#   binding {
#     role = "organizations/715302536254/roles/UM_billingUser"
#     members = [
#       "group:${var.mcomm_group_email}",
#     ]
#   }
# }