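# Provisions one GCP at UM "customer" tenancy: a folder under the division /
# environment folder tree, a billing sub-account, a Terraform service account,
# a storage bucket, the IAM policies that bind the customer's MCommunity group
# to those resources, and a registration call to the customer database.

locals {
  # Local part of the MCommunity group address, lower-cased with dots replaced
  # by hyphens; used as the base for the folder, bucket and service account names.
  short_mcomm = lower(replace(split("@", var.mcomm_group_email)[0], ".", "-"))

  # Service account IDs are capped at 30 characters, so the mcomm-derived
  # prefix is truncated to leave room for the "-<division>-tf" suffix.
  customer_service_account_suffix = "-${var.division}-tf"
  customer_service_account_prefix = substr(local.short_mcomm, 0, 30 - length(local.customer_service_account_suffix))
  customer_service_account_id     = "${local.customer_service_account_prefix}${local.customer_service_account_suffix}"

  # Parent folder per environment and division. "dev" has no folder IDs yet,
  # so var.environment = "dev" cannot currently be applied.
  division_folder_ids = {
    dev = {
      //its = ""
    }
    test = {
      its    = "folders/100600555387"
      campus = "folders/549439339393"
      mm     = "folders/783942636538"
      hipaa  = "folders/607376512236"
    }
    prod = {
      its    = "folders/666809107084"
      campus = "folders/1013928641872"
      mm     = "folders/332243639992"
      hipaa  = "folders/293380204207"
    }
  }

  # Master billing account that the customer sub-account is created under.
  master_billing_account_id = {
    //dev = ""
    test = "01D8BC-7D5855-0BC393"
    prod = "01D8BC-7D5855-0BC393"
  }

  # Cloud Function that records customers in the customer database.
  database_function_url = {
    //dev = ""
    test = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db" # Need a test DB
    prod = "https://us-central1-gcp-at-um-db.cloudfunctions.net/customer_db"
  }

  # JSON payload posted to the customer database function.
  curl_body = {
    kind              = "billing"
    billingAccountId  = google_billing_subaccount.customer_subaccount.billing_account_id
    billing_contact   = var.billing_contact
    mcomm_group_email = var.mcomm_group_email
    shortcode         = var.shortcode
  }
}

# Extra audit-log plumbing is only provisioned for HIPAA customers.
module "audit" {
  count  = var.division == "hipaa" ? 1 : 0
  source = "./modules/terraform-google-gcp-at-um-customer-audit/"

  division              = var.division
  billing_id            = google_billing_subaccount.customer_subaccount.billing_account_id
  folder_id             = google_folder.customer_folder.id
  mcomm_group_email     = var.mcomm_group_email
  database_function_url = local.database_function_url[var.environment]
  shortcode             = var.shortcode
  environment           = var.environment
  audit_logs_access     = var.audit_logs_access
}

# Customer folder; the display name defaults to the mcomm-derived short name.
resource "google_folder" "customer_folder" {
  display_name = var.folder_display_name == "" ? local.short_mcomm : var.folder_display_name
  parent       = local.division_folder_ids[var.environment][var.division]
}

# Folder policy: the customer group can browse, the customer's Terraform service
# account can create projects, and the provisioning account keeps folder editing.
# This is an authoritative policy (google_folder_iam_policy), so any binding not
# listed here is removed from the folder on apply.
data "google_iam_policy" "customer_folder_policy" {
  binding {
    role = "roles/browser"
    members = [
      "group:${var.mcomm_group_email}",
    ]
  }

  binding {
    role = "organizations/715302536254/roles/GCP_at_UM_Customer_Folder_Viewer"
    members = [
      "group:${var.mcomm_group_email}",
    ]
  }

  # Shared VPC admin is granted on the folder only when the customer asked for it.
  dynamic "binding" {
    for_each = var.customer_is_shared_vpc_admin ? ["roles/compute.xpnAdmin"] : []
    content {
      role = binding.value
      members = [
        "group:${var.mcomm_group_email}",
      ]
    }
  }

  binding {
    role = "roles/resourcemanager.projectCreator"
    members = [
      "serviceAccount:${google_service_account.customer_service_account.email}",
    ]
  }

  binding {
    role = "roles/resourcemanager.folderEditor"
    members = [
      "serviceAccount:${var.provisioning_service_account_email}",
    ]
  }
}

resource "google_folder_iam_policy" "customer_folder_policy" {
  folder      = google_folder.customer_folder.name
  policy_data = data.google_iam_policy.customer_folder_policy.policy_data
}

# Random suffix so the globally-unique bucket name does not collide across customers.
resource "random_id" "customer_bucket_id" {
  byte_length = 2
}

# Customer bucket (written by the customer's Terraform service account, see the
# bucket policy below). Versioning is on so overwritten objects can be recovered.
resource "google_storage_bucket" "customer_bucket" {
  project                     = var.customer_bucket_project_id
  name                        = "gcp-at-um-${local.short_mcomm}-${random_id.customer_bucket_id.hex}"
  location                    = "US"
  storage_class               = "STANDARD"
  uniform_bucket_level_access = true

  # NOTE(review): if the provider version in use supports it, setting
  # public_access_prevention = "enforced" would additionally block any
  # allUsers / allAuthenticatedUsers grant on this bucket.

  versioning {
    enabled = true
  }
}

# Terraform service account the customer uses inside their folder.
resource "google_service_account" "customer_service_account" {
  project     = var.customer_service_account_project_id
  account_id  = local.customer_service_account_id
  description = "${local.short_mcomm} Terraform Service Account"
}

# The customer group may mint and revoke user-managed keys for its service
# account. Those keys are long-lived credentials; their creation is worth
# monitoring in the audit logs.
data "google_iam_policy" "customer_service_account_policy" {
  binding {
    role = "roles/iam.serviceAccountKeyAdmin"
    members = [
      "group:${var.mcomm_group_email}",
    ]
  }
}

resource "google_service_account_iam_policy" "customer_service_account_policy" {
  service_account_id = google_service_account.customer_service_account.name
  policy_data        = data.google_iam_policy.customer_service_account_policy.policy_data
}

# Bucket policy: the service account writes, the customer group reads.
data "google_iam_policy" "customer_bucket_policy" {
  binding {
    role = "roles/storage.legacyBucketWriter"
    members = [
      "serviceAccount:${google_service_account.customer_service_account.email}",
    ]
  }

  binding {
    role = "roles/storage.objectViewer"
    members = [
      "group:${var.mcomm_group_email}",
    ]
  }
}

resource "google_storage_bucket_iam_policy" "customer_bucket_policy" {
  bucket      = google_storage_bucket.customer_bucket.name
  policy_data = data.google_iam_policy.customer_bucket_policy.policy_data
}

# OIDC identity token for the running identity, scoped to the database function.
data "google_service_account_id_token" "customer_db_token" {
  target_audience = local.database_function_url[var.environment]
}

# Registers the customer in the customer database.
resource "null_resource" "customer_database" {
  # Re-run the registration whenever one of the recorded fields changes.
  triggers = {
    billingAccountId  = google_billing_subaccount.customer_subaccount.billing_account_id
    billing_contact   = var.billing_contact
    mcomm_group_email = var.mcomm_group_email
    shortcode         = var.shortcode
  }

  # The token, URL and JSON body are handed to curl through the environment
  # rather than interpolated into the command string: local-exec echoes the
  # command it runs into the apply output, which would expose the bearer token,
  # and a quote character in billing_contact or another input would otherwise
  # break out of the single-quoted JSON argument. --fail turns a non-2xx
  # response from the function into an apply error instead of silently leaving
  # the customer unregistered.
  provisioner "local-exec" {
    command = "curl --silent --show-error --fail \"$DB_URL\" -H \"Authorization: Bearer $DB_TOKEN\" -H \"Content-Type: application/json\" -d \"$DB_BODY\""
    environment = {
      DB_URL   = local.database_function_url[var.environment]
      DB_TOKEN = data.google_service_account_id_token.customer_db_token.id_token
      DB_BODY  = jsonencode(local.curl_body)
    }
  }
}

// Need to make a customer Git repo

# Billing sub-account under the master account; renamed rather than closed on destroy.
resource "google_billing_subaccount" "customer_subaccount" {
  display_name           = local.short_mcomm
  master_billing_account = local.master_billing_account_id[var.environment]
  deletion_policy        = "RENAME_ON_DESTROY"
}

resource "google_billing_account_iam_policy" "customer_billing_account_policy" {
  billing_account_id = google_billing_subaccount.customer_subaccount.billing_account_id
  policy_data        = data.google_iam_policy.customer_billing_account_policy.policy_data
}

# Billing policy: the service account can link projects to the sub-account, and
# the customer group gets the organization's custom billing-user role.
data "google_iam_policy" "customer_billing_account_policy" {
  binding {
    role = "roles/billing.user"
    members = [
      "serviceAccount:${google_service_account.customer_service_account.email}",
    ]
  }

  binding {
    role = "organizations/715302536254/roles/UM_billingUser"
    members = [
      "group:${var.mcomm_group_email}",
    ]
  }
}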