resource "google_project_iam_binding" "datalab_service_account_iam_binding" {
    // Lets every service account listed in local.datalab_service_account_readers
    // run BigQuery jobs in the "data" project.
    //
    // NOTE(review): google_project_iam_binding is authoritative for the role.
    // On apply it replaces *all* members of roles/bigquery.jobUser in this
    // project with the list below, removing any member granted elsewhere
    // (console, gcloud, another module). Use google_project_iam_member if the
    // grant is meant to be additive. A google_service_account_iam_binding
    // further down reuses this local name; the two are distinct addresses
    // because the resource types differ.
    role    = "roles/bigquery.jobUser"
    project = google_project.hipaa_project["data"].project_id

    members = [
        for sa_email in local.datalab_service_account_readers :
        "serviceAccount:${sa_email}"
    ]
}

resource "google_project_service" "sourcerepo-api" {
    // Enables the Cloud Source Repositories API in every worker project so the
    // datalab-notebooks repository below can be created there.
    //
    // The provider default disable_on_destroy = true applies: dropping a
    // project from local.worker_projects disables the API in that project,
    // not merely Terraform's tracking of it.
    for_each = { for project_key in local.worker_projects : project_key => project_key }

    service = "sourcerepo.googleapis.com"
    project = google_project.hipaa_project[each.key].project_id
}

resource "google_sourcerepo_repository" "datalab-notebooks" {
    // One "datalab-notebooks" Cloud Source Repository per worker project —
    // presumably the backing store for that project's Datalab notebooks.
    //
    // depends_on names the whole google_project_service resource, so each
    // repository waits for the API to be enabled in *every* worker project,
    // not just its own. Harmless, but it serialises the first apply.
    for_each = { for project_key in local.worker_projects : project_key => project_key }

    project = google_project.hipaa_project[each.key].project_id
    name    = "datalab-notebooks"

    depends_on = [google_project_service.sourcerepo-api]
}

resource "google_compute_network" "datalab-network" {
    // Dedicated VPC for the Datalab instances of each worker project.
    //
    // NOTE(review): auto_create_subnetworks = true makes this an auto-mode
    // VPC — one subnet per region, drawn from the predefined 10.128.0.0/9
    // ranges, including regions Datalab never uses. A custom-mode network
    // with a single explicit subnet in var.datalab_zone's region is the
    // tighter choice for a HIPAA environment; confirm nothing (e.g. the
    // subnet `datalab create` picks) relies on auto mode before changing it.
    for_each = { for project_key in local.worker_projects : project_key => project_key }

    project     = google_project.hipaa_project[each.key].project_id
    name        = "datalab-network"
    description = "Network for Google Cloud Datalab instances"

    auto_create_subnetworks = true
}

resource "google_compute_firewall" "datalab-network-allow-ssh" {
    // Ingress rule admitting TCP/22 into datalab-network from the listed
    // CIDRs only.
    //
    // NOTE(review): no target_tags / target_service_accounts are set, so the
    // rule applies to every instance on the network, not only Datalab VMs;
    // add a target if any other workload ever shares this VPC.
    // The source list is maintained by hand — presumably Google-owned address
    // space used by the Datalab connection path — and should be re-checked
    // against its published source on review: a stale list either breaks
    // `datalab connect` or leaves ranges open that are no longer needed.
    for_each = { for project_key in local.worker_projects : project_key => project_key }

    project     = google_project.hipaa_project[each.key].project_id
    network     = google_compute_network.datalab-network[each.key].name
    name        = "datalab-network-allow-ssh"
    description = "Allow SSH access to Datalab instances"

    // Both values are the provider defaults; spelled out so a reader does
    // not have to look them up.
    direction = "INGRESS"
    priority  = 1000

    allow {
        protocol = "tcp"
        ports    = ["22"]
    }

    source_ranges = [
        "35.190.247.0/24",
        "64.233.160.0/19",
        "66.102.0.0/20",
        "66.249.80.0/20",
        "72.14.192.0/18",
        "74.125.0.0/16",
        "108.177.8.0/21",
        "173.194.0.0/16",
        "209.85.128.0/17",
        "216.58.192.0/19",
        "216.239.32.0/19",
        "172.217.0.0/19",
        "172.217.32.0/20",
        "172.217.128.0/19",
        "172.217.160.0/20",
        "172.217.192.0/19",
        "108.177.96.0/19",
        "35.191.0.0/16",
        "130.211.0.0/22",
    ]
}

resource "google_project_iam_binding" "view_compute_instances" {
    // Grants each worker project's user group read-only visibility of Compute
    // resources — presumably so users can find their Datalab VM in the
    // console.
    //
    // NOTE(review): authoritative binding — any other member of
    // roles/compute.viewer in the project is removed on apply. Use
    // google_project_iam_member if other grants of this role must coexist.
    for_each = { for project_key in local.worker_projects : project_key => project_key }

    project = google_project.hipaa_project[each.key].project_id
    role    = "roles/compute.viewer"
    members = ["group:${local.worker_project_email[each.key]}"]
}

resource "google_service_account" "datalab_service_account" {
    // One service account per Datalab user, created in that user's worker
    // project (var.datalab_user_list apparently maps user email => project
    // key, given the split on "@" and the hipaa_project lookup below).
    //
    // NOTE(review): a service account id must be 6–30 characters of lowercase
    // letters, digits and hyphens, starting with a letter. The local part of
    // the email is used verbatim, so an entry such as "First.Last@…" or
    // "a+b@…" fails at apply time; nothing here normalises case, characters
    // or length.
    for_each = var.datalab_user_list

    project    = google_project.hipaa_project[each.value].project_id
    account_id = "datalab-${split("@", each.key)[0]}"
}

resource "google_service_account_iam_binding" "datalab_service_account_iam_binding" {
    // Lets each user act as their own Datalab service account, which
    // `datalab create` attaches to the VM via --service-account.
    //
    // NOTE(review): authoritative for roles/iam.serviceAccountUser on the
    // service account — the user becomes the *only* member with that role.
    // That is the intended one-user-per-SA shape here, but any operator or
    // automation identity added out of band is removed on the next apply.
    // Shares its local name with the google_project_iam_binding at the top of
    // the file; the addresses differ by resource type.
    for_each = var.datalab_user_list

    service_account_id = google_service_account.datalab_service_account[each.key].name
    role               = "roles/iam.serviceAccountUser"
    members            = ["user:${each.key}"]
}

data "google_iam_policy" "datalab_user_to_instance_policy" {
    // Full IAM policy document for each user's Datalab VM: the user alone
    // holds roles/compute.instanceAdmin.v1 on it.
    //
    // NOTE(review): when applied through google_compute_instance_iam_policy
    // this document *is* the instance policy — every other binding on the VM
    // (operators, automation) is dropped. instanceAdmin.v1 also lets the
    // holder edit instance metadata, including SSH keys, and reset the VM;
    // that is the intended per-user sandbox, but bear it in mind when
    // scoping audit logging.
    for_each = var.datalab_user_list

    binding {
        role    = "roles/compute.instanceAdmin.v1"
        members = ["user:${each.key}"]
    }
}

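resource "google_compute_instance_iam_policy" "datalab_user_to_instance_binding" {
    // Attaches the per-user policy above to the VM that `datalab create`
    // (null_resource.datalab) provisions, so each user administers only their
    // own instance. instance_name must stay identical to the name passed to
    // `datalab create` in null_resource.datalab; both derive it from the
    // local part of the user's email.
    //
    // NOTE(review): this resource is authoritative — it replaces the VM's
    // entire IAM policy with policy_data, removing any binding added outside
    // Terraform. depends_on names the whole null_resource, so every policy
    // waits for *all* Datalab VMs to exist, not just its own.
    for_each = var.datalab_user_list

    project       = google_project.hipaa_project[each.value].project_id
    zone          = var.datalab_zone
    instance_name = "datalab-${split("@", each.key)[0]}"

    // Plain reference rather than the legacy "${...}" interpolation-only
    // string, which Terraform 0.12+ reports as deprecated; the value is the
    // same string either way.
    policy_data = data.google_iam_policy.datalab_user_to_instance_policy[each.key].policy_data

    depends_on = [null_resource.datalab]
}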



resource "null_resource" "datalab" {
    // Provisions one Datalab VM per user by shelling out to the `datalab` CLI
    // (there is no native Terraform resource for Datalab). The instance is
    // named "datalab-<local part of the user's email>", which
    // google_compute_instance_iam_policy.datalab_user_to_instance_binding must
    // match exactly.
    for_each = var.datalab_user_list

    // These are the only values the destroy-time provisioner can see (through
    // self.triggers). Changing the set of triggers, or either value, forces a
    // replace: the destroy command below runs first and, because it passes
    // --delete-disk, removes the user's persistent disk. Review any edit to
    // this map with that in mind.
    triggers = {
        user = each.key
        project_id = google_project.hipaa_project[each.value].project_id
    }

    provisioner "local-exec" {
        // Hard-codes n1-standard-1; --no-connect keeps the CLI from opening a
        // tunnel from the machine running terraform.
        // NOTE(review): the user email and project id are interpolated into a
        // shell command line. They are operator-supplied via
        // var.datalab_user_list rather than untrusted input, but a validation
        // block on that variable (e.g. a regex on the email) would keep
        // unexpected characters out of the command.
        // The commented-out line is the pre-self.triggers form of the same
        // command, kept for history.
        //command = "datalab create --project ${google_project.hipaa_project[each.value].project_id} --machine-type n1-standard-1 --zone us-central1-a --no-connect --for-user ${each.key} --service-account ${google_service_account.datalab_service_account[each.key].email} datalab-${split("@", each.key)[0]}"
        command = "datalab create --project ${self.triggers.project_id} --machine-type n1-standard-1 --zone ${var.datalab_zone} --no-connect --for-user ${self.triggers.user} --service-account ${google_service_account.datalab_service_account[self.triggers.user].email} datalab-${split("@", self.triggers.user)[0]}"
    }

    provisioner "local-exec" {
        // NOTE(review): the quoted keyword form is deprecated; Terraform 0.12+
        // expects `when = destroy`.
        when    = "destroy"
        // NOTE(review): a destroy-time provisioner may reference only self,
        // count.index and each.key. ${var.datalab_zone} below is deprecated in
        // Terraform 0.13 and an error from 0.15. Moving the zone into triggers
        // (and reading ${self.triggers.zone} in both commands) fixes it, but
        // per the note on triggers that forces a replace — i.e. delete and
        // recreate with disk loss — of every existing instance, so it needs a
        // planned migration rather than a drive-by edit.
        // The commented-out line is the pre-self.triggers form, kept for
        // history.
        //command = "datalab delete --quiet --delete-disk --project ${google_project.hipaa_project[each.value].project_id} --zone us-central1-a datalab-${split("@", each.key)[0]}"
        command = "datalab delete --quiet --delete-disk --project ${self.triggers.project_id} --zone ${var.datalab_zone} datalab-${split("@", self.triggers.user)[0]}"
    }

    // Waits for the notebook repository and network in every worker project,
    // and for null_resource.install_gcloud_cli (defined elsewhere —
    // presumably the step that makes the `datalab` CLI available).
    depends_on = [ google_sourcerepo_repository.datalab-notebooks, google_compute_network.datalab-network, null_resource.install_gcloud_cli ]
}