Commit 152acc71 authored by Adam Robinson's avatar Adam Robinson

generate datalab_service_account_readers

parent 255990e7
......@@ -64,6 +64,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
group_by_email = local.owners_group_email
}
//add reader group permissions to the data dataset
dynamic "access" {
for_each = each.key == "data" ? [local.read-only_group_email] : []
content {
......@@ -72,6 +73,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
}
}
//add writer group permissions to the data dataset
dynamic "access" {
for_each = each.key == "data" ? [local.writer_group_email] : []
content {
......@@ -80,6 +82,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
}
}
//add all datalab service accounts to have read access to the data dataset
dynamic "access" {
for_each = each.key == "data" ? local.datalab_service_account_readers : []
content {
......@@ -88,6 +91,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
}
}
//add permission for worker group to the worker dataset
dynamic "access" {
for_each = each.key != "data" ? [local.worker_project_email[each.key]] : []
content {
......@@ -96,8 +100,9 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
}
}
//give datalab service accounts writer access to the corresponding worker dataset
dynamic "access" {
for_each = [for v in var.datalab_user_list : v.value == "each.key" ? google_service_account.datalab_service_account[v.key].email : []]
for_each = compact([ for v in keys(var.datalab_user_list) : var.datalab_user_list[v] == each.value ? google_service_account.datalab_service_account[v].email : "" ])
content {
role = "organizations/715302536254/roles/BigQueryDataEditor_NO_Export"
user_by_email = access.value
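Review bot: The new filter compares each user's project against `each.value`, while every other dynamic access block in this resource keys the dataset by `each.key` (`each.key == "data"`, `local.worker_project_email[each.key]`); the two only coincide when the resource's `for_each` (declared above this hunk) is a set, so `var.datalab_user_list[v] == each.key` keeps the blocks consistent and avoids silently granting nothing, or the wrong dataset, if that argument is ever a map. The organization number in `role = "organizations/715302536254/roles/BigQueryDataEditor_NO_Export"` is hard-coded; hoisting it into a variable, e.g. `role = "organizations/${var.org_id}/roles/BigQueryDataEditor_NO_Export"`, lets the custom role resolve in other environments and keeps the org identifier out of the module. The enclosing `google_bigquery_dataset` resource starts and ends outside the hunk.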
......
......@@ -43,6 +43,15 @@ resource "google_compute_firewall" "datalab-network-allow-ssh" {
}
}
resource "google_project_iam_binding" "view_compute_instances" {
for_each = { for v in local.worker_projects : v => v }
project = google_project.hipaa_project[each.key].project_id
role = "roles/compute.viewer"
members = [
"group:${local.worker_project_email[each.key]}",
]
}
resource "google_service_account" "datalab_service_account" {
for_each = var.datalab_user_list
account_id = "datalab-${split("@", each.key)[0]}"
......@@ -85,15 +94,18 @@ resource "null_resource" "datalab" {
triggers = {
user = each.key
project_id = google_project.hipaa_project[each.value].project_id
}
provisioner "local-exec" {
command = "datalab create --project ${google_project.hipaa_project[each.value].project_id} --machine-type n1-standard-1 --zone us-central1-a --no-connect --for-user ${each.key} --service-account ${google_service_account.datalab_service_account[each.key].email} datalab-${split("@", each.key)[0]}"
//command = "datalab create --project ${google_project.hipaa_project[each.value].project_id} --machine-type n1-standard-1 --zone us-central1-a --no-connect --for-user ${each.key} --service-account ${google_service_account.datalab_service_account[each.key].email} datalab-${split("@", each.key)[0]}"
command = "datalab create --project ${self.triggers.project_id} --machine-type n1-standard-1 --zone us-central1-a --no-connect --for-user ${self.triggers.user} --service-account ${google_service_account.datalab_service_account[self.triggers.user].email} datalab-${split("@", self.triggers.user)[0]}"
}
provisioner "local-exec" {
when = "destroy"
command = "datalab delete --quiet --delete-disk --project ${google_project.hipaa_project[each.value].project_id} --zone us-central1-a datalab-${split("@", each.key)[0]}"
//command = "datalab delete --quiet --delete-disk --project ${google_project.hipaa_project[each.value].project_id} --zone us-central1-a datalab-${split("@", each.key)[0]}"
command = "datalab delete --quiet --delete-disk --project ${self.triggers.project_id} --zone us-central1-a datalab-${split("@", self.triggers.user)[0]}"
}
depends_on = [ google_sourcerepo_repository.datalab-notebooks, google_compute_network.datalab-network, null_resource.install_gcloud_cli ]
}
\ No newline at end of file
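Review bot: `google_project_iam_binding` in the new `view_compute_instances` resource is authoritative for `roles/compute.viewer` on each worker project, so every apply strips any other principal that holds that role there (members added in the console or by another module); use `google_project_iam_member` with `member = "group:${local.worker_project_email[each.key]}"` unless the intent really is for this group to be the sole viewer. In the rewritten `local-exec` commands the email from `self.triggers.user` is interpolated unquoted into a shell line; it comes from `var.datalab_user_list`, so it is operator input rather than untrusted, but a `validation` block on that variable (or quoting the arguments) would keep a stray space or shell metacharacter from breaking or altering the `datalab create` invocation. The `null_resource "datalab"` block starts before this hunk.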
......@@ -46,5 +46,5 @@ locals {
read-only_group_email = "${var.project_prefix}-read-only@${var.domain}"
alerts_group_email = "${var.project_prefix}-alerts@${var.domain}"
worker_project_email = { for x in local.worker_projects : x => "${var.project_prefix}-${x}@${var.domain}" }
datalab_service_account_readers = []
datalab_service_account_readers = [ for x in keys(var.datalab_user_list) : google_service_account.datalab_service_account[x].email ]
}
\ No newline at end of file
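Review bot: `datalab_service_account_readers` now enumerates every service account in `google_service_account.datalab_service_account`, which matches what the BigQuery `access` block consuming it expects, but the `keys()` round trip is unnecessary; `[for sa in google_service_account.datalab_service_account : sa.email]` yields the same emails directly. A comment on this line would make the scope explicit, e.g. `// every datalab SA, from all worker projects, is granted reader on the shared "data" dataset`, so that cross-project read access to a HIPAA dataset reads as deliberate rather than accidental.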