Commit 1a18281a authored by Adam Robinson's avatar Adam Robinson

Merge branch 'make_more_generic' into 'master'

permission fixes for datalab

See merge request !36
parents f4b4caea f62bffe6
......@@ -86,6 +86,26 @@ resource "google_project_iam_custom_role" "BigQueryDataViewer_NO_Export" {
for_each = { for v in local.projects_storing_data : v => v }
role_id = "BigQueryDataViewer_NO_Export"
title = "BigQuery Data Viewer - No Export"
description = "BigQuery Data Viewer minus bigquery.tables.export and resourcemanager.projects.list"
project = google_project.hipaa_project[each.key].project_id
stage = "GA"
permissions = [
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.tables.get",
"bigquery.tables.getData",
"bigquery.tables.list",
"resourcemanager.projects.get",
//"resourcemanager.projects.list", not supported roles created in a project
]
}
resource "google_project_iam_custom_role" "BigQuerySchemaViewer" {
for_each = { for v in local.projects_storing_data : v => v }
role_id = "BigQuerySchemaViewer"
title = "BigQuery Schema Viewer"
description = "BigQuery Data Viewer minus bigquery.tables.export, bigquery.tables.getData, and resourcemanager.projects.list"
project = google_project.hipaa_project[each.key].project_id
stage = "GA"
......@@ -118,7 +138,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key == "data" ? [local.read-only_group_email] : []
content {
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
role = google_project_iam_custom_role.BigQuerySchemaViewer[each.key].id
group_by_email = access.value
}
}
......@@ -145,7 +165,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key != "data" ? [local.worker_project_email[each.key]] : []
content {
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
role = google_project_iam_custom_role.BigQuerySchemaViewer[each.key].id
group_by_email = access.value
}
}
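Review bot: After hunks `-118` and `-145` re-point both dataset `access` blocks at `BigQuerySchemaViewer`, `BigQueryDataViewer_NO_Export` is no longer bound anywhere in the visible hunks but is still created in every project of `local.projects_storing_data`, which leaves a role carrying `bigquery.tables.getData` available for ad-hoc binding. If it still has a consumer elsewhere, a comment above the resource naming that consumer would make the intent reviewable; otherwise the resource can be dropped. The new `BigQuerySchemaViewer` role's `permissions` list lies outside the hunk, so the description's claim that `getData` is excluded cannot be checked here. Both custom-role resource blocks continue outside the hunk.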
......
resource "google_project_iam_binding" "datalab_service_account_iam_binding" {
project = google_project.hipaa_project["data"].project_id
for_each = { for v in local.worker_projects : v => v }
project = google_project.hipaa_project[each.key].project_id
role = "roles/bigquery.jobUser"
members = [ for v in local.datalab_service_account_readers : "serviceAccount:${v}" ]
members = compact([ for v in keys(var.datalab_user_list) : var.datalab_user_list[v] == each.value ? "serviceAccount:${google_service_account.datalab_service_account[v].email}" : "" ])
}
resource "google_project_service" "sourcerepo-api" {
......@@ -35,7 +36,27 @@ resource "google_compute_firewall" "datalab-network-allow-ssh" {
priority = 1000
direction = "INGRESS"
source_ranges = [ "0.0.0.0/0" ]
source_ranges = [
"35.190.247.0/24",
"64.233.160.0/19",
"66.102.0.0/20",
"66.249.80.0/20",
"72.14.192.0/18",
"74.125.0.0/16",
"108.177.8.0/21",
"173.194.0.0/16",
"209.85.128.0/17",
"216.58.192.0/19",
"216.239.32.0/19",
"172.217.0.0/19",
"172.217.32.0/20",
"172.217.128.0/19",
"172.217.160.0/20",
"172.217.192.0/19",
"108.177.96.0/19",
"35.191.0.0/16",
"130.211.0.0/22",
]
allow {
protocol = "tcp"
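Review bot: The new `source_ranges` list replaces `0.0.0.0/0` with around twenty Google-owned prefixes but carries no comment naming their source or the client that is expected to originate SSH, so the allow-list cannot be judged against its intent. Several entries (`74.125.0.0/16`, `173.194.0.0/16`, `216.58.192.0/19`) are general Google service ranges and `35.191.0.0/16` / `130.211.0.0/22` are the published health-checker ranges; if SSH is meant to arrive through IAP TCP forwarding, the range to allow is `35.235.240.0/20`, which is absent, and the list would shrink to that one entry. At minimum add a comment above the list such as `# SSH allowed only from <source of this range list>, fetched <date>; these prefixes change, re-check on update`. The `allow` block and the end of the resource are outside the hunk. The binding hunk above in the same file deserves a look too: `google_project_iam_binding` is authoritative for `roles/bigquery.jobUser`, so after this change any other member of that role in each worker project is removed on apply, and the move to `for_each` changes the resource address, which will plan as destroy-and-create unless the state is moved.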
......