Commit 40a85d27 authored by Adam Robinson's avatar Adam Robinson

split datalab instance creation to separate module

parent cf6ff57d
......@@ -81,7 +81,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
}
dynamic "access" {
for_each = each.key == "data" ? local.datalab_service_account_readers : []
for_each = each.key == "data" ? var.datalab_service_account_readers : []
content {
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
user_by_email = access.value
......
resource "google_project_iam_binding" "datalab_service_account_iam_binding" {
project = google_project.hipaa_project["data"].project_id
role = "roles/bigquery.jobUser"
members = [ for v in local.datalab_service_account_readers : "serviceAccount:${v}" ]
}
resource "google_project_service" "sourcerepo-api" {
for_each = { for v in local.worker_projects : v => v }
project = google_project.hipaa_project[each.key].project_id
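Review bot: The project IAM binding at `members = [ for v in local.datalab_service_account_readers : "serviceAccount:${v}" ]` still reads the local, while the dataset access block above now uses `var.datalab_service_account_readers` and the `datalab_service_account_readers = []` local is dropped in the locals hunk further down; if that binding survives on the new side (the rendered page does not show its marker) it needs to become `members = [ for v in var.datalab_service_account_readers : "serviceAccount:${v}" ]`, otherwise `terraform validate` fails on an unsupported `local` attribute. Note also that `google_project_iam_binding` is authoritative for `roles/bigquery.jobUser` on the data project: with the variable defaulting to `[]`, an apply strips every existing holder of that role rather than granting nothing, so either gate the resource on the list being non-empty or switch to `google_project_iam_member`. The `google_bigquery_dataset` resource that the first hunk belongs to starts before the hunk.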
......@@ -42,58 +35,3 @@ resource "google_compute_firewall" "datalab-network-allow-ssh" {
ports = [ "22" ]
}
}
resource "google_service_account" "datalab_service_account" {
for_each = var.datalab_user_list
account_id = "datalab-${split("@", each.key)[0]}"
project = google_project.hipaa_project[each.value].project_id
}
resource "google_service_account_iam_binding" "datalab_service_account_iam_binding" {
for_each = var.datalab_user_list
service_account_id = google_service_account.datalab_service_account[each.key].name
role = "roles/iam.serviceAccountUser"
members = [
"user:${each.key}",
]
}
data "google_iam_policy" "datalab_user_to_instance_policy" {
for_each = var.datalab_user_list
binding {
role = "roles/compute.instanceAdmin.v1"
members = [
"user:${each.key}",
]
}
}
resource "google_compute_instance_iam_policy" "datalab_user_to_instance_binding" {
for_each = var.datalab_user_list
instance_name = "datalab-${split("@", each.key)[0]}"
project = google_project.hipaa_project[each.value].project_id
zone = "us-central1-a"
policy_data = "${data.google_iam_policy.datalab_user_to_instance_policy[each.key].policy_data}"
depends_on = [ null_resource.datalab ]
}
resource "null_resource" "datalab" {
for_each = var.datalab_user_list
triggers = {
user = each.key
}
provisioner "local-exec" {
command = "datalab create --project ${google_project.hipaa_project[each.value].project_id} --machine-type n1-standard-1 --zone us-central1-a --no-connect --for-user ${each.key} --service-account ${google_service_account.datalab_service_account[each.key].email} datalab-${split("@", each.key)[0]}"
}
provisioner "local-exec" {
when = "destroy"
command = "datalab delete --quiet --delete-disk --project ${google_project.hipaa_project[each.value].project_id} --zone us-central1-a datalab-${split("@", each.key)[0]}"
}
depends_on = [ google_sourcerepo_repository.datalab-notebooks, google_compute_network.datalab-network, null_resource.install_datalab_cli ]
}
\ No newline at end of file
......@@ -57,14 +57,4 @@ resource "google_logging_metric" "set_iam_permissions_change" {
}
}
//fix this later
# module "project_audit_logs" {
# source = "./modules/google_hipaa_project_auditing"
# destination_project_id = var.project_type == "audit" ? google_project.hipaa_project.project_id : var.audit_project_id
# source_project_id = google_project.hipaa_project.project_id
# owners_group_email = var.owners_group_email
# auditor_group_email = var.auditor_group_email
# dependencies = [ null_resource.external_dependencies.id ]
# }
resource "null_resource" "dummy_import_resource" {}
\ No newline at end of file
......@@ -10,27 +10,12 @@ variable "domain" {}
variable "project_prefix" {}
# variable "datalab_service_account_readers" {
# default = []
# }
# variable "vpc_host_project_id" {
# default = ""
# }
# variable "dataset_permissions" {
# type = "list"
# default = []
# }
variable "dependencies" {
variable "datalab_service_account_readers" {
default = []
}
variable "datalab_user_list" {
type = "map"
default = {}
variable "dependencies" {
default = []
}
locals {
......@@ -46,5 +31,4 @@ locals {
read-only_group_email = "${var.project_prefix}-read-only@${var.domain}"
alerts_group_email = "${var.project_prefix}-alerts@${var.domain}"
worker_project_email = { for x in local.worker_projects : x => "${var.project_prefix}-${x}@${var.domain}" }
datalab_service_account_readers = []
}
\ No newline at end of file
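Review bot: The new `variable "datalab_service_account_readers"` carries no type constraint or description even though its elements are interpolated straight into IAM grants elsewhere in this commit (`user_by_email` on the dataset access block and `serviceAccount:${v}` members on a project binding); an untyped `default = []` also accepts a map or a list of objects and only fails at plan time with an opaque error. Add `type = list(string)` and `description = "Service-account emails granted no-export read access to the data dataset and bigquery.jobUser on the data project"` so the contract is visible to whoever sets the variable. The legacy quoted form `type = "map"` on the removed `datalab_user_list` suggests older syntax lingers in this module; `list(string)` is valid on every version that supports the `dynamic` and resource `for_each` blocks the other hunks rely on.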