Commit f4b4caea authored by Adam Robinson's avatar Adam Robinson

Merge branch 'make_more_generic' into 'master'

Make more generic

See merge request !35
parents 988c34a1 af4d1fd8
......@@ -51,6 +51,56 @@ resource "google_logging_metric" "unexpected_bucket_access" {
}
}
resource "google_project_iam_custom_role" "BigQueryDataEditor_NO_Export" {
for_each = { for v in local.projects_storing_data : v => v }
role_id = "BigQueryDataEditor_NO_Export"
title = "BigQuery Data Editor - No Export"
description = "BigQuery Data Editor minus bigquery.tables.export and resourcemanager.projects.list"
project = google_project.hipaa_project[each.key].project_id
stage = "GA"
permissions = [
"bigquery.datasets.create",
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.datasets.updateTag",
"bigquery.models.updateTag",
"bigquery.routines.create",
"bigquery.routines.delete",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.routines.update",
"bigquery.tables.create",
"bigquery.tables.delete",
"bigquery.tables.get",
"bigquery.tables.getData",
"bigquery.tables.list",
"bigquery.tables.update",
"bigquery.tables.updateData",
"bigquery.tables.updateTag",
"resourcemanager.projects.get",
//"resourcemanager.projects.list", not supported roles created in a project
]
}
resource "google_project_iam_custom_role" "BigQueryDataViewer_NO_Export" {
for_each = { for v in local.projects_storing_data : v => v }
role_id = "BigQueryDataViewer_NO_Export"
title = "BigQuery Data Viewer - No Export"
description = "BigQuery Data Viewer minus bigquery.tables.export, bigquery.tables.getData, and resourcemanager.projects.list"
project = google_project.hipaa_project[each.key].project_id
stage = "GA"
permissions = [
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.tables.get",
"bigquery.tables.list",
"resourcemanager.projects.get",
//"resourcemanager.projects.list", not supported roles created in a project
]
}
# Create BigQuery Dataset in Data or Worker projects
resource "google_bigquery_dataset" "hipaa_data_bq" {
for_each = { for v in local.projects_storing_data : v => v }
......@@ -68,7 +118,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key == "data" ? [local.read-only_group_email] : []
content {
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
group_by_email = access.value
}
}
......@@ -77,7 +127,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key == "data" ? [local.writer_group_email] : []
content {
role = "organizations/715302536254/roles/BigQueryDataEditor_NO_Export"
role = google_project_iam_custom_role.BigQueryDataEditor_NO_Export[each.key].id
group_by_email = access.value
}
}
......@@ -86,7 +136,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key == "data" ? local.datalab_service_account_readers : []
content {
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
user_by_email = access.value
}
}
......@@ -95,7 +145,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key != "data" ? [local.worker_project_email[each.key]] : []
content {
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
group_by_email = access.value
}
}
......@@ -104,7 +154,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = compact([ for v in keys(var.datalab_user_list) : var.datalab_user_list[v] == each.value ? google_service_account.datalab_service_account[v].email : "" ])
content {
role = "organizations/715302536254/roles/BigQueryDataEditor_NO_Export"
role = google_project_iam_custom_role.BigQueryDataEditor_NO_Export[each.key].id
user_by_email = access.value
}
}
......
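Review bot: The permissions lists of the two new custom roles (L20–L41 and L50–L59) carry their defining property only by omission — `bigquery.tables.export` is deliberately absent, and for the Viewer role so is `bigquery.tables.getData` — yet the only in-line comment concerns `resourcemanager.projects.list` and reads like a TODO rather than a design decision. A comment at the head of each list, such as `# Deliberately omits bigquery.tables.export: this role exists to prevent bulk export from the hipaa projects; do not "complete" it against the predefined role`, would keep a later maintainer from adding the permission back. The `//"resourcemanager.projects.list"` lines would be clearer as a plain note, `# resourcemanager.projects.list cannot be granted by a project-level custom role`, so nobody uncomments them and breaks apply. One caveat worth recording near the `role_id` lines, if it still holds for your provider version: GCP keeps a deleted custom role in a soft-deleted state for a period during which the same `role_id` cannot be recreated in that project, so destroying and re-creating a data project can fail on these resources.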
......@@ -82,7 +82,7 @@ resource "google_compute_instance_iam_policy" "datalab_user_to_instance_binding"
for_each = var.datalab_user_list
instance_name = "datalab-${split("@", each.key)[0]}"
project = google_project.hipaa_project[each.value].project_id
zone = "us-central1-a"
zone = var.datalab_zone
policy_data = "${data.google_iam_policy.datalab_user_to_instance_policy[each.key].policy_data}"
depends_on = [ null_resource.datalab ]
}
......@@ -99,13 +99,13 @@ resource "null_resource" "datalab" {
provisioner "local-exec" {
//command = "datalab create --project ${google_project.hipaa_project[each.value].project_id} --machine-type n1-standard-1 --zone us-central1-a --no-connect --for-user ${each.key} --service-account ${google_service_account.datalab_service_account[each.key].email} datalab-${split("@", each.key)[0]}"
command = "datalab create --project ${self.triggers.project_id} --machine-type n1-standard-1 --zone us-central1-a --no-connect --for-user ${self.triggers.user} --service-account ${google_service_account.datalab_service_account[self.triggers.user].email} datalab-${split("@", self.triggers.user)[0]}"
command = "datalab create --project ${self.triggers.project_id} --machine-type n1-standard-1 --zone ${var.datalab_zone} --no-connect --for-user ${self.triggers.user} --service-account ${google_service_account.datalab_service_account[self.triggers.user].email} datalab-${split("@", self.triggers.user)[0]}"
}
provisioner "local-exec" {
when = "destroy"
//command = "datalab delete --quiet --delete-disk --project ${google_project.hipaa_project[each.value].project_id} --zone us-central1-a datalab-${split("@", each.key)[0]}"
command = "datalab delete --quiet --delete-disk --project ${self.triggers.project_id} --zone us-central1-a datalab-${split("@", self.triggers.user)[0]}"
command = "datalab delete --quiet --delete-disk --project ${self.triggers.project_id} --zone ${var.datalab_zone} datalab-${split("@", self.triggers.user)[0]}"
}
depends_on = [ google_sourcerepo_repository.datalab-notebooks, google_compute_network.datalab-network, null_resource.install_gcloud_cli ]
}
\ No newline at end of file
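Review bot: The destroy-time provisioner at L129 now reads `var.datalab_zone`, so a later change to that variable makes `datalab delete` run against the new zone while the instance created at L123 still lives in the old one, leaving the instance and its service-account binding orphaned; to my recollection Terraform 0.15 and later also reject references other than `self`, `count.index` and `each.key` inside a `when = "destroy"` provisioner, which would turn this into a plan-time error on upgrade. The robust form records the zone on the resource itself: add `zone = var.datalab_zone` to the `triggers` map (which starts above this hunk, so I cannot see whether it is already there) and use `${self.triggers.zone}` on both command lines, so a zone change forces replacement and the delete always targets the zone the instance was created in. The same consideration applies to `google_compute_instance_iam_policy` at L115, whose `depends_on` on `null_resource.datalab` guarantees ordering but not that the policy's zone matches the instance's.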
......@@ -33,6 +33,11 @@ variable "datalab_user_list" {
default = {}
}
variable "datalab_zone" {
description = "The zone to create datalab instances in"
default = "us-central1-a"
}
locals {
base_projects = ["audit", "data", "network", "monitor"]
projects_storing_data = concat(["data"], local.worker_projects)
......
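Review bot: `variable "datalab_zone"` at L137 has no `type` constraint, so a non-string value passed via tfvars is only caught when it is interpolated into the `datalab create` command or the instance IAM policy rather than at plan time; add `type = string` below the description. If the module targets Terraform 0.13 or later, a `validation` block checking the zone format would also catch typos before the provisioner runs — hedged, since the `when = "destroy"` string form elsewhere in this diff suggests 0.12-era code.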