Commit f81aa08a authored by Adam Robinson's avatar Adam Robinson

Merge branch 'per_user_datalab_creation' into 'master'

add permissions to bq for service accounts

See merge request its-inf-cs/terraform-modules/google_hipaa_aligned_project!24
parents 1854e313 758f9567
......@@ -7,6 +7,15 @@ resource "null_resource" "is_project_type_valid" {
}
}
# resource "null_resource" "datalab_user_list_only_workers" {
# triggers = var.datalab_user_list != [] && var.project_type != "worker" ? file("ERROR: datalab_user_list is only for worker projects") : {}
# lifecycle {
# ignore_changes = [
# triggers
# ]
# }
# }
resource "null_resource" "is_reader_group_email_valid" {
#triggers = var.reader_group_email == "" && contains(var.project_types_storing_data, var.project_type) == true ? file("ERROR: reader_group_email must be set for worker and data projects") : {}
triggers = var.reader_group_email == "" && var.project_type == "data" ? file("ERROR: reader_group_email must be set for data projects") : {}
......
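Review bot: The worker-only guard for `datalab_user_list` is committed commented out (the `datalab_user_list_only_workers` block), so nothing now rejects a non-empty `datalab_user_list` on a data, audit or network project, while the BigQuery dataset hunk in this same commit grants `BigQueryDataEditor_NO_Export` to every datalab service account without a `project_type` condition. If the block was disabled because `var.datalab_user_list != []` fails type comparison against a `list(string)`, the check can be kept as `triggers = length(var.datalab_user_list) > 0 && var.project_type != "worker" ? file("ERROR: datalab_user_list is only for worker projects") : {}`. If it is meant to stay off, delete the dead block rather than leaving two commented variants, and add a one-line comment on `is_reader_group_email_valid` explaining why the `project_types_storing_data` form was dropped.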
......@@ -60,18 +60,42 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = var.reader_group_email == "" ? [] : [var.reader_group_email]
content {
role = "READER"
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
group_by_email = access.value
}
}
dynamic "access" {
for_each = [var.writer_group_email]
for_each = var.datalab_service_account_readers
content {
role = "WRITER"
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
user_by_email = access.value
}
}
dynamic "access" {
for_each = var.project_type != "worker" ? [var.writer_group_email] : []
content {
role = "organizations/715302536254/roles/BigQueryDataEditor_NO_Export"
group_by_email = access.value
}
}
dynamic "access" {
for_each = var.project_type == "worker" ? [var.writer_group_email] : []
content {
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
group_by_email = access.value
}
}
dynamic "access" {
for_each = [for v in var.datalab_user_list : google_service_account.datalab_service_account[v].email]
content {
role = "organizations/715302536254/roles/BigQueryDataEditor_NO_Export"
user_by_email = access.value
}
}
depends_on = [ google_project_service.bq-api ]
}
\ No newline at end of file
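Review bot: The new `access` block iterating `var.datalab_service_account_readers` has no `project_type` condition, whereas the `roles/bigquery.jobUser` binding for the same list elsewhere in this commit is created only when `project_type == "data"`; on a worker project the dataset would grant cross-project viewer access to service accounts that cannot run jobs there, which looks unintended. Aligning it with `for_each = var.project_type == "data" ? var.datalab_service_account_readers : []` keeps the two grants in step. The custom role paths `organizations/715302536254/roles/BigQueryDataViewer_NO_Export` and `..._NO_Export` editor are now repeated five times in this resource; a `locals` block with `bq_viewer_role` and `bq_editor_role` (or a variable for the organization id) would make the dataset ACL readable and keep the org id in one place. The enclosing `google_bigquery_dataset` resource starts outside the hunk.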
......@@ -20,6 +20,53 @@ resource "google_compute_network" "datalab-network" {
description = "Network for Google Cloud Datalab instances"
}
resource "google_compute_firewall" "datalab-network-allow-ssh" {
count = var.project_type == "worker" ? 1 : 0
name = "datalab-network-allow-ssh"
description = "Allow SSH access to Datalab instances"
network = google_compute_network.datalab-network[0].name
project = google_project.hipaa_project.project_id
priority = 1000
direction = "INGRESS"
source_ranges = [ "0.0.0.0/0" ]
allow {
protocol = "tcp"
ports = [ "22" ]
}
}
resource "google_service_account_iam_binding" "datalab_service_account_iam_binding" {
for_each = { for v in var.datalab_user_list : v => v }
service_account_id = google_service_account.datalab_service_account[each.key].name
role = "roles/iam.serviceAccountUser"
members = [
"user:${each.key}",
]
}
data "google_iam_policy" "datalab_user_to_instance_policy" {
for_each = { for v in var.datalab_user_list : v => v }
binding {
role = "roles/compute.instanceAdmin.v1"
members = [
"user:${each.key}",
]
}
}
resource "google_compute_instance_iam_policy" "datalab_user_to_instance_binding" {
for_each = { for v in var.datalab_user_list : v => v }
instance_name = "datalab-${split("@", each.key)[0]}"
project = google_project.hipaa_project.project_id
zone = "us-central1-a"
policy_data = "${data.google_iam_policy.datalab_user_to_instance_policy[each.key].policy_data}"
depends_on = [ null_resource.datalab ]
}
resource "google_service_account" "datalab_service_account" {
for_each = { for v in var.datalab_user_list : v => v }
account_id = "datalab-${split("@", each.key)[0]}"
......
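Review bot: `datalab-network-allow-ssh` opens tcp/22 from `source_ranges = [ "0.0.0.0/0" ]` on every worker project, which exposes Datalab VMs to internet-wide SSH brute forcing in a project that is supposed to be HIPAA-aligned. Since users already get `roles/compute.instanceAdmin.v1` on their own instance, access can go through IAP TCP forwarding instead by using `source_ranges = ["35.235.240.0/20"]`, or at minimum `source_ranges = var.datalab_ssh_source_ranges` with a declared list of trusted CIDRs and no permissive default. Separately, `zone = "us-central1-a"` in `datalab_user_to_instance_binding` is hardcoded while `null_resource.datalab` presumably creates the instances; if that zone is configurable there, the two should share a variable or the policy will silently target a non-existent instance. The `datalab_service_account` resource is cut off at the end of the hunk.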
......@@ -28,6 +28,14 @@ resource "google_project_iam_binding" "auditor_iam" {
]
}
resource "google_project_iam_binding" "datalab_service_account_iam_binding" {
count = var.project_type == "data" ? 1 : 0
project = google_project.hipaa_project.project_id
role = "roles/bigquery.jobUser"
members = [ for v in var.datalab_service_account_readers : "serviceAccount:${v}" ]
}
# Enable BQ APIs
resource "google_project_service" "bq-api" {
count = var.project_type != "network" ? 1 : 0
......
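Review bot: `google_project_iam_binding` is authoritative for `roles/bigquery.jobUser`, so this resource replaces every existing jobUser member in the data project with the contents of `var.datalab_service_account_readers`; with the variable's empty default it would strip jobUser from anyone who currently holds it, and any grant made outside this module is reverted on the next apply. A per-member `google_project_iam_member` keyed by service account adds only the intended grants and leaves other principals alone. If the authoritative behaviour is deliberate, say so in a comment above the resource.
```hcl
resource "google_project_iam_member" "datalab_service_account_iam_member" {
  for_each = var.project_type == "data" ? toset(var.datalab_service_account_readers) : toset([])
  project  = google_project.hipaa_project.project_id
  role     = "roles/bigquery.jobUser"
  member   = "serviceAccount:${each.value}"
}
```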
......@@ -5,3 +5,7 @@ output "project_id" {
output "bq_api_enabled" {
value = google_project_service.bq-api[0].id
}
output "datalab_service_account_list" {
value = [ for v in var.datalab_user_list : google_service_account.datalab_service_account[v].email ]
}
\ No newline at end of file
......@@ -20,6 +20,10 @@ variable "project_type" {
description = "Project type you are creating (options: audit, data, worker, network, monitor)"
}
variable "datalab_service_account_readers" {
default = []
}
variable "projectPrefix" {}
variable "folder_id" {}
......
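Review bot: `variable "datalab_service_account_readers"` declares neither a type nor a description, although it is consumed as a list of service account emails by the dataset `access` block and the jobUser binding; an untyped `default = []` lets a caller pass a map or a string and fail only deep inside those resources. Declare it as `type = list(string)` with `description = "Service account emails from worker projects (see output datalab_service_account_list) that receive read access to this data project's BigQuery dataset"`. Documenting that the value is expected to be fed from the worker project's `datalab_service_account_list` output also makes the cross-project wiring visible to the next maintainer.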