From a627cfbe780d340f1d4f3efbd203dd5da22cd2c5 Mon Sep 17 00:00:00 2001
From: Pavel Zhukov
Date: Wed, 27 Nov 2019 21:19:45 +0200
Subject: [PATCH 1/3] [test-org] Create long-living SA which has G-Suite access. Used for project-factory tests of gsuite functionality and can be used in other gsuite-related tests in other modules.
---
 infra/terraform/test-org/org/gsuite.tf | 99 +++++++++++++++++++++++++
 infra/terraform/test-org/org/outputs.tf | 16 ++++
 2 files changed, 115 insertions(+)
 create mode 100644 infra/terraform/test-org/org/gsuite.tf
diff --git a/infra/terraform/test-org/org/gsuite.tf b/infra/terraform/test-org/org/gsuite.tf
new file mode 100644
index 00000000000..0c27fe7fd16
--- /dev/null
+++ b/infra/terraform/test-org/org/gsuite.tf
@@ -0,0 +1,99 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ ci_gsuite_sa_project_roles = [
+ "roles/owner",
+ "roles/compute.admin",
+ "roles/iam.serviceAccountAdmin",
+ "roles/resourcemanager.projectIamAdmin",
+ "roles/storage.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/billing.projectManager",
+ ]
+
+ ci_gsuite_sa_folder_roles = [
+ "roles/owner",
+ "roles/resourcemanager.projectCreator",
+ "roles/resourcemanager.folderAdmin",
+ "roles/resourcemanager.folderIamAdmin",
+ "roles/billing.projectManager",
+ ]
+}
+
+resource "google_folder" "ci_gsuite_sa_folder" {
+ display_name = "ci-gsuite-sa-folder"
+ parent = "folders/${replace(local.folders["ci-projects"], "folders/", "")}"
+}
+
+module "ci_gsuite_sa_project" {
+ source = "terraform-google-modules/project-factory/google"
+ version = "~> 4.0"
+
+ name = "ci-gsuite-sa-project"
+ random_project_id = true
+ org_id = local.org_id
+ folder_id = google_folder.ci_gsuite_sa_folder.id
+ billing_account = local.billing_account
+
+ labels = {
+ cft-ci = "permanent"
+ }
+
+ activate_apis = [
+ "admin.googleapis.com",
+ "appengine.googleapis.com",
+ "cloudbilling.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ "compute.googleapis.com",
+ "iam.googleapis.com",
+ "iamcredentials.googleapis.com",
+ "oslogin.googleapis.com",
+ "serviceusage.googleapis.com",
+ ]
+}
+
+resource "google_service_account" "ci_gsuite_sa" {
+ project = module.ci_gsuite_sa_project.project_id
+ account_id = "ci-gsuite-sa"
+ display_name = "ci-gsuite-sa"
+}
+
+resource "google_project_iam_member" "ci_gsuite_sa_project" {
+ count = length(local.ci_gsuite_sa_project_roles)
+
+ project = module.ci_gsuite_sa_project.project_id
+ role = local.ci_gsuite_sa_project_roles[count.index]
+ member = "serviceAccount:${google_service_account.ci_gsuite_sa.email}"
+}
+
+resource "google_folder_iam_member" "ci_gsuite_sa_folder" {
+ count = length(local.ci_gsuite_sa_folder_roles)
+
+ folder = google_folder.ci_gsuite_sa_folder.name
+ role = local.ci_gsuite_sa_folder_roles[count.index]
+ member = "serviceAccount:${google_service_account.ci_gsuite_sa.email}"
+}
+
+resource "google_billing_account_iam_member" "ci_gsuite_sa_billing" {
+ billing_account_id = local.billing_account
+ role = "roles/billing.user"
+ member = "serviceAccount:${google_service_account.ci_gsuite_sa.email}"
+}
+
+resource "google_service_account_key" "ci_gsuite_sa" {
+ service_account_id = google_service_account.ci_gsuite_sa.id
+}
diff --git a/infra/terraform/test-org/org/outputs.tf b/infra/terraform/test-org/org/outputs.tf
index 9d93801d0c6..65d6552bcd2 100644
--- a/infra/terraform/test-org/org/outputs.tf
+++ b/infra/terraform/test-org/org/outputs.tf
@@ -29,3 +29,19 @@ output "billing_account" {
 output "cft_ci_group" {
 value = local.cft_ci_group
 }
+
+output "ci_gsuite_sa_id" {
+ value = google_service_account.ci_gsuite_sa.id
+}
+
+output "ci_gsuite_sa_email" {
+ value = google_service_account.ci_gsuite_sa.email
+}
+
+output "ci_gsuite_sa_folder_id" {
+ value = google_folder.ci_gsuite_sa_folder.id
+}
+
+output "ci_gsuite_sa_project_id" {
+ value = module.ci_gsuite_sa_project.project_id
+}
From c507bad8a78badeefc758504e69d688ee2e003fe Mon Sep 17 00:00:00 2001
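Review bot: `roles/owner` appears in both `ci_gsuite_sa_project_roles` and `ci_gsuite_sa_folder_roles`, so the other entries in each list are largely subsumed and this deliberately long-lived SA ends up owning every project later created under `ci_gsuite_sa_folder`; trimming both lists to the roles the gsuite tests actually exercise, or a comment above `locals` stating why owner is required, would make the blast radius reviewable. Nothing in this hunk grants the G-Suite access the subject line describes — `admin.googleapis.com` is only enabled — so presumably domain-wide delegation is configured out of band; a comment on `google_service_account.ci_gsuite_sa` such as `# G-Suite access is granted out of band (domain-wide delegation in the Admin console); this file only creates the identity.` would save the next maintainer a search. `google_service_account_key.ci_gsuite_sa` writes the private key into Terraform state in plaintext; the third patch in this series removes it, but if this revision was ever applied the key material sits in state history and should be rotated. The `parent` expression strips `folders/` from `local.folders["ci-projects"]` and re-adds it, which is a no-op if the local already carries the prefix, in which case `parent = local.folders["ci-projects"]` reads cleaner.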
From: Pavel Zhukov
Date: Thu, 28 Nov 2019 14:29:32 +0200
Subject: [PATCH 2/3] [test-org] use for_each. Output generated sa key.
---
 infra/terraform/test-org/org/gsuite.tf | 8 ++++----
 infra/terraform/test-org/org/outputs.tf | 5 +++++
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/infra/terraform/test-org/org/gsuite.tf b/infra/terraform/test-org/org/gsuite.tf
index 0c27fe7fd16..f40c52aee90 100644
--- a/infra/terraform/test-org/org/gsuite.tf
+++ b/infra/terraform/test-org/org/gsuite.tf
@@ -73,18 +73,18 @@ resource "google_service_account" "ci_gsuite_sa" {
 }
 
 resource "google_project_iam_member" "ci_gsuite_sa_project" {
- count = length(local.ci_gsuite_sa_project_roles)
+ for_each = toset(local.ci_gsuite_sa_project_roles)
 
 project = module.ci_gsuite_sa_project.project_id
- role = local.ci_gsuite_sa_project_roles[count.index]
+ role = each.value
 member = "serviceAccount:${google_service_account.ci_gsuite_sa.email}"
 }
 
 resource "google_folder_iam_member" "ci_gsuite_sa_folder" {
- count = length(local.ci_gsuite_sa_folder_roles)
+ for_each = toset(local.ci_gsuite_sa_folder_roles)
 
 folder = google_folder.ci_gsuite_sa_folder.name
- role = local.ci_gsuite_sa_folder_roles[count.index]
+ role = each.value
 member = "serviceAccount:${google_service_account.ci_gsuite_sa.email}"
 }
diff --git a/infra/terraform/test-org/org/outputs.tf b/infra/terraform/test-org/org/outputs.tf
index 65d6552bcd2..61121796202 100644
--- a/infra/terraform/test-org/org/outputs.tf
+++ b/infra/terraform/test-org/org/outputs.tf
@@ -45,3 +45,8 @@ output "ci_gsuite_sa_folder_id" {
 output "ci_gsuite_sa_project_id" {
 value = module.ci_gsuite_sa_project.project_id
 }
+
+output "ci_gsuite_sa_key" {
+ value = google_service_account_key.ci_gsuite_sa.private_key
+ sensitive = true
+}
From fb424d3a06b93e356e2bb5f10846e93b55df72af Mon Sep 17 00:00:00 2001
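Review bot: Switching `count` to `for_each` re-keys both `google_project_iam_member.ci_gsuite_sa_project` and `google_folder_iam_member.ci_gsuite_sa_folder` from numeric indices to role-string keys, so if the previous revision was already applied the next plan will destroy and recreate every binding unless each address is moved with `terraform state mv`; for a long-lived CI identity that is a short window with no grant. The refactor itself is sound — adding or reordering a role no longer shifts its neighbours' indices — and deserves a line in the commit message about the state migration. A comment above the first `for_each`, `# keyed by role so list edits do not churn unrelated bindings`, would record the intent.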
From: Pavel Zhukov
Date: Thu, 28 Nov 2019 16:51:49 +0200
Subject: [PATCH 3/3] [test-org] Remove gsuite sa key. Hardcode project_id to force the constant SA email.
---
 infra/terraform/test-org/org/gsuite.tf | 6 +-----
 infra/terraform/test-org/org/outputs.tf | 5 -----
 2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/infra/terraform/test-org/org/gsuite.tf b/infra/terraform/test-org/org/gsuite.tf
index f40c52aee90..49d3141cc15 100644
--- a/infra/terraform/test-org/org/gsuite.tf
+++ b/infra/terraform/test-org/org/gsuite.tf
@@ -44,7 +44,7 @@ module "ci_gsuite_sa_project" {
 version = "~> 4.0"
 
 name = "ci-gsuite-sa-project"
- random_project_id = true
+ project_id = "ci-gsuite-sa-project"
 org_id = local.org_id
 folder_id = google_folder.ci_gsuite_sa_folder.id
 billing_account = local.billing_account
@@ -93,7 +93,3 @@ resource "google_billing_account_iam_member" "ci_gsuite_sa_billing" {
 role = "roles/billing.user"
 member = "serviceAccount:${google_service_account.ci_gsuite_sa.email}"
 }
-
-resource "google_service_account_key" "ci_gsuite_sa" {
- service_account_id = google_service_account.ci_gsuite_sa.id
-}
diff --git a/infra/terraform/test-org/org/outputs.tf b/infra/terraform/test-org/org/outputs.tf
index 61121796202..65d6552bcd2 100644
--- a/infra/terraform/test-org/org/outputs.tf
+++ b/infra/terraform/test-org/org/outputs.tf
@@ -45,8 +45,3 @@ output "ci_gsuite_sa_folder_id" {
 output "ci_gsuite_sa_project_id" {
 value = module.ci_gsuite_sa_project.project_id
 }
-
-output "ci_gsuite_sa_key" {
- value = google_service_account_key.ci_gsuite_sa.private_key
- sensitive = true
-}
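Review bot: With `google_service_account_key.ci_gsuite_sa` removed in this patch's second hunk, nothing in this file lets a test runner act as `ci_gsuite_sa`: there is no `google_service_account_iam_member` granting a CI principal `roles/iam.serviceAccountTokenCreator` on it, so unless that binding lives elsewhere, consumers of the `ci_gsuite_sa_email` output have no sanctioned way to obtain credentials (`iamcredentials.googleapis.com` being enabled suggests impersonation is the intended path). Dropping the exported key is the right call; recording how access is meant to work would complete it, e.g. above `project_id`: `# Fixed project_id keeps the SA email stable for tests that reference it; access is via impersonation granted to <CI principal — placeholder, confirm>`. Note also that a fixed `project_id` must be globally unique and cannot be recreated under the same id while a deleted project is still pending deletion, which `random_project_id` previously sidestepped — acceptable for a permanent project, but worth a word in the comment. The `module "ci_gsuite_sa_project"` block this hunk edits starts and ends outside the hunk.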