add files again

caetano-colin · May 22, 2024 · 5ba54de · 5ba54de
1 parent e30ae29
commit 5ba54de
Show file tree

Hide file tree

Showing 2 changed files with 230 additions and 0 deletions.
diff --git a/4-projects/business_unit_3/shared/example_artifacts.tf b/4-projects/business_unit_3/shared/example_artifacts.tf
@@ -0,0 +1,96 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  artifact_tf_sa_roles = [
+    "roles/artifactregistry.admin",
+    "roles/cloudbuild.builds.editor",
+    "roles/cloudbuild.connectionAdmin",
+    "roles/iam.serviceAccountAdmin",
+    "roles/secretmanager.admin",
+    "roles/source.admin",
+    "roles/storage.admin",
+  ]
+
+}
+module "app_infra_artifacts_project" {
+  source = "../../modules/single_project"
+  # count  = local.enable_cloudbuild_deploy ? 1 : 0
+
+  org_id              = local.org_id
+  billing_account     = local.billing_account
+  folder_id           = local.common_folder_name
+  environment         = "common"
+  project_budget      = var.project_budget
+  project_prefix      = local.project_prefix
+  key_rings           = local.shared_kms_key_ring
+  remote_state_bucket = var.remote_state_bucket
+  activate_apis = [
+    "artifactregistry.googleapis.com",
+    "logging.googleapis.com",
+    "billingbudgets.googleapis.com",
+    "serviceusage.googleapis.com",
+    "storage.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "secretmanager.googleapis.com",
+    "sourcerepo.googleapis.com",
+  ]
+  # Metadata
+  project_suffix    = "artifacts"
+  application_name  = "app-infra-artifacts"
+  billing_code      = "1234"
+  primary_contact   = "[email protected]"
+  secondary_contact = "[email protected]"
+  business_code     = "bu3"
+}
+
+# resource "google_kms_crypto_key" "ml_key" {
+#   for_each        = toset(local.shared_kms_key_ring)
+#   name            = module.app_infra_artifacts_project[0].project_name
+#   key_ring        = each.key
+#   rotation_period = var.key_rotation_period
+#   lifecycle {
+#     prevent_destroy = false
+#   }
+# }
+
+resource "google_kms_crypto_key_iam_member" "ml_key" {
+  for_each      = module.app_infra_cloudbuild_project[0].kms_keys
+  crypto_key_id = each.value.id
+  role          = "roles/cloudkms.admin"
+  member        = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]}"
+}
+
+resource "google_project_iam_member" "artifact_tf_sa_roles" {
+  for_each = toset(local.artifact_tf_sa_roles)
+  project  = module.app_infra_artifacts_project[0].project_id
+  role     = each.key
+  member   = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]}"
+}
+
+// Add Service Agent for Cloud Build
+resource "google_project_iam_member" "artifact_cloudbuild_agent" {
+  project = module.app_infra_artifacts_project[0].project_id
+  role    = "roles/secretmanager.secretAccessor"
+  member  = "serviceAccount:${module.app_infra_artifacts_project[0].project_number}@cloudbuild.gserviceaccount.com"
+}
+
+// Add Repository for Artifact repo
+
+resource "google_sourcerepo_repository" "artifact_repo" {
+  project = module.app_infra_artifacts_project[0].project_id
+  name    = var.cloud_source_artifacts_repo_name
+}
diff --git a/4-projects/business_unit_3/shared/example_service_catalog.tf b/4-projects/business_unit_3/shared/example_service_catalog.tf
@@ -0,0 +1,134 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  service_catalog_tf_sa_roles = [
+    "roles/cloudbuild.builds.editor",
+    "roles/iam.serviceAccountAdmin",
+    "roles/cloudbuild.connectionAdmin",
+    "roles/secretmanager.admin",
+    "roles/storage.admin",
+    "roles/source.admin",
+  ]
+}
+
+module "app_service_catalog_project" {
+  source = "../../modules/single_project"
+  # count  = local.enable_cloudbuild_deploy ? 1 : 0
+
+  org_id              = local.org_id
+  billing_account     = local.billing_account
+  folder_id           = local.common_folder_name
+  environment         = "common"
+  project_budget      = var.project_budget
+  project_prefix      = local.project_prefix
+  key_rings           = local.shared_kms_key_ring
+  remote_state_bucket = var.remote_state_bucket
+  activate_apis = [
+    "logging.googleapis.com",
+    "storage.googleapis.com",
+    "serviceusage.googleapis.com",
+    "secretmanager.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "sourcerepo.googleapis.com",
+  ]
+  # Metadata
+  project_suffix    = var.cloud_source_service_catalog_repo_name
+  application_name  = "app-infra-ml"
+  billing_code      = "1234"
+  primary_contact   = "[email protected]"
+  secondary_contact = "[email protected]"
+  business_code     = "bu3"
+}
+
+resource "google_kms_crypto_key_iam_member" "sc_key" {
+  for_each      = module.app_service_catalog_project[0].kms_keys
+  crypto_key_id = each.value.id
+  role          = "roles/cloudkms.admin"
+  member        = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
+}
+
+// Grab Service Agent for Secret Manager
+resource "google_project_service_identity" "secretmanager_agent" {
+  provider = google-beta
+  project  = module.app_service_catalog_project[0].project_id
+  service  = "secretmanager.googleapis.com"
+}
+
+// Add Secret Manager Service Agent to key with encrypt/decrypt permissions
+resource "google_kms_crypto_key_iam_member" "secretmanager_agent" {
+  for_each      = module.app_service_catalog_project[0].kms_keys
+  crypto_key_id = each.value.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        = "serviceAccount:${google_project_service_identity.secretmanager_agent.email}"
+}
+
+// Grab Service Agent for Storage
+resource "google_project_service_identity" "storage" {
+  provider = google-beta
+  project  = module.app_service_catalog_project[0].project_id
+  service  = "storage.googleapis.com"
+}
+// Add Service Agent for Storage
+resource "google_kms_crypto_key_iam_member" "storage_agent" {
+  for_each      = module.app_service_catalog_project[0].kms_keys
+  crypto_key_id = each.value.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        = "serviceAccount:service-${module.app_service_catalog_project[0].project_number}@gs-project-accounts.iam.gserviceaccount.com"
+
+  depends_on = [google_project_service_identity.storage]
+}
+
+// Add infra pipeline SA encrypt/decrypt permissions
+resource "google_kms_crypto_key_iam_member" "storage-kms-key-binding" {
+  for_each      = module.app_service_catalog_project[0].kms_keys
+  crypto_key_id = each.value.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
+}
+
+resource "google_project_iam_member" "service_catalog_tf_sa_roles" {
+  for_each = toset(local.service_catalog_tf_sa_roles)
+  project  = module.app_service_catalog_project[0].project_id
+  role     = each.key
+  member   = "serviceAccount:${module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]}"
+}
+
+// Add Service Agent for Cloud Build
+resource "google_project_iam_member" "cloudbuild_agent" {
+  project = module.app_service_catalog_project[0].project_id
+  role    = "roles/secretmanager.secretAccessor"
+  member  = "serviceAccount:${module.app_service_catalog_project[0].project_number}@cloudbuild.gserviceaccount.com"
+}
+
+// Add Service Catalog Source Repository
+
+resource "google_sourcerepo_repository" "service_catalog" {
+  project = module.app_service_catalog_project[0].project_id
+  name    = var.cloud_source_service_catalog_repo_name
+}
+
+/**
+ * When Jenkins CICD is used for deployment this resource
+ * is created to terraform validation works.
+ * Without this resource, this module creates zero resources
+ * and it breaks terraform validation throwing the error below:
+ * ERROR: [Terraform plan json does not contain resource_changes key]
+ */
+resource "null_resource" "jenkins_cicd_service_catalog" {
+  count = !local.enable_cloudbuild_deploy ? 1 : 0
+}