diff --git a/.gitignore b/.gitignore index 9ce300b1..92701728 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,11 @@ crash.log **/*.tfvars credentials.json + +override.tf +override.tf.json +*_override.tf +*_override.tf.json +.idea/ + +setup-tests.sh diff --git a/test/integration/simple_example/controls/gsutil.rb b/.pre-commit-config.yaml similarity index 51% rename from test/integration/simple_example/controls/gsutil.rb rename to .pre-commit-config.yaml index 692309f0..c9c39f73 100644 --- a/test/integration/simple_example/controls/gsutil.rb +++ b/.pre-commit-config.yaml @@ -1,4 +1,4 @@ -# Copyright 2018 Google LLC +# Copyright 2019 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,12 +12,22 @@ # See the License for the specific language governing permissions and # limitations under the License. -control "gsutil" do - title "gsutil" - - describe command("gsutil ls -p #{attribute("project_id")}") do - its(:exit_status) { should eq 0 } - its(:stderr) { should eq "" } - its(:stdout) { should match "gs://#{attribute("bucket_name")}" } - end -end +repos: +- repo: git://github.com/antonbabenko/pre-commit-terraform + rev: v1.21.0 + hooks: + - id: terraform_fmt + # - id: terraform_docs +- repo: git://github.com/pre-commit/pre-commit-hooks + rev: v2.2.3 + hooks: + - id: check-executables-have-shebangs + - id: check-json + - id: check-merge-conflict + - id: check-xml + - id: check-yaml + - id: detect-private-key + - id: pretty-format-json + args: [--autofix] + - id: sort-simple-yaml + - id: trailing-whitespace diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a350db59..6458f256 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
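Review bot: Both `repo:` entries in the new `.pre-commit-config.yaml` fetch hook code over `git://`, which is unauthenticated and unencrypted, and pin it by tag (`rev: v1.21.0`, `rev: v2.2.3`) rather than by commit, so what runs on every developer commit can change without any edit here. Switch to the https URLs, `- repo: https://github.com/antonbabenko/pre-commit-terraform` and `- repo: https://github.com/pre-commit/pre-commit-hooks`, and set `rev:` to the full commit hash behind each tag (pre-commit accepts a SHA there). The disabled `# - id: terraform_docs` line would benefit from a short reason it is commented out, so it is not re-enabled or removed blindly later.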
@@ -49,6 +49,8 @@ You will also need to set a few environment variables: export TF_VAR_org_id="your_org_id" export TF_VAR_folder_id="your_folder_id" export TF_VAR_billing_account="your_billing_account_id" +export TF_VAR_group_org_admins="gcp-organization-admins@example.com" +export TF_VAR_group_billing_admins="gcp-billing-admins@example.com" ``` With these settings in place, you can prepare a test project using Docker: diff --git a/Makefile b/Makefile index 6a107952..1a23e1a1 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.1.0 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.6.0 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd @@ -39,6 +39,8 @@ docker_test_prepare: -e TF_VAR_org_id \ -e TF_VAR_folder_id \ -e TF_VAR_billing_account \ + -e TF_VAR_group_org_admins \ + -e TF_VAR_group_billing_admins \ -v $(CURDIR):/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ /usr/local/bin/execute_with_credentials.sh prepare_environment @@ -51,6 +53,8 @@ docker_test_cleanup: -e TF_VAR_org_id \ -e TF_VAR_folder_id \ -e TF_VAR_billing_account \ + -e TF_VAR_group_org_admins \ + -e TF_VAR_group_billing_admins \ -v $(CURDIR):/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ /usr/local/bin/execute_with_credentials.sh cleanup_environment diff --git a/README.md b/README.md index 32f51cca..81886edc 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,6 @@ # terraform-google-bootstrap -This module was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template/), which by default generates a module that simply creates a GCS bucket. As the module develops, this README should be updated. - -The resources/services/activations/deletions that this module will create/trigger are: - -- Create a GCS bucket with the provided name +The purpose of this module is to help bootstrap a GCP organization, creating all the required GCP resources & permissions to start using the Cloud Foundation Toolkit (CFT). For users who want to use Cloud Build & Cloud Source Repos for foundations code, there is also a submodule to help bootstrap all the required resources to do this. ## Usage 
@@ -15,68 +11,99 @@ module "bootstrap" { source = "terraform-google-modules/bootstrap/google" version = "~> 0.1" - project_id = "" - bucket_name = "gcs-test-bucket" + org_id = "" + billing_account = "" + group_org_admins = "gcp-organization-admins@example.com" + group_billing_admins = "gcp-billing-admins@example.com" + default_region = "australia-southeast1" } ``` Functional examples are included in the [examples](./examples/) directory. +## Features + +The Organization Bootstrap module will take the following actions: + +1. Create a new GCP seed project using `project_prefix`. +1. Enable APIs in the seed project using `activate_apis` +1. Create a new service account for terraform in seed project +1. Create GCS bucket for Terraform state and grant access to service account +1. Grant IAM permissions required for CFT modules & Organization setup + 1. Overwrite organization wide project creator and billing account creator roles + 1. Grant Organization permissions to service account using `sa_org_iam_permissions` + 1. Grant access to billing account for service account + 1. Grant Organization permissions to `group_org_admins` using `org_admins_org_iam_permissions` + 1. Grant billing permissions to `group_billing_admins` + 1. (optional) Permissions required for service account impersonation using `sa_enable_impersonation` + +For the cloudbuild submodule, see the README [cloudbuild](./modules/cloudbuild). + + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| bucket\_name | The name of the bucket to create | string | n/a | yes | -| project\_id | The project ID to deploy to | string | n/a | yes | +| activate\_apis | List of APIs to enable in the seed project. | list(string) | `` | no | +| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes | +| default\_region | Default region to create resources where applicable. 
| string | `"us-central1"` | no | +| folder\_id | The ID of a folder to host this project | string | `""` | no | +| group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes | +| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes | +| org\_admins\_org\_iam\_permissions | List of permissions granted to the group supplied in group_org_admins variable across the GCP organization. | list(string) | `` | no | +| org\_id | GCP Organization ID | string | n/a | yes | +| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | `` | no | +| project\_prefix | Name prefix to use for projects created. | string | `"cft"` | no | +| sa\_enable\_impersonation | Allow org_admins group to impersonate service account & enable APIs required. | bool | `"false"` | no | +| sa\_org\_iam\_permissions | List of permissions granted to Terraform service account across the GCP organization. | list(string) | `` | no | ## Outputs | Name | Description | |------|-------------| -| bucket\_name | | +| gcs\_bucket\_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. | +| seed\_project\_id | Project where service accounts and core APIs will be enabled. | +| terraform\_sa\_email | Email for privileged service account for Terraform. | +| terraform\_sa\_name | Fully qualified name for privileged service account for Terraform. | ## Requirements -These sections describe requirements for using this module. 
- ### Software -The following dependencies must be available: +- [gcloud sdk](https://cloud.google.com/sdk/install) >= 206.0.0 +- [Terraform](https://www.terraform.io/downloads.html) >= 0.12.6 +- [terraform-provider-google] plugin 2.1.x +- [terraform-provider-google-beta] plugin 2.1.x -- [Terraform][terraform] v0.12 -- [Terraform Provider for GCP][terraform-provider-gcp] plugin v2.0 +### Permissions -### Service Account +- `roles/resourcemanager.organizationAdmin` on GCP Organization +- `roles/billing.admin` on supplied billing account +- `roles/resourcemanager.projectCreator` on GCP Organization for `group_org_admins` group. +- Account running terraform should be a member of group provided in `group_org_admins` variable, otherwise they will loose `roles/resourcemanager.projectCreator` access. Additional members can be added by using the `org_project_creators` variable. -A service account with the following roles must be used to provision -the resources of this module: +### Credentials -- Storage Admin: `roles/storage.admin` - -The [Project Factory module][project-factory-module] and the -[IAM module][iam-module] may be used in combination to provision a -service account with the necessary roles applied. +For users interested in using service account impersonation which this module helps enable with `sa_enable_impersonation`, please see this [blog post](https://medium.com/google-cloud/terraform-assume-role-and-service-account-impersonation-on-google-cloud-ffc553863e72) which explains how it works. 
### APIs A project with the following APIs enabled must be used to host the resources of this module: -- Google Cloud Storage JSON API: `storage-api.googleapis.com` +- Google Cloud Resource Manager API: `cloudresourcemanager.googleapis.com` +- Google Cloud Billing API: `cloudbilling.googleapis.com` +- Google Cloud IAM API: `iam.googleapis.com` +- Google Cloud Storage API `storage-api.googleapis.com` +- Google Cloud Service Usage API: `serviceusage.googleapis.com` -The [Project Factory module][project-factory-module] can be used to -provision a project with the necessary APIs enabled. +This API can be enabled in the default project created during establishing an organization. ## Contributing Refer to the [contribution guidelines](./CONTRIBUTING.md) for information on contributing to this module. - -[iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google -[project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google -[terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html -[terraform]: https://www.terraform.io/downloads.html diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index acdecf83..8227ccb2 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -21,15 +21,33 @@ steps: - 'TF_VAR_org_id=$_ORG_ID' - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' + - 'TF_VAR_group_org_admins=test-gcp-org-admins@test.infra.cft.tips' + - 'TF_VAR_group_billing_admins=test-gcp-billing-admins@test.infra.cft.tips' - id: create name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create'] -- id: converge +- id: converge-simple name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge'] -- id: verify + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-default'] +- id: verify-simple name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify'] + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-default'] + # Required to rerun to reinstate ci-integration account as project creator as not member of group_org_admins. 
+- id: prepare-rerun + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment'] + env: + - 'TF_VAR_org_id=$_ORG_ID' + - 'TF_VAR_folder_id=$_FOLDER_ID' + - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' + - 'TF_VAR_group_org_admins=test-gcp-org-admins@test.infra.cft.tips' + - 'TF_VAR_group_billing_admins=test-gcp-billing-admins@test.infra.cft.tips' +- id: converge-cloudbuild-enabled + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge cloudbuild-enabled-default'] +- id: verify-cloudbuild-enabled + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify cloudbuild-enabled-default'] - id: destroy name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy'] @@ -38,4 +56,4 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.6.0' diff --git a/examples/cloudbuild_enabled/README.md b/examples/cloudbuild_enabled/README.md new file mode 100644 index 00000000..b3acd83d --- /dev/null +++ b/examples/cloudbuild_enabled/README.md 
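Review bot: The group addresses `test-gcp-org-admins@test.infra.cft.tips` and `test-gcp-billing-admins@test.infra.cft.tips` are now hard-coded twice (in the existing env list and again in the new `prepare-rerun` step), while org, folder and billing account come from `$_ORG_ID`-style substitutions; moving them to entries such as `_GROUP_ORG_ADMINS` / `_GROUP_BILLING_ADMINS` under the existing `substitutions:` block (suggested names) keeps the test identities in one place. The comment on `prepare-rerun` says the step exists only because converging `simple-default` strips the CI account's project creator role; since the module accepts `org_project_creators`, passing the CI identity there, e.g. `- 'TF_VAR_org_project_creators=["serviceAccount:<CI_SA_EMAIL>"]'` (placeholder), would keep that account in the authoritative binding and presumably make the second `prepare_environment` run unnecessary — worth confirming against what `prepare_environment` actually grants. The `steps:` list this hunk edits begins above the hunk.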
@@ -0,0 +1,31 @@ +## Overview + +This example combines the Organization bootstrap module with the Cloud Build submodule, to setup everything that is required to run subsequent infrastructure as code using cloud native tooling and limited external dependencies. For more details on what the Cloud Build module is doing, see the [readme](../../modules/cloudbuild). + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes | +| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no | +| group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes | +| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes | +| org\_id | GCP Organization ID | string | n/a | yes | +| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | `` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| cloudbuild\_project\_id | Project where CloudBuild configuration and terraform container image will reside. | +| csr\_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. | +| gcs\_bucket\_cloudbuild\_artifacts | Bucket used to store Cloud/Build artefacts in CloudBuild project. | +| gcs\_bucket\_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. | +| kms\_crypto\_key | KMS key created by the module. | +| kms\_keyring | KMS Keyring created by the module. | +| seed\_project\_id | Project where service accounts and core APIs will be enabled. | +| terraform\_sa\_email | Email for privileged service account for Terraform. | +| terraform\_sa\_name | Fully qualified name for privileged service account for Terraform. | + + 
diff --git a/examples/cloudbuild_enabled/cloudbuild-tf-apply.yaml b/examples/cloudbuild_enabled/cloudbuild-tf-apply.yaml new file mode 100644 index 00000000..bb9daca3 --- /dev/null +++ b/examples/cloudbuild_enabled/cloudbuild-tf-apply.yaml @@ -0,0 +1,42 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +timeout: 1200s +steps: +# terraform init -input=false +- name: gcr.io/$PROJECT_ID/terraform + args: + - init + - -input=false +# terraform validate +- name: gcr.io/$PROJECT_ID/terraform + args: + - validate +# terraform plan -input=false -out=tfplan +- name: gcr.io/$PROJECT_ID/terraform + args: + - plan + - -input=false + - -out=tfplan +# terraform apply -auto-approve -input=false tfplan +- name: gcr.io/$PROJECT_ID/terraform + args: + - apply + - -auto-approve + - -input=false + - tfplan +artifacts: + objects: + location: 'gs://${_ARTIFACT_BUCKET_NAME}/terraform/cloudbuild/apply/$BUILD_ID' + paths: ['cloudbuild-tf-apply.yaml', 'tfplan'] diff --git a/test/integration/simple_example/controls/gcp.rb b/examples/cloudbuild_enabled/cloudbuild-tf-plan.yaml similarity index 51% rename from test/integration/simple_example/controls/gcp.rb rename to examples/cloudbuild_enabled/cloudbuild-tf-plan.yaml index 3b5382bd..0c7fe954 100644 --- a/test/integration/simple_example/controls/gcp.rb +++ b/examples/cloudbuild_enabled/cloudbuild-tf-plan.yaml 
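Review bot: Every step in the new `cloudbuild-tf-apply.yaml` runs `gcr.io/$PROJECT_ID/terraform` with no tag or digest, so each build pulls whatever `latest` currently is in the project registry; pin it, e.g. `- name: gcr.io/$PROJECT_ID/terraform@sha256:<IMAGE_DIGEST>` (placeholder), and the same applies to `cloudbuild-tf-plan.yaml` in the next file. The apply build also regenerates `tfplan` itself and then applies it, so the plan uploaded by the plan build is not the one executed; if the intent is review-then-apply, this build would need to fetch that artifact instead of running `plan` again (`-auto-approve` is redundant once a saved plan file is passed). The `tfplan` artifact written under `gs://${_ARTIFACT_BUCKET_NAME}/...` carries the full planned attribute values in plaintext, so a comment above `artifacts:` such as `# tfplan contains every planned attribute value, including sensitive ones — restrict access to this bucket to the pipeline identities` would make the required bucket access control explicit.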
@@ -1,4 +1,4 @@ -# Copyright 2018 Google LLC +# Copyright 2019 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,10 +12,24 @@ # See the License for the specific language governing permissions and # limitations under the License. -control "gcp" do - title "GCP Resources" - - describe google_storage_bucket(name: attribute("bucket_name")) do - it { should exist } - end -end +timeout: 1200s +steps: +# terraform init -input=false +- name: gcr.io/$PROJECT_ID/terraform + args: + - init + - -input=false +# terraform validate +- name: gcr.io/$PROJECT_ID/terraform + args: + - validate +# terraform plan -input=false -out=tfplan +- name: gcr.io/$PROJECT_ID/terraform + args: + - plan + - -input=false + - -out=tfplan +artifacts: + objects: + location: 'gs://${_ARTIFACT_BUCKET_NAME}/terraform/cloudbuild/plan/$BUILD_ID' + paths: ['cloudbuild-tf-plan.yaml', 'tfplan'] diff --git a/examples/cloudbuild_enabled/main.tf b/examples/cloudbuild_enabled/main.tf new file mode 100644 index 00000000..f75519dd --- /dev/null +++ b/examples/cloudbuild_enabled/main.tf 
@@ -0,0 +1,43 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +provider "google" { + version = "~> 2.0" +} + +module "seed_bootstrap" { + source = "../.." + org_id = var.org_id + billing_account = var.billing_account + group_org_admins = var.group_org_admins + group_billing_admins = var.group_billing_admins + default_region = var.default_region + org_project_creators = var.org_project_creators + sa_enable_impersonation = true +} + +module "cloudbuild_bootstrap" { + source = "../../modules/cloudbuild" + org_id = var.org_id + billing_account = var.billing_account + group_org_admins = var.group_org_admins + default_region = var.default_region + sa_enable_impersonation = true + terraform_sa_email = module.seed_bootstrap.terraform_sa_email + terraform_sa_name = module.seed_bootstrap.terraform_sa_name + terraform_state_bucket = module.seed_bootstrap.gcs_bucket_tfstate +} diff --git a/examples/cloudbuild_enabled/outputs.tf b/examples/cloudbuild_enabled/outputs.tf new file mode 100644 index 00000000..7aa983f1 --- /dev/null +++ b/examples/cloudbuild_enabled/outputs.tf 
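Review bot: Both module calls in the new `examples/cloudbuild_enabled/main.tf` hard-code `sa_enable_impersonation = true`, which per the root README lets the `group_org_admins` group impersonate the privileged Terraform service account, yet the example's `variables.tf` exposes no input for it and the example README does not mention it. Either surface it as an input defaulting to `false`, mirroring the root module, or annotate each line, e.g. `# Lets group_org_admins impersonate the privileged Terraform SA; members of that group effectively gain its org-level permissions.`, so readers see the trust boundary the example widens. The `provider "google"` block declares only `~> 2.0`; the README's software list also names the google-beta plugin, so it may be worth stating here whether the submodule needs it.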
@@ -0,0 +1,60 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "seed_project_id" { + description = "Project where service accounts and core APIs will be enabled." + value = module.seed_bootstrap.seed_project_id +} + +output "terraform_sa_email" { + description = "Email for privileged service account for Terraform." + value = module.seed_bootstrap.terraform_sa_email +} + +output "terraform_sa_name" { + description = "Fully qualified name for privileged service account for Terraform." + value = module.seed_bootstrap.terraform_sa_name +} + +output "gcs_bucket_tfstate" { + description = "Bucket used for storing terraform state for foundations pipelines in seed project." + value = module.seed_bootstrap.gcs_bucket_tfstate +} + +output "cloudbuild_project_id" { + description = "Project where CloudBuild configuration and terraform container image will reside." + value = module.cloudbuild_bootstrap.cloudbuild_project_id +} + +output "gcs_bucket_cloudbuild_artifacts" { + description = "Bucket used to store Cloud/Build artefacts in CloudBuild project." + value = module.cloudbuild_bootstrap.gcs_bucket_cloudbuild_artifacts +} + +output "csr_repos" { + description = "List of Cloud Source Repos created by the module, linked to Cloud Build triggers." + value = module.cloudbuild_bootstrap.csr_repos +} + +output "kms_keyring" { + description = "KMS Keyring created by the module." 
+ value = module.cloudbuild_bootstrap.kms_keyring +} + +output "kms_crypto_key" { + description = "KMS key created by the module." + value = module.cloudbuild_bootstrap.kms_crypto_key +} diff --git a/examples/cloudbuild_enabled/variables.tf b/examples/cloudbuild_enabled/variables.tf new file mode 100644 index 00000000..c955dd76 --- /dev/null +++ b/examples/cloudbuild_enabled/variables.tf @@ -0,0 +1,47 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "org_id" { + description = "GCP Organization ID" + type = string +} + +variable "billing_account" { + description = "The ID of the billing account to associate projects with." + type = string +} + +variable "group_org_admins" { + description = "Google Group for GCP Organization Administrators" + type = string +} + +variable "group_billing_admins" { + description = "Google Group for GCP Billing Administrators" + type = string +} + +variable "default_region" { + description = "Default region to create resources where applicable." + type = string + default = "us-central1" +} + +variable "org_project_creators" { + description = "Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required." + type = list(string) + default = [] +} diff --git a/examples/simple/README.md b/examples/simple/README.md new file mode 100644 index 00000000..4752a593 --- /dev/null +++ b/examples/simple/README.md 
@@ -0,0 +1,26 @@ +## Overview + +This example demonstrates the simplest usage of the GCP organization bootstrap module, accepting default values for the module variables. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes | +| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no | +| group\_billing\_admins | Google Group for GCP Billing Administrators | string | n/a | yes | +| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes | +| org\_id | GCP Organization ID | string | n/a | yes | +| org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | list(string) | `` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| gcs\_bucket\_tfstate | Bucket used for storing terraform state for foundations pipelines in seed project. | +| seed\_project\_id | Project where service accounts and core APIs will be enabled. | +| terraform\_sa\_email | Email for privileged service account for Terraform. | +| terraform\_sa\_name | Fully qualified name for privileged service account for Terraform. | + + diff --git a/examples/simple_example/variables.tf b/examples/simple/main.tf similarity index 58% rename from examples/simple_example/variables.tf rename to examples/simple/main.tf index eeadd9d7..e6c602d6 100644 --- a/examples/simple_example/variables.tf +++ b/examples/simple/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -14,12 +14,17 @@ * limitations under the License. */ -variable "project_id" { - description = "The ID of the project in which to provision resources." - type = string + +provider "google" { + version = "~> 2.0" } -variable "bucket_name" { - description = "The name of the bucket to create." - type = string +module "seed_bootstrap" { + source = "../.." + org_id = var.org_id + billing_account = var.billing_account + group_org_admins = var.group_org_admins + group_billing_admins = var.group_billing_admins + default_region = var.default_region + org_project_creators = var.org_project_creators } diff --git a/examples/simple/outputs.tf b/examples/simple/outputs.tf new file mode 100644 index 00000000..504f3158 --- /dev/null +++ b/examples/simple/outputs.tf 
@@ -0,0 +1,35 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "seed_project_id" { + description = "Project where service accounts and core APIs will be enabled." + value = module.seed_bootstrap.seed_project_id +} + +output "terraform_sa_email" { + description = "Email for privileged service account for Terraform." + value = module.seed_bootstrap.terraform_sa_email +} + +output "terraform_sa_name" { + description = "Fully qualified name for privileged service account for Terraform." + value = module.seed_bootstrap.terraform_sa_name +} + +output "gcs_bucket_tfstate" { + description = "Bucket used for storing terraform state for foundations pipelines in seed project." + value = module.seed_bootstrap.gcs_bucket_tfstate +} diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf new file mode 100644 index 00000000..c955dd76 --- /dev/null +++ b/examples/simple/variables.tf 
@@ -0,0 +1,47 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "org_id" { + description = "GCP Organization ID" + type = string +} + +variable "billing_account" { + description = "The ID of the billing account to associate projects with." + type = string +} + +variable "group_org_admins" { + description = "Google Group for GCP Organization Administrators" + type = string +} + +variable "group_billing_admins" { + description = "Google Group for GCP Billing Administrators" + type = string +} + +variable "default_region" { + description = "Default region to create resources where applicable." + type = string + default = "us-central1" +} + +variable "org_project_creators" { + description = "Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required." + type = list(string) + default = [] +} diff --git a/examples/simple_example/README.md b/examples/simple_example/README.md deleted file mode 100644 index ef4f2f96..00000000 --- a/examples/simple_example/README.md +++ /dev/null 
@@ -1,25 +0,0 @@ -# Simple Example - -This example illustrates how to use the `bootstrap` module. - - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| bucket\_name | The name of the bucket to create. | string | n/a | yes | -| project\_id | The ID of the project in which to provision resources. | string | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| bucket\_name | The name of the bucket. | - - - -To provision this example, run the following from within this directory: -- `terraform init` to get the plugins -- `terraform plan` to see the infrastructure plan -- `terraform apply` to apply the infrastructure build -- `terraform destroy` to destroy the built infrastructure diff --git a/kitchen.yml b/kitchen.yml index f3c9c354..4bf92216 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -26,18 +26,24 @@ platforms: - name: default suites: - - name: simple_example + - name: simple driver: - root_module_directory: test/fixtures/simple_example/ + root_module_directory: test/fixtures/simple/ verifier: color: false systems: - - name: simple_example local - backend: local + - name: simple gcp + backend: gcp controls: - - gcloud - - gsutil - - name: simple_example gcp + - bootstrap + - name: cloudbuild_enabled + driver: + root_module_directory: test/fixtures/cloudbuild_enabled/ + verifier: + color: false + systems: + - name: cloudbuild_enabled gcp backend: gcp controls: - - gcp + - bootstrap + - cloudbuild diff --git a/main.tf b/main.tf index 5693fda0..26361e61 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -14,11 +14,140 @@ * limitations under the License. */ -terraform { - required_version = "~> 0.12.0" +locals { + seed_project_id = format("%s-%s", var.project_prefix, "seed") + impersonation_apis = distinct(concat(var.activate_apis, ["serviceusage.googleapis.com", "iamcredentials.googleapis.com"])) + impersonation_enabled_count = var.sa_enable_impersonation == true ? 1 : 0 + activate_apis = var.sa_enable_impersonation == true ? local.impersonation_apis : var.activate_apis + org_project_creators = distinct(concat(var.org_project_creators, ["serviceAccount:${google_service_account.org_terraform.email}", "group:${var.group_org_admins}"])) } -resource "google_storage_bucket" "main" { - project = var.project_id - name = var.bucket_name +resource "random_id" "suffix" { + byte_length = 2 +} + +data "google_organization" "org" { + organization = var.org_id +} + +/****************************************** + Create IaC Project +*******************************************/ + +module "seed_project" { + source = "terraform-google-modules/project-factory/google" + version = "~> 5.0" + name = local.seed_project_id + random_project_id = true + disable_services_on_destroy = false + folder_id = var.folder_id + org_id = var.org_id + billing_account = var.billing_account + activate_apis = local.activate_apis +} + +/****************************************** + Service Account - Terraform for Org +*******************************************/ + +resource "google_service_account" "org_terraform" { + project = module.seed_project.project_id + account_id = "org-terraform" + display_name = "CFT Organization Terraform Account" +} + +/*********************************************** + GCS Bucket - Terraform State + ***********************************************/ + +resource "google_storage_bucket" "org_terraform_state" { + project = module.seed_project.project_id + name = format("%s-%s-%s", var.project_prefix, "tfstate", random_id.suffix.hex) + location = var.default_region +} + 
+/*********************************************** + Authorative permissions at org. Required to + remove default org wide permissions + granting billing account and project creation. + ***********************************************/ + +resource "google_organization_iam_binding" "billing_creator" { + org_id = var.org_id + role = "roles/billing.creator" + members = [ + "group:${var.group_billing_admins}", + ] +} + +resource "google_organization_iam_binding" "project_creator" { + org_id = var.org_id + role = "roles/resourcemanager.projectCreator" + members = local.org_project_creators +} + +/*********************************************** + Organization permissions for org admins. + ***********************************************/ + +resource "google_organization_iam_member" "org_admins_group" { + for_each = toset(var.org_admins_org_iam_permissions) + org_id = var.org_id + role = each.value + member = "group:${var.group_org_admins}" +} + +/*********************************************** + Organization permissions for billing admins. + ***********************************************/ + +resource "google_organization_iam_member" "org_billing_admin" { + org_id = var.org_id + role = "roles/billing.admin" + member = "group:${var.group_billing_admins}" +} + +/*********************************************** + Organization permissions for Terraform. 
+ ***********************************************/ + +resource "google_organization_iam_member" "tf_sa_org_perms" { + for_each = toset(var.sa_org_iam_permissions) + + org_id = var.org_id + role = each.value + member = "serviceAccount:${google_service_account.org_terraform.email}" +} + +resource "google_billing_account_iam_member" "tf_billing_user" { + billing_account_id = var.billing_account + role = "roles/billing.user" + member = "serviceAccount:${google_service_account.org_terraform.email}" +} + +resource "google_storage_bucket_iam_member" "org_terraform_state_iam" { + bucket = google_storage_bucket.org_terraform_state.name + role = "roles/storage.objectAdmin" + member = "serviceAccount:${google_service_account.org_terraform.email}" +} + +/*********************************************** + IAM - Impersonation permissions to run terraform + as org admin. + ***********************************************/ + +resource "google_service_account_iam_member" "org_admin_sa_impersonate_permissions" { + count = local.impersonation_enabled_count + + service_account_id = google_service_account.org_terraform.name + role = "roles/iam.serviceAccountTokenCreator" + member = "group:${var.group_org_admins}" +} + +resource "google_organization_iam_member" "org_admin_serviceusage_consumer" { + count = local.impersonation_enabled_count + + org_id = var.org_id + role = "roles/serviceusage.serviceUsageConsumer" + member = "group:${var.group_org_admins}" } diff --git a/modules/cloudbuild/README.md b/modules/cloudbuild/README.md new file mode 100644 index 00000000..c7d68dfd --- /dev/null +++ b/modules/cloudbuild/README.md 
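Review bot: `google_storage_bucket.org_terraform_state` holds the organization-level Terraform state but is created without object versioning, so an accidental overwrite or deletion of the state object cannot be rolled back; add `versioning { enabled = true }` to that resource. The two `google_organization_iam_binding` resources are authoritative, and `project_creator` will revoke any existing member not present in `local.org_project_creators` at apply time — the header comment says this is intended, but the `org_project_creators` variable description should state it too, since a caller who omits an existing creator silently removes its access. Minor style: `var.sa_enable_impersonation == true ? 1 : 0` in `locals` can be `var.sa_enable_impersonation ? 1 : 0`, as the variable is declared `type = bool` in variables.tf.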
@@ -0,0 +1,114 @@ +## Overview + + +## Usage + +Basic usage of this module is as follows: + +```hcl +module "bootstrap" { + source = "terraform-google-modules/bootstrap/google//modules/cloudbuild" + version = "~> 0.1" + + org_id = "" + billing_account = "" + group_org_admins = "gcp-organization-admins@example.com" + group_billing_admins = "gcp-billing-admins@example.com" + default_region = "australia-southeast1" + sa_enable_impersonation = true + terraform_sa_email = "" + terraform_sa_name = "" + terraform_state_bucket = "" +} +``` + +Functional examples and sample Cloud Build definitions are included in the [examples](../../examples/) directory. + +## Features + +1. Create a new GCP cloud build project using `project_prefix` +1. Enable APIs in the cloud build project using `activate_apis` +1. Build a Terraform docker image for Cloud Build +1. Create a GCS bucket for Cloud Build Artifacts using `project_prefix` +1. Create Cloud Source Repos for pipelines using list of repos in `cloud_source_repos` + 1. Create Cloud Build trigger for terraform apply on master branch + 1. Create Cloud Build trigger for terrafor plan on all other branches +1. Create KMS Keyring and key for encryption + 1. Grant access to decrypt to Cloud Build service account and `terraform_sa_email` + 1. Grant access to encrypt to `group_org_admins` +1. 
Optionally give Cloud Build service account permissions to impersonate terraform service account using `sa_enable_impersonation` and supplied value for `terraform_sa_name` + + + +## Resources created + +- KMS Keyring and key for secrets, including IAM for Cloudbuild, Org Admins and Terraform service acocunt +- (optional) Cloudbuild impersonation permissions for a service account +- (optional) Cloud Source Repos, with triggers for terraform plan (all other branches) & terraform apply (master) + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| activate\_apis | List of APIs to enable in the Cloudbuild project. | list(string) | `` | no | +| billing\_account | The ID of the billing account to associate projects with. | string | n/a | yes | +| cloud\_source\_repos | List of Cloud Source Repo's to create with CloudBuild triggers. | list(string) | `` | no | +| default\_region | Default region to create resources where applicable. | string | `"us-central1"` | no | +| folder\_id | The ID of a folder to host this project | string | `""` | no | +| group\_org\_admins | Google Group for GCP Organization Administrators | string | n/a | yes | +| org\_id | GCP Organization ID | string | n/a | yes | +| project\_prefix | Name prefix to use for projects created. | string | `"cft"` | no | +| sa\_enable\_impersonation | Allow org_admins group to impersonate service account & enable APIs required. | bool | `"false"` | no | +| terraform\_sa\_email | Email for terraform service account. | string | n/a | yes | +| terraform\_sa\_name | Fully-qualified name of the terraform service account. | string | n/a | yes | +| terraform\_state\_bucket | Default state bucket, used in Cloud Build substitutions. | string | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| cloudbuild\_project\_id | Project where CloudBuild configuration and terraform container image will reside. 
| +| csr\_repos | List of Cloud Source Repos created by the module, linked to Cloud Build triggers. | +| gcs\_bucket\_cloudbuild\_artifacts | Bucket used to store Cloud/Build artefacts in CloudBuild project. | +| kms\_crypto\_key | KMS key created by the module. | +| kms\_keyring | KMS Keyring created by the module. | + + + +## Requirements + +### Software + +- [gcloud sdk](https://cloud.google.com/sdk/install) >= 206.0.0 +- [Terraform](https://www.terraform.io/downloads.html) >= 0.12.6 +- [terraform-provider-google] plugin 2.1.x +- [terraform-provider-google-beta] plugin 2.1.x + +### Permissions + +- `roles/billing.user` on supplied billing account +- `roles/resourcemanager.organizationAdmin` on GCP Organization +- `roles/resourcemanager.projectCreator` on GCP Organization or folder + +### APIs + +A project with the following APIs enabled must be used to host the +resources of this module: + +- Google Cloud Resource Manager API: `cloudresourcemanager.googleapis.com` +- Google Cloud Billing API: `cloudbilling.googleapis.com` +- Google Cloud IAM API: `iam.googleapis.com` +- Google Cloud Storage API `storage-api.googleapis.com` +- Google Cloud Service Usage API: `serviceusage.googleapis.com` +- Google Cloud Build API: `cloudbuild.googleapis.com` +- Google Cloud Source Repo API: `sourcerepo.googleapis.com` +- Google Cloud KMS API: `cloudkms.googleapis.com` + +This API can be enabled in the default project created during establishing an organization. + +## Contributing + +Refer to the [contribution guidelines](../../CONTRIBUTING.md) for +information on contributing to this module. diff --git a/modules/cloudbuild/cloudbuild_builder/Dockerfile b/modules/cloudbuild/cloudbuild_builder/Dockerfile new file mode 100644 index 00000000..3c4bb77c --- /dev/null +++ b/modules/cloudbuild/cloudbuild_builder/Dockerfile 
@@ -0,0 +1,36 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/cloud-builders/gcloud-slim + +ENV TERRAFORM_VERSION=0.12.13 +ENV TERRAFORM_VERSION_SHA256SUM=63f765a3f83987b67b046a9c31acff1ec9ee618990d0eab4db34eca6c0d861ec + +RUN apt-get update && \ + /builder/google-cloud-sdk/bin/gcloud -q components install alpha beta && \ + apt-get -y install curl jq unzip ca-certificates && \ + curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip \ + > terraform_linux_amd64.zip && \ + echo "${TERRAFORM_VERSION_SHA256SUM} terraform_linux_amd64.zip" > terraform_SHA256SUMS && \ + sha256sum -c terraform_SHA256SUMS --status && \ + unzip terraform_linux_amd64.zip -d /builder/terraform && \ + rm -f terraform_linux_amd64.zip && \ + apt-get remove --purge -y curl unzip && \ + apt-get --purge -y autoremove && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + +ENV PATH=/builder/terraform/:$PATH +COPY entrypoint.bash /builder/entrypoint.bash +ENTRYPOINT ["/builder/entrypoint.bash"] diff --git a/modules/cloudbuild/cloudbuild_builder/README.md b/modules/cloudbuild/cloudbuild_builder/README.md new file mode 100644 index 00000000..8ffd95e9 --- /dev/null +++ b/modules/cloudbuild/cloudbuild_builder/README.md 
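Review bot: The base image in the `FROM` line, `gcr.io/cloud-builders/gcloud-slim`, is unpinned, so each build pulls whatever the registry currently serves and the builder image is not reproducible — in contrast to the Terraform download, which is correctly pinned by version and SHA-256. Pin it by tag or digest, e.g. `FROM gcr.io/cloud-builders/gcloud-slim@sha256:<digest-placeholder>`, and refresh it deliberately. The `curl` call also lacks `--fail`, so an HTTP error body would be written to `terraform_linux_amd64.zip`; the checksum step still rejects it, but `curl --fail -sSL ...` fails at the download with a clearer message.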
@@ -0,0 +1,9 @@ +# Terraform cloud builder + +This builder creates a [Terraform](https://www.terraform.io/) image for use in cloud build to run the [Cloud Foundation Toolkit](https://cloud.google.com/foundation-toolkit/) modules. + +### Building this builder +This builder is automatically created if you use the cloudbuild terraform submodule. If you would like to build manually, run the following command in this directory. +```sh +$ gcloud builds submit --config=cloudbuild.yaml +``` diff --git a/test/integration/simple_example/controls/gcloud.rb b/modules/cloudbuild/cloudbuild_builder/cloudbuild.yaml similarity index 60% rename from test/integration/simple_example/controls/gcloud.rb rename to modules/cloudbuild/cloudbuild_builder/cloudbuild.yaml index d2a2609c..1c50e298 100644 --- a/test/integration/simple_example/controls/gcloud.rb +++ b/modules/cloudbuild/cloudbuild_builder/cloudbuild.yaml @@ -1,4 +1,4 @@ -# Copyright 2018 Google LLC +# Copyright 2019 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,12 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -control "gcloud" do - title "gcloud" - - describe command("gcloud --project=#{attribute("project_id")} services list --enabled") do - its(:exit_status) { should eq 0 } - its(:stderr) { should eq "" } - its(:stdout) { should match "storage-api.googleapis.com" } - end -end +# In this directory, run the following command to build this builder. +# $ gcloud builds submit . --config=cloudbuild.yaml +steps: +- name: 'gcr.io/cloud-builders/docker' + args: ['build', '--tag=gcr.io/${PROJECT_ID}/terraform', '.'] +- name: 'gcr.io/${PROJECT_ID}/terraform' + args: ['version'] +images: ['gcr.io/${PROJECT_ID}/terraform'] 
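Review bot: In the cloudbuild.yaml hunk the image is built and pushed only as `gcr.io/${PROJECT_ID}/terraform` with no tag, so every build replaces `latest` and consuming pipelines cannot pin a known-good builder. Since the Dockerfile fixes `TERRAFORM_VERSION`, also tagging the image with that version (a second `--tag=` on the build step and a matching entry under `images:`) gives downstream triggers something stable to reference. The `gcr.io/cloud-builders/docker` step image is likewise untagged.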
diff --git a/modules/cloudbuild/cloudbuild_builder/entrypoint.bash b/modules/cloudbuild/cloudbuild_builder/entrypoint.bash new file mode 100755 index 00000000..f557a37e --- /dev/null +++ b/modules/cloudbuild/cloudbuild_builder/entrypoint.bash @@ -0,0 +1,53 @@ +#!/bin/bash +set -e + +active_account="" +function get-active-account() { + active_account=$(gcloud auth list --filter=status:ACTIVE --format="value(account)" 2> /dev/null) +} + +function activate-service-key() { + rootdir=/root/.config/gcloud-config + mkdir -p $rootdir + tmpdir=$(mktemp -d "$rootdir/servicekey.XXXXXXXX") + trap "rm -rf $tmpdir" EXIT + echo ${GCLOUD_SERVICE_KEY} | base64 --decode -i > ${tmpdir}/gcloud-service-key.json + gcloud auth activate-service-account --key-file ${tmpdir}/gcloud-service-key.json --quiet + get-active-account +} + +function service-account-usage() { + cat < +EOF + exit 1 +} + +function account-active-warning() { + cat < ../source.sh - -project_id=$(terraform output project_id) -echo "export TF_VAR_project_id='$project_id'" >> ../source.sh - -sa_json=$(terraform output sa_key) -# shellcheck disable=SC2086 -echo "export SERVICE_ACCOUNT_JSON='$(echo $sa_json | base64 --decode)'" >> ../source.sh diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 357bb1e4..f7286275 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -22,3 +22,31 @@ output "sa_key" { value = google_service_account_key.int_test.private_key sensitive = true } + +output "org_id" { + value = var.org_id +} + +output "folder_id" { + value = var.folder_id +} + +output "billing_account" { + value = var.billing_account +} + +output "group_org_admins" { + value = var.group_org_admins +} + +output "group_billing_admins" { + value = var.group_billing_admins +} + +output "default_region" { + value = var.default_region +} + +output "org_project_creators" { + value = ["serviceAccount:${google_service_account.int_test.email}"] +} 
diff --git a/test/setup/variables.tf b/test/setup/variables.tf index 6d80b898..f56d667f 100644 --- a/test/setup/variables.tf +++ b/test/setup/variables.tf @@ -15,12 +15,31 @@ */ variable "org_id" { description = "The numeric organization id" + type = string } variable "folder_id" { description = "The folder to deploy in" + type = string } variable "billing_account" { description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ" + type = string +} + +variable "group_org_admins" { + description = "Google Group for GCP Organization Administrators" + type = string +} + +variable "group_billing_admins" { + description = "Google Group for GCP Billing Administrators" + type = string +} + +variable "default_region" { + description = "Default region to create resources where applicable." + type = string + default = "us-central1" } diff --git a/variables.tf b/variables.tf index 65ec922c..bea477a7 100644 --- a/variables.tf +++ b/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -14,10 +14,102 @@ * limitations under the License. */ -variable "project_id" { - description = "The project ID to deploy to" +/****************************************** + Required variables +*******************************************/ + +variable "org_id" { + description = "GCP Organization ID" + type = string +} + +variable "billing_account" { + description = "The ID of the billing account to associate projects with." + type = string +} + +variable "group_org_admins" { + description = "Google Group for GCP Organization Administrators" + type = string +} + +variable "group_billing_admins" { + description = "Google Group for GCP Billing Administrators" + type = string +} + +variable "default_region" { + description = "Default region to create resources where applicable." + type = string + default = "us-central1" +} + +/****************************************** + Optional variables +*******************************************/ + +variable "project_prefix" { + description = "Name prefix to use for projects created." + default = "cft" + type = string +} + +variable "activate_apis" { + description = "List of APIs to enable in the seed project." + type = list(string) + + default = [ + "servicenetworking.googleapis.com", + "compute.googleapis.com", + "logging.googleapis.com", + "bigquery-json.googleapis.com", + "cloudresourcemanager.googleapis.com", + "cloudbilling.googleapis.com", + "iam.googleapis.com", + "admin.googleapis.com", + "appengine.googleapis.com", + ] +} + +variable "sa_org_iam_permissions" { + description = "List of permissions granted to Terraform service account across the GCP organization." 
+ type = list(string) + default = [ + "roles/billing.user", + "roles/compute.networkAdmin", + "roles/compute.xpnAdmin", + "roles/iam.serviceAccountAdmin", + "roles/logging.configWriter", + "roles/orgpolicy.policyAdmin", + "roles/resourcemanager.folderCreator", + "roles/resourcemanager.folderViewer", + "roles/resourcemanager.organizationViewer" + ] +} + +variable "sa_enable_impersonation" { + description = "Allow org_admins group to impersonate service account & enable APIs required." + type = bool + default = false +} + +variable "org_admins_org_iam_permissions" { + description = "List of permissions granted to the group supplied in group_org_admins variable across the GCP organization." + type = list(string) + default = [ + "roles/billing.user", + "roles/resourcemanager.organizationAdmin" + ] +} + +variable "folder_id" { + description = "The ID of a folder to host this project" + type = string + default = "" } -variable "bucket_name" { - description = "The name of the bucket to create" +variable "org_project_creators" { + description = "Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required." + type = list(string) + default = [] } diff --git a/versions.tf b/versions.tf index 832ec1df..27ba8fc1 100644 --- a/versions.tf +++ b/versions.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2019 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,5 +15,5 @@ */ terraform { - required_version = ">= 0.12" + required_version = "~> 0.12.6" }
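Review bot: The defaults for `sa_org_iam_permissions` and `org_admins_org_iam_permissions` grant organization-wide roles such as `roles/orgpolicy.policyAdmin`, `roles/compute.xpnAdmin`, `roles/resourcemanager.folderCreator` and `roles/resourcemanager.organizationAdmin`, but neither description says how broad the defaults are or that main.tf applies them with `google_organization_iam_member` at the org level. Suggest `description = "List of org-level IAM roles granted to the Terraform service account. The default set is broad (org policy, shared VPC, folder creation); override it with the minimum your pipelines need."` and a parallel sentence on `org_admins_org_iam_permissions`. `bigquery-json.googleapis.com` in the `activate_apis` default appears to be the legacy service name for `bigquery.googleapis.com`; worth confirming before it is baked into the default. The `org_project_creators` description also carries the `accross` typo noted on the earlier variables.tf hunk.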