From 1e4499c8abce341af1ff0faceca328f576227e01 Mon Sep 17 00:00:00 2001 From: lcaggio Date: Mon, 6 Feb 2023 14:58:40 +0100 Subject: [PATCH] Fixes --- .../data-solutions/shielded-folder/README.md | 55 ++++++++++++------- .../shielded-folder/variables.tf | 4 +- .../shielded-folder/simple.tfvars | 13 ----- .../shielded_folder/simple.tfvars | 20 +++++++ .../simple.yaml | 20 +++---- .../tftest.yaml | 0 6 files changed, 66 insertions(+), 46 deletions(-) delete mode 100644 tests/blueprints/data_solutions/shielded-folder/simple.tfvars create mode 100644 tests/blueprints/data_solutions/shielded_folder/simple.tfvars rename tests/blueprints/data_solutions/{shielded-folder => shielded_folder}/simple.yaml (95%) rename tests/blueprints/data_solutions/{shielded-folder => shielded_folder}/tftest.yaml (100%) diff --git a/blueprints/data-solutions/shielded-folder/README.md b/blueprints/data-solutions/shielded-folder/README.md index 8f37af385..eadd86c27 100644 --- a/blueprints/data-solutions/shielded-folder/README.md +++ b/blueprints/data-solutions/shielded-folder/README.md @@ -75,7 +75,7 @@ Access level rules are not defined. Before moving the configuration to enforced An access level based on the network range you are using to reach the console (e.g. Proxy IP, Internet connection, ...) is suggested. Example: -```hcl +```tfvars vpc_sc_access_levels = { users = { conditions = [ @@ -87,7 +87,7 @@ vpc_sc_access_levels = { Alternatively, you can configure an access level based on the identity that needs to reach resources from outside the perimeter. -```hcl +```tfvars vpc_sc_access_levels = { users = { conditions = [ 
@@ -114,16 +114,32 @@ The Shielded Folder blueprint is meant to be executed by a Service Account (or a The shielded Folfer blueprint assumes [groups described](#user-groups) are created in your GCP organization. -### Variable configuration +### Variable configuration PIPPO There are three sets of variables you will need to fill in: ```hcl +access_policy_config = { + access_policy_create = { + parent = "organizations/1234567890123" + title = "ShieldedMVP" + } +} +folder_config = { + folder_create = { + display_name = "ShieldedMVP" + parent = "organizations/1234567890123" + } +} organization = { - id = "12345678" domain = "example.com" + id = "1122334455" } prefix = "prefix" +project_config_2 = { + billing_account_id = "123456-123456-123456" +} +# tftest modules=8 resources=35 ``` ### Deploying the blueprint 
@@ -140,23 +156,20 @@ terraform apply | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [organization](variables.tf#L129) | Organization details. | object({…}) | ✓ | | -| [prefix](variables.tf#L137) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | -| [access_policy](variables.tf#L17) | Access Policy name, set to null if creating one. | string | | null | -| [access_policy_create](variables.tf#L23) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | object({…}) | | null | -| [data_dir](variables.tf#L33) | Relative path for the folder storing configuration data. | string | | "data" | -| [enable_features](variables.tf#L39) | Flag to enable features on the solution. | object({…}) | | {…} | -| [folder_create](variables.tf#L52) | Provide values if folder creation is needed, uses existing folder if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | | null | -| [folder_id](variables.tf#L61) | Folder ID in case you use folder_create=null. | string | | null | -| [groups](variables.tf#L67) | User groups. | map(string) | | {…} | -| [kms_keys](variables.tf#L76) | KMS keys to create, keyed by name. | map(object({…})) | | {} | -| [log_locations](variables.tf#L87) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | -| [log_sinks](variables.tf#L104) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | -| [projects_create](variables.tf#L147) | Provide values if projects creation is needed, uses existing project if null. Projects will be created in the shielded folder. | object({…}) | | null | -| [projects_id](variables.tf#L155) | Project id, references existing projects if `projects_create` is null. Projects will be moved into the shielded folder. | object({…}) | | null | -| [vpc_sc_access_levels](variables.tf#L164) | VPC SC access level definitions. 
| map(object({…})) | | {} | -| [vpc_sc_egress_policies](variables.tf#L193) | VPC SC egress policy defnitions. | map(object({…})) | | {} | -| [vpc_sc_ingress_policies](variables.tf#L213) | VPC SC ingress policy defnitions. | map(object({…})) | | {} | +| [access_policy_config](variables.tf#L17) | Provide 'access_policy_create' values if a folder scoped Access Policy creation is needed, uses existing 'policy_name' otherwise. Parent is in 'organizations/123456' format. Policy will be created scoped to the folder. | object({…}) | ✓ | | +| [folder_config](variables.tf#L49) | Provide 'folder_create' values if folder creation is needed, uses existing 'folder_id' otherwise. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | +| [organization](variables.tf#L124) | Organization details. | object({…}) | ✓ | | +| [prefix](variables.tf#L132) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | +| [project_config](variables.tf#L141) | Provide 'billing_account_id' value if project creation is needed, uses existing 'projects_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | +| [data_dir](variables.tf#L29) | Relative path for the folder storing configuration data. | string | | "data" | +| [enable_features](variables.tf#L35) | Flag to enable features on the solution. | object({…}) | | {…} | +| [groups](variables.tf#L61) | User groups. | object({…}) | | {} | +| [kms_keys](variables.tf#L71) | KMS keys to create, keyed by name. | map(object({…})) | | {} | +| [log_locations](variables.tf#L82) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | +| [log_sinks](variables.tf#L99) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | +| [vpc_sc_access_levels](variables.tf#L157) | VPC SC access level definitions. 
| map(object({…})) | | {} | +| [vpc_sc_egress_policies](variables.tf#L186) | VPC SC egress policy defnitions. | map(object({…})) | | {} | +| [vpc_sc_ingress_policies](variables.tf#L206) | VPC SC ingress policy defnitions. | map(object({…})) | | {} | ## Outputs diff --git a/blueprints/data-solutions/shielded-folder/variables.tf b/blueprints/data-solutions/shielded-folder/variables.tf index 8daba6db8..22fd76be5 100644 --- a/blueprints/data-solutions/shielded-folder/variables.tf +++ b/blueprints/data-solutions/shielded-folder/variables.tf @@ -35,12 +35,12 @@ variable "data_dir" { variable "enable_features" { description = "Flag to enable features on the solution." type = object({ - encryption = optional(bool, false) + encryption = optional(bool, true) log_sink = optional(bool, true) vpc_sc = optional(bool, true) }) default = { - encryption = false + encryption = true log_sink = true vpc_sc = true } diff --git a/tests/blueprints/data_solutions/shielded-folder/simple.tfvars b/tests/blueprints/data_solutions/shielded-folder/simple.tfvars deleted file mode 100644 index 2c77276b5..000000000 --- a/tests/blueprints/data_solutions/shielded-folder/simple.tfvars +++ /dev/null @@ -1,13 +0,0 @@ -data_dir = null -folder_create = { - display_name = "ShieldedMVP" - parent = "organizations/1054601055974" -} -organization = { - domain = "example.com" - id = "1122334455" -} -prefix = "prefix" -projects_create = { - billing_account_id = "123456-123456-123456" -} diff --git a/tests/blueprints/data_solutions/shielded_folder/simple.tfvars b/tests/blueprints/data_solutions/shielded_folder/simple.tfvars new file mode 100644 index 000000000..83e8b1399 --- /dev/null +++ b/tests/blueprints/data_solutions/shielded_folder/simple.tfvars 
@@ -0,0 +1,20 @@ +access_policy_config = { + access_policy_create = { + parent = "organizations/1234567890123" + title = "ShieldedMVP" + } +} +folder_config = { + folder_create = { + display_name = "ShieldedMVP" + parent = "organizations/1234567890123" + } +} +organization = { + domain = "example.com" + id = "1122334455" +} +prefix = "prefix" +project_config = { + billing_account_id = "123456-123456-123456" +} diff --git a/tests/blueprints/data_solutions/shielded-folder/simple.yaml b/tests/blueprints/data_solutions/shielded_folder/simple.yaml similarity index 95% rename from tests/blueprints/data_solutions/shielded-folder/simple.yaml rename to tests/blueprints/data_solutions/shielded_folder/simple.yaml index bcae41193..acfe8168e 100644 --- a/tests/blueprints/data_solutions/shielded-folder/simple.yaml +++ b/tests/blueprints/data_solutions/shielded_folder/simple.yaml @@ -136,16 +136,16 @@ counts: google_bigquery_default_service_account: 1 google_folder: 2 google_folder_iam_binding: 2 + google_kms_crypto_key: 3 + google_kms_crypto_key_iam_member: 3 + google_kms_key_ring: 2 google_logging_folder_sink: 2 - google_project: 1 - google_project_iam_binding: 1 - google_project_service: 4 - google_project_service_identity: 1 + google_project: 2 + google_project_iam_binding: 2 + google_project_service: 7 + google_project_service_identity: 2 google_projects: 1 google_storage_project_service_account: 1 - modules: 5 - resources: 21 - -outputs: - folders: __missing__ - folders_sink_writer_identities: __missing__ + modules: 8 + resources: 52 + \ No newline at end of file diff --git a/tests/blueprints/data_solutions/shielded-folder/tftest.yaml b/tests/blueprints/data_solutions/shielded_folder/tftest.yaml similarity index 100% rename from tests/blueprints/data_solutions/shielded-folder/tftest.yaml rename to tests/blueprints/data_solutions/shielded_folder/tftest.yaml
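Review bot: on the README hunk at `@@ -75,7 +75,7 @@`, the two VPC-SC access level snippets switch their fence from ```hcl to ```tfvars while the variable configuration block later in the same README (the one that carries the `# tftest modules=8 resources=35` marker) stays ```hcl; if the intent is to keep these two partial snippets out of the doc-test collection, a one-line remark saying so would stop the next editor from "fixing" them back to hcl.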
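Review bot: on the README hunk at `@@ -114,16 +114,32 @@`, the heading `### Variable configuration PIPPO` carries a leftover placeholder word; drop `PIPPO`. The sample block names the variable `project_config_2`, but the variables table and the new `tests/blueprints/data_solutions/shielded_folder/simple.tfvars` both call it `project_config`, so the README example will not apply as written; rename it. The `# tftest modules=8 resources=35` marker also disagrees with `resources: 52` recorded in simple.yaml in this same patch, so one of the two counts is stale. While here, the unchanged context line `The shielded Folfer blueprint` has a typo (Folder).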
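Review bot: on the README variables table hunk at `@@ -140,23 +156,20 @@`, the `project_config` description says "Parent is in 'folders/nnn' or 'organizations/nnn' format" although the same sentence lists only `billing_account_id` and `projects_id`; this reads as copied from `folder_config` and should describe what the variable actually accepts. `groups` changes from `map(string)` to `object({…})` with a `{}` default, which breaks callers passing a plain map; that deserves a line in the README or changelog. The unchanged rows for `vpc_sc_egress_policies` and `vpc_sc_ingress_policies` still read "defnitions" (definitions).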
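Review bot: on the variables.tf hunk at `@@ -35,12 +35,12 @@`, flipping `enable_features.encryption` from `false` to `true` in both the `optional(bool, …)` default and the `default` block changes behaviour for every existing caller that never set the flag: KMS key rings and crypto keys are now created (the simple.yaml counts in this patch add `google_kms_key_ring: 2` and `google_kms_crypto_key: 3`) and `google_project` goes from 1 to 2. Defaulting to customer-managed encryption is the safer posture, but the commit message ("Fixes") and the README table, which shows only `{…}` for this default, do not surface it; state the new default in the README and confirm `kms_keys` has a usable default when the flag is on.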
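Review bot: on the deleted `tests/blueprints/data_solutions/shielded-folder/simple.tfvars` hunk at `@@ -1,13 +0,0 @@`, it is good to see `parent = "organizations/1054601055974"` go: that is a concrete-looking organization id in a committed test fixture, whereas the replacement file uses the obvious placeholder `organizations/1234567890123`. The old fixture also set `data_dir = null`; the new one does not, so the test now exercises the `"data"` default from the variables table. Confirm that is intended.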
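Review bot: on the new `tests/blueprints/data_solutions/shielded_folder/simple.tfvars` hunk at `@@ -0,0 +1,20 @@`, the test directory is renamed from `shielded-folder` to `shielded_folder` (here and for simple.yaml and tftest.yaml) while the blueprint itself still lives under `blueprints/data-solutions/shielded-folder`; if the test runner maps the test directory name onto the blueprint path, double-check the renamed directory still resolves. The fixture otherwise matches the README example, except that the README calls the last variable `project_config_2`; this file's `project_config` is the name the variables table uses.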
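Review bot: on the simple.yaml hunk at `@@ -136,16 +136,16 @@`, the whole `outputs:` block (`folders: __missing__`, `folders_sink_writer_identities: __missing__`) is removed rather than updated, so the test no longer asserts on the blueprint's outputs at all; restore it with the expected values. The new `resources: 52` also conflicts with the `# tftest modules=8 resources=35` marker added to the README in this same patch. Finally, the file now ends with a whitespace-only `+ ` line and `\ No newline at end of file`; trim the trailing line and add the final newline.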