kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow disabling network security stage (#2701)

Browse Source 
* Allow disabling security stage

* Remove deprecated network_firewall_policies_viewer

* Enable nsec in resman tests
This commit is contained in:
Julio Castillo
2024-11-17 10:04:18 +01:00
committed by GitHub
parent f140adfab8
commit 1fc5e90bdd
5 changed files with 244 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
fast/stages/1-resman/stage-2-networking.tf
View File

@@ -60,35 +60,25 @@ module "net-folder" {
# network security stage 2 service accounts
var.fast_stage_2.network_security.enabled != true ? {} : {
"roles/serviceusage.serviceUsageAdmin" = [
try(module.nsec-sa-rw[0].iam_email, null)
module.nsec-sa-rw[0].iam_email
]
(var.custom_roles["network_firewall_policies_admin"]) = [
try(module.nsec-sa-rw[0].iam_email, null)
module.nsec-sa-rw[0].iam_email
]
"roles/compute.orgFirewallPolicyUser" = [
try(module.nsec-sa-ro[0].iam_email, null)
module.nsec-sa-ro[0].iam_email
]
"roles/serviceusage.serviceUsageConsumer" = [
try(module.nsec-sa-ro[0].iam_email, null)
module.nsec-sa-ro[0].iam_email
]
},
# security stage 2 service accounts
var.fast_stage_2.security.enabled != true ? {} : {
"roles/serviceusage.serviceUsageAdmin" = [
try(module.sec-sa-rw[0].iam_email, null)
module.sec-sa-rw[0].iam_email
]
"roles/serviceusage.serviceUsageConsumer" = [
try(module.sec-sa-ro[0].iam_email, null)
]
},
try(var.custom_roles["network_firewall_policies_admin"], null) == null ? {} : {
(var.custom_roles["network_firewall_policies_admin"]) = [
try(module.sec-sa-rw[0].iam_email, null)
]
},
try(var.custom_roles["network_firewall_policies_viewer"], null) == null ? {} : {
(var.custom_roles["network_firewall_policies_viewer"]) = [
try(module.sec-sa-ro[0].iam_email, null)
module.sec-sa-ro[0].iam_email
]
},
# project factory service accounts

14
fast/stages/1-tenant-factory/README.md
View File

@@ -328,13 +328,13 @@ gcloud storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-boot
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10; outputs_bucket &#61; string&#10; project_id &#61; string&#10; project_number &#61; string&#10; federated_identity_pool &#61; string&#10; federated_identity_providers &#61; map&#40;object&#40;&#123;&#10; audiences &#61; list&#40;string&#41;&#10; issuer &#61; string&#10; issuer_uri &#61; string&#10; name &#61; string&#10; principal_branch &#61; string&#10; principal_repo &#61; string&#10; &#125;&#41;&#41;&#10; service_accounts &#61; object&#40;&#123;&#10; resman &#61; string&#10; resman-r &#61; string&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object&#40;&#123;&#10; id &#61; string&#10; is_org_level &#61; optional&#40;bool, true&#41;&#10; no_iam &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [logging](variables-fast.tf#L99) | Logging resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [org_policy_tags](variables-fast.tf#L118) | Organization policy tags. | <code title="object&#40;&#123;&#10; key_id &#61; string&#10; key_name &#61; string&#10; values &#61; map&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [organization](variables-fast.tf#L108) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [prefix](variables-fast.tf#L135) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10; gcve_network_admin &#61; string&#10; network_firewall_policies_admin &#61; string&#10; network_firewall_policies_viewer &#61; optional&#40;string&#41;&#10; ngfw_enterprise_admin &#61; optional&#40;string&#41;&#10; ngfw_enterprise_viewer &#61; optional&#40;string&#41;&#10; organization_admin_viewer &#61; string&#10; service_project_network_admin &#61; string&#10; storage_viewer &#61; string&#10; tenant_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>0-bootstrap</code> |
| [groups](variables-fast.tf#L71) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10; gcp-billing-admins &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10; gcp-devops &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10; gcp-network-admins &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10; gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10; gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [locations](variables-fast.tf#L86) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10; bq &#61; optional&#40;string, &#34;EU&#34;&#41;&#10; gcs &#61; optional&#40;string, &#34;EU&#34;&#41;&#10; logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10; pubsub &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [logging](variables-fast.tf#L97) | Logging resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [org_policy_tags](variables-fast.tf#L116) | Organization policy tags. | <code title="object&#40;&#123;&#10; key_id &#61; string&#10; key_name &#61; string&#10; values &#61; map&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [organization](variables-fast.tf#L106) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | | <code>0-bootstrap</code> |
| [prefix](variables-fast.tf#L133) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10; gcve_network_admin &#61; string&#10; network_firewall_policies_admin &#61; string&#10; ngfw_enterprise_admin &#61; optional&#40;string&#41;&#10; ngfw_enterprise_viewer &#61; optional&#40;string&#41;&#10; organization_admin_viewer &#61; string&#10; service_project_network_admin &#61; string&#10; storage_viewer &#61; string&#10; tenant_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>0-bootstrap</code> |
| [groups](variables-fast.tf#L69) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10; gcp-billing-admins &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10; gcp-devops &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10; gcp-network-admins &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10; gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10; gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [locations](variables-fast.tf#L84) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10; bq &#61; optional&#40;string, &#34;EU&#34;&#41;&#10; gcs &#61; optional&#40;string, &#34;EU&#34;&#41;&#10; logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10; pubsub &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [outputs_location](variables.tf#L17) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
| [root_node](variables.tf#L23) | Root folder under which tenants are created, in folders/nnnn format. Defaults to the organization if null. | <code>string</code> | | <code>null</code> | |
| [tag_names](variables.tf#L36) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10; tenant &#61; optional&#40;string, &#34;tenant&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |

14
fast/stages/1-tenant-factory/variables-fast.tf
View File

@@ -56,14 +56,12 @@ variable "custom_roles" {
type = object({
gcve_network_admin = string
network_firewall_policies_admin = string
# TODO: remove after v34.0.0
network_firewall_policies_viewer = optional(string)
ngfw_enterprise_admin = optional(string)
ngfw_enterprise_viewer = optional(string)
organization_admin_viewer = string
service_project_network_admin = string
storage_viewer = string
tenant_network_admin = string
ngfw_enterprise_admin = optional(string)
ngfw_enterprise_viewer = optional(string)
organization_admin_viewer = string
service_project_network_admin = string
storage_viewer = string
tenant_network_admin = string
})
default = null
}