kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Project Factory (#432)

Browse Source
This commit is contained in:
Simone Ruffilli
2022-01-14 10:29:09 +01:00
committed by GitHub
parent baa31e82d9
commit 3f498594ee
5 changed files with 582 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
examples/factories/README.md
View File

@@ -38,5 +38,6 @@ If needed, converting factories to consume JSON is a matter of switching from `y
### Dedicated Factories
A dedicated resource factory for the massive creation of VPC firewall rules across different projects/VPCs is also provided as a reference: [net-vpc-firewall-yaml](net-vpc-firewall-yaml/README.md)
- [net-vpc-firewall-yaml](net-vpc-firewall-yaml/README.md) for VPC firewall rules across different projects/VPCs
- [project-factory](project-factory/README.md) for projects

250
examples/factories/project-factory/README.md Normal file
View File

@@ -0,0 +1,250 @@
# Minimal Project Factory
This module implements a minimal, opinionated project factory (see [Factories](../README.md) for rationale) that allows for the creation of projects.
While the module can be invoked by manually populating the required variables, its interface is meant for the massive creation of resources leveraging a set of well-defined YaML documents, as shown in the examples below.
The Project Factory is meant to be executed by a Service Account (or a regular user) having this minimal set of permissions over your resources:
* **Org level** - a custom role for networking operations including the following permissions
* `"compute.organizations.enableXpnResource"`,
* `"compute.organizations.disableXpnResource"`,
* `"compute.subnetworks.setIamPolicy"`,
* `"dns.networks.bindPrivateDNSZone"`
* and role `"roles/orgpolicy.policyAdmin"`
* **on each folder** where projects will be created
* `"roles/logging.admin"`
* `"roles/owner"`
* `"roles/resourcemanager.folderAdmin"`
* `"roles/resourcemanager.projectCreator"`
* **on the host project** for the Shared VPC/s
* `"roles/browser"`
* `"roles/compute.viewer"`
* `"roles/dns.admin"`
## Example
### Directory structure
```
.
├── data
│ ├── defaults.yaml
│ └── projects
│ ├── project-example-one.yaml
│ ├── project-example-two.yaml
│ └── project-example-three.yaml
├── main.tf
└── terraform.tfvars
```
### Terraform code
```tfvars
# ./terraform.tfvars
data_dir = "data/projects/"
defaults_file = "data/defaults.yaml"
```
```hcl
# ./main.tf
locals {
defaults = yamldecode(file(var.defaults_file))
projects = {
for f in fileset("${var.data_dir}", "**/*.yaml") :
trimsuffix(f, ".yaml") => yamldecode(file("${var.data_dir}/${f}"))
}
}
module "projects" {
source = "./factories/project-factory"
for_each = local.projects
defaults = local.defaults
project_id = each.key
billing_account_id = try(each.value.billing_account_id, null)
billing_alert = try(each.value.billing_alert, null)
dns_zones = try(each.value.dns_zones, [])
essential_contacts = try(each.value.essential_contacts, [])
folder_id = each.value.folder_id
group_iam = try(each.value.group_iam, {})
iam = try(each.value.iam, {})
kms_service_agents = try(each.value.kms, {})
labels = try(each.value.labels, {})
org_policies = try(each.value.org_policies, null)
secrets = try(each.value.secrets, {})
service_accounts = try(each.value.service_accounts, {})
services = try(each.value.services, [])
services_iam = try(each.value.services_iam, {})
vpc = try(each.value.vpc, null)
}
```
### Projects configuration
```yaml
# ./data/defaults.yaml
# The following applies as overrideable defaults for all projects
# All attributes are required
billing_account_id: 012345-67890A-BCDEF0
billing_alert:
amount: 1000
thresholds:
current: [0.5, 0.8]
forecasted: [0.5, 0.8]
credit_treatment: INCLUDE_ALL_CREDITS
environment_dns_zone: prod.gcp.example.com
essential_contacts: []
labels:
environment: production
department: legal
application: my-legal-bot
notification_channels: []
shared_vpc_self_link: https://www.googleapis.com/compute/v1/projects/project-example-host-project/global/networks/vpc-one
vpc_host_project: project-example-host-project
```
```yaml
# ./data/projects/project-example-one.yaml
# One file per project - projects will be named after the filename
# [opt] Billing account id - overrides default if set
billing_account_id: 012345-67890A-BCDEF0
# [opt] Billing alerts config - overrides default if set
billing_alert:
amount: 10
thresholds:
current:
- 0.5
- 0.8
forecasted: []
# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
dns_zones:
- lorem
- ipsum
# [opt] Contacts for billing alerts and important notifications
essential_contacts:
- team-a-contacts@example.com
# Folder the project will be created as children of
folder_id: folders/012345678901
# [opt] Authoritative IAM bindings in group => [roles] format
group_iam:
test-team-foobar@fast-lab-0.gcp-pso-italy.net:
- roles/compute.admin
# [opt] Authoritative IAM bindings in role => [principals] format
# Generally used to grant roles to service accounts external to the project
iam:
roles/compute.admin:
- serviceAccount:service-account
# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
# in service => [keys] format
kms_service_agents:
compute: [key1, key2]
storage: [key1, key2]
# [opt] Labels for the project - merged with the ones defined in defaults
labels:
environment: prod
# [opt] Org policy overrides defined at project level
org_policies:
policy_boolean:
constraints/compute.disableGuestAttributesAccess: true
policy_list:
constraints/compute.trustedImageProjects:
inherit_from_parent: null
status: true
suggested_value: null
values:
- projects/fast-prod-iac-core-0
# [opt] Service account to create for the project and their roles on the project
# in name => [roles] format
service_accounts:
another-service-account:
- roles/compute.admin
my-service-account:
- roles/compute.admin
# [opt] APIs to enable on the project.
services:
- storage.googleapis.com
- stackdriver.googleapis.com
- compute.googleapis.com
# [opt] Roles to assign to the robots service accounts in robot => [roles] format
services_iam:
compute:
- roles/storage.objectViewer
# [opt] VPC setup.
# If set enables the `compute.googleapis.com` service and configures
# service project attachment
vpc:
# [opt] If set, enables the container API
gke_setup:
# Grants "roles/container.hostServiceAgentUser" to the container robot if set
enable_host_service_agent: false
# Grants "roles/compute.securityAdmin" to the container robot if set
enable_security_admin: true
# Host project the project will be service project of
host_project: fast-prod-net-spoke-0
# [opt] Subnets in the host project where principals will be granted networkUser
# in region/subnet-name => [principals]
subnets_iam:
europe-west1/prod-default-ew1: []
- user:foobar@example.com
- serviceAccount:service-account1
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| billing_account_id | Billing account id. | <code>string</code> | ✓ | |
| defaults | Project factory default values. | <code title="object&#40;&#123;&#10; billing_account_id &#61; string&#10; billing_alert &#61; object&#40;&#123;&#10; amount &#61; number&#10; thresholds &#61; object&#40;&#123;&#10; current &#61; list&#40;number&#41;&#10; forecasted &#61; list&#40;number&#41;&#10; &#125;&#41;&#10; credit_treatment &#61; string&#10; &#125;&#41;&#10; environment_dns_zone &#61; string&#10; essential_contacts &#61; list&#40;string&#41;&#10; labels &#61; map&#40;string&#41;&#10; notification_channels &#61; list&#40;string&#41;&#10; shared_vpc_self_link &#61; string&#10; vpc_host_project &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| folder_id | Folder ID for the folder where the project will be created. | <code>string</code> | ✓ | |
| project_id | Project id. | <code>string</code> | ✓ | |
| billing_alert | Billing alert configuration. | <code title="object&#40;&#123;&#10; amount &#61; number&#10; thresholds &#61; object&#40;&#123;&#10; current &#61; list&#40;number&#41;&#10; forecasted &#61; list&#40;number&#41;&#10; &#125;&#41;&#10; credit_treatment &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| dns_zones | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| essential_contacts | Email contacts to be used for billing and GCP notifications | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| group_iam | Custom IAM settings in group => [role] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| iam | Custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| kms_service_agents | KMS IAM configuration in as service => [key]. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| labels | Labels to be assigned at project level. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| org_policies | Org-policy overrides at project level. | <code title="object&#40;&#123;&#10; policy_boolean &#61; map&#40;bool&#41;&#10; policy_list &#61; map&#40;object&#40;&#123;&#10; inherit_from_parent &#61; bool&#10; suggested_value &#61; string&#10; status &#61; bool&#10; values &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| service_accounts | Service accounts to be created, and roles to assign them. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| services | Services to be enabled for the project. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| services_iam | Custom IAM settings for robot ServiceAccounts in service => [role] format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| vpc | VPC configuration for the project. | <code title="object&#40;&#123;&#10; host_project &#61; string&#10; gke_setup &#61; object&#40;&#123;&#10; enable_security_admin &#61; bool&#10; enable_host_service_agent &#61; bool&#10; &#125;&#41;&#10; subnets_iam &#61; map&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| project_id | Project ID. | |
<!-- END TFDOC -->

160
examples/factories/project-factory/main.tf Normal file
View File

@@ -0,0 +1,160 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
_gke_iam_hsau = try(var.vpc.gke_setup.enable_security_admin, false) ? {
"roles/container.hostServiceAgentUser" = [
"serviceAccount:${local.service_accounts_robots["container-engine"]}"
] } : {}
_gke_iam_securityadmin = try(var.vpc.gke_setup.enable_security_admin, false) ? {
"roles/compute.securityAdmin" = [
"serviceAccount:${local.service_accounts_robots["container-engine"]}"
] } : {}
_group_iam = {
for r in local._group_iam_roles : r => [
for k, v in var.group_iam : "group:${k}" if try(index(v, r), null) != null
]
}
_group_iam_roles = distinct(flatten(values(var.group_iam)))
_service_accounts_iam = {
for r in local._service_accounts_iam_roles : r => [
for k, v in var.service_accounts : "serviceAccount:${k}@${var.project_id}.iam.gserviceaccount.com" if try(index(v, r), null) != null
]
}
_service_accounts_iam_roles = distinct(flatten(values(var.service_accounts)))
_services = concat([
"billingbudgets.googleapis.com",
"essentialcontacts.googleapis.com"
],
length(var.dns_zones) > 0 ? ["dns.googleapis.com"] : [],
try(var.vpc.gke_setup, null) != null ? ["container.googleapis.com"] : [],
var.vpc != null ? ["compute.googleapis.com"] : [],
)
_services_iam_roles = distinct(flatten(values(var.services_iam)))
_services_iam = {
for r in local._services_iam_roles : r => [
for k, v in var.services_iam : "serviceAccount:${local.service_accounts_robots[k]}" if try(index(v, r), null) != null
]
}
billing_account_id = coalesce(var.billing_account_id, var.defaults.billing_account_id)
billing_alert = var.billing_alert == null ? var.defaults.billing_alert : var.billing_alert
essential_contacts = concat(try(var.defaults.essential_contacts, []), var.essential_contacts)
iam = {
for role in distinct(concat(
keys(var.iam),
keys(local._group_iam),
keys(local._gke_iam_hsau),
keys(local._gke_iam_securityadmin),
keys(local._service_accounts_iam),
keys(local._services_iam),
)) :
role => concat(
try(var.iam[role], []),
try(local._group_iam[role], []),
try(local._gke_iam_hsau[role], []),
try(local._gke_iam_securityadmin[role], []),
try(local._service_accounts_iam[role], []),
try(local._services_iam[role], []),
)
}
labels = merge(coalesce(var.labels, {}), coalesce(var.defaults.labels, {}))
network_user_service_accounts = concat(
contains(local.services, "compute.googleapis.com") ? ["serviceAccount:${local.service_accounts_robots.compute}"] : [],
contains(local.services, "container.googleapis.com") ? ["serviceAccount:${local.service_accounts_robots.container-engine}"] : [],
[])
services = distinct(concat(var.services, local._services))
service_accounts_robots = {
for service, name in local.service_accounts_robot_services :
service => "${service == "bq" ? "bq" : "service"}-${module.project.number}@${name}.iam.gserviceaccount.com"
}
service_accounts_robot_services = {
cloudasset = "gcp-sa-cloudasset"
cloudbuild = "gcp-sa-cloudbuild"
compute = "compute-system"
container-engine = "container-engine-robot"
containerregistry = "containerregistry"
dataflow = "dataflow-service-producer-prod"
dataproc = "dataproc-accounts"
gae-flex = "gae-api-prod"
gcf = "gcf-admin-robot"
pubsub = "gcp-sa-pubsub"
secretmanager = "gcp-sa-secretmanager"
storage = "gs-project-accounts"
}
vpc_host_project = try(var.vpc.host_project, var.defaults.vpc_host_project)
vpc_setup = var.vpc != null
}
module "billing-alert" {
for_each = local.billing_alert == null ? {} : { 1 = 1 }
source = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/billing-budget?ref=v12.0.0"
billing_account = local.billing_account_id
name = "${module.project.project_id} budget"
amount = local.billing_alert.amount
thresholds = local.billing_alert.thresholds
credit_treatment = local.billing_alert.credit_treatment
notification_channels = var.defaults.notification_channels
projects = ["projects/${module.project.number}"]
email_recipients = {
project_id = module.project.project_id
emails = local.essential_contacts
}
}
module "dns" {
source = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/dns?ref=v12.0.0"
for_each = toset(var.dns_zones)
project_id = module.project.project_id
type = "private"
name = each.value
domain = "${each.value}.${var.defaults.environment_dns_zone}"
client_networks = [var.defaults.shared_vpc_self_link]
}
module "project" {
source = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/project?ref=v12.0.0"
billing_account = local.billing_account_id
name = var.project_id
contacts = { for c in local.essential_contacts : c => ["ALL"] }
iam = local.iam
labels = local.labels
parent = var.folder_id
policy_boolean = try(var.org_policies.policy_boolean, {})
policy_list = try(var.org_policies.policy_list, {})
service_encryption_key_ids = var.kms_service_agents
services = local.services
shared_vpc_service_config = {
attach = local.vpc_setup
host_project = local.vpc_host_project
}
}
module "service-accounts" {
source = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/iam-service-account?ref=v12.0.0"
for_each = var.service_accounts
name = each.key
project_id = module.project.project_id
}
resource "google_compute_subnetwork_iam_binding" "binding" {
for_each = local.vpc_setup ? coalesce(var.vpc.subnets_iam, {}) : {}
project = local.vpc_host_project
subnetwork = "projects/${local.vpc_host_project}/regions/${split("/", each.key)[0]}/subnetworks/${split("/", each.key)[1]}"
region = split("/", each.key)[0]
role = "roles/compute.networkUser"
members = concat(each.value, local.network_user_service_accounts)
}

22
examples/factories/project-factory/outputs.tf Normal file
View File

@@ -0,0 +1,22 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# TODO(): proper outputs
output "project_id" {
description = "Project ID."
value = module.project.project_id
}

148
examples/factories/project-factory/variables.tf Normal file
View File

@@ -0,0 +1,148 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "billing_account_id" {
description = "Billing account id."
type = string
}
variable "billing_alert" {
description = "Billing alert configuration."
type = object({
amount = number
thresholds = object({
current = list(number)
forecasted = list(number)
})
credit_treatment = string
})
default = null
}
variable "defaults" {
description = "Project factory default values."
type = object({
billing_account_id = string
billing_alert = object({
amount = number
thresholds = object({
current = list(number)
forecasted = list(number)
})
credit_treatment = string
})
environment_dns_zone = string
essential_contacts = list(string)
labels = map(string)
notification_channels = list(string)
shared_vpc_self_link = string
vpc_host_project = string
})
}
variable "dns_zones" {
description = "DNS private zones to create as child of var.defaults.environment_dns_zone."
type = list(string)
default = []
}
variable "essential_contacts" {
description = "Email contacts to be used for billing and GCP notifications"
type = list(string)
default = []
}
variable "folder_id" {
description = "Folder ID for the folder where the project will be created."
type = string
}
variable "group_iam" {
description = "Custom IAM settings in group => [role] format."
type = map(list(string))
default = {}
}
variable "iam" {
description = "Custom IAM settings in role => [principal] format."
type = map(list(string))
default = {}
}
variable "kms_service_agents" {
description = "KMS IAM configuration in as service => [key]."
type = map(list(string))
default = {}
}
variable "labels" {
description = "Labels to be assigned at project level."
type = map(string)
default = {}
}
variable "org_policies" {
description = "Org-policy overrides at project level."
type = object({
policy_boolean = map(bool)
policy_list = map(object({
inherit_from_parent = bool
suggested_value = string
status = bool
values = list(string)
}))
})
default = null
}
variable "project_id" {
description = "Project id."
type = string
}
variable "service_accounts" {
description = "Service accounts to be created, and roles to assign them."
type = map(list(string))
default = {}
}
variable "services" {
description = "Services to be enabled for the project."
type = list(string)
default = []
}
variable "services_iam" {
description = "Custom IAM settings for robot ServiceAccounts in service => [role] format."
type = map(list(string))
default = {}
}
variable "vpc" {
description = "VPC configuration for the project."
type = object({
host_project = string
gke_setup = object({
enable_security_admin = bool
enable_host_service_agent = bool
})
subnets_iam = map(list(string))
})
default = null
}