From 840fc86b3e7a0b9f0734d7cb41abca813b84ab40 Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Wed, 1 Feb 2023 08:55:33 +0100
Subject: [PATCH] Fix groups. Fix tests.
---
 .../data-solutions/shielded-folder/README.md | 24 +++++++++----------
 .../data-solutions/shielded-folder/kms.tf | 5 ++--
 .../shielded-folder/log-export.tf | 5 ++++
 .../data-solutions/shielded-folder/main.tf | 3 ++-
 .../shielded-folder/variables.tf | 5 ++--
 .../__init__.py | 0
 .../fixture/main.tf | 0
 .../test_plan.py | 0
 8 files changed, 23 insertions(+), 19 deletions(-)
 rename tests/blueprints/data_solutions/{shielded-folder => shielded_folder}/__init__.py (100%)
 rename tests/blueprints/data_solutions/{shielded-folder => shielded_folder}/fixture/main.tf (100%)
 rename tests/blueprints/data_solutions/{shielded-folder => shielded_folder}/test_plan.py (100%)
diff --git a/blueprints/data-solutions/shielded-folder/README.md b/blueprints/data-solutions/shielded-folder/README.md
index ea53b996b..651c1a55e 100644
--- a/blueprints/data-solutions/shielded-folder/README.md
+++ b/blueprints/data-solutions/shielded-folder/README.md
@@ -39,7 +39,7 @@ This separation into projects allows adhering to the least-privilege principle b
 User groups provide a stable frame of reference that allows decoupling the final set of permissions from the stage where entities and resources are created, and their IAM bindings are defined. We use three groups to control access to resources:
-- `data-engineers`: They handle and run workloads on the `workload` subfolder. They have owner access to all resources in the `workload` folder in order to troubleshoot possible issues with pipelines. This team can also impersonate any service account.
+- `data-engineers`: They handle and run workloads on the `workload` subfolder. They have editor access to all resources in the `workload` folder in order to troubleshoot possible issues within the workload. This team can also impersonate any service account in the workload folder.
 - `data-security`: They handle security configurations for the shielded folder. They have owner access to the `audit-log` and `sec-core` projects.
 ## Encryption
@@ -117,23 +117,23 @@ terraform apply
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [organization](variables.tf#L130) | Organization details. | object({…}) | ✓ | |
-| [prefix](variables.tf#L138) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | |
+| [organization](variables.tf#L129) | Organization details. | object({…}) | ✓ | |
+| [prefix](variables.tf#L137) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | |
 | [access_policy](variables.tf#L17) | Access Policy name, set to null if creating one. | string | | null |
 | [access_policy_create](variables.tf#L23) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | object({…}) | | null |
 | [data_dir](variables.tf#L33) | Relative path for the folder storing configuration data. | string | | "data" |
 | [enable_features](variables.tf#L39) | Flag to enable features on the solution. | object({…}) | | {…} |
 | [folder_create](variables.tf#L52) | Provide values if folder creation is needed, uses existing folder if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | | null |
 | [folder_id](variables.tf#L61) | Folder ID in case you use folder_create=null. | string | | null |
-| [groups](variables.tf#L67) | User groups. | map(string) | | {…} |
-| [kms_keys](variables.tf#L77) | KMS keys to create, keyed by name. | map(object({…})) | | {} |
-| [log_locations](variables.tf#L88) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} |
-| [log_sinks](variables.tf#L105) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} |
-| [projects_create](variables.tf#L148) | Provide values if projects creation is needed, uses existing project if null. Projects will be created in the shielded folder. | object({…}) | | null |
-| [projects_id](variables.tf#L156) | Project id, references existing projects if `projects_create` is null. Projects will be moved into the shielded folder. | object({…}) | | null |
-| [vpc_sc_access_levels](variables.tf#L165) | VPC SC access level definitions. | map(object({…})) | | {} |
-| [vpc_sc_egress_policies](variables.tf#L194) | VPC SC egress policy defnitions. | map(object({…})) | | {} |
-| [vpc_sc_ingress_policies](variables.tf#L214) | VPC SC ingress policy defnitions. | map(object({…})) | | {} |
+| [groups](variables.tf#L67) | User groups. | map(string) | | {…} |
+| [kms_keys](variables.tf#L76) | KMS keys to create, keyed by name. | map(object({…})) | | {} |
+| [log_locations](variables.tf#L87) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} |
+| [log_sinks](variables.tf#L104) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} |
+| [projects_create](variables.tf#L147) | Provide values if projects creation is needed, uses existing project if null. Projects will be created in the shielded folder. | object({…}) | | null |
+| [projects_id](variables.tf#L155) | Project id, references existing projects if `projects_create` is null. Projects will be moved into the shielded folder. | object({…}) | | null |
+| [vpc_sc_access_levels](variables.tf#L164) | VPC SC access level definitions. | map(object({…})) | | {} |
+| [vpc_sc_egress_policies](variables.tf#L193) | VPC SC egress policy defnitions. | map(object({…})) | | {} |
+| [vpc_sc_ingress_policies](variables.tf#L213) | VPC SC ingress policy defnitions. | map(object({…})) | | {} |
 ## Outputs
diff --git a/blueprints/data-solutions/shielded-folder/kms.tf b/blueprints/data-solutions/shielded-folder/kms.tf
index 180e2bfaa..af3a5521e 100644
--- a/blueprints/data-solutions/shielded-folder/kms.tf
+++ b/blueprints/data-solutions/shielded-folder/kms.tf
@@ -64,9 +64,8 @@ module "sec-project" {
 project_create = var.projects_create != null && var.enable_features.encryption
 prefix = var.projects_create == null ? null : var.prefix
 group_iam = {
- (local.groups.data-engineers) = [
- "roles/cloudkms.admin",
- "roles/viewer",
+ (local.groups.workload-security) = [
+ "roles/editor"
 ]
 }
 services = [
diff --git a/blueprints/data-solutions/shielded-folder/log-export.tf b/blueprints/data-solutions/shielded-folder/log-export.tf
index c2139bc3f..5baeecaf9 100644
--- a/blueprints/data-solutions/shielded-folder/log-export.tf
+++ b/blueprints/data-solutions/shielded-folder/log-export.tf
@@ -43,6 +43,11 @@ module "log-export-project" {
 billing_account = try(var.projects_create.billing_account_id, null)
 project_create = var.projects_create != null
 prefix = var.projects_create == null ? null : var.prefix
+ group_iam = {
+ (local.groups.workload-security) = [
+ "roles/editor"
+ ]
+ }
 iam = {
 # "roles/owner" = [module.automation-tf-bootstrap-sa.iam_email]
 }
diff --git a/blueprints/data-solutions/shielded-folder/main.tf b/blueprints/data-solutions/shielded-folder/main.tf
index 4105e7bcb..7aab57574 100644
--- a/blueprints/data-solutions/shielded-folder/main.tf
+++ b/blueprints/data-solutions/shielded-folder/main.tf
@@ -48,8 +48,9 @@ locals {
 for k, v in local.groups : k => "group:${v}"
 }
 group_iam = {
- (local.groups.data-engineers) = [
+ (local.groups.workload-engineers) = [
 "roles/editor",
+ "roles/iam.serviceAccountTokenCreator"
 ]
 }
diff --git a/blueprints/data-solutions/shielded-folder/variables.tf b/blueprints/data-solutions/shielded-folder/variables.tf
index 0e8414d0e..fb58e2cfd 100644
--- a/blueprints/data-solutions/shielded-folder/variables.tf
+++ b/blueprints/data-solutions/shielded-folder/variables.tf
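Review bot: The sec-project binding swaps the key-scoped pair `"roles/cloudkms.admin"` + `"roles/viewer"` for the basic `"roles/editor"` role, which widens what the security group can change on that project from KMS resources to essentially every non-IAM resource it will ever host; the same `"roles/editor"` grant is added to the log-export project in the log-export.tf hunk, where it presumably also covers the audit logging resources that project exists to protect. If the intent is still key operation, keeping `"roles/cloudkms.admin",` and `"roles/viewer",` is the narrower choice, and a logging-scoped role would be the analogous choice for the log-export project. If the broader role is deliberate, a one-line comment above the binding saying why editor is required would save the next reviewer from re-raising this. Both `module` blocks start and end outside their hunks.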
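Review bot: Adding `"roles/iam.serviceAccountTokenCreator"` next to `"roles/editor"` in the `group_iam` local makes the workload-engineers group able to mint tokens for every service account under whichever scope this local is bound to; the binding site is outside the hunk, but the README in this same commit describes it as the workload folder, so any automation or Terraform service account placed in that folder would become impersonable by the group. A short comment on the new element, `# impersonation of every SA in the folder; keep automation SAs outside this scope`, would record that constraint where the grant is made. As a point of style, the existing element ends with a trailing comma while the new one does not; `"roles/iam.serviceAccountTokenCreator",` keeps the list uniform. The `locals` block starts outside the hunk.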
@@ -68,9 +68,8 @@ variable "groups" {
 description = "User groups."
 type = map(string)
 default = {
- #TODO data-analysts = "gcp-data-analysts"
- data-engineers = "gcp-data-engineers"
- data-security = "gcp-data-security"
+ workload-engineers = "gcp-data-engineers"
+ workload-security = "gcp-data-security"
 }
 }
diff --git a/tests/blueprints/data_solutions/shielded-folder/__init__.py b/tests/blueprints/data_solutions/shielded_folder/__init__.py
similarity index 100%
rename from tests/blueprints/data_solutions/shielded-folder/__init__.py
rename to tests/blueprints/data_solutions/shielded_folder/__init__.py
diff --git a/tests/blueprints/data_solutions/shielded-folder/fixture/main.tf b/tests/blueprints/data_solutions/shielded_folder/fixture/main.tf
similarity index 100%
rename from tests/blueprints/data_solutions/shielded-folder/fixture/main.tf
rename to tests/blueprints/data_solutions/shielded_folder/fixture/main.tf
diff --git a/tests/blueprints/data_solutions/shielded-folder/test_plan.py b/tests/blueprints/data_solutions/shielded_folder/test_plan.py
similarity index 100%
rename from tests/blueprints/data_solutions/shielded-folder/test_plan.py
rename to tests/blueprints/data_solutions/shielded_folder/test_plan.py
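Review bot: The renamed keys `workload-engineers` and `workload-security` are read by attribute in main.tf, kms.tf and log-export.tf, but the variable is typed as an open `map(string)` and its description `"User groups."` does not say these two keys are mandatory, so an existing override that still supplies `data-engineers`/`data-security` will now fail at plan time with an unhelpful attribute error. Changing the description to `description = "User groups. The workload-engineers and workload-security keys are required."` makes the contract visible, and a `validation` block checking that both keys are present in `var.groups` would turn the failure into a clear message. The README bullets in this commit's first hunk also still name the groups `data-engineers` and `data-security` and describe the security group as having owner access, which no longer matches either the keys here or the editor grants in kms.tf and log-export.tf. The `variable` block starts outside the hunk.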