Add AssuredWorkload support to the folder module (#2390)
* Feat: Add AssuredWorkload support to the folder module * Formatting * Use square brackets to access list items * Docs gen after adding an example to the readme * Reorder variables * Formatting * Reordering outputs, formatting * Remove try where not needed. Add IAM into the AW example and tests * Fix tests * Enable Assured Workloads in E2E tests * Add compliance_regime and partner enum fields validation * Rewording validation message for compliance_regime, partner fields * Sort the list of allowed values alphabetically * Make the organization dependant on testing environment * fix tests * Disable E2E for Assured Workflow example. This example requires Access Transparency enabled on org level, even chosing different regime, we need to have `parent` and `organization` within the same hierarchy, which is not currently the case and requires more rework of the test framework. --------- Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
This commit is contained in:
Aleksandr Averbukh
committed by
GitHub
GitHub
parent
07e519a8b7
commit
85c1b7c156
@@ -5,6 +5,7 @@ This module allows the creation and management of folders, including support for
|
||||
<!-- BEGIN TOC -->
|
||||
- [Basic example with IAM bindings](#basic-example-with-iam-bindings)
|
||||
- [IAM](#iam)
|
||||
- [Assured Workload Folder](#assured-workload-folder)
|
||||
- [Organization policies](#organization-policies)
|
||||
- [Organization Policy Factory](#organization-policy-factory)
|
||||
- [Hierarchical Firewall Policy Attachments](#hierarchical-firewall-policy-attachments)
|
||||
@@ -55,6 +56,37 @@ The authoritative and additive approaches can be used together, provided differe
|
||||
|
||||
Refer to the [project module](../project/README.md#iam) for examples of the IAM interface.
|
||||
|
||||
## Assured Workload Folder
|
||||
|
||||
To create [Assured Workload](https://cloud.google.com/security/products/assured-workloads) folder instead of regular folder.
|
||||
Note that an existing folder can not be converted to an Assured Workload folder, hence `assured_workload_config` is mutually exclusive with `folder_create=false`.
|
||||
|
||||
```hcl
|
||||
module "folder" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = var.folder_id
|
||||
name = "Folder name"
|
||||
|
||||
assured_workload_config = {
|
||||
compliance_regime = "EU_REGIONS_AND_SUPPORT"
|
||||
display_name = "workload-name"
|
||||
location = "europe-west1"
|
||||
organization = var.organization_id
|
||||
enable_sovereign_controls = true
|
||||
}
|
||||
iam = {
|
||||
"roles/owner" = ["serviceAccount:${var.service_account.email}"]
|
||||
}
|
||||
iam_bindings_additive = {
|
||||
am1-storage-admin = {
|
||||
member = "serviceAccount:${var.service_account.email}"
|
||||
role = "roles/storage.admin"
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3 inventory=assured-workload.yaml
|
||||
```
|
||||
|
||||
## Organization policies
|
||||
|
||||
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
||||
@@ -347,7 +379,7 @@ module "folder" {
|
||||
|---|---|---|
|
||||
| [iam.tf](./iam.tf) | IAM bindings. | <code>google_folder_iam_binding</code> · <code>google_folder_iam_member</code> |
|
||||
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_folder_iam_audit_config</code> · <code>google_logging_folder_exclusion</code> · <code>google_logging_folder_settings</code> · <code>google_logging_folder_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_firewall_policy_association</code> · <code>google_essential_contacts_contact</code> · <code>google_folder</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_assured_workloads_workload</code> · <code>google_compute_firewall_policy_association</code> · <code>google_essential_contacts_contact</code> · <code>google_folder</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | <code>google_org_policy_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> |
|
||||
@@ -360,30 +392,32 @@ module "folder" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L24) | Paths to data files and folders that enable factory functionality. | <code title="object({ org_policies = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L33) | Hierarchical firewall policy to associate to this folder. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [folder_create](variables.tf#L42) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [assured_workload_config](variables.tf#L17) | Create AssuredWorkloads folder instead of regular folder when value is provided. Incompatible with folder_create=false. | <code title="object({ compliance_regime = string display_name = string location = string organization = string enable_sovereign_controls = optional(bool) labels = optional(map(string), {}) partner = optional(string) partner_permissions = optional(object({ assured_workloads_monitoring = optional(bool) data_logs_viewer = optional(bool) service_access_approver = optional(bool) })) violation_notifications_enabled = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
| [contacts](variables.tf#L70) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L77) | Paths to data files and folders that enable factory functionality. | <code title="object({ org_policies = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L86) | Hierarchical firewall policy to associate to this folder. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [folder_create](variables.tf#L95) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [iam](variables-iam.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_by_principals](variables-iam.tf#L54) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [id](variables.tf#L48) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
||||
| [id](variables.tf#L101) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
||||
| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | <code title="object({ disable_default_sink = optional(bool) storage_location = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the folder. | <code title="map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L54) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L60) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [parent](variables.tf#L87) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L97) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [name](variables.tf#L107) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L113) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [parent](variables.tf#L140) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L150) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| [folder](outputs.tf#L17) | Folder resource. | |
|
||||
| [id](outputs.tf#L22) | Fully qualified folder id. | |
|
||||
| [name](outputs.tf#L33) | Folder name. | |
|
||||
| [sink_writer_identities](outputs.tf#L38) | Writer identities created for each sink. | |
|
||||
| [assured_workload](outputs.tf#L17) | Assured Workloads workload resource. | |
|
||||
| [folder](outputs.tf#L22) | Folder resource. | |
|
||||
| [id](outputs.tf#L27) | Fully qualified folder id. | |
|
||||
| [name](outputs.tf#L38) | Folder name. | |
|
||||
| [sink_writer_identities](outputs.tf#L47) | Writer identities created for each sink. | |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
@@ -16,14 +16,28 @@
|
||||
|
||||
locals {
|
||||
folder_id = (
|
||||
var.folder_create
|
||||
? try(google_folder.folder[0].id, null)
|
||||
: var.id
|
||||
var.assured_workload_config == null
|
||||
? (
|
||||
var.folder_create
|
||||
? try(google_folder.folder[0].id, null)
|
||||
: var.id
|
||||
)
|
||||
: format("folders/%s", try(google_assured_workloads_workload.folder[0].resources[0].resource_id, ""))
|
||||
)
|
||||
aw_parent = (
|
||||
# Assured Workload only accepls folder as a parent and uses organization as a parent when no value provided.
|
||||
var.parent == null
|
||||
? null
|
||||
: (
|
||||
try(startswith(var.parent, "folders/"))
|
||||
? var.parent
|
||||
: null
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
resource "google_folder" "folder" {
|
||||
count = var.folder_create ? 1 : 0
|
||||
count = var.folder_create && var.assured_workload_config == null ? 1 : 0
|
||||
display_name = var.name
|
||||
parent = var.parent
|
||||
}
|
||||
@@ -48,3 +62,30 @@ resource "google_compute_firewall_policy_association" "default" {
|
||||
name = var.firewall_policy.name
|
||||
firewall_policy = var.firewall_policy.policy
|
||||
}
|
||||
|
||||
resource "google_assured_workloads_workload" "folder" {
|
||||
count = (var.assured_workload_config != null && var.folder_create) ? 1 : 0
|
||||
compliance_regime = var.assured_workload_config.compliance_regime
|
||||
display_name = var.assured_workload_config.display_name
|
||||
location = var.assured_workload_config.location
|
||||
organization = var.assured_workload_config.organization
|
||||
enable_sovereign_controls = var.assured_workload_config.enable_sovereign_controls
|
||||
labels = var.assured_workload_config.labels
|
||||
partner = var.assured_workload_config.partner
|
||||
dynamic "partner_permissions" {
|
||||
for_each = try(var.assured_workload_config.partner_permissions, null) == null ? [] : [""]
|
||||
content {
|
||||
assured_workloads_monitoring = var.assured_workload_config.partner_permissions.assured_workloads_monitoring
|
||||
data_logs_viewer = var.assured_workload_config.partner_permissions.data_logs_viewer
|
||||
service_access_approver = var.assured_workload_config.partner_permissions.service_access_approver
|
||||
}
|
||||
}
|
||||
|
||||
provisioned_resources_parent = local.aw_parent
|
||||
|
||||
resource_settings {
|
||||
display_name = var.name
|
||||
resource_type = "CONSUMER_FOLDER"
|
||||
}
|
||||
violation_notifications_enabled = var.assured_workload_config.violation_notifications_enabled
|
||||
}
|
||||
|
||||
@@ -14,6 +14,11 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
output "assured_workload" {
|
||||
description = "Assured Workloads workload resource."
|
||||
value = try(google_assured_workloads_workload.folder[0], null)
|
||||
}
|
||||
|
||||
output "folder" {
|
||||
description = "Folder resource."
|
||||
value = try(google_folder.folder[0], null)
|
||||
@@ -32,7 +37,11 @@ output "id" {
|
||||
|
||||
output "name" {
|
||||
description = "Folder name."
|
||||
value = try(google_folder.folder[0].display_name, null)
|
||||
value = (
|
||||
var.assured_workload_config == null
|
||||
? try(google_folder.folder[0].display_name, null)
|
||||
: try(google_assured_workloads_workload.folder[0].resource_settings[0].display_name, null)
|
||||
)
|
||||
}
|
||||
|
||||
output "sink_writer_identities" {
|
||||
|
||||
@@ -14,6 +14,59 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "assured_workload_config" {
|
||||
description = "Create AssuredWorkloads folder instead of regular folder when value is provided. Incompatible with folder_create=false."
|
||||
type = object({
|
||||
compliance_regime = string
|
||||
display_name = string
|
||||
location = string
|
||||
organization = string
|
||||
enable_sovereign_controls = optional(bool)
|
||||
labels = optional(map(string), {})
|
||||
partner = optional(string)
|
||||
partner_permissions = optional(object({
|
||||
assured_workloads_monitoring = optional(bool)
|
||||
data_logs_viewer = optional(bool)
|
||||
service_access_approver = optional(bool)
|
||||
}))
|
||||
violation_notifications_enabled = optional(bool)
|
||||
|
||||
})
|
||||
default = null
|
||||
validation {
|
||||
condition = try(contains([
|
||||
"ASSURED_WORKLOADS_FOR_PARTNERS",
|
||||
"AU_REGIONS_AND_US_SUPPORT",
|
||||
"CA_PROTECTED_B, IL5",
|
||||
"CA_REGIONS_AND_SUPPORT",
|
||||
"CJIS",
|
||||
"COMPLIANCE_REGIME_UNSPECIFIED",
|
||||
"EU_REGIONS_AND_SUPPORT",
|
||||
"FEDRAMP_HIGH",
|
||||
"FEDRAMP_MODERATE",
|
||||
"HIPAA, HITRUST",
|
||||
"IL2",
|
||||
"IL4",
|
||||
"ISR_REGIONS_AND_SUPPORT",
|
||||
"ISR_REGIONS",
|
||||
"ITAR",
|
||||
"JP_REGIONS_AND_SUPPORT",
|
||||
"US_REGIONAL_ACCESS"
|
||||
], var.assured_workload_config.compliance_regime), true)
|
||||
error_message = "Field assured_workload_config.compliance_regime must be one of the values listed in https://cloud.google.com/assured-workloads/docs/reference/rest/Shared.Types/ComplianceRegime"
|
||||
}
|
||||
validation {
|
||||
condition = try(contains([
|
||||
"LOCAL_CONTROLS_BY_S3NS",
|
||||
"PARTNER_UNSPECIFIED",
|
||||
"SOVEREIGN_CONTROLS_BY_PSN",
|
||||
"SOVEREIGN_CONTROLS_BY_SIA_MINSAIT",
|
||||
"SOVEREIGN_CONTROLS_BY_T_SYSTEMS"
|
||||
], var.assured_workload_config.partner), true)
|
||||
error_message = "Field assured_workload_config.partner must be one of the values listed in https://cloud.google.com/assured-workloads/docs/reference/rest/Shared.Types/Partner"
|
||||
}
|
||||
}
|
||||
|
||||
variable "contacts" {
|
||||
description = "List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES."
|
||||
type = map(list(string))
|
||||
@@ -99,3 +152,4 @@ variable "tag_bindings" {
|
||||
type = map(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user