// Bootstrap a GCP environment with a host project and remote state
locals {
  // Naming. Every generated identifier is derived from the lower-cased module
  // name plus a random suffix, because project IDs and service-account IDs are
  // globally unique.
  prefix     = "${lower(var.name)}"
  project_id = "${local.prefix}-host-${random_id.random_project_id_suffix.hex}"

  // Baseline APIs enabled on the host project. Caller-supplied APIs
  // (var.activate_apis) are merged in and the combined list is de-duplicated.
  default_services = [
    "admin.googleapis.com",
    "appengine.googleapis.com",
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "compute.googleapis.com",
    "iam.googleapis.com",
    "oslogin.googleapis.com",
    "serviceusage.googleapis.com",
    "storage-api.googleapis.com"
  ]
  nested_services = ["${local.default_services}", "${var.activate_apis}"]
  services        = ["${distinct(flatten(local.nested_services))}"]

  // Where the bootstrap service-account key is written on the machine that runs
  // terraform (see google_service_account_key.main), and the IAM member string
  // used to bind roles to that account.
  sa_credentials_dir    = "~/.config/gcloud/service-accounts"
  bootstrap_credentials = "${local.sa_credentials_dir}/${google_service_account.main.email}.json"
  bootstrap_sa_fmt      = "serviceAccount:${google_service_account.main.email}"

  // Organization-level roles bound to the bootstrap service account
  // (google_organization_iam_member.bootstrap_roles). Review this list against
  // what the account will actually be used for; the comments below mark the
  // entries that are only needed in specific scenarios.
  bootstrap_roles = [
    // Permission to view organization IAM policy. This is needed when the bootstrap
    // account is being used to manage the bootstrap module, because it needs to
    // enumerate the organization policy to see that it has the following roles.
    "roles/browser",

    // Permissions required for the bootstrap service account to manage itself.
    // This is not needed if the bootstrap service account will not be used to run
    // the bootstrap configuration itself.
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.organizationViewer",
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.projectIamAdmin",

    // Normally grant this
    "roles/resourcemanager.folderViewer",

    // But this is used so that the user can stand up folders
    "roles/resourcemanager.folderAdmin",

    "roles/appengine.appViewer",
    "roles/billing.user",
    "roles/compute.xpnAdmin",
    "roles/compute.networkAdmin",

    // Grant the bootstrap account access to manage service accounts and keys.
    // Key administration lets the account mint credentials for other service
    // accounts, so it is among the most sensitive grants in this list.
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
  ]

  // Project-level roles on the host project itself
  // (google_project_iam_member.bootstrap_roles).
  bootstrap_project_roles = [
    "roles/storage.admin",

    // Grant the bootstrap account access to manage APIs on the bootstrap project. The bootstrap
    // project must have a given API activated on it so that service accounts can manage that
    // service on a normal project.
    "roles/serviceusage.serviceUsageAdmin"
  ]
}
// Top-level folder under the organization; the host project
// (google_project.main) is created inside it.
resource "google_folder" "main" {
  parent       = "organizations/${var.organization_id}"
  display_name = "${var.name}"

  // Refuse to destroy the folder through terraform, since the host project and
  // everything below it would go with it.
  lifecycle {
    prevent_destroy = true
  }
}
// Two random bytes (four hex characters) appended to the project ID so it is
// unique in the global project-ID namespace. Changing byte_length would
// generate a new ID and therefore a new project.
resource "random_id" "random_project_id_suffix" {
byte_length = 2
}
// The host project. Its ID is derived from local.project_id and it is billed
// to the caller-supplied billing account.
resource "google_project" "main" {
  name            = "${var.name} Host"
  project_id      = "${local.project_id}"
  folder_id       = "${google_folder.main.name}"
  billing_account = "${var.billing_account}"

  // NOTE(review): auto_create_network is left at its provider default, so the
  // project will come with the default VPC and its default firewall rules.
  // Confirm that is intended for a host project; changing it later forces a
  // new project.
}
// Enables the merged API list (local.services) on the host project.
// google_project_services is authoritative for the project: any API enabled
// outside terraform that is not in local.services will be disabled on the
// next apply, so new APIs must be added via var.activate_apis.
resource "google_project_services" "main" {
project = "${google_project.main.project_id}"
services = "${local.services}"
}
// Suffix for the remote-state bucket name. Two bytes give only four hex
// characters, and bucket names are global across all of GCS, so a name
// collision with a bucket owned by someone else is possible; a longer suffix
// or a local.prefix component would reduce that risk, but changing the name
// replaces the bucket.
resource "random_id" "tf_state_suffix" {
byte_length = 2
}
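// Bucket intended to hold remote Terraform state for the environment.
// Object versioning is enabled so that an earlier state file can be recovered
// after a bad apply or a corrupted write; force_destroy is left at its default
// (false) so terraform will not remove a bucket that still holds state.
resource "google_storage_bucket" "terraform-state" {
  name     = "terraform-state-${random_id.tf_state_suffix.hex}"
  project  = "${google_project.main.project_id}"
  location = "US"

  versioning {
    enabled = true
  }

  // storage-api.googleapis.com (part of local.services) must be enabled on the
  // project before a bucket can be created in it.
  depends_on = ["google_project_services.main"]
}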
// Suffix for the bootstrap service account ID (google_service_account.main).
// Changing byte_length would produce a new account ID and recreate the
// account, invalidating any key written for the old one.
resource "random_id" "bootstrap_sa_suffix" {
byte_length = 2
}
// Service account that receives the organization- and project-level bootstrap
// roles. It lives in the host project; its email is what local.bootstrap_sa_fmt
// and local.bootstrap_credentials are built from.
resource "google_service_account" "main" {
  account_id   = "${local.prefix}-bootstrap-${random_id.bootstrap_sa_suffix.hex}"
  display_name = "${var.name} Bootstrap service account"
  project      = "${google_project.main.project_id}"
}
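// Generates a user-managed key for the bootstrap service account and writes it
// to local.bootstrap_credentials on the machine running terraform.
//
// Two things to keep in mind with this resource:
//   - private_key is an attribute of the resource, so the key material is
//     persisted in Terraform state as well as on disk. The state store (the
//     bucket above, once configured as a backend) needs the same protection as
//     the key file.
//   - The key file is written by a shell redirection, whose mode is governed by
//     the umask. Both provisioners therefore set `umask 077` so neither the
//     directory nor the key file is created group- or world-readable.
resource "google_service_account_key" "main" {
  service_account_id = "${google_service_account.main.name}"

  // Create the credentials directory (and any missing parents) with mode 0700.
  provisioner "local-exec" {
    command = "umask 077 && mkdir -p ${local.sa_credentials_dir}"
  }

  // Decode the base64 key into the credentials file. The key is passed through
  // the environment rather than interpolated into the command line so it does
  // not appear in process listings or provisioner output. Process substitution
  // requires bash, hence the explicit interpreter.
  provisioner "local-exec" {
    command     = "umask 077 && base64 --decode <(echo \"$KEY_B64\") > ${local.bootstrap_credentials}"
    interpreter = ["bash", "-c"]

    environment {
      KEY_B64 = "${google_service_account_key.main.private_key}"
    }
  }
}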
// One organization-level binding per entry in local.bootstrap_roles, all for the
// bootstrap service account. google_organization_iam_member is non-authoritative:
// it adds this member to each role without touching other members of the role.
resource "google_organization_iam_member" "bootstrap_roles" {
  count = "${length(local.bootstrap_roles)}"

  org_id = "${var.organization_id}"
  member = "${local.bootstrap_sa_fmt}"
  role   = "${element(local.bootstrap_roles, count.index)}"
}
// One host-project binding per entry in local.bootstrap_project_roles for the
// bootstrap service account. Like the organization bindings above, this is
// non-authoritative and leaves other members of each role alone.
resource "google_project_iam_member" "bootstrap_roles" {
  count = "${length(local.bootstrap_project_roles)}"

  project = "${google_project.main.project_id}"
  member  = "${local.bootstrap_sa_fmt}"
  role    = "${element(local.bootstrap_project_roles, count.index)}"
}