locals {
  # Email of the CI/CD service account, resolved from the first entry of
  # var.ci_cd_sa; empty when that account is not created so the consumers
  # below (parent_project_iam, gke_resources) receive "" instead of an error.
  ci_cd_sa_email = var.create_ci_cd_service_account ? module.ci_cd_sa.email[var.ci_cd_sa[0].name] : ""

  # Upper-cased environment suffix appended to GitHub secret names
  # (e.g. "_PROD"); no suffix when no environment name is given.
  secret_suffix = var.env_name != "" ? format("_%s", upper(var.env_name)) : ""

  # Google-managed service agents of this project, derived from its number.
  # These are bound in other modules only when the matching API is enabled.
  pubsub_sa            = format("service-%s@gcp-sa-pubsub.iam.gserviceaccount.com", module.project_factory.project_number)
  binary_auth_sa       = format("service-%s@gcp-sa-binaryauthorization.iam.gserviceaccount.com", module.project_factory.project_number)
  cloud_run_default_sa = format("service-%s@serverless-robot-prod.iam.gserviceaccount.com", module.project_factory.project_number)
}
# Creates the GCP project itself (under the given org/folder, on the given
# billing account), enables its APIs, creates its bucket and attaches it to
# the shared VPC host project.
module "project_factory" {
  source  = "terraform-google-modules/project-factory/google"
  version = "10.1.0" # exact pin so upgrades of a module that manages project IAM are deliberate

  # Placement and billing.
  org_id          = var.org_id
  folder_id       = var.folder_id
  billing_account = var.billing_account

  # Identity, labels and enabled APIs.
  name              = var.name
  random_project_id = var.random_project_id
  labels            = var.labels
  activate_apis     = var.activate_apis

  # Handling of the project's default compute service account.
  # NOTE(review): project-factory accepts delete/deprivilege/disable/keep here;
  # confirm in variables.tf that the default is not "keep".
  default_service_account = var.default_service_account

  # Project bucket. Location is hard-coded to the EU multi-region (no variable
  # for it is visible here) and versioning is on so overwritten or deleted
  # objects remain recoverable.
  bucket_name       = var.bucket_name
  bucket_project    = var.name
  bucket_location   = "EU"
  bucket_versioning = true
  bucket_labels     = var.bucket_labels

  # Shared VPC service-project attachment.
  svpc_host_project_id = var.shared_vpc
  shared_vpc_subnets   = var.shared_vpc_subnets
}
# CI/CD service account(s) described by var.ci_cd_sa, optionally with a
# G Suite group. Its private key is later exported to GitHub (module.github_secret).
module "ci_cd_sa" {
  source = "./modules/services"

  project_id = module.project_factory.project_id
  domain     = var.domain
  env_name   = var.env_name

  # Accounts to create and the switch that gates their creation.
  services               = var.ci_cd_sa
  create_service_account = var.create_ci_cd_service_account

  # Optional group wiring.
  create_service_group = var.create_ci_cd_group
  service_group_name   = var.service_group_name
  clan_gsuite_group    = var.clan_gsuite_group
}
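# Pub/Sub dead-letter-queue handler service account(s) from var.pubsub_dlq_sa.
# Only created in the "prod" environment and only when the CI/CD service
# account is created too (same condition as module.pubsub_custom_external_role).
module "pubsub_dlq_sa" {
  source = "./modules/services"

  project_id = module.project_factory.project_id
  domain     = var.domain
  env_name   = var.env_name

  services = var.pubsub_dlq_sa
  # The conjunction is already a bool; the former `== true ? true : false`
  # wrapping was redundant.
  create_service_account = var.env_name == "prod" && var.create_ci_cd_service_account

  # No group is created for this account.
  create_service_group = false
  service_group_name   = ""
  clan_gsuite_group    = var.clan_gsuite_group
}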
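# Cross-project grant for the DLQ handler: roles/cloudfunctions.invoker in the
# project named by var.pubsub_dlq_sa_project_id, and nothing else. Created under
# the same prod-only condition as module.pubsub_dlq_sa so the binding never
# exists without its principal.
# NOTE(review): the key "pubsub-dlq-handler" presumably matches a service name in
# var.pubsub_dlq_sa — confirm they stay in sync.
module "pubsub_custom_external_role" {
  source = "./modules/external-roles"
  # count must be a number; the redundant `== true` on the bool variable is dropped.
  count = var.env_name == "prod" && var.create_ci_cd_service_account ? 1 : 0

  project_id = module.project_factory.project_id

  # Keep this role list minimal; it is an IAM grant in another project.
  roles_map = {
    "pubsub-dlq-handler" = {
      (var.pubsub_dlq_sa_project_id) = [
        "roles/cloudfunctions.invoker",
      ]
    }
  }

  # The service account and project must exist before the binding is applied.
  sa_depends_on = [
    module.pubsub_dlq_sa.email,
    module.project_factory.project_id,
  ]
}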
# Service account(s) for Cloud Run workloads, described by var.cloudrun_sa,
# with an optional G Suite group.
module "cloudrun_sa" {
  source = "./modules/services"

  project_id = module.project_factory.project_id
  domain     = var.domain
  env_name   = var.env_name

  services               = var.cloudrun_sa
  create_service_account = var.create_cloudrun_service_account

  create_service_group = var.create_cloudrun_group
  service_group_name   = var.service_group_name
  clan_gsuite_group    = var.clan_gsuite_group
}
# Service account(s) used for Secret Manager access, described by
# var.secret_manager_sa, with an optional G Suite group.
module "secret_manager_sa" {
  source = "./modules/services"

  project_id = module.project_factory.project_id
  domain     = var.domain
  env_name   = var.env_name

  services               = var.secret_manager_sa
  create_service_account = var.create_secret_manager_service_account

  create_service_group = var.create_secret_manager_group
  service_group_name   = var.service_group_name
  clan_gsuite_group    = var.clan_gsuite_group
}
# One service account per application service in var.services. Their emails
# are the dependency handle (sa_depends_on) for the IAM, workload-identity and
# GKE modules below.
module "services_sa" {
  source = "./modules/services"

  project_id = module.project_factory.project_id
  domain     = var.domain
  env_name   = var.env_name

  services               = var.services
  create_service_account = var.create_service_sa

  create_service_group = var.create_services_group
  service_group_name   = var.service_group_name
  clan_gsuite_group    = var.clan_gsuite_group
}
# IAM roles granted to the CI/CD service account and the per-service accounts
# in related projects (parent, platform, DNS, GCR) and common roles here.
# NOTE(review): service_account_exists is driven by var.create_service_sa while
# service_account is the CI/CD account gated by var.create_ci_cd_service_account;
# confirm both flags are always toggled together, otherwise "" is passed as the
# principal with exists=true.
module "parent_project_iam" {
  source = "./modules/external-project-iam-roles"

  project_id   = module.project_factory.project_id
  project_type = var.project_type
  env_name     = var.env_name

  service_account_exists = var.create_service_sa
  service_account        = local.ci_cd_sa_email

  services         = var.services
  common_iam_roles = var.common_iam_roles
  sa_depends_on    = module.services_sa.email

  # Target projects and the role lists granted in each.
  parent_project_id        = var.parent_project_id
  parent_project_iam_roles = var.parent_project_iam_roles
  platform_project_id      = var.platform_project_id
  dns_project_id           = var.dns_project_id
  dns_project_iam_roles    = var.dns_project_iam_roles
  gcr_project_id           = var.gcr_project_id
  gcr_project_iam_roles    = var.gcr_project_iam_roles

  # Google service agents, with a flag telling the module whether their API is
  # enabled (presumably so it can skip bindings for absent agents — see module).
  binary_api_enabled    = contains(module.project_factory.enabled_apis, "binaryauthorization.googleapis.com")
  binary_auth_sa        = local.binary_auth_sa
  cloud_run_api_enabled = contains(module.project_factory.enabled_apis, "run.googleapis.com")
  cloud_run_default_sa  = local.cloud_run_default_sa
}
# Operator-supplied cross-project role grants (var.custom_external_roles).
# NOTE(review): this map can name any role in any project; treat changes to
# var.custom_external_roles as IAM changes and review them as such.
module "custom_external_roles" {
  source     = "./modules/external-roles"
  project_id = module.project_factory.project_id
  roles_map  = var.custom_external_roles

  # Every account-producing module is listed so the principals exist before
  # bindings are attempted.
  sa_depends_on = [
    module.ci_cd_sa.email,
    module.cloudrun_sa.email,
    module.secret_manager_sa.email,
    module.services_sa.email,
    module.service_accounts.email,
    module.project_factory.project_id,
  ]
}
# Workload Identity wiring between the per-service accounts of this project
# and the cluster living in the parent project (var.parent_project_id).
module "workload-identity" {
  source = "./modules/workload-identity"

  project_id         = module.project_factory.project_id
  cluster_project_id = var.parent_project_id
  services           = var.services
  sa_depends_on      = module.services_sa.email
}
# Publishes the CI/CD service account's encoded private key to the listed
# GitHub repositories as the secret GCLOUD_AUTH[_<ENV>].
#
# Security notes (review):
#  - secret_value is a long-lived service-account key; it is also present in
#    Terraform state in plaintext, so the state backend must be treated as
#    sensitive. Workload Identity Federation for GitHub Actions would avoid
#    exporting a key at all — worth evaluating.
#  - create_secret is gated by var.create_service_sa, not by
#    var.create_ci_cd_service_account which gates the key's producer. If the
#    two diverge the lookup falls back to "" and the module may write an empty
#    secret — confirm the flags are always set together.
#  - github_token_gcp_project/_secret suggest the GitHub token is fetched from
#    Secret Manager by the module; confirm its scope is limited to these repos.
module "github_secret" {
  source = "./modules/github-secret"

  # GitHub side: token source, organisation and target repositories.
  github_token             = var.github_token
  github_token_gcp_project = var.github_token_gcp_project
  github_token_gcp_secret  = var.github_token_gcp_secret
  github_organization      = var.github_organization
  repositories             = var.repositories

  # Secret to write; "" when the "ci-cd-pipeline" key is absent.
  create_secret = var.create_service_sa
  secret_name   = "GCLOUD_AUTH${local.secret_suffix}"
  secret_value  = try(lookup(module.ci_cd_sa.private_key_encoded, "ci-cd-pipeline", ""), "")
}
# Extra per-user access in this project (var.additional_user_access) and,
# optionally, custom roles. The Pub/Sub service agent is handed over together
# with whether its API is enabled.
# NOTE(review): individual user grants bypass group-based access; keep this
# list short and prefer clan_gsuite_group membership where possible.
module "additional_user_access" {
  source     = "./modules/additional-user-access"
  project_id = module.project_factory.project_id

  domain            = var.domain
  env_name          = var.env_name
  clan_gsuite_group = var.clan_gsuite_group

  additional_user_access = var.additional_user_access
  create_custom_roles    = var.create_custom_roles

  pubsub_sa          = local.pubsub_sa
  pubsub_api_enabled = contains(module.project_factory.enabled_apis, "pubsub.googleapis.com")
}
# Free-form additional service accounts (var.service_accounts), distinct from
# the per-service ones created by module.services_sa.
module "service_accounts" {
  source = "./modules/service-account"

  project_id             = module.project_factory.project_id
  create_service_account = var.create_sa
  service_accounts       = var.service_accounts
}
# Per-service resources on the GKE cluster in the parent project, reached via
# the given API host and CA certificate; the CI/CD account email is passed in.
# NOTE(review): gke_ca_certificate is what pins the cluster endpoint's identity;
# confirm it is sourced from the cluster, not a placeholder.
module "gke_resources" {
  source = "./modules/gke-resources"

  project_id         = module.project_factory.project_id
  cluster_project_id = var.parent_project_id
  project_type       = var.project_type

  # Cluster endpoint.
  gke_host           = var.gke_host
  gke_ca_certificate = var.gke_ca_certificate

  services      = var.services
  cicd_service  = local.ci_cd_sa_email
  sa_depends_on = module.services_sa.email
}
# Pact Broker credentials for this project, referenced by secret name from the
# broker's own project (var.pact_project_id). Only names are passed here — the
# values stay in Secret Manager.
module "pact_broker" {
  source = "./modules/pact-broker"

  project_id      = module.project_factory.project_id
  pact_project_id = var.pact_project_id
  env_name        = var.env_name

  create_pact_secrets    = var.create_pact_secrets
  pactbroker_user_secret = var.pactbroker_user_secret
  pactbroker_pass_secret = var.pactbroker_pass_secret
}
# Slack notification wiring; the webhook/token is referenced by secret name
# in the pipeline project rather than passed as a value.
module "slack_alerts" {
  source = "./modules/slack-notify"

  project_id          = module.project_factory.project_id
  pipeline_project_id = var.pipeline_project_id
  project_type        = var.project_type
  slack_notify_secret = var.slack_notify_secret
}
# Just-in-time access configuration for this project (var.jit_access); its
# creation is switched by var.create_jit_access.
module "jit_access" {
  source = "./modules/jit-access"

  project_id        = module.project_factory.project_id
  create_jit_access = var.create_jit_access
  jit_access        = var.jit_access
}
# Team ("clan") roles granted to the clan G Suite group, as described by
# var.clan_roles. The module name suggests this applies to staging; the
# env_name is passed so the module can decide (not visible here).
module "clan_roles_staging" {
  source = "./modules/clan-roles-staging"

  project_id = module.project_factory.project_id
  env_name   = var.env_name
  domain     = var.domain

  clan_gsuite_group = var.clan_gsuite_group
  clan_roles        = var.clan_roles
}