When deleting service account, deprivilege first to remove IAM bindin…

…g before deleting service account. main-file draft draft tmpl draft draft draft
terraform-google-modules · Dec 20, 2019 · f07145f · f07145f
1 parent 09c4a4c
commit f07145f
Show file tree

Hide file tree

Showing 23 changed files with 713 additions and 41 deletions.
diff --git a/Makefile b/Makefile
@@ -89,6 +89,17 @@ docker_generate_docs:
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
 
+# Generate files from autogen
+.PHONY: docker_generate
+docker_generate:
+	docker run --rm -it \
+                -v "$(CURDIR)":/workspace \
+                $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
+                /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate'
+
 # Alias for backwards compatibility
 .PHONY: generate_docs
 generate_docs: docker_generate_docs
+
+.PHONY: generate
+generate: docker_generate
diff --git a/README.md b/README.md
@@ -151,9 +151,9 @@ determining that location is as follows:
 | group\_email | The email of the G Suite group with group_name |
 | project\_bucket\_self\_link | Project's bucket selfLink |
 | project\_bucket\_url | Project's bucket url |
-| project\_id |  |
-| project\_name |  |
-| project\_number |  |
+| project\_id | If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true. |
+| project\_name | The name for the project |
+| project\_number | The number for the project |
 | service\_account\_display\_name | The display name of the default service account |
 | service\_account\_email | The email of the default service account |
 | service\_account\_id | The id of the default service account |

diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl
@@ -0,0 +1,139 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+{{ autogeneration_note }}
+
+{% if gsuite_enabled %}
+locals {
+  group_name = var.group_name != "" ? var.group_name : format("%s-editors", var.name)
+}
+
+/***********************************************
+  Make service account member of sa_group group
+ ***********************************************/
+resource "gsuite_group_member" "service_account_sa_group_member" {
+  count = var.sa_group != "" ? 1 : 0
+
+  group = var.sa_group
+  email = module.project-factory.service_account_email
+  role  = "MEMBER"
+}
+
+/*****************************************
+  G Suite group information retrieval
+ *****************************************/
+{% else %}
+/*****************************************
+  Organization info retrieval
+ *****************************************/
+{% endif %}
+module "gsuite_group" {
+  {% if root_module %}
+  source = "./modules/gsuite_group"
+  {% else %}
+  source = "../gsuite_group"
+  {% endif %}
+
+  domain = var.domain
+  {% if gsuite_enabled %}
+  name   = local.group_name
+  {% else %}
+  name   = var.group_name
+  {% endif %}
+  org_id = var.org_id
+}
+
+{% if gsuite_enabled %}
+/******************************************
+  Gsuite Group Configuration
+ *****************************************/
+resource "gsuite_group" "group" {
+  count = var.create_group ? 1 : 0
+
+  description = "${var.name} project group"
+  email       = module.gsuite_group.email
+  name        = local.group_name
+}
+
+/***********************************************
+  Make APIs service account member of api_sa_group
+ ***********************************************/
+resource "gsuite_group_member" "api_s_account_api_sa_group_member" {
+  count = var.api_sa_group != "" ? 1 : 0
+
+  group = var.api_sa_group
+  email = module.project-factory.api_s_account
+  role  = "MEMBER"
+}
+
+{% endif %}
+module "project-factory" {
+  {% if root_module %}
+  source = "./modules/core_project_factory"
+  {% else %}
+  source = "../core_project_factory"
+  {% endif %}
+
+  {% if gsuite_enabled %}
+  group_email = element(
+    compact(
+      concat(gsuite_group.group.*.email, [module.gsuite_group.email]),
+    ),
+    0,
+  )
+  {% else %}
+  group_email                 = module.gsuite_group.email
+  {% endif %}
+  group_role                  = var.group_role
+  lien                        = var.lien
+  {% if gsuite_enabled %}
+  manage_group                = var.group_name != "" || var.create_group
+  {% else %}
+  manage_group                = var.group_name != "" ? "true" : "false"
+  {% endif %}
+  random_project_id           = var.random_project_id
+  org_id                      = var.org_id
+  name                        = var.name
+  project_id                  = var.project_id
+  shared_vpc                  = var.shared_vpc
+  {% if svpc_module %}
+  shared_vpc_enabled          = true
+  {% elif gsuite_enabled %}
+  shared_vpc_enabled          =  var.shared_vpc_enabled
+  {% elif root_module %}
+  shared_vpc_enabled          = var.shared_vpc != ""
+  {% endif %}
+  billing_account             = var.billing_account
+  folder_id                   = var.folder_id
+  sa_role                     = var.sa_role
+  activate_apis               = var.activate_apis
+  usage_bucket_name           = var.usage_bucket_name
+  usage_bucket_prefix         = var.usage_bucket_prefix
+  credentials_path            = var.credentials_path
+  {% if root_module or gsuite_enabled %}
+  impersonate_service_account = var.impersonate_service_account
+  {% endif %}
+  shared_vpc_subnets          = var.shared_vpc_subnets
+  labels                      = var.labels
+  bucket_project              = var.bucket_project
+  bucket_name                 = var.bucket_name
+  bucket_location             = var.bucket_location
+  auto_create_network         = var.auto_create_network
+  disable_services_on_destroy = var.disable_services_on_destroy
+  default_service_account     = var.default_service_account
+  disable_dependent_services  = var.disable_dependent_services
+  python_interpreter_path     = var.python_interpreter_path
+}
diff --git a/autogen/outputs.tf.tmpl b/autogen/outputs.tf.tmpl
@@ -0,0 +1,89 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+{{ autogeneration_note }}
+
+output "project_name" {
+  description = "The name for the project"
+  value       = module.project-factory.project_name
+}
+
+output "project_id" {
+  description = "If provided, the project uses the given project ID. Mutually exclusive with random_project_id being true."
+  value       = module.project-factory.project_id
+}
+
+output "project_number" {
+  description = "The number for the project"
+  value       = module.project-factory.project_number
+}
+
+output "domain" {
+  value       = module.gsuite_group.domain
+  description = "The organization's domain"
+}
+
+output "group_email" {
+  value       = module.gsuite_group.email
+  {% if gsuite_enabled %}
+  description = "The email of the created G Suite group with group_name"
+  {% else %}
+  description = "The email of the G Suite group with group_name"
+  {% endif %}
+}
+{% if gsuite_enabled %}
+
+output "group_name" {
+  value       = module.gsuite_group.name
+  description = "The group_name of the G Suite group"
+}
+{% endif %}
+
+output "service_account_id" {
+  value       = module.project-factory.service_account_id
+  description = "The id of the default service account"
+}
+
+output "service_account_display_name" {
+  value       = module.project-factory.service_account_display_name
+  description = "The display name of the default service account"
+}
+
+output "service_account_email" {
+  value       = module.project-factory.service_account_email
+  description = "The email of the default service account"
+}
+
+output "service_account_name" {
+  value       = module.project-factory.service_account_name
+  description = "The fully-qualified name of the default service account"
+}
+
+output "service_account_unique_id" {
+  value       = module.project-factory.service_account_unique_id
+  description = "The unique id of the default service account"
+}
+
+output "project_bucket_self_link" {
+  value       = module.project-factory.project_bucket_self_link
+  description = "Project's bucket selfLink"
+}
+
+output "project_bucket_url" {
+  value       = module.project-factory.project_bucket_url
+  description = "Project's bucket url"
+}
+