init

konpyutaika · Sep 24, 2022 · b846231 · b846231
1 parent f23780b
commit b846231
Show file tree

Hide file tree

Showing 6 changed files with 182 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/CHANGELOG.MD b/CHANGELOG.MD
@@ -0,0 +1 @@
+
diff --git a/README.MD b/README.MD
@@ -0,0 +1,44 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_service_account.project_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_member.sa_iam_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
+| [google_service_account_key.project_service_account_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_bigquery_dataset_bindings"></a> [bigquery\_dataset\_bindings](#input\_bigquery\_dataset\_bindings) | BigQuery dataset iam bindings | `map(map(list(string)))` | `{}` | no |
+| <a name="input_bigquery_table_bindings"></a> [bigquery\_table\_bindings](#input\_bigquery\_table\_bindings) | Bigquery table iam bindings | `map(map(map(list(string))))` | `{}` | no |
+| <a name="input_cloud_storage_bindings"></a> [cloud\_storage\_bindings](#input\_cloud\_storage\_bindings) | GCS iam bindings | `map(map(list(string)))` | `{}` | no |
+| <a name="input_common_custom_roles"></a> [common\_custom\_roles](#input\_common\_custom\_roles) | Map defining the common custom roles | <pre>map(object({<br>                  permissions = list(string)<br>                  role_id = string<br>                  description = string<br>                }))</pre> | n/a | yes |
+| <a name="input_compute_instance_bindings"></a> [compute\_instance\_bindings](#input\_compute\_instance\_bindings) | Instance iam bindings | `map(map(map(list(string))))` | `{}` | no |
+| <a name="input_custom_roles"></a> [custom\_roles](#input\_custom\_roles) | Map defining the custom roles | <pre>map(object({<br>                  permissions = list(string)<br>                  role_id = string<br>                  description = string<br>                }))</pre> | n/a | yes |
+| <a name="input_project_bindings"></a> [project\_bindings](#input\_project\_bindings) | Project iam bindings | `map(list(string))` | `{}` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | project\_id | `string` | n/a | yes |
+| <a name="input_pubsub_subscription_bindings"></a> [pubsub\_subscription\_bindings](#input\_pubsub\_subscription\_bindings) | Pubsub subscription iam bindings | `map(map(list(string)))` | `{}` | no |
+| <a name="input_pubsub_topic_bindings"></a> [pubsub\_topic\_bindings](#input\_pubsub\_topic\_bindings) | Pubsub topic iam bindings | `map(map(list(string)))` | `{}` | no |
+| <a name="input_service_accounts"></a> [service\_accounts](#input\_service\_accounts) | Map of service accounts id -> values | <pre>map(object({<br>                name = string<br>                description = string<br>                vault_path = string<br>                create_key = bool<br>                rotate_key = bool<br>              }))</pre> | `{}` | no |
+| <a name="input_service_accounts_bindings"></a> [service\_accounts\_bindings](#input\_service\_accounts\_bindings) | Service account iam bindings | `map(map(list(string)))` | `{}` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/service-accounts-bindings.tf b/service-accounts-bindings.tf
@@ -0,0 +1,28 @@
+locals {
+  sa_bindings = flatten([
+  for sa_key, sa in var.service_accounts_bindings : [
+  for role_key, members in sa : [
+  for member in members : {
+    service_account = sa_key
+    member = member
+    role = role_key
+  }
+  ]
+  ]
+  ])
+}
+
+resource "google_service_account_iam_member" "sa_iam_binding" {
+  for_each = {
+    for binding in local.sa_bindings : "${binding.service_account}.${binding.member}.${binding.role}" => binding
+  }
+
+  service_account_id = each.value.service_account
+  role = each.value.role
+  member = each.value.member
+
+  depends_on = [
+    google_service_account.project_service_account, # in case bindings refers to service account
+    google_project_iam_custom_role.project_custom_role_map # in case bindings refers to custom roles
+  ]
+}
diff --git a/service-accounts.tf b/service-accounts.tf
@@ -0,0 +1,25 @@
+# DEFAULT TF CONTENT
+#     Create all SA
+#     Create SA Key & Write to Vault -> when management is enabled & rotation is disabled
+
+resource "google_service_account" "project_service_account" {
+  for_each = var.service_accounts
+
+  project = var.project_id
+  account_id = each.key
+  display_name = each.value.name
+  description = each.value.description
+}
+
+resource "google_service_account_key" "project_service_account_key" {
+  for_each = {
+    for _key, _value in var.service_accounts : _key => _value
+    if _value.create_key && !_value.rotate_key
+  }
+
+  service_account_id = google_service_account.project_service_account[each.key].account_id
+}
+
+# INDIVIDUAL RESOURCE FOR SA MANAGED with ROTATION ENABLED :
+
+
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,83 @@
+variable "project_id" {
+  type        = string
+  description = "project_id"
+}
+
+variable "common_custom_roles" {
+  type        = map(object({
+                  permissions = list(string)
+                  role_id = string
+                  description = string
+                }))
+  description = "Map defining the common custom roles"
+}
+
+variable "custom_roles" {
+  type        = map(object({
+                  permissions = list(string)
+                  role_id = string
+                  description = string
+                }))
+  description = "Map defining the custom roles"
+}
+
+variable "project_bindings" {
+  type        = map(list(string))
+  description = "Project iam bindings"
+  default     = {}
+}
+
+variable "service_accounts" {
+  type        = map(object({
+                name = string
+                description = string
+                vault_path = string
+                create_key = bool
+                rotate_key = bool
+              }))
+  description = "Map of service accounts id -> values"
+  default     = {}
+}
+
+variable "service_accounts_bindings" {
+  type        = map(map(list(string)))
+  description = "Service account iam bindings"
+  default     = {}
+}
+
+variable "cloud_storage_bindings" {
+  type        = map(map(list(string)))
+  description = "GCS iam bindings"
+  default     = {}
+}
+
+variable "compute_instance_bindings" {
+  type        = map(map(map(list(string))))
+  description = "Instance iam bindings"
+  default     = {}
+}
+
+variable "pubsub_subscription_bindings" {
+  type        = map(map(list(string)))
+  description = "Pubsub subscription iam bindings"
+  default     = {}
+}
+
+variable "pubsub_topic_bindings" {
+  type        = map(map(list(string)))
+  description = "Pubsub topic iam bindings"
+  default     = {}
+}
+
+variable "bigquery_dataset_bindings" {
+  type        = map(map(list(string)))
+  description = "BigQuery dataset iam bindings"
+  default     = {}
+}
+
+variable "bigquery_table_bindings" {
+  type        = map(map(map(list(string))))
+  description = "Bigquery table iam bindings"
+  default     = {}
+}
+