From 60a58e232c5c54c05385f479398badc5f1a1ac05 Mon Sep 17 00:00:00 2001
From: hcornet
Date: Thu, 23 Jan 2025 21:21:48 +0100
Subject: [PATCH] test all
---
 groups.tf | 54 ++++++++++++
 iam.tf | 209 ++++++++++++++++++++++++++++++++++++++++++++
 log-export.tf | 27 ++++++
 monitoring.tf | 12 +++
 network.tf | 171 ++++++++++++++++++++++++++++++++++++
 org-policy.tf | 199 +++++++++++++++++++++++++++++++++++++++++
 service-projects.tf | 87 ++++++++++++++++++
 versions.tf | 2 +-
 8 files changed, 760 insertions(+), 1 deletion(-)
 create mode 100644 groups.tf
 create mode 100644 iam.tf
 create mode 100644 log-export.tf
 create mode 100644 monitoring.tf
 create mode 100644 network.tf
 create mode 100644 org-policy.tf
 create mode 100644 service-projects.tf
diff --git a/groups.tf b/groups.tf
new file mode 100644
index 0000000..aaef6fc
--- /dev/null
+++ b/groups.tf
@@ -0,0 +1,54 @@
+# In order to create google groups, the calling identity should have at least the
+# Group Admin role in Google Admin. More info: https://support.google.com/a/answer/2405986
+
+module "cs-gg-service-i-team-it-prod-svc" {
+ source = "terraform-google-modules/group/google"
+ version = "~> 0.6"
+
+ id = "service-i-team-it-prod-svc@tips-of-mine.com"
+ display_name = "service-i-team-it-prod-svc"
+ customer_id = data.google_organization.org.directory_customer_id
+ types = [
+ "default",
+ "security",
+ ]
+}
+
+module "cs-gg-service-i-team-it-nonprod-svc" {
+ source = "terraform-google-modules/group/google"
+ version = "~> 0.6"
+
+ id = "service-i-team-it-nonprod-svc@tips-of-mine.com"
+ display_name = "service-i-team-it-nonprod-svc"
+ customer_id = data.google_organization.org.directory_customer_id
+ types = [
+ "default",
+ "security",
+ ]
+}
+
+module "cs-gg-service-i-team-rh-prod-svc" {
+ source = "terraform-google-modules/group/google"
+ version = "~> 0.6"
+
+ id = "service-i-team-rh-prod-svc@tips-of-mine.com"
+ display_name = "service-i-team-rh-prod-svc"
+ customer_id = data.google_organization.org.directory_customer_id
+ types = [
+ "default",
+ "security",
+ ]
+}
+
+module "cs-gg-service-i-team-rh-nonprod-svc" {
+ source = "terraform-google-modules/group/google"
+ version = "~> 0.6"
+
+ id = "service-i-team-rh-nonprod-svc@tips-of-mine.com"
+ display_name = "service-i-team-rh-nonprod-svc"
+ customer_id = data.google_organization.org.directory_customer_id
+ types = [
+ "default",
+ "security",
+ ]
+}
diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..7b9aa72
--- /dev/null
+++ b/iam.tf
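Review bot: The group `id` values hardcode the `tips-of-mine.com` domain in all four module blocks, while service-projects.tf in the same commit derives the domain from `data.google_organization.org.domain`; building the id as `"service-i-team-it-prod-svc@${data.google_organization.org.domain}"` keeps the two sources in agreement. The four blocks differ only in the group name, so one module with `for_each = toset([...])` over the names would remove the duplication and make adding a fifth team a one-line change. No owners or members are declared, so membership is presumably managed elsewhere; a comment such as `# membership is managed in Google Admin, not here` would save the next reader a search.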
@@ -0,0 +1,209 @@
+module "cs-folders-iam-0-computeinstanceAdminv1" {
+ source = "terraform-google-modules/iam/google//modules/folders_iam"
+ version = "~> 7.7"
+
+ folders = [
+ local.folder_map["Non-Production"].id,
+ ]
+ bindings = {
+ "roles/compute.instanceAdmin.v1" = [
+ "group:gcp-developers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-folders-iam-0-containeradmin" {
+ source = "terraform-google-modules/iam/google//modules/folders_iam"
+ version = "~> 7.7"
+
+ folders = [
+ local.folder_map["Non-Production"].id,
+ ]
+ bindings = {
+ "roles/container.admin" = [
+ "group:gcp-developers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-folders-iam-1-computeinstanceAdminv1" {
+ source = "terraform-google-modules/iam/google//modules/folders_iam"
+ version = "~> 7.7"
+
+ folders = [
+ local.folder_map["Development"].id,
+ ]
+ bindings = {
+ "roles/compute.instanceAdmin.v1" = [
+ "group:gcp-developers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-folders-iam-1-containeradmin" {
+ source = "terraform-google-modules/iam/google//modules/folders_iam"
+ version = "~> 7.7"
+
+ folders = [
+ local.folder_map["Development"].id,
+ ]
+ bindings = {
+ "roles/container.admin" = [
+ "group:gcp-developers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-projects-iam-2-loggingviewer" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-project-logging-monitoring.project_id,
+ ]
+ bindings = {
+ "roles/logging.viewer" = [
+ "group:gcp-logging-monitoring-viewers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-projects-iam-2-loggingprivateLogViewer" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-project-logging-monitoring.project_id,
+ ]
+ bindings = {
+ "roles/logging.privateLogViewer" = [
+ "group:gcp-logging-monitoring-viewers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-projects-iam-2-bigquerydataViewer" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-project-logging-monitoring.project_id,
+ ]
+ bindings = {
+ "roles/bigquery.dataViewer" = [
+ "group:gcp-logging-monitoring-viewers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-projects-iam-2-pubsubviewer" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-project-logging-monitoring.project_id,
+ ]
+ bindings = {
+ "roles/pubsub.viewer" = [
+ "group:gcp-logging-monitoring-viewers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-projects-iam-2-monitoringviewer" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-project-logging-monitoring.project_id,
+ ]
+ bindings = {
+ "roles/monitoring.viewer" = [
+ "group:gcp-logging-monitoring-viewers@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-projects-iam-3-bigquerydataViewer" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-project-logging-monitoring.project_id,
+ ]
+ bindings = {
+ "roles/bigquery.dataViewer" = [
+ "group:gcp-security-admins@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-projects-iam-3-pubsubviewer" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-project-logging-monitoring.project_id,
+ ]
+ bindings = {
+ "roles/pubsub.viewer" = [
+ "group:gcp-security-admins@tips-of-mine.com",
+ ]
+ }
+}
+
+module "cs-service-projects-iam-4-computeinstanceAdminv1" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-svc-team-it-prod-svc-xvzz.project_id,
+ ]
+ bindings = {
+ "roles/compute.instanceAdmin.v1" = [
+ "group:${module.cs-gg-service-i-team-it-prod-svc.id}",
+ ]
+ }
+}
+
+module "cs-service-projects-iam-5-computeinstanceAdminv1" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-svc-team-it-nonprod-svc-xvzz.project_id,
+ ]
+ bindings = {
+ "roles/compute.instanceAdmin.v1" = [
+ "group:${module.cs-gg-service-i-team-it-nonprod-svc.id}",
+ ]
+ }
+}
+
+module "cs-service-projects-iam-6-computeinstanceAdminv1" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-svc-team-rh-prod-svc-xvzz.project_id,
+ ]
+ bindings = {
+ "roles/compute.instanceAdmin.v1" = [
+ "group:${module.cs-gg-service-i-team-rh-prod-svc.id}",
+ ]
+ }
+}
+
+module "cs-service-projects-iam-7-computeinstanceAdminv1" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7.7"
+
+ projects = [
+ module.cs-svc-team-rh-nonprod-svc-xvzz.project_id,
+ ]
+ bindings = {
+ "roles/compute.instanceAdmin.v1" = [
+ "group:${module.cs-gg-service-i-team-rh-nonprod-svc.id}",
+ ]
+ }
+}
diff --git a/log-export.tf b/log-export.tf
new file mode 100644
index 0000000..ee09674
--- /dev/null
+++ b/log-export.tf
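Review bot: None of the `folders_iam` / `projects_iam` modules set `mode`, which in this module family defaults to additive, so a role granted by hand on the same folder or project is never reverted by a later apply; if these files are meant to be the source of truth for the listed roles, set `mode = "authoritative"` on the folder bindings and leave a comment where additive is deliberate. `roles/container.admin` and `roles/compute.instanceAdmin.v1` granted at folder level on `Non-Production` and `Development` are inherited by every present and future project in those folders, a wider grant than the per-project bindings used for the service projects further down; a comment such as `# folder-wide: every project under Non-Production inherits these roles` would make that intent explicit. Pairs like `cs-folders-iam-0-computeinstanceAdminv1` and `cs-folders-iam-0-containeradmin` target the same folder and group and could be one module with two keys in `bindings`.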
@@ -0,0 +1,27 @@
+# random suffix to prevent collisions
+resource "random_id" "suffix" {
+ byte_length = 4
+}
+
+module "cs-logsink-logbucketsink" {
+ source = "terraform-google-modules/log-export/google"
+ version = "~> 8.0"
+
+ destination_uri = module.cs-logging-destination.destination_uri
+ log_sink_name = "${var.org_id}-logbucketsink-${random_id.suffix.hex}"
+ parent_resource_id = var.org_id
+ parent_resource_type = "organization"
+ include_children = true
+ filter = "logName: /logs/cloudaudit.googleapis.com%2Factivity OR logName: /logs/cloudaudit.googleapis.com%2Fsystem_event OR logName: /logs/cloudaudit.googleapis.com%2Fdata_access OR logName: /logs/cloudaudit.googleapis.com%2Faccess_transparency"
+}
+
+module "cs-logging-destination" {
+ source = "terraform-google-modules/log-export/google//modules/logbucket"
+ version = "~> 8.0"
+
+ project_id = module.cs-project-logging-monitoring.project_id
+ name = "tips-of-mine-logging"
+ location = "global"
+ retention_days = 30
+ log_sink_writer_identity = module.cs-logsink-logbucketsink.writer_identity
+}
diff --git a/monitoring.tf b/monitoring.tf
new file mode 100644
index 0000000..2e035e7
--- /dev/null
+++ b/monitoring.tf
@@ -0,0 +1,12 @@
+resource "google_monitoring_monitored_project" "cs-monitored-projects" {
+ for_each = toset([
+ module.cs-project-vpc-host-prod.project_id,
+ module.cs-project-vpc-host-nonprod.project_id,
+ module.cs-svc-team-it-prod-svc-xvzz.project_id,
+ module.cs-svc-team-it-nonprod-svc-xvzz.project_id,
+ module.cs-svc-team-rh-prod-svc-xvzz.project_id,
+ module.cs-svc-team-rh-nonprod-svc-xvzz.project_id,
+ ])
+ metrics_scope = "locations/global/metricsScopes/${module.cs-project-logging-monitoring.project_id}"
+ name = each.value
+}
diff --git a/network.tf b/network.tf
new file mode 100644
index 0000000..6e0d2de
--- /dev/null
+++ b/network.tf
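Review bot: `cs-logging-destination` keeps the organization's admin-activity, system-event and data-access audit logs for only `retention_days = 30` and leaves the bucket unlocked, so anyone with logging admin rights on the logging project can shorten the retention or delete the bucket after the fact; audit logs are normally kept far longer (365 days is a common baseline), and the logbucket submodule exposes a `locked` flag that makes the retention immutable — confirm it is present in the pinned `~> 8.0` release, then consider `retention_days = 365` and `locked = true`, with a comment that locking cannot be undone. The `# random suffix to prevent collisions` comment is attached to the sink name only while the bucket `name = "tips-of-mine-logging"` is fixed, so it could read `# random suffix for the sink name only; the bucket name is fixed`. The data-access entries in the `filter` can be high volume, which is worth stating next to the filter since it drives the bucket's cost.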
@@ -0,0 +1,171 @@
+# VPC and Subnets
+module "cs-vpc-prod-shared" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 9.0"
+
+ project_id = module.cs-project-vpc-host-prod.project_id
+ network_name = "vpc-prod-shared"
+
+ subnets = [
+ {
+ subnet_name = "subnet-prod-1"
+ subnet_ip = "10.55.55.0/24"
+ subnet_region = "europe-west1"
+ subnet_private_access = true
+ subnet_flow_logs = true
+ subnet_flow_logs_sampling = "0.5"
+ subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
+ subnet_flow_logs_interval = "INTERVAL_10_MIN"
+ },
+ {
+ subnet_name = "subnet-prod-2"
+ subnet_ip = "10.55.56.0/24"
+ subnet_region = "europe-west2"
+ subnet_private_access = true
+ subnet_flow_logs = true
+ subnet_flow_logs_sampling = "0.5"
+ subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
+ subnet_flow_logs_interval = "INTERVAL_10_MIN"
+ },
+ ]
+
+ firewall_rules = [
+ {
+ name = "vpc-prod-shared-allow-icmp"
+ direction = "INGRESS"
+ priority = 10000
+ log_config = {
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+ allow = [
+ {
+ protocol = "icmp"
+ ports = []
+ }
+ ]
+ ranges = [
+ "10.128.0.0/9",
+ ]
+ },
+ {
+ name = "vpc-prod-shared-allow-ssh"
+ direction = "INGRESS"
+ priority = 10000
+ log_config = {
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+ allow = [
+ {
+ protocol = "tcp"
+ ports = ["22"]
+ }
+ ]
+ ranges = [
+ "35.235.240.0/20",
+ ]
+ },
+ {
+ name = "vpc-prod-shared-allow-rdp"
+ direction = "INGRESS"
+ priority = 10000
+ log_config = {
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+ allow = [
+ {
+ protocol = "tcp"
+ ports = ["3389"]
+ }
+ ]
+ ranges = [
+ "35.235.240.0/20",
+ ]
+ },
+ ]
+}
+
+# VPC and Subnets
+module "cs-vpc-nonprod-shared" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 9.0"
+
+ project_id = module.cs-project-vpc-host-nonprod.project_id
+ network_name = "vpc-nonprod-shared"
+
+ subnets = [
+ {
+ subnet_name = "subnet-non-prod-1"
+ subnet_ip = "10.56.55.0/24"
+ subnet_region = "europe-west1"
+ subnet_private_access = true
+ subnet_flow_logs = true
+ subnet_flow_logs_sampling = "0.5"
+ subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
+ subnet_flow_logs_interval = "INTERVAL_10_MIN"
+ },
+ {
+ subnet_name = "subnet-non-prod-2"
+ subnet_ip = "10.56.56.0/24"
+ subnet_region = "europe-west2"
+ subnet_private_access = true
+ subnet_flow_logs = true
+ subnet_flow_logs_sampling = "0.5"
+ subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
+ subnet_flow_logs_interval = "INTERVAL_10_MIN"
+ },
+ ]
+
+ firewall_rules = [
+ {
+ name = "vpc-nonprod-shared-allow-icmp"
+ direction = "INGRESS"
+ priority = 10000
+ log_config = {
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+ allow = [
+ {
+ protocol = "icmp"
+ ports = []
+ }
+ ]
+ ranges = [
+ "10.128.0.0/9",
+ ]
+ },
+ {
+ name = "vpc-nonprod-shared-allow-ssh"
+ direction = "INGRESS"
+ priority = 10000
+ log_config = {
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+ allow = [
+ {
+ protocol = "tcp"
+ ports = ["22"]
+ }
+ ]
+ ranges = [
+ "35.235.240.0/20",
+ ]
+ },
+ {
+ name = "vpc-nonprod-shared-allow-rdp"
+ direction = "INGRESS"
+ priority = 10000
+ log_config = {
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+ allow = [
+ {
+ protocol = "tcp"
+ ports = ["3389"]
+ }
+ ]
+ ranges = [
+ "35.235.240.0/20",
+ ]
+ },
+ ]
+}
diff --git a/org-policy.tf b/org-policy.tf
new file mode 100644
index 0000000..45bcb51
--- /dev/null
+++ b/org-policy.tf
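Review bot: The `vpc-prod-shared-allow-icmp` rule (and its nonprod twin) allows ICMP from `10.128.0.0/9`, which does not contain any subnet this file defines — `10.55.55.0/24`, `10.55.56.0/24`, `10.56.55.0/24` and `10.56.56.0/24` all fall outside that range; `10.128.0.0/9` is the auto-mode subnet range, so this looks like a carried-over default, and `ranges` should either list the subnets declared here or carry a comment explaining why the auto-mode range is wanted. The SSH and RDP rules correctly restrict sources to the IAP TCP-forwarding range `35.235.240.0/20`, but with no target tags or target service accounts they apply to every instance in the network; adding `target_tags = ["allow-iap-ssh"]` (and a matching tag for RDP) limits 22/3389 exposure to instances that opt in. The `# VPC and Subnets` heading is repeated verbatim above both modules; the second could say `# Non-production shared VPC` so the two blocks are distinguishable at a glance.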
@@ -0,0 +1,199 @@
+module "cs-org-policy-storage_publicAccessPrevention" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "storage.publicAccessPrevention"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-compute_requireOsLogin" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "compute.requireOsLogin"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-compute_vmExternalIpAccess" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "compute.vmExternalIpAccess"
+ policy_type = "list"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-compute_disableNestedVirtualization" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "compute.disableNestedVirtualization"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-compute_disableSerialPortAccess" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "compute.disableSerialPortAccess"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-sql_restrictAuthorizedNetworks" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "sql.restrictAuthorizedNetworks"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-sql_restrictPublicIp" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "sql.restrictPublicIp"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-compute_restrictXpnProjectLienRemoval" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "compute.restrictXpnProjectLienRemoval"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-compute_skipDefaultNetworkCreation" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "compute.skipDefaultNetworkCreation"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
+
+module "cs-org-policy-compute_disableVpcExternalIpv6" {
+ source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+ version = "~> 5.2"
+
+ policy_root = "organization"
+ policy_root_id = var.org_id
+ constraint = "compute.disableVpcExternalIpv6"
+ policy_type = "boolean"
+ exclude_folders = []
+ exclude_projects = []
+
+ rules = [
+ {
+ enforcement = true
+ allow = []
+ deny = []
+ conditions = []
+ }, ]
+}
diff --git a/service-projects.tf b/service-projects.tf
new file mode 100644
index 0000000..20d4868
--- /dev/null
+++ b/service-projects.tf
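Review bot: `cs-org-policy-compute_vmExternalIpAccess` is the only `list` constraint here and is given `enforcement = true` with empty `allow` and `deny`; for list policies the module translates this shape into one of the provider's allow-all/deny-all forms, and which one it picks is not visible from this file, so check the `terraform plan` output renders a deny-all rule (no external IPs anywhere) rather than a no-op or an allow-all, and record the intent inline, e.g. `# list constraint: empty allow/deny with enforcement = deny all external IPs`. The set covers storage, compute and SQL but no IAM constraints; `iam.disableServiceAccountKeyCreation` and `iam.automaticIamGrantsForDefaultServiceAccounts` are the usual companions to `compute.requireOsLogin` and `compute.vmExternalIpAccess`, and are worth considering given the `compute.instanceAdmin.v1` grants in iam.tf. The ten module blocks are identical apart from `constraint` and `policy_type`, so a single module with `for_each` over a map of constraint name to type would keep the enforced list readable in one place.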
@@ -0,0 +1,87 @@
+module "cs-svc-team-it-prod-svc-xvzz" {
+ source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
+ version = "~> 16.0"
+
+ name = "service-i-team-it-prod-svc"
+ project_id = "team-it-prod-svc-xvzz"
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = local.folder_map["Production/Service-IT/Team IT"].id
+
+ shared_vpc = module.cs-vpc-prod-shared.project_id
+ shared_vpc_subnets = [
+ try(module.cs-vpc-prod-shared.subnets["europe-west1/subnet-prod-1"].self_link, ""),
+ try(module.cs-vpc-prod-shared.subnets["europe-west2/subnet-prod-2"].self_link, ""),
+ ]
+
+ domain = data.google_organization.org.domain
+ group_name = module.cs-gg-service-i-team-it-prod-svc.name
+ group_role = "roles/viewer"
+ depends_on = [
+ module.cs-org-policy-compute_skipDefaultNetworkCreation,
+ ]
+}
+
+module "cs-svc-team-it-nonprod-svc-xvzz" {
+ source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
+ version = "~> 16.0"
+
+ name = "service-i-team-it-nonprod-svc"
+ project_id = "team-it-nonprod-svc-xvzz"
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = local.folder_map["Non-Production/Service-IT/Team IT"].id
+
+ shared_vpc = module.cs-vpc-nonprod-shared.project_id
+ shared_vpc_subnets = [
+ try(module.cs-vpc-nonprod-shared.subnets["europe-west1/subnet-non-prod-1"].self_link, ""),
+ try(module.cs-vpc-nonprod-shared.subnets["europe-west2/subnet-non-prod-2"].self_link, ""),
+ ]
+
+ domain = data.google_organization.org.domain
+ group_name = module.cs-gg-service-i-team-it-nonprod-svc.name
+ group_role = "roles/viewer"
+ depends_on = [
+ module.cs-org-policy-compute_skipDefaultNetworkCreation,
+ ]
+}
+
+module "cs-svc-team-rh-prod-svc-xvzz" {
+ source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
+ version = "~> 16.0"
+
+ name = "service-i-team-rh-prod-svc"
+ project_id = "team-rh-prod-svc-xvzz"
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = local.folder_map["Production/Service-IT/Team RH"].id
+
+ shared_vpc = module.cs-project-vpc-host-prod.project_id
+
+ domain = data.google_organization.org.domain
+ group_name = module.cs-gg-service-i-team-rh-prod-svc.name
+ group_role = "roles/viewer"
+ depends_on = [
+ module.cs-org-policy-compute_skipDefaultNetworkCreation,
+ ]
+}
+
+module "cs-svc-team-rh-nonprod-svc-xvzz" {
+ source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
+ version = "~> 16.0"
+
+ name = "service-i-team-rh-nonprod-svc"
+ project_id = "team-rh-nonprod-svc-xvzz"
+ org_id = var.org_id
+ billing_account = var.billing_account
+ folder_id = local.folder_map["Non-Production/Service-IT/Team RH"].id
+
+ shared_vpc = module.cs-project-vpc-host-nonprod.project_id
+
+ domain = data.google_organization.org.domain
+ group_name = module.cs-gg-service-i-team-rh-nonprod-svc.name
+ group_role = "roles/viewer"
+ depends_on = [
+ module.cs-org-policy-compute_skipDefaultNetworkCreation,
+ ]
+}
diff --git a/versions.tf b/versions.tf
index 70a4e41..e8bd277 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 6.16.0"
+ version = ">= 5.22"
 }
 google-beta = {
 source = "hashicorp/google-beta"
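Review bot: The two RH projects set `shared_vpc = module.cs-project-vpc-host-prod.project_id` / `...-nonprod.project_id` and omit `shared_vpc_subnets`, while the IT projects reference `module.cs-vpc-prod-shared.project_id` and list their subnets; if the RH teams are meant to use the same subnets, the omission presumably means no subnet-level network-user grant is made for them, and if it is deliberate a comment such as `# RH: attached to the host VPC only, no subnet access granted yet` should say so. The `try(..., "")` wrappers on `shared_vpc_subnets` turn a mistyped subnet key (which must match the network module's `region/subnet_name` output form) into an empty string instead of a plan-time error, so a wrong key silently yields a project with no usable subnet; dropping the `try()` so a bad key fails fast is the safer default. `cs-svc-team-rh-prod-svc-xvzz` starts on the previous chunk line, and the `local.folder_map` paths such as `Production/Service-IT/Team RH` are defined outside this patch.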
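Review bot: Replacing `version = "~> 6.16.0"` with `version = ">= 5.22"` for the google provider removes the upper bound, so the next `terraform init -upgrade` will accept a future major release with breaking changes, and the constraint also admits a downgrade across the 5.x/6.x major boundary that the pinned module versions in this commit may not have been tested against. A bounded form such as `version = ">= 5.22, < 7"` keeps the flexibility the change appears to want without the open end. The enclosing `terraform` block starts before this hunk.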