Tips-Of-Mine/terraform-gcp-projet
Tips-Of-Mine/terraform-gcp-projet
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

test all
Some checks failed
terraform validation / Terraform (push) Failing after 25s
Details

Browse Source
This commit is contained in:
Hubert Cornet 2025-01-23 21:21:48 +01:00
parent 87097c5092
commit 60a58e232c
8 changed files with 760 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
groups.tf Normal file
View File

@ -0,0 +1,54 @@
# In order to create google groups, the calling identity should have at least the
# Group Admin role in Google Admin. More info: https://support.google.com/a/answer/2405986
module "cs-gg-service-i-team-it-prod-svc" {
source = "terraform-google-modules/group/google"
version = "~> 0.6"
id = "service-i-team-it-prod-svc@tips-of-mine.com"
display_name = "service-i-team-it-prod-svc"
customer_id = data.google_organization.org.directory_customer_id
types = [
"default",
"security",
]
}
module "cs-gg-service-i-team-it-nonprod-svc" {
source = "terraform-google-modules/group/google"
version = "~> 0.6"
id = "service-i-team-it-nonprod-svc@tips-of-mine.com"
display_name = "service-i-team-it-nonprod-svc"
customer_id = data.google_organization.org.directory_customer_id
types = [
"default",
"security",
]
}
module "cs-gg-service-i-team-rh-prod-svc" {
source = "terraform-google-modules/group/google"
version = "~> 0.6"
id = "service-i-team-rh-prod-svc@tips-of-mine.com"
display_name = "service-i-team-rh-prod-svc"
customer_id = data.google_organization.org.directory_customer_id
types = [
"default",
"security",
]
}
module "cs-gg-service-i-team-rh-nonprod-svc" {
source = "terraform-google-modules/group/google"
version = "~> 0.6"
id = "service-i-team-rh-nonprod-svc@tips-of-mine.com"
display_name = "service-i-team-rh-nonprod-svc"
customer_id = data.google_organization.org.directory_customer_id
types = [
"default",
"security",
]
}

209
iam.tf Normal file
View File

@ -0,0 +1,209 @@
module "cs-folders-iam-0-computeinstanceAdminv1" {
source = "terraform-google-modules/iam/google//modules/folders_iam"
version = "~> 7.7"
folders = [
local.folder_map["Non-Production"].id,
]
bindings = {
"roles/compute.instanceAdmin.v1" = [
"group:gcp-developers@tips-of-mine.com",
]
}
}
module "cs-folders-iam-0-containeradmin" {
source = "terraform-google-modules/iam/google//modules/folders_iam"
version = "~> 7.7"
folders = [
local.folder_map["Non-Production"].id,
]
bindings = {
"roles/container.admin" = [
"group:gcp-developers@tips-of-mine.com",
]
}
}
module "cs-folders-iam-1-computeinstanceAdminv1" {
source = "terraform-google-modules/iam/google//modules/folders_iam"
version = "~> 7.7"
folders = [
local.folder_map["Development"].id,
]
bindings = {
"roles/compute.instanceAdmin.v1" = [
"group:gcp-developers@tips-of-mine.com",
]
}
}
module "cs-folders-iam-1-containeradmin" {
source = "terraform-google-modules/iam/google//modules/folders_iam"
version = "~> 7.7"
folders = [
local.folder_map["Development"].id,
]
bindings = {
"roles/container.admin" = [
"group:gcp-developers@tips-of-mine.com",
]
}
}
module "cs-projects-iam-2-loggingviewer" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-project-logging-monitoring.project_id,
]
bindings = {
"roles/logging.viewer" = [
"group:gcp-logging-monitoring-viewers@tips-of-mine.com",
]
}
}
module "cs-projects-iam-2-loggingprivateLogViewer" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-project-logging-monitoring.project_id,
]
bindings = {
"roles/logging.privateLogViewer" = [
"group:gcp-logging-monitoring-viewers@tips-of-mine.com",
]
}
}
module "cs-projects-iam-2-bigquerydataViewer" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-project-logging-monitoring.project_id,
]
bindings = {
"roles/bigquery.dataViewer" = [
"group:gcp-logging-monitoring-viewers@tips-of-mine.com",
]
}
}
module "cs-projects-iam-2-pubsubviewer" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-project-logging-monitoring.project_id,
]
bindings = {
"roles/pubsub.viewer" = [
"group:gcp-logging-monitoring-viewers@tips-of-mine.com",
]
}
}
module "cs-projects-iam-2-monitoringviewer" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-project-logging-monitoring.project_id,
]
bindings = {
"roles/monitoring.viewer" = [
"group:gcp-logging-monitoring-viewers@tips-of-mine.com",
]
}
}
module "cs-projects-iam-3-bigquerydataViewer" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-project-logging-monitoring.project_id,
]
bindings = {
"roles/bigquery.dataViewer" = [
"group:gcp-security-admins@tips-of-mine.com",
]
}
}
module "cs-projects-iam-3-pubsubviewer" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-project-logging-monitoring.project_id,
]
bindings = {
"roles/pubsub.viewer" = [
"group:gcp-security-admins@tips-of-mine.com",
]
}
}
module "cs-service-projects-iam-4-computeinstanceAdminv1" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-svc-team-it-prod-svc-xvzz.project_id,
]
bindings = {
"roles/compute.instanceAdmin.v1" = [
"group:${module.cs-gg-service-i-team-it-prod-svc.id}",
]
}
}
module "cs-service-projects-iam-5-computeinstanceAdminv1" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-svc-team-it-nonprod-svc-xvzz.project_id,
]
bindings = {
"roles/compute.instanceAdmin.v1" = [
"group:${module.cs-gg-service-i-team-it-nonprod-svc.id}",
]
}
}
module "cs-service-projects-iam-6-computeinstanceAdminv1" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-svc-team-rh-prod-svc-xvzz.project_id,
]
bindings = {
"roles/compute.instanceAdmin.v1" = [
"group:${module.cs-gg-service-i-team-rh-prod-svc.id}",
]
}
}
module "cs-service-projects-iam-7-computeinstanceAdminv1" {
source = "terraform-google-modules/iam/google//modules/projects_iam"
version = "~> 7.7"
projects = [
module.cs-svc-team-rh-nonprod-svc-xvzz.project_id,
]
bindings = {
"roles/compute.instanceAdmin.v1" = [
"group:${module.cs-gg-service-i-team-rh-nonprod-svc.id}",
]
}
}

27
log-export.tf Normal file
View File

@ -0,0 +1,27 @@
# random suffix to prevent collisions
resource "random_id" "suffix" {
byte_length = 4
}
module "cs-logsink-logbucketsink" {
source = "terraform-google-modules/log-export/google"
version = "~> 8.0"
destination_uri = module.cs-logging-destination.destination_uri
log_sink_name = "${var.org_id}-logbucketsink-${random_id.suffix.hex}"
parent_resource_id = var.org_id
parent_resource_type = "organization"
include_children = true
filter = "logName: /logs/cloudaudit.googleapis.com%2Factivity OR logName: /logs/cloudaudit.googleapis.com%2Fsystem_event OR logName: /logs/cloudaudit.googleapis.com%2Fdata_access OR logName: /logs/cloudaudit.googleapis.com%2Faccess_transparency"
}
module "cs-logging-destination" {
source = "terraform-google-modules/log-export/google//modules/logbucket"
version = "~> 8.0"
project_id = module.cs-project-logging-monitoring.project_id
name = "tips-of-mine-logging"
location = "global"
retention_days = 30
log_sink_writer_identity = module.cs-logsink-logbucketsink.writer_identity
}

12
monitoring.tf Normal file
View File

@ -0,0 +1,12 @@
resource "google_monitoring_monitored_project" "cs-monitored-projects" {
for_each = toset([
module.cs-project-vpc-host-prod.project_id,
module.cs-project-vpc-host-nonprod.project_id,
module.cs-svc-team-it-prod-svc-xvzz.project_id,
module.cs-svc-team-it-nonprod-svc-xvzz.project_id,
module.cs-svc-team-rh-prod-svc-xvzz.project_id,
module.cs-svc-team-rh-nonprod-svc-xvzz.project_id,
])
metrics_scope = "locations/global/metricsScopes/${module.cs-project-logging-monitoring.project_id}"
name = each.value
}

171
network.tf Normal file
View File

@ -0,0 +1,171 @@
# VPC and Subnets
module "cs-vpc-prod-shared" {
source = "terraform-google-modules/network/google"
version = "~> 9.0"
project_id = module.cs-project-vpc-host-prod.project_id
network_name = "vpc-prod-shared"
subnets = [
{
subnet_name = "subnet-prod-1"
subnet_ip = "10.55.55.0/24"
subnet_region = "europe-west1"
subnet_private_access = true
subnet_flow_logs = true
subnet_flow_logs_sampling = "0.5"
subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
subnet_flow_logs_interval = "INTERVAL_10_MIN"
},
{
subnet_name = "subnet-prod-2"
subnet_ip = "10.55.56.0/24"
subnet_region = "europe-west2"
subnet_private_access = true
subnet_flow_logs = true
subnet_flow_logs_sampling = "0.5"
subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
subnet_flow_logs_interval = "INTERVAL_10_MIN"
},
]
firewall_rules = [
{
name = "vpc-prod-shared-allow-icmp"
direction = "INGRESS"
priority = 10000
log_config = {
metadata = "INCLUDE_ALL_METADATA"
}
allow = [
{
protocol = "icmp"
ports = []
}
]
ranges = [
"10.128.0.0/9",
]
},
{
name = "vpc-prod-shared-allow-ssh"
direction = "INGRESS"
priority = 10000
log_config = {
metadata = "INCLUDE_ALL_METADATA"
}
allow = [
{
protocol = "tcp"
ports = ["22"]
}
]
ranges = [
"35.235.240.0/20",
]
},
{
name = "vpc-prod-shared-allow-rdp"
direction = "INGRESS"
priority = 10000
log_config = {
metadata = "INCLUDE_ALL_METADATA"
}
allow = [
{
protocol = "tcp"
ports = ["3389"]
}
]
ranges = [
"35.235.240.0/20",
]
},
]
}
# VPC and Subnets
module "cs-vpc-nonprod-shared" {
source = "terraform-google-modules/network/google"
version = "~> 9.0"
project_id = module.cs-project-vpc-host-nonprod.project_id
network_name = "vpc-nonprod-shared"
subnets = [
{
subnet_name = "subnet-non-prod-1"
subnet_ip = "10.56.55.0/24"
subnet_region = "europe-west1"
subnet_private_access = true
subnet_flow_logs = true
subnet_flow_logs_sampling = "0.5"
subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
subnet_flow_logs_interval = "INTERVAL_10_MIN"
},
{
subnet_name = "subnet-non-prod-2"
subnet_ip = "10.56.56.0/24"
subnet_region = "europe-west2"
subnet_private_access = true
subnet_flow_logs = true
subnet_flow_logs_sampling = "0.5"
subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
subnet_flow_logs_interval = "INTERVAL_10_MIN"
},
]
firewall_rules = [
{
name = "vpc-nonprod-shared-allow-icmp"
direction = "INGRESS"
priority = 10000
log_config = {
metadata = "INCLUDE_ALL_METADATA"
}
allow = [
{
protocol = "icmp"
ports = []
}
]
ranges = [
"10.128.0.0/9",
]
},
{
name = "vpc-nonprod-shared-allow-ssh"
direction = "INGRESS"
priority = 10000
log_config = {
metadata = "INCLUDE_ALL_METADATA"
}
allow = [
{
protocol = "tcp"
ports = ["22"]
}
]
ranges = [
"35.235.240.0/20",
]
},
{
name = "vpc-nonprod-shared-allow-rdp"
direction = "INGRESS"
priority = 10000
log_config = {
metadata = "INCLUDE_ALL_METADATA"
}
allow = [
{
protocol = "tcp"
ports = ["3389"]
}
]
ranges = [
"35.235.240.0/20",
]
},
]
}

199
org-policy.tf Normal file
View File

@ -0,0 +1,199 @@
module "cs-org-policy-storage_publicAccessPrevention" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "storage.publicAccessPrevention"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-compute_requireOsLogin" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "compute.requireOsLogin"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-compute_vmExternalIpAccess" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "compute.vmExternalIpAccess"
policy_type = "list"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-compute_disableNestedVirtualization" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "compute.disableNestedVirtualization"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-compute_disableSerialPortAccess" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "compute.disableSerialPortAccess"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-sql_restrictAuthorizedNetworks" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "sql.restrictAuthorizedNetworks"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-sql_restrictPublicIp" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "sql.restrictPublicIp"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-compute_restrictXpnProjectLienRemoval" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "compute.restrictXpnProjectLienRemoval"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-compute_skipDefaultNetworkCreation" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "compute.skipDefaultNetworkCreation"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}
module "cs-org-policy-compute_disableVpcExternalIpv6" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2"
policy_root = "organization"
policy_root_id = var.org_id
constraint = "compute.disableVpcExternalIpv6"
policy_type = "boolean"
exclude_folders = []
exclude_projects = []
rules = [
{
enforcement = true
allow = []
deny = []
conditions = []
}, ]
}

87
service-projects.tf Normal file
View File

@ -0,0 +1,87 @@
module "cs-svc-team-it-prod-svc-xvzz" {
source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
version = "~> 16.0"
name = "service-i-team-it-prod-svc"
project_id = "team-it-prod-svc-xvzz"
org_id = var.org_id
billing_account = var.billing_account
folder_id = local.folder_map["Production/Service-IT/Team IT"].id
shared_vpc = module.cs-vpc-prod-shared.project_id
shared_vpc_subnets = [
try(module.cs-vpc-prod-shared.subnets["europe-west1/subnet-prod-1"].self_link, ""),
try(module.cs-vpc-prod-shared.subnets["europe-west2/subnet-prod-2"].self_link, ""),
]
domain = data.google_organization.org.domain
group_name = module.cs-gg-service-i-team-it-prod-svc.name
group_role = "roles/viewer"
depends_on = [
module.cs-org-policy-compute_skipDefaultNetworkCreation,
]
}
module "cs-svc-team-it-nonprod-svc-xvzz" {
source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
version = "~> 16.0"
name = "service-i-team-it-nonprod-svc"
project_id = "team-it-nonprod-svc-xvzz"
org_id = var.org_id
billing_account = var.billing_account
folder_id = local.folder_map["Non-Production/Service-IT/Team IT"].id
shared_vpc = module.cs-vpc-nonprod-shared.project_id
shared_vpc_subnets = [
try(module.cs-vpc-nonprod-shared.subnets["europe-west1/subnet-non-prod-1"].self_link, ""),
try(module.cs-vpc-nonprod-shared.subnets["europe-west2/subnet-non-prod-2"].self_link, ""),
]
domain = data.google_organization.org.domain
group_name = module.cs-gg-service-i-team-it-nonprod-svc.name
group_role = "roles/viewer"
depends_on = [
module.cs-org-policy-compute_skipDefaultNetworkCreation,
]
}
module "cs-svc-team-rh-prod-svc-xvzz" {
source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
version = "~> 16.0"
name = "service-i-team-rh-prod-svc"
project_id = "team-rh-prod-svc-xvzz"
org_id = var.org_id
billing_account = var.billing_account
folder_id = local.folder_map["Production/Service-IT/Team RH"].id
shared_vpc = module.cs-project-vpc-host-prod.project_id
domain = data.google_organization.org.domain
group_name = module.cs-gg-service-i-team-rh-prod-svc.name
group_role = "roles/viewer"
depends_on = [
module.cs-org-policy-compute_skipDefaultNetworkCreation,
]
}
module "cs-svc-team-rh-nonprod-svc-xvzz" {
source = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
version = "~> 16.0"
name = "service-i-team-rh-nonprod-svc"
project_id = "team-rh-nonprod-svc-xvzz"
org_id = var.org_id
billing_account = var.billing_account
folder_id = local.folder_map["Non-Production/Service-IT/Team RH"].id
shared_vpc = module.cs-project-vpc-host-nonprod.project_id
domain = data.google_organization.org.domain
group_name = module.cs-gg-service-i-team-rh-nonprod-svc.name
group_role = "roles/viewer"
depends_on = [
module.cs-org-policy-compute_skipDefaultNetworkCreation,
]
}

2
versions.tf
View File

@ -4,7 +4,7 @@ terraform {
required_providers { required_providers {
google = { google = {
source = "hashicorp/google" source = "hashicorp/google"
version = "~> 6.16.0" version = ">= 5.22"
} }
google-beta = { google-beta = {
source = "hashicorp/google-beta" source = "hashicorp/google-beta"