osinfra-io / google-cloud-hierarchy
Infrastructure as Code (IaC) example for Google Cloud Platform Hierarchy.

Home Page: https://www.osinfra.io

License: GNU General Public License v2.0

HCL 100.00%
google-cloud-platform infrastructure-as-code terraform osinfra google-cloud-landing-zone-platform platform-team


google-cloud-hierarchy's Issues

Support for Cloud Identity group memberships

Description

Manage group memberships through Terraform resource: google_cloud_identity_group_membership

Acceptance

  • Group memberships defined as code
  • All roles should be supported
  • Keep code reasonably DRY but not to the extent where code is hard to read for beginners

Implementation Notes

Google has an example here: https://github.com/terraform-google-modules/terraform-google-group/blob/main/main.tf

Terraform documentation: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_identity_group_membership

Additional Context

GitHub actions backend service accounts should be able to manage billing budgets

We want to allow GitHub actions backend service accounts to manage billing budgets. This will allow us to set up a budget in the project module and have the GitHub actions backend service account manage the budget.

Tasks

Rename Testing and Terraform folders for clarity

Description

The testing folder is specific to the Kitchen, and the Terraform folder is for the backend. Clarity around folder names would be good.

Acceptance

  • Kitchen Testing folder
  • Terraform Backend folder

Implementation Notes

Additional Context

Align coding conventions

Description

Let's align the coding conventions here with other repositories.

Acceptance

  • Align coding conventions with other repositories

Implementation Notes

Additional Context

Add or update identity group


Email address:

[email protected]

Identity group name:

platform-registry-readers, platform-registry-writers

Owners:

[email protected]

Managers:

No response

Members:

No response

GKE security groups:

  • Add as a nested group to GKE security groups

Additional comments:

No response

Improve resource name for `resource "google_folder" "environment"`

Description

The resource:

resource "google_folder" "environment" {
  for_each = { for folder in local.environments : "${folder.system}.${folder.environment}" => folder }

  display_name = each.value.environment
  parent       = google_folder.folder_system[each.value.system].name
}

Generates some funky resource names using `"${folder.system}.${folder.environment}"`. What can we do to improve on this?

Acceptance

  • Ideally, we can do something without adding a new value
  • Resource names normalized

Implementation Notes

Example:

  # google_folder.environment["system_2.Non-Production"] will be created
  + resource "google_folder" "environment" {
      + create_time     = (known after apply)
      + display_name    = "Non-Production"
      + folder_id       = (known after apply)
      + id              = (known after apply)
      + lifecycle_state = (known after apply)
      + name            = (known after apply)
      + parent          = (known after apply)
    }

Additional Context

#21 #22
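As an added example (not code from the osinfra-io repository), one way to normalise the for_each key without adding a new attribute to the data. local.environments and google_folder.folder_system are the names used in the issue above; the environments list is constructed here as sample input, and the moved block assumes one pre-existing instance keyed the old way.

```hcl
locals {
  # Constructed sample input with the same shape the issue's for_each iterates over.
  environments = [
    { system = "system_2", environment = "Non-Production" },
    { system = "system_2", environment = "Production" },
  ]

  # Build the map key once, normalised: anything outside [A-Za-z0-9] is
  # collapsed to a single hyphen and the result is lower-cased, so
  # "system_2.Non-Production" becomes "system-2-non-production".
  environment_folders = {
    for folder in local.environments :
    lower(replace("${folder.system}-${folder.environment}", "/[^A-Za-z0-9]+/", "-")) => folder
  }
}

resource "google_folder" "environment" {
  for_each = local.environment_folders

  display_name = each.value.environment
  parent       = google_folder.folder_system[each.value.system].name
}

# Changing a for_each key renames the instance; without a moved block Terraform
# would plan to destroy the old folder and create a new one. One block per
# existing folder (Terraform 1.1+). The old key below is the one from the plan
# output in the issue.
moved {
  from = google_folder.environment["system_2.Non-Production"]
  to   = google_folder.environment["system-2-non-production"]
}
```

The plan then shows `google_folder.environment["system-2-non-production"]` instead of the mixed-case, dotted key, and the parent lookup is unchanged because it still uses the original `system` value rather than the normalised key.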

Group for Terraform backend service accounts

Description

We will need a group for Terraform backend service accounts. For example, each backend service account created will require IAM roles to solve this problem:

Error: Request `Create IAM Members roles/logging.bucketWriter serviceAccount:[email protected] for project "shared-logs01-tf3521-sb"` returned error: Error retrieving IAM policy for project "shared-logs01-tf3521-sb": googleapi: Error 403: The caller does not have permission, forbidden

In this example, we have a service account creating a new project and resource for google_logging_project_sink, which requires project IAM admin in the logging project. This isn't ideal from a security perspective, but I'm not sure there is another way around it if we set up logging buckets this way.

Acceptance

  • Terraform backend service accounts should be able to create the google_logging_project_sink resource

Implementation Notes

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink

Additional Context

Also, note the service account for the terraform backend will need to be a manager in the group.

Support for billing budgets at an organizational and folder level

As part of osinfra-io/terraform-google-project#53, project creators can set project-level budgets. It would be useful if organizational-level and team-level (folder) budgets were also available.

Tasks

Custom IAM role for GKE firewall resources

Suppose you want a GKE cluster in a service project to create and manage the firewall resources in your host project. In that case, the service project's GKE service account must be granted the appropriate IAM permissions. We went with the finer-grained approach.

Create a custom IAM role that includes only the following permissions

Duplicate object key on identity groups when service account name is the same

╷
│ Error: Duplicate object key
│ 
│   on locals.tf line 71, in locals:
│   51:   owners = { for owner in flatten([
│   52:     # This will iterate over the identity_groups map and return a list of maps based of the values of the owners
│   53:     # that includes the group key.
│   54:     for identity_group_key, group in var.identity_groups : [
│   55:       for owner in group.owners : {
│   56:         group = identity_group_key
│   57:         owner = owner
│   58:         # Split Function
│   59:         # https://developer.hashicorp.com/terraform/language/functions/split
│   60:         # This will split the owner string into a list of strings based on the @ symbol.
│   61:         # We do this because the owner string is an email address and we want to use the
│   62:         # the group plus the first part of the email address as resource name key.
│   63:         owner_split = split("@", owner)
│   64:       }
│   65:     ]
│   66:   ]) : "${owner.group}-${owner.owner_split[0]}" => owner }
│     ├────────────────
│     │ owner.group is "backstage"
│     │ owner.owner_split[0] is "plt-backstage-github"
│ 
│ Two different items produced the key "backstage-plt-backstage-github" in this 'for' expression. If duplicates are expected, use the ellipsis (...) after the value expression
│ to enable grouping by key.
╵
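Added example, not the repository's own code, covering both the group-membership request above (google_cloud_identity_group_membership) and this duplicate-key error: it keys memberships on the full address rather than on the local part, so two service accounts that are both named plt-backstage-github in different projects no longer collide. var.identity_groups follows the shape implied by the error output; google_cloud_identity_group.this and the optional() attribute defaults (Terraform 1.3+) are assumptions.

```hcl
variable "identity_groups" {
  # Assumed shape: one entry per group, with owners/managers/members as email lists.
  type = map(object({
    display_name = string
    owners       = list(string)
    managers     = optional(list(string), [])
    members      = optional(list(string), [])
  }))
}

locals {
  # Flatten every group's owners, managers and members into one list of
  # { group, email, role } objects, one object per membership.
  memberships = flatten([
    for group_key, group in var.identity_groups : concat(
      [for e in group.owners : { group = group_key, email = e, role = "OWNER" }],
      [for e in group.managers : { group = group_key, email = e, role = "MANAGER" }],
      [for e in group.members : { group = group_key, email = e, role = "MEMBER" }]
    )
  ])

  # Key on the whole address (with '@' and '.' replaced by '-') rather than on
  # split("@", email)[0]. "backstage" plus "[email protected]"
  # and "backstage" plus "[email protected]" now produce two distinct
  # keys instead of both producing "backstage-plt-backstage-github".
  memberships_by_key = {
    for m in local.memberships :
    "${m.group}-${replace(m.email, "/[@.]/", "-")}" => m
  }
}

resource "google_cloud_identity_group_membership" "this" {
  for_each = local.memberships_by_key

  # google_cloud_identity_group.this is an assumed resource name.
  group = google_cloud_identity_group.this[each.value.group].id

  preferred_member_key {
    id = each.value.email
  }

  # Every membership carries MEMBER; OWNER and MANAGER are added on top of it.
  roles {
    name = "MEMBER"
  }

  dynamic "roles" {
    for_each = each.value.role == "MEMBER" ? [] : [each.value.role]
    content {
      name = roles.value
    }
  }
}
```

The key is still group plus address, so an address listed twice for the same group (for example under both owners and members) would reproduce the duplicate-key error; list each address once per group, and if you do want it in several lists, add the `...` grouping the error message suggests and merge the roles in the resource.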

Add or update custom IAM role


Email address:

[email protected]

Role ID:

container.deployer

Role title:

Kubernetes Engine Deployer

Role description:

Access to deploy Kubernetes resources

Role permissions:

compute.addresses.create compute.addresses.delete compute.addresses.get compute.addresses.list compute.globalAddresses.create compute.globalAddresses.delete compute.globalAddresses.get compute.globalAddresses.list compute.instanceGroupManagers.get container.clusterRoleBindings.delete container.clusterRoleBindings.get container.clusterRoles.delete container.clusters.get container.clusters.list container.customResourceDefinitions.list resourcemanager.projects.get resourcemanager.projects.list

Additional comments:

No response

Add `gke-security-groups` Google Group for Kubernetes RBAC

Cluster Administrators should leverage G Suite Groups and Cloud IAM to assign Kubernetes user roles to a collection of users instead of individual emails using only Cloud IAM.

This is related to: osinfra-io/terraform-google-kubernetes-engine#14

We ultimately need the onboarding code to create and manage nested groups under

Tasks

Documentation:

Support for google_folder_iam_policy at team, service and environment folders

To ensure proper access, teams must assign IAM roles to folders based on cloud identity groups. This allows developers to view and perform console-level activities as needed.

Tasks

Manually added service account to testing sandbox for Shared VPC Admin.

Issue template for custom IAM roles

Add a service interface for creating a custom role.

Tasks
