Changes groups variable to one complex object (GoogleCloudPlatform#85)

* Merged (optional) group variables into one complex variable

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.5
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.7
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

build/int.cloudbuild.yaml

@@ -89,4 +89,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.5'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.7'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.5'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.7'

examples/secure_cloud_run/README.md

@@ -63,6 +63,7 @@ This example assumes that below mentioned pre-requisites are in place before con
 | create\_cloud\_armor\_policies | When `true`, the terraform will create the Cloud Armor policies. When `false`, the user must provide their own Cloud Armor name in `cloud_armor_policies_name`. | `bool` | `true` | no |
 | domain | Domain list to run on the load balancer. Used if `ssl` is `true`. | `list(string)` | n/a | yes |
 | folder\_id | The folder ID to apply the policy to. | `string` | `""` | no |
+| groups | Groups which will have roles assigned.<br>  The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.<br>  The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.<br>  The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.<br>  The Cloud Run User email group which the following roles will be added: Cloud Run Invoker. | <pre>object({<br>    group_serverless_administrator          = optional(string, null)<br>    group_serverless_security_administrator = optional(string, null)<br>    group_cloud_run_developer               = optional(string, null)<br>    group_cloud_run_developer               = optional(string, null)<br>    group_cloud_run_user                    = optional(string, null)<br>  })</pre> | `{}` | no |
 | ip\_cidr\_range | The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | n/a | yes |
 | kms\_project\_id | The project where KMS will be created. | `string` | n/a | yes |
 | organization\_id | The organization ID to apply the policy to. | `string` | `""` | no |

examples/secure_cloud_run/main.tf

@@ -46,10 +46,10 @@ module "secure_cloud_run" {
   create_subnet               = true
   create_cloud_armor_policies = var.create_cloud_armor_policies
   cloud_armor_policies_name   = var.cloud_armor_policies_name
+  groups                      = var.groups
 
   ssl_certificates = {
     generate_certificates_for_domains = var.domain
     ssl_certificates_self_links       = []
   }
-
 }

examples/secure_cloud_run/variables.tf

@@ -90,3 +90,23 @@ variable "cloud_armor_policies_name" {
   description = "Cloud Armor policy name already created in the project. If `create_cloud_armor_policies` is `false`, this variable must be provided, If `create_cloud_armor_policies` is `true`, this variable will be ignored."
   default     = null
 }
+
+variable "groups" {
+  description = <<EOT
+  Groups which will have roles assigned.
+  The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.
+  The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.
+  The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.
+  The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.
+  EOT
+
+  type = object({
+    group_serverless_administrator          = optional(string, null)
+    group_serverless_security_administrator = optional(string, null)
+    group_cloud_run_developer               = optional(string, null)
+    group_cloud_run_developer               = optional(string, null)
+    group_cloud_run_user                    = optional(string, null)
+  })
+
+  default = {}
+}

modules/secure-cloud-run-security/README.md

@@ -59,10 +59,7 @@ module "cloud_run_security" {
 | decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | `list(string)` | `[]` | no |
 | encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no |
 | folder\_id | The folder ID to apply the policy to. | `string` | `""` | no |
-| group\_cloud\_run\_developer | The Cloud Run Developer email group witch the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter. | `string` | `""` | no |
-| group\_cloud\_run\_user | The Cloud Run User email group witch the following roles will be added: Cloud Run Invoker. | `string` | `""` | no |
-| group\_serverless\_administrator | The Serverless Administrators email group witch the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User. | `string` | `""` | no |
-| group\_serverless\_security\_administrator | The Serverless Security Administrators email group witch the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader. | `string` | `""` | no |
+| groups | Groups which will have roles assigned.<br>  The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.<br>  The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.<br>  The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.<br>  The Cloud Run User email group which the following roles will be added: Cloud Run Invoker. | <pre>object({<br>    group_serverless_administrator          = optional(string, null)<br>    group_serverless_security_administrator = optional(string, null)<br>    group_cloud_run_developer               = optional(string, null)<br>    group_cloud_run_developer               = optional(string, null)<br>    group_cloud_run_user                    = optional(string, null)<br>  })</pre> | `{}` | no |
 | key\_name | Key name. | `string` | n/a | yes |
 | key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"] | `string` | `"HSM"` | no |
 | key\_rotation\_period | Period of key rotation in seconds. | `string` | `"2592000s"` | no |

modules/secure-cloud-run-security/iam.tf

@@ -15,10 +15,10 @@
  */
 
 locals {
-  roles_serverless_administrator          = var.group_serverless_administrator == "" ? [] : ["roles/run.admin", "roles/compute.networkViewer", "roles/compute.networkUser"]
-  roles_serverless_security_administrator = var.group_serverless_security_administrator == "" ? [] : ["roles/run.viewer", "roles/cloudkms.viewer", "roles/artifactregistry.reader"]
-  roles_group_cloud_run_developer         = var.group_cloud_run_developer == "" ? [] : ["roles/run.developer", "roles/artifactregistry.writer", "cloudkms.cryptoKeyEncrypter"]
-  roles_group_cloud_run_user              = var.group_cloud_run_user == "" ? [] : ["run.invoker"]
+  roles_serverless_administrator          = var.groups.group_serverless_administrator == null ? [] : ["roles/run.admin", "roles/compute.networkViewer", "roles/compute.networkUser"]
+  roles_serverless_security_administrator = var.groups.group_serverless_security_administrator == null ? [] : ["roles/run.viewer", "roles/cloudkms.viewer", "roles/artifactregistry.reader"]
+  roles_group_cloud_run_developer         = var.groups.group_cloud_run_developer == null ? [] : ["roles/run.developer", "roles/artifactregistry.writer", "cloudkms.cryptoKeyEncrypter"]
+  roles_group_cloud_run_user              = var.groups.group_cloud_run_user == null ? [] : ["run.invoker"]
 }
 
 
@@ -27,15 +27,15 @@ resource "google_project_iam_member" "group_serverless_administrator_run_admin"
 
   project = var.serverless_project_id
   role    = each.value
-  member  = "group:${var.group_serverless_administrator}"
+  member  = "group:${var.groups.group_serverless_administrator}"
 }
 
 resource "google_project_iam_member" "group_serverless_security_administrator_run_viewer" {
   for_each = toset(local.roles_serverless_security_administrator)
 
   project = var.kms_project_id
   role    = each.value
-  member  = "group:${var.group_serverless_security_administrator}"
+  member  = "group:${var.groups.group_serverless_security_administrator}"
 }
 
 
@@ -44,13 +44,13 @@ resource "google_project_iam_member" "group_cloud_run_developer_run_developer" {
 
   project = var.kms_project_id
   role    = each.value
-  member  = "group:${var.group_cloud_run_developer}"
+  member  = "group:${var.groups.group_cloud_run_developer}"
 }
 
 resource "google_project_iam_member" "group_cloud_run_user_run_invoker" {
   for_each = toset(local.roles_group_cloud_run_user)
 
   project = var.serverless_project_id
   role    = each.value
-  member  = "group:${var.group_cloud_run_user}"
+  member  = "group:${var.groups.group_cloud_run_user}"
 }

modules/secure-cloud-run-security/variables.tf

@@ -93,26 +93,22 @@ variable "organization_id" {
   default     = ""
 }
 
-variable "group_serverless_administrator" {
-  description = "The Serverless Administrators email group witch the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User."
-  type        = string
-  default     = ""
-}
-
-variable "group_serverless_security_administrator" {
-  description = "The Serverless Security Administrators email group witch the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader."
-  type        = string
-  default     = ""
-}
-
-variable "group_cloud_run_developer" {
-  description = "The Cloud Run Developer email group witch the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter."
-  type        = string
-  default     = ""
-}
-
-variable "group_cloud_run_user" {
-  description = "The Cloud Run User email group witch the following roles will be added: Cloud Run Invoker."
-  type        = string
-  default     = ""
+variable "groups" {
+  description = <<EOT
+  Groups which will have roles assigned.
+  The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.
+  The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.
+  The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.
+  The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.
+  EOT
+
+  type = object({
+    group_serverless_administrator          = optional(string, null)
+    group_serverless_security_administrator = optional(string, null)
+    group_cloud_run_developer               = optional(string, null)
+    group_cloud_run_developer               = optional(string, null)
+    group_cloud_run_user                    = optional(string, null)
+  })
+
+  default = {}
 }

modules/secure-cloud-run/README.md

@@ -89,10 +89,7 @@ module "secure_cloud_run" {
 | env\_vars | Environment variables (cleartext) | <pre>list(object({<br>    value = string<br>    name  = string<br>  }))</pre> | `[]` | no |
 | folder\_id | The folder ID to apply the policy to. | `string` | `""` | no |
 | grant\_artifact\_register\_reader | When true it will grant permission to read an image from your artifact registry. When true, you must provide `artifact_registry_repository_project_id`, `artifact_registry_repository_location` and `artifact_registry_repository_name`. | `bool` | `false` | no |
-| group\_cloud\_run\_developer | The Cloud Run Developer email group. | `string` | `""` | no |
-| group\_cloud\_run\_user | The Cloud Run User email group. | `string` | `""` | no |
-| group\_serverless\_administrator | The Serverless Administrators email group. | `string` | `""` | no |
-| group\_serverless\_security\_administrator | The Serverless Security Administrators email group. | `string` | `""` | no |
+| groups | Groups which will have roles assigned.<br>  The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.<br>  The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.<br>  The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.<br>  The Cloud Run User email group which the following roles will be added: Cloud Run Invoker. | <pre>object({<br>    group_serverless_administrator          = optional(string, null)<br>    group_serverless_security_administrator = optional(string, null)<br>    group_cloud_run_developer               = optional(string, null)<br>    group_cloud_run_developer               = optional(string, null)<br>    group_cloud_run_user                    = optional(string, null)<br>  })</pre> | `{}` | no |
 | image | Image url to be deployed on Cloud Run. | `string` | n/a | yes |
 | ip\_cidr\_range | The range of internal addresses that are owned by the subnetwork and which is going to be used by VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | n/a | yes |
 | key\_name | The name of KMS Key to be created and used in Cloud Run. | `string` | `"cloud-run-kms-key"` | no |

modules/secure-cloud-run/main.tf

@@ -92,21 +92,18 @@ resource "google_service_account_iam_member" "identity_service_account_user" {
 module "cloud_run_security" {
   source = "../secure-cloud-run-security"
 
-  kms_project_id                          = var.kms_project_id
-  location                                = var.location
-  serverless_project_id                   = var.serverless_project_id
-  prevent_destroy                         = var.prevent_destroy
-  key_name                                = var.key_name
-  keyring_name                            = var.keyring_name
-  key_rotation_period                     = var.key_rotation_period
-  key_protection_level                    = var.key_protection_level
-  policy_for                              = var.policy_for
-  folder_id                               = var.folder_id
-  organization_id                         = var.organization_id
-  group_serverless_administrator          = var.group_serverless_administrator
-  group_serverless_security_administrator = var.group_serverless_security_administrator
-  group_cloud_run_developer               = var.group_cloud_run_developer
-  group_cloud_run_user                    = var.group_cloud_run_user
+  kms_project_id        = var.kms_project_id
+  location              = var.location
+  serverless_project_id = var.serverless_project_id
+  prevent_destroy       = var.prevent_destroy
+  key_name              = var.key_name
+  keyring_name          = var.keyring_name
+  key_rotation_period   = var.key_rotation_period
+  key_protection_level  = var.key_protection_level
+  policy_for            = var.policy_for
+  folder_id             = var.folder_id
+  organization_id       = var.organization_id
+  groups                = var.groups
 
   encrypters = [
     "serviceAccount:${google_project_service_identity.serverless_sa.email}",

modules/secure-cloud-run/variables.tf

@@ -211,6 +211,26 @@ variable "verified_domain_name" {
   default     = []
 }
 
+variable "groups" {
+  description = <<EOT
+  Groups which will have roles assigned.
+  The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.
+  The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.
+  The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.
+  The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.
+  EOT
+
+  type = object({
+    group_serverless_administrator          = optional(string, null)
+    group_serverless_security_administrator = optional(string, null)
+    group_cloud_run_developer               = optional(string, null)
+    group_cloud_run_developer               = optional(string, null)
+    group_cloud_run_user                    = optional(string, null)
+  })
+
+  default = {}
+}
+
 variable "ssl_certificates" {
   type = object({
     ssl_certificates_self_links       = list(string)
@@ -223,27 +243,3 @@ variable "ssl_certificates" {
   }
   description = "A object with a list of domains to auto-generate SSL certificates or a list of SSL Certificates self-links in the pattern `projects/<PROJECT-ID>/global/sslCertificates/<CERT-NAME>` to be used by Load Balancer."
 }
-
-variable "group_serverless_administrator" {
-  description = "The Serverless Administrators email group."
-  type        = string
-  default     = ""
-}
-
-variable "group_serverless_security_administrator" {
-  description = "The Serverless Security Administrators email group."
-  type        = string
-  default     = ""
-}
-
-variable "group_cloud_run_developer" {
-  description = "The Cloud Run Developer email group."
-  type        = string
-  default     = ""
-}
-
-variable "group_cloud_run_user" {
-  description = "The Cloud Run User email group."
-  type        = string
-  default     = ""
-}