# GitHub provider used by module.gh_secrets; authenticates as var.gh_owner
# with var.gh_token.  var.gh_token is a credential: its variable declaration
# (not in this file) should carry sensitive = true so the value is redacted
# from plan/apply output — confirm in variables.tf.
provider "github" {
  token = var.gh_token
  owner = var.gh_owner
}
locals {
  # Name of the folder placed directly under the organization; each GitHub
  # owner gets a child folder beneath it (module.folder_gh_owner).
  gcp_root_folder_name = "Github"

  # NOTE(review): not referenced anywhere in this file; confirm it is used in
  # another file of the module, otherwise it can be dropped.
  gcp_project_id_prefix = "gha-wif"

  # CEL condition evaluated against the GitHub OIDC token: only tokens whose
  # `repository` claim equals "<gh_owner>/<gh_repository>" are accepted by the
  # pool.  This pins the repository *name* only, so every workflow, branch and
  # environment in that repository qualifies, and repository names can be
  # re-used after a rename or delete.  Hardening to consider: additionally pin
  # the stable numeric claims `assertion.repository_id` /
  # `assertion.repository_owner_id`, and `assertion.ref` where the deploy
  # branch is fixed.
  gcp_workload_identity_attribute_condition = "assertion.repository=='${var.gh_owner}/${var.gh_repository}'"
}
# Root "Github" folder directly under the organization.  IAM granted on this
# folder is inherited by every owner folder and project created below it.
module "folder_gh" {
  source  = "terraform-google-modules/folders/google"
  version = "~> 4.0.1"

  parent = "organizations/${var.gcp_organization_id}"
  names  = [local.gcp_root_folder_name]
}
# Per-GitHub-owner folder nested under the root "Github" folder; the
# repository's project is created inside it (module.project.folder_id).
module "folder_gh_owner" {
  source  = "terraform-google-modules/folders/google"
  version = "~> 4.0.1"

  parent = module.folder_gh.id
  names  = [var.gh_owner]
}
# One project per GitHub repository, created under the owner's folder with a
# randomized project-id suffix.  The service account this module creates
# (module.project.service_account_email) is the identity the repository's
# GitHub Actions workflows impersonate via Workload Identity Federation (see
# google_service_account_iam_member.workload_identity_iam_binding), so every
# IAM grant to it below is effectively a grant to that repository's CI.
module "project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 14.4.0"

  name              = var.gh_repository
  random_project_id = true
  org_id            = var.gcp_organization_id
  folder_id         = module.folder_gh_owner.id
  billing_account   = var.gcp_billing_account_id

  # Services the project needs enabled for CI-driven IAM, credential
  # exchange, resource management, KMS, billing, state storage and further
  # API enablement.  Order kept as originally declared.
  activate_apis = [
    "iam.googleapis.com",
    "iamcredentials.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "cloudkms.googleapis.com",
    "cloudbilling.googleapis.com",
    "storage.googleapis.com",
    "serviceusage.googleapis.com",
  ]
}
# Terraform remote-state bucket for the repository's project.  State files can
# contain secrets, so the module should enforce object versioning, uniform
# bucket-level access and public-access prevention — confirm in ./modules/bucket.
# `admin` is the workflow's service account; it needs read/write on state
# objects, so check whether the module grants more than that (e.g. deleting
# versions or changing bucket IAM).
module "bucket" {
  source = "./modules/bucket"

  providers = {
    google-beta = google-beta
  }

  project_id     = module.project.project_id
  project_number = module.project.project_number
  name           = var.gcp_tfstate_bucket_name
  location       = var.gcp_location
  storage_class  = "STANDARD"
  admin          = "serviceAccount:${module.project.service_account_email}"
}
# Workload Identity pool and OIDC provider for GitHub Actions in this project.
# Pool and provider names are randomized; `attribute_condition` is the only
# token-level restriction applied here.  Assumed but not visible in this file:
# the provider maps `attribute.repository` from `assertion.repository`, which
# the principalSet binding on the service account relies on — confirm in
# ./modules/workload_identity.
module "workload_identity" {
  source = "./modules/workload_identity"

  project_id           = module.project.project_id
  pool_name            = var.gcp_workload_identity_pool_name
  random_pool_name     = true
  provider_name        = var.gcp_workload_identity_provider_name
  random_provider_name = true
  attribute_condition  = local.gcp_workload_identity_attribute_condition
}
# NOTE(review): this grants roles/owner on the ROOT "Github" folder
# (module.folder_gh), not on this owner's folder.  Folder IAM is inherited, and
# the grantee is the service account that this single repository's workflows
# can impersonate, so any job in that repository becomes Owner of every
# sibling owner's folder and project under "Github".  Least privilege is to
# scope this to module.folder_gh_owner.id — which the next resource already
# does — and drop this binding; the resource name suggests the owner folder
# was the intent.
resource "google_folder_iam_member" "folder_gh_owner" {
  member = "serviceAccount:${module.project.service_account_email}"
  role   = "roles/owner"
  folder = module.folder_gh.id
}
# Owner on this GitHub owner's folder for the workflow service account.  This
# is the expected blast radius for a repository-scoped CI identity.  Because
# roles/owner is a basic role, the separate folderEditor binding on the same
# folder appears redundant.
resource "google_folder_iam_member" "folder_gh_owner_owner" {
  member = "serviceAccount:${module.project.service_account_email}"
  role   = "roles/owner"
  folder = module.folder_gh_owner.id
}
# NOTE(review): folderEditor on the ROOT "Github" folder lets the
# repository's CI identity modify or move every sibling owner's folder, not
# just its own.  Nothing in this file needs that: the project is created under
# module.folder_gh_owner.id.  Consider scoping to module.folder_gh_owner.id or
# removing the binding (Owner is already granted on the owner folder).
resource "google_folder_iam_member" "folder_gh_folder_editor" {
  member = "serviceAccount:${module.project.service_account_email}"
  role   = "roles/resourcemanager.folderEditor"
  folder = module.folder_gh.id
}
# folderEditor on this owner's folder.  The same member already holds
# roles/owner on this folder (google_folder_iam_member.folder_gh_owner_owner),
# so this binding appears redundant; harmless, but it adds noise to IAM
# reviews.
resource "google_folder_iam_member" "folder_gh_owner_folder_editor" {
  member = "serviceAccount:${module.project.service_account_email}"
  role   = "roles/resourcemanager.folderEditor"
  folder = module.folder_gh_owner.id
}
# NOTE(review): projectCreator on the ROOT "Github" folder allows the
# repository's CI identity to create projects under any owner's folder.  The
# project managed here lives under module.folder_gh_owner.id, where Owner is
# already granted, so this cross-owner grant looks unnecessary; scope it to
# module.folder_gh_owner.id or remove it.
resource "google_folder_iam_member" "folder_gh_project_creator" {
  member = "serviceAccount:${module.project.service_account_email}"
  role   = "roles/resourcemanager.projectCreator"
  folder = module.folder_gh.id
}
# Owner on the repository's own project for the workflow service account.
# Owner also allows the account to grant itself or others further IAM; if the
# workflows only deploy resources, a narrower predefined role set would reduce
# the impact of a compromised workflow.
resource "google_project_iam_member" "project" {
  member  = "serviceAccount:${module.project.service_account_email}"
  role    = "roles/owner"
  project = module.project.project_id
}
# billing.user on the shared billing account so the workflow identity can link
# projects it creates to billing.  This is an account-wide grant: the identity
# can attach this billing account to any project it is allowed to manage, so
# budget alerts on the account are a useful compensating control.
resource "google_billing_account_iam_member" "billing_account_iam_binding" {
  member             = "serviceAccount:${module.project.service_account_email}"
  role               = "roles/billing.user"
  billing_account_id = var.gcp_billing_account_id
}
# Allows federated identities from the pool whose mapped `attribute.repository`
# equals "<gh_owner>/<gh_repository>" to impersonate the project service
# account.  This is the trust boundary for everything granted to that account
# above.  The repository filter here matches
# local.gcp_workload_identity_attribute_condition; the principalSet form relies
# on the provider mapping attribute.repository — confirm in
# ./modules/workload_identity.
resource "google_service_account_iam_member" "workload_identity_iam_binding" {
  member             = "principalSet://iam.googleapis.com/${module.workload_identity.pool.name}/attribute.repository/${var.gh_owner}/${var.gh_repository}"
  role               = "roles/iam.workloadIdentityUser"
  service_account_id = module.project.service_account_name
}
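# Publishes the identifiers the GitHub Actions workflow needs (project, folder,
# billing account, state bucket, service account and WIF provider) to the
# repository — presumably as repository secrets/variables via the github
# provider; confirm in ./modules/gh.  None of these values is a credential:
# authentication happens through the OIDC exchange against
# gcp_workload_identity_provider.
module "gh_secrets" {
  source = "./modules/gh"

  gh_repository          = var.gh_repository
  gcp_organization_id    = var.gcp_organization_id
  gcp_folder_id          = module.folder_gh_owner.id
  gcp_billing_account_id = var.gcp_billing_account_id
  gcp_project_id         = module.project.project_id
  # Index directly with the variable; the original wrapped it in a
  # redundant "${...}" interpolation, which yields the identical string.
  gcp_tfstate_bucket_name        = module.bucket.names[var.gcp_tfstate_bucket_name]
  gcp_service_account_email      = module.project.service_account_email
  gcp_workload_identity_provider = module.workload_identity.provider.name
}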