diff --git a/experimental/cloudbuild/cloudbuild.yaml b/experimental/cloudbuild/cloudbuild.yaml
index 2796a505..eb6ea308 100644
--- a/experimental/cloudbuild/cloudbuild.yaml
+++ b/experimental/cloudbuild/cloudbuild.yaml
@@ -45,14 +45,16 @@ steps:
 echo "bigquery_region = \"${_FOURKEYS_BIGQUERY_REGION}\"" >> environment.auto.tfvars
 echo "cloud_build_branch = \"${_FOURKEYS_CLOUD_BUILD_BRANCH}\"" >> environment.auto.tfvars
+ echo "google_domain_mapping_region = \"${_FOURKEYS_DOMAIN_MAPPING_REGION}\"" >> environment.auto.tfvars
+ echo "google_gcr_domain = \"${_FOURKEYS_GCR_DOMAIN}\"" >> environment.auto.tfvars
 echo "google_project_id = \"${PROJECT_ID}\"" >> environment.auto.tfvars
 echo "google_region = \"${_FOURKEYS_REGION}\"" >> environment.auto.tfvars
- echo "google_gcr_domain = \"${_FOURKEYS_GCR_DOMAIN}\"" >> environment.auto.tfvars
- echo "google_domain_mapping_region = \"${_FOURKEYS_DOMAIN_MAPPING_REGION}\"" >> environment.auto.tfvars
+ echo "looker_service_account = ${_FOURKEYS_LOOKER_SERVICE_ACCOUNT}" >> environment.auto.tfvars
 echo "mapped_domain = \"${_FOURKEYS_MAPPED_DOMAIN}\"" >> environment.auto.tfvars
- echo "parsers = [ ${_FOURKEYS_PARSERS} ]" >> environment.auto.tfvars
 echo "owner = \"${_FOURKEYS_OWNER}\"" >> environment.auto.tfvars
+ echo "parsers = [ ${_FOURKEYS_PARSERS} ]" >> environment.auto.tfvars
 echo "repository = \"$REPO_NAME\"" >> environment.auto.tfvars
+ echo "service_account_keys_policy_override = ${_FOURKEYS_SERVICE_ACCOUNT_KEYS}" >> environment.auto.tfvars
 terraform init
 else
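Review bot: The two new boolean lines write the substitution into environment.auto.tfvars unquoted (`looker_service_account = ${_FOURKEYS_LOOKER_SERVICE_ACCOUNT}` and the `service_account_keys_policy_override` line), unlike every other line in this block, so an empty or non-literal substitution (`''`, `yes`, a stray quote) produces a tfvars parse error at `terraform init` rather than a clear type error. Since both Terraform variables are declared `type = bool` and Terraform converts the strings "true"/"false" to bool, the safer and consistent form is to quote them like the neighbours: `echo "looker_service_account = \"${_FOURKEYS_LOOKER_SERVICE_ACCOUNT}\"" >> environment.auto.tfvars` and likewise `echo "service_account_keys_policy_override = \"${_FOURKEYS_SERVICE_ACCOUNT_KEYS}\"" >> environment.auto.tfvars`. The shell script this runs in starts and ends outside the hunk, so I cannot see whether the values are validated earlier in the step.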
@@ -125,11 +127,13 @@ options:
 substitutions:
 _FOURKEYS_BIGQUERY_REGION: 'US'
 _FOURKEYS_CLOUD_BUILD_BRANCH: 'main'
+ _FOURKEYS_DOMAIN_MAPPING_REGION: 'us-central1'
 _FOURKEYS_GCR_DOMAIN: 'gcr.io'
+ _FOURKEYS_LOOKER_SERVICE_ACCOUNT: 'true'
+ _FOURKEYS_MAPPED_DOMAIN: ''
 _FOURKEYS_OWNER: 'GoogleCloudPlatform'
 _FOURKEYS_PARSERS: '\"cloud-build\", \"github\", \"gitlab\", \"tekton\"'
 _FOURKEYS_PROVISION_BRANCH: 'main'
 _FOURKEYS_REGION: 'us-central1'
- _FOURKEYS_DOMAIN_MAPPING_REGION: 'us-central1'
- _FOURKEYS_MAPPED_DOMAIN: ''
+ _FOURKEYS_SERVICE_ACCOUNT_KEYS: 'true'
 timeout: 3600s # Same as token now, i.e. 1hr.
diff --git a/experimental/terraform/outputs.tf b/experimental/terraform/outputs.tf
index c1eeb4b1..86976079 100644
--- a/experimental/terraform/outputs.tf
+++ b/experimental/terraform/outputs.tf
@@ -22,3 +22,7 @@ output "event_handler_secret" {
 value = google_secret_manager_secret_version.event_handler.secret_data
 sensitive = true
 }
+
+output "looker_service_account_email" {
+ value = try(module.service_account_for_looker[0].email, null)
+}
diff --git a/experimental/terraform/resource_looker.tf b/experimental/terraform/resource_looker.tf
new file mode 100644
index 00000000..5dc88995
--- /dev/null
+++ b/experimental/terraform/resource_looker.tf
@@ -0,0 +1,26 @@
+module "service_account_for_looker" {
+ source = "terraform-google-modules/service-accounts/google"
+ version = "~> 3.0"
+ count = var.looker_service_account ? 1 : 0
+
+ display_name = "Looker"
+ description = "Looker accessor account (managed by Terraform)"
+ project_id = var.google_project_id
+ names = ["looker"]
+ project_roles = [
+ "${var.google_project_id}=>roles/bigquery.user",
+ ]
+}
+
+resource "google_project_organization_policy" "service_account_keys_policy" {
+ count = var.service_account_keys_policy_override ? 1 : 0
+
+ project = var.google_project_id
+ constraint = "iam.disableServiceAccountKeyCreation"
+
+ list_policy {
+ allow {
+ all = false
+ }
+ }
+}
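Review bot: `_FOURKEYS_SERVICE_ACCOUNT_KEYS: 'true'` turns the organisation-policy override on for every build by default, while the Terraform variable it feeds (`service_account_keys_policy_override` in variables.tf) defaults to `false`; the two defaults disagree, and the Cloud Build one is the one that relaxes the `iam.disableServiceAccountKeyCreation` guardrail on the project without an explicit opt-in. Suggest `_FOURKEYS_SERVICE_ACCOUNT_KEYS: 'false'` so that lifting the key-creation constraint requires a deliberate substitution at trigger time, and the same consideration for `_FOURKEYS_LOOKER_SERVICE_ACCOUNT` if the Looker account is meant to be optional. A short comment above each would also help operators, e.g. `# Only 'true' or 'false' is accepted; 'true' disables the SA key-creation org policy for this project.`, since the substitutions are written into environment.auto.tfvars as bare values in the earlier hunk of this file.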
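Review bot: `iam.disableServiceAccountKeyCreation` is a boolean constraint, but `google_project_organization_policy.service_account_keys_policy` configures it with `list_policy { allow { all = false } }`, which is the shape for list constraints; the Org Policy API does not accept a list policy for a boolean constraint, so as written the override either fails to apply or does not turn enforcement off, and the variable name promises something the resource cannot deliver. Replace the whole `list_policy` block with `boolean_policy { enforced = false }`. The resource also deserves a comment making the blast radius explicit, e.g. `# Disables the org-level SA key-creation restriction for the entire project, not only the Looker account.`, because that is the security trade-off a reader of `service_account_keys_policy_override = true` needs to see. On the module, `roles/bigquery.user` bound at project level lets the account run jobs and create datasets anywhere in the project; if Looker only needs to read the Four Keys datasets, a dataset-scoped viewer grant would be tighter — presumably the project-wide role was deliberate, so confirm and note it in the module's `description`.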
diff --git a/experimental/terraform/variables.tf b/experimental/terraform/variables.tf
index 7f1b3e27..01bb75d2 100644
--- a/experimental/terraform/variables.tf
+++ b/experimental/terraform/variables.tf
@@ -65,6 +65,12 @@ variable "google_gcr_domain" {
 default = "gcr.io"
 }
+variable "looker_service_account" {
+ description = "To create a service account for Looker (dashboard)"
+ default = false
+ type = bool
+}
+
 variable "mapped_domain" {
 type = string
 description = "Domain name which is mapped on cloud run."
@@ -95,6 +101,12 @@ variable "repository" {
 description = "The name of the git repository"
 }
+variable "service_account_keys_policy_override" {
+ description = "To override organisation service account keys creation policy for project"
+ default = false
+ type = bool
+}
+
 variable "subdomain" {
 description = "The prefix added to the `mapped_domain`, of event handler, use to create a record within Google Cloud DNS."
 default = "dora"
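Review bot: The description on `service_account_keys_policy_override` (second hunk) does not name the constraint being changed or say that the effect is project-wide, which is exactly what someone deciding whether to set it needs; suggest `description = "When true, disables enforcement of the iam.disableServiceAccountKeyCreation organization policy for this project (project-wide, not only for the Looker account) so that service account keys can be created."`. The same applies to `looker_service_account` in the first hunk, where `description = "Whether to create a service account (granted roles/bigquery.user on the project) for the Looker dashboard"` states what is provisioned and what it is allowed to do. Both defaulting to `false` is the right safe default; note that the cloudbuild substitutions in this same commit set both to 'true', so these defaults only take effect for direct terraform runs.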