[FAST] Add permissions to nsec-r SA
Luca Prete committed Aug 21, 2024
1 parent fe55217 commit 191baab
Showing 12 changed files with 1,797 additions and 32 deletions.
@@ -0,0 +1,20 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# yaml-language-server: $schema=../../schemas/custom-role.schema.json

name: networkFirewallPoliciesViewer
includedPermissions:
- networksecurity.firewallEndpointAssociations.get
- networksecurity.firewallEndpointAssociations.list
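Review bot: The role is named networkFirewallPoliciesViewer, but its permission list holds only `networksecurity.firewallEndpointAssociations.get` and `networksecurity.firewallEndpointAssociations.list`; nothing in the file grants read access to firewall policies themselves, so the name promises more than the role can do. If the narrow scope is intentional, a comment above `includedPermissions:` such as `# intentionally limited to firewall endpoint associations; does not grant read access to firewall policies` would stop a later maintainer from widening it to "match the name"; otherwise the role should be renamed to describe its contents. The file path for this new file is not shown on the page.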
@@ -0,0 +1,31 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# yaml-language-server: $schema=../../schemas/custom-role.schema.json

name: ngfwEnterpriseViewer
includedPermissions:
- networksecurity.firewallEndpoints.get
- networksecurity.firewallEndpoints.list
- networksecurity.firewallEndpoints.use
- networksecurity.locations.get
- networksecurity.locations.list
- networksecurity.operations.get
- networksecurity.operations.list
- networksecurity.securityProfileGroups.get
- networksecurity.securityProfileGroups.list
- networksecurity.securityProfileGroups.use
- networksecurity.securityProfiles.get
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.use
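Review bot: Three permissions in a role named ngfwEnterpriseViewer are not read-only: `networksecurity.firewallEndpoints.use`, `networksecurity.securityProfileGroups.use` and `networksecurity.securityProfiles.use`. A `.use` permission typically allows the holder to reference the resource when creating or attaching other resources, which is broader than the viewer naming suggests and broader than a read-only service account (iam.tf in this commit binds the role to branch-nsec-r-sa) would normally need. If they are required for the read-only stage to plan, a comment above the list stating that, e.g. `# the .use permissions are required for <reason>; all other permissions are read-only`, makes the exception explicit and auditable; otherwise drop them and keep the role to `get`/`list`. The file path for this new file is not shown on the page.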
2 changes: 2 additions & 0 deletions fast/stages/0-bootstrap/organization.tf
Expand Up @@ -188,7 +188,9 @@ module "organization" {
]))
, join(",", formatlist("'%s'", [
module.organization.custom_role_id["network_firewall_policies_admin"],
module.organization.custom_role_id["network_firewall_policies_viewer"],
module.organization.custom_role_id["ngfw_enterprise_admin"],
module.organization.custom_role_id["ngfw_enterprise_viewer"],
module.organization.custom_role_id["service_project_network_admin"],
module.organization.custom_role_id["tenant_network_admin"]
]))
14 changes: 7 additions & 7 deletions fast/stages/1-resman/README.md


8 changes: 7 additions & 1 deletion fast/stages/1-resman/branch-networking.tf
Expand Up @@ -31,13 +31,19 @@ locals {
"roles/resourcemanager.folderViewer" = [module.branch-network-r-sa.iam_email]
},
var.fast_features.nsec != true ? {} : {
# nsec service account
# nsec service accounts
"roles/serviceusage.serviceUsageAdmin" = [
try(module.branch-nsec-sa[0].iam_email, null)
]
"roles/serviceusage.serviceUsageConsumer" = [
try(module.branch-nsec-r-sa[0].iam_email, null)
]
(var.custom_roles["network_firewall_policies_admin"]) = [
try(module.branch-nsec-sa[0].iam_email, null)
]
(var.custom_roles["network_firewall_policies_viewer"]) = [
try(module.branch-nsec-r-sa[0].iam_email, null)
]
}
)
# deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
8 changes: 8 additions & 0 deletions fast/stages/1-resman/iam.tf
Expand Up @@ -48,6 +48,14 @@ locals {
member = module.branch-nsec-sa[0].iam_email
role = local.custom_roles["ngfw_enterprise_admin"],
}
sa_net_nsec_r_fw_policy_admin = {
member = module.branch-nsec-sa[0].iam_email
role = "roles/compute.orgFirewallPolicyUser"
}
sa_net_nsec_r_ngfw_enterprise_viewer = {
member = module.branch-nsec-r-sa[0].iam_email
role = local.custom_roles["ngfw_enterprise_viewer"],
}
},
# optional billing roles for network and security
local.billing_mode != "org" ? {} : {
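Review bot: The new binding `sa_net_nsec_r_fw_policy_admin` does not match its own name: the key says `nsec_r` and `fw_policy_admin`, but the member is `module.branch-nsec-sa[0].iam_email` (the read-write SA) and the role is `roles/compute.orgFirewallPolicyUser`. Given the commit title targets the nsec-r SA, it looks like the member should be `module.branch-nsec-r-sa[0].iam_email`, as in the `sa_net_nsec_r_ngfw_enterprise_viewer` entry right below it; if the read-write SA is the intended grantee, rename the key (e.g. `sa_net_nsec_fw_policy_user`) so a later audit of org-level IAM does not misread which account holds the role. The enclosing `locals` block starts and ends outside the hunk. Minor: `role = "roles/compute.orgFirewallPolicyUser"` lacks the trailing comma the sibling entries carry, which is harmless in HCL but inconsistent.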
1 change: 1 addition & 0 deletions fast/stages/1-resman/variables-fast.tf
Expand Up @@ -57,6 +57,7 @@ variable "custom_roles" {
gcve_network_admin = string
network_firewall_policies_admin = string
ngfw_enterprise_admin = string
ngfw_enterprise_viewer = string
organization_admin_viewer = string
service_project_network_admin = string
storage_viewer = string
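Review bot: `network_firewall_policies_viewer` is not declared in this type, although branch-networking.tf in the same commit reads `var.custom_roles["network_firewall_policies_viewer"]` and both tfvars fixtures now set that key. If `custom_roles` is an `object({...})` type constraint, as the `name = string` attribute lines suggest, that lookup would likely fail with an unsupported-attribute error; the fix is one line, `network_firewall_policies_viewer = string`, placed between `network_firewall_policies_admin` and `ngfw_enterprise_admin` to keep the alphabetical order. If the attribute is declared elsewhere in the variable, or the type is a map, this can be ignored. The `variable "custom_roles"` block starts before the hunk.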
1,709 changes: 1,700 additions & 9 deletions tests/fast/stages/s0_bootstrap/checklist.yaml


6 changes: 4 additions & 2 deletions tests/fast/stages/s0_bootstrap/simple.yaml
Expand Up @@ -21,7 +21,7 @@ counts:
google_logging_project_bucket_config: 4
google_org_policy_policy: 22
google_organization_iam_binding: 28
google_organization_iam_custom_role: 9
google_organization_iam_custom_role: 11
google_organization_iam_member: 29
google_project: 3
google_project_iam_audit_config: 1
Expand All @@ -41,7 +41,7 @@ counts:
google_tags_tag_value: 1
local_file: 10
modules: 20
resources: 229
resources: 231

outputs:
automation: __missing__
Expand All @@ -50,7 +50,9 @@ outputs:
custom_roles:
gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin
network_firewall_policies_admin: organizations/123456789012/roles/networkFirewallPoliciesAdmin
network_firewall_policies_viewer: organizations/123456789012/roles/networkFirewallPoliciesViewer
ngfw_enterprise_admin: organizations/123456789012/roles/ngfwEnterpriseAdmin
ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer
organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
2 changes: 1 addition & 1 deletion tests/fast/stages/s0_bootstrap/simple_projects.yaml
@@ -1,4 +1,4 @@
# Copyright 2023 Google LLC
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
14 changes: 8 additions & 6 deletions tests/fast/stages/s1_resman/checklist.tfvars
Expand Up @@ -13,12 +13,14 @@ billing_account = {
}
custom_roles = {
# organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
storage_viewer = "organizations/123456789012/roles/storageViewer"
gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer"
ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
storage_viewer = "organizations/123456789012/roles/storageViewer"
}
factories_config = {
checklist_data = "checklist-data.json"
14 changes: 8 additions & 6 deletions tests/fast/stages/s1_resman/simple.tfvars
Expand Up @@ -13,12 +13,14 @@ billing_account = {
}
custom_roles = {
# organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
storage_viewer = "organizations/123456789012/roles/storageViewer"
gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer"
ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
storage_viewer = "organizations/123456789012/roles/storageViewer"
}
groups = {
gcp-billing-admins = "gcp-billing-admins",
