
Luca Prete committed Aug 9, 2024
1 parent 06227dc commit 64da753
Showing 4 changed files with 97 additions and 43 deletions.
21 changes: 2 additions & 19 deletions fast/stages/2-security/core-dev.tf
Expand Up @@ -15,23 +15,6 @@
*/

locals {
_dev_nsec_authz_iam = {
iam_bindings_additive = {
member = module.dev-sec-project.service_agents["networksecurity"]
role = "roles/privateca.certificateManager"
}
}
dev_ca_pool_config = {
for k, v in var.cas_configs.dev
: k => merge(
v.ca_pool_config,
(
try(v.authz_nsec_sa, false) == true
? local._dev_nsec_authz_iam
: {}
)
)
}
dev_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-dev,
Expand Down Expand Up @@ -73,11 +56,11 @@ module "dev-sec-kms" {
}

module "dev-sec-cas" {
for_each = var.cas_configs.dev
for_each = local.cas_configs.dev
source = "../../../modules/certificate-authority-service"
project_id = module.dev-sec-project.project_id
ca_configs = each.value.ca_configs
ca_pool_config = local.dev_ca_pool_config[each.key]
ca_pool_config = each.value.ca_pool_config
iam = each.value.iam
iam_bindings = each.value.iam_bindings
iam_bindings_additive = each.value.iam_bindings_additive
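Review bot: `authz_nsec_sa` survives as an inert key after this change. The hunk removes the `_dev_nsec_authz_iam` merge that gave the key its meaning, yet `_ngfw_cas_configs` in main.tf still sets `authz_nsec_sa = true` inside `ca_pool_config`, and `ca_pool_config = each.value.ca_pool_config` now hands that object to the module untouched; whether the module drops or rejects an attribute it does not declare depends on its variable type, which is outside this diff. Since the networksecurity binding is now spelled out explicitly in `iam_bindings_additive`, the key can simply be dropped from `_ngfw_cas_configs`, and the `cas_configs` description in variables.tf should state that `authz_nsec_sa` in user-supplied pools is no longer honored, because existing tfvars that rely on it will silently lose the binding. The same applies to core-prod.tf. Both the `locals` block and `module "dev-sec-cas"` start or end outside the hunks shown.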
21 changes: 2 additions & 19 deletions fast/stages/2-security/core-prod.tf
Expand Up @@ -15,23 +15,6 @@
*/

locals {
_prod_nsec_authz_iam = {
iam_bindings_additive = {
member = module.prod-sec-project.service_agents["networksecurity"]
role = "roles/privateca.certificateManager"
}
}
prod_ca_pool_config = {
for k, v in var.cas_configs.prod
: k => merge(
v.ca_pool_config,
(
try(v.authz_nsec_sa, false) == true
? local._prod_nsec_authz_iam
: {}
)
)
}
prod_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-prod,
Expand Down Expand Up @@ -72,11 +55,11 @@ module "prod-sec-kms" {
}

module "prod-sec-cas" {
for_each = var.cas_configs.prod
for_each = local.cas_configs.prod
source = "../../../modules/certificate-authority-service"
project_id = module.prod-sec-project.project_id
ca_configs = each.value.ca_configs
ca_pool_config = local.prod_ca_pool_config[each.key]
ca_pool_config = each.value.ca_pool_config
iam = each.value.iam
iam_bindings = each.value.iam_bindings
iam_bindings_additive = each.value.iam_bindings_additive
67 changes: 66 additions & 1 deletion fast/stages/2-security/main.tf
Expand Up @@ -33,7 +33,6 @@ locals {
)
}
}

# list of locations with keys
kms_locations = distinct(flatten([
for k, v in var.kms_keys : v.locations
Expand All @@ -47,6 +46,72 @@ locals {
if contains(v.locations, loc)
}
}
_ngfw_cas_configs = {
dev = {
dev-ca-0 = {
ca_configs = {
dev-root-ngfw-ca-0 = {
deletion_protection = false #delete
subject = {
common_name = var.ngfw_tls_config.dev.common_name
organization = var.ngfw_tls_config.dev.organization
}
}
}
ca_pool_config = {
authz_nsec_sa = true
name = "dev-ngfw-ca-pool-0"
}
iam = {}
iam_bindings = {}
iam_bindings_additive = {
nsec_dev_sa_binding = {
member = module.dev-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
iam_by_principals = {}
location = var.ngfw_tls_config.dev.location
}
}
prod = {
prod-ca-0 = {
ca_configs = {
root-prod-ngfw-ca-0 = {
deletion_protection = false
subject = {
common_name = var.ngfw_tls_config.prod.common_name
organization = var.ngfw_tls_config.prod.organization
}
}
}
ca_pool_config = {
authz_nsec_sa = true
name = "prod-ngfw-ca-pool-0"
}
iam = {}
iam_bindings = {}
iam_bindings_additive = {
nsec_prod_sa_binding = {
member = module.prod-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
iam_by_principals = {}
location = var.ngfw_tls_config.prod.location
}
}
}
cas_configs = {
dev = merge(
var.cas_configs.dev,
var.ngfw_tls_config.dev.enabled ? local._ngfw_cas_configs.dev : {}
)
prod = merge(
var.cas_configs.prod,
var.ngfw_tls_config.prod.enabled ? local._ngfw_cas_configs.prod : {}
)
}
project_services = [
"certificatemanager.googleapis.com",
"cloudkms.googleapis.com",
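Review bot: Both NGFW root CAs are created with `deletion_protection = false` (the dev one under `dev-root-ngfw-ca-0`, the prod one under `root-prod-ngfw-ca-0`), and the dev line carries a `#delete` marker that reads like a leftover from testing. A root CA that serves as the TLS-inspection trust anchor is long-lived and costly to replace — destroying it invalidates every certificate it issued and requires distributing a new root to clients — so prod at least should default to protection on. Suggest surfacing it through the new variable, e.g. `deletion_protection = optional(bool, true)` in each `ngfw_tls_config` environment object and `deletion_protection = var.ngfw_tls_config.prod.deletion_protection` here, and either removing the `#delete` comment or saying what it means. Separately, `merge(var.cas_configs.dev, …)` lets the generated `dev-ca-0` silently replace a user-defined pool with the same key; a comment naming the reserved keys, or a `validation` on `cas_configs`, would make that visible. The `locals` block starts before the hunk.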
31 changes: 27 additions & 4 deletions fast/stages/2-security/variables.tf
Expand Up @@ -17,24 +17,24 @@
variable "cas_configs" {
description = "The CAS CAs to add to each environment"
type = object({
dev = map(object({
dev = optional(map(object({
ca_configs = map(any)
ca_pool_config = map(any)
location = string
iam = optional(map(list(string)), {})
iam_bindings = optional(map(any), {})
iam_bindings_additive = optional(map(any), {})
iam_by_principals = optional(map(list(string)), {})
}))
prod = map(object({
})), {})
prod = optional(map(object({
ca_configs = map(any)
ca_pool_config = map(any)
location = string
iam = optional(map(list(string)), {})
iam_bindings = optional(map(any), {})
iam_bindings_additive = optional(map(any), {})
iam_by_principals = optional(map(list(string)), {})
}))
})), {})
})
nullable = false
default = {
Expand Down Expand Up @@ -88,6 +88,29 @@ variable "kms_keys" {
nullable = false
}

variable "ngfw_tls_config" {
description = "The CAS NGFW Enterprise configuration, used for TLS Inspection."
type = object({
dev = optional(object({
common_name = optional(string, "dev.example.com")
enabled = optional(bool, false)
location = optional(string, "europe-west1")
organization = optional(string, "Example")
}), {})
prod = optional(object({
common_name = optional(string, "prod.example.com")
enabled = optional(bool, false)
location = optional(string, "europe-west1")
organization = optional(string, "Example")
}), {})
})
nullable = false
default = {
dev = {}
prod = {}
}
}

variable "outputs_location" {
description = "Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable."
type = string
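Review bot: The `ngfw_tls_config` description does not say what `enabled` actually does, and the defaults it ships are placeholders that become the subject of a real root CA. When `enabled = true`, main.tf creates a CA pool with a root CA in the environment's security project and, through the pool module's `iam_bindings_additive`, grants `roles/privateca.certificateManager` to that project's networksecurity service agent, so a caller flipping the flag without overriding `common_name`/`organization` gets a trust anchor issued to `dev.example.com` / `Example`. Suggest a description such as `"NGFW Enterprise TLS inspection: when enabled, creates a per-environment CA pool and root CA in the security project and grants the networksecurity service agent certificateManager on it. Override common_name and organization before enabling."` and, if the placeholders must stay, a `validation` block that rejects `enabled = true` while `common_name` is still the default. The `variable "cas_configs"` block continues outside the first hunk.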
