Added iam_bindings and iam_bindings_additive to apigee module
apichick committed Oct 27, 2023
1 parent 86d7ac1 commit 8c5725d
Showing 6 changed files with 129 additions and 35 deletions.
71 changes: 57 additions & 14 deletions modules/apigee/README.md
Expand Up @@ -15,6 +15,7 @@ This module simplifies the creation of a Apigee resources (organization, environ
- [New environment](#new-environment)
- [New instance (VPC Peering Provisioning Mode)](#new-instance-vpc-peering-provisioning-mode)
- [New instance (Non VPC Peering Provisioning Mode)](#new-instance-non-vpc-peering-provisioning-mode)
- [IAM](#iam)
- [New endpoint attachment](#new-endpoint-attachment)
- [Apigee add-ons](#apigee-add-ons)
- [Variables](#variables)
Expand Down Expand Up @@ -87,7 +88,6 @@ module "apigee" {

When a new Apigee organization is created, it is automatically peered to the authorized network. You can prevent this from happening by using the `disable_vpc_peering` key in the `organization` variable, as shown below:


```hcl
module "apigee" {
source = "./fabric/modules/apigee"
Expand Down Expand Up @@ -117,7 +117,6 @@ module "apigee" {
# tftest modules=1 resources=6 inventory=no-peering.yaml
```


### All resources (CLOUD)

```hcl
Expand Down Expand Up @@ -147,9 +146,6 @@ module "apigee" {
display_name = "APIs prod"
description = "APIs prod"
envgroups = ["prod"]
iam = {
"roles/viewer" = ["group:[email protected]"]
}
}
}
instances = {
Expand All @@ -176,7 +172,7 @@ module "apigee" {
}
}
}
# tftest modules=1 resources=15
# tftest modules=1 resources=14
```

### All resources (HYBRID control plane)
Expand Down Expand Up @@ -205,13 +201,10 @@ module "apigee" {
display_name = "APIs prod"
description = "APIs prod"
envgroups = ["prod"]
iam = {
"roles/viewer" = ["group:[email protected]"]
}
}
}
}
# tftest modules=1 resources=8
# tftest modules=1 resources=7
```

### New environment group
Expand Down Expand Up @@ -281,6 +274,56 @@ module "apigee" {
# tftest modules=1 resources=2
```

### IAM

```hcl
module "apigee" {
source = "./fabric/modules/apigee"
project_id = "my-project"
organization = {
display_name = "My Organization"
description = "My Organization"
authorized_network = "my-vpc"
runtime_type = "CLOUD"
billing_type = "PAYG"
database_encryption_key = "123456789"
analytics_region = "europe-west1"
}
envgroups = {
test = ["test.example.com"]
prod = ["prod.example.com"]
}
environments = {
apis-test = {
display_name = "APIs test"
description = "APIs Test"
envgroups = ["test"]
iam = {
"roles/apigee.environmentAdmin" = ["group:[email protected]"]
}
iam_bindings_additive = {
viewer = {
role = "roles/viewer"
member = "user:[email protected]"
}
}
}
apis-prod = {
display_name = "APIs prod"
description = "APIs prod"
envgroups = ["prod"]
iam_bindings = {
apigee-env-admin = {
role = "roles/apigee.environmentAdmin"
members = ["group:[email protected]"]
}
}
}
}
}
# tftest modules=1 resources=10
```

### New endpoint attachment

Endpoint attachments allow to implement [Apigee southbound network patterns](https://cloud.google.com/apigee/docs/api-platform/architecture/southbound-networking-patterns-endpoints#create-the-psc-attachments).
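Review bot: the new IAM section is code only; it needs a sentence stating that `iam` and `iam_bindings` are authoritative for the role they name (members not listed are removed on apply) and that `iam_bindings_additive` only adds the given member, because the `apis-test` example mixes the two forms and a reader cannot tell from the example alone that this is safe only because `roles/apigee.environmentAdmin` and `roles/viewer` are different roles. A one-line warning that the same role must not appear under both `iam` and `iam_bindings` for one environment belongs in the same paragraph.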
Expand Down Expand Up @@ -316,13 +359,13 @@ module "apigee" {

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [project_id](variables.tf#L117) | Project ID. | <code>string</code> || |
| [project_id](variables.tf#L125) | Project ID. | <code>string</code> || |
| [addons_config](variables.tf#L17) | Addons configuration. | <code title="object&#40;&#123;&#10; advanced_api_ops &#61; optional&#40;bool, false&#41;&#10; api_security &#61; optional&#40;bool, false&#41;&#10; connectors_platform &#61; optional&#40;bool, false&#41;&#10; integration &#61; optional&#40;bool, false&#41;&#10; monetization &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [endpoint_attachments](variables.tf#L29) | Endpoint attachments. | <code title="map&#40;object&#40;&#123;&#10; region &#61; string&#10; service_attachment &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [envgroups](variables.tf#L39) | Environment groups (NAME => [HOSTNAMES]). | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [environments](variables.tf#L46) | Environments. | <code title="map&#40;object&#40;&#123;&#10; display_name &#61; optional&#40;string&#41;&#10; description &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10; deployment_type &#61; optional&#40;string&#41;&#10; api_proxy_type &#61; optional&#40;string&#41;&#10; node_config &#61; optional&#40;object&#40;&#123;&#10; min_node_count &#61; optional&#40;number&#41;&#10; max_node_count &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10; envgroups &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [instances](variables.tf#L64) | Instances ([REGION] => [INSTANCE]). | <code title="map&#40;object&#40;&#123;&#10; name &#61; optional&#40;string&#41;&#10; display_name &#61; optional&#40;string&#41;&#10; description &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10; runtime_ip_cidr_range &#61; optional&#40;string&#41;&#10; troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10; disk_encryption_key &#61; optional&#40;string&#41;&#10; consumer_accept_list &#61; optional&#40;list&#40;string&#41;&#41;&#10; enable_nat &#61; optional&#40;bool, false&#41;&#10; environments &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [organization](variables.tf#L89) | Apigee organization. If set to null the organization must already exist. | <code title="object&#40;&#123;&#10; display_name &#61; optional&#40;string&#41;&#10; description &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10; authorized_network &#61; optional&#40;string&#41;&#10; runtime_type &#61; optional&#40;string, &#34;CLOUD&#34;&#41;&#10; billing_type &#61; optional&#40;string&#41;&#10; database_encryption_key &#61; optional&#40;string&#41;&#10; analytics_region &#61; optional&#40;string, &#34;europe-west1&#34;&#41;&#10; retention &#61; optional&#40;string&#41;&#10; disable_vpc_peering &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [environments](variables.tf#L46) | Environments. | <code title="map&#40;object&#40;&#123;&#10; display_name &#61; optional&#40;string&#41;&#10; description &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10; deployment_type &#61; optional&#40;string&#41;&#10; api_proxy_type &#61; optional&#40;string&#41;&#10; node_config &#61; optional&#40;object&#40;&#123;&#10; min_node_count &#61; optional&#40;number&#41;&#10; max_node_count &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; members &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; role &#61; string&#10; member &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; envgroups &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [instances](variables.tf#L72) | Instances ([REGION] => [INSTANCE]). | <code title="map&#40;object&#40;&#123;&#10; name &#61; optional&#40;string&#41;&#10; display_name &#61; optional&#40;string&#41;&#10; description &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10; runtime_ip_cidr_range &#61; optional&#40;string&#41;&#10; troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10; disk_encryption_key &#61; optional&#40;string&#41;&#10; consumer_accept_list &#61; optional&#40;list&#40;string&#41;&#41;&#10; enable_nat &#61; optional&#40;bool, false&#41;&#10; environments &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [organization](variables.tf#L97) | Apigee organization. If set to null the organization must already exist. | <code title="object&#40;&#123;&#10; display_name &#61; optional&#40;string&#41;&#10; description &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10; authorized_network &#61; optional&#40;string&#41;&#10; runtime_type &#61; optional&#40;string, &#34;CLOUD&#34;&#41;&#10; billing_type &#61; optional&#40;string&#41;&#10; database_encryption_key &#61; optional&#40;string&#41;&#10; analytics_region &#61; optional&#40;string, &#34;europe-west1&#34;&#41;&#10; retention &#61; optional&#40;string&#41;&#10; disable_vpc_peering &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |

## Outputs

57 changes: 57 additions & 0 deletions modules/apigee/iam.tf
@@ -0,0 +1,57 @@
/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

resource "google_apigee_environment_iam_binding" "authoritative" {
for_each = merge(concat([for k1, v1 in var.environments : {
for k2, v2 in v1.iam : "${k1}-${k2}" => {
environment = "${k1}"
role = k2
members = v2
}
}])...)
org_id = local.org_id
env_id = google_apigee_environment.environments[each.value.environment].name
role = each.value.role
members = each.value.members
}

resource "google_apigee_environment_iam_binding" "bindings" {
for_each = merge(concat([for k1, v1 in var.environments : {
for k2, v2 in coalesce(v1.iam_bindings, {}) : "${k1}-${k2}" => {
environment = "${k1}"
role = v2.role
members = v2.members
}
}])...)
org_id = local.org_id
env_id = google_apigee_environment.environments[each.value.environment].name
role = each.value.role
members = each.value.members
}

resource "google_apigee_environment_iam_member" "bindings" {
for_each = merge(concat([for k1, v1 in var.environments : {
for k2, v2 in coalesce(v1.iam_bindings_additive, {}) : "${k1}-${k2}" => {
environment = "${k1}"
role = v2.role
member = v2.member
}
}])...)
org_id = local.org_id
env_id = google_apigee_environment.environments[each.value.environment].name
role = each.value.role
member = each.value.member
}
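Review bot: `authoritative` and `bindings` are both `google_apigee_environment_iam_binding`, so a role that appears under `iam` and under `iam_bindings` for the same environment yields two authoritative resources for one role that overwrite each other on every apply, and a member granted through `iam_bindings_additive` on a role that either of them manages is removed again the next time that binding is applied; either document the rule or reject the overlap with a validation on the variable. Two smaller points in the same hunk: `coalesce(v1.iam_bindings, {})` and `coalesce(v1.iam_bindings_additive, {})` are redundant now that variables.tf defaults both attributes to `{}` (the `iam` loop above already iterates `v1.iam` directly, so pick one style), and `environment = "${k1}"` should be plain `environment = k1`, which also avoids the interpolation-only expression warning from `terraform validate`.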
18 changes: 2 additions & 16 deletions modules/apigee/main.tf
Expand Up @@ -62,7 +62,7 @@ resource "google_apigee_environment" "environments" {

resource "google_apigee_envgroup_attachment" "envgroup_attachments" {
for_each = merge(concat([for k1, v1 in var.environments : {
for v2 in coalesce(v1.envgroups, []) : "${k1}-${v2}" => {
for v2 in v1.envgroups : "${k1}-${v2}" => {
environment = k1
envgroup = v2
}
Expand All @@ -72,20 +72,6 @@ resource "google_apigee_envgroup_attachment" "envgroup_attachments" {
depends_on = [google_apigee_envgroup.envgroups]
}

resource "google_apigee_environment_iam_binding" "binding" {
for_each = merge(concat([for k1, v1 in var.environments : {
for k2, v2 in coalesce(v1.iam, {}) : "${k1}-${k2}" => {
environment = "${k1}"
role = k2
members = v2
}
}])...)
org_id = local.org_id
env_id = google_apigee_environment.environments[each.value.environment].name
role = each.value.role
members = each.value.members
}

resource "google_apigee_instance" "instances" {
for_each = var.instances
name = coalesce(each.value.name, "instance-${each.key}")
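Review bot: removing `google_apigee_environment_iam_binding.binding` here while the same resource reappears in iam.tf as `.authoritative` changes the state address, so on existing deployments the next plan destroys and recreates every environment binding; for an authoritative binding that means the role's members are dropped and re-granted instead of being left untouched. Add a `moved` block, e.g. `moved { from = google_apigee_environment_iam_binding.binding to = google_apigee_environment_iam_binding.authoritative }`, so state follows the rename without touching IAM.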
Expand Down Expand Up @@ -114,7 +100,7 @@ resource "google_apigee_nat_address" "apigee_nat" {

resource "google_apigee_instance_attachment" "instance_attachments" {
for_each = merge(concat([for k1, v1 in var.instances : {
for v2 in coalesce(v1.environments, []) :
for v2 in v1.environments :
"${k1}-${v2}" => {
instance = k1
environment = v2
14 changes: 11 additions & 3 deletions modules/apigee/variables.tf
Expand Up @@ -54,8 +54,16 @@ variable "environments" {
min_node_count = optional(number)
max_node_count = optional(number)
}))
iam = optional(map(list(string)))
envgroups = optional(list(string))
iam = optional(map(list(string)), {})
iam_bindings = optional(map(object({
role = string
members = list(string)
})), {})
iam_bindings_additive = optional(map(object({
role = string
member = string
})), {})
envgroups = optional(list(string), [])
}))
default = {}
nullable = false
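Review bot: nothing in this hunk stops the same role being listed under `iam` and under `iam_bindings[*].role` for one environment, which iam.tf then manages with two authoritative resources; a `validation` block on `environments` along the lines of `alltrue([for k, v in var.environments : length(setintersection(keys(v.iam), [for b in v.iam_bindings : b.role])) == 0])` would reject that at plan time with a clear message. Also consider an optional `condition` object on `iam_bindings` items: the inventories under tests/modules/apigee show the binding resource already carries a `condition` attribute, and without it conditional grants cannot be expressed through the module.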
Expand All @@ -72,7 +80,7 @@ variable "instances" {
disk_encryption_key = optional(string)
consumer_accept_list = optional(list(string))
enable_nat = optional(bool, false)
environments = optional(list(string))
environments = optional(list(string), [])
}))
validation {
condition = alltrue([
2 changes: 1 addition & 1 deletion tests/modules/apigee/all_psc_mode.yaml
Expand Up @@ -41,7 +41,7 @@ values:
description: APIs Test
display_name: APIs test
name: apis-test
google_apigee_environment_iam_binding.binding["apis-prod-roles/viewer"]:
google_apigee_environment_iam_binding.authoritative["apis-prod-roles/viewer"]:
condition: []
env_id: apis-prod
members:
2 changes: 1 addition & 1 deletion tests/modules/apigee/all_vpc_mode.yaml
Expand Up @@ -42,7 +42,7 @@ values:
description: APIs Test
display_name: APIs test
name: apis-test
google_apigee_environment_iam_binding.binding["apis-prod-roles/viewer"]:
google_apigee_environment_iam_binding.authoritative["apis-prod-roles/viewer"]:
condition: []
env_id: apis-prod
members:
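Review bot: these two inventories only follow the rename to `authoritative`; nothing under tests/modules/apigee asserts the new `google_apigee_environment_iam_binding.bindings` or `google_apigee_environment_iam_member.bindings` resources, and the README IAM example runs with `# tftest modules=1 resources=10` and no `inventory=`, so a wrong `role`, `member` or `env_id` lookup in iam.tf would still pass as long as the count stays at 10. Add an inventory (say `iam.yaml`, name to be chosen) with the expected `env_id`, `role` and `members`/`member` values for all three resources and reference it from the README example the way the no-peering example references `no-peering.yaml`.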