remove unused private_ca role for network-security stage
Luca Prete committed Aug 29, 2024
1 parent 4b00da4 commit d693d9a
Showing 17 changed files with 570 additions and 1,714 deletions.
20 changes: 0 additions & 20 deletions fast/stages/0-bootstrap/data/custom-roles/private_ca_user.yaml

This file was deleted.

1 change: 0 additions & 1 deletion fast/stages/0-bootstrap/organization.tf
Expand Up @@ -191,7 +191,6 @@ module "organization" {
module.organization.custom_role_id["network_firewall_policies_admin"],
module.organization.custom_role_id["ngfw_enterprise_admin"],
module.organization.custom_role_id["ngfw_enterprise_viewer"],
module.organization.custom_role_id["private_ca_user"],
module.organization.custom_role_id["service_project_network_admin"],
module.organization.custom_role_id["tenant_network_admin"]
]))
14 changes: 7 additions & 7 deletions fast/stages/1-resman/README.md

Large diffs are not rendered by default.

3 changes: 1 addition & 2 deletions fast/stages/1-resman/branch-security.tf
Expand Up @@ -60,8 +60,7 @@ module "branch-security-folder" {
expression = format(
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
join(",", formatlist("'%s'", [
"roles/privateca.certificateManager",
var.custom_roles.private_ca_user
"roles/privateca.certificateManager"
]))
)
title = "security_sa_delegated_grants"
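Review bot: The `hasOnly` condition now allow-lists a single role for the security stage SA's delegated grants, and nothing in the hunk says why that role is the only one permitted or what must stay in step with it; consider a comment above `expression`, e.g. `# roles the security stage SA may grant on its folder; keep in sync with the CAS bindings in 2-security (core-dev.tf / core-prod.tf)`. With one element the `join(",", formatlist("'%s'", [...]))` wrapper still works, but it reads as a list meant to grow, so stating the intent avoids someone re-adding a custom role here without a matching binding elsewhere. The `branch-security-folder` module block continues outside the hunk.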
1 change: 0 additions & 1 deletion fast/stages/1-resman/variables-fast.tf
Expand Up @@ -59,7 +59,6 @@ variable "custom_roles" {
ngfw_enterprise_admin = string
ngfw_enterprise_viewer = string
organization_admin_viewer = string
private_ca_user = string
service_project_network_admin = string
storage_viewer = string
})
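Review bot: Dropping `private_ca_user` from the `custom_roles` object type leaves a window where the tfvars generated by 0-bootstrap still carry that key until 0-bootstrap is re-applied, and the same applies to 2-security, where this commit removes the whole `custom_roles` variable (variables-fast.tf) so a stale key there surfaces as an undeclared-variable warning on the first run. Presumably the extra attribute is tolerated by the object type conversion here, but a comment on the variable, or a line in the stage README, stating that 0-bootstrap must be applied before 1-resman and 2-security after this change would avoid a confusing first plan. The `variable "custom_roles"` block starts outside the hunk.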
9 changes: 4 additions & 5 deletions fast/stages/2-security/README.md
Expand Up @@ -281,12 +281,11 @@ tls_inspection = {
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10; outputs_bucket &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>0-bootstrap</code> |
| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | <code title="object&#40;&#123;&#10; id &#61; string&#10; is_org_level &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>0-bootstrap</code> |
| [folder_ids](variables-fast.tf#L47) | Folder name => id mappings, the 'security' folder name must exist. | <code title="object&#40;&#123;&#10; security &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>1-resman</code> |
| [organization](variables-fast.tf#L55) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>0-bootstrap</code> |
| [prefix](variables-fast.tf#L65) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> || | <code>0-bootstrap</code> |
| [service_accounts](variables-fast.tf#L75) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; nsec &#61; string&#10; nsec-r &#61; string&#10; project-factory &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>1-resman</code> |
| [folder_ids](variables-fast.tf#L38) | Folder name => id mappings, the 'security' folder name must exist. | <code title="object&#40;&#123;&#10; security &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>1-resman</code> |
| [organization](variables-fast.tf#L46) | Organization details. | <code title="object&#40;&#123;&#10; domain &#61; string&#10; id &#61; number&#10; customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>0-bootstrap</code> |
| [prefix](variables-fast.tf#L56) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | <code>string</code> || | <code>0-bootstrap</code> |
| [service_accounts](variables-fast.tf#L66) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; nsec &#61; string&#10; nsec-r &#61; string&#10; project-factory &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || | <code>1-resman</code> |
| [cas_configs](variables.tf#L17) | The CAS CAs to add to each environment. | <code title="object&#40;&#123;&#10; dev &#61; optional&#40;map&#40;object&#40;&#123;&#10; ca_configs &#61; map&#40;any&#41;&#10; ca_pool_config &#61; map&#40;any&#41;&#10; location &#61; string&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;map&#40;object&#40;&#123;&#10; ca_configs &#61; map&#40;any&#41;&#10; ca_pool_config &#61; map&#40;any&#41;&#10; location &#61; string&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;any&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#125;&#10; prod &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10; private_ca_user &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>0-bootstrap</code> |
| [essential_contacts](variables.tf#L46) | Email used for essential contacts, unset if null. | <code>string</code> | | <code>null</code> | |
| [kms_keys](variables.tf#L52) | KMS keys to create, keyed by name. | <code title="map&#40;object&#40;&#123;&#10; rotation_period &#61; optional&#40;string, &#34;7776000s&#34;&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; locations &#61; optional&#40;list&#40;string&#41;, &#91;&#10; &#34;europe&#34;, &#34;europe-west1&#34;, &#34;europe-west3&#34;, &#34;global&#34;&#10; &#93;&#41;&#10; purpose &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10; skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10; version_template &#61; optional&#40;object&#40;&#123;&#10; algorithm &#61; string&#10; protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10; &#125;&#41;&#41;&#10;&#10;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [ngfw_tls_configs](variables.tf#L91) | The CAS and trust configurations key names to be used for NGFW Enterprise. | <code title="object&#40;&#123;&#10; keys &#61; optional&#40;object&#40;&#123;&#10; dev &#61; optional&#40;object&#40;&#123;&#10; cas &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-dev-cas-0&#34;&#93;&#41;&#10; trust_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-dev-tc-0&#34;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; prod &#61; optional&#40;object&#40;&#123;&#10; cas &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-prod-cas-0&#34;&#93;&#41;&#10; trust_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#34;ngfw-prod-tc-0&#34;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; tls_inspection &#61; optional&#40;object&#40;&#123;&#10; enabled &#61; optional&#40;bool, false&#41;&#10; exclude_public_ca_set &#61; optional&#40;bool, false&#41;&#10; min_tls_version &#61; optional&#40;string, &#34;TLS_1_0&#34;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; dev &#61; &#123;&#125;&#10; prod &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
14 changes: 2 additions & 12 deletions fast/stages/2-security/core-dev.tf
Expand Up @@ -27,16 +27,6 @@ locals {
role = "roles/privateca.certificateManager"
}
}
ngfw_dev_sa_cas_iam_bindings_additive = {
nsec_dev_sa_binding = {
member = "serviceAccount:${var.service_accounts.nsec}"
role = var.custom_roles.private_ca_user
}
nsec_dev_sa_r_binding = {
member = "serviceAccount:${var.service_accounts.nsec-r}"
role = var.custom_roles.private_ca_user
}
}
dev_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-dev,
Expand All @@ -56,12 +46,12 @@ module "dev-sec-project" {
iam = {
"roles/cloudkms.viewer" = local.dev_kms_restricted_admins
}
iam_bindings_additive = merge({
iam_bindings_additive = {
for member in local.dev_kms_restricted_admins :
"kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, {
member = member
})
}, local.ngfw_dev_sa_cas_iam_bindings_additive)
}
labels = { environment = "dev", team = "security" }
services = local.project_services
}
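Review bot: Removing `ngfw_dev_sa_cas_iam_bindings_additive` drops the only project-level bindings that gave the `nsec` and `nsec-r` service accounts a CA-related role in the dev security project, while the stage's `ngfw_tls_configs` variable still describes CAS keys for NGFW Enterprise; confirm the network-security stage no longer needs those SAs to reach the CA pools, or that equivalent access is now granted per pool via `cas_configs.*.iam`. The same removal is made in core-prod.tf. Because the `private_ca_user` custom role is also deleted from 0-bootstrap in this commit, apply order presumably matters: removing these bindings before the role goes away avoids bindings to a deleted role lingering in the project policy. A one-line comment above `iam_bindings_additive`, e.g. `# only KMS restricted-admin bindings remain here; CAS access for network-security SAs is no longer granted at project level`, would tell the next reader this was deliberate. The `locals` block edited by the first hunk starts outside it.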
14 changes: 2 additions & 12 deletions fast/stages/2-security/core-prod.tf
Expand Up @@ -27,16 +27,6 @@ locals {
role = "roles/privateca.certificateManager"
}
}
ngfw_prod_sa_cas_iam_bindings_additive = {
nsec_prod_sa_binding = {
member = "serviceAccount:${var.service_accounts.nsec}"
role = var.custom_roles.private_ca_user
}
nsec_prod_sa_r_binding = {
member = "serviceAccount:${var.service_accounts.nsec-r}"
role = var.custom_roles.private_ca_user
}
}
prod_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-prod,
Expand All @@ -55,12 +45,12 @@ module "prod-sec-project" {
iam = {
"roles/cloudkms.viewer" = local.prod_kms_restricted_admins
}
iam_bindings_additive = merge({
iam_bindings_additive = {
for member in local.prod_kms_restricted_admins :
"kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, {
member = member
})
}, local.ngfw_prod_sa_cas_iam_bindings_additive)
}
labels = { environment = "prod", team = "security" }
services = local.project_services
}
9 changes: 0 additions & 9 deletions fast/stages/2-security/variables-fast.tf
Expand Up @@ -35,15 +35,6 @@ variable "billing_account" {
}
}

variable "custom_roles" {
# tfdoc:variable:source 0-bootstrap
description = "Custom roles defined at the org level, in key => id format."
type = object({
private_ca_user = string
})
default = null
}

variable "folder_ids" {
# tfdoc:variable:source 1-resman
description = "Folder name => id mappings, the 'security' folder name must exist."