From b024700b89f6d245cf39f43c447b52547b7d670c Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 9 Aug 2024 12:03:47 +0200 Subject: [PATCH] organization module factory schemas --- .vscode/settings.json | 7 +- .../data/custom-roles/gcve_network_admin.yaml | 2 + .../network_firewall_policies_admin.yaml | 2 + .../custom-roles/ngfw_enterprise_admin.yaml | 2 + .../organization_admin_viewer.yaml | 2 + .../custom-roles/organization_iam_admin.yaml | 2 + .../service_project_network_admin.yaml | 2 + .../data/custom-roles/storage_viewer.yaml | 2 + .../data/custom-roles/tag_viewer.yaml | 2 + .../custom-roles/tenant_network_admin.yaml | 2 + .../data/org-policies/compute.yaml | 20 ++++- .../0-bootstrap/data/org-policies/gcp.yaml | 6 +- .../0-bootstrap/data/org-policies/iam.yaml | 20 ++++- .../data/org-policies/serverless.yaml | 20 ++++- .../0-bootstrap/data/org-policies/sql.yaml | 20 ++++- .../data/org-policies/storage.yaml | 20 ++++- modules/organization/README.md | 16 +--- .../schemas/custom-role.schema.json | 18 +++++ .../schemas/org-policies.schema.json | 73 +++++++++++++++++++ .../org-policy-custom-constraint.schema.json | 42 +++++++++++ modules/project/README.md | 3 +- 21 files changed, 247 insertions(+), 36 deletions(-) create mode 100644 modules/organization/schemas/custom-role.schema.json create mode 100644 modules/organization/schemas/org-policies.schema.json create mode 100644 modules/organization/schemas/org-policy-custom-constraint.schema.json diff --git a/.vscode/settings.json b/.vscode/settings.json index 5191466a28..eafe5043b4 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -6,5 +6,10 @@ ], "url": "http://json-schema.org/draft-07/schema#" } - ] + ], + "yaml.schemas": { + "modules/project-factory/schemas/budget.schema.json": [ + "budgets/**/*yaml" + ], + } } \ No newline at end of file 
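Review bot: The new `yaml.schemas` mapping on the new side ends with `],` followed by `}`, i.e. a trailing comma after its only entry; VS Code parses settings.json as JSONC and tolerates this, but anything that reads the file with a strict JSON parser will reject it, so drop the comma: `"budgets/**/*yaml"` / `]` / `}`. The glob `budgets/**/*yaml` also has no dot before the extension, so it matches any name ending in `yaml`; presumably `budgets/**/*.yaml` was intended. Note that this registers the project-factory budget schema only, while the three organization schemas this commit adds are wired through per-file `yaml-language-server` modelines instead, which is fine if deliberate but worth a one-line comment in the commit message.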
diff --git a/fast/stages/0-bootstrap/data/custom-roles/gcve_network_admin.yaml b/fast/stages/0-bootstrap/data/custom-roles/gcve_network_admin.yaml index 255ac781e1..5cc40f6a68 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/gcve_network_admin.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/gcve_network_admin.yaml @@ -12,6 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json + name: gcveNetworkAdmin includedPermissions: - vmwareengine.networkPeerings.create diff --git a/fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_admin.yaml b/fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_admin.yaml index eb78791ac6..e54e45f9ba 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_admin.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_admin.yaml @@ -12,6 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json + name: networkFirewallPoliciesAdmin includedPermissions: - compute.networks.setFirewallPolicy diff --git a/fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_admin.yaml b/fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_admin.yaml index 3c54a58346..b9e9cb10eb 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_admin.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_admin.yaml @@ -12,6 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json + name: ngfwEnterpriseAdmin includedPermissions: - networksecurity.firewallEndpoints.create 
diff --git a/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml index d20ca2f7d8..ee99b093cf 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml @@ -12,7 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json # this is used by the plan-only admin SA + name: organizationAdminViewer includedPermissions: - essentialcontacts.contacts.get diff --git a/fast/stages/0-bootstrap/data/custom-roles/organization_iam_admin.yaml b/fast/stages/0-bootstrap/data/custom-roles/organization_iam_admin.yaml index 9ce8ac5c0e..880c1334f0 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/organization_iam_admin.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/organization_iam_admin.yaml @@ -12,7 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json # this is needed for use in additive IAM bindings, to avoid conflicts + name: organizationIamAdmin includedPermissions: - resourcemanager.organizations.get diff --git a/fast/stages/0-bootstrap/data/custom-roles/service_project_network_admin.yaml b/fast/stages/0-bootstrap/data/custom-roles/service_project_network_admin.yaml index a0eaf9b3b9..2651911950 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/service_project_network_admin.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/service_project_network_admin.yaml 
@@ -12,6 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json + name: serviceProjectNetworkAdmin includedPermissions: - compute.globalOperations.get diff --git a/fast/stages/0-bootstrap/data/custom-roles/storage_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/storage_viewer.yaml index 4ee33ca7be..e5ebf4ee76 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/storage_viewer.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/storage_viewer.yaml @@ -12,7 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json # the following permissions are a descoped version of storage.admin + name: storageViewer includedPermissions: - storage.buckets.get diff --git a/fast/stages/0-bootstrap/data/custom-roles/tag_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/tag_viewer.yaml index 756d0e9354..1362e577e0 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/tag_viewer.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/tag_viewer.yaml @@ -12,7 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json # the following permissions are a descoped version of tagAdm + name: tagViewer includedPermissions: - resourcemanager.tagHolds.list diff --git a/fast/stages/0-bootstrap/data/custom-roles/tenant_network_admin.yaml b/fast/stages/0-bootstrap/data/custom-roles/tenant_network_admin.yaml index 9d1e02822f..40a0081789 100644 --- a/fast/stages/0-bootstrap/data/custom-roles/tenant_network_admin.yaml +++ b/fast/stages/0-bootstrap/data/custom-roles/tenant_network_admin.yaml 
@@ -12,6 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json + name: tenantNetworkAdmin includedPermissions: - compute.globalOperations.get diff --git a/fast/stages/0-bootstrap/data/org-policies/compute.yaml b/fast/stages/0-bootstrap/data/org-policies/compute.yaml index 98fa6c6512..69f4453ce7 100644 --- a/fast/stages/0-bootstrap/data/org-policies/compute.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/compute.yaml @@ -1,10 +1,22 @@ -# skip boilerplate check +# Copyright 2024 Google LLC # -# sample subset of useful organization policies, edit to suit requirements +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. --- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. +# sample subset of useful organization policies, edit to suit requirements +# start of document (---) avoids errors if the file only contains comments + +# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json compute.disableGuestAttributesAccess: rules: diff --git a/fast/stages/0-bootstrap/data/org-policies/gcp.yaml b/fast/stages/0-bootstrap/data/org-policies/gcp.yaml index bef5629c52..96df60ca06 100644 --- a/fast/stages/0-bootstrap/data/org-policies/gcp.yaml 
+++ b/fast/stages/0-bootstrap/data/org-policies/gcp.yaml @@ -13,8 +13,10 @@ # limitations under the License. --- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. +# sample subset of useful organization policies, edit to suit requirements +# start of document (---) avoids errors if the file only contains comments + +# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json # gcp.resourceLocations: # rules: diff --git a/fast/stages/0-bootstrap/data/org-policies/iam.yaml b/fast/stages/0-bootstrap/data/org-policies/iam.yaml index 59f7784fec..7b39b926c3 100644 --- a/fast/stages/0-bootstrap/data/org-policies/iam.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/iam.yaml 
@@ -1,10 +1,22 @@ -# skip boilerplate check +# Copyright 2024 Google LLC # -# sample subset of useful organization policies, edit to suit requirements +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. --- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. +# sample subset of useful organization policies, edit to suit requirements +# start of document (---) avoids errors if the file only contains comments + +# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json iam.automaticIamGrantsForDefaultServiceAccounts: rules: diff --git a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml index b7c3dc2371..d504e588ed 100644 --- a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml 
@@ -1,10 +1,22 @@ -# skip boilerplate check +# Copyright 2024 Google LLC # -# sample subset of useful organization policies, edit to suit requirements +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. --- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. +# sample subset of useful organization policies, edit to suit requirements +# start of document (---) avoids errors if the file only contains comments + +# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json run.allowedIngress: rules: diff --git a/fast/stages/0-bootstrap/data/org-policies/sql.yaml b/fast/stages/0-bootstrap/data/org-policies/sql.yaml index de2731a038..f52a532a7a 100644 --- a/fast/stages/0-bootstrap/data/org-policies/sql.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/sql.yaml 
@@ -1,10 +1,22 @@ -# skip boilerplate check +# Copyright 2024 Google LLC # -# sample subset of useful organization policies, edit to suit requirements +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. --- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. +# sample subset of useful organization policies, edit to suit requirements +# start of document (---) avoids errors if the file only contains comments + +# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json sql.restrictAuthorizedNetworks: rules: diff --git a/fast/stages/0-bootstrap/data/org-policies/storage.yaml b/fast/stages/0-bootstrap/data/org-policies/storage.yaml index 64873dacf7..dc9b5bf74f 100644 --- a/fast/stages/0-bootstrap/data/org-policies/storage.yaml +++ b/fast/stages/0-bootstrap/data/org-policies/storage.yaml 
@@ -1,10 +1,22 @@ -# skip boilerplate check +# Copyright 2024 Google LLC # -# sample subset of useful organization policies, edit to suit requirements +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. --- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. +# sample subset of useful organization policies, edit to suit requirements +# start of document (---) avoids errors if the file only contains comments + +# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json storage.uniformBucketLevelAccess: rules: diff --git a/modules/organization/README.md b/modules/organization/README.md index 44bafc948b..e94bd64354 100644 --- a/modules/organization/README.md +++ b/modules/organization/README.md @@ -190,12 +190,6 @@ module "org" { ``` ```yaml -# tftest-file id=gke path=configs/custom-constraints/gke.yaml - ---- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. - custom.gkeEnableLogging: resource_types: - container.googleapis.com/Cluster 
@@ -214,15 +208,11 @@ custom.gkeEnableAutoUpgrade: action_type: ALLOW display_name: Enable node auto-upgrade description: All node pools must have node auto-upgrade enabled. + +# tftest-file id=gke path=configs/custom-constraints/gke.yaml ``` ```yaml -# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml - ---- -# Terraform will be unable to decode this file if it does not contain valid YAML -# You can retain `---` (start of the document) to indicate an empty document. - custom.dataprocNoMoreThan10Workers: resource_types: - dataproc.googleapis.com/Cluster @@ -233,6 +223,8 @@ custom.dataprocNoMoreThan10Workers: action_type: DENY display_name: Total number of worker instances cannot be larger than 10 description: Cluster cannot have more than 10 workers, including primary and secondary workers. + +# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml ``` ## Hierarchical Firewall Policy Attachments diff --git a/modules/organization/schemas/custom-role.schema.json b/modules/organization/schemas/custom-role.schema.json new file mode 100644 index 0000000000..d7526482c6 --- /dev/null +++ b/modules/organization/schemas/custom-role.schema.json @@ -0,0 +1,18 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Custom Role", + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "type": "string" + }, + "includedPermissions": { + "type": "array", + "items": { + "type": "string", + "pattern": "^[a-zA-Z-]+\\.[a-zA-Z-]+\\.[a-zA-Z-]+$" + } + } + } +} \ No newline at end of file diff --git a/modules/organization/schemas/org-policies.schema.json b/modules/organization/schemas/org-policies.schema.json new file mode 100644 index 0000000000..7353ddfb2a --- /dev/null +++ b/modules/organization/schemas/org-policies.schema.json 
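Review bot: `custom-role.schema.json` declares `name` and `includedPermissions` but marks neither as required, so an empty document, or a role with no permissions at all, validates cleanly in the editor and only fails at plan/apply; add `"required": ["name", "includedPermissions"]` and `"minItems": 1` on the array. The item pattern `^[a-zA-Z-]+\\.[a-zA-Z-]+\\.[a-zA-Z-]+$` admits hyphens but no digits and no fourth segment; I cannot confirm from here that no Google Cloud permission uses either, so check it against the permissions reference before relying on the schema to catch typos, since a false rejection here would push people to ignore the check. `name` has no constraint at all; a pattern matching the custom role ID rules (presumably letters, digits, dots and underscores) would catch mistakes in what is a privilege-defining artifact.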
@@ -0,0 +1,73 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "Organization Policies",
+ "type": "object",
+ "additionalProperties": false,
+ "patternProperties": {
+ "^[a-z-]+\\.[a-zA-Z]+$": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "inherit_from_parent": {
+ "type": "boolean"
+ },
+ "reset": {
+ "type": "boolean"
+ },
+ "rules": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "allow": {
+ "$ref": "#/$defs/allow-deny"
+ },
+ "deny": {
+ "$ref": "#/$defs/allow-deny"
+ },
+ "enforce": {
+ "type": "boolean"
+ },
+ "condition": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "description": {
+ "type": "string"
+ },
+ "expression": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "title": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "$defs": {
+ "allow-deny": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "all": {
+ "type": "boolean"
+ },
+ "values": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/organization/schemas/org-policy-custom-constraint.schema.json b/modules/organization/schemas/org-policy-custom-constraint.schema.json
new file mode 100644
index 0000000000..fd7fc5c7f6
--- /dev/null
+++ b/modules/organization/schemas/org-policy-custom-constraint.schema.json
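Review bot: The key pattern `"^[a-z-]+\\.[a-zA-Z]+$"` rejects constraint names containing digits or underscores, yet this same commit's README example `custom.dataprocNoMoreThan10Workers` is exactly such a name, so a policy enforcing it (which would use the same key) is flagged as invalid under `additionalProperties: false`. Widen the second segment: `"^[a-z-]+\\.[a-zA-Z0-9_]+$"`. A rule object with none of `allow`, `deny` or `enforce` also validates, as does a constraint entry with no `rules` and no `reset`; `"minProperties": 1` on the rule items (and, if the module treats `allow`/`deny`/`enforce` as mutually exclusive, a `oneOf` over them) would let the editor catch a policy that is silently empty. `$defs` is a 2019-09 keyword; under the declared draft-07 dialect it is just an unknown keyword and the `$ref` only resolves because it is a plain JSON pointer, which works in common validators but `definitions` is the draft-07 spelling.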
@@ -0,0 +1,42 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "Organization Policy Custom Constraints",
+ "type": "object",
+ "additionalProperties": false,
+ "patternProperties": {
+ "^[a-z-]+\\.[a-zA-Z]+$": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "action_type",
+ "condition"
+ ],
+ "properties": {
+ "display_name": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "action_type": {
+ "type": "string"
+ },
+ "condition": {
+ "type": "string"
+ },
+ "method_types": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "resource_types": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/project/README.md b/modules/project/README.md
index c91cea85cb..2a51aa7a31 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -188,10 +188,10 @@ The `service_agents` output provides a convenient way to access information abou The complete list of Google Cloud service agents, including their names, default roles, and associated APIs, is maintained in the [service-agents.yaml](./service-agents.yaml) file. This file is regularly updated to reflect the [official list of Google Cloud service agents](https://cloud.google.com/iam/docs/service-agents) using the [`build_service_agents`](../../tools/build_service_agents.py) script. - #### Service Agent Aliases Consider the code below: + ```hcl module "project" { source = "./fabric/modules/project"
@@ -209,6 +209,7 @@ module "project" { ``` The `service_agents` output for this snippet would look similar to this: + ```tfvars service_agents = { "artifactregistry" = {
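Review bot: `action_type` is an unconstrained string, while the README examples in this commit only ever use `ALLOW` and `DENY`; make it `"enum": ["ALLOW", "DENY"]` so a typo such as `allow` or `Deny` is caught in the editor rather than at apply, because for a constraint meant to block resources a malformed action is a policy gap rather than a cosmetic error. The key pattern `"^[a-z-]+\\.[a-zA-Z]+$"` has no digits, so this commit's own README example `custom.dataprocNoMoreThan10Workers` fails validation under `additionalProperties: false`; if the module always expects the `custom.` prefix shown in both examples, `"^custom\\.[a-zA-Z0-9_]+$"` is the tighter fix. `resource_types` is optional here although both examples set it and the API presumably needs at least one, so consider adding it to `required` with `"minItems": 1`; `method_types` could likewise become an enum of the supported method names, which I cannot confirm from this hunk.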