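# Lab/demo project created through the project-factory module.
#
# random_project_id appends a random suffix to the project ID so repeated
# applies do not collide on the globally-unique ID.
# default_service_account = "deprivilege" asks the module to remove the
# Compute Engine default service account's project-wide Editor role (per the
# project-factory docs). Note that the IAM bindings further down in this file
# grant roles back to a service account in this project, so read both together.
#
# NOTE(review): the module source has no `version` pin, so `terraform init`
# fetches whatever the registry currently serves; pin a version (or a
# version range) so upgrades are deliberate and reproducible.
module "project" {
  source = "terraform-google-modules/project-factory/google"

  name              = var.project_name
  org_id            = var.organization_id
  billing_account   = var.billing_account
  random_project_id = true

  # Strip the primitive Editor role from the Compute Engine default SA.
  default_service_account = "deprivilege"

  # APIs enabled on the new project. Each API is listed exactly once;
  # clouddeploy.googleapis.com had been listed twice.
  activate_apis = [
    "compute.googleapis.com",
    "container.googleapis.com",
    "sourcerepo.googleapis.com",
    "clouddeploy.googleapis.com",
    "artifactregistry.googleapis.com",
    "cloudresourcemanager.googleapis.com",
  ]
}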
# Project-level org policy for the boolean constraint compute.requireOsLogin.
# enforce = false means OS Login is NOT required for VMs in this project.
#
# NOTE(review): this relaxes a common organisation-level guardrail. If the
# parent org/folder enforces the constraint, this block is an explicit
# project-scoped exception and should be justified (and ideally time-boxed);
# if the parent does not enforce it, the block is a no-op and can be dropped.
module "org-policy-requireOsLogin" {
  source = "terraform-google-modules/org-policy/google"

  project_id  = module.project.project_id
  policy_for  = "project"
  policy_type = "boolean"
  constraint  = "compute.requireOsLogin"
  enforce     = false
}
# Project-level org policy for the boolean constraint compute.requireShieldedVm.
# enforce = false means VMs in this project are NOT required to be Shielded
# VMs (secure boot / vTPM / integrity monitoring are optional).
#
# NOTE(review): like the OS Login override above, this is a security
# relaxation at project scope; keep it only if something in this lab really
# needs non-Shielded images, and document what that is.
module "org-policy-requireShieldedVm" {
  source = "terraform-google-modules/org-policy/google"

  project_id  = module.project.project_id
  policy_for  = "project"
  policy_type = "boolean"
  constraint  = "compute.requireShieldedVm"
  enforce     = false
}
# Project-level org policy for the list constraint compute.vmCanIpForward.
#
# NOTE(review): for list constraints the org-policy module documents
# enforce = false as an "allow all" policy, i.e. any VM in this project may
# enable IP forwarding — confirm against the module version in use. If only
# specific instances need it, prefer the module's allow-list input over a
# blanket allow.
module "org-policy-vmCanIpForward" {
  source = "terraform-google-modules/org-policy/google"

  project_id  = module.project.project_id
  policy_for  = "project"
  policy_type = "list"
  constraint  = "compute.vmCanIpForward"
  enforce     = false
}
# Project-level org policy for the list constraint compute.vmExternalIpAccess.
#
# NOTE(review): with enforce = false on a list constraint the org-policy
# module produces an "allow all" policy (per its docs — confirm), so every
# VM in this project may be given a public IP. If that is only needed for a
# handful of instances, use the module's allow-list input instead; otherwise
# document why the project needs unrestricted external IPs.
module "org-policy-vmExternalIpAccess" {
  source = "terraform-google-modules/org-policy/google"

  project_id  = module.project.project_id
  policy_for  = "project"
  policy_type = "list"
  constraint  = "compute.vmExternalIpAccess"
  enforce     = false
}
# Project-level org policy for the list constraint compute.restrictVpcPeering.
#
# NOTE(review): enforce = false on a list constraint is documented by the
# org-policy module as "allow all" (confirm for the pinned version), meaning
# networks in this project may peer with any VPC. If peering is only needed
# to known networks, list them via the module's allow-list input rather than
# allowing all.
module "org-policy-restrictVpcPeering" {
  source = "terraform-google-modules/org-policy/google"

  project_id  = module.project.project_id
  policy_for  = "project"
  policy_type = "list"
  constraint  = "compute.restrictVpcPeering"
  enforce     = false
}
# Project-level IAM grants for the CI/CD service accounts.
# mode = "additive" means these bindings are merged with whatever else holds
# the role, rather than replacing existing members.
#
# NOTE(review): the second member string appears to have been mangled by the
# page's e-mail obfuscation ("[email protected]"); given the
# `${project_number}` prefix it is presumably the Compute Engine default SA
# (`<project_number>-compute@developer.gserviceaccount.com`) — restore the
# real address from the repository before applying.
#
# NOTE(review): granting roles/editor to that account re-privileges exactly
# what `default_service_account = "deprivilege"` on the project module
# removed. Editor is a primitive role; the Cloud Deploy execution SA normally
# needs only clouddeploy.jobRunner plus the target-specific role (e.g.
# container.developer for GKE) — confirm against the pipeline's actual needs
# and scope the grant down. Likewise, roles/clouddeploy.admin for the Cloud
# Build SA is broader than roles/clouddeploy.releaser, which is enough to
# create releases/rollouts; keep admin only if the build also manages
# pipelines and targets.
module "project-iam-bindings" {
  source = "terraform-google-modules/iam/google//modules/projects_iam"

  mode     = "additive"
  projects = [module.project.project_id]

  bindings = {
    # Cloud Build SA: drives Cloud Deploy.
    "roles/clouddeploy.admin" = [
      "serviceAccount:${module.project.project_number}@cloudbuild.gserviceaccount.com",
    ]
    # Execution SA (see note above about the mangled address).
    "roles/editor" = [
      "serviceAccount:${module.project.project_number}[email protected]",
    ]
  }
}
# Lets the Cloud Build SA act as the execution service account
# (roles/iam.serviceAccountUser), which Cloud Deploy requires when a build
# creates releases that run under that SA.
#
# NOTE(review): google_service_account_iam_binding is AUTHORITATIVE for the
# role on this SA — any other principal that holds serviceAccountUser on it
# will be removed on apply. That is at odds with the "additive" style used
# for the project bindings above; google_service_account_iam_member would be
# the non-authoritative equivalent (changing the resource type changes its
# state address, so plan a state move if you switch).
#
# NOTE(review): combined with the roles/editor grant above, this binding
# means any principal that can run a build as the Cloud Build SA can act as
# an Editor-holding service account — i.e. build triggers are effectively an
# Editor-level entry point for this project. The SA e-mail in
# service_account_id also looks obfuscated by the page renderer
# ("[email protected]"); restore the real address before applying.
resource "google_service_account_iam_binding" "cloudbuild-clouddeploy" {
  role               = "roles/iam.serviceAccountUser"
  service_account_id = "projects/${module.project.project_id}/serviceAccounts/${module.project.project_number}[email protected]"

  members = [
    "serviceAccount:${module.project.project_number}@cloudbuild.gserviceaccount.com",
  ]
}