diff --git a/Makefile b/Makefile
index 53cd1bfd..3827bf20 100644
--- a/Makefile
+++ b/Makefile
@@ -15,7 +15,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.10.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.12.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
diff --git a/README.md b/README.md
index 2ade5853..eeee6fb1 100644
--- a/README.md
+++ b/README.md
@@ -47,16 +47,19 @@ Functional examples are included in the
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | admins | IAM-style members who will be granted roles/storage.objectAdmin on all buckets. | list(string) | `` | no |
-| bucket\_admins | Map of lowercase unprefixed name => comma-delimited IAM-style bucket admins. | map | `` | no |
-| bucket\_creators | Map of lowercase unprefixed name => comma-delimited IAM-style bucket creators. | map | `` | no |
-| bucket\_policy\_only | Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean | map | `` | no |
-| bucket\_viewers | Map of lowercase unprefixed name => comma-delimited IAM-style bucket viewers. | map | `` | no |
+| bucket\_admins | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket admins. | map(string) | `` | no |
+| bucket\_creators | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket creators. | map(string) | `` | no |
+| bucket\_hmac\_key\_admins | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket HMAC Key admins. | map(string) | `` | no |
+| bucket\_policy\_only | Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean | map(bool) | `` | no |
+| bucket\_storage\_admins | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket storage admins. | map(string) | `` | no |
+| bucket\_viewers | Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket viewers. | map(string) | `` | no |
 | cors | Map of maps of mixed type attributes for CORS values. See appropriate attribute types here: https://www.terraform.io/docs/providers/google/r/storage_bucket.html#cors | any | `` | no |
 | creators | IAM-style members who will be granted roles/storage.objectCreators on all buckets. | list(string) | `` | no |
-| encryption\_key\_names | Optional map of lowercase unprefixed name => string, empty strings are ignored. | map | `` | no |
-| folders | Map of lowercase unprefixed name => list of top level folder objects. | map | `` | no |
-| force\_destroy | Optional map of lowercase unprefixed name => boolean, defaults to false. | map | `` | no |
-| labels | Labels to be attached to the buckets | map | `` | no |
+| encryption\_key\_names | Optional map of lowercase unprefixed name => string, empty strings are ignored. | map(string) | `` | no |
+| folders | Map of lowercase unprefixed name => list of top level folder objects. | map(list(string)) | `` | no |
+| force\_destroy | Optional map of lowercase unprefixed name => boolean, defaults to false. | map(bool) | `` | no |
+| hmac\_key\_admins | IAM-style members who will be granted roles/storage.hmacKeyAdmin on all buckets. | list(string) | `` | no |
+| labels | Labels to be attached to the buckets | map(string) | `` | no |
 | lifecycle\_rules | List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches_storage_class should be a comma delimited string. | object | `` | no |
 | location | Bucket location. | string | `"EU"` | no |
 | names | Bucket name suffixes. | list(string) | n/a | yes |
@@ -64,9 +67,12 @@ Functional examples are included in the
 | project\_id | Bucket project id. | string | n/a | yes |
 | set\_admin\_roles | Grant roles/storage.objectAdmin role to admins and bucket_admins. | bool | `"false"` | no |
 | set\_creator\_roles | Grant roles/storage.objectCreator role to creators and bucket_creators. | bool | `"false"` | no |
+| set\_hmac\_key\_admin\_roles | Grant roles/storage.hmacKeyAdmin role to hmac_key_admins and bucket_hmac_key_admins. | bool | `"false"` | no |
+| set\_storage\_admin\_roles | Grant roles/storage.admin role to storage_admins and bucket_storage_admins. | bool | `"false"` | no |
 | set\_viewer\_roles | Grant roles/storage.objectViewer role to viewers and bucket_viewers. | bool | `"false"` | no |
+| storage\_admins | IAM-style members who will be granted roles/storage.admin on all buckets. | list(string) | `` | no |
 | storage\_class | Bucket storage class. | string | `"MULTI_REGIONAL"` | no |
-| versioning | Optional map of lowercase unprefixed name => boolean, defaults to false. | map | `` | no |
+| versioning | Optional map of lowercase unprefixed name => boolean, defaults to false. | map(bool) | `` | no |
 | viewers | IAM-style members who will be granted roles/storage.objectViewer on all buckets. | list(string) | `` | no |
 | website | Map of website values. Supported attributes: main_page_suffix, not_found_page | any | `` | no |
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 5d08b39e..f290d730 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -41,4 +41,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.11.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.12.0'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
index 565b7377..626bf126 100644
--- a/build/lint.cloudbuild.yaml
+++ b/build/lint.cloudbuild.yaml
@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.11.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.12.0'
diff --git a/main.tf b/main.tf
index 1a6b2a8f..9c44eb8d 100644
--- a/main.tf
+++ b/main.tf
@@ -152,6 +152,36 @@ resource "google_storage_bucket_iam_binding" "viewers" {
     )
   }
+resource "google_storage_bucket_iam_binding" "hmac_key_admins" {
+  for_each = var.set_hmac_key_admin_roles ? local.names_set : toset([])
+  bucket = google_storage_bucket.buckets[each.key].name
+  role = "roles/storage.hmacKeyAdmin"
+  members = compact(
+    concat(
+      var.hmac_key_admins,
+      split(
+        ",",
+        lookup(var.bucket_hmac_key_admins, each.key, ""),
+      ),
+    ),
+  )
+}
+
+resource "google_storage_bucket_iam_binding" "storage_admins" {
+  for_each = var.set_storage_admin_roles ? local.names_set : toset([])
+  bucket = google_storage_bucket.buckets[each.value].name
+  role = "roles/storage.admin"
+  members = compact(
+    concat(
+      var.storage_admins,
+      split(
+        ",",
+        lookup(var.bucket_storage_admins, each.value, ""),
+      ),
+    ),
+  )
+}
+
 resource "google_storage_bucket_object" "folders" {
   for_each = { for obj in local.folder_list : "${obj.bucket}_${obj.folder}" => obj }
   bucket = google_storage_bucket.buckets[each.value.bucket].name
diff --git a/test/setup/main.tf b/test/setup/main.tf
index de5cbf0e..bcee5731 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -24,7 +24,10 @@ module "project" {
   folder_id = var.folder_id
   billing_account = var.billing_account
+  skip_gcloud_download = true
+
   activate_apis = [
+    "iam.googleapis.com",
     "storage-api.googleapis.com",
     "cloudresourcemanager.googleapis.com",
     "compute.googleapis.com",
diff --git a/variables.tf b/variables.tf
index da6571a5..2a9a89e2 100644
--- a/variables.tf
+++ b/variables.tf
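Review bot: The new `storage_admins` binding grants `roles/storage.admin`, which unlike the object-level roles the existing bindings use also carries bucket configuration and bucket IAM (setIamPolicy) permissions, and `google_storage_bucket_iam_binding` is authoritative for its role: once `set_storage_admin_roles` is true every bucket in `local.names_set` gets this binding, any `roles/storage.admin` members granted outside the module are removed on the next apply, and for a bucket named in neither `var.storage_admins` nor the per-bucket map `members` is an empty list, which presumably clears the role entirely — worth confirming how the provider handles that. The pattern is inherited from the existing bindings, but given the privilege level this resource deserves a comment such as `# Authoritative: replaces all roles/storage.admin members on each bucket (includes bucket IAM control).`, and the same caveat belongs in the `set_storage_admin_roles` description in the variables.tf hunk. The `hmac_key_admins` resource indexes with `each.key` while `storage_admins` uses `each.value`; with a `toset()` for_each they are equal, so pick one for consistency. HMAC keys are project-scoped rather than bucket-scoped, so whether the API accepts a bucket-level binding of `roles/storage.hmacKeyAdmin` is worth verifying with an apply before release.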
@@ -43,25 +43,25 @@ variable "storage_class" {
 variable "force_destroy" {
   description = "Optional map of lowercase unprefixed name => boolean, defaults to false."
-  type = map
+  type = map(bool)
   default = {}
 }
 variable "versioning" {
   description = "Optional map of lowercase unprefixed name => boolean, defaults to false."
-  type = map
+  type = map(bool)
   default = {}
 }
 variable "encryption_key_names" {
   description = "Optional map of lowercase unprefixed name => string, empty strings are ignored."
-  type = map
+  type = map(string)
   default = {}
 }
 variable "bucket_policy_only" {
   description = "Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean"
-  type = map
+  type = map(bool)
   default = {}
 }
@@ -83,33 +83,57 @@ variable "viewers" {
   default = []
 }
+variable "hmac_key_admins" {
+  description = "IAM-style members who will be granted roles/storage.hmacKeyAdmin on all buckets."
+  type = list(string)
+  default = []
+}
+
+variable "storage_admins" {
+  description = "IAM-style members who will be granted roles/storage.admin on all buckets."
+  type = list(string)
+  default = []
+}
+
 variable "bucket_admins" {
-  description = "Map of lowercase unprefixed name => comma-delimited IAM-style bucket admins."
-  type = map
+  description = "Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket admins."
+  type = map(string)
   default = {}
 }
 variable "bucket_creators" {
-  description = "Map of lowercase unprefixed name => comma-delimited IAM-style bucket creators."
-  type = map
+  description = "Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket creators."
+  type = map(string)
   default = {}
 }
 variable "bucket_viewers" {
-  description = "Map of lowercase unprefixed name => comma-delimited IAM-style bucket viewers."
-  type = map
+  description = "Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket viewers."
+  type = map(string)
+  default = {}
+}
+
+variable "bucket_hmac_key_admins" {
+  description = "Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket HMAC Key admins."
+  type = map(string)
+  default = {}
+}
+
+variable "bucket_storage_admins" {
+  description = "Map of lowercase unprefixed name => comma-delimited IAM-style per-bucket storage admins."
+  type = map(string)
   default = {}
 }
 variable "labels" {
   description = "Labels to be attached to the buckets"
-  type = map
+  type = map(string)
   default = {}
 }
 variable "folders" {
   description = "Map of lowercase unprefixed name => list of top level folder objects."
-  type = map
+  type = map(list(string))
   default = {}
 }
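Review bot: The new `bucket_hmac_key_admins` and `bucket_storage_admins` variables are typed `map(string)` holding comma-delimited member lists, while the same hunk types `folders` as `map(list(string))`; for brand-new inputs a `map(list(string))` would let Terraform validate each member individually and drop the `split`/`compact` handling in main.tf, though the existing `bucket_*` maps must keep their string form for compatibility, so this is a style choice to make deliberately rather than by copy. Whichever form stays, the descriptions should say that empty entries are tolerated, since main.tf passes the split result through `compact()`. The `storage_admins` description also understates what it grants; suggest `description = "IAM-style members who will be granted roles/storage.admin (full bucket control, including bucket IAM) on all buckets."` so callers can tell it apart from the object-level roles above it.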
@@ -133,6 +157,18 @@ variable "set_viewer_roles" {
   default = false
 }
+variable "set_hmac_key_admin_roles" {
+  description = "Grant roles/storage.hmacKeyAdmin role to hmac_key_admins and bucket_hmac_key_admins."
+  type = bool
+  default = false
+}
+
+variable "set_storage_admin_roles" {
+  description = "Grant roles/storage.admin role to storage_admins and bucket_storage_admins."
+  type = bool
+  default = false
+}
+
 variable "lifecycle_rules" {
   type = set(object({
     # Object with keys: