feat: remove default SA editor role from Seed and CICD projects (#896)

* remove Editor from Seed and CICD projects * code review fixes * Apply suggestions from code review Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
terraform-google-modules · Dec 7, 2022 · 465d3dd · 465d3dd
1 parent 8bd7d14
commit 465d3dd
Show file tree

Hide file tree

Showing 4 changed files with 129 additions and 0 deletions.
diff --git a/0-bootstrap/modules/parent-iam-remove-role/main.tf b/0-bootstrap/modules/parent-iam-remove-role/main.tf
@@ -0,0 +1,45 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  org_id     = var.parent_type == "organization" ? var.parent_id : ""
+  folder_id  = var.parent_type == "folder" ? var.parent_id : ""
+  project_id = var.parent_type == "project" ? var.parent_id : ""
+}
+
+resource "google_organization_iam_binding" "iam_remove" {
+  for_each = toset(var.parent_type == "organization" ? var.roles : [])
+
+  org_id  = local.org_id
+  role    = each.key
+  members = []
+}
+
+resource "google_folder_iam_binding" "iam_remove" {
+  for_each = toset(var.parent_type == "folder" ? var.roles : [])
+
+  folder  = local.folder_id
+  role    = each.key
+  members = []
+}
+
+resource "google_project_iam_binding" "iam_remove" {
+  for_each = toset(var.parent_type == "project" ? var.roles : [])
+
+  project = local.project_id
+  role    = each.key
+  members = []
+}
diff --git a/0-bootstrap/modules/parent-iam-remove-role/variables.tf b/0-bootstrap/modules/parent-iam-remove-role/variables.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "parent_type" {
+  description = "Type of the parent resource. valid values are `organization`, `folder`, and `project`."
+  type        = string
+
+  validation {
+    condition     = contains(["organization", "folder", "project"], var.parent_type)
+    error_message = "For parent_type only `organization`, `folder`, and `project` are valid."
+  }
+}
+
+variable "parent_id" {
+  description = "ID of the parent resource."
+  type        = string
+}
+
+variable "roles" {
+  description = "Roles to remove all members in the parent resource."
+  type        = list(string)
+}
diff --git a/0-bootstrap/modules/parent-iam-remove-role/versions.tf b/0-bootstrap/modules/parent-iam-remove-role/versions.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.77"
+    }
+  }
+}
diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
@@ -126,6 +126,11 @@ locals {
       "roles/dns.admin",
     ],
   }
+
+  bootstrap_projects = {
+    "seed" = module.seed_bootstrap.seed_project_id,
+    "cicd" = local.cicd_project_id,
+  }
 }
 
 resource "google_service_account" "terraform-env-sa" {
@@ -176,6 +181,25 @@ module "cicd_project_iam_member" {
   roles       = each.value
 }
 
+// When the bootstrap projects are created, the Compute Engine
+// default service account is disabled but it still has the Editor
+// role associated with the service account. This default SA is the
+// only member with the editor role.
+// This module will remove all editors from both projects.
+module "bootstrap_projects_remove_editor" {
+  source   = "./modules/parent-iam-remove-role"
+  for_each = local.bootstrap_projects
+
+  parent_type = "project"
+  parent_id   = each.value
+  roles       = ["roles/editor"]
+
+  depends_on = [
+    module.seed_project_iam_member,
+    module.cicd_project_iam_member
+  ]
+}
+
 resource "google_billing_account_iam_member" "tf_billing_user" {
   for_each = local.granular_sa