From d63902233d7e1be0f748b165be76d3c4f68d27c5 Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Wed, 11 Sep 2024 14:32:46 -0500
Subject: [PATCH] fix: Removed Privileged Access Manager(PAM) sub-module (#226)
---
 README.md | 33 ++-----
 examples/privileged_access_manager/README.md | 16 ----
 examples/privileged_access_manager/main.tf | 39 ---------
 .../privileged_access_manager/variables.tf | 20 -----
 modules/privileged_access_manager/README.md | 56 ------------
 modules/privileged_access_manager/main.tf | 77 ----------------
 modules/privileged_access_manager/outputs.tf | 20 -----
 .../privileged_access_manager/variables.tf | 87 -------------------
 modules/privileged_access_manager/versions.tf | 34 --------
 9 files changed, 7 insertions(+), 375 deletions(-)
 delete mode 100644 examples/privileged_access_manager/README.md
 delete mode 100644 examples/privileged_access_manager/main.tf
 delete mode 100644 examples/privileged_access_manager/variables.tf
 delete mode 100644 modules/privileged_access_manager/README.md
 delete mode 100644 modules/privileged_access_manager/main.tf
 delete mode 100644 modules/privileged_access_manager/outputs.tf
 delete mode 100644 modules/privileged_access_manager/variables.tf
 delete mode 100644 modules/privileged_access_manager/versions.tf
diff --git a/README.md b/README.md
index 4750788a..3eb20f33 100644
--- a/README.md
+++ b/README.md
@@ -21,13 +21,10 @@ This is a collection of submodules that make it easier to non-destructively mana
 * [Subnets IAM](modules/subnets_iam)
 * [Tag Keys IAM](modules/tag_keys_iam)
 * [Tag Values IAM](modules/tag_values_iam)
+* [Secure Source Manager](modules/secure_source_manager_iam)
 ## Compatibility
-This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
- If you haven't
-[upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform
-0.12.x-compatible version of this module, the last released version
-intended for Terraform 0.12.x is [v6.4.1](https://registry.terraform.io/modules/terraform-google-modules/-iam/google/v6.4.1).
+This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue.
 ## Upgrading
@@ -44,7 +41,7 @@ Full examples are in the [examples](./examples/) folder, but basic usage is as f
 ```hcl
 module "projects_iam_bindings" {
 source = "terraform-google-modules/iam/google//modules/projects_iam"
- version = "~> 7.7"
+ version = "~> 8.0"
 projects = ["project-123456", "project-9876543"]
@@ -129,6 +126,7 @@ You can choose the following resource types to apply the IAM bindings:
 - Kms Crypto Keys (`kms_crypto_keys` variable)
 - Secret Manager Secrets (`secrets` variable)
 - DNS Zones (`managed_zones` variable)
+- Secure Source Manager (`entity_ids` and `location` variable)
 Set the specified variable on the module call to choose the resources to affect. Remember to set the `mode` [variable](#additive-and-authoritative-modes) and give enough [permissions](#permissions) to manage the selected resource as well. Note that the `bindings` variable accepts an empty map `{}` passed in as an argument in the case that resources don't have IAM bindings to apply.
@@ -199,30 +197,13 @@ In order to execute a submodule you must have a Service Account with an appropri
 ### Terraform
-Be sure you have the correct Terraform version (0.12), you can choose the binary here:
-- https://releases.hashicorp.com/terraform/
+Be sure you have the correct Terraform version >= 1.3
 ### Terraform plugins
 Be sure you have the compiled plugins on $HOME/.terraform.d/plugins/
-- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) 1.20.0
-- [terraform-provider-google-beta](https://github.com/terraform-providers/terraform-provider-google-beta) 1.20.0
+- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) >= 5.37
+- [terraform-provider-google-beta](https://github.com/terraform-providers/terraform-provider-google-beta) >= 5.37
 See each plugin page for more information about how to compile and use them.
-
-## Fast install (optional)
-
-For a fast install, please configure the variables on init_centos.sh or init_debian.sh script and then launch it.
-
-The script will do:
-- Environment variables setting
-- Installation of base packages like wget, curl, unzip, gcloud, etc.
-- Installation of go 1.9.0
-- Installation of Terraform 0.10.x
-- Download the terraform-provider-google plugin
-- Compile the terraform-provider-google plugin
-- Move the terraform-provider-google to the right location
-
-[v1.1.1]: https://registry.terraform.io/modules/terraform-google-modules/iam/google/1.1.1
-[terraform-0.12-upgrade]: https://www.terraform.io/upgrade-guides/0-12.html
diff --git a/examples/privileged_access_manager/README.md b/examples/privileged_access_manager/README.md
deleted file mode 100644
index 66fc4f17..00000000
--- a/examples/privileged_access_manager/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-# DNS ZOne Example
-
-This example illustrates how to use the `privileged_access_manager` submodule
-
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| project\_id | Project ID to create BigQuery resources in | `string` | n/a | yes |
-
-## Outputs
-
-No outputs.
-
-
diff --git a/examples/privileged_access_manager/main.tf b/examples/privileged_access_manager/main.tf
deleted file mode 100644
index 3baee768..00000000
--- a/examples/privileged_access_manager/main.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "entitlement" {
- source = "terraform-google-modules/iam/google//modules/privileged_access_manager"
- version = "~> 8.0"
-
- entitlement_id = "example-entitlement"
- parent_id = var.project_id
- parent_type = "project"
- entitlement_requesters = [
- "user:requester@example.com",
- ]
- entitlement_approvers = [
- "user:approver@example.com",
- ]
- role_bindings = [
- {
- role = "roles/storage.admin"
- condition_expression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"
- },
- {
- role = "roles/bigquery.admin"
- }
- ]
-}
diff --git a/examples/privileged_access_manager/variables.tf b/examples/privileged_access_manager/variables.tf
deleted file mode 100644
index 2cb7f68a..00000000
--- a/examples/privileged_access_manager/variables.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "project_id" {
- type = string
- description = "Project ID to create BigQuery resources in"
-}
diff --git a/modules/privileged_access_manager/README.md b/modules/privileged_access_manager/README.md
deleted file mode 100644
index 54d0fb7d..00000000
--- a/modules/privileged_access_manager/README.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# Module Privileged Access Manager
-
-This submodule is used to create privileged access manager entitlements
-
-## Example Usage
-```
-module "dns_zones_iam_binding" {
- source = "terraform-google-modules/iam/google//modules/dns_zones_iam"
- version = "~> 8.0"
-
- entitlement_id = "example-entitlement"
- parent_id = "parent-project-id"
- parent_type = "project"
- entitlement_requesters = [
- "group:test-grp-01-poc@imran.joonix.net"
- ]
- entitlement_approvers = [
- "user:abc@example.com"
- ]
- role_bindings = [
- {
- role = "roles/storage.admin"
- condition_expression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"
- },
- {
- role = "roles/bigquery.admin"
- }
- ]
-}
-```
-
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| entitlement\_approval\_notification\_recipients | List of email addresses to be notified when a request is granted | `list(string)` | `null` | no |
-| entitlement\_approvers | Required List of users, groups or service accounts who can approve this entitlement. Can be one or more of Google Account email, Google Group or Service account | `list(string)` | n/a | yes |
-| entitlement\_availability\_notification\_recipients | List of email addresses to be notified when a entitlement is created. These email addresses will receive an email about availability of the entitlement | `list(string)` | `null` | no |
-| entitlement\_id | The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters. This value should be unique among all other Entitlements under the specified parent | `string` | n/a | yes |
-| entitlement\_requesters | Required List of users, groups, service accounts or domains who can request grants using this entitlement. 
Can be one or more of Google Account email, Google Group, Service account, or Google Workspace domain | `list(string)` | n/a | yes |
-| location | The region of the Entitlement resource | `string` | `"global"` | no |
-| max\_request\_duration\_hours | The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more | `number` | `1` | no |
-| parent\_id | The ID of organization, folder, or project to create the entitlement in | `string` | n/a | yes |
-| parent\_type | Parent type. Can be organization, folder, or project to create the entitlement in | `string` | n/a | yes |
-| requester\_justification | If the requester is required to provide a justification | `bool` | `true` | no |
-| require\_approver\_justification | Do the approvers need to provide a justification for their actions | `bool` | `true` | no |
-| role\_bindings | The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more |
list(object({
role = string
condition_expression = optional(string)
}))
| n/a | yes |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| entitlement | Entitlement created |
-
-
diff --git a/modules/privileged_access_manager/main.tf b/modules/privileged_access_manager/main.tf
deleted file mode 100644
index f617c941..00000000
--- a/modules/privileged_access_manager/main.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- max_request_duration = var.max_request_duration_hours * 60 * 60
- role_bindings = { for x in var.role_bindings : x.role => x }
-}
-
-resource "google_privileged_access_manager_entitlement" "entitlement" {
- provider = google-beta
- entitlement_id = var.entitlement_id
- location = var.location
- max_request_duration = "${local.max_request_duration}s"
- parent = "${var.parent_type}s/${var.parent_id}"
-
- requester_justification_config {
- dynamic "unstructured" {
- for_each = var.requester_justification ? ["unstructured"] : []
- content {}
- }
- dynamic "not_mandatory" {
- for_each = !var.requester_justification ? 
["not_mandatory"] : []
- content {}
- }
- }
-
- eligible_users {
- principals = var.entitlement_requesters #Can request entitlement
- }
-
- additional_notification_targets {
- admin_email_recipients = var.entitlement_approval_notification_recipients #Notified when entitlement is approved
- requester_email_recipients = var.entitlement_availability_notification_recipients #Notified when entitlement is available
- }
-
- privileged_access {
- gcp_iam_access {
- resource = "//cloudresourcemanager.googleapis.com/${var.parent_type}s/${var.parent_id}"
- resource_type = "cloudresourcemanager.googleapis.com/${title(var.parent_type)}"
-
- dynamic "role_bindings" {
- for_each = local.role_bindings
- content {
- role = role_bindings.key
- condition_expression = role_bindings.value.condition_expression
- }
- }
- }
- }
-
- approval_workflow { # Only 1 approval_workflow is allowed
- manual_approvals { # Only 1 manual_approvals is allowed
- require_approver_justification = var.require_approver_justification
- # Only 1 step is allowed
- steps {
- approvals_needed = 1
- approver_email_recipients = var.entitlement_approval_notification_recipients
- approvers {
- principals = var.entitlement_approvers
- }
- }
- }
- }
-}
diff --git a/modules/privileged_access_manager/outputs.tf b/modules/privileged_access_manager/outputs.tf
deleted file mode 100644
index 1e6c81ca..00000000
--- a/modules/privileged_access_manager/outputs.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-output "entitlement" {
- value = google_privileged_access_manager_entitlement.entitlement
- description = "Entitlement created"
-}
diff --git a/modules/privileged_access_manager/variables.tf b/modules/privileged_access_manager/variables.tf
deleted file mode 100644
index 07c437c1..00000000
--- a/modules/privileged_access_manager/variables.tf
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "entitlement_id" {
- type = string
- description = "The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters. This value should be unique among all other Entitlements under the specified parent"
- validation {
- condition = can(regex("^[a-z][a-z0-9-]{3,62}$", var.entitlement_id))
- error_message = "ERROR: entitlement_id must contain only Letters(lowercase), number, hyphen and should be 4-63 characters"
- }
-}
-variable "location" {
- type = string
- description = "The region of the Entitlement resource"
- default = "global"
-}
-
-variable "parent_id" {
- type = string
- description = "The ID of organization, folder, or project to create the entitlement in"
-}
-
-variable "parent_type" {
- type = string
- description = "Parent type. 
Can be organization, folder, or project to create the entitlement in"
-}
-
-variable "requester_justification" {
- type = bool
- description = "If the requester is required to provide a justification"
- default = true
-}
-
-variable "require_approver_justification" {
- type = bool
- description = "Do the approvers need to provide a justification for their actions"
- default = true
-}
-
-variable "entitlement_requesters" {
- type = list(string)
- description = "Required List of users, groups, service accounts or domains who can request grants using this entitlement. Can be one or more of Google Account email, Google Group, Service account, or Google Workspace domain"
-}
-
-variable "entitlement_approvers" {
- type = list(string)
- description = "Required List of users, groups or service accounts who can approve this entitlement. Can be one or more of Google Account email, Google Group or Service account"
-}
-
-variable "entitlement_approval_notification_recipients" {
- type = list(string)
- description = "List of email addresses to be notified when a request is granted"
- default = null
-}
-
-variable "entitlement_availability_notification_recipients" {
- type = list(string)
- description = "List of email addresses to be notified when a entitlement is created. These email addresses will receive an email about availability of the entitlement"
- default = null
-}
-
-variable "max_request_duration_hours" {
- type = number
- description = "The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more"
- default = 1
-}
-
-variable "role_bindings" {
- type = list(object({
- role = string
- condition_expression = optional(string)
- }))
- description = "The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more"
-}
diff --git a/modules/privileged_access_manager/versions.tf b/modules/privileged_access_manager/versions.tf
deleted file mode 100644
index 7f90e3ec..00000000
--- a/modules/privileged_access_manager/versions.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_version = ">= 1.3"
- required_providers {
- google = {
- source = "hashicorp/google"
- version = ">= 5.28, < 7"
- }
- google-beta = {
- source = "hashicorp/google-beta"
- version = ">= 5.28, < 7"
- }
- }
-
- provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-iam:privileged_access_manager/v7.7.1"
- }
-
-}