GoogleCloudPlatform · umairidris · Apr 20, 2020 · Apr 20, 2020 · Apr 20, 2020 · Apr 20, 2020
diff --git a/Terraform/README.md b/Terraform/README.md
@@ -29,36 +29,20 @@ MyStudies application.
     in the G Suite Domain:
 
     -   {PREFIX}-org-admins@{DOMAIN}.com: This group has administrative access
-        to the entire org.
+        to the entire org. This group can be used in break-glass situations to
+        give humans access to the org to make changes.
 
     -   {PREFIX}-devops-owners@{DOMAIN}.com: This group has owners access to the
-        devops project.
-
-    -   {PREFIX}-audit-owners@{DOMAIN}.com: This group has owners access to the
-        audit project.
-
-    -   {PREFIX}-apps-owners@{DOMAIN}.com: This group has owners access to the
-        apps project.
-
-    -   {PREFIX}-data-owners@{DOMAIN}.com: This group has owners access to the
-        data project.
-
-    -   {PREFIX}-networks-owners@{DOMAIN}.com: This group has owners access to
-        the networks project.
-
-    -   {PREFIX}-firebase-owners@{DOMAIN}.com: This group has owners access to
-        the firebase project.
+        devops project to make changes to the CICD project or make changes to
+        the Terraform state.
 
     -   {PREFIX}-auditors@{DOMAIN}.com: This group has security reviewer
         (metadata viewer) access to the entire org, as well as viewer access to
         the audit logs BigQuery and Cloud Storage resources.
 
     WARNING: It is always recommended to use CICD to deploy changes to the
     infrastructure. The groups above should remain empty and only have humans
-    added for emergency break-glass situations or when debugging is required.
-    Always join the group that grants you access to the fewest number of
-    resources to do the job through a standardized approval process and revoke
-    access as soon as possible.
+    added for emergency situations or when investigation is required.
 
 ## Directory Structure
 

diff --git a/Terraform/cicd/main.tf b/Terraform/cicd/main.tf
@@ -49,26 +49,28 @@ locals {
   ]
   cloudbuild_sa_viewer_roles = [
     "roles/browser",
-    # Consider using viewer roles for individual services. But it is hard to know beforehand what
-    # services are used in each project.
-    "roles/viewer",
     "roles/iam.securityReviewer",
   ]
-  cloudbuild_sa_editor_roles = concat(local.cloudbuild_sa_viewer_roles, [
+  cloudbuild_sa_editor_roles = [
     "roles/billing.user",
+    "roles/logging.configWriter",
     "roles/orgpolicy.policyAdmin",
-    "roles/owner",
     "roles/resourcemanager.organizationAdmin",
     "roles/resourcemanager.folderCreator",
     "roles/resourcemanager.projectCreator",
-  ])
+  ]
+  cloudbuild_devops_roles = [
+    "roles/secretmanager.secretAccessor",
+    "roles/secretmanager.viewer",
+  ]
 }
 
 locals {
   # Covert "" and "/" to "." in case users use them to indicate root of the git repo.
   terraform_root = trim((var.terraform_root == "" || var.terraform_root == "/") ? "." : var.terraform_root, "/")
   # ./ to indicate root is not recognized by Cloud Build Trigger.
   terraform_root_prefix = local.terraform_root == "." ? "" : "${local.terraform_root}/"
+  cloud_build_sa        = "serviceAccount:${data.google_project.devops.number}@cloudbuild.gserviceaccount.com"
 }
 
 # Cloud Build - API
@@ -84,23 +86,31 @@ resource "google_project_service" "devops_apis" {
 resource "google_storage_bucket_iam_member" "cloudbuild_state_iam" {
   bucket = var.state_bucket
   role   = "roles/storage.objectViewer"
-  member = "serviceAccount:${data.google_project.devops.number}@cloudbuild.gserviceaccount.com"
+  member = local.cloud_build_sa
   depends_on = [
     google_project_service.devops_apis,
   ]
 }
 
 # Grant Cloud Build Service Account access to the organization.
-resource "google_organization_iam_member" "cloudbuild_sa_iam" {
+resource "google_organization_iam_member" "cloudbuild_sa_org_iam" {
   for_each = toset(var.continuous_deployment_enabled ? local.cloudbuild_sa_editor_roles : local.cloudbuild_sa_viewer_roles)
   org_id   = var.org_id
   role     = each.value
-  member   = "serviceAccount:${data.google_project.devops.number}@cloudbuild.gserviceaccount.com"
+  member   = local.cloud_build_sa
   depends_on = [
     google_project_service.devops_apis,
   ]
 }
 
+# Grant Cloud Build Service Account access to the devops project.
+resource "google_project_iam_member" "cloudbuild_sa_project_iam" {
+  for_each = toset(local.cloudbuild_devops_roles)
+  project  = var.devops_project_id
+  role     = each.key
+  member   = local.cloud_build_sa
+}
+
 # Cloud Build Triggers for CI.
 resource "google_cloudbuild_trigger" "validate" {
   disabled = ! var.trigger_enabled

diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/project/main.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/project/main.tf
@@ -36,10 +36,3 @@ module "project" {
   default_service_account = "keep"
   skip_gcloud_download    = true
 }
-
-# Project level IAM permissions for project owners.
-resource "google_project_iam_binding" "owners" {
-  project = module.project.project_id
-  role    = "roles/owner"
-  members = var.owners
-}
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/project/terraform.tfvars b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/project/terraform.tfvars
@@ -22,6 +22,3 @@ apis = [
   "servicenetworking.googleapis.com",
   "sqladmin.googleapis.com",
 ]
-owners = [
-  "group:rocketturtle-gcp-admin@rocketturtle.net",
-]
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/project/variables.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-apps/project/variables.tf
@@ -38,7 +38,3 @@ variable "enable_lien" {
   type    = bool
   default = true
 }
-
-variable "owners" {
-  type = list(string)
-}
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/project/main.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/project/main.tf
@@ -36,10 +36,3 @@ module "project" {
   default_service_account = "keep"
   skip_gcloud_download    = true
 }
-
-# Project level IAM permissions for project owners.
-resource "google_project_iam_binding" "owners" {
-  project = module.project.project_id
-  role    = "roles/owner"
-  members = var.owners
-}
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/project/terraform.tfvars b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/project/terraform.tfvars
@@ -19,6 +19,3 @@ apis = [
   "compute.googleapis.com",
   "servicenetworking.googleapis.com",
 ]
-owners = [
-  "group:rocketturtle-gcp-admin@rocketturtle.net",
-]
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/project/variables.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/project/variables.tf
@@ -38,7 +38,3 @@ variable "enable_lien" {
   type    = bool
   default = true
 }
-
-variable "owners" {
-  type = list(string)
-}
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/project/main.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/project/main.tf
@@ -36,10 +36,3 @@ module "project" {
   default_service_account = "keep"
   skip_gcloud_download    = true
 }
-
-# Project level IAM permissions for project owners.
-resource "google_project_iam_binding" "owners" {
-  project = module.project.project_id
-  role    = "roles/owner"
-  members = var.owners
-}
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/project/terraform.tfvars b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/project/terraform.tfvars
@@ -22,6 +22,3 @@ apis = [
   "servicenetworking.googleapis.com",
   "sqladmin.googleapis.com",
 ]
-owners = [
-  "group:rocketturtle-gcp-admin@rocketturtle.net",
-]
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/project/variables.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/project/variables.tf
@@ -38,7 +38,3 @@ variable "enable_lien" {
   type    = bool
   default = true
 }
-
-variable "owners" {
-  type = list(string)
-}
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-resp-firebase/project/main.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-resp-firebase/project/main.tf
@@ -36,10 +36,3 @@ module "project" {
   default_service_account = "keep"
   skip_gcloud_download    = true
 }
-
-# Project level IAM permissions for project owners.
-resource "google_project_iam_binding" "owners" {
-  project = module.project.project_id
-  role    = "roles/owner"
-  members = var.owners
-}
diff --git a/...m/org/folder.fda-my-studies/project.heroes-hat-dev-resp-firebase/project/terraform.tfvars b/...m/org/folder.fda-my-studies/project.heroes-hat-dev-resp-firebase/project/terraform.tfvars
@@ -18,6 +18,3 @@ billing_account = "01EA90-3519E1-89CB1F"
 apis = [
   "firebase.googleapis.com",
 ]
-owners = [
-  "group:rocketturtle-gcp-admin@rocketturtle.net",
-]
diff --git a/...aform/org/folder.fda-my-studies/project.heroes-hat-dev-resp-firebase/project/variables.tf b/...aform/org/folder.fda-my-studies/project.heroes-hat-dev-resp-firebase/project/variables.tf
@@ -38,7 +38,3 @@ variable "enable_lien" {
   type    = bool
   default = true
 }
-
-variable "owners" {
-  type = list(string)
-}
diff --git a/Terraform/org/project.heroes-hat-dev-audit/project/main.tf b/Terraform/org/project.heroes-hat-dev-audit/project/main.tf
@@ -36,10 +36,3 @@ module "project" {
   default_service_account = "keep"
   skip_gcloud_download    = true
 }
-
-# Project level IAM permissions for project owners.
-resource "google_project_iam_binding" "owners" {
-  project = module.project.project_id
-  role    = "roles/owner"
-  members = var.owners
-}
diff --git a/Terraform/org/project.heroes-hat-dev-audit/project/terraform.tfvars b/Terraform/org/project.heroes-hat-dev-audit/project/terraform.tfvars
@@ -19,6 +19,3 @@ apis = [
   "bigquery.googleapis.com",
   "logging.googleapis.com",
 ]
-owners = [
-  "group:rocketturtle-gcp-admin@rocketturtle.net",
-]
diff --git a/Terraform/org/project.heroes-hat-dev-audit/project/variables.tf b/Terraform/org/project.heroes-hat-dev-audit/project/variables.tf
@@ -38,7 +38,3 @@ variable "enable_lien" {
   type    = bool
   default = true
 }
-
-variable "owners" {
-  type = list(string)
-}