feat: Add permissions for SFB recommended groups (#446)

aarturm · web-flow · commit a18b2036531d · 2021-07-14T09:29:41.000-05:00
* Added group and firecall permissions

according to SFB on orgnization level.

* 1-org README.md updated with new variables

* Corrected permissions for firewall billing admin user

* Corrected permissions for firewall billing admin user

* Variable description and comments updates

* Added group and firecall permissions

according to SFB on orgnization level.

* 1-org README.md updated with new variables

* Corrected permissions for firewall billing admin user

* Corrected permissions for firewall billing admin user

* Variable description and comments updates
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
@@ -21,6 +21,15 @@
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_os\_login\_policy | Enable OS Login Organization Policy. | `bool` | `false` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
+| gcp\_audit\_viewer | Members are part of an audit team and view audit logs in the logging project. | `string` | `null` | no |
+| gcp\_billing\_admin\_user | Identity that has billing administrator permissions | `string` | `null` | no |
+| gcp\_billing\_creator\_user | Identity that can create billing accounts. | `string` | `null` | no |
+| gcp\_global\_secrets\_admin | G Suite or Cloud Identity group that members are responsible for putting secrets into Secrets Manager. | `string` | `null` | no |
+| gcp\_network\_viewer | G Suite or Cloud Identity group that members are part of the networking team and review network configurations | `string` | `null` | no |
+| gcp\_org\_admin\_user | Identity that has organization administrator permissions. | `string` | `null` | no |
+| gcp\_platform\_viewer | G Suite or Cloud Identity group that have the ability to view resource information across the Google Cloud organization. | `string` | `null` | no |
+| gcp\_scc\_admin | G Suite or Cloud Identity group that can administer Security Command Center. | `string` | `null` | no |
+| gcp\_security\_reviewer | G Suite or Cloud Identity group that members are part of the security team responsible for reviewing cloud security. | `string` | `null` | no |
 | interconnect\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the Dedicated Interconnect project. | `string` | `null` | no |
 | interconnect\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the Dedicated Interconnect project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | interconnect\_project\_budget\_amount | The amount to use as the budget for the Dedicated Interconnect project. | `number` | `1000` | no |
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
@@ -87,3 +87,116 @@ resource "google_organization_iam_member" "billing_viewer" {
   role   = "roles/billing.viewer"
   member = "group:${var.billing_data_users}"
 }
+
+/******************************************
+ Groups permissions according to SFB (Section 6.2 - Users and groups) - IAM
+*****************************************/
+
+resource "google_organization_iam_member" "organization_viewer" {
+  count  = var.gcp_platform_viewer != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/viewer"
+  member = "group:${var.gcp_platform_viewer}"
+}
+
+resource "google_folder_iam_member" "organization_viewer" {
+  count  = var.gcp_platform_viewer != null && var.parent_folder != "" ? 1 : 0
+  folder = "folders/${var.parent_folder}"
+  role   = "roles/viewer"
+  member = "group:${var.gcp_platform_viewer}"
+}
+
+resource "google_organization_iam_member" "security_reviewer" {
+  count  = var.gcp_security_reviewer != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/iam.securityReviewer"
+  member = "group:${var.gcp_security_reviewer}"
+}
+
+resource "google_folder_iam_member" "security_reviewer" {
+  count  = var.gcp_security_reviewer != null && var.parent_folder != "" ? 1 : 0
+  folder = "folders/${var.parent_folder}"
+  role   = "roles/iam.securityReviewer"
+  member = "group:${var.gcp_security_reviewer}"
+}
+
+resource "google_organization_iam_member" "network_viewer" {
+  count  = var.gcp_network_viewer != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/compute.networkViewer"
+  member = "group:${var.gcp_network_viewer}"
+}
+
+resource "google_folder_iam_member" "network_viewer" {
+  count  = var.gcp_network_viewer != null && var.parent_folder != "" ? 1 : 0
+  folder = "folders/${var.parent_folder}"
+  role   = "roles/compute.networkViewer"
+  member = "group:${var.gcp_network_viewer}"
+}
+
+resource "google_project_iam_member" "audit_log_viewer" {
+  count   = var.gcp_audit_viewer != null ? 1 : 0
+  project = module.org_audit_logs.project_id
+  role    = "roles/logging.viewer"
+  member  = "group:${var.gcp_audit_viewer}"
+}
+
+resource "google_project_iam_member" "audit_private_logviewer" {
+  count   = var.gcp_audit_viewer != null ? 1 : 0
+  project = module.org_audit_logs.project_id
+  role    = "roles/logging.privateLogViewer"
+  member  = "group:${var.gcp_audit_viewer}"
+}
+
+resource "google_project_iam_member" "audit_bq_data_viewer" {
+  count   = var.gcp_audit_viewer != null ? 1 : 0
+  project = module.org_audit_logs.project_id
+  role    = "roles/bigquery.dataViewer"
+  member  = "group:${var.gcp_audit_viewer}"
+}
+
+resource "google_project_iam_member" "scc_admin" {
+  count   = var.gcp_scc_admin != null ? 1 : 0
+  project = module.scc_notifications.project_id
+  role    = "roles/securitycenter.adminEditor"
+  member  = "group:${var.gcp_scc_admin}"
+}
+
+resource "google_project_iam_member" "global_secrets_admin" {
+  count   = var.gcp_global_secrets_admin != null ? 1 : 0
+  project = module.org_secrets.project_id
+  role    = "roles/secretmanager.admin"
+  member  = "group:${var.gcp_global_secrets_admin}"
+}
+
+/******************************************
+ Privileged accounts permissions according to SFB (Section 6.3 - Privileged identities)
+*****************************************/
+
+resource "google_organization_iam_member" "org_admin_user" {
+  count  = var.gcp_org_admin_user != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/resourcemanager.organizationAdmin"
+  member = "user:${var.gcp_org_admin_user}"
+}
+
+resource "google_folder_iam_member" "org_admin_user" {
+  count  = var.gcp_org_admin_user != null && var.parent_folder != "" ? 1 : 0
+  folder = "folders/${var.parent_folder}"
+  role   = "roles/resourcemanager.folderAdmin"
+  member = "user:${var.gcp_org_admin_user}"
+}
+
+resource "google_organization_iam_member" "billing_creator_user" {
+  count  = var.gcp_billing_creator_user != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/billing.creator"
+  member = "user:${var.gcp_billing_creator_user}"
+}
+
+resource "google_billing_account_iam_member" "billing_admin_user" {
+  count              = var.gcp_billing_admin_user != null ? 1 : 0
+  billing_account_id = var.billing_account
+  role               = "roles/billing.admin"
+  member             = "user:${var.gcp_billing_admin_user}"
+}
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
@@ -291,3 +291,57 @@ variable "folder_prefix" {
   type        = string
   default     = "fldr"
 }
+
+variable "gcp_platform_viewer" {
+  description = "G Suite or Cloud Identity group that have the ability to view resource information across the Google Cloud organization."
+  type        = string
+  default     = null
+}
+
+variable "gcp_security_reviewer" {
+  description = "G Suite or Cloud Identity group that members are part of the security team responsible for reviewing cloud security."
+  type        = string
+  default     = null
+}
+
+variable "gcp_network_viewer" {
+  description = "G Suite or Cloud Identity group that members are part of the networking team and review network configurations"
+  type        = string
+  default     = null
+}
+
+variable "gcp_scc_admin" {
+  description = "G Suite or Cloud Identity group that can administer Security Command Center."
+  type        = string
+  default     = null
+}
+
+variable "gcp_audit_viewer" {
+  description = "Members are part of an audit team and view audit logs in the logging project."
+  type        = string
+  default     = null
+}
+
+variable "gcp_global_secrets_admin" {
+  description = "G Suite or Cloud Identity group that members are responsible for putting secrets into Secrets Manager."
+  type        = string
+  default     = null
+}
+
+variable "gcp_org_admin_user" {
+  description = "Identity that has organization administrator permissions."
+  type        = string
+  default     = null
+}
+
+variable "gcp_billing_creator_user" {
+  description = "Identity that can create billing accounts."
+  type        = string
+  default     = null
+}
+
+variable "gcp_billing_admin_user" {
+  description = "Identity that has billing administrator permissions"
+  type        = string
+  default     = null
+}
