0-bootstrap/README.md

@@ -113,7 +113,7 @@ your current Jenkins manager (master) environment.
     ```
 1. Run `terraform init`.
 1. Run `terraform plan` and review the output.
-1. To run terraform-validator steps please follow the [instructions](https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md#install-terraform-validator) in the **Install Terraform Validator** section and install version `2021-03-22`. You will also need to rename the binary from `terraform-validator-<your-platform>` to `terraform-validator`.
+1. To run terraform-validator steps please follow the [instructions](https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md#install-terraform-validator) in the **Install Terraform Validator** section and install version `2021-03-22`. You will also need to rename the binary from `terraform-validator-<your-platform>` to `terraform-validator`and the terraform-validator binary must be in your PATH.
     1. Run `terraform plan -input=false -out bootstrap.tfplan`
     1. Run `terraform show -json bootstrap.tfplan > bootstrap.json`
     1. Run `terraform-validator validate bootstrap.json --policy-path="../policy-library" --project <A-VALID-PROJECT-ID>` and check for violations (`<A-VALID-PROJECT-ID>` must be an existing project you have access to, this is necessary because Terraform-validator needs to link resources to a valid Google Cloud Platform project).

0-bootstrap/versions.tf

@@ -33,7 +33,7 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v2.2.0"
   }
 
 }

1-org/envs/shared/README.md

@@ -21,6 +21,15 @@
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enable\_os\_login\_policy | Enable OS Login Organization Policy. | `bool` | `false` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
+| gcp\_audit\_viewer | Members are part of an audit team and view audit logs in the logging project. | `string` | `null` | no |
+| gcp\_billing\_admin\_user | Identity that has billing administrator permissions | `string` | `null` | no |
+| gcp\_billing\_creator\_user | Identity that can create billing accounts. | `string` | `null` | no |
+| gcp\_global\_secrets\_admin | G Suite or Cloud Identity group that members are responsible for putting secrets into Secrets Manager. | `string` | `null` | no |
+| gcp\_network\_viewer | G Suite or Cloud Identity group that members are part of the networking team and review network configurations | `string` | `null` | no |
+| gcp\_org\_admin\_user | Identity that has organization administrator permissions. | `string` | `null` | no |
+| gcp\_platform\_viewer | G Suite or Cloud Identity group that have the ability to view resource information across the Google Cloud organization. | `string` | `null` | no |
+| gcp\_scc\_admin | G Suite or Cloud Identity group that can administer Security Command Center. | `string` | `null` | no |
+| gcp\_security\_reviewer | G Suite or Cloud Identity group that members are part of the security team responsible for reviewing cloud security. | `string` | `null` | no |
 | interconnect\_project\_alert\_pubsub\_topic | The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}` for the Dedicated Interconnect project. | `string` | `null` | no |
 | interconnect\_project\_alert\_spent\_percents | A list of percentages of the budget to alert on when threshold is exceeded for the Dedicated Interconnect project. | `list(number)` | <pre>[<br>  0.5,<br>  0.75,<br>  0.9,<br>  0.95<br>]</pre> | no |
 | interconnect\_project\_budget\_amount | The amount to use as the budget for the Dedicated Interconnect project. | `number` | `1000` | no |

1-org/envs/shared/iam.tf

@@ -87,3 +87,116 @@ resource "google_organization_iam_member" "billing_viewer" {
   role   = "roles/billing.viewer"
   member = "group:${var.billing_data_users}"
 }
+
+/******************************************
+ Groups permissions according to SFB (Section 6.2 - Users and groups) - IAM
+*****************************************/
+
+resource "google_organization_iam_member" "organization_viewer" {
+  count  = var.gcp_platform_viewer != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/viewer"
+  member = "group:${var.gcp_platform_viewer}"
+}
+
+resource "google_folder_iam_member" "organization_viewer" {
+  count  = var.gcp_platform_viewer != null && var.parent_folder != "" ? 1 : 0
+  folder = "folders/${var.parent_folder}"
+  role   = "roles/viewer"
+  member = "group:${var.gcp_platform_viewer}"
+}
+
+resource "google_organization_iam_member" "security_reviewer" {
+  count  = var.gcp_security_reviewer != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/iam.securityReviewer"
+  member = "group:${var.gcp_security_reviewer}"
+}
+
+resource "google_folder_iam_member" "security_reviewer" {
+  count  = var.gcp_security_reviewer != null && var.parent_folder != "" ? 1 : 0
+  folder = "folders/${var.parent_folder}"
+  role   = "roles/iam.securityReviewer"
+  member = "group:${var.gcp_security_reviewer}"
+}
+
+resource "google_organization_iam_member" "network_viewer" {
+  count  = var.gcp_network_viewer != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/compute.networkViewer"
+  member = "group:${var.gcp_network_viewer}"
+}
+
+resource "google_folder_iam_member" "network_viewer" {
+  count  = var.gcp_network_viewer != null && var.parent_folder != "" ? 1 : 0
+  folder = "folders/${var.parent_folder}"
+  role   = "roles/compute.networkViewer"
+  member = "group:${var.gcp_network_viewer}"
+}
+
+resource "google_project_iam_member" "audit_log_viewer" {
+  count   = var.gcp_audit_viewer != null ? 1 : 0
+  project = module.org_audit_logs.project_id
+  role    = "roles/logging.viewer"
+  member  = "group:${var.gcp_audit_viewer}"
+}
+
+resource "google_project_iam_member" "audit_private_logviewer" {
+  count   = var.gcp_audit_viewer != null ? 1 : 0
+  project = module.org_audit_logs.project_id
+  role    = "roles/logging.privateLogViewer"
+  member  = "group:${var.gcp_audit_viewer}"
+}
+
+resource "google_project_iam_member" "audit_bq_data_viewer" {
+  count   = var.gcp_audit_viewer != null ? 1 : 0
+  project = module.org_audit_logs.project_id
+  role    = "roles/bigquery.dataViewer"
+  member  = "group:${var.gcp_audit_viewer}"
+}
+
+resource "google_project_iam_member" "scc_admin" {
+  count   = var.gcp_scc_admin != null ? 1 : 0
+  project = module.scc_notifications.project_id
+  role    = "roles/securitycenter.adminEditor"
+  member  = "group:${var.gcp_scc_admin}"
+}
+
+resource "google_project_iam_member" "global_secrets_admin" {
+  count   = var.gcp_global_secrets_admin != null ? 1 : 0
+  project = module.org_secrets.project_id
+  role    = "roles/secretmanager.admin"
+  member  = "group:${var.gcp_global_secrets_admin}"
+}
+
+/******************************************
+ Privileged accounts permissions according to SFB (Section 6.3 - Privileged identities)
+*****************************************/
+
+resource "google_organization_iam_member" "org_admin_user" {
+  count  = var.gcp_org_admin_user != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/resourcemanager.organizationAdmin"
+  member = "user:${var.gcp_org_admin_user}"
+}
+
+resource "google_folder_iam_member" "org_admin_user" {
+  count  = var.gcp_org_admin_user != null && var.parent_folder != "" ? 1 : 0
+  folder = "folders/${var.parent_folder}"
+  role   = "roles/resourcemanager.folderAdmin"
+  member = "user:${var.gcp_org_admin_user}"
+}
+
+resource "google_organization_iam_member" "billing_creator_user" {
+  count  = var.gcp_billing_creator_user != null && var.parent_folder == "" ? 1 : 0
+  org_id = var.org_id
+  role   = "roles/billing.creator"
+  member = "user:${var.gcp_billing_creator_user}"
+}
+
+resource "google_billing_account_iam_member" "billing_admin_user" {
+  count              = var.gcp_billing_admin_user != null ? 1 : 0
+  billing_account_id = var.billing_account
+  role               = "roles/billing.admin"
+  member             = "user:${var.gcp_billing_admin_user}"
+}

1-org/envs/shared/variables.tf

@@ -291,3 +291,57 @@ variable "folder_prefix" {
   type        = string
   default     = "fldr"
 }
+
+variable "gcp_platform_viewer" {
+  description = "G Suite or Cloud Identity group that have the ability to view resource information across the Google Cloud organization."
+  type        = string
+  default     = null
+}
+
+variable "gcp_security_reviewer" {
+  description = "G Suite or Cloud Identity group that members are part of the security team responsible for reviewing cloud security."
+  type        = string
+  default     = null
+}
+
+variable "gcp_network_viewer" {
+  description = "G Suite or Cloud Identity group that members are part of the networking team and review network configurations"
+  type        = string
+  default     = null
+}
+
+variable "gcp_scc_admin" {
+  description = "G Suite or Cloud Identity group that can administer Security Command Center."
+  type        = string
+  default     = null
+}
+
+variable "gcp_audit_viewer" {
+  description = "Members are part of an audit team and view audit logs in the logging project."
+  type        = string
+  default     = null
+}
+
+variable "gcp_global_secrets_admin" {
+  description = "G Suite or Cloud Identity group that members are responsible for putting secrets into Secrets Manager."
+  type        = string
+  default     = null
+}
+
+variable "gcp_org_admin_user" {
+  description = "Identity that has organization administrator permissions."
+  type        = string
+  default     = null
+}
+
+variable "gcp_billing_creator_user" {
+  description = "Identity that can create billing accounts."
+  type        = string
+  default     = null
+}
+
+variable "gcp_billing_admin_user" {
+  description = "Identity that has billing administrator permissions"
+  type        = string
+  default     = null
+}

1-org/envs/shared/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:org/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:org/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:org/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:org/v2.2.0"
   }
 }

2-environments/modules/env_baseline/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:org/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:org/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:org/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:org/v2.2.0"
   }
 }

3-networks/modules/base_shared_vpc/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v2.2.0"
   }
 }

3-networks/modules/dedicated_interconnect/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v2.2.0"
   }
 }

3-networks/modules/hierarchical_firewall_policy/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v2.2.0"
   }
 }

3-networks/modules/partner_interconnect/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v2.2.0"
   }
 }

3-networks/modules/restricted_shared_vpc/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v2.2.0"
   }
 }

3-networks/modules/transitivity/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:transitivity/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:transitivity/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:transitivity/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:transitivity/v2.2.0"
   }
 }

4-projects/modules/infra_pipelines/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:infra_pipelines/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:infra_pipelines/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:infra_pipelines/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:infra_pipelines/v2.2.0"
   }
 }

4-projects/modules/single_project/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:single_project/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:single_project/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:single_project/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:single_project/v2.2.0"
   }
 }

5-app-infra/modules/env_base/versions.tf

@@ -37,10 +37,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:app_env_base/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:app_env_base/v2.2.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:app_env_base/v2.1.1"
+    module_name = "blueprints/terraform/terraform-example-foundation:app_env_base/v2.2.0"
   }
 }

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [2.2.0](https://www.github.com/terraform-google-modules/terraform-example-foundation/compare/v2.1.1...v2.2.0) (2021-07-16)
+
+
+### Features
+
+* Add permissions for SFB recommended groups ([#446](https://www.github.com/terraform-google-modules/terraform-example-foundation/issues/446)) ([a18b203](https://www.github.com/terraform-google-modules/terraform-example-foundation/commit/a18b2036531d9529778d6a0e6b6c9583a0ec76a2))
+
+
+### Bug Fixes
+
+* added link to FAQ in 1-org ([#497](https://www.github.com/terraform-google-modules/terraform-example-foundation/issues/497)) ([a266e02](https://www.github.com/terraform-google-modules/terraform-example-foundation/commit/a266e0275604ea4aff87a64c06ed100f070db520))
+* Update project-factory module to 10.1 ([#499](https://www.github.com/terraform-google-modules/terraform-example-foundation/issues/499)) ([f46e2e8](https://www.github.com/terraform-google-modules/terraform-example-foundation/commit/f46e2e86d18b847bd08497551b58da4794137e4f))
+
 ### [2.1.1](https://www.github.com/terraform-google-modules/terraform-example-foundation/compare/v2.1.0...v2.1.1) (2021-06-23)