diff --git a/terraform/create_service_account.sh b/terraform/create_service_account.sh index fafe83adf..d69a90796 100755 --- a/terraform/create_service_account.sh +++ b/terraform/create_service_account.sh @@ -7,14 +7,18 @@ $0: Create a Service User Account for a given space Usage: $0 -h - $0 -s -u [-r ] [-o ] + $0 -s -u [-r ] [-o ] [-m] Options: -h: show help and exit -s : configure the space to act on. Required -u : set the service user name. Required -r : set the service user's role to either space-deployer or space-auditor. Default: space-deployer +-m: If provided, make the service user an OrgManager -o : configure the organization to act on. Default: $org + +Notes: +OrgManager is required for terraform to create -egress spaces " set -e @@ -23,8 +27,9 @@ set -o pipefail space="" service="" role="space-deployer" +org_manager="false" -while getopts ":hs:u:r:o:" opt; do +while getopts ":hms:u:r:o:" opt; do case "$opt" in s) space=${OPTARG} @@ -38,6 +43,9 @@ while getopts ":hs:u:r:o:" opt; do o) org=${OPTARG} ;; + m) + org_manager="true" + ;; h) echo "$usage" exit 0 @@ -60,13 +68,17 @@ cf create-service-key $service service-account-key 1>&2 # output service key to stdout in secrets.auto.tfvars format creds=`cf service-key $service service-account-key | tail -n 4` -username=`echo $creds | jq '.username'` -password=`echo $creds | jq '.password'` +username=`echo $creds | jq -r '.username'` +password=`echo $creds | jq -r '.password'` + +if [[ $org_manager = "true" ]]; then + cf set-org-role $username $org OrgManager 1>&2 +fi cat << EOF # generated with $0 -s $space -u $service -r $role -o $org # revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org -cf_user = $username -cf_password = $password +cf_user = "$username" +cf_password = "$password" EOF diff --git a/terraform/sandbox/main.tf b/terraform/sandbox/main.tf index f04d15b67..fd1c4ced3 100644 --- a/terraform/sandbox/main.tf +++ b/terraform/sandbox/main.tf 
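Review bot: The new `Notes:` paragraph in the usage text says why `-m` exists but not what it hands out: OrgManager is an org-wide administrative role in Cloud Foundry, so `-m` turns a space-scoped deployer into an account that can manage every space and user role in `$org`, and the help should say so before someone adds it to every invocation. Suggested wording: `OrgManager is required for terraform to create -egress spaces. It grants the service user org-wide admin rights (all spaces, roles and quotas), so pass -m only for environments that need it.` The `usage=` assignment this hunk edits starts before the hunk.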
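Review bot: `cf set-org-role $username $org OrgManager 1>&2` passes both values unquoted, and the record written to stdout right after it (`# generated with $0 -s $space -u $service -r $role -o $org` and the `# revoke with …` hint) never mentions `-m`, so nothing in `secrets.auto.tfvars` shows that this account is an org admin and the quoted revoke command may leave the org role in place (destroy_service_account.sh is not in this diff — confirm it removes the OrgManager assignment). Quote the arguments and record the flag: `cf set-org-role "$username" "$org" OrgManager 1>&2`, set `org_flag=" -m"` inside the existing `if [[ $org_manager = "true" ]]` block, and end the generated line with `-o $org$org_flag`. Separately, moving to `jq -r` and hand-wrapping the raw value in `"…"` means a password containing `"` or `\` now produces a malformed tfvars line; keeping the JSON-encoded form for the file, `cf_password = $(echo "$creds" | jq '.password')`, avoids that because JSON string escapes are valid HCL (a literal `${` would still need `$${` in either form).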
@@ -53,3 +53,16 @@ module "contact_list_bucket" {
 recursive_delete = local.recursive_delete
 s3_service_name = "${local.app_name}-contact-list-bucket-${local.env}"
 }
+
+module "egress-space" {
+ source = "../shared/egress_space"
+
+ cf_user = var.cf_user
+ cf_password = var.cf_password
+ cf_org_name = local.cf_org_name
+ cf_restricted_space_name = local.cf_space_name
+ deployers = [
+ var.cf_user,
+ "ryan.ahearn@gsa.gov"
+ ]
+}
diff --git a/terraform/shared/egress_space/main.tf b/terraform/shared/egress_space/main.tf
new file mode 100644
index 000000000..4a65b74e9
--- /dev/null
+++ b/terraform/shared/egress_space/main.tf
@@ -0,0 +1,36 @@
+###
+# Target space/org
+###
+
+data "cloudfoundry_org" "org" {
+ name = var.cf_org_name
+}
+
+###
+# Egress Space
+###
+
+resource "cloudfoundry_space" "public_egress" {
+ name = "${var.cf_restricted_space_name}-egress"
+ org = data.cloudfoundry_org.org.id
+}
+
+###
+# User roles
+###
+
+data "cloudfoundry_user" "users" {
+ for_each = var.deployers
+ name = each.key
+ org_id = data.cloudfoundry_org.org.id
+}
+
+locals {
+ user_ids = [for user in data.cloudfoundry_user.users : user.id]
+}
+
+resource "cloudfoundry_space_users" "deployers" {
+ space = cloudfoundry_space.public_egress.id
+ managers = local.user_ids
+ developers = local.user_ids
+}
diff --git a/terraform/shared/egress_space/providers.tf b/terraform/shared/egress_space/providers.tf
new file mode 100644
index 000000000..ad8addecd
--- /dev/null
+++ b/terraform/shared/egress_space/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_version = "~> 1.0"
+ required_providers {
+ cloudfoundry = {
+ source = "cloudfoundry-community/cloudfoundry"
+ version = "~> 0.15"
+ }
+ }
+}
+
+provider "cloudfoundry" {
+ api_url = "https://api.fr.cloud.gov"
+ user = var.cf_user
+ password = var.cf_password
+ app_logs_max = 30
+}
diff --git a/terraform/shared/egress_space/variables.tf b/terraform/shared/egress_space/variables.tf
new file mode 100644
index 000000000..1ab080dea
--- /dev/null
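Review bot: A personal account, `"ryan.ahearn@gsa.gov"`, is hard-coded into the sandbox `deployers` list, which makes that individual SpaceManager and SpaceDeveloper on the new egress space on every apply and ties offboarding to a code change. Prefer passing human deployers in through a variable, e.g. `deployers = concat([var.cf_user], var.egress_deployers)` with the list kept in a non-committed tfvars, or at least add a comment on the list saying why this user is granted access in sandbox and not in staging. The module call is otherwise the same as the staging one, so a shared comment explaining what the egress space is for would be worth adding above `module "egress-space"`.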
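Review bot: `cloudfoundry_space_users.deployers` gives every entry of `deployers` both SpaceManager and SpaceDeveloper on `public_egress`, yet pushing into the space only needs SpaceDeveloper; SpaceManager lets each of those users add further users, which matters because this is presumably the space whose apps get outbound network access (the `-egress` name and the create_service_account.sh notes suggest so). Consider a separate `managers` input defaulting to an empty set, resolved the same way as `local.user_ids`, so the human deployer list does not carry admin rights. Also add a comment on the resource noting that, per the provider docs, `cloudfoundry_space_users` is authoritative and any role added outside Terraform is removed on the next apply (confirm against the pinned provider version), and set `allow_ssh` explicitly on `cloudfoundry_space.public_egress` rather than relying on the provider default if SSH into egress apps is not wanted.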
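Review bot: The `provider "cloudfoundry"` block is declared inside the shared module and fed from `var.cf_password`, so every root module must hand its CF credentials into the child, and the module becomes a legacy provider-in-module: Terraform rejects `count`, `for_each` and `depends_on` on such a module call, and removing the call later leaves no provider configuration with which to destroy the space. If the root modules already configure a `cloudfoundry` provider from the same `var.cf_user`/`var.cf_password` (the values they pass in suggest so), drop the `provider` block here and keep only the `required_providers` constraint so the module inherits the root configuration; `cf_user` and `cf_password` can then be removed from the module's inputs. `api_url = "https://api.fr.cloud.gov"` also hard-codes the target; fine for this project, but a comment such as `# cloud.gov-specific: this module only targets the FedRAMP cloud.gov API` would make the assumption explicit.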
+++ b/terraform/shared/egress_space/variables.tf
@@ -0,0 +1,10 @@
+variable "cf_password" {
+ type = string
+ sensitive = true
+}
+variable "cf_user" {}
+variable "cf_org_name" {}
+variable "cf_restricted_space_name" {}
+variable "deployers" {
+ type = set(string)
+}
diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf
index abbb0a5be..6fca24d76 100644
--- a/terraform/staging/main.tf
+++ b/terraform/staging/main.tf
@@ -53,3 +53,15 @@ module "contact_list_bucket" {
 recursive_delete = local.recursive_delete
 s3_service_name = "${local.app_name}-contact-list-bucket-${local.env}"
 }
+
+module "egress-space" {
+ source = "../shared/egress_space"
+
+ cf_user = var.cf_user
+ cf_password = var.cf_password
+ cf_org_name = local.cf_org_name
+ cf_restricted_space_name = local.cf_space_name
+ deployers = [
+ var.cf_user
+ ]
+}
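Review bot: `cf_user`, `cf_org_name` and `cf_restricted_space_name` are declared with no `type` or `description`, so a wrong value is only caught when the provider or the `"${var.cf_restricted_space_name}-egress"` expression is evaluated, and nothing tells a caller what `cf_restricted_space_name` means. Give each variable `type = string` and a one-line description, and add a `validation` on `deployers` so an empty set fails at plan time instead of creating a space with no users; `cf_password` is already typed and marked `sensitive`, which is right.
```hcl
variable "cf_user" {
  type        = string
  description = "CF user the provider authenticates as; must hold OrgManager in cf_org_name to create the egress space"
}
variable "cf_org_name" {
  type        = string
  description = "Org in which the egress space is created"
}
variable "cf_restricted_space_name" {
  type        = string
  description = "Name of the restricted space; the egress space is named \"<this>-egress\""
}
variable "deployers" {
  type        = set(string)
  description = "CF user names granted SpaceManager and SpaceDeveloper on the egress space"
  validation {
    condition     = length(var.deployers) > 0
    error_message = "deployers must contain at least one CF user name."
  }
}
# … unchanged: cf_password …
```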
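Review bot: `module "egress-space"` uses a hyphen while the neighbouring module in this file is `contact_list_bucket`; Terraform accepts both, but the mixed style shows up in every `module.egress-space.…` state address, so `module "egress_space"` would match the existing convention (the sandbox call has the same name). The deploy identity is also listed as its own deployer, `deployers = [var.cf_user]`; if that is because OrgManager alone does not grant SpaceDeveloper and the service account must be in the space to push there (confirm against the CF role model), a one-line comment saying so would save the next reader a lookup.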