Created
March 28, 2023 13:51
-
-
Save rssnyder/4415eed9587614ab4fce2fdaab8edd06 to your computer and use it in GitHub Desktop.
by_tf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| locals { | |
| org_name = replace(replace(var.org, "/[ -]/", "_"), "/\\W/", "") | |
| org_id = lower(local.org_name) | |
| } | |
| data "harness_platform_current_user" "current" {} | |
| # create the org and project | |
| resource "harness_platform_organization" "this" { | |
| identifier = local.org_id | |
| name = local.org_name | |
| description = "A templated organization" | |
| } | |
| resource "harness_platform_project" "default" { | |
| identifier = "default" | |
| name = "default" | |
| org_id = harness_platform_organization.this.id | |
| } | |
| # create the environments | |
| resource "harness_platform_environment" "dev" { | |
| identifier = "dev" | |
| name = "dev" | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| type = "PreProduction" | |
| yaml = <<EOF | |
| environment: | |
| name: dev | |
| identifier: dev | |
| description: "" | |
| tags: {} | |
| type: PreProduction | |
| orgIdentifier: ${harness_platform_organization.this.id} | |
| projectIdentifier: ${harness_platform_project.default.id} | |
| variables: [] | |
| EOF | |
| } | |
| resource "harness_platform_environment" "staging" { | |
| identifier = "staging" | |
| name = "staging" | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| type = "PreProduction" | |
| yaml = <<EOF | |
| environment: | |
| name: staging | |
| identifier: staging | |
| description: "" | |
| tags: {} | |
| type: PreProduction | |
| orgIdentifier: ${harness_platform_organization.this.id} | |
| projectIdentifier: ${harness_platform_project.default.id} | |
| variables: [] | |
| EOF | |
| } | |
| resource "harness_platform_environment" "production" { | |
| identifier = "production" | |
| name = "production" | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| type = "Production" | |
| yaml = <<EOF | |
| environment: | |
| name: production | |
| identifier: production | |
| description: "" | |
| tags: {} | |
| type: Production | |
| orgIdentifier: ${harness_platform_organization.this.id} | |
| projectIdentifier: ${harness_platform_project.default.id} | |
| variables: [] | |
| EOF | |
| } | |
| # assign access to the admins | |
| data "harness_platform_usergroup" "admins" { | |
| identifier = var.admin_group | |
| } | |
| resource "harness_platform_role_assignments" "admins" { | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| resource_group_identifier = "_all_project_level_resources" | |
| role_identifier = "_project_admin" | |
| principal { | |
| identifier = data.harness_platform_usergroup.admins.id | |
| type = "USER_GROUP" | |
| # use a group from the account (scim) level | |
| scope_level = "account" | |
| } | |
| } | |
| resource "harness_platform_role_assignments" "admins_viewer" { | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| resource_group_identifier = "_all_project_level_resources" | |
| role_identifier = "_project_viewer" | |
| principal { | |
| identifier = data.harness_platform_usergroup.admins.id | |
| type = "USER_GROUP" | |
| # use a group from the account (scim) level | |
| scope_level = "account" | |
| } | |
| } | |
| # create resource groups for each environment | |
| resource "harness_platform_resource_group" "environments" { | |
| for_each = toset(["dev", "stage", "prod"]) | |
| identifier = each.key | |
| name = each.key | |
| account_id = data.harness_platform_current_user.current.default_account_id | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| allowed_scope_levels = ["project"] | |
| resource_filter { | |
| include_all_resources = false | |
| resources { | |
| resource_type = "ENVIRONMENT" | |
| identifiers = [each.key] | |
| } | |
| } | |
| } | |
| # create role for flag toggling | |
| # see possible permissions here: https://developer.harness.io/docs/platform/Role-Based-Access-Control/ref-access-management/api-permissions-reference | |
| resource "harness_platform_roles" "toggler" { | |
| identifier = "toggler" | |
| name = "toggler" | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| permissions = ["ff_featureflag_toggle"] | |
| allowed_scope_levels = ["project"] | |
| } | |
| # assign access to the devs to toggle in non-prod | |
| data "harness_platform_usergroup" "devs" { | |
| identifier = var.dev_group | |
| } | |
| resource "harness_platform_role_assignments" "devs" { | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| resource_group_identifier = harness_platform_resource_group.environments["dev"].id | |
| role_identifier = harness_platform_roles.toggler.id | |
| principal { | |
| identifier = data.harness_platform_usergroup.devs.id | |
| type = "USER_GROUP" | |
| # use a group from the account (scim) level | |
| scope_level = "account" | |
| } | |
| } | |
| resource "harness_platform_role_assignments" "devs_viewer" { | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| resource_group_identifier = "_all_project_level_resources" | |
| role_identifier = "_project_viewer" | |
| principal { | |
| identifier = data.harness_platform_usergroup.devs.id | |
| type = "USER_GROUP" | |
| # use a group from the account (scim) level | |
| scope_level = "account" | |
| } | |
| } | |
| # assign access to the PMs to toggle everywhere | |
| data "harness_platform_usergroup" "pms" { | |
| identifier = var.pm_group | |
| } | |
| resource "harness_platform_role_assignments" "pms" { | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| resource_group_identifier = "_all_project_level_resources" | |
| role_identifier = harness_platform_roles.toggler.id | |
| principal { | |
| identifier = data.harness_platform_usergroup.pms.id | |
| type = "USER_GROUP" | |
| # use a group from the account (scim) level | |
| scope_level = "account" | |
| } | |
| } | |
| resource "harness_platform_role_assignments" "pms_viewer" { | |
| org_id = harness_platform_organization.this.id | |
| project_id = harness_platform_project.default.id | |
| resource_group_identifier = "_all_project_level_resources" | |
| role_identifier = "_project_viewer" | |
| principal { | |
| identifier = data.harness_platform_usergroup.pms.id | |
| type = "USER_GROUP" | |
| # use a group from the account (scim) level | |
| scope_level = "account" | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "org" { | |
| type = string | |
| description = "a new organization to create" | |
| } | |
| variable "admin_group" { | |
| type = string | |
| } | |
| variable "dev_group" { | |
| type = string | |
| } | |
| variable "pm_group" { | |
| type = string | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment