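# Artifactory RBAC for the docker repositories: one group per role and one
# permission target per (group, repository set) pair.  The resources further
# down iterate over these maps, so each map key is also the Terraform instance
# key (artifactory_group.groups["read_docker_all"], ...).  Renaming a key
# replaces the instance unless a `moved` block accompanies the rename.
locals {
  # Keys of every docker repository managed in this module (virtual, remote
  # and local); consumed by the blanket read-only permission target below.
  all_docker_repos = concat(
    [for repo in artifactory_virtual_repository.docker_virtual : repo.key],
    [for repo in artifactory_remote_repository.docker_remote : repo.key],
    [for repo in artifactory_local_repository.docker_local : repo.key]
  )

  # Groups are the only principals the permission targets reference; users get
  # access through group membership, never through a per-user grant.
  artifactory_groups = {
    read_docker_all = {
      name        = "read-docker-all"
      description = "Read only access to all docker repos, meant to be used by developers to pull down images from all docker repos."
    }
    upload_docker_dev_local = {
      name        = "upload-docker-dev-local"
      description = "Access group for upload access to docker-dev-local, used by the build server to upload docker builds to dev-local."
    }
    download_docker_remote = {
      name        = "download-docker-remote"
      description = "Download group for caching objects in the remote repo, used by a build server and a way to control what images are used."
    }
    read_docker_dev_virtual = {
      name        = "read-docker-dev-virtual"
      description = "Access group for read only access to the docker-dev-virtual repo, used by the cluster to ensure images are downloaded from the correct repo."
    }
    read_docker_stg_virtual = {
      name        = "read-docker-stg-virtual"
      description = "Access group for read only access to the docker-stg-virtual repo, used by the cluster to ensure images are downloaded from the correct repo."
    }
    read_docker_prod_virtual = {
      name        = "read-docker-prod-virtual"
      description = "Access group for read only access to the docker-prod-virtual repo, used by the cluster to ensure images are downloaded from the correct repo."
    }
    # NOTE(review): the group is named "promote-to-docker-stg-local" while its
    # permission target below is "promote-docker-to-stg-local" (the prod pair
    # uses the "promote-docker-to-..." form for both).  Left as-is because
    # renaming an Artifactory group replaces it and drops its members.
    promote_docker_to_stg_local = {
      name        = "promote-to-docker-stg-local"
      description = "Access group for promoting images from dev to stg, used by whatever promotion mechanism is decided."
    }
    promote_docker_to_prod_local = {
      name        = "promote-to-docker-prod-local"
      description = "Access group for promoting images from stg to prod, used by whatever promotion mechanism is decided."
    }
  }

  # Every permission set below is a subset of ["read", "write", "annotate"]:
  # "delete" (Artifactory's Delete/Overwrite) and "manage" are never granted.
  # NOTE(review): if this Artifactory version requires Delete/Overwrite to
  # replace an existing artifact, "write" alone lets a group push new tags but
  # not overwrite or remove existing ones - confirm before relying on it as a
  # tag-immutability control.
  artifactory_permission_targets = {
    read_docker_all = {
      name = "read-docker-all"
      # Covers local, virtual AND remote repos.  NOTE(review): read on the
      # remote repo likely lets any member resolve arbitrary upstream images
      # through it, which weakens the "control what images are used" intent
      # of download-docker-remote below; confirm whether read alone triggers
      # upstream fetches here, and narrow to the virtual repos if it does.
      repositories = local.all_docker_repos
      groups_name  = artifactory_group.groups["read_docker_all"].name
      permissions  = ["read"]
    }
    # Build server: push into dev-local only.
    deploy_docker_dev_local = {
      name         = "deploy-docker-dev-local"
      repositories = [artifactory_local_repository.docker_local["docker_dev"].key]
      groups_name  = artifactory_group.groups["upload_docker_dev_local"].name
      permissions  = ["read", "write", "annotate"]
    }
    # "write" on a remote repository is what allows populating its cache
    # (the group description calls this "caching objects in the remote repo").
    download_docker_remote = {
      name         = "download-docker-remote"
      repositories = [artifactory_remote_repository.docker_remote["docker_prod"].key]
      groups_name  = artifactory_group.groups["download_docker_remote"].name
      permissions  = ["read", "write", "annotate"]
    }
    # Promotion is one-way: each promoter reads the lower tier and writes the
    # next one up.  dev->stg promoter reads dev-local here, writes stg-local in
    # bot_promote_docker_to_stg_local.
    read_docker_dev_local = {
      name         = "read-docker-dev-local"
      repositories = [artifactory_local_repository.docker_local["docker_dev"].key]
      groups_name  = artifactory_group.groups["promote_docker_to_stg_local"].name
      permissions  = ["read"]
    }
    # stg->prod promoter reads stg-local here, writes prod-local in
    # promote_docker_to_prod_local.
    read_docker_stg_local = {
      name         = "read-docker-stg-local"
      repositories = [artifactory_local_repository.docker_local["docker_stg"].key]
      groups_name  = artifactory_group.groups["promote_docker_to_prod_local"].name
      permissions  = ["read"]
    }
    # Cluster pull identities: read on the per-environment virtual repo and
    # its backing local repo, nothing else, so a dev cluster cannot pull prod
    # images (and vice versa) through these groups.
    read_docker_dev_virtual = {
      name = "read-docker-dev-virtual"
      repositories = [
        artifactory_virtual_repository.docker_virtual["docker_dev"].key,
        artifactory_local_repository.docker_local["docker_dev"].key,
      ]
      groups_name = artifactory_group.groups["read_docker_dev_virtual"].name
      permissions = ["read"]
    }
    read_docker_stg_virtual = {
      name = "read-docker-stg-virtual"
      repositories = [
        artifactory_virtual_repository.docker_virtual["docker_stg"].key,
        artifactory_local_repository.docker_local["docker_stg"].key,
      ]
      groups_name = artifactory_group.groups["read_docker_stg_virtual"].name
      permissions = ["read"]
    }
    read_docker_prod_virtual = {
      name = "read-docker-prod-virtual"
      repositories = [
        artifactory_virtual_repository.docker_virtual["docker_prod"].key,
        artifactory_local_repository.docker_local["docker_prod"].key,
      ]
      groups_name = artifactory_group.groups["read_docker_prod_virtual"].name
      permissions = ["read"]
    }
    # NOTE(review): this key carries a "bot_" prefix its prod sibling lacks.
    # Kept as-is: changing it changes the resource address and would replace
    # the permission target unless a `moved` block is added.
    bot_promote_docker_to_stg_local = {
      name         = "promote-docker-to-stg-local"
      repositories = [artifactory_local_repository.docker_local["docker_stg"].key]
      groups_name  = artifactory_group.groups["promote_docker_to_stg_local"].name
      permissions  = ["read", "write", "annotate"]
    }
    promote_docker_to_prod_local = {
      name         = "promote-docker-to-prod-local"
      repositories = [artifactory_local_repository.docker_local["docker_prod"].key]
      groups_name  = artifactory_group.groups["promote_docker_to_prod_local"].name
      permissions  = ["read", "write", "annotate"]
    }
  }
}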
# One Artifactory group per entry in local.artifactory_groups.  Membership is
# not managed here; these are plain, non-admin groups that users must be added
# to explicitly (no auto-join on user creation).
resource "artifactory_group" "groups" {
  for_each = local.artifactory_groups

  # Hard-coded rather than taken from the map so no entry can accidentally
  # turn a repo-scoped role into an admin group or an auto-joined one.
  admin_privileges = false
  auto_join        = false

  name        = each.value["name"]
  description = each.value["description"]
}
# Provider documentation for artifactory_permission_target (this link points
# at the atlassian-hosted repository; NOTE(review): verify it still resolves
# for the provider version pinned in this module):
# https://github.com/atlassian/terraform-provider-artifactory/blob/master/website/docs/r/artifactory_permission_target.html.markdown
#
# One permission target per entry in local.artifactory_permission_targets.
# Each target binds exactly one group to a repository set with a fixed
# permission list; there are no per-user grants and no `build` scope, so
# effective access is decided entirely by group membership.
resource "artifactory_permission_target" "permission_targets" {
  for_each = local.artifactory_permission_targets

  name = each.value["name"]

  repo {
    repositories = each.value["repositories"]

    actions {
      groups {
        name        = each.value["groups_name"]
        permissions = each.value["permissions"]
      }
    }
  }
}