Allow defining org-level pam_entitlements in 0-org-setup (#3506)

Julio Castillo
2025-11-05 19:27:59 +01:00
committed by GitHub
parent fc538a15cc
commit 002349c35b
5 changed files with 135 additions and 3 deletions


@@ -92,6 +92,9 @@ iam_by_principals:
$iam_principals:service_accounts/iac-0/iac-vpcsc-ro:
- roles/accesscontextmanager.policyReader
- roles/cloudasset.viewer
# Uncomment if you want to use PAM.
# $service_agents:pam:
# - roles/privilegedaccessmanager.serviceAgent
logging:
# disable_default_log_sink: false
storage_location: $locations:primary
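Review bot: The new comment above `$service_agents:pam` only says the grant is optional for PAM in general, while this same commit adds a `pam_entitlements` section to the organization config; a reader enabling entitlements has no hint that this commented-out service-agent role is presumably a prerequisite for them. I would extend the comment to `# Uncomment if you want to use PAM (needed before defining pam_entitlements below).`, hedged because the provider-side requirement is not visible in this diff. It may also be worth noting in the comment that the `$service_agents:` context prefix is resolved by the `service_agents_ctx` local introduced in the Terraform part of this change, so users do not look for it among their own `iam_principals`.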


@@ -141,7 +141,8 @@ module "organization-iam" {
iam_by_principals_additive = lookup(
local.organization, "iam_by_principals_additive", {}
)
logging_sinks = try(local.organization.logging.sinks, {})
logging_sinks = try(local.organization.logging.sinks, {})
pam_entitlements = try(local.organization.pam_entitlements, {})
tags_config = {
force_context_ids = true
}
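Review bot: The added `pam_entitlements = try(local.organization.pam_entitlements, {})` reads a top-level key of `local.organization` with `try`, whereas the neighbouring top-level lookups in this module block use `lookup(local.organization, "<key>", {})` (see `iam_by_principals_additive` just above) and `try` is reserved for nested paths such as `logging.sinks`. For consistency, and so that a misspelled key surfaces as a missing attribute rather than being swallowed by `try`, I would write `pam_entitlements = lookup(local.organization, "pam_entitlements", {})`. The `module "organization-iam"` block starts before this hunk, so other argument conventions in it are not visible here.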


@@ -164,6 +164,9 @@
}
}
},
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
"tags": {
"type": "object",
"additionalProperties": {
@@ -328,6 +331,120 @@
}
}
}
},
"pam_entitlements": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z][a-z0-9-]{0,61}[a-z0-9]$": {
"type": "object",
"properties": {
"max_request_duration": {
"type": "string"
},
"eligible_users": {
"type": "array",
"items": {
"type": "string"
}
},
"privileged_access": {
"type": "array",
"items": {
"type": "object",
"properties": {
"role": {
"type": "string"
},
"condition": {
"type": "string"
}
},
"required": [
"role"
],
"additionalProperties": false
}
},
"requester_justification_config": {
"type": "object",
"properties": {
"not_mandatory": {
"type": "boolean"
},
"unstructured": {
"type": "boolean"
}
},
"additionalProperties": false
},
"manual_approvals": {
"type": "object",
"properties": {
"require_approver_justification": {
"type": "boolean"
},
"steps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"approvers": {
"type": "array",
"items": {
"type": "string"
}
},
"approvals_needed": {
"type": "number"
},
"approver_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"approvers"
],
"additionalProperties": false
}
}
},
"required": [
"require_approver_justification",
"steps"
],
"additionalProperties": false
},
"additional_notification_targets": {
"type": "object",
"properties": {
"admin_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
},
"requester_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
}
},
"additionalProperties": false
}
},
"required": [
"max_request_duration",
"eligible_users",
"privileged_access"
],
"additionalProperties": false
}
}
}
}
}
}
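Review bot: `approvals_needed` in the `manual_approvals.steps` items is declared as `"type": "number"`, which accepts fractional and zero values for what is a count of required approvals; it should be `"type": "integer", "minimum": 1` so the schema rejects `0.5` or `0` before Terraform hands it to the provider. In the same definition `steps` and each step's `approvers` are required but may be empty arrays, which would make the approval requirement vacuous if the provider accepts it; adding `"minItems": 1` to both (and to `eligible_users`) would make the schema enforce what the `required` lists intend — whether the provider itself rejects empty lists is not visible here, so treat that part as a defensive check. `max_request_duration` is a free-form string; if the expected format is fixed (a duration like `3600s`), a `pattern` would catch typos at validation time rather than at apply time.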


@@ -15,11 +15,18 @@
*/
locals {
ctx = {
_ctx = {
for k, v in var.context : k => {
for kk, vv in v : "${local.ctx_p}${k}:${kk}" => vv
} if k != "condition_vars"
}
# add service agents into the iam_principals context namespace
ctx = merge(
local._ctx,
{
iam_principals = merge(local._ctx.iam_principals, local.service_agents_ctx)
}
)
ctx_p = "$"
organization_id_numeric = split("/", var.organization_id)[1]
}
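Review bot: The new `ctx = merge(local._ctx, { iam_principals = merge(local._ctx.iam_principals, local.service_agents_ctx) })` dereferences `local._ctx.iam_principals` directly, so evaluation fails if `var.context` carries no `iam_principals` key; the type of `var.context` is declared outside this hunk, so this is only a problem if that key is optional there. If it is, `merge(try(local._ctx.iam_principals, {}), local.service_agents_ctx)` keeps the merge total. A one-line comment on `_ctx` would also help, since it is now an intermediate value rather than the exported context: `# raw context with the "$<namespace>:" prefix applied; ctx below adds the service-agent principals`.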


@@ -37,4 +37,8 @@ locals {
iam_email = "serviceAccount:${v.email}"
})
}
service_agents_ctx = {
for k, v in local.service_agents :
"$service_agents:${k}" => v.iam_email
}
}
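Review bot: The key expression in the added `service_agents_ctx` hardcodes the `$` prefix as `"$service_agents:${k}"`, while the rest of the context construction derives the prefix from `local.ctx_p` (`"${local.ctx_p}${k}:${kk}"` in the other locals block of this change); if `ctx_p` is ever changed, the service-agent keys would silently diverge from every other namespace. I would write `"${local.ctx_p}service_agents:${k}" => v.iam_email` to keep the two in step. The enclosing `locals {` block begins before this hunk, so I cannot see whether `service_agents` itself is defined with the same conventions.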