Move org policies lower in the project factory dependency chain to support extended context (#3937)

* module project-factory: include project in conditional_var context for org policies

* module project-factory: include project and folder ids in the condition_vars context used by org policies

- Move project org policies (explicit and factory) to projects-iam invocation.
- Move folder org policies (explicit and factory) to folder-X-iam invocations (levels 1-4).
- Inject folder_ids into projects-iam condition_vars and pass resolved folders.
- Update and regenerate test inventories (example.yaml, simple.yaml, hardened.yaml).

TAG=agy
CONV=e0f45850-ab01-4600-a2b6-4de62465c204

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Luca Prete
2026-05-06 14:48:08 +02:00
committed by GitHub
parent 26dbaa2d6e
commit 04e64c4ae2
5 changed files with 119 additions and 84 deletions


@@ -65,9 +65,8 @@ module "folder-1" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if contains(["org_policies", "scc_sha_custom_modules"], k)
if contains(["scc_sha_custom_modules"], k)
}
org_policies = lookup(each.value, "org_policies", {})
pam_entitlements = lookup(each.value, "pam_entitlements", {})
assured_workload_config = lookup(each.value, "assured_workload_config", null)
logging_settings = anytrue([
@@ -87,6 +86,7 @@ module "folder-1-iam" {
id = module.folder-1[each.key].id
asset_feeds = lookup(each.value, "asset_feeds", {})
asset_search = lookup(each.value, "asset_search", {})
org_policies = lookup(each.value, "org_policies", {})
# we do anything that can refer to IAM and custom roles in this call
factories_config = {
for k, v in lookup(each.value, "factories_config", {}) : k => try(pathexpand(
@@ -94,7 +94,7 @@ module "folder-1-iam" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if contains(["pam_entitlements"], k)
if contains(["pam_entitlements", "org_policies"], k)
}
autokey_config = lookup(each.value, "autokey_config", null)
contacts = lookup(each.value, "contacts", {})
@@ -137,9 +137,8 @@ module "folder-2" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if contains(["org_policies", "scc_sha_custom_modules"], k)
if contains(["scc_sha_custom_modules"], k)
}
org_policies = lookup(each.value, "org_policies", {})
pam_entitlements = lookup(each.value, "pam_entitlements", {})
assured_workload_config = lookup(each.value, "assured_workload_config", null)
logging_settings = anytrue([
@@ -164,6 +163,7 @@ module "folder-2-iam" {
id = module.folder-2[each.key].id
asset_feeds = lookup(each.value, "asset_feeds", {})
asset_search = lookup(each.value, "asset_search", {})
org_policies = lookup(each.value, "org_policies", {})
# we do anything that can refer to IAM and custom roles in this call
factories_config = {
for k, v in lookup(each.value, "factories_config", {}) : k => try(pathexpand(
@@ -171,7 +171,7 @@ module "folder-2-iam" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if contains(["pam_entitlements"], k)
if contains(["pam_entitlements", "org_policies"], k)
}
autokey_config = lookup(each.value, "autokey_config", null)
contacts = lookup(each.value, "contacts", {})
@@ -217,9 +217,8 @@ module "folder-3" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if contains(["org_policies", "scc_sha_custom_modules"], k)
if contains(["scc_sha_custom_modules"], k)
}
org_policies = lookup(each.value, "org_policies", {})
pam_entitlements = lookup(each.value, "pam_entitlements", {})
assured_workload_config = lookup(each.value, "assured_workload_config", null)
logging_settings = anytrue([
@@ -244,6 +243,7 @@ module "folder-3-iam" {
id = module.folder-3[each.key].id
asset_feeds = lookup(each.value, "asset_feeds", {})
asset_search = lookup(each.value, "asset_search", {})
org_policies = lookup(each.value, "org_policies", {})
# we do anything that can refer to IAM and custom roles in this call
factories_config = {
for k, v in lookup(each.value, "factories_config", {}) : k => try(pathexpand(
@@ -251,7 +251,7 @@ module "folder-3-iam" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if contains(["pam_entitlements"], k)
if contains(["pam_entitlements", "org_policies"], k)
}
autokey_config = lookup(each.value, "autokey_config", null)
contacts = lookup(each.value, "contacts", {})
@@ -297,9 +297,8 @@ module "folder-4" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if contains(["org_policies", "scc_sha_custom_modules"], k)
if contains(["scc_sha_custom_modules"], k)
}
org_policies = lookup(each.value, "org_policies", {})
pam_entitlements = lookup(each.value, "pam_entitlements", {})
assured_workload_config = lookup(each.value, "assured_workload_config", null)
logging_settings = anytrue([
@@ -324,6 +323,7 @@ module "folder-4-iam" {
id = module.folder-4[each.key].id
asset_feeds = lookup(each.value, "asset_feeds", {})
asset_search = lookup(each.value, "asset_search", {})
org_policies = lookup(each.value, "org_policies", {})
# we do anything that can refer to IAM and custom roles in this call
factories_config = {
for k, v in lookup(each.value, "factories_config", {}) : k => try(pathexpand(
@@ -331,7 +331,7 @@ module "folder-4-iam" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if contains(["pam_entitlements"], k)
if contains(["pam_entitlements", "org_policies"], k)
}
autokey_config = lookup(each.value, "autokey_config", null)
contacts = lookup(each.value, "contacts", {})
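Review bot: The comment `# we do anything that can refer to IAM and custom roles in this call` above each folder-X-iam `factories_config` no longer describes that filter once `org_policies` is added to it (`if contains(["pam_entitlements", "org_policies"], k)`), since org policy files do not reference IAM or custom roles; per the commit description they move here so their conditions can use the folder and project ids resolved by the first invocation. I would reword it in all four level blocks to `# IAM/custom roles, PAM entitlements and org policies are applied in this call: anything that needs the context resolved by the first folder invocation`. It is also worth noting in that comment that folder org policies (both the explicit `org_policies` argument and the factory) are now applied one module invocation later than the folder itself, so anyone adding a new factory key knows which pass it belongs in. The folder-N-iam module blocks start and end outside these hunks.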


@@ -146,6 +146,7 @@ module "projects" {
? v :
"${var.factories_config.basepath}/${v}"
), null)
if k != "org_policies"
}
kms_autokeys = try(each.value.kms.autokeys, {})
labels = merge(
@@ -157,7 +158,6 @@ module "projects" {
logging_metrics = try(each.value.logging_metrics, null)
logging_sinks = try(each.value.logging_sinks, {})
notification_channels = try(each.value.notification_channels, null)
org_policies = each.value.org_policies
quotas = each.value.quotas
services = distinct(concat(
each.value.services,
@@ -173,10 +173,11 @@ module "projects" {
}
module "projects-iam" {
source = "../project"
for_each = local.projects_input
name = each.value.name
prefix = each.value.prefix
source = "../project"
for_each = local.projects_input
name = each.value.name
prefix = each.value.prefix
org_policies = each.value.org_policies
project_reuse = {
use_data_source = false
attributes = {
@@ -186,11 +187,21 @@ module "projects-iam" {
}
}
context = merge(local.ctx, {
condition_vars = merge(
local.ctx.condition_vars, {
folder_ids = {
for k, v in local.ctx_folder_ids : replace(k, "$folder_ids:", "") => v
}
projects = {
for k, v in module.projects : k => v.project_id
}
}
)
tag_vars = {
projects = merge(try(local.ctx.tag_vars.projects, {}), local.tag_vars_projects)
organization = try(local.ctx.tag_vars.organization, {})
}
folder_ids = local.ctx.folder_ids
folder_ids = local.ctx_folder_ids
kms_keys = merge(local.ctx.kms_keys, local.kms_keys)
iam_principals = merge(
local.ctx_iam_principals,
@@ -208,6 +219,11 @@ module "projects-iam" {
factories_config = {
# we do anything that can refer to IAM and custom roles in this call
pam_entitlements = try(each.value.factories_config.pam_entitlements, null)
org_policies = lookup(each.value.factories_config, "org_policies", null) == null ? null : try(pathexpand(
var.factories_config.basepath == null || startswith(each.value.factories_config.org_policies, "/") || startswith(each.value.factories_config.org_policies, ".")
? each.value.factories_config.org_policies :
"${var.factories_config.basepath}/${each.value.factories_config.org_policies}"
), null)
}
iam = lookup(each.value, "iam", {})
iam_bindings = lookup(each.value, "iam_bindings", {})
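Review bot: The new `org_policies` path resolution in the projects-iam `factories_config` guards with `lookup(each.value.factories_config, "org_policies", null)` while the `pam_entitlements` line beside it uses `try(each.value.factories_config.pam_entitlements, null)`; if `local.projects_input` can ever carry a null or non-map `factories_config` (not visible here), `lookup()` errors where `try()` does not, so I would align them: `org_policies = try(each.value.factories_config.org_policies, null) == null ? null : pathexpand(`. With that null guard in front, the outer `try(pathexpand(...), null)` is redundant and fails open: a path that cannot be resolved silently becomes `null` and the project's org policy factory is skipped with no plan error, so I would drop the `try` wrapper so a misconfigured path surfaces at plan time rather than as a project with no policies. The same `basepath` prefixing expression appears in the `module "projects"` filter and in the folder factories; a shared local would keep them in step. The `module "projects-iam"` block starts and ends outside this hunk.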