Context improvements: "all service accounts" principal in folder, org, project modules; custom roles in factory condition vars for FAST stage 0 (#3548)

* iam principalsets

* fix folder

* add custom roles to factory condition vars in stage 0

* project shared vpc IAM
This commit is contained in:
Ludovico Magnocavallo
2025-11-24 09:28:41 +01:00
committed by GitHub
parent 5ee09daddc
commit 10e29e1eeb
11 changed files with 51 additions and 21 deletions


@@ -24,6 +24,12 @@ locals {
k if try(index(v, r), null) != null
]
}
ctx_iam_principals = merge(local.ctx.iam_principals, {
"$iam_principalsets:service_accounts/all" = format(
"principalSet://cloudresourcemanager.googleapis.com/folders/%s/type/ServiceAccount",
coalesce(try(split("/", local.folder_id)[1], null), "-")
)
})
iam = {
for role in distinct(concat(keys(var.iam), keys(local._iam_principals))) :
role => concat(
@@ -52,7 +58,7 @@ resource "google_folder_iam_binding" "authoritative" {
role = lookup(local.ctx.custom_roles, each.key, each.key)
members = [
for v in each.value :
lookup(local.ctx.iam_principals, v, v)
lookup(local.ctx_iam_principals, v, v)
]
}
@@ -61,7 +67,7 @@ resource "google_folder_iam_binding" "bindings" {
folder = local.folder_id
role = lookup(local.ctx.custom_roles, each.value.role, each.value.role)
members = [
for v in each.value.members : lookup(local.ctx.iam_principals, v, v)
for v in each.value.members : lookup(local.ctx_iam_principals, v, v)
]
dynamic "condition" {
for_each = each.value.condition == null ? [] : [""]
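Review bot: The `coalesce(..., "-")` fallback in the new `ctx_iam_principals` local means a `local.folder_id` that cannot be split on `/` yields `principalSet://cloudresourcemanager.googleapis.com/folders/-/type/ServiceAccount`, which names no real folder and would only be rejected when the binding is applied rather than at plan time. Dropping the fallback so the `try` error surfaces, or guarding the consumer with a `precondition`, would make that failure visible earlier; this is hedged, since the `-` may be intentional for a case not shown here. The principal set is a dynamic one that matches every service account under the folder, including ones created after the binding, so the key deserves a comment such as `# Expands to every service account under this folder, present or future.`. The `locals` block that holds this local starts and ends outside the hunk.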


@@ -52,7 +52,7 @@ resource "google_folder_iam_audit_config" "default" {
log_type = audit_log_config.key
exempted_members = [
for m in try(audit_log_config.value.exempted_members, []) :
lookup(local.ctx.iam_principals, m, m)
lookup(local.ctx_iam_principals, m, m)
]
}
}
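Review bot: Resolving `exempted_members` through `local.ctx_iam_principals` lets a single `$iam_principalsets:service_accounts/all` entry exempt every service account in the folder, present and future, from the selected audit log type, which is a far larger logging gap than an explicit member list and easy to miss in review. A comment at the list, e.g. `# principal-set shortcuts expand to all matching identities, including future ones`, and a `validation` on the input that rejects the all-service-accounts shortcut for exemptions would keep audit coverage from shrinking silently. It is also worth confirming that `google_folder_iam_audit_config` accepts `principalSet://` members; if it does not, the lookup passes an unusable value through with no plan-time signal. The enclosing resource body continues outside the hunk.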


@@ -70,7 +70,7 @@ resource "google_privileged_access_manager_entitlement" "default" {
eligible_users {
principals = [
for u in each.value.eligible_users : lookup(local.ctx.iam_principals, u, u)
for u in each.value.eligible_users : lookup(local.ctx_iam_principals, u, u)
]
}
@@ -113,7 +113,7 @@ resource "google_privileged_access_manager_entitlement" "default" {
content {
approvers {
principals = [
for a in step.value.approvers : lookup(local.ctx.iam_principals, a, a)
for a in step.value.approvers : lookup(local.ctx_iam_principals, a, a)
]
}
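Review bot: In the `eligible_users` hunk, `local.ctx_iam_principals` now lets `$iam_principalsets:service_accounts/all` be an eligible requester, so every service account in the folder, including ones created later, can request the entitlement; the same shortcut in the `approvers` hunk could make the requester and approver populations overlap. A short comment at the `eligible_users` list, e.g. `# principal-set shortcuts expand to all current and future matching identities`, would make that scope explicit to whoever writes the entitlement. Whether the Privileged Access Manager API accepts `principalSet://` principals should be confirmed, as the lookup otherwise forwards the value unchanged. The `google_privileged_access_manager_entitlement` resource extends beyond both hunks.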