Context improvements: "all service accounts" principal in folder, org, project modules; custom roles in factory condition vars for FAST stage 0 (#3548)

* iam principalsets * fix folder * add custom roles to factory condition vars in stage 0 * project shared vpc IAM
2025-11-24 09:28:41 +01:00
parent 5ee09daddc
commit 10e29e1eeb
11 changed files with 51 additions and 21 deletions
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -1655,7 +1655,8 @@ module "project" {
  }
  iam = {
    "roles/editor" = [
-      module.project.service_agents.cloudservices.iam_email
+      module.project.service_agents.cloudservices.iam_email,
+      "$iam_principalsets:service_accounts/all"
    ]
    "roles/apigee.serviceAgent" = [
      module.project.service_agents.apigee.iam_email
--- a/modules/project/iam.tf
+++ b/modules/project/iam.tf
@@ -38,10 +38,19 @@ locals {
      k if try(index(v, r), null) != null
    ]
  }
-  ctx_iam_principals = merge(local.ctx.iam_principals, {
-    for k, v in local.aliased_service_agents :
-    "$service_agents:${k}" => v.iam_email
-  })
+  ctx_iam_principals = merge(
+    local.ctx.iam_principals,
+    {
+      for k, v in local.aliased_service_agents :
+      "$service_agents:${k}" => v.iam_email
+    },
+    {
+      "$iam_principalsets:service_accounts/all" = format(
+        "principalSet://cloudresourcemanager.googleapis.com/projects/%s/type/ServiceAccount",
+        coalesce(local.project.number, "-")
+      )
+    }
+  )
  custom_role_ids = {
    for k, v in google_project_iam_custom_role.roles :
    # build the string manually so that role IDs can be used as map
--- a/modules/project/shared-vpc.tf
+++ b/modules/project/shared-vpc.tf
@@ -165,7 +165,7 @@ resource "google_project_iam_member" "shared_vpc_host_iam" {
    var.shared_vpc_service_config.host_project
  )
  role   = "roles/compute.networkUser"
-  member = lookup(local.ctx.iam_principals, each.value, each.value)
+  member = lookup(local.ctx_iam_principals, each.value, each.value)
 }

 resource "google_project_iam_member" "shared_vpc_host_iam_additive" {
@@ -179,7 +179,7 @@ resource "google_project_iam_member" "shared_vpc_host_iam_additive" {
    local.ctx.custom_roles, each.value.role, each.value.role
  )
  member = lookup(
-    local.ctx.iam_principals, each.value.member, each.value.member
+    local.ctx_iam_principals, each.value.member, each.value.member
  )
  dynamic "condition" {
    for_each = each.value.condition == null ? [] : [""]
@@ -225,6 +225,6 @@ resource "google_compute_subnetwork_iam_member" "shared_vpc_host_subnets_iam" {
  subnetwork = each.value.subnet
  role       = "roles/compute.networkUser"
  member = lookup(
-    local.ctx.iam_principals, each.value.member, each.value.member
+    local.ctx_iam_principals, each.value.member, each.value.member
  )
 }