Fixing typos and adding missing roles for Terraform and CI/CD service… (#3351)

* Fixing typos and adding missing roles for Terraform and CI/CD service accounts in 0-org-setup stage.

* Updated organization schema to allow defining custom roles under iam_by_principals and updated organization.schema.md accordingly.
norbert-loderer
2025-09-23 19:20:21 +00:00
committed by GitHub
parent f1762a5465
commit 2492494c68
7 changed files with 75 additions and 8 deletions


@@ -41,7 +41,7 @@ workflows:
apply: $output_files:providers/0-org-setup
plan: $output_files:providers/0-org-setup-ro
files:
- tfvars/0-boostrap.auto.tfvars.json
- 0-org-setup.auto.tfvars.json
service_accounts:
apply: $iam_principals:service_accounts/iac-0/iac-org-cicd-rw
plan: $iam_principals:service_accounts/iac-0/iac-org-cicd-ro
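Review bot: The new `files:` entry `0-org-setup.auto.tfvars.json` carries no `tfvars/` prefix while the entry it appears to replace (`tfvars/0-boostrap.auto.tfvars.json`) did, so the workflow may look for the tfvars file in a different directory than the one the stage writes it to. If dropping the prefix is intentional, a comment above the list such as `# path relative to the stage output directory` would spare the next reader the same question; otherwise `- tfvars/0-org-setup.auto.tfvars.json` is probably what was meant. Which of the two lines is the old one cannot be told from this rendering, and the enclosing `workflows:` mapping starts before the hunk.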


@@ -46,7 +46,7 @@ output_files:
service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
0-org-setup-ro:
bucket: $storage_buckets:iac-0/iac-org-state
service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
service_account: $iam_principals:service_accounts/iac-0/iac-org-ro
1-vpcsc:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 1-vpcsc
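Review bot: With `0-org-setup-ro` now impersonating `iac-org-ro` instead of `iac-org-rw`, plans through this provider run under the read-only identity, which is the right direction, but that identity then needs read access to `iac-0/iac-org-state`, and if the workflow plans with state locking enabled the GCS backend also has to create and delete the lock object — neither grant is visible in this diff. Worth confirming against the state bucket's IAM, or planning with locking disabled on the read-only path. The enclosing `output_files:` mapping starts before the hunk.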


@@ -76,6 +76,8 @@ iam_by_principals:
- roles/resourcemanager.folderViewer
- roles/resourcemanager.tagViewer
- roles/serviceusage.serviceUsageViewer
- $custom_roles:organization_admin_viewer
- $custom_roles:tag_viewer
$iam_principals:service_accounts/iac-0/iac-networking-rw:
- roles/compute.orgFirewallPolicyAdmin
- roles/compute.xpnAdmin
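Review bot: The two `$custom_roles:` entries are appended under a principal whose key is before the hunk, so the grant target is not visible here; from the test inventory in this commit it appears to be `iac-org-ro`, the read-only identity. The permission sets of `organization_admin_viewer` and `tag_viewer` are not part of this diff either, so it is worth confirming both are limited to get/list-style permissions before attaching them to a read-only service account. A short comment above the first entry, e.g. `# custom role references are resolved through the organization factory`, would help readers unfamiliar with the `$custom_roles:` interpolation that the schema change in this commit enables.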


@@ -130,6 +130,8 @@ buckets:
- $iam_principals:service_accounts/iac-0/iac-security-ro
- $iam_principals:service_accounts/iac-0/iac-pf-ro
- $iam_principals:service_accounts/iac-0/iac-vpcsc-ro
- $iam_principals:service_accounts/iac-0/iac-org-cicd-rw
- $iam_principals:service_accounts/iac-0/iac-org-cicd-ro
service_accounts:
# IaC service accounts for this stage
iac-org-ro:
@@ -142,11 +144,13 @@ service_accounts:
iam_sa_roles:
$service_account_ids:iac-0/iac-org-ro:
- roles/iam.workloadIdentityUser
- roles/iam.serviceAccountTokenCreator
iac-org-cicd-rw:
display_name: IaC service account for org setup CI/CD (read-write).
iam_sa_roles:
$service_account_ids:iac-0/iac-org-rw:
- roles/iam.workloadIdentityUser
- roles/iam.serviceAccountTokenCreator
# IaC service accounts for vpc-sc stage
iac-vpcsc-ro:
display_name: IaC service account for VPC service controls (read-only).
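Review bot: `roles/iam.serviceAccountTokenCreator` on `iac-org-rw` lets `iac-org-cicd-rw` mint access tokens for the read-write stage identity, which is the intended impersonation chain, but the role also carries signBlob/signJwt and OpenID token creation and no narrower predefined role exists; a comment recording that trade-off, e.g. `# tokenCreator is required for CI/CD impersonation; it also grants signBlob/signJwt`, would document why the broader grant is accepted. In the first hunk of this file `iac-org-cicd-rw` is added to a bucket member list whose bound role is before the hunk and whose other members are all `-ro` accounts; if that is the read-only state binding the addition is correct (writes happen as the impersonated `iac-org-rw`), otherwise the rw CI/CD identity gains direct bucket write access it does not need. Which two of the thirteen lines in the second hunk are new is not recoverable from this rendering; this note assumes the two tokenCreator lines.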


@@ -312,7 +312,7 @@
"type": "array",
"items": {
"type": "string",
"pattern": "^roles/"
"pattern": "^(?:roles/|\\$custom_roles:)"
}
}
}
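Review bot: The widened pattern `^(?:roles/|\\$custom_roles:)` only anchors the prefix, so a bare `$custom_roles:` (or bare `roles/`) with nothing after it passes schema validation and fails later at interpolation; requiring a non-empty suffix, `"pattern": "^(?:roles/|\\$custom_roles:).+"`, moves that rejection to validation time. If the pattern is changed, the generated `organization.schema.md` touched in this commit needs regenerating as well. The enclosing `items` object begins before the hunk.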


@@ -94,4 +94,4 @@
<br>*additional properties: false*
- **`^(?:\$[a-z_-]+:|domain:|group:|serviceAccount:|user:|principal:|principalSet:)`**: *array*
- items: *string*
<br>*pattern: ^roles/*
<br>*pattern: ^(?:roles/|\$custom_roles:)*


@@ -544,6 +544,8 @@ values:
members:
- serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
@@ -682,6 +684,11 @@ values:
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/storage.admin
? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]
: condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/projectIamViewer
? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"]
: condition: []
members:
@@ -757,6 +764,31 @@ values:
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/serviceProjectNetworkAdmin
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["project_factory"]:
condition:
- description: null
expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\
\ 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',\n 'roles/container.hostServiceAgentUser',\
\ 'roles/vpcaccess.user'\n])"
title: Project factory delegated IAM grant.
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectIamAdmin
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]:
condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/projectIamViewer
? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
: condition: []
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"]:
condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/cloudkms.viewer
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
condition: []
members:
@@ -797,6 +829,15 @@ values:
members:
- serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/viewer
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.bindings["project_factory"]:
condition:
- description: null
expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\
\ 'roles/cloudkms.cryptoKeyEncrypterDecrypter'\n])"
title: Project factory delegated IAM grant.
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectIamAdmin
? module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"]
: condition: []
members:
@@ -1508,12 +1549,20 @@ values:
timeouts: null
module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].data.google_service_account.service_account[0]:
account_id: iac-org-cicd-ro
? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"]
: condition: []
role: roles/iam.serviceAccountTokenCreator
service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"]
: condition: []
role: roles/iam.workloadIdentityUser
service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].data.google_service_account.service_account[0]:
account_id: iac-org-cicd-rw
? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"]
: condition: []
role: roles/iam.serviceAccountTokenCreator
service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"]
: condition: []
role: roles/iam.workloadIdentityUser
@@ -2187,6 +2236,18 @@ values:
parameters: null
values: []
timeouts: null
module.organization-iam[0].google_organization_iam_binding.authoritative["$custom_roles:organization_admin_viewer"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
org_id: '1234567890'
role: organizations/1234567890/roles/organizationAdminViewer
module.organization-iam[0].google_organization_iam_binding.authoritative["$custom_roles:tag_viewer"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
org_id: '1234567890'
role: organizations/1234567890/roles/tagViewer
module.organization-iam[0].google_organization_iam_binding.authoritative["roles/accesscontextmanager.policyAdmin"]:
condition: []
members:
@@ -2627,7 +2688,7 @@ counts:
google_logging_project_bucket_config: 3
google_org_policy_custom_constraint: 1
google_org_policy_policy: 37
google_organization_iam_binding: 33
google_organization_iam_binding: 35
google_organization_iam_custom_role: 7
google_project: 2
google_project_iam_binding: 14
@@ -2635,7 +2696,7 @@ counts:
google_project_service: 30
google_project_service_identity: 8
google_service_account: 16
google_service_account_iam_member: 2
google_service_account_iam_member: 4
google_storage_bucket: 3
google_storage_bucket_iam_binding: 4
google_storage_bucket_object: 9
@@ -2648,5 +2709,5 @@ counts:
google_tags_tag_value_iam_binding: 4
local_file: 9
modules: 43
resources: 292
terraform_data: 2
resources: 296
terraform_data: 2
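Review bot: The folder IAM entries added to this inventory — the `folder-1-iam["networking"]` and `folder-1-iam["security"]` `authoritative["$custom_roles:project_iam_viewer"]`, `cloudkms` and `bindings["project_factory"]` values — are outside the scope the description gives, and none of the visible `counts` hunks changes `google_folder_iam_binding`, so they look like the inventory catching up with already-planned resources rather than new grants introduced here. A sentence in the description, or a separate commit, would make clear to a later reader that no folder-level access changed. The visible count changes (+2 organization IAM bindings, +2 service account IAM members, +4 resources) are consistent with the org-setup additions in the other files.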