diff --git a/fast/stages/03-gke-multitenant/_module/README.md b/fast/stages/03-gke-multitenant/_module/README.md
index 7afc74d5a..fe14b4634 100644
--- a/fast/stages/03-gke-multitenant/_module/README.md
+++ b/fast/stages/03-gke-multitenant/_module/README.md
@@ -43,9 +43,9 @@ TODO
| [billing_account_id](variables.tf#L27) | Billing account id. | string | ✓ | | |
| [clusters](variables.tf#L63) | | map(object({…})) | ✓ | | |
| [folder_id](variables.tf#L165) | Folder used for the GKE project in folders/nnnnnnnnnnn format. | string | ✓ | | |
-| [nodepools](variables.tf#L201) | | map(map(object({…}))) | ✓ | | |
-| [prefix](variables.tf#L218) | Prefix used for resources that need unique names. | string | ✓ | | |
-| [vpc_config](variables.tf#L230) | Shared VPC project and VPC details. | object({…}) | ✓ | | |
+| [nodepools](variables.tf#L208) | | map(map(object({…}))) | ✓ | | |
+| [prefix](variables.tf#L225) | Prefix used for resources that need unique names. | string | ✓ | | |
+| [vpc_config](variables.tf#L237) | Shared VPC project and VPC details. | object({…}) | ✓ | | |
| [authenticator_security_group](variables.tf#L21) | Optional group used for Groups for GKE. | string | | null | |
| [cluster_defaults](variables.tf#L32) | Default values for optional cluster configurations. | object({…}) | | {…} | |
| [dns_domain](variables.tf#L96) | Domain name used for clusters, prefixed by each cluster name. Leave null to disable Cloud DNS for GKE. | string | | null | |
@@ -54,9 +54,10 @@ TODO
| [fleet_features](variables.tf#L145) | Enable and configue fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | object({…}) | | null | |
| [fleet_workload_identity](variables.tf#L158) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | bool | | true | |
| [group_iam](variables.tf#L170) | Project-level IAM bindings for groups. Use group emails as keys, list of roles as values. | map(list(string)) | | {} | |
-| [labels](variables.tf#L177) | Project-level labels. | map(string) | | {} | |
-| [nodepool_defaults](variables.tf#L183) | | object({…}) | | {…} | |
-| [project_services](variables.tf#L223) | Additional project services to enable. | list(string) | | [] | |
+| [iam](variables.tf#L177) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | |
+| [labels](variables.tf#L184) | Project-level labels. | map(string) | | {} | |
+| [nodepool_defaults](variables.tf#L190) | | object({…}) | | {…} | |
+| [project_services](variables.tf#L230) | Additional project services to enable. | list(string) | | [] | |
## Outputs
diff --git a/fast/stages/03-gke-multitenant/_module/main.tf b/fast/stages/03-gke-multitenant/_module/main.tf
index 3bc2a9cc5..470d40349 100644
--- a/fast/stages/03-gke-multitenant/_module/main.tf
+++ b/fast/stages/03-gke-multitenant/_module/main.tf
@@ -21,6 +21,7 @@ module "gke-project-0" {
parent = var.folder_id
prefix = var.prefix
group_iam = var.group_iam
+ iam = var.iam
labels = var.labels
services = concat(
[
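Review bot: The added `iam = var.iam` forwards bindings that the variable itself documents as authoritative, and nothing at the call site says what that means for members already bound to those roles or for roles that also appear in `group_iam`; an authoritative binding for a role replaces every member not listed, so a role set here while granted elsewhere out-of-band will have those other members removed on the next apply. I would add an inline comment next to the new line, `# authoritative per role: members not listed here lose the role on apply`, and, if the project module merges `iam` and `group_iam` per role (inferred from the two formats, not visible here), say so too. The `gke-project-0` module block starts and ends outside the hunk. The same point applies to the `iam = var.iam` line added in `fast/stages/03-gke-multitenant/dev/main.tf`.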
diff --git a/fast/stages/03-gke-multitenant/_module/variables.tf b/fast/stages/03-gke-multitenant/_module/variables.tf
index 9e2822ccc..15f180785 100644
--- a/fast/stages/03-gke-multitenant/_module/variables.tf
+++ b/fast/stages/03-gke-multitenant/_module/variables.tf
@@ -174,6 +174,13 @@ variable "group_iam" {
nullable = false
}
+variable "iam" {
+ description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format."
+ type = map(list(string))
+ default = {}
+ nullable = false
+}
+
variable "labels" {
description = "Project-level labels."
type = map(string)
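Review bot: The new `iam` variable's description matches the one added in `dev/variables.tf`, but this module's `group_iam`, whose block ends just above the new variable, keeps the old wording (the unchanged README row still reads "Project-level IAM bindings for groups. Use group emails as keys, list of roles as values."), while the dev stage rewrites it as authoritative in `{GROUP_EMAIL => [ROLES]}` format; the two layers now describe the same pass-through differently. I would update the `group_iam` description here to `"Project-level authoritative IAM bindings for groups in {GROUP_EMAIL => [ROLES]} format."` and regenerate the README so both stages agree on what the bindings overwrite. The `group_iam` description line itself lies outside the hunk, so this is inferred from the README context rather than the variable text. For the dev copy, the appended "Use group emails as keys, list of roles as values." sentence now repeats the format already given and could be dropped.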
diff --git a/fast/stages/03-gke-multitenant/dev/README.md b/fast/stages/03-gke-multitenant/dev/README.md
index 6ed71da3a..fb237343a 100644
--- a/fast/stages/03-gke-multitenant/dev/README.md
+++ b/fast/stages/03-gke-multitenant/dev/README.md
@@ -49,10 +49,10 @@ TODO
| [billing_account](variables.tf#L35) | Billing account id and organization id ('nnnnnnnn' or null). | object({…}) | ✓ | | 00-bootstrap |
| [clusters](variables.tf#L75) | | map(object({…})) | ✓ | | |
| [folder_ids](variables.tf#L177) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 01-resman |
-| [host_project_ids](variables.tf#L192) | Host project for the shared VPC. | object({…}) | ✓ | | 02-networking |
-| [nodepools](variables.tf#L224) | | map(map(object({…}))) | ✓ | | |
-| [prefix](variables.tf#L247) | Prefix used for resources that need unique names. | string | ✓ | | |
-| [vpc_self_links](variables.tf#L259) | Self link for the shared VPC. | object({…}) | ✓ | | 02-networking |
+| [host_project_ids](variables.tf#L199) | Host project for the shared VPC. | object({…}) | ✓ | | 02-networking |
+| [nodepools](variables.tf#L231) | | map(map(object({…}))) | ✓ | | |
+| [prefix](variables.tf#L254) | Prefix used for resources that need unique names. | string | ✓ | | |
+| [vpc_self_links](variables.tf#L266) | Self link for the shared VPC. | object({…}) | ✓ | | 02-networking |
| [authenticator_security_group](variables.tf#L29) | Optional group used for Groups for GKE. | string | | null | |
| [cluster_defaults](variables.tf#L44) | Default values for optional cluster configurations. | object({…}) | | {…} | |
| [dns_domain](variables.tf#L108) | Domain name used for clusters, prefixed by each cluster name. Leave null to disable Cloud DNS for GKE. | string | | null | |
@@ -60,11 +60,12 @@ TODO
| [fleet_configmanagement_templates](variables.tf#L122) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} | |
| [fleet_features](variables.tf#L157) | Enable and configue fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | object({…}) | | null | |
| [fleet_workload_identity](variables.tf#L170) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | bool | | true | |
-| [group_iam](variables.tf#L185) | Project-level IAM bindings for groups. Use group emails as keys, list of roles as values. | map(list(string)) | | {} | |
-| [labels](variables.tf#L200) | Project-level labels. | map(string) | | {} | |
-| [nodepool_defaults](variables.tf#L206) | | object({…}) | | {…} | |
-| [outputs_location](variables.tf#L241) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
-| [project_services](variables.tf#L252) | Additional project services to enable. | list(string) | | [] | |
+| [group_iam](variables.tf#L185) | Project-level authoritative IAM bindings for groups in {GROUP_EMAIL => [ROLES]} format. Use group emails as keys, list of roles as values. | map(list(string)) | | {} | |
+| [iam](variables.tf#L192) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | |
+| [labels](variables.tf#L207) | Project-level labels. | map(string) | | {} | |
+| [nodepool_defaults](variables.tf#L213) | | object({…}) | | {…} | |
+| [outputs_location](variables.tf#L248) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
+| [project_services](variables.tf#L259) | Additional project services to enable. | list(string) | | [] | |
## Outputs
diff --git a/fast/stages/03-gke-multitenant/dev/main.tf b/fast/stages/03-gke-multitenant/dev/main.tf
index 09d898d18..5ac7e332f 100644
--- a/fast/stages/03-gke-multitenant/dev/main.tf
+++ b/fast/stages/03-gke-multitenant/dev/main.tf
@@ -21,6 +21,7 @@ module "gke-multitenant" {
billing_account_id = var.billing_account.id
folder_id = var.folder_ids.gke-dev
group_iam = var.group_iam
+ iam = var.iam
labels = merge(var.labels, { environment = "dev" })
prefix = "${var.prefix}-dev"
project_services = var.project_services
diff --git a/fast/stages/03-gke-multitenant/dev/variables.tf b/fast/stages/03-gke-multitenant/dev/variables.tf
index 12f234276..997ba13f2 100644
--- a/fast/stages/03-gke-multitenant/dev/variables.tf
+++ b/fast/stages/03-gke-multitenant/dev/variables.tf
@@ -183,7 +183,14 @@ variable "folder_ids" {
}
variable "group_iam" {
- description = "Project-level IAM bindings for groups. Use group emails as keys, list of roles as values."
+ description = "Project-level authoritative IAM bindings for groups in {GROUP_EMAIL => [ROLES]} format. Use group emails as keys, list of roles as values."
+ type = map(list(string))
+ default = {}
+ nullable = false
+}
+
+variable "iam" {
+ description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format."
type = map(list(string))
default = {}
nullable = false