kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added 2 IAM roles for pf SA and updated test (#3333)

Browse Source 
* Added 2 IAM roles for pf SA and updated test

* Updated role grant with condition
This commit is contained in:
fenyvesi-levi
2025-09-17 15:37:07 +02:00
committed by GitHub
parent dc24cd10b6
commit 4102e53588
4 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
fast/stages/0-org-setup/README.md
View File

@@ -635,5 +635,5 @@ Define values for the `var.environments` variable in a tfvars file.
| [iam_principals](outputs.tf#L17) | IAM principals. | |
| [locations](outputs.tf#L22) | Default locations. | |
| [projects](outputs.tf#L27) | Attributes for managed projects. | |
| [tfvars](outputs.tf#L32) | Stage tfvars. | |
| [tfvars](outputs.tf#L32) | Stage tfvars. | |
<!-- END TFDOC -->

12
fast/stages/0-org-setup/data/folders/networking/.config.yaml
View File

@@ -31,6 +31,7 @@ iam_by_principals:
- $custom_roles:service_project_network_admin
$iam_principals:service_accounts/iac-0/iac-pf-ro:
- roles/compute.viewer
- $custom_roles:project_iam_viewer
iam_bindings:
dp_dev_rw:
members:
@@ -48,3 +49,14 @@ iam_bindings:
title: Data platform dev network viewer.
expression: |
resource.matchTag('${organization.id}/environment', 'development')
project_factory:
role: roles/resourcemanager.projectIamAdmin
members:
- $iam_principals:service_accounts/iac-0/iac-pf-rw
condition:
title: Project factory delegated IAM grant.
expression: |
api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',
'roles/container.hostServiceAgentUser', 'roles/vpcaccess.user'
])

1
fast/stages/0-org-setup/outputs.tf
View File

@@ -32,4 +32,5 @@ output "projects" {
output "tfvars" {
description = "Stage tfvars."
value = local.of_tfvars
sensitive = true
}

4
tests/fast/stages/s0_org_setup/not-simple.yaml
View File

@@ -2619,7 +2619,7 @@ counts:
google_bigquery_default_service_account: 1
google_billing_account_iam_member: 5
google_folder: 8
google_folder_iam_binding: 38
google_folder_iam_binding: 40
google_iam_workload_identity_pool: 1
google_iam_workload_identity_pool_provider: 1
google_logging_organization_settings: 1
@@ -2648,5 +2648,5 @@ counts:
google_tags_tag_value_iam_binding: 4
local_file: 9
modules: 43
resources: 286
resources: 288
terraform_data: 2