kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add PAM support (#3438)

Browse Source 
* PAM first pass

* Add factory and extend to organization

* Extend to project, add examples

* Add additionalProperties to all objects

* Fix boilerplate

* Expose pam_entitlements to project-factory

* Fix readme

* Move entitlements to second folder/project pass

* extend tests

* Fix readme

* Remove timeouts from inventories
This commit is contained in:
Julio Castillo
2025-10-20 14:50:37 +02:00
committed by GitHub
parent 0759cf5454
commit 48f6b4cd49
36 changed files with 1962 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
modules/project-factory/projects.tf
View File

@@ -73,7 +73,13 @@ module "projects" {
})
default_service_account = try(each.value.default_service_account, "keep")
descriptive_name = try(each.value.descriptive_name, null)
factories_config = { for k, v in each.value.factories_config : k => v if k != "observability" }
factories_config = {
custom_roles = try(each.value.factories_config.custom_roles, null)
org_policies = try(each.value.factories_config.org_policies, null)
quotas = try(each.value.factories_config.quotas, null)
scc_sha_custom_modules = try(each.value.factories_config.scc_sha_custom_modules, null)
tags = try(each.value.factories_config.tags, null)
}
labels = merge(
each.value.labels, var.data_merges.labels
)
@@ -118,11 +124,16 @@ module "projects-iam" {
kms_keys = local.ctx.kms_keys
iam_principals = local.ctx_iam_principals
})
factories_config = { for k, v in each.value.factories_config : k => v if k == "observability" }
factories_config = {
# we do anything that can refer to IAM and custom roles in this call
observability = try(each.value.factories_config.observability, null)
pam_entitlements = try(each.value.factories_config.pam_entitlements, null)
}
iam = lookup(each.value, "iam", {})
iam_bindings = lookup(each.value, "iam_bindings", {})
iam_bindings_additive = lookup(each.value, "iam_bindings_additive", {})
iam_by_principals = lookup(each.value, "iam_by_principals", {})
pam_entitlements = try(each.value.pam_entitlements, {})
service_agents_config = {
create_primary_agents = false
grant_default_roles = false