add support for service agents to project factory service accounts IAM (#3830)
committed by
GitHub
parent
a6b98bac28
commit
534fd4faf0
@@ -281,6 +281,7 @@ Assuming keys of the form `my_folder`, `my_project`, `my_sa`, etc. this is an ex
|
||||
- `$folder_ids:my_folder`
|
||||
- `$iam_principals:my_principal`
|
||||
- `$iam_principals:service_accounts/my_project/my_sa`
|
||||
- `$iam_principals:service_agents/_self_/my_api`
|
||||
- `$iam_principals:service_agents/my_project/my_api`
|
||||
- `$iam_principalsets:service_accounts/all`
|
||||
- `$kms_keys:my_key`
|
||||
@@ -633,18 +634,22 @@ iam:
|
||||
service_accounts:
|
||||
app-0-be:
|
||||
display_name: "Backend instances."
|
||||
# assign roles on different projects
|
||||
iam_project_roles:
|
||||
$project_ids:dev-spoke-0:
|
||||
- roles/compute.networkUser
|
||||
# assign roles on this project projects
|
||||
iam_self_roles:
|
||||
- roles/logging.logWriter
|
||||
- roles/monitoring.metricWriter
|
||||
tag_bindings:
|
||||
context: $tag_values:context/project-factory
|
||||
# this is just for illustrative/test purposes
|
||||
# assign roles on this service account
|
||||
iam:
|
||||
roles/iam.serviceAccountUser:
|
||||
- $iam_principals:service_accounts/_self_/app-0-fe
|
||||
- $iam_principals:service_agents/_self_/compute
|
||||
- $iam_principals:service_agents/dev-tb-app0-0/compute
|
||||
iam_bindings_additive:
|
||||
test:
|
||||
role: roles/iam.serviceAccountUser
|
||||
|
||||
@@ -117,6 +117,8 @@ module "service_accounts-iam" {
|
||||
local.ctx.iam_principals,
|
||||
local.projects_sas_iam_emails,
|
||||
local.automation_sas_iam_emails,
|
||||
local.projects_service_agents,
|
||||
lookup(local.per_project_service_agents, each.value.project_key, {}),
|
||||
lookup(local.self_sas_iam_emails, each.value.project_key, {})
|
||||
)
|
||||
service_account_ids = merge(
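Review bot: The merge precedence of the new principal maps is not the same here as in the `projects-iam` hunk at -167: in this hunk `local.projects_service_agents` is merged before the two `lookup(...)` entries, while in `projects-iam` it is merged last and so wins on any duplicate key. The README keys suggest the cross-project map uses `service_agents/<project>/<api>` and the per-project one `service_agents/_self_/<api>`, so no collision is visible today, but the divergent ordering invites a precedence surprise later; I would use one order in both modules, e.g. move `local.projects_service_agents,` after the two `lookup(...)` lines here. A short comment on the `lookup(local.per_project_service_agents, each.value.project_key, {})` line noting that a missing project key yields an empty map rather than an error would also help, since it means an unresolvable `$iam_principals:service_agents/_self_/<api>` reference is only caught by whatever the downstream module does with the unexpanded string — worth confirming that fails loudly. The `module "service_accounts-iam"` block starts and ends outside this hunk.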
|
||||
|
||||
@@ -63,6 +63,12 @@ locals {
|
||||
}
|
||||
]...) : k => v
|
||||
})
|
||||
per_project_service_agents = {
|
||||
for k, v in module.projects : k => {
|
||||
for kk, vv in v.service_agents :
|
||||
"service_agents/_self_/${kk}" => vv.iam_email
|
||||
}
|
||||
}
|
||||
project_ids = {
|
||||
for k, v in module.projects : k => v.project_id
|
||||
}
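Review bot: `per_project_service_agents` carries no comment explaining its shape or why its keys are prefixed with `_self_`, which is the only non-obvious part of this local. I would add above its declaration: `# per-project map of service agent IAM emails keyed as service_agents/_self_/<api>, merged into each project's (and its service accounts') iam_principals so a project can reference its own agents`, adjusting wording to the file's style. It would also be worth stating that `v.service_agents` presumably lists only the agents the projects module exposes for that project, so a reference to any other agent cannot resolve here — confirm against the projects module output before asserting it. The enclosing `locals` block starts before this hunk and continues past it.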
|
||||
@@ -167,6 +173,7 @@ module "projects-iam" {
|
||||
kms_keys = merge(local.ctx.kms_keys, local.kms_keys)
|
||||
iam_principals = merge(
|
||||
local.ctx_iam_principals,
|
||||
lookup(local.per_project_service_agents, each.key, {}),
|
||||
lookup(local.self_sas_iam_emails, each.key, {}),
|
||||
local.projects_service_agents
|
||||
)
|
||||
|
||||
@@ -934,8 +934,6 @@ values:
|
||||
timeouts: null
|
||||
? module.project-factory.module.service_accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountUser"]
|
||||
: condition: []
|
||||
members:
|
||||
- serviceAccount:app-0-fe@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
|
||||
role: roles/iam.serviceAccountUser
|
||||
? module.project-factory.module.service_accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.additive["$service_account_ids:_self_/app-0-fe-roles/iam.serviceAccountUser"]
|
||||
: condition: []
|
||||
|
||||