Implement proper support for data access logs in resource manager modules (#1497)

* organization module * rename iam_bindings_authoritative to iam_policy, fix tests * add support for data access logs and iam policy to folder module * test inventories * add support for data access logs and iam policy to project module
2023-07-10 10:08:02 +02:00
parent 438a3134e2
commit 551dc581e8
26 changed files with 611 additions and 137 deletions
--- a/modules/folder/iam.tf
+++ b/modules/folder/iam.tf
@@ -63,3 +63,34 @@ resource "google_folder_iam_member" "additive" {
  role   = each.value.role
  member = each.value.member
 }
+
+resource "google_folder_iam_policy" "authoritative" {
+  count       = var.iam_policy != null ? 1 : 0
+  folder      = local.folder.name
+  policy_data = data.google_iam_policy.authoritative.0.policy_data
+}
+
+data "google_iam_policy" "authoritative" {
+  count = var.iam_policy != null ? 1 : 0
+  dynamic "binding" {
+    for_each = try(var.iam_policy, {})
+    content {
+      role    = binding.key
+      members = binding.value
+    }
+  }
+  dynamic "audit_config" {
+    for_each = var.logging_data_access
+    content {
+      service = audit_config.key
+      dynamic "audit_log_configs" {
+        for_each = audit_config.value
+        iterator = config
+        content {
+          log_type         = config.key
+          exempted_members = config.value
+        }
+      }
+    }
+  }
+}