Add import snippet for IAM to 0-org-setup

This commit is contained in:
Wiktor Niesiobędzki
2025-12-12 11:53:21 +00:00
parent ab0f55216a
commit 5af6a3ee25

@@ -9,6 +9,7 @@
- [First apply cycle](#first-apply-cycle)
- [Default project](#default-project)
- [Importing org policies](#importing-org-policies)
- [Importing existing organization level IAM bindings](#importing-existing-organization-level-iam-bindings)
- [Local output files storage](#local-output-files-storage)
- [Init and apply the stage](#init-and-apply-the-stage)
- [Provider setup and final apply cycle](#provider-setup-and-final-apply-cycle)
@@ -170,7 +171,7 @@ gcloud config set project [project id]
gcloud services enable \
bigquery.googleapis.com cloudbilling.googleapis.com cloudresourcemanager.googleapis.com \
essentialcontacts.googleapis.com iam.googleapis.com logging.googleapis.com \
orgpolicy.googleapis.com serviceusage.googleapis.com
orgpolicy.googleapis.com serviceusage.googleapis.com
```
#### Importing org policies
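Review bot: the removed and the added `orgpolicy.googleapis.com serviceusage.googleapis.com` lines are identical in content, so this hunk is a whitespace-only touch on the last line of the `gcloud services enable` command; it is unrelated to the IAM import snippet the commit message describes, so either drop it from this change or mention the cleanup in the message.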
@@ -199,6 +200,24 @@ org_policies_imports = [
Once org policies have been imported, the variable definition can be removed from the tfvars file.
#### Importing existing organization level IAM bindings
For brownfield implementations you may need to import existing organization IAM policies. These snippets can help you add existing settings into the YAML file.
Scripts below require [yq](https://github.com/mikefarah/yq/) in at least version 4. It was tested using yq `v4.47.2`.
To create `iam:` part of the `/organization/.config.yaml` file, you can use following snippet:
```shell
gcloud <resource> get-iam-policy <resource name> | yq '.bindings | map({"key": .role, "value": .members}) | from_entries'
```
To create `iam_by_principals:` part of the factory YAML file, you can use following snippet:
```shell
gcloud <resource> get-iam-policy <resource name> | yq '
[.bindings | .[] | .members[] as $member | { "member": $member, "role": .role}] |
group_by(.member) | sort_by(.[0].member) | .[] | { .[0].member: map(.role)}
'
```
#### Local output files storage
Like any other FAST stage, this stage creates output files that contain information about the resources it manages, or provide initial provider and backend configuration for the following stages.
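Review bot: both yq snippets in this hunk drop `.condition` from each binding, and the first one keys the result by `.role` through `from_entries`, so an organization policy that carries conditional bindings (where the same role can appear in several bindings) silently loses the conditions and only one of those bindings' member lists survives. Suggest filtering to unconditional bindings first, e.g. `.bindings | map(select(.condition == null)) | ...`, or stating in the text that conditional bindings have to be carried over by hand. Two smaller points: the second snippet ends in `.[] | { .[0].member: map(.role)}`, which emits one single-key document per principal rather than a single map, so the text should say those entries must be combined under one `iam_by_principals:` key (or the expression should collect them, e.g. with `reduce`); and since the section is about organization-level bindings, showing the concrete `gcloud organizations get-iam-policy <org id>` form instead of `gcloud <resource> get-iam-policy <resource name>` would make the snippet copy-pasteable.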
@@ -746,8 +765,8 @@ This configuration adds Okta to the list of allowed Workload Identity providers
$service_account_ids:iac-0/iac-org-ro:
- roles/iam.workloadIdentityUser
- roles/iam.serviceAccountTokenCreator
iam:
roles/iam.workloadIdentityUser:
iam:
roles/iam.workloadIdentityUser:
- principalSet://iam.googleapis.com/projects/<REPLACE_WITH_IAC_PROJECT_NUMBER>/locations/global/workloadIdentityPools/iac-0/* // Modify this
iac-org-cicd-rw:
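Review bot: the `// Modify this` trailer on the `principalSet://...` line in this hunk is not a YAML comment; inside a block sequence item the whole line is a single scalar, so the placeholder value pasted from this README ends with ` // Modify this` and the binding would never match. Suggest `# Modify this` or a separate `#` comment line above the entry; the same applies to the `iac-org-rw` block in the next hunk.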
@@ -756,8 +775,8 @@ This configuration adds Okta to the list of allowed Workload Identity providers
$service_account_ids:iac-0/iac-org-rw:
- roles/iam.workloadIdentityUser
- roles/iam.serviceAccountTokenCreator
iam:
roles/iam.workloadIdentityUser:
iam:
roles/iam.workloadIdentityUser:
- principalSet://iam.googleapis.com/projects/<REPLACE_WITH_IAC_PROJECT_NUMBER>/locations/global/workloadIdentityPools/iac-0/* // Modify this
```