From 6c9ed9460233a19b8d256be300739cb37d63b00a Mon Sep 17 00:00:00 2001
From: lopezvit
Date: Wed, 6 May 2026 17:23:42 +0300
Subject: [PATCH] Fix custom_roles not permeating when used in dns zone IAM (#3938)

Co-authored-by: Ludovico Magnocavallo
---
 fast/stages/2-networking/factory-dns.tf | 10 ++++++----
 .../dns/zones/net-core-0/pub-child.yaml | 5 +++++
 .../stages/s2_networking/dns_delegations.tfvars | 3 +++
 .../stages/s2_networking/dns_delegations.yaml | 17 ++++++++++++++++-
 4 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/fast/stages/2-networking/factory-dns.tf b/fast/stages/2-networking/factory-dns.tf
index cc93c2f61..1ad478192 100644
--- a/fast/stages/2-networking/factory-dns.tf
+++ b/fast/stages/2-networking/factory-dns.tf
@@ -133,8 +133,9 @@ module "dns-zones" {
   zone_config = each.value.zone_config
   recordsets = each.value.recordsets
   context = {
-    project_ids = local.ctx_projects.project_ids
-    networks = local.ctx_vpcs.self_links
+    custom_roles = local.ctx.custom_roles
+    project_ids = local.ctx_projects.project_ids
+    networks = local.ctx_vpcs.self_links
   }
   depends_on = [module.vpc-factory]
 }
@@ -146,8 +147,9 @@ module "dns-delegations" {
   name = replace(each.key, "/", "-")
   recordsets = each.value
   context = {
-    project_ids = local.ctx_projects.project_ids
-    networks = local.ctx_vpcs.self_links
+    custom_roles = local.ctx.custom_roles
+    project_ids = local.ctx_projects.project_ids
+    networks = local.ctx_vpcs.self_links
   }
   depends_on = [module.dns-zones]
 }
diff --git a/tests/fast/stages/s2_networking/data-testdns-delegation/dns/zones/net-core-0/pub-child.yaml b/tests/fast/stages/s2_networking/data-testdns-delegation/dns/zones/net-core-0/pub-child.yaml
index c45cab687..480243180 100644
--- a/tests/fast/stages/s2_networking/data-testdns-delegation/dns/zones/net-core-0/pub-child.yaml
+++ b/tests/fast/stages/s2_networking/data-testdns-delegation/dns/zones/net-core-0/pub-child.yaml
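Review bot: The `context` map is now hand-copied into both `module "dns-zones"` and `module "dns-delegations"` (the two hunks in factory-dns.tf are identical), which is exactly the duplication that let `custom_roles` go missing from one path before this fix; the next context key added will have the same chance of drifting. Hoisting the map into one local and passing `context = local.dns_context` in both modules removes that failure mode; the `locals` block it would live in is outside these hunks, so I can't tell whether one already exists. Both `module` blocks open on their hunk's function-context line, so the edit is limited to the two `context = { … }` stanzas. I'd also add a one-line comment on the local noting that the DNS factories resolve `$custom_roles:` keys through it, since `local.ctx.custom_roles` comes from a differently named local than the other two entries and a reader may otherwise not see why it belongs there.
```hcl
locals {
  # Interpolation context shared by both DNS factories; keep the key set in one
  # place so $custom_roles:/$project_ids:/$networks: resolve identically in zones
  # and delegations.
  dns_context = {
    custom_roles = local.ctx.custom_roles
    project_ids  = local.ctx_projects.project_ids
    networks     = local.ctx_vpcs.self_links
  }
}
# … unchanged: module "dns-zones" and module "dns-delegations" bodies, each with
#   context = local.dns_context
```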
@@ -9,3 +9,8 @@ domain: child.example.com.
 public:
   dnssec_config:
     state: "off"
+iam:
+  roles/dns.reader:
+    - serviceAccount:config-plane-dev-rw@fast-config-plane-dev.iam.gserviceaccount.com
+  $custom_roles:dns_resource_record_sets_adder:
+    - serviceAccount:config-plane-dev-rw@fast-config-plane-dev.iam.gserviceaccount.com
diff --git a/tests/fast/stages/s2_networking/dns_delegations.tfvars b/tests/fast/stages/s2_networking/dns_delegations.tfvars
index 11c1903d5..a6a8eebc0 100644
--- a/tests/fast/stages/s2_networking/dns_delegations.tfvars
+++ b/tests/fast/stages/s2_networking/dns_delegations.tfvars
@@ -4,6 +4,9 @@ automation = {
 billing_account = {
   id = "000000-111111-222222"
 }
+custom_roles = {
+  dns_resource_record_sets_adder = "organizations/123456789012/roles/DNSResourceRecordSetsAdder"
+}
 factories_config = {
   dataset = "./data-testdns-delegation"
   paths = {
diff --git a/tests/fast/stages/s2_networking/dns_delegations.yaml b/tests/fast/stages/s2_networking/dns_delegations.yaml
index 5876f56a4..970035f3d 100644
--- a/tests/fast/stages/s2_networking/dns_delegations.yaml
+++ b/tests/fast/stages/s2_networking/dns_delegations.yaml
@@ -17,15 +17,18 @@ counts:
   google_compute_route: 3
   google_compute_shared_vpc_host_project: 1
   google_compute_subnetwork: 1
+  google_dns_keys: 1
   google_dns_managed_zone: 4
+  google_dns_managed_zone_iam_binding: 2
   google_dns_record_set: 3
+  google_logging_project_settings: 1
   google_project: 1
   google_project_iam_member: 8
   google_project_service: 10
   google_project_service_identity: 8
   google_storage_bucket_object: 2
   modules: 9
-  resources: 46
+  resources: 48
   terraform_data: 2
 values:
   module.dns-delegations["net-core-0/pub-parent"].google_dns_record_set.dns_record_set["NS child.example.com."]:
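Review bot: This fixture only exercises `$custom_roles:` resolution on the zone path (pub-child.yaml is consumed by `module.dns-zones`, and the expected bindings in dns_delegations.yaml are both keyed `module.dns-zones[...]`), while the second factory-dns.tf hunk threads `custom_roles` into `module "dns-delegations"` as well, and that path has no fixture or expectation at all. From the hunk I can only see that `dns-delegations` receives `recordsets = each.value`, so I can't tell whether it accepts IAM; if it does, a delegation fixture with an `iam:` block using a `$custom_roles:` key would cover the second half of the fix, and if it does not, the extra context key there is unused and worth a comment saying so. I'd also add a one-line comment above `iam:` here, e.g. `# probe: $custom_roles must resolve through the factory context (see #3938)`, so the next person trimming fixtures knows why both a builtin and a custom role are granted to the same member.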
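Review bot: Two of the new count lines, `google_dns_keys: 1` and `google_logging_project_settings: 1`, are not explained by anything else in this commit — the fixture and tfvars hunks add only IAM bindings and a custom-role id — so they look like drift picked up when the inventory was regenerated rather than an effect of the fix. The totals do not line up on their face either (four new counted entries, but `resources` moves 46→48); I can't tell from here whether `resources` excludes data sources, which would account for it. Confirming that those two entries come from the current module/provider baseline, and ideally landing the unrelated inventory delta as its own commit, keeps this expectation file meaningful as a regression check for the custom-role binding it is meant to pin.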
@@ -49,3 +52,15 @@ values:
       routing_policy: []
       ttl: 300
       type: DS
+  module.dns-zones["net-core-0/pub-child"].google_dns_managed_zone_iam_binding.iam_bindings["$custom_roles:dns_resource_record_sets_adder"]:
+    condition: []
+    members:
+      - serviceAccount:config-plane-dev-rw@fast-config-plane-dev.iam.gserviceaccount.com
+    project: fast-prod-net-core-0
+    role: organizations/123456789012/roles/DNSResourceRecordSetsAdder
+  module.dns-zones["net-core-0/pub-child"].google_dns_managed_zone_iam_binding.iam_bindings["roles/dns.reader"]:
+    condition: []
+    members:
+      - serviceAccount:config-plane-dev-rw@fast-config-plane-dev.iam.gserviceaccount.com
+    project: fast-prod-net-core-0
+    role: roles/dns.reader