From 71b7c68ca258fb81ec90e28cffa15d2fa0f2c08f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Thu, 28 Aug 2025 19:52:49 +0000
Subject: [PATCH] fix missing conditions in top-level-folders IAM
---
 .../1-resman/data/top-level-folders/teams.yaml | 1 +
 fast/stages/1-resman/stage-2.tf | 8 +++++---
 fast/stages/1-resman/top-level-folders.tf | 6 ++++--
 tests/fast/stages/s1_resman/simple.yaml | 14 +++++++++++++-
 4 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/fast/stages/1-resman/data/top-level-folders/teams.yaml b/fast/stages/1-resman/data/top-level-folders/teams.yaml
index 1d32de85d..227e47639 100644
--- a/fast/stages/1-resman/data/top-level-folders/teams.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/teams.yaml
@@ -36,6 +36,7 @@ iam_bindings:
 description: Allow to check buckets and contact policies
 expression: |
 resource.matchTag('${organization.id}/${tag_names.context}', 'project-factory')
+ # don't create a context tag since this uses the pf tag
 is_fast_context: false
 tag_bindings:
diff --git a/fast/stages/1-resman/stage-2.tf b/fast/stages/1-resman/stage-2.tf
index ed1e395d7..139bd9357 100644
--- a/fast/stages/1-resman/stage-2.tf
+++ b/fast/stages/1-resman/stage-2.tf
@@ -185,13 +185,15 @@ module "stage2-folder" {
 members = [
 for m in v.members : lookup(local.principals_iam, m, m)
 ]
- role = lookup(var.custom_roles, v.role, v.role)
+ role = lookup(var.custom_roles, v.role, v.role)
+ condition = v.condition
 })
 }
 iam_bindings_additive = {
 for k, v in each.value.folder_config.iam_bindings_additive : k => merge(v, {
- member = lookup(local.principals_iam, v.member, v.member)
- role = lookup(var.custom_roles, v.role, v.role)
+ member = lookup(local.principals_iam, v.member, v.member)
+ role = lookup(var.custom_roles, v.role, v.role)
+ condition = v.condition
 })
 }
 iam_by_principals = {
diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf
index 2f4b62010..0e7b753f3 100644
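Review bot: `condition = v.condition` passes the YAML condition through verbatim, while the sibling `members` and `role` attributes on the same lines are resolved via `lookup(local.principals_iam, …)` and `lookup(var.custom_roles, …)`; nothing in this hunk, nor in the two `top-level-folders.tf` hunks that make the same change, substitutes the `${organization.id}`/`${tag_names.context}` placeholders used in `teams.yaml`. The expected plan added to `tests/fast/stages/s1_resman/simple.yaml` in this same patch shows the `pf_viewer` binding reaching `google_folder_iam_binding` with the literal `${organization.id}/${tag_names.context}` in its expression, which suggests no downstream interpolation happens either. If that is what gets applied, `resource.matchTag` can never match an existing tag, so the conditional `organizationAdminViewer` grant is silently ineffective rather than tag-scoped, and no plan-time error would reveal it. Either resolve the expression against the same context values used for members and roles before handing it to the module, or, if the folder module does template it, update the fixture so the expected value shows the resolved organization id and tag key. The enclosing `for` expressions and the `merge(v, {` of the first binding start above the hunk.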
--- a/fast/stages/1-resman/top-level-folders.tf
+++ b/fast/stages/1-resman/top-level-folders.tf
@@ -100,7 +100,8 @@ module "top-level-folder" {
 ? module.top-level-sa[each.key].iam_email
 : lookup(local.top_level_sa, member, member)
 ]
- role = lookup(var.custom_roles, v.role, v.role)
+ role = lookup(var.custom_roles, v.role, v.role)
+ condition = v.condition
 }
 }
 iam_bindings_additive = {
@@ -110,7 +111,8 @@ module "top-level-folder" {
 ? module.top-level-sa[each.key].iam_email
 : lookup(local.principals_iam, v.member, v.member)
 )
- role = lookup(var.custom_roles, v.role, v.role)
+ role = lookup(var.custom_roles, v.role, v.role)
+ condition = v.condition
 })
 }
 iam_by_principals = {
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml
index 5e0f4b4b1..e6ab16d82 100644
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
 counts:
 google_folder: 16
 google_folder_iam_binding: 72
@@ -32,6 +33,18 @@ counts:
 resources: 271
 values:
+ module.top-level-folder["teams"].google_folder_iam_binding.bindings["pf_viewer"]:
+ condition:
+ - description: Allow to check buckets and contact policies
+ expression: 'resource.matchTag(''${organization.id}/${tag_names.context}'',
+ ''project-factory'')
+
+ '
+ title: project-factory-scoped
+ members:
+ - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
+ role: organizations/123456789012/roles/organizationAdminViewer
+
 google_storage_bucket_object.workflows["2-project-factory"]:
 bucket: fast2-prod-iac-core-outputs
 content: "# Copyright 2025 Google LLC\n#\n# Licensed under the Apache License,\
@@ -160,4 +173,3 @@ outputs:
 secops-rw: fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
 security-ro: fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
 security-rw: fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
-