Ignored condition attribute in IAM tag bindings within the organisation/project modules (#3762)

* fix(modules/organization): conditions ignored in tags

* fix(modules/project): conditions ignored in tags

* fix(modules/project): Tags:1 test skipped due to bad markdown block

---------

Co-authored-by: Julio Castillo <jccb@google.com>
This commit is contained in:
jnahelou
2026-03-18 18:12:46 +01:00
committed by GitHub
parent 1a23853a2c
commit 78e00682f8
6 changed files with 95 additions and 7 deletions


@@ -772,6 +772,15 @@ module "org" {
role = "roles/resourcemanager.tagUser"
member = "group:app2-team@example.org"
}
delegate_user_app2 = {
role = "roles/resourcemanager.tagAdmin"
member = "group:app2-team@example.org"
condition = {
expression = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\"roles/resourcemanager.tagUser\"])"
title = "only_taguser_delegation"
description = "Allow the IaC data service account to grant the tagUser role to any principal on projects it manages."
}
}
}
}
prod = {
@@ -800,7 +809,7 @@ module "org" {
env-prod = module.org.tag_values["environment/prod"].id
}
}
# tftest modules=1 resources=10 inventory=tags.yaml
# tftest modules=1 resources=11 inventory=tags.yaml
```
You can also define network tags, through a dedicated variable *network_tags*:


@@ -221,6 +221,14 @@ resource "google_tags_tag_key_iam_binding" "bindings" {
for v in local.tags[each.value.tag]["iam_bindings"][each.value.binding].members :
lookup(local.ctx.iam_principals, v, v)
]
dynamic "condition" {
for_each = local.tags[each.value.tag]["iam_bindings"][each.value.binding].condition == null ? [] : [""]
content {
expression = local.tags[each.value.tag]["iam_bindings"][each.value.binding].condition.expression
title = local.tags[each.value.tag]["iam_bindings"][each.value.binding].condition.title
description = local.tags[each.value.tag]["iam_bindings"][each.value.binding].condition.description
}
}
}
resource "google_tags_tag_key_iam_member" "bindings" {
@@ -236,6 +244,14 @@ resource "google_tags_tag_key_iam_member" "bindings" {
local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].member,
local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].member
)
dynamic "condition" {
for_each = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].condition == null ? [] : [""]
content {
expression = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].condition.expression
title = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].condition.title
description = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].condition.description
}
}
}
# values
@@ -279,6 +295,14 @@ resource "google_tags_tag_value_iam_binding" "bindings" {
for v in local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].members :
lookup(local.ctx.iam_principals, v, v)
]
dynamic "condition" {
for_each = local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].condition == null ? [] : [""]
content {
expression = local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].condition.expression
title = local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].condition.title
description = local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].condition.description
}
}
}
resource "google_tags_tag_value_iam_member" "bindings" {
@@ -296,6 +320,14 @@ resource "google_tags_tag_value_iam_member" "bindings" {
local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].member,
local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].member
)
dynamic "condition" {
for_each = local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].condition == null ? [] : [""]
content {
expression = local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].condition.expression
title = local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].condition.title
description = local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].condition.description
}
}
}
# bindings
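Review bot: Each of the four new `dynamic "condition"` blocks (in `google_tags_tag_key_iam_binding`, `google_tags_tag_key_iam_member`, `google_tags_tag_value_iam_binding` and `google_tags_tag_value_iam_member`) spells out the full `local.tags[...][each.value.binding]` lookup five times, so a later edit to one path can silently diverge from the others; iterating `for_each` over the condition object itself lets `content` read `condition.value.expression` and friends, as sketched below for the first block. The `== null` guard presumes the binding variable types declare `condition` as an optional attribute defaulting to null; the variable definitions are outside this chunk and should be checked, since a type without the attribute would fail on the lookup rather than fall back to no condition. A further caveat worth a sentence in the variable description: as far as I recall the provider, a conditional `_iam_binding` is authoritative only for the role-plus-condition pair, so it does not remove an unconditional grant of the same role that already exists on the tag.
```terraform
  # … unchanged: members list …
  dynamic "condition" {
    for_each = (
      local.tags[each.value.tag]["iam_bindings"][each.value.binding].condition == null
      ? []
      : [local.tags[each.value.tag]["iam_bindings"][each.value.binding].condition]
    )
    content {
      expression  = condition.value.expression
      title       = condition.value.title
      description = condition.value.description
    }
  }
```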