Add wif permissions to bootstrap tf SA (#2290)

* add wif permissions to bootstrap tf SA
2024-05-20 18:15:23 +02:00
parent 98126f2ab8
commit 79af34b69e
3 changed files with 22 additions and 5 deletions
--- a/fast/stages/0-bootstrap/organization-iam.tf
+++ b/fast/stages/0-bootstrap/organization-iam.tf
@@ -108,6 +108,7 @@ locals {
      additive = concat(
        [
          "roles/iam.organizationRoleAdmin",
+          "roles/iam.workforcePoolAdmin",
          "roles/orgpolicy.policyAdmin"
        ],
        local.billing_mode != "org" ? [] : [
@@ -126,6 +127,7 @@ locals {
        [
          # the organizationAdminViewer custom role is granted via the SA module
          "roles/iam.organizationRoleViewer",
+          "roles/iam.workforcePoolViewer",
          "roles/orgpolicy.policyViewer"
        ],
        local.billing_mode != "org" ? [] : [
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -92,6 +92,12 @@ values:
    - group:gcp-security-admins@fast.example.com
    org_id: '123456789012'
    role: roles/iam.securityReviewer
+  module.organization.google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]:
+    condition: [ ]
+    members:
+      - group:gcp-organization-admins@fast.example.com
+    org_id: '123456789012'
+    role: roles/iam.workforcePoolAdmin
  module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
    condition: []
    members:
@@ -295,6 +301,16 @@ values:
    member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
    org_id: '123456789012'
    role: roles/iam.organizationRoleViewer
+  ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+  : condition: [ ]
+    member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/iam.workforcePoolAdmin
+  ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+  : condition: [ ]
+    member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/iam.workforcePoolViewer
  ? module.organization.google_organization_iam_member.bindings["roles/logging.configWriter-group:gcp-security-admins@fast.example.com"]
  : condition: []
    member: group:gcp-security-admins@fast.example.com
@@ -366,7 +382,7 @@ counts:
  google_org_policy_policy: 22
  google_organization_iam_binding: 28
  google_organization_iam_custom_role: 7
-  google_organization_iam_member: 36
+  google_organization_iam_member: 38
  google_project: 3
  google_project_iam_audit_config: 1
  google_project_iam_binding: 19
@@ -383,4 +399,4 @@ counts:
  google_tags_tag_key: 1
  google_tags_tag_value: 1
  modules: 18
-  resources: 205
+  resources: 207
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -35,7 +35,6 @@ values:
    - group:gcp-support@example.com
    org_id: '123456789012'
    role: roles/monitoring.viewer
-counts:
 counts:
  google_bigquery_dataset: 1
  google_bigquery_default_service_account: 3
@@ -46,7 +45,7 @@ counts:
  google_org_policy_policy: 22
  google_organization_iam_binding: 28
  google_organization_iam_custom_role: 7
-  google_organization_iam_member: 23
+  google_organization_iam_member: 25
  google_project: 3
  google_project_iam_audit_config: 1
  google_project_iam_binding: 19
@@ -64,7 +63,7 @@ counts:
  google_tags_tag_value: 1
  local_file: 8
  modules: 17
-  resources: 197
+  resources: 199

 outputs:
  custom_roles: