clarify some admin bindings via comments (#663)

Ludovico Magnocavallo
2022-06-05 19:48:26 +02:00
committed by GitHub
parent fa321fc67c
commit 8040a4538c


@@ -63,13 +63,15 @@ locals {
]
# use additive to support cross-org roles for billing
"roles/iam.organizationRoleAdmin" = [
# uncomment if roles/owner is removed to organization admins
# local.groups.gcp-organization-admins,
local.groups_iam.gcp-security-admins,
module.automation-tf-bootstrap-sa.iam_email
]
"roles/orgpolicy.policyAdmin" = [
module.automation-tf-resman-sa.iam_email,
local.groups_iam.gcp-organization-admins,
local.groups_iam.gcp-security-admins,
local.groups_iam.gcp-organization-admins
module.automation-tf-resman-sa.iam_email
]
},
local.billing_org ? {
@@ -126,6 +128,9 @@ module "organization" {
"roles/compute.osAdminLogin",
"roles/compute.osLoginExternalUser",
"roles/owner",
# granted via additive roles
# roles/iam.organizationRoleAdmin
# roles/orgpolicy.policyAdmin
"roles/resourcemanager.folderAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/resourcemanager.projectCreator",
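Review bot: The new comment `# roles/iam.organizationRoleAdmin` under `# granted via additive roles` contradicts the first hunk, where the additive `roles/iam.organizationRoleAdmin` entry for `local.groups_iam.gcp-organization-admins` is commented out, so that group (assuming this list is the organization admins' authoritative binding, since the enclosing map key is outside the hunk) currently holds that role only through the `roles/owner` grant two lines above. An inaccurate note here matters because it is the only record of which principals keep custom-role administration once `roles/owner` is dropped, as the first hunk's `# uncomment if ...` comment anticipates; suggest `# roles/iam.organizationRoleAdmin (implied by roles/owner; additive grant currently commented out)` and keep `# roles/orgpolicy.policyAdmin` as is, since that additive binding is active. Separately, the first hunk's `# uncomment if roles/owner is removed to organization admins` reads as "removed from organization admins". The enclosing `module "organization"` block starts and ends outside this hunk.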