Top level folder factory support for automation SA IAM (#2818)

* Top level folder factory support for automation SA IAM * Fixes iam_bindings and iam_bindings_additive for top-level-folder --------- Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2025-01-16 10:32:59 +01:00
parent fcf254dddf
commit 8b31a006c7
4 changed files with 28 additions and 13 deletions
--- a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml
@@ -18,5 +18,10 @@ name: Sandbox
 automation:
  environment_name: dev
  short_name: sbox
+# You can create role bindings referring to the automation service account by
+# referring to it using `self` keyword, per the example below
+iam: 
+  "roles/owner":
+    - self
 factories_config:
  org_policies: data/org-policies/sandbox
--- a/fast/stages/1-resman/schemas/top-level-folder.schema.json
+++ b/fast/stages/1-resman/schemas/top-level-folder.schema.json
@@ -261,7 +261,7 @@
          "type": "array",
          "items": {
            "type": "string",
-            "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
+            "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
          }
        }
      }
@@ -278,7 +278,7 @@
              "type": "array",
              "items": {
                "type": "string",
-                "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
+                "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
              }
            },
            "role": {
@@ -318,7 +318,7 @@
          "properties": {
            "member": {
              "type": "string",
-              "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
+              "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
            },
            "role": {
              "type": "string",
@@ -361,4 +361,4 @@
      }
    }
  }
-}
+}
--- a/fast/stages/1-resman/top-level-folders.tf
+++ b/fast/stages/1-resman/top-level-folders.tf
@@ -86,19 +86,29 @@ module "top-level-folder" {
  iam = {
    for role, members in each.value.iam :
    lookup(var.custom_roles, role, role) => [
-      for member in members : lookup(local.top_level_sa, member, member)
+      for member in members : (each.value.automation != null && member == "self")
+      ? module.top-level-sa[each.key].iam_email
+      : lookup(local.top_level_sa, member, member)
    ]
  }
  iam_bindings = {
-    for k, v in each.value.iam_bindings : k => merge(v, {
-      member = lookup(local.top_level_sa, v.member, v.member)
-      role   = lookup(var.custom_roles, v.role, v.role)
-    })
+    for k, v in each.value.iam_bindings : k => {
+      members = [
+        for member in v.members : (each.value.automation != null && member == "self")
+        ? module.top-level-sa[each.key].iam_email
+        : lookup(local.top_level_sa, member, member)
+      ]
+      role = lookup(var.custom_roles, v.role, v.role)
+    }
  }
  iam_bindings_additive = {
    for k, v in each.value.iam_bindings_additive : k => merge(v, {
-      member = lookup(local.top_level_sa, v.member, v.member)
-      role   = lookup(var.custom_roles, v.role, v.role)
+      member = (
+        each.value.automation != null && v.member == "self"
+        ? module.top-level-sa[each.key].iam_email
+        : lookup(local.top_level_sa, v.member, v.member)
+      )
+      role = lookup(var.custom_roles, v.role, v.role)
    })
  }
  # we don't replace here to avoid dynamic values in keys
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -108,7 +108,7 @@ values:

 counts:
  google_folder: 14
-  google_folder_iam_binding: 73
+  google_folder_iam_binding: 74
  google_org_policy_policy: 2
  google_organization_iam_member: 18
  google_project_iam_member: 23
@@ -123,7 +123,7 @@ counts:
  google_tags_tag_value: 12
  google_tags_tag_value_iam_binding: 4
  modules: 48
-  resources: 285
+  resources: 286

 outputs:
  cicd_repositories: