Top level folder factory support for automation SA IAM (#2818)
* Top level folder factory support for automation SA IAM * Fixes iam_bindings and iam_bindings_additive for top-level-folder --------- Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
@@ -18,5 +18,10 @@ name: Sandbox
|
|||||||
automation:
|
automation:
|
||||||
environment_name: dev
|
environment_name: dev
|
||||||
short_name: sbox
|
short_name: sbox
|
||||||
|
# You can create role bindings referring to the automation service account by
|
||||||
|
# referring to it using `self` keyword, per the example below
|
||||||
|
iam:
|
||||||
|
"roles/owner":
|
||||||
|
- self
|
||||||
factories_config:
|
factories_config:
|
||||||
org_policies: data/org-policies/sandbox
|
org_policies: data/org-policies/sandbox
|
||||||
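Review bot: The example binding added under `iam:` grants `roles/owner` on the folder to the automation service account (`self`), the broadest basic role, which also lets that principal change IAM on every resource below the folder; since this is sample data shipped with the repository it will tend to be copied as-is. If the block only exists to demonstrate the `self` keyword, it is worth saying so next to it and pointing readers at least privilege, e.g. extend the comment with `# roles/owner is used here only to illustrate the self keyword; use the narrowest role your automation needs`. The rest of the `Sandbox` definition is outside the hunk.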
|
|||||||
@@ -261,7 +261,7 @@
|
|||||||
"type": "array",
|
"type": "array",
|
||||||
"items": {
|
"items": {
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
|
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -278,7 +278,7 @@
|
|||||||
"type": "array",
|
"type": "array",
|
||||||
"items": {
|
"items": {
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
|
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"role": {
|
"role": {
|
||||||
@@ -318,7 +318,7 @@
|
|||||||
"properties": {
|
"properties": {
|
||||||
"member": {
|
"member": {
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
|
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
|
||||||
},
|
},
|
||||||
"role": {
|
"role": {
|
||||||
"type": "string",
|
"type": "string",
|
||||||
@@ -361,4 +361,4 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
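Review bot: The new `self` alternative inherits the pattern's start-only anchoring, so the schema accepts any member beginning with `self` (`self-foo`, `selfservice`) while the resolution code in this commit special-cases only the exact string `"self"` and passes anything else through literally as an IAM member, where it fails at plan or apply time with a far less useful message. Anchoring just the new alternative, `...|vpcsc|self$)`, keeps schema validation and the Terraform logic in agreement without touching the existing prefix-style alternatives. The same pattern change appears at `@@ -278` and `@@ -318` and needs the same fix.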
@@ -86,19 +86,29 @@ module "top-level-folder" {
|
|||||||
iam = {
|
iam = {
|
||||||
for role, members in each.value.iam :
|
for role, members in each.value.iam :
|
||||||
lookup(var.custom_roles, role, role) => [
|
lookup(var.custom_roles, role, role) => [
|
||||||
for member in members : lookup(local.top_level_sa, member, member)
|
for member in members : (each.value.automation != null && member == "self")
|
||||||
|
? module.top-level-sa[each.key].iam_email
|
||||||
|
: lookup(local.top_level_sa, member, member)
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
iam_bindings = {
|
iam_bindings = {
|
||||||
for k, v in each.value.iam_bindings : k => merge(v, {
|
for k, v in each.value.iam_bindings : k => {
|
||||||
member = lookup(local.top_level_sa, v.member, v.member)
|
members = [
|
||||||
role = lookup(var.custom_roles, v.role, v.role)
|
for member in v.members : (each.value.automation != null && member == "self")
|
||||||
})
|
? module.top-level-sa[each.key].iam_email
|
||||||
|
: lookup(local.top_level_sa, member, member)
|
||||||
|
]
|
||||||
|
role = lookup(var.custom_roles, v.role, v.role)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
iam_bindings_additive = {
|
iam_bindings_additive = {
|
||||||
for k, v in each.value.iam_bindings_additive : k => merge(v, {
|
for k, v in each.value.iam_bindings_additive : k => merge(v, {
|
||||||
member = lookup(local.top_level_sa, v.member, v.member)
|
member = (
|
||||||
role = lookup(var.custom_roles, v.role, v.role)
|
each.value.automation != null && v.member == "self"
|
||||||
|
? module.top-level-sa[each.key].iam_email
|
||||||
|
: lookup(local.top_level_sa, v.member, v.member)
|
||||||
|
)
|
||||||
|
role = lookup(var.custom_roles, v.role, v.role)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
# we don't replace here to avoid dynamic values in keys
|
# we don't replace here to avoid dynamic values in keys
|
||||||
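Review bot: In the `iam_bindings` block the per-key value is now built from scratch as `{ members = [...] role = ... }` rather than `merge(v, {...})`, so any other attribute a binding may carry in the variable type (a `condition`, for instance, if the type defines one) is silently dropped, while `iam_bindings_additive` below still merges and keeps them. Restoring the wrapper, `k => merge(v, {` ... `})`, preserves those attributes and keeps the two blocks parallel. Separately, in all three blocks a `self` member with `automation` left unset falls through to `lookup(local.top_level_sa, member, member)`, so the literal string `self` reaches the IAM provider and surfaces as an opaque apply-time error; a `precondition` or variable `validation` rejecting `self` when `automation == null` would fail at plan with a clear message. The enclosing `module "top-level-folder"` block starts and ends outside the hunk.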
|
|||||||
@@ -108,7 +108,7 @@ values:
|
|||||||
|
|
||||||
counts:
|
counts:
|
||||||
google_folder: 14
|
google_folder: 14
|
||||||
google_folder_iam_binding: 73
|
google_folder_iam_binding: 74
|
||||||
google_org_policy_policy: 2
|
google_org_policy_policy: 2
|
||||||
google_organization_iam_member: 18
|
google_organization_iam_member: 18
|
||||||
google_project_iam_member: 23
|
google_project_iam_member: 23
|
||||||
@@ -123,7 +123,7 @@ counts:
|
|||||||
google_tags_tag_value: 12
|
google_tags_tag_value: 12
|
||||||
google_tags_tag_value_iam_binding: 4
|
google_tags_tag_value_iam_binding: 4
|
||||||
modules: 48
|
modules: 48
|
||||||
resources: 285
|
resources: 286
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
cicd_repositories:
|
cicd_repositories:
|
||||||
|
|||||||