add missing role for pf ro account (#2683)
committed by
GitHub
parent
8c02ff0780
commit
aa30e33618
@@ -267,18 +267,18 @@ terraform apply
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | <code title="object({ outputs_bucket = string project_id = string project_number = string federated_identity_pool = string federated_identity_providers = map(object({ audiences = list(string) issuer = string issuer_uri = string name = string principal_branch = string principal_repo = string })) service_accounts = object({ resman-r = string }) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object({ id = string is_org_level = optional(bool, true) no_iam = optional(bool, false) })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [logging](variables-fast.tf#L97) | Logging configuration for tenants. | <code title="object({ project_id = string log_sinks = optional(map(object({ filter = string type = string })), {}) })">object({…})</code> | ✓ | | <code>1-tenant-factory</code> |
|
||||
| [organization](variables-fast.tf#L110) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables-fast.tf#L128) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object({ organization_admin_viewer = string service_project_network_admin = string storage_viewer = string gcve_network_admin = optional(string) gcve_network_viewer = optional(string) network_firewall_policies_admin = optional(string) ngfw_enterprise_admin = optional(string) ngfw_enterprise_viewer = optional(string) })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [logging](variables-fast.tf#L98) | Logging configuration for tenants. | <code title="object({ project_id = string log_sinks = optional(map(object({ filter = string type = string })), {}) })">object({…})</code> | ✓ | | <code>1-tenant-factory</code> |
|
||||
| [organization](variables-fast.tf#L111) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [prefix](variables-fast.tf#L129) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>0-bootstrap</code> |
|
||||
| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | <code title="object({ organization_admin_viewer = string project_iam_viewer = string service_project_network_admin = string storage_viewer = string gcve_network_admin = optional(string) gcve_network_viewer = optional(string) network_firewall_policies_admin = optional(string) ngfw_enterprise_admin = optional(string) ngfw_enterprise_viewer = optional(string) })">object({…})</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [environment_names](variables.tf#L20) | Long environment names. | <code title="object({ dev = string prod = string })">object({…})</code> | | <code title="{ dev = "development" prod = "production" }">{…}</code> | |
|
||||
| [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | <code title="object({ org_policies = optional(string, "data/org-policies") stage_3 = optional(string, "data/stage-3") top_level_folders = optional(string, "data/top-level-folders") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | <code title="object({ networking = optional(object({ enabled = optional(bool, true) short_name = optional(string, "net") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) parent_id = optional(string) type = optional(string, "github") }) })) folder_config = optional(object({ create_env_folders = optional(bool, true) iam_by_principals = optional(map(list(string)), {}) name = optional(string, "Networking") parent_id = optional(string) }), {}) }), {}) network_security = optional(object({ enabled = optional(bool, false) short_name = optional(string, "nsec") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) parent_id = optional(string) type = optional(string, "github") }) })) }), {}) project_factory = optional(object({ enabled = optional(bool, true) short_name = optional(string, "pf") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) }), {}) security = optional(object({ enabled = optional(bool, true) short_name = optional(string, "sec") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) folder_config = optional(object({ create_env_folders = optional(bool, false) iam_by_principals = optional(map(list(string)), {}) name = optional(string, "Security") parent_id = optional(string) }), {}) }), {}) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [fast_stage_3](variables-stages.tf#L97) | FAST stages 3 configurations. | <code title="map(object({ short_name = string environment = optional(string, "dev") cicd_config = optional(object({ identity_provider = string repository = object({ name = string branch = optional(string) type = optional(string, "github") }) })) folder_config = optional(object({ name = string iam_by_principals = optional(map(list(string)), {}) parent_id = optional(string) tag_bindings = optional(map(string), {}) })) organization_iam = optional(object({ context_tag_value = string sa_roles = object({ ro = optional(list(string), []) rw = optional(list(string), []) }) })) stage2_iam = optional(object({ networking = optional(object({ iam_admin_delegated = optional(bool, false) sa_roles = optional(object({ ro = optional(list(string), []) rw = optional(list(string), []) }), {}) }), {}) security = optional(object({ iam_admin_delegated = optional(bool, false) sa_roles = optional(object({ ro = optional(list(string), []) rw = optional(list(string), []) }), {}) }), {}) }), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [groups](variables-fast.tf#L69) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [locations](variables-fast.tf#L84) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "EU") gcs = optional(string, "EU") logging = optional(string, "global") pubsub = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [groups](variables-fast.tf#L70) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object({ gcp-billing-admins = optional(string, "gcp-billing-admins") gcp-devops = optional(string, "gcp-devops") gcp-network-admins = optional(string, "gcp-vpc-network-admins") gcp-organization-admins = optional(string, "gcp-organization-admins") gcp-security-admins = optional(string, "gcp-security-admins") })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [locations](variables-fast.tf#L85) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object({ bq = optional(string, "EU") gcs = optional(string, "EU") logging = optional(string, "global") pubsub = optional(list(string), []) })">object({…})</code> | | <code>{}</code> | <code>0-bootstrap</code> |
|
||||
| [outputs_location](variables.tf#L43) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [root_node](variables-fast.tf#L134) | Root node for the hierarchy, if running in tenant mode. | <code>string</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [root_node](variables-fast.tf#L135) | Root node for the hierarchy, if running in tenant mode. | <code>string</code> | | <code>null</code> | <code>0-bootstrap</code> |
|
||||
| [tag_names](variables.tf#L49) | Customized names for resource management tags. | <code title="object({ context = optional(string, "context") environment = optional(string, "environment") })">object({…})</code> | | <code>{}</code> | |
|
||||
| [tags](variables.tf#L63) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | <code title="map(object({ name = string parent_id = optional(string) automation = optional(object({ enable = optional(bool, true) environment_name = optional(string, "prod") sa_impersonation_principals = optional(list(string), []) short_name = optional(string) }), {}) contacts = optional(map(list(string)), {}) firewall_policy = optional(object({ name = string policy = string })) is_fast_context = optional(bool, true) logging_data_access = optional(map(map(list(string))), {}) logging_exclusions = optional(map(string), {}) logging_settings = optional(object({ disable_default_sink = optional(bool) storage_location = optional(string) })) logging_sinks = optional(map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) type = string })), {}) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_by_principals = optional(map(list(string)), {}) org_policies = optional(map(object({ inherit_from_parent = optional(bool) # for list policies only. 
reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) })), {}) tag_bindings = optional(map(string), {}) }))">map(object({…}))</code> | | <code>{}</code> | |
|
||||
|
||||
@@ -96,6 +96,9 @@ module "net-folder" {
|
||||
(var.custom_roles.service_project_network_admin) = [
|
||||
module.pf-sa-rw[0].iam_email
|
||||
]
|
||||
(var.custom_roles.project_iam_viewer) = [
|
||||
module.pf-sa-ro[0].iam_email
|
||||
]
|
||||
"roles/compute.networkViewer" = [
|
||||
module.pf-sa-ro[0].iam_email
|
||||
]
|
||||
|
||||
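Review bot: The new `(var.custom_roles.project_iam_viewer)` key relies on a custom role that is only present in the stage-0 outputs once 0-bootstrap has been re-applied with the matching change, and neither this hunk nor the variables-fast.tf hunk that adds `project_iam_viewer = string` says so; a tfvars file from an older bootstrap run will presumably stop at variable validation with a missing-attribute error instead of pointing at the stage dependency. Suggest a comment beside the binding, `# custom role exported by 0-bootstrap; re-apply stage 0 before this change`, or the same sentence in the `custom_roles` description. The sec-folder hunk repeats the identical `pf-sa-ro[0]` viewer binding, so a shared local would keep the two folders from drifting, although both `iam` maps begin outside their hunks. The `module.pf-sa-ro[0]` index appears to assume the project-factory stage is enabled, as the pre-existing `pf-sa-rw[0]` references in the same map already do; the `module "net-folder"` block starts before the hunk, so whether that guard exists cannot be confirmed from here.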
@@ -60,6 +60,9 @@ module "sec-folder" {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
module.pf-sa-rw[0].iam_email
|
||||
]
|
||||
(var.custom_roles.project_iam_viewer) = [
|
||||
module.pf-sa-ro[0].iam_email
|
||||
]
|
||||
"roles/cloudkms.viewer" = [
|
||||
module.pf-sa-ro[0].iam_email
|
||||
]
|
||||
|
||||
@@ -55,6 +55,7 @@ variable "custom_roles" {
|
||||
description = "Custom roles defined at the org level, in key => id format."
|
||||
type = object({
|
||||
organization_admin_viewer = string
|
||||
project_iam_viewer = string
|
||||
service_project_network_admin = string
|
||||
storage_viewer = string
|
||||
gcve_network_admin = optional(string)
|
||||
|
||||