Allow granting network user role on host project from project module and factory (#1930)

* Update shared vpc config for project factory and project module for more granular Shared VPC configuration --------- Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2023-12-15 14:39:21 +01:00
parent db31c1b8aa
commit c50b732c79
9 changed files with 217 additions and 33 deletions
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -303,9 +303,11 @@ variable "shared_vpc_service_config" {
  # the list of valid service identities is in service-agents.yaml
  type = object({
    host_project                = string
+    network_users               = optional(list(string), [])
    service_identity_iam        = optional(map(list(string)), {})
    service_identity_subnet_iam = optional(map(list(string)), {})
    service_iam_grants          = optional(list(string), [])
+    network_subnet_users        = optional(map(list(string)), {})
  })
  default = {
    host_project = null
@@ -314,10 +316,13 @@ variable "shared_vpc_service_config" {
  validation {
    condition = var.shared_vpc_service_config.host_project != null || (
      var.shared_vpc_service_config.host_project == null &&
+      length(var.shared_vpc_service_config.network_users) == 0 &&
      length(var.shared_vpc_service_config.service_iam_grants) == 0 &&
-      length(var.shared_vpc_service_config.service_iam_grants) == 0
+      length(var.shared_vpc_service_config.service_identity_iam) == 0 &&
+      length(var.shared_vpc_service_config.service_identity_subnet_iam) == 0 &&
+      length(var.shared_vpc_service_config.network_subnet_users) == 0
    )
-    error_message = "You need to provide host_project when providing service_identity_iam or service_iam_grants"
+    error_message = "You need to provide host_project when providing Shared VPC host and subnet IAM permissions."
  }
 }