Introduce iam_by_principals_conditional (#3649)
* Introduce iam_by_principals_conditional * Add iam_by_principals_conditional to project factory * Update IAM ADR * Update project factory readme * Sync FAST schemas * Update organization schema * Add resman tests for iam_by_principals_conditional * Update PF project-defaults.tf * Update copyright
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2026 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -140,6 +140,9 @@ module "organization-iam" {
|
||||
iam_by_principals = lookup(
|
||||
local.organization, "iam_by_principals", {}
|
||||
)
|
||||
iam_by_principals_conditional = lookup(
|
||||
local.organization, "iam_by_principals_conditional", {}
|
||||
)
|
||||
iam_bindings = lookup(
|
||||
local.organization, "iam_bindings", {}
|
||||
)
|
||||
|
||||
@@ -179,6 +179,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
@@ -453,6 +456,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_billing_roles": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||
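Review bot: The `condition` object requires `expression` and `title` but constrains them only to `"type": "string"`, so an entry with `"expression": ""` or `"title": ""` passes schema validation and the mistake surfaces only when the IAM binding is applied; adding `"minLength": 1` to both properties would catch it at validation time, and the same applies to the copies of this definition in the later `$defs` hunks. The principal key pattern also differs between what appear to be copies of the same definition: this hunk accepts `\\$iam_principals:` with any suffix, the hunk at `@@ -527,6 +530,48 @@` accepts any `\\$[a-z_-]+:` substitution, and the `@@ -1204,6 +1207,48 @@` hunks restrict it to `\\$iam_principals:[a-z0-9_-]+`, so a key accepted at one level can be rejected at another. If the variants are intentional (different substitution namespaces per level), a short `"description"` on each `iam_by_principals_conditional` definition stating which substitutions it resolves would make the difference deliberate rather than drift. The enclosing `$defs` object starts and ends outside the hunk.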
@@ -88,6 +88,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"iam_by_principals_additive": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
@@ -527,6 +530,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:\\$[a-z_-]+:|domain:|group:|serviceAccount:|user:|principal:|principalSet:)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"pam_entitlements": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||
@@ -210,6 +210,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"iam_by_principals_additive": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
@@ -1204,6 +1207,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_billing_roles": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||
@@ -179,6 +179,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
@@ -453,6 +456,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_billing_roles": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||
@@ -210,6 +210,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"iam_by_principals_additive": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
@@ -1204,6 +1207,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_billing_roles": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||
@@ -179,6 +179,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
@@ -453,6 +456,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_billing_roles": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||
@@ -210,6 +210,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"iam_by_principals_additive": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
@@ -1204,6 +1207,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_billing_roles": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||
@@ -179,6 +179,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
@@ -453,6 +456,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_billing_roles": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||
@@ -210,6 +210,9 @@
|
||||
"iam_by_principals": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"$ref": "#/$defs/iam_by_principals_conditional"
|
||||
},
|
||||
"iam_by_principals_additive": {
|
||||
"$ref": "#/$defs/iam_by_principals"
|
||||
},
|
||||
@@ -1204,6 +1207,48 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_by_principals_conditional": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"patternProperties": {
|
||||
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"condition",
|
||||
"roles"
|
||||
],
|
||||
"properties": {
|
||||
"condition": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"required": [
|
||||
"expression",
|
||||
"title"
|
||||
],
|
||||
"properties": {
|
||||
"expression": {
|
||||
"type": "string"
|
||||
},
|
||||
"title": {
|
||||
"type": "string"
|
||||
},
|
||||
"description": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roles": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"pattern": "^(?:roles/|\\$custom_roles:)"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"iam_billing_roles": {
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
|
||||