From e4f55fb7ff372e8ae406ee253547863b52160183 Mon Sep 17 00:00:00 2001
From: karpok78
Date: Mon, 10 Feb 2025 00:55:54 +0100
Subject: [PATCH] Add bucket IAM policy read (#2872)

Allow the Project factory read only SA to retrieve buckets IAM policy for buckets created by the PF
---
 .../data/custom-roles/organization_admin_viewer.yaml | 1 +
 .../stages/1-resman/data/top-level-folders/teams.yaml | 11 ++++++++++-
 tests/fast/stages/s1_resman/simple.yaml | 4 ++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml
index dfef91eab..755fe1a18 100644
--- a/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml
+++ b/fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml
@@ -31,3 +31,4 @@ includedPermissions:
 - resourcemanager.projects.get
 - resourcemanager.projects.getIamPolicy
 - resourcemanager.projects.list
+ - storage.buckets.getIamPolicy
diff --git a/fast/stages/1-resman/data/top-level-folders/teams.yaml b/fast/stages/1-resman/data/top-level-folders/teams.yaml
index 907bdd7b2..1d32de85d 100644
--- a/fast/stages/1-resman/data/top-level-folders/teams.yaml
+++ b/fast/stages/1-resman/data/top-level-folders/teams.yaml
@@ -26,7 +26,16 @@ iam_by_principals:
 - roles/viewer
 - roles/resourcemanager.folderViewer
 - roles/resourcemanager.tagViewer
-
+iam_bindings: pf_viewer: role: organization_admin_viewer members: - project-factory-ro condition: title: project-factory-scoped description: Allow to check buckets and contact policies expression: | resource.matchTag('${organization.id}/${tag_names.context}', 'project-factory')
 # don't create a context tag since this uses the pf tag
 is_fast_context: false
 tag_bindings:
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml
index 1d5d5cc4e..c128a5915 100644
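Review bot: The new `storage.buckets.getIamPolicy` entry widens the shared `organization_admin_viewer` custom role for every principal bound to it, not only the project-factory read-only SA the commit message targets, so the tag condition added in teams.yaml does nothing to narrow this hunk's effect on any other binding of the role. A bucket IAM policy enumerates the principals with access to the data, which is useful reconnaissance for anyone holding a grantee's credentials and is worth keeping out of a broadly held read role if that role is bound anywhere unconditionally. If the wider grant is intended, record the reason inline so it is not silently inherited by future grantees, e.g. `  - storage.buckets.getIamPolicy  # bucket IAM read for the project factory read-only SA (#2872)`; otherwise a dedicated, narrower custom role for the PF SA would avoid widening this one. The `includedPermissions` list starts before this hunk, so I cannot see the rest of the role's permission set.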
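Review bot: The `resource.matchTag` condition on `pf_viewer` only grants the role on a bucket if the tag attribute is evaluated against that bucket, i.e. when the bucket inherits the `project-factory` context tag from its project; for resources where the tag attribute is unavailable the condition should evaluate false (denied) rather than over-grant, so the risk here is the intended read silently not working — worth confirming against a real bucket under a PF project before relying on it. The `description: Allow to check buckets and contact policies` mentions contact policies, yet this commit only adds bucket IAM read and nothing visible in the role shows Essential Contacts permissions; if the role does not carry them, `description: Read bucket IAM policies on project-factory tagged resources` is more accurate. A comment above the binding such as `# permission set lives in 0-bootstrap custom role organization_admin_viewer; scoped here by the project-factory context tag` would help readers locate where the granted permissions are actually defined. The `tag_bindings` mapping continues past the end of the hunk.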
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -14,7 +14,7 @@ counts:
 google_folder: 12
- google_folder_iam_binding: 50
+ google_folder_iam_binding: 51
 google_org_policy_policy: 2
 google_organization_iam_member: 15
 google_project_iam_member: 13
@@ -29,7 +29,7 @@ counts:
 google_tags_tag_value: 12
 google_tags_tag_value_iam_binding: 4
 modules: 32
- resources: 194
+ resources: 195
 outputs:
 cicd_repositories: