Add support for group-based IAM to resource management modules (#229)

* group_iam support for organization * group_iam support for folder * fix typo in variable description * add group_iam to project module * update project module README
2021-04-11 14:48:16 +02:00
parent 7154e2cee6
commit f8413cc98e
12 changed files with 206 additions and 96 deletions
--- a/tests/modules/organization/fixture/main.tf
+++ b/tests/modules/organization/fixture/main.tf
@@ -18,6 +18,7 @@ module "test" {
  source                      = "../../../../modules/organization"
  organization_id             = "organizations/1234567890"
  custom_roles                = var.custom_roles
+  group_iam                   = var.group_iam
  iam                         = var.iam
  iam_additive                = var.iam_additive
  iam_additive_members        = var.iam_additive_members
--- a/tests/modules/organization/fixture/variables.tf
+++ b/tests/modules/organization/fixture/variables.tf
@@ -19,6 +19,11 @@ variable "custom_roles" {
  default = {}
 }

+variable "group_iam" {
+  type    = map(list(string))
+  default = {}
+}
+
 variable "iam" {
  type    = map(list(string))
  default = {}
--- a/tests/modules/organization/test_plan.py
+++ b/tests/modules/organization/test_plan.py
@@ -30,6 +30,32 @@ def test_audit_config(plan_runner):
  assert log_types == set(['DATA_READ', 'DATA_WRITE'])


+def test_iam(plan_runner):
+  "Test IAM."
+  group_iam = (
+      '{'
+      '"owners@example.org" = ["roles/owner", "roles/resourcemanager.folderAdmin"],'
+      '"viewers@example.org" = ["roles/viewer"]'
+      '}'
+  )
+  iam = (
+      '{'
+      '"roles/owner" = ["user:one@example.org", "user:two@example.org"],'
+      '"roles/browser" = ["domain:example.org"]'
+      '}'
+  )
+  _, resources = plan_runner(FIXTURES_DIR, group_iam=group_iam, iam=iam)
+  roles = sorted([(r['values']['role'], sorted(r['values']['members']))
+                  for r in resources if r['type'] == 'google_organization_iam_binding'])
+  assert roles == [
+      ('roles/browser', ['domain:example.org']),
+      ('roles/owner', ['group:owners@example.org', 'user:one@example.org',
+       'user:two@example.org']),
+      ('roles/resourcemanager.folderAdmin', ['group:owners@example.org']),
+      ('roles/viewer', ['group:viewers@example.org']),
+  ]
+
+
 def test_iam_additive_members(plan_runner):
  "Test IAM additive members."
  iam = (
@@ -126,7 +152,7 @@ def test_firweall_policy(plan_runner):
  assert len(resources) == 4

  policies = [r for r in resources
-           if r['type'] == 'google_compute_organization_security_policy']
+              if r['type'] == 'google_compute_organization_security_policy']
  assert len(policies) == 1

  rules = [r for r in resources
@@ -146,16 +172,16 @@ def test_firweall_policy(plan_runner):
    rule_values.append((name, index, action, direction, priority, config))

  assert sorted(rule_values) == sorted([
-    ('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100,[
-      {
-        'dest_ip_ranges': None,
-        'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}],
-        'src_ip_ranges': ['10.0.0.0/8']
-      }]),
-    ('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [
-      {
-        'dest_ip_ranges': ['192.168.0.0/24'],
-        'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}],
-        'src_ip_ranges': None
-      }])
+      ('rule', 'policy1-allow-ingress', 'allow', 'INGRESS', 100, [
+          {
+              'dest_ip_ranges': None,
+              'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['22']}],
+              'src_ip_ranges': ['10.0.0.0/8']
+          }]),
+      ('rule', 'policy1-deny-egress', 'deny', 'EGRESS', 200, [
+          {
+              'dest_ip_ranges': ['192.168.0.0/24'],
+              'layer4_config': [{'ip_protocol': 'tcp', 'ports': ['443']}],
+              'src_ip_ranges': None
+          }])
  ])