Support context interpolation for PAM email recipients (#3903)

This commit is contained in:
Ludovico Magnocavallo
2026-04-24 18:29:31 +02:00
committed by GitHub
parent d22320fe62
commit fb33752d8d
5 changed files with 88 additions and 15 deletions


@@ -117,8 +117,15 @@ resource "google_privileged_access_manager_entitlement" "default" {
]
}
approvals_needed = step.value.approvals_needed
approver_email_recipients = step.value.approver_email_recipients
approvals_needed = step.value.approvals_needed
approver_email_recipients = (
step.value.approver_email_recipients == null
? null
: [
for e in step.value.approver_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
}
}
}
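Review bot: The new `lookup(local.ctx.email_addresses, e, e)` on approver_email_recipients silently passes the raw string through when the key is absent, so a mistyped `$email_addresses:...` reference reaches the API verbatim as a recipient address instead of failing at plan time, which for approval notifications means a misrouted or undeliverable notice rather than an error. Consider failing fast on unresolved references, e.g. a `lifecycle` `precondition` on this resource asserting that every recipient that starts with the `$email_addresses:` prefix is a key of `local.ctx.email_addresses` (assuming the map is keyed with that prefix, as the `$email_addresses:default` example in the tfvars hunk suggests — worth confirming), or equivalently a `validation` block on the input variable. The same fallback expression is repeated for admin_email_recipients and requester_email_recipients in the second hunk of this file and in the identical hunks of the next two files, so resolving recipients once in a shared local would remove the triplicated expression and give a single place to add the check. The enclosing resource block continues outside this hunk.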
@@ -128,8 +135,22 @@ resource "google_privileged_access_manager_entitlement" "default" {
dynamic "additional_notification_targets" {
for_each = each.value.additional_notification_targets == null ? [] : [""]
content {
admin_email_recipients = each.value.additional_notification_targets.admin_email_recipients
requester_email_recipients = each.value.additional_notification_targets.requester_email_recipients
admin_email_recipients = (
each.value.additional_notification_targets.admin_email_recipients == null
? null
: [
for e in each.value.additional_notification_targets.admin_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
requester_email_recipients = (
each.value.additional_notification_targets.requester_email_recipients == null
? null
: [
for e in each.value.additional_notification_targets.requester_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
}
}


@@ -117,8 +117,15 @@ resource "google_privileged_access_manager_entitlement" "default" {
]
}
approvals_needed = step.value.approvals_needed
approver_email_recipients = step.value.approver_email_recipients
approvals_needed = step.value.approvals_needed
approver_email_recipients = (
step.value.approver_email_recipients == null
? null
: [
for e in step.value.approver_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
}
}
}
@@ -128,8 +135,22 @@ resource "google_privileged_access_manager_entitlement" "default" {
dynamic "additional_notification_targets" {
for_each = each.value.additional_notification_targets == null ? [] : [""]
content {
admin_email_recipients = each.value.additional_notification_targets.admin_email_recipients
requester_email_recipients = each.value.additional_notification_targets.requester_email_recipients
admin_email_recipients = (
each.value.additional_notification_targets.admin_email_recipients == null
? null
: [
for e in each.value.additional_notification_targets.admin_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
requester_email_recipients = (
each.value.additional_notification_targets.requester_email_recipients == null
? null
: [
for e in each.value.additional_notification_targets.requester_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
}
}


@@ -117,8 +117,15 @@ resource "google_privileged_access_manager_entitlement" "default" {
]
}
approvals_needed = step.value.approvals_needed
approver_email_recipients = step.value.approver_email_recipients
approvals_needed = step.value.approvals_needed
approver_email_recipients = (
step.value.approver_email_recipients == null
? null
: [
for e in step.value.approver_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
}
}
}
@@ -128,8 +135,22 @@ resource "google_privileged_access_manager_entitlement" "default" {
dynamic "additional_notification_targets" {
for_each = each.value.additional_notification_targets == null ? [] : [""]
content {
admin_email_recipients = each.value.additional_notification_targets.admin_email_recipients
requester_email_recipients = each.value.additional_notification_targets.requester_email_recipients
admin_email_recipients = (
each.value.additional_notification_targets.admin_email_recipients == null
? null
: [
for e in each.value.additional_notification_targets.admin_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
requester_email_recipients = (
each.value.additional_notification_targets.requester_email_recipients == null
? null
: [
for e in each.value.additional_notification_targets.requester_email_recipients :
lookup(local.ctx.email_addresses, e, e)
]
)
}
}
depends_on = [


@@ -149,9 +149,14 @@ pam_entitlements = {
manual_approvals = {
require_approver_justification = true
steps = [{
approvers = ["$iam_principals:mygroup"]
approvers = ["$iam_principals:mygroup"]
approver_email_recipients = ["$email_addresses:default"]
}]
}
additional_notification_targets = {
admin_email_recipients = ["$email_addresses:default"]
requester_email_recipients = ["$email_addresses:default"]
}
eligible_users = ["$iam_principals:mygroup"]
privileged_access = [
{ role = "roles/compute.networkAdmin" },


@@ -165,13 +165,18 @@ values:
org_id: '1234567890'
role: organizations/366118655033/roles/myRoleTwo
google_privileged_access_manager_entitlement.default["net-admins"]:
additional_notification_targets: []
additional_notification_targets:
- admin_email_recipients:
- foo@example.com
requester_email_recipients:
- foo@example.com
approval_workflow:
- manual_approvals:
- require_approver_justification: true
steps:
- approvals_needed: 1
approver_email_recipients: null
approver_email_recipients:
- foo@example.com
approvers:
- principals:
- group:test-group@example.com