- the roles listed in `direct_role_grants` will be granted unconditionally to the users listed in `project_administrators`.
- additionally, `project_administrators` will be granted the role `roles/resourcemanager.projectIamAdmin` in a restricted fashion, allowing them to only grant the roles listed in `delegated_role_grants` to other users.
By carefully choosing `direct_role_grants` and `delegated_role_grants`, you can restrict which services can be used within the project while still giving project administrators enough freedom to grant permissions to other principals within their projects.
A [Medium article](https://medium.com/@jccb/managing-gcp-service-usage-through-delegated-role-grants-a843610f2226) has been published for this blueprint, refer to it for more details on the context and the specifics of running the blueprint.
By changing `restricted_role_grant`, the blueprint can instead grant administrators a predefined role such as `roles/compute.networkAdmin`, which allows setting IAM policies on service resources like subnetworks, while still restricting the roles those administrators are able to confer on other users.
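The policy shape described above, as an added example that is not the blueprint's own Terraform: direct roles become unconditional bindings, the restricted role gets an IAM condition on `iam.googleapis.com/modifiedGrantsByRole` limited to the delegated list, and the delegated list is first screened for container-level `setIamPolicy` permissions (the property the bundled audit script checks), because a delegated role carrying that permission would let an administrator rewrite the restricting binding itself. The role-to-permission map is a constructed sample standing in for `gcloud iam roles describe` output; `audit_roles` and `build_bindings` are hypothetical names.

```python
"""Offline model of the delegated role grant policy this blueprint builds."""
from typing import Dict, List

# Constructed sample of predefined-role permissions (only what the check needs).
ROLE_PERMISSIONS: Dict[str, List[str]] = {
    "roles/storage.admin": ["storage.buckets.setIamPolicy", "storage.objects.get"],
    "roles/compute.networkAdmin": ["compute.subnetworks.setIamPolicy", "compute.networks.update"],
    "roles/owner": ["resourcemanager.projects.setIamPolicy", "iam.roles.create"],
    "roles/resourcemanager.projectIamAdmin": ["resourcemanager.projects.setIamPolicy"],
}

# setIamPolicy on a project, folder or organization lets the grantee replace the
# whole policy, including the conditional binding restricting them: never delegate it.
CONTAINER_SET_IAM = {
    "resourcemanager.projects.setIamPolicy",
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.organizations.setIamPolicy",
}


def audit_roles(roles: List[str], catalog: Dict[str, List[str]] = ROLE_PERMISSIONS) -> List[str]:
    """Return the roles whose permissions include container-level setIamPolicy."""
    return [r for r in roles if CONTAINER_SET_IAM & set(catalog.get(r, []))]


def build_bindings(admins: List[str], direct_role_grants: List[str],
                   delegated_role_grants: List[str],
                   restricted_role_grant: str = "roles/resourcemanager.projectIamAdmin"):
    """Model the project IAM bindings (role, members, optional condition).

    `admins` are IAM principals such as "user:jane@example.com".
    """
    bad = audit_roles(delegated_role_grants)
    if bad:
        raise ValueError(f"refusing to delegate roles carrying setIamPolicy: {bad}")
    members = list(admins)
    bindings = [{"role": r, "members": members} for r in direct_role_grants]
    # The condition is a CEL expression; roles are quoted as CEL string literals.
    allowed = ", ".join(f"'{r}'" for r in delegated_role_grants)
    bindings.append({
        "role": restricted_role_grant,
        "members": members,
        "condition": {
            "title": "delegated_role_grants",
            "expression": (
                "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', [])"
                f".hasOnly([{allowed}])"
            ),
        },
    })
    return bindings
```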
Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=blueprints%2Fcloud-operations%2Fiam-delegated-role-grants), then go through the following steps to create resources:
This blueprint includes a Python script that audits a list of roles to ensure you're not granting the `setIamPolicy` permission at the project, folder or organization level. To audit all the predefined compute roles, run it like this:
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [project_id](variables.tf#L73) | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code>string</code> | ✓ | |
| [delegated_role_grants](variables.tf#L17) | List of roles that project administrators will be allowed to grant/revoke. | <code>list(string)</code> | | <code title='[ "roles/storage.admin", "roles/storage.hmacKeyAdmin", "roles/storage.legacyBucketOwner", "roles/storage.objectAdmin", "roles/storage.objectCreator", "roles/storage.objectViewer", "roles/compute.admin", "roles/compute.imageUser", "roles/compute.instanceAdmin", "roles/compute.instanceAdmin.v1", "roles/compute.networkAdmin", "roles/compute.networkUser", "roles/compute.networkViewer", "roles/compute.orgFirewallPolicyAdmin", "roles/compute.orgFirewallPolicyUser", "roles/compute.orgSecurityPolicyAdmin", "roles/compute.orgSecurityPolicyUser", "roles/compute.orgSecurityResourceAdmin", "roles/compute.osAdminLogin", "roles/compute.osLogin", "roles/compute.osLoginExternalUser", "roles/compute.packetMirroringAdmin", "roles/compute.packetMirroringUser", "roles/compute.publicIpAdmin", "roles/compute.securityAdmin", "roles/compute.serviceAgent", "roles/compute.storageAdmin", "roles/compute.viewer", "roles/viewer" ]'>[…]</code> |
| [direct_role_grants](variables.tf#L53) | List of roles granted directly to project administrators. | <code>list(string)</code> | | <code title='[ "roles/compute.admin", "roles/storage.admin", ]'>[…]</code> |
| [project_create](variables.tf#L67) | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
| [restricted_role_grant](variables.tf#L78) | Role grant to which the restrictions will apply. | <code>string</code> | | <code>"roles/resourcemanager.projectIamAdmin"</code> |