- the roles listed in `direct_role_grants` will be granted unconditionally to the users listed in `project_administrators`.
- additionally, `project_administrators` will be granted the role `roles/resourcemanager.projectIamAdmin` in a restricted fashion, allowing them to only grant the roles listed in `delegated_role_grants` to other users.
By carefully choosing `direct_role_grants` and `delegated_role_grants`, you can restrict which services can be used within the project while still giving project administrators enough freedom to grant permissions to other principals within their projects.
A [Medium article](https://medium.com/@jccb/managing-gcp-service-usage-through-delegated-role-grants-a843610f2226) has been published for this example, refer to it for more details on the context and the specifics of running the example.
By changing the `restricted_role_grant`, the example can be used to grant administrators a predefined role like `roles/compute.networkAdmin`, which allows setting IAM policies on service resources like subnetworks, but restrict the roles that those administrators are able to confer to other users.
You can easily configure the example for this use case:
Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=examples%2Fcloud-operations%2Fiam-delegated-role-grants), then go through the following steps to create resources:
This example includes a Python script that audits a list of roles to ensure you're not granting the `setIamPolicy` permission at the project, folder or organization level. To audit all the predefined compute roles, run it like this:
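Separately from that script, the following Python is an added example (not the repository's Terraform or its audit script) that models the two mechanisms this page relies on: the IAM condition placed on the restricted `roles/resourcemanager.projectIamAdmin` grant, which only allows `setIamPolicy` requests whose modified role bindings all fall within `delegated_role_grants`, and the audit that keeps roles carrying a resource-manager `setIamPolicy` permission out of that list. The role-to-permission table, the `example.com` members and the function names are constructed for the example; a real audit would fill the table from the IAM API or from the `includedPermissions` printed by `gcloud iam roles describe ROLE`.

```python
"""Model of the delegated-role-grant pattern.

Added example, not the repository's own Terraform or audit script.
"""
from __future__ import annotations

from typing import Iterable, Mapping

# Permissions that let a grantee rewrite the IAM policy at project, folder or
# organization level.  A role carrying one of these must not be delegated:
# an administrator could grant it to any principal (themselves included), and
# that principal would then hold an unconditional setIamPolicy, sidestepping
# the condition on the administrator's own projectIamAdmin grant.
SET_IAM_POLICY_PERMISSIONS = frozenset({
    "resourcemanager.projects.setIamPolicy",
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.organizations.setIamPolicy",
})

# Constructed role -> permissions table (real roles carry far more entries).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/compute.admin": frozenset({
        "compute.instances.create",
        "compute.subnetworks.setIamPolicy",  # service-level IAM, not resource manager
    }),
    "roles/compute.viewer": frozenset({"compute.instances.get"}),
    "roles/storage.admin": frozenset({"storage.buckets.create", "storage.buckets.setIamPolicy"}),
    "roles/resourcemanager.projectIamAdmin": frozenset({
        "resourcemanager.projects.getIamPolicy",
        "resourcemanager.projects.setIamPolicy",
    }),
    "roles/owner": frozenset({"compute.instances.create", "resourcemanager.projects.setIamPolicy"}),
}


def audit_delegated_roles(
    roles: Iterable[str],
    role_permissions: Mapping[str, frozenset[str]] = ROLE_PERMISSIONS,
) -> dict[str, frozenset[str]]:
    """Return {role: offending permissions} for roles that are unsafe to delegate.

    A role missing from the table is reported as well: a role the audit
    cannot inspect must not be assumed safe.
    """
    findings: dict[str, frozenset[str]] = {}
    for role in roles:
        perms = role_permissions.get(role)
        if perms is None:
            findings[role] = frozenset({"<unknown role, not verified>"})
            continue
        offending = perms & SET_IAM_POLICY_PERMISSIONS
        if offending:
            findings[role] = offending
    return findings


# An IAM policy reduced to its bindings: role -> set of members.
Policy = Mapping[str, frozenset[str]]


def modified_grants_by_role(existing: Policy, proposed: Policy) -> frozenset[str]:
    """Roles whose membership differs between the current and proposed policy.

    Stands in for the iam.googleapis.com/modifiedGrantsByRole request
    attribute the condition inspects: a role counts as modified whether
    members are added to it or removed from it (grant or revoke).
    """
    empty: frozenset[str] = frozenset()
    roles = set(existing) | set(proposed)
    return frozenset(r for r in roles if existing.get(r, empty) != proposed.get(r, empty))


def set_iam_policy_allowed(
    existing: Policy, proposed: Policy, delegated_role_grants: Iterable[str]
) -> bool:
    """Model of the condition on the restricted projectIamAdmin grant:

        api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', [])
            .hasOnly(delegated_role_grants)

    hasOnly is a subset test: a request that modifies no bindings (the
    attribute defaults to []) passes, and touching one role outside the
    list denies the whole request.
    """
    return modified_grants_by_role(existing, proposed) <= frozenset(delegated_role_grants)


if __name__ == "__main__":
    delegated = ["roles/compute.viewer", "roles/compute.admin", "roles/storage.objectViewer"]
    print("audit:", audit_delegated_roles(delegated + ["roles/owner"]))
    current = {"roles/compute.admin": frozenset({"user:admin@example.com"})}
    grant_viewer = {**current, "roles/compute.viewer": frozenset({"user:dev@example.com"})}
    grant_iam_admin = {**current, "roles/resourcemanager.projectIamAdmin": frozenset({"user:dev@example.com"})}
    print("grant compute.viewer allowed:", set_iam_policy_allowed(current, grant_viewer, delegated))
    print("grant projectIamAdmin allowed:", set_iam_policy_allowed(current, grant_iam_admin, delegated))
```

The audit passes the page's default `direct_role_grants` because `compute.subnetworks.setIamPolicy` is a service-level permission (the subnetwork case mentioned above), not a resource-manager one; `roles/owner` is flagged, and a role the audit has no data for is flagged rather than silently accepted.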
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [project_id](variables.tf#L73) | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code>string</code> | ✓ | |
| [delegated_role_grants](variables.tf#L17) | List of roles that project administrators will be allowed to grant/revoke. | <code>list(string)</code> | | <code title="[&quot;roles/storage.admin&quot;, &quot;roles/storage.hmacKeyAdmin&quot;, &quot;roles/storage.legacyBucketOwner&quot;, &quot;roles/storage.objectAdmin&quot;, &quot;roles/storage.objectCreator&quot;, &quot;roles/storage.objectViewer&quot;, &quot;roles/compute.admin&quot;, &quot;roles/compute.imageUser&quot;, &quot;roles/compute.instanceAdmin&quot;, &quot;roles/compute.instanceAdmin.v1&quot;, &quot;roles/compute.networkAdmin&quot;, &quot;roles/compute.networkUser&quot;, &quot;roles/compute.networkViewer&quot;, &quot;roles/compute.orgFirewallPolicyAdmin&quot;, &quot;roles/compute.orgFirewallPolicyUser&quot;, &quot;roles/compute.orgSecurityPolicyAdmin&quot;, &quot;roles/compute.orgSecurityPolicyUser&quot;, &quot;roles/compute.orgSecurityResourceAdmin&quot;, &quot;roles/compute.osAdminLogin&quot;, &quot;roles/compute.osLogin&quot;, &quot;roles/compute.osLoginExternalUser&quot;, &quot;roles/compute.packetMirroringAdmin&quot;, &quot;roles/compute.packetMirroringUser&quot;, &quot;roles/compute.publicIpAdmin&quot;, &quot;roles/compute.securityAdmin&quot;, &quot;roles/compute.serviceAgent&quot;, &quot;roles/compute.storageAdmin&quot;, &quot;roles/compute.viewer&quot;, &quot;roles/viewer&quot;]">[…]</code> |
| [direct_role_grants](variables.tf#L53) | List of roles granted directly to project administrators. | <code>list(string)</code> | | <code title="[&quot;roles/compute.admin&quot;, &quot;roles/storage.admin&quot;]">[…]</code> |
| [project_create](variables.tf#L67) | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
| [restricted_role_grant](variables.tf#L78) | Role grant to which the restrictions will apply. | <code>string</code> | | <code>"roles/resourcemanager.projectIamAdmin"</code> |