/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description Organization-level IAM.
locals {
  # reassemble logical bindings into the formats expected by the module
  #
  # Each entry of _iam_bindings is keyed by an IAM member string and carries
  # two role lists: `authoritative` and `additive`. Group bindings are folded
  # in with an empty authoritative list; their authoritative roles are routed
  # through `group_iam` below instead. merge() gives later maps precedence on
  # duplicate keys, so a member present in several source maps is taken from
  # the last one listed here.
  _iam_bindings = merge(
    local.iam_domain_bindings,
    local.iam_sa_bindings,
    local.iam_user_bootstrap_bindings,
    {
      for k, v in local.iam_group_bindings : "group:${k}" => {
        authoritative = []
        additive      = v.additive
      }
    }
  )
  # flat list of {member, role} pairs for the authoritative roles
  _iam_bindings_auth = flatten([
    for member, data in local._iam_bindings : [
      for role in data.authoritative : {
        member = member
        role   = role
      }
    ]
  ])
  # flat list of {member, role} pairs for the additive roles
  _iam_bindings_add = flatten([
    for member, data in local._iam_bindings : [
      for role in data.additive : {
        member = member
        role   = role
      }
    ]
  ])
  # group name => authoritative roles, consumed by the module's group_iam
  group_iam = {
    for k, v in local.iam_group_bindings : k => v.authoritative
  }
  # role => list of members. Roles listed in iam_delete_roles are seeded with
  # an empty member list; the second map (grouping mode `...` collects every
  # member of a role into a list) overrides that seed for any role that still
  # has authoritative members. A role that ends up mapped to [] is therefore
  # passed to the module with no members at all - presumably so the module
  # removes existing grants on it; verify against the module's iam handling.
  iam = merge(
    {
      for r in local.iam_delete_roles : r => []
    },
    {
      for b in local._iam_bindings_auth : b.role => b.member...
    }
  )
  # one additive binding per role/member pair; the key is derived from both
  # so the same pair is never emitted twice
  iam_bindings_additive = {
    for b in local._iam_bindings_add : "${b.role}-${b.member}" => {
      member = b.member
      role   = b.role
    }
  }
}
module "organization" {
  source          = "../../../modules/organization"
  organization_id = "organizations/${var.organization.id}"
  # human (groups) IAM bindings
  # locally computed roles are unioned with any user-supplied var.group_iam
  # entry for the same group; groups only present in var.group_iam are not
  # picked up here
  group_iam = {
    for k, v in local.group_iam :
    k => distinct(concat(v, lookup(var.group_iam, k, [])))
  }
  # machine (service accounts) IAM bindings
  # first map: roles known locally, unioned with the matching var.iam entry;
  # second map: var.iam roles with no local counterpart, passed through as-is
  iam = merge(
    {
      for k, v in local.iam : k => distinct(concat(v, lookup(var.iam, k, [])))
    },
    {
      for k, v in var.iam : k => v if lookup(local.iam, k, null) == null
    }
  )
  # additive bindings, used for roles co-managed by different stages
  # var.iam_bindings_additive is merged last, so on a duplicate key the
  # user-supplied binding wins over the locally computed one
  iam_bindings_additive = merge(
    local.iam_bindings_additive,
    var.iam_bindings_additive
  )
  # delegated role grant for resource manager service account
  #
  # The resman automation SA receives the organization_iam_admin custom role
  # (organizations.get/getIamPolicy/setIamPolicy, see custom_roles below) under
  # a condition: the IAM policy change must only touch the roles listed in the
  # hasOnly() argument (iam.googleapis.com/modifiedGrantsByRole). The condition
  # constrains which roles the SA can grant or revoke, not which members it can
  # grant them to, so every role added to this list widens what the SA can hand
  # out at organization level. Billing roles are included only when billing is
  # managed at the organization (local.billing_mode == "org").
  # The role and one list entry reference this module's own custom_role_id
  # output; the dependency is on the custom role resources inside the module,
  # not on the module as a whole - confirm against the module if it changes.
  iam_bindings = {
    sa_resman_delegated_iam = {
      members = [module.automation-tf-resman-sa.iam_email]
      role    = module.organization.custom_role_id[var.custom_role_names.organization_iam_admin]
      condition = {
        expression = format(
          "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
          join(",", formatlist("'%s'", concat(
            [
              "roles/accesscontextmanager.policyAdmin",
              "roles/compute.orgFirewallPolicyAdmin",
              "roles/compute.xpnAdmin",
              "roles/orgpolicy.policyAdmin",
              "roles/resourcemanager.organizationViewer",
              module.organization.custom_role_id[var.custom_role_names.tenant_network_admin]
            ],
            local.billing_mode == "org" ? [
              "roles/billing.admin",
              "roles/billing.costsManager",
              "roles/billing.user",
            ] : []
          )))
        )
        title       = "automation_sa_delegated_grants"
        description = "Automation service account delegated grants."
      }
    }
  }
  # custom roles defined here are merged after var.custom_roles, so a
  # user-supplied role with the same name cannot replace or widen the
  # permission lists below
  custom_roles = merge(var.custom_roles, {
    # this is needed for use in additive IAM bindings, to avoid conflicts
    # minimal set needed to read and write the organization IAM policy; it is
    # granted to the resman SA only under the delegated-grant condition above
    (var.custom_role_names.organization_iam_admin) = [
      "resourcemanager.organizations.get",
      "resourcemanager.organizations.getIamPolicy",
      "resourcemanager.organizations.setIamPolicy"
    ]
    # permissions for automation service accounts that attach service
    # projects to shared VPC hosts and manage subnet-level IAM
    (var.custom_role_names.service_project_network_admin) = [
      "compute.globalOperations.get",
      # compute.networks.updatePeering and compute.networks.get are
      # used by automation service accounts who manage service
      # projects where peering creation might be needed (e.g. GKE). If
      # you remove them your network administrators should create
      # peerings for service projects
      "compute.networks.updatePeering",
      "compute.networks.get",
      "compute.organizations.disableXpnResource",
      "compute.organizations.enableXpnResource",
      "compute.projects.get",
      "compute.subnetworks.getIamPolicy",
      "compute.subnetworks.setIamPolicy",
      "dns.networks.bindPrivateDNSZone",
      "resourcemanager.projects.get",
    ]
    # also part of the delegated-grant role list above
    (var.custom_role_names.tenant_network_admin) = [
      "compute.globalOperations.get",
    ]
  })
  # one organization-level sink per var.log_sinks entry; the destination id
  # is looked up by sink name in local.log_sink_destinations, and partitioned
  # tables are requested only for bigquery sinks
  logging_sinks = {
    for name, attrs in var.log_sinks : name => {
      bq_partitioned_table = attrs.type == "bigquery"
      destination          = local.log_sink_destinations[name].id
      filter               = attrs.filter
      type                 = attrs.type
    }
  }
}