assign net delegated grants by env

2022-02-18 08:38:36 +01:00 · 2022-02-18 08:38:36 +01:00 · 21a901c1dc
parent b147a4cc44
commit 21a901c1dc
5 changed files with 17 additions and 5 deletions
--- a/fast/stages/01-resman/branch-data-platform.tf
+++ b/fast/stages/01-resman/branch-data-platform.tf
@ -33,11 +33,11 @@ module "branch-dp-dev-folder" {
  group_iam = {}
  iam = {
    # remove owner here and at project level if SA does not manage project resources
+    "roles/compute.xpnAdmin"               = [module.branch-dp-dev-sa.iam_email]
    "roles/logging.admin"                  = [module.branch-dp-dev-sa.iam_email]
    "roles/owner"                          = [module.branch-dp-dev-sa.iam_email]
    "roles/resourcemanager.folderAdmin"    = [module.branch-dp-dev-sa.iam_email]
    "roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
-    "roles/compute.xpnAdmin"               = [module.branch-dp-dev-sa.iam_email]
  }
 }

--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@ -125,7 +125,10 @@ module "peering-dev" {
 resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
  project = module.dev-spoke-project.project_id
  role    = "roles/resourcemanager.projectIamAdmin"
-  members = values(local.service_accounts)
+  members = [
+    local.service_accounts.data-platform-dev,
+    local.service_accounts.project-factory-dev,
+  ]
  condition {
    title       = "dev_stage3_sa_delegated_grants"
    description = "Development host project delegated grants."
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@ -125,7 +125,10 @@ module "peering-prod" {
 resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
  project = module.prod-spoke-project.project_id
  role    = "roles/resourcemanager.projectIamAdmin"
-  members = values(local.service_accounts)
+  members = [
+    local.service_accounts.data-platform-prod,
+    local.service_accounts.project-factory-prod,
+  ]
  condition {
    title       = "prod_stage3_sa_delegated_grants"
    description = "Production host project delegated grants."
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@ -102,7 +102,10 @@ module "dev-spoke-cloudnat" {
 resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
  project = module.dev-spoke-project.project_id
  role    = "roles/resourcemanager.projectIamAdmin"
-  members = values(local.service_accounts)
+  members = [
+    local.service_accounts.data-platform-dev,
+    local.service_accounts.project-factory-dev,
+  ]
  condition {
    title       = "dev_stage3_sa_delegated_grants"
    description = "Development host project delegated grants."
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@ -102,7 +102,10 @@ module "prod-spoke-cloudnat" {
 resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
  project = module.prod-spoke-project.project_id
  role    = "roles/resourcemanager.projectIamAdmin"
-  members = values(local.service_accounts)
+  members = [
+    local.service_accounts.data-platform-prod,
+    local.service_accounts.project-factory-prod,
+  ]
  condition {
    title       = "prod_stage3_sa_delegated_grants"
    description = "Production host project delegated grants."