assign net delegated grants by env
This commit is contained in:
parent
b147a4cc44
commit
21a901c1dc
|
@ -33,11 +33,11 @@ module "branch-dp-dev-folder" {
|
|||
group_iam = {}
|
||||
iam = {
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/compute.xpnAdmin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/owner" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/compute.xpnAdmin" = [module.branch-dp-dev-sa.iam_email]
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -125,7 +125,10 @@ module "peering-dev" {
|
|||
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
|
||||
project = module.dev-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = values(local.service_accounts)
|
||||
members = [
|
||||
local.service_accounts.data-platform-dev,
|
||||
local.service_accounts.project-factory-dev,
|
||||
]
|
||||
condition {
|
||||
title = "dev_stage3_sa_delegated_grants"
|
||||
description = "Development host project delegated grants."
|
||||
|
|
|
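Review bot: Narrowing `members` to the two environment-scoped stage-3 service accounts covers only half of the delegated-grant surface, because the `condition` block's `expression`, which lists the roles these accounts are allowed to bind, starts in this hunk but ends outside it and should be checked in the same pass to confirm it names only roles the dev data-platform and project-factory stages need. The reason for the explicit list is not recorded in the file; a comment above `members = [` such as `# only this environment's stage-3 SAs may delegate IAM on the host project; SAs of other environments are deliberately excluded` would keep a later edit from reverting to `values(local.service_accounts)`. Note that `google_project_iam_binding` is authoritative for this role only under this exact condition, so any unconditional `roles/resourcemanager.projectIamAdmin` binding on the same project is not affected by this change. The same points apply to the `prod_spoke_project_iam_delegated` hunk and to both cloudnat-stage hunks below.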
@ -125,7 +125,10 @@ module "peering-prod" {
|
|||
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
|
||||
project = module.prod-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = values(local.service_accounts)
|
||||
members = [
|
||||
local.service_accounts.data-platform-prod,
|
||||
local.service_accounts.project-factory-prod,
|
||||
]
|
||||
condition {
|
||||
title = "prod_stage3_sa_delegated_grants"
|
||||
description = "Production host project delegated grants."
|
||||
|
|
|
@ -102,7 +102,10 @@ module "dev-spoke-cloudnat" {
|
|||
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
|
||||
project = module.dev-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = values(local.service_accounts)
|
||||
members = [
|
||||
local.service_accounts.data-platform-dev,
|
||||
local.service_accounts.project-factory-dev,
|
||||
]
|
||||
condition {
|
||||
title = "dev_stage3_sa_delegated_grants"
|
||||
description = "Development host project delegated grants."
|
||||
|
|
|
@ -102,7 +102,10 @@ module "prod-spoke-cloudnat" {
|
|||
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
|
||||
project = module.prod-spoke-project.project_id
|
||||
role = "roles/resourcemanager.projectIamAdmin"
|
||||
members = values(local.service_accounts)
|
||||
members = [
|
||||
local.service_accounts.data-platform-prod,
|
||||
local.service_accounts.project-factory-prod,
|
||||
]
|
||||
condition {
|
||||
title = "prod_stage3_sa_delegated_grants"
|
||||
description = "Production host project delegated grants."
|
||||
|
|