Swap xpnAdmin with custom xpnServiceAdmin for service projects

fast/stages/01-resman/README.md

@@ -168,13 +168,13 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 |---|---|:---:|:---:|:---:|:---:|
 | [automation_project_id](variables.tf#L20) | Project id for the automation project created by the bootstrap stage. | <code>string</code> | ✓ |  | <code>00-bootstrap</code> |
 | [billing_account](variables.tf#L26) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object&#40;&#123;&#10;  id              &#61; string&#10;  organization_id &#61; number&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>00-bootstrap</code> |
-| [organization](variables.tf#L57) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>00-bootstrap</code> |
-| [prefix](variables.tf#L81) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>00-bootstrap</code> |
-| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> | <code>00-bootstrap</code> |
-| [groups](variables.tf#L42) | Group names to grant organization-level permissions. | <code>map&#40;string&#41;</code> |  | <code title="&#123;&#10;  gcp-billing-admins      &#61; &#34;gcp-billing-admins&#34;,&#10;  gcp-devops              &#61; &#34;gcp-devops&#34;,&#10;  gcp-network-admins      &#61; &#34;gcp-network-admins&#34;&#10;  gcp-organization-admins &#61; &#34;gcp-organization-admins&#34;&#10;  gcp-security-admins     &#61; &#34;gcp-security-admins&#34;&#10;  gcp-support             &#61; &#34;gcp-support&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>00-bootstrap</code> |
-| [organization_policy_configs](variables.tf#L67) | Organization policies customization. | <code title="object&#40;&#123;&#10;  allowed_policy_member_domains &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
-| [outputs_location](variables.tf#L75) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> |  | <code>null</code> |  |
-| [team_folders](variables.tf#L92) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10;  descriptive_name     &#61; string&#10;  group_iam            &#61; map&#40;list&#40;string&#41;&#41;&#10;  impersonation_groups &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |  |
+| [organization](variables.tf#L59) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>00-bootstrap</code> |
+| [prefix](variables.tf#L83) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>00-bootstrap</code> |
+| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10;  service_project_network_admin &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>00-bootstrap</code> |
+| [groups](variables.tf#L44) | Group names to grant organization-level permissions. | <code>map&#40;string&#41;</code> |  | <code title="&#123;&#10;  gcp-billing-admins      &#61; &#34;gcp-billing-admins&#34;,&#10;  gcp-devops              &#61; &#34;gcp-devops&#34;,&#10;  gcp-network-admins      &#61; &#34;gcp-network-admins&#34;&#10;  gcp-organization-admins &#61; &#34;gcp-organization-admins&#34;&#10;  gcp-security-admins     &#61; &#34;gcp-security-admins&#34;&#10;  gcp-support             &#61; &#34;gcp-support&#34;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>00-bootstrap</code> |
+| [organization_policy_configs](variables.tf#L69) | Organization policies customization. | <code title="object&#40;&#123;&#10;  allowed_policy_member_domains &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
+| [outputs_location](variables.tf#L77) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> |  | <code>null</code> |  |
+| [team_folders](variables.tf#L94) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10;  descriptive_name     &#61; string&#10;  group_iam            &#61; map&#40;list&#40;string&#41;&#41;&#10;  impersonation_groups &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |  |
 
 ## Outputs
 

fast/stages/01-resman/branch-data-platform.tf

@@ -35,10 +35,10 @@ module "branch-dp-dev-folder" {
   name      = "Development"
   group_iam = {}
   iam = {
+    (local.custom_roles.service_project_network_admin) = [module.branch-dp-dev-sa.iam_email]
     # remove owner here and at project level if SA does not manage project resources
-    "roles/compute.xpnAdmin"               = [module.branch-dp-dev-sa.iam_email]
-    "roles/logging.admin"                  = [module.branch-dp-dev-sa.iam_email]
     "roles/owner"                          = [module.branch-dp-dev-sa.iam_email]
+    "roles/logging.admin"                  = [module.branch-dp-dev-sa.iam_email]
     "roles/resourcemanager.folderAdmin"    = [module.branch-dp-dev-sa.iam_email]
     "roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
   }
@@ -74,12 +74,12 @@ module "branch-dp-prod-folder" {
   name      = "Production"
   group_iam = {}
   iam = {
+    (local.custom_roles.service_project_network_admin) = [module.branch-dp-prod-sa.iam_email]
     # remove owner here and at project level if SA does not manage project resources
-    "roles/logging.admin"                  = [module.branch-dp-prod-sa.iam_email]
     "roles/owner"                          = [module.branch-dp-prod-sa.iam_email]
+    "roles/logging.admin"                  = [module.branch-dp-prod-sa.iam_email]
     "roles/resourcemanager.folderAdmin"    = [module.branch-dp-prod-sa.iam_email]
     "roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
-    "roles/compute.xpnAdmin"               = [module.branch-dp-prod-sa.iam_email]
   }
   tag_bindings = {
     context = module.organization.tag_values["environment/production"].id

fast/stages/01-resman/branch-networking.tf

@@ -82,7 +82,7 @@ module "branch-network-dev-folder" {
   parent = module.branch-network-folder.id
   name   = "Development"
   iam = {
-    "roles/compute.xpnAdmin" = [
+    (local.custom_roles.service_project_network_admin) = [
       module.branch-dp-dev-sa.iam_email,
       module.branch-teams-dev-pf-sa.iam_email
     ]

fast/stages/01-resman/branch-teams.tf

@@ -84,22 +84,12 @@ module "branch-teams-team-dev-folder" {
   # environment-wide human permissions on the whole teams environment
   group_iam = {}
   iam = {
+    (local.custom_roles.service_project_network_admin) = [module.branch-teams-dev-pf-sa.iam_email]
     # remove owner here and at project level if SA does not manage project resources
-    "roles/owner" = [
-      module.branch-teams-dev-pf-sa.iam_email
-    ]
-    "roles/logging.admin" = [
-      module.branch-teams-dev-pf-sa.iam_email
-    ]
-    "roles/resourcemanager.folderAdmin" = [
-      module.branch-teams-dev-pf-sa.iam_email
-    ]
-    "roles/resourcemanager.projectCreator" = [
-      module.branch-teams-dev-pf-sa.iam_email
-    ]
-    "roles/compute.xpnAdmin" = [
-      module.branch-teams-dev-pf-sa.iam_email
-    ]
+    "roles/owner"                          = [module.branch-teams-dev-pf-sa.iam_email]
+    "roles/logging.admin"                  = [module.branch-teams-dev-pf-sa.iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.branch-teams-dev-pf-sa.iam_email]
+    "roles/resourcemanager.projectCreator" = [module.branch-teams-dev-pf-sa.iam_email]
   }
   tag_bindings = {
     environment = module.organization.tag_values["environment/development"].id
@@ -147,22 +137,12 @@ module "branch-teams-team-prod-folder" {
   # environment-wide human permissions on the whole teams environment
   group_iam = {}
   iam = {
+    (local.custom_roles.service_project_network_admin) = [module.branch-teams-prod-pf-sa.iam_email]
     # remove owner here and at project level if SA does not manage project resources
-    "roles/owner" = [
-      module.branch-teams-prod-pf-sa.iam_email
-    ]
-    "roles/logging.admin" = [
-      module.branch-teams-prod-pf-sa.iam_email
-    ]
-    "roles/resourcemanager.folderAdmin" = [
-      module.branch-teams-prod-pf-sa.iam_email
-    ]
-    "roles/resourcemanager.projectCreator" = [
-      module.branch-teams-prod-pf-sa.iam_email
-    ]
-    "roles/compute.xpnAdmin" = [
-      module.branch-teams-prod-pf-sa.iam_email
-    ]
+    "roles/owner"                          = [module.branch-teams-prod-pf-sa.iam_email]
+    "roles/logging.admin"                  = [module.branch-teams-prod-pf-sa.iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.branch-teams-prod-pf-sa.iam_email]
+    "roles/resourcemanager.projectCreator" = [module.branch-teams-prod-pf-sa.iam_email]
   }
   tag_bindings = {
     environment = module.organization.tag_values["environment/production"].id

fast/stages/01-resman/main.tf

@@ -19,6 +19,7 @@ locals {
   billing_ext     = var.billing_account.organization_id == null
   billing_org     = var.billing_account.organization_id == var.organization.id
   billing_org_ext = !local.billing_ext && !local.billing_org
+  custom_roles    = coalesce(var.custom_roles, {})
   groups = {
     for k, v in var.groups :
     k => "${v}@${var.organization.domain}"

fast/stages/01-resman/variables.tf

@@ -35,8 +35,10 @@ variable "billing_account" {
 variable "custom_roles" {
   # tfdoc:variable:source 00-bootstrap
   description = "Custom roles defined at the org level, in key => id format."
-  type        = map(string)
-  default     = {}
+  type = object({
+    service_project_network_admin = string
+  })
+  default = null
 }
 
 variable "groups" {

fast/stages/02-networking-nva/spoke-dev.tf

@@ -40,9 +40,6 @@ module "dev-spoke-project" {
   metric_scopes = [module.landing-project.project_id]
   iam = {
     "roles/dns.admin" = [local.service_accounts.project-factory-dev]
-    (local.custom_roles.service_project_network_admin) = values(
-      local.service_accounts
-    )
   }
 }
 

fast/stages/02-networking-nva/spoke-prod.tf

@@ -40,9 +40,6 @@ module "prod-spoke-project" {
   metric_scopes = [module.landing-project.project_id]
   iam = {
     "roles/dns.admin" = [local.service_accounts.project-factory-prod]
-    (local.custom_roles.service_project_network_admin) = values(
-      local.service_accounts
-    )
   }
 }
 

fast/stages/02-networking-vpn/spoke-dev.tf

@@ -41,9 +41,6 @@ module "dev-spoke-project" {
   metric_scopes = [module.landing-project.project_id]
   iam = {
     "roles/dns.admin" = [local.service_accounts.project-factory-dev]
-    (local.custom_roles.service_project_network_admin) = values(
-      local.service_accounts
-    )
   }
 }
 

fast/stages/02-networking-vpn/spoke-prod.tf

@@ -41,9 +41,6 @@ module "prod-spoke-project" {
   metric_scopes = [module.landing-project.project_id]
   iam = {
     "roles/dns.admin" = [local.service_accounts.project-factory-prod]
-    (local.custom_roles.service_project_network_admin) = values(
-      local.service_accounts
-    )
   }
 }