Add delegated grants for stage 3 service accounts

2022-02-03 13:59:17 +01:00 · 2022-02-03 13:59:17 +01:00 · 346914d315
parent 4e86fbcd04
commit 346914d315
3 changed files with 44 additions and 2 deletions
--- a/fast/stages/02-networking/vpc-spoke-dev.tf
+++ b/fast/stages/02-networking/vpc-spoke-dev.tf
@ -103,3 +103,24 @@ module "dev-spoke-psa-addresses" {
    }
  }
 }
+
+# Create delegated grants for stage3 service accounts
+resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
+  project = module.dev-spoke-project.project_id
+  role    = "roles/resourcemanager.projectIamAdmin"
+  members = [
+    var.project_factory_sa.dev
+  ]
+  condition {
+    title       = "dev_stage3_sa_delegated_grants"
+    description = "Development host project delegated grants."
+    expression = format(
+      "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
+      join(",", formatlist("'%s'", [
+        "roles/compute.networkUser",
+        "roles/container.hostServiceAgentUser",
+        "roles/vpcaccess.user",
+        ]
+    )))
+  }
+}
--- a/fast/stages/02-networking/vpc-spoke-prod.tf
+++ b/fast/stages/02-networking/vpc-spoke-prod.tf
@ -103,3 +103,24 @@ module "prod-spoke-psa-addresses" {
    }
  }
 }
+
+# Create delegated grants for stage3 service accounts
+resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
+  project = module.prod-spoke-project.project_id
+  role    = "roles/resourcemanager.projectIamAdmin"
+  members = [
+    var.project_factory_sa.prod
+  ]
+  condition {
+    title       = "prod_stage3_sa_delegated_grants"
+    description = "Production host project delegated grants."
+    expression = format(
+      "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
+      join(",", formatlist("'%s'", [
+        "roles/compute.networkUser",
+        "roles/container.hostServiceAgentUser",
+        "roles/vpcaccess.user",
+        ]
+    )))
+  }
+}
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@ -49,7 +49,7 @@ locals {
      ip_cidr_range      = v.ip_cidr_range
      name               = k
      region             = v.region
-      secondary_ip_range = try(v.secondary_ip_range, [])
+      secondary_ip_range = try(v.secondary_ip_range, {})
    }
  }
  _iam    = var.iam == null ? {} : var.iam
@ -176,7 +176,7 @@ resource "google_compute_subnetwork" "subnetwork" {
  region        = each.value.region
  name          = each.value.name
  ip_cidr_range = each.value.ip_cidr_range
-  secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
+  secondary_ip_range = [
    for name, range in each.value.secondary_ip_range :
    { range_name = name, ip_cidr_range = range }
  ]