Add delegated grants for stage 3 service accounts
parent
4e86fbcd04
commit
346914d315
|
@ -103,3 +103,24 @@ module "dev-spoke-psa-addresses" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Create delegated grants for stage3 service accounts
|
||||||
|
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
|
||||||
|
project = module.dev-spoke-project.project_id
|
||||||
|
role = "roles/resourcemanager.projectIamAdmin"
|
||||||
|
members = [
|
||||||
|
var.project_factory_sa.dev
|
||||||
|
]
|
||||||
|
condition {
|
||||||
|
title = "dev_stage3_sa_delegated_grants"
|
||||||
|
description = "Development host project delegated grants."
|
||||||
|
expression = format(
|
||||||
|
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
|
||||||
|
join(",", formatlist("'%s'", [
|
||||||
|
"roles/compute.networkUser",
|
||||||
|
"roles/container.hostServiceAgentUser",
|
||||||
|
"roles/vpcaccess.user",
|
||||||
|
]
|
||||||
|
)))
|
||||||
|
}
|
||||||
|
}
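Review bot: The role list passed to `formatlist` (`roles/compute.networkUser`, `roles/container.hostServiceAgentUser`, `roles/vpcaccess.user`) is repeated verbatim in the `prod_spoke_project_iam_delegated` binding of the second hunk, so the dev and prod delegations can drift apart silently; pulling it into one local referenced from both `hasOnly` expressions keeps the allowed set reviewable in a single place. A short comment above the resource would also help the next reader, since the condition is easy to misread as a full restriction: `# Conditional projectIamAdmin: the factory SA may only grant the roles in local.stage3_delegated_roles; the condition limits which roles can be modified, not which principals receive them.` Whether `var.project_factory_sa.dev` already carries the `serviceAccount:` member prefix that `google_project_iam_binding` expects is not visible in this hunk. Because a binding with a `condition` is authoritative for that role and condition pair, any other member holding the same conditional projectIamAdmin grant would be removed on apply.
```hcl
locals {
  # Roles the stage 3 project factory SAs are allowed to grant on the spoke projects.
  stage3_delegated_roles = [
    "roles/compute.networkUser",
    "roles/container.hostServiceAgentUser",
    "roles/vpcaccess.user",
  ]
}

resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
  # … unchanged: project, role, members …
  condition {
    # … unchanged: title, description …
    expression = format(
      "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
      join(",", formatlist("'%s'", local.stage3_delegated_roles))
    )
  }
}
```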
|
||||||
|
|
|
@ -103,3 +103,24 @@ module "prod-spoke-psa-addresses" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Create delegated grants for stage3 service accounts
|
||||||
|
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
|
||||||
|
project = module.prod-spoke-project.project_id
|
||||||
|
role = "roles/resourcemanager.projectIamAdmin"
|
||||||
|
members = [
|
||||||
|
var.project_factory_sa.prod
|
||||||
|
]
|
||||||
|
condition {
|
||||||
|
title = "prod_stage3_sa_delegated_grants"
|
||||||
|
description = "Production host project delegated grants."
|
||||||
|
expression = format(
|
||||||
|
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
|
||||||
|
join(",", formatlist("'%s'", [
|
||||||
|
"roles/compute.networkUser",
|
||||||
|
"roles/container.hostServiceAgentUser",
|
||||||
|
"roles/vpcaccess.user",
|
||||||
|
]
|
||||||
|
)))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -49,7 +49,7 @@ locals {
|
||||||
ip_cidr_range = v.ip_cidr_range
|
ip_cidr_range = v.ip_cidr_range
|
||||||
name = k
|
name = k
|
||||||
region = v.region
|
region = v.region
|
||||||
secondary_ip_range = try(v.secondary_ip_range, [])
|
secondary_ip_range = try(v.secondary_ip_range, {})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
_iam = var.iam == null ? {} : var.iam
|
_iam = var.iam == null ? {} : var.iam
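Review bot: `try(v.secondary_ip_range, {})` does not substitute the default when the attribute is present but null, because `try` only catches evaluation errors; if `{}` is the new default here (the second printed line), a subnet declared with `secondary_ip_range = null` now reaches `for name, range in each.value.secondary_ip_range` in the `google_compute_subnetwork` hunk below, which drops the `== null ? [] :` guard the old code had, and fails there. Whether null is an admissible value depends on the variable's type definition, which is outside this hunk, but the old guard suggests it was. A null-safe default keeps both hunks working: `secondary_ip_range = try(v.secondary_ip_range, null) == null ? {} : v.secondary_ip_range`. The enclosing `locals` block starts and ends outside the hunk.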
|
||||||
|
@ -176,7 +176,7 @@ resource "google_compute_subnetwork" "subnetwork" {
|
||||||
region = each.value.region
|
region = each.value.region
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
ip_cidr_range = each.value.ip_cidr_range
|
ip_cidr_range = each.value.ip_cidr_range
|
||||||
secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
|
secondary_ip_range = [
|
||||||
for name, range in each.value.secondary_ip_range :
|
for name, range in each.value.secondary_ip_range :
|
||||||
{ range_name = name, ip_cidr_range = range }
|
{ range_name = name, ip_cidr_range = range }
|
||||||
]
|
]
|
||||||
|
|