Manage billing.creator role authoritatively in FAST bootstrap.
By default new orgs grant billing.creator and resourcemanager.projectCreator to the whole domain[1]. This PR makes FAST remove the former binding during the bootstrap (the latter is already managed by FAST). Fixes #1220 [1] https://cloud.google.com/resource-manager/docs/default-access-control
This commit is contained in:
parent
cd8f0890e9
commit
38808b37c0
|
@ -1,5 +1,5 @@
|
||||||
/**
|
/**
|
||||||
* Copyright 2022 Google LLC
|
* Copyright 2023 Google LLC
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -20,6 +20,7 @@ locals {
|
||||||
# organization authoritative IAM bindings, in an easy to edit format before
|
# organization authoritative IAM bindings, in an easy to edit format before
|
||||||
# they are combined with var.iam a bit further in locals
|
# they are combined with var.iam a bit further in locals
|
||||||
_iam = {
|
_iam = {
|
||||||
|
"roles/billing.creator" = []
|
||||||
"roles/browser" = [
|
"roles/browser" = [
|
||||||
"domain:${var.organization.domain}"
|
"domain:${var.organization.domain}"
|
||||||
]
|
]
|
||||||
|
|
Loading…
Reference in New Issue