From 474bcbdd0e727c0974857c721a5288ff1cbf42f9 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Sun, 20 Feb 2022 10:26:30 +0000 Subject: [PATCH] Use tags and tag-based IAM conditions in FAST (#553) * organization module * folder module * project module * fix project binding * environment tags * use id instead of name for references * environment bindings * conditional org policy admin binding via tags * rename pf service accounts and buckets * update IAM docs * kms module * compute-vm * fix compute-vm * tfdoc --- fast/stages/00-bootstrap/IAM.md | 2 +- fast/stages/00-bootstrap/organization.tf | 6 ++ fast/stages/01-resman/IAM.md | 8 +- fast/stages/01-resman/README.md | 2 +- fast/stages/01-resman/branch-data-platform.tf | 9 ++ fast/stages/01-resman/branch-networking.tf | 13 ++- fast/stages/01-resman/branch-sandbox.tf | 3 + fast/stages/01-resman/branch-security.tf | 3 + fast/stages/01-resman/branch-teams.tf | 61 +++++++++--- fast/stages/01-resman/organization.tf | 55 +++++++++-- fast/stages/01-resman/outputs.tf | 20 ++-- fast/stages/03-data-platform/dev/IAM.md | 98 +++++++++++++++++++ 12 files changed, 241 insertions(+), 39 deletions(-) create mode 100644 fast/stages/03-data-platform/dev/IAM.md diff --git a/fast/stages/00-bootstrap/IAM.md b/fast/stages/00-bootstrap/IAM.md index 3fc844a3..2d719046 100644 --- a/fast/stages/00-bootstrap/IAM.md +++ b/fast/stages/00-bootstrap/IAM.md @@ -12,7 +12,7 @@ Legend: + additive, conditional. |gcp-security-admins
group|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner)
[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin)
[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) +
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| |gcp-support
group|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor)
[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer)
[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) | |prod-bootstrap-0
serviceAccount|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) +| -|prod-resman-0
serviceAccount|organizations/[org_id #0]/roles/organizationIamAdmin
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| +|prod-resman-0
serviceAccount|organizations/[org_id #0]/roles/organizationIamAdmin
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin)
[roles/resourcemanager.tagUser](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagUser)
[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| ## Project prod-audit-logs-0 diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf index 689f378b..c9527522 100644 --- a/fast/stages/00-bootstrap/organization.tf +++ b/fast/stages/00-bootstrap/organization.tf @@ -41,6 +41,12 @@ locals { [module.automation-tf-bootstrap-sa.iam_email], local._iam_bootstrap_user ) + "roles/resourcemanager.tagAdmin" = [ + module.automation-tf-resman-sa.iam_email + ] + "roles/resourcemanager.tagUser" = [ + module.automation-tf-resman-sa.iam_email + ] } # organization additive IAM bindings, in an easy to edit format before # they are combined with var.iam_additive a bit further in locals diff --git a/fast/stages/01-resman/IAM.md b/fast/stages/01-resman/IAM.md index 269f5f09..cbd989d9 100644 --- a/fast/stages/01-resman/IAM.md +++ b/fast/stages/01-resman/IAM.md @@ -6,15 +6,18 @@ Legend: + additive, conditional. | members | roles | |---|---| -|dev-resman-pf-0
serviceAccount|[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| +|dev-resman-dp-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| +|dev-resman-pf-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| +|prod-resman-dp-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| |prod-resman-net-0
serviceAccount|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +
[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) +
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) +| -|prod-resman-pf-0
serviceAccount|[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +
[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +| +|prod-resman-pf-0
serviceAccount|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) +
[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| |prod-resman-sec-0
serviceAccount|[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) +
[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) +| ## Folder development | members | roles | |---|---| +|dev-resman-dp-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) | |dev-resman-pf-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) | ## Folder networking @@ -28,6 +31,7 @@ Legend: + additive, conditional. | members | roles | |---|---| +|prod-resman-dp-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin)
[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin)
[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner)
[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin)
[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator)
[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) | |prod-resman-pf-0
serviceAccount|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |
 ## Folder sandbox
diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index 01dbdb86..1a39e7f1 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -158,7 +158,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 | [branch-security.tf](./branch-security.tf) | Security stage resources. | folder · gcs · iam-service-account | |
 | [branch-teams.tf](./branch-teams.tf) | Team stages resources. | folder · gcs · iam-service-account | |
 | [main.tf](./main.tf) | Module-level locals and resources. | | |
-| [organization.tf](./organization.tf) | Organization policies. | organization | |
+| [organization.tf](./organization.tf) | Organization policies. | organization | google_organization_iam_member |
 | [outputs.tf](./outputs.tf) | Module outputs. | | local_file |
 | [variables.tf](./variables.tf) | Module variables. | | |
diff --git a/fast/stages/01-resman/branch-data-platform.tf b/fast/stages/01-resman/branch-data-platform.tf
index 0374219f..9585f051 100644
--- a/fast/stages/01-resman/branch-data-platform.tf
+++ b/fast/stages/01-resman/branch-data-platform.tf
@@ -22,6 +22,9 @@ module "branch-dp-folder" {
 source = "../../../modules/folder"
 parent = "organizations/${var.organization.id}"
 name = "Data Platform"
+ tag_bindings = {
+ context = module.organization.tag_values["context/data"].id
+ }
 }
 # environment: development folder
@@ -39,6 +42,9 @@ module "branch-dp-dev-folder" {
 "roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
 "roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
 }
+ tag_bindings = {
+ context = module.organization.tag_values["environment/development"].id
+ }
 }
 module "branch-dp-dev-sa" {
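Review bot: The `tag_bindings` key on `branch-dp-dev-folder` is named `context` but the value bound is the `environment/development` tag, so the key no longer describes what it binds; `environment = module.organization.tag_values["environment/development"].id` would read correctly. The same mismatch is in the `branch-dp-prod-folder` hunk below and in the dev/prod folder hunks of branch-networking.tf and branch-teams.tf, while the parent folders correctly pair `context` with `context/*` values. If the folder module uses this key to address the binding resource (likely, but the module is not in this diff), renaming it after first apply would recreate the binding, so it is cheapest to fix before this lands. The `branch-dp-dev-folder` module block starts outside the hunk.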
@@ -75,6 +81,9 @@ module "branch-dp-prod-folder" {
 "roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
 "roles/compute.xpnAdmin" = [module.branch-dp-prod-sa.iam_email]
 }
+ tag_bindings = {
+ context = module.organization.tag_values["environment/production"].id
+ }
 }
 module "branch-dp-prod-sa" {
diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
index d0ec1d0f..a8f876fb 100644
--- a/fast/stages/01-resman/branch-networking.tf
+++ b/fast/stages/01-resman/branch-networking.tf
@@ -38,6 +38,9 @@ module "branch-network-folder" {
 "roles/resourcemanager.projectCreator" = [module.branch-network-sa.iam_email]
 "roles/compute.xpnAdmin" = [module.branch-network-sa.iam_email]
 }
+ tag_bindings = {
+ context = module.organization.tag_values["context/networking"].id
+ }
 }
 module "branch-network-sa" {
@@ -66,9 +69,12 @@ module "branch-network-prod-folder" {
 iam = {
 "roles/compute.xpnAdmin" = [
 module.branch-dp-prod-sa.iam_email,
- module.branch-teams-prod-projectfactory-sa.iam_email
+ module.branch-teams-prod-pf-sa.iam_email
 ]
 }
+ tag_bindings = {
+ context = module.organization.tag_values["environment/production"].id
+ }
 }
 module "branch-network-dev-folder" {
@@ -78,7 +84,10 @@ module "branch-network-dev-folder" {
 iam = {
 "roles/compute.xpnAdmin" = [
 module.branch-dp-dev-sa.iam_email,
- module.branch-teams-dev-projectfactory-sa.iam_email
+ module.branch-teams-dev-pf-sa.iam_email
 ]
 }
+ tag_bindings = {
+ context = module.organization.tag_values["environment/development"].id
+ }
 }
diff --git a/fast/stages/01-resman/branch-sandbox.tf b/fast/stages/01-resman/branch-sandbox.tf
index 0e145b6b..fa5441ef 100644
--- a/fast/stages/01-resman/branch-sandbox.tf
+++ b/fast/stages/01-resman/branch-sandbox.tf
@@ -37,6 +37,9 @@ module "branch-sandbox-folder" {
 values = []
 }
 }
+ tag_bindings = {
+ context = module.organization.tag_values["context/sandbox"].id
+ }
 }
 module "branch-sandbox-gcs" {
diff --git a/fast/stages/01-resman/branch-security.tf b/fast/stages/01-resman/branch-security.tf
index 33bd5de0..7f0344a6 100644
--- a/fast/stages/01-resman/branch-security.tf
+++ b/fast/stages/01-resman/branch-security.tf
@@ -39,6 +39,9 @@ module "branch-security-folder" {
 "roles/resourcemanager.folderAdmin" = [module.branch-security-sa.iam_email]
 "roles/resourcemanager.projectCreator" = [module.branch-security-sa.iam_email]
 }
+ tag_bindings = {
+ context = module.organization.tag_values["context/security"].id
+ }
 }
 module "branch-security-sa" {
diff --git a/fast/stages/01-resman/branch-teams.tf b/fast/stages/01-resman/branch-teams.tf
index 9e15a6d3..88ac6dbd 100644
--- a/fast/stages/01-resman/branch-teams.tf
+++ b/fast/stages/01-resman/branch-teams.tf
@@ -22,6 +22,9 @@ module "branch-teams-folder" {
 source = "../../../modules/folder"
 parent = "organizations/${var.organization.id}"
 name = "Teams"
+ tag_bindings = {
+ context = module.organization.tag_values["context/teams"].id
+ }
 }
 module "branch-teams-prod-sa" {
@@ -83,24 +86,32 @@ module "branch-teams-team-dev-folder" {
 iam = {
 # remove owner here and at project level if SA does not manage project resources
 "roles/owner" = [
- module.branch-teams-dev-projectfactory-sa.iam_email
+ module.branch-teams-dev-pf-sa.iam_email
 ]
 "roles/logging.admin" = [
- module.branch-teams-dev-projectfactory-sa.iam_email
+ module.branch-teams-dev-pf-sa.iam_email
 ]
 "roles/resourcemanager.folderAdmin" = [
- module.branch-teams-dev-projectfactory-sa.iam_email
+ module.branch-teams-dev-pf-sa.iam_email
 ]
 "roles/resourcemanager.projectCreator" = [
- module.branch-teams-dev-projectfactory-sa.iam_email
+ module.branch-teams-dev-pf-sa.iam_email
 ]
 "roles/compute.xpnAdmin" = [
- module.branch-teams-dev-projectfactory-sa.iam_email
+ module.branch-teams-dev-pf-sa.iam_email
 ]
 }
+ tag_bindings = {
+ context = module.organization.tag_values["environment/development"].id
+ }
 }
-module "branch-teams-dev-projectfactory-sa" {
+moved {
+ from = module.branch-teams-dev-projectfactory-sa
+ to = module.branch-teams-dev-pf-sa
+}
+
+module "branch-teams-dev-pf-sa" {
 source = "../../../modules/iam-service-account"
 project_id = var.automation_project_id
 name = "dev-resman-pf-0"
@@ -109,14 +120,19 @@ module "branch-teams-dev-projectfactory-sa" {
 prefix = var.prefix
 }
-module "branch-teams-dev-projectfactory-gcs" {
+moved {
+ from = module.branch-teams-dev-projectfactory-gcs
+ to = module.branch-teams-dev-pf-gcs
+}
+
+module "branch-teams-dev-pf-gcs" {
 source = "../../../modules/gcs"
 project_id = var.automation_project_id
 name = "dev-resman-pf-0"
 prefix = var.prefix
 versioning = true
 iam = {
- "roles/storage.objectAdmin" = [module.branch-teams-dev-projectfactory-sa.iam_email]
+ "roles/storage.objectAdmin" = [module.branch-teams-dev-pf-sa.iam_email]
 }
 }
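Review bot: The `moved` blocks renaming `branch-teams-dev-projectfactory-sa` (and the gcs, prod-sa and prod-gcs ones in the following hunks) need Terraform 1.1 or later, and the stage's `required_version` constraint is not part of this diff; check it is at least `>= 1.1.0`, otherwise `terraform init` fails to parse the file for users on older releases. A short note in the stage README's upgrade section saying the rename is state-preserving only while the `moved` blocks are present would also help: if they are dropped later while a state still holds the old addresses, the next apply destroys and recreates the project-factory service accounts and buckets. The `branch-teams-team-dev-folder` module block starts outside the hunk.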
@@ -133,24 +149,32 @@ module "branch-teams-team-prod-folder" {
 iam = {
 # remove owner here and at project level if SA does not manage project resources
 "roles/owner" = [
- module.branch-teams-prod-projectfactory-sa.iam_email
+ module.branch-teams-prod-pf-sa.iam_email
 ]
 "roles/logging.admin" = [
- module.branch-teams-prod-projectfactory-sa.iam_email
+ module.branch-teams-prod-pf-sa.iam_email
 ]
 "roles/resourcemanager.folderAdmin" = [
- module.branch-teams-prod-projectfactory-sa.iam_email
+ module.branch-teams-prod-pf-sa.iam_email
 ]
 "roles/resourcemanager.projectCreator" = [
- module.branch-teams-prod-projectfactory-sa.iam_email
+ module.branch-teams-prod-pf-sa.iam_email
 ]
 "roles/compute.xpnAdmin" = [
- module.branch-teams-prod-projectfactory-sa.iam_email
+ module.branch-teams-prod-pf-sa.iam_email
 ]
 }
+ tag_bindings = {
+ context = module.organization.tag_values["environment/production"].id
+ }
 }
-module "branch-teams-prod-projectfactory-sa" {
+moved {
+ from = module.branch-teams-prod-projectfactory-sa
+ to = module.branch-teams-prod-pf-sa
+}
+
+module "branch-teams-prod-pf-sa" {
 source = "../../../modules/iam-service-account"
 project_id = var.automation_project_id
 name = "prod-resman-pf-0"
@@ -159,13 +183,18 @@ module "branch-teams-prod-projectfactory-sa" {
 prefix = var.prefix
 }
-module "branch-teams-prod-projectfactory-gcs" {
+moved {
+ from = module.branch-teams-prod-projectfactory-gcs
+ to = module.branch-teams-prod-pf-gcs
+}
+
+module "branch-teams-prod-pf-gcs" {
 source = "../../../modules/gcs"
 project_id = var.automation_project_id
 name = "prod-resman-pf-0"
 prefix = var.prefix
 versioning = true
 iam = {
- "roles/storage.objectAdmin" = [module.branch-teams-prod-projectfactory-sa.iam_email]
+ "roles/storage.objectAdmin" = [module.branch-teams-prod-pf-sa.iam_email]
 }
 }
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index d49ec86a..2e4cb35e 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -25,8 +25,8 @@ locals {
 ]
 # set to the empty list if you remove the teams branch
 branch_teams_pf_sa_iam_emails = [
- module.branch-teams-dev-projectfactory-sa.iam_email,
- module.branch-teams-prod-projectfactory-sa.iam_email
+ module.branch-teams-dev-pf-sa.iam_email,
+ module.branch-teams-prod-pf-sa.iam_email
 ]
 list_allow = {
 inherit_from_parent = false
@@ -63,11 +63,6 @@ module "organization" {
 "roles/compute.xpnAdmin" = [
 module.branch-network-sa.iam_email
 ]
- # TODO: implement tag-based conditions on this org role
- "roles/orgpolicy.policyAdmin" = concat(
- local.branch_teams_pf_sa_iam_emails,
- local.branch_dataplatform_sa_iam_emails,
- )
 },
 local.billing_org ? {
 "roles/billing.costsManager" = local.branch_teams_pf_sa_iam_emails
@@ -143,4 +138,50 @@ module "organization" {
 # values = local.allowed_regions
 # }
 }
+ tags = {
+ context = {
+ description = "Resource management context."
+ iam = {}
+ values = {
+ data = null
+ gke = null
+ networking = null
+ sandbox = null
+ security = null
+ teams = null
+ }
+ }
+ environment = {
+ description = "Environment definition."
+ iam = {}
+ values = {
+ development = null
+ production = null
+ }
+ }
+ }
 }
+
+# organization policy admin role assigned with a condition on tags
+
+resource "google_organization_iam_member" "org_policy_admin" {
+ for_each = {
+ data-dev = ["data", "development", module.branch-dp-dev-sa.iam_email]
+ data-prod = ["data", "production", module.branch-dp-prod-sa.iam_email]
+ pf-dev = ["teams", "development", module.branch-teams-dev-pf-sa.iam_email]
+ pf-prod = ["teams", "production", module.branch-teams-prod-pf-sa.iam_email]
+ }
+ org_id = var.organization.id
+ role = "roles/orgpolicy.policyAdmin"
+ member = each.value.2
+ condition {
+ title = "org_policy_tag_scoped"
+ description = "Org policy tag scoped grant for ${each.value.0}/${each.value.1}."
+ expression = <<-END
+ resource.matchTag('${var.organization.id}/context', '${each.value.0}')
+ &&
+ resource.matchTag('${var.organization.id}/environment', '${each.value.1}')
+ END
+ }
+}
+
diff --git a/fast/stages/01-resman/outputs.tf b/fast/stages/01-resman/outputs.tf
index fd06d2aa..d38d9a8f 100644
--- a/fast/stages/01-resman/outputs.tf
+++ b/fast/stages/01-resman/outputs.tf
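Review bot: The `for_each` values of `google_organization_iam_member.org_policy_admin` are positional tuples read back as `each.value.0`, `.1` and `.2` in three places, which hides what each element means; objects with `context`, `environment` and `member` attributes read correctly and a typo fails at plan time instead of silently shifting a field. A comment on the resource is also worth adding, because this is an organization-wide `orgpolicy.policyAdmin` grant whose only scoping is the tag pair, so whoever can bind those tag values (the resman SA, which the 00-bootstrap organization.tf hunk gives `tagUser` and `tagAdmin` org-wide, plus anything later added to the tag keys' `iam`) can extend the grant to further resources, e.g. `# scope is enforced only by tag bindings: tagUser/tagAdmin on the context/environment keys is equivalent to holding this role`. `resource.matchTag` also matches inherited tags, so the grant follows whatever is created under the tagged folders, which looks intended. Rewritten resource below; the `tags` block above it is unchanged.
```hcl
resource "google_organization_iam_member" "org_policy_admin" {
  for_each = {
    data-dev  = { context = "data", environment = "development", member = module.branch-dp-dev-sa.iam_email }
    data-prod = { context = "data", environment = "production", member = module.branch-dp-prod-sa.iam_email }
    pf-dev    = { context = "teams", environment = "development", member = module.branch-teams-dev-pf-sa.iam_email }
    pf-prod   = { context = "teams", environment = "production", member = module.branch-teams-prod-pf-sa.iam_email }
  }
  org_id = var.organization.id
  role   = "roles/orgpolicy.policyAdmin"
  member = each.value.member
  condition {
    title       = "org_policy_tag_scoped"
    description = "Org policy tag scoped grant for ${each.value.context}/${each.value.environment}."
    expression  = <<-END
      resource.matchTag('${var.organization.id}/context', '${each.value.context}')
      &&
      resource.matchTag('${var.organization.id}/environment', '${each.value.environment}')
    END
  }
}
```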
@@ -57,14 +57,14 @@ locals {
 sa = module.branch-dp-prod-sa.email
 })
 "03-project-factory-dev" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
- bucket = module.branch-teams-dev-projectfactory-gcs.name
+ bucket = module.branch-teams-dev-pf-gcs.name
 name = "team-dev"
- sa = module.branch-teams-dev-projectfactory-sa.email
+ sa = module.branch-teams-dev-pf-sa.email
 })
 "03-project-factory-prod" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
- bucket = module.branch-teams-prod-projectfactory-gcs.name
+ bucket = module.branch-teams-prod-pf-gcs.name
 name = "team-prod"
- sa = module.branch-teams-prod-projectfactory-sa.email
+ sa = module.branch-teams-prod-pf-sa.email
 })
 "99-sandbox" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
 bucket = module.branch-sandbox-gcs.name
@@ -77,8 +77,8 @@ locals {
 data-platform-dev = module.branch-dp-dev-sa.email
 data-platform-prod = module.branch-dp-prod-sa.email
 networking = module.branch-network-sa.email
- project-factory-dev = module.branch-teams-dev-projectfactory-sa.email
- project-factory-prod = module.branch-teams-prod-projectfactory-sa.email
+ project-factory-dev = module.branch-teams-dev-pf-sa.email
+ project-factory-prod = module.branch-teams-prod-pf-sa.email
 sandbox = module.branch-sandbox-sa.email
 security = module.branch-security-sa.email
 teams = module.branch-teams-prod-sa.email
@@ -140,12 +140,12 @@ output "project_factories" {
 description = "Data for the project factories stage."
 value = {
 dev = {
- bucket = module.branch-teams-dev-projectfactory-gcs.name
- sa = module.branch-teams-dev-projectfactory-sa.email
+ bucket = module.branch-teams-dev-pf-gcs.name
+ sa = module.branch-teams-dev-pf-sa.email
 }
 prod = {
- bucket = module.branch-teams-prod-projectfactory-gcs.name
- sa = module.branch-teams-prod-projectfactory-sa.email
+ bucket = module.branch-teams-prod-pf-gcs.name
+ sa = module.branch-teams-prod-pf-sa.email
 }
 }
 }
diff --git a/fast/stages/03-data-platform/dev/IAM.md b/fast/stages/03-data-platform/dev/IAM.md new file mode 100644 index 00000000..2fa6fbd9 --- /dev/null +++ b/fast/stages/03-data-platform/dev/IAM.md @@ -0,0 +1,98 @@ +# IAM bindings reference + +Legend: + additive, conditional. + +## Project dev-data-cmn-0 + +| members | roles | +|---|---| +|gcp-data-engineers
group|[roles/dlp.estimatesAdmin](https://cloud.google.com/iam/docs/understanding-roles#dlp.estimatesAdmin)
[roles/dlp.reader](https://cloud.google.com/iam/docs/understanding-roles#dlp.reader)
[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) | +|gcp-data-security
group|[roles/dlp.admin](https://cloud.google.com/iam/docs/understanding-roles#dlp.admin) | +|dev-data-load-df-0
serviceAccount|[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) | +|dev-data-trf-df-0
serviceAccount|[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) | + +## Project dev-data-dtl-0-0 + +| members | roles | +|---|---| +|gcp-data-analysts
group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user)
[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | +|gcp-data-engineers
group|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | +|dev-data-load-df-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) | +|dev-data-trf-bq-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) | +|dev-data-trf-df-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) | + +## Project dev-data-dtl-1-0 + +| members | roles | +|---|---| +|gcp-data-analysts
group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user)
[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | +|gcp-data-engineers
group|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | +|dev-data-trf-bq-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) | +|dev-data-trf-df-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | + +## Project dev-data-dtl-2-0 + +| members | roles | +|---|---| +|gcp-data-analysts
group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user)
[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | +|gcp-data-engineers
group|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | +|dev-data-trf-bq-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) | +|dev-data-trf-df-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | + +## Project dev-data-dtl-plg-0 + +| members | roles | +|---|---| +|gcp-data-analysts
group|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user)
[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | +|gcp-data-engineers
group|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | + +## Project dev-data-lnd-0 + +| members | roles | +|---|---| +|gcp-data-engineers
group|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/pubsub.editor](https://cloud.google.com/iam/docs/understanding-roles#pubsub.editor)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | +|dev-data-lnd-bq-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) | +|dev-data-lnd-cs-0
serviceAccount|[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) | +|dev-data-lnd-ps-0
serviceAccount|[roles/pubsub.publisher](https://cloud.google.com/iam/docs/understanding-roles#pubsub.publisher) | +|dev-data-load-df-0
serviceAccount|[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user)
[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin)
[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | +|dev-data-orc-cmp-0
serviceAccount|[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | + +## Project dev-data-lod-0 + +| members | roles | +|---|---| +|gcp-data-engineers
group|[roles/compute.viewer](https://cloud.google.com/iam/docs/understanding-roles#compute.viewer)
[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin)
[roles/dataflow.developer](https://cloud.google.com/iam/docs/understanding-roles#dataflow.developer)
[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) | +|dev-data-load-df-0
serviceAccount|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin)
[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker)
[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | +|dev-data-orc-cmp-0
serviceAccount|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) | +|service-426128559612
serviceAccount|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | + +## Project dev-data-orc-0 + +| members | roles | +|---|---| +|gcp-data-engineers
group|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/cloudbuild.builds.editor](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.editor)
[roles/composer.admin](https://cloud.google.com/iam/docs/understanding-roles#composer.admin)
[roles/composer.environmentAndStorageObjectAdmin](https://cloud.google.com/iam/docs/understanding-roles#composer.environmentAndStorageObjectAdmin)
[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser)
[roles/iap.httpsResourceAccessor](https://cloud.google.com/iam/docs/understanding-roles#iap.httpsResourceAccessor)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin)
[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | +|dev-data-load-df-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | +|dev-data-orc-cmp-0
serviceAccount|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/composer.worker](https://cloud.google.com/iam/docs/understanding-roles#composer.worker)
[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser)
[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | +|dev-data-trf-df-0
serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) | +|service-36960036774
serviceAccount|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | + +## Project dev-data-trf-0 + +| members | roles | +|---|---| +|gcp-data-engineers
group|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) | +|dev-data-orc-cmp-0
serviceAccount|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) | +|dev-data-trf-bq-0
serviceAccount|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) | +|dev-data-trf-df-0
serviceAccount|[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker)
[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | +|service-883871192228
serviceAccount|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | + +## Project dev-net-spoke-0 + +| members | roles | +|---|---| +|36960036774
serviceAccount|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) +| +|dev-data-load-df-0
serviceAccount|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) +| +|dev-data-trf-df-0
serviceAccount|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) +| +|service-36960036774
serviceAccount|[roles/composer.sharedVpcAgent](https://cloud.google.com/iam/docs/understanding-roles#composer.sharedVpcAgent) +
[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) +
[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) +
[roles/container.hostServiceAgentUser](https://cloud.google.com/iam/docs/understanding-roles#container.hostServiceAgentUser) +
[roles/container.hostServiceAgentUser](https://cloud.google.com/iam/docs/understanding-roles#container.hostServiceAgentUser) +| +|service-426128559612
serviceAccount|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) +| +|service-883871192228
serviceAccount|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) +|