Use tags and tag-based IAM conditions in FAST (#553)
* organization module * folder module * project module * fix project binding * environment tags * use id instead of name for references * environment bindings * conditional org policy admin binding via tags * rename pf service accounts and buckets * update IAM docs * kms module * compute-vm * fix compute-vm * tfdoc
This commit is contained in:
parent
0b5ed8b7ef
commit
474bcbdd0e
@ -12,7 +12,7 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
|<b>gcp-security-admins</b><br><small><i>group</i></small>|[roles/cloudasset.owner](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.owner) <br>[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/iam.securityReviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/securitycenter.admin](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.admin) <br>[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|<b>gcp-support</b><br><small><i>group</i></small>|[roles/cloudsupport.techSupportEditor](https://cloud.google.com/iam/docs/understanding-roles#cloudsupport.techSupportEditor) <br>[roles/logging.viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer) <br>[roles/monitoring.viewer](https://cloud.google.com/iam/docs/understanding-roles#monitoring.viewer) |
|<b>prod-bootstrap-0</b><br><small><i>serviceAccount</i></small>|[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/resourcemanager.organizationAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/iam.organizationRoleAdmin](https://cloud.google.com/iam/docs/understanding-roles#iam.organizationRoleAdmin) <code>+</code>|
|<b>prod-resman-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/organizationIamAdmin <code>•</code><br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|<b>prod-resman-0</b><br><small><i>serviceAccount</i></small>|organizations/[org_id #0]/roles/organizationIamAdmin <code>•</code><br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.tagAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagAdmin) <br>[roles/resourcemanager.tagUser](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagUser) <br>[roles/billing.admin](https://cloud.google.com/iam/docs/understanding-roles#billing.admin) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|

## Project <i>prod-audit-logs-0</i>

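Review bot: the new roles/resourcemanager.tagAdmin and roles/resourcemanager.tagUser entries in the prod-resman-0 row are unconditional org-level grants, and in this same commit tag values become the thing the conditional roles/orgpolicy.policyAdmin grant keys on, so any principal holding tagUser at the organization can extend that conditional grant to a folder or project simply by binding the context/environment values to it. That is acceptable for the resource-management service account, which is the principal that defines the tags in the first place, but the table should say so: a one-line note under the legend that the tag roles gate the conditional bindings would stop someone later handing tagUser to a convenience group without realising what it unlocks.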
@ -41,6 +41,12 @@ locals {
[module.automation-tf-bootstrap-sa.iam_email],
local._iam_bootstrap_user
)
"roles/resourcemanager.tagAdmin" = [
module.automation-tf-resman-sa.iam_email
]
"roles/resourcemanager.tagUser" = [
module.automation-tf-resman-sa.iam_email
]
}
# organization additive IAM bindings, in an easy to edit format before
# they are combined with var.iam_additive a bit further in locals

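Review bot: roles/resourcemanager.tagAdmin and roles/resourcemanager.tagUser are added to the authoritative `iam` map (the comment right below says additive bindings only come later in the locals), so applying this stage will strip any member not listed here from those two org-level roles, including human tag administrators granted outside Terraform. If that is the intent, say so in a comment next to the two entries; otherwise put them in the additive block, as was already done for roles/orgpolicy.policyAdmin.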
@ -6,15 +6,18 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
| members | roles |
|---|---|
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|<b>dev-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|<b>prod-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|<b>prod-resman-net-0</b><br><small><i>serviceAccount</i></small>|[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code><br>[roles/compute.orgFirewallPolicyAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.orgFirewallPolicyAdmin) <code>+</code><br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <code>+</code>|
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code><br>[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code>|
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/orgpolicy.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#orgpolicy.policyAdmin) <code>+</code><code>•</code><br>[roles/billing.costsManager](https://cloud.google.com/iam/docs/understanding-roles#billing.costsManager) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|
|<b>prod-resman-sec-0</b><br><small><i>serviceAccount</i></small>|[roles/accesscontextmanager.policyAdmin](https://cloud.google.com/iam/docs/understanding-roles#accesscontextmanager.policyAdmin) <code>+</code><br>[roles/billing.user](https://cloud.google.com/iam/docs/understanding-roles#billing.user) <code>+</code>|

## Folder <i>development</i>

| members | roles |
|---|---|
|<b>dev-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |
|<b>dev-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |

## Folder <i>networking</i>
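Review bot: the dev-resman-dp-0 row under Folder development lists roles/compute.xpnAdmin twice (first and last entry), so either the role is bound to that service account in two places in branch-data-platform.tf or tfdoc is not deduplicating; in both cases the table should show it once. A second documentation gap in the same hunk: roles/orgpolicy.policyAdmin on dev-resman-dp-0, dev-resman-pf-0, prod-resman-dp-0 and prod-resman-pf-0 is now marked <code>+</code><code>•</code>, but the legend only says "conditional" and never states the condition, so a reader of IAM.md cannot tell that the grant is scoped to resources carrying matching context and environment tags; a sentence under the legend pointing at the condition in organization.tf would close that gap.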
@ -28,6 +31,7 @@ Legend: <code>+</code> additive, <code>•</code> conditional.
| members | roles |
|---|---|
|<b>prod-resman-dp-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) <br>[roles/logging.admin](https://cloud.google.com/iam/docs/understanding-roles#logging.admin) <br>[roles/owner](https://cloud.google.com/iam/docs/understanding-roles#owner) <br>[roles/resourcemanager.folderAdmin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin) <br>[roles/resourcemanager.projectCreator](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectCreator) <br>[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |
|<b>prod-resman-pf-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.xpnAdmin](https://cloud.google.com/iam/docs/understanding-roles#compute.xpnAdmin) |

## Folder <i>sandbox</i>
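Review bot: same duplicate as in the development folder table: prod-resman-dp-0 under Folder networking shows roles/compute.xpnAdmin both first and last in its role list. One of the two bindings (or the generator's missing dedupe) should be fixed before this file is used for access reviews, where a double entry reads as a second grant.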
@ -158,7 +158,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
| [branch-security.tf](./branch-security.tf) | Security stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-teams.tf](./branch-teams.tf) | Team stages resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [main.tf](./main.tf) | Module-level locals and resources. | | |
| [organization.tf](./organization.tf) | Organization policies. | <code>organization</code> | |
| [organization.tf](./organization.tf) | Organization policies. | <code>organization</code> | <code>google_organization_iam_member</code> |
| [outputs.tf](./outputs.tf) | Module outputs. | | <code>local_file</code> |
| [variables.tf](./variables.tf) | Module variables. | | |

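Review bot: the organization.tf description still reads "Organization policies." while its resources column now lists google_organization_iam_member; in this commit the file also defines the context and environment tag keys and values and the tag-conditional roles/orgpolicy.policyAdmin grant, so the description should mention tags and conditional IAM, otherwise a reader looking for where the tag model lives will not find it from this table.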
@ -22,6 +22,9 @@ module "branch-dp-folder" {
source = "../../../modules/folder"
parent = "organizations/${var.organization.id}"
name = "Data Platform"
tag_bindings = {
context = module.organization.tag_values["context/data"].id
}
}

# environment: development folder
@ -39,6 +42,9 @@ module "branch-dp-dev-folder" {
"roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
}
tag_bindings = {
context = module.organization.tag_values["environment/development"].id
}
}

module "branch-dp-dev-sa" {
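Review bot: the tag_bindings entry on the development folder uses the map key `context` for a value taken from the environment tag (module.organization.tag_values["environment/development"].id). The key is only a local name, but the same `context` key carries the context tag on the parent folder a few lines above, so a folder that one day needs both bindings will collide on the key, and anyone grepping for environment bindings will miss these. Suggest `environment = module.organization.tag_values["environment/development"].id` here and in the matching production, networking and teams folder blocks.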
@ -75,6 +81,9 @@ module "branch-dp-prod-folder" {
"roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
"roles/compute.xpnAdmin" = [module.branch-dp-prod-sa.iam_email]
}
tag_bindings = {
context = module.organization.tag_values["environment/production"].id
}
}

module "branch-dp-prod-sa" {
@ -38,6 +38,9 @@ module "branch-network-folder" {
"roles/resourcemanager.projectCreator" = [module.branch-network-sa.iam_email]
"roles/compute.xpnAdmin" = [module.branch-network-sa.iam_email]
}
tag_bindings = {
context = module.organization.tag_values["context/networking"].id
}
}

module "branch-network-sa" {
@ -66,9 +69,12 @@ module "branch-network-prod-folder" {
iam = {
"roles/compute.xpnAdmin" = [
module.branch-dp-prod-sa.iam_email,
module.branch-teams-prod-projectfactory-sa.iam_email
module.branch-teams-prod-pf-sa.iam_email
]
}
tag_bindings = {
context = module.organization.tag_values["environment/production"].id
}
}

module "branch-network-dev-folder" {
@ -78,7 +84,10 @@ module "branch-network-dev-folder" {
iam = {
"roles/compute.xpnAdmin" = [
module.branch-dp-dev-sa.iam_email,
module.branch-teams-dev-projectfactory-sa.iam_email
module.branch-teams-dev-pf-sa.iam_email
]
}
tag_bindings = {
context = module.organization.tag_values["environment/development"].id
}
}
@ -37,6 +37,9 @@ module "branch-sandbox-folder" {
values = []
}
}
tag_bindings = {
context = module.organization.tag_values["context/sandbox"].id
}
}

module "branch-sandbox-gcs" {
@ -39,6 +39,9 @@ module "branch-security-folder" {
"roles/resourcemanager.folderAdmin" = [module.branch-security-sa.iam_email]
"roles/resourcemanager.projectCreator" = [module.branch-security-sa.iam_email]
}
tag_bindings = {
context = module.organization.tag_values["context/security"].id
}
}

module "branch-security-sa" {
@ -22,6 +22,9 @@ module "branch-teams-folder" {
source = "../../../modules/folder"
parent = "organizations/${var.organization.id}"
name = "Teams"
tag_bindings = {
context = module.organization.tag_values["context/teams"].id
}
}

module "branch-teams-prod-sa" {
@ -83,24 +86,32 @@ module "branch-teams-team-dev-folder" {
iam = {
# remove owner here and at project level if SA does not manage project resources
"roles/owner" = [
module.branch-teams-dev-projectfactory-sa.iam_email
module.branch-teams-dev-pf-sa.iam_email
]
"roles/logging.admin" = [
module.branch-teams-dev-projectfactory-sa.iam_email
module.branch-teams-dev-pf-sa.iam_email
]
"roles/resourcemanager.folderAdmin" = [
module.branch-teams-dev-projectfactory-sa.iam_email
module.branch-teams-dev-pf-sa.iam_email
]
"roles/resourcemanager.projectCreator" = [
module.branch-teams-dev-projectfactory-sa.iam_email
module.branch-teams-dev-pf-sa.iam_email
]
"roles/compute.xpnAdmin" = [
module.branch-teams-dev-projectfactory-sa.iam_email
module.branch-teams-dev-pf-sa.iam_email
]
}
tag_bindings = {
context = module.organization.tag_values["environment/development"].id
}
}

module "branch-teams-dev-projectfactory-sa" {
moved {
from = module.branch-teams-dev-projectfactory-sa
to = module.branch-teams-dev-pf-sa
}

module "branch-teams-dev-pf-sa" {
source = "../../../modules/iam-service-account"
project_id = var.automation_project_id
name = "dev-resman-pf-0"
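Review bot: the `moved` block from module.branch-teams-dev-projectfactory-sa to module.branch-teams-dev-pf-sa (and the matching one for the state bucket below) keeps the service account and the bucket in place, which matters because that bucket holds the project factory's Terraform state; `moved` at module-address level, however, needs Terraform 1.1 or later, so the stage's required_version should be checked (it is not in this diff). Before applying, confirm that `terraform plan` reports only the address moves plus the new tag binding and no destroy/create on the service account or bucket: `name = "dev-resman-pf-0"` is unchanged context in this hunk, so a replacement in the plan would mean the moved block was not picked up.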
@ -109,14 +120,19 @@ module "branch-teams-dev-projectfactory-sa" {
prefix = var.prefix
}

module "branch-teams-dev-projectfactory-gcs" {
moved {
from = module.branch-teams-dev-projectfactory-gcs
to = module.branch-teams-dev-pf-gcs
}

module "branch-teams-dev-pf-gcs" {
source = "../../../modules/gcs"
project_id = var.automation_project_id
name = "dev-resman-pf-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-teams-dev-projectfactory-sa.iam_email]
"roles/storage.objectAdmin" = [module.branch-teams-dev-pf-sa.iam_email]
}
}

@ -133,24 +149,32 @@ module "branch-teams-team-prod-folder" {
iam = {
# remove owner here and at project level if SA does not manage project resources
"roles/owner" = [
module.branch-teams-prod-projectfactory-sa.iam_email
module.branch-teams-prod-pf-sa.iam_email
]
"roles/logging.admin" = [
module.branch-teams-prod-projectfactory-sa.iam_email
module.branch-teams-prod-pf-sa.iam_email
]
"roles/resourcemanager.folderAdmin" = [
module.branch-teams-prod-projectfactory-sa.iam_email
module.branch-teams-prod-pf-sa.iam_email
]
"roles/resourcemanager.projectCreator" = [
module.branch-teams-prod-projectfactory-sa.iam_email
module.branch-teams-prod-pf-sa.iam_email
]
"roles/compute.xpnAdmin" = [
module.branch-teams-prod-projectfactory-sa.iam_email
module.branch-teams-prod-pf-sa.iam_email
]
}
tag_bindings = {
context = module.organization.tag_values["environment/production"].id
}
}

module "branch-teams-prod-projectfactory-sa" {
moved {
from = module.branch-teams-prod-projectfactory-sa
to = module.branch-teams-prod-pf-sa
}

module "branch-teams-prod-pf-sa" {
source = "../../../modules/iam-service-account"
project_id = var.automation_project_id
name = "prod-resman-pf-0"
@ -159,13 +183,18 @@ module "branch-teams-prod-projectfactory-sa" {
prefix = var.prefix
}

module "branch-teams-prod-projectfactory-gcs" {
moved {
from = module.branch-teams-prod-projectfactory-gcs
to = module.branch-teams-prod-pf-gcs
}

module "branch-teams-prod-pf-gcs" {
source = "../../../modules/gcs"
project_id = var.automation_project_id
name = "prod-resman-pf-0"
prefix = var.prefix
versioning = true
iam = {
"roles/storage.objectAdmin" = [module.branch-teams-prod-projectfactory-sa.iam_email]
"roles/storage.objectAdmin" = [module.branch-teams-prod-pf-sa.iam_email]
}
}

@ -25,8 +25,8 @@ locals {
]
# set to the empty list if you remove the teams branch
branch_teams_pf_sa_iam_emails = [
module.branch-teams-dev-projectfactory-sa.iam_email,
module.branch-teams-prod-projectfactory-sa.iam_email
module.branch-teams-dev-pf-sa.iam_email,
module.branch-teams-prod-pf-sa.iam_email
]
list_allow = {
inherit_from_parent = false
@ -63,11 +63,6 @@ module "organization" {
"roles/compute.xpnAdmin" = [
module.branch-network-sa.iam_email
]
# TODO: implement tag-based conditions on this org role
"roles/orgpolicy.policyAdmin" = concat(
local.branch_teams_pf_sa_iam_emails,
local.branch_dataplatform_sa_iam_emails,
)
},
local.billing_org ? {
"roles/billing.costsManager" = local.branch_teams_pf_sa_iam_emails
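Review bot: dropping the unconditional roles/orgpolicy.policyAdmin entry (and its TODO) from the additive org bindings is the right move now that the grant is tag-conditional, and because these are additive member bindings the apply will remove the old org-wide grants rather than leave them beside the new conditional ones; please confirm that in the plan, since a leftover unconditional binding would make the tag condition meaningless. If local.branch_dataplatform_sa_iam_emails was only referenced in the removed concat(), it is now dead and should go too.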
@ -143,4 +138,50 @@ module "organization" {
# values = local.allowed_regions
# }
}
tags = {
context = {
description = "Resource management context."
iam = {}
values = {
data = null
gke = null
networking = null
sandbox = null
security = null
teams = null
}
}
environment = {
description = "Environment definition."
iam = {}
values = {
development = null
production = null
}
}
}
}

# organization policy admin role assigned with a condition on tags

resource "google_organization_iam_member" "org_policy_admin" {
for_each = {
data-dev = ["data", "development", module.branch-dp-dev-sa.iam_email]
data-prod = ["data", "production", module.branch-dp-prod-sa.iam_email]
pf-dev = ["teams", "development", module.branch-teams-dev-pf-sa.iam_email]
pf-prod = ["teams", "production", module.branch-teams-prod-pf-sa.iam_email]
}
org_id = var.organization.id
role = "roles/orgpolicy.policyAdmin"
member = each.value.2
condition {
title = "org_policy_tag_scoped"
description = "Org policy tag scoped grant for ${each.value.0}/${each.value.1}."
expression = <<-END
resource.matchTag('${var.organization.id}/context', '${each.value.0}')
&&
resource.matchTag('${var.organization.id}/environment', '${each.value.1}')
END
}
}

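Review bot: in the google_organization_iam_member.org_policy_admin condition, matching on tag names with resource.matchTag('${var.organization.id}/context', ...) makes the grant follow the short name: if a value is deleted and recreated with the same name, or a different value is later renamed to it, the binding silently follows, whereas resource.matchTagId(...) pinned to module.organization.tag_values[...].id (which this file already has at hand) would tie the grant to the exact values this stage created. Either is defensible, but the comment above the resource should state which property was chosen and why. Two smaller points on the same hunk: both tag keys are declared with `iam = {}`, so nothing but the org-level tagUser grant controls who can attach these values, and that grant is therefore the real boundary of the conditional binding and deserves a comment here; and `each.value.0` / `each.value.2` on a list is legacy attribute-style indexing, a map with named fields (context, environment, member) would make the four for_each entries self-describing and the condition easier to audit.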
@ -57,14 +57,14 @@ locals {
sa = module.branch-dp-prod-sa.email
})
"03-project-factory-dev" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
bucket = module.branch-teams-dev-projectfactory-gcs.name
bucket = module.branch-teams-dev-pf-gcs.name
name = "team-dev"
sa = module.branch-teams-dev-projectfactory-sa.email
sa = module.branch-teams-dev-pf-sa.email
})
"03-project-factory-prod" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
bucket = module.branch-teams-prod-projectfactory-gcs.name
bucket = module.branch-teams-prod-pf-gcs.name
name = "team-prod"
sa = module.branch-teams-prod-projectfactory-sa.email
sa = module.branch-teams-prod-pf-sa.email
})
"99-sandbox" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
bucket = module.branch-sandbox-gcs.name
@ -77,8 +77,8 @@ locals {
data-platform-dev = module.branch-dp-dev-sa.email
data-platform-prod = module.branch-dp-prod-sa.email
networking = module.branch-network-sa.email
project-factory-dev = module.branch-teams-dev-projectfactory-sa.email
project-factory-prod = module.branch-teams-prod-projectfactory-sa.email
project-factory-dev = module.branch-teams-dev-pf-sa.email
project-factory-prod = module.branch-teams-prod-pf-sa.email
sandbox = module.branch-sandbox-sa.email
security = module.branch-security-sa.email
teams = module.branch-teams-prod-sa.email
@ -140,12 +140,12 @@ output "project_factories" {
description = "Data for the project factories stage."
value = {
dev = {
bucket = module.branch-teams-dev-projectfactory-gcs.name
sa = module.branch-teams-dev-projectfactory-sa.email
bucket = module.branch-teams-dev-pf-gcs.name
sa = module.branch-teams-dev-pf-sa.email
}
prod = {
bucket = module.branch-teams-prod-projectfactory-gcs.name
sa = module.branch-teams-prod-projectfactory-sa.email
bucket = module.branch-teams-prod-pf-gcs.name
sa = module.branch-teams-prod-pf-sa.email
}
}
}

@ -0,0 +1,98 @@
|
|||
# IAM bindings reference
|
||||
|
||||
Legend: <code>+</code> additive, <code>•</code> conditional.
|
||||
|
||||
## Project <i>dev-data-cmn-0</i>
|
||||
|
||||
| members | roles |
|
||||
|---|---|
|
||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/dlp.estimatesAdmin](https://cloud.google.com/iam/docs/understanding-roles#dlp.estimatesAdmin) <br>[roles/dlp.reader](https://cloud.google.com/iam/docs/understanding-roles#dlp.reader) <br>[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
||||
|<b>gcp-data-security</b><br><small><i>group</i></small>|[roles/dlp.admin](https://cloud.google.com/iam/docs/understanding-roles#dlp.admin) |
|
||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) |
|
||||
|
||||
## Project <i>dev-data-dtl-0-0</i>
|
||||
|
||||
| members | roles |
|
||||
|---|---|
|
||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
||||
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) |
|
||||
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) |
|
||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) |
|
||||
|
||||
## Project <i>dev-data-dtl-1-0</i>
|
||||
|
||||
| members | roles |
|
||||
|---|---|
|
||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
||||
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|
||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||
|
||||
## Project <i>dev-data-dtl-2-0</i>
|
||||
|
||||
| members | roles |
|
||||
|---|---|
|
||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
||||
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|
||||
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|
||||
|
||||
## Project <i>dev-data-dtl-plg-0</i>
|
||||
|
||||
| members | roles |
|
||||
|---|---|
|
||||
|<b>gcp-data-analysts</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer) <br>[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|
||||
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|
||||
|
||||
## Project <i>dev-data-lnd-0</i>

| members | roles |
|---|---|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/pubsub.editor](https://cloud.google.com/iam/docs/understanding-roles#pubsub.editor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) |
|<b>dev-data-lnd-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) |
|<b>dev-data-lnd-cs-0</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) |
|<b>dev-data-lnd-ps-0</b><br><small><i>serviceAccount</i></small>|[roles/pubsub.publisher](https://cloud.google.com/iam/docs/understanding-roles#pubsub.publisher) |
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) <br>[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|<b>dev-data-orc-cmp-0</b><br><small><i>serviceAccount</i></small>|[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |

## Project <i>dev-data-lod-0</i>

| members | roles |
|---|---|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/compute.viewer](https://cloud.google.com/iam/docs/understanding-roles#compute.viewer) <br>[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) <br>[roles/dataflow.developer](https://cloud.google.com/iam/docs/understanding-roles#dataflow.developer) <br>[roles/viewer](https://cloud.google.com/iam/docs/understanding-roles#viewer) |
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) <br>[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|<b>dev-data-orc-cmp-0</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|<b>service-426128559612</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |

## Project <i>dev-data-orc-0</i>

| members | roles |
|---|---|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/cloudbuild.builds.editor](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.editor) <br>[roles/composer.admin](https://cloud.google.com/iam/docs/understanding-roles#composer.admin) <br>[roles/composer.environmentAndStorageObjectAdmin](https://cloud.google.com/iam/docs/understanding-roles#composer.environmentAndStorageObjectAdmin) <br>[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser) <br>[roles/iap.httpsResourceAccessor](https://cloud.google.com/iam/docs/understanding-roles#iap.httpsResourceAccessor) <br>[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) <br>[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) |
|<b>dev-data-orc-cmp-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/composer.worker](https://cloud.google.com/iam/docs/understanding-roles#composer.worker) <br>[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) |
|<b>service-36960036774</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |

## Project <i>dev-data-trf-0</i>

| members | roles |
|---|---|
|<b>gcp-data-engineers</b><br><small><i>group</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) <br>[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|<b>dev-data-orc-cmp-0</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) |
|<b>dev-data-trf-bq-0</b><br><small><i>serviceAccount</i></small>|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) |
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker) <br>[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
|<b>service-883871192228</b><br><small><i>serviceAccount</i></small>|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |

## Project <i>dev-net-spoke-0</i>

| members | roles |
|---|---|
|<b>36960036774</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code>|
|<b>dev-data-load-df-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code>|
|<b>dev-data-trf-df-0</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code>|
|<b>service-36960036774</b><br><small><i>serviceAccount</i></small>|[roles/composer.sharedVpcAgent](https://cloud.google.com/iam/docs/understanding-roles#composer.sharedVpcAgent) <code>+</code><br>[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code><br>[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code><br>[roles/container.hostServiceAgentUser](https://cloud.google.com/iam/docs/understanding-roles#container.hostServiceAgentUser) <code>+</code><br>[roles/container.hostServiceAgentUser](https://cloud.google.com/iam/docs/understanding-roles#container.hostServiceAgentUser) <code>+</code>|
|<b>service-426128559612</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code>|
|<b>service-883871192228</b><br><small><i>serviceAccount</i></small>|[roles/compute.networkUser](https://cloud.google.com/iam/docs/understanding-roles#compute.networkUser) <code>+</code>|