Merge pull request #560 from GoogleCloudPlatform/jccb/fast-custom-xpn-role
Swap xpnAdmin with custom xpnServiceAdmin for service projects
62b15aa51d
|
@ -168,13 +168,13 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [automation_project_id](variables.tf#L20) | Project id for the automation project created by the bootstrap stage. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
| [automation_project_id](variables.tf#L20) | Project id for the automation project created by the bootstrap stage. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||||
| [billing_account](variables.tf#L26) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
| [billing_account](variables.tf#L26) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||||
| [organization](variables.tf#L57) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
| [organization](variables.tf#L59) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||||
| [prefix](variables.tf#L81) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
| [prefix](variables.tf#L83) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||||
| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | <code>map(string)</code> | | <code>{}</code> | <code>00-bootstrap</code> |
|
| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>00-bootstrap</code> |
|
||||||
| [groups](variables.tf#L42) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
| [groups](variables.tf#L44) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||||
| [organization_policy_configs](variables.tf#L67) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
| [organization_policy_configs](variables.tf#L69) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||||
| [outputs_location](variables.tf#L75) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [outputs_location](variables.tf#L77) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
| [team_folders](variables.tf#L92) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
| [team_folders](variables.tf#L94) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -35,10 +35,10 @@ module "branch-dp-dev-folder" {
|
||||||
name = "Development"
|
name = "Development"
|
||||||
group_iam = {}
|
group_iam = {}
|
||||||
iam = {
|
iam = {
|
||||||
|
(local.custom_roles.service_project_network_admin) = [module.branch-dp-dev-sa.iam_email]
|
||||||
# remove owner here and at project level if SA does not manage project resources
|
# remove owner here and at project level if SA does not manage project resources
|
||||||
"roles/compute.xpnAdmin" = [module.branch-dp-dev-sa.iam_email]
|
|
||||||
"roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
|
|
||||||
"roles/owner" = [module.branch-dp-dev-sa.iam_email]
|
"roles/owner" = [module.branch-dp-dev-sa.iam_email]
|
||||||
|
"roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
|
||||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
|
"roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
|
||||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
|
"roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
|
||||||
}
|
}
|
||||||
|
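Review bot: `(local.custom_roles.service_project_network_admin)` is read from `coalesce(var.custom_roles, {})` (the `locals` hunk further down), so when `custom_roles` is left at its new `default = null` the fallback `{}` has no such attribute and, as far as I can tell, the plan stops with an unsupported-attribute error rather than degrading to "no binding"; the `coalesce` does not actually buy null-safety. The same dereference is added in the production folder hunk, the network development folder hunk and both teams folder hunks. If the custom role is now mandatory for this stage, enforce that at the input boundary instead of at first use: in `variables.tf` replace `default = null` with `nullable = false`, reduce the local to `custom_roles = var.custom_roles`, and state in the variable description that the role id must come from 00-bootstrap. `module "branch-dp-dev-folder"` begins before this hunk.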
@ -74,12 +74,12 @@ module "branch-dp-prod-folder" {
|
||||||
name = "Production"
|
name = "Production"
|
||||||
group_iam = {}
|
group_iam = {}
|
||||||
iam = {
|
iam = {
|
||||||
|
(local.custom_roles.service_project_network_admin) = [module.branch-dp-prod-sa.iam_email]
|
||||||
# remove owner here and at project level if SA does not manage project resources
|
# remove owner here and at project level if SA does not manage project resources
|
||||||
"roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
|
|
||||||
"roles/owner" = [module.branch-dp-prod-sa.iam_email]
|
"roles/owner" = [module.branch-dp-prod-sa.iam_email]
|
||||||
|
"roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
|
||||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-prod-sa.iam_email]
|
"roles/resourcemanager.folderAdmin" = [module.branch-dp-prod-sa.iam_email]
|
||||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
|
"roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
|
||||||
"roles/compute.xpnAdmin" = [module.branch-dp-prod-sa.iam_email]
|
|
||||||
}
|
}
|
||||||
tag_bindings = {
|
tag_bindings = {
|
||||||
context = module.organization.tag_values["environment/production"].id
|
context = module.organization.tag_values["environment/production"].id
|
||||||
|
|
|
@ -82,7 +82,7 @@ module "branch-network-dev-folder" {
|
||||||
parent = module.branch-network-folder.id
|
parent = module.branch-network-folder.id
|
||||||
name = "Development"
|
name = "Development"
|
||||||
iam = {
|
iam = {
|
||||||
"roles/compute.xpnAdmin" = [
|
(local.custom_roles.service_project_network_admin) = [
|
||||||
module.branch-dp-dev-sa.iam_email,
|
module.branch-dp-dev-sa.iam_email,
|
||||||
module.branch-teams-dev-pf-sa.iam_email
|
module.branch-teams-dev-pf-sa.iam_email
|
||||||
]
|
]
|
||||||
|
|
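Review bot: The binding on the network development folder now hangs off a custom role id with no comment on why it replaces the predefined `roles/compute.xpnAdmin`; the only statement of intent is the PR title, so a reader of this file alone cannot tell that a bootstrap-defined, more narrowly scoped role is what is meant. A one-line comment above the key would cover it, e.g. `# custom role defined in 00-bootstrap, bound in place of roles/compute.xpnAdmin`. The module receives whatever string the variable carries, so the comment should point at where the role's permission set is defined rather than restate it. `module "branch-network-dev-folder"` starts and ends outside the hunk.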
|
@ -84,22 +84,12 @@ module "branch-teams-team-dev-folder" {
|
||||||
# environment-wide human permissions on the whole teams environment
|
# environment-wide human permissions on the whole teams environment
|
||||||
group_iam = {}
|
group_iam = {}
|
||||||
iam = {
|
iam = {
|
||||||
|
(local.custom_roles.service_project_network_admin) = [module.branch-teams-dev-pf-sa.iam_email]
|
||||||
# remove owner here and at project level if SA does not manage project resources
|
# remove owner here and at project level if SA does not manage project resources
|
||||||
"roles/owner" = [
|
"roles/owner" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||||
module.branch-teams-dev-pf-sa.iam_email
|
"roles/logging.admin" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||||
]
|
"roles/resourcemanager.folderAdmin" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||||
"roles/logging.admin" = [
|
"roles/resourcemanager.projectCreator" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||||
module.branch-teams-dev-pf-sa.iam_email
|
|
||||||
]
|
|
||||||
"roles/resourcemanager.folderAdmin" = [
|
|
||||||
module.branch-teams-dev-pf-sa.iam_email
|
|
||||||
]
|
|
||||||
"roles/resourcemanager.projectCreator" = [
|
|
||||||
module.branch-teams-dev-pf-sa.iam_email
|
|
||||||
]
|
|
||||||
"roles/compute.xpnAdmin" = [
|
|
||||||
module.branch-teams-dev-pf-sa.iam_email
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
tag_bindings = {
|
tag_bindings = {
|
||||||
environment = module.organization.tag_values["environment/development"].id
|
environment = module.organization.tag_values["environment/development"].id
|
||||||
|
@ -147,22 +137,12 @@ module "branch-teams-team-prod-folder" {
|
||||||
# environment-wide human permissions on the whole teams environment
|
# environment-wide human permissions on the whole teams environment
|
||||||
group_iam = {}
|
group_iam = {}
|
||||||
iam = {
|
iam = {
|
||||||
|
(local.custom_roles.service_project_network_admin) = [module.branch-teams-prod-pf-sa.iam_email]
|
||||||
# remove owner here and at project level if SA does not manage project resources
|
# remove owner here and at project level if SA does not manage project resources
|
||||||
"roles/owner" = [
|
"roles/owner" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||||
module.branch-teams-prod-pf-sa.iam_email
|
"roles/logging.admin" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||||
]
|
"roles/resourcemanager.folderAdmin" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||||
"roles/logging.admin" = [
|
"roles/resourcemanager.projectCreator" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||||
module.branch-teams-prod-pf-sa.iam_email
|
|
||||||
]
|
|
||||||
"roles/resourcemanager.folderAdmin" = [
|
|
||||||
module.branch-teams-prod-pf-sa.iam_email
|
|
||||||
]
|
|
||||||
"roles/resourcemanager.projectCreator" = [
|
|
||||||
module.branch-teams-prod-pf-sa.iam_email
|
|
||||||
]
|
|
||||||
"roles/compute.xpnAdmin" = [
|
|
||||||
module.branch-teams-prod-pf-sa.iam_email
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
tag_bindings = {
|
tag_bindings = {
|
||||||
environment = module.organization.tag_values["environment/production"].id
|
environment = module.organization.tag_values["environment/production"].id
|
||||||
|
|
|
@ -19,6 +19,7 @@ locals {
|
||||||
billing_ext = var.billing_account.organization_id == null
|
billing_ext = var.billing_account.organization_id == null
|
||||||
billing_org = var.billing_account.organization_id == var.organization.id
|
billing_org = var.billing_account.organization_id == var.organization.id
|
||||||
billing_org_ext = !local.billing_ext && !local.billing_org
|
billing_org_ext = !local.billing_ext && !local.billing_org
|
||||||
|
custom_roles = coalesce(var.custom_roles, {})
|
||||||
groups = {
|
groups = {
|
||||||
for k, v in var.groups :
|
for k, v in var.groups :
|
||||||
k => "${v}@${var.organization.domain}"
|
k => "${v}@${var.organization.domain}"
|
||||||
|
|
|
@ -35,8 +35,10 @@ variable "billing_account" {
|
||||||
variable "custom_roles" {
|
variable "custom_roles" {
|
||||||
# tfdoc:variable:source 00-bootstrap
|
# tfdoc:variable:source 00-bootstrap
|
||||||
description = "Custom roles defined at the org level, in key => id format."
|
description = "Custom roles defined at the org level, in key => id format."
|
||||||
type = map(string)
|
type = object({
|
||||||
default = {}
|
service_project_network_admin = string
|
||||||
|
})
|
||||||
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "groups" {
|
variable "groups" {
|
||||||
|
|
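Review bot: The `custom_roles` description still reads "in key => id format", which described the old `map(string)`; the new type is an object with one fixed attribute, so the text is now misleading, and the change is breaking for existing tfvars that used free-form keys such as the `xpnServiceAdmin` / `organizationIamAdmin` keys the test fixture hunk rewrites. Suggested wording: `description = "Custom roles defined at the org level by the bootstrap stage; service_project_network_admin is the role id bound in place of roles/compute.xpnAdmin."`. The README table in the first hunk presumably is regenerated from this string via tfdoc, so it would pick the new wording up.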
|
@ -40,9 +40,6 @@ module "dev-spoke-project" {
|
||||||
metric_scopes = [module.landing-project.project_id]
|
metric_scopes = [module.landing-project.project_id]
|
||||||
iam = {
|
iam = {
|
||||||
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
||||||
(local.custom_roles.service_project_network_admin) = values(
|
|
||||||
local.service_accounts
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -40,9 +40,6 @@ module "prod-spoke-project" {
|
||||||
metric_scopes = [module.landing-project.project_id]
|
metric_scopes = [module.landing-project.project_id]
|
||||||
iam = {
|
iam = {
|
||||||
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
||||||
(local.custom_roles.service_project_network_admin) = values(
|
|
||||||
local.service_accounts
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -41,9 +41,6 @@ module "dev-spoke-project" {
|
||||||
metric_scopes = [module.landing-project.project_id]
|
metric_scopes = [module.landing-project.project_id]
|
||||||
iam = {
|
iam = {
|
||||||
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
||||||
(local.custom_roles.service_project_network_admin) = values(
|
|
||||||
local.service_accounts
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -41,9 +41,6 @@ module "prod-spoke-project" {
|
||||||
metric_scopes = [module.landing-project.project_id]
|
metric_scopes = [module.landing-project.project_id]
|
||||||
iam = {
|
iam = {
|
||||||
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
||||||
(local.custom_roles.service_project_network_admin) = values(
|
|
||||||
local.service_accounts
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -22,8 +22,8 @@ module "stage" {
|
||||||
organization_id = 123456789012
|
organization_id = 123456789012
|
||||||
}
|
}
|
||||||
custom_roles = {
|
custom_roles = {
|
||||||
"organizationIamAdmin" : "organizations/123456789012/roles/organizationIamAdmin",
|
# organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
|
||||||
"xpnServiceAdmin" : "organizations/123456789012/roles/xpnServiceAdmin"
|
service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
|
||||||
}
|
}
|
||||||
groups = {
|
groups = {
|
||||||
gcp-billing-admins = "gcp-billing-admins",
|
gcp-billing-admins = "gcp-billing-admins",
|
||||||
|
|