Merge pull request #560 from GoogleCloudPlatform/jccb/fast-custom-xpn-role
Swap xpnAdmin with custom xpnServiceAdmin for service projects
commit
62b15aa51d
|
@ -168,13 +168,13 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [automation_project_id](variables.tf#L20) | Project id for the automation project created by the bootstrap stage. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [billing_account](variables.tf#L26) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [organization](variables.tf#L57) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L81) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | <code>map(string)</code> | | <code>{}</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L42) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L67) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L75) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [team_folders](variables.tf#L92) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
| [organization](variables.tf#L59) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [prefix](variables.tf#L83) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ | | <code>00-bootstrap</code> |
|
||||
| [custom_roles](variables.tf#L35) | Custom roles defined at the org level, in key => id format. | <code title="object({ service_project_network_admin = string })">object({…})</code> | | <code>null</code> | <code>00-bootstrap</code> |
|
||||
| [groups](variables.tf#L44) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | <code>00-bootstrap</code> |
|
||||
| [organization_policy_configs](variables.tf#L69) | Organization policies customization. | <code title="object({ allowed_policy_member_domains = list(string) })">object({…})</code> | | <code>null</code> | |
|
||||
| [outputs_location](variables.tf#L77) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||
| [team_folders](variables.tf#L94) | Team folders to be created. Format is described in a code comment. | <code title="map(object({ descriptive_name = string group_iam = map(list(string)) impersonation_groups = list(string) }))">map(object({…}))</code> | | <code>null</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -35,10 +35,10 @@ module "branch-dp-dev-folder" {
|
|||
name = "Development"
|
||||
group_iam = {}
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-dp-dev-sa.iam_email]
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/compute.xpnAdmin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/owner" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
|
||||
}
|
||||
|
@ -74,12 +74,12 @@ module "branch-dp-prod-folder" {
|
|||
name = "Production"
|
||||
group_iam = {}
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-dp-prod-sa.iam_email]
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/owner" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa.iam_email]
|
||||
"roles/compute.xpnAdmin" = [module.branch-dp-prod-sa.iam_email]
|
||||
}
|
||||
tag_bindings = {
|
||||
context = module.organization.tag_values["environment/production"].id
|
||||
|
|
|
@ -82,7 +82,7 @@ module "branch-network-dev-folder" {
|
|||
parent = module.branch-network-folder.id
|
||||
name = "Development"
|
||||
iam = {
|
||||
"roles/compute.xpnAdmin" = [
|
||||
(local.custom_roles.service_project_network_admin) = [
|
||||
module.branch-dp-dev-sa.iam_email,
|
||||
module.branch-teams-dev-pf-sa.iam_email
|
||||
]
|
||||
|
|
|
@ -84,22 +84,12 @@ module "branch-teams-team-dev-folder" {
|
|||
# environment-wide human permissions on the whole teams environment
|
||||
group_iam = {}
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/owner" = [
|
||||
module.branch-teams-dev-pf-sa.iam_email
|
||||
]
|
||||
"roles/logging.admin" = [
|
||||
module.branch-teams-dev-pf-sa.iam_email
|
||||
]
|
||||
"roles/resourcemanager.folderAdmin" = [
|
||||
module.branch-teams-dev-pf-sa.iam_email
|
||||
]
|
||||
"roles/resourcemanager.projectCreator" = [
|
||||
module.branch-teams-dev-pf-sa.iam_email
|
||||
]
|
||||
"roles/compute.xpnAdmin" = [
|
||||
module.branch-teams-dev-pf-sa.iam_email
|
||||
]
|
||||
"roles/owner" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-teams-dev-pf-sa.iam_email]
|
||||
}
|
||||
tag_bindings = {
|
||||
environment = module.organization.tag_values["environment/development"].id
|
||||
|
@ -147,22 +137,12 @@ module "branch-teams-team-prod-folder" {
|
|||
# environment-wide human permissions on the whole teams environment
|
||||
group_iam = {}
|
||||
iam = {
|
||||
(local.custom_roles.service_project_network_admin) = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
# remove owner here and at project level if SA does not manage project resources
|
||||
"roles/owner" = [
|
||||
module.branch-teams-prod-pf-sa.iam_email
|
||||
]
|
||||
"roles/logging.admin" = [
|
||||
module.branch-teams-prod-pf-sa.iam_email
|
||||
]
|
||||
"roles/resourcemanager.folderAdmin" = [
|
||||
module.branch-teams-prod-pf-sa.iam_email
|
||||
]
|
||||
"roles/resourcemanager.projectCreator" = [
|
||||
module.branch-teams-prod-pf-sa.iam_email
|
||||
]
|
||||
"roles/compute.xpnAdmin" = [
|
||||
module.branch-teams-prod-pf-sa.iam_email
|
||||
]
|
||||
"roles/owner" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
"roles/logging.admin" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
"roles/resourcemanager.folderAdmin" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-teams-prod-pf-sa.iam_email]
|
||||
}
|
||||
tag_bindings = {
|
||||
environment = module.organization.tag_values["environment/production"].id
|
||||
|
|
|
@ -19,6 +19,7 @@ locals {
|
|||
billing_ext = var.billing_account.organization_id == null
|
||||
billing_org = var.billing_account.organization_id == var.organization.id
|
||||
billing_org_ext = !local.billing_ext && !local.billing_org
|
||||
custom_roles = coalesce(var.custom_roles, {})
|
||||
groups = {
|
||||
for k, v in var.groups :
|
||||
k => "${v}@${var.organization.domain}"
|
||||
|
|
|
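Review bot: `custom_roles = coalesce(var.custom_roles, {})` does not give the consumers of this local a usable fallback: with the variable's new `default = null` (see the `variable "custom_roles"` hunk below), the local evaluates to an object that has no `service_project_network_admin` attribute, so every `(local.custom_roles.service_project_network_admin)` key in the folder `iam` maps of this stage fails with an attribute-lookup error instead of a message saying which input is missing. Either remove the default so Terraform reports the unset input directly, or keep the coalesce and add a `validation` block on the variable (or a `precondition` on the folder modules) with an explicit error message naming the role id that must be supplied from 00-bootstrap. If the intent is to make the binding optional, the `iam` maps would also need a conditional entry, which this commit does not add. The `locals` block continues outside the hunk.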
@ -35,8 +35,10 @@ variable "billing_account" {
|
|||
variable "custom_roles" {
|
||||
# tfdoc:variable:source 00-bootstrap
|
||||
description = "Custom roles defined at the org level, in key => id format."
|
||||
type = map(string)
|
||||
default = {}
|
||||
type = object({
|
||||
service_project_network_admin = string
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "groups" {
|
||||
|
|
|
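Review bot: The `description` of `variable "custom_roles"` is now stale: it still says "in key => id format", but the type changed from `map(string)` to an object with a single fixed attribute, and tfdoc propagates that wording into the README table. Suggested replacement: `description = "Custom roles defined at the org level; service_project_network_admin is the id of the role granted to service project SAs."`. Consider also marking the attribute as required in the description, since the rest of the stage dereferences it unconditionally.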
@ -40,9 +40,6 @@ module "dev-spoke-project" {
|
|||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
||||
(local.custom_roles.service_project_network_admin) = values(
|
||||
local.service_accounts
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
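Review bot: The binding removed from `module "dev-spoke-project"` (`(local.custom_roles.service_project_network_admin) = values(local.service_accounts)`) covered every service account in `local.service_accounts`, whereas the folder-level replacement visible in the `branch-network-dev-folder` hunk lists only `branch-dp-dev-sa` and `branch-teams-dev-pf-sa` explicitly. If `local.service_accounts` contains any other principal, it silently loses the service-project attach permission after this change; worth confirming against the definition of that local, which is outside the hunk, and against the corresponding prod folder, which is not in this view. The same removal appears in the three sibling hunks for `prod-spoke-project` and the second networking stage, so one check covers all four.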
@ -40,9 +40,6 @@ module "prod-spoke-project" {
|
|||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
||||
(local.custom_roles.service_project_network_admin) = values(
|
||||
local.service_accounts
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -41,9 +41,6 @@ module "dev-spoke-project" {
|
|||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-dev]
|
||||
(local.custom_roles.service_project_network_admin) = values(
|
||||
local.service_accounts
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -41,9 +41,6 @@ module "prod-spoke-project" {
|
|||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [local.service_accounts.project-factory-prod]
|
||||
(local.custom_roles.service_project_network_admin) = values(
|
||||
local.service_accounts
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -22,8 +22,8 @@ module "stage" {
|
|||
organization_id = 123456789012
|
||||
}
|
||||
custom_roles = {
|
||||
"organizationIamAdmin" : "organizations/123456789012/roles/organizationIamAdmin",
|
||||
"xpnServiceAdmin" : "organizations/123456789012/roles/xpnServiceAdmin"
|
||||
# organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
|
||||
service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
|
||||
}
|
||||
groups = {
|
||||
gcp-billing-admins = "gcp-billing-admins",
|
||||
|
|
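Review bot: The commented-out `# organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",` entry in the fixture is dead text: the new `custom_roles` object type declares only `service_project_network_admin`, so uncommenting it would produce a type error rather than restore anything. Remove the line, or if that attribute is meant to return, declare it on the variable's object type so the fixture documents a valid input rather than a stale one.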