Remove iam_roles from service accounts, folder and organization modules
parent
66942cc5c6
commit
85fda5b1fe
@ -86,11 +86,10 @@ module "tf-gcs-environments" {
|
|||
###############################################################################
|
||||
|
||||
module "environment-folders" {
|
||||
source = "../../modules/folder"
|
||||
for_each = var.environments
|
||||
parent = var.root_node
|
||||
name = each.value
|
||||
iam_roles = local.folder_roles
|
||||
source = "../../modules/folder"
|
||||
for_each = var.environments
|
||||
parent = var.root_node
|
||||
name = each.value
|
||||
iam_members = {
|
||||
for role in local.folder_roles :
|
||||
(role) => [module.tf-service-accounts[each.value].iam_email]
|
||||
|
|
|
@ -48,7 +48,6 @@ module "folder" {
|
|||
| name | Folder name. | <code title="">string</code> | ✓ | |
|
||||
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string validation { condition = can(regex("(organizations|folders)/[0-9]+", var.parent)) error_message = "Parent must be of the form folders/folder_id or organizations/organization_id." }">string</code> | ✓ | |
|
||||
| *iam_members* | List of IAM members keyed by role. | <code title="map(set(string))">map(set(string))</code> | | <code title="">null</code> |
|
||||
| *iam_roles* | List of IAM roles. | <code title="set(string)">set(string)</code> | | <code title="">null</code> |
|
||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ resource "google_folder" "folder" {
|
|||
}
|
||||
|
||||
resource "google_folder_iam_binding" "authoritative" {
|
||||
for_each = var.iam_roles
|
||||
for_each = toset(keys(var.iam_members))
|
||||
folder = google_folder.folder.name
|
||||
role = each.key
|
||||
members = lookup(var.iam_members, each.key, [])
|
||||
|
|
|
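Review bot: `for_each = toset(keys(var.iam_members))` in `google_folder_iam_binding.authoritative` will not plan with the folder module's defaults, because this module's variables hunk still shows `default = null` under `variable "iam_members"` and `keys(null)` is expected to fail as a null function argument; the service-accounts and organization modules default the same variable to `{}`. Change the folder default to `default = {}` (and the README row that still documents `null`), or make the variable required, so the three modules behave the same way. With the keys of the same map now driving `for_each`, the `[]` fallback in `members = lookup(var.iam_members, each.key, [])` is unreachable; `members = var.iam_members[each.key]` states the intent directly and does not suggest that an empty authoritative binding, which would remove every existing member of that role, is an acceptable outcome. The same unreachable fallback appears in the service-account `roles` binding and the organization `authoritative` binding later in this commit. The resource block's closing brace is outside the hunk.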
@ -20,12 +20,6 @@ variable "iam_members" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "List of IAM roles."
|
||||
type = set(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Folder name."
|
||||
type = string
|
||||
|
|
|
@ -39,7 +39,6 @@ module "myproject-default-service-accounts" {
|
|||
| *iam_members* | Map of members which are granted authoritative roles on the service account, keyed by role. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_organization_roles* | Project roles granted to the service account, by organization id. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_project_roles* | Project roles granted to the service account, by project id. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | Authoritative roles granted on the service account. | <code title="set(string)">set(string)</code> | | <code title="">[]</code> |
|
||||
| *iam_storage_roles* | Storage roles granted to the service account, by bucket name. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *prefix* | Prefix applied to service account names. | <code title="">string</code> | | <code title="">null</code> |
|
||||
|
||||
|
|
|
@ -67,8 +67,7 @@ resource "google_service_account_key" "key" {
|
|||
}
|
||||
|
||||
resource "google_service_account_iam_binding" "roles" {
|
||||
for_each = var.iam_roles
|
||||
#for_each = toset(keys(var.iam_members))
|
||||
for_each = toset(keys(var.iam_members))
|
||||
service_account_id = google_service_account.service_account.name
|
||||
role = each.key
|
||||
members = lookup(var.iam_members, each.key, [])
|
||||
|
|
|
@ -26,12 +26,6 @@ variable "iam_members" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "Authoritative roles granted on the service account."
|
||||
type = set(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "iam_billing_roles" {
|
||||
description = "Project roles granted to the service account, by billing account id."
|
||||
type = map(set(string))
|
||||
|
|
|
@ -13,7 +13,6 @@ This module allows managing several organization properties:
|
|||
module "org" {
|
||||
source = "./modules/organization"
|
||||
org_id = 1234567890
|
||||
iam_roles = ["roles/projectCreator"]
|
||||
iam_members = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
|
||||
policy_boolean = {
|
||||
"constraints/compute.disableGuestAttributesAccess" = true
|
||||
|
@ -40,7 +39,6 @@ module "org" {
|
|||
| *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
|
||||
|
|
|
@ -37,7 +37,7 @@ resource "google_organization_iam_custom_role" "roles" {
|
|||
}
|
||||
|
||||
resource "google_organization_iam_binding" "authoritative" {
|
||||
for_each = toset(var.iam_roles)
|
||||
for_each = toset(keys(var.iam_members))
|
||||
org_id = var.org_id
|
||||
role = each.value
|
||||
members = lookup(var.iam_members, each.value, [])
|
||||
|
|
|
@ -26,12 +26,6 @@ variable "iam_members" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "List of roles used to set authoritative bindings."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "iam_additive_bindings" {
|
||||
description = "Map of roles lists used to set non authoritative bindings, keyed by members."
|
||||
type = map(list(string))
|
||||
|
|
|
@ -19,7 +19,6 @@ module "test" {
|
|||
parent = "organizations/12345678"
|
||||
name = "folder-a"
|
||||
iam_members = var.iam_members
|
||||
iam_roles = var.iam_roles
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
}
|
||||
|
|
|
@ -19,11 +19,6 @@ variable "iam_members" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
type = map(bool)
|
||||
default = {}
|
||||
|
|
|
@ -30,34 +30,22 @@ def test_folder(plan_runner):
|
|||
assert resource['values']['parent'] == 'organizations/12345678'
|
||||
|
||||
|
||||
def test_iam_roles_only(plan_runner):
|
||||
"Test folder resources with only iam roles passed."
|
||||
_, resources = plan_runner(FIXTURES_DIR,
|
||||
iam_roles='["roles/owner"]')
|
||||
assert len(resources) == 2
|
||||
|
||||
|
||||
def test_iam(plan_runner):
|
||||
"Test folder resources with iam roles and members."
|
||||
iam_roles = '["roles/owner"]'
|
||||
iam_members = '{"roles/owner" = ["user:a@b.com"] }'
|
||||
_, resources = plan_runner(FIXTURES_DIR,
|
||||
iam_roles=iam_roles,
|
||||
iam_members=iam_members)
|
||||
assert len(resources) == 2
|
||||
|
||||
def test_iam_multiple_members(plan_runner):
|
||||
"Test folder resources with multiple iam members."
|
||||
iam_roles = '["roles/owner"]'
|
||||
iam_members = '{"roles/owner" = ["user:a@b.com", "user:c@d.com"] }'
|
||||
_, resources = plan_runner(FIXTURES_DIR,
|
||||
iam_roles=iam_roles,
|
||||
iam_members=iam_members)
|
||||
assert len(resources) == 2
|
||||
|
||||
def test_iam_multiple_roles(plan_runner):
|
||||
"Test folder resources with multiple iam roles."
|
||||
iam_roles = '["roles/owner", "roles/viewer"]'
|
||||
iam_members = (
|
||||
'{ '
|
||||
'"roles/owner" = ["user:a@b.com"], '
|
||||
|
@ -65,6 +53,5 @@ def test_iam_multiple_roles(plan_runner):
|
|||
'} '
|
||||
)
|
||||
_, resources = plan_runner(FIXTURES_DIR,
|
||||
iam_roles=iam_roles,
|
||||
iam_members=iam_members)
|
||||
assert len(resources) == 3
|
||||
|
|
|
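Review bot: Dropping `test_iam_roles_only` leaves no test for the member-less path that the new `for_each = toset(keys(var.iam_members))` must handle: an explicitly empty `iam_members` map producing only the folder resource. Unless `test_folder` already runs the fixture with its defaults and asserts the resource count, add a case such as `_, resources = plan_runner(FIXTURES_DIR, iam_members='{}')` followed by `assert len(resources) == 1`. The remaining tests only assert resource counts; checking `resource['values']['members']` on the binding, the way `test_folder` checks `parent`, would also catch a regression to an empty authoritative binding. `test_iam_multiple_roles` is split across the two hunks of this section.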
@ -21,7 +21,6 @@ module "test" {
|
|||
prefix = var.prefix
|
||||
generate_key = var.generate_key
|
||||
iam_members = var.iam_members
|
||||
iam_roles = var.iam_roles
|
||||
iam_billing_roles = var.iam_billing_roles
|
||||
iam_folder_roles = var.iam_folder_roles
|
||||
iam_organization_roles = var.iam_organization_roles
|
||||
|
|
|
@ -24,11 +24,6 @@ variable "iam_members" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "iam_billing_roles" {
|
||||
type = map(list(string))
|
||||
default = {}
|
||||
|
|
|
@ -37,7 +37,6 @@ def test_resources(plan_runner):
|
|||
def test_iam_roles(plan_runner):
|
||||
"Test iam roles with one member."
|
||||
variables = dict(
|
||||
iam_roles='["roles/iam.serviceAccountUser"]',
|
||||
iam_members=(
|
||||
'{'
|
||||
'"roles/iam.serviceAccountUser" = ["user:a@b.com"] '
|
||||
|
|
|
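Review bot: The docstring `"Test iam roles with one member."` and the name `test_iam_roles` no longer describe the test once the `iam_roles=` argument is removed; only `iam_members` drives the binding now. Rename it to `test_iam_members` and change the docstring to `"Test iam members with one role."`, or at minimum update the docstring. The function body continues past the end of the hunk.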
@ -15,13 +15,12 @@
|
|||
*/
|
||||
|
||||
module "test" {
|
||||
source = "../../../../modules/organization"
|
||||
org_id = 1234567890
|
||||
custom_roles = var.custom_roles
|
||||
iam_members = var.iam_members
|
||||
iam_roles = var.iam_roles
|
||||
iam_additive_bindings= var.iam_additive_bindings
|
||||
iam_audit_config = var.iam_audit_config
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
source = "../../../../modules/organization"
|
||||
org_id = 1234567890
|
||||
custom_roles = var.custom_roles
|
||||
iam_members = var.iam_members
|
||||
iam_additive_bindings = var.iam_additive_bindings
|
||||
iam_audit_config = var.iam_audit_config
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
}
|
||||
|
|
|
@ -24,17 +24,11 @@ variable "iam_members" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "iam_additive_bindings" {
|
||||
type = map(list(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
|
||||
variable "iam_audit_config" {
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
|
|