From 91febe4cd131f5d919f77bd7a3ec4add9fb29a6a Mon Sep 17 00:00:00 2001
From: Roberto Jung Drebes
Date: Wed, 9 Dec 2020 22:58:17 +0000
Subject: [PATCH 1/3] Authoritative IAM for organization
---
 modules/organization/main.tf | 31 +++++++++++++++++++++++++++++++
 modules/organization/outputs.tf | 1 +
 modules/organization/variables.tf | 17 +++++++++++++++++
 3 files changed, 49 insertions(+)
diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index 1c115f24..c1d28b9a 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -85,6 +85,37 @@ resource "google_organization_iam_member" "additive" {
 member = each.value.member
 }
 
+resource "google_organization_iam_policy" "authoritative" {
+ count = var.iam_bindings_authoritative != null || var.iam_audit_config_authoritative != null ? 1 : 0
+ org_id = local.organization_id_numeric
+ policy_data = data.google_iam_policy.authoritative.policy_data
+}
+
+data "google_iam_policy" "authoritative" {
+ dynamic "binding" {
+ for_each = var.iam_bindings_authoritative != null ? var.iam_bindings_authoritative : {}
+ content {
+ role = binding.key
+ members = binding.value
+ }
+ }
+
+ dynamic "audit_config" {
+ for_each = var.iam_audit_config_authoritative != null ? var.iam_audit_config_authoritative : {}
+ content {
+ service = audit_config.key
+ dynamic "audit_log_configs" {
+ for_each = audit_config.value
+ iterator = config
+ content {
+ log_type = config.key
+ exempted_members = config.value
+ }
+ }
+ }
+ }
+}
+
 resource "google_organization_iam_audit_config" "config" {
 for_each = var.iam_audit_config
 org_id = local.organization_id_numeric
diff --git a/modules/organization/outputs.tf b/modules/organization/outputs.tf
index 869f8185..6f2a1e5e 100644
--- a/modules/organization/outputs.tf
+++ b/modules/organization/outputs.tf
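Review bot: The `count` guard on `google_organization_iam_policy.authoritative` uses `||`, so a caller who sets only `iam_audit_config_authoritative` still creates the resource while the `binding` dynamic block iterates over `{}`, and the organization policy is written with no role bindings at all. Since this resource is authoritative for the whole policy, that would (as far as I can tell from the hunk) strip every existing binding on the organization, including the one the identity running the apply depends on. The variable description already says bindings must be authoritative whenever audit config is, so enforce it in the resource: `count = var.iam_bindings_authoritative != null ? 1 : 0` with the comment `# an audit-only authoritative policy would clear every role binding on the org` above it; an audit-only input is then ignored instead of locking the organization. Separately, this resource manages the same policy as the sibling `google_organization_iam_binding.authoritative`, `google_organization_iam_member.additive` and `google_organization_iam_audit_config.config` resources visible in the context, and nothing in the module stops a caller from using both sets of variables, which would make successive applies overwrite each other. A variable `validation` block cannot reference another variable, so at minimum a comment on the resource and a README warning should state that the `*_authoritative` inputs are mutually exclusive with the other IAM inputs for the same organization.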
@@ -22,6 +22,7 @@ output "organization_id" {
 google_organization_iam_binding.authoritative,
 google_organization_iam_custom_role.roles,
 google_organization_iam_member.additive,
+ google_organization_iam_policy.authoritative,
 google_organization_policy.boolean,
 google_organization_policy.list
 ]
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 976bfeb7..4e168aeb 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -49,6 +49,23 @@ variable "iam_audit_config" {
 # }
 }
 
+variable "iam_bindings_authoritative" {
+ description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution."
+ type = map(list(string))
+ default = null
+}
+
+variable "iam_audit_config_authoritative" {
+ description = "IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution."
+ type = map(map(list(string)))
+ default = null
+ # default = {
+ # allServices = {
+ # DATA_READ = ["user:me@example.org"]
+ # }
+ # }
+}
+
 variable "organization_id" {
 description = "Organization id in organizations/nnnnnn format."
 type = string
From 177a4d7f2cf38e3660c2f0622076ad9ae37af8df Mon Sep 17 00:00:00 2001
From: Roberto Jung Drebes
Date: Thu, 10 Dec 2020 09:36:32 +0000
Subject: [PATCH 2/3] update README.md for org module with new parameters
---
 modules/organization/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/organization/README.md b/modules/organization/README.md
index f51d4365..9b775673 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
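Review bot: The description of `iam_bindings_authoritative` says unlisted roles and members are cleared, but not that the entire organization IAM policy is replaced, so a reader will not realise that the identity running Terraform must itself be listed or the apply removes its own access, and that bindings managed through `iam_additive`, `iam_additive_members` and `iam_audit_config` (or set outside Terraform) go too. I would extend it to `description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Replaces the whole organization IAM policy: roles and members not listed here (including those set via the other iam_* variables or outside Terraform, and the identity running Terraform) are removed. Required whenever iam_audit_config_authoritative is set."` and add the corresponding sentence to `iam_audit_config_authoritative`. A short comment next to `default = null` explaining that `null` rather than `{}` is what lets main.tf gate the authoritative resource on `!= null` would also save the next maintainer from "fixing" the default to an empty map.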
@@ -128,6 +128,8 @@ module "org" { | *iam_additive* | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} | | *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string))) | | {} | +| *iam_audit_config_authoritative* | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | map(map(list(string))) | | null | +| *iam_bindings_authoritative* | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | map(list(string)) | | null | | *logging_exclusions* | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) | | {} | | *logging_sinks* | Logging sinks to create for this organization. | map(object({...})) | | {} | | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) | | {} | From 8a4c8c4d50b3ab472ff4f0b9828ffecd1efd9354 Mon Sep 17 00:00:00 2001 From: Roberto Jung Drebes Date: Thu, 10 Dec 2020 09:45:23 +0000 Subject: [PATCH 3/3] update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fdd77ced..761ca8be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file. - **incompatible change** removed the `logging-sinks` module. Logging sinks can now be created the `logging_sinks` variable in the in the `project`, `folder` and `organization` modules - add support for creating logging exclusions in the `project`, `folder` and `organization` modules - add support for Confidential Compute to `compute-vm` module +- add support for handling IAM policy (bindings, audit config) as fully authoritative in the `organization` module ## [4.2.0] - 2020-11-25