Merge pull request #181 from drebes/org-iam-authoritative

Authoritative IAM for organization

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 - **incompatible change** removed the `logging-sinks` module. Logging sinks can now be created the `logging_sinks` variable in the in the `project`, `folder` and `organization` modules
 - add support for creating logging exclusions in the `project`, `folder` and `organization` modules
 - add support for Confidential Compute to `compute-vm` module
+- add support for handling IAM policy (bindings, audit config) as fully authoritative in the `organization` module
 
 ## [4.2.0] - 2020-11-25
 

modules/organization/README.md

@@ -128,6 +128,8 @@ module "org" {
 | *iam_additive* | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
+| *iam_audit_config_authoritative* | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">null</code> |
+| *iam_bindings_authoritative* | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">null</code> |
 | *logging_exclusions* | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *logging_sinks* | Logging sinks to create for this organization. | <code title="map&#40;object&#40;&#123;&#10;destination      &#61; string&#10;type &#61; string&#10;filter           &#61; string&#10;iam              &#61; bool&#10;include_children &#61; bool&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |

modules/organization/main.tf

@@ -85,6 +85,37 @@ resource "google_organization_iam_member" "additive" {
   member = each.value.member
 }
 
+resource "google_organization_iam_policy" "authoritative" {
+  count       = var.iam_bindings_authoritative != null || var.iam_audit_config_authoritative != null ? 1 : 0
+  org_id      = local.organization_id_numeric
+  policy_data = data.google_iam_policy.authoritative.policy_data
+}
+
+data "google_iam_policy" "authoritative" {
+  dynamic "binding" {
+    for_each = var.iam_bindings_authoritative != null ? var.iam_bindings_authoritative : {}
+    content {
+      role    = binding.key
+      members = binding.value
+    }
+  }
+
+  dynamic "audit_config" {
+    for_each = var.iam_audit_config_authoritative != null ? var.iam_audit_config_authoritative : {}
+    content {
+      service = audit_config.key
+      dynamic "audit_log_configs" {
+        for_each = audit_config.value
+        iterator = config
+        content {
+          log_type         = config.key
+          exempted_members = config.value
+        }
+      }
+    }
+  }
+}
+
 resource "google_organization_iam_audit_config" "config" {
   for_each = var.iam_audit_config
   org_id   = local.organization_id_numeric

modules/organization/outputs.tf

@@ -22,6 +22,7 @@ output "organization_id" {
     google_organization_iam_binding.authoritative,
     google_organization_iam_custom_role.roles,
     google_organization_iam_member.additive,
+    google_organization_iam_policy.authoritative,
     google_organization_policy.boolean,
     google_organization_policy.list
   ]

modules/organization/variables.tf

@@ -49,6 +49,23 @@ variable "iam_audit_config" {
   # }
 }
 
+variable "iam_bindings_authoritative" {
+  description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution."
+  type        = map(list(string))
+  default     = null
+}
+
+variable "iam_audit_config_authoritative" {
+  description = "IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution."
+  type        = map(map(list(string)))
+  default     = null
+  # default = {
+  #   allServices = {
+  #     DATA_READ = ["user:me@example.org"]
+  #   }
+  # }
+}
+
 variable "organization_id" {
   description = "Organization id in organizations/nnnnnn format."
   type        = string