Merge pull request #181 from drebes/org-iam-authoritative
Authoritative IAM for organization
commit
86a37616b2
|
@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
|
||||||
- **incompatible change** removed the `logging-sinks` module. Logging sinks can now be created the `logging_sinks` variable in the in the `project`, `folder` and `organization` modules
|
- **incompatible change** removed the `logging-sinks` module. Logging sinks can now be created the `logging_sinks` variable in the in the `project`, `folder` and `organization` modules
|
||||||
- add support for creating logging exclusions in the `project`, `folder` and `organization` modules
|
- add support for creating logging exclusions in the `project`, `folder` and `organization` modules
|
||||||
- add support for Confidential Compute to `compute-vm` module
|
- add support for Confidential Compute to `compute-vm` module
|
||||||
|
- add support for handling IAM policy (bindings, audit config) as fully authoritative in the `organization` module
|
||||||
|
|
||||||
## [4.2.0] - 2020-11-25
|
## [4.2.0] - 2020-11-25
|
||||||
|
|
||||||
|
|
|
@ -128,6 +128,8 @@ module "org" {
|
||||||
| *iam_additive* | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *iam_additive* | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||||
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||||
|
| *iam_audit_config_authoritative* | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">null</code> |
|
||||||
|
| *iam_bindings_authoritative* | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code title="map(list(string))">map(list(string))</code> | | <code title="">null</code> |
|
||||||
| *logging_exclusions* | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
| *logging_exclusions* | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||||
| *logging_sinks* | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string iam = bool include_children = bool }))">map(object({...}))</code> | | <code title="">{}</code> |
|
| *logging_sinks* | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string iam = bool include_children = bool }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||||
|
|
|
@ -85,6 +85,37 @@ resource "google_organization_iam_member" "additive" {
|
||||||
member = each.value.member
|
member = each.value.member
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_organization_iam_policy" "authoritative" {
|
||||||
|
count = var.iam_bindings_authoritative != null || var.iam_audit_config_authoritative != null ? 1 : 0
|
||||||
|
org_id = local.organization_id_numeric
|
||||||
|
policy_data = data.google_iam_policy.authoritative.policy_data
|
||||||
|
}
|
||||||
|
|
||||||
|
data "google_iam_policy" "authoritative" {
|
||||||
|
dynamic "binding" {
|
||||||
|
for_each = var.iam_bindings_authoritative != null ? var.iam_bindings_authoritative : {}
|
||||||
|
content {
|
||||||
|
role = binding.key
|
||||||
|
members = binding.value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic "audit_config" {
|
||||||
|
for_each = var.iam_audit_config_authoritative != null ? var.iam_audit_config_authoritative : {}
|
||||||
|
content {
|
||||||
|
service = audit_config.key
|
||||||
|
dynamic "audit_log_configs" {
|
||||||
|
for_each = audit_config.value
|
||||||
|
iterator = config
|
||||||
|
content {
|
||||||
|
log_type = config.key
|
||||||
|
exempted_members = config.value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_organization_iam_audit_config" "config" {
|
resource "google_organization_iam_audit_config" "config" {
|
||||||
for_each = var.iam_audit_config
|
for_each = var.iam_audit_config
|
||||||
org_id = local.organization_id_numeric
|
org_id = local.organization_id_numeric
|
||||||
|
|
|
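Review bot: The `||` in the `count` of the new `google_organization_iam_policy.authoritative` resource lets a caller set only one of the two authoritative variables, and the `for_each ... : {}` fallbacks in `data.google_iam_policy.authoritative` then render an empty binding or audit_config section, so the whole-policy write silently strips the organization's existing audit configs (or all of its bindings) instead of leaving that side untouched as the "should also be authoritative" wording implies. Either require both, `count = var.iam_bindings_authoritative != null && var.iam_audit_config_authoritative != null ? 1 : 0`, or say so in a comment above the resource: `# Replaces the full org IAM policy: bindings and audit configs not listed here, including those from iam_additive/iam_audit_config and the role used by the Terraform identity, are removed.` The resource also overlaps with `google_organization_iam_binding.authoritative`, `google_organization_iam_member.additive` and `google_organization_iam_audit_config.config`, which the hunk leaves in place; if both paths are populated the two sides will undo each other on every apply, so a guard or at least a README caveat is needed. A policy that omits the role the applying principal itself holds will lock that principal out at apply time, which is worth stating next to "Use with caution".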
@ -22,6 +22,7 @@ output "organization_id" {
|
||||||
google_organization_iam_binding.authoritative,
|
google_organization_iam_binding.authoritative,
|
||||||
google_organization_iam_custom_role.roles,
|
google_organization_iam_custom_role.roles,
|
||||||
google_organization_iam_member.additive,
|
google_organization_iam_member.additive,
|
||||||
|
google_organization_iam_policy.authoritative,
|
||||||
google_organization_policy.boolean,
|
google_organization_policy.boolean,
|
||||||
google_organization_policy.list
|
google_organization_policy.list
|
||||||
]
|
]
|
||||||
|
|
|
@ -49,6 +49,23 @@ variable "iam_audit_config" {
|
||||||
# }
|
# }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "iam_bindings_authoritative" {
|
||||||
|
description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution."
|
||||||
|
type = map(list(string))
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "iam_audit_config_authoritative" {
|
||||||
|
description = "IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution."
|
||||||
|
type = map(map(list(string)))
|
||||||
|
default = null
|
||||||
|
# default = {
|
||||||
|
# allServices = {
|
||||||
|
# DATA_READ = ["user:me@example.org"]
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
variable "organization_id" {
|
variable "organization_id" {
|
||||||
description = "Organization id in organizations/nnnnnn format."
|
description = "Organization id in organizations/nnnnnn format."
|
||||||
type = string
|
type = string
|
||||||
|
|
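Review bot: The descriptions of `iam_bindings_authoritative` and `iam_audit_config_authoritative` warn that the other should also be authoritative but do not say what happens to the module's existing non-authoritative inputs (`iam_additive`, `iam_additive_members`, `iam_audit_config`) when these are set; since an authoritative policy write drops everything it does not list, combining them gives perpetual drift or lost access. I would extend both descriptions with: `Do not combine with the non-authoritative IAM variables; any binding or audit config not listed here, including the role used by the Terraform identity, is removed.` A `validation` block cannot reference another variable, so this constraint has to live in the documentation (or a check in main.tf) rather than in the variable type.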