Authoritative IAM for organization

Roberto Jung Drebes 2020-12-09 22:58:17 +00:00
parent b41e2b4b63
commit 91febe4cd1
3 changed files with 49 additions and 0 deletions


@ -85,6 +85,37 @@ resource "google_organization_iam_member" "additive" {
member = each.value.member member = each.value.member
} }
resource "google_organization_iam_policy" "authoritative" {
count = var.iam_bindings_authoritative != null || var.iam_audit_config_authoritative != null ? 1 : 0
org_id = local.organization_id_numeric
policy_data = data.google_iam_policy.authoritative.policy_data
}
data "google_iam_policy" "authoritative" {
dynamic "binding" {
for_each = var.iam_bindings_authoritative != null ? var.iam_bindings_authoritative : {}
content {
role = binding.key
members = binding.value
}
}
dynamic "audit_config" {
for_each = var.iam_audit_config_authoritative != null ? var.iam_audit_config_authoritative : {}
content {
service = audit_config.key
dynamic "audit_log_configs" {
for_each = audit_config.value
iterator = config
content {
log_type = config.key
exempted_members = config.value
}
}
}
}
}
resource "google_organization_iam_audit_config" "config" { resource "google_organization_iam_audit_config" "config" {
for_each = var.iam_audit_config for_each = var.iam_audit_config
org_id = local.organization_id_numeric org_id = local.organization_id_numeric
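Review bot: When only `iam_audit_config_authoritative` is set, `count` on the `authoritative` resource is still 1 while the `binding` block's `for_each` falls back to `{}`, so `google_organization_iam_policy` is applied with an empty binding list and every role binding on the organization, including the one held by the identity running the apply, is removed. The variable description only says bindings "should also be authoritative"; if the intent is to require both, the gate should be `count = var.iam_bindings_authoritative != null && var.iam_audit_config_authoritative != null ? 1 : 0`, otherwise the empty-binding case needs an explicit warning in the module docs. The new resource is also authoritative for the whole policy, so it appears to overlap with `google_organization_iam_member.additive` and `google_organization_iam_audit_config.config` in this same file; when both are configured in one module instance each apply will presumably undo the other, which is worth stating above the resource, e.g. `# Authoritative for the entire org IAM policy: bindings, members and audit configs managed by the other resources in this file are overwritten.`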


@ -22,6 +22,7 @@ output "organization_id" {
google_organization_iam_binding.authoritative, google_organization_iam_binding.authoritative,
google_organization_iam_custom_role.roles, google_organization_iam_custom_role.roles,
google_organization_iam_member.additive, google_organization_iam_member.additive,
google_organization_iam_policy.authoritative,
google_organization_policy.boolean, google_organization_policy.boolean,
google_organization_policy.list google_organization_policy.list
] ]


@ -49,6 +49,23 @@ variable "iam_audit_config" {
# } # }
} }
variable "iam_bindings_authoritative" {
description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution."
type = map(list(string))
default = null
}
variable "iam_audit_config_authoritative" {
description = "IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution."
type = map(map(list(string)))
default = null
# default = {
# allServices = {
# DATA_READ = ["user:me@example.org"]
# }
# }
}
variable "organization_id" { variable "organization_id" {
description = "Organization id in organizations/nnnnnn format." description = "Organization id in organizations/nnnnnn format."
type = string type = string
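Review bot: The `iam_audit_config_authoritative` description calls the inner map key a "log permission", but the new data source assigns it to `log_type` (DATA_READ, DATA_WRITE, ADMIN_READ), so "map of log type (eg DATA_READ) and exempted members" would match the code and the existing `iam_audit_config` wording. Both new descriptions say "Use with caution" without naming the failure mode: because the policy resource replaces the whole organization policy, any role or audit config not listed, and anything set through `iam_audit_config` or the other IAM inputs of this module, is removed on apply. Appending `Setting only one of the two authoritative variables clears the other half of the policy.` to each description would make the constraint the text currently only hints at explicit.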