Authoritative IAM for organization
parent
b41e2b4b63
commit
91febe4cd1
|
@ -85,6 +85,37 @@ resource "google_organization_iam_member" "additive" {
|
||||||
member = each.value.member
|
member = each.value.member
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_organization_iam_policy" "authoritative" {
|
||||||
|
count = var.iam_bindings_authoritative != null || var.iam_audit_config_authoritative != null ? 1 : 0
|
||||||
|
org_id = local.organization_id_numeric
|
||||||
|
policy_data = data.google_iam_policy.authoritative.policy_data
|
||||||
|
}
|
||||||
|
|
||||||
|
data "google_iam_policy" "authoritative" {
|
||||||
|
dynamic "binding" {
|
||||||
|
for_each = var.iam_bindings_authoritative != null ? var.iam_bindings_authoritative : {}
|
||||||
|
content {
|
||||||
|
role = binding.key
|
||||||
|
members = binding.value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic "audit_config" {
|
||||||
|
for_each = var.iam_audit_config_authoritative != null ? var.iam_audit_config_authoritative : {}
|
||||||
|
content {
|
||||||
|
service = audit_config.key
|
||||||
|
dynamic "audit_log_configs" {
|
||||||
|
for_each = audit_config.value
|
||||||
|
iterator = config
|
||||||
|
content {
|
||||||
|
log_type = config.key
|
||||||
|
exempted_members = config.value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_organization_iam_audit_config" "config" {
|
resource "google_organization_iam_audit_config" "config" {
|
||||||
for_each = var.iam_audit_config
|
for_each = var.iam_audit_config
|
||||||
org_id = local.organization_id_numeric
|
org_id = local.organization_id_numeric
|
||||||
|
|
|
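Review bot: `google_organization_iam_policy.authoritative` overwrites the whole organization IAM policy, so whenever it is enabled alongside `google_organization_iam_binding.authoritative`, `google_organization_iam_member.additive` or `google_organization_iam_audit_config.config` (all visible in this file) the two sides will keep reverting each other on every apply, and nothing in the hunk rejects that combination — the only guard is the "use with caution" wording in the variable descriptions. Because the `binding` blocks are generated from a `map(list(string))` there is no way to emit a `condition`, so any existing conditional binding on the organization is silently dropped on first apply, and a list that omits the role held by the identity running Terraform (typically `roles/resourcemanager.organizationAdmin`) locks that identity out. If the module's Terraform constraint allows it (1.2+), a `lifecycle { precondition { condition = var.iam_audit_config_authoritative == null || length(var.iam_audit_config) == 0, error_message = "..." } }` on the resource would make at least the audit-config exclusivity enforced rather than advisory; at minimum I would put a comment above the resource: `# Authoritative: replaces EVERY binding and audit config on the org, including those managed by the additive/binding resources above and the caller's own admin role.`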
@ -22,6 +22,7 @@ output "organization_id" {
|
||||||
google_organization_iam_binding.authoritative,
|
google_organization_iam_binding.authoritative,
|
||||||
google_organization_iam_custom_role.roles,
|
google_organization_iam_custom_role.roles,
|
||||||
google_organization_iam_member.additive,
|
google_organization_iam_member.additive,
|
||||||
|
google_organization_iam_policy.authoritative,
|
||||||
google_organization_policy.boolean,
|
google_organization_policy.boolean,
|
||||||
google_organization_policy.list
|
google_organization_policy.list
|
||||||
]
|
]
|
||||||
|
|
|
@ -49,6 +49,23 @@ variable "iam_audit_config" {
|
||||||
# }
|
# }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "iam_bindings_authoritative" {
|
||||||
|
description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution."
|
||||||
|
type = map(list(string))
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "iam_audit_config_authoritative" {
|
||||||
|
description = "IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution."
|
||||||
|
type = map(map(list(string)))
|
||||||
|
default = null
|
||||||
|
# default = {
|
||||||
|
# allServices = {
|
||||||
|
# DATA_READ = ["user:me@example.org"]
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
variable "organization_id" {
|
variable "organization_id" {
|
||||||
description = "Organization id in organizations/nnnnnn format."
|
description = "Organization id in organizations/nnnnnn format."
|
||||||
type = string
|
type = string
|
||||||
|
|
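Review bot: `iam_audit_config_authoritative` accepts any string as the inner map key, but that key becomes `log_type` on the data source, which the API only accepts as ADMIN_READ, DATA_READ or DATA_WRITE — a typo such as `DATA_READS` therefore surfaces as an apply-time API error after the rest of the org policy has been planned, instead of failing at plan time. A `validation` block on the variable (assuming the module requires Terraform ≥ 0.13) catches this early; I have used a conditional rather than `||` so the null default is never iterated. The description should also say plainly that members listed under a log type are exempted from audit logging for it, since the commented example exempts a user from DATA_READ and "excluded members" does not make the logging gap obvious; suggested wording: `Members listed under a log type are EXEMPTED from audit logging for that type — each entry is a deliberate logging gap, keep it minimal.`
```hcl
variable "iam_audit_config_authoritative" {
  # … unchanged: description, type, default, commented example …
  validation {
    condition = var.iam_audit_config_authoritative == null ? true : alltrue(flatten([
      for service, log_types in var.iam_audit_config_authoritative : [
        for log_type, _ in log_types : contains(["ADMIN_READ", "DATA_READ", "DATA_WRITE"], log_type)
      ]
    ]))
    error_message = "Audit log types must be one of ADMIN_READ, DATA_READ, DATA_WRITE."
  }
}
```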