zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

use all service accounts from stage1 in networking delegated grants

This commit is contained in:
Ludovico Magnocavallo 2022-02-18 08:21:25 +01:00
parent a02179422d
commit b147a4cc44
4 changed files with 32 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
fast/stages/02-networking-nva/spoke-dev.tf
View File

@ -120,3 +120,18 @@ module "peering-dev" {
local_network = module.dev-spoke-vpc.self_link
peer_network = module.landing-trusted-vpc.self_link
}
# Create delegated grants for stage3 service accounts
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
project = module.dev-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = values(local.service_accounts)
condition {
title = "dev_stage3_sa_delegated_grants"
description = "Development host project delegated grants."
expression = format(
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
)
}
}

15
fast/stages/02-networking-nva/spoke-prod.tf
View File

@ -120,3 +120,18 @@ module "peering-prod" {
local_network = module.prod-spoke-vpc.self_link
peer_network = module.landing-trusted-vpc.self_link
}
# Create delegated grants for stage3 service accounts
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
project = module.prod-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = values(local.service_accounts)
condition {
title = "prod_stage3_sa_delegated_grants"
description = "Production host project delegated grants."
expression = format(
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
)
}
}

4
fast/stages/02-networking-vpn/spoke-dev.tf
View File

@ -102,9 +102,7 @@ module "dev-spoke-cloudnat" {
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
project = module.dev-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = [
local.service_accounts.project-factory-dev
]
members = values(local.service_accounts)
condition {
title = "dev_stage3_sa_delegated_grants"
description = "Development host project delegated grants."

4
fast/stages/02-networking-vpn/spoke-prod.tf
View File

@ -102,9 +102,7 @@ module "prod-spoke-cloudnat" {
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
project = module.prod-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = [
local.service_accounts.project-factory-prod
]
members = values(local.service_accounts)
condition {
title = "prod_stage3_sa_delegated_grants"
description = "Production host project delegated grants."