use all service accounts from stage1 in networking delegated grants
This commit is contained in:
parent
a02179422d
commit
b147a4cc44
@ -120,3 +120,18 @@ module "peering-dev" {
local_network = module.dev-spoke-vpc.self_link
peer_network = module.landing-trusted-vpc.self_link
}
|
# Create delegated grants for stage3 service accounts
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
project = module.dev-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = values(local.service_accounts)
condition {
title = "dev_stage3_sa_delegated_grants"
description = "Development host project delegated grants."
expression = format(
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
)
}
}
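Review bot: `members = values(local.service_accounts)` makes this authoritative binding grant roles/resourcemanager.projectIamAdmin to every account in that map, and the condition only restricts which roles those accounts may grant (`modifiedGrantsByRole`), not which principals they may grant them to; the same line appears in the `peering-prod`, `dev-spoke-cloudnat` and `prod-spoke-cloudnat` hunks. The removed lines in the cloudnat hunks show the previous version limited this to the project-factory account, so the comment above the resource should state why the wider set is intended, e.g. `# Delegated grants: every stage-1 service account may manage IAM on this project, limited to the roles listed in local.stage3_sas_delegated_grants`. If any entry of `local.service_accounts` can be null when an optional account is not created, `values()` would pass it through and the binding would fail at apply; worth confirming where that local is built, which is outside these hunks.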
@ -120,3 +120,18 @@ module "peering-prod" {
local_network = module.prod-spoke-vpc.self_link
peer_network = module.landing-trusted-vpc.self_link
}
|
# Create delegated grants for stage3 service accounts
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
project = module.prod-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = values(local.service_accounts)
condition {
title = "prod_stage3_sa_delegated_grants"
description = "Production host project delegated grants."
expression = format(
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
join(",", formatlist("'%s'", local.stage3_sas_delegated_grants))
)
}
}
@ -102,9 +102,7 @@ module "dev-spoke-cloudnat" {
resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
project = module.dev-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = [
local.service_accounts.project-factory-dev
]
members = values(local.service_accounts)
condition {
title = "dev_stage3_sa_delegated_grants"
description = "Development host project delegated grants."
@ -102,9 +102,7 @@ module "prod-spoke-cloudnat" {
resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
project = module.prod-spoke-project.project_id
role = "roles/resourcemanager.projectIamAdmin"
members = [
local.service_accounts.project-factory-prod
]
members = values(local.service_accounts)
condition {
title = "prod_stage3_sa_delegated_grants"
description = "Production host project delegated grants."