Allow specifying custom role names

2022-02-10 19:12:07 +01:00 · 2022-02-10 19:12:07 +01:00 · c4d36cc66b
parent ae49074921
commit c4d36cc66b
5 changed files with 19 additions and 7 deletions
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@ -147,12 +147,12 @@ module "organization" {
  iam_additive = local.iam_additive
  custom_roles = {
    # this is needed for use in additive IAM bindings, to avoid conflicts
-    "organizationIamAdmin" = [
+    (var.custom_role_names.organization_iam_admin) = [
      "resourcemanager.organizations.get",
      "resourcemanager.organizations.getIamPolicy",
      "resourcemanager.organizations.setIamPolicy"
    ]
-    "serviceProjectNetworkAdmin" = [
+    (var.custom_role_names.service_project_network_admin) = [
      "compute.globalOperations.get",
      "compute.organizations.disableXpnResource",
      "compute.organizations.enableXpnResource",
@ -182,7 +182,7 @@ module "organization" {

 resource "google_organization_iam_binding" "org_admin_delegated" {
  org_id  = var.organization.id
-  role    = module.organization.custom_role_id.organizationIamAdmin
+  role    = module.organization.custom_role_id[var.custom_role_names.organization_iam_admin]
  members = [module.automation-tf-resman-sa.iam_email]
  condition {
    title       = "automation_sa_delegated_grants"
--- a/fast/stages/00-bootstrap/outputs.tf
+++ b/fast/stages/00-bootstrap/outputs.tf
@ -15,6 +15,10 @@
 */

 locals {
+  _custom_roles = {
+    for k, v in var.custom_role_names :
+    k => module.organization.custom_role_id[v]
+  }
  providers = {
    "00-bootstrap" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
      bucket = module.automation-tf-bootstrap-gcs.name
@ -31,14 +35,14 @@ locals {
    "01-resman" = jsonencode({
      automation_project_id = module.automation-project.project_id
      billing_account       = var.billing_account
-      custom_roles          = module.organization.custom_role_id
+      custom_roles          = local._custom_roles
      groups                = var.groups
      organization          = var.organization
      prefix                = var.prefix
    })
    "02-networking" = jsonencode({
      billing_account_id = var.billing_account.id
-      custom_roles       = module.organization.custom_role_id
+      custom_roles       = local._custom_roles
      organization       = var.organization
      prefix             = var.prefix
    })
--- a/fast/stages/00-bootstrap/variables.tf
+++ b/fast/stages/00-bootstrap/variables.tf
@ -28,6 +28,14 @@ variable "bootstrap_user" {
  default     = null
 }

+variable "custom_role_names" {
+  description = "Names of custom roles defined at the org level."
+  type = object({
+    organization_iam_admin        = "organizationIamAdmin"
+    service_project_network_admin = "serviceProjectNetworkAdmin"
+  })
+}
+
 variable "groups" {
  # https://cloud.google.com/docs/enterprise/setup-checklist
  description = "Group names to grant organization-level permissions."
--- a/fast/stages/02-networking-vpn/vpc-spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/vpc-spoke-dev.tf
@ -40,7 +40,7 @@ module "dev-spoke-project" {
  metric_scopes = [module.landing-project.project_id]
  iam = {
    "roles/dns.admin" = [var.project_factory_sa.dev]
-    (var.custom_roles.serviceProjectNetworkAdmin) = [
+    (var.custom_roles.service_project_network_admin) = [
      var.project_factory_sa.prod
    ]
  }
--- a/fast/stages/02-networking-vpn/vpc-spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/vpc-spoke-prod.tf
@ -40,7 +40,7 @@ module "prod-spoke-project" {
  metric_scopes = [module.landing-project.project_id]
  iam = {
    "roles/dns.admin" = [var.project_factory_sa.prod]
-    (var.custom_roles.serviceProjectNetworkAdmin) = [
+    (var.custom_roles.service_project_network_admin) = [
      var.project_factory_sa.prod
    ]
  }