Allow specifying custom role names
parent
ae49074921
commit
c4d36cc66b
|
@ -147,12 +147,12 @@ module "organization" {
|
|||
iam_additive = local.iam_additive
|
||||
custom_roles = {
|
||||
# this is needed for use in additive IAM bindings, to avoid conflicts
|
||||
"organizationIamAdmin" = [
|
||||
(var.custom_role_names.organization_iam_admin) = [
|
||||
"resourcemanager.organizations.get",
|
||||
"resourcemanager.organizations.getIamPolicy",
|
||||
"resourcemanager.organizations.setIamPolicy"
|
||||
]
|
||||
"serviceProjectNetworkAdmin" = [
|
||||
(var.custom_role_names.service_project_network_admin) = [
|
||||
"compute.globalOperations.get",
|
||||
"compute.organizations.disableXpnResource",
|
||||
"compute.organizations.enableXpnResource",
|
||||
|
@ -182,7 +182,7 @@ module "organization" {
|
|||
|
||||
resource "google_organization_iam_binding" "org_admin_delegated" {
|
||||
org_id = var.organization.id
|
||||
role = module.organization.custom_role_id.organizationIamAdmin
|
||||
role = module.organization.custom_role_id[var.custom_role_names.organization_iam_admin]
|
||||
members = [module.automation-tf-resman-sa.iam_email]
|
||||
condition {
|
||||
title = "automation_sa_delegated_grants"
|
||||
|
|
|
@ -15,6 +15,10 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
_custom_roles = {
|
||||
for k, v in var.custom_role_names :
|
||||
k => module.organization.custom_role_id[v]
|
||||
}
|
||||
providers = {
|
||||
"00-bootstrap" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
|
||||
bucket = module.automation-tf-bootstrap-gcs.name
|
||||
|
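Review bot: The new `_custom_roles` local carries no comment, and its purpose is not obvious from the expression alone: it re-keys the org module's `custom_role_id` map from the actual role names to the short attribute keys of `var.custom_role_names`, which is what lets later stages reference `var.custom_roles.service_project_network_admin` regardless of the name chosen. Suggest `# re-key custom role ids by the short attribute names of var.custom_role_names, so later stages do not depend on the actual role names`. The `locals` block continues past the hunk.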
@ -31,14 +35,14 @@ locals {
|
|||
"01-resman" = jsonencode({
|
||||
automation_project_id = module.automation-project.project_id
|
||||
billing_account = var.billing_account
|
||||
custom_roles = module.organization.custom_role_id
|
||||
custom_roles = local._custom_roles
|
||||
groups = var.groups
|
||||
organization = var.organization
|
||||
prefix = var.prefix
|
||||
})
|
||||
"02-networking" = jsonencode({
|
||||
billing_account_id = var.billing_account.id
|
||||
custom_roles = module.organization.custom_role_id
|
||||
custom_roles = local._custom_roles
|
||||
organization = var.organization
|
||||
prefix = var.prefix
|
||||
})
|
||||
|
|
|
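Review bot: Both `01-resman` and `02-networking` now receive `custom_roles = local._custom_roles`, whose keys are `organization_iam_admin` and `service_project_network_admin` rather than the role names passed before; only the `02-networking` spoke projects are updated in this commit, and no change to a `01-resman` consumer or to the `custom_roles` variable declarations of either stage is visible here. If `01-resman` still reads `var.custom_roles.organizationIamAdmin`, or either stage declares `custom_roles` as an object with the old attribute names, the generated tfvars will fail at plan time — worth confirming in those files. A one-line comment at the `01-resman` assignment, `# keys are the short names from var.custom_role_names, not the role names`, would make the contract explicit for stage maintainers.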
@ -28,6 +28,14 @@ variable "bootstrap_user" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "custom_role_names" {
|
||||
description = "Names of custom roles defined at the org level."
|
||||
type = object({
|
||||
organization_iam_admin = "organizationIamAdmin"
|
||||
service_project_network_admin = "serviceProjectNetworkAdmin"
|
||||
})
|
||||
}
|
||||
|
||||
variable "groups" {
|
||||
# https://cloud.google.com/docs/enterprise/setup-checklist
|
||||
description = "Group names to grant organization-level permissions."
|
||||
|
|
|
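Review bot: The `type` block of `custom_role_names` assigns string literals (`organization_iam_admin = "organizationIamAdmin"`) where an `object` type constraint expects attribute types, so validation will reject the variable and no default is actually declared; the literals belong in a `default` block with `type = object({ ... = string })`. Without a default the variable is also required, which works against the commit's aim of keeping the previous role names unless a caller overrides them. Since these values become org-level custom role ids and are used as map keys in the organization module, keeping the type strict as `string` also avoids accepting `null` for either name.
```hcl
variable "custom_role_names" {
  description = "Names of custom roles defined at the org level."
  type = object({
    organization_iam_admin        = string
    service_project_network_admin = string
  })
  default = {
    organization_iam_admin        = "organizationIamAdmin"
    service_project_network_admin = "serviceProjectNetworkAdmin"
  }
}
```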
@ -40,7 +40,7 @@ module "dev-spoke-project" {
|
|||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [var.project_factory_sa.dev]
|
||||
(var.custom_roles.serviceProjectNetworkAdmin) = [
|
||||
(var.custom_roles.service_project_network_admin) = [
|
||||
var.project_factory_sa.prod
|
||||
]
|
||||
}
|
||||
|
|
|
@ -40,7 +40,7 @@ module "prod-spoke-project" {
|
|||
metric_scopes = [module.landing-project.project_id]
|
||||
iam = {
|
||||
"roles/dns.admin" = [var.project_factory_sa.prod]
|
||||
(var.custom_roles.serviceProjectNetworkAdmin) = [
|
||||
(var.custom_roles.service_project_network_admin) = [
|
||||
var.project_factory_sa.prod
|
||||
]
|
||||
}
|
||||
|
|