Allow specifying custom role names

This commit is contained in:
Ludovico Magnocavallo 2022-02-10 19:12:07 +01:00
parent ae49074921
commit c4d36cc66b
5 changed files with 19 additions and 7 deletions


@ -147,12 +147,12 @@ module "organization" {
iam_additive = local.iam_additive
custom_roles = {
# this is needed for use in additive IAM bindings, to avoid conflicts
"organizationIamAdmin" = [
(var.custom_role_names.organization_iam_admin) = [
"resourcemanager.organizations.get",
"resourcemanager.organizations.getIamPolicy",
"resourcemanager.organizations.setIamPolicy"
]
"serviceProjectNetworkAdmin" = [
(var.custom_role_names.service_project_network_admin) = [
"compute.globalOperations.get",
"compute.organizations.disableXpnResource",
"compute.organizations.enableXpnResource",
@ -182,7 +182,7 @@ module "organization" {
resource "google_organization_iam_binding" "org_admin_delegated" {
org_id = var.organization.id
role = module.organization.custom_role_id.organizationIamAdmin
role = module.organization.custom_role_id[var.custom_role_names.organization_iam_admin]
members = [module.automation-tf-resman-sa.iam_email]
condition {
title = "automation_sa_delegated_grants"
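Review bot: The `custom_roles` map keys and the `custom_role_id[...]` lookup on the `org_admin_delegated` binding now both depend on attributes of `var.custom_role_names`, and nothing in this hunk says so; the existing comment only explains why the roles exist. A one-line comment on the map would make the coupling explicit, e.g. `# role ids come from var.custom_role_names; the same names are used as lookup keys below and in downstream stages`. Both the `module "organization"` block and the `google_organization_iam_binding` resource extend beyond this hunk.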


@ -15,6 +15,10 @@
*/
locals {
_custom_roles = {
for k, v in var.custom_role_names :
k => module.organization.custom_role_id[v]
}
providers = {
"00-bootstrap" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
bucket = module.automation-tf-bootstrap-gcs.name
@ -31,14 +35,14 @@ locals {
"01-resman" = jsonencode({
automation_project_id = module.automation-project.project_id
billing_account = var.billing_account
custom_roles = module.organization.custom_role_id
custom_roles = local._custom_roles
groups = var.groups
organization = var.organization
prefix = var.prefix
})
"02-networking" = jsonencode({
billing_account_id = var.billing_account.id
custom_roles = module.organization.custom_role_id
custom_roles = local._custom_roles
organization = var.organization
prefix = var.prefix
})
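Review bot: `local._custom_roles` re-keys the organization module's role ids by the logical attribute names of `var.custom_role_names`, which is what the networking stage now indexes, but the local carries no comment and the leading underscore suggests a private helper without saying why. Suggest `# custom role ids keyed by logical name (var.custom_role_names) so downstream stages do not depend on the actual role id` above the `for` expression. The `locals` block and the `providers` value continue outside this hunk.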


@ -28,6 +28,14 @@ variable "bootstrap_user" {
default = null
}
variable "custom_role_names" {
description = "Names of custom roles defined at the org level."
type = object({
organization_iam_admin = "organizationIamAdmin"
service_project_network_admin = "serviceProjectNetworkAdmin"
})
}
variable "groups" {
# https://cloud.google.com/docs/enterprise/setup-checklist
description = "Group names to grant organization-level permissions."
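Review bot: The `type = object({...})` constraint of `custom_role_names` uses string literals (`"organizationIamAdmin"`) where Terraform expects type expressions, so this declaration is not a valid type constraint and there is no `default`, meaning the intended names are never actually applied. The attributes should be typed as `string` with the current names moved into `default`. Since these values become GCP custom role ids used in IAM bindings (sections 1 and 2), a `validation` block constraining them to the role-id character set would also catch a bad name at plan time rather than at apply; the pattern below is a constructed example to confirm against the IAM role-id rules.
```hcl
variable "custom_role_names" {
  description = "Names of custom roles defined at the org level."
  type = object({
    organization_iam_admin        = string
    service_project_network_admin = string
  })
  default = {
    organization_iam_admin        = "organizationIamAdmin"
    service_project_network_admin = "serviceProjectNetworkAdmin"
  }
  validation {
    # constructed pattern: custom role ids are used verbatim in IAM bindings; confirm against the IAM role-id constraints
    condition = alltrue([
      for v in values(var.custom_role_names) : can(regex("^[a-zA-Z0-9_.]{3,64}$", v))
    ])
    error_message = "Custom role names must be 3-64 characters of letters, digits, underscores or periods."
  }
}
```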


@ -40,7 +40,7 @@ module "dev-spoke-project" {
metric_scopes = [module.landing-project.project_id]
iam = {
"roles/dns.admin" = [var.project_factory_sa.dev]
(var.custom_roles.serviceProjectNetworkAdmin) = [
(var.custom_roles.service_project_network_admin) = [
var.project_factory_sa.prod
]
}
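Review bot: The new key `var.custom_roles.service_project_network_admin` (here and in the prod spoke section) only resolves if the networking stage's `variable "custom_roles"` accepts that attribute; if it is declared as an `object` with the old `serviceProjectNetworkAdmin` attribute, that declaration is not among the changed files and plan would fail, so it is worth confirming it is a `map(string)` or has been updated. Unrelated to this change but visible in the hunk: the dev spoke grants the network-admin role to `var.project_factory_sa.prod` while the `roles/dns.admin` binding above uses `.dev`, which looks like it may be a copy from the prod spoke and would give the prod SA more reach than it needs, so worth a second look. The `module "dev-spoke-project"` block starts before this hunk.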


@ -40,7 +40,7 @@ module "prod-spoke-project" {
metric_scopes = [module.landing-project.project_id]
iam = {
"roles/dns.admin" = [var.project_factory_sa.prod]
(var.custom_roles.serviceProjectNetworkAdmin) = [
(var.custom_roles.service_project_network_admin) = [
var.project_factory_sa.prod
]
}