diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index ea2e4cef..689f378b 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -147,12 +147,12 @@ module "organization" {
   iam_additive = local.iam_additive
   custom_roles = {
     # this is needed for use in additive IAM bindings, to avoid conflicts
-    "organizationIamAdmin" = [
+    (var.custom_role_names.organization_iam_admin) = [
       "resourcemanager.organizations.get",
       "resourcemanager.organizations.getIamPolicy",
       "resourcemanager.organizations.setIamPolicy"
     ]
-    "serviceProjectNetworkAdmin" = [
+    (var.custom_role_names.service_project_network_admin) = [
       "compute.globalOperations.get",
       "compute.organizations.disableXpnResource",
       "compute.organizations.enableXpnResource",
@@ -182,7 +182,7 @@ module "organization" {
 resource "google_organization_iam_binding" "org_admin_delegated" {
   org_id = var.organization.id
-  role = module.organization.custom_role_id.organizationIamAdmin
+  role = module.organization.custom_role_id[var.custom_role_names.organization_iam_admin]
   members = [module.automation-tf-resman-sa.iam_email]
   condition {
     title = "automation_sa_delegated_grants"
diff --git a/fast/stages/00-bootstrap/outputs.tf b/fast/stages/00-bootstrap/outputs.tf
index d7924781..d074d91f 100644
--- a/fast/stages/00-bootstrap/outputs.tf
+++ b/fast/stages/00-bootstrap/outputs.tf
@@ -15,6 +15,10 @@
  */
 locals {
+  _custom_roles = {
+    for k, v in var.custom_role_names :
+    k => module.organization.custom_role_id[v]
+  }
   providers = {
     "00-bootstrap" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
       bucket = module.automation-tf-bootstrap-gcs.name
@@ -31,14 +35,14 @@ locals {
     "01-resman" = jsonencode({
       automation_project_id = module.automation-project.project_id
       billing_account = var.billing_account
-      custom_roles = module.organization.custom_role_id
+      custom_roles = local._custom_roles
       groups = var.groups
       organization = var.organization
       prefix = var.prefix
     })
     "02-networking" = jsonencode({
       billing_account_id = var.billing_account.id
-      custom_roles = module.organization.custom_role_id
+      custom_roles = local._custom_roles
       organization = var.organization
       prefix = var.prefix
     })
diff --git a/fast/stages/00-bootstrap/variables.tf b/fast/stages/00-bootstrap/variables.tf
index 1bf0e2de..8fe53c7f 100644
--- a/fast/stages/00-bootstrap/variables.tf
+++ b/fast/stages/00-bootstrap/variables.tf
@@ -28,6 +28,14 @@ variable "bootstrap_user" {
   default = null
 }
 
+variable "custom_role_names" {
+  description = "Names of custom roles defined at the org level."
+  type = object({
+    organization_iam_admin = "organizationIamAdmin"
+    service_project_network_admin = "serviceProjectNetworkAdmin"
+  })
+}
+
 variable "groups" {
   # https://cloud.google.com/docs/enterprise/setup-checklist
   description = "Group names to grant organization-level permissions."
diff --git a/fast/stages/02-networking-vpn/vpc-spoke-dev.tf b/fast/stages/02-networking-vpn/vpc-spoke-dev.tf
index 9b3c0f9e..4a3f0f25 100644
--- a/fast/stages/02-networking-vpn/vpc-spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/vpc-spoke-dev.tf
@@ -40,7 +40,7 @@ module "dev-spoke-project" {
   metric_scopes = [module.landing-project.project_id]
   iam = {
     "roles/dns.admin" = [var.project_factory_sa.dev]
-    (var.custom_roles.serviceProjectNetworkAdmin) = [
+    (var.custom_roles.service_project_network_admin) = [
       var.project_factory_sa.prod
     ]
   }
diff --git a/fast/stages/02-networking-vpn/vpc-spoke-prod.tf b/fast/stages/02-networking-vpn/vpc-spoke-prod.tf
index 7f42ab2c..3be90c2e 100644
--- a/fast/stages/02-networking-vpn/vpc-spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/vpc-spoke-prod.tf
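Review bot: Pointing the 01-resman and 02-networking `custom_roles` outputs at `local._custom_roles` changes the keys downstream stages receive from the role names (`organizationIamAdmin`, `serviceProjectNetworkAdmin`) to the `custom_role_names` attribute names, and only the two 02-networking-vpn spoke files are updated in this diff; if anything in 01-resman still reads `var.custom_roles.organizationIamAdmin` it will fail once the new tfvars are consumed (inferred, 01-resman is not visible here). The `_custom_roles` local that builds the map is defined in the preceding hunk of this file and carries no comment, so the new contract is implicit; a line such as `# keyed by custom_role_names attribute (not by role id) so downstream stages do not hard-code the org custom role names` on that local would make the intent explicit for the stage consumers.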
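Review bot: The `type = object({ ... })` block of the new `custom_role_names` variable assigns string literals to the attributes where an object type constraint expects attribute types, so `terraform validate` will reject it as an invalid type specification; the literal names belong in a `default` block, and without one the variable is also required on every invocation of the stage. Because these names become the custom role ids created in organization.tf and select the role granted by the conditioned `org_admin_delegated` org-level binding, constraining them at plan time avoids an apply-time failure on a malformed id; the IAM custom role id rules allow alphanumerics, underscore and period, 3 to 64 characters, which the validation below encodes.

```hcl
variable "custom_role_names" {
  description = "Names of custom roles defined at the org level."
  type = object({
    organization_iam_admin        = string
    service_project_network_admin = string
  })
  default = {
    organization_iam_admin        = "organizationIamAdmin"
    service_project_network_admin = "serviceProjectNetworkAdmin"
  }
  validation {
    # custom role ids are created from these names, so reject values IAM would refuse
    condition = alltrue([
      for v in values(var.custom_role_names) : can(regex("^[a-zA-Z0-9_.]{3,64}$", v))
    ])
    error_message = "Custom role names must match the IAM custom role id format."
  }
}
```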
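Review bot: In the dev spoke project's `iam` map the `service_project_network_admin` custom role is bound to `var.project_factory_sa.prod`, while `roles/dns.admin` on the same project goes to `var.project_factory_sa.dev`, and the matching hunk in vpc-spoke-prod.tf grants both to `.prod`; this looks like a copy from the prod spoke, and the least-privilege member here would be `var.project_factory_sa.dev` unless the prod project factory is intentionally meant to attach service projects to the dev shared VPC. The member line is unchanged context, but since the commit rewrites the binding's key it is the right moment to confirm which service account is intended, and to note the reason in a comment if the prod SA is deliberate.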
@@ -40,7 +40,7 @@ module "prod-spoke-project" {
   metric_scopes = [module.landing-project.project_id]
   iam = {
     "roles/dns.admin" = [var.project_factory_sa.prod]
-    (var.custom_roles.serviceProjectNetworkAdmin) = [
+    (var.custom_roles.service_project_network_admin) = [
       var.project_factory_sa.prod
     ]
   }