From d2f0b17ec46721c6200e32fb532219ef5780883c Mon Sep 17 00:00:00 2001 From: Roberto Jung Drebes Date: Wed, 17 May 2023 11:07:47 +0200 Subject: [PATCH] Allows groups from other orgs/domains (#1383) * Allows groups from other orgs --- fast/stages-multitenant/0-bootstrap-tenant/main.tf | 2 +- fast/stages-multitenant/1-resman-tenant/main.tf | 2 +- fast/stages/0-bootstrap/README.md | 2 +- fast/stages/0-bootstrap/main.tf | 2 +- fast/stages/0-bootstrap/variables.tf | 2 +- fast/stages/1-resman/README.md | 2 +- fast/stages/1-resman/main.tf | 2 +- fast/stages/1-resman/variables.tf | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/fast/stages-multitenant/0-bootstrap-tenant/main.tf b/fast/stages-multitenant/0-bootstrap-tenant/main.tf index 3a150594..e4ca74af 100644 --- a/fast/stages-multitenant/0-bootstrap-tenant/main.tf +++ b/fast/stages-multitenant/0-bootstrap-tenant/main.tf @@ -22,7 +22,7 @@ locals { ) groups = { for k, v in var.tenant_config.groups : - k => v == null ? null : "${v}@${var.organization.domain}" + k => v == null ? null : can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}" } fast_features = { for k, v in var.tenant_config.fast_features : diff --git a/fast/stages-multitenant/1-resman-tenant/main.tf b/fast/stages-multitenant/1-resman-tenant/main.tf index 76c04639..eb29fe42 100644 --- a/fast/stages-multitenant/1-resman-tenant/main.tf +++ b/fast/stages-multitenant/1-resman-tenant/main.tf @@ -71,7 +71,7 @@ locals { ) groups = { for k, v in var.groups : - k => v == null ? null : "${v}@${var.organization.domain}" + k => v == null ? null : can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}" } groups_iam = { for k, v in local.groups : k => v != null ? "group:${v}" : null diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md index 2c7a8657..5a75e43d 100644 --- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md 
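Review bot: The `can(regex(".*@.*", v))` test on the added `k =>` line accepts any string that merely contains an `@`, including `@` alone, `name@`, or a value with surrounding whitespace, so a malformed entry is passed through verbatim and only fails at apply time when the IAM binding is created, not at plan time. An anchored pattern such as `can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", v))` states the intent (a full group email) and rejects the obvious typos up front. The enclosing `locals` block starts and ends outside the hunk.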
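Review bot: The added `k =>` line lets a group outside `var.organization.domain` be bound to tenant-level roles through `groups_iam` two lines below, but nothing in the code records that such a group's membership is administered by another organization's admins, which is a trust-boundary change worth a comment. I would add above the `groups` local: `# A value containing '@' is used as-is as a full group email, possibly from another domain; its membership is managed outside this org, so confirm who owns it before granting roles.` If the `iam.allowedPolicyMemberDomains` constraint is enforced for this tenant (presumably via the stage's organization policy settings, not visible here), the external group's customer ID must also be allowlisted or the binding will be rejected, which is worth stating in the variable docs. The enclosing `locals` block continues outside the hunk.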
@@ -509,7 +509,7 @@ The remaining configuration is manual, as it regards the repositories themselves | [custom_role_names](variables.tf#L79) | Names of custom roles defined at the org level. | object({…}) | | {…} | | | [fast_features](variables.tf#L93) | Selective control for top-level FAST features. | object({…}) | | {} | | | [federated_identity_providers](variables.tf#L106) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | -| [groups](variables.tf#L120) | Group names to grant organization-level permissions. | map(string) | | {…} | | +| [groups](variables.tf#L120) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | map(string) | | {…} | | | [iam](variables.tf#L138) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | | [iam_additive](variables.tf#L144) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | map(list(string)) | | {} | | | [locations](variables.tf#L150) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | | diff --git a/fast/stages/0-bootstrap/main.tf b/fast/stages/0-bootstrap/main.tf index dba2ed08..dead9288 100644 --- a/fast/stages/0-bootstrap/main.tf +++ b/fast/stages/0-bootstrap/main.tf @@ -22,7 +22,7 @@ locals { ) groups = { for k, v in var.groups : - k => "${v}@${var.organization.domain}" + k => can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}" } groups_iam = { for k, v in local.groups : diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf index c8582289..a17c4e57 100644 --- a/fast/stages/0-bootstrap/variables.tf +++ b/fast/stages/0-bootstrap/variables.tf 
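Review bot: The rewritten `k =>` line has no `v == null` guard, unlike the same conditional in the multitenant stages, so a `null` entry in `var.groups` makes `regex` fail inside `can` (yielding `false`) and then errors on interpolating `null` into `"${v}@${var.organization.domain}"` with an unhelpful message. If a `null` value is meant to opt a group out, as the tenant stages' `groups_iam` suggests, I would align this line with them: `k => v == null ? null : can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"`. The `groups_iam` local that consumes this starts on the hunk's last line and continues outside it.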
@@ -119,7 +119,7 @@ variable "federated_identity_providers" { variable "groups" { # https://cloud.google.com/docs/enterprise/setup-checklist - description = "Group names to grant organization-level permissions." + description = "Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed." type = map(string) default = { gcp-billing-admins = "gcp-billing-admins", diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index c2c32dda..afe0ba3c 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md @@ -212,7 +212,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding | [custom_roles](variables.tf#L131) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [data_dir](variables.tf#L140) | Relative path for the folder storing configuration data. | string | | "data" | | | [fast_features](variables.tf#L146) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | -| [groups](variables.tf#L160) | Group names to grant organization-level permissions. | object({…}) | | {} | 0-bootstrap | +| [groups](variables.tf#L160) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…}) | | {} | 0-bootstrap | | [locations](variables.tf#L173) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | 0-bootstrap | | [organization_policy_configs](variables.tf#L201) | Organization policies customization. | object({…}) | | null | | | [outputs_location](variables.tf#L209) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | diff --git a/fast/stages/1-resman/main.tf b/fast/stages/1-resman/main.tf index ff08b8c5..95bc1c4f 100644 --- a/fast/stages/1-resman/main.tf 
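Review bot: The description now promises that either a bare name or a full email is accepted, but the variable still has no `validation` block, so the distinction rests solely on the `.*@.*` test in `main.tf` and bad values surface as IAM API errors at apply time. Because every value here ends up bound to organization-level roles, I would reject anything that is neither a plain name nor a well-formed email at plan time, as below. The `variable "groups"` block continues past the end of the hunk, so the validation goes after the existing `default`.
```hcl
variable "groups" {
  # … unchanged: description, type, default …
  validation {
    condition = alltrue([
      for v in values(var.groups) :
      v == null || can(regex("^[^@\\s]+(@[^@\\s]+\\.[^@\\s]+)?$", v))
    ])
    error_message = "Each group must be a bare group name or a full email address (name@domain), with no whitespace."
  }
```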
+++ b/fast/stages/1-resman/main.tf @@ -69,7 +69,7 @@ locals { ) groups = { for k, v in var.groups : - k => "${v}@${var.organization.domain}" + k => can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}" } groups_iam = { for k, v in local.groups : k => v != null ? "group:${v}" : null diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf index f2e413c9..e13a4e39 100644 --- a/fast/stages/1-resman/variables.tf +++ b/fast/stages/1-resman/variables.tf @@ -160,7 +160,7 @@ variable "fast_features" { variable "groups" { # tfdoc:variable:source 0-bootstrap # https://cloud.google.com/docs/enterprise/setup-checklist - description = "Group names to grant organization-level permissions." + description = "Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed." type = object({ gcp-devops = optional(string) gcp-network-admins = optional(string)
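Review bot: The `.*@.*` test on the added `k =>` line also matches values that already carry a principal prefix, such as `group:admins@example.com`, and `groups_iam` on the next line then yields `group:group:admins@example.com`, which the IAM API rejects at apply time. Anchoring the pattern to an email shape that excludes `:`, e.g. `can(regex("^[^:@\\s]+@[^:@\\s]+$", v))`, closes that gap at plan time. Since this stage receives `groups` from 0-bootstrap (per the `tfdoc:variable:source 0-bootstrap` tag in the next hunk), it is worth confirming that the handed-over values are the already-qualified emails rather than raw input, which I cannot tell from here. The enclosing `locals` block starts and ends outside the hunk.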