Add conditional org admin role to sandbox SA (#1385)

* add org admin conditional role to sandbox SA

* tfdoc
Ludovico Magnocavallo 2023-05-21 10:48:41 +02:00 committed by GitHub
parent d2f0b17ec4
commit e0911c6291
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 1 deletions


@ -185,7 +185,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
| [branch-gke.tf](./branch-gke.tf) | GKE multitenant stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-networking.tf](./branch-networking.tf) | Networking stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-project-factory.tf](./branch-project-factory.tf) | Project factory stage resources. | <code>gcs</code> · <code>iam-service-account</code> | <code>google_organization_iam_member</code> |
| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | <code>google_organization_iam_member</code> |
| [branch-security.tf](./branch-security.tf) | Security stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [branch-teams.tf](./branch-teams.tf) | Team stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
| [cicd-data-platform.tf](./cicd-data-platform.tf) | CI/CD resources for the data platform branch. | <code>iam-service-account</code> · <code>source-repository</code> | |


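--- a/branch-sandbox.tf
+++ b/branch-sandbox.tf
@@ -60,3 +60,17 @@ module "branch-sandbox-sa" {
 display_name = "Terraform resman sandbox service account."
 prefix = var.prefix
 }
+resource "google_organization_iam_member" "org_policy_admin_sandbox" {
+count = var.fast_features.project_factory ? 1 : 0
+org_id = var.organization.id
+role = "roles/orgpolicy.policyAdmin"
+member = module.branch-sandbox-sa.0.iam_email
+condition {
+title = "org_policy_tag_sandbox_scoped"
+description = "Org policy tag scoped grant for sandbox."
+expression = <<-END
+resource.matchTag('${var.organization.id}/${var.tag_names.context}', 'sandbox')
+END
+}
+}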
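Review bot: The `count` guard on the new binding is `var.fast_features.project_factory`, but the member expression indexes `module.branch-sandbox-sa.0`; if that module is gated on a sandbox feature flag (as the `.0` index suggests — its `count` is outside the hunk), enabling project_factory without sandbox makes the plan fail on an out-of-range index, while disabling project_factory silently drops the sandbox grant, so the guard should track the same flag the module uses, e.g. `count = var.fast_features.sandbox ? 1 : 0`. The condition also deserves a comment: it hands `roles/orgpolicy.policyAdmin` at organization level to any resource carrying the `context=sandbox` tag value, so whoever can bind that tag value effectively widens this grant — suggest `# NOTE: scope follows tag bindings; keep tagUser on the sandbox tag value restricted.` above the `condition` block. Finally, the commit title says "org admin" while the role bound is Organization Policy Administrator; the inline description `Org policy tag scoped grant for sandbox.` is the accurate wording.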