Add conditional org admin role to sandbox SA (#1385)
* add conditional Organization Policy Administrator (roles/orgpolicy.policyAdmin) role to sandbox SA * tfdoc
This commit is contained in:
parent
d2f0b17ec4
commit
e0911c6291
|
@ -185,7 +185,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|
|||
| [branch-gke.tf](./branch-gke.tf) | GKE multitenant stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-networking.tf](./branch-networking.tf) | Networking stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-project-factory.tf](./branch-project-factory.tf) | Project factory stage resources. | <code>gcs</code> · <code>iam-service-account</code> | <code>google_organization_iam_member</code> |
|
||||
| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | <code>google_organization_iam_member</code> |
|
||||
| [branch-security.tf](./branch-security.tf) | Security stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [branch-teams.tf](./branch-teams.tf) | Team stage resources. | <code>folder</code> · <code>gcs</code> · <code>iam-service-account</code> | |
|
||||
| [cicd-data-platform.tf](./cicd-data-platform.tf) | CI/CD resources for the data platform branch. | <code>iam-service-account</code> · <code>source-repository</code> | |
|
||||
|
|
|
@ -60,3 +60,17 @@ module "branch-sandbox-sa" {
|
|||
display_name = "Terraform resman sandbox service account."
|
||||
prefix = var.prefix
|
||||
}
|
||||
|
||||
resource "google_organization_iam_member" "org_policy_admin_sandbox" {
|
||||
count = var.fast_features.project_factory ? 1 : 0
|
||||
org_id = var.organization.id
|
||||
role = "roles/orgpolicy.policyAdmin"
|
||||
member = module.branch-sandbox-sa.0.iam_email
|
||||
condition {
|
||||
title = "org_policy_tag_sandbox_scoped"
|
||||
description = "Org policy tag scoped grant for sandbox."
|
||||
expression = <<-END
|
||||
resource.matchTag('${var.organization.id}/${var.tag_names.context}', 'sandbox')
|
||||
END
|
||||
}
|
||||
}
|
||||
|
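Review bot: The `count` on `google_organization_iam_member.org_policy_admin_sandbox` is gated on `var.fast_features.project_factory`, yet the member is `module.branch-sandbox-sa.0.iam_email`; if the sandbox SA module is itself conditional on a sandbox feature flag (the `.0` index suggests it is), this binding fails with an index error when project_factory is enabled and sandbox is not, and is silently skipped in the opposite case — presumably this should read `count = var.fast_features.sandbox ? 1 : 0` (the flag name is not visible in this hunk, confirm against the variables file). Note also that the role granted is `roles/orgpolicy.policyAdmin` (Organization Policy Administrator), not Organization Administrator as the commit title suggests. A tag-scoped org-level binding is only as tight as control over who may bind the `context=sandbox` tag value: any principal holding `roles/resourcemanager.tagUser` on a folder or project can extend this SA's org-policy admin scope to that resource by binding the value, so the sandbox SA itself must not be able to bind tags. A short comment above the resource would make the intent and the scope explicit, e.g. `# Org policy admin scoped via IAM condition to resources carrying the context=sandbox tag (inherited tags included); the SA can relax inherited constraints only inside that subtree.`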
|