Allow additive IAM grants by robots name
Regrettably the member name will only be known after apply, hence the changes in the tests
parent
36a7347744
commit
e64e8db20d
|
@ -138,6 +138,29 @@ module "project" {
|
||||||
# tftest modules=1 resources=2
|
# tftest modules=1 resources=2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Using shortcodes for Service Identities in additive IAM
|
||||||
|
Most Service Identities contains project number in their e-mail address and this prevents additive IAM to work, as these values are not known at moment of execution of `terraform plan` (its not an issue for authoritative IAM). To refer current project Service Identities you may use shortcodes for Service Identities similarly as for `service_identity_iam` when configuring Shared VPC.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "project" {
|
||||||
|
source = "./fabric/modules/project"
|
||||||
|
name = "project-example"
|
||||||
|
|
||||||
|
services = [
|
||||||
|
"run.googleapis.com",
|
||||||
|
"container.googleapis.com",
|
||||||
|
]
|
||||||
|
|
||||||
|
iam_additive = {
|
||||||
|
"roles/editor" = ["cloudservices"]
|
||||||
|
"roles/vpcaccess.user" = ["cloudrun"]
|
||||||
|
"roles/container.hostServiceAgentUser" = ["container-engine"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=6
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Service identities requiring manual IAM grants
|
### Service identities requiring manual IAM grants
|
||||||
|
|
||||||
The module will create service identities at project creation instead of creating of them at the time of first use. This allows granting these service identities roles in other projects, something which is usually necessary in a Shared VPC context.
|
The module will create service identities at project creation instead of creating of them at the time of first use. This allows granting these service identities roles in other projects, something which is usually necessary in a Shared VPC context.
|
||||||
|
|
|
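--- a/modules/project/iam.tf
+++ b/modules/project/iam.tf
@@ -47,7 +47,18 @@ locals {
 }
 iam_additive = {
 for pair in concat(local._iam_additive_pairs, local._iam_additive_member_pairs) :
-"${pair.role}-${pair.member}" => pair
+"${pair.role}-${pair.member}" => {
+role = pair.role
+member = (
+pair.member == "cloudservices"
+? "serviceAccount:${local.service_account_cloud_services}"
+: pair.member == "default-compute"
+? "serviceAccount:${local.service_accounts_default.compute}"
+: pair.member == "default-gae"
+? "serviceAccount:${local.service_accounts_default.gae}"
+: try("serviceAccount:${local.service_accounts_robots[pair.member]}", pair.member)
+)
+}
 }
 }
 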
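Review bot: The `try(...)` fallback at the end of the new `member` conditional routes every principal that is not one of the three named shortcodes — including literal `user:`, `group:` and `serviceAccount:` members — through a lookup in `local.service_accounts_robots`, and the commit description together with the `member:` assertions dropped from the test inventories indicate the result is then only known after apply, presumably because that map depends on the project number. The practical cost is that `terraform plan` no longer shows which principal receives `roles/owner` or `roles/editor` for ordinary additive grants, so a plan review cannot catch a wrong member before apply, and a mistyped shortcode (say `container-engin`) is passed through verbatim and only fails at the API instead of at plan time. I would short-circuit members that already carry a type prefix before the robot lookup, i.e. insert `: length(regexall("^[a-zA-Z]+:", pair.member)) > 0 ? pair.member` immediately before the `: try("serviceAccount:${local.service_accounts_robots[pair.member]}", pair.member)` line, which keeps literal principals known at plan time and would let the removed test assertions be restored. Whether the keys of `local.service_accounts_robots` are known at plan time — which would also allow a missing key to fail loudly rather than being swallowed by `try` — depends on its definition outside this hunk; the enclosing `locals` block also starts before the hunk.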
@ -17,17 +17,14 @@ values:
|
||||||
project_id: project-example
|
project_id: project-example
|
||||||
module.project.google_project_iam_member.additive["roles/editor-user:two@example.org"]:
|
module.project.google_project_iam_member.additive["roles/editor-user:two@example.org"]:
|
||||||
condition: []
|
condition: []
|
||||||
member: user:two@example.org
|
|
||||||
project: project-example
|
project: project-example
|
||||||
role: roles/editor
|
role: roles/editor
|
||||||
module.project.google_project_iam_member.additive["roles/owner-user:one@example.org"]:
|
module.project.google_project_iam_member.additive["roles/owner-user:one@example.org"]:
|
||||||
condition: []
|
condition: []
|
||||||
member: user:one@example.org
|
|
||||||
project: project-example
|
project: project-example
|
||||||
role: roles/owner
|
role: roles/owner
|
||||||
module.project.google_project_iam_member.additive["roles/owner-user:two@example.org"]:
|
module.project.google_project_iam_member.additive["roles/owner-user:two@example.org"]:
|
||||||
condition: []
|
condition: []
|
||||||
member: user:two@example.org
|
|
||||||
project: project-example
|
project: project-example
|
||||||
role: roles/owner
|
role: roles/owner
|
||||||
|
|
||||||
|
|
|
@ -16,22 +16,18 @@ values:
|
||||||
module.project.google_project.project[0]: {}
|
module.project.google_project.project[0]: {}
|
||||||
module.project.google_project_iam_member.additive["roles/owner-group:three@example.org"]:
|
module.project.google_project_iam_member.additive["roles/owner-group:three@example.org"]:
|
||||||
condition: []
|
condition: []
|
||||||
member: group:three@example.org
|
|
||||||
project: project-example
|
project: project-example
|
||||||
role: roles/owner
|
role: roles/owner
|
||||||
module.project.google_project_iam_member.additive["roles/storage.objectAdmin-group:two@example.org"]:
|
module.project.google_project_iam_member.additive["roles/storage.objectAdmin-group:two@example.org"]:
|
||||||
condition: []
|
condition: []
|
||||||
member: group:two@example.org
|
|
||||||
project: project-example
|
project: project-example
|
||||||
role: roles/storage.objectAdmin
|
role: roles/storage.objectAdmin
|
||||||
module.project.google_project_iam_member.additive["roles/viewer-group:one@example.org"]:
|
module.project.google_project_iam_member.additive["roles/viewer-group:one@example.org"]:
|
||||||
condition: []
|
condition: []
|
||||||
member: group:one@example.org
|
|
||||||
project: project-example
|
project: project-example
|
||||||
role: roles/viewer
|
role: roles/viewer
|
||||||
module.project.google_project_iam_member.additive["roles/viewer-group:two@xample.org"]:
|
module.project.google_project_iam_member.additive["roles/viewer-group:two@xample.org"]:
|
||||||
condition: []
|
condition: []
|
||||||
member: group:two@xample.org
|
|
||||||
project: project-example
|
project: project-example
|
||||||
role: roles/viewer
|
role: roles/viewer
|
||||||
|
|
||||||
|
|