Merge pull request #533 from GoogleCloudPlatform/ludo/fast-custom-role-names
Allow specifying custom role names
eac11193c1
|
@ -327,22 +327,23 @@ Names used in internal references (e.g. `module.foo-prod.id`) are only used by T
|
||||||
| name | description | type | required | default | producer |
|
| name | description | type | required | default | producer |
|
||||||
|---|---|:---:|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|:---:|
|
||||||
| [billing_account](variables.tf#L17) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | |
|
| [billing_account](variables.tf#L17) | Billing account id and organization id ('nnnnnnnn' or null). | <code title="object({ id = string organization_id = number })">object({…})</code> | ✓ | | |
|
||||||
| [organization](variables.tf#L84) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | |
|
| [organization](variables.tf#L96) | Organization details. | <code title="object({ domain = string id = number customer_id = string })">object({…})</code> | ✓ | | |
|
||||||
| [prefix](variables.tf#L99) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | |
|
| [prefix](variables.tf#L111) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | | |
|
||||||
| [bootstrap_user](variables.tf#L25) | Email of the nominal user running this stage for the first time. | <code>string</code> | | <code>null</code> | |
|
| [bootstrap_user](variables.tf#L25) | Email of the nominal user running this stage for the first time. | <code>string</code> | | <code>null</code> | |
|
||||||
| [groups](variables.tf#L31) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | |
|
| [custom_role_names](variables.tf#L31) | Names of custom roles defined at the org level. | <code title="object({ organization_iam_admin = string service_project_network_admin = string })">object({…})</code> | | <code title="{ organization_iam_admin = "organizationIamAdmin" service_project_network_admin = "serviceProjectNetworkAdmin" }">{…}</code> | |
|
||||||
| [iam](variables.tf#L45) | Organization-level custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> | |
|
| [groups](variables.tf#L43) | Group names to grant organization-level permissions. | <code>map(string)</code> | | <code title="{ gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", gcp-network-admins = "gcp-network-admins" gcp-organization-admins = "gcp-organization-admins" gcp-security-admins = "gcp-security-admins" gcp-support = "gcp-support" }">{…}</code> | |
|
||||||
| [iam_additive](variables.tf#L51) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map(list(string))</code> | | <code>{}</code> | |
|
| [iam](variables.tf#L57) | Organization-level custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||||
| [log_sinks](variables.tf#L59) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> | |
|
| [iam_additive](variables.tf#L63) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | <code>map(list(string))</code> | | <code>{}</code> | |
|
||||||
| [outputs_location](variables.tf#L93) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
| [log_sinks](variables.tf#L71) | Org-level log sinks, in name => {type, filter} format. | <code title="map(object({ filter = string type = string }))">map(object({…}))</code> | | <code title="{ audit-logs = { filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\"" type = "bigquery" } vpc-sc = { filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\"" type = "bigquery" } }">{…}</code> | |
|
||||||
|
| [outputs_location](variables.tf#L105) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | <code>string</code> | | <code>null</code> | |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
| name | description | sensitive | consumers |
|
| name | description | sensitive | consumers |
|
||||||
|---|---|:---:|---|
|
|---|---|:---:|---|
|
||||||
| [billing_dataset](outputs.tf#L85) | BigQuery dataset prepared for billing export. | | |
|
| [billing_dataset](outputs.tf#L89) | BigQuery dataset prepared for billing export. | | |
|
||||||
| [project_ids](outputs.tf#L90) | Projects created by this stage. | | |
|
| [project_ids](outputs.tf#L94) | Projects created by this stage. | | |
|
||||||
| [providers](outputs.tf#L101) | Terraform provider files for this stage and dependent stages. | ✓ | <code>stage-01</code> |
|
| [providers](outputs.tf#L105) | Terraform provider files for this stage and dependent stages. | ✓ | <code>stage-01</code> |
|
||||||
| [tfvars](outputs.tf#L110) | Terraform variable files for the following stages. | ✓ | |
|
| [tfvars](outputs.tf#L114) | Terraform variable files for the following stages. | ✓ | |
|
||||||
|
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
|
@ -73,7 +73,10 @@ resource "google_organization_iam_binding" "billing_org_ext_admin_delegated" {
|
||||||
org_id = var.billing_account.organization_id
|
org_id = var.billing_account.organization_id
|
||||||
# if the billing org does not have our custom role, user the predefined one
|
# if the billing org does not have our custom role, user the predefined one
|
||||||
# role = "roles/resourcemanager.organizationAdmin"
|
# role = "roles/resourcemanager.organizationAdmin"
|
||||||
role = "organizations/${var.billing_account.organization_id}/roles/organizationIamAdmin"
|
role = join("", [
|
||||||
|
"organizations/${var.billing_account.organization_id}/",
|
||||||
|
"roles/${var.custom_role_names.organization_iam_admin}"
|
||||||
|
])
|
||||||
members = [module.automation-tf-resman-sa.iam_email]
|
members = [module.automation-tf-resman-sa.iam_email]
|
||||||
condition {
|
condition {
|
||||||
title = "automation_sa_delegated_grants"
|
title = "automation_sa_delegated_grants"
|
||||||
|
|
|
@ -147,12 +147,12 @@ module "organization" {
|
||||||
iam_additive = local.iam_additive
|
iam_additive = local.iam_additive
|
||||||
custom_roles = {
|
custom_roles = {
|
||||||
# this is needed for use in additive IAM bindings, to avoid conflicts
|
# this is needed for use in additive IAM bindings, to avoid conflicts
|
||||||
"organizationIamAdmin" = [
|
(var.custom_role_names.organization_iam_admin) = [
|
||||||
"resourcemanager.organizations.get",
|
"resourcemanager.organizations.get",
|
||||||
"resourcemanager.organizations.getIamPolicy",
|
"resourcemanager.organizations.getIamPolicy",
|
||||||
"resourcemanager.organizations.setIamPolicy"
|
"resourcemanager.organizations.setIamPolicy"
|
||||||
]
|
]
|
||||||
"serviceProjectNetworkAdmin" = [
|
(var.custom_role_names.service_project_network_admin) = [
|
||||||
"compute.globalOperations.get",
|
"compute.globalOperations.get",
|
||||||
"compute.organizations.disableXpnResource",
|
"compute.organizations.disableXpnResource",
|
||||||
"compute.organizations.enableXpnResource",
|
"compute.organizations.enableXpnResource",
|
||||||
|
@ -182,7 +182,7 @@ module "organization" {
|
||||||
|
|
||||||
resource "google_organization_iam_binding" "org_admin_delegated" {
|
resource "google_organization_iam_binding" "org_admin_delegated" {
|
||||||
org_id = var.organization.id
|
org_id = var.organization.id
|
||||||
role = module.organization.custom_role_id.organizationIamAdmin
|
role = module.organization.custom_role_id[var.custom_role_names.organization_iam_admin]
|
||||||
members = [module.automation-tf-resman-sa.iam_email]
|
members = [module.automation-tf-resman-sa.iam_email]
|
||||||
condition {
|
condition {
|
||||||
title = "automation_sa_delegated_grants"
|
title = "automation_sa_delegated_grants"
|
||||||
|
|
|
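Review bot: The `billing_org_ext_admin_delegated` binding in the first hunk now grants the automation SA a role in `var.billing_account.organization_id` that is identified purely by the name in `var.custom_role_names.organization_iam_admin`, while the permission set behind that name is only managed by this stage for `var.organization.id` (the `custom_roles` block in the second hunk). If the billing organization is a different org, whatever permissions a same-named role carries there are what gets granted, and nothing here checks that they match the three `resourcemanager.organizations.*` permissions defined below; the `condition` that scopes the grant continues outside the hunk. Worth stating at the `join` line, e.g. `# NOTE: when the billing org differs from var.organization.id this role is not managed by this stage; verify its permissions out of band`. The `join("", [...])` would also read as one path rather than two fragments as `format("organizations/%s/roles/%s", var.billing_account.organization_id, var.custom_role_names.organization_iam_admin)`.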
@ -15,6 +15,10 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
|
_custom_roles = {
|
||||||
|
for k, v in var.custom_role_names :
|
||||||
|
k => module.organization.custom_role_id[v]
|
||||||
|
}
|
||||||
providers = {
|
providers = {
|
||||||
"00-bootstrap" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
|
"00-bootstrap" = templatefile("${path.module}/../../assets/templates/providers.tpl", {
|
||||||
bucket = module.automation-tf-bootstrap-gcs.name
|
bucket = module.automation-tf-bootstrap-gcs.name
|
||||||
|
@ -31,14 +35,14 @@ locals {
|
||||||
"01-resman" = jsonencode({
|
"01-resman" = jsonencode({
|
||||||
automation_project_id = module.automation-project.project_id
|
automation_project_id = module.automation-project.project_id
|
||||||
billing_account = var.billing_account
|
billing_account = var.billing_account
|
||||||
custom_roles = module.organization.custom_role_id
|
custom_roles = local._custom_roles
|
||||||
groups = var.groups
|
groups = var.groups
|
||||||
organization = var.organization
|
organization = var.organization
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
})
|
})
|
||||||
"02-networking" = jsonencode({
|
"02-networking" = jsonencode({
|
||||||
billing_account_id = var.billing_account.id
|
billing_account_id = var.billing_account.id
|
||||||
custom_roles = module.organization.custom_role_id
|
custom_roles = local._custom_roles
|
||||||
organization = var.organization
|
organization = var.organization
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
})
|
})
|
||||||
|
|
|
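Review bot: `_custom_roles` in the first hunk re-keys the role ids by the variable's attribute names, which is what lets following stages reference `var.custom_roles.service_project_network_admin` regardless of the configured role name, but the local carries no comment saying so and the leading underscore does not explain it either. Suggest `# key role ids by the stable attribute name so following stages are insulated from the configurable role names` above the `for`. Since this map is what the second hunk writes into the `01-resman` and `02-networking` tfvars, it would also drop any custom role the organization module defines that is not listed in `var.custom_role_names`; if that is intended, a second sentence in the comment saves a future reader from passing `module.organization.custom_role_id` back in. The `locals` block continues outside both hunks.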
@ -28,6 +28,18 @@ variable "bootstrap_user" {
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "custom_role_names" {
|
||||||
|
description = "Names of custom roles defined at the org level."
|
||||||
|
type = object({
|
||||||
|
organization_iam_admin = string
|
||||||
|
service_project_network_admin = string
|
||||||
|
})
|
||||||
|
default = {
|
||||||
|
organization_iam_admin = "organizationIamAdmin"
|
||||||
|
service_project_network_admin = "serviceProjectNetworkAdmin"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
variable "groups" {
|
variable "groups" {
|
||||||
# https://cloud.google.com/docs/enterprise/setup-checklist
|
# https://cloud.google.com/docs/enterprise/setup-checklist
|
||||||
description = "Group names to grant organization-level permissions."
|
description = "Group names to grant organization-level permissions."
|
||||||
|
|
|
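Review bot: `custom_role_names` accepts arbitrary strings and nothing validates them, yet each value is interpolated into an IAM role path (`organizations/<id>/roles/<name>` in the bootstrap binding) and used as a resource map key. Custom role IDs are, as far as I recall, restricted to 3–64 characters of letters, digits, underscores and periods, so a `validation` block fails at plan time instead of at apply and keeps a stray `/` from producing a different resource path. The description should also warn that renaming after the first apply replaces the role and the bindings that reference it, e.g. `description = "Names of custom roles defined at the org level. Changing a name after the first apply replaces the role."`. Roughly:
```hcl
variable "custom_role_names" {
  description = "Names of custom roles defined at the org level. Changing a name after the first apply replaces the role."
  # … unchanged: type and default …
  validation {
    condition = alltrue([
      for v in values(var.custom_role_names) : can(regex("^[a-zA-Z0-9_.]{3,64}$", v))
    ])
    error_message = "Custom role names must be 3 to 64 characters of letters, digits, underscores or periods."
  }
}
```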
@ -40,7 +40,7 @@ module "dev-spoke-project" {
|
||||||
metric_scopes = [module.landing-project.project_id]
|
metric_scopes = [module.landing-project.project_id]
|
||||||
iam = {
|
iam = {
|
||||||
"roles/dns.admin" = [var.project_factory_sa.dev]
|
"roles/dns.admin" = [var.project_factory_sa.dev]
|
||||||
(var.custom_roles.serviceProjectNetworkAdmin) = [
|
(var.custom_roles.service_project_network_admin) = [
|
||||||
var.project_factory_sa.prod
|
var.project_factory_sa.prod
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
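Review bot: In the new `(var.custom_roles.service_project_network_admin)` binding the member is `var.project_factory_sa.prod`, while the `roles/dns.admin` line just above in this dev spoke uses `var.project_factory_sa.dev` and the prod spoke grants both roles to `.prod`. That looks like it may have been copied from `prod-spoke-project` and, if unintended, hands the prod project factory SA Shared VPC attach/detach rights on the dev spoke; if it is deliberate, a one-line comment saying why would stop the next reader from "fixing" it. The change if it is a slip is `var.project_factory_sa.dev`. The `module "dev-spoke-project"` block starts and ends outside the hunk.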
@ -40,7 +40,7 @@ module "prod-spoke-project" {
|
||||||
metric_scopes = [module.landing-project.project_id]
|
metric_scopes = [module.landing-project.project_id]
|
||||||
iam = {
|
iam = {
|
||||||
"roles/dns.admin" = [var.project_factory_sa.prod]
|
"roles/dns.admin" = [var.project_factory_sa.prod]
|
||||||
(var.custom_roles.serviceProjectNetworkAdmin) = [
|
(var.custom_roles.service_project_network_admin) = [
|
||||||
var.project_factory_sa.prod
|
var.project_factory_sa.prod
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|