From f7ef1271492b66b725708446e1c8041b04aa5c74 Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Wed, 28 Sep 2022 15:14:36 +0200
Subject: [PATCH] first commit.
---
 .../data-platform-foundations/07-exposure.tf | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/blueprints/data-solutions/data-platform-foundations/07-exposure.tf b/blueprints/data-solutions/data-platform-foundations/07-exposure.tf
index 030be0b8..8110159d 100644
--- a/blueprints/data-solutions/data-platform-foundations/07-exposure.tf
+++ b/blueprints/data-solutions/data-platform-foundations/07-exposure.tf
@@ -14,10 +14,59 @@
 # tfdoc:file:description common project.
+locals {
+ exp_group_iam = {
+ (local.groups.data-engineers) = [
+ "roles/bigquery.admin",
+ "roles/storage.admin",
+ ],
+ (local.groups.data-analysts) = [
+ "analyticshub.googleapis.com",
+ "roles/bigquery.dataViewer",
+ "roles/bigquery.jobUser",
+ "roles/bigquery.metadataViewer",
+ "roles/bigquery.user",
+ "roles/datacatalog.viewer",
+ "roles/datacatalog.tagTemplateViewer",
+ "roles/storage.objectViewer",
+ ]
+ }
+ exp_iam = {
+ "roles/bigquery.dataOwner" = [
+ module.transf-sa-df-0.iam_email,
+ module.transf-sa-bq-0.iam_email,
+ ]
+ "roles/bigquery.jobUser" = [
+ module.transf-sa-bq-0.iam_email,
+ ]
+ "roles/datacatalog.categoryAdmin" = [
+ module.load-sa-df-0.iam_email
+ ]
+ "roles/storage.objectCreator" = [
+ module.transf-sa-df-0.iam_email,
+ ]
+ "roles/storage.objectViewer" = [
+ module.transf-sa-df-0.iam_email,
+ ]
+ }
+ exp_services = concat(var.project_services, [
+ "bigquery.googleapis.com",
+ "bigqueryreservation.googleapis.com",
+ "bigquerystorage.googleapis.com",
+ "cloudkms.googleapis.com",
+ "pubsub.googleapis.com",
+ "storage.googleapis.com",
+ "storage-component.googleapis.com"
+ ])
+}
+
 module "exp-project" {
 source = "../../../modules/project"
 parent = var.folder_id
 billing_account = var.billing_account_id
 prefix = var.prefix
 name = "exp${local.project_suffix}"
+ group_iam = local.exp_group_iam
+ iam = local.exp_iam
+ services = local.exp_services
 }
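Review bot: In `exp_group_iam`, the data-analysts list contains `"analyticshub.googleapis.com"`, which is a service API name rather than an IAM role, so that binding will most likely be rejected at apply time. If Analytics Hub access is intended, put a role such as `"roles/analyticshub.subscriber"` there and list the API name in `exp_services` instead. Separately, the project-wide `roles/bigquery.admin` and `roles/storage.admin` grants to data-engineers are broad for a project meant to expose data; narrower roles or dataset- and bucket-level bindings would fit least privilege better. A short comment explaining why `load-sa-df-0` needs `roles/datacatalog.categoryAdmin` in this project would also help reviewers confirm it is not a copy-paste from another stage.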