cloud-foundation-fabric/modules/data-catalog-policy-tag
Ludovico Magnocavallo 6941313c7d
Factories refactor (#1843)
* factories refactor doc

* Adds file schema and filesystem organization

* Update 20231106-factories.md

* move factories out of blueprints and create new factories  README

* align factory in billing-account module

* align factory in dataplex-datascan module

* align factory in billing-account module

* align factory in net-firewall-policy module

* align factory in dns-response-policy module

* align factory in net-vpc-firewall module

* align factory in net-vpc module

* align factory variable names in FAST

* remove decentralized firewall blueprint

* bump terraform version

* bump module versions

* update top-level READMEs

* move project factory to modules

* fix variable names and tests

* tfdoc

* remove changelog link

* add project factory to top-level README

* fix cloudrun eventarc diff

* fix README

* fix cloudrun eventarc diff

---------

Co-authored-by: Simone Ruffilli <sruffilli@google.com>
2024-02-26 10:16:52 +00:00
| File | Last commit | Date |
|---|---|---|
| README.md | Extend FAST to support different principal types (#2064) | 2024-02-12 14:35:30 +01:00 |
| iam.tf | Extend FAST to support different principal types (#2064) | 2024-02-12 14:35:30 +01:00 |
| main.tf | More module descriptions (#1572) | 2023-08-06 09:25:45 +00:00 |
| outputs.tf | Ensure all modules have an `id` output (#1410) | 2023-06-02 16:07:22 +02:00 |
| variables-iam.tf | Extend FAST to support different principal types (#2064) | 2024-02-12 14:35:30 +01:00 |
| variables.tf | Extend FAST to support different principal types (#2064) | 2024-02-12 14:35:30 +01:00 |
| versions.tf | Factories refactor (#1843) | 2024-02-26 10:16:52 +00:00 |

README.md

Data Catalog Module

This module simplifies the creation of Data Catalog Policy Tags. Policy Tags can be used to configure BigQuery column-level access.

Note: Data Catalog is still in beta, hence this module currently uses the beta provider.

IAM

IAM is managed via several variables that implement different features and levels of control:

  • iam and iam_by_principals configure authoritative bindings that manage individual roles exclusively, and are internally merged
  • iam_bindings configure authoritative bindings with optional support for conditions, and are not internally merged with the previous two variables
  • iam_bindings_additive configure additive bindings via individual role/member pairs with optional support for conditions

The authoritative and additive approaches can be used together, provided different roles are managed by each. Some care must also be taken with the iam_by_principals variable to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.

Refer to the project module for examples of the IAM interface.
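
The rule above, that authoritative and additive bindings must manage different roles, can be checked before `terraform apply`. The following Python check is an added example, not part of the module; it assumes the module arguments are available as a plain dict (for instance loaded from a tfvars JSON file), and the function names and sample values are constructed for illustration.

```python
# Added example, not part of the module. Applies the README rule that a role
# must not be managed both authoritatively and additively (role-level check).

def authoritative_roles(args):
    """Map each authoritatively managed role to the variables that set it."""
    owners = {}
    # iam: {ROLE => [MEMBERS]}
    for role in args.get("iam", {}):
        owners.setdefault(role, set()).add("iam")
    # iam_by_principals: {PRINCIPAL => [ROLES]}
    for roles in args.get("iam_by_principals", {}).values():
        for role in roles:
            owners.setdefault(role, set()).add("iam_by_principals")
    # iam_bindings: {KEY => {role = ROLE, members = [], ...}}
    for binding in args.get("iam_bindings", {}).values():
        owners.setdefault(binding["role"], set()).add("iam_bindings")
    return owners


def lint_iam(args):
    """Return (additive_key, role, authoritative_vars) for each overlap."""
    owners = authoritative_roles(args)
    findings = []
    for key, binding in sorted(args.get("iam_bindings_additive", {}).items()):
        role = binding["role"]
        if role in owners:
            findings.append((key, role, sorted(owners[role])))
    return findings


# Constructed module arguments (assumption: parsed from a tfvars JSON file).
SAMPLE = {
    "iam": {"roles/datacatalog.categoryAdmin": ["group:admins@example.com"]},
    "iam_by_principals": {
        "group:readers@example.com": ["roles/datacatalog.categoryFineGrainedReader"],
    },
    "iam_bindings_additive": {
        "extra-admin": {"member": "user:a@example.com",
                        "role": "roles/datacatalog.categoryAdmin"},
        "viewer": {"member": "user:b@example.com",
                   "role": "roles/datacatalog.viewer"},
    },
}

if __name__ == "__main__":
    for key, role, sources in lint_iam(SAMPLE):
        print(f"iam_bindings_additive[{key}]: {role} is also set in {sources}")
```

An empty result means no role is claimed by both an authoritative variable and `iam_bindings_additive`.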

Examples

Simple Taxonomy with policy tags

module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags = {
    low    = {}
    medium = {}
    high   = {}
  }
}
# tftest modules=1 resources=4

Taxonomy with IAM binding

module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags = {
    low    = {}
    medium = {}
    high = {
      iam = {
        "roles/datacatalog.categoryFineGrainedReader" = [
          "group:GROUP_NAME@example.com"
        ]
      }
    }
  }
  iam = {
    "roles/datacatalog.categoryAdmin" = ["group:GROUP_NAME@example.com"]
  }
  iam_bindings_additive = {
    am1-admin = {
      member = "user:am1@example.com"
      role   = "roles/datacatalog.categoryAdmin"
    }
  }
}
# tftest modules=1 resources=7

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| name | Name of this taxonomy. | string | ✓ | |
| project_id | GCP project id. | string | ✓ | |
| activated_policy_types | A list of policy types that are activated for this taxonomy. | list(string) | | ["FINE_GRAINED_ACCESS_CONTROL"] |
| description | Description of this taxonomy. | string | | "Taxonomy - Terraform managed" |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} |
| iam_bindings_additive | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
| iam_by_principals | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. | map(list(string)) | | {} |
| location | Data Catalog Taxonomy location. | string | | "eu" |
| prefix | Optional prefix used to generate project id and name. | string | | null |
| tags | List of Data Catalog Policy tags to be created with optional IAM binding configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {} |

Outputs

| name | description | sensitive |
|---|---|---|
| id | Fully qualified taxonomy id. | |
| tags | Policy Tags. | |

TODO

  • Support IAM at tag level.
  • Support Child policy tags