6941313c7d
* factories refactor doc * Adds file schema and filesystem organization * Update 20231106-factories.md * move factories out of blueprints and create new factories README * align factory in billing-account module * align factory in dataplex-datascan module * align factory in billing-account module * align factory in net-firewall-policy module * align factory in dns-response-policy module * align factory in net-vpc-firewall module * align factory in net-vpc module * align factory variable names in FAST * remove decentralized firewall blueprint * bump terraform version * bump module versions * update top-level READMEs * move project factory to modules * fix variable names and tests * tfdoc * remove changelog link * add project factory to top-level README * fix cludrun eventarc diff * fix README * fix cludrun eventarc diff --------- Co-authored-by: Simone Ruffilli <sruffilli@google.com> |
||
---|---|---|
.. | ||
README.md | ||
iam.tf | ||
main.tf | ||
outputs.tf | ||
variables-iam.tf | ||
variables.tf | ||
versions.tf |
README.md
Data Catalog Module
This module simplifies the creation of Data Catalog Policy Tags. Policy Tags can be used to configure Bigquery column-level access.
Note: Data Catalog is still in beta, hence this module currently uses the beta provider.
IAM
IAM is managed via several variables that implement different features and levels of control:
iam
andiam_by_principals
configure authoritative bindings that manage individual roles exclusively, and are internally mergediam_bindings
configure authoritative bindings with optional support for conditions, and are not internally merged with the previous two variablesiam_bindings_additive
configure additive bindings via individual role/member pairs with optional support conditions
The authoritative and additive approaches can be used together, provided different roles are managed by each. Some care must also be taken with the iam_by_principals
variable to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
Refer to the project module for examples of the IAM interface.
Examples
Simple Taxonomy with policy tags
module "cmn-dc" {
source = "./fabric/modules/data-catalog-policy-tag"
name = "my-datacatalog-policy-tags"
project_id = "my-project"
tags = {
low = {}
medium = {}
high = {}
}
}
# tftest modules=1 resources=4
Taxonomy with IAM binding
module "cmn-dc" {
source = "./fabric/modules/data-catalog-policy-tag"
name = "my-datacatalog-policy-tags"
project_id = "my-project"
tags = {
low = {}
medium = {}
high = {
iam = {
"roles/datacatalog.categoryFineGrainedReader" = [
"group:GROUP_NAME@example.com"
]
}
}
}
iam = {
"roles/datacatalog.categoryAdmin" = ["group:GROUP_NAME@example.com"]
}
iam_bindings_additive = {
am1-admin = {
member = "user:am1@example.com"
role = "roles/datacatalog.categoryAdmin"
}
}
}
# tftest modules=1 resources=7
Variables
name | description | type | required | default |
---|---|---|---|---|
name | Name of this taxonomy. | string |
✓ | |
project_id | GCP project id. | string |
✓ | |
activated_policy_types | A list of policy types that are activated for this taxonomy. | list(string) |
["FINE_GRAINED_ACCESS_CONTROL"] |
|
description | Description of this taxonomy. | string |
"Taxonomy - Terraform managed" |
|
iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) |
{} |
|
iam_bindings_additive | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) |
{} |
|
iam_by_principals | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. |
map(list(string)) |
{} |
|
location | Data Catalog Taxonomy location. | string |
"eu" |
|
prefix | Optional prefix used to generate project id and name. | string |
null |
|
tags | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) |
{} |
Outputs
name | description | sensitive |
---|---|---|
id | Fully qualified taxonomy id. | |
tags | Policy Tags. |
TODO
- Support IAM at tag level.
- Support Child policy tags