71a64487d5
* add doc draft * typos * typo * typo * typos * rewording * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * move iam variables to a separate file * move billing-account module to iam_principals * move data-catalog-policy-tag module to iam_principals * move dataplex-datascan module to iam_principals * move dataproc module to iam_principals * move folder module to iam_principals * copyright * move organization module to iam_principals * move project module to iam_principals * move source-repository module to iam_principals * update blueprints for iam_principals interface * FAST bootstrap * module READMEs fixes * FAST bootstrap * FAST networking stages * FAST security stage * FAST gke stage * FAST multitenant bootstrap stage * FAST multitenant resman stage * tfdoc * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Update 0-domainless-iam.md * fix module test * Update 0-domainless-iam.md * Update 0-domainless-iam.md * Rename iam_principals to iam_by_principals * Update IAM template to include iam_by_principals * Update Resman README * Fix ADR link format --------- Co-authored-by: Julio Castillo <jccb@google.com> |
||
---|---|---|
.. | ||
README.md | ||
iam.tf | ||
main.tf | ||
outputs.tf | ||
variables-iam.tf | ||
variables.tf | ||
versions.tf |
README.md
Data Catalog Module
This module simplifies the creation of Data Catalog Policy Tags. Policy Tags can be used to configure Bigquery column-level access.
Note: Data Catalog is still in beta, hence this module currently uses the beta provider.
IAM
IAM is managed via several variables that implement different features and levels of control:
iam
andiam_by_principals
configure authoritative bindings that manage individual roles exclusively, and are internally mergediam_bindings
configure authoritative bindings with optional support for conditions, and are not internally merged with the previous two variablesiam_bindings_additive
configure additive bindings via individual role/member pairs with optional support conditions
The authoritative and additive approaches can be used together, provided different roles are managed by each. Some care must also be taken with the iam_by_principals
variable to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
Refer to the project module for examples of the IAM interface.
Examples
Simple Taxonomy with policy tags
module "cmn-dc" {
source = "./fabric/modules/data-catalog-policy-tag"
name = "my-datacatalog-policy-tags"
project_id = "my-project"
tags = {
low = {}
medium = {}
high = {}
}
}
# tftest modules=1 resources=4
Taxonomy with IAM binding
module "cmn-dc" {
source = "./fabric/modules/data-catalog-policy-tag"
name = "my-datacatalog-policy-tags"
project_id = "my-project"
tags = {
low = {}
medium = {}
high = {
iam = {
"roles/datacatalog.categoryFineGrainedReader" = [
"group:GROUP_NAME@example.com"
]
}
}
}
iam = {
"roles/datacatalog.categoryAdmin" = ["group:GROUP_NAME@example.com"]
}
iam_bindings_additive = {
am1-admin = {
member = "user:am1@example.com"
role = "roles/datacatalog.categoryAdmin"
}
}
}
# tftest modules=1 resources=7
Variables
name | description | type | required | default |
---|---|---|---|---|
name | Name of this taxonomy. | string |
✓ | |
project_id | GCP project id. | string |
✓ | |
activated_policy_types | A list of policy types that are activated for this taxonomy. | list(string) |
["FINE_GRAINED_ACCESS_CONTROL"] |
|
description | Description of this taxonomy. | string |
"Taxonomy - Terraform managed" |
|
iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) |
{} |
|
iam_bindings_additive | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) |
{} |
|
iam_by_principals | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. |
map(list(string)) |
{} |
|
location | Data Catalog Taxonomy location. | string |
"eu" |
|
prefix | Optional prefix used to generate project id and name. | string |
null |
|
tags | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) |
{} |
Outputs
name | description | sensitive |
---|---|---|
id | Fully qualified taxonomy id. | |
tags | Policy Tags. |
TODO
- Support IAM at tag level.
- Support Child policy tags