# Delegated Role Grants

This example shows how to implement [delegated role grants](https://cloud.google.com/iam/docs/setting-limits-on-granting-roles) in GCP: the identities listed in `project_administrators` receive a small set of roles directly (`direct_role_grants`) plus the ability to grant and revoke only the roles listed in `delegated_role_grants`, so they can manage IAM for a project without being able to hand out arbitrary roles.

## Running the example

Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=cloud-operations%2Fdelegated-role-grants), then go through the following steps to create resources:

- `terraform init`
- `terraform apply -var project_id=my-project-id -var 'project_administrators=["user:project-admin@example.com"]'`

Once done testing, you can clean up resources by running `terraform destroy`.

## Auditing Roles

This example includes a Python script (`audit.py`) that audits a list of roles to ensure none of them grants a `setIamPolicy` permission at the project, folder or organization level. This matters because a project administrator who is allowed to grant such a role can grant it to themselves and bypass the delegation limits entirely. To audit all the GA predefined compute roles, run it like this:

```bash
pip3 install -r requirements.txt
gcloud iam roles list --filter="name:roles/compute. stage=GA" --format="get(name)" > roles.txt
python3 audit.py roles.txt
```

If you get any warnings, review the roles you are delegating and remove any of them that grant any of the following permissions:

- `resourcemanager.projects.setIamPolicy`
- `resourcemanager.folders.setIamPolicy`
- `resourcemanager.organizations.setIamPolicy`
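
The check the audit performs, written out as an added example (this is not the project's own `audit.py`): given role names and their `includedPermissions`, as returned by `gcloud iam roles describe ROLE --format=json`, it flags any role carrying one of the three `setIamPolicy` permissions. It also shows the shape of the IAM condition from the GCP documentation linked above that confines the delegated roles, so the audited list and the grant use the same set. The function names, the `SAMPLE_ROLES` data and the exit-code convention are assumptions made for the example; the gcloud command is real.

```python
"""Audit candidate roles for IAM-policy-editing permissions before delegating them.

Added example for this README, not the project's own audit.py. The gcloud
command it shells out to is real; function names and SAMPLE_ROLES are
constructed for the example.
"""
from __future__ import annotations

import json
import subprocess
import sys
from typing import Iterable

# Any role containing one of these lets its holder rewrite the IAM policy of a
# project, folder or organization. If such a role is in the delegated list, a
# project administrator can grant it to themselves and escape the limits.
FORBIDDEN_PERMISSIONS = frozenset({
    "resourcemanager.projects.setIamPolicy",
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.organizations.setIamPolicy",
})


def risky_permissions(included_permissions: Iterable[str]) -> set[str]:
    """Return the forbidden permissions present in a role's permission list."""
    return set(FORBIDDEN_PERMISSIONS.intersection(included_permissions))


def audit_roles(roles: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map each offending role name to the forbidden permissions it grants.

    Roles without findings are omitted, so an empty dict means the list is safe.
    """
    findings: dict[str, set[str]] = {}
    for name, permissions in roles.items():
        hits = risky_permissions(permissions)
        if hits:
            findings[name] = hits
    return findings


def describe_role(name: str) -> list[str]:
    """Fetch a role's includedPermissions via gcloud (needs an authenticated gcloud)."""
    result = subprocess.run(
        ["gcloud", "iam", "roles", "describe", name, "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout).get("includedPermissions", [])


def delegation_condition(delegated_roles: Iterable[str]) -> dict[str, str]:
    """Build the IAM condition that restricts which roles may be granted/revoked.

    Follows the CEL form from the GCP documentation on limiting role grants; the
    Terraform in this example may express the same binding differently.
    """
    role_list = ", ".join(f"'{role}'" for role in sorted(set(delegated_roles)))
    return {
        "title": "delegated_role_grants",
        "description": "Only the listed roles may be granted or revoked.",
        "expression": (
            "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', [])"
            f".hasOnly([{role_list}])"
        ),
    }


# Constructed, abbreviated role -> includedPermissions sample for offline use.
SAMPLE_ROLES: dict[str, list[str]] = {
    "roles/compute.admin": ["compute.instances.create", "compute.instances.delete"],
    "roles/storage.admin": ["storage.buckets.create", "storage.objects.get"],
    "roles/owner": ["resourcemanager.projects.setIamPolicy", "compute.instances.create"],
    "roles/resourcemanager.folderAdmin": ["resourcemanager.folders.setIamPolicy"],
}


def main(argv: list[str]) -> int:
    """Read role names from a file (one per line, as in roles.txt) and audit them."""
    with open(argv[1], encoding="utf-8") as handle:
        names = [line.strip() for line in handle if line.strip()]
    findings = audit_roles({name: describe_role(name) for name in names})
    for name, perms in sorted(findings.items()):
        print(f"WARNING: {name} grants {', '.join(sorted(perms))}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against `SAMPLE_ROLES`, the audit flags `roles/owner` and `roles/resourcemanager.folderAdmin` and leaves the compute and storage roles alone; only roles that pass the audit belong in the `hasOnly([...])` list of the condition.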

<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| project_administrators | List of identities granted administrator permissions. | <code title="list(string)">list(string)</code> | ✓ | |
| project_id | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | <code title="">string</code> | ✓ | |
| *delegated_role_grants* | List of roles that project administrators will be allowed to grant/revoke. | <code title="list(string)">list(string)</code> | | <code title="[ "roles/storage.admin", "roles/storage.hmacKeyAdmin", "roles/storage.legacyBucketOwner", "roles/storage.objectAdmin", "roles/storage.objectCreator", "roles/storage.objectViewer", "roles/compute.admin", "roles/compute.imageUser", "roles/compute.instanceAdmin", "roles/compute.instanceAdmin.v1", "roles/compute.networkAdmin", "roles/compute.networkUser", "roles/compute.networkViewer", "roles/compute.orgFirewallPolicyAdmin", "roles/compute.orgFirewallPolicyUser", "roles/compute.orgSecurityPolicyAdmin", "roles/compute.orgSecurityPolicyUser", "roles/compute.orgSecurityResourceAdmin", "roles/compute.osAdminLogin", "roles/compute.osLogin", "roles/compute.osLoginExternalUser", "roles/compute.packetMirroringAdmin", "roles/compute.packetMirroringUser", "roles/compute.publicIpAdmin", "roles/compute.securityAdmin", "roles/compute.serviceAgent", "roles/compute.storageAdmin", "roles/compute.viewer", "roles/viewer" ]">...</code> |
| *direct_role_grants* | List of roles granted directly to project administrators. | <code title="list(string)">list(string)</code> | | <code title="[ "roles/compute.admin", "roles/storage.admin", ]">...</code> |
| *project_create* | Create project instead of using an existing one. | <code title="">bool</code> | | <code title="">false</code> |

## Outputs

<!-- END TFDOC -->