History

Ludovico Magnocavallo 819894d2ba IAM interface refactor (#1595 ) * IAM modules refactor proposal * policy * subheading * Update 20230816-iam-refactor.md * log Julio's +1 * data-catalog-policy-tag * dataproc * dataproc * folder * folder * folder * folder * project * better filtering in test examples * project * folder * folder * organization * fix variable descriptions * kms * net-vpc * dataplex-datascan * modules/iam-service-account * modules/source-repository/ * blueprints/cloud-operations/vm-migration/ * blueprints/third-party-solutions/wordpress * dataplex-datascan * blueprints/cloud-operations/workload-identity-federation * blueprints/data-solutions/cloudsql-multiregion/ * blueprints/data-solutions/composer-2 * Update 20230816-iam-refactor.md * Update 20230816-iam-refactor.md * capture discussion in architectural doc * update variable names and refactor proposal * project * blueprints first round * folder * organization * data-catalog-policy-tag * re-enable folder inventory * project module style fix * dataproc * source-repository * source-repository tests * dataplex-datascan * dataplex-datascan tests * net-vpc * net-vpc test examples * iam-service-account * iam-service-account test examples * kms * boilerplate * tfdoc * fix module tests * more blueprint fixes * fix typo in data blueprints * incomplete refactor of data platform foundations * tfdoc * data platform foundation * refactor data platform foundation iam locals * remove redundant example test * shielded folder fix * fix typo * project factory * project factory outputs * tfdoc * test workflow: less verbose tests, fix tf version * re-enable -vv, shorter traceback, fix action version * ignore github extension warning, re-enable action version * fast bootstrap IAM, untested * bootstrap stage IAM fixes * stage 0 tests * fast stage 1 * tenant stage 1 * minor changes to fast stage 0 and 1 * fast security stage * fast mt stage 0 * fast mt stage 0 * fast pf		2023-08-20 09:44:20 +02:00
..
README.md	IAM interface refactor (#1595 )	2023-08-20 09:44:20 +02:00
iam.tf	IAM interface refactor (#1595 )	2023-08-20 09:44:20 +02:00
main.tf	More module descriptions (#1572 )	2023-08-06 09:25:45 +00:00
outputs.tf	Ensure all modules have an `id` output (#1410 )	2023-06-02 16:07:22 +02:00
variables.tf	IAM interface refactor (#1595 )	2023-08-20 09:44:20 +02:00
versions.tf	Moved allow_net_admin to enable_features flag. Bumped provider version to 4.76	2023-08-07 14:27:20 +01:00

README.md

Data Catalog Module

This module simplifies the creation of Data Catalog Policy Tags. Policy Tags can be used to configure Bigquery column-level access.

Note: Data Catalog is still in beta, hence this module currently uses the beta provider.

IAM
Examples
- Simple Taxonomy with policy tags
- Taxonomy with IAM binding
Variables
Outputs
TODO

IAM

IAM is managed via several variables that implement different features and levels of control:

iam and group_iam configure authoritative bindings that manage individual roles exclusively, and are internally merged
iam_bindings configure authoritative bindings with optional support for conditions, and are not internally merged with the previous two variables
iam_bindings_additive configure additive bindings via individual role/member pairs with optional support conditions

The authoritative and additive approaches can be used together, provided different roles are managed by each. Some care must also be taken with the groups_iam variable to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.

Refer to the project module for examples of the IAM interface.

Examples

Simple Taxonomy with policy tags

module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags = {
    low    = {}
    medium = {}
    high   = {}
  }
}
# tftest modules=1 resources=4

Taxonomy with IAM binding

module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags = {
    low    = {}
    medium = {}
    high = {
      iam = {
        "roles/datacatalog.categoryFineGrainedReader" = [
          "group:GROUP_NAME@example.com"
        ]
      }
    }
  }
  iam = {
    "roles/datacatalog.categoryAdmin" = ["group:GROUP_NAME@example.com"]
  }
  iam_bindings_additive = {
    am1-admin = {
      member = "user:am1@example.com"
      role   = "roles/datacatalog.categoryAdmin"
    }
  }
}
# tftest modules=1 resources=7

Variables

name	description	type	required	default
name	Name of this taxonomy.	`string`	✓
project_id	GCP project id.		✓
activated_policy_types	A list of policy types that are activated for this taxonomy.	`list(string)`		`["FINE_GRAINED_ACCESS_CONTROL"]`
description	Description of this taxonomy.	`string`		`"Taxonomy - Terraform managed"`
group_iam	Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable.	`map(list(string))`		`{}`
iam	IAM bindings in {ROLE => [MEMBERS]} format.	`map(list(string))`		`{}`
iam_bindings	Authoritative IAM bindings in {ROLE => {members = [], condition = {}}}.	`map(object({…}))`		`{}`
iam_bindings_additive	Individual additive IAM bindings. Keys are arbitrary.	`map(object({…}))`		`{}`
location	Data Catalog Taxonomy location.	`string`		`"eu"`
prefix	Optional prefix used to generate project id and name.	`string`		`null`
tags	List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format.	`map(object({…}))`		`{}`

Outputs

name	description	sensitive
id	Fully qualified taxonomy id.
tags	Policy Tags.

TODO

Support IAM at tag level.
Support Child policy tags