Swap groups_iam/iam_group for iam_by_principals in bootstrap README (#…
robrankin authored Nov 13, 2024
1 parent b41fc41 commit 47057b6
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions fast/stages/0-bootstrap/README.md
@@ -468,10 +468,10 @@ One other area where we directly support customizations is IAM. The code here, a

In code, the distinction above reflects on how IAM bindings are specified in the underlying module variables:

- group roles "for humans" always use `iam_groups` variables
- group roles "for humans" always use `iam_by_principals` variables
- service account roles always use `iam` variables

This makes it easy to tweak user roles by adding mappings to the `iam_groups` variables of the relevant resources, without having to understand and deal with the details of service account roles.
This makes it easy to tweak user roles by adding mappings to the `iam_by_principals` variables of the relevant resources, without having to understand and deal with the details of service account roles.

One more critical difference in IAM bindings is between authoritative and additive:

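Review bot: the two changed lines swap `iam_groups` for `iam_by_principals` but keep the surrounding wording unchanged, so the bullet still reads `group roles "for humans" always use `iam_by_principals` variables` and the paragraph still talks about tweaking "user roles"; the new name no longer says anything about groups, so a reader cannot tell from this section whether the variable is still groups-only or now accepts other principal types, and if it is the latter the bullet should say so (and the "for humans" / "service account" split on the two bullets should be reworded accordingly). Also worth a check: the commit message names the old variables `groups_iam/iam_group`, while this hunk removes `iam_groups` and the next one removes `group_iam`; make sure the identifiers in the message and in the docs match what the modules actually expose.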
@@ -482,7 +482,7 @@ This stage groups all IAM definitions in the [organization-iam.tf](./organizatio

When customizations are needed, three stage-level variables allow injecting additional bindings to match the desired setup:

- `group_iam` allows adding authoritative bindings for groups
- `iam_by_principals` allows adding authoritative bindings for groups
- `iam` allows adding authoritative bindings for any type of supported principal, and is merged with the internal `iam` local and then with group bindings at the module level
- `iam_bindings_additive` allows adding individual role/member pairs, and also supports IAM conditions

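Review bot: with `group_iam` renamed to `iam_by_principals` the description on the changed line still says "allows adding authoritative bindings for groups", while the very next bullet says `iam` "allows adding authoritative bindings for any type of supported principal"; since both variables are now described as authoritative and the new name suggests arbitrary principals, the text no longer explains what distinguishes the two (which principals each accepts, or that one is keyed by principal and the other by role), so please state that difference here. The `iam` bullet also still says it is merged "then with group bindings at the module level", wording that referred to the old `group_iam` variable; update it to name `iam_by_principals` explicitly so the merge order is unambiguous after the rename.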
