
Add wif permissions to bootstrap tf SA (#2290)
* add wif permissions to bootstrap tf SA
simonebruzzechesse authored May 20, 2024
1 parent 98126f2 commit 79af34b
Showing 3 changed files with 22 additions and 5 deletions.
2 changes: 2 additions & 0 deletions fast/stages/0-bootstrap/organization-iam.tf
Expand Up @@ -108,6 +108,7 @@ locals {
additive = concat(
[
"roles/iam.organizationRoleAdmin",
"roles/iam.workforcePoolAdmin",
"roles/orgpolicy.policyAdmin"
],
local.billing_mode != "org" ? [] : [
Expand All @@ -126,6 +127,7 @@ locals {
[
# the organizationAdminViewer custom role is granted via the SA module
"roles/iam.organizationRoleViewer",
"roles/iam.workforcePoolViewer",
"roles/orgpolicy.policyViewer"
],
local.billing_mode != "org" ? [] : [
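Review bot: The new `"roles/iam.workforcePoolAdmin"` entry in the first hunk is added without a comment saying which stage or resource needs it, whereas the neighbouring `organizationRoleViewer` entry in the second hunk carries one; the same applies to the `"roles/iam.workforcePoolViewer"` line added there. Workforce pool admin at organization scope allows creating and reconfiguring the pools and providers through which external identities are federated into the whole organization, so a reader auditing the bootstrap service account's additive roles needs the rationale on the line, e.g. `# needed to manage workforce identity federation pools and providers from the bootstrap stage`. Note also that these are the organization-level workforce pool roles rather than the project-scoped workload identity pool roles, and the commit message's "wif" does not make that distinction. The enclosing `locals` block starts and ends outside both hunks.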
20 changes: 18 additions & 2 deletions tests/fast/stages/s0_bootstrap/checklist.yaml
Expand Up @@ -92,6 +92,12 @@ values:
- group:[email protected]
org_id: '123456789012'
role: roles/iam.securityReviewer
module.organization.google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]:
condition: [ ]
members:
- group:[email protected]
org_id: '123456789012'
role: roles/iam.workforcePoolAdmin
module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
condition: []
members:
Expand Down Expand Up @@ -295,6 +301,16 @@ values:
member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
org_id: '123456789012'
role: roles/iam.organizationRoleViewer
? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
: condition: [ ]
member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
org_id: '123456789012'
role: roles/iam.workforcePoolAdmin
? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
: condition: [ ]
member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
org_id: '123456789012'
role: roles/iam.workforcePoolViewer
? module.organization.google_organization_iam_member.bindings["roles/logging.configWriter-group:[email protected]"]
: condition: []
member: group:[email protected]
Expand Down Expand Up @@ -366,7 +382,7 @@ counts:
google_org_policy_policy: 22
google_organization_iam_binding: 28
google_organization_iam_custom_role: 7
google_organization_iam_member: 36
google_organization_iam_member: 38
google_project: 3
google_project_iam_audit_config: 1
google_project_iam_binding: 19
Expand All @@ -383,4 +399,4 @@ counts:
google_tags_tag_key: 1
google_tags_tag_value: 1
modules: 18
resources: 205
resources: 207
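Review bot: The three new entries write the empty condition as `condition: [ ]` while every existing entry in the same file uses `condition: []`; both parse identically, but the fixture is otherwise uniform, so the new lines should read `condition: []`. The first hunk also expects a new authoritative `roles/iam.workforcePoolAdmin` binding for the `gcp-organization-admins` group, which does not correspond to anything visible in the organization-iam.tf hunks; presumably the same role list feeds both the group and the service account grants, but it is worth confirming that widening the admins group to workforce pool administration is intended rather than a side effect.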
5 changes: 2 additions & 3 deletions tests/fast/stages/s0_bootstrap/simple.yaml
Expand Up @@ -35,7 +35,6 @@ values:
- group:[email protected]
org_id: '123456789012'
role: roles/monitoring.viewer
counts:
counts:
google_bigquery_dataset: 1
google_bigquery_default_service_account: 3
Expand All @@ -46,7 +45,7 @@ counts:
google_org_policy_policy: 22
google_organization_iam_binding: 28
google_organization_iam_custom_role: 7
google_organization_iam_member: 23
google_organization_iam_member: 25
google_project: 3
google_project_iam_audit_config: 1
google_project_iam_binding: 19
Expand All @@ -64,7 +63,7 @@ counts:
google_tags_tag_value: 1
local_file: 8
modules: 17
resources: 197
resources: 199

outputs:
custom_roles:
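Review bot: The first hunk drops a duplicated `counts:` mapping key, which is a fixture repair unrelated to the workforce pool roles and is not mentioned in the commit message, whose only bullet describes the permission change. A second bullet such as `* remove duplicated counts key in s0_bootstrap simple.yaml` would keep the history searchable for anyone later tracing why the fixture changed shape. The count updates in the remaining two hunks follow from the two added IAM members and need no comment.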

0 comments on commit 79af34b
