Skip to content

Commit

Permalink
Merge pull request #1908 from GoogleCloudPlatform/wiktorn_project_iam…
Browse files Browse the repository at this point in the history
…_subnet_readme

README fixes for #1907
  • Loading branch information
wiktorn authored Dec 7, 2023
2 parents e4c55bc + 84a15c4 commit 861df24
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion modules/project/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -232,13 +232,14 @@ The module allows managing Shared VPC status for both hosts and service projects

Project service association for VPC host projects can be

- autoritatively managed in the host project by enabling Shared VPC and specifying the set of service projects, or
- authoritatively managed in the host project by enabling Shared VPC and specifying the set of service projects, or
- additively managed in service projects by by enabling Shared VPC in the host project and then "attaching" each service project independently

IAM bindings in the host project for API service identities can be managed from service projects in two different ways:

- via the `service_identity_iam` attribute, by specifying the set of roles and service agents
- via the `service_iam_grants` attribute that leverages a [fixed list of roles for each service](./sharedvpc-agent-iam.yaml), by specifying a list of services
- via the `service_identity_subnet_iam` attribute, by providing a map of `"<region>/<subnet_name>"` -> `[ "<service_identity>", (...)]`, to grant `compute.networkUser` role on subnet level to service identity

While the first method is more explicit and readable, the second method is simpler and less error prone as all appropriate roles are predefined for all required service agents (eg compute and cloud services). You can mix and match as the two sets of bindings are then internally combined.

Expand Down Expand Up @@ -318,6 +319,8 @@ module "service-project" {

In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module.

In this example, Compute service identity will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region.

```hcl
module "host-project" {
source = "./fabric/modules/project"
Expand Down

0 comments on commit 861df24

Please sign in to comment.