Allows groups from other orgs

GoogleCloudPlatform · May 17, 2023 · b108838 · b108838
1 parent 3cc6c71
commit b108838
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 6 deletions.
diff --git a/fast/stages-multitenant/0-bootstrap-tenant/main.tf b/fast/stages-multitenant/0-bootstrap-tenant/main.tf
@@ -22,7 +22,7 @@ locals {
   )
   groups = {
     for k, v in var.tenant_config.groups :
-    k => v == null ? null : "${v}@${var.organization.domain}"
+    k => v == null ? null : can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"
   }
   fast_features = {
     for k, v in var.tenant_config.fast_features :

diff --git a/fast/stages-multitenant/1-resman-tenant/main.tf b/fast/stages-multitenant/1-resman-tenant/main.tf
@@ -71,7 +71,7 @@ locals {
   )
   groups = {
     for k, v in var.groups :
-    k => v == null ? null : "${v}@${var.organization.domain}"
+    k => v == null ? null : can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"
   }
   groups_iam = {
     for k, v in local.groups : k => v != null ? "group:${v}" : null

diff --git a/fast/stages/0-bootstrap/main.tf b/fast/stages/0-bootstrap/main.tf
@@ -22,7 +22,7 @@ locals {
   )
   groups = {
     for k, v in var.groups :
-    k => "${v}@${var.organization.domain}"
+    k => can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"
   }
   groups_iam = {
     for k, v in local.groups :

diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
@@ -119,7 +119,7 @@ variable "federated_identity_providers" {
 
 variable "groups" {
   # https://cloud.google.com/docs/enterprise/setup-checklist
-  description = "Group names to grant organization-level permissions."
+  description = "Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed."
   type        = map(string)
   default = {
     gcp-billing-admins      = "gcp-billing-admins",

diff --git a/fast/stages/1-resman/main.tf b/fast/stages/1-resman/main.tf
@@ -69,7 +69,7 @@ locals {
   )
   groups = {
     for k, v in var.groups :
-    k => "${v}@${var.organization.domain}"
+    k => can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"
   }
   groups_iam = {
     for k, v in local.groups : k => v != null ? "group:${v}" : null

diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
@@ -160,7 +160,7 @@ variable "fast_features" {
 variable "groups" {
   # tfdoc:variable:source 0-bootstrap
   # https://cloud.google.com/docs/enterprise/setup-checklist
-  description = "Group names to grant organization-level permissions."
+  description = "Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed."
   type = object({
     gcp-devops          = optional(string)
     gcp-network-admins  = optional(string)