diff --git a/fast/stages-multitenant/0-bootstrap-tenant/main.tf b/fast/stages-multitenant/0-bootstrap-tenant/main.tf
index 3a1505949f..e4ca74afc8 100644
--- a/fast/stages-multitenant/0-bootstrap-tenant/main.tf
+++ b/fast/stages-multitenant/0-bootstrap-tenant/main.tf
@@ -22,7 +22,7 @@ locals {
)
groups = {
for k, v in var.tenant_config.groups :
- k => v == null ? null : "${v}@${var.organization.domain}"
+ k => v == null ? null : can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"
}
fast_features = {
for k, v in var.tenant_config.fast_features :
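Review bot: The new guard on L10 is unanchored, so `.*@.*` only means "contains an @": a value such as `admins@` or `@example.com` is passed through verbatim and becomes the organization-level principal `group:admins@`, which is caught at apply time by the API at best rather than at plan time. `can(regex("@", v))` expresses the same test more plainly; if the intent is to accept only a complete address, an anchored pattern such as `can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", v))` rejects the malformed forms here instead. The same expression is introduced at L23, L65 and L124, so whichever form is chosen should be applied in all four places. Because a value containing `@` now receives org-level roles without being tied to `var.organization.domain`, a one-line comment above the `for` would make that deliberate for tfvars reviewers: `# values containing "@" are used verbatim, so groups outside the org domain can be granted org-level roles`.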
diff --git a/fast/stages-multitenant/1-resman-tenant/main.tf b/fast/stages-multitenant/1-resman-tenant/main.tf
index 76c046396b..eb29fe4239 100644
--- a/fast/stages-multitenant/1-resman-tenant/main.tf
+++ b/fast/stages-multitenant/1-resman-tenant/main.tf
@@ -71,7 +71,7 @@ locals {
)
groups = {
for k, v in var.groups :
- k => v == null ? null : "${v}@${var.organization.domain}"
+ k => v == null ? null : can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"
}
groups_iam = {
for k, v in local.groups : k => v != null ? "group:${v}" : null
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 2c7a8657a6..5a75e43d51 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -509,7 +509,7 @@ The remaining configuration is manual, as it regards the repositories themselves
| [custom_role_names](variables.tf#L79) | Names of custom roles defined at the org level. | object({…})
| | {…}
| |
| [fast_features](variables.tf#L93) | Selective control for top-level FAST features. | object({…})
| | {}
| |
| [federated_identity_providers](variables.tf#L106) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…}))
| | {}
| |
-| [groups](variables.tf#L120) | Group names to grant organization-level permissions. | map(string)
| | {…}
| |
+| [groups](variables.tf#L120) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | map(string)
| | {…}
| |
| [iam](variables.tf#L138) | Organization-level custom IAM settings in role => [principal] format. | map(list(string))
| | {}
| |
| [iam_additive](variables.tf#L144) | Organization-level custom IAM settings in role => [principal] format for non-authoritative bindings. | map(list(string))
| | {}
| |
| [locations](variables.tf#L150) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {…}
| |
diff --git a/fast/stages/0-bootstrap/main.tf b/fast/stages/0-bootstrap/main.tf
index dba2ed089c..dead928810 100644
--- a/fast/stages/0-bootstrap/main.tf
+++ b/fast/stages/0-bootstrap/main.tf
@@ -22,7 +22,7 @@ locals {
)
groups = {
for k, v in var.groups :
- k => "${v}@${var.organization.domain}"
+ k => can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"
}
groups_iam = {
for k, v in local.groups :
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index c85822892c..a17c4e5706 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -119,7 +119,7 @@ variable "federated_identity_providers" {
variable "groups" {
# https://cloud.google.com/docs/enterprise/setup-checklist
- description = "Group names to grant organization-level permissions."
+ description = "Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed."
type = map(string)
default = {
gcp-billing-admins = "gcp-billing-admins",
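Review bot: The description at L77 now promises two accepted forms, but nothing on the variable enforces either, so a typo such as `gcp-admins@corp` (no dot in the domain) or a value with two `@` characters is only detected when the binding is applied, at which point the affected org-level grant has already been planned. A `validation` block would fail the plan with a readable message instead, and is the natural place for the contract the new description states. The variable block continues past the hunk (its `default` opens at L79), so the block below would be placed after the `default` argument.
```hcl
variable "groups" {
  # … unchanged: description, type, default …
  validation {
    condition = alltrue([
      for v in values(var.groups) :
      can(regex("^[^@\\s]+(@[^@\\s]+\\.[^@\\s]+)?$", v))
    ])
    error_message = "Group values must be either a bare group name or a complete email address."
  }
```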
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index c2c32dda21..afe0ba3c3b 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -212,7 +212,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
| [custom_roles](variables.tf#L131) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
| [data_dir](variables.tf#L140) | Relative path for the folder storing configuration data. | string
| | "data"
| |
| [fast_features](variables.tf#L146) | Selective control for top-level FAST features. | object({…})
| | {}
| 0-0-bootstrap
|
-| [groups](variables.tf#L160) | Group names to grant organization-level permissions. | object({…})
| | {}
| 0-bootstrap
|
+| [groups](variables.tf#L160) | Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed. | object({…})
| | {}
| 0-bootstrap
|
| [locations](variables.tf#L173) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {…}
| 0-bootstrap
|
| [organization_policy_configs](variables.tf#L201) | Organization policies customization. | object({…})
| | null
| |
| [outputs_location](variables.tf#L209) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
diff --git a/fast/stages/1-resman/main.tf b/fast/stages/1-resman/main.tf
index ff08b8c58d..95bc1c4f22 100644
--- a/fast/stages/1-resman/main.tf
+++ b/fast/stages/1-resman/main.tf
@@ -69,7 +69,7 @@ locals {
)
groups = {
for k, v in var.groups :
- k => "${v}@${var.organization.domain}"
+ k => can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"
}
groups_iam = {
for k, v in local.groups : k => v != null ? "group:${v}" : null
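Review bot: The expression at L124 still errors at plan time when a group value is null, which this stage's `var.groups` permits (its type is an object of `optional(string)` attributes, L138-L140), and the `groups_iam` map on L127 already expects null entries from `local.groups`. As far as I can tell, `can()` turns the failing `regex` on a null into `false`, after which the fallback branch interpolates the null into the template, which is itself an error, so the null case never reaches the `v != null` check on L127. The tenant stages guard this on L10 and L23; the same guard fits here: `k => v == null ? null : can(regex(".*@.*", v)) ? v : "${v}@${var.organization.domain}"`. The enclosing `locals` block starts before the hunk.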
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index f2e413c981..e13a4e39e5 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -160,7 +160,7 @@ variable "fast_features" {
variable "groups" {
# tfdoc:variable:source 0-bootstrap
# https://cloud.google.com/docs/enterprise/setup-checklist
- description = "Group names to grant organization-level permissions."
+ description = "Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed."
type = object({
gcp-devops = optional(string)
gcp-network-admins = optional(string)