Implement the full IAM interface for tags (#2269)
* IAM authoritative bindings in org module * remove extra newline * organization module * project module * tfdoc
Showing
9 changed files
with
492 additions
and
92 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -440,12 +440,44 @@ module "org" { | |
iam = { | ||
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"] | ||
} | ||
iam_bindings = { | ||
viewer = { | ||
role = "roles/resourcemanager.tagViewer" | ||
members = ["group:[email protected]"] | ||
} | ||
} | ||
iam_bindings_additive = { | ||
user_app1 = { | ||
role = "roles/resourcemanager.tagUser" | ||
member = "group:[email protected]" | ||
} | ||
} | ||
values = { | ||
dev = {} | ||
dev = { | ||
iam_bindings_additive = { | ||
user_app2 = { | ||
role = "roles/resourcemanager.tagUser" | ||
member = "group:[email protected]" | ||
} | ||
} | ||
} | ||
prod = { | ||
description = "Environment: production." | ||
iam = { | ||
"roles/resourcemanager.tagViewer" = ["group:${var.group_email}"] | ||
"roles/resourcemanager.tagViewer" = ["group:[email protected]"] | ||
} | ||
iam_bindings = { | ||
admin = { | ||
role = "roles/resourcemanager.tagAdmin" | ||
members = ["group:[email protected]"] | ||
condition = { | ||
title = "gcp_support" | ||
expression = <<-END | ||
request.time.getHours("Europe/Berlin") <= 9 && | ||
request.time.getHours("Europe/Berlin") >= 17 | ||
END | ||
} | ||
} | ||
} | ||
} | ||
} | ||
|
@@ -455,8 +487,9 @@ module "org" { | |
env-prod = module.org.tag_values["environment/prod"].id | ||
} | ||
} | ||
# tftest modules=1 resources=6 inventory=tags.yaml e2e serial | ||
# tftest modules=1 resources=10 inventory=tags.yaml | ||
``` | ||
<!-- TODO: reinstate e2e serial --> | ||
|
||
You can also define network tags, through a dedicated variable *network_tags*: | ||
|
||
|
@@ -498,7 +531,7 @@ module "org" { | |
| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> | | ||
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> | | ||
| [outputs.tf](./outputs.tf) | Module outputs. | | | ||
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> | | ||
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_key_iam_member</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> · <code>google_tags_tag_value_iam_member</code> | | ||
| [variables-iam.tf](./variables-iam.tf) | None | | | ||
| [variables-logging.tf](./variables-logging.tf) | None | | | ||
| [variables-tags.tf](./variables-tags.tf) | None | | | ||
|
@@ -522,11 +555,11 @@ module "org" { | |
| [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> | | ||
| [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | <code title="object({ disable_default_sink = optional(bool) storage_location = optional(string) })">object({…})</code> | | <code>null</code> | | ||
| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [org_policies](variables.tf#L51) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [org_policy_custom_constraints](variables.tf#L78) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [tag_bindings](variables-tags.tf#L45) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> | | ||
| [tags](variables-tags.tf#L52) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> | | ||
| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | | ||
|
||
## Outputs | ||
|
||
|