How to apply 'allowed-policy-member-domains-all' to resource

[skaaptjop]

Hi,
For the life of me I can't quite work out how to bind the 'org-policies/allowed-policy-member-domains-all' tag to a resource in stage 2 PF.

Given that stage 2 doesn't specifically create resources (e.g. cloud run) but projects and folders, it seems likely to apply the relaxed restriction on a project/folder level.

Failing that, I guess we'd need IAM permissions in the (optional) automation project created in stage 2-PF to allow adding that tag. However, stage 2 doesn't know what IAM principals will exist in that project. I thought the "org_policy_tag_pf_scoped" constraint would handle this?

I've also tried specifying it in tag_bindings up the stage hierarchy but it seems these are more for "context", "environment" and "custom tags". I can't seem to bind the org-policies/allowed-policy-member-domains-all ...

[ludoo]

Off the top of my mind and on my phone, will give you a proper answer tomorrow. But the simplest way of doing it is to bind the tag value id which you can read in the resman tfvars, to a project or folder via tag_bindings. The service account doing the binding needs tag user role on both tag value and resource receiving the bind. The pf service account might lack it on this specific tag value, but you can assign it using the tags variable in resman stage which can interpolate IAM even in tag values we define internally in code, just define the same tag name and value via variable and include iam.

Sorry if this is a bit cryptic, will show some code tomorrow as soon as I have a few minutes, and we should document this, thanks for raising the topic.

[skaaptjop]

Thanks. I was hoping the "org_policy_tag_pf_scoped" constraint would handle the correct grants.
I'm finding now that I can't even view the tag values at the organisation level as the project factory is not granted org-viewer roles. This will take some digging up the hierarchy tree

[ludoo]

You just need tag user role for the pf service account.

[skaaptjop]

Strange. I have the tag use role on of sa. I'll dig deeper to see what s wrong. Thanks

[ludoo]

Ach, so I forgot that org policy tags are in stage 0.

In your stage 0 tfvars:

org_policies_config = {
  constraints = {
    allowed_policy_member_domains = [
      # ...any workspace customer IDs you need to add here
    ]
  }
  tag_values = {
    allowed-policy-member-domains-all = {
      iam = {
        # replace prefix with your own prefix
        "roles/resourcemanager.tagUser" = [
          "serviceAccount:fast-05a-resman-pf-0@fast-05a-prod-iac-core-0.iam.gserviceaccount.com"
        ]
        "roles/resourcemanager.tagViewer" = [
          "serviceAccount:fast-05a-resman-pf-0r@fast-05a-prod-iac-core-0.iam.gserviceaccount.com"
        ]
      }
    }
  }
}

The tag value id you need in the binding is in the stage 0 JSON tfvars:

"org_policy_tags": {
    "key_id": "tagKeys/281483844453094",
    "key_name": "org-policies",
    "values": {
      "allowed-policy-member-domains-all": "tagValues/281478523748783"
    }
  }

This should be enough for the pf to then set tag bindings on folders or projects:

tag_bindings:
  org-policies-drs-allow-all: tagValues/281478523748783

module.projects.module.projects["prod-tb-0"].google_tags_tag_binding.binding["org-policies-drs-allow-all"]: Creation complete after 2s [id=tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F1044030836401/tagValues/281478523748783]