From 1901ea04f84fa7627cdd8bc63244b7da6879f7d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= Date: Sat, 11 Feb 2023 12:53:28 +0000 Subject: [PATCH] Allow additive IAM grants by robots name Regreatablly member name will be known after apply, hence changes in the tests --- modules/project/README.md | 23 +++++++++++++++++++ modules/project/iam.tf | 13 ++++++++++- .../examples/iam-additive-members.yaml | 3 --- .../project/examples/iam-additive.yaml | 4 ---- 4 files changed, 35 insertions(+), 8 deletions(-) diff --git a/modules/project/README.md b/modules/project/README.md index fbc4ab294d..e7a645fe54 100644 --- a/modules/project/README.md +++ b/modules/project/README.md @@ -138,6 +138,29 @@ module "project" { # tftest modules=1 resources=2 ``` +### Using shortcodes for Service Identities in additive IAM +Most Service Identities contains project number in their e-mail address and this prevents additive IAM to work, as these values are not known at moment of execution of `terraform plan` (its not an issue for authoritative IAM). To refer current project Service Identities you may use shortcodes for Service Identities similarly as for `service_identity_iam` when configuring Shared VPC. + +```hcl +module "project" { + source = "./fabric/modules/project" + name = "project-example" + + services = [ + "run.googleapis.com", + "container.googleapis.com", + ] + + iam_additive = { + "roles/editor" = ["cloudservices"] + "roles/vpcaccess.user" = ["cloudrun"] + "roles/container.hostServiceAgentUser" = ["container-engine"] + } +} +# tftest modules=1 resources=6 +``` + + ### Service identities requiring manual IAM grants The module will create service identities at project creation instead of creating of them at the time of first use. This allows granting these service identities roles in other projects, something which is usually necessary in a Shared VPC context. diff --git a/modules/project/iam.tf b/modules/project/iam.tf index 69925cc767..3ed2d2a6fd 100644 
--- a/modules/project/iam.tf +++ b/modules/project/iam.tf @@ -47,7 +47,18 @@ locals { } iam_additive = { for pair in concat(local._iam_additive_pairs, local._iam_additive_member_pairs) : - "${pair.role}-${pair.member}" => pair + "${pair.role}-${pair.member}" => { + role = pair.role + member = ( + pair.member == "cloudservices" + ? "serviceAccount:${local.service_account_cloud_services}" + : pair.member == "default-compute" + ? "serviceAccount:${local.service_accounts_default.compute}" + : pair.member == "default-gae" + ? "serviceAccount:${local.service_accounts_default.gae}" + : try("serviceAccount:${local.service_accounts_robots[pair.member]}", pair.member) + ) + } } } diff --git a/tests/modules/project/examples/iam-additive-members.yaml b/tests/modules/project/examples/iam-additive-members.yaml index 5832e4dcaa..6a517a4a1d 100644 --- a/tests/modules/project/examples/iam-additive-members.yaml +++ b/tests/modules/project/examples/iam-additive-members.yaml @@ -17,17 +17,14 @@ values: project_id: project-example module.project.google_project_iam_member.additive["roles/editor-user:two@example.org"]: condition: [] - member: user:two@example.org project: project-example role: roles/editor module.project.google_project_iam_member.additive["roles/owner-user:one@example.org"]: condition: [] - member: user:one@example.org project: project-example role: roles/owner module.project.google_project_iam_member.additive["roles/owner-user:two@example.org"]: condition: [] - member: user:two@example.org project: project-example role: roles/owner diff --git a/tests/modules/project/examples/iam-additive.yaml b/tests/modules/project/examples/iam-additive.yaml index f07b0df66e..5bab822321 100644 --- a/tests/modules/project/examples/iam-additive.yaml +++ b/tests/modules/project/examples/iam-additive.yaml 
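Review bot: The `try("serviceAccount:${local.service_accounts_robots[pair.member]}", pair.member)` fallback in the new `member` expression appears to make every additive member unknown at plan time, not only the shortcode ones: if `local.service_accounts_robots` holds values that are only known after apply (which is what the commit message says), `try()` cannot decide at plan time whether the index would fail, so even a literal `user:two@example.org` is planned as `(known after apply)`. That removes the ability to review from a plan who is being granted which role, which is the main control on additive IAM changes, and it is also why the test expectation files in this patch drop their `member:` assertions. Resolving shortcodes only for members that are not already a principal (no `type:` prefix and not `allUsers`/`allAuthenticatedUsers`) keeps literal members known at plan time and lets a mistyped shortcode fail at plan with an invalid-index error instead of reaching apply as an unprefixed string. The enclosing `locals` block begins before the hunk and the `local.service_account*` values it uses are defined outside it; the rewrite below assumes the robots map has plan-time-known keys.
```hcl
  iam_additive = {
    for pair in concat(local._iam_additive_pairs, local._iam_additive_member_pairs) :
    "${pair.role}-${pair.member}" => {
      role = pair.role
      member = (
        # principals given in full (user:, group:, serviceAccount:, domain:, ...)
        # and the two special members pass through untouched, so they stay
        # known at plan time; only bare shortcodes are resolved below
        can(regex("^[a-zA-Z]+:", pair.member)) || contains(["allUsers", "allAuthenticatedUsers"], pair.member)
        ? pair.member
        : pair.member == "cloudservices"
        ? "serviceAccount:${local.service_account_cloud_services}"
        : pair.member == "default-compute"
        ? "serviceAccount:${local.service_accounts_default.compute}"
        : pair.member == "default-gae"
        ? "serviceAccount:${local.service_accounts_default.gae}"
        # no try(): an unknown shortcode is an error at plan, not at apply
        : "serviceAccount:${local.service_accounts_robots[pair.member]}"
      )
    }
  }
```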
@@ -16,22 +16,18 @@ values: module.project.google_project.project[0]: {} module.project.google_project_iam_member.additive["roles/owner-group:three@example.org"]: condition: [] - member: group:three@example.org project: project-example role: roles/owner module.project.google_project_iam_member.additive["roles/storage.objectAdmin-group:two@example.org"]: condition: [] - member: group:two@example.org project: project-example role: roles/storage.objectAdmin module.project.google_project_iam_member.additive["roles/viewer-group:one@example.org"]: condition: [] - member: group:one@example.org project: project-example role: roles/viewer module.project.google_project_iam_member.additive["roles/viewer-group:two@xample.org"]: condition: [] - member: group:two@xample.org project: project-example role: roles/viewer