From 0f91a964da3a41ba20820bb6e802c420f869c933 Mon Sep 17 00:00:00 2001 From: apichick Date: Tue, 7 Nov 2023 08:11:23 +0100 Subject: [PATCH] Added back sink iam flag as module users might not have access to the sink destination and the role might need to be granted somewhere else --- modules/folder/README.md | 12 ++++++------ modules/folder/logging.tf | 2 +- modules/folder/variables.tf | 1 + modules/organization/README.md | 18 +++++++++--------- modules/organization/logging.tf | 2 +- modules/organization/variables.tf | 1 + 6 files changed, 19 insertions(+), 17 deletions(-) diff --git a/modules/folder/README.md b/modules/folder/README.md index 2ba7e9107a..8c75cadd5e 100644 --- a/modules/folder/README.md +++ b/modules/folder/README.md @@ -295,12 +295,12 @@ module "folder" { | [id](variables.tf#L83) | Folder ID in case you use folder_create=false. | string | | null | | [logging_data_access](variables.tf#L89) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} | | [logging_exclusions](variables.tf#L104) | Logging exclusions for this folder in the form {NAME -> FILTER}. | map(string) | | {} | -| [logging_sinks](variables.tf#L111) | Logging sinks to create for the folder. | map(object({…})) | | {} | -| [name](variables.tf#L141) | Folder name. | string | | null | -| [org_policies](variables.tf#L147) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} | -| [org_policies_data_path](variables.tf#L174) | Path containing org policies in YAML format. | string | | null | -| [parent](variables.tf#L180) | Parent in folders/folder_id or organizations/org_id format. | string | | null | -| [tag_bindings](variables.tf#L190) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null | +| [logging_sinks](variables.tf#L111) | Logging sinks to create for the folder. | map(object({…})) | | {} | +| [name](variables.tf#L142) | Folder name. | string | | null | +| [org_policies](variables.tf#L148) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} | +| [org_policies_data_path](variables.tf#L175) | Path containing org policies in YAML format. | string | | null | +| [parent](variables.tf#L181) | Parent in folders/folder_id or organizations/org_id format. | string | | null | +| [tag_bindings](variables.tf#L191) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null | ## Outputs diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf index 8000a02145..033113ff2e 100644 --- a/modules/folder/logging.tf +++ b/modules/folder/logging.tf @@ -22,7 +22,7 @@ locals { type => { for name, sink in var.logging_sinks : name => sink - if sink.type == type + if sink.iam == true && sink.type == type } } } diff --git a/modules/folder/variables.tf b/modules/folder/variables.tf index 1c55168187..91e8e11e81 100644 --- a/modules/folder/variables.tf +++ b/modules/folder/variables.tf @@ -117,6 +117,7 @@ variable "logging_sinks" { disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string + iam = optional(bool, true) include_children = optional(bool, true) type = string })) diff --git a/modules/organization/README.md b/modules/organization/README.md index 86df8ab3ba..b760f03626 100644 --- a/modules/organization/README.md +++ b/modules/organization/README.md @@ -456,7 +456,7 @@ module "org" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [organization_id](variables.tf#L211) | Organization id in organizations/nnnnnn format. | string | ✓ | | +| [organization_id](variables.tf#L212) | Organization id in organizations/nnnnnn format. | string | ✓ | | | [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) | | {} | | [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} | | [firewall_policy](variables.tf#L31) | Hierarchical firewall policies to associate to the organization. | object({…}) | | null | @@ -466,14 +466,14 @@ module "org" { | [iam_bindings_additive](variables.tf#L69) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | [logging_data_access](variables.tf#L84) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} | | [logging_exclusions](variables.tf#L99) | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) | | {} | -| [logging_sinks](variables.tf#L106) | Logging sinks to create for the organization. | map(object({…})) | | {} | -| [network_tags](variables.tf#L136) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | -| [org_policies](variables.tf#L158) | Organization policies applied to this organization keyed by policy name. | map(object({…})) | | {} | -| [org_policies_data_path](variables.tf#L185) | Path containing org policies in YAML format. | string | | null | -| [org_policy_custom_constraints](variables.tf#L191) | Organization policy custom constraints keyed by constraint name. | map(object({…})) | | {} | -| [org_policy_custom_constraints_data_path](variables.tf#L205) | Path containing org policy custom constraints in YAML format. | string | | null | -| [tag_bindings](variables.tf#L220) | Tag bindings for this organization, in key => tag value id format. | map(string) | | null | -| [tags](variables.tf#L226) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | +| [logging_sinks](variables.tf#L106) | Logging sinks to create for the organization. | map(object({…})) | | {} | +| [network_tags](variables.tf#L137) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | +| [org_policies](variables.tf#L159) | Organization policies applied to this organization keyed by policy name. | map(object({…})) | | {} | +| [org_policies_data_path](variables.tf#L186) | Path containing org policies in YAML format. | string | | null | +| [org_policy_custom_constraints](variables.tf#L192) | Organization policy custom constraints keyed by constraint name. | map(object({…})) | | {} | +| [org_policy_custom_constraints_data_path](variables.tf#L206) | Path containing org policy custom constraints in YAML format. | string | | null | +| [tag_bindings](variables.tf#L221) | Tag bindings for this organization, in key => tag value id format. | map(string) | | null | +| [tags](variables.tf#L227) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | ## Outputs diff --git a/modules/organization/logging.tf b/modules/organization/logging.tf index 7719c0fb62..7f0665e3ab 100644 --- a/modules/organization/logging.tf +++ b/modules/organization/logging.tf @@ -21,7 +21,7 @@ locals { for type in ["bigquery", "logging", "pubsub", "storage"] : type => { for name, sink in var.logging_sinks : - name => sink if sink.type == type + name => sink if sink.iam && sink.type == type } } } diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf index c9899e2e1d..f664deaef1 100644 --- a/modules/organization/variables.tf +++ b/modules/organization/variables.tf @@ -112,6 +112,7 @@ variable "logging_sinks" { disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string + iam = optional(bool, true) include_children = optional(bool, true) type = string }))