From 71d9858ce6d7acbafb0528078feb8005b0f6159d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Sun, 12 May 2024 09:12:45 +0000
Subject: [PATCH 1/2] Fix 0-bootstrap iam_by_principals not taking into account all principals

---
 fast/stages/0-bootstrap/organization.tf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index f91b4e8c14..fdd08937a7 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -138,8 +138,14 @@ module "organization" {
 organization_id = module.organization-logging.id
 # human (groups) IAM bindings
 iam_by_principals = {
- for k, v in local.iam_principals :
- k => distinct(concat(v, lookup(var.iam_by_principals, k, [])))
+ for key in distinct(concat(
+ keys(local.iam_principals),
+ keys(var.iam_by_principals),
+ )) :
+ key => distinct(concat(
+ lookup(local.iam_principals, key, []),
+ lookup(var.iam_by_principals, key, []),
+ ))
 }
 # machine (service accounts) IAM bindings
 iam = merge(

From 0c98d72e573c89162b9b792e87218d55a1c4bf26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Sun, 12 May 2024 18:50:00 +0000
Subject: [PATCH 2/2] Add test-case for iam_by_principals for 0-bootstrap stage

---
 tests/collectors.py | 2 +-
 .../s0_bootstrap/iam_by_principals.tfvars | 20 +++++++++++++++++
 .../s0_bootstrap/iam_by_principals.yaml | 22 +++++++++++++++++++
 tests/fast/stages/s0_bootstrap/tftest.yaml | 2 ++
 4 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
 create mode 100644 tests/fast/stages/s0_bootstrap/iam_by_principals.yaml

diff --git a/tests/collectors.py b/tests/collectors.py
index 310b8151cc..9e26c06774 100644
--- a/tests/collectors.py
+++ b/tests/collectors.py
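Review bot: The comment `# human (groups) IAM bindings` two lines above the first changed line no longer describes what this map holds: with the key union, any principal supplied in `var.iam_by_principals` is now bound at the organization level, not only the groups from `local.iam_principals` (the test fixture later in this series passes a `user:` principal). Suggest `# human IAM bindings: groups from local.iam_principals merged with every principal passed in var.iam_by_principals`. Because these bindings appear to be authoritative (the expected inventory in the second patch shows `google_organization_iam_binding.authoritative`), a principal or role that was previously dropped silently now becomes a real organization-level binding — the correct fail-loud behaviour, but worth calling out in the variable's description so operators review that input with care. The `module "organization"` block starts and ends outside the hunk. As a matter of style, `for key in setunion(keys(local.iam_principals), keys(var.iam_by_principals)) :` expresses the key union more directly than `distinct(concat(...))`, and the result is the same since a for-expression producing a map does not depend on iteration order.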
@@ -92,7 +92,7 @@ def runtest(self):
 self.tf_var_files, self.extra_files)
 except AssertionError:
 def full_paths(x):
- return [(self.parent.path.parent / x ) for x in x]
+ return [str(self.parent.path.parent / x ) for x in x]
 print(f'Error in inventory file: {" ".join(full_paths(self.inventory))}')
 print(f'To regenerate inventory run: python tools/plan_summary.py {self.module} {" ".join(full_paths(self.tf_var_files))}')
 raise
diff --git a/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars b/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
new file mode 100644
index 0000000000..4ceaffb6ac
--- /dev/null
+++ b/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
@@ -0,0 +1,20 @@
+organization = {
+ domain = "fast.example.com"
+ id = 123456789012
+ customer_id = "C00000000"
+}
+billing_account = {
+ id = "000000-111111-222222"
+}
+essential_contacts = "gcp-organization-admins@fast.example.com"
+iam_by_principals = {
+ "user:other@fast.example.com" = ["roles/browser"]
+}
+prefix = "fast"
+org_policies_config = {
+ import_defaults = false
+}
+outputs_location = "/fast-config"
+groups = {
+ gcp-support = "group:gcp-support@example.com"
+}
diff --git a/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml b/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml
new file mode 100644
index 0000000000..83b965d302
--- /dev/null
+++ b/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml
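Review bot: The added line keeps the comprehension's loop variable named the same as the parameter it iterates (`for x in x`), which reads as a bug even though it works, and carries a stray space before the closing parenthesis; `return [str(self.parent.path.parent / p) for p in x]` says the same thing unambiguously. The `str()` wrap fixes the `" ".join` call on the next lines, but the second message is printed as a command to paste into a shell, so a path containing spaces would still split into separate arguments; `shlex.join(full_paths(self.tf_var_files))` would quote them, provided `shlex` is imported at the top of the file, which is outside the hunk. The enclosing `runtest` starts outside the hunk.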
@@ -0,0 +1,22 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
+ condition: []
+ members:
+ - domain:fast.example.com
+ - user:other@fast.example.com
+ org_id: '123456789012'
+ role: roles/browser
diff --git a/tests/fast/stages/s0_bootstrap/tftest.yaml b/tests/fast/stages/s0_bootstrap/tftest.yaml
index 8f415a219a..2643714eb9 100644
--- a/tests/fast/stages/s0_bootstrap/tftest.yaml
+++ b/tests/fast/stages/s0_bootstrap/tftest.yaml
@@ -25,3 +25,5 @@ tests:
 - simple.yaml
 - simple_projects.yaml
 - simple_sas.yaml
+
+ iam_by_principals:
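Review bot: The expected inventory only pins the case the fix targets — a principal (`user:other@fast.example.com`) that exists solely in `var.iam_by_principals` — while the other half of the new expression, the `distinct(concat(...))` merge for a key present in both maps, is not exercised. Adding to the tfvars fixture a role for a principal that `local.iam_principals` already carries (presumably `domain:fast.example.com`, which is the other member listed under `roles/browser` here — verify against the stage's locals), and asserting both the existing and the added role for it in this file, would guard the merge path against a regression in either direction.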