Grant individual roles to auditors

relaycorp · Mar 4, 2024 · ff5e7cd · ff5e7cd
1 parent 4fd5101
commit ff5e7cd
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 15 deletions.
diff --git a/environments/belgium/audit.tf b/environments/belgium/audit.tf
@@ -0,0 +1,69 @@
+// TODO: Remove once the security audit is over
+
+variable "temporary_auditor_iam_uris" {
+  type = list(string)
+}
+
+resource "google_project_iam_member" "auditors_iam" {
+  for_each = toset(var.temporary_auditor_iam_uris)
+
+  project = var.gcp_project_id
+  role    = "roles/iam.roleViewer"
+  member  = each.value
+}
+
+resource "google_project_iam_member" "auditors_kms" {
+  for_each = toset(var.temporary_auditor_iam_uris)
+
+  project = var.gcp_project_id
+  role    = "roles/cloudkms.viewer"
+  member  = each.value
+}
+
+resource "google_project_iam_member" "auditors_run" {
+  for_each = toset(var.temporary_auditor_iam_uris)
+
+  project = var.gcp_project_id
+  role    = "roles/run.viewer"
+  member  = each.value
+}
+
+resource "google_project_iam_member" "auditors_scheduler" {
+  for_each = toset(var.temporary_auditor_iam_uris)
+
+  project = var.gcp_project_id
+  role    = "roles/cloudscheduler.viewer"
+  member  = each.value
+}
+
+resource "google_project_iam_member" "auditors_redis" {
+  for_each = toset(var.temporary_auditor_iam_uris)
+
+  project = var.gcp_project_id
+  role    = "roles/redis.viewer"
+  member  = each.value
+}
+
+resource "google_project_iam_member" "auditors_pubsub" {
+  for_each = toset(var.temporary_auditor_iam_uris)
+
+  project = var.gcp_project_id
+  role    = "roles/pubsub.viewer"
+  member  = each.value
+}
+
+resource "google_project_iam_member" "auditors_network" {
+  for_each = toset(var.temporary_auditor_iam_uris)
+
+  project = var.gcp_project_id
+  role    = "roles/compute.networkViewer"
+  member  = each.value
+}
+
+resource "google_project_iam_member" "auditors_secret_manager" {
+  for_each = toset(var.temporary_auditor_iam_uris)
+
+  project = var.gcp_project_id
+  role    = "roles/secretmanager.viewer"
+  member  = each.value
+}
diff --git a/environments/belgium/gateway.tf b/environments/belgium/gateway.tf
@@ -16,13 +16,3 @@ module "gateway" {
 
   gcp_shared_infra_project_id = var.shared_infra_gcp_project_id
 }
-
-// TODO: Remove once the security audit is over
-resource "google_project_iam_member" "temporary_auditors" {
-  // repeat for each auditor_uris
-  for_each = toset(var.temporary_auditor_iam_uris)
-
-  project = var.gcp_project_id
-  role    = "roles/viewer"
-  member  = each.value
-}
diff --git a/environments/belgium/variables.tf b/environments/belgium/variables.tf
@@ -7,8 +7,3 @@ variable "gcp_project_id" {}
 variable "shared_infra_gcp_project_id" {}
 
 variable "mongodbatlas_project_id" {}
-
-// TODO: Remove once the security audit is over
-variable "temporary_auditor_iam_uris" {
-  type = list(string)
-}