feat: Fleet app operator permissions #1986
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- added type string to the role variable - changed role maps from variables to locals
…because only one of them is required
…ator_name, is_user_app_operator> With this change, the admin explicitly specifies whether the app operator is a user or group. This can help to not take dependency to the value of the app operator name (i.e., previously whether user != '' or a group != '').
- removed the app operator email input and use a service account created in the module instead - removed the app operator role input and simply use the VIEW role
…ng the app_operator_team input
hosseingolestani
changed the title
|
/gcbrun |
…le module This was changed by my local run of make docker_test_lint.
|
/gcbrun |
|
From the CI: |
When possible, it's suggest to avoid variables in examples (as you will need to provide a value from the integration test). For example, a end to end example could first create a born in fleet cluster, and then pass the fleet project from that. |
apeabody
reviewed
Jul 3, 2024
apeabody
reviewed
Jul 3, 2024
apeabody
reviewed
Jul 3, 2024
apeabody
reviewed
Jul 3, 2024
…ions and example modules
I defined a new project for fleet testing purposes (though for now, I'm not creating a cluster in the example module). I added the test fixture to provide the project ID. |
|
/gcbrun |
…st fixtures This should hopefully make the app operator email available at apply time of the example module.
|
/gcbrun |
…rmissions I'm now building the service account email string explicitly and instead declaring depencency to the service account resource, so that for_each works without the need for applying the service account resource in advance.
|
/gcbrun |
…d iam service account
|
/gcbrun |
This seems to be the correct way to grant the necessary permissions.
|
/gcbrun |
1 similar comment
|
/gcbrun |
|
…issions The condition is a bit long, and it's possibly included in two lines in the project IAM policy. I'm trying to see if checking subconditions separately works.
|
/gcbrun |
…ions to just looking for log buckets in the project IAM policy
apeabody
requested changes
Jul 19, 2024
There was a problem hiding this comment.
Thanks for the contribution @hosseingolestani!
Just a few final nits and we can get this merged!
… of) principal name in scope rbac role binding id.
apeabody
approved these changes
Jul 19, 2024
|
Spot checked the most recent CI test for |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a Terraform module that bundles different permissions (IAM and RBAC Role Bindings) required for Fleet team management.