Add cross-project IAM binding support (#955)
* Add recipe for cross-project IAM permissions

Add cross-project IAM permission support for the following resources:
storage buckets
projects
organizations
folders
pasha-gh authored Jul 19, 2021
1 parent 196d74d commit 52d8fd6
Showing 18 changed files with 687 additions and 4 deletions.
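--- a/docs/tfengine/schemas/iam_members.md
+++ b/docs/tfengine/schemas/iam_members.md
@@ -0,0 +1,9 @@
+# IAM members recipe
+
+<!-- These files are auto generated -->
+
+## Properties
+
+| Property | Description | Type | Required | Default | Pattern |
+| -------- | ----------- | ---- | -------- | ------- | ------- |
+| iam_members | [Module](https://github.com/terraform-google-modules/terraform-google-iam) | object | false | - | - |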
70 changes: 70 additions & 0 deletions examples/tfengine/generated/iam_members/iam_members/main.tf


49 changes: 49 additions & 0 deletions examples/tfengine/generated/iam_members/iam_members/variables.tf


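--- a/examples/tfengine/generated/team/additional_iam_members/main.tf
+++ b/examples/tfengine/generated/team/additional_iam_members/main.tf
@@ -0,0 +1,70 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+required_version = ">=0.14"
+required_providers {
+google = "~> 3.0"
+google-beta = "~> 3.0"
+kubernetes = "~> 1.0"
+}
+backend "gcs" {
+bucket = "example-terraform-state"
+prefix = "additional_iam_members"
+}
+}
+
+module "storage_bucket_iam_members" {
+source = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
+mode = "additive"
+for_each = {
+for idx, member in var.storage_bucket_iam_members :
+idx => member
+}
+storage_buckets = each.value.resource_ids
+bindings = each.value.bindings
+}
+
+module "project_iam_members" {
+source = "terraform-google-modules/iam/google//modules/projects_iam"
+mode = "additive"
+for_each = {
+for idx, member in var.project_iam_members :
+idx => member
+}
+projects = each.value.resource_ids
+bindings = each.value.bindings
+}
+
+module "folder_iam_members" {
+source = "terraform-google-modules/iam/google//modules/folders_iam"
+mode = "additive"
+for_each = {
+for idx, member in var.folder_iam_members :
+idx => member
+}
+folders = each.value.resource_ids
+bindings = each.value.bindings
+}
+
+module "organization_iam_members" {
+source = "terraform-google-modules/iam/google//modules/organizations_iam"
+mode = "additive"
+for_each = {
+for idx, member in var.organization_iam_members :
+idx => member
+}
+organizations = each.value.resource_ids
+bindings = each.value.bindings
+}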
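Review bot: The `for_each` maps in all four modules (storage_bucket_iam_members, project_iam_members, folder_iam_members, organization_iam_members) key each entry by its list position `idx`, so inserting or removing an element in the middle of one of the var lists renumbers every later entry and Terraform plans a destroy-and-recreate of those module instances; with `mode = "additive"` that briefly removes and then re-grants the affected bindings, and the resulting plan is hard for an approver to read. If the recipe cannot key on a stable name, at least say so above each `for_each`, e.g. `# Keyed by list index: reordering the list re-creates the bindings below; append new entries at the end.`. The `kubernetes = "~> 1.0"` entry in `required_providers` is not used by anything in this file; it presumably comes from the shared template, but if it does not, it can be dropped.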
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


project_iam_members = [
{
resource_ids = ["example-prod-data"]
bindings = {
"roles/browser" = [
"serviceAccount:[email protected]",
],
}
},
]

storage_bucket_iam_members = [
{
resource_ids = ["example-bucket"]
bindings = {
"roles/storage.admin" = [
"serviceAccount:[email protected]",
],
}
},
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

variable "storage_bucket_iam_members" {
description = "IAM members for storage buckets. Assigns additional non-authoritative IAM bindings to a list of storage buckets."
default = []
type = list(object({
resource_ids = list(string)
bindings = map(list(string))
}))
}

variable "project_iam_members" {
description = "IAM members for projects. Assigns additional non-authoritative IAM bindings to a list of projects."
default = []
type = list(object({
resource_ids = list(string)
bindings = map(list(string))
}))
}

variable "folder_iam_members" {
description = "IAM members for folders. Assigns additional non-authoritative IAM bindings to a list of folders."
default = []
type = list(object({
resource_ids = list(string)
bindings = map(list(string))
}))
}

variable "organization_iam_members" {
description = "IAM members for organizations. Assigns additional non-authoritative IAM bindings to a list of organizations."
default = []
type = list(object({
resource_ids = list(string)
bindings = map(list(string))
}))
}
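Review bot: The four variables accept any string as a binding member, so a typo or an unintended public principal is granted as-is once the CI apply runs; a `validation` block restricting members to the principal prefixes this recipe is meant to bind would catch that at plan time, and `required_version = ">=0.14"` in the sibling main.tf means `validation`, `alltrue` and `can(regex(...))` are available. The set of allowed prefixes is a policy choice for the recipe (the example values use `serviceAccount:`), so adjust the regex to whatever the team expects rather than copying it verbatim, and apply the same block to the other three variables. The file header for this section is not shown on the page; from its contents it appears to be the variables file for the `additional_iam_members` example.
```hcl
variable "storage_bucket_iam_members" {
  description = "IAM members for storage buckets. Assigns additional non-authoritative IAM bindings to a list of storage buckets."
  default     = []
  type = list(object({
    resource_ids = list(string)
    bindings     = map(list(string))
  }))

  # Reject members that are not an explicit principal type so a typo or an
  # unintended public principal cannot be granted silently from CI.
  validation {
    condition = alltrue([
      for entry in var.storage_bucket_iam_members : alltrue([
        for role, members in entry.bindings : alltrue([
          for member in members : can(regex("^(user|serviceAccount|group|domain):", member))
        ])
      ])
    ])
    error_message = "Every binding member must be prefixed with user:, serviceAccount:, group: or domain:."
  }
}

# … unchanged: project_iam_members, folder_iam_members, organization_iam_members (add the same validation block) …
```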
6 changes: 3 additions & 3 deletions examples/tfengine/generated/team/cicd/triggers.tf
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ resource "google_cloudbuild_trigger" "validate_prod" {

substitutions = {
_TERRAFORM_ROOT = "terraform"
_MANAGED_DIRS = "project_secrets project_networks project_apps project_data"
_MANAGED_DIRS = "project_secrets project_networks project_apps project_data additional_iam_members"
}

depends_on = [
Expand Down Expand Up @@ -66,7 +66,7 @@ resource "google_cloudbuild_trigger" "plan_prod" {

substitutions = {
_TERRAFORM_ROOT = "terraform"
_MANAGED_DIRS = "project_secrets project_networks project_apps project_data"
_MANAGED_DIRS = "project_secrets project_networks project_apps project_data additional_iam_members"
}

depends_on = [
Expand Down Expand Up @@ -97,7 +97,7 @@ resource "google_cloudbuild_trigger" "apply_prod" {

substitutions = {
_TERRAFORM_ROOT = "terraform"
_MANAGED_DIRS = "project_secrets project_networks project_apps project_data"
_MANAGED_DIRS = "project_secrets project_networks project_apps project_data additional_iam_members"
}

depends_on = [
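Review bot: Appending `additional_iam_members` to `_MANAGED_DIRS` on the apply_prod trigger (and likewise on validate_prod and plan_prod in the two hunks above) means a merge now lets Cloud Build grant IAM bindings on projects, folders and organizations, not only inside the team's own projects, and the commit records neither what the Cloud Build service account must hold on those targets nor that org- and folder-level policy can now change through this pipeline. A comment next to each substitution such as `# additional_iam_members can change org/folder IAM; the build SA presumably needs setIamPolicy on every target resource.` plus a line in the recipe docs listing the required roles would make that visible to whoever approves the plan. The `depends_on` lists and the rest of each trigger resource run past the hunk, so whether anything gates the apply on an approved plan is not visible here.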
