Add cross-project IAM binding support

docs/tfengine/schemas/iam_bindings.md

@@ -0,0 +1,13 @@
+# Recipe for iam bindings
+
+<!-- These files are auto generated -->
+
+## Properties
+
+| Property | Description | Type | Required | Default | Pattern |
+| -------- | ----------- | ---- | -------- | ------- | ------- |
+| iam_bindings | [Module](https://github.com/terraform-google-modules/terraform-google-iam) | array(object) | false | - | - |
+| iam_bindings.bindings | Map of IAM role to list of members to grant access to the role. | object | true | - | - |
+| iam_bindings.parent_ids | Ids of the parent to assign the bindings. | array(string) | false | - | - |
+| iam_bindings.parent_type | Type of the resource to assign the bindings. | string | true | - | ^storage_bucket\|project\|organization\|folder\|billing_account$ |
+| state_bucket | Bucket to store remote state. | string | false | - | - |

docs/tfengine/schemas/project.md

@@ -6,6 +6,7 @@
 
 | Property | Description | Type | Required | Default | Pattern |
 | -------- | ----------- | ---- | -------- | ------- | ------- |
+| iam_bindings | IAM bindings for this or other projects.        See [iam_bindings.md](./iam_bindings.md) for schema. | - | false | - | - |
 | parent_id | ID of parent GCP resource to apply the policy        Can be one of the organization ID or folder ID according to parent_type. | string | false | - | - |
 | parent_type | Type of parent GCP resource to apply the policy        Can be one of 'organization' or 'folder'. | string | false | - | ^organization\|folder$ |
 | project | Config for the project. | object | true | - | - |

examples/tfengine/generated/team/cicd/triggers.tf

@@ -36,7 +36,7 @@ resource "google_cloudbuild_trigger" "validate_prod" {
 
   substitutions = {
     _TERRAFORM_ROOT = "terraform"
-    _MANAGED_DIRS   = "project_secrets project_networks project_apps project_data"
+    _MANAGED_DIRS   = "project_secrets project_networks project_apps project_data projetc_iam"
   }
 
   depends_on = [
@@ -66,7 +66,7 @@ resource "google_cloudbuild_trigger" "plan_prod" {
 
   substitutions = {
     _TERRAFORM_ROOT = "terraform"
-    _MANAGED_DIRS   = "project_secrets project_networks project_apps project_data"
+    _MANAGED_DIRS   = "project_secrets project_networks project_apps project_data projetc_iam"
   }
 
   depends_on = [
@@ -97,7 +97,7 @@ resource "google_cloudbuild_trigger" "apply_prod" {
 
   substitutions = {
     _TERRAFORM_ROOT = "terraform"
-    _MANAGED_DIRS   = "project_secrets project_networks project_apps project_data"
+    _MANAGED_DIRS   = "project_secrets project_networks project_apps project_data projetc_iam"
   }
 
   depends_on = [

examples/tfengine/generated/team/project_iam/main.tf

@@ -0,0 +1,77 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">=0.14"
+  required_providers {
+    google      = "~> 3.0"
+    google-beta = "~> 3.0"
+    kubernetes  = "~> 1.0"
+  }
+  backend "gcs" {
+    bucket = "example-terraform-state"
+    prefix = "project_iam"
+  }
+}
+
+# Create the project and optionally enable APIs, create the deletion lien and add to shared VPC.
+# Deletion lien: https://cloud.google.com/resource-manager/docs/project-liens
+# Shared VPC: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#centralize_network_control
+module "project" {
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 11.1.0"
+
+  name            = "example-prod-iam"
+  org_id          = ""
+  folder_id       = "12345678"
+  billing_account = "000-000-000"
+  lien            = true
+  # Create and keep default service accounts when certain APIs are enabled.
+  default_service_account = "keep"
+  # Do not create an additional project service account to be used for Compute Engine.
+  create_project_sa = false
+  # When Kubernetes Engine API is enabled, grant Kubernetes Engine Service Agent the
+  # Compute Security Admin role on the VPC host project so it can manage firewall rules.
+  # It is a no-op when Kubernetes Engine API is not enabled in the project.
+  grant_services_security_admin_role = true
+  activate_apis                      = []
+}
+
+module "storage_bucket_iam_bindings_0" {
+  source = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
+  storage_buckets = [
+    "example-bucket",
+  ]
+  mode = "additive"
+
+  bindings = {
+    "roles/storage.admin" = [
+      "serviceAccount:[email protected]",
+    ],
+  }
+}
+
+module "project_iam_bindings_1" {
+  source = "terraform-google-modules/iam/google//modules/projects_iam"
+  projects = [
+    "example-prod-data",
+  ]
+  mode = "additive"
+
+  bindings = {
+    "roles/browser" = [
+      "serviceAccount:[email protected]",
+    ],
+  }
+}

examples/tfengine/iam_bindings.hcl

@@ -0,0 +1,73 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# {{$recipes := "../../templates/tfengine/recipes"}}
+
+data = {
+  parent_type      = "folder" # One of `organization` or `folder`.
+  parent_id        = "12345678"
+  billing_account  = "000-000-000"
+  state_bucket     = "example-terraform-state"
+  storage_location = "us-central1"
+}
+
+template "iam_bindings" {
+  recipe_path = "{{$recipes}}/project.hcl"
+  output_path = "./iam_bindings"
+  data = {
+    project = {
+      project_id = "example-iam"
+      exists     = false
+    }
+    iam_bindings = [{
+      parent_type = "storage_bucket"
+      parent_ids = [
+        "example-bucket",
+      ]
+      bindings = {
+        "roles/storage.legacyBucketReader" = [
+          "serviceAccount:[email protected]",
+          "group:[email protected]",
+          "user:[email protected]"
+        ]
+        "roles/storage.legacyBucketWriter" = [
+          "serviceAccount:[email protected]",
+        ]
+      }
+    },
+    {
+      parent_type = "project"
+      parent_ids = [
+        "example-project-one",
+        "example-project-two",
+      ]
+      bindings = {
+        "roles/compute.networkAdmin" = [
+          "serviceAccount:[email protected]",
+        ]
+      }
+    },
+    {
+      parent_type = "project"
+      parent_ids = [
+        "example-project-one"
+      ]
+      bindings = {
+        "roles/compute.loadBalancerAdmin" = [
+          "serviceAccount:[email protected]",
+        ]
+      }
+    }]
+  }
+}

examples/tfengine/modules/foundation.hcl

@@ -140,6 +140,7 @@ template "cicd" {
           "project_networks",
           "project_apps",
           "project_data",
+          "projetc_iam",
         ]
       }
     ]

examples/tfengine/modules/team.hcl

@@ -442,6 +442,40 @@ EOF
   }
 }
 
+# IAM bindings - adding storage admin permissions to a service account.
+template "project_iam" {
+  recipe_path = "{{.recipes}}/project.hcl"
+  output_path = "./project_iam"
+  data = {
+    project = {
+      project_id = "{{.prefix}}-{{.env}}-iam"
+      // exists     = false
+    }
+    iam_bindings = [{
+      parent_type = "storage_bucket"
+      parent_ids = [
+        "{{.prefix}}-bucket",
+      ]
+      bindings = {
+        "roles/storage.admin" = [
+          "serviceAccount:runner@{{.prefix}}-{{.env}}-apps.iam.gserviceaccount.com"
+        ]
+      }
+    },
+    {
+      parent_type = "project"
+      parent_ids = [
+        "{{.prefix}}-{{.env}}-data",
+      ]
+      bindings = {
+        "roles/browser" = [
+          "serviceAccount:runner@{{.prefix}}-{{.env}}-apps.iam.gserviceaccount.com"
+        ]
+      }
+    }]
+  }
+}
+
 # Kubernetes Terraform deployment. This should be deployed after the GKE Cluster has been deployed.
 template "kubernetes" {
   recipe_path = "{{.recipes}}/deployment.hcl"