# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Cloud Foundation Toolkit blueprint metadata for the Secret Manager IAM
# submodule of terraform-google-iam. It is descriptive only: it documents the
# module's inputs/outputs and what the *test/actuation* principal needs, and
# grants nothing by itself. Presumably produced by the CFT metadata generator
# (`cft blueprint metadata`) -- prefer regenerating over hand-editing.
apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
  name: terraform-google-iam
  annotations:
    # kpt/kustomize convention: marks this file as local configuration, not a
    # resource to be applied to a cluster.
    config.kubernetes.io/local-config: "true"
spec:
  title: Module Secret Manager IAM
  source:
    repo: https://github.com/terraform-google-modules/terraform-google-iam/
    sourceType: git
  actuationTool:
    type: Terraform
    # Quoted on purpose: an unquoted leading '>' would be read by YAML as a
    # folded-block-scalar indicator, not as part of the version constraint.
    version: '>= 0.13'
  # Examples for the whole repository, not only the Secret Manager submodule;
  # most entries below exercise other resource types (billing account, folder,
  # organization, custom roles, KMS, Pub/Sub, ...).
  examples:
    - name: bigquery_dataset
      location: examples/bigquery_dataset
    - name: billing_account
      location: examples/billing_account
    - name: cloud_run_service
      location: examples/cloud_run_service
    - name: custom_role_org
      location: examples/custom_role_org
    - name: custom_role_project
      location: examples/custom_role_project
    - name: folder
      location: examples/folder
    - name: kms_crypto_key
      location: examples/kms_crypto_key
    - name: kms_key_ring
      location: examples/kms_key_ring
    - name: member_iam
      location: examples/member_iam
    - name: organization
      location: examples/organization
    - name: project
      location: examples/project
    - name: project_conditions
      location: examples/project_conditions
    - name: pubsub_subscription
      location: examples/pubsub_subscription
    - name: pubsub_topic
      location: examples/pubsub_topic
    - name: secret_manager
      location: examples/secret_manager
    - name: service_account
      location: examples/service_account
    - name: stackdriver_agent_roles
      location: examples/stackdriver_agent_roles
    - name: storage_bucket
      location: examples/storage_bucket
    - name: subnet
      location: examples/subnet
  variables:
    # Keys are IAM roles (e.g. roles/secretmanager.secretAccessor), values are
    # lists of fully qualified principals ("user:", "group:",
    # "serviceAccount:" ...). The only required input.
    # NOTE(review): map(any) is not validated here -- a binding that grants
    # secretAccessor to allUsers/allAuthenticatedUsers would make the secret
    # payloads readable by anyone; review members before applying.
    - name: bindings
      description: Map of role (key) and list of members (value) to add the IAM policies/bindings
      type: map(any)
      required: true
    # IAM Conditions (CEL `expression`) attached to a role binding. None of the
    # object fields is optional(), so every entry must supply role, title,
    # description, expression and members.
    - name: conditional_bindings
      description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings
      type: |-
        list(object({
          role = string
          title = string
          description = string
          expression = string
          members = list(string)
        }))
      default: []
      required: false
    # Accepted values per the description: "additive" (default) or
    # "authoritative".
    # NOTE(review): in the Google provider's IAM resources, authoritative mode
    # replaces the existing members of each managed role with exactly what is
    # configured, which can silently drop bindings created elsewhere (e.g. for
    # service agents); confirm against the module README before switching
    # away from the additive default.
    - name: mode
      description: Mode for adding the IAM policies/bindings, additive and authoritative
      type: string
      default: additive
      required: false
    # Presumably the project that owns the secrets; default is an explicit
    # empty string, not null. TODO confirm how the module resolves the project
    # when `secrets` are given as bare IDs rather than full resource names.
    - name: project
      description: Project to add the IAM policies/bindings
      type: string
      default: ""
      required: false
    # Secret Manager secrets that receive the bindings above; empty by default,
    # so the module is a no-op unless at least one secret is listed.
    - name: secrets
      description: Secret Manager Secrets list to add the IAM policies/bindings
      type: list(string)
      default: []
      required: false
  outputs:
    - name: members
      description: Members which were bound to the Secret Manager Secrets.
    - name: roles
      description: Roles which were assigned to members.
    - name: secrets
      description: Secret Manager Secrets which received for bindings.
  # Roles the *test/actuation* principal needs to run the integration tests of
  # every example listed above. This is a deliberately broad CI superset
  # (roles/owner, roles/billing.admin, roles/resourcemanager.organizationAdmin
  # ...), NOT the least-privilege set for using the Secret Manager submodule.
  # Consumers should not copy this list: the submodule only needs permission
  # to set IAM policy on the target secrets (presumably
  # roles/secretmanager.admin scoped to those secrets -- confirm against the
  # module README).
  # NOTE(review): every group is labelled `level: Project`, yet several roles
  # are organization-, folder- or billing-account-scoped
  # (iam.organizationRoleAdmin, orgpolicy.policyAdmin,
  # resourcemanager.organizationAdmin, resourcemanager.folderAdmin,
  # resourcemanager.projectCreator, billing.admin). This looks like a
  # mislabel -- TODO confirm against the generator's output.
  # roles/owner and roles/composer.worker each appear in two groups; harmless
  # duplication, most likely a generation artifact.
  roles:
    - level: Project
      roles:
        - roles/iam.organizationRoleAdmin
        - roles/orgpolicy.policyAdmin
        - roles/resourcemanager.organizationAdmin
    - level: Project
      roles:
        - roles/owner
        - roles/resourcemanager.projectIamAdmin
        - roles/iam.serviceAccountAdmin
        - roles/compute.admin
        - roles/compute.networkAdmin
        - roles/compute.storageAdmin
        - roles/pubsub.admin
        - roles/cloudkms.admin
        - roles/storage.admin
        - roles/composer.worker
        - roles/secretmanager.admin
    - level: Project
      roles:
        - roles/resourcemanager.projectCreator
        - roles/resourcemanager.folderAdmin
        - roles/resourcemanager.folderIamAdmin
        - roles/owner
        - roles/billing.projectManager
        - roles/composer.worker
    - level: Project
      roles:
        - roles/billing.user
    - level: Project
      roles:
        - roles/billing.admin
  # APIs to enable in the test project. Again a superset covering every
  # example (BigQuery, Pub/Sub, KMS, Compute, IAP ...); a deployment of the
  # Secret Manager submodule alone needs only secretmanager.googleapis.com
  # (and the IAM/resource-manager APIs Terraform itself calls).
  services:
    - admin.googleapis.com
    - appengine.googleapis.com
    - cloudbilling.googleapis.com
    - cloudresourcemanager.googleapis.com
    - compute.googleapis.com
    - iam.googleapis.com
    - iamcredentials.googleapis.com
    - oslogin.googleapis.com
    - serviceusage.googleapis.com
    - cloudkms.googleapis.com
    - pubsub.googleapis.com
    - storage-api.googleapis.com
    - servicenetworking.googleapis.com
    - storage-component.googleapis.com
    - iap.googleapis.com
    - secretmanager.googleapis.com
    - bigquery.googleapis.com