From efa8ab1e9c5fdabca045d53546abe22a08e43629 Mon Sep 17 00:00:00 2001
From: alaincormier-ssc <94859304+alaincormier-ssc@users.noreply.github.com>
Date: Fri, 24 Nov 2023 12:38:54 -0400
Subject: [PATCH] feat: add example to manage client project iam permissions (#724)
* feat: add example to manage client project iam permissions
* rename setter, update users role example, fix typo
* remove client reference
---
 .../tier3/client-project-iam/Kptfile | 18 +++++
 .../tier3/client-project-iam/README.md | 77 +++++++++++++++++++
 .../client-project-iam/iam-tier4-sa.yaml | 33 ++++++++
 .../tier3/client-project-iam/iam-users.yaml | 63 +++++++++++++++
 .../tier3/client-project-iam/setters.yaml | 46 +++++++++++
 5 files changed, 237 insertions(+)
 create mode 100644 examples/landing-zone-v2/configconnector/tier3/client-project-iam/Kptfile
 create mode 100755 examples/landing-zone-v2/configconnector/tier3/client-project-iam/README.md
 create mode 100644 examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-tier4-sa.yaml
 create mode 100644 examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-users.yaml
 create mode 100644 examples/landing-zone-v2/configconnector/tier3/client-project-iam/setters.yaml
diff --git a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/Kptfile b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/Kptfile
new file mode 100644
index 000000000..f7bf74074
--- /dev/null
+++ b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/Kptfile
@@ -0,0 +1,18 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: client-project-iam
+ annotations:
+ config.kubernetes.io/local-config: "true"
+info:
+ description: |
+ Landing zone v2 subpackage.
+ Depends on `client-project-setup` package and tier3 namespace.
+
+ **Example** to manage users and tier4 service account roles.
+
+ Edit roles based on the project's requirements and deploy once per service project in the tier3 namespace.
+pipeline:
+ mutators:
+ - image: gcr.io/kpt-fn/apply-setters:v0.2
+ configPath: setters.yaml
diff --git a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/README.md b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/README.md
new file mode 100755
index 000000000..847cd22b9
--- /dev/null
+++ b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/README.md
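Review bot: The apply-setters function on the `image:` line is pinned only by the mutable tag `gcr.io/kpt-fn/apply-setters:v0.2`, so `kpt fn render` pulls whatever that tag resolves to on the day it runs. Pinning by digest, `image: gcr.io/kpt-fn/apply-setters:v0.2@sha256:<DIGEST-PLACEHOLDER>`, makes the render step reproducible and turns a registry retag into a visible failure rather than a silently different mutator. If the sibling packages in this tree pin by tag, the change should be made consistently across them rather than in this package alone.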
@@ -0,0 +1,77 @@
+
+# client-project-iam
+
+
+
+
+
+
+Landing zone v2 subpackage.
+Depends on `client-project-setup` package and tier3 namespace.
+
+**Example** to manage users and tier4 service account roles.
+
+Edit roles based on the project's requirements and deploy once per service project in the tier3 namespace.
+
+## Setters
+
+| Name | Value | Type | Count |
+|-------------|-------------------------|------|-------|
+| project-id | client-project-12345 | str | 5 |
+| users-group | group:users@example.com | str | 7 |
+
+## Sub-packages
+
+This package has no sub-packages.
+
+## Resources
+
+| File | APIVersion | Kind | Name | Namespace |
+|-------------------|-----------------------------------|------------------|---------------------------------|-----------|
+| iam-tier4-sa.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPartialPolicy | project-id-tier4-sa-permissions | |
+| iam-users.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPartialPolicy | project-id-users-permissions | |
+
+## Resource References
+
+- [IAMPartialPolicy](https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampartialpolicy)
+
+## Usage
+
+1. Clone the package:
+ ```shell
+ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/examples/landing-zone-v2/configconnector/tier3/client-project-iam@${VERSION}
+ ```
+ Replace `${VERSION}` with the desired repo branch or tag
+ (for example, `main`).
+
+1. Move into the local package:
+ ```shell
+ cd "./client-project-iam/"
+ ```
+
+1. Edit the function config file(s):
+ - setters.yaml
+
+1. Execute the function pipeline
+ ```shell
+ kpt fn render
+ ```
+
+1. Initialize the resource inventory
+ ```shell
+ kpt live init --namespace ${NAMESPACE}
+ ```
+ Replace `${NAMESPACE}` with the namespace in which to manage
+ the inventory ResourceGroup (for example, `config-control`).
+
+1. Apply the package resources to your cluster
+ ```shell
+ kpt live apply
+ ```
+
+1. Wait for the resources to be ready
+ ```shell
+ kpt live status --output table --poll-until current
+ ```
+
+
diff --git a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-tier4-sa.yaml b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-tier4-sa.yaml
new file mode 100644
index 000000000..68ecf5824
--- /dev/null
+++ b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-tier4-sa.yaml
@@ -0,0 +1,33 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# AU-9, AC-3 - IAM Partial Policy that binds tier4 namespace service account to the required minimum project scoped roles to deploy allowed resources
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPartialPolicy
+metadata:
+ name: project-id-tier4-sa-permissions # kpt-set: ${project-id}-tier4-sa-permissions
+ annotations:
+ cnrm.cloud.google.com/ignore-clusterless: "true"
+spec:
+ resourceRef:
+ kind: Project
+ external: projects/project-id # kpt-set: projects/${project-id}
+ # AU-9, AC-3
+ bindings:
+ # edit / add roles to tier4-sa as required
+ #
+ # "Instance Admin" - required to deploy compute instances
+ - role: roles/compute.instanceAdmin
+ members:
+ - member: "serviceAccount:tier4-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier4-sa@${project-id}.iam.gserviceaccount.com
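Review bot: The comment above `- role: roles/compute.instanceAdmin` states what the role is for but not what it deliberately leaves out, while the `# edit / add roles to tier4-sa as required` line invites readers to widen it. This role by itself does not let the tier4 service account attach another service account to the instances it creates (that requires `roles/iam.serviceAccountUser` on the target account), so a reader who hits that error may reach for a primitive role instead of a scoped grant. A sentence in the comment stating that the omission is intentional would head that off, for example `# NOTE: roles/iam.serviceAccountUser is intentionally absent; grant it on a specific target service account only if instances must run as that account`. The `# AU-9, AC-3` line above `bindings:` repeats the file header and could carry that explanation instead.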
diff --git a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-users.yaml b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-users.yaml
new file mode 100644
index 000000000..92a881ae6
--- /dev/null
+++ b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-users.yaml
@@ -0,0 +1,63 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# AU-9, AC-3 - IAM Partial Policy that binds users to the required minimum project scoped roles to perform duties
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPartialPolicy
+metadata:
+ name: project-id-users-permissions # kpt-set: ${project-id}-users-permissions
+ annotations:
+ cnrm.cloud.google.com/ignore-clusterless: "true"
+spec:
+ resourceRef:
+ kind: Project
+ external: projects/project-id # kpt-set: projects/${project-id}
+ # AU-9, AC-3
+ bindings:
+ # edit / add roles to users as required
+ #
+ # "Viewer" - required to view the project and its resources
+ - role: roles/viewer
+ members:
+ - member: users-group # kpt-set: ${users-group}
+ #
+ # "Secret Manager Secret Version Adder" - required to add a version to an existing secret
+ - role: roles/secretmanager.secretVersionAdder
+ members:
+ - member: users-group # kpt-set: ${users-group}
+ #
+ # "Cloud KMS Admin" - required to manage Key Management Service resources
+ - role: roles/cloudkms.admin
+ members:
+ - member: users-group # kpt-set: ${users-group}
+ #
+ # "Monitoring Editor" - required to edit monitoring configurations
+ - role: roles/monitoring.editor
+ members:
+ - member: users-group # kpt-set: ${users-group}
+ #
+ # "Error Reporting Admin" - required to create log based alerts. It grants permissions to create error reports and notification rules
+ - role: roles/errorreporting.admin
+ members:
+ - member: users-group # kpt-set: ${users-group}
+ #
+ # "Tech Support Editor" - required to create support ticket with Google Support
+ - role: roles/cloudsupport.techSupportEditor
+ members:
+ - member: users-group # kpt-set: ${users-group}
+ #
+ # "Essential Contacts Admin" - required to manage essential contacts for the project
+ - role: roles/essentialcontacts.admin
+ members:
+ - member: users-group # kpt-set: ${users-group}
diff --git a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/setters.yaml b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/setters.yaml
new file mode 100644
index 000000000..0102520cc
--- /dev/null
+++ b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/setters.yaml
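Review bot: The `roles/cloudkms.admin` binding on the users group is the one entry in this file that is hard to square with the header's `required minimum project scoped roles`: Cloud KMS Admin permits creating and scheduling destruction of key versions and changing IAM on keys, while the comment above it only justifies managing KMS resources. Because this package is presented as an example to copy, the role is likely to be deployed as-is; if developers need day-to-day key use rather than lifecycle control, `roles/cloudkms.viewer` at project scope plus a key-scoped grant where encryption is needed fits the stated intent better. If admin really is required, the comment should say why, for example `# "Cloud KMS Admin" - required because <reason>; note this allows key version destruction and key IAM changes`. The `# edit / add roles to users as required` line could also remind readers to keep the member a group, as the setter's `group:` example does.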
@@ -0,0 +1,46 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: setters
+ annotations:
+ config.kubernetes.io/local-config: "true"
+data:
+ ##########################
+ # Instructions
+ ##########################
+ #
+ # Follow instructions specific to each section.
+ #
+ ##########################
+ # Project
+ ##########################
+ #
+ # the project id that was created by the client-project-setup
+ # customization: required
+ project-id: client-project-12345
+ #
+ ##########################
+ # IAM
+ ##########################
+ #
+ # a group of users (i.e. app developers, etc.) to be granted permissions on the project
+ # customization: required
+ users-group: group:users@example.com
+ #
+ ##########################
+ # End of Configurations
+ ##########################
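Review bot: The `users-group` setter value is substituted verbatim into every `member:` field of iam-users.yaml, so the IAM member-type prefix (`group:` in the example value) is part of the required input rather than decoration, but the comment above it does not say so and a value without a prefix would not be a valid IAM member. Suggest extending the comment: `# must include the IAM member type prefix, e.g. group:<name>@<domain>; use a group rather than individual user: members`. The same holds for `project-id`, which is also spliced into the `serviceAccount:tier4-sa@...` member in iam-tier4-sa.yaml, so the comment could note that it must match the id used by the client-project-setup package exactly, since a mismatch would either be rejected or reference a principal in a different project.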