From d6d503e7dd965deb1c57fabb260fbf80dc84d2f4 Mon Sep 17 00:00:00 2001 
From: g-awmalik Date: Tue, 27 Dec 2022 10:45:07 -0800 Subject: [PATCH] fix: fixes lint issues and generate metadata (#175) Co-authored-by: Awais Malik --- .kitchen.yml | 6 + Makefile | 2 +- build/int.cloudbuild.yaml | 2 +- build/lint.cloudbuild.yaml | 2 +- examples/kms_crypto_key/README.md | 1 - examples/kms_crypto_key/variables.tf | 5 - examples/kms_key_ring/README.md | 1 - examples/kms_key_ring/variables.tf | 5 - examples/service_account/README.md | 13 +- examples/service_account/variables.tf | 11 +- metadata.yaml | 150 ++++++++++++++++ modules/artifact_registry_iam/metadata.yaml | 148 ++++++++++++++++ modules/artifact_registry_iam/variables.tf | 1 + modules/artifact_registry_iam/versions.tf | 5 + modules/audit_config/metadata.yaml | 129 ++++++++++++++ modules/bigquery_datasets_iam/metadata.yaml | 142 +++++++++++++++ modules/bigquery_datasets_iam/variables.tf | 1 + modules/billing_accounts_iam/metadata.yaml | 139 +++++++++++++++ modules/custom_role_iam/metadata.yaml | 167 ++++++++++++++++++ modules/folders_iam/metadata.yaml | 152 ++++++++++++++++ modules/helper/README.md | 25 +++ modules/helper/metadata.yaml | 154 ++++++++++++++++ modules/helper/variables.tf | 1 + modules/helper/versions.tf | 19 ++ modules/kms_crypto_keys_iam/metadata.yaml | 152 ++++++++++++++++ modules/kms_key_rings_iam/metadata.yaml | 152 ++++++++++++++++ modules/kms_key_rings_iam/variables.tf | 1 + modules/member_iam/metadata.yaml | 140 +++++++++++++++ modules/organizations_iam/metadata.yaml | 152 ++++++++++++++++ modules/organizations_iam/variables.tf | 1 + modules/projects_iam/metadata.yaml | 152 ++++++++++++++++ modules/projects_iam/variables.tf | 1 + .../pubsub_subscriptions_iam/metadata.yaml | 144 +++++++++++++++ modules/pubsub_subscriptions_iam/variables.tf | 1 + modules/pubsub_topics_iam/metadata.yaml | 144 +++++++++++++++ modules/pubsub_topics_iam/variables.tf | 1 + modules/secret_manager_iam/metadata.yaml | 155 ++++++++++++++++ modules/secret_manager_iam/variables.tf | 1 + 
modules/service_accounts_iam/metadata.yaml | 157 ++++++++++++++++ modules/service_accounts_iam/variables.tf | 1 + modules/storage_buckets_iam/metadata.yaml | 152 ++++++++++++++++ modules/storage_buckets_iam/variables.tf | 1 + modules/subnets_iam/metadata.yaml | 161 +++++++++++++++++ modules/subnets_iam/variables.tf | 1 + 44 files changed, 2925 insertions(+), 26 deletions(-) create mode 100644 metadata.yaml create mode 100644 modules/artifact_registry_iam/metadata.yaml create mode 100644 modules/audit_config/metadata.yaml create mode 100644 modules/bigquery_datasets_iam/metadata.yaml create mode 100644 modules/billing_accounts_iam/metadata.yaml create mode 100644 modules/custom_role_iam/metadata.yaml create mode 100644 modules/folders_iam/metadata.yaml create mode 100644 modules/helper/README.md create mode 100644 modules/helper/metadata.yaml create mode 100644 modules/helper/versions.tf create mode 100644 modules/kms_crypto_keys_iam/metadata.yaml create mode 100644 modules/kms_key_rings_iam/metadata.yaml create mode 100644 modules/member_iam/metadata.yaml create mode 100644 modules/organizations_iam/metadata.yaml create mode 100644 modules/projects_iam/metadata.yaml create mode 100644 modules/pubsub_subscriptions_iam/metadata.yaml create mode 100644 modules/pubsub_topics_iam/metadata.yaml create mode 100644 modules/secret_manager_iam/metadata.yaml create mode 100644 modules/service_accounts_iam/metadata.yaml create mode 100644 modules/storage_buckets_iam/metadata.yaml create mode 100644 modules/subnets_iam/metadata.yaml diff --git a/.kitchen.yml b/.kitchen.yml index 31bb5e7a..9c944019 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -32,6 +32,7 @@ suites: name: terraform command_timeout: 1800 root_module_directory: test/fixtures/additive + verify_version: false verifier: name: terraform systems: @@ -46,6 +47,7 @@ suites: name: terraform command_timeout: 1800 root_module_directory: test/fixtures/authoritative + verify_version: false verifier: name: terraform systems: 
@@ -64,6 +66,7 @@ suites: name: terraform command_timeout: 1800 root_module_directory: test/fixtures/static-and-dynamic + verify_version: false verifier: name: terraform systems: @@ -77,6 +80,7 @@ suites: name: terraform command_timeout: 1800 root_module_directory: test/fixtures/member-iam + verify_version: false verifier: name: terraform systems: @@ -90,6 +94,7 @@ suites: name: terraform command_timeout: 1800 root_module_directory: test/fixtures/billing-iam + verify_version: false verifier: name: terraform systems: @@ -103,6 +108,7 @@ suites: name: terraform command_timeout: 1800 root_module_directory: test/fixtures/custom-role + verify_version: false verifier: name: terraform systems: diff --git a/Makefile b/Makefile index 30643a85..a9d53314 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.0 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index ff2abe5d..ead2f88e 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -275,4 +275,4 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index d5704913..9e1353e2 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml @@ -21,4 +21,4 @@ tags: - 'lint' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' diff --git a/examples/kms_crypto_key/README.md b/examples/kms_crypto_key/README.md index 2c30acce..8ac9d913 100644 --- a/examples/kms_crypto_key/README.md +++ b/examples/kms_crypto_key/README.md 
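Review bot: `verify_version: false` switches off kitchen-terraform's check that the Terraform client on PATH is a version the driver supports, so all six suites now run against whatever binary the tooling image ships with no warning; the only pin left is the mutable `1.10` tag of `cft/developer-tools` bumped in the same commit. A one-line comment above each occurrence would record the reason, e.g. `# Terraform version is pinned by the cft/developer-tools image; skip the driver's own check`. If the goal is reproducible test runs rather than just silencing the driver, consider referencing that image by digest in the Makefile and Cloud Build substitutions so the Terraform version under test cannot drift behind the same tag.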
@@ -10,7 +10,6 @@ This example illustrates how to use the `kms_crypto_keys_iam` submodule | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | | kms\_crypto\_key\_one | First kms\_cripto\_key to add the IAM policies/bindings | `string` | n/a | yes | | kms\_crypto\_key\_two | Second kms\_cripto\_key to add the IAM policies/bindings | `string` | n/a | yes | -| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | ## Outputs diff --git a/examples/kms_crypto_key/variables.tf b/examples/kms_crypto_key/variables.tf index ee9674e0..ccdc1f09 100644 --- a/examples/kms_crypto_key/variables.tf +++ b/examples/kms_crypto_key/variables.tf @@ -19,11 +19,6 @@ variable "group_email" { description = "Email for group to receive roles (ex. group@example.com)" } -variable "sa_email" { - type = string - description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" -} - variable "user_email" { type = string description = "Email for group to receive roles (Ex. user@example.com)" diff --git a/examples/kms_key_ring/README.md b/examples/kms_key_ring/README.md index 96faf5b2..268dba04 100644 --- a/examples/kms_key_ring/README.md +++ b/examples/kms_key_ring/README.md 
@@ -10,7 +10,6 @@ This example illustrates how to use the `kms_key_rings_iam` submodule | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | | kms\_key\_ring\_one | First kms\_ring to add the IAM policies/bindings | `string` | n/a | yes | | kms\_key\_ring\_two | First kms\_ring to add the IAM policies/bindings | `string` | n/a | yes | -| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | ## Outputs diff --git a/examples/kms_key_ring/variables.tf b/examples/kms_key_ring/variables.tf index 4133e08e..c86f941b 100644 --- a/examples/kms_key_ring/variables.tf +++ b/examples/kms_key_ring/variables.tf @@ -19,11 +19,6 @@ variable "group_email" { description = "Email for group to receive roles (ex. group@example.com)" } -variable "sa_email" { - type = string - description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" -} - variable "user_email" { type = string description = "Email for group to receive roles (Ex. user@example.com)" diff --git a/examples/service_account/README.md b/examples/service_account/README.md index 37fcc99b..5883d658 100644 --- a/examples/service_account/README.md +++ b/examples/service_account/README.md 
@@ -7,13 +7,12 @@ This example illustrates how to use the `service_accounts_iam` submodule | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| credentials\_file\_path | Path to the service account | `any` | n/a | yes | -| group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | -| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | -| service\_account\_one | First service Account to add the IAM policies/bindings | `string` | n/a | yes | -| service\_account\_project | Project id of the service account | `string` | n/a | yes | -| service\_account\_two | First service Account to add the IAM policies/bindings | `string` | n/a | yes | -| user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | +| group\_email | Email for group to receive roles (ex. group@example.com) | `string` | `"goose_net_admins@goosecorp.org"` | no | +| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | `"sa-tf-test-receiver-01@ci-iam-0c5f.iam.gserviceaccount.com"` | no | +| service\_account\_one | First service Account to add the IAM policies/bindings | `string` | `"sa-tf-test-01@ci-iam-0c5f.iam.gserviceaccount.com"` | no | +| service\_account\_project | Project id of the service account | `string` | `"ci-iam-0c5f"` | no | +| service\_account\_two | First service Account to add the IAM policies/bindings | `string` | `"sa-tf-test-02@ci-iam-0c5f.iam.gserviceaccount.com"` | no | +| user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | `"awmalik@google.com"` | no | ## Outputs diff --git a/examples/service_account/variables.tf b/examples/service_account/variables.tf index ba882576..0b2b7087 100644 --- a/examples/service_account/variables.tf +++ b/examples/service_account/variables.tf 
@@ -17,16 +17,20 @@ variable "group_email" { type = string description = "Email for group to receive roles (ex. group@example.com)" + default = "goose_net_admins@goosecorp.org" } variable "sa_email" { type = string description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" + default = "sa-tf-test-receiver-01@ci-iam-0c5f.iam.gserviceaccount.com" } variable "user_email" { type = string description = "Email for group to receive roles (Ex. user@example.com)" + default = "awmalik@google.com" + } /****************************************** @@ -35,18 +39,17 @@ variable "user_email" { variable "service_account_project" { type = string description = "Project id of the service account" + default = "ci-iam-0c5f" } variable "service_account_one" { type = string description = "First service Account to add the IAM policies/bindings" + default = "sa-tf-test-01@ci-iam-0c5f.iam.gserviceaccount.com" } variable "service_account_two" { type = string description = "First service Account to add the IAM policies/bindings" -} - -variable "credentials_file_path" { - description = "Path to the service account" + default = "sa-tf-test-02@ci-iam-0c5f.iam.gserviceaccount.com" } diff --git a/metadata.yaml b/metadata.yaml new file mode 100644 index 00000000..970f5857 --- /dev/null +++ b/metadata.yaml 
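Review bot: The new `default` values bind real principals — a `goosecorp.org` group, a personal `@google.com` address and three service accounts in the `ci-iam-0c5f` CI project — so anyone who applies this example after overriding only `service_account_project` presumably grants roles on their own service accounts to identities outside their organization, and an internal project id plus a personal email are now published in the module docs. The sibling examples touched in this commit (`kms_crypto_key`, `kms_key_ring`) leave these inputs required; this one should too, with the CI values supplied from the test fixture or a tfvars file rather than `variables.tf`. If defaults are wanted so `terraform validate` passes, use placeholders that match the descriptions, e.g. `default = "group@example.com"`. While here, the context line `description = "First service Account to add the IAM policies/bindings"` under `service_account_two` should read `Second service Account …`.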
@@ -0,0 +1,150 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Google IAM Terraform Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + subBlueprints: + - name: artifact_registry_iam + location: modules/artifact_registry_iam + - name: audit_config + location: modules/audit_config + - name: bigquery_datasets_iam + location: modules/bigquery_datasets_iam + - name: billing_accounts_iam + location: modules/billing_accounts_iam + - name: custom_role_iam + location: modules/custom_role_iam + - name: folders_iam + location: modules/folders_iam + - name: helper + location: modules/helper + - name: kms_crypto_keys_iam + location: modules/kms_crypto_keys_iam + - name: kms_key_rings_iam + location: modules/kms_key_rings_iam + - name: member_iam + location: modules/member_iam + - name: organizations_iam + location: modules/organizations_iam + - name: projects_iam + location: modules/projects_iam + - name: pubsub_subscriptions_iam + location: modules/pubsub_subscriptions_iam + - name: pubsub_topics_iam + location: modules/pubsub_topics_iam + - name: secret_manager_iam + location: modules/secret_manager_iam + - name: service_accounts_iam + location: modules/service_accounts_iam + - name: 
storage_buckets_iam + location: modules/storage_buckets_iam + - name: subnets_iam + location: modules/subnets_iam + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + roles: + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: 
+ - roles/billing.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/artifact_registry_iam/metadata.yaml b/modules/artifact_registry_iam/metadata.yaml new file mode 100644 index 00000000..b9e97fcc --- /dev/null +++ b/modules/artifact_registry_iam/metadata.yaml 
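Review bot: Every entry in `roles` is tagged `level: Project`, including `roles/iam.organizationRoleAdmin`, `roles/resourcemanager.organizationAdmin`, `roles/orgpolicy.policyAdmin`, `roles/resourcemanager.folderAdmin` and `roles/billing.admin`, which are granted on an organization, folder or billing account rather than a project, so the file misstates the privilege a reader would have to provision. The five groups look like the per-test-service-account grants from `test/setup` (not in this diff) rather than what a consumer of the module needs, and `roles/owner` appears twice; if the generator cannot express the real level or scope, a comment such as `# roles below are those granted to the CI test service accounts, not requirements for module consumers` above `roles:` would stop readers from over-provisioning. Since the commit generates this file, the fix belongs in whatever the generator reads, not in a hand edit here.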
@@ -0,0 +1,148 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module Artifact registry repository IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: 
examples/stackdriver_agent_roles + - name: storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: location + description: Location of the provided artifact registry repositories + type: string + required: true + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: project + description: Project where the artifact registry repositories are placed + type: string + required: true + - name: repositories + description: Artifact registry repositories list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + outputs: + - name: members + description: Members which were bound to artifact registry repositories. + - name: repositories + description: Artifact registry repositories which received bindings. + - name: roles + description: Roles which were assigned to members. 
+ roles: + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/artifact_registry_iam/variables.tf b/modules/artifact_registry_iam/variables.tf index 3636d047..507c00a2 100644 --- a/modules/artifact_registry_iam/variables.tf +++ b/modules/artifact_registry_iam/variables.tf @@ -32,6 +32,7 @@ variable "project" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/artifact_registry_iam/versions.tf b/modules/artifact_registry_iam/versions.tf index a4baf7a9..703fc004 100644 --- a/modules/artifact_registry_iam/versions.tf +++ b/modules/artifact_registry_iam/versions.tf 
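Review bot: The `examples` list is the whole repository's example set — none of the eighteen names is an artifact-registry example — and the `roles`/`services` blocks are the same repo-wide CI list copied into this submodule, so the file says nothing about what `artifact_registry_iam` itself needs beyond the `variables` it declares (`project`, `location`, `repositories`, `bindings` as `map(list(string))`). If the generator cannot scope examples and roles per submodule, drop the unrelated examples here; otherwise a note such as `# examples/roles/services below are inherited from the root module, not specific to this submodule` keeps the file from being read as this module's own requirements. As in the root file, organization- and billing-level roles are labelled `level: Project`.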
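Review bot: Adding `type = string` to `mode` still accepts any string; a typo such as `authoritive` would presumably fall through whatever `var.mode == "authoritative"` comparison the module makes to the other branch (that comparison is outside this hunk), silently producing additive bindings when authoritative was intended or, worse, the reverse on a resource's full IAM policy. A `validation` block rejects it at plan time, and Terraform `>= 0.13`, which the module's metadata declares, supports it. The `variable "mode"` block is fully inside the hunk.
```hcl
variable "mode" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["additive", "authoritative"], var.mode)
    error_message = "mode must be either \"additive\" or \"authoritative\"."
  }
}
```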
@@ -22,6 +22,11 @@ terraform { source = "hashicorp/google" version = ">= 3.53, < 5.0" } + + google-beta = { + source = "hashicorp/google-beta" + version = ">= 3.53, < 5.0" + } } provider_meta "google" { diff --git a/modules/audit_config/metadata.yaml b/modules/audit_config/metadata.yaml new file mode 100644 index 00000000..4e5192e7 --- /dev/null +++ b/modules/audit_config/metadata.yaml 
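Review bot: The added `google-beta` requirement makes every consumer download and lock a second provider, which is only justified if a resource in this module sets `provider = google-beta`; the hunk does not show one, so confirm it is needed and drop the block if the resources are GA in `google` across `>= 3.53, < 5.0`. If it stays, the `provider_meta "google" {` context line that follows is presumably the module-attribution stanza, and the same `module_name` should be declared in a `provider_meta "google-beta" { … }` block so usage through the beta provider is attributed as well. The `terraform {` block continues past the end of the hunk.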
@@ -0,0 +1,129 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module audit_config + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: audit_log_config + description: List of objects to be added to audit log config + type: 'list(object({ service : string, log_type : string, exempted_members : list(string) }))' + required: true + - name: project + description: Project to add the IAM policies/bindings + type: string + required: true + outputs: + - name: audit_log_config + description: Map of log type and exempted members to be added to service + roles: + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com 
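Review bot: The `audit_log_config` description, `List of objects to be added to audit log config`, does not say that `exempted_members` removes those principals from Cloud Audit Logs for the given `service` and `log_type`, which is the one field of this input a security reviewer needs to scrutinise. Suggested description: `List of audit log configs; members in exempted_members are excluded from Cloud Audit Logs for that service and log_type, so keep that list empty unless there is a documented need`. The output is described as a `Map of log type and exempted members to be added to service` while the input is a list of objects; worth reconciling so the two read consistently. As the commit generates this file, change the wording in the module's `variables.tf`/`outputs.tf` rather than here.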
diff --git a/modules/bigquery_datasets_iam/metadata.yaml b/modules/bigquery_datasets_iam/metadata.yaml new file mode 100644 index 00000000..a28cc575 --- /dev/null +++ b/modules/bigquery_datasets_iam/metadata.yaml 
@@ -0,0 +1,142 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module bigquery_datasets IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - 
name: storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bigquery_datasets + description: BigQuery dataset IDs list to add the IAM policies/bindings + type: list(string) + required: true + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(any) + required: true + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: project + description: Project to add the IAM policies/bindings + type: string + required: true + outputs: + - name: bigquery_datasets + description: Bigquery dataset IDs which received for bindings. + - name: members + description: Members which were bound to the bigquery datasets. + - name: roles + description: Roles which were assigned to members. + roles: + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - 
serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/bigquery_datasets_iam/variables.tf b/modules/bigquery_datasets_iam/variables.tf index b2dc3f71..9de7821a 100644 --- a/modules/bigquery_datasets_iam/variables.tf +++ b/modules/bigquery_datasets_iam/variables.tf @@ -26,6 +26,7 @@ variable "bigquery_datasets" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/billing_accounts_iam/metadata.yaml b/modules/billing_accounts_iam/metadata.yaml new file mode 100644 index 00000000..2084e6d4 --- /dev/null +++ b/modules/billing_accounts_iam/metadata.yaml 
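Review bot: `bindings` is typed `map(any)` here while the sibling modules in this commit (`artifact_registry_iam`, `billing_accounts_iam`) declare `map(list(string))`, so a caller can pass a map of strings or of objects and the failure surfaces only inside the module's own expression logic (not visible here) rather than at the variable boundary. Aligning it — `type = map(list(string))` in the module's `variables.tf`, from which this file is generated — gives the same early validation the other modules get. The `roles` and `examples` blocks carry the repo-wide list, as in the root file.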
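Review bot: `type = string` on `mode` still accepts any value; a misspelling such as `authoritive` would presumably fall through whatever `var.mode == "authoritative"` comparison the module makes (outside this hunk) to the other branch, silently producing additive bindings when authoritative was intended or vice-versa. A `validation` block with `condition = contains(["additive", "authoritative"], var.mode)` and a matching `error_message` rejects it at plan time, and Terraform `>= 0.13`, which the module's metadata declares, supports variable validation.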
@@ -0,0 +1,139 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module Billing Accounts IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - 
name: storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: billing_account_ids + description: Billing Accounts IDs list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + required: true + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + outputs: + - name: billing_account_ids + description: Billing Accounts which received bindings. + - name: members + description: Members which were bound to the billing accounts. + - name: roles + description: Roles which were assigned to members. + roles: + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - 
storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/custom_role_iam/metadata.yaml b/modules/custom_role_iam/metadata.yaml new file mode 100644 index 00000000..f79f47d7 --- /dev/null +++ b/modules/custom_role_iam/metadata.yaml 
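Review bot: The `roles` stanza lists organisation- and billing-scoped grants such as `roles/resourcemanager.organizationAdmin`, `roles/billing.admin` and `roles/owner` under `level: Project` for a module whose only job is binding IAM on billing accounts, and the same full set recurs in the new custom_role_iam, folders_iam, helper, kms_crypto_keys_iam, kms_key_rings_iam and member_iam metadata files, in a different group order each time. This looks like the integration-test principal's privilege set rather than what each module needs, so a consumer who provisions a deployer identity from this metadata would over-grant. Suggest trimming each file to the roles the module itself requires (here presumably a billing-account-level role — confirm against the module's resources) and, since the stanza appears to be generated, emitting the groups in a stable sorted order so the files diff cleanly.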
@@ -0,0 +1,167 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module Custom Role IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: base_roles + description: List of base predefined roles to use to compose custom role. + type: list(string) + default: [] + required: false + - name: description + description: Description of Custom role. + type: string + default: "" + required: false + - name: excluded_permissions + description: List of permissions to exclude from custom role. + type: list(string) + default: [] + required: false + - name: members + description: List of members to be added to custom role. + type: list(string) + required: true + - name: permissions + description: IAM permissions assigned to Custom Role. + type: list(string) + required: true + - name: role_id + description: ID of the Custom Role. + type: string + required: true + - name: stage + description: The current launch stage of the role. Defaults to GA. + type: string + default: GA + required: false + - name: target_id + description: Variable for project or organization ID. + type: string + required: true + - name: target_level + description: String variable to denote if custom role being created is at project or organization level. + type: string + default: project + required: false + - name: title + description: Human-readable title of the Custom Role, defaults to role_id. + type: string + default: "" + required: false + outputs: + - name: custom_role_id + description: ID of the custom role created. 
+ roles: + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/folders_iam/metadata.yaml b/modules/folders_iam/metadata.yaml new file mode 100644 index 00000000..c65abe84 --- /dev/null +++ b/modules/folders_iam/metadata.yaml 
@@ -0,0 +1,152 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module folder IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: folders + description: Folders list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + outputs: + - name: folders + description: Folders which received bindings. + - name: members + description: Members which were bound to the folders. + - name: roles + description: Roles which were assigned to members. 
+ roles: + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/helper/README.md b/modules/helper/README.md new file mode 100644 index 00000000..48e66ee6 --- /dev/null +++ b/modules/helper/README.md @@ -0,0 +1,25 @@ +# IAM helper + +This is a helper module. Do not use this module directly. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(list(string))` | `{}` | no | +| conditional\_bindings | List of maps of role and respective conditions, and the members to add the IAM policies/bindings |
list(object({
role = string
title = string
description = string
expression = string
members = list(string)
}))
| `[]` | no | +| entities | Entities list to add the IAM policies/bindings | `list(string)` | n/a | yes | +| mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| bindings\_additive | Map of additive bindings for entities. Unwinded by members. | +| bindings\_authoritative | Map of authoritative bindings for entities. Unwinded by roles. | +| bindings\_by\_member | List of bindings for entities unwinded by members. | +| set\_additive | A set of additive binding keys (from bindings\_additive) to be used in for\_each. Unwinded by members. | +| set\_authoritative | A set of authoritative binding keys (from bindings\_authoritative) to be used in for\_each. Unwinded by roles. | + + diff --git a/modules/helper/metadata.yaml b/modules/helper/metadata.yaml new file mode 100644 index 00000000..83c2183c --- /dev/null +++ b/modules/helper/metadata.yaml 
@@ -0,0 +1,154 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: IAM helper + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: storage_bucket + location: 
examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: entities + description: Entities list to add the IAM policies/bindings + type: list(string) + required: true + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + outputs: + - name: bindings_additive + description: Map of additive bindings for entities. Unwinded by members. + - name: bindings_authoritative + description: Map of authoritative bindings for entities. Unwinded by roles. + - name: bindings_by_member + description: List of bindings for entities unwinded by members. + - name: set_additive + description: A set of additive binding keys (from bindings_additive) to be used in for_each. Unwinded by members. + - name: set_authoritative + description: A set of authoritative binding keys (from bindings_authoritative) to be used in for_each. Unwinded by roles. 
+ roles: + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/helper/variables.tf b/modules/helper/variables.tf index a10a2cbd..2c0185af 100644 --- a/modules/helper/variables.tf +++ b/modules/helper/variables.tf @@ -22,6 +22,7 @@ variable "bindings" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/helper/versions.tf b/modules/helper/versions.tf new file mode 100644 index 00000000..c001c4e3 --- /dev/null +++ b/modules/helper/versions.tf 
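Review bot: This metadata omits `version: 7.4.1` under `spec.source`, which every sibling metadata.yaml in the patch carries, so the helper is the one module without a pinned published version. At the same time it advertises the full examples list and the full roles list although modules/helper/README.md in this same patch says the module is not meant to be used directly; if the generator cannot mark the module internal, at least add `version: 7.4.1` for consistency and consider whether the examples and roles stanzas should be present at all. The README hunk's multi-line `type` cell also breaks the Markdown table, but that is a documentation-only fix.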
@@ -0,0 +1,19 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 0.13" +} diff --git a/modules/kms_crypto_keys_iam/metadata.yaml b/modules/kms_crypto_keys_iam/metadata.yaml new file mode 100644 index 00000000..76b18f54 --- /dev/null +++ b/modules/kms_crypto_keys_iam/metadata.yaml 
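Review bot: The licence header of this newly added file says `Copyright 2021 Google LLC` while every other file created by this commit uses 2022 and the commit itself is dated December 2022; presumably it was copied from an older versions.tf. Suggest `* Copyright 2022 Google LLC` so the header matches the file's actual creation. The `required_version = ">= 0.13"` constraint agrees with the `'>= 0.13'` in the new metadata files.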
@@ -0,0 +1,152 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module kms_crypto_key IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - 
name: storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: kms_crypto_keys + description: KMS crypto keys list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + outputs: + - name: kms_crypto_keys + description: KMS crypto keys which received bindings. + - name: members + description: Members which were bound to the KMS crypto keys. + - name: roles + description: Roles which were assigned to members. 
+ roles: + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/kms_key_rings_iam/metadata.yaml b/modules/kms_key_rings_iam/metadata.yaml new file mode 100644 index 00000000..e986f06a --- /dev/null +++ b/modules/kms_key_rings_iam/metadata.yaml 
@@ -0,0 +1,152 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module kms_key_ring IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: kms_key_rings + description: KMS Key Rings list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + outputs: + - name: kms_key_rings + description: KMS key rings which received bindings. + - name: members + description: Members which were bound to the KMS key rings. + - name: roles + description: Roles which were assigned to members. 
+ roles: + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/kms_key_rings_iam/variables.tf b/modules/kms_key_rings_iam/variables.tf index 1d9be475..512644f0 100644 --- a/modules/kms_key_rings_iam/variables.tf +++ b/modules/kms_key_rings_iam/variables.tf @@ -21,6 +21,7 @@ variable "kms_key_rings" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/member_iam/metadata.yaml b/modules/member_iam/metadata.yaml new file mode 100644 index 00000000..d544280e --- /dev/null +++ b/modules/member_iam/metadata.yaml 
@@ -0,0 +1,140 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module Member IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: prefix + description: Prefix member or group or serviceaccount + type: string + default: serviceAccount + required: false + - name: project_id + description: Project id + type: string + required: true + - name: project_roles + description: List of IAM roles + type: list(string) + required: true + - name: service_account_address + description: Service account address + type: string + required: true + outputs: + - name: project_id + description: Project id. + - name: roles + description: Project roles. + roles: + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com 
diff --git a/modules/organizations_iam/metadata.yaml b/modules/organizations_iam/metadata.yaml new file mode 100644 index 00000000..516501f3 --- /dev/null +++ b/modules/organizations_iam/metadata.yaml 
@@ -0,0 +1,152 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module organization IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: organizations + description: Organizations list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + outputs: + - name: members + description: Members which were bound to organizations. + - name: organizations + description: Organizations which received bindings. + - name: roles + description: Roles which were assigned to members. 
+ roles: + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/organizations_iam/variables.tf b/modules/organizations_iam/variables.tf index 5b27e224..f64e24bd 100644 --- a/modules/organizations_iam/variables.tf +++ b/modules/organizations_iam/variables.tf @@ -21,6 +21,7 @@ variable "organizations" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/projects_iam/metadata.yaml b/modules/projects_iam/metadata.yaml new file mode 100644 index 00000000..fd8a3b3f --- /dev/null +++ b/modules/projects_iam/metadata.yaml 
@@ -0,0 +1,152 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module Project IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: projects + description: Projects list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + outputs: + - name: members + description: Members which were bound to projects. + - name: projects + description: Projects wich received bindings. + - name: roles + description: Roles which were assigned to members. 
+ roles: + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/projects_iam/variables.tf b/modules/projects_iam/variables.tf index a1027916..daf5b0b0 100644 --- a/modules/projects_iam/variables.tf +++ b/modules/projects_iam/variables.tf @@ -22,6 +22,7 @@ variable "projects" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/pubsub_subscriptions_iam/metadata.yaml b/modules/pubsub_subscriptions_iam/metadata.yaml new file mode 100644 index 00000000..bc3e81db --- /dev/null +++ b/modules/pubsub_subscriptions_iam/metadata.yaml 
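Review bot: The `projects` output description reads `Projects wich received bindings.`; the sibling outputs in this file say "which received bindings", so `description: Projects which received bindings.` would match them. The pubsub_topics_iam and secret_manager_iam metadata in this commit carry a related slip, `which received for bindings.`, where `which received bindings.` is meant. If these descriptions are copied from each module's outputs.tf by the metadata generator (the commit title suggests they are generated), the fix belongs there as well, or regeneration will reintroduce the typo.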
@@ -0,0 +1,144 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module pubsub_subscription IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - 
name: storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + required: true + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: project + description: Project to add the IAM policies/bindings + type: string + default: "" + required: false + - name: pubsub_subscriptions + description: PubSub Subscriptions list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + outputs: + - name: members + description: Members which were bound to the PubSub Subscription. + - name: pubsub_subscriptions + description: PubSub Subscriptions which received bindings. + - name: roles + description: Roles which were assigned to members. + roles: + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - 
oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/pubsub_subscriptions_iam/variables.tf b/modules/pubsub_subscriptions_iam/variables.tf index 1a91ba80..8eedec6f 100644 --- a/modules/pubsub_subscriptions_iam/variables.tf +++ b/modules/pubsub_subscriptions_iam/variables.tf @@ -28,6 +28,7 @@ variable "pubsub_subscriptions" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/pubsub_topics_iam/metadata.yaml b/modules/pubsub_topics_iam/metadata.yaml new file mode 100644 index 00000000..53855727 --- /dev/null +++ b/modules/pubsub_topics_iam/metadata.yaml 
@@ -0,0 +1,144 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module pubsub_topic IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(any) + required: true + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: project + description: Project to add the IAM policies/bindings + type: string + default: "" + required: false + - name: pubsub_topics + description: PubSub Topics list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + outputs: + - name: members + description: Members which were bound to the PubSub Topics. + - name: pubsub_topics + description: PubSub Topics which received for bindings. + - name: roles + description: Roles which were assigned to members. + roles: + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - 
serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/pubsub_topics_iam/variables.tf b/modules/pubsub_topics_iam/variables.tf index 4b5b2580..03aa51b4 100644 --- a/modules/pubsub_topics_iam/variables.tf +++ b/modules/pubsub_topics_iam/variables.tf @@ -28,6 +28,7 @@ variable "pubsub_topics" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/secret_manager_iam/metadata.yaml b/modules/secret_manager_iam/metadata.yaml new file mode 100644 index 00000000..6b70654c --- /dev/null +++ b/modules/secret_manager_iam/metadata.yaml 
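Review bot: `bindings` is typed `map(any)` here and in secret_manager_iam, while the same variable with the same description is `map(list(string))` in every other module metadata in this commit; `map(any)` only requires the values to share one type, so a map of plain strings would pass Terraform's type check even though the description promises a list of members per role. I cannot see how the module iterates the value, so whether that produces a confusing error or a silently wrong binding is inferred, but narrowing the declaration to `type: map(list(string))` (and the underlying variables.tf it presumably mirrors) would make the two modules consistent with the rest and fail early on malformed input. The `pubsub_topics` variable block also lacks a `default`, so it is required in practice, which the `required: true` line already states for `bindings` but not here; worth confirming that is intentional.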
@@ -0,0 +1,155 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module Secret Manager IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: storage_bucket 
+ location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(any) + required: true + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: project + description: Project to add the IAM policies/bindings + type: string + default: "" + required: false + - name: secrets + description: Secret Manager Secrets list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + outputs: + - name: members + description: Members which were bound to the Secret Manager Secrets. + - name: roles + description: Roles which were assigned to members. + - name: secrets + description: Secret Manager Secrets which received for bindings. 
+ roles: + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/secret_manager_iam/variables.tf b/modules/secret_manager_iam/variables.tf index 2437419c..c94a1ae3 100644 --- a/modules/secret_manager_iam/variables.tf +++ b/modules/secret_manager_iam/variables.tf @@ -28,6 +28,7 @@ variable "secrets" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/service_accounts_iam/metadata.yaml b/modules/service_accounts_iam/metadata.yaml new file mode 100644 index 00000000..65efd9f4 --- /dev/null +++ b/modules/service_accounts_iam/metadata.yaml 
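Review bot: This metadata omits `spec.version`; every sibling metadata.yaml added in this commit has `version: 7.4.1` between `sourceType: git` and `actuationTool`, so consumers that key on the version will see this one module as unversioned. If the generator derives the value from something the secret_manager_iam module directory lacks, that input should be added so the file regenerates consistently; otherwise adding the line `version: 7.4.1` under `source` brings it in line with the others.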
@@ -0,0 +1,157 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module service_account IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - 
name: storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: project + description: Project to add the IAM policies/bindings + type: string + default: "" + required: false + - name: service_accounts + description: Service Accounts Email list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + outputs: + - name: members + description: Members which were bound to the Service Account. + - name: roles + description: Roles which were assigned to members. + - name: service_accounts + description: Service Accounts which received bindings. 
+ roles: + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/service_accounts_iam/variables.tf b/modules/service_accounts_iam/variables.tf index 2764f6eb..d04e8552 100644 --- a/modules/service_accounts_iam/variables.tf +++ b/modules/service_accounts_iam/variables.tf @@ -28,6 +28,7 @@ variable "service_accounts" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/storage_buckets_iam/metadata.yaml b/modules/storage_buckets_iam/metadata.yaml new file mode 100644 index 00000000..73d13316 --- /dev/null +++ b/modules/storage_buckets_iam/metadata.yaml 
@@ -0,0 +1,152 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module storage_bucket IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - 
name: storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: storage_buckets + description: Storage Buckets list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + outputs: + - name: members + description: Members which were bound to the Storage Bucket. + - name: roles + description: Roles which were assigned to members. + - name: storage_buckets + description: Storage Buckets which received bindings. 
+ roles: + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/storage_buckets_iam/variables.tf b/modules/storage_buckets_iam/variables.tf index a956a33e..9b28403c 100644 --- a/modules/storage_buckets_iam/variables.tf +++ b/modules/storage_buckets_iam/variables.tf @@ -21,6 +21,7 @@ variable "storage_buckets" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" } diff --git a/modules/subnets_iam/metadata.yaml b/modules/subnets_iam/metadata.yaml new file mode 100644 index 00000000..57b3aa4e --- /dev/null +++ b/modules/subnets_iam/metadata.yaml 
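Review bot: Declaring `mode` as `string` in modules/storage_buckets_iam/variables.tf fixes the lint warning but leaves the value unconstrained, while the description limits it to additive or authoritative. For a bucket IAM module the distinction matters: an authoritative binding overwrites the existing member list for that role on every bucket in `storage_buckets`, so a typo in the mode value is a case the plan should reject rather than silently resolve to one of the two behaviours (how main.tf branches on the value is not visible in this hunk). Since the actuation tool is pinned at Terraform >= 0.13, a `validation` block is available and keeps the variable's interface unchanged.
```hcl
variable "mode" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["additive", "authoritative"], var.mode)
    error_message = "mode must be either \"additive\" or \"authoritative\"."
  }
}
```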
@@ -0,0 +1,161 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-iam + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Module subnet IAM + source: + repo: https://github.com/terraform-google-modules/terraform-google-iam.git + sourceType: git + version: 7.4.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: bigquery_dataset + location: examples/bigquery_dataset + - name: billing_account + location: examples/billing_account + - name: custom_role_org + location: examples/custom_role_org + - name: custom_role_project + location: examples/custom_role_project + - name: folder + location: examples/folder + - name: kms_crypto_key + location: examples/kms_crypto_key + - name: kms_key_ring + location: examples/kms_key_ring + - name: member_iam + location: examples/member_iam + - name: organization + location: examples/organization + - name: project + location: examples/project + - name: project_conditions + location: examples/project_conditions + - name: pubsub_subscription + location: examples/pubsub_subscription + - name: pubsub_topic + location: examples/pubsub_topic + - name: secret_manager + location: examples/secret_manager + - name: service_account + location: examples/service_account + - name: stackdriver_agent_roles + location: examples/stackdriver_agent_roles + - name: 
storage_bucket + location: examples/storage_bucket + - name: subnet + location: examples/subnet + variables: + - name: bindings + description: Map of role (key) and list of members (value) to add the IAM policies/bindings + type: map(list(string)) + default: {} + required: false + - name: conditional_bindings + description: List of maps of role and respective conditions, and the members to add the IAM policies/bindings + type: |- + list(object({ + role = string + title = string + description = string + expression = string + members = list(string) + })) + default: [] + required: false + - name: mode + description: Mode for adding the IAM policies/bindings, additive and authoritative + type: string + default: additive + required: false + - name: project + description: Project to add the IAM policies/bindings + type: string + default: "" + required: false + - name: subnets + description: Subnetwork list to add the IAM policies/bindings + type: list(string) + default: [] + required: false + - name: subnets_region + description: Subnetworks region + type: string + required: true + outputs: + - name: members + description: Members which were bound to the Subnetwork. + - name: roles + description: Roles which were assigned to members. + - name: subnets + description: Subnetworks which received bindings. 
+ roles: + - level: Project + roles: + - roles/billing.admin + - level: Project + roles: + - roles/iam.organizationRoleAdmin + - roles/orgpolicy.policyAdmin + - roles/resourcemanager.organizationAdmin + - level: Project + roles: + - roles/owner + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/compute.admin + - roles/compute.networkAdmin + - roles/compute.storageAdmin + - roles/pubsub.admin + - roles/cloudkms.admin + - roles/storage.admin + - roles/composer.worker + - roles/secretmanager.admin + - level: Project + roles: + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/owner + - roles/billing.projectManager + - roles/composer.worker + - level: Project + roles: + - roles/billing.user + services: + - admin.googleapis.com + - appengine.googleapis.com + - cloudbilling.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - oslogin.googleapis.com + - serviceusage.googleapis.com + - cloudkms.googleapis.com + - pubsub.googleapis.com + - storage-api.googleapis.com + - servicenetworking.googleapis.com + - storage-component.googleapis.com + - iap.googleapis.com + - secretmanager.googleapis.com + - bigquery.googleapis.com diff --git a/modules/subnets_iam/variables.tf b/modules/subnets_iam/variables.tf index 61843dd6..1b5cba67 100644 --- a/modules/subnets_iam/variables.tf +++ b/modules/subnets_iam/variables.tf @@ -28,6 +28,7 @@ variable "subnets" { variable "mode" { description = "Mode for adding the IAM policies/bindings, additive and authoritative" + type = string default = "additive" }