feat(project-factory): introduce additive iam bindings to project-fac…

…tory
GoogleCloudPlatform · Oct 31, 2022 · dcec8a9 · dcec8a9
1 parent b668e80
commit dcec8a9
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 4 deletions.
diff --git a/blueprints/factories/project-factory/main.tf b/blueprints/factories/project-factory/main.tf
@@ -21,7 +21,14 @@ locals {
       "group:${k}" if try(index(v, r), null) != null
     ]
   }
+  _group_iam_additive = {
+    for r in local._group_iam_additive_bindings : r => [
+      for k, v in var.group_iam_additive :
+      "group:${k}" if try(index(v, r), null) != null
+    ]
+  }
   _group_iam_bindings = distinct(flatten(values(var.group_iam)))
+  _group_iam_additive_bindings = distinct(flatten(values(var.group_iam_additive)))
   _project_id = (
     var.prefix == null || var.prefix == ""
     ? var.project_id
@@ -37,6 +44,16 @@ locals {
   _service_accounts_iam_bindings = distinct(flatten(
     values(var.service_accounts)
   ))
+  _service_accounts_iam_additive = {
+    for r in local._service_accounts_iam_additive_bindings : r => [
+      for k, v in var.service_accounts_additive :
+      module.service-accounts[k].iam_email
+      if try(index(v, r), null) != null
+    ]
+  }
+  _service_accounts_iam_additive_bindings = distinct(flatten(
+    values(var.service_accounts_additive)
+  ))
   _services = concat([
     "billingbudgets.googleapis.com",
     "essentialcontacts.googleapis.com"
@@ -53,6 +70,14 @@ locals {
       if contains(roles, role)
     ]
   }
+  _service_identities_roles_additive = distinct(flatten(values(var.service_identities_iam_additive)))
+  _service_identities_iam_additive = {
+    for role in local._service_identities_roles_additive : role => [
+      for service, roles in var.service_identities_iam_additive :
+      "serviceAccount:${module.project.service_accounts.robots[service]}"
+      if contains(roles, role)
+    ]
+  }
   _vpc_subnet_bindings = (
     local.vpc.subnets_iam == null || local.vpc.host_project == null
     ? []
@@ -91,6 +116,20 @@ locals {
       try(local._service_identities_iam[role], []),
     )
   }
+  iam_additive = {
+    for role in distinct(concat(
+      keys(var.iam_additive),
+      keys(local._group_iam_additive),
+      keys(local._service_accounts_iam_additive),
+      keys(local._service_identities_iam_additive),
+    )) :
+    role => concat(
+      try(var.iam_additive[role], []),
+      try(local._group_iam_additive[role], []),
+      try(local._service_accounts_iam_additive[role], []),
+      try(local._service_identities_iam_additive[role], []),
+    )
+  }
   labels = merge(
     coalesce(var.labels, {}), coalesce(try(var.defaults.labels, {}), {})
   )
@@ -147,6 +186,7 @@ module "project" {
   prefix                     = var.prefix
   contacts                   = { for c in local.essential_contacts : c => ["ALL"] }
   iam                        = local.iam
+  iam_additive               = local.iam_additive
   labels                     = local.labels
   org_policies               = try(var.org_policies, {})
   parent                     = var.folder_id

diff --git a/blueprints/factories/project-factory/variables.tf b/blueprints/factories/project-factory/variables.tf
@@ -78,12 +78,24 @@ variable "group_iam" {
   default     = {}
 }
 
+variable "group_iam_additive" {
+  description = "Custom additive IAM settings in group => [role] format."
+  type        = map(list(string))
+  default     = {}
+}
+
 variable "iam" {
   description = "Custom IAM settings in role => [principal] format."
   type        = map(list(string))
   default     = {}
 }
 
+variable "iam_additive" {
+  description = "Custom additive IAM settings in role => [principal] format."
+  type        = map(list(string))
+  default     = {}
+}
+
 variable "kms_service_agents" {
   description = "KMS IAM configuration in as service => [key]."
   type        = map(list(string))
@@ -160,10 +172,9 @@ variable "service_accounts_iam" {
   nullable    = false
 }
 
-
-variable "service_identities_iam" {
-  description = "Custom IAM settings for service identities in service => [role] format."
-  type        = map(list(string))
+variable "service_accounts_iam_additive" {
+  description = "IAM additive bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}"
+  type        = map(map(list(string)))
   default     = {}
   nullable    = false
 }
@@ -175,6 +186,20 @@ variable "services" {
   nullable    = false
 }
 
+variable "service_identities_iam" {
+  description = "Custom IAM settings for service identities in service => [role] format."
+  type        = map(list(string))
+  default     = {}
+  nullable    = false
+}
+
+variable "service_identities_iam_additive" {
+  description = "Custom additive IAM settings for service identities in service => [role] format."
+  type        = map(list(string))
+  default     = {}
+  nullable    = false
+}
+
 variable "vpc" {
   description = "VPC configuration for the project."
   type = object({