Copyright 2021 Google LLC. This software is provided as-is, without warranty or representation for any use or purpose. Your use of it is subject to your agreement with Google.
This module takes a map of job functions for groups, users and service accounts and returns bindings in a format that can be passed to the GCP IAM modules. The module does not create any resources. It is used to centrally manage the mapping of job functions to GCP roles and to generate bindings as output.
This code is intended for use with Terraform 0.14 or higher.
Basic usage of this module is as follows:
```hcl
module "get_iam_bindings" {
  source = "../get-job-function-roles/"
  groups_users_roles_needed = {
    "group:test-grp-01@example.com" = ["dba"]
    "group:test-grp-02@example.com" = ["developer"]
    "user:test-user-01@example.com" = ["viewer", "support"]
    "serviceAccount:delete-me-svc-acct-1@sinprj.iam.gserviceaccount.com" = ["developer"]
  }
  custom_iam_job_functions = {
    "sandbox" = [
      "roles/editor",
      "roles/iap.tunnelResourceAccessor",
    ]
    "dba" = [
      "roles/editor",
    ]
  }
  override_job_functions = false
}
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
custom_iam_job_functions | Map of lists of GCP roles per job function. These custom job functions are merged with the predefined job functions in the module | map(list(string)) | null | no |
groups_users_roles_needed | Map of lists of job functions needed by each group, user or service account | map(list(string)) | {} | no |
override_job_functions | Overrides a predefined job function in the module with the custom job function of the same name | bool | false | no |
Name | Description |
---|---|
bindings | Formatted IAM bindings |
When this module is called from the root module, the input is provided in `groups_users_roles_needed` as key-value pairs. The key can be `group:group-email`, `user:user-email` or `serviceAccount:service-account-email`. The value contains the list of job functions, which are either defined in this module or passed in `custom_iam_job_functions`. You can pass one or more job functions for each group, user or service account.

Here is an example input:
```hcl
groups_users_roles_needed = {
  "group:test-grp-01@example.com" = ["dba"]
  "group:test-grp-02@example.com" = ["developer"]
  "group:test-grp-03@example.com" = ["viewer", "support"]
  "user:user-01@example.com" = ["viewer", "support"]
  "serviceAccount:delete-me-svc-acct-1@sinprj.iam.gserviceaccount.com" = ["developer"]
}
```
Users can also pass their own job function to GCP roles mapping in the `custom_iam_job_functions` variable, which is merged with `predefined_iam_job_functions` before the final bindings are generated. This lets users take advantage of the formatting this module performs. If a user passes `custom_iam_job_functions` with job function(s) that are already present in `predefined_iam_job_functions`, the custom values override the predefined ones only if `override_job_functions` is set to `true`; otherwise the matching custom job function(s) are ignored. In the example below, since `override_job_functions` is set to `true`, the `dba` and `sandbox` job functions will override any entries of the same name already present in `predefined_iam_job_functions`.
```hcl
module "get_iam_bindings" {
  source = "../"
  groups_users_roles_needed = {
    "group:test-grp-01@example.com" = ["dba"]
    "group:test-grp-02@example.com" = ["developer"]
    "group:test-grp-03@example.com" = ["viewer", "support"]
  }
  custom_iam_job_functions = {
    "sandbox" = [
      "roles/editor",
      "roles/iap.tunnelResourceAccessor",
    ]
    "dba" = [
      "roles/editor",
    ]
  }
  override_job_functions = true
}
```
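The merge and override semantics above, modelled in Python as an added reference example (this is not the module's own HCL). It assumes the `bindings` output has the shape `{ role = [members] }` accepted by the GCP IAM Terraform modules, uses a constructed copy of the predefined mapping from this README, and adds a review check that reports custom job functions granting a basic role such as `roles/editor`, since the override flag lets such a custom entry replace a narrower predefined one.

```python
# Reference model of the module's merge/override logic (added example, not
# the module's code). Output shape {role: [members]} is an assumption based
# on the bindings format used by the GCP IAM Terraform modules.

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample mirroring predefined_iam_job_functions in job-roles.tf.
PREDEFINED = {
    "dba": ["roles/iam.serviceAccountAdmin", "roles/cloudsupport.techSupportViewer"],
    "developer": ["roles/dataflow.admin", "roles/dataproc.admin"],
}


def merge_job_functions(predefined, custom, override):
    """Merge custom job functions into the predefined map.

    With override=False a custom entry whose name already exists is ignored
    (predefined roles win); with override=True it replaces the predefined
    roles. Names that only exist in custom are always added. custom may be
    None, matching the variable's null default."""
    merged = {name: list(roles) for name, roles in predefined.items()}
    for name, roles in (custom or {}).items():
        if name not in merged or override:
            merged[name] = list(roles)
    return merged


def build_bindings(members_to_jobs, job_functions):
    """Invert member -> [job function] into role -> sorted unique members."""
    bindings = {}
    for member, jobs in members_to_jobs.items():
        for job in jobs:
            if job not in job_functions:
                raise KeyError(f"unknown job function {job!r} for {member}")
            for role in job_functions[job]:
                bindings.setdefault(role, set()).add(member)
    return {role: sorted(members) for role, members in sorted(bindings.items())}


def basic_role_grants(custom):
    """Custom job functions that grant a basic role; worth a look in review
    because with override=True they replace a predefined job function."""
    return {
        name: sorted(set(roles) & BASIC_ROLES)
        for name, roles in (custom or {}).items()
        if set(roles) & BASIC_ROLES
    }
```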
If you plan to clone this module and host it in your own environment, you can add or remove mappings in your cloned repository. The mapping is defined in the `job-roles.tf` file in a local variable `predefined_iam_job_functions`. You can add or remove job functions, or add or remove GCP roles from a job function. Here is the format:
```hcl
predefined_iam_job_functions = {
  "job-1" = [
    "roles/iam.serviceAccountAdmin",
    "roles/cloudsupport.techSupportViewer",
  ]
  "job2" = [
    "roles/dataflow.admin",
    "roles/dataproc.admin",
  ]
}
```
```hcl
predefined_iam_job_functions = {
  "dba" = [
    "roles/iam.serviceAccountAdmin",
    "roles/cloudsupport.techSupportViewer",
  ]
  "developer" = [
    "roles/dataflow.admin",
    "roles/dataproc.admin",
  ]
}
```