Add variable to resman to control top-level folder IAM (#2196)

Author: juliocc

fast/stages/1-resman/README.md

@@ -21,6 +21,7 @@ module "branch-dp-folder" {
   count  = var.fast_features.data_platform ? 1 : 0
   parent = "organizations/${var.organization.id}"
   name   = "Data Platform"
+  iam    = var.folder_iam.data_platform
   tag_bindings = {
     context = try(
       module.organization.tag_values["${var.tag_names.context}/data"].id, null

fast/stages/1-resman/branch-data-platform.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@ module "branch-gcve-folder" {
   count  = var.fast_features.gcve ? 1 : 0
   parent = "organizations/${var.organization.id}"
   name   = "GCVE"
+  iam    = var.folder_iam.gcve
   tag_bindings = {
     context = try(
       module.organization.tag_values["${var.tag_names.context}/gcve"].id, null

fast/stages/1-resman/branch-gcve.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@ module "branch-gke-folder" {
   count  = var.fast_features.gke ? 1 : 0
   parent = "organizations/${var.organization.id}"
   name   = "GKE"
+  iam    = var.folder_iam.gke
   tag_bindings = {
     context = try(
       module.organization.tag_values["${var.tag_names.context}/gke"].id, null

fast/stages/1-resman/branch-gke.tf

@@ -16,6 +16,29 @@
 
 # tfdoc:file:description Networking stage resources.
 
+locals {
+  # FAST-specific IAM
+  _network_folder_fast_iam = {
+    # read-write (apply) automation service account
+    "roles/logging.admin"                  = [module.branch-network-sa.iam_email]
+    "roles/owner"                          = [module.branch-network-sa.iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.branch-network-sa.iam_email]
+    "roles/resourcemanager.projectCreator" = [module.branch-network-sa.iam_email]
+    "roles/compute.xpnAdmin"               = [module.branch-network-sa.iam_email]
+    # read-only (plan) automation service account
+    "roles/viewer"                       = [module.branch-network-r-sa.iam_email]
+    "roles/resourcemanager.folderViewer" = [module.branch-network-r-sa.iam_email]
+  }
+  # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
+  _network_folder_iam = merge(
+    var.folder_iam.network,
+    {
+      for role, principals in local._network_folder_fast_iam :
+      role => distinct(concat(principals, lookup(var.folder_iam.network, role, [])))
+    }
+  )
+}
+
 module "branch-network-folder" {
   source = "../../../modules/folder"
   parent = "organizations/${var.organization.id}"
@@ -27,17 +50,7 @@ module "branch-network-folder" {
       "roles/editor",
     ]
   }
-  iam = {
-    # read-write (apply) automation service account
-    "roles/logging.admin"                  = [module.branch-network-sa.iam_email]
-    "roles/owner"                          = [module.branch-network-sa.iam_email]
-    "roles/resourcemanager.folderAdmin"    = [module.branch-network-sa.iam_email]
-    "roles/resourcemanager.projectCreator" = [module.branch-network-sa.iam_email]
-    "roles/compute.xpnAdmin"               = [module.branch-network-sa.iam_email]
-    # read-only (plan) automation service account
-    "roles/viewer"                       = [module.branch-network-r-sa.iam_email]
-    "roles/resourcemanager.folderViewer" = [module.branch-network-r-sa.iam_email]
-  }
+  iam = local._network_folder_iam
   tag_bindings = {
     context = try(
       module.organization.tag_values["${var.tag_names.context}/networking"].id, null

fast/stages/1-resman/branch-networking.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,17 +16,31 @@
 
 # tfdoc:file:description Sandbox stage resources.
 
-module "branch-sandbox-folder" {
-  source = "../../../modules/folder"
-  count  = var.fast_features.sandbox ? 1 : 0
-  parent = "organizations/${var.organization.id}"
-  name   = "Sandbox"
-  iam = {
+locals {
+  # FAST-specific IAM
+  _sandbox_folder_fast_iam = !var.fast_features.sandbox ? {} : {
     "roles/logging.admin"                  = [module.branch-sandbox-sa.0.iam_email]
     "roles/owner"                          = [module.branch-sandbox-sa.0.iam_email]
     "roles/resourcemanager.folderAdmin"    = [module.branch-sandbox-sa.0.iam_email]
     "roles/resourcemanager.projectCreator" = [module.branch-sandbox-sa.0.iam_email]
   }
+  # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
+  _sandbox_folder_iam = merge(
+    var.folder_iam.sandbox,
+    {
+      for role, principals in local._sandbox_folder_fast_iam :
+      role => distinct(concat(principals, lookup(var.folder_iam.sandbox, role, [])))
+    }
+  )
+}
+
+
+module "branch-sandbox-folder" {
+  source = "../../../modules/folder"
+  count  = var.fast_features.sandbox ? 1 : 0
+  parent = "organizations/${var.organization.id}"
+  name   = "Sandbox"
+  iam    = local._sandbox_folder_iam
   org_policies = {
     "sql.restrictPublicIp"       = { rules = [{ enforce = false }] }
     "compute.vmExternalIpAccess" = { rules = [{ allow = { all = true } }] }

fast/stages/1-resman/branch-sandbox.tf

@@ -16,6 +16,28 @@
 
 # tfdoc:file:description Security stage resources.
 
+locals {
+  # FAST-specific IAM
+  _security_folder_fast_iam = {
+    "roles/logging.admin"                  = [module.branch-security-sa.iam_email]
+    "roles/owner"                          = [module.branch-security-sa.iam_email]
+    "roles/resourcemanager.folderAdmin"    = [module.branch-security-sa.iam_email]
+    "roles/resourcemanager.projectCreator" = [module.branch-security-sa.iam_email]
+    # read-only (plan) automation service account
+    "roles/viewer"                       = [module.branch-security-r-sa.iam_email]
+    "roles/resourcemanager.folderViewer" = [module.branch-security-r-sa.iam_email]
+  }
+
+  # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
+  _security_folder_iam = merge(
+    var.folder_iam.security,
+    {
+      for role, principals in local._security_folder_fast_iam :
+      role => distinct(concat(principals, lookup(var.folder_iam.security, role, [])))
+    }
+  )
+}
+
 module "branch-security-folder" {
   source = "../../../modules/folder"
   parent = "organizations/${var.organization.id}"
@@ -27,16 +49,7 @@ module "branch-security-folder" {
       "roles/editor"
     ]
   }
-  iam = {
-    # read-write (apply) automation service account
-    "roles/logging.admin"                  = [module.branch-security-sa.iam_email]
-    "roles/owner"                          = [module.branch-security-sa.iam_email]
-    "roles/resourcemanager.folderAdmin"    = [module.branch-security-sa.iam_email]
-    "roles/resourcemanager.projectCreator" = [module.branch-security-sa.iam_email]
-    # read-only (plan) automation service account
-    "roles/viewer"                       = [module.branch-security-r-sa.iam_email]
-    "roles/resourcemanager.folderViewer" = [module.branch-security-r-sa.iam_email]
-  }
+  iam = local._security_folder_iam
   tag_bindings = {
     context = try(
       module.organization.tag_values["${var.tag_names.context}/security"].id, null

fast/stages/1-resman/branch-security.tf

@@ -17,19 +17,31 @@
 # tfdoc:file:description Team stage resources.
 
 # TODO(ludo): add support for CI/CD
-
-module "branch-teams-folder" {
-  source = "../../../modules/folder"
-  count  = var.fast_features.teams ? 1 : 0
-  parent = "organizations/${var.organization.id}"
-  name   = "Teams"
-  iam = {
+locals {
+  # FAST-specific IAM
+  _teams_folder_fast_iam = !var.fast_features.teams ? {} : {
     "roles/logging.admin"                  = [module.branch-teams-sa.0.iam_email]
     "roles/owner"                          = [module.branch-teams-sa.0.iam_email]
     "roles/resourcemanager.folderAdmin"    = [module.branch-teams-sa.0.iam_email]
     "roles/resourcemanager.projectCreator" = [module.branch-teams-sa.0.iam_email]
     "roles/compute.xpnAdmin"               = [module.branch-teams-sa.0.iam_email]
   }
+  # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
+  _teams_folder_iam = merge(
+    var.folder_iam.teams,
+    {
+      for role, principals in local._teams_folder_fast_iam :
+      role => distinct(concat(principals, lookup(var.folder_iam.teams, role, [])))
+    }
+  )
+}
+
+module "branch-teams-folder" {
+  source = "../../../modules/folder"
+  count  = var.fast_features.teams ? 1 : 0
+  parent = "organizations/${var.organization.id}"
+  name   = "Teams"
+  iam    = local._teams_folder_iam
   tag_bindings = {
     context = try(
       module.organization.tag_values["${var.tag_names.context}/teams"].id, null

fast/stages/1-resman/branch-teams.tf

@@ -33,6 +33,7 @@ module "tenant-tenants-folder" {
   source = "../../../modules/folder"
   parent = "organizations/${var.organization.id}"
   name   = "Tenants"
+  iam    = var.folder_iam.tenants
   tag_bindings = {
     context = module.organization.tag_values["${var.tag_names.context}/tenant"].id
   }

fast/stages/1-resman/branch-tenants.tf

@@ -180,6 +180,22 @@ variable "fast_features" {
   nullable = false
 }
 
+variable "folder_iam" {
+  description = "Authoritative IAM for top-level folders."
+  type = object({
+    data_platform = optional(map(list(string)), {})
+    gcve          = optional(map(list(string)), {})
+    gke           = optional(map(list(string)), {})
+    sandbox       = optional(map(list(string)), {})
+    security      = optional(map(list(string)), {})
+    network       = optional(map(list(string)), {})
+    teams         = optional(map(list(string)), {})
+    tenants       = optional(map(list(string)), {})
+  })
+  nullable = false
+  default  = {}
+}
+
 variable "groups" {
   # tfdoc:variable:source 0-bootstrap
   # https://cloud.google.com/docs/enterprise/setup-checklist