Top level folder factory support for automation SA IAM (GoogleCloudPlatform#2818)

* Top level folder factory support for automation SA IAM

* Fixes iam_bindings and iam_bindings_additive for top-level-folder

---------

Co-authored-by: Ludovico Magnocavallo <[email protected]>

Author: 2 people

fast/stages/1-resman/data/top-level-folders/sandbox.yaml

@@ -18,5 +18,10 @@ name: Sandbox
 automation:
   environment_name: dev
   short_name: sbox
+# You can create role bindings referring to the automation service account by
+# referring to it using `self` keyword, per the example below
+iam: 
+  "roles/owner":
+    - self
 factories_config:
   org_policies: data/org-policies/sandbox

fast/stages/1-resman/schemas/top-level-folder.schema.json

@@ -261,7 +261,7 @@
           "type": "array",
           "items": {
             "type": "string",
-            "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
+            "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
           }
         }
       }
@@ -278,7 +278,7 @@
               "type": "array",
               "items": {
                 "type": "string",
-                "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
+                "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
               }
             },
             "role": {
@@ -318,7 +318,7 @@
           "properties": {
             "member": {
               "type": "string",
-              "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc)"
+              "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|self)"
             },
             "role": {
               "type": "string",
@@ -361,4 +361,4 @@
       }
     }
   }
-}
+}

fast/stages/1-resman/top-level-folders.tf

@@ -86,23 +86,29 @@ module "top-level-folder" {
   iam = {
     for role, members in each.value.iam :
     lookup(var.custom_roles, role, role) => [
-      for member in members : lookup(local.top_level_sa, member, member)
+      for member in members : (each.value.automation != null && member == "self")
+      ? module.top-level-sa[each.key].iam_email
+      : lookup(local.top_level_sa, member, member)
     ]
   }
   iam_bindings = {
-    for k, v in each.value.iam_bindings : k => merge(v, {
-      role = lookup(var.custom_roles, v.role, v.role)
+    for k, v in each.value.iam_bindings : k => {
       members = [
-        for item in v.members :
-        lookup(local.top_level_sa, item, item)
+        for member in v.members : (each.value.automation != null && member == "self")
+        ? module.top-level-sa[each.key].iam_email
+        : lookup(local.top_level_sa, member, member)
       ]
-      condition = try(v.condition, null)
-    })
+      role = lookup(var.custom_roles, v.role, v.role)
+    }
   }
   iam_bindings_additive = {
     for k, v in each.value.iam_bindings_additive : k => merge(v, {
-      member = lookup(local.top_level_sa, v.member, v.member)
-      role   = lookup(var.custom_roles, v.role, v.role)
+      member = (
+        each.value.automation != null && v.member == "self"
+        ? module.top-level-sa[each.key].iam_email
+        : lookup(local.top_level_sa, v.member, v.member)
+      )
+      role = lookup(var.custom_roles, v.role, v.role)
     })
   }
   # we don't replace here to avoid dynamic values in keys