├── test ├── .gitignore ├── setup │ ├── .gitignore │ ├── variables.tf │ └── versions.tf ├── integration │ ├── helper │ │ └── inspec.yml │ ├── billing-iam │ │ └── inspec.yml │ ├── member-iam │ │ └── inspec.yml │ ├── custom-role │ │ └── inspec.yml │ └── static-and-dynamic │ │ └── inspec.yml └── fixtures │ ├── member-iam │ ├── variables.tf │ ├── main.tf │ ├── outputs.tf │ └── versions.tf │ ├── custom-role │ ├── variables.tf │ ├── versions.tf │ ├── main.tf │ └── outputs.tf │ ├── billing-iam │ ├── main.tf │ ├── variables.tf │ ├── versions.tf │ └── outputs.tf │ ├── additive │ ├── versions.tf │ ├── main.tf │ └── variables.tf │ ├── helper │ ├── versions.tf │ └── base │ │ ├── versions.tf │ │ └── variables.tf │ ├── authoritative │ ├── versions.tf │ └── main.tf │ └── static-and-dynamic │ ├── versions.tf │ └── static_projects │ ├── versions.tf │ ├── outputs.tf │ ├── main.tf │ └── variables.tf ├── examples ├── .gitignore ├── billing_account │ ├── README.md │ ├── variables.tf │ ├── outputs.tf │ └── main.tf ├── custom_role_project │ ├── README.md │ ├── variables.tf │ └── outputs.tf ├── custom_role_org │ ├── README.md │ ├── variables.tf │ ├── outputs.tf │ └── main.tf ├── member_iam │ ├── variables.tf │ ├── README.md │ ├── outputs.tf │ └── main.tf ├── kms_key_ring │ ├── README.md │ ├── main.tf │ └── variables.tf ├── kms_crypto_key │ ├── README.md │ ├── main.tf │ └── variables.tf ├── dns_zone │ ├── README.md │ ├── variables.tf │ └── main.tf ├── tag_keys │ ├── README.md │ ├── variables.tf │ └── main.tf ├── tag_values │ ├── README.md │ ├── variables.tf │ └── main.tf ├── bigquery_dataset │ ├── README.md │ └── variables.tf ├── folder │ ├── README.md │ ├── main.tf │ └── variables.tf ├── stackdriver_agent_roles │ ├── CLOUDSHELL_TUTORIAL.md │ ├── variables.tf │ ├── main.tf │ └── README.md ├── project │ ├── README.md │ ├── main.tf │ └── variables.tf ├── project_conditions │ ├── README.md │ └── variables.tf ├── organization │ ├── README.md │ ├── main.tf │ └── variables.tf ├── 
secure_source_manager │ ├── README.md │ ├── outputs.tf │ └── variables.tf ├── storage_bucket │ ├── README.md │ ├── main.tf │ └── variables.tf ├── secret_manager │ ├── README.md │ ├── main.tf │ └── variables.tf ├── pubsub_topic │ ├── README.md │ ├── main.tf │ └── variables.tf ├── pubsub_subscription │ ├── README.md │ └── main.tf ├── cloud_run_service │ ├── README.md │ └── main.tf ├── service_account │ ├── README.md │ └── main.tf └── subnet │ └── README.md ├── .github ├── renovate.json ├── release-please.yml └── trusted-contribution.yml ├── CODEOWNERS ├── modules ├── helper │ ├── versions.tf │ ├── variables.tf │ ├── outputs.tf │ └── README.md ├── secret_manager_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── audit_config │ ├── outputs.tf │ ├── variables.tf │ ├── versions.tf │ └── main.tf ├── member_iam │ ├── main.tf │ ├── outputs.tf │ ├── versions.tf │ ├── variables.tf │ └── README.md ├── folders_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── subnets_iam │ ├── versions.tf │ └── outputs.tf ├── dns_zones_iam │ ├── versions.tf │ ├── variables.tf │ ├── outputs.tf │ └── README.md ├── projects_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── tag_keys_iam │ ├── versions.tf │ ├── variables.tf │ ├── outputs.tf │ └── README.md ├── tag_values_iam │ ├── versions.tf │ ├── variables.tf │ ├── outputs.tf │ └── README.md ├── custom_role_iam │ ├── versions.tf │ └── outputs.tf ├── kms_crypto_keys_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── kms_key_rings_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── organizations_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── pubsub_topics_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── storage_buckets_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── bigquery_datasets_iam │ ├── versions.tf │ ├── variables.tf │ └── outputs.tf ├── billing_accounts_iam │ ├── versions.tf │ ├── variables.tf │ ├── outputs.tf │ └── README.md ├── 
service_accounts_iam │ ├── versions.tf │ └── outputs.tf ├── cloud_run_services_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── pubsub_subscriptions_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf ├── secure_source_manager_iam │ ├── versions.tf │ └── outputs.tf └── artifact_registry_iam │ ├── versions.tf │ ├── outputs.tf │ └── variables.tf └── .gitignore /test/.gitignore: -------------------------------------------------------------------------------- 1 | source.sh 2 | -------------------------------------------------------------------------------- /test/setup/.gitignore: -------------------------------------------------------------------------------- 1 | terraform.tfvars 2 | source.sh 3 | -------------------------------------------------------------------------------- /examples/.gitignore: -------------------------------------------------------------------------------- 1 | # Examples should keep variables for user-changeable values 2 | terraform.tfvars 3 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": ["github>GoogleCloudPlatform/cloud-foundation-toolkit//infra/terraform/test-org/github/resources/renovate"] 4 | } 5 | -------------------------------------------------------------------------------- /examples/billing_account/README.md: -------------------------------------------------------------------------------- 1 | # Billing Account Example 2 | 3 | This example illustrates how to use the `billing_accounts_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | project\_id | Project ID for the module | `string` | n/a | yes | 11 | 12 | ## Outputs 13 | 14 | | Name | Description | 15 | |------|-------------| 16 | | 
service\_account\_addresses | Service Account Addresses which were bound to projects. | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # NOTE: This file is automatically generated from values at: 2 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 3 | 4 | * @terraform-google-modules/cft-admins @imrannayer 5 | 6 | # NOTE: GitHub CODEOWNERS locations: 7 | # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection 8 | 9 | CODEOWNERS @terraform-google-modules/cft-admins 10 | .github/CODEOWNERS @terraform-google-modules/cft-admins 11 | docs/CODEOWNERS @terraform-google-modules/cft-admins 12 | 13 | -------------------------------------------------------------------------------- /examples/custom_role_project/README.md: -------------------------------------------------------------------------------- 1 | # Project Level Custom Role Example 2 | 3 | This example illustrates how to use the `custom_role_iam` submodule to create a custom role at the project level. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | project\_id | Variable for Project ID. | `string` | n/a | yes | 11 | 12 | ## Outputs 13 | 14 | | Name | Description | 15 | |------|-------------| 16 | | role\_id | ID of the custom role created at project level. 
| 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /examples/custom_role_org/README.md: -------------------------------------------------------------------------------- 1 | # Organization Level Custom Role Example 2 | 3 | This example illustrates how to use the `custom_role_iam` submodule to create a custom role at the organization level. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | org\_id | Variable for Organization ID. | `string` | n/a | yes | 11 | 12 | ## Outputs 13 | 14 | | Name | Description | 15 | |------|-------------| 16 | | role\_id | ID of the custom role created at organization level. | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /.github/release-please.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | releaseType: terraform-module 16 | handleGHRelease: true 17 | -------------------------------------------------------------------------------- /modules/helper/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | } 20 | -------------------------------------------------------------------------------- /test/integration/helper/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # This is a helper inspec profile used to share libraries 16 | # across other profiles 17 | 18 | name: helper 19 | -------------------------------------------------------------------------------- /examples/member_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "Project id" 19 | type = string 20 | } 21 | 22 | -------------------------------------------------------------------------------- /test/fixtures/member-iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project_id" { 18 | description = "Project id" 19 | type = string 20 | } 21 | 22 | -------------------------------------------------------------------------------- /examples/custom_role_org/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "org_id" { 18 | type = string 19 | description = "Variable for Organization ID." 20 | } 21 | -------------------------------------------------------------------------------- /examples/custom_role_project/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project_id" { 18 | type = string 19 | description = "Variable for Project ID." 20 | } 21 | -------------------------------------------------------------------------------- /test/fixtures/member-iam/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "member_roles" { 18 | source = "../../../examples/member_iam" 19 | project_id = var.project_id 20 | } 21 | -------------------------------------------------------------------------------- /examples/kms_key_ring/README.md: -------------------------------------------------------------------------------- 1 | # KMS Key Ring Example 2 | 3 | This example illustrates how to use the `kms_key_rings_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | kms\_key\_ring\_one | First kms\_ring to add the IAM policies/bindings | `string` | n/a | yes | 12 | | kms\_key\_ring\_two | First kms\_ring to add the IAM policies/bindings | `string` | n/a | yes | 13 | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | No outputs. 
18 | 19 | 20 | -------------------------------------------------------------------------------- /examples/kms_crypto_key/README.md: -------------------------------------------------------------------------------- 1 | # KMS Crypto Key Example 2 | 3 | This example illustrates how to use the `kms_crypto_keys_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | kms\_crypto\_key\_one | First kms\_cripto\_key to add the IAM policies/bindings | `string` | n/a | yes | 12 | | kms\_crypto\_key\_two | Second kms\_cripto\_key to add the IAM policies/bindings | `string` | n/a | yes | 13 | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | No outputs. 18 | 19 | 20 | -------------------------------------------------------------------------------- /examples/custom_role_org/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "role_id" { 18 | value = module.custom-roles-org.custom_role_id 19 | description = "ID of the custom role created at organization level." 
20 | } 21 | -------------------------------------------------------------------------------- /examples/custom_role_project/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "role_id" { 18 | value = module.custom-role-project.custom_role_id 19 | description = "ID of the custom role created at project level." 20 | } 21 | -------------------------------------------------------------------------------- /examples/dns_zone/README.md: -------------------------------------------------------------------------------- 1 | # DNS Zone Example 2 | 3 | This example illustrates how to use the `dns_zones_iam` submodule to grant IAM roles on Cloud DNS managed zones. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | project\_id | Project ID to create the example resources in | `string` | n/a | yes | 12 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 13 | | user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | No outputs. 
18 | 19 | 20 | -------------------------------------------------------------------------------- /examples/tag_keys/README.md: -------------------------------------------------------------------------------- 1 | # Tag Keys Example 2 | 3 | This example illustrates how to use the `tag_keys_iam` submodule to grant IAM roles on Resource Manager tag keys. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | project\_id | Project ID to create the example resources in | `string` | n/a | yes | 12 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 13 | | user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | No outputs. 18 | 19 | 20 | -------------------------------------------------------------------------------- /examples/tag_values/README.md: -------------------------------------------------------------------------------- 1 | # Tag Values Example 2 | 3 | This example illustrates how to use the `tag_values_iam` submodule to grant IAM roles on Resource Manager tag values. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | project\_id | Project ID to create the example resources in | `string` | n/a | yes | 12 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 13 | | user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | No outputs. 
18 | 19 | 20 | -------------------------------------------------------------------------------- /test/integration/billing-iam/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: billing-iam 16 | attributes: 17 | - name: billing_iam_test_accounts 18 | required: true 19 | type: array 20 | - name: project_id 21 | required: true 22 | type: string 23 | -------------------------------------------------------------------------------- /examples/bigquery_dataset/README.md: -------------------------------------------------------------------------------- 1 | # BigQuery Dataset Example 2 | 3 | This example illustrates how to use the `bigquery_datasets_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | project\_id | Project ID to create BigQuery resources in | `string` | n/a | yes | 12 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 13 | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | No outputs. 
18 | 19 | 20 | -------------------------------------------------------------------------------- /modules/secret_manager_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | } 28 | -------------------------------------------------------------------------------- /modules/audit_config/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

# Echoes the module's audit_log_config input so callers can chain on it.
# depends_on makes a consumer of this output wait until
# google_project_iam_audit_config.project has actually been applied, instead
# of reading the variable value straight away.
output "audit_log_config" {
  value       = var.audit_log_config
  description = "Map of log type and exempted members to be added to service"
  depends_on  = [google_project_iam_audit_config.project]
}
-------------------------------------------------------------------------------- /modules/member_iam/main.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Grants every role listed in var.project_roles to one principal on one project.
#
# Each role becomes its own google_project_iam_member instance keyed by the role
# name, so adding or removing a role in the list only creates or destroys that
# single binding. Per provider semantics google_project_iam_member is additive:
# it adds this member to the role and leaves any other members of the role in
# place; it does not replace the project's IAM policy.
resource "google_project_iam_member" "project_iam_member" {
  # toset() collapses duplicate role names, so a repeated role is bound once.
  for_each = toset(var.project_roles)
  project  = var.project_id
  role     = each.key
  # The principal type ("serviceAccount", "user", "group", ...) is taken
  # verbatim from var.prefix and joined to the address. Nothing in this block
  # validates either value. NOTE(review): confirm variables.tf constrains
  # prefix to the intended principal types, so a typo cannot bind a different
  # kind of principal than the caller expects.
  member = "${var.prefix}:${var.service_account_address}"
}
-------------------------------------------------------------------------------- /modules/member_iam/outputs.tf: --------------------------------------------------------------------------------
/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "roles" { 18 | value = google_project_iam_member.project_iam_member 19 | description = "Project roles." 20 | } 21 | 22 | output "project_id" { 23 | value = var.project_id 24 | description = "Project id." 25 | } 26 | -------------------------------------------------------------------------------- /examples/folder/README.md: -------------------------------------------------------------------------------- 1 | # Folder Example 2 | 3 | This example illustrates how to use the `folders_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | folder\_one | The first folder ID to apply IAM bindings | `string` | n/a | yes | 11 | | folder\_two | The second folder ID to apply IAM bindings | `string` | n/a | yes | 12 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 13 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 14 | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | 15 | 16 | ## Outputs 17 | 18 | No outputs. 
19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /test/fixtures/custom-role/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | type = string 19 | description = "Project ID of the Custom Role." 20 | } 21 | 22 | variable "org_id" { 23 | type = string 24 | description = "Organization ID of the Custom Role." 25 | } 26 | -------------------------------------------------------------------------------- /examples/stackdriver_agent_roles/CLOUDSHELL_TUTORIAL.md: -------------------------------------------------------------------------------- 1 | # Stackdriver Agent Roles for Service Account 2 | 3 | ### Configuration 4 | 5 | ### Set your Project ID 6 | 7 | In the Shell below, run `gcloud config set project PROJECT_ID`, where `PROJECT_ID` is the GCP project in which you wish to grant roles to the service account. 8 | 9 | ### Initialize Terraform 10 | 11 | In the Shell, run `terraform init` to initialize `terraform` and download necessary support files. 12 | 13 | ### Run Terraform 14 | 15 | In the Shell, run `terraform apply`. When prompted, enter the email address for the service account that you'd like to grant these roles to. Review the plan that `terraform` shows — it lists the IAM bindings that will be added to the project and the service account they are granted to — and only then type `yes` to confirm. 
16 | 17 | ### You're Done! 18 | 19 | If `terraform` completes without error, the IAM roles `roles/logging.logWriter` and `roles/monitoring.metricWriter` have been applied to the service account you specified. 20 | -------------------------------------------------------------------------------- /test/fixtures/billing-iam/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #additive 18 | 19 | # module "iam_binding_billing_accounts_additive" { 20 | # source = "../../../examples/billing_account" 21 | # billing_account_id = var.billing_iam_test_account 22 | # project_id = var.project_id 23 | # } 24 | -------------------------------------------------------------------------------- /examples/billing_account/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | # variable "billing_account_id" { 18 | # type = string 19 | # description = "Billing Account ID to apply IAM bindings" 20 | # } 21 | 22 | variable "project_id" { 23 | type = string 24 | description = "Project ID for the module" 25 | } 26 | -------------------------------------------------------------------------------- /examples/project/README.md: -------------------------------------------------------------------------------- 1 | # Project Example 2 | 3 | This example illustrates how to use the `projects_iam` submodule. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | project\_one | First project id to add the IAM policies/bindings | `string` | n/a | yes | 12 | | project\_two | Second project id to add the IAM policies/bindings | `string` | n/a | yes | 13 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 14 | | user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes | 15 | 16 | ## Outputs 17 | 18 | No outputs.
19 | 20 | 21 | -------------------------------------------------------------------------------- /test/fixtures/billing-iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "billing_iam_test_account" { 18 | type = string 19 | description = "Billing Account ID to use for testing IAM policies/bindings." 20 | } 21 | 22 | variable "project_id" { 23 | type = string 24 | description = "Project ID" 25 | } 26 | -------------------------------------------------------------------------------- /examples/project_conditions/README.md: -------------------------------------------------------------------------------- 1 | # Project Example 2 | 3 | This example illustrates how to use the `projects_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | project\_one | First project id to add the IAM policies/bindings | `string` | n/a | yes | 12 | | project\_two | Second project id to add the IAM policies/bindings | `string` | n/a | yes | 13 | | sa\_email | Email for Service Account to receive roles (Ex. 
default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 14 | | user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes | 15 | 16 | ## Outputs 17 | 18 | No outputs. 19 | 20 | 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # OSX leaves these everywhere on SMB shares 2 | ._* 3 | 4 | # OSX trash 5 | .DS_Store 6 | *.pyc* 7 | 8 | # Emacs save files 9 | *~ 10 | \#*\# 11 | .\#* 12 | 13 | # Vim-related files 14 | [._]*.s[a-w][a-z] 15 | [._]s[a-w][a-z] 16 | *.un~ 17 | Session.vim 18 | .netrwhist 19 | 20 | ### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore 21 | 22 | # Local .terraform directories 23 | **/.terraform/* 24 | 25 | # .tfstate files 26 | *.tfstate 27 | *.tfstate.* 28 | 29 | # Crash log files 30 | crash.log 31 | 32 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most 33 | # .tfvars files are managed as part of configuration and so should be included in 34 | # version control. 35 | # 36 | # example.tfvars 37 | # 38 | 39 | **/terraform.tfvars 40 | 41 | # Secrets 42 | credentials.json 43 | 44 | # Test files 45 | .kitchen/ 46 | 47 | # tf lock file 48 | .terraform.lock.hcl 49 | -------------------------------------------------------------------------------- /test/fixtures/member-iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "project_id" { 18 | value = var.project_id 19 | description = "Project id." 20 | } 21 | 22 | output "service_account_email" { 23 | value = module.member_roles.service_account_address 24 | description = "Member which was bound to projects." 25 | } 26 | -------------------------------------------------------------------------------- /examples/organization/README.md: -------------------------------------------------------------------------------- 1 | # Organization Example 2 | 3 | This example illustrates how to use the `organizations_iam` submodule. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | organization\_one | First organization to add the IAM policies/bindings | `string` | n/a | yes | 12 | | organization\_two | Second organization to add the IAM policies/bindings | `string` | n/a | yes | 13 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 14 | | user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes | 15 | 16 | ## Outputs 17 | 18 | No outputs.
19 | 20 | 21 | -------------------------------------------------------------------------------- /test/integration/member-iam/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: member-iam 16 | depends: 17 | - name: inspec-gcp 18 | git: https://github.com/inspec/inspec-gcp.git 19 | tag: v0.10.0 20 | attributes: 21 | - name: project_id 22 | required: true 23 | type: string 24 | - name: service_account_email 25 | required: true 26 | type: string 27 | 28 | -------------------------------------------------------------------------------- /examples/secure_source_manager/README.md: -------------------------------------------------------------------------------- 1 | # DNS ZOne Example 2 | 3 | This example illustrates how to use the `privileged_access_manager` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | project\_id | Project ID to create BigQuery resources in | `string` | n/a | yes | 12 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 13 | | user\_email | Email for user to receive roles (Ex. 
user@example.com) | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | | Name | Description | 18 | |------|-------------| 19 | | instance\_id | SSM Instance ID | 20 | | repository\_id | SSM repository ID | 21 | 22 | 23 | -------------------------------------------------------------------------------- /test/fixtures/additive/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /test/fixtures/helper/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /test/fixtures/member-iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /examples/member_iam/README.md: -------------------------------------------------------------------------------- 1 | # Member iam Module Example 2 | 3 | This example illustrates how to use the `member_iam` submodule 4 | 5 | ## Requirements 6 | ### Installed Software 7 | - [Terraform](https://www.terraform.io/downloads.html) ~> 0.12.6 8 | - [Terraform Provider for GCP](https://github.com/terraform-providers/terraform-provider-google) ~> 2.19 9 | - [Terraform Provider for GCP Beta](https://github.com/terraform-providers/terraform-provider-google-beta) ~> 2.19 10 | 11 | 12 | ## Inputs 13 | 14 | | Name | Description | Type | Default | Required | 15 | |------|-------------|------|---------|:--------:| 16 | | project\_id | Project id | `string` | n/a | yes | 17 | 18 | ## Outputs 19 | 20 | | Name | Description | 21 | |------|-------------| 22 | | project\_id | Project id. | 23 | | roles | Project roles. | 24 | | service\_account\_address | Member which was bound to projects. | 25 | 26 | 27 | -------------------------------------------------------------------------------- /test/fixtures/authoritative/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /test/fixtures/billing-iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /test/fixtures/custom-role/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /test/fixtures/helper/base/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /examples/storage_bucket/README.md: -------------------------------------------------------------------------------- 1 | # Storage Bucket Example 2 | 3 | This example illustrates how to use the `storage_buckets_iam` submodule. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 12 | | storage\_bucket\_one | Name of the first GCS bucket to add the IAM policies/bindings | `string` | n/a | yes | 13 | | storage\_bucket\_two | Name of the second GCS bucket to add the IAM policies/bindings | `string` | n/a | yes | 14 | | user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes | 15 | 16 | ## Outputs 17 | 18 | No outputs.
19 | 20 | 21 | -------------------------------------------------------------------------------- /test/fixtures/static-and-dynamic/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /examples/secure_source_manager/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "instance_id" { 18 | value = google_secure_source_manager_instance.default.instance_id 19 | description = "SSM Instance ID" 20 | } 21 | 22 | output "repository_id" { 23 | value = google_secure_source_manager_repository.default.repository_id 24 | description = "SSM repository ID" 25 | } 26 | -------------------------------------------------------------------------------- /examples/secret_manager/README.md: -------------------------------------------------------------------------------- 1 | # Secret Manager Example 2 | 3 | This example illustrates how to use the `secret_manager_iam` submodule. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | project\_id | GCP Project ID. | `string` | n/a | yes | 12 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 13 | | secret\_one | The first secret ID to apply IAM bindings to | `string` | n/a | yes | 14 | | secret\_two | The second secret ID to apply IAM bindings to | `string` | n/a | yes | 15 | | user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes | 16 | 17 | ## Outputs 18 | 19 | No outputs. 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /examples/stackdriver_agent_roles/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "service_account_email" { 18 | type = string 19 | description = "The service account email to enable Stackdriver agent roles on" 20 | } 21 | 22 | variable "project" { 23 | type = string 24 | description = "GCP project in which you wish to grant roles to the service account" 25 | } 26 | 27 | -------------------------------------------------------------------------------- /test/fixtures/static-and-dynamic/static_projects/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = "~> 4.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = "~> 4.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /modules/folders_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:folders_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/member_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:member_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/subnets_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:subnets_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/audit_config/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "audit_log_config" { 18 | description = "List of objects to be added to audit log config" 19 | type = list(object({ service : string, log_type : string, exempted_members : list(string) })) 20 | } 21 | 22 | variable "project" { 23 | description = "Project to add the IAM policies/bindings" 24 | type = string 25 | } 26 | -------------------------------------------------------------------------------- /modules/audit_config/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:audit_config/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/dns_zones_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 4.48, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:dns_zone_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/projects_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:projects_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/tag_keys_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 4.48, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:dns_zone_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/tag_values_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 4.48, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:dns_zone_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/custom_role_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:custom_role_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/kms_crypto_keys_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:kms_crypto_keys_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/kms_key_rings_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:kms_key_rings_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/organizations_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:organizations_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/pubsub_topics_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:pubsub_topics_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/storage_buckets_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:storage_buckets_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/bigquery_datasets_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:bigquery_dataset_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/billing_accounts_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:billing_accounts_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/service_accounts_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:service_accounts_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /.github/trusted-contribution.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | annotations: 19 | - type: comment 20 | text: "/gcbrun" 21 | trustedContributors: 22 | - release-please[bot] 23 | - renovate[bot] 24 | - renovate-bot 25 | - forking-renovate[bot] 26 | - dependabot[bot] 27 | -------------------------------------------------------------------------------- /modules/cloud_run_services_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:cloud_run_services_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/pubsub_subscriptions_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:pubsub_subscriptions_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /modules/secure_source_manager_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 5.37, < 8" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-iam:secure_source_manager_iam/v8.2.0" 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /examples/pubsub_topic/README.md: -------------------------------------------------------------------------------- 1 | # PubSub Topic Example 2 | 3 | This example illustrates how to use the `pubsub_topics_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | pubsub\_topic\_one | First pubsub topic to add the IAM policies/bindings | `string` | n/a | yes | 12 | | pubsub\_topic\_project | Project id of the pub/sub topic | `string` | n/a | yes | 13 | | pubsub\_topic\_two | Second pubsub topic to add the IAM policies/bindings | `string` | n/a | yes | 14 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 15 | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | 16 | 17 | ## Outputs 18 | 19 | No outputs. 20 | 21 | 22 | -------------------------------------------------------------------------------- /examples/member_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "roles" { 18 | value = module.member_roles.roles 19 | description = "Project roles." 20 | } 21 | 22 | output "project_id" { 23 | value = var.project_id 24 | description = "Project id." 25 | } 26 | 27 | output "service_account_address" { 28 | value = google_service_account.member_iam_test.email 29 | description = "Member which was bound to projects." 30 | } 31 | -------------------------------------------------------------------------------- /test/integration/custom-role/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | name: custom-role 16 | attributes: 17 | - name: custom_role_id_project 18 | required: true 19 | type: string 20 | - name: custom_role_id_org 21 | required: true 22 | type: string 23 | - name: custom_role_id_org_unsupported 24 | required: true 25 | type: string 26 | - name: project_id 27 | required: true 28 | type: string 29 | - name: org_id 30 | required: true 31 | type: string 32 | -------------------------------------------------------------------------------- /test/fixtures/additive/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "generic" { 18 | source = "../helper" 19 | mode = "additive" 20 | subnet_cidr = ["192.168.0.0/24", "192.168.10.0/24"] 21 | folder_id = var.folder_id 22 | billing_account = var.billing_account 23 | location = var.location 24 | project_id = var.project_id 25 | member1 = var.member1 26 | member2 = var.member2 27 | roles = var.roles 28 | } 29 | -------------------------------------------------------------------------------- /examples/stackdriver_agent_roles/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | resource "google_project_iam_member" "monitoring-log_writer" { 18 | role = "roles/logging.logWriter" 19 | member = "serviceAccount:${var.service_account_email}" 20 | project = var.project 21 | } 22 | 23 | resource "google_project_iam_member" "monitoring-metric_writer" { 24 | role = "roles/monitoring.metricWriter" 25 | member = "serviceAccount:${var.service_account_email}" 26 | project = var.project 27 | } 28 | -------------------------------------------------------------------------------- /test/fixtures/authoritative/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "generic" { 18 | source = "../helper" 19 | mode = "authoritative" 20 | subnet_cidr = ["192.168.1.0/24", "192.168.11.0/24"] 21 | folder_id = var.folder_id 22 | billing_account = var.billing_account 23 | location = var.location 24 | project_id = var.project_id 25 | member1 = var.member1 26 | member2 = var.member2 27 | roles = var.roles 28 | } 29 | -------------------------------------------------------------------------------- /examples/pubsub_subscription/README.md: -------------------------------------------------------------------------------- 1 | # PubSub Subscription Example 2 | 3 | This example illustrates how to use the `pubsub_subscriptions_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 11 | | pubsub\_subscription\_one | First pubsub subscription name to add the IAM policies/bindings | `string` | n/a | yes | 12 | | pubsub\_subscription\_project | Project id of the pub/sub subscription | `string` | n/a | yes | 13 | | pubsub\_subscription\_two | Second pubsub subscription name to add the IAM policies/bindings | `string` | n/a | yes | 14 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 15 | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | 16 | 17 | ## Outputs 18 | 19 | No outputs. 20 | 21 | 22 | -------------------------------------------------------------------------------- /modules/artifact_registry_iam/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 3.53, < 8" 24 | } 25 | 26 | google-beta = { 27 | source = "hashicorp/google-beta" 28 | version = ">= 3.53, < 8" 29 | } 30 | } 31 | 32 | provider_meta "google" { 33 | module_name = "blueprints/terraform/terraform-google-iam:artifact_registry_iam/v8.2.0" 34 | } 35 | 36 | } 37 | -------------------------------------------------------------------------------- /test/fixtures/static-and-dynamic/static_projects/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "ids" { 18 | value = local.static_project_ids 19 | description = "Projects created for bindings." 
20 | 21 | depends_on = [ 22 | # Projects must be created before the statically generated project_id 23 | # can be used in the IAM module 24 | google_project.test 25 | ] 26 | } 27 | 28 | output "mode" { 29 | value = var.mode 30 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 31 | } 32 | -------------------------------------------------------------------------------- /test/setup/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "org_id" { 18 | description = "The numeric organization id" 19 | } 20 | 21 | variable "folder_id" { 22 | description = "The folder to deploy in" 23 | } 24 | 25 | variable "billing_account" { 26 | description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ" 27 | } 28 | 29 | variable "billing_iam_test_account" { 30 | description = "The billing iam test account id is for the billing-iam-module, only for testing, e.g. 
XXXXXX-YYYYYY-ZZZZZZ" 31 | } 32 | -------------------------------------------------------------------------------- /modules/tag_keys_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "tag_keys" { 18 | description = "List of tag keys to add the IAM policies/bindings" 19 | type = list(string) 20 | } 21 | 22 | variable "mode" { 23 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 24 | type = string 25 | default = "additive" 26 | } 27 | 28 | variable "bindings" { 29 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 30 | type = map(any) 31 | } 32 | -------------------------------------------------------------------------------- /test/setup/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 3.36" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = ">= 3.36" 27 | } 28 | null = { 29 | source = "hashicorp/null" 30 | version = ">= 3.0" 31 | } 32 | random = { 33 | source = "hashicorp/random" 34 | version = ">= 2.2" 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /modules/tag_values_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "tag_values" { 18 | description = "List of tag values to add the IAM policies/bindings" 19 | type = list(string) 20 | } 21 | 22 | variable "mode" { 23 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 24 | type = string 25 | default = "additive" 26 | } 27 | 28 | variable "bindings" { 29 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 30 | type = map(any) 31 | } 32 | -------------------------------------------------------------------------------- /modules/member_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "service_account_address" { 18 | description = "Service account address" 19 | type = string 20 | } 21 | 22 | variable "project_id" { 23 | description = "Project id" 24 | type = string 25 | } 26 | 27 | variable "project_roles" { 28 | description = "List of IAM roles" 29 | type = list(string) 30 | } 31 | 32 | variable "prefix" { 33 | description = "Prefix member or group or serviceaccount" 34 | type = string 35 | default = "serviceAccount" 36 | } 37 | 38 | -------------------------------------------------------------------------------- /examples/cloud_run_service/README.md: -------------------------------------------------------------------------------- 1 | # Cloud Run Example 2 | 3 | This example illustrates how to use the `cloud_run_service_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | cloud\_run\_service\_location | The location of the cloud run instance | `string` | n/a | yes | 11 | | cloud\_run\_service\_one | First cloud run service to add the IAM policies/bindings | `string` | n/a | yes | 12 | | cloud\_run\_service\_project | Project id of the cloud run service | `string` | n/a | yes | 13 | | cloud\_run\_service\_two | Second cloud run service to add the IAM policies/bindings | `string` | n/a | yes | 14 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes | 15 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes | 16 | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes | 17 | 18 | ## Outputs 19 | 20 | No outputs. 
21 | 22 | 23 | -------------------------------------------------------------------------------- /modules/custom_role_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "custom_role_id" { 18 | value = local.custom-role-output 19 | description = "ID of the custom role created." 20 | } 21 | 22 | output "custom_role_name" { 23 | value = (var.target_level == "project") ? google_project_iam_custom_role.project-custom-role[0].name : google_organization_iam_custom_role.org-custom-role[0].name 24 | description = "Name of the custom role created in the format {{target_level}}/{{target_id}}/roles/{{role_id}}, for use as a reference in other resources such as IAM role bindings." 25 | } 26 | -------------------------------------------------------------------------------- /test/fixtures/billing-iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | # Resources 18 | 19 | #Additive 20 | 21 | # output "billing_iam_test_accounts" { 22 | # value = module.iam_binding_billing_accounts_additive.billing_account_ids 23 | # description = "Billing Accounts which received bindings." 24 | # } 25 | 26 | # output "members" { 27 | # value = module.iam_binding_billing_accounts_additive.members 28 | # description = "Members which were bound to the billing accounts." 29 | # } 30 | 31 | output "project_id" { 32 | value = var.project_id 33 | description = "Project ID" 34 | } 35 | -------------------------------------------------------------------------------- /modules/audit_config/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | locals { 18 | audit_log_config = { 19 | for key, val in var.audit_log_config : 20 | val.service => val... 
21 | } 22 | } 23 | 24 | resource "google_project_iam_audit_config" "project" { 25 | for_each = local.audit_log_config 26 | project = var.project 27 | service = each.key 28 | 29 | dynamic "audit_log_config" { 30 | for_each = each.value 31 | iterator = log_type 32 | content { 33 | log_type = log_type.value.log_type 34 | exempted_members = log_type.value.exempted_members 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /modules/billing_accounts_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "billing_account_ids" { 18 | description = "Billing Accounts IDs list to add the IAM policies/bindings" 19 | default = [] 20 | type = list(string) 21 | } 22 | 23 | variable "mode" { 24 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 25 | type = string 26 | default = "additive" 27 | } 28 | 29 | variable "bindings" { 30 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 31 | type = map(list(string)) 32 | } 33 | -------------------------------------------------------------------------------- /examples/billing_account/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "service_account_addresses" { 18 | value = [local.service_account_01_email, local.service_account_02_email] 19 | description = "Service Account Addresses which were bound to projects." 20 | } 21 | 22 | # output "billing_account_ids" { 23 | # value = module.billing-account-iam.billing_account_ids 24 | # description = "Billing Accounts which received bindings." 25 | # } 26 | 27 | # output "members" { 28 | # value = module.billing-account-iam.members 29 | # description = "Members which were bound to the billing accounts." 
30 | # } 31 | -------------------------------------------------------------------------------- /test/fixtures/static-and-dynamic/static_projects/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | locals { 18 | mode_short = var.mode == "authoritative" ? "auth" : "add" 19 | 20 | static_project_ids = [ 21 | for i in range(var.n) 22 | : "${var.prefix}-${local.mode_short}-st-${i}-${var.random_hexes[i]}" 23 | ] 24 | } 25 | 26 | resource "google_project" "test" { 27 | count = var.n 28 | 29 | project_id = local.static_project_ids[count.index] 30 | folder_id = var.folder_id 31 | name = "Test IAM Project ${title(local.mode_short)} St ${count.index}" 32 | billing_account = var.billing_account 33 | } 34 | -------------------------------------------------------------------------------- /examples/member_iam/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | resource "google_service_account" "member_iam_test" { 18 | project = var.project_id 19 | account_id = "member-iam-test" 20 | display_name = "member-iam-test" 21 | } 22 | 23 | module "member_roles" { 24 | source = "terraform-google-modules/iam/google//modules/member_iam" 25 | version = "~> 8.0" 26 | 27 | service_account_address = google_service_account.member_iam_test.email 28 | project_id = var.project_id 29 | project_roles = ["roles/compute.networkAdmin", "roles/appengine.appAdmin"] 30 | prefix = "serviceAccount" 31 | } 32 | -------------------------------------------------------------------------------- /examples/stackdriver_agent_roles/README.md: -------------------------------------------------------------------------------- 1 | # Stackdriver Agent Roles 2 | 3 | Applies the roles necessary to write metrics and logs to Stackdriver to a given service account. 4 | 5 | ## Quick Start 6 | 7 | [![Open in Cloud Shell](http://www.gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/editor?cloudshell_image=gcr.io/graphite-cloud-shell-images/terraform:latest&cloudshell_git_repo=https://github.com/terraform-google-modules/terraform-google-iam.git&cloudshell_working_dir=examples/stackdriver_agent_roles&cloudshell_tutorial=CLOUDSHELL_TUTORIAL.md) 8 | 9 | 1. Use the above link to open a Cloud Shell 10 | 2. Follow the tutorial presented in Cloud Shell (see also [CLOUDSHELL_TUTORIAL.md](./CLOUDSHELL_TUTORIAL.md)). 
11 | 12 | 13 | ## Inputs 14 | 15 | | Name | Description | Type | Default | Required | 16 | |------|-------------|------|---------|:--------:| 17 | | project | GCP project in which you wish to grant roles to the service account | `string` | n/a | yes | 18 | | service\_account\_email | The service account email to enable Stackdriver agent roles on | `string` | n/a | yes | 19 | 20 | ## Outputs 21 | 22 | No outputs. 23 | 24 | 25 | -------------------------------------------------------------------------------- /modules/member_iam/README.md: -------------------------------------------------------------------------------- 1 | # Module Member IAM 2 | 3 | This optional module is used to assign service account roles 4 | 5 | ## Example Usage 6 | ``` 7 | module "member_roles" { 8 | source = "terraform-google-modules/iam/google//modules/member_iam" 9 | version = "~> 8.0" 10 | 11 | service_account_address = "my-sa@my-project.iam.gserviceaccount.com" 12 | prefix = "serviceAccount" 13 | project_id = "my-project-one" 14 | project_roles = ["roles/compute.networkAdmin", "roles/appengine.appAdmin"] 15 | } 16 | 17 | ``` 18 | 19 | 20 | ## Inputs 21 | 22 | | Name | Description | Type | Default | Required | 23 | |------|-------------|------|---------|:--------:| 24 | | prefix | Prefix member or group or serviceaccount | `string` | `"serviceAccount"` | no | 25 | | project\_id | Project id | `string` | n/a | yes | 26 | | project\_roles | List of IAM roles | `list(string)` | n/a | yes | 27 | | service\_account\_address | Service account address | `string` | n/a | yes | 28 | 29 | ## Outputs 30 | 31 | | Name | Description | 32 | |------|-------------| 33 | | project\_id | Project id. | 34 | | roles | Project roles. 
| 35 | 36 | 37 | -------------------------------------------------------------------------------- /examples/dns_zone/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for group to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | variable "project_id" { 33 | type = string 34 | description = "Project ID to create BigQuery resources in" 35 | } 36 | -------------------------------------------------------------------------------- /examples/tag_keys/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for group to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | variable "project_id" { 33 | type = string 34 | description = "Project ID to create BigQuery resources in" 35 | } 36 | -------------------------------------------------------------------------------- /modules/folders_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "folders" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Folders which received bindings." 20 | depends_on = [google_folder_iam_binding.folder_iam_authoritative, google_folder_iam_member.folder_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the folders." 31 | } 32 | -------------------------------------------------------------------------------- /modules/projects_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "projects" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Projects wich received bindings." 20 | depends_on = [google_project_iam_binding.project_iam_authoritative, google_project_iam_member.project_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 
26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to projects." 31 | } 32 | -------------------------------------------------------------------------------- /examples/service_account/README.md: -------------------------------------------------------------------------------- 1 | # Service Account Example 2 | 3 | This example illustrates how to use the `service_accounts_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. group@example.com) | `string` | `"goose_net_admins@goosecorp.org"` | no | 11 | | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | `"sa-tf-test-receiver-01@ci-iam-0c5f.iam.gserviceaccount.com"` | no | 12 | | service\_account\_one | First service Account to add the IAM policies/bindings | `string` | `"sa-tf-test-01@ci-iam-0c5f.iam.gserviceaccount.com"` | no | 13 | | service\_account\_project | Project id of the service account | `string` | `"ci-iam-0c5f"` | no | 14 | | service\_account\_two | First service Account to add the IAM policies/bindings | `string` | `"sa-tf-test-02@ci-iam-0c5f.iam.gserviceaccount.com"` | no | 15 | | user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | `"awmalik@google.com"` | no | 16 | 17 | ## Outputs 18 | 19 | No outputs. 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /examples/folder/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /****************************************** 18 | Module folder_iam_binding calling 19 | *****************************************/ 20 | module "folder-iam" { 21 | source = "terraform-google-modules/iam/google//modules/folders_iam" 22 | version = "~> 8.0" 23 | 24 | folders = [var.folder_one, var.folder_two] 25 | 26 | mode = "additive" 27 | 28 | bindings = { 29 | "roles/resourcemanager.folderEditor" = [ 30 | "serviceAccount:${var.sa_email}", 31 | "group:${var.group_email}", 32 | ] 33 | 34 | "roles/resourcemanager.folderViewer" = [ 35 | "user:${var.user_email}", 36 | ] 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /examples/secure_source_manager/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for user to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | variable "project_id" { 33 | type = string 34 | description = "Project ID to create BigQuery resources in" 35 | } 36 | -------------------------------------------------------------------------------- /modules/dns_zones_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project" { 18 | description = "Project to add the IAM policies/bindings" 19 | type = string 20 | } 21 | 22 | variable "managed_zones" { 23 | description = "List of managed zone to add the IAM policies/bindings" 24 | type = list(string) 25 | } 26 | 27 | variable "mode" { 28 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 29 | type = string 30 | default = "additive" 31 | } 32 | 33 | variable "bindings" { 34 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 35 | type = map(any) 36 | } 37 | -------------------------------------------------------------------------------- /modules/tag_keys_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "tag_keys" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Tag keys which received for bindings." 20 | depends_on = [google_tags_tag_key_iam_binding.tag_key_iam_authoritative, google_tags_tag_key_iam_member.tag_key_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 
26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the Tag keys." 31 | } 32 | -------------------------------------------------------------------------------- /modules/subnets_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "subnets" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Subnetworks which received bindings." 20 | depends_on = [google_compute_subnetwork_iam_binding.subnet_iam_authoritative, google_compute_subnetwork_iam_member.subnet_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the Subnetwork." 
31 | } 32 | -------------------------------------------------------------------------------- /modules/tag_values_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "tag_keys" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Tag keys which received for bindings." 20 | depends_on = [google_tags_tag_value_iam_binding.tag_value_iam_authoritative, google_tags_tag_value_iam_member.tag_value_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the Tag keys." 31 | } 32 | -------------------------------------------------------------------------------- /modules/bigquery_datasets_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project" { 18 | description = "Project to add the IAM policies/bindings" 19 | type = string 20 | } 21 | 22 | variable "bigquery_datasets" { 23 | description = "BigQuery dataset IDs list to add the IAM policies/bindings" 24 | type = list(string) 25 | } 26 | 27 | variable "mode" { 28 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 29 | type = string 30 | default = "additive" 31 | } 32 | 33 | variable "bindings" { 34 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 35 | type = map(any) 36 | } 37 | -------------------------------------------------------------------------------- /modules/organizations_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "organizations" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Organizations which received bindings." 20 | depends_on = [google_organization_iam_binding.organization_iam_authoritative, google_organization_iam_member.organization_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to organizations." 31 | } 32 | -------------------------------------------------------------------------------- /modules/kms_key_rings_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "kms_key_rings" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "KMS key rings which received bindings." 20 | depends_on = [google_kms_key_ring_iam_binding.kms_key_ring_iam_authoritative, google_kms_key_ring_iam_member.kms_key_ring_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 
26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the KMS key rings." 31 | } 32 | -------------------------------------------------------------------------------- /modules/dns_zones_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "managed_zones" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "DNS Managed Zones which received for bindings." 20 | depends_on = [google_dns_managed_zone_iam_binding.dns_zone_iam_authoritative, google_dns_managed_zone_iam_member.dns_zone_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the DNS managed zones." 
31 | } 32 | -------------------------------------------------------------------------------- /modules/pubsub_topics_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "pubsub_topics" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "PubSub Topics which received for bindings." 20 | depends_on = [google_pubsub_topic_iam_binding.pubsub_topic_iam_authoritative, google_pubsub_topic_iam_member.pubsub_topic_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the PubSub Topics." 31 | } 32 | -------------------------------------------------------------------------------- /examples/subnet/README.md: -------------------------------------------------------------------------------- 1 | # Subnet Example 2 | 3 | This example illustrates how to use the `subnets_iam` submodule 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | group\_email | Email for group to receive roles (ex. 
group@example.com) | `string` | n/a | yes |
| project | The project where the subnet resides | `string` | n/a | yes |
| region | The region where the subnet resides | `string` | n/a | yes |
| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes |
| subnet\_one | First subnet id to add the IAM policies/bindings | `string` | n/a | yes |
| subnet\_two | Second subnet id to add the IAM policies/bindings | `string` | n/a | yes |
| user\_email | Email for user to receive roles (Ex. user@example.com) | `string` | n/a | yes |

## Outputs

No outputs.



## Caveats
The `subnets_iam` module expects each subnet to be passed as a fully qualified resource id of the form `projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME`. This example builds those ids from the `project`, `region`, `subnet_one` and `subnet_two` inputs you supply, so `subnet_one`/`subnet_two` are expected to be the subnet names rather than full paths.
--------------------------------------------------------------------------------
/modules/kms_crypto_keys_iam/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "kms_crypto_keys" {
  value       = distinct(module.helper.bindings_by_member[*].name)
  description = "KMS crypto keys which received bindings."
20 | depends_on = [google_kms_crypto_key_iam_binding.kms_crypto_key_iam_authoritative, google_kms_crypto_key_iam_member.kms_crypto_key_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the KMS crypto keys." 31 | } 32 | -------------------------------------------------------------------------------- /modules/storage_buckets_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "storage_buckets" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Storage Buckets which received bindings." 20 | depends_on = [google_storage_bucket_iam_binding.storage_bucket_iam_authoritative, google_storage_bucket_iam_member.storage_bucket_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the Storage Bucket." 
31 | } 32 | -------------------------------------------------------------------------------- /modules/service_accounts_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "service_accounts" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Service Accounts which received bindings." 20 | depends_on = [google_service_account_iam_binding.service_account_iam_authoritative, google_service_account_iam_member.service_account_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the Service Account." 31 | } 32 | -------------------------------------------------------------------------------- /modules/billing_accounts_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "billing_account_ids" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Billing Accounts which received bindings." 20 | depends_on = [google_billing_account_iam_binding.billing_account_iam_authoritative, google_billing_account_iam_member.billing_account_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the billing accounts." 31 | } 32 | -------------------------------------------------------------------------------- /modules/cloud_run_services_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | output "cloud_run_services" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Cloud Run services which received for bindings." 20 | depends_on = [google_cloud_run_service_iam_binding.cloud_run_iam_authoritative, google_cloud_run_service_iam_member.cloud_run_iam_additive] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the Cloud Run services." 31 | } 32 | -------------------------------------------------------------------------------- /modules/pubsub_topics_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
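*/

variable "project" {
  description = "Project to add the IAM policies/bindings"
  default     = ""
  type        = string
}

variable "pubsub_topics" {
  description = "PubSub Topics list to add the IAM policies/bindings"
  default     = []
  type        = list(string)
}

variable "mode" {
  description = "Mode for adding the IAM policies/bindings: \"additive\" (google_pubsub_topic_iam_member; members already holding the role are kept) or \"authoritative\" (google_pubsub_topic_iam_binding; the provider makes this module the sole source of members for each role on each topic)."
  type        = string
  default     = "additive"

  # Reject unsupported values at plan time; a mis-typed mode would otherwise be
  # accepted silently and could leave topics without the intended bindings.
  validation {
    condition     = contains(["additive", "authoritative"], var.mode)
    error_message = "mode must be either \"additive\" or \"authoritative\"."
  }
}

variable "bindings" {
  description = "Map of role (key) and list of members (value) to add the IAM policies/bindings"
  # map(list(string)) rather than map(any): matches pubsub_subscriptions_iam and
  # rejects a malformed value at plan time. Callers passing a map of lists are
  # unaffected.
  type = map(list(string))
}
--------------------------------------------------------------------------------
/modules/secret_manager_iam/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "secrets" {
  value       = distinct(module.helper.bindings_by_member[*].name)
  description = "Secret Manager Secrets which received bindings."
  # Readers of this output only see it once both binding resources have been applied.
  depends_on = [google_secret_manager_secret_iam_binding.secret_manager_iam_authoritative, google_secret_manager_secret_iam_member.secret_manager_iam_additive]
}

output "roles" {
  value       = distinct(module.helper.bindings_by_member[*].role)
  description = "Roles which were assigned to members."
}

output "members" {
  value       = distinct(module.helper.bindings_by_member[*].member)
  description = "Members which were bound to the Secret Manager Secrets."
}
--------------------------------------------------------------------------------
/examples/kms_key_ring/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.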
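*/

/******************************************
  Module kms_key_ring_iam_binding calling
 *****************************************/
# Grants roles/cloudkms.cryptoKeyEncrypter and roles/cloudkms.cryptoKeyDecrypter
# on two key rings to one user and one group.
#
# Least-privilege note: a role bound at key-ring level is inherited by every
# crypto key inside the ring. If the principals only need particular keys, bind
# on those keys instead (see the kms_crypto_keys_iam submodule / kms_crypto_key
# example).
module "kms_key_ring_iam_binding" {
  source  = "terraform-google-modules/iam/google//modules/kms_key_rings_iam"
  version = "~> 8.0"

  kms_key_rings = [var.kms_key_ring_one, var.kms_key_ring_two]
  # "additive" maps to google_kms_key_ring_iam_member: members that already hold
  # these roles on the rings are left untouched.
  mode = "additive"

  bindings = {
    "roles/cloudkms.cryptoKeyEncrypter" = [
      "user:${var.user_email}",
      "group:${var.group_email}",
    ]
    "roles/cloudkms.cryptoKeyDecrypter" = [
      "user:${var.user_email}",
      "group:${var.group_email}",
    ]
  }
}
--------------------------------------------------------------------------------
/examples/secret_manager/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.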
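*/

/******************************************
  Module secret_iam_binding calling
 *****************************************/
# Binds Secret Manager roles on two secrets in var.project_id.
#
# NOTE(review): the module label "folder-iam" is a copy/paste leftover - this
# block wraps secret_manager_iam, not folders_iam. The label is kept because
# renaming it changes the state address (module.folder-iam.*) for anyone who
# built on this example; rename with `terraform state mv` if you copy it.
module "folder-iam" {
  source  = "terraform-google-modules/iam/google//modules/secret_manager_iam"
  version = "~> 8.0"

  project = var.project_id
  secrets = [var.secret_one, var.secret_two]

  # "additive" maps to google_secret_manager_secret_iam_member: existing members
  # of these roles on the secrets are left in place.
  mode = "additive"

  bindings = {
    # secretAccessor lets a principal read secret version payloads; granting it
    # to a human user and a group (not only the workload service account) should
    # be a deliberate decision.
    "roles/secretmanager.secretAccessor" = [
      "serviceAccount:${var.sa_email}",
      "group:${var.group_email}",
      "user:${var.user_email}",
    ]

    "roles/secretmanager.viewer" = [
      "user:${var.user_email}",
    ]
  }
}
--------------------------------------------------------------------------------
/modules/bigquery_datasets_iam/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "bigquery_datasets" {
  value       = distinct(module.helper.bindings_by_member[*].name)
  description = "Bigquery dataset IDs which received bindings."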
20 | depends_on = [google_bigquery_dataset_iam_binding.bigquery_dataset_iam_authoritative, google_bigquery_dataset_iam_member.bigquery_dataset_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the bigquery datasets." 31 | } 32 | -------------------------------------------------------------------------------- /test/integration/static-and-dynamic/inspec.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | name: static-and-dynamic 16 | depends: 17 | - name: helper 18 | path: ../helper 19 | attributes: 20 | - name: authoritative_static_projects 21 | required: true 22 | type: array 23 | - name: additive_static_projects 24 | required: true 25 | type: array 26 | - name: authoritative_dynamic_projects 27 | required: true 28 | type: array 29 | - name: additive_dynamic_projects 30 | required: true 31 | type: array 32 | - name: member_group_0 33 | required: true 34 | type: array 35 | - name: member_group_1 36 | required: true 37 | type: array 38 | - name: roles 39 | required: true 40 | # workaround InSpec lack of support for integer 41 | type: string 42 | -------------------------------------------------------------------------------- /test/fixtures/helper/base/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "base_billing_account" { 18 | description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ" 19 | } 20 | 21 | variable "base_parent_id" { 22 | description = "Folder to create resources in, e.g. folders/12345678" 23 | } 24 | 25 | variable "base_location" { 26 | description = "Region for subnetwork tests." 27 | } 28 | 29 | variable "base_project_id" { 30 | description = "Project ID of the test fixture project. 
Used to avoid timing issues with recently created projects." 31 | } 32 | 33 | variable "subnet_cidr" { 34 | description = "List of CIDRs to use when creating fixture subnetworks. Used to avoid the resource locking between test suites." 35 | } 36 | -------------------------------------------------------------------------------- /modules/pubsub_subscriptions_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "pubsub_subscriptions" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "PubSub Subscriptions which received bindings." 20 | depends_on = [google_pubsub_subscription_iam_binding.pubsub_subscription_iam_authoritative, google_pubsub_subscription_iam_member.pubsub_subscription_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the PubSub Subscription." 
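}
--------------------------------------------------------------------------------
/modules/pubsub_subscriptions_iam/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

variable "project" {
  description = "Project to add the IAM policies/bindings"
  default     = ""
  type        = string
}

variable "pubsub_subscriptions" {
  description = "PubSub Subscriptions list to add the IAM policies/bindings"
  default     = []
  type        = list(string)
}

variable "mode" {
  description = "Mode for adding the IAM policies/bindings: \"additive\" (google_pubsub_subscription_iam_member; members already holding the role are kept) or \"authoritative\" (google_pubsub_subscription_iam_binding; the provider makes this module the sole source of members for each role on each subscription)."
  type        = string
  default     = "additive"

  # Reject unsupported values at plan time; a mis-typed mode would otherwise be
  # accepted silently and could leave subscriptions without the intended bindings.
  validation {
    condition     = contains(["additive", "authoritative"], var.mode)
    error_message = "mode must be either \"additive\" or \"authoritative\"."
  }
}

variable "bindings" {
  description = "Map of role (key) and list of members (value) to add the IAM policies/bindings"
  type        = map(list(string))
}
--------------------------------------------------------------------------------
/examples/kms_crypto_key/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.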
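* You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/******************************************
  Module kms_crypto_key_iam_binding calling
 *****************************************/
# Grants roles/cloudkms.cryptoKeyEncrypter and roles/cloudkms.cryptoKeyDecrypter
# on two crypto keys to one user and one group.
module "kms_crypto_key_iam_binding" {
  source  = "terraform-google-modules/iam/google//modules/kms_crypto_keys_iam"
  version = "~> 8.0"

  kms_crypto_keys = [var.kms_crypto_key_one, var.kms_crypto_key_two]

  # CAUTION: "authoritative" maps to google_kms_crypto_key_iam_binding, which
  # makes this configuration the only source of members for the two roles below
  # on each key. Any principal that holds one of these roles on the key but is
  # not listed here - e.g. a workload service account granted out of band - is
  # removed on apply, which can break encryption/decryption for that workload.
  # Prefer "additive" unless that reset is intended.
  mode = "authoritative"

  bindings = {
    "roles/cloudkms.cryptoKeyEncrypter" = [
      "user:${var.user_email}",
      "group:${var.group_email}",
    ]
    "roles/cloudkms.cryptoKeyDecrypter" = [
      "user:${var.user_email}",
      "group:${var.group_email}",
    ]
  }
}
--------------------------------------------------------------------------------
/examples/kms_key_ring/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.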
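*/

variable "group_email" {
  type        = string
  description = "Email for group to receive roles (ex. group@example.com)"
}

variable "user_email" {
  type        = string
  # Description previously said "group"; this variable is the user principal.
  description = "Email for user to receive roles (ex. user@example.com)"
}

/******************************************
  kms_key_ring_iam_binding variables
 *****************************************/
variable "kms_key_ring_one" {
  type        = string
  description = "First kms_ring to add the IAM policies/bindings"
}

variable "kms_key_ring_two" {
  type        = string
  # Description previously said "First"; this is the second key ring.
  description = "Second kms_ring to add the IAM policies/bindings"
}

--------------------------------------------------------------------------------
/modules/secure_source_manager_iam/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

output "instances" {
  value       = distinct(module.helper.bindings_by_member[*].name)
  description = "Secure source manager instance names which received bindings."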
20 | depends_on = [google_secure_source_manager_instance_iam_binding.ssm_instance_iam_authoritative, google_secure_source_manager_instance_iam_member.ssm_instance_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to the SSM instances." 31 | } 32 | -------------------------------------------------------------------------------- /examples/project/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /****************************************** 18 | Module project_iam_binding calling 19 | *****************************************/ 20 | module "project_iam_binding" { 21 | source = "terraform-google-modules/iam/google//modules/projects_iam" 22 | version = "~> 8.0" 23 | 24 | projects = [var.project_one, var.project_two] 25 | mode = "additive" 26 | 27 | bindings = { 28 | "roles/compute.networkAdmin" = [ 29 | "serviceAccount:${var.sa_email}", 30 | "group:${var.group_email}", 31 | "user:${var.user_email}", 32 | ] 33 | "roles/appengine.appAdmin" = [ 34 | "serviceAccount:${var.sa_email}", 35 | "group:${var.group_email}", 36 | "user:${var.user_email}", 37 | ] 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /modules/artifact_registry_iam/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "repositories" { 18 | value = distinct(module.helper.bindings_by_member[*].name) 19 | description = "Artifact registry repositories which received bindings." 
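20 | depends_on = [google_artifact_registry_repository_iam_binding.artifact_registry_iam_authoritative, google_artifact_registry_repository_iam_member.artifact_registry_iam_additive, ] 21 | } 22 | 23 | output "roles" { 24 | value = distinct(module.helper.bindings_by_member[*].role) 25 | description = "Roles which were assigned to members." 26 | } 27 | 28 | output "members" { 29 | value = distinct(module.helper.bindings_by_member[*].member) 30 | description = "Members which were bound to artifact registry repositories." 31 | } 32 | -------------------------------------------------------------------------------- /examples/kms_crypto_key/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "user_email" { 23 | type = string 24 | description = "Email for user to receive roles (Ex. 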
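user@example.com)" 25 | } 26 | 27 | /****************************************** 28 | kms_crypto_key_iam_binding variables 29 | *****************************************/ 30 | variable "kms_crypto_key_one" { 31 | type = string 32 | description = "First kms_crypto_key to add the IAM policies/bindings" 33 | } 34 | 35 | variable "kms_crypto_key_two" { 36 | type = string 37 | description = "Second kms_crypto_key to add the IAM policies/bindings" 38 | } 39 | 40 | -------------------------------------------------------------------------------- /modules/tag_keys_iam/README.md: -------------------------------------------------------------------------------- 1 | # Module Tag Keys IAM 2 | 3 | This submodule is used to assign roles on Tag Keys. 4 | 5 | ## Example Usage 6 | ``` 7 | module "tag_keys_iam_binding" { 8 | source = "terraform-google-modules/iam/google//modules/tag_keys_iam" 9 | version = "~> 8.2" 10 | tag_keys = [ 11 | google_tags_tag_key.tag_key.name, 12 | ] 13 | mode = "authoritative" 14 | 15 | bindings = { 16 | "roles/viewer" = [ 17 | "serviceAccount:${var.sa_email}", 18 | "group:${var.group_email}", 19 | "user:${var.user_email}", 20 | ] 21 | } 22 | } 23 | ``` 24 | 25 | 26 | ## Inputs 27 | 28 | | Name | Description | Type | Default | Required | 29 | |------|-------------|------|---------|:--------:| 30 | | bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(any)` | n/a | yes | 31 | | mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no | 32 | | tag\_keys | List of tag keys to add the IAM policies/bindings | `list(string)` | n/a | yes | 33 | 34 | ## Outputs 35 | 36 | | Name | Description | 37 | |------|-------------| 38 | | members | Members which were bound to the Tag keys. | 39 | | roles | Roles which were assigned to members. | 40 | | tag\_keys | Tag keys which received bindings. 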
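| 41 | 42 | 43 | -------------------------------------------------------------------------------- /examples/tag_values/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for user to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | /****************************************** 33 | tag_values_iam_binding variables 34 | *****************************************/ 35 | variable "project_id" { 36 | type = string 37 | description = "Project ID to create the example's tag resources in" 38 | } 39 | -------------------------------------------------------------------------------- /examples/bigquery_dataset/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 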
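6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for user to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | /****************************************** 33 | bigquery_dataset_iam_binding variables 34 | *****************************************/ 35 | variable "project_id" { 36 | type = string 37 | description = "Project ID to create BigQuery resources in" 38 | } 39 | -------------------------------------------------------------------------------- /modules/tag_values_iam/README.md: -------------------------------------------------------------------------------- 1 | # Module Tag Values IAM 2 | 3 | This submodule is used to assign roles on Tag Values. 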
4 | 5 | ## Example Usage 6 | ``` 7 | module "tag_values_iam_binding" { 8 | source = "terraform-google-modules/iam/google//modules/tag_values_iam" 9 | version = "~> 8.2" 10 | tag_values = [ 11 | google_tags_tag_value.tag_value.name, 12 | ] 13 | mode = "authoritative" 14 | 15 | bindings = { 16 | "roles/viewer" = [ 17 | "serviceAccount:${var.sa_email}", 18 | "group:${var.group_email}", 19 | "user:${var.user_email}", 20 | ] 21 | } 22 | } 23 | ``` 24 | 25 | 26 | ## Inputs 27 | 28 | | Name | Description | Type | Default | Required | 29 | |------|-------------|------|---------|:--------:| 30 | | bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(any)` | n/a | yes | 31 | | mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no | 32 | | tag\_values | List of tag values to add the IAM policies/bindings | `list(string)` | n/a | yes | 33 | 34 | ## Outputs 35 | 36 | | Name | Description | 37 | |------|-------------| 38 | | members | Members which were bound to the Tag values. | 39 | | roles | Roles which were assigned to members. | 40 | | tag\_keys | Tag values which received bindings. | 41 | 42 | 43 | -------------------------------------------------------------------------------- /test/fixtures/custom-role/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "create_custom_role_project" { 18 | source = "../../../examples/custom_role_project" 19 | project_id = var.project_id 20 | } 21 | 22 | module "create_custom_role_org" { 23 | source = "../../../examples/custom_role_org" 24 | org_id = var.org_id 25 | } 26 | 27 | module "create_custom_role_unsupported_permissions_org" { 28 | source = "../../../modules/custom_role_iam" 29 | target_level = "org" 30 | target_id = var.org_id 31 | role_id = "customDatastoreViewer_${random_id.rand_custom_id.hex}" 32 | base_roles = ["roles/gkehub.viewer"] # https://cloud.google.com/iam/docs/custom-roles-permissions-support 33 | permissions = [] 34 | members = [] 35 | } 36 | 37 | resource "random_id" "rand_custom_id" { 38 | byte_length = 2 39 | } 40 | -------------------------------------------------------------------------------- /examples/organization/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /****************************************** 18 | Module organization_iam_binding calling 19 | *****************************************/ 20 | module "organization_iam_binding" { 21 | source = "terraform-google-modules/iam/google//modules/organizations_iam" 22 | version = "~> 8.0" 23 | 24 | organizations = [var.organization_one, var.organization_two] 25 | mode = "authoritative" # authoritative mode makes the lists below the complete member set for each role on both organizations; members granted elsewhere are removed on apply, so review the current org policy before using this outside a test org 26 | 27 | bindings = { 28 | "roles/resourcemanager.organizationViewer" = [ 29 | "serviceAccount:${var.sa_email}", 30 | "group:${var.group_email}", 31 | "user:${var.user_email}", 32 | ] 33 | "roles/resourcemanager.projectDeleter" = [ 34 | "serviceAccount:${var.sa_email}", 35 | "group:${var.group_email}", 36 | "user:${var.user_email}", 37 | ] 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /examples/storage_bucket/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /****************************************** 18 | Module storage_buckets_iam_binding calling 19 | *****************************************/ 20 | module "storage_buckets_iam_binding" { 21 | source = "terraform-google-modules/iam/google//modules/storage_buckets_iam" 22 | version = "~> 8.0" 23 | 24 | storage_buckets = [var.storage_bucket_one, var.storage_bucket_two] 25 | mode = "additive" 26 | 27 | bindings = { 28 | "roles/storage.legacyBucketReader" = [ 29 | "serviceAccount:${var.sa_email}", 30 | "group:${var.group_email}", 31 | "user:${var.user_email}", 32 | ] 33 | "roles/storage.legacyBucketWriter" = [ 34 | "serviceAccount:${var.sa_email}", 35 | "group:${var.group_email}", 36 | "user:${var.user_email}", 37 | ] 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /examples/pubsub_topic/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /****************************************** 18 | Module pubsub_topic_iam_binding calling 19 | *****************************************/ 20 | module "pubsub_topic_iam_binding" { 21 | source = "terraform-google-modules/iam/google//modules/pubsub_topics_iam" 22 | version = "~> 8.0" 23 | 24 | project = var.pubsub_topic_project 25 | pubsub_topics = [var.pubsub_topic_one, var.pubsub_topic_two] 26 | mode = "authoritative" 27 | 28 | bindings = { 29 | "roles/pubsub.publisher" = [ 30 | "serviceAccount:${var.sa_email}", 31 | "group:${var.group_email}", 32 | "user:${var.user_email}", 33 | ] 34 | "roles/pubsub.viewer" = [ 35 | "serviceAccount:${var.sa_email}", 36 | "group:${var.group_email}", 37 | "user:${var.user_email}", 38 | ] 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /modules/cloud_run_services_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project" { 18 | description = "Project to add the IAM policies/bindings" 19 | default = "" 20 | type = string 21 | } 22 | 23 | variable "location" { 24 | description = "The location of the cloud run instance" 25 | default = "" 26 | type = string 27 | } 28 | 29 | variable "cloud_run_services" { 30 | description = "Cloud Run services list to add the IAM policies/bindings" 31 | default = [] 32 | type = list(string) 33 | } 34 | 35 | variable "mode" { 36 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 37 | type = string 38 | default = "additive" 39 | } 40 | 41 | variable "bindings" { 42 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 43 | type = map(any) 44 | } 45 | -------------------------------------------------------------------------------- /examples/tag_keys/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /********************************************* 18 | Module tag_keys_iam_binding calling 19 | *********************************************/ 20 | module "tag_keys_iam_binding" { 21 | source = "terraform-google-modules/iam/google//modules/tag_keys_iam" 22 | version = "~> 8.0" 23 | 24 | tag_keys = [ 25 | google_tags_tag_key.tag_key.name, 26 | ] 27 | mode = "authoritative" 28 | 29 | bindings = { 30 | "roles/viewer" = [ 31 | "serviceAccount:${var.sa_email}", 32 | "group:${var.group_email}", 33 | "user:${var.user_email}", 34 | ] 35 | } 36 | } 37 | 38 | data "google_project" "project" { 39 | project_id = var.project_id 40 | } 41 | 42 | resource "google_tags_tag_key" "tag_key" { 43 | parent = "projects/${data.google_project.project.number}" 44 | short_name = "foo" 45 | description = "test tags" 46 | } 47 | -------------------------------------------------------------------------------- /examples/service_account/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /****************************************** 18 | Module service_account_iam_binding calling 19 | *****************************************/ 20 | module "service_account_iam_binding" { 21 | source = "terraform-google-modules/iam/google//modules/service_accounts_iam" 22 | version = "~> 8.0" 23 | 24 | service_accounts = [var.service_account_one, var.service_account_two] 25 | project = var.service_account_project 26 | mode = "additive" 27 | bindings = { # both roles below let the listed members act as the target service accounts (manage their keys / mint tokens for them); keep these member lists minimal 28 | "roles/iam.serviceAccountKeyAdmin" = [ 29 | "serviceAccount:${var.sa_email}", 30 | "group:${var.group_email}", 31 | "user:${var.user_email}", 32 | ] 33 | "roles/iam.serviceAccountTokenCreator" = [ 34 | "serviceAccount:${var.sa_email}", 35 | "group:${var.group_email}", 36 | "user:${var.user_email}", 37 | ] 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /test/fixtures/custom-role/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "project_id" { 18 | value = var.project_id 19 | description = "Project ID of the Custom Role." 20 | } 21 | 22 | output "org_id" { 23 | value = var.org_id 24 | description = "Organization ID of the Custom Role." 
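25 | } 26 | 27 | output "custom_role_id_project" { 28 | value = module.create_custom_role_project.role_id 29 | description = "ID of the custom role created at project level." 30 | } 31 | 32 | output "custom_role_id_org" { 33 | value = module.create_custom_role_org.role_id 34 | description = "ID of the custom role created at organization level." 35 | } 36 | 37 | output "custom_role_id_org_unsupported" { 38 | value = module.create_custom_role_unsupported_permissions_org.custom_role_id 39 | description = "ID of the custom role created from a base role with unsupported permissions" 40 | } 41 | -------------------------------------------------------------------------------- /examples/folder/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for user to receive roles (Ex. 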
user@example.com)" 30 | } 31 | 32 | /****************************************** 33 | folder_iam_binding variables 34 | *****************************************/ 35 | variable "folder_one" { 36 | type = string 37 | description = "The first folder ID to apply IAM bindings" 38 | } 39 | 40 | variable "folder_two" { 41 | type = string 42 | description = "The second folder ID to apply IAM bindings" 43 | } 44 | -------------------------------------------------------------------------------- /examples/pubsub_subscription/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /****************************************** 18 | Module pubsub_subscription_iam_binding calling 19 | *****************************************/ 20 | module "pubsub_subscription_iam_binding" { 21 | source = "terraform-google-modules/iam/google//modules/pubsub_subscriptions_iam" 22 | version = "~> 8.0" 23 | 24 | project = var.pubsub_subscription_project 25 | pubsub_subscriptions = [var.pubsub_subscription_one, var.pubsub_subscription_two] 26 | mode = "additive" 27 | 28 | bindings = { 29 | "roles/pubsub.viewer" = [ 30 | "serviceAccount:${var.sa_email}", 31 | "group:${var.group_email}", 32 | "user:${var.user_email}", 33 | ] 34 | "roles/pubsub.editor" = [ 35 | "serviceAccount:${var.sa_email}", 36 | "group:${var.group_email}", 37 | "user:${var.user_email}", 38 | ] 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /modules/artifact_registry_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "repositories" { 18 | description = "Artifact registry repositories list to add the IAM policies/bindings" 19 | default = [] 20 | type = list(string) 21 | } 22 | 23 | variable "location" { 24 | description = "Location of the provided artifact registry repositories" 25 | type = string 26 | } 27 | 28 | variable "project" { 29 | description = "Project where the artifact registry repositories are placed" 30 | type = string 31 | } 32 | 33 | variable "mode" { 34 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 35 | type = string 36 | default = "additive" 37 | } 38 | 39 | variable "bindings" { 40 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 41 | type = map(list(string)) 42 | default = {} 43 | } 44 | -------------------------------------------------------------------------------- /test/fixtures/static-and-dynamic/static_projects/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "folder_id" { 18 | type = string 19 | description = "Folder to create resources in, e.g. folders/12345678" 20 | } 21 | 22 | variable "billing_account" { 23 | type = string 24 | description = "Billing account to associate created projects with." 
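25 | } 26 | 27 | variable "random_hexes" { 28 | type = list(string) 29 | description = "List of pre-generated random id hexes. Required for 'for_each' to work when testing static scenarios." 30 | } 31 | 32 | variable "mode" { 33 | type = string 34 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 35 | } 36 | 37 | variable "n" { 38 | type = number 39 | description = "Amount of projects to create" 40 | } 41 | 42 | variable "prefix" { 43 | type = string 44 | description = "Prefix for the project name" 45 | } 46 | -------------------------------------------------------------------------------- /examples/project/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for user to receive roles (Ex. 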
user@example.com)" 30 | } 31 | 32 | /****************************************** 33 | project_iam_binding variables 34 | *****************************************/ 35 | variable "project_one" { 36 | type = string 37 | description = "First project id to add the IAM policies/bindings" 38 | } 39 | 40 | variable "project_two" { 41 | type = string 42 | description = "Second project id to add the IAM policies/bindings" 43 | } 44 | 45 | -------------------------------------------------------------------------------- /modules/billing_accounts_iam/README.md: -------------------------------------------------------------------------------- 1 | # Module Billing Accounts IAM 2 | 3 | This optional module is used to assign Billing Accounts roles 4 | 5 | ## Usage 6 | 7 | ```hcl 8 | module "billing-account-iam" { 9 | source = "terraform-google-modules/iam/google//modules/billing_accounts_iam" 10 | version = "~> 8.2" 11 | 12 | billing_account_ids = ["035617-1B8VBC-AF0TD9"] 13 | 14 | mode = "additive" 15 | 16 | bindings = { 17 | "roles/billing.viewer" = [ 18 | "serviceAccount:my-sa@my-project.iam.gserviceaccount.com", 19 | "group:my-group@my-org.com", 20 | ] 21 | 22 | "roles/billing.user" = [ 23 | "user:my-user@my-org.com", 24 | ] 25 | } 26 | } 27 | ``` 28 | 29 | 30 | ## Inputs 31 | 32 | | Name | Description | Type | Default | Required | 33 | |------|-------------|------|---------|:--------:| 34 | | billing\_account\_ids | Billing Accounts IDs list to add the IAM policies/bindings | `list(string)` | `[]` | no | 35 | | bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(list(string))` | n/a | yes | 36 | | mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no | 37 | 38 | ## Outputs 39 | 40 | | Name | Description | 41 | |------|-------------| 42 | | billing\_account\_ids | Billing Accounts which received bindings. | 43 | | members | Members which were bound to the billing accounts. 
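|
| roles | Roles which were assigned to members. |


--------------------------------------------------------------------------------
/modules/helper/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Role -> list of IAM member strings ("user:", "group:", "serviceAccount:", ...).
# Nothing here rejects the public principals "allUsers" / "allAuthenticatedUsers";
# a binding containing them makes the role public on every entity. Gate that
# with policy/review outside this module (e.g. org policy iam.allowedPolicyMemberDomains).
variable "bindings" {
  description = "Map of role (key) and list of members (value) to add the IAM policies/bindings"
  type        = map(list(string))
  default     = {}
}

variable "mode" {
  description = "Mode for adding the IAM policies/bindings, additive and authoritative"
  type        = string
  default     = "additive"

  # Reject anything other than the two supported values at plan time rather than
  # letting a typo reach the mode comparison in main.tf with an unknown string.
  # (variable validation requires Terraform >= 0.13)
  validation {
    condition     = contains(["additive", "authoritative"], var.mode)
    error_message = "The mode must be either \"additive\" or \"authoritative\"."
  }

  # NOTE(review): "authoritative" is expected to carry *_iam_binding semantics,
  # i.e. the member list becomes the complete membership of each role on the
  # entity and anyone else holding that role is removed on apply - confirm in
  # main.tf. At organization/folder scope this can remove the operator's own access.
}

# Resource identifiers the bindings are applied to; their exact format
# (e.g. bare ID vs. full resource name) is fixed by the wrapping module.
variable "entities" {
  description = "Entities list to add the IAM policies/bindings"
  type        = list(string)
}

# One entry per role: a CEL condition (title/description/expression) plus the
# members bound under it. Conditions restrict *when* the role applies, so an
# incorrect expression fails open to nothing or closed to everything -- review
# the expression as carefully as the member list.
variable "conditional_bindings" {
  description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings"
  type = list(object({
    role        = string
    title       = string
    description = string
    expression  = string
    members     = list(string)
  }))
  default = [
  ]
}
--------------------------------------------------------------------------------
/examples/project_conditions/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *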
4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for group to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | /****************************************** 33 | project_iam_binding variables 34 | *****************************************/ 35 | variable "project_one" { 36 | type = string 37 | description = "First project id to add the IAM policies/bindings" 38 | } 39 | 40 | variable "project_two" { 41 | type = string 42 | description = "Second project id to add the IAM policies/bindings" 43 | } 44 | 45 | -------------------------------------------------------------------------------- /examples/cloud_run_service/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /****************************************** 18 | Module cloud_run_service_iam_binding calling 19 | *****************************************/ 20 | 21 | module "cloud_run_service_iam_binding" { 22 | source = "terraform-google-modules/iam/google//modules/cloud_run_services_iam" 23 | version = "~> 8.0" 24 | 25 | project = var.cloud_run_service_project 26 | location = var.cloud_run_service_location 27 | cloud_run_services = [var.cloud_run_service_one, var.cloud_run_service_two] 28 | mode = "authoritative" 29 | 30 | bindings = { 31 | "roles/role.admin" = [ 32 | "serviceAccount:${var.sa_email}", 33 | "group:${var.group_email}", 34 | "user:${var.user_email}", 35 | ] 36 | "roles/role.invoker" = [ 37 | "serviceAccount:${var.sa_email}", 38 | "group:${var.group_email}", 39 | "user:${var.user_email}", 40 | ] 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /examples/organization/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for group to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | /****************************************** 33 | organization_iam_binding variables 34 | *****************************************/ 35 | variable "organization_one" { 36 | type = string 37 | description = "First organization to add the IAM policies/bindings" 38 | } 39 | 40 | variable "organization_two" { 41 | type = string 42 | description = "Second organization to add the IAM policies/bindings" 43 | } 44 | 45 | -------------------------------------------------------------------------------- /modules/folders_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "folders" { 18 | description = "Folders list to add the IAM policies/bindings" 19 | default = [] 20 | type = list(string) 21 | } 22 | 23 | variable "mode" { 24 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 25 | type = string 26 | default = "additive" 27 | } 28 | 29 | variable "bindings" { 30 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 31 | type = map(list(string)) 32 | default = {} 33 | } 34 | 35 | variable "conditional_bindings" { 36 | description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings" 37 | type = list(object({ 38 | role = string 39 | title = string 40 | description = string 41 | expression = string 42 | members = list(string) 43 | })) 44 | default = [] 45 | } 46 | -------------------------------------------------------------------------------- /modules/helper/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "bindings_by_member" { 18 | value = local.bindings_by_member 19 | description = "List of bindings for entities unwinded by members." 20 | } 21 | 22 | output "set_authoritative" { 23 | value = local.set_authoritative 24 | description = "A set of authoritative binding keys (from bindings_authoritative) to be used in for_each. Unwinded by roles." 25 | } 26 | 27 | output "set_additive" { 28 | value = local.set_additive 29 | description = "A set of additive binding keys (from bindings_additive) to be used in for_each. Unwinded by members." 30 | } 31 | 32 | output "bindings_authoritative" { 33 | value = local.bindings_authoritative 34 | description = "Map of authoritative bindings for entities. Unwinded by roles." 35 | } 36 | 37 | output "bindings_additive" { 38 | value = local.bindings_additive 39 | description = "Map of additive bindings for entities. Unwinded by members." 40 | } 41 | -------------------------------------------------------------------------------- /modules/projects_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "projects" { 18 | description = "Projects list to add the IAM policies/bindings" 19 | default = [] 20 | type = list(string) 21 | } 22 | 23 | variable "mode" { 24 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 25 | type = string 26 | default = "additive" 27 | } 28 | 29 | variable "bindings" { 30 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 31 | type = map(list(string)) 32 | default = {} 33 | } 34 | 35 | variable "conditional_bindings" { 36 | description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings" 37 | type = list(object({ 38 | role = string 39 | title = string 40 | description = string 41 | expression = string 42 | members = list(string) 43 | })) 44 | default = [] 45 | } 46 | -------------------------------------------------------------------------------- /modules/helper/README.md: -------------------------------------------------------------------------------- 1 | # IAM helper 2 | 3 | This is a helper module. Do not use this module directly. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(list(string))` | `{}` | no | 11 | | conditional\_bindings | List of maps of role and respective conditions, and the members to add the IAM policies/bindings |
list(object({
role = string
title = string
description = string
expression = string
members = list(string)
}))
| `[]` | no | 12 | | entities | Entities list to add the IAM policies/bindings | `list(string)` | n/a | yes | 13 | | mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no | 14 | 15 | ## Outputs 16 | 17 | | Name | Description | 18 | |------|-------------| 19 | | bindings\_additive | Map of additive bindings for entities. Unwinded by members. | 20 | | bindings\_authoritative | Map of authoritative bindings for entities. Unwinded by roles. | 21 | | bindings\_by\_member | List of bindings for entities unwinded by members. | 22 | | set\_additive | A set of additive binding keys (from bindings\_additive) to be used in for\_each. Unwinded by members. | 23 | | set\_authoritative | A set of authoritative binding keys (from bindings\_authoritative) to be used in for\_each. Unwinded by roles. | 24 | 25 | 26 | -------------------------------------------------------------------------------- /examples/custom_role_org/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

# Suffix that keeps the role_id unique between runs. byte_length = 2 gives only
# 16 bits (4 hex chars); a deleted custom role's ID stays reserved for a grace
# period, so repeated create/destroy cycles can collide - raise it if this
# example is used in CI.
resource "random_id" "rand_custom_id" {
  byte_length = 2
}

/******************************************
  Module custom_role call
 *****************************************/
# Organization-level custom role.
# - base_roles seeds the permission set from roles/iam.serviceAccountAdmin;
#   excluded_permissions then strips iam.serviceAccounts.setIamPolicy so holders
#   cannot re-grant access on service accounts.
# - The extra iam.roles.create/delete permissions let holders create and delete
#   custom roles anywhere in the org; combined with a role-binding permission
#   elsewhere that is a privilege-escalation path, so keep the member list tight.
# - members are hard-coded groups in the blueprint test organization; replace
#   them before reusing this example.
module "custom-roles-org" {
  source  = "terraform-google-modules/iam/google//modules/custom_role_iam"
  version = "~> 8.0"

  target_level         = "org"
  target_id            = var.org_id
  role_id              = "iamDeleter_${random_id.rand_custom_id.hex}"
  base_roles           = ["roles/iam.serviceAccountAdmin"]
  permissions          = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
  excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
  description          = "This is an organization level custom role."
  members              = ["group:test-gcp-org-admins@test.blueprints.joonix.net", "group:test-gcp-billing-admins@test.blueprints.joonix.net"]
}
--------------------------------------------------------------------------------
/examples/storage_bucket/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2019 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

variable "group_email" {
  type        = string
  description = "Email for group to receive roles (ex. group@example.com)"
}

variable "sa_email" {
  type        = string
  description = "Email for Service Account to receive roles (Ex. 
default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for group to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | /****************************************** 33 | storage_bucket_iam_binding variables 34 | *****************************************/ 35 | variable "storage_bucket_one" { 36 | type = string 37 | description = "First name of a GCS bucket to add the IAM policies/bindings" 38 | } 39 | 40 | variable "storage_bucket_two" { 41 | type = string 42 | description = "Second name of a GCS bucket to add the IAM policies/bindings" 43 | } 44 | 45 | -------------------------------------------------------------------------------- /modules/kms_key_rings_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "kms_key_rings" { 18 | description = "KMS Key Rings list to add the IAM policies/bindings" 19 | default = [] 20 | type = list(string) 21 | } 22 | 23 | variable "mode" { 24 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 25 | type = string 26 | default = "additive" 27 | } 28 | 29 | variable "bindings" { 30 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 31 | type = map(list(string)) 32 | default = {} 33 | } 34 | 35 | variable "conditional_bindings" { 36 | description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings" 37 | type = list(object({ 38 | role = string 39 | title = string 40 | description = string 41 | expression = string 42 | members = list(string) 43 | })) 44 | default = [] 45 | } 46 | -------------------------------------------------------------------------------- /modules/organizations_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "organizations" { 18 | description = "Organizations list to add the IAM policies/bindings" 19 | default = [] 20 | type = list(string) 21 | } 22 | 23 | variable "mode" { 24 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 25 | type = string 26 | default = "additive" 27 | } 28 | 29 | variable "bindings" { 30 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 31 | type = map(list(string)) 32 | default = {} 33 | } 34 | 35 | variable "conditional_bindings" { 36 | description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings" 37 | type = list(object({ 38 | role = string 39 | title = string 40 | description = string 41 | expression = string 42 | members = list(string) 43 | })) 44 | default = [] 45 | } 46 | -------------------------------------------------------------------------------- /modules/kms_crypto_keys_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "kms_crypto_keys" { 18 | description = "KMS crypto keys list to add the IAM policies/bindings" 19 | default = [] 20 | type = list(string) 21 | } 22 | 23 | variable "mode" { 24 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 25 | type = string 26 | default = "additive" 27 | } 28 | 29 | variable "bindings" { 30 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 31 | type = map(list(string)) 32 | default = {} 33 | } 34 | 35 | variable "conditional_bindings" { 36 | description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings" 37 | type = list(object({ 38 | role = string 39 | title = string 40 | description = string 41 | expression = string 42 | members = list(string) 43 | })) 44 | default = [] 45 | } 46 | -------------------------------------------------------------------------------- /modules/storage_buckets_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "storage_buckets" { 18 | description = "Storage Buckets list to add the IAM policies/bindings" 19 | default = [] 20 | type = list(string) 21 | } 22 | 23 | variable "mode" { 24 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 25 | type = string 26 | default = "additive" 27 | } 28 | 29 | variable "bindings" { 30 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 31 | type = map(list(string)) 32 | default = {} 33 | } 34 | 35 | variable "conditional_bindings" { 36 | description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings" 37 | type = list(object({ 38 | role = string 39 | title = string 40 | description = string 41 | expression = string 42 | members = list(string) 43 | })) 44 | default = [] 45 | } 46 | -------------------------------------------------------------------------------- /examples/secret_manager/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | type = string 19 | description = "GCP Project ID." 20 | } 21 | 22 | variable "group_email" { 23 | type = string 24 | description = "Email for group to receive roles (ex. 
group@example.com)" 25 | } 26 | 27 | variable "sa_email" { 28 | type = string 29 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 30 | } 31 | 32 | variable "user_email" { 33 | type = string 34 | description = "Email for group to receive roles (Ex. user@example.com)" 35 | } 36 | 37 | /****************************************** 38 | secret_iam_binding variables 39 | *****************************************/ 40 | variable "secret_one" { 41 | type = string 42 | description = "The first secret ID to apply IAM bindings" 43 | } 44 | 45 | variable "secret_two" { 46 | type = string 47 | description = "The second secret ID to apply IAM bindings" 48 | } 49 | -------------------------------------------------------------------------------- /examples/billing_account/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | locals { 18 | service_account_01_email = "billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com" 19 | service_account_02_email = "billing-iam-test-02@${var.project_id}.iam.gserviceaccount.com" 20 | 21 | # bindings = { 22 | # "roles/billing.viewer" = [ 23 | # "serviceAccount:${local.service_account_01_email}", 24 | # ] 25 | 26 | # "roles/billing.admin" = [ 27 | # "serviceAccount:${local.service_account_01_email}", 28 | # "serviceAccount:${local.service_account_02_email}", 29 | # ] 30 | # } 31 | } 32 | 33 | /****************************************** 34 | Module billing_account_iam_binding calling 35 | *****************************************/ 36 | # module "billing-account-iam" { 37 | # source = "terraform-google-modules/iam/google//modules/billing_accounts_iam" 38 | # version = "~> 8.0" 39 | 40 | # billing_account_ids = [var.billing_account_id] 41 | 42 | # mode = "additive" 43 | 44 | # bindings = local.bindings 45 | # } 46 | -------------------------------------------------------------------------------- /examples/pubsub_topic/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2019 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "group_email" { 18 | type = string 19 | description = "Email for group to receive roles (ex. 
group@example.com)" 20 | } 21 | 22 | variable "sa_email" { 23 | type = string 24 | description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" 25 | } 26 | 27 | variable "user_email" { 28 | type = string 29 | description = "Email for group to receive roles (Ex. user@example.com)" 30 | } 31 | 32 | /****************************************** 33 | pubsub_topic_iam_binding variables 34 | *****************************************/ 35 | variable "pubsub_topic_project" { 36 | type = string 37 | description = "Project id of the pub/sub topic" 38 | } 39 | 40 | variable "pubsub_topic_one" { 41 | type = string 42 | description = "First pubsub topic to add the IAM policies/bindings" 43 | } 44 | 45 | variable "pubsub_topic_two" { 46 | type = string 47 | description = "Second pubsub topic to add the IAM policies/bindings" 48 | } 49 | 50 | -------------------------------------------------------------------------------- /examples/tag_values/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /********************************************* 18 | Module tag_values_iam_binding calling 19 | *********************************************/ 20 | module "tag_values_iam_binding" { 21 | source = "terraform-google-modules/iam/google//modules/tag_values_iam" 22 | version = "~> 8.0" 23 | 24 | tag_values = [ 25 | google_tags_tag_value.tag_value.name, 26 | ] 27 | mode = "authoritative" 28 | 29 | bindings = { 30 | "roles/viewer" = [ 31 | "serviceAccount:${var.sa_email}", 32 | "group:${var.group_email}", 33 | "user:${var.user_email}", 34 | ] 35 | } 36 | } 37 | 38 | data "google_project" "project" { 39 | project_id = var.project_id 40 | } 41 | 42 | resource "google_tags_tag_key" "tag_key" { 43 | parent = "projects/${data.google_project.project.number}" 44 | short_name = "foo1" 45 | description = "test tags" 46 | } 47 | 48 | resource "google_tags_tag_value" "tag_value" { 49 | parent = "tagKeys/${google_tags_tag_key.tag_key.name}" 50 | short_name = "bar1" 51 | description = "Tag value bar." 52 | } 53 | -------------------------------------------------------------------------------- /modules/secret_manager_iam/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project" { 18 | description = "Project to add the IAM policies/bindings" 19 | default = "" 20 | type = string 21 | } 22 | 23 | variable "secrets" { 24 | description = "Secret Manager Secrets list to add the IAM policies/bindings" 25 | default = [] 26 | type = list(string) 27 | } 28 | 29 | variable "mode" { 30 | description = "Mode for adding the IAM policies/bindings, additive and authoritative" 31 | type = string 32 | default = "additive" 33 | } 34 | 35 | variable "bindings" { 36 | description = "Map of role (key) and list of members (value) to add the IAM policies/bindings" 37 | type = map(any) 38 | } 39 | 40 | variable "conditional_bindings" { 41 | description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings" 42 | type = list(object({ 43 | role = string 44 | title = string 45 | description = string 46 | expression = string 47 | members = list(string) 48 | })) 49 | default = [] 50 | } 51 | -------------------------------------------------------------------------------- /examples/dns_zone/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

/*********************************************
  Module dns_zone_iam_binding calling
 *********************************************/
# Example: grant roles/viewer and roles/dns.reader on one managed zone to a
# service account, a group and a user through the dns_zones_iam submodule.
module "dns_zones_iam_binding" {
  source  = "terraform-google-modules/iam/google//modules/dns_zones_iam"
  version = "~> 8.0"

  project = var.project_id
  managed_zones = [
    google_dns_managed_zone.dns_zone_one.name,
  ]
  # Authoritative mode: the module is expected to own the full member list of
  # each role in `bindings` on these zones, so members granted elsewhere would
  # presumably be removed on apply — confirm in modules/dns_zones_iam before
  # reusing this pattern outside a test project.
  mode = "authoritative"

  bindings = {
    "roles/viewer" = [
      "serviceAccount:${var.sa_email}",
      "group:${var.group_email}",
      "user:${var.user_email}",
    ]
    "roles/dns.reader" = [
      "serviceAccount:${var.sa_email}",
      "group:${var.group_email}",
      "user:${var.user_email}",
    ]
  }
}

# Zone created purely as a binding target; the random suffix keeps its name and
# dns_name unique between runs. dns_name is given in absolute form (trailing
# dot), as Cloud DNS expects.
resource "google_dns_managed_zone" "dns_zone_one" {
  project  = var.project_id
  name     = "test-iam-dns-${random_id.test.hex}-one"
  dns_name = "example-${random_id.test.hex}.com."
}

# 4 bytes -> 8 hex characters of suffix for the resource names above.
resource "random_id" "test" {
  byte_length = 4
}

--------------------------------------------------------------------------------
/modules/dns_zones_iam/README.md:
--------------------------------------------------------------------------------
# Module DNS Zone IAM

This submodule is used to assign roles on DNS zones.

## Example Usage
```
module "dns_zones_iam_binding" {
  source  = "terraform-google-modules/iam/google//modules/dns_zones_iam"
  version = "~> 8.2"

  project = var.project_id
  managed_zones = [
    google_dns_managed_zone.dns_zone_one.name,
  ]
  mode = "authoritative"

  bindings = {
    "roles/viewer" = [
      "serviceAccount:${var.sa_email}",
      "group:${var.group_email}",
      "user:${var.user_email}",
    ]
    "roles/dns.reader" = [
      "serviceAccount:${var.sa_email}",
      "group:${var.group_email}",
      "user:${var.user_email}",
    ]
  }
}
```


## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(any)` | n/a | yes |
| managed\_zones | List of managed zones to add the IAM policies/bindings | `list(string)` | n/a | yes |
| mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no |
| project | Project to add the IAM policies/bindings | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| managed\_zones | DNS Managed Zones which received the bindings. |
| members | Members which were bound to the DNS managed zones. |
| roles | Roles which were assigned to members. |


--------------------------------------------------------------------------------
/test/fixtures/additive/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Inputs for the "additive" integration-test fixture. None of them carries a
# default except location and roles, so the test harness must supply the rest.

# Folder in which the fixture creates its resources.
variable "folder_id" {
  type        = string
  description = "Folder to create resources in, e.g. folders/12345678"
}

variable "billing_account" {
  type        = string
  description = "Billing account to associate created projects with."
}

variable "location" {
  type        = string
  description = "Region for subnetwork tests."
  default     = "us-central1"
}

# A pre-existing project is used so the test does not race against IAM
# propagation on a project created moments earlier.
variable "project_id" {
  type        = string
  description = "Project ID of the test fixture project. Used to avoid timing issues with recently created projects."
}

# Two principals, already created by the test setup, that the fixture binds
# roles to; they are passed in as full member strings (presumably
# "<type>:<email>" — confirm against the fixture's main.tf).
variable "member1" {
  type        = string
  description = "Member created for binding with roles."
}

variable "member2" {
  type        = string
  description = "Member created for binding with roles."
}

# Number of roles the fixture assigns. Changing it between applies is the
# intended way to exercise the module's update behaviour.
variable "roles" {
  type        = number
  default     = 2
  description = "Amount of roles to assign. Useful for testing how the module behaves on updates."
}
--------------------------------------------------------------------------------