I have a question about best practices to append a new IAM role to every project that I have deployed via Terraform. I have Terraform integrated with git to deploy projects. I used two modules depending on the use case for the project to add Google groups to IAM: either “terraform-google-modules/iam/google//modules/projects_iam” or google_project_iam_member for a single role. How would I set a variable in my project module to look at each module and append “roles/cloudsupport.techSupportEditor” to each IAM resource declared in the project (it's one)? I worked on a similar request recently where I had to append a requested set of APIs to each project, based on a label (i.e. free or paid). I added a locals block to my project module to achieve it; would I do something similar to append IAM? I am having difficulty with the logic for this.
locals {
  # Paid/charged projects get the billable service list, everything else the free one.
  billing_apis = var.label_cost_type == "paid" || var.label_cost_type == "charged" ? var.billing_svcs : var.non_billing_svcs
  all_apis     = distinct(concat(local.billing_apis, var.enable_apis))
}

resource "google_project" "project" {
  name            = var.project_name
  project_id      = var.project_id
  folder_id       = var.folder_id
  billing_account = var.billing_account

  # Terraform 0.12+ syntax: no "${...}" wrapper, and an object literal instead of the deprecated map() function.
  labels = merge(
    var.custom_labels,
    {
      category      = lower(var.label_category)
      cost_type     = lower(var.label_cost_type)
      gm            = lower(var.label_gm)
      org           = lower(var.label_org)
      owner         = lower(var.label_owner)
      manager       = lower(var.label_manager)
      resource_type = lower(var.label_resource_type)
      team          = lower(var.label_team)
      product       = lower(var.label_product)
      ticket        = lower(var.label_ticket)
      terraform     = lower(var.label_terraform)
    }
  )
}

resource "google_project_service" "enable_apis" {
  for_each                   = toset(local.all_apis)
  project                    = var.project_id
  service                    = each.key
  disable_on_destroy         = false
  disable_dependent_services = false
  depends_on                 = [google_project.project]

  timeouts {
    create = "5m"
    delete = "5m"
    read   = "5m"
    update = "5m"
  }
}
Here is the example of what I use to apply IAM in each project:
resource "google_project_iam_member" "make-it-vip" {
  project = "make-it-vip"
  role    = "roles/editor"
  member  = "group:gcp-make-it-vip@foo.com"
}
If I need to apply multiple IAM roles I use this one:
module "athenabindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> v6.1.0"

  projects = ["athena"]
  mode     = "additive"

  bindings = {
    "roles/viewer" = [
      "group:gcp-athena@foo.com",
    ]
    "roles/storage.objectAdmin" = [
      "group:gcp-athena@foo.com",
    ]
    "roles/bigquery.admin" = [
      "group:gcp-athena@foo.com",
    ]
    "roles/dataflow.developer" = [
      "group:gcp-athena@foo.com",
    ]
  }
}
Thanks for the help!
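As an added example (not from the original post or from the IAM module), one way to do this inside the project module is to collect every principal the caller already grants, append the extra role for each of them, and flatten the result into one additive google_project_iam_member per (role, member) pair. The variable names iam_bindings and extra_roles are hypothetical; var.project_id is assumed to be the module's existing input.

```hcl
# Added example: append a fixed set of roles to every principal a project
# module already manages. Variables iam_bindings and extra_roles are hypothetical.
variable "iam_bindings" {
  type = map(list(string)) # role => members, as the caller supplies them
  default = {
    "roles/viewer"              = ["group:gcp-athena@foo.com"]
    "roles/storage.objectAdmin" = ["group:gcp-athena@foo.com"]
  }
}

variable "extra_roles" {
  type    = list(string) # roles every project grants to every managed principal
  default = ["roles/cloudsupport.techSupportEditor"]
}

locals {
  # Every distinct principal that appears anywhere in the caller's bindings.
  all_members = distinct(flatten(values(var.iam_bindings)))

  # role => members for the appended roles only.
  extra_bindings = { for r in var.extra_roles : r => local.all_members }

  # Union with the caller's map; a role present in both keeps both member lists.
  all_bindings = {
    for role in distinct(concat(keys(var.iam_bindings), var.extra_roles)) :
    role => distinct(concat(
      try(var.iam_bindings[role], []),
      try(local.extra_bindings[role], []),
    ))
  }

  # One (role, member) pair per resource instance, keyed by both, so adding or
  # removing a principal never forces unrelated bindings to be re-created.
  binding_pairs = {
    for pair in flatten([
      for role, members in local.all_bindings : [
        for m in members : { role = role, member = m }
      ]
    ]) : "${pair.role}/${pair.member}" => pair
  }
}

# Additive per-member grants: unlike google_project_iam_policy or _binding, this
# never removes principals that were granted outside Terraform.
resource "google_project_iam_member" "project_iam" {
  for_each = local.binding_pairs
  project  = var.project_id
  role     = each.value.role
  member   = each.value.member
}
```

If you keep the projects_iam module instead, the same local.all_bindings map can be passed straight to its bindings argument with mode = "additive".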