-
Notifications
You must be signed in to change notification settings - Fork 696
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggested groups and firecall accounts permissions #446
Suggested groups and firecall accounts permissions #446
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This overall LGTM, as it brings the foundation closer in line with the whitepaper & also does not require users to have all the groups to get started.
Are you comfortable with this approach @bharathkkb & @daniel-cit ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall LGTM, some minor nits.
We should also consider auto creating groups https://github.com/terraform-google-modules/terraform-google-group when the provider has better support.
1-org/envs/shared/iam.tf
Outdated
} | ||
|
||
/****************************************** | ||
Firecall accounts permissions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Firecall accounts permissions | |
Firewall accounts permissions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed this to " Privileged accounts permissions according to SFB (Section 6.3 - Privileged identities)"
1-org/envs/shared/iam.tf
Outdated
@@ -87,3 +87,116 @@ resource "google_organization_iam_member" "billing_viewer" { | |||
role = "roles/billing.viewer" | |||
member = "group:${var.billing_data_users}" | |||
} | |||
|
|||
/****************************************** | |||
Groups permissions according to SFB - IAM |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we state the SFB v2 section so the user has context
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, changed this to "Groups permissions according to SFB (Section 6.2 - Users and groups)"
resource "google_organization_iam_member" "organization_viewer" { | ||
count = var.gcp_platform_viewer != null && var.parent_folder == "" ? 1 : 0 | ||
org_id = var.org_id | ||
role = "roles/viewer" | ||
member = "group:${var.gcp_platform_viewer}" | ||
} | ||
|
||
resource "google_folder_iam_member" "organization_viewer" { | ||
count = var.gcp_platform_viewer != null && var.parent_folder != "" ? 1 : 0 | ||
folder = "folders/${var.parent_folder}" | ||
role = "roles/viewer" | ||
member = "group:${var.gcp_platform_viewer}" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should consider refactoring this into a module which takes in parent_folder
and makes the switch btw roles. This will be more DRY, but can do that in a follow up PR too.
hi @aarturm - could you please rebase? It looks like you have some conflicts in the README |
according to SFB on orgnization level.
@rjerrems PR corrected. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - Thanks @aarturm
@bharathkkb can you take a look when you get a chance and we can merge? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @aarturm LGTM
I added organization level permissions for groups and firecall accounts as sugested in chapter 6.2 of Google Cloud Security Foundations Guide
It's related to issue #354.