Suggested groups and firecall accounts permissions #446
Conversation
There was a problem hiding this comment.
This overall LGTM, as it brings the foundation closer in line with the whitepaper & also does not require users to have all the groups to get started.
Are you comfortable with this approach @bharathkkb & @daniel-cit ?
There was a problem hiding this comment.
Overall LGTM, some minor nits.
We should also consider auto creating groups https://github.com/terraform-google-modules/terraform-google-group when the provider has better support.
1-org/envs/shared/iam.tf
Outdated
| } | ||
|
|
||
| /****************************************** | ||
| Firecall accounts permissions |
There was a problem hiding this comment.
| Firecall accounts permissions | |
| Firewall accounts permissions |
There was a problem hiding this comment.
I changed this to " Privileged accounts permissions according to SFB (Section 6.3 - Privileged identities)"
1-org/envs/shared/iam.tf
Outdated
| @@ -87,3 +87,116 @@ resource "google_organization_iam_member" "billing_viewer" { | |||
| role = "roles/billing.viewer" | |||
| member = "group:${var.billing_data_users}" | |||
| } | |||
|
|
|||
| /****************************************** | |||
| Groups permissions according to SFB - IAM | |||
There was a problem hiding this comment.
Can we state the SFB v2 section so the user has context
There was a problem hiding this comment.
Sure, changed this to "Groups permissions according to SFB (Section 6.2 - Users and groups)"
| resource "google_organization_iam_member" "organization_viewer" { | ||
| count = var.gcp_platform_viewer != null && var.parent_folder == "" ? 1 : 0 | ||
| org_id = var.org_id | ||
| role = "roles/viewer" | ||
| member = "group:${var.gcp_platform_viewer}" | ||
| } | ||
|
|
||
| resource "google_folder_iam_member" "organization_viewer" { | ||
| count = var.gcp_platform_viewer != null && var.parent_folder != "" ? 1 : 0 | ||
| folder = "folders/${var.parent_folder}" | ||
| role = "roles/viewer" | ||
| member = "group:${var.gcp_platform_viewer}" | ||
| } |
There was a problem hiding this comment.
We should consider refactoring this into a module which takes in parent_folder and makes the switch btw roles. This will be more DRY, but can do that in a follow up PR too.
|
hi @aarturm - could you please rebase? It looks like you have some conflicts in the README |
according to SFB on orgnization level.
|
@rjerrems PR corrected. |
|
@bharathkkb can you take a look when you get a chance and we can merge? |
I added organization level permissions for groups and firecall accounts as sugested in chapter 6.2 of Google Cloud Security Foundations Guide
It's related to issue #354.