diff --git a/README.md b/README.md
index f9b6773f..86638887 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ This is a collection of submodules that make it easier to non-destructively mana
 * [Custom Role IAM](modules/custom_role_iam)
 * [DNS Zone IAM](modules/dns_zones_iam)
 * [Folders IAM](modules/folders_iam)
+* [Iap Backend Service IAM](modules/iap_web_backend_services_iam)
 * [KMS Crypto Keys IAM](modules/kms_crypto_keys_iam)
 * [KMS_Key Rings IAM](modules/kms_key_rings_iam)
 * [Organizations IAM](modules/organizations_iam)
@@ -120,6 +121,7 @@ You can choose the following resource types to apply the IAM bindings:
 - Service Accounts (`service_accounts` variable)
 - Subnetworks (`subnets` variable)
 - Storage buckets (`storage_buckets` variable)
+- IAP Web Backend Service (`web_backend_services` variable)
 - Pubsub topics (`pubsub_topics` variable)
 - Pubsub subscriptions (`pubsub_subscriptions` variable)
 - Kms Key Rings (`kms_key_rings` variable)
diff --git a/examples/iap_web_backend_services_iam/README.md b/examples/iap_web_backend_services_iam/README.md
new file mode 100644
index 00000000..4ae46acf
--- /dev/null
+++ b/examples/iap_web_backend_services_iam/README.md
@@ -0,0 +1,19 @@
+# PubSub Topic Example
+
+This example illustrates how to use the `iap_web_backend_services_iam` submodule
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes |
+| iap\_web\_backend\_service | Web service to bind iam to | `string` | n/a | yes |
+| project | Project id of the web backend service | `string` | n/a | yes |
+| user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
+
diff --git a/examples/iap_web_backend_services_iam/main.tf b/examples/iap_web_backend_services_iam/main.tf
new file mode 100644
index 00000000..936cb642
--- /dev/null
+++ b/examples/iap_web_backend_services_iam/main.tf
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+ Module iap_web_backend_services_iam
+ *****************************************/
+module "iap_web_backend_services_iam" {
+ source = "../../modules/iap_web_backend_services_iam"
+
+ project = var.project
+ iap_web_backend_services = [var.iap_web_backend_service]
+ mode = "additive"
+
+ bindings = {
+ "roles/iap.httpsResourceAccessor" = [
+ "group:${var.group_email}",
+ "user:${var.user_email}",
+ ]
+ }
+
+}
diff --git a/examples/iap_web_backend_services_iam/variables.tf b/examples/iap_web_backend_services_iam/variables.tf
new file mode 100644
index 00000000..891d1c35
--- /dev/null
+++ b/examples/iap_web_backend_services_iam/variables.tf
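Review bot: The example grants `roles/iap.httpsResourceAccessor` without saying what that role does, so a reader copying it may not realise these members are being let through IAP to the application behind the backend service; add a comment above `bindings = {` such as `# roles/iap.httpsResourceAccessor is the role IAP checks before forwarding a request, so every member listed here gains access to the application served by this backend service.` Keeping `mode = "additive"` is the right choice for an example, and a comment on that line (`# additive: existing members of the role are kept`) would make the contrast with authoritative mode explicit. The example README added in this same commit is titled `# PubSub Topic Example`, which looks copied from another example and should name this one.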
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "group_email" {
+ type = string
+ description = "Email for group to receive roles (ex. group@example.com)"
+}
+
+variable "user_email" {
+ type = string
+ description = "Email for group to receive roles (Ex. user@example.com)"
+}
+
+/******************************************
+ iap_web_backend_service variables
+ *****************************************/
+variable "project" {
+ type = string
+ description = "Project id of the web backend service"
+}
+
+variable "iap_web_backend_service" {
+ type = string
+ description = "Web service to bind iam to"
+}
+
diff --git a/modules/iap_web_backend_services_iam/README.md b/modules/iap_web_backend_services_iam/README.md
new file mode 100644
index 00000000..e84428f8
--- /dev/null
+++ b/modules/iap_web_backend_services_iam/README.md
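Review bot: The `user_email` description reads `Email for group to receive roles (Ex. user@example.com)`, which is the `group_email` text copied over; it should be `description = "Email for user to receive roles (ex. user@example.com)"`. The generated README table in this commit repeats the same wording and would need regenerating after the fix. The `iap_web_backend_service` description `Web service to bind iam to` could say what form the value takes, e.g. `description = "Name of the IAP-protected backend service to bind IAM to"`, if the module expects the backend service name rather than a full resource path.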
@@ -0,0 +1,52 @@ +# Module iap_web_backend_services IAM + +This optional module is used to assign iap_web_backend_services roles + +## Example Usage +``` +module "iap_web_backend_services_iam" { + source = "terraform-google-modules/iam/google//modules/iap_web_backend_services_iam" + version = "~> 8.0" + + iap_web_backend_services = ["my-iap-backend-service-name"] + mode = "additive" + + bindings = { + "roles/iap.httpsResourceAccessor" = [ + "serviceAccount:my-sa@my-project.iam.gserviceaccount.com", + "group:my-group@my-org.com", + "user:my-user@my-org.com", + ] + } + conditional_bindings = [ + { + role = "roles/iap.httpsResourceAccessor" + title = "expires_after_2019_12_31" + description = "Expiring at midnight of 2019-12-31" + expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")" + members = ["user:my-user@my-org.com"] + } + ] +} +``` + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(list(string))` | `{}` | no | +| conditional\_bindings | List of maps of role and respective conditions, and the members to add the IAM policies/bindings |
list(object({
role = string
title = string
description = string
expression = string
members = list(string)
}))
| `[]` | no | +| iap\_web\_backend\_services | IAP Web Backend Service list to add the IAM policies/bindings | `list(string)` | `[]` | no | +| mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no | +| project | Project where the iap\_web\_backend\_services bindings are placed | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| iap\_web\_backend\_services | IAP Web Backend Services which received bindings. | +| members | Members which were bound to the IAP Web Backend Service. | +| roles | Roles which were assigned to members. | + + diff --git a/modules/iap_web_backend_services_iam/main.tf b/modules/iap_web_backend_services_iam/main.tf new file mode 100644 index 00000000..c724df4d --- /dev/null +++ b/modules/iap_web_backend_services_iam/main.tf 
@@ -0,0 +1,64 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+ Run helper module to get generic calculated data
+ *****************************************/
+module "helper" {
+ source = "../helper"
+ bindings = var.bindings
+ mode = var.mode
+ entities = var.iap_web_backend_services
+ conditional_bindings = var.conditional_bindings
+}
+
+/******************************************
+ IAP Web Backend IAM binding authoritative
+ *****************************************/
+resource "google_iap_web_backend_service_iam_binding" "iap_web_backend_service_iam_authoritative" {
+ for_each = module.helper.set_authoritative
+ web_backend_service = module.helper.bindings_authoritative[each.key].name
+ project = var.project
+ role = module.helper.bindings_authoritative[each.key].role
+ members = module.helper.bindings_authoritative[each.key].members
+ dynamic "condition" {
+ for_each = module.helper.bindings_authoritative[each.key].condition.title == "" ?
[] : [module.helper.bindings_authoritative[each.key].condition]
+ content {
+ title = module.helper.bindings_authoritative[each.key].condition.title
+ description = module.helper.bindings_authoritative[each.key].condition.description
+ expression = module.helper.bindings_authoritative[each.key].condition.expression
+ }
+ }
+}
+
+/******************************************
+ IAP Web Backend IAM binding additive
+ *****************************************/
+resource "google_iap_web_backend_service_iam_member" "iap_web_backend_service_iam_additive" {
+ for_each = module.helper.set_additive
+ web_backend_service = module.helper.bindings_additive[each.key].name
+ project = var.project
+ role = module.helper.bindings_additive[each.key].role
+ member = module.helper.bindings_additive[each.key].member
+ dynamic "condition" {
+ for_each = module.helper.bindings_additive[each.key].condition.title == "" ? [] : [module.helper.bindings_additive[each.key].condition]
+ content {
+ title = module.helper.bindings_additive[each.key].condition.title
+ description = module.helper.bindings_additive[each.key].condition.description
+ expression = module.helper.bindings_additive[each.key].condition.expression
+ }
+ }
+}
diff --git a/modules/iap_web_backend_services_iam/outputs.tf b/modules/iap_web_backend_services_iam/outputs.tf
new file mode 100644
index 00000000..fbd87219
--- /dev/null
+++ b/modules/iap_web_backend_services_iam/outputs.tf
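Review bot: The authoritative resource `google_iap_web_backend_service_iam_binding` is authoritative for the role on each backend service, so on apply it replaces the role's member list with exactly the members computed by the helper and any principal granted `roles/iap.httpsResourceAccessor` outside this module loses access; neither the banner comment nor the `mode` description says so. Add above the `resource "google_iap_web_backend_service_iam_binding"` line: `# Authoritative: the role's member list on the backend service is replaced with the members computed by the helper; principals not listed here are removed on apply.` The `dynamic "condition"` blocks decide whether a condition exists by `condition.title == ""`, which appears to rely on the helper returning a condition object with an empty title when none was supplied; if that is the helper's contract, a one-line comment on the `for_each` line would save the next reader a trip into `../helper`. The authoritative `for_each` expression is shown broken across two lines in this view but reads as a single line in the file.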
@@ -0,0 +1,31 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "iap_web_backend_services" {
+ value = distinct(module.helper.bindings_by_member[*].name)
+ description = "IAP Web Backend Services which received bindings."
+ depends_on = [google_iap_web_backend_service_iam_binding.iap_web_backend_service_iam_authoritative, google_iap_web_backend_service_iam_member.iap_web_backend_service_iam_additive, ]
+}
+
+output "roles" {
+ value = distinct(module.helper.bindings_by_member[*].role)
+ description = "Roles which were assigned to members."
+}
+
+output "members" {
+ value = distinct(module.helper.bindings_by_member[*].member)
+ description = "Members which were bound to the IAP Web Backend Service."
+}
diff --git a/modules/iap_web_backend_services_iam/variables.tf b/modules/iap_web_backend_services_iam/variables.tf
new file mode 100644
index 00000000..7f2d715e
--- /dev/null
+++ b/modules/iap_web_backend_services_iam/variables.tf
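Review bot: Only the `iap_web_backend_services` output carries `depends_on` for the two IAM resources; `roles` and `members` are derived from the same `module.helper.bindings_by_member` list, which is computed without touching those resources, so a caller that chains on `members` or `roles` is not guaranteed the bindings have been applied yet. Either give all three outputs the same `depends_on` list or state the intent on the first one, e.g. `# depends_on: callers chaining on this output wait until the bindings have been applied`. The trailing `, ]` in the `depends_on` list is valid HCL but reads like a leftover from editing; splitting the two resource references onto separate lines would be clearer.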
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "iap_web_backend_services" {
+ description = "IAP Web Backend Service list to add the IAM policies/bindings"
+ default = []
+ type = list(string)
+}
+
+variable "project" {
+ description = "Project where the iap_web_backend_services bindings are placed"
+ type = string
+}
+
+variable "mode" {
+ description = "Mode for adding the IAM policies/bindings, additive and authoritative"
+ type = string
+ default = "additive"
+}
+
+variable "bindings" {
+ description = "Map of role (key) and list of members (value) to add the IAM policies/bindings"
+ type = map(list(string))
+ default = {}
+}
+
+variable "conditional_bindings" {
+ description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings"
+ type = list(object({
+ role = string
+ title = string
+ description = string
+ expression = string
+ members = list(string)
+ }))
+ default = []
+}
diff --git a/modules/iap_web_backend_services_iam/versions.tf b/modules/iap_web_backend_services_iam/versions.tf
new file mode 100644
index 00000000..6c7535fd
--- /dev/null
+++ b/modules/iap_web_backend_services_iam/versions.tf
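Review bot: `mode` accepts any string although the description names only `additive` and `authoritative`; if the helper selects the resource set by exact string comparison, as the `set_additive`/`set_authoritative` outputs in main.tf suggest, a misspelled value would plan zero bindings and pass without error, leaving an operator believing access was granted or revoked. This module's versions.tf requires Terraform >= 1.3, so a `validation` block on the variable can reject anything else at plan time. The description should also state the consequence of `authoritative` (the role's existing members on the backend service are replaced), since that is the mode in which a mistake removes access.

```hcl
variable "mode" {
  description = "Mode for adding the IAM policies/bindings: additive (members are added to the role) or authoritative (the role's member list on each backend service is replaced)"
  type        = string
  default     = "additive"

  validation {
    condition     = contains(["additive", "authoritative"], var.mode)
    error_message = "mode must be either \"additive\" or \"authoritative\"."
  }
}
```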
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 1.3"
+ required_providers {
+
+ google = {
+ source = "hashicorp/google"
+ version = ">= 3.53, < 7"
+ }
+ }
+
+}