From 4af6ad48c54e91ba44b387c3988d837f8719f7ef Mon Sep 17 00:00:00 2001 From: Abhishek Tiwari Date: Mon, 30 Dec 2024 04:03:36 +0000 Subject: [PATCH] chore: downgrade roles --- Makefile | 1 + metadata.yaml | 22 ++++++++++------------ modules/budget/metadata.yaml | 14 ++++++-------- modules/essential_contacts/metadata.yaml | 14 ++++++-------- modules/fabric-project/metadata.yaml | 16 +++++++--------- modules/gsuite_enabled/metadata.yaml | 22 ++++++++++------------ modules/project_services/metadata.yaml | 16 +++++++--------- modules/quota_manager/metadata.yaml | 22 ++++++++++------------ modules/shared_vpc_access/metadata.yaml | 14 ++++++-------- modules/svpc_service_project/metadata.yaml | 14 ++++++-------- test/setup/iam.tf | 2 -- 11 files changed, 69 insertions(+), 88 deletions(-) diff --git a/Makefile b/Makefile index 7fc39212..56548455 100644 --- a/Makefile +++ b/Makefile @@ -90,6 +90,7 @@ docker_test_lint: .PHONY: docker_generate_docs docker_generate_docs: docker run --rm -it \ + -e ENABLE_BPMETADATA \ -v "${CURDIR}":/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' diff --git a/metadata.yaml b/metadata.yaml index 0a2cca36..644a95b4 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -356,16 +356,12 @@ spec: roles: - level: Project roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser - level: Project roles: - - roles/owner - roles/resourcemanager.projectCreator - roles/resourcemanager.folderAdmin - roles/resourcemanager.folderIamAdmin 
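Review bot: The new `-e ENABLE_BPMETADATA` line in the `docker_generate_docs` target of the Makefile hunk has no value, so Docker forwards the variable only if it is set in the caller's shell. Nothing visible in the hunk sets or documents it. If `generate_docs` keys metadata regeneration on this variable (inferred from the name, not shown here), a run without it would leave the `metadata.yaml` role lists stale relative to `test/setup/iam.tf`. A comment above the target would make the dependency explicit, for example `# ENABLE_BPMETADATA is passed through from the caller's environment (unset there means unset in the container)`. The commit subject mentions only the role downgrade, so the description should also say that this flag was added.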
@@ -373,10 +369,12 @@ spec: - roles/compute.xpnAdmin - level: Project roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - roles/resourcemanager.tagAdmin - - roles/resourcemanager.tagUser + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager services: - admin.googleapis.com - appengine.googleapis.com diff --git a/modules/budget/metadata.yaml b/modules/budget/metadata.yaml index 3802f5d0..d82474b8 100644 --- a/modules/budget/metadata.yaml +++ b/modules/budget/metadata.yaml @@ -122,7 +122,12 @@ spec: roles: - level: Project roles: - - roles/owner + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: - roles/resourcemanager.projectCreator - roles/resourcemanager.folderAdmin - roles/resourcemanager.folderIamAdmin @@ -130,13 +135,6 @@ spec: - roles/compute.xpnAdmin - level: Project roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - roles/resourcemanager.tagAdmin - - roles/resourcemanager.tagUser - - level: Project - roles: - - roles/owner - roles/compute.admin - roles/iam.serviceAccountAdmin - roles/resourcemanager.projectIamAdmin diff --git a/modules/essential_contacts/metadata.yaml b/modules/essential_contacts/metadata.yaml index 6f0af96e..09582547 100644 --- a/modules/essential_contacts/metadata.yaml +++ b/modules/essential_contacts/metadata.yaml @@ -79,7 +79,12 @@ spec: roles: - level: Project roles: - - roles/owner + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: - roles/resourcemanager.projectCreator - roles/resourcemanager.folderAdmin - roles/resourcemanager.folderIamAdmin 
@@ -87,13 +92,6 @@ spec: - roles/compute.xpnAdmin - level: Project roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - roles/resourcemanager.tagAdmin - - roles/resourcemanager.tagUser - - level: Project - roles: - - roles/owner - roles/compute.admin - roles/iam.serviceAccountAdmin - roles/resourcemanager.projectIamAdmin diff --git a/modules/fabric-project/metadata.yaml b/modules/fabric-project/metadata.yaml index c3212574..322daab1 100644 --- a/modules/fabric-project/metadata.yaml +++ b/modules/fabric-project/metadata.yaml @@ -159,21 +159,19 @@ spec: - roles/resourcemanager.tagUser - level: Project roles: - - roles/owner + - roles/resourcemanager.projectCreator + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.folderIamAdmin + - roles/billing.projectManager + - roles/compute.xpnAdmin + - level: Project + roles: - roles/compute.admin - roles/iam.serviceAccountAdmin - roles/resourcemanager.projectIamAdmin - roles/storage.admin - roles/iam.serviceAccountUser - roles/billing.projectManager - - level: Project - roles: - - roles/owner - - roles/resourcemanager.projectCreator - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.folderIamAdmin - - roles/billing.projectManager - - roles/compute.xpnAdmin services: - admin.googleapis.com - appengine.googleapis.com diff --git a/modules/gsuite_enabled/metadata.yaml b/modules/gsuite_enabled/metadata.yaml index 13a363d1..272a3650 100644 --- a/modules/gsuite_enabled/metadata.yaml +++ b/modules/gsuite_enabled/metadata.yaml 
@@ -250,16 +250,12 @@ spec: roles: - level: Project roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser - level: Project roles: - - roles/owner - roles/resourcemanager.projectCreator - roles/resourcemanager.folderAdmin - roles/resourcemanager.folderIamAdmin @@ -267,10 +263,12 @@ spec: - roles/compute.xpnAdmin - level: Project roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - roles/resourcemanager.tagAdmin - - roles/resourcemanager.tagUser + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager services: - admin.googleapis.com - appengine.googleapis.com diff --git a/modules/project_services/metadata.yaml b/modules/project_services/metadata.yaml index fefbd84b..0d394a94 100644 --- a/modules/project_services/metadata.yaml +++ b/modules/project_services/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2022 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -104,7 +104,12 @@ spec: roles: - level: Project roles: - - roles/owner + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: - roles/resourcemanager.projectCreator - roles/resourcemanager.folderAdmin - roles/resourcemanager.folderIamAdmin 
@@ -112,13 +117,6 @@ spec: - roles/compute.xpnAdmin - level: Project roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - roles/resourcemanager.tagAdmin - - roles/resourcemanager.tagUser - - level: Project - roles: - - roles/owner - roles/compute.admin - roles/iam.serviceAccountAdmin - roles/resourcemanager.projectIamAdmin diff --git a/modules/quota_manager/metadata.yaml b/modules/quota_manager/metadata.yaml index f84a36d0..ede82b40 100644 --- a/modules/quota_manager/metadata.yaml +++ b/modules/quota_manager/metadata.yaml @@ -79,16 +79,12 @@ spec: roles: - level: Project roles: - - roles/owner - - roles/compute.admin - - roles/iam.serviceAccountAdmin - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/iam.serviceAccountUser - - roles/billing.projectManager + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser - level: Project roles: - - roles/owner - roles/resourcemanager.projectCreator - roles/resourcemanager.folderAdmin - roles/resourcemanager.folderIamAdmin @@ -96,10 +92,12 @@ spec: - roles/compute.xpnAdmin - level: Project roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - roles/resourcemanager.tagAdmin - - roles/resourcemanager.tagUser + - roles/compute.admin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/iam.serviceAccountUser + - roles/billing.projectManager services: - admin.googleapis.com - appengine.googleapis.com diff --git a/modules/shared_vpc_access/metadata.yaml b/modules/shared_vpc_access/metadata.yaml index 23070c80..11b8195d 100644 --- a/modules/shared_vpc_access/metadata.yaml +++ b/modules/shared_vpc_access/metadata.yaml 
@@ -106,7 +106,12 @@ spec: roles: - level: Project roles: - - roles/owner + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: - roles/resourcemanager.projectCreator - roles/resourcemanager.folderAdmin - roles/resourcemanager.folderIamAdmin @@ -114,13 +119,6 @@ spec: - roles/compute.xpnAdmin - level: Project roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - roles/resourcemanager.tagAdmin - - roles/resourcemanager.tagUser - - level: Project - roles: - - roles/owner - roles/compute.admin - roles/iam.serviceAccountAdmin - roles/resourcemanager.projectIamAdmin diff --git a/modules/svpc_service_project/metadata.yaml b/modules/svpc_service_project/metadata.yaml index d540afae..102675d1 100644 --- a/modules/svpc_service_project/metadata.yaml +++ b/modules/svpc_service_project/metadata.yaml @@ -237,7 +237,12 @@ spec: roles: - level: Project roles: - - roles/owner + - roles/accesscontextmanager.policyAdmin + - roles/resourcemanager.organizationViewer + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + - level: Project + roles: - roles/resourcemanager.projectCreator - roles/resourcemanager.folderAdmin - roles/resourcemanager.folderIamAdmin @@ -245,13 +250,6 @@ spec: - roles/compute.xpnAdmin - level: Project roles: - - roles/accesscontextmanager.policyAdmin - - roles/resourcemanager.organizationViewer - - roles/resourcemanager.tagAdmin - - roles/resourcemanager.tagUser - - level: Project - roles: - - roles/owner - roles/compute.admin - roles/iam.serviceAccountAdmin - roles/resourcemanager.projectIamAdmin diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 8f1b2acb..eb17a581 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf 
@@ -16,7 +16,6 @@ locals { int_required_project_roles = [ - "roles/owner", "roles/compute.admin", "roles/iam.serviceAccountAdmin", "roles/resourcemanager.projectIamAdmin", @@ -26,7 +25,6 @@ locals { ] int_required_folder_roles = [ - "roles/owner", "roles/resourcemanager.projectCreator", "roles/resourcemanager.folderAdmin", "roles/resourcemanager.folderIamAdmin",
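Review bot: Dropping `"roles/owner"` from `int_required_project_roles` and `int_required_folder_roles` narrows the default grant, but both lists keep a role that can edit IAM policy and so re-grant it: `roles/resourcemanager.projectIamAdmin` in the first hunk and `roles/resourcemanager.folderIamAdmin` in the second. The module under test presumably needs these, so the point is documentation rather than removal. A comment above each list would stop a reader from treating it as a hard least-privilege boundary, for example `# roles/owner intentionally omitted; the IAM-admin role below can still grant any role, so treat this identity as highly privileged`. The `locals` block starts and ends outside both hunks, so whether other lists in it still carry `roles/owner` cannot be checked from here.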