variablize networkUser role management #697
Conversation
There was a problem hiding this comment.
Thanks for the PR @vponnam
I have a suggestion for renaming the variable as the scope is increasing since it would be a breaking change for users currently using grant_services_network_role=false.
modules/core_project_factory/main.tf
Outdated
| @@ -179,7 +179,7 @@ resource "google_service_account_iam_member" "service_account_grant_to_group" { | |||
| compute.networkUser role granted to G Suite group, APIs Service account, and Project Service Account | |||
| *****************************************************************************************************************/ | |||
| resource "google_project_iam_member" "controlling_group_vpc_membership" { | |||
| count = var.enable_shared_vpc_service_project && length(var.shared_vpc_subnets) == 0 ? local.shared_vpc_users_length : 0 | |||
| count = var.grant_services_network_role && var.enable_shared_vpc_service_project && length(var.shared_vpc_subnets) == 0 ? local.shared_vpc_users_length : 0 | |||
There was a problem hiding this comment.
Lets add a test to make sure we wont have regressions in the future
https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/test/integration/dynamic_shared_vpc/controls/svpc.rb
|
cc @abelgana for context |
| @@ -157,6 +157,42 @@ | |||
| ) | |||
| end | |||
| end | |||
|
|
|||
| it "service project c with explicit subnets and grant_network_role flag set to false does not include project default service account in the roles/compute.networkUser IAM binding" do | |||
There was a problem hiding this comment.
Lets add also confirm via a test that binding is added for a different service projevt where the flag is true(i.e by default). Maybe
There was a problem hiding this comment.
this test scenario is cover for the service-project
Co-authored-by: Bharath KKB <[email protected]>
|
@vponnam |
In environments especially large sized with 100-to-1000s of projects and where networkUser role is explicitly managed outside of core_project_factory, it helps(sometimes required) to have the ability to not assign networkUser role to New Default Service Account, group_name, and Google APIs Service Account.
This change being an addition to the code, no breaking changes are expected.
cc @bharathkkb for context