From 7cd5f49eed14efe54eda454c5ab8317a9d55bcd0 Mon Sep 17 00:00:00 2001
From: Stephen Soltesz
Date: Thu, 24 Aug 2023 17:31:00 -0400
Subject: [PATCH 1/2] Add module for custom iam roles
---
 .../cloudkubernetesdeployer.tf | 246 ++++++++++++++++++
 1 file changed, 246 insertions(+)
 create mode 100644 modules/iam-custom-roles/cloudkubernetesdeployer.tf
diff --git a/modules/iam-custom-roles/cloudkubernetesdeployer.tf b/modules/iam-custom-roles/cloudkubernetesdeployer.tf
new file mode 100644
index 0000000..4f3a3b4
--- /dev/null
+++ b/modules/iam-custom-roles/cloudkubernetesdeployer.tf
@@ -0,0 +1,246 @@
+resource "google_project_iam_custom_role" "cloudkubernetesdeployer" {
+ description = "cloud-kubernetes-deployer"
+ permissions = [
+ "container.bindings.create",
+ "container.bindings.delete",
+ "container.bindings.get",
+ "container.bindings.list",
+ "container.bindings.update",
+ "container.certificateSigningRequests.approve",
+ "container.certificateSigningRequests.create",
+ "container.certificateSigningRequests.delete",
+ "container.certificateSigningRequests.get",
+ "container.certificateSigningRequests.list",
+ "container.certificateSigningRequests.update",
+ "container.certificateSigningRequests.updateStatus",
+ "container.clusterRoleBindings.create",
+ "container.clusterRoleBindings.delete",
+ "container.clusterRoleBindings.get",
+ "container.clusterRoleBindings.list",
+ "container.clusterRoleBindings.update",
+ "container.clusterRoles.bind",
+ "container.clusterRoles.create",
+ "container.clusterRoles.delete",
+ "container.clusterRoles.get",
+ "container.clusterRoles.list",
+ "container.clusterRoles.update",
+ "container.clusters.create",
+ "container.clusters.delete",
+ "container.clusters.get",
+ "container.clusters.getCredentials",
+ "container.clusters.list",
+ "container.clusters.update",
+ "container.componentStatuses.get",
+ "container.componentStatuses.list",
+ "container.configMaps.create",
+ "container.configMaps.delete",
+ "container.configMaps.get",
+ "container.configMaps.list",
+ "container.configMaps.update",
+ "container.cronJobs.create",
+ "container.cronJobs.delete",
+ "container.cronJobs.get",
+ "container.cronJobs.list",
+ "container.cronJobs.update",
+ "container.cronJobs.updateStatus",
+ "container.daemonSets.create",
+ "container.daemonSets.delete",
+ "container.daemonSets.get",
+ "container.daemonSets.list",
+ "container.daemonSets.update",
+ "container.daemonSets.updateStatus",
+ "container.deployments.create",
+ "container.deployments.delete",
+ "container.deployments.get",
+ "container.deployments.list",
+ "container.deployments.rollback",
+ "container.deployments.update",
+ "container.deployments.updateStatus",
+ "container.endpoints.create",
+ "container.endpoints.delete",
+ "container.endpoints.get",
+ "container.endpoints.list",
+ "container.endpoints.update",
+ "container.events.create",
+ "container.events.delete",
+ "container.events.get",
+ "container.events.list",
+ "container.events.update",
+ "container.horizontalPodAutoscalers.create",
+ "container.horizontalPodAutoscalers.delete",
+ "container.horizontalPodAutoscalers.get",
+ "container.horizontalPodAutoscalers.list",
+ "container.horizontalPodAutoscalers.update",
+ "container.horizontalPodAutoscalers.updateStatus",
+ "container.ingresses.create",
+ "container.ingresses.delete",
+ "container.ingresses.get",
+ "container.ingresses.list",
+ "container.ingresses.update",
+ "container.ingresses.updateStatus",
+ "container.jobs.create",
+ "container.jobs.delete",
+ "container.jobs.get",
+ "container.jobs.list",
+ "container.jobs.update",
+ "container.jobs.updateStatus",
+ "container.limitRanges.create",
+ "container.limitRanges.delete",
+ "container.limitRanges.get",
+ "container.limitRanges.list",
+ "container.limitRanges.update",
+ "container.localSubjectAccessReviews.create",
+ "container.localSubjectAccessReviews.list",
+ "container.mutatingWebhookConfigurations.get",
+ "container.mutatingWebhookConfigurations.update",
+ "container.namespaces.create",
+ "container.namespaces.delete",
+ "container.namespaces.get",
+ "container.namespaces.list",
+ "container.namespaces.update",
+ "container.namespaces.updateStatus",
+ "container.networkPolicies.create",
+ "container.networkPolicies.delete",
+ "container.networkPolicies.get",
+ "container.networkPolicies.list",
+ "container.networkPolicies.update",
+ "container.nodes.create",
+ "container.nodes.delete",
+ "container.nodes.get",
+ "container.nodes.list",
+ "container.nodes.proxy",
+ "container.nodes.update",
+ "container.nodes.updateStatus",
+ "container.operations.get",
+ "container.operations.list",
+ "container.persistentVolumeClaims.create",
+ "container.persistentVolumeClaims.delete",
+ "container.persistentVolumeClaims.get",
+ "container.persistentVolumeClaims.list",
+ "container.persistentVolumeClaims.update",
+ "container.persistentVolumeClaims.updateStatus",
+ "container.persistentVolumes.create",
+ "container.persistentVolumes.delete",
+ "container.persistentVolumes.get",
+ "container.persistentVolumes.list",
+ "container.persistentVolumes.update",
+ "container.persistentVolumes.updateStatus",
+ "container.petSets.create",
+ "container.petSets.delete",
+ "container.petSets.get",
+ "container.petSets.list",
+ "container.petSets.update",
+ "container.petSets.updateStatus",
+ "container.podDisruptionBudgets.create",
+ "container.podDisruptionBudgets.delete",
+ "container.podDisruptionBudgets.get",
+ "container.podDisruptionBudgets.list",
+ "container.podDisruptionBudgets.update",
+ "container.podDisruptionBudgets.updateStatus",
+ "container.podPresets.create",
+ "container.podPresets.delete",
+ "container.podPresets.get",
+ "container.podPresets.list",
+ "container.podPresets.update",
+ "container.podTemplates.create",
+ "container.podTemplates.delete",
+ "container.podTemplates.get",
+ "container.podTemplates.list",
+ "container.podTemplates.update",
+ "container.pods.attach",
+ "container.pods.create",
+ "container.pods.delete",
+ "container.pods.evict",
+ "container.pods.exec",
+ "container.pods.get",
+ "container.pods.getLogs",
+ "container.pods.list",
+ "container.pods.portForward",
+ "container.pods.proxy",
+ "container.pods.update",
+ "container.pods.updateStatus",
+ "container.replicaSets.create",
+ "container.replicaSets.delete",
+ "container.replicaSets.get",
+ "container.replicaSets.list",
+ "container.replicaSets.update",
+ "container.replicaSets.updateStatus",
+ "container.replicationControllers.create",
+ "container.replicationControllers.delete",
+ "container.replicationControllers.get",
+ "container.replicationControllers.list",
+ "container.replicationControllers.update",
+ "container.replicationControllers.updateStatus",
+ "container.resourceQuotas.create",
+ "container.resourceQuotas.delete",
+ "container.resourceQuotas.get",
+ "container.resourceQuotas.list",
+ "container.resourceQuotas.update",
+ "container.resourceQuotas.updateStatus",
+ "container.roleBindings.create",
+ "container.roleBindings.delete",
+ "container.roleBindings.get",
+ "container.roleBindings.list",
+ "container.roleBindings.update",
+ "container.roles.bind",
+ "container.roles.create",
+ "container.roles.delete",
+ "container.roles.get",
+ "container.roles.list",
+ "container.roles.update",
+ "container.scheduledJobs.create",
+ "container.scheduledJobs.delete",
+ "container.scheduledJobs.get",
+ "container.scheduledJobs.list",
+ "container.scheduledJobs.update",
+ "container.scheduledJobs.updateStatus",
+ "container.secrets.create",
+ "container.secrets.delete",
+ "container.secrets.get",
+ "container.secrets.list",
+ "container.secrets.update",
+ "container.selfSubjectAccessReviews.create",
+ "container.selfSubjectAccessReviews.list",
+ "container.serviceAccounts.create",
+ "container.serviceAccounts.delete",
+ "container.serviceAccounts.get",
+ "container.serviceAccounts.list",
+ "container.serviceAccounts.update",
+ "container.services.create",
+ "container.services.delete",
+ "container.services.get",
+ "container.services.list",
+ "container.services.proxy",
+ "container.services.update",
+ "container.statefulSets.create",
+ "container.statefulSets.delete",
+ "container.statefulSets.get",
+ "container.statefulSets.list",
+ "container.statefulSets.update",
+ "container.statefulSets.updateStatus",
+ "container.storageClasses.create",
+ "container.storageClasses.delete",
+ "container.storageClasses.get",
+ "container.storageClasses.list",
+ "container.storageClasses.update",
+ "container.subjectAccessReviews.create",
+ "container.subjectAccessReviews.list",
+ "container.thirdPartyObjects.create",
+ "container.thirdPartyObjects.delete",
+ "container.thirdPartyObjects.get",
+ "container.thirdPartyObjects.list",
+ "container.thirdPartyObjects.update",
+ "container.thirdPartyResources.create",
+ "container.thirdPartyResources.delete",
+ "container.thirdPartyResources.get",
+ "container.thirdPartyResources.list",
+ "container.thirdPartyResources.update",
+ "container.validatingWebhookConfigurations.get",
+ "container.validatingWebhookConfigurations.update",
+ "storage.buckets.list"
+ ]
+ role_id = "cloudkubernetesdeployer"
+ stage = "GA"
+ title = "cloud-kubernetes-deployer"
+}
+# terraform import google_iam_custom_role.cloudkubernetesdeployer mlab-sandbox##cloudkubernetesdeployer
From 5ea445d72081bca1f30179ed9508358988a24447 Mon Sep 17 00:00:00 2001
From: Stephen Soltesz
Date: Thu, 24 Aug 2023 17:31:47 -0400
Subject: [PATCH 2/2] Add custom iam roles
---
 mlab-sandbox/main.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/mlab-sandbox/main.tf b/mlab-sandbox/main.tf
index 3d952b4..98995a3 100644
--- a/mlab-sandbox/main.tf
+++ b/mlab-sandbox/main.tf
@@ -32,3 +32,7 @@ module "data-pipeline" {
 project = var.project
 default_location = var.default_location
 }
+
+module "iam-custom-roles" {
+ source = "../modules/iam-custom-roles"
+}