terraform-google-modules/terraform-google-vpc-service-controls

member variables

tejeshnandyala opened this issue · 3 comments

Is group really supported, based on the below?

```hcl
variable "members" {
  description = "List of members in the standard GCP form: user:{email}, serviceAccount:{email}, group:{email}"
  type        = list(string)
  default     = []
}
```

Yes, you can provide a group in the form group:{email}.

https://cloud.google.com/access-context-manager/docs/access-level-attributes

The documentation from Google here says groups are not allowed :)

Also, I see the below error when I add groups:

googleapi: Error 400: AccessLevel definition has a 'member' field starting with 'group:'. Groups are not supported.

@tejeshnandyala I assumed you were talking about this variable in the example:

```hcl
variable "members" {
  description = "List of members in the standard GCP form: user:{email}, serviceAccount:{email}, group:{email}"
  type        = list(string)
  default     = []
}
```

Which is actually used by the bastion host module:

```hcl
module "bastion" {
  source  = "terraform-google-modules/bastion-host/google"
  version = "~> 3.0"
  project = module.project1.project_id
  zone    = var.zone
  members = var.members
}
```

and not with the access level module:

```hcl
module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  version = "~> 1.0.1"
  policy  = module.org_policy.policy_id
  name    = "terraform_members"
  members = ["serviceAccount:${var.terraform_service_account}"]
}
```

Did you run into an issue running this example?

In our access level module we do specify only user/SA emails:

```hcl
description = "Condition - An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid}"
```
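The thread shows the constraint only surfacing as a `googleapi: Error 400` at apply time, after the plan has already been approved. A plan-time guard for the same constraint, added here as an example and not code from the module, from Google, or from either participant: a `validation` block on the `members` variable that rejects any `group:` (or other unsupported prefix) before the access level is ever sent to Access Context Manager. The `var.policy_id` input and the variable name are assumptions for the example; `alltrue`, `can` and `regex` are standard Terraform functions (Terraform 0.13 or later).

```hcl
# Added example: fail at `terraform plan`/`validate` instead of at apply
# when an access level member uses a prefix Access Context Manager rejects.
variable "members" {
  description = "Access level members. Access Context Manager access levels accept only user:{email} and serviceAccount:{email}; group:{email} is rejected with a 400."
  type        = list(string)
  default     = []

  validation {
    # Every member must start with user: or serviceAccount: followed by a
    # non-empty identifier. group:{email} fails this check and the plan
    # stops with error_message instead of the API's 400 at apply time.
    condition = alltrue([
      for m in var.members : can(regex("^(user|serviceAccount):[^:]+$", m))
    ])
    error_message = "Each member must be user:{email} or serviceAccount:{email}; group:{email} is not supported by Access Context Manager access levels."
  }
}

# Assumed input for the example: the access policy ID the access level
# belongs to (the thread's example takes it from module.org_policy.policy_id).
variable "policy_id" {
  description = "Access Context Manager policy ID (assumption for this example)."
  type        = string
}

module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  version = "~> 1.0.1"
  policy  = var.policy_id
  name    = "terraform_members"
  members = var.members
}
```

With this in place, `members = ["group:devs@example.com"]` is rejected during `terraform validate`, while `["user:alice@example.com", "serviceAccount:tf@my-project.iam.gserviceaccount.com"]` passes. The check is deliberately stricter than the module's own description: it also rejects an empty identifier after the prefix, which the API would likewise refuse.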