Roman Timofeev ec2310c0b3 adding option to use IAM and federated account names + example | 2 years ago
Use the `org_user_role_mapping` variable to add permissions to existing IAM users (Yandex.Passport and federated users) at the organization level.

Use the `cloud_user_role_mapping` variable to add permissions to existing IAM users (Yandex.Passport and federated users) at the cloud level.

Use the `folder_user_role_mapping` variable to add permissions to existing IAM users (Yandex.Passport and federated users) at the folder level.

To pass IAM usernames (Yandex ID accounts) and federated account names through the input attributes `iam_users_names` and `fed_users_names`, set `usernames_to_ids = true`. You can also pass IDs through `users_with_ids`, or combine all three in one group. See the examples in the variables' descriptions.

Use the `sa_role_mapping` variable to create service accounts with permissions at the folder level.
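The following root module shows the variables above wired together. It is an added example, not code from this module or its examples directory: the module `source` path, the `b1g…`/`bpf…` IDs and the user names are placeholders, and the provider is assumed to be authenticated through the `YC_*` environment variables described further down.

```hcl
# Added usage example for the module documented in this README (not the
# module's own code). Assumptions: the module lives at ./modules/iam, the
# yandex provider reads YC_TOKEN / YC_CLOUD_ID / YC_FOLDER_ID from the
# environment, and every ID below is a placeholder.
terraform {
  required_version = ">= 1.0"
  required_providers {
    yandex = {
      source  = "yandex-cloud/yandex"
      version = "~> 0.68"
    }
  }
}

provider "yandex" {} # credentials come from YC_TOKEN, YC_CLOUD_ID, YC_FOLDER_ID

module "iam" {
  source = "./modules/iam" # assumption: local path to this module

  cloud_id      = "b1g000000000000000cl" # placeholder
  folder_id     = "b1g000000000000000fo" # placeholder
  federation_id = "bpf000000000000000fd" # placeholder; required for fed_users_names

  # true (the default) makes the module resolve iam_users_names and
  # fed_users_names to IDs; users_with_ids is always taken as-is.
  usernames_to_ids = true

  # Non-authoritative (default): bindings are added next to existing ones.
  # Setting these to true replaces the whole policy on the cloud/folder.
  cloud_binding_authoritative  = false
  folder_binding_authoritative = false

  cloud_user_role_mapping = [
    {
      job_title_name  = "devops"
      iam_users_names = ["name.surname"]           # placeholder Yandex ID login
      fed_users_names = ["name.surname@example.com"] # placeholder federated login
      roles           = ["viewer"]
    },
  ]

  folder_user_role_mapping = [
    {
      job_title_name  = "devops"
      iam_users_names = ["name.surname"]
      roles           = ["iam.serviceAccounts.user", "k8s.editor"]
    },
    {
      job_title_name = "developers"
      users_with_ids = ["userAccount:idxxxxxx1", "federatedUser:idxxxxxx2"] # placeholders
      roles          = ["k8s.viewer"]
    },
  ]

  # Service accounts are created in folder_id; names must be unique per cloud.
  sa_role_mapping = [
    { name = "sa-cluster", roles = ["editor"] },
    { name = "sa-nodes", roles = ["container-registry.images.puller"] },
  ]
}

# Surface the created service accounts (name -> info) for other modules.
output "service_accounts" {
  value = module.iam.sa_object
}
```

Run `terraform plan` first and read the access-binding changes before `terraform apply`; with the authoritative flags at `false` the plan should only show additions, never removals of bindings that this configuration does not manage.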
```shell
export YC_TOKEN=$(yc iam create-token)
export YC_CLOUD_ID=$(yc config get cloud-id)
export YC_FOLDER_ID=$(yc config get folder-id)
```
Remember that service accounts within a cloud must have unique names.

You can use the following `yc` CLI commands for diagnostics:
```shell
yc resource-manager folder list-operations --id XXXXXXXXXXXXXX
yc resource-manager folder list-access-bindings --id XXXXXXXXXXXXXX
```
To import existing service accounts into the module's state, use:

```shell
terraform import 'module.<module name>.yandex_iam_service_account.sa["<SA-name>"]' <SA id>
```

for example:

```shell
terraform import 'module.iam.yandex_iam_service_account.sa["sa-robot"]' aje0am0b06tj6v8mXXXX
```

Then add the SA name to `sa_role_mapping` in your variables and run `terraform plan`; it should show no changes for the imported account. The correct resource address can be found with `terraform state list`.
## Requirements

Name | Version |
---|---|
terraform | >= 1.0 |
yandex | ~> 0.68 |

## Providers

Name | Version |
---|---|
yandex | 0.68.0 |

## Modules

No modules.
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
cloud_binding_authoritative | Authoritative. Sets the IAM policy for the CLOUD and replaces any existing policy already attached. If true, roles are collected from all objects in `cloud_user_role_mapping` and each unique role becomes a key of a map whose value is the list of members. | bool | false | no |
cloud_id | Cloud ID where permissions are added. Mandatory for CLOUD bindings; if omitted, the default CLOUD_ID is used. | string | null | no |
cloud_user_role_mapping | Groups of IAM users and their permissions in the CLOUD, where `job_title_name` is the group name (aka IAM group). Use usernames, user IDs or both. Example: `cloud_user_role_mapping = [ { job_title_name = "devops", iam_users_names = ["name.surname"], fed_users_names = ["name.surname@yantoso.ru"], roles = ["editor"] }, { job_title_name = "developers", users_with_ids = ["userAccount:idxxxxxx1", "federatedUser:idxxxxxx2"], iam_users_names = ["name.surname"], roles = ["viewer", "k8s.editor"] } ]` | any | [] | no |
federation_id | Federation ID, mandatory for `fed_users_names`. | string | null | no |
folder_binding_authoritative | Authoritative. Sets the IAM policy for the FOLDER and replaces any existing policy already attached. | bool | false | no |
folder_id | Folder ID where permissions are added. Mandatory for FOLDER bindings; if omitted, the default FOLDER_ID is used. | string | null | no |
folder_user_role_mapping | Groups of IAM users and their permissions in the FOLDER, where `job_title_name` is the group name (aka IAM group). Use usernames, user IDs or both. Example: `folder_user_role_mapping = [ { job_title_name = "devops", iam_users_names = ["name.surname"], fed_users_names = ["name.surname@yantoso.ru"], roles = ["iam.serviceAccounts.user", "k8s.editor", "k8s.cluster-api.cluster-admin", "container-registry.admin"] }, { job_title_name = "developers", users_with_ids = ["userAccount:idxxxxxx1", "federatedUser:idxxxxxx2"], roles = ["k8s.viewer"] } ]` | any | [] | no |
org_binding_authoritative | Authoritative. Sets the IAM policy for the ORGANIZATION and replaces any existing policy already attached. If true, roles are collected from all objects in `org_user_role_mapping` and each unique role becomes a key of a map whose value is the list of members. | bool | false | no |
org_id | Organization ID where permissions are added. Mandatory for ORGANIZATION bindings; if omitted, the default ORGANIZATION_ID is used. | string | null | no |
org_user_role_mapping | Groups of IAM users and their permissions in the ORGANIZATION, where `job_title_name` is the group name (aka IAM group). Use usernames, user IDs or both. Example: `org_user_role_mapping = [ { job_title_name = "admins", iam_users_names = ["name.surname"], fed_users_names = ["name.surname@yantoso.ru"], roles = ["admin"] }, { job_title_name = "network_admins", users_with_ids = ["userAccount:idxxxxxx1", "federatedUser:idxxxxxx2"], roles = ["vpc.admin"] } ]` | any | [] | no |
sa_role_mapping | List of service accounts and their permissions. Example: `sa_role_mapping = [ { name = "sa-cluster", roles = ["editor"] }, { name = "sa-nodes", roles = ["container-registry.images.puller"] } ]` | any | [] | no |
usernames_to_ids | If true, usernames from IAM and the federation passed in `iam_users_names` and `fed_users_names` are resolved to user IDs. | bool | true | no |
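The `*_binding_authoritative` descriptions state that in authoritative mode every unique role becomes a key of a map whose value is the list of members, and that the resulting policy replaces whatever is already attached. The block below is an added illustration of that transformation and of the two provider resources it selects between; it is not the module's own code, the cloud ID and user IDs are placeholders, and only `users_with_ids` is used because resolving usernames to IDs needs data sources that are not shown.

```hcl
# Added illustration (not the module's code) of the role -> members map that
# the authoritative mode builds, and of the binding vs member resources.
# cloud_id and user IDs are placeholders.
variable "cloud_binding_authoritative" {
  type    = bool
  default = false
}

locals {
  cloud_id = "b1g000000000000000cl" # placeholder

  # Same shape as cloud_user_role_mapping; two groups share the "editor" role.
  cloud_user_role_mapping = [
    {
      job_title_name = "devops"
      users_with_ids = ["userAccount:idxxxxxx1"]
      roles          = ["editor"]
    },
    {
      job_title_name = "developers"
      users_with_ids = ["userAccount:idxxxxxx2", "federatedUser:idxxxxxx3"]
      roles          = ["viewer", "editor"]
    },
  ]

  # Authoritative mode: one key per distinct role, value = union of the
  # members of every group that lists that role. For the input above:
  #   editor = [userAccount:idxxxxxx1, userAccount:idxxxxxx2, federatedUser:idxxxxxx3]
  #   viewer = [userAccount:idxxxxxx2, federatedUser:idxxxxxx3]
  role_members = {
    for role in distinct(flatten([for g in local.cloud_user_role_mapping : g.roles])) :
    role => distinct(flatten([
      for g in local.cloud_user_role_mapping :
      try(g.users_with_ids, []) if contains(g.roles, role)
    ]))
  }

  # Non-authoritative mode: one (role, member) pair per binding, keyed so
  # that for_each stays stable when groups are reordered.
  role_member_pairs = {
    for p in flatten([
      for g in local.cloud_user_role_mapping : [
        for role in g.roles : [
          for m in try(g.users_with_ids, []) : { role = role, member = m }
        ]
      ]
    ]) : "${p.role}/${p.member}" => p
  }
}

# Authoritative: the members list of each role is replaced wholesale, so any
# principal holding that role in the cloud but absent from the mapping loses
# it on apply. Review the plan for "-" lines under members before applying.
resource "yandex_resourcemanager_cloud_iam_binding" "authoritative" {
  for_each = var.cloud_binding_authoritative ? local.role_members : {}
  cloud_id = local.cloud_id
  role     = each.key
  members  = each.value
}

# Non-authoritative: each resource manages exactly one member of one role and
# leaves every other member of that role untouched.
resource "yandex_resourcemanager_cloud_iam_member" "additive" {
  for_each = var.cloud_binding_authoritative ? {} : local.role_member_pairs
  cloud_id = local.cloud_id
  role     = each.value.role
  member   = each.value.member
}
```

`terraform console` with `local.role_members` is a quick way to inspect the map before committing to authoritative mode: every member missing from it for a given role is a member that apply will remove.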
## Outputs

Name | Description |
---|---|
sa_ids | List of IDs of the created service accounts |
sa_names | List of names of the created service accounts |
sa_object | Map with service account info, keyed by service account name |