terraform-google-modules / terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
Apache License 2.0

Allow using groups for shared VPC access #814

Closed g-prkr closed 1 year ago

g-prkr commented 1 year ago

TL;DR

Currently, the project creation creates new service accounts and updates the access for the shared VPC project by updating the IAM policy. This runs into limitations of the no. of principals that IAM policies support (1500), documented here - https://cloud.google.com/iam/docs/reference/rest/v1/Policy#:~:text=The%20bindings%20in,the%20Policy.

The recommended approach to fix this is to use a group that has access to the shared VPC project and add the new SA to the group, instead of updating the policy. Making these configurable options will help large customers scale the automation more easily.

Terraform Resources

No response

Detailed design

No response

Additional information

No response

g-awmalik commented 1 year ago

I'm assuming the IAM policy you're mentioning is for the project service account on the shared VPC subnets as roles/compute.networkUser. This is happening here.

The customer has the option to set create_project_sa as false and instead set manage_group and provide the gsuite group as group_email.

This way the project service account won't be created and won't get added to the shared VPC project's IAM policies while the group will to which access can be managed as needed.

Does this make sense to you?
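The two configurations the maintainer contrasts, as an added example (not code from the project or the thread). Project, org, billing and subnet identifiers are placeholders; `group_email` is assumed to be the module input named in the comment above, and a `version` pin is omitted here but belongs in real use.

```hcl
# Added example, not from the project. Two ways a service project created with
# terraform-google-project-factory can be granted access to a Shared VPC host.
# All ids are placeholders.

# Default pattern: a per-project service account is created and bound to
# roles/compute.networkUser on each listed host subnet. Each new service
# project adds one more principal to the host project's IAM policy, so a
# large fleet moves toward the 1500-principal limit on a single policy.
module "service_project_sa_binding" {
  source = "terraform-google-modules/project-factory/google"

  name                 = "svc-project-a"                 # placeholder
  random_project_id    = true
  org_id               = "000000000000"                 # placeholder org id
  billing_account      = "AAAAAA-BBBBBB-CCCCCC"         # placeholder
  svpc_host_project_id = "shared-vpc-host-placeholder"
  shared_vpc_subnets = [
    "projects/shared-vpc-host-placeholder/regions/us-central1/subnetworks/subnet-a",
  ]

  create_project_sa = true # explicit: one new principal per project on the host
}

# Group pattern from the maintainer's reply: no project SA is created, and the
# group is the only principal bound on the host subnets. Who may use the
# subnets is then managed through group membership, and the host project's
# policy grows by one principal per group rather than per project.
module "service_project_group_binding" {
  source = "terraform-google-modules/project-factory/google"

  name                 = "svc-project-b"                 # placeholder
  random_project_id    = true
  org_id               = "000000000000"                 # placeholder org id
  billing_account      = "AAAAAA-BBBBBB-CCCCCC"         # placeholder
  svpc_host_project_id = "shared-vpc-host-placeholder"
  shared_vpc_subnets = [
    "projects/shared-vpc-host-placeholder/regions/us-central1/subnetworks/subnet-a",
  ]

  create_project_sa = false
  manage_group      = true
  group_email       = "svpc-network-users@example.com" # assumed input name; placeholder group
}
```

As the follow-up in the thread notes, setting `create_project_sa = true` together with `manage_group` binds both the SA and the group on the host project, so the second module block is the one that keeps the host policy's principal count flat.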

g-prkr commented 1 year ago

Thanks. The expectation is that the SA gets created for the new project and gets access to the shared VPC. In order to get access, instead of modifying the IAM policy, will the new SA get added to the configured group? Will setting create_project_sa to true and manage_group as well with the group_email achieve this?

g-awmalik commented 1 year ago

No, it won't. It'll give both the SA and the group the networkUser role on the host project.

For this we'll need to introduce another flag that specifies if the created project SA should explicitly be given permissions or just added to the group.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.
