fix: Implement examples of ensuring projectCreator rights are applied (…

…#15)

* feat: Implement examples of ensuring projectCreator rights are applied in code prior to bootstrap for #14 & update fixtures

* fix: issue that caused recreation of permissions on each terraform apply without changes

* fix: Move code for projectCreator into main module to fix #14 and update documentation

README.md

@@ -85,7 +85,6 @@ For the cloudbuild submodule, see the README [cloudbuild](./modules/cloudbuild).
 
 - `roles/resourcemanager.organizationAdmin` on GCP Organization
 - `roles/billing.admin` on supplied billing account
-- `roles/resourcemanager.projectCreator` on GCP Organization for `group_org_admins` group.
 - Account running terraform should be a member of group provided in `group_org_admins` variable, otherwise they will loose `roles/resourcemanager.projectCreator` access. Additional members can be added by using the `org_project_creators` variable.
 
 ### Credentials

examples/cloudbuild_enabled/main.tf

@@ -31,6 +31,10 @@ provider "random" {
   version = "~> 2.2"
 }
 
+/*************************************************
+  Bootstrap GCP Organization.
+*************************************************/
+
 module "seed_bootstrap" {
   source                  = "../.."
   org_id                  = var.org_id

examples/simple/main.tf

@@ -30,6 +30,10 @@ provider "random" {
   version = "~> 2.2"
 }
 
+/*************************************************
+  Bootstrap GCP Organization.
+*************************************************/
+
 module "seed_bootstrap" {
   source               = "../.."
   org_id               = var.org_id

main.tf

@@ -30,6 +30,16 @@ data "google_organization" "org" {
   organization = var.org_id
 }
 
+/*************************************************
+  Make sure group_org_admins has projectCreator.
+*************************************************/
+
+resource "google_organization_iam_member" "tmp_project_creator" {
+  org_id = var.org_id
+  role   = "roles/resourcemanager.projectCreator"
+  member = "group:${var.group_org_admins}"
+}
+
 /******************************************
   Create IaC Project
 *******************************************/
@@ -41,7 +51,7 @@ module "seed_project" {
   random_project_id           = true
   disable_services_on_destroy = false
   folder_id                   = var.folder_id
-  org_id                      = var.org_id
+  org_id                      = google_organization_iam_member.tmp_project_creator.org_id
   billing_account             = var.billing_account
   activate_apis               = local.activate_apis
   labels                      = var.project_labels

modules/cloudbuild/variables.tf

@@ -76,6 +76,7 @@ variable "activate_apis" {
   type        = list(string)
 
   default = [
+    "serviceusage.googleapis.com",
     "servicenetworking.googleapis.com",
     "compute.googleapis.com",
     "logging.googleapis.com",

test/integration/cloudbuild_enabled/controls/gcp.rb

@@ -17,12 +17,13 @@
   "servicenetworking.googleapis.com",
   "compute.googleapis.com",
   "logging.googleapis.com",
-  "bigquery-json.googleapis.com",
+  "bigquery.googleapis.com",
   "cloudresourcemanager.googleapis.com",
   "cloudbilling.googleapis.com",
   "iam.googleapis.com",
   "admin.googleapis.com",
-  "appengine.googleapis.com"
+  "appengine.googleapis.com",
+  "storage-api.googleapis.com"
 ]
 
 cloudbuild_apis = ["cloudbuild.googleapis.com", "sourcerepo.googleapis.com", "cloudkms.googleapis.com"]

test/integration/simple/controls/gcp.rb

@@ -17,12 +17,13 @@
   "servicenetworking.googleapis.com",
   "compute.googleapis.com",
   "logging.googleapis.com",
-  "bigquery-json.googleapis.com",
+  "bigquery.googleapis.com",
   "cloudresourcemanager.googleapis.com",
   "cloudbilling.googleapis.com",
   "iam.googleapis.com",
   "admin.googleapis.com",
-  "appengine.googleapis.com"
+  "appengine.googleapis.com",
+  "storage-api.googleapis.com"
 ]
 
 control "bootstrap" do