feat(google_permissions): Allow roles/datastore.user for folder, nonprod, and prod roles #449
Conversation
2ba3f28 to cfe3ca0
whd left a comment
> I could also move the existing resource blocks to use this instead, if that's desired.

I think that will be overall less confusing, but it will produce minor confusion in the short term, i.e. you will probably want to manually roll this out everywhere if you do this, and while you probably should, I can see the argument for letting dependabot handle the easy upgrade and saving proper refactoring for when we've done upstream work to facilitate that, like https://mozilla-hub.atlassian.net/browse/MZCLD-2140
cfe3ca0 to 294f002
whd left a comment
r+wc
I strongly recommend updating https://github.com/mozilla/terraform-modules/blob/main/google_permissions/ADDING_NEW_ROLE.md if this is the new preferred way to add roles.
google_permissions/outputs.tf (Outdated)
| precondition { | ||
| condition = alltrue([ | ||
| for x in var.nonprod_roles : contains(local.project_additional_roles, x) | ||
| for x in var.nonprod_roles : contains(local.project_additional_roles, x) || contains(local.allowed_prod_roles, x) |
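Review bot: the nonprod precondition checks `local.allowed_prod_roles` where it should check `local.allowed_nonprod_roles`; as written, a role allowed only in prod would validate in `var.nonprod_roles`, and a role allowed only in nonprod would be rejected there. Suggested fix for the changed line: `for x in var.nonprod_roles : contains(local.project_additional_roles, x) || contains(local.allowed_nonprod_roles, x)`.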
| for x in var.nonprod_roles : contains(local.project_additional_roles, x) || contains(local.allowed_prod_roles, x) | |
| for x in var.nonprod_roles : contains(local.project_additional_roles, x) || contains(local.allowed_nonprod_roles, x) |
| */ | ||
|
|
||
| locals { | ||
| allowed_folder_roles = [ |
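Review bot: `allowed_folder_roles` introduces a new allow list alongside the existing `local.project_additional_roles` fallback that the preconditions still accept, so a role can now be permitted through either path; ADDING_NEW_ROLE.md should state which list a new role goes in and whether the same role has to be repeated in the folder, nonprod and prod lists, since nothing in the diff keeps those lists in sync.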
If there's a high probability we keep these lists synced, it makes sense to deduplicate here. But that gets into the general structure of this module, which is not a topic we want to get into.
Yeah, I think as part of the refactoring of existing roles into using local.allowed_folder_roles, local.allowed_nonprod_roles, and local.allowed_prod_roles, that would be a good time to remove this list.
Er whoops, misread the context. I kept the original design where roles could be allowed at separate levels.
…rod, and prod roles MZCLD-2439
294f002 to eec274c
whd left a comment
r+ the docs simplification, though I have a bit of a hard time following the lines preliminary to the changes.
Description

This PR allows `roles/datastore.user` for folder, nonprod, and prod roles. I decided on a slightly different implementation scheme that should be a bit easier for CEs to manage roles. I could also move the existing resource blocks to use this instead, if that's desired.

Related Tickets & Documents
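The per-level allow-list scheme the description refers to, as an added illustration rather than code from the mozilla/terraform-modules repository: three `allowed_*_roles` lists, one per level, and an output precondition per level that fails `terraform plan` when a requested role is on neither that level's list nor the existing `local.project_additional_roles` fallback. The variable names, the placeholder roles other than `roles/datastore.user`, and the output names are assumptions for the example.

```hcl
# Example only, not the module's own outputs.tf.
variable "nonprod_roles" {
  type    = list(string)
  default = ["roles/datastore.user"]
}

variable "prod_roles" {
  type    = list(string)
  default = ["roles/datastore.user"]
}

locals {
  # Placeholder for the module's existing project-level list (assumed contents).
  project_additional_roles = ["roles/logging.viewer"]

  # One list per level, so a role can be allowed in nonprod without being
  # allowed in prod. roles/datastore.user is allowed at every level, as in
  # this PR; roles/cloudsql.client is an assumed nonprod-only entry.
  allowed_folder_roles  = ["roles/datastore.user"]
  allowed_nonprod_roles = ["roles/datastore.user", "roles/cloudsql.client"]
  allowed_prod_roles    = ["roles/datastore.user"]
}

output "nonprod_roles" {
  value = var.nonprod_roles

  # Every nonprod role must be on the nonprod list (not the prod list, which
  # is the mix-up raised in review); otherwise plan stops with error_message.
  precondition {
    condition = alltrue([
      for x in var.nonprod_roles :
      contains(local.project_additional_roles, x) || contains(local.allowed_nonprod_roles, x)
    ])
    error_message = "nonprod_roles contains a role that is not in local.allowed_nonprod_roles."
  }
}

output "prod_roles" {
  value = var.prod_roles

  # Prod is checked against its own, narrower list.
  precondition {
    condition = alltrue([
      for x in var.prod_roles :
      contains(local.project_additional_roles, x) || contains(local.allowed_prod_roles, x)
    ])
    error_message = "prod_roles contains a role that is not in local.allowed_prod_roles."
  }
}
```

With these defaults `terraform plan` succeeds; setting `prod_roles = ["roles/cloudsql.client"]` fails the prod precondition because that role is only on the nonprod list, which is the separation the per-level lists exist to enforce. Output preconditions require Terraform 1.2 or later.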