
SSPROD-48612: add ciem roles to cspm svc acct org case (#46)
* SSPROD-48612: add ciem roles to cspm svc acct org case

* remove CIEM roles from pub-sub integrations
haresh-suresh authored Oct 24, 2024
1 parent 3814ac6 commit 0cc5797
Showing 2 changed files with 2 additions and 10 deletions.
3 changes: 2 additions & 1 deletion modules/config-posture/organizational.tf
Expand Up @@ -15,7 +15,8 @@ data "google_organization" "org" {
# role permissions for CSPM (GCP Predefined Roles for Sysdig Cloud Secure Posture Management)
#---------------------------------------------------------------------------------------------
resource "google_organization_iam_member" "cspm" {
for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer"]) : []
# adding ciem role with permissions to the service account alongside cspm roles
for_each = var.is_organizational ? toset(["roles/cloudasset.viewer", "roles/iam.workloadIdentityUser", "roles/logging.viewer", "roles/cloudfunctions.viewer", "roles/cloudbuild.builds.viewer", "roles/orgpolicy.policyViewer", "roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.roleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []

org_id = data.google_organization.org[0].org_id
role = each.key
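Review bot: The new for_each on line 25 grants `roles/iam.roleViewer` where the resource removed from the pub-sub module granted `roles/iam.organizationRoleViewer` (line 40), and neither the commit message nor the comment on line 24 says whether that substitution is intentional; if I read the role scopes correctly the org-level role is what gives visibility of organization custom roles, so this is either a narrowing the CIEM feature may notice or a deliberate least-privilege choice that deserves a sentence. The comment on line 24 also says "ciem role" although five org-wide viewer roles are added, so I would replace it with `# CIEM roles (recommender, service-account, custom-role, GKE and compute viewers) granted org-wide to the CSPM service account; roles/iam.roleViewer is used in place of roles/iam.organizationRoleViewer by design` once that choice is confirmed. Splitting the CIEM roles into a named `locals` list and concatenating it with the CSPM list would keep this org-level grant reviewable as it grows rather than a single long literal. The resource block's `member` line lies outside the hunk.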
9 changes: 0 additions & 9 deletions modules/integrations/pub-sub/organizational.tf
Expand Up @@ -83,13 +83,4 @@ resource "google_organization_iam_member" "custom" {
org_id = data.google_organization.org[0].org_id
role = google_organization_iam_custom_role.custom_ingestion_auth_role[0].id
member = "serviceAccount:${google_service_account.push_auth.email}"
}

# adding ciem role with permissions to the service account for org
resource "google_organization_iam_member" "identity_mgmt" {
for_each = var.is_organizational ? toset(["roles/recommender.viewer", "roles/iam.serviceAccountViewer", "roles/iam.organizationRoleViewer", "roles/container.clusterViewer", "roles/compute.viewer"]) : []

org_id = data.google_organization.org[0].org_id
role = each.key
member = "serviceAccount:${google_service_account.push_auth.email}"
}
