feat: Add support for predefined roles as a basis for custom roles (#118)

zefdelgadillo · web-flow · commit 86c16eed31e9 · 2020-11-10T15:09:59.000-05:00
diff --git a/examples/custom_role_org/main.tf b/examples/custom_role_org/main.tf
@@ -35,10 +35,12 @@ resource "random_id" "rand_custom_id" {
 module "custom-roles-org" {
   source = "../../modules/custom_role_iam/"
 
-  target_level = "org"
-  target_id    = var.org_id
-  role_id      = "iamDeleter_${random_id.rand_custom_id.hex}"
-  permissions  = ["iam.roles.list", "iam.roles.delete"]
-  description  = "This is an organization level custom role."
-  members      = ["group:test-gcp-org-admins@test.infra.cft.tips", "group:test-gcp-billing-admins@test.infra.cft.tips"]
+  target_level         = "org"
+  target_id            = var.org_id
+  role_id              = "iamDeleter_${random_id.rand_custom_id.hex}"
+  base_roles           = ["roles/iam.serviceAccountAdmin"]
+  permissions          = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
+  excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
+  description          = "This is an organization level custom role."
+  members              = ["group:test-gcp-org-admins@test.infra.cft.tips", "group:test-gcp-billing-admins@test.infra.cft.tips"]
 }
diff --git a/examples/custom_role_project/main.tf b/examples/custom_role_project/main.tf
@@ -31,12 +31,14 @@ provider "google-beta" {
 module "custom-role-project" {
   source = "../../modules/custom_role_iam/"
 
-  target_level = "project"
-  target_id    = var.project_id
-  role_id      = "iamDeleter"
-  permissions  = ["iam.roles.list", "iam.roles.delete"]
-  description  = "This is a project level custom role."
-  members      = ["serviceAccount:custom-role-account-01@${var.project_id}.iam.gserviceaccount.com", "serviceAccount:custom-role-account-02@${var.project_id}.iam.gserviceaccount.com"]
+  target_level         = "project"
+  target_id            = var.project_id
+  role_id              = "iamDeleter"
+  base_roles           = ["roles/iam.serviceAccountAdmin"]
+  permissions          = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
+  excluded_permissions = ["iam.serviceAccounts.setIamPolicy", "resourcemanager.projects.get", "resourcemanager.projects.list"]
+  description          = "This is a project level custom role."
+  members              = ["serviceAccount:custom-role-account-01@${var.project_id}.iam.gserviceaccount.com", "serviceAccount:custom-role-account-02@${var.project_id}.iam.gserviceaccount.com"]
 }
 
 /******************************************
diff --git a/modules/custom_role_iam/README.md b/modules/custom_role_iam/README.md
@@ -1,20 +1,24 @@
 # Module Custom Role IAM
 
-This optional module is used to create custom roles at organization or project level.
+This optional module is used to create custom roles at organization or project level. The module supports creating custom rules optionally using predefined roles as a base, with additional permissions or excluded permissions.
+
+Permissions that are [unsupported](https://cloud.google.com/iam/docs/custom-roles-permissions-support) from custom roles are automatically excluded.
 
 ## Usage - Custom Role at Organization Level
 
 ```hcl
 module "custom-roles" {
   source = "terraform-google-modules/iam/google//modules/custom_role_iam"
 
-  target_level = "org"
-  target_id    = "123456789"
-  role_id      = "custom_role_id"
-  title        = "Custom Role Unique Title"
-  description  = "Custom Role Description"
-  permissions  = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
-  members      = ["user:user01@domain.com", "group:group01@domain.com"]
+  target_level         = "org"
+  target_id            = "123456789"
+  role_id              = "custom_role_id"
+  title                = "Custom Role Unique Title"
+  description          = "Custom Role Description"
+  base_roles           = ["roles/iam.serviceAccountAdmin"]
+  permissions          = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
+  excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
+  members              = ["user:user01@domain.com", "group:group01@domain.com"]
 }
 ```
 
@@ -24,13 +28,15 @@ module "custom-roles" {
 module "custom-roles" {
   source = "terraform-google-modules/iam/google//modules/custom_role_iam"
 
-  target_level = "project"
-  target_id    = "project_id_123"
-  role_id      = "custom_role_id"
-  title        = "Custom Role Unique Title"
-  description  = "Custom Role Description"
-  permissions  = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
-  members      = ["serviceAccount:member01@${var.target_id}.iam.gserviceaccount.com", "serviceAccount:member02@${var.target_id}.iam.gserviceaccount.com"]
+  target_level         = "project"
+  target_id            = "project_id_123"
+  role_id              = "custom_role_id"
+  title                = "Custom Role Unique Title"
+  description          = "Custom Role Description"
+  base_roles           = ["roles/iam.serviceAccountAdmin"]
+  permissions          = ["iam.roles.list", "iam.roles.create", "iam.roles.delete"]
+  excluded_permissions = ["iam.serviceAccounts.setIamPolicy"]
+  members              = ["serviceAccount:member01@${var.target_id}.iam.gserviceaccount.com", "serviceAccount:member02@${var.target_id}.iam.gserviceaccount.com"]
 }
 ```
 
@@ -39,7 +45,9 @@ module "custom-roles" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| base\_roles | List of base predefined roles to use to compose custom role. | list(string) | `<list>` | no |
 | description | Description of Custom role. | string | `""` | no |
+| excluded\_permissions | List of permissions to exclude from custom role. | list(string) | `<list>` | no |
 | members | List of members to be added to custom role. | list(string) | n/a | yes |
 | permissions | IAM permissions assigned to Custom Role. | list(string) | n/a | yes |
 | role\_id | ID of the Custom Role. | string | n/a | yes |
diff --git a/modules/custom_role_iam/main.tf b/modules/custom_role_iam/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2020 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,7 +15,26 @@
  */
 
 locals {
-  custom-role-output = (var.target_level == "project") ? google_project_iam_custom_role.project-custom-role[0].role_id : google_organization_iam_custom_role.org-custom-role[0].role_id
+  excluded_permissions = concat(data.google_iam_testable_permissions.unsupported_permissions.permissions[*].name, var.excluded_permissions)
+  included_permissions = concat(flatten(values(data.google_iam_role.role_permissions)[*].included_permissions), var.permissions)
+  permissions          = [for permission in local.included_permissions : permission if ! contains(local.excluded_permissions, permission)]
+  custom-role-output   = (var.target_level == "project") ? google_project_iam_custom_role.project-custom-role[0].role_id : google_organization_iam_custom_role.org-custom-role[0].role_id
+}
+
+/******************************************
+  Permissions from predefined roles
+ *****************************************/
+data "google_iam_role" "role_permissions" {
+  for_each = toset(var.base_roles)
+  name     = "${each.value}"
+}
+
+/******************************************
+  Permissions unsupported for custom roles
+ *****************************************/
+data "google_iam_testable_permissions" "unsupported_permissions" {
+  full_resource_name   = var.target_level == "org" ? "//cloudresourcemanager.googleapis.com/organizations/${var.target_id}" : "//cloudresourcemanager.googleapis.com/projects/${var.target_id}"
+  custom_support_level = "NOT_SUPPORTED"
 }
 
 /******************************************
@@ -28,7 +47,7 @@ resource "google_organization_iam_custom_role" "org-custom-role" {
   role_id     = var.role_id
   title       = var.title == "" ? var.role_id : var.title
   description = var.description
-  permissions = var.permissions
+  permissions = local.permissions
 }
 
 /******************************************
@@ -52,7 +71,7 @@ resource "google_project_iam_custom_role" "project-custom-role" {
   role_id     = var.role_id
   title       = var.title == "" ? var.role_id : var.title
   description = var.description
-  permissions = var.permissions
+  permissions = local.permissions
 }
 
 /******************************************
diff --git a/modules/custom_role_iam/variables.tf b/modules/custom_role_iam/variables.tf
@@ -25,11 +25,23 @@ variable "title" {
   default     = ""
 }
 
+variable "base_roles" {
+  type        = list(string)
+  description = "List of base predefined roles to use to compose custom role."
+  default     = []
+}
+
 variable "permissions" {
   type        = list(string)
   description = "IAM permissions assigned to Custom Role."
 }
 
+variable "excluded_permissions" {
+  type        = list(string)
+  description = "List of permissions to exclude from custom role."
+  default     = []
+}
+
 variable "description" {
   type        = string
   description = "Description of Custom role."
diff --git a/test/fixtures/custom-role/main.tf b/test/fixtures/custom-role/main.tf
@@ -23,3 +23,17 @@ module "create_custom_role_org" {
   source = "../../../examples/custom_role_org"
   org_id = var.org_id
 }
+
+module "create_custom_role_unsupported_permissions_org" {
+  source       = "../../../modules/custom_role_iam"
+  target_level = "org"
+  target_id    = var.org_id
+  role_id      = "customDatastoreViewer_${random_id.rand_custom_id.hex}"
+  base_roles   = ["roles/datastore.viewer"] # https://cloud.google.com/iam/docs/custom-roles-permissions-support
+  permissions  = []
+  members      = []
+}
+
+resource "random_id" "rand_custom_id" {
+  byte_length = 2
+}
diff --git a/test/fixtures/custom-role/outputs.tf b/test/fixtures/custom-role/outputs.tf
@@ -33,3 +33,8 @@ output "custom_role_id_org" {
   value       = module.create_custom_role_org.role_id
   description = "ID of the custom role created at organization level."
 }
+
+output "custom_role_id_org_unsupported" {
+  value       = module.create_custom_role_unsupported_permissions_org.custom_role_id
+  description = "ID of the custom role created formed from base role with unsupported permissions"
+}
diff --git a/test/integration/custom-role/controls/custom-role.rb b/test/integration/custom-role/controls/custom-role.rb
@@ -16,6 +16,7 @@
 
 custom_role_id_project = attribute('custom_role_id_project')
 custom_role_id_org = attribute('custom_role_id_org')
+custom_role_id_org_unsupported = attribute('custom_role_id_org_unsupported')
 project_id = attribute('project_id')
 org_id = attribute('org_id')
 
@@ -39,6 +40,9 @@
                 expect(data["description"]).to include("This is a project level custom role.")
                 expect(data["includedPermissions"]).to include("iam.roles.list")
                 expect(data["includedPermissions"]).to include("iam.roles.delete")
+                expect(data["includedPermissions"]).to include("iam.serviceAccounts.list")
+                expect(data["includedPermissions"]).to include("iam.serviceAccounts.delete")
+                expect(data["includedPermissions"]).not_to include("iam.serviceAccounts.setIamPolicy")
             end
         end
     end
@@ -60,6 +64,28 @@
                 expect(data["description"]).to include("This is an organization level custom role.")
                 expect(data["includedPermissions"]).to include("iam.roles.list")
                 expect(data["includedPermissions"]).to include("iam.roles.delete")
+                expect(data["includedPermissions"]).to include("iam.serviceAccounts.list")
+                expect(data["includedPermissions"]).to include("iam.serviceAccounts.delete")
+                expect(data["includedPermissions"]).not_to include("iam.serviceAccounts.setIamPolicy")
+            end
+        end
+    end
+
+    describe command ("gcloud iam roles describe #{custom_role_id_org_unsupported} --organization #{org_id} --format=json") do
+        its(:exit_status) { should eq 0 }
+        its(:stderr) { should eq '' }
+
+        let!(:data) do
+            if subject.exit_status == 0
+                JSON.parse(subject.stdout)
+            else
+                {}
+            end
+        end
+
+        describe "project_unsupported_custom_role" do
+            it "does not have permissions" do
+                expect(data["includedPermissions"]).not_to include("datastore.databases.get")
             end
         end
     end
diff --git a/test/integration/custom-role/inspec.yml b/test/integration/custom-role/inspec.yml
@@ -20,6 +20,9 @@ attributes:
   - name: custom_role_id_org
     required: true
     type: string
+  - name: custom_role_id_org_unsupported
+    required: true
+    type: string
   - name: project_id
     required: true
     type: string

Original file line number	Diff line number	Diff line change
`@@ -33,3 +33,8 @@ output "custom_role_id_org" {`
`33`	`33`	`value = module.create_custom_role_org.role_id`
`34`	`34`	`description = "ID of the custom role created at organization level."`
`35`	`35`	`}`
	`36`	`+`
	`37`	`+output "custom_role_id_org_unsupported" {`
	`38`	`+ value = module.create_custom_role_unsupported_permissions_org.custom_role_id`
	`39`	`+ description = "ID of the custom role created formed from base role with unsupported permissions"`
	`40`	`+}`