feat: add dns zone IAM submodule (#181)

terraform-google-modules · Feb 15, 2023 · 4f6e19d · 4f6e19d
1 parent 7a023e4
commit 4f6e19d
Show file tree

Hide file tree

Showing 130 changed files with 631 additions and 121 deletions.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-# Copyright 2019 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/README.md b/README.md
@@ -5,18 +5,20 @@ This is a collection of submodules that make it easier to non-destructively mana
 * [Audit Config](modules/audit_config)
 * [BigQuery IAM](modules/bigquery_datasets_iam)
 * [Billing Accounts IAM](modules/billing_accounts_iam)
+* [Cloud Run Service IAM](modules/cloud_run_services_iam)
 * [Custom Role IAM](modules/custom_role_iam)
+* [DNS Zone IAM](modules/dns_zones_iam)
 * [Folders IAM](modules/folders_iam)
 * [KMS Crypto Keys IAM](modules/kms_crypto_keys_iam)
 * [KMS_Key Rings IAM](modules/kms_key_rings_iam)
 * [Organizations IAM](modules/organizations_iam)
 * [Projects IAM](modules/projects_iam)
 * [Pubsub Subscriptions IAM](modules/pubsub_subscriptions_iam)
 * [Pubsub Topics IAM](modules/pubsub_topics_iam)
+* [Secret Manager IAM](modules/secret_manager_iam)
 * [Service Accounts IAM](modules/service_accounts_iam)
 * [Storage Buckets IAM](modules/storage_buckets_iam)
 * [Subnets IAM](modules/subnets_iam)
-* [Secret Manager IAM](modules/secret_manager_iam)
 
 ## Compatibility
 This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
@@ -40,7 +42,7 @@ Full examples are in the [examples](./examples/) folder, but basic usage is as f
 ```hcl
 module "projects_iam_bindings" {
   source  = "terraform-google-modules/iam/google//modules/projects_iam"
-  version = "~> 7.5"
+  version = "~> 8.0"
 
   projects = ["project-123456", "project-9876543"]
 
@@ -67,7 +69,7 @@ The module also offers an **authoritative** mode which will remove all roles not
 ```hcl
 module "storage_buckets_iam_bindings" {
   source  = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
-  version = "~> 6.4"
+  version = "~> 8.0"
 
   storage_buckets = ["my-storage-bucket"]
 
@@ -124,6 +126,7 @@ You can choose the following resource types to apply the IAM bindings:
 - Kms Key Rings (`kms_key_rings` variable)
 - Kms Crypto Keys (`kms_crypto_keys` variable)
 - Secret Manager Secrets (`secrets` variable)
+- DNS Zones (`managed_zones` variable)
 
 Set the specified variable on the module call to choose the resources to affect. Remember to set the `mode` [variable](#additive-and-authoritative-modes) and give enough [permissions](#permissions) to manage the selected resource as well. Note that the `bindings` variable accepts an empty map `{}` passed in as an argument in the case that resources don't have IAM bindings to apply.
 
@@ -186,6 +189,9 @@ In order to execute a submodule you must have a Service Account with an appropri
 - Secret Manager:
     - Secret Manager Admin: Full access to administer Secret Manager.
     - Custom: Add secretmanager.secrets.getIamPolicy and secretmanager.secrets.setIamPolicy permissions.
+- DNS Zone:
+    - DNS Administrator : Full access to administer DNS Zone.
+    - Custom: Add dns.managedZones.setIamPolicy, dns.managedZones.list and dns.managedZones.getIamPolicy permissions.
 
 ## Install
 

diff --git a/examples/dns_zone/README.md b/examples/dns_zone/README.md
@@ -0,0 +1,19 @@
+# DNS ZOne Example
+
+This example illustrates how to use the `bigquery_datasets_iam` submodule
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| group\_email | Email for group to receive roles (ex. [email protected]) | `string` | n/a | yes |
+| project\_id | Project ID to create BigQuery resources in | `string` | n/a | yes |
+| sa\_email | Email for Service Account to receive roles (Ex. [email protected]) | `string` | n/a | yes |
+| user\_email | Email for group to receive roles (Ex. [email protected]) | `string` | n/a | yes |
+
+## Outputs
+
+No output.
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/dns_zone/main.tf b/examples/dns_zone/main.tf
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*********************************************
+  Module dns_zone_iam_binding calling
+ *********************************************/
+module "dns_zones_iam_binding" {
+  source  = "../../modules/dns_zones_iam/"
+  project = var.project_id
+  managed_zones = [
+    google_dns_managed_zone.dns_zone_one.name,
+  ]
+  mode = "authoritative"
+
+  bindings = {
+    "roles/viewer" = [
+      "serviceAccount:${var.sa_email}",
+      "group:${var.group_email}",
+      "user:${var.user_email}",
+    ]
+    "roles/dns.reader" = [
+      "serviceAccount:${var.sa_email}",
+      "group:${var.group_email}",
+      "user:${var.user_email}",
+    ]
+  }
+}
+
+resource "google_dns_managed_zone" "dns_zone_one" {
+  project  = var.project_id
+  name     = "test-iam-dns-${random_id.test.hex}-one"
+  dns_name = "example-${random_id.test.hex}.com."
+}
+
+resource "random_id" "test" {
+  byte_length = 4
+}
diff --git a/examples/dns_zone/variables.tf b/examples/dns_zone/variables.tf
@@ -0,0 +1,38 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "group_email" {
+  type        = string
+  description = "Email for group to receive roles (ex. [email protected])"
+}
+
+variable "sa_email" {
+  type        = string
+  description = "Email for Service Account to receive roles (Ex. [email protected])"
+}
+
+variable "user_email" {
+  type        = string
+  description = "Email for group to receive roles (Ex. [email protected])"
+}
+
+/******************************************
+  bigquery_dataset_iam_binding variables
+ *****************************************/
+variable "project_id" {
+  type        = string
+  description = "Project ID to create BigQuery resources in"
+}
diff --git a/examples/dns_zone/versions.tf b/examples/dns_zone/versions.tf
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 4.0"
+    }
+  }
+}
diff --git a/metadata.yaml b/metadata.yaml
@@ -152,3 +152,4 @@ spec:
   - iap.googleapis.com
   - secretmanager.googleapis.com
   - bigquery.googleapis.com
+  - dns.googleapis.com
diff --git a/modules/artifact_registry_iam/main.tf b/modules/artifact_registry_iam/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/artifact_registry_iam/outputs.tf b/modules/artifact_registry_iam/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/artifact_registry_iam/variables.tf b/modules/artifact_registry_iam/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/artifact_registry_iam/versions.tf b/modules/artifact_registry_iam/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/audit_config/main.tf b/modules/audit_config/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/audit_config/outputs.tf b/modules/audit_config/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/audit_config/variables.tf b/modules/audit_config/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/audit_config/versions.tf b/modules/audit_config/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/bigquery_datasets_iam/main.tf b/modules/bigquery_datasets_iam/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/bigquery_datasets_iam/outputs.tf b/modules/bigquery_datasets_iam/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/bigquery_datasets_iam/variables.tf b/modules/bigquery_datasets_iam/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/bigquery_datasets_iam/versions.tf b/modules/bigquery_datasets_iam/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/billing_accounts_iam/main.tf b/modules/billing_accounts_iam/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/billing_accounts_iam/outputs.tf b/modules/billing_accounts_iam/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/billing_accounts_iam/variables.tf b/modules/billing_accounts_iam/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 variable "billing_account_ids" {
   description = "Billing Accounts IDs list to add the IAM policies/bindings"
   default     = []

diff --git a/modules/billing_accounts_iam/versions.tf b/modules/billing_accounts_iam/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/cloud_run_services_iam/main.tf b/modules/cloud_run_services_iam/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/cloud_run_services_iam/outputs.tf b/modules/cloud_run_services_iam/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/cloud_run_services_iam/variables.tf b/modules/cloud_run_services_iam/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/custom_role_iam/main.tf b/modules/custom_role_iam/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2020 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/custom_role_iam/outputs.tf b/modules/custom_role_iam/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/custom_role_iam/variables.tf b/modules/custom_role_iam/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/modules/custom_role_iam/versions.tf b/modules/custom_role_iam/versions.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.