Commit af4d1fd8 authored by Adam Robinson's avatar Adam Robinson

Use BigQuery roles created in the project

parent ed7b9d78
......@@ -51,6 +51,56 @@ resource "google_logging_metric" "unexpected_bucket_access" {
}
}
resource "google_project_iam_custom_role" "BigQueryDataEditor_NO_Export" {
for_each = { for v in local.projects_storing_data : v => v }
role_id = "BigQueryDataEditor_NO_Export"
title = "BigQuery Data Editor - No Export"
description = "BigQuery Data Editor minus bigquery.tables.export and resourcemanager.projects.list"
project = google_project.hipaa_project[each.key].project_id
stage = "GA"
permissions = [
"bigquery.datasets.create",
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.datasets.updateTag",
"bigquery.models.updateTag",
"bigquery.routines.create",
"bigquery.routines.delete",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.routines.update",
"bigquery.tables.create",
"bigquery.tables.delete",
"bigquery.tables.get",
"bigquery.tables.getData",
"bigquery.tables.list",
"bigquery.tables.update",
"bigquery.tables.updateData",
"bigquery.tables.updateTag",
"resourcemanager.projects.get",
//"resourcemanager.projects.list", not supported roles created in a project
]
}
resource "google_project_iam_custom_role" "BigQueryDataViewer_NO_Export" {
for_each = { for v in local.projects_storing_data : v => v }
role_id = "BigQueryDataViewer_NO_Export"
title = "BigQuery Data Viewer - No Export"
description = "BigQuery Data Viewer minus bigquery.tables.export, bigquery.tables.getData, and resourcemanager.projects.list"
project = google_project.hipaa_project[each.key].project_id
stage = "GA"
permissions = [
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.tables.get",
"bigquery.tables.list",
"resourcemanager.projects.get",
//"resourcemanager.projects.list", not supported roles created in a project
]
}
# Create BigQuery Dataset in Data or Worker projects
resource "google_bigquery_dataset" "hipaa_data_bq" {
for_each = { for v in local.projects_storing_data : v => v }
......@@ -68,7 +118,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key == "data" ? [local.read-only_group_email] : []
content {
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
group_by_email = access.value
}
}
......@@ -77,7 +127,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key == "data" ? [local.writer_group_email] : []
content {
role = "organizations/715302536254/roles/BigQueryDataEditor_NO_Export"
role = google_project_iam_custom_role.BigQueryDataEditor_NO_Export[each.key].id
group_by_email = access.value
}
}
......@@ -86,7 +136,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key == "data" ? local.datalab_service_account_readers : []
content {
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
user_by_email = access.value
}
}
......@@ -95,7 +145,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = each.key != "data" ? [local.worker_project_email[each.key]] : []
content {
role = "organizations/715302536254/roles/BigQueryDataViewer_NO_Export"
role = google_project_iam_custom_role.BigQueryDataViewer_NO_Export[each.key].id
group_by_email = access.value
}
}
......@@ -104,7 +154,7 @@ resource "google_bigquery_dataset" "hipaa_data_bq" {
dynamic "access" {
for_each = compact([ for v in keys(var.datalab_user_list) : var.datalab_user_list[v] == each.value ? google_service_account.datalab_service_account[v].email : "" ])
content {
role = "organizations/715302536254/roles/BigQueryDataEditor_NO_Export"
role = google_project_iam_custom_role.BigQueryDataEditor_NO_Export[each.key].id
user_by_email = access.value
}
}
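Review bot: Moving `BigQueryDataEditor_NO_Export` and `BigQueryDataViewer_NO_Export` from the organization into each data project (L10–L57) changes who can alter the export restriction: a principal with role-admin rights on a single project can now edit the project-level role and re-add `bigquery.tables.export`, whereas the org-level role could only be changed centrally, and the commit does not document this shift. Consider a header comment on the first resource, e.g. `# Project-level copies of the org "NO_Export" roles; project IAM admins can modify them, so changes to these roles should be monitored`, and, since this file already defines a `google_logging_metric` for unexpected bucket access, a sibling metric on custom-role update/delete audit events for these two `role_id` values. Separately, the editor role keeps `bigquery.tables.getData` (L31); dropping `tables.export` blocks extract jobs, but a principal with `getData` here can presumably still copy rows out through a query job run from a project they control, so the `description` at L14 would be more accurate as limiting rather than preventing data egress. The `google_bigquery_dataset` block starting at L59 continues outside this hunk.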