terraform-example-foundation
Misleading variable name for `org_policy_admin_role`
TL;DR
[org_policy_admin_role](https://github.com/search?q=repo%3Aterraform-google-modules%2Fterraform-example-foundation%20org_policy_admin_role&type=code) is a variable optionally used to override the default behavior of IAM roles with a list of hardcoded. However, the intended usage of the variable is not clear because it has the same name as a reserved role name in GCP (`roles/orgpolicy.policyAdmin`).
This is also non-intuitive to use because most groups have their IAM policies set in this repo, but the code to set roles for `group_org_admins` spans this and external modules.
Terraform Resources
Implementation in this repo that hardcodes additional role values based on the presence of this boolean variable:
https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/main.tf#L33
Bootstrap module that uses `org_admins_org_iam_permissions`:
https://registry.terraform.io/modules/terraform-google-modules/bootstrap/google/latest
Detailed design
Change variable name to something that makes intent clear and does not duplicate a reserved role name in GCP.
Ex: `org_policy_admin_role` -> `customize_roles_for_group_org_admins`
Additional information
No response
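As an added illustration of the rename proposed in the issue (this is not code from terraform-example-foundation or its bootstrap module), the following hypothetical root-module fragment shows how a boolean feature toggle that gates an extra, hardcoded role list can be named and documented so that a reviewer cannot mistake it for a single role grant. The variable names `org_id` and `group_org_admins`, the role strings in the two lists, and the resource wiring are constructed placeholders, not the project's actual values.

```hcl
# Added example, not the project's own code. Illustrates the proposed rename:
# the toggle is named for what it does (customize the org-admin group's roles),
# not for a GCP role it happens to include.

variable "org_id" {
  description = "Organization ID (placeholder for this example)."
  type        = string
}

variable "group_org_admins" {
  description = "Email of the organization admins group (placeholder for this example)."
  type        = string
}

variable "customize_roles_for_group_org_admins" {
  description = <<-EOT
    Feature toggle, not a role name. When true, the organization-admin group is
    granted the additional organization-level roles in local.extra_org_admin_roles
    on top of the base roles. Review local.extra_org_admin_roles before enabling,
    since it widens the group's privileges.
  EOT
  type        = bool
  default     = false
}

locals {
  # Roles the group always receives (constructed placeholder values).
  base_org_admin_roles = [
    "roles/resourcemanager.organizationAdmin",
  ]

  # Roles added only when the toggle is on (constructed placeholder values).
  # Keeping the list in one named local makes the privilege expansion reviewable.
  extra_org_admin_roles = [
    "roles/orgpolicy.policyAdmin",
  ]

  org_admin_roles = var.customize_roles_for_group_org_admins ? concat(
    local.base_org_admin_roles,
    local.extra_org_admin_roles,
  ) : local.base_org_admin_roles
}

# One binding per role so `terraform plan` lists each added role explicitly.
resource "google_organization_iam_member" "org_admins" {
  for_each = toset(local.org_admin_roles)

  org_id = var.org_id
  role   = each.value
  member = "group:${var.group_org_admins}"
}
```

Renaming a root-module input variable changes no Terraform state; it only requires callers to update their `.tfvars` or module arguments, so the rename can be reviewed as a pure readability change with an empty plan once inputs are updated.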