-
Notifications
You must be signed in to change notification settings - Fork 1.3k
/
config.yaml
67 lines (63 loc) · 1.93 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
---
terraform:
pre: |
# This is a comment (pre)
post: |
output "custom_roles" {{
value = {{for resource, role in {resources}: resource => role.name}}
}}
roles:
- id: minimalRole
tfId: minimal-gce-role
title: 'Minimal set of privileges for GKE plus one extra permission.'
description: 'Minimal set of privileges for GKE plus one extra permission.'
stage: BETA
source:
- roles/monitoring.viewer
- roles/monitoring.metricWriter
- roles/logging.logWriter
parent: organizations/312281222529
include:
- '*'
append:
- storage.objects.list
- id: noIamEditor
tfId: no-iam-editor
title: 'roles/editor without resourcemanager.projects.setIamPolicy'
description: 'Predefined Editor role without Project IAM Admin.'
stage: BETA
source: roles/editor
parent: organizations/312281222529
include:
- resourcemanager.*
- compute.*
- container.*
exclude:
- resourcemanager.projects.setIamPolicy
# Not supported in custom roles:
- appengine.runtimes.actAsAdmin
- cloudonefs.*
- cloudsql.sslCerts.createEphemeral
- datastore.*
- domains.registrations.*
- gcp.redisenterprise.com/*
- gkehub.features.*
- run.routes.invoke
- servicemanagement.consumerSettings.*
- source.repos.update
- spanner.databaseOperations.delete
- spanner.databases.update
- stackdriver.projects.edit
- id: resourceIamPermissionsAdmin
title: 'Resource IAM Admin'
description: 'Manage "resource-level" IAM permissions.'
stage: BETA
source: //cloudresourcemanager.googleapis.com/organizations/312281222529
parent: organizations/312281222529
include:
- '*.setIamPolicy'
# - '/\.setIamPolicy$/' # Regular expression
exclude:
- resourcemanager.*.setIamPolicy
- cloudsupport.accounts.setIamPolicy
- securitycenter.*