# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: core.cnrm.cloud.google.com/v1alpha1
kind: ServiceMapping
metadata:
  name: iam.cnrm.cloud.google.com
  namespace: cnrm-system
spec:
  name: IAM
  version: v1beta1
  # Quoted so the host name is always loaded as a string.
  serviceHostName: "iam.googleapis.com"
  # One entry per Terraform IAM resource exposed as a KCC kind. Each entry
  # names the TF resource and the KCC kind, says how the resource ID is built
  # (idTemplate / resourceID), and maps TF fields onto Kubernetes references,
  # containers and metadata.
  resources:
    - name: google_iam_access_boundary_policy
      kind: IAMAccessBoundaryPolicy
      resourceID:
        targetField: name
      idTemplate: "{{parent}}/{{name}}"
      idTemplateCanBeUsedToMatchResourceName: true
      metadataMapping:
        name: name
      resourceReferences:
        # Parent reference to a Project. The reference value is the
        # URL-encoded project resource name ("%2F" encodes "/"), so the
        # encoding is part of the value itself.
        - tfField: parent
          key: projectRef
          parent: true
          gvk:
            kind: Project
            version: v1beta1
            group: resourcemanager.cnrm.cloud.google.com
          valueTemplate: "cloudresourcemanager.googleapis.com%2Fprojects%2F{{value}}"
          targetField: "name"
      hierarchicalReferences:
        - type: project
          key: projectRef
    - name: google_iam_custom_role
      kind: IAMCustomRole
      # Due to this being a custom KCC-only resource, the ID template is
      # in a non-standard format to more easily allow for TF resource
      # multiplexing.
      idTemplate: "{{project?}}#{{org_id?}}#{{role_id}}"
      # This TF resource has a custom-crafted import ID in an arbitrary format
      # that cannot be mapped cleanly to a URI, because it combines multiple
      # underlying resources.
      idTemplateCanBeUsedToMatchResourceName: false
      resourceAvailableInAssetInventory: true
      metadataMapping:
        name: role_id
      resourceID:
        targetField: role_id
      # The two containers correspond to the optional ("?") project / org_id
      # placeholders in idTemplate; presumably a role lives in one of the two.
      containers:
        - type: project
          tfField: project
        - type: organization
          tfField: org_id
    - name: google_service_account
      kind: IAMServiceAccount
      # IAM policy / policy-member resources that bind onto the service
      # account itself. supportsConditions: true indicates conditional
      # bindings are accepted for this resource.
      iamConfig:
        policyName: google_service_account_iam_policy
        policyMemberName: google_service_account_iam_member
        referenceField:
          name: service_account_id
          type: id
        supportsConditions: true
      # How IAM members elsewhere refer to this service account: the member
      # string is the account's email with the "serviceAccount:" prefix.
      iamMemberReferenceConfig:
        targetField: email
        valueTemplate: "serviceAccount:{{value}}"
      idTemplate: "projects/{{project}}/serviceAccounts/[{{account_id}}@{{project}}.iam.gserviceaccount.com|{{unique_id}}]"
      # id template is complex, has an 'or' condition
      idTemplateCanBeUsedToMatchResourceName: false
      resourceAvailableInAssetInventory: true
      metadataMapping:
        name: account_id
      resourceID:
        targetField: account_id
      containers:
        - type: project
          tfField: project
    - name: google_service_account_key
      kind: IAMServiceAccountKey
      # Keys are not imported into KCC; the key's identifier is the
      # server-assigned "name" field (serverGeneratedIDField), so there is no
      # idTemplate to match against.
      # NOTE(review): a key resource presumably yields private-key material;
      # confirm where the KCC type stores that output (Secret vs. status).
      skipImport: true
      # import not implemented
      idTemplateCanBeUsedToMatchResourceName: false
      resourceAvailableInAssetInventory: true
      serverGeneratedIDField: "name"
      resourceReferences:
        # Parent reference to the owning IAMServiceAccount, resolved via its
        # email.
        - key: serviceAccountRef
          tfField: service_account_id
          targetField: email
          gvk:
            kind: IAMServiceAccount
            version: v1beta1
            group: iam.cnrm.cloud.google.com
          parent: true
      # The TF "keepers" field is deliberately not surfaced on the KCC
      # resource.
      ignoredFields:
        - keepers