# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # Add all the required roles for IAP administration # https://cloud.google.com/iap/docs/using-tcp-forwarding#grant-permission ######################################## # Create the Service Account for the Bastion Host VM ######################################## apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: annotations: cnrm.cloud.google.com/project-id: PROJECT_ID # kpt-set: ${project-id} cnrm.cloud.google.com/blueprint: kpt-fn name: BASTION_SA_NAME # kpt-set: ${bastion-sa-name} namespace: config-control spec: displayName: Bastion Host SA --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: iap-user-tunnel namespace: config-control annotations: cnrm.cloud.google.com/blueprint: kpt-fn-live spec: member: group:admins@example.com # kpt-set: group:${bastion-admins} role: roles/iap.tunnelResourceAccessor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: PROJECT_ID # kpt-set: ${project-id} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: iap-compute-admin namespace: config-control annotations: cnrm.cloud.google.com/blueprint: kpt-fn-live spec: member: group:admins@example.com # kpt-set: group:${bastion-admins} role: roles/compute.instanceAdmin.v1 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: PROJECT_ID # kpt-set: ${project-id} --- # # Add all the required role for IAP administration # https://cloud.google.com/compute/docs/instances/managing-instance-access#grant-iam-roles # apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: oslogin-admin namespace: config-control annotations: cnrm.cloud.google.com/blueprint: kpt-fn-live spec: member: group:admins@example.com # kpt-set: group:${bastion-admins} role: roles/compute.osAdminLogin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: PROJECT_ID # kpt-set: ${project-id}