I am trying to create a deny policy with terraform to limit the power of the Roles I made in GCP IAM.
The thing is that deny policies in terraform are tied to principals (users/groups of users), not roles.
I wanted to know if there was a way to use the denial_condition in terraform so that the deny rule would only apply to the specific role I want it to affect (or in this case affect everyone except the admin role), but I don't know how to get the role in common expression language.
Since the deny policies work with principals, I was thinking of an alternative solution by putting all the users in groups, then attaching the roles and deny policies to those groups. But what I really want is to have the deny policy associated with a role, so that's why I wanted to see if the denial_condition could meet my requirement.
Currently the deny rule simply affects all users:
resource "google_iam_deny_policy" "account-admin-explicit-deny-policy" {
  provider     = google-beta
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${var.project_id}")
  name         = "account-admin-explicit-deny-policy"
  display_name = "Account Admin Explicit Deny Policy"

  rules {
    description = "Prevent the activation of new GCP APIs - those service/api activations should be controlled by administrators."
    deny_rule {
      # Applies to every principal
      denied_principals = ["principalSet://goog/public:all"]

      # denial_condition {
      #   title      = "Some expr"
      #   expression = "" # Check if non-admin
      # }

      # Limit permissions
      denied_permissions = [
        "serviceusage.googleapis.com/services.disable",
        "serviceusage.googleapis.com/services.enable",
      ]
      exception_principals = []
    }
  }
}
How can I use the expression argument in the denial_condition block to check for the role with role_id account_admin_role? (The full role ID would be: projects/project-id-12345/roles/account_admin_role)
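The following is an added example, not the asker's configuration, showing the shape a deny policy takes when scoped by principal rather than by role: everyone is denied the service enable/disable permissions except an admin group, and the same group is the one that is granted the custom admin role. A denial_condition in a deny policy can only test resource tags (the resource.matchTag / resource.matchTagId / resource.hasTagKey / resource.hasTagKeyId functions); it cannot inspect the caller's IAM roles, so the example uses it only to narrow the deny to tagged resources. The group address admins@example.com, the tag key/value env/prod, and the variables var.project_id and var.org_id are placeholders assumed for the example.

```hcl
# Added example (not the asker's code). Assumes var.project_id, var.org_id,
# an admin group admins@example.com and a tag key "env" exist; all are placeholders.

# Deny everyone except the admin group the ability to enable/disable services.
resource "google_iam_deny_policy" "api_activation_deny" {
  provider     = google-beta
  parent       = urlencode("cloudresourcemanager.googleapis.com/projects/${var.project_id}")
  name         = "api-activation-deny"
  display_name = "Deny API enable/disable for non-admins"

  rules {
    description = "Only members of the admin group may enable or disable services."
    deny_rule {
      # Every principal ...
      denied_principals = ["principalSet://goog/public:all"]

      # ... except members of the admin group. Deny policies cannot name a
      # role here; group membership is the handle they give you.
      exception_principals = ["principalSet://goog/group/admins@example.com"]

      denied_permissions = [
        "serviceusage.googleapis.com/services.enable",
        "serviceusage.googleapis.com/services.disable",
      ]

      # A denial_condition may only test resource tags, not the caller's roles.
      # Here the deny is limited to resources tagged env=prod (placeholder tag).
      denial_condition {
        title      = "Only on resources tagged env=prod"
        expression = "resource.matchTag('${var.org_id}/env', 'prod')"
      }
    }
  }
}

# Grant the custom admin role to the same group, so the role and the deny
# exception are tied to one principal set.
resource "google_project_iam_member" "account_admin_group" {
  project = var.project_id
  role    = "projects/${var.project_id}/roles/account_admin_role"
  member  = "group:admins@example.com"
}
```

Because the exception list and the role binding both point at the same group, adding or removing a member of admins@example.com changes both the role grant and the deny exemption in one place; there is no need for a CEL check on the role itself.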