feat: delete project permissions for replicator

malhussan · malhussan · commit eff262cd80ae · 2024-04-18T11:42:57.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added
+
+- Option to provide replicator service account project deletion permission on specified landing zone folders
+
 ## [v0.2.0]
 
 ### Added
diff --git a/main.tf b/main.tf
@@ -26,6 +26,8 @@ module "replicator_sa" {
 
   landing_zone_folder_ids = var.landing_zone_folder_ids
 
+  can_delete_projects_in_landing_zone_folder_ids = var.can_delete_projects_in_landing_zone_folder_ids
+
   billing_account_id = var.billing_account_id
 
   service_account_key = var.service_account_keys
diff --git a/modules/meshcloud-replicator-service-account/module.tf b/modules/meshcloud-replicator-service-account/module.tf
@@ -72,6 +72,14 @@ resource "google_folder_iam_member" "replicator_service" {
   member = "serviceAccount:${google_service_account.replicator_service.email}"
 }
 
+resource "google_folder_iam_member" "replicator_service_project_deleter" {
+  for_each = var.can_delete_projects_in_landing_zone_folder_ids
+
+  folder = each.value
+  role   = "roles/resourcemanager.projectDeleter"
+  member = "serviceAccount:${google_service_account.replicator_service.email}"
+}
+
 /*
   Billing Accounts are associated with an organization and can thus inherit organization level role assignments
   see https://cloud.google.com/billing/docs/how-to/billing-access).
diff --git a/modules/meshcloud-replicator-service-account/variables.tf b/modules/meshcloud-replicator-service-account/variables.tf
@@ -18,6 +18,12 @@ variable "landing_zone_folder_ids" {
   description = "GCP Folders that make up the Landing Zone. The service account will only receive permissions on these folders."
 }
 
+variable "can_delete_projects_in_landing_zone_folder_ids" {
+  type        = set(string)
+  description = "The service account will have projectDeleter role only on the specified landing zone IDs."
+  default     = []
+}
+
 variable "billing_org_id" {
   type        = string
   description = "GCP Organization Id that holds billing account"
diff --git a/variables.tf b/variables.tf
@@ -23,6 +23,13 @@ variable "landing_zone_folder_ids" {
   description = "GCP Folders that make up the Landing Zone. The service account will only receive permissions on these folders."
 }
 
+variable "can_delete_projects_in_landing_zone_folder_ids" {
+  type        = set(string)
+  description = "The service account will have projectDeleter role only on the specified landing zone IDs."
+  default     = []
+}
+
+
 variable "cloud_billing_export_project_id" {
   type        = string
   description = "GCP Project where the BiqQuery table resides that holds the Cloud Billing export to BigQuery. See https://cloud.google.com/billing/docs/how-to/export-data-bigquery"
