Replies: 3 comments
Can you provide an example of the expression that is not working and what do you expect it to work?
I'm working on the top level folder Teams. I've automated the generation of
the underlying team folders tagged with <team> tags (e.g. `team:disis`)
and, for each of these folders, three environment folders are generated
with tags env:dev, env:hom and env:prod.
What I'm trying to achieve is to create authoritative roles on the TEAMS
folder that work based on resources that have a combination of team and
env tags. So, I wrote this (under iam_bindings in file
data/top-level-folders/teams):
developer_disis_dev:
role: custom_developer_dev:
members: - ***@***.***
condition: title: dev-disis expression: |
resource.matchTag("${organization.id}/${tag_names.environment}",
'dev') && resource.matchTag("${organization.id}/team", 'disis')
developer_disis_hom: role: custom_developer_hom members:
- ***@***.*** condition: title:
hom-disis expression: |
resource.matchTag("${organization.id}/${tag_names.environment}",
'hom') && resource.matchTag("${organization.id}/team", 'disis')
This would work (with some adaptation) on iam_bindings_additive, however,
on iam_bindings, it does create the role binding but without any condition.
Does that make sense?
Edmar A. Lanes Junior
Information Technology Analyst
Ministério Público do Paraná

On Thu, Aug 28, 2025 at 06:22, Wiktor Niesiobędzki <***@***.***> wrote:
> Can you provide an example of the expression that is not working and what
> do you expect it to work?
Oh, that got mis-formatted badly along the way. I assume you meant something like that:

```yaml
iam_bindings:
  developer_disis_dev:
    role: custom_developer_dev
    members:
      - "***@***.***"
    condition:
      title: dev-disis
      expression: |
        resource.matchTag("${organization.id}/${tag_names.environment}", 'dev') && resource.matchTag("${organization.id}/team", 'disis')
  developer_disis_hom:
    role: custom_developer_hom
    members:
      - "***@***.***"
    condition:
      title: hom-disis
      expression: |
        resource.matchTag("${organization.id}/${tag_names.environment}",'hom') && resource.matchTag("${organization.id}/team", 'disis')
```

I verified this example and it looks OK. If you use VSCode, and open

It looks like this is a bug and I created PR for this: #3282

Thanks for reporting!
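A check for the failure described in this thread, where an authoritative binding is created but its condition is dropped, so the role is granted on the whole folder subtree instead of only on the tagged resources. This is an added example, not code from the thread or from cloud-foundation-fabric; the organization id, role paths, members and the `environment` tag key are constructed placeholders, and the policy dict is shaped like `get-iam-policy` JSON output.

```python
ORG = "123456789"  # constructed organization id (placeholder)
ROLE_PREFIX = f"organizations/{ORG}/roles/"  # custom role path, assumed


def tag_expr(env, team):
    """Expression from the thread, with the template variables resolved."""
    return (f"resource.matchTag('{ORG}/environment', '{env}') && "
            f"resource.matchTag('{ORG}/team', '{team}')")


# What the declared configuration is meant to produce: role -> condition.
EXPECTED = {
    ROLE_PREFIX + "custom_developer_dev": tag_expr("dev", "disis"),
    ROLE_PREFIX + "custom_developer_hom": tag_expr("hom", "disis"),
}

# Constructed sample of an applied folder policy: the dev binding lost its
# condition (the behaviour reported above), the hom binding kept it.
APPLIED_POLICY = {
    "version": 3,
    "bindings": [
        {"role": ROLE_PREFIX + "custom_developer_dev",
         "members": ["user:dev@example.com"]},
        {"role": ROLE_PREFIX + "custom_developer_hom",
         "members": ["user:hom@example.com"],
         "condition": {"title": "hom-disis",
                       "expression": tag_expr("hom", "disis")}},
    ],
}


def squash(expression):
    """Whitespace-insensitive form, so line wrapping does not cause a diff."""
    return "".join(expression.split())


def audit(expected, policy):
    """Return (role, finding) for every binding that is not as declared."""
    findings = []
    for role, want in sorted(expected.items()):
        conds = [b.get("condition") for b in policy.get("bindings", [])
                 if b["role"] == role]
        if not conds:
            findings.append((role, "missing"))
        elif any(c is None for c in conds):
            findings.append((role, "unconditional"))  # broader than declared
        elif not any(squash(c.get("expression", "")) == squash(want)
                     for c in conds):
            findings.append((role, "condition-mismatch"))
    return findings
```

Running `audit` against the policy read back after each apply turns a silently dropped condition into an explicit `unconditional` finding.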
Role application Condition Expressions in authoritative iam binding at top level folders don't seem to be working.
Is this supposed to work?