fix(google_permissions): Use developer workgroups for default admin entitlement (#333)

jbuck · web-flow · commit 4f5c7fedf747 · 2025-08-05T18:19:45.000-04:00
There are some tenants that do not use a workgroup named the same as the tenant.
These tenants use .globals.extra_attributes.workgroup to specify the workgroup
with permissions to operate the service.

This module assumed that the workgroup would always match the tenant.
diff --git a/google_permissions/pam_entitlement.tf b/google_permissions/pam_entitlement.tf
@@ -43,7 +43,7 @@ locals {
   # Create the map with the hard-coded value and append the distinct principals
   entitlement_wg_map = var.app_code != "" ? merge(
     {
-      "default" : ["workgroup:${var.app_code}/developers"] # this the default value for the default system entitlement
+      "default" : var.developer_ids # this the default value for the default system entitlement
     },
     {
       for name, add_entitlement in try(local.additional_entitlements, []) : add_entitlement.key => add_entitlement.entitlement.principals

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ locals {`
`43`	`43`	`# Create the map with the hard-coded value and append the distinct principals`
`44`	`44`	`entitlement_wg_map = var.app_code != "" ? merge(`
`45`	`45`	`{`
`46`		`- "default" : ["workgroup:${var.app_code}/developers"] # this the default value for the default system entitlement`
	`46`	`+ "default" : var.developer_ids # this the default value for the default system entitlement`
`47`	`47`	`},`
`48`	`48`	`{`
`49`	`49`	`for name, add_entitlement in try(local.additional_entitlements, []) : add_entitlement.key => add_entitlement.entitlement.principals`