Apigee Organization Admin (roles/apigee.admin) IIAM role when Apigee Control Plane created with IaC

Hi,

When we have a process of creating Apigee Control Plane using Terraform (automation) only similar to cloud-foundation-fabric/modules/apigee-organization at master · GoogleCloudPlatform/cloud-foundation-fabric (github.com) .

For use case where Google project is created newly for Apigee hybrid Org and we understand that GCP project maps to Apigee Control Plane Org in 1:1 fashion, then in that situation, sill we have to create the Apigee Organization Admin role under IAM Roles ?

Having such role will enable can enable some one to update Apigee Control Plane manually or accidently , without using IaC (which can lead us out of sync) hence

If situation is to use Terraform with build process to create Apigee Control plane, then IAM Roles should be read only permission in IAM and should not have "Apigee Organization Admin " to avoid updating without IaC (accidently?) or still we require such role Apigee Organization Admin in IAM for any reasons?

We do understand Listed SA roles are required About service accounts | Apigee X | Google Cloud

But IAM basic and predefined roles reference | IAM Documentation | Google Cloud

Apigee Organization Admin (roles/apigee.admin) can be avoided for IAM role for such situations?

@dino @strebel @kidiyoor

I understand your concern following best practices creating custom roles with only a subset of required permissions is definitely a sensible thing to do for a production hardened setup.

For the control plane you should definitely include CRUD permissions on the following resources for your custom role:

apigee.organization
apigee.envgroups
apigee.environments
apigee.envgroupattachments

Read-only permissions won’t be enough for the terraform SA.
The guidance here would be to limit access to the service account to prevent other users to use its permissions.

@strebel Looks like for Apigee Hybrid Control Plane creation using cloud-foundation-fabric/modules/apigee-organization at master · GoogleCloudPlatform/cloud-foundation-fabric (github.com) will require additional roles not just read only mode.

Please update what type of CRUD permissions on the following resources is required ? to justify .. I am not sure, if those details may be also included to cloud-foundation-fabric/README.md at master · GoogleCloudPlatform/cloud-foundation-fabric (github.com) as a best practice ?

Listed link provides predefined roles for Apigee IAM basic and predefined roles reference | IAM Documentation | Google Cloud

For Such use cases what should be the such role (to be defined) if specifically required by terraform ? If read only is not enough.

apigee.organization
apigee.envgroups
apigee.environments
apigee.envgroupattachments

Can you create a FR in the github repository for this please?

@strebel Created FR Apigee Control Plane created with IaC with least priveledge. Update in Read me · Issue #971 · GoogleCloudPlatform/cloud-foundation-fabric (github.com)