Update folder IAM policies for compute.xpnAdmin role

[brettcurtis]

Summary by CodeRabbit

• Documentation

  • Updated issue templates to enhance labeling for new enhancements and beginner-friendly issues.

• Chores

  • Upgraded a tool within the pre-commit hooks to its latest version for improved checks.

• Refactor

  • Adjusted IAM role assignments to better align with access requirements across different environments.

[infracost]

Infracost report

💰 Monthly cost will not change

Governance checks

🟢 50 passed

48 FinOps policies, 1 Tagging policy, and 1 Guardrail passed.

_{View in Infracost Cloud. This comment will be updated when code changes.}

[coderabbitai]

Walkthrough

The recent updates include a tweak to GitHub issue labeling, an upgrade to a pre-commit hook version, and refinements in IAM role configurations for production environments. The changes aim to enhance issue tracking, maintain up-to-date code quality checks, and optimize access management across different roles.

Changes

File Path	Change Summary
.github/ISSUE_TEMPLATE/.../custom-iam-role.yml	Added labels "enhancement" and "good-first-issue"; removed trailing whitespace.
.pre-commit-config.yaml	Updated pre-commit-terraform to v1.86.0.
global/infra/tfvars/.../production.tfvars	Modified IAM policies and adjusted role assignments.

🐇✨
To the code, we hop and leap,
Labels and hooks, in our keep.
Roles refined, with care we thread,
In IAM fields, we softly tread. 🌱🔧

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

• You can directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
• You can tag CodeRabbit on specific lines of code or entire files in the PR by tagging @coderabbitai in a comment. Examples:
  • @coderabbitai generate unit tests for this file
  • @coderabbitai modularize this function
• You can tag @coderabbitai in a PR comment and ask questions about the PR and the codebase. Examples:
  • @coderabbitai gather interesting statistics about this repository and render them in a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai generate unit tests for the src/utils.ts file.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between a156baa and 4faaa9b.

Files selected for processing (3)

• .github/ISSUE_TEMPLATE/add-update-custom-iam-role.yml (2 hunks)
• .pre-commit-config.yaml (1 hunks)
• global/infra/tfvars/production.tfvars (5 hunks)

Files skipped from review due to trivial changes (2)

• .github/ISSUE_TEMPLATE/add-update-custom-iam-role.yml
• .pre-commit-config.yaml

Additional comments: 5

global/infra/tfvars/production.tfvars (5)

• 63-68: The role for [email protected] under the "Sandbox" environment has been changed to roles/compute.xpnAdmin. Verify that this change aligns with the intended access control policies and that all necessary permissions are included in this role for the "Sandbox" environment.

• 88-93: The role for [email protected] under the "Production" environment has been changed to roles/compute.xpnAdmin. Ensure that this change is consistent with the security policies and that the compute.xpnAdmin role provides the appropriate permissions for the "Production" environment.

• 117-123: The role for [email protected] under the "Sandbox" environment has been assigned both roles/compute.xpnAdmin and roles/resourcemanager.folderIamAdmin. This seems to be a duplication as the same group is listed twice with different roles. Confirm if this is intentional and if both roles are necessary.

• 142-148: The role for [email protected] under the "Non-Production" environment has been assigned both roles/compute.xpnAdmin and roles/resourcemanager.folderIamAdmin. Similar to the previous comment, verify the necessity of both roles for the same group in the "Non-Production" environment.

• 167-173: The role for [email protected] under the "Production" environment has been assigned both roles/compute.xpnAdmin and roles/resourcemanager.folderIamAdmin. Ensure that assigning both roles to the same group is intentional and justified by the access requirements in the "Production" environment.