Description
A number of resource types, such as RBAC RoleBindings in Kubernetes and IAMPolicyMember in Config Connector, contain group addresses with domain names that need to be customized by the package consumer. It's a best practice to use group names rather than individual user names wherever possible, because that makes permissions easier to manage as people's roles change, among other reasons. Sometimes these groups even have fixed names. An example of that is gke-security-groups: https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac. In other cases, there are multiple groups with distinct purposes, such as in https://github.com/GoogleCloudPlatform/blueprints/tree/main/catalog/iam-foundation. Those group names can be assigned by convention. For those, convention over configuration is our friend: https://en.wikipedia.org/wiki/Convention_over_configuration. What we need is a function to replace the domain in relevant resource fields with the specified domain.
As in the set-gcp-location function (#2658), we might be able to get away with duck typing (path within resource), field name conventions, or, in this case, even value pattern matching (e.g., replace “@example.com”), but if not we may need to enumerate the fields similar to kustomize (e.g., https://github.com/kubernetes-sigs/kustomize/blob/master/api/konfig/builtinpluginconsts/images.go) until we can properly annotate the OpenAPI resource schemas with identifying field tags.
cc @morgante
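A sketch of the requested function, added here as an illustration and not part of kpt or its function catalog: it combines an enumerated field list (RoleBinding `subjects[].name`, IAMPolicyMember `spec.member`) with the value-pattern guard discussed above, so only group addresses are rewritten. The name `SetGroupDomain`, matching on `kind` alone, the extension to ClusterRoleBinding, and working on already-decoded resources are assumptions.

```go
package main
import (
	"fmt"
	"strings"
)
type object = map[string]interface{} // one decoded YAML/JSON mapping

// swapDomain replaces the part after the last "@"; ok is false if nothing changed.
func swapDomain(addr, domain string) (string, bool) {
	i := strings.LastIndex(addr, "@")
	if i < 0 || addr[i+1:] == domain {
		return addr, false
	}
	return addr[:i+1] + domain, true
}

// SetGroupDomain (hypothetical name) rewrites group addresses, returns the change count.
func SetGroupDomain(res object, domain string) int {
	n := 0
	set := func(o object, key string) {
		s, _ := o[key].(string)
		if v, ok := swapDomain(s, domain); ok {
			o[key] = v
			n++
		}
	}
	switch res["kind"] {
	case "RoleBinding", "ClusterRoleBinding":
		subjects, _ := res["subjects"].([]interface{})
		for _, s := range subjects {
			// Only Group subjects; User and ServiceAccount names stay as they are.
			if subj, _ := s.(object); subj["kind"] == "Group" {
				set(subj, "name")
			}
		}
	case "IAMPolicyMember":
		spec, _ := res["spec"].(object)
		if m, _ := spec["member"].(string); strings.HasPrefix(m, "group:") {
			set(spec, "member")
		}
	}
	return n
}

func main() {
	// Constructed sample, not taken from the blueprints catalog.
	rb := object{"kind": "RoleBinding", "subjects": []interface{}{
		object{"kind": "Group", "name": "gke-security-groups@example.com"}}}
	fmt.Println(SetGroupDomain(rb, "corp.test"), rb["subjects"])
}
```

Group names without an `@`, such as `system:masters`, pass through untouched, and a second run over the same resource changes nothing.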