Expose data sources that allow for looking up existing IAM policies #14095
Comments
Looking at this, it would make a lot of sense to support HCL policies directly on the policy resource instead (but really support both in parallel; the impact would be large enough that we should never deprecate). I'm not sure what the utility of these lookups would be for Terraform users; they'd be difficult to string through a configuration, but this wouldn't be hard enough to implement or confusing enough to users to block on that, really. Other tools with Terraform [provider]-based providers/operators could derive more utility from datasource support, though.
@geojaz what would support have unblocked for you specifically? I'm wondering about that to apply to datasources-in-general; most of the time today when evaluating their utility I'm looking for "could a user use this in configuration?".
It'll probably be the same amount of work to do this for 1-2 as to just do it for them all, honestly. @ScottSuarez this issue will cover adding a datasource output to our IAM framework that applies to all IAM types.
Description
For essentially all resources in this provider, there's a datasource that does a "lookup"/get of the current state- except for IAM. In IAM, the datasource is used to DEFINE policy rather than GET the policy. Why?
This feels like a "strange" gap in our support given there are gcloud commands like
gcloud projects get-iam-policy --project=$PROJECT_ID
or
gcloud iam service-accounts get-iam-policy $GSA_ID
that return useful information. There must be some history here for why IAM policies can't be a resource with a corresponding datasource, but I'm not aware of it. Is there a way we could support IAM policy lookups like this without breaking existing usage?
For context, I would like to be able to do this in terraform; it's bitten me a couple times, but this actually comes from a user that is consuming the terraform provider via pulumi.
I'm not sure what the best path forward is, but wanted to get this issue created for discussion.
New or Affected Resource(s)
We should keep the scope limited, perhaps we try 2 new datasources and see how those go?
data "google_project_iam_policy" (roughly equivalent to gcloud projects get-iam-policy --project=$PROJECT_ID)
data "google_service_account_iam_policy" (roughly equivalent to gcloud iam service-accounts get-iam-policy $GSA_ID)
Potential Terraform Configuration
b/273370142
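The define-versus-get distinction the description points at, shown as an added example that is not part of the issue and not the provider's own code or docs. It uses only constructs that exist in the provider today: the google_iam_policy data source, which builds a policy document from bindings in your configuration and reads nothing from GCP, and the authoritative google_project_iam_policy and google_service_account_iam_policy resources that apply that document. The project ID variable, the service account, and the group/service-account principals are placeholders for illustration.

```hcl
# Added example (not from the issue). Illustrates why the IAM "data source"
# in this provider defines a policy instead of looking one up.

variable "project_id" {
  type = string # placeholder: the project whose IAM policy is being set
}

# DEFINES a policy document from configuration. No API call is made here;
# the current bindings on the project are never read by this block.
data "google_iam_policy" "project" {
  binding {
    role    = "roles/viewer"
    members = ["group:auditors@example.com"] # placeholder principal
  }
  binding {
    role    = "roles/iam.serviceAccountUser"
    members = ["serviceAccount:ci@my-project.iam.gserviceaccount.com"] # placeholder
  }
}

# Applies that document AUTHORITATIVELY: on apply, every binding that is not
# listed above is removed from the project, including ones granted by hand or
# by other tooling. Always read the plan before applying this resource.
resource "google_project_iam_policy" "project" {
  project     = var.project_id
  policy_data = data.google_iam_policy.project.policy_data
}

# Same define-then-set shape for a service account's own IAM policy.
resource "google_service_account" "deployer" {
  account_id = "deployer" # placeholder
  project    = var.project_id
}

data "google_iam_policy" "sa" {
  binding {
    role    = "roles/iam.serviceAccountTokenCreator"
    members = ["group:deployers@example.com"] # placeholder principal
  }
}

resource "google_service_account_iam_policy" "sa" {
  # expects the full name projects/{project}/serviceAccounts/{email},
  # which the service account resource exposes as `name`
  service_account_id = google_service_account.deployer.name
  policy_data        = data.google_iam_policy.sa.policy_data
}
```

The practical consequence for a security review is that nothing in this configuration can be used to inspect what is currently bound on the project or service account before the authoritative resource overwrites it; the only ways to see the live policy from a Terraform workflow today are out of band (gcloud projects get-iam-policy PROJECT_ID, gcloud iam service-accounts get-iam-policy SA_EMAIL) or by importing the authoritative resource (terraform import google_project_iam_policy.project PROJECT_ID) and diffing the plan. A lookup data source of the kind the issue proposes would close that gap in configuration.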