Open tonybenchsci opened 3 years ago
This is also critical as we are migrating away from using IP firewall rules to IAP for development access to cloud-hosted resources and we are using IaC as a policy audit log.
Hi @tonybenchsci and @ve6yeq, thanks for opening this enhancement request.
Yes, KCC will support IAP-related IAM management natively.
Could you share some more information about the priority/importance of this bug? Is it blocking, a friction-point, or nice-to-have?
Thanks @xiaobaitusi, currently IAP-Secured Web App User is a painful friction-point. It will only get worse as we scale to more GCP projects, each with more IAP-enabled ComputeBackendServices. It's quite error-prone, and difficult to audit/control today as it's all manual via the GCP console. Everything else on the load-balancer is KCC-managed, so it's actually causing context-switching overhead to have to remember this one thing isn't Infra-as-Code GitOps.
The IAP-Secured Tunnel User will soon become a blocker, because we may likely have security/audit requirements to only use IAM-based (rather than IP address firewall) access management.
Describe the feature or resource
IAP-Secured Web App User (roles/iap.httpsResourceAccessor) and IAP-Secured Tunnel User (roles/iap.tunnelResourceAccessor) should be configurable via Infra-as-Code using KCC for any ComputeBackendService resource and Tunnel (SSH/TCP) resources (VMs) respectively. Perhaps this could be a dictionary under spec.iap for ComputeBackendService, or ComputeInstance. Alternatively, this can be IAMPolicy(Member) with a resourceRef to the ComputeBackendService/ComputeInstance resource.
Importance
This is considered a pain point, because we have tens of GCP projects each with tens of ComputeBackendServices using IAP. The configuration is currently manual in the GCP console and error prone.
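The IAMPolicyMember-with-resourceRef shape the issue proposes, written out as an added example (it is not from the issue or the Config Connector project); it assumes IAMPolicyMember accepts resourceRefs of kind ComputeBackendService and ComputeInstance, and the resource names, namespace and group address are placeholders:

```yaml
# Added illustration of the proposal in the issue above; not project code.
# Assumption: IAMPolicyMember can target ComputeBackendService and
# ComputeInstance via resourceRef. All names below are placeholders.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iap-web-app-users-example      # placeholder
  namespace: my-gcp-project            # placeholder KCC namespace
spec:
  # "IAP-Secured Web App User" granted on one IAP-enabled backend service,
  # so the grant is scoped to that service and lands in Git like the rest
  # of the load-balancer config instead of being clicked in the console.
  member: group:dev-team@example.com   # placeholder principal
  role: roles/iap.httpsResourceAccessor
  resourceRef:
    kind: ComputeBackendService
    name: internal-tools-backend       # placeholder
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iap-tunnel-users-example       # placeholder
  namespace: my-gcp-project            # placeholder KCC namespace
spec:
  # "IAP-Secured Tunnel User" granted on one VM for SSH/TCP forwarding
  # through IAP, replacing an IP-based firewall rule with an IAM grant
  # that is reviewable in the same IaC audit trail.
  member: group:dev-team@example.com   # placeholder principal
  role: roles/iap.tunnelResourceAccessor
  resourceRef:
    kind: ComputeInstance
    name: bastion-vm                   # placeholder
```

Scoping each grant to a single backend service or instance, rather than to the project, keeps the IAP role from silently covering every IAP-enabled resource added later.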