Multiple IAM Bindings

[vedantthapa]

Currently, crossplane has a one-to-one relationship between role and member fields in a ProjectIAMMember resource. Therefore, multiple ProjectIAMMember resources are required to be specified for each role/member combination. This makes it difficult to map multiple roles/members from a crossplane claim to it's composition.

Here's a related upstream issue: https://github.com/upbound/provider-gcp/issues/14

Currently this is fixed by delegating addition of users to the owner of the project.

Other potential fixes:

• Use a terraform workspace to handle IAM Permissions.
  • Cons: Increased dependency on terraform
• Config connector has support for adding multiple users in a single resource.
  • Cons: Need to install config connector crds just for one resource and configure the https://github.com/crossplane-contrib/provider-kubernetes to use config connector with crossplane.

[vedantthapa]

I suspect this can also be resolved by using crossplane functions. This one in particular: https://github.com/crossplane-contrib/function-go-templating.

The idea would be template a ProjectIAMMember resource and insert role and member fields at runtime. Similar to how helm would handle this use-case.