Open mbohri-cslt opened 1 year ago
Can you provide an example input, sorry? I'm not sure what "namespace IAM" means here.
Hello,
I have the same enhancement request as @mbohri-cslt (if I understood his request correctly).
At the moment, there are resources to manage IAM on Data Fusion at the instance level (google_data_fusion_instance_iam). However, it is not possible to manage IAM at the namespace level within a specific Data Fusion instance.
These new resources could be named google_data_fusion_instance_namespace_iam_policy, google_data_fusion_instance_namespace_iam_member, and google_data_fusion_instance_namespace_iam_binding.
These resources would take the same input arguments as google_data_fusion_instance_iam, plus a specific namespace name in the Data Fusion instance. The possible roles would be the roles currently available when managing permissions in a Data Fusion instance: Cloud Data Fusion Developer, Cloud Data Fusion Operator, Cloud Data Fusion Admin, Cloud Data Fusion Viewer.
Example:

```hcl
resource "google_data_fusion_instance_namespace_iam_binding" "binding" {
  project   = google_data_fusion_instance.basic_instance.project
  region    = google_data_fusion_instance.basic_instance.region
  name      = google_data_fusion_instance.basic_instance.name
  namespace = "default"
  role      = "roles/datafusion.operator"
  members = [
    "user:jane@example.com",
  ]
}
```
Description
There is currently no clean mechanism in Terraform resources to use RBAC for a Data Fusion namespace and automate the IAM permissions through Terraform.
The google_data_fusion_instance_iam_policy resources do not support a namespace as input when granting permissions to a principal.
New or Affected Resource(s)
- google_data_fusion_instance_namespace_iam_policy
- google_data_fusion_instance_namespace_iam_binding
- google_data_fusion_instance_namespace_iam_member
Potential Terraform Configuration
References
b/314617018
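As an added illustration (not code from this issue or from the provider), the instance-level binding that the provider offers today is shown next to the namespace-scoped resource this issue asks for. `google_data_fusion_instance_iam_member` exists in the provider; `google_data_fusion_instance_namespace_iam_member` and its `namespace` argument are the proposal and are hypothetical until implemented. The instance name, region and principal are placeholders.

```hcl
# Existing resource: the role applies to the whole instance, i.e. every
# namespace in it, so the principal gets operator rights everywhere.
resource "google_data_fusion_instance_iam_member" "instance_operator" {
  project = google_data_fusion_instance.basic_instance.project
  region  = google_data_fusion_instance.basic_instance.region
  name    = google_data_fusion_instance.basic_instance.name
  role    = "roles/datafusion.operator"
  member  = "user:jane@example.com"
}

# Proposed resource (hypothetical, not yet in the provider): the only new
# argument is `namespace`, which confines the same role to one namespace.
resource "google_data_fusion_instance_namespace_iam_member" "namespace_operator" {
  project   = google_data_fusion_instance.basic_instance.project
  region    = google_data_fusion_instance.basic_instance.region
  name      = google_data_fusion_instance.basic_instance.name
  namespace = "team-a"
  role      = "roles/datafusion.operator"
  member    = "user:jane@example.com"
}
```

The difference between the two blocks is the point of the request: with only the first resource available, giving one team operator access to its own namespace means granting it on every namespace in the instance, and the narrower grant has to be made outside Terraform.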