hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

new resource: google_pubsub_schema_iam #14934

Open ksiedlarek opened 1 year ago

ksiedlarek commented 1 year ago

Description

It is not possible to assign permissions at the Pub/Sub schema level via Terraform. It can only be done in the web console, which causes issues for people who would like to maintain the whole of their infrastructure as code.

New or Affected Resource(s)

Looking at existing resources, we have google_pubsub_topic_iam & google_pubsub_subscription_iam; it would be great to have a new one: google_pubsub_schema_iam

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

data "google_iam_policy" "viewer" {
  binding {
    role = "roles/viewer"
    members = [
      "user:jane@example.com",
    ]
  }
}

# Authoritative: replaces the whole IAM policy on the schema.
resource "google_pubsub_schema_iam_policy" "policy" {
  project     = google_pubsub_schema.example.project
  schema      = google_pubsub_schema.example.name
  policy_data = data.google_iam_policy.viewer.policy_data
}

# Authoritative for a single role: manages the full member list of that role.
resource "google_pubsub_schema_iam_binding" "binding" {
  project = google_pubsub_schema.example.project
  schema  = google_pubsub_schema.example.name
  role    = "roles/viewer"
  members = [
    "user:jane@example.com",
  ]
}

# Non-authoritative: adds one member to a role without touching other members.
resource "google_pubsub_schema_iam_member" "member" {
  project = google_pubsub_schema.example.project
  schema  = google_pubsub_schema.example.name
  role    = "roles/viewer"
  member  = "user:jane@example.com"
}

bschaatsbergen commented 1 year ago

I would be happy to work on this, but as of now I don't see an iamSetPolicy and iamGetPolicy API call available for schemas... https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.schemas

I'll look into this, and if it's possible via the API I'll happily implement it 👍🏼

rileykarson commented 1 year ago

Good catch! Labeled.

Dasio commented 1 year ago

It seems that the API is implemented; it's just not documented.

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://pubsub.googleapis.com/v1/projects/<project>/schemas/<schema>:getIamPolicy"

This works.
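The undocumented :getIamPolicy endpoint shown in the comment above is the natural place to audit who can read or change a schema while the Terraform resources are not yet available. The following is an added example, not code from the issue or the provider: it builds the schema IAM URL, optionally fetches the policy the same way the curl command does (gcloud access token, plain HTTPS), and flags bindings that grant access to public principals or a privileged role to a whole domain. The sample policy is constructed for illustration; the role sets and the "whole domain" rule are assumptions about what a reviewer wants flagged.

```python
"""Audit a Pub/Sub schema IAM policy for overly broad bindings.

Added example (not from the issue thread or the Terraform provider). It assumes
the endpoint shown in the comment above,
  GET https://pubsub.googleapis.com/v1/projects/<project>/schemas/<schema>:getIamPolicy
returns a standard IAM Policy object: {"bindings": [...], "etag": "..."}.
No network call is made unless fetch_schema_policy() is invoked explicitly.
"""
import json
import subprocess
import urllib.request
from typing import Dict, List

PUBSUB_API = "https://pubsub.googleapis.com/v1"

# Principals that grant access to everyone; any binding containing one is flagged.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles that can modify or delete schemas; flagged when granted to a whole domain.
# (Assumption: which roles count as "privileged" is a local policy choice.)
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/pubsub.admin", "roles/pubsub.editor"}


def schema_policy_url(project: str, schema: str, verb: str = "getIamPolicy") -> str:
    """Build the :getIamPolicy / :setIamPolicy URL for a schema resource."""
    if verb not in ("getIamPolicy", "setIamPolicy"):
        raise ValueError("verb must be getIamPolicy or setIamPolicy")
    return f"{PUBSUB_API}/projects/{project}/schemas/{schema}:{verb}"


def audit_policy(policy: Dict) -> List[Dict]:
    """Return findings for bindings that are public or give a privileged role domain-wide."""
    findings: List[Dict] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        public = sorted(m for m in members if m in PUBLIC_PRINCIPALS)
        if public:
            findings.append({"role": role, "members": public, "reason": "public principal"})
        domain_wide = sorted(m for m in members if m.startswith("domain:"))
        if domain_wide and role in PRIVILEGED_ROLES:
            findings.append({"role": role, "members": domain_wide,
                             "reason": "privileged role granted to whole domain"})
    return findings


def fetch_schema_policy(project: str, schema: str) -> Dict:
    """Live call equivalent to the curl in the comment (requires an authenticated gcloud)."""
    token = subprocess.check_output(["gcloud", "auth", "print-access-token"], text=True).strip()
    req = urllib.request.Request(schema_policy_url(project, schema),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response (not real data) in the shape getIamPolicy returns.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:jane@example.com", "allUsers"]},
        {"role": "roles/pubsub.editor",
         "members": ["domain:example.com"]},
        {"role": "roles/pubsub.viewer",
         "members": ["serviceAccount:reader@example.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXsampleEtag=",
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"{finding['role']}: {finding['reason']} -> {', '.join(finding['members'])}")
```

To audit a real schema, replace SAMPLE_POLICY with fetch_schema_policy("<project>", "<schema>"); the audit logic is the same whether the policy comes from the API or from the Terraform state of the google_pubsub_schema_iam_* resources once they are in use.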

Dasio commented 1 year ago

PR was merged and it will be released in 5.4.0 (changelog)

Can be closed

bschaatsbergen commented 1 year ago

Awesome! Thanks for working on this @Dasio