new resource: google_pubsub_schema_iam

[ksiedlarek]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

It is not possible to assign permissions on Pub/Sub schema level via Terraform. It can only be done by web console and causes issues for people who would like to maintain whole of their infrastructure as code.

New or Affected Resource(s)

Looking on existing resources we have google_pubsub_topic_iam & google_pubsub_subscription_iam, it would be great to have new one: google_pubsub_schema_iam

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

data "google_iam_policy" "viewer" {
  binding {
    role = "roles/viewer"
    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_pubsub_schema_iam_policy" "policy" {
  project = google_pubsub_schema.example.project
  schema = google_pubsub_schema.example.name
  policy_data = data.google_iam_policy.viewer.policy_data
}

resource "google_pubsub_schema_iam_binding" "binding" {
  project = google_pubsub_schema.example.project
  topic = google_pubsub_schema.example.name
  role = "roles/viewer"
  members = [
    "user:jane@example.com",
  ]
}

resource "google_pubsub_schema_iam_member" "member" {
  project = google_pubsub_topic.example.project
  topic = google_pubsub_schema.example.name
  role = "roles/viewer"
  member = "user:jane@example.com"
}

References

• b/298493785

[bschaatsbergen]

I would be happy to work on this, but as of now I don't see an iamSetPolicy and iamGetPolicy API call available for schema's.. https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.schemas

I'll look into this, and if it's possible via the API I'll happily implement it 👍🏼

[rileykarson]

Good catch! Labeled.

[Dasio]

It seems that API is implemented, it's just not documented

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://pubsub.googleapis.com/v1/projects/<project>/schemas/<schema>:getIamPolicy"

this works

[Dasio]

PR was merged and it will be released in 5.4.0 (changelog)

Can be closed

[bschaatsbergen]

Awesome! Thanks for working on this @Dasio