Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Hoping someone has a suggestion or has come across this issue before
Basically we have the following setup:
Core terraform remote state bucket in GCS with some default object acls (allow owners, editors & a select few core groups/service accounts rw access)
We then allow users/groups/service accounts outside of the core group to read particular state files which are relevant to them via remote datasources so we set an object acl on these as needed. As an example teamA can read core/teamA/firewall_rules/default.tfstate
This works fine once the object acl's are set on the particular state file BUT when a change is made to that resource core/teamA/firewall_rules such as adding a new rule, terraform writes the file with the default object acls and removes the existing acl's set for teamA
We can't add teamA to the default object acl's though as they should only have access to read their relevant state files
joe-boyce
commented
5 years ago
Hoping someone has a suggestion or has come across this issue before
Basically we have the following setup:
This works fine once the object acl's are set on the particular state file BUT when a change is made to that resource core/teamA/firewall_rules such as adding a new rule, terraform writes the file with the default object acls and removes the existing acl's set for teamA
We can't add teamA to the default object acl's though as they should only have access to read their relevant state files
Any ideas or workarounds?
Thanks,
Joe