terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

Fix supported permissions behavior #159

Closed jwtracy closed 2 years ago

jwtracy commented 2 years ago

Addressing this bug, https://github.com/terraform-google-modules/terraform-google-iam/issues/158

Adds a testable permission data source for the targeted entity. These supported permissions are set intersected with the included permissions of the role then set subtracted by the excluded permissions (either explicit or unsupported data source).

This might be a bug in the testable permissions API. resourcemanager.projects.list should be returned in the unsupported permissions for projects.

Note in the test below, resourcemanager.projects.list is not included in the role even after being removed as a manually excluded permission.

 # module.custom-role-project.google_project_iam_custom_role.project-custom-role[0] will be created
 + resource "google_project_iam_custom_role" "project-custom-role" {
     + deleted     = (known after apply)
     + description = "This is a project level custom role."
     + id          = (known after apply)
     + name        = (known after apply)
     + permissions = [
         + "iam.roles.create",
         + "iam.roles.delete",
         + "iam.roles.list",
         + "iam.serviceAccounts.create",
         + "iam.serviceAccounts.delete",
         + "iam.serviceAccounts.disable",
         + "iam.serviceAccounts.enable",
         + "iam.serviceAccounts.get",
         + "iam.serviceAccounts.getIamPolicy",
         + "iam.serviceAccounts.list",
         + "iam.serviceAccounts.undelete",
         + "iam.serviceAccounts.update",
       ]
     + project     = "ci-iam-aea9"
     + role_id     = "iamDeleter"
     + stage       = "GA"
     + title       = "iamDeleter"
   }
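The set logic the PR describes (supported permissions intersected with the requested ones, then the excluded and unsupported ones subtracted), written out as a standalone Terraform example. This is added here for illustration and is not the module's code; the variable names, the role_id and the `dropped_permissions` output are assumptions.

```hcl
variable "project_id" {
  type = string
}

variable "permissions" {
  type        = list(string)
  description = "Permissions requested for the custom role."
}

variable "excluded_permissions" {
  type        = list(string)
  description = "Permissions to drop even if the API reports them as supported."
  default     = []
}

# Ask the IAM API which permissions this project actually supports in custom roles.
data "google_iam_testable_permissions" "project" {
  full_resource_name   = "//cloudresourcemanager.googleapis.com/projects/${var.project_id}"
  stages               = ["GA", "BETA"]
  custom_support_level = "SUPPORTED"
}

locals {
  supported = toset([for p in data.google_iam_testable_permissions.project.permissions : p.name])
  requested = toset(var.permissions)
  excluded  = toset(var.excluded_permissions)

  # Requested permissions the API did not report as SUPPORTED (implicit exclusions).
  unsupported = setsubtract(local.requested, local.supported)

  # (requested ∩ supported) \ excluded: what the role will really contain.
  effective = setsubtract(setintersection(local.requested, local.supported), local.excluded)
}

resource "google_project_iam_custom_role" "this" {
  project     = var.project_id
  role_id     = "iamDeleter" # assumed, matches the plan output above
  title       = "iamDeleter"
  description = "Project-level custom role built only from supported permissions."
  permissions = sort(local.effective)
}

# Surface what was silently removed, so a reviewer can see that a permission such as
# resourcemanager.projects.list was dropped rather than assume the role carries it.
output "dropped_permissions" {
  value = sort(setunion(local.unsupported, local.excluded))
}
```

Comparing `dropped_permissions` against the plan is the quickest way to confirm whether a missing permission was excluded explicitly or filtered out by the testable-permissions API.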
comment-bot-dev commented 2 years ago

Thanks for the PR! 🚀
✅ Lint checks have passed.

github-actions[bot] commented 2 years ago

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

gorshunovr commented 9 months ago

Hello. I'm hitting this error. Workaround: add excluded_permissions = ["resourcemanager.projects.list"] to the module parameters.

Please, reopen. Thank you.

dirsigler commented 1 month ago

The provided solution actually fixes the problem. Can this please be merged?