terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

Conditional binding for Service Account roles #193

Closed minzetaos closed 10 months ago

minzetaos commented 1 year ago

TL;DR

The submodule member-iam service_accounts_iam doesn't support conditional bindings, which is inconvenient for managing a service account's permissions through Terraform. Would you consider updating the module?

Terraform Resources

Add condition block to main.tf for resource "google_project_iam_member"

Detailed design

No response

Additional information

No response
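What the issue asks for, written out as an added example (not code from the terraform-google-iam project or from the issue author): a plain google_project_iam_member resource with the condition block that the request refers to. The project ID, service account email, bucket name and expiry timestamp are assumed placeholders. The first resource is the unconditional grant for contrast; the second and third bind the same principal with a time-bounded and a resource-scoped IAM condition.

```hcl
# Added example, not from the terraform-google-iam project. Shows the
# condition block on google_project_iam_member, which the issue asks the
# service_accounts_iam submodule to expose. All literal values are assumed.

locals {
  project_id = "example-project"                                     # assumed
  sa_email   = "deploy-sa@example-project.iam.gserviceaccount.com"   # assumed
}

# Unconditional grant, shown for contrast: the role applies to every request
# until the binding is removed. If this binding exists, the conditional ones
# below are redundant, so in practice you keep only one form.
resource "google_project_iam_member" "deploy_unconditional" {
  project = local.project_id
  role    = "roles/storage.objectAdmin"
  member  = "serviceAccount:${local.sa_email}"
}

# Time-bounded grant: same role and member, but the binding is only honoured
# before the expiry. title is required by the IAM API, description is
# optional, and expression is CEL.
resource "google_project_iam_member" "deploy_time_bound" {
  project = local.project_id
  role    = "roles/storage.objectAdmin"
  member  = "serviceAccount:${local.sa_email}"

  condition {
    title       = "expires-2025-06-30"
    description = "Temporary elevated access for the migration (assumed)"
    expression  = "request.time < timestamp(\"2025-06-30T00:00:00Z\")"
  }
}

# Resource-scoped grant: read access only to objects in one bucket.
# Bucket resource names have the form projects/_/buckets/<bucket>.
resource "google_project_iam_member" "deploy_bucket_scoped" {
  project = local.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${local.sa_email}"

  condition {
    title      = "only-release-bucket"
    expression = "resource.name.startsWith(\"projects/_/buckets/release-artifacts\")"
  }
}
```

Two practical points: the condition (title and expression) is part of the binding's identity, so bindings that differ only in their condition coexist as separate IAM entries and changing an expression replaces the binding rather than updating it in place; and a conditional grant only restricts the binding it is attached to, so an unconditional binding for the same role and member elsewhere silently defeats it. Check `gcloud projects get-iam-policy` for the full policy, not just the Terraform state, before relying on a condition.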

imrannayer commented 1 year ago

Can you please elaborate on which sub-module is missing conditional support?

minzetaos commented 1 year ago

It's the service_accounts_iam module. It has a conditional block for its principals, but it looks like it doesn't have a conditional block for its own permissions, which should involve the resource google_project_iam_member or google_organization_iam_member.

imrannayer commented 1 year ago

@minzetaos The purpose of the service account IAM module is to grant permissions on the service account. It is granting permissions to the service account on a project or organization.

minzetaos commented 1 year ago

@imrannayer But wouldn't it be better and more common sense for the service account module to also include granting the service account permissions on resources? Otherwise, users have to use two modules to control one service account.

imrannayer commented 1 year ago

@minzetaos These are two separate use cases, and that's why they are handled by separate modules. You can write a wrapper module that calls both modules to combine the functionality if you have a repetitive use case.
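The wrapper suggested above, as an added example that is not the project's own code: one module that composes the two submodules, granting principals access on the service account (service_accounts_iam) and granting the service account access on the project (projects_iam), each with a conditional binding. The submodule input names (service_accounts, project, projects, mode, bindings, conditional_bindings) are taken from the module README as I recall it and the version constraint is assumed; verify both against the registry page before use. Project ID, service account email and the deployers group are assumed inputs.

```hcl
# Added example, not from the terraform-google-iam project: a wrapper that
# calls both submodules so one root module controls one service account.
# Submodule variable names and the version constraint are assumptions to
# verify against the registry; the input values are placeholders.

variable "project_id" { type = string }           # e.g. "example-project" (assumed)
variable "sa_email"   { type = string }           # e.g. "deploy-sa@example-project.iam.gserviceaccount.com"
variable "deployers"  { type = list(string) }     # e.g. ["group:deployers@example.com"] (assumed)

# 1. Permissions ON the service account: who may impersonate it, and when.
#    mode = "additive" so the wrapper never strips grants it does not manage;
#    "authoritative" would remove every binding not declared here.
module "sa_iam" {
  source  = "terraform-google-modules/iam/google//modules/service_accounts_iam"
  version = "~> 7.0"   # assumed; pin to the release you have tested

  service_accounts = [var.sa_email]
  project          = var.project_id
  mode             = "additive"

  bindings = {}

  conditional_bindings = [
    {
      role        = "roles/iam.serviceAccountUser"
      title       = "business-hours-utc"
      description = "Impersonation allowed only between 08:00 and 18:00 UTC"
      expression  = "request.time.getHours(\"UTC\") >= 8 && request.time.getHours(\"UTC\") < 18"
      members     = var.deployers
    }
  ]
}

# 2. Permissions OF the service account: what it may do on the project.
#    This is the grant the issue wanted inside service_accounts_iam; the
#    wrapper supplies it through projects_iam instead.
module "project_iam" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> 7.0"   # assumed

  projects = [var.project_id]
  mode     = "additive"

  bindings = {}

  conditional_bindings = [
    {
      role        = "roles/storage.objectAdmin"
      title       = "expires-2025-06-30"
      description = "Temporary access for the migration (assumed)"
      expression  = "request.time < timestamp(\"2025-06-30T00:00:00Z\")"
      members     = ["serviceAccount:${var.sa_email}"]
    }
  ]
}
```

Keeping the two grants in separate modules does map onto two different trust boundaries: the first controls who can become the service account, the second what the service account can reach. Reviewing them together in one wrapper makes it easier to spot the common mistake of tightening one side (a business-hours condition on impersonation) while leaving the other unconditional.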

github-actions[bot] commented 10 months ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.