terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

Repeated roles when using conditions causes race conditions in the authoritative mode of Module Project IAM #211

Closed rialg closed 6 months ago

rialg commented 8 months ago

TL;DR

When the same role is assigned with and without conditions in terraform-google-modules/iam/google//modules/projects_iam, the terraform plan faces a race condition: it sometimes removes the users from the conditional binding and sometimes removes the role bindings without the condition.

Expected behavior

No overlap between the two google_project_iam_binding resources created for a role with and without conditions.

Observed behavior

In the terraform plan, either the google_project_iam_binding without the condition or the one with it is always being deleted and redeployed. For example:

```text
  # module.projects_iam_bindings.google_project_iam_binding.project_iam_authoritative["default--roles/compute.instanceAdmin.v1--my_constraint"] will be updated in-place
  ~ resource "google_project_iam_binding" "project_iam_authoritative" {
        id      = "project/roles/compute.instanceAdmin.v1/compute_instance_admin_jit_constraint/JIT managed access/has({}.jitAccessConstraint)"
      ~ members = [
          + "group:mygroup@example.com",
        ]
        # (3 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }
  # module.projects_iam_bindings.google_project_iam_binding.project_iam_authoritative["default--roles/iam.serviceAccountUser"] will be updated in-place
  ~ resource "google_project_iam_binding" "project_iam_authoritative" {
        id      = "project/roles/iam.serviceAccountUser"
      ~ members = [
          - "group:mygroup@example.com",
            # (9 unchanged elements hidden)
        ]
        # (3 unchanged attributes hidden)
    }
```

Terraform Configuration

```hcl
variable "project_id" {
  type = string
}

variable "project_number" {
  type = string
}

module "projects_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> 7.1"

  projects = [var.project_id]
  mode     = "authoritative"

  # Unconditional binding for the role.
  bindings = {
    "roles/cloudsql.admin" = [
      "serviceAccount:someserviceacount@example.com",
    ]
  }

  # Conditional binding for the same role; the role appearing in both
  # inputs is what produces the unstable plan described above.
  conditional_bindings = [
    {
      role        = "roles/cloudsql.admin"
      title       = "cloud_sql_admin__constraint"
      description = "My constraint"
      expression  = "resource.name.startsWith('projects/${var.project_number}/someconstraint')"
      members = [
        "group:mygroup@example.com",
      ]
    }
  ]
}
```

### Terraform Version

```sh
Terraform v1.3.7
```

Additional information

No response
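Until the module itself is fixed, a practitioner running this configuration in authoritative mode will want to catch the unstable plan before `terraform apply` strips access. The script below is an added example, not part of the issue or of the terraform-google-modules project: it reads the JSON from `terraform show -json tfplan` and reports any member that one plan removes from a `google_project_iam_binding` and adds to another, together with every member an authoritative binding would drop. It assumes the documented `terraform show -json` layout (`resource_changes[].change.before`/`after`, with `condition` as a list of blocks); the embedded `SAMPLE_PLAN` is constructed to mirror the plan excerpt above using the `roles/cloudsql.admin` binding from the posted configuration, and the file name `iam_plan_gate.py` in the usage note is hypothetical.

```python
"""Pre-apply gate for the plan churn described in this issue.

Reads the JSON produced by `terraform show -json tfplan` and reports members
that a single plan removes from one google_project_iam_binding and adds to
another, plus every member an authoritative binding would drop. The plan
structure assumed here (resource_changes[].change.before/after, with
`condition` as a list of blocks) is the documented `terraform show -json`
format; SAMPLE_PLAN is constructed for this example and is not real output.
"""
import json
import sys

RESOURCE_TYPE = "google_project_iam_binding"
ADDRESS = 'module.projects_iam_bindings.google_project_iam_binding.project_iam_authoritative'
COND = [{"title": "cloud_sql_admin__constraint", "description": "My constraint",
         "expression": "resource.name.startsWith('projects/123456/someconstraint')"}]

# Constructed sample mirroring the issue: the same member is added to the
# conditional roles/cloudsql.admin binding and dropped from the unconditional one.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {
            "address": ADDRESS + '["default--roles/cloudsql.admin--cloud_sql_admin__constraint"]',
            "type": RESOURCE_TYPE,
            "change": {
                "actions": ["update"],
                "before": {"role": "roles/cloudsql.admin", "condition": COND,
                           "members": ["user:alice@example.com"]},
                "after": {"role": "roles/cloudsql.admin", "condition": COND,
                          "members": ["user:alice@example.com", "group:mygroup@example.com"]},
            },
        },
        {
            "address": ADDRESS + '["default--roles/cloudsql.admin"]',
            "type": RESOURCE_TYPE,
            "change": {
                "actions": ["update"],
                "before": {"role": "roles/cloudsql.admin", "condition": [],
                           "members": ["group:mygroup@example.com",
                                       "serviceAccount:someserviceacount@example.com"]},
                "after": {"role": "roles/cloudsql.admin", "condition": [],
                          "members": ["serviceAccount:someserviceacount@example.com"]},
            },
        },
    ],
}


def _binding_label(attrs):
    """(role, condition title); the title is None for an unconditional binding."""
    cond = attrs.get("condition") or []
    return attrs.get("role"), (cond[0].get("title") if cond else None)


def _member_sets(change):
    """Before/after attribute dicts and their member sets (empty for create/delete)."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    return before, after, set(before.get("members") or []), set(after.get("members") or [])


def _binding_changes(plan):
    """Yield the member-set view of every google_project_iam_binding change."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") == RESOURCE_TYPE:
            yield _member_sets(rc["change"])


def member_moves(plan):
    """member -> {"removed_from": [(role, title)], "added_to": [(role, title)]}
    for members that the same plan drops from one binding and adds to another."""
    removed, added = {}, {}
    for before, after, b_members, a_members in _binding_changes(plan):
        label = _binding_label(after or before)
        for m in b_members - a_members:
            removed.setdefault(m, []).append(label)
        for m in a_members - b_members:
            added.setdefault(m, []).append(label)
    return {m: {"removed_from": removed[m], "added_to": added[m]}
            for m in removed.keys() & added.keys()}


def removals(plan):
    """Every (member, role, title) an authoritative binding would drop at apply."""
    out = []
    for before, after, b_members, a_members in _binding_changes(plan):
        role, title = _binding_label(after or before)
        out.extend((m, role, title) for m in sorted(b_members - a_members))
    return out


def plan_is_safe(plan):
    """True when no member is shuffled between bindings and none is dropped."""
    return not member_moves(plan) and not removals(plan)


def main(argv):
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    for member, where in member_moves(plan).items():
        print(f"MOVE {member}: -{where['removed_from']} +{where['added_to']}")
    for member, role, title in removals(plan):
        print(f"REMOVAL {member} loses {role} (condition title: {title})")
    return 0 if plan_is_safe(plan) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage in a pipeline: `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python3 iam_plan_gate.py plan.json`; a non-zero exit blocks the apply. Keying the move detection on the member rather than on the role is deliberate: the plan excerpt in the issue shows the group leaving `roles/iam.serviceAccountUser` while joining the conditional `roles/compute.instanceAdmin.v1` binding, so a role-scoped check would miss exactly the churn being reported.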

github-actions[bot] commented 6 months ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.