Roll out full IAM interface to artifact registry module #2605

Closed
NitriKx opened this issue Oct 4, 2024 · 4 comments

NitriKx commented Oct 4, 2024

Describe the bug

The current implementation of the artifact-registry module is using an iam_binding resource to set the permissions, which is dropping any IAM permissions that have been set by another module.

Environment

Terraform v1.7.4
on darwin_arm64
c2780fa

To Reproduce

  1. Create a repository using the artifact-registry module in a Terraform module A. Add some IAM permissions on the repository (a service account, for instance).
  2. In a second Terraform module B, add some permissions to the repository (to add the service agent of another project to read artifacts).
  3. Apply the Terraform module A again.

Expected behavior
The permissions set by the Terraform module B should be kept, alongside the ones set by the module A.

Result
The permissions set by the Terraform module B are dropped when applying the module A.

Additional context
More insights on my current use case: I'm creating a Terraform module that creates a Virtual repository, but also creates the permissions in the remote GCP projects where the upstream repositories live.
In that context I have permissions set at:

  1. the creation of the upstream repository (allow some service accounts for the CI)
  2. the creation of the virtual repository

juliocc self-assigned this Oct 4, 2024
ludoo changed the title from "artifact-registry should use iam_member instead of iam_binding" to "Roll out full IAM interface to artifact registry module" Oct 4, 2024
ludoo commented Oct 4, 2024

The IAM interface used across all our modules supports both authoritative and additive bindings. Artifact registry is the exception and has never been updated to the new interface. I changed the title to reflect what actually needs to be done.
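
Added example, not part of the thread or of the module's own code: the authoritative and additive forms of the same grant, written with the Google provider's `google_artifact_registry_repository_iam_binding` and `google_artifact_registry_repository_iam_member` resources. Project, location, repository and member values are constructed placeholders.

```hcl
# Constructed placeholder values, not taken from the issue.
locals {
  project    = "example-project"
  location   = "europe-west1"
  repository = "example-repo"
  role       = "roles/artifactregistry.reader"
}

# BEFORE (module A, authoritative): this resource owns the complete member
# list for the role on the repository. Every apply rewrites that list, so a
# member granted the same role from another configuration is removed.
resource "google_artifact_registry_repository_iam_binding" "reader" {
  project    = local.project
  location   = local.location
  repository = local.repository
  role       = local.role
  members = [
    "serviceAccount:ci@example-project.iam.gserviceaccount.com",
  ]
}

# AFTER (module A, additive): replaces the block above. Do not keep both for
# the same role, or the binding will keep removing what the member adds.
# Only this one member is managed; other members of the role are untouched.
resource "google_artifact_registry_repository_iam_member" "reader_ci" {
  project    = local.project
  location   = local.location
  repository = local.repository
  role       = local.role
  member     = "serviceAccount:ci@example-project.iam.gserviceaccount.com"
}

# Module B (separate state, additive): grants read access to the Artifact
# Registry service agent of another project. The project number is constructed.
resource "google_artifact_registry_repository_iam_member" "reader_remote_agent" {
  project    = local.project
  location   = local.location
  repository = local.repository
  role       = local.role
  member     = "serviceAccount:service-123456789012@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}
```

The authoritative form is still the right choice when one configuration must be the single source of truth for a role, since it also removes grants made outside Terraform; the additive form is what lets two configurations grant the same role independently.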

NitriKx commented Oct 4, 2024

I've opened this PR, please let me know if that was the right way to implement the new interface

juliocc commented Oct 4, 2024

Ah sorry, we basically did the same thing. I'll close mine.

ludoo commented Oct 7, 2024

This has been merged, closing this (and thanks for flagging and taking care of it).

ludoo closed this as completed Oct 7, 2024