Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add iam_by_principals_additive to project, organization and folder modules #2814

Merged
merged 7 commits into from
Jan 14, 2025
Merged

Add iam_by_principals_additive to project, organization and folder modules #2814

merged 7 commits into from
Jan 14, 2025

Conversation

juliocc
Copy link
Collaborator

@juliocc juliocc commented Jan 13, 2025
edited
Loading

This pull request introduces the iam_by_principals_additive variable to the folder module, addressing the feature request outlined in #2805.

This implementation merges the functionality of iam_by_principals_additive with the existing iam_bindings_additive logic, utilizing a single google_folder_iam_member resource. While the core implementation is straightforward, the validation logic requires further review and likely expansion. Currently, validation only prevents the same principal/role combination from being defined in both iam_bindings_additive and iam_by_principals_additive.

Open questions:

  • should we maintain a single google_folder_iam_member resource for all additive bindings, or would a separate dedicated block for iam_by_principals_additive be preferable?
  • what other validations, if any, are necessary to ensure correct usage.
  • I'm chose iam_by_principals_additive to be consistent with the existing iam_bindings_additive naming.

Usage would be something like this:

module "folder" {
  source              = "./fabric/modules/folder"
  parent              = var.folder_id
  name                = "folder"

  iam_by_principals_additive = {
    "user:[email protected]" = [
      "roles/logging.admin",
      "roles/logging.viewer"
    ]
  }
}

And this should fail:

module "folder" {
  source              = "./fabric/modules/folder"
  parent              = var.folder_id
  name                = "folder"

  iam_bindings_additive = {
    "my-binding" = {
      role   = "roles/logging.admin"
      member = "user:[email protected]"
    }
  }

  iam_by_principals_additive = {
    "user:[email protected]" = [
      "roles/logging.admin",
      "roles/logging.viewer"
    ]
  }
}

Thoughts?

@ludoo
Copy link
Collaborator

ludoo commented Jan 14, 2025

I like this, the implementation is simple and readable.

I'm just slightly concerned about the additional additive surface this introduces, which IMHO will just make it easier to create unintentional overlaps between authoritative and additive. But that's kind of inevitable and the new interface might actually be useful, so...

As for how many resources, my preference would be for a single one but I don't think it makes a lot of difference TBH, both should work.

@github-actions github-actions bot added the on:tools New or changed tool label Jan 14, 2025
@juliocc juliocc force-pushed the jccb/iam_by_principals_additive branch from 1781dfb to 22d4050 Compare January 14, 2025 11:45
@juliocc juliocc changed the title [WIP] First attempt at iam_by_principals_additive Add iam_by_principals_additive to project, organization and folder modules Jan 14, 2025
@juliocc juliocc linked an issue Jan 14, 2025 that may be closed by this pull request
[FR]: Introduce iam_additive_by_principal just like iam_by_principals but for additive bindings #2805
Closed
@wiktorn
Copy link
Collaborator

wiktorn commented Jan 14, 2025

  • what other validations, if any, are necessary to ensure correct usage.

If any, I'd add a check, if there is any overlap in roles between authoritative roles and additive ones, though in my experience, this was usually caused by IAM grants managed by separate modules.

wiktorn
wiktorn approved these changes Jan 14, 2025
View reviewed changes
@juliocc juliocc enabled auto-merge (squash) January 14, 2025 12:20
@juliocc juliocc merged commit 7eff7b1 into master Jan 14, 2025
18 checks passed
@juliocc juliocc deleted the jccb/iam_by_principals_additive branch January 14, 2025 12:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ludoo ludoo ludoo approved these changes

@wiktorn wiktorn wiktorn approved these changes

@sruffilli sruffilli Awaiting requested review from sruffilli

Assignees
No one assigned
Labels
on:modules on:tools New or changed tool
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[FR]: Introduce iam_additive_by_principal just like iam_by_principals but for additive bindings
3 participants
@juliocc @ludoo @wiktorn