
add IAM conditions support for project IAM #2575

Merged

Conversation

danawillow
Contributor

@danawillow danawillow commented Nov 1, 2019

Part of hashicorp/terraform-provider-google#2909.

Tests don't work right now because even though the CI project is whitelisted, the tests make new projects that aren't whitelisted. I built the provider locally and checked that it worked (at least for binding and member; I didn't do it for project since it can be destructive).

Release Note Template for Downstream PRs (will be copied)

resourcemanager: added support for IAM Conditions to the `google_project_iam_*` resources (beta provider only)
`google_project_iam_*` resources now support IAM Conditions. If any conditions had been created out of band before this release, take extra care to ensure they are present in your Terraform config so the provider doesn't try to create new bindings with no conditions. Terraform will show a diff that it is adding the condition to the resource, which is safe to apply.
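As an added example (not code from this PR, nor from the provider's own docs or tests): a `google_project_iam_binding` and a `google_project_iam_member` carrying an IAM Condition in the beta provider, the shape the release note above describes. The project ID, member and expiry timestamp are constructed placeholders; the `condition` block's `title`, `description` and `expression` attribute names are assumed from the google-beta provider schema rather than taken from this page.

```hcl
# Added example, not from the PR. At the time of this PR, IAM Conditions on
# project IAM resources require the google-beta provider (see release note).
provider "google-beta" {
  project = "example-project-id" # constructed placeholder
}

# Grant a role only while the condition holds. Here the grant expires at a
# fixed instant, so a temporary grant cannot silently outlive its purpose.
resource "google_project_iam_binding" "temporary_viewer" {
  provider = google-beta
  project  = "example-project-id"             # constructed placeholder
  role     = "roles/viewer"
  members  = ["user:alice@example.com"]       # constructed placeholder

  # Attribute names below are assumed from the provider schema.
  condition {
    title       = "expires-end-of-2019"
    description = "Temporary viewer access; remove after expiry"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

# Same idea for a single principal via google_project_iam_member. Note that
# binding and member resources with the *same* role but different conditions
# are distinct bindings in GCP, so the condition is part of the identity.
resource "google_project_iam_member" "oncall_log_viewer" {
  provider = google-beta
  project  = "example-project-id"             # constructed placeholder
  role     = "roles/logging.viewer"
  member   = "group:oncall@example.com"       # constructed placeholder

  condition {
    title       = "oncall-window-2019q4"
    description = "On-call log access for the Q4 2019 rotation"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

# Migration caveat from the release note: a binding that already carries a
# condition created out of band (before upgrading) must be written into config
# like the resources above. Otherwise the provider sees only an unconditioned
# role in config and tries to create a new binding with no condition. Once the
# condition is in config, `terraform plan` shows it being added to the
# resource, which the release note states is safe to apply.
```

`terraform plan` against a project that already has the conditional binding is the check to run before applying: the expected diff is the condition being added to the existing resource, not a second binding for the same role.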

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, a7beb3f.

Pull request statuses

WARNING: The following files changed in commit a7beb3f may need corresponding changes in third_party/validator:

  • third_party/terraform/utils/iam_project.go.erb

No diff detected in terraform-google-conversion.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I built this PR into one or more new PRs on other repositories, and when those are closed, this PR will also be merged and closed.
depends: hashicorp/terraform-provider-google-beta#1321
depends: hashicorp/terraform-provider-google#4798

@danawillow
Contributor Author

I'll do validator changes separately.

@danawillow danawillow requested a review from slevenick November 1, 2019 22:29
@danawillow
Contributor Author

Ping @slevenick

@@ -61,6 +86,25 @@ resource "google_project_iam_binding" "project" {
}
```

With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
Contributor


Do we want to note that this is not public beta yet, and that they will need to be whitelisted to be able to use this?

@@ -71,6 +115,22 @@ resource "google_project_iam_member" "project" {
}
```

With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
Contributor


Same as above

@@ -118,6 +178,9 @@ will not be inferred from the provider.

* `audit_log_config` - (Required only by google\_project\_iam\_audit\_config) The configuration for logging of each type of permission. This can be specified multiple times. Structure is documented below.

* `condition` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
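Review bot: the new `condition` entry describes the block only as "An IAM Condition for a given binding" and, unlike the `audit_log_config` entry directly above it, neither says what the block contains nor ends with "Structure is documented below." Suggest adding that sentence and a matching structure section, and carrying the migration caveat from the PR's release note into this argument reference: bindings whose conditions were created out of band before this release must be added to config, or the provider will try to create new bindings with no condition. Without that note in the docs, the condition attribute reads as purely additive when it actually changes how existing bindings are matched.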
Contributor


Maybe even another note here about this not being public beta. I can imagine lots of issues coming up where people are not whitelisted.

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 3e5cd61.

Pull request statuses

terraform-provider-google-beta already has an open PR.
No diff detected in terraform-google-conversion.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

@danawillow
Contributor Author

Added whitelist-only notes to all places in the docs where conditions are mentioned (including the service account IAM docs).

Tracked submodules are build/terraform-beta build/terraform-mapper build/terraform build/ansible build/inspec.
@modular-magician modular-magician merged commit e297742 into GoogleCloudPlatform:master Nov 7, 2019
@danawillow danawillow deleted the iam-conditions branch November 7, 2019 00:58
4 participants