gcp: skip potentially dangerous kms_crypto/kms_key_ring_iam_policy/binding #12

Closed
Piotr1215 opened this issue Aug 22, 2022 · 0 comments
Labels
enhancement New feature or request

Comments


Piotr1215 commented Aug 22, 2022

What problem are you facing?

Provider Name: provider-gcp
Provider Version:

Moved from https://github.com/upbound/official-providers/issues/446

The above resources are a powerful mechanism and, similarly to IAM roles, can lead to a cluster-wide outage (see example: https://upboundio.slack.com/archives/C013YNJ423Y/p1659622122579009).

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_crypto_key_iam

Three different resources help you manage your IAM policy for KMS crypto key. Each of these resources serves a different use case:

google_kms_crypto_key_iam_policy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
google_kms_crypto_key_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
google_kms_crypto_key_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_key_ring_iam

Three different resources help you manage your IAM policy for KMS key ring. Each of these resources serves a different use case:

google_kms_key_ring_iam_policy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.
google_kms_key_ring_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.
google_kms_key_ring_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

More details and discussion about the dangers of using those resources can be found here: #14

How could Official Providers help solve your problem?

The suggestion is not to implement those, but to use google_kms_crypto_key_iam_member and google_kms_key_ring_iam_member exclusively. A similar decision has been made in the platform team regarding the usage of other IAM resources.
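
The following is an added example, not code from this issue, from provider-gcp or from the Terraform google provider. It models the three documented semantics (authoritative policy, authoritative-per-role binding, non-authoritative member) on an in-memory GCP IAM policy so the blast radius of each can be compared on the same starting state. The role names are real Cloud KMS roles; the project, key and service-account identities, and the pre-existing policy, are constructed for the scenario the issue describes (a key whose encrypt/decrypt grant another workload depends on).

```python
"""Model of the three KMS IAM resource semantics described in the issue.

Constructed example: mirrors the documented "authoritative" vs
"non-authoritative" behaviour of google_kms_crypto_key_iam_policy,
google_kms_crypto_key_iam_binding and google_kms_crypto_key_iam_member on
an in-memory IAM policy. Same shape applies to the key-ring variants.
"""
from copy import deepcopy
from typing import Dict, List

# A GCP IAM policy is a list of bindings: {"role": str, "members": [str]}.
Policy = List[Dict]

# Real Cloud KMS role names; every member identity below is constructed.
ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
VIEWER = "roles/cloudkms.viewer"
GKE_SA = "serviceAccount:service-123456789@container-engine-robot.iam.gserviceaccount.com"
AUDIT_SA = "serviceAccount:kms-audit@example-project.iam.gserviceaccount.com"
APP_SA = "serviceAccount:payments-app@example-project.iam.gserviceaccount.com"

# Constructed pre-existing policy on the crypto key: a cluster robot account
# already holds encrypt/decrypt, and an audit account holds viewer.
EXISTING_POLICY: Policy = [
    {"role": ENCRYPTER_DECRYPTER, "members": [GKE_SA]},
    {"role": VIEWER, "members": [AUDIT_SA]},
]


def apply_iam_policy(current: Policy, desired: Policy) -> Policy:
    """*_iam_policy: authoritative for the whole policy.
    Everything previously attached to the key is discarded."""
    return deepcopy(desired)


def apply_iam_binding(current: Policy, role: str, members: List[str]) -> Policy:
    """*_iam_binding: authoritative for one role.
    Members of `role` are replaced; bindings for other roles are kept."""
    result = [deepcopy(b) for b in current if b["role"] != role]
    result.append({"role": role, "members": sorted(set(members))})
    return result


def apply_iam_member(current: Policy, role: str, member: str) -> Policy:
    """*_iam_member: non-authoritative.
    Adds `member` to `role`; existing members and other roles are preserved."""
    result = deepcopy(current)
    for binding in result:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return result
    result.append({"role": role, "members": [member]})
    return result


def members_of(policy: Policy, role: str) -> set:
    """Members holding `role` in `policy` (empty set if the role is absent)."""
    return {m for b in policy if b["role"] == role for m in b["members"]}


def grant_app_each_way(current: Policy = EXISTING_POLICY) -> Dict[str, Policy]:
    """Grant APP_SA encrypt/decrypt with each resource type, each starting
    from the same pre-existing policy, so the outcomes can be compared."""
    return {
        "iam_policy": apply_iam_policy(
            current, [{"role": ENCRYPTER_DECRYPTER, "members": [APP_SA]}]),
        "iam_binding": apply_iam_binding(current, ENCRYPTER_DECRYPTER, [APP_SA]),
        "iam_member": apply_iam_member(current, ENCRYPTER_DECRYPTER, APP_SA),
    }


def gke_still_has_access(policy: Policy) -> bool:
    """The check that matters for the outage scenario: did the workload that
    already depended on the key keep its encrypt/decrypt grant?"""
    return GKE_SA in members_of(policy, ENCRYPTER_DECRYPTER)


if __name__ == "__main__":
    for kind, policy in grant_app_each_way().items():
        print(f"{kind:12s} GKE keeps access: {str(gke_still_has_access(policy)):5s} "
              f"viewer binding kept: {bool(members_of(policy, VIEWER))}")
```

Running it shows why the issue singles out the first two: `iam_policy` drops both the existing encrypt/decrypt grant and the unrelated viewer binding, `iam_binding` keeps the viewer binding but still evicts the existing encrypter, and only `iam_member` leaves the pre-existing grants in place. The model ignores IAM conditions and the policy etag, which the real resources also carry.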

@Piotr1215 Piotr1215 added the enhancement New feature or request label Aug 22, 2022
@jeanduplessis jeanduplessis transferred this issue from another repository Oct 10, 2022
@Piotr1215 Piotr1215 closed this as not planned Apr 18, 2024