add a google_organization_iam_policy resource #1128

Closed
lawrenae opened this issue Feb 26, 2018 · 5 comments · Fixed by #1196

Comments

@lawrenae
Contributor

lawrenae commented Feb 26, 2018

Hi,

I need the ability to add multiple roles to a group at the organization level.

Actual

google_organization_iam_binding
google_organization_iam_custom_role
google_organization_iam_member

Expected

google_organization_iam_binding
google_organization_iam_custom_role
google_organization_iam_member
google_organization_iam_policy

I can do this at a project level like so:

resource "google_project_iam_policy" "project" {
  project     = "your-project-id"
  policy_data = "${data.google_iam_policy.admin.policy_data}"
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:[email protected]",
    ]
  }
}

(from https://www.terraform.io/docs/providers/google/r/google_project_iam_policy.html)

and so would like the same at the organization level.

Am I missing it somewhere? Thanks in advance!

@danawillow
Contributor

The _policy resources are misleading - they intend to be the full authoritative version of the policy, meaning they overwrite any existing policies that were set manually or that came as a default with the project. Is that what you're hoping to get out of an organization policy resource?

In the meantime, you can accomplish what you want via either the _member or _binding resources, by just having multiple resources per group.

/cc @rosbo
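
The difference between an authoritative overwrite and per-member additions, as an added example that is not part of the original thread or the provider's code: it lists the grants a full policy replacement would drop from an organization, next to the result of purely additive changes. The policy JSON, member addresses and function names are constructed for illustration; the JSON follows the shape printed by `gcloud organizations get-iam-policy ORG_ID --format=json`.

```python
import json

# Constructed sample of a current organization IAM policy (not real data).
CURRENT_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@example.com"]},
    {"role": "roles/billing.admin",
     "members": ["group:finance@example.com"]},
    {"role": "roles/viewer",
     "members": ["group:platform@example.com", "user:contractor@example.com"]}
  ],
  "etag": "constructed-etag"
}
"""

# Constructed desired state: the bindings a google_iam_policy data source would declare.
DESIRED_BINDINGS = [
    {"role": "roles/viewer", "members": ["group:platform@example.com"]},
    {"role": "roles/browser", "members": ["group:platform@example.com"]},
]


def load_bindings(policy_json):
    """Parse policy JSON and return its list of bindings (empty if absent)."""
    return json.loads(policy_json).get("bindings", [])


def grants(bindings):
    """Flatten IAM bindings into a set of (role, member) pairs."""
    return {(b["role"], m) for b in bindings for m in b.get("members", [])}


def authoritative_diff(current_bindings, desired_bindings):
    """Return (removed, added) grants if desired replaced the whole policy."""
    current, desired = grants(current_bindings), grants(desired_bindings)
    return sorted(current - desired), sorted(desired - current)


def additive_result(current_bindings, desired_bindings):
    """Grants present after per-member additions: nothing existing is removed."""
    return sorted(grants(current_bindings) | grants(desired_bindings))


if __name__ == "__main__":
    removed, added = authoritative_diff(load_bindings(CURRENT_POLICY_JSON), DESIRED_BINDINGS)
    for role, member in removed:
        print(f"would be REMOVED: {member} loses {role}")
    for role, member in added:
        print(f"would be ADDED:   {member} gains {role}")
```

With the constructed input, the overwrite drops the organization admin and billing grants that the desired bindings never mention, which is the review to do before applying an authoritative policy to a live organization.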

@lawrenae
Contributor Author

Thanks @danawillow -- I do think that's what I want. Essentially my thinking is that "org level" iam config should be overwritten by terraform so as to "reset" any customization of such config outside of terraform -- that is, if it isn't configured in terraform, it didn't happen :)

No doubt, it would be a dangerous thing to use, however.

@nat-henderson
Contributor

By analogy to #843 / #1190, I think this can probably be done by ignoring defaults and placing big warnings on the docs page. I'll go do that real quick and we can discuss on the PR.

@nat-henderson
Contributor

I also want to let you know that we don't have any way to acceptance test this resource - we can't create organizations programmatically and our test org is administered by hand, so running this in a real live test is guaranteed to cause damage. Import is the only thing we can test without destructive effect, and that does work correctly.

modular-magician added a commit to modular-magician/terraform-provider-google that referenced this issue Sep 27, 2019
@ghost

ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 29, 2020