
Add IAM support at the database level for Spanner #1178

Closed
Farhie opened this issue Mar 10, 2018 · 4 comments
Farhie commented Mar 10, 2018

Hi,

I would love to see the addition of a google_spanner_database_iam_policy resource to manage IAM policies on Spanner Databases. We are currently having to bind Spanner permissions at the project level which provides far too much access.

Following is an example of what this could look like setting an IAM policy on a Spanner database:

# Instance that will host the database (display_name and num_nodes are
# required by the provider and were missing from the original sketch).
resource "google_spanner_instance" "order_instance" {
  config       = "nam3"
  name         = "${var.environment}-test-instance"
  display_name = "${var.environment}-test-instance"
  num_nodes    = 1
  project      = "${var.project}"
}

# Identity that should only be able to read one database, not the whole project.
resource "google_service_account" "reader" {
  account_id   = "db-reader"
  display_name = "db-reader"
}

# Policy document: a single binding of the read-only Spanner role to the
# service account.
data "google_iam_policy" "database_reader_role" {
  binding {
    role = "roles/spanner.databaseReader"

    members = [
      "serviceAccount:${google_service_account.reader.email}",
    ]
  }
}

# THE FOLLOWING RESOURCE DOES NOT EXIST.
# Proposed interface: "target" is the author's sketch of how the database
# would be identified; the shape of the final resource is up to the provider.
resource "google_spanner_database_iam_policy" "database_reader_policy" {
  target      = "${google_spanner_instance.order_instance.name}"
  policy_data = "${data.google_iam_policy.database_reader_role.policy_data}"
}
paddycarver added a commit that referenced this issue Apr 26, 2018
Add new policy, binding, and member IAM resources for Spanner databases.
Fixes #1178.
paddycarver (Contributor) commented

#1386 isn't the exact thing you were looking for, in that the usage looks like this:

resource "google_spanner_instance" "instance" {
  name         = "my-instance"
  config       = "regional-us-central1"
  display_name = "my-instance"
  num_nodes    = 1
}

# The policy is attached to the database, so a database resource is needed.
resource "google_spanner_database" "database" {
  instance = "${google_spanner_instance.instance.name}"
  name     = "my-database"
}

data "google_iam_policy" "foo" {
  binding {
    role = "roles/my-role"

    members = ["serviceAccount:[email protected]"]
  }
}

# Authoritative: this policy replaces whatever bindings exist on the database.
resource "google_spanner_database_iam_policy" "foo" {
  project     = "${google_spanner_database.database.project}"
  database    = "${google_spanner_database.database.name}"
  instance    = "${google_spanner_database.database.instance}"
  policy_data = "${data.google_iam_policy.foo.policy_data}"
}

But hopefully that still fits your needs? Project is optional, and will use the provider default project if not set.
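The following is an added example, not code from the issue, the linked commit or the provider's own documentation. It puts the reporter's complaint (project-level grants are far too broad) next to the database-scoped resources the commit message says were added: the non-authoritative `_iam_member` and the per-role authoritative `_iam_binding`. The project ID, instance, database, service account and group names are placeholders chosen here; the instance config follows the maintainer's example above.

```hcl
# Added example (not from the issue or the provider): least-privilege Spanner
# access using the database-level IAM resources.
# Assumptions: project "example-project", instance "orders-instance",
# database "orders", and group "orders-db-admins@example.com" are placeholders.

variable "project" {
  default = "example-project"
}

resource "google_spanner_instance" "orders" {
  name         = "orders-instance"
  config       = "regional-us-central1"
  display_name = "orders-instance"
  num_nodes    = 1
  project      = "${var.project}"
}

resource "google_spanner_database" "orders" {
  instance = "${google_spanner_instance.orders.name}"
  name     = "orders"
  project  = "${var.project}"
}

resource "google_service_account" "reader" {
  account_id   = "orders-db-reader"
  display_name = "Read-only access to the orders database"
  project      = "${var.project}"
}

# Over-broad (the situation the reporter wanted to get away from): a
# project-level grant lets this identity read EVERY Spanner database in the
# project, including ones created later. Kept commented out as the "before".
#
# resource "google_project_iam_member" "reader_too_broad" {
#   project = "${var.project}"
#   role    = "roles/spanner.databaseReader"
#   member  = "serviceAccount:${google_service_account.reader.email}"
# }

# Least privilege: the same role, scoped to a single database.
# _iam_member is non-authoritative: it adds this one member to the role and
# leaves bindings managed elsewhere (or by hand) untouched.
resource "google_spanner_database_iam_member" "reader" {
  project  = "${google_spanner_database.orders.project}"
  instance = "${google_spanner_database.orders.instance}"
  database = "${google_spanner_database.orders.name}"
  role     = "roles/spanner.databaseReader"
  member   = "serviceAccount:${google_service_account.reader.email}"
}

# _iam_binding is authoritative for ONE role on the database: any principal
# holding roles/spanner.databaseAdmin on this database that is not listed here
# is removed on the next apply, which is what you want for an admin role but
# can lock people out if the list drifts from reality.
resource "google_spanner_database_iam_binding" "admins" {
  project  = "${google_spanner_database.orders.project}"
  instance = "${google_spanner_database.orders.instance}"
  database = "${google_spanner_database.orders.name}"
  role     = "roles/spanner.databaseAdmin"
  members  = ["group:orders-db-admins@example.com"]
}
```

Pick the resource by how much authority you want Terraform to have over the policy: `_iam_policy` (the maintainer's example) owns the entire database policy and will strip every binding not in `policy_data`, `_iam_binding` owns one role, `_iam_member` owns one member of one role. After `terraform apply`, `gcloud spanner databases get-iam-policy orders --instance=orders-instance` should show exactly the bindings above and nothing at the project level for the reader account.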


Farhie commented May 2, 2018

Thanks for the update @paddycarver. Should work for us.

paddycarver (Contributor) commented

Awesome, glad to hear it! It'll ship in the next release, though because 1.11.0 went out yesterday, I imagine it'll be at least a week, probably two, before we get an official release with it.


ghost commented Nov 18, 2018

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

ghost locked and limited conversation to collaborators Nov 18, 2018