google_iam_policy should allow to use empty binding (without any members/roles) or not requiring binding field #4500

Closed
radkomateusz opened this issue Sep 19, 2019 · 2 comments · Fixed by GoogleCloudPlatform/magic-modules#2359

@radkomateusz

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

Terraform v0.12.8
google provider -> 2.15.0

Affected Resource(s)

  • google_iam_policy

Terraform Configuration Files

data "google_iam_policy" "iam_policy" {
  audit_config {
    service = "storage.googleapis.com"
    audit_log_configs {
      log_type = "DATA_READ"
    }
    audit_log_configs {
      log_type = "DATA_WRITE"
    }
    audit_log_configs {
      log_type = "ADMIN_READ"
    }
  }

  binding {}  // or without 'binding {}'
}

Expected Behavior

The binding field should be optional, or binding should be allowed to be empty, to allow creation of a google_iam_policy with audit_config and an empty IAM binding (no IAMs set on the given resource).

Actual Behavior

In case of an empty binding {}:

Error: Missing required argument
The argument "members" is required, but no definition was found.
The argument "role" is required, but no definition was found.

In case of no binding {} at all:

Error: "binding": required field is not set

Steps to Reproduce

  1. terraform plan

Important Factoids

Context:
We had the configuration below:

resource "google_folder_iam_policy" "folder_iam_policy" {
  folder = google_folder.folder.name
  policy_data = "{}" //empty policy - we want to ensure that any iams was set on that folder
}

and some audit_config was manually set on the mentioned folder.

After the fix for the referenced issue with the state of audit_config (google provider 2.15.0), terraform plan wants to remove the audit_config on the given folder, which was previously set manually (which is good from Terraform's point of view).

As we don't want to remove that audit_config, we created a google_iam_policy as in the example, where we defined audit_config, and we used it in our google_folder_iam_policy, but due to the errors we couldn't achieve our goal -> we want to have an empty IAM binding.

References

@ghost ghost added the bug label Sep 19, 2019
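
Added example (not part of the issue and not code from the provider): a check for the state the report is after, namely a policy with no role grants whose audit_config for storage.googleapis.com is still in place. It assumes the policy has been exported as JSON in the IAM API's policy shape (bindings, auditConfigs); SAMPLE_POLICY, REQUIRED_AUDIT and check_policy are hypothetical names and the sample policy is constructed.

```python
import json

# Constructed sample: a folder IAM policy in the JSON shape the IAM API uses.
# The audit settings mirror the audit_config block from the issue.
SAMPLE_POLICY = json.loads("""
{
  "auditConfigs": [
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ"},
                         {"logType": "DATA_WRITE"},
                         {"logType": "ADMIN_READ"}]}
  ],
  "etag": "constructed-etag"
}
""")

# Assumption: the audit coverage that must survive an authoritative policy write.
REQUIRED_AUDIT = {"storage.googleapis.com": {"DATA_READ", "DATA_WRITE", "ADMIN_READ"}}


def check_policy(policy, required_audit=REQUIRED_AUDIT):
    """Return a list of findings; an empty list means the policy matches intent."""
    findings = []
    # Intent 1: no role grants. A binding with an empty member list grants
    # nothing, so only bindings that still carry members are reported.
    for b in policy.get("bindings", []):
        if b.get("members"):
            findings.append(f"unexpected binding: {b.get('role')} -> {sorted(b['members'])}")
    # Intent 2: every required log type is still enabled, either on the
    # service itself or through the special "allServices" entry.
    enabled = {}
    for cfg in policy.get("auditConfigs", []):
        types = {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
        enabled.setdefault(cfg.get("service"), set()).update(types)
    for service, needed in required_audit.items():
        have = enabled.get(service, set()) | enabled.get("allServices", set())
        missing = needed - have
        if missing:
            findings.append(f"audit logging missing for {service}: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for line in check_policy(SAMPLE_POLICY) or ["policy matches intent"]:
        print(line)
```

Run against an empty policy ({}), the shape that policy_data = "{}" describes, the check reports all three log types as missing.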
@slevenick
Collaborator

This makes sense; I'll look into removing the requirement on binding not being empty. It may end up being a complicated change.

@ghost

ghost commented Feb 9, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Feb 9, 2020
3 participants