From ea5094472f04efb55b5695a0723e0999fbad6116 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 20 Aug 2024 18:25:04 +0000 Subject: [PATCH] fix(fleet_app_operator_permissions): enable multi use per project --- modules/fleet-app-operator-permissions/main.tf | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/modules/fleet-app-operator-permissions/main.tf b/modules/fleet-app-operator-permissions/main.tf index 81fc13a96c..e7bd846ba1 100644 --- a/modules/fleet-app-operator-permissions/main.tf +++ b/modules/fleet-app-operator-permissions/main.tf @@ -39,10 +39,11 @@ locals { } } -resource "google_project_iam_binding" "log_view_permissions" { - project = var.fleet_project_id - role = "roles/logging.viewAccessor" - members = concat(local.user_principals, local.group_principals) +resource "google_project_iam_member" "log_view_permissions" { + project = var.fleet_project_id + for_each = toset(concat(local.user_principals, local.group_principals)) + role = "roles/logging.viewAccessor" + member = each.value condition { title = "conditional log view access" description = "log view access for scope ${var.scope_id}" @@ -50,10 +51,11 @@ resource "google_project_iam_binding" "log_view_permissions" { } } -resource "google_project_iam_binding" "project_level_scope_permissions" { - project = var.fleet_project_id - role = local.project_level_scope_role[var.role] - members = concat(local.user_principals, local.group_principals) +resource "google_project_iam_member" "project_level_scope_permissions" { + project = var.fleet_project_id + for_each = toset(concat(local.user_principals, local.group_principals)) + role = local.project_level_scope_role[var.role] + member = each.value } resource "google_gke_hub_scope_iam_binding" "resource_level_scope_permissions" {