google_project_iam_policy removes Role for service Networking API Google created service account

[varditn]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

Terraform v0.11.11

• provider.google v1.20.0
• provider.google-beta v2.5.0
• provider.kubernetes v1.4.0

Affected Resource(s)

• google_project_iam_policy

Terraform Configuration Files

resource "google_project_iam_policy" "my_policy" {
  provider    = "google.k8s-project"
  project     = "${var.project}"
  policy_data = "${data.google_iam_policy.general-services.policy_data}"
}
data "google_iam_policy" "general-services" {
  provider = "google.k8s-project"

  binding {
    role = "roles/storage.objectViewer"

    members = [
      "serviceAccount:${google_service_account.[service-name].email}",
    ]
  }
}

Debug Output

Panic Output

Expected Behavior

Service account and role binding that were created automatically by enabling service Networking API for using resource google_service_networking_connection should be kept like other Google created service accounts.

Actual Behavior

Role binding to Service account serviceAccount:service-XXXXXXXX@service-networking.iam.gserviceaccount.com is being removed.

Steps to Reproduce

1. Enable service Networking API
2. Check in IAM that serviceAccount:service-XXXXXXXX@service-networking.iam.gserviceaccount.com has the role roles/servicenetworking.serviceAgent
3. terraform apply
4. check IAM again.

Important Factoids

References

[Chupaka]

From the docs:

google_project_iam_policy: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.

So to keep that role binding, you need to use google_project_iam_policy_member, for example.

[varditn]

I agree that is the case for self-created service account but at least until google provider v1.20.0, google created accounts are ignored.
I believe that Google binding are being kept by the attribute restore_policy of google_project_iam_policy.
Example from our google_project_iam_policy:

restore_policy = {"bindings":[{"members":["serviceAccount:XXXXX-compute@developer.gserviceaccount.com"],"role":"roles/editor"}],"etag":"adsfhfsh"=","version":1}

In Google Provider v2.0.0 , it seems to change.

[daithi-walker]

Is there a work around for this? restore_policy and google_project_iam_policy_member are no longer available.

[rileykarson]

Per above, the _iam_policy class of resources are authoritative for the entire policy on a given entity, and these automatically created role:entity bindings will need to be added into your policy definition.

I'm not sure google_project_iam_policy_member was ever available, is google_project_iam_member what you mean? It's available.

The google_project_iam_member and google_project_iam_binding resources are appropriate for partial control of a policy. _member is great for expressing "I want this user to have this role", while _binding is for "I want exclusively these users to have this role".

[rileykarson]

Closing as working as intended- _policy is authoritative, and _binding/_member are probably a closer fit to intended.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!