Add customrolessupportlevel filtered attribute to d/google_iam_role

[sleterrier]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

We have written an iam_custom_role module which allows for the creation of roles using existing roles as a source. Some Google managed roles (e.g: roles/owner) contains permissions incompatible with custom role which are, to my knowledge, not exposed by any Terraform google provider datasource. The only workaround I have found so far is to maintain a static list of incompatible permissions in our custom module. This is hardly scalable, since the list would need to be updated every time Google adds new incompatible permissions to any role we use a source.
Having an additonal attribute "incompatible_permissions" on d/google_iam_role would allow for a dynamic lookup of permissions to exclude when building our custom role(s).

I can share the code of our custom_role module if that helps.

New or Affected Resource(s)

• d/google_iam_role

Potential Terraform Configuration

data "google_iam_role" "target" {
  name = "roles/owner"
}

output "custom_role_incompatible_permissions" {
	value = data.google_iam_role.target.incompatible_permissions
}

Attribute Reference

• incompatible_permissions - specifies the list of one or more permissions incompatible with custom role, as per customRolesSupportLevel.

References

• customRolesSupportLevel API

[onetwopunch]

I'll take this one. @danawillow feel free to assign me.

[morgante]

@onetwopunch Instead of attaching this to the role, I'd actually suggest we do this through a separate data source as suggested in #4812. There's already an API which matches up against this.

[onetwopunch]

@morgante thanks for linking this! It’s really funny I actually didn’t see it at all but my implementation is almost exactly what you were suggesting in that issue. Just finalizing tests right now before pushing a PR. You can’t really attach to the role since testable permission is scoped to a particular resource as your issue shows. Anyway I’ll make sure to CC you on the PR, likely tomorrow it’ll be ready for review.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!