
google_iam_role return all included_permissions #6770

Closed
bdronneau opened this issue Jul 9, 2020 · 6 comments

Comments

@bdronneau (Contributor)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Hi,

I'm using the data source iam_role in order to get the included_permissions field and generate a custom role.
In the returned fields, some fields are flagged as Not applicable for project-level custom roles or Not applicable for project-level custom roles.
Adding some filters on the data source would allow more flexibility.

New or Affected Resource(s)

Potential Terraform Configuration

```hcl
# Proposed configuration from the issue: the "type" and "level" arguments
# do not exist on the data source today; they are the requested filters.
data "google_iam_role" "iamRoleViewer" {
  name  = "roles/viewer"
  type  = "GA"
  level = "org"
}
```

References

@ghost ghost added the enhancement label Jul 9, 2020
@danawillow danawillow added this to the Goals milestone Jul 13, 2020
@upodroid (Contributor) commented Jan 20, 2021

@rileykarson We can close this issue.

The API that this data source implements doesn't have a way of asking the API to return only project-level or org-level permissions.

https://cloud.google.com/iam/docs/reference/rest/v1/roles/get

I recommend you go here and open a feature request with Google to implement this in their APIs. Once that is done, we can implement it in Terraform.

@rileykarson (Collaborator)

Hmm, that seems right. @bdronneau can you point out a role that contains those messages? I tried roles/accesscontextmanager.policyEditor which I believe is org-only and did not see that result.

@bdronneau (Contributor, Author) commented Jan 22, 2021

Hey @rileykarson ,

I used roles/viewer before opening this issue. I tried this morning with Compute Viewer from the GCP web UI (Create role from selection); a permission is denied for a custom role:
[Screenshot: Screen Shot 2021-01-22 at 10 10 54]

After digging into the link from @upodroid, in the roles.get entry there is an array includedPermissions with permissions. On this last object, the field customRolesSupportLevel can be used for filtering. It's maybe over-engineering to have in data_google_iam_role a field with all permissions and a field with custom_role_support permissions.

@ghost ghost removed waiting-response labels Jan 22, 2021
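The filtering discussed in the two comments above can be done client-side, as an added example that is not code from the Terraform provider or from anyone in this thread. In the IAM v1 API, `roles.get` returns `includedPermissions` as a plain list of permission names; the `customRolesSupportLevel` field (`SUPPORTED`, `TESTING`, `NOT_SUPPORTED`) lives on the `Permission` objects returned by `permissions.queryTestablePermissions` for a given resource (a project or an organization), which is paginated rather than one request per permission. The script below joins the two: every API response is a constructed, inline stand-in so it runs offline, `my-project` is a placeholder, and `example.orgOnly.get` is a hypothetical permission name used to show a permission the resource does not list at all. Treating an omitted `customRolesSupportLevel` as `SUPPORTED` is an assumption about the enum default.

```python
"""Added example (not the provider's code): reduce a predefined role's
includedPermissions to those a custom role at a given level can carry.

Real endpoints (constructed stand-ins are used below):
  GET  https://iam.googleapis.com/v1/roles/viewer
  POST https://iam.googleapis.com/v1/permissions:queryTestablePermissions
Both need an OAuth bearer token, e.g. from `gcloud auth print-access-token`.
"""
from typing import Callable, Dict, List, Tuple

# Enum values of Permission.customRolesSupportLevel in the IAM v1 API.
SUPPORTED = "SUPPORTED"
TESTING = "TESTING"
NOT_SUPPORTED = "NOT_SUPPORTED"
# Our own marker (not an API value) for permissions the resource does not list.
NOT_TESTABLE = "NOT_TESTABLE_ON_RESOURCE"

# Constructed roles.get response for roles/viewer, cut down to a few entries;
# the real role carries well over a hundred permissions.
ROLE_VIEWER = {
    "name": "roles/viewer",
    "includedPermissions": [
        "compute.instances.get",
        "compute.instances.list",
        "resourcemanager.projects.get",
        "billing.accounts.get",
        "example.orgOnly.get",  # hypothetical name, not a real IAM permission
    ],
}

# Constructed queryTestablePermissions pages for a project resource. The support
# levels are illustrative, not a statement about what the real API returns.
TESTABLE_PAGES = [
    {
        "permissions": [
            {"name": "compute.instances.get", "customRolesSupportLevel": SUPPORTED},
            {"name": "compute.instances.list"},  # field omitted: assumed SUPPORTED
        ],
        "nextPageToken": "page-2",
    },
    {
        "permissions": [
            {"name": "resourcemanager.projects.get", "customRolesSupportLevel": TESTING},
            {"name": "billing.accounts.get", "customRolesSupportLevel": NOT_SUPPORTED},
        ]
    },
]

FetchPage = Callable[[dict], dict]


def fetch_support_levels(full_resource_name: str, fetch_page: FetchPage) -> Dict[str, str]:
    """Walk every page of queryTestablePermissions for one resource.

    fetch_page takes the JSON request body and returns the parsed response; in
    production it is an authenticated POST to the endpoint in the module docstring.
    Returns {permission name: customRolesSupportLevel}.
    """
    levels: Dict[str, str] = {}
    token = None
    while True:
        body = {"fullResourceName": full_resource_name, "pageSize": 1000}
        if token:
            body["pageToken"] = token
        resp = fetch_page(body)
        for perm in resp.get("permissions", []):
            # Assumption: a missing field means the proto3 default, SUPPORTED.
            levels[perm["name"]] = perm.get("customRolesSupportLevel", SUPPORTED)
        token = resp.get("nextPageToken")
        if not token:
            return levels


def split_role_permissions(
    role: dict, levels: Dict[str, str], allow_testing: bool = False
) -> Tuple[List[str], Dict[str, str]]:
    """Partition role["includedPermissions"] into (usable, dropped).

    usable keeps SUPPORTED permissions (plus TESTING ones if allow_testing);
    dropped maps every other permission to the reason it was excluded.
    """
    usable: List[str] = []
    dropped: Dict[str, str] = {}
    for name in role["includedPermissions"]:
        level = levels.get(name, NOT_TESTABLE)
        if level == SUPPORTED or (allow_testing and level == TESTING):
            usable.append(name)
        else:
            dropped[name] = level
    return usable, dropped


def make_fake_fetch(pages: List[dict]) -> FetchPage:
    """Constructed stand-in for the HTTP call: serves pages by pageToken."""
    by_token = {None: pages[0]}
    for current, following in zip(pages, pages[1:]):
        by_token[current["nextPageToken"]] = following
    return lambda body: by_token[body.get("pageToken")]


if __name__ == "__main__":
    project = "//cloudresourcemanager.googleapis.com/projects/my-project"  # placeholder
    levels = fetch_support_levels(project, make_fake_fetch(TESTABLE_PAGES))
    usable, dropped = split_role_permissions(ROLE_VIEWER, levels)
    print("usable in a project-level custom role:", usable)
    for name, reason in dropped.items():
        print(f"dropped {name}: {reason}")
```

For an organization-level custom role, pass `//cloudresourcemanager.googleapis.com/organizations/ORG_ID` as the resource name instead. The bulk listing avoids one request per permission, but it is still extra API round-trips on every refresh, which is the quota concern the maintainers raise in this thread; running it out of band and feeding the `usable` list into a `google_project_iam_custom_role` via a variable or generated file keeps the plan itself free of those calls.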
@rileykarson (Collaborator) commented Jan 22, 2021

Hmm- yeah, I think this would be infeasible to implement. In an example like you've provided Terraform would need to query the API 185 times to determine whether each permission is viable. These requests would need to happen on every single refresh/plan/apply, and would likely quickly burn through quota and cause Terraform to return errors as you hit get request quota limits.

@bdronneau (Contributor, Author)

Too bad, but I could not agree more.
Thanks for your time.

@ghost commented Feb 23, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked as resolved and limited conversation to collaborators Feb 23, 2021

4 participants