Skip to content

fix: change IAM permission configuration from binding to member to avoid issues with permission granted from other sources #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 29, 2025
Merged

fix: change IAM permission configuration from binding to member to avoid issues with permission granted from other sources #6

merged 1 commit into from
May 29, 2025

Conversation

@Monska85
Copy link
Contributor

@Monska85 Monska85 commented May 29, 2025
edited by sparkfabrik-ai-bot bot
Loading

PR Type

Bug fix

Description

• Change IAM binding to member for workload identity
• Fix conflicts with multiple role bindings
• Update documentation and changelog
• Prevent permission management issues

Changes walkthrough 📝

Relevant files
Bug fix
main.tf
Replace IAM binding with member resource                                 

main.tf

• Replace google_service_account_iam_binding with
google_service_account_iam_member
• Change members array to single
member parameter
• Simplify IAM role assignment structure

 +2/-5     
Documentation
CHANGELOG.md
Add changelog entry for IAM fix                                                   

CHANGELOG.md

• Add version 0.3.1 entry with release date
• Document IAM binding to
member change
• Explain rationale for avoiding multiple binding
conflicts

 +8/-0     
README.md
Update resource documentation reference                                   

README.md

• Update resource reference from google_service_account_iam_binding to
google_service_account_iam_member

 +1/-1     
Need help?
  • Type /help how to ... in the comments thread for any questions about PR-Agent usage.
  • Check out the documentation for more information.
    •

    @Monska85
    fix: change IAM permission configuration from binding to member to av…
    7e167fa 
    …oid issues with permission granted from other sources
    @sparkfabrik-ai-bot
    Copy link

    sparkfabrik-ai-bot bot commented May 29, 2025

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Resource Migration

    The change from google_service_account_iam_binding to google_service_account_iam_member is a breaking change that will cause Terraform to destroy and recreate the IAM permission. This could cause temporary loss of access during deployment. Consider using terraform state mv or import blocks to handle the migration gracefully.

     
    resource "google_service_account_iam_member" "this" {
  service_account_id = local.sa_name
  role               = "roles/iam.workloadIdentityUser"
  member             = local.principal_set
}

    @sparkfabrik-ai-bot
    Copy link

    sparkfabrik-ai-bot bot commented May 29, 2025

    PR Code Suggestions ✨

    No code suggestions found for the PR.

    @Monska85 Monska85 merged commit 8312ac9 into main May 29, 2025
    1 check passed
    @Monska85 Monska85 deleted the fix/change_binding_to_member branch May 29, 2025 12:59
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

    Reviewers

    No reviews

    Assignees

    No one assigned

    Labels

    Review effort 2/5

    Projects

    None yet

    Milestone

    No milestone

    Development

    Successfully merging this pull request may close these issues.

    2 participants

    @Monska85