terraform-example-foundation

IAM roles not created consistently

Open eeaton opened this issue 1 year ago • 0 comments

TL;DR

Only some groups automatically have the recommended IAM roles defined. Some groups are set up in the initial section but never used in IAM policy, even though documentation at groups for access control recommends it.

It's confusing that some groups recommended for operational functions are optional (gcp_security_reviewer) and some are required (monitoring_workspace_users). I expected that the infra should still deploy with or without the group.

After investigating, I see the inconsistent behavior for "required" is because TF code explicitly creates the IAM role for the monitoring group, but it does not create any IAM role for the security group.

Expected behavior

Each group defined in both the required_groups and optional_groups should have IAM roles applied, as defined in the groups for access control guidance.

Observed behavior

Only those groups in the required_groups have IAM roles applied.

Terraform Configuration

n/a

Terraform Version

n/a

Additional information

No response

eeaton, Feb 29 '24 17:02
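
A check for the gap reported above, as an added example that is not part of the original issue or the project's own code: it reads parsed `terraform show -json` plan output and lists configured groups that receive no IAM role. The group e-mail addresses, the role, and the resource address are constructed sample data, and the group maps are assumed to map group name to e-mail address.

```python
import json
import sys

# Constructed sample: group variables shaped like the required_groups /
# optional_groups maps named in the issue (e-mail addresses are made up).
GROUPS = {
    "required_groups": {"monitoring_workspace_users": "gcp-monitoring@example.com"},
    "optional_groups": {"gcp_security_reviewer": "gcp-security-reviewer@example.com"},
}

# Constructed excerpt of parsed `terraform show -json <planfile>` output.
PLAN = {"resource_changes": [
    {"address": "google_project_iam_member.monitoring_editor",
     "type": "google_project_iam_member",
     "change": {"actions": ["create"],
                "after": {"role": "roles/monitoring.editor",
                          "member": "group:gcp-monitoring@example.com"}}},
]}

def bound_members(plan):
    """Map each IAM member in the plan to the set of roles it is granted."""
    grants = {}
    for rc in plan.get("resource_changes", []):
        # `after` is null for resources being destroyed; treat as no grant.
        after = (rc.get("change") or {}).get("after") or {}
        if "_iam_" not in rc.get("type", "") or "role" not in after:
            continue
        # *_iam_member carries `member`; *_iam_binding carries `members`.
        members = list(after.get("members") or [])
        if after.get("member"):
            members.append(after["member"])
        for m in members:
            grants.setdefault(m.lower(), set()).add(after["role"])
    return grants

def groups_without_roles(groups, plan):
    """Return sorted (section, group_name) for configured groups with no grant."""
    grants = bound_members(plan)
    missing = []
    for section, entries in groups.items():
        for name, email in entries.items():
            # An unset optional group (empty string or None) is not a finding.
            if email and f"group:{email.lower()}" not in grants:
                missing.append((section, name))
    return sorted(missing)

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else PLAN
    for section, name in groups_without_roles(GROUPS, plan):
        print(f"{section}.{name}: no IAM role in plan")
```

Run against a real plan by passing the path of the JSON file as the first argument and replacing `GROUPS` with the deployment's own values.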