
Authoritative doesn't mean much to your average end-user google_project_iam_binding

Open woodham1 opened this issue 1 year ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

The following description of the google_project_iam_binding isn't clear.

Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.

To the average end user, myself included, it isn't immediately clear that the policy being enacted here will remove all users associated with the role that are not included in the list. Yes, I know that is what authoritative means post-mortem, but this doesn't help me after I've already blown up all my IAM bindings associated with my users or groups.

New or Affected Resource(s)

  • google_project_iam_binding

Potential Terraform Configuration

References

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding

woodham1 avatar Feb 20 '24 21:02 woodham1
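The behaviour the issue describes, shown side by side with the non-authoritative alternative. This is an added example, not configuration from the issue author or from the provider docs; the project ID and the member identities are constructed, and the "existing policy" it assumes is stated in the comments.

```hcl
# Assumed starting state (constructed for this example): before any Terraform
# runs, roles/viewer on my-project-id is held by
#   user:alice@example.com, user:bob@example.com, group:analysts@example.com
# and none of those grants are managed in this Terraform state.

# AUTHORITATIVE FOR THE ROLE. On apply this sets the member list of
# roles/viewer to exactly the list below. alice, bob and the analysts group
# lose roles/viewer; nothing else in the project policy is touched.
#
# Because the resource is not yet in state, `terraform plan` shows only
#   + members = ["user:carol@example.com"]
# and gives no hint that three existing members are about to be removed.
resource "google_project_iam_binding" "viewer" {
  project = "my-project-id"
  role    = "roles/viewer"
  members = ["user:carol@example.com"]
}

# NON-AUTHORITATIVE. If the intent was "also make carol a viewer", this is the
# resource to use: it adds (and on destroy removes) this one member/role pair
# and leaves every other member of roles/viewer as it was.
resource "google_project_iam_member" "carol_viewer" {
  project = "my-project-id"
  role    = "roles/viewer"
  member  = "user:carol@example.com"
}

# If you DO want the binding to own the whole member list for the role, list
# every member that must keep it; anyone missing here is removed on apply.
resource "google_project_iam_binding" "viewer_complete" {
  project = "my-project-id"
  role    = "roles/viewer"
  members = [
    "user:alice@example.com",
    "user:bob@example.com",
    "group:analysts@example.com",
    "user:carol@example.com",
  ]
}
```

Practical check before applying an authoritative binding to a project that already has grants: import the existing binding into state first (`terraform import google_project_iam_binding.viewer "my-project-id roles/viewer"`, the format given in the resource docs linked below), so that the plan shows the members being dropped as `-` lines instead of a clean create. Snapshotting the current policy with `gcloud projects get-iam-policy my-project-id --format=json` before the apply gives you something to restore from if the list turns out to be incomplete. Note that `google_project_iam_policy` is authoritative for the entire policy, not just one role, and carries the same hazard for every role at once.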

Possible fix:

Caution: Authoritative mode means this update will OVERWRITE the existing list of members with this role. Any current members not included in the new list will LOSE their role assignment. Other roles not stated in the IAM Binding are unaffected.

woodham1 avatar Feb 20 '24 21:02 woodham1

Whatever change we make here (if any) should also be made to all other IAM documentation to maintain consistency.

melinath avatar Feb 28 '24 21:02 melinath

Related: https://github.com/GoogleCloudPlatform/magic-modules/pull/10631

And duplicate issue: https://github.com/hashicorp/terraform-provider-google/issues/18042

SarahFrench avatar May 08 '24 08:05 SarahFrench

Other resources matching google_.*_iam_binding, such as google_organization_iam_binding, google_bigtable_instance_iam_binding, google_billing_account_iam_binding, google_dataproc_cluster_iam_binding, and google_dataproc_job_iam_binding, are probably affected by this issue.

hgsgtk avatar May 08 '24 21:05 hgsgtk