net-vpc change of iam interface.

Question

net-vpc change of iam interface.

intotecho opened this issue 4 months ago · 1 comments

Hello,
I was using the old version of /cloud-foundation-fabric/modules/net-vpc
with the old interface that had var subnet_iam_permissions.
I was passing it this.

  subnet_iam_permissions = {
    "${local.subnet_id}" = {
      "roles/compute.networkAdmin" = [
        local.gis_iac_service_account
      ],
      "roles/compute.networkUser" = local.subnet_id_access_accounts,
      "roles/compute.instanceAdmin" = [
        local.dashboard_iac_sa,
      ],
    },
    "${local.vertex_subnet_id}" = { 
      "roles/compute.networkUser" = local.vertexai_subnet_id_access_accounts,
    },
    "${local.serverless_subnet_id}" = { 
      "roles/compute.networkUser" = local.serverless_subnet_access_accounts
    }
    "${local.tm_serverless_subnet_id}" = { 
      "roles/compute.networkUser" = local.tm_serverless_subnet_access_accounts
    }
  }

To convert to the new interface, I removed all the above.
As expected, when I run a plan, all these are destroyed - with messages like

host_network.google_compute_subnetwork_iam_member.binding["europe-west3/serverless-access-sn.roles/compute.networkUser.serviceAccount:iac-sa@project-prj.iam.gserviceaccount.com"] will be destroyed

Then I added similar objects to the subnets parameter

subnets = [
    {
      ip_cidr_range         = "10.101.0.0/16"
      name                  = var.subnet_name_env
      ...
      iam_bindings_additive = {
        subnet-2-iam = [{
          role    = "roles/compute.networkAdmin"
          members = [local.gis_iac_service_account]
          },
          {
            role    = "roles/compute.networkUser"
            members = [local.subnet_id_access_accounts]
          },
          {
            role    = "roles/compute.instanceAdmin"
            members = [local.dashboard_iac_sa]
          }
        ]
      }
    },
    {
      ip_cidr_range         = "10.104.0.0/16"
      subnet_iam_additive = { 
        role    = "roles/compute.networkUser"
        members = [local.vertexai_subnet_id_access_accounts]
      }
    },
    {
      ip_cidr_range         = "10.255.0.0/28" 
       ...
      subnet_iam_additive = { 

        role    = "roles/compute.networkUser"
        members = [local.serverless_subnet_access_accounts]
      }
    },
    {
      ip_cidr_range         = "10.254.0.0/28" # Must be /28 and this only allows one vpc access connector.
      name                  = var.subnet_tm_serverless_access_name
...
      subnet_iam_additive = { // for Cloud SQL to talk to App Engine in another projet.
        role    = "roles/compute.networkUser"
        members = [local.tm_serverless_subnet_access_accounts]
      }
    }
  ]

I have tried iam, subnet_iam and subnet_iam_additive and various syntaxes inside the subnet object.

However, I can't see the plan creating (or not destroying) those bindings.

I am afraid to apply the plan until it is either not changing the bindings, or destroying and creating the bindings.
Have I misunderstood how to convert to the new subnet variable?

Answer 1 · 2024-02-14T04:28:30.000Z

The issue was that I was passing subnets as a variable into the module and my module defined subnets according to the old interface, so any value passed in subnet_iam_addititve was not sent to the module.