net-vpc change of iam interface.
intotecho opened this issue · 1 comment
Hello,
I was using the old version of /cloud-foundation-fabric/modules/net-vpc
with the old interface that had var subnet_iam_permissions.
I was passing it this.
subnet_iam_permissions = {
  "${local.subnet_id}" = {
    "roles/compute.networkAdmin" = [
      local.gis_iac_service_account
    ],
    "roles/compute.networkUser" = local.subnet_id_access_accounts,
    "roles/compute.instanceAdmin" = [
      local.dashboard_iac_sa,
    ],
  },
  "${local.vertex_subnet_id}" = {
    "roles/compute.networkUser" = local.vertexai_subnet_id_access_accounts,
  },
  "${local.serverless_subnet_id}" = {
    "roles/compute.networkUser" = local.serverless_subnet_access_accounts
  },
  "${local.tm_serverless_subnet_id}" = {
    "roles/compute.networkUser" = local.tm_serverless_subnet_access_accounts
  },
}
To convert to the new interface, I removed all the above.
As expected, when I run a plan, all these are destroyed - with messages like
host_network.google_compute_subnetwork_iam_member.binding["europe-west3/serverless-access-sn.roles/compute.networkUser.serviceAccount:iac-sa@project-prj.iam.gserviceaccount.com"] will be destroyed
Then I added similar objects to the subnets parameter
subnets = [
  {
    ip_cidr_range = "10.101.0.0/16"
    name          = var.subnet_name_env
    ...
    iam_bindings_additive = {
      subnet-2-iam = [
        {
          role    = "roles/compute.networkAdmin"
          members = [local.gis_iac_service_account]
        },
        {
          role    = "roles/compute.networkUser"
          members = local.subnet_id_access_accounts # already a list, as in the old interface above
        },
        {
          role    = "roles/compute.instanceAdmin"
          members = [local.dashboard_iac_sa]
        }
      ]
    }
  },
  {
    ip_cidr_range = "10.104.0.0/16"
    subnet_iam_additive = {
      role    = "roles/compute.networkUser"
      members = local.vertexai_subnet_id_access_accounts # list
    }
  },
  {
    ip_cidr_range = "10.255.0.0/28"
    ...
    subnet_iam_additive = {
      role    = "roles/compute.networkUser"
      members = local.serverless_subnet_access_accounts # list
    }
  },
  {
    ip_cidr_range = "10.254.0.0/28" # Must be /28 and this only allows one VPC access connector.
    name          = var.subnet_tm_serverless_access_name
    ...
    subnet_iam_additive = { // for Cloud SQL to talk to App Engine in another project.
      role    = "roles/compute.networkUser"
      members = local.tm_serverless_subnet_access_accounts # list
    }
  }
]
I have tried iam, subnet_iam and subnet_iam_additive and various syntaxes inside the subnet object.
However, I can't see the plan creating (or not destroying) those bindings.
I am afraid to apply the plan until it is either not changing the bindings, or destroying and creating the bindings.
Have I misunderstood how to convert to the new subnet variable?
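An added example, not part of this issue or of the cloud-foundation-fabric module: before applying a plan like the one above, it is worth checking mechanically which subnet IAM bindings are destroyed and recreated and which are simply dropped, instead of reading the plan by eye. The script below reads `terraform show -json plan.out` output, collects every google_compute_subnetwork_iam_member / google_compute_subnetwork_iam_binding change, and classifies each (region, subnet, role, member) grant as recreated, added or dropped. The embedded plan is a constructed sample; the index-key format `region/subnet.role.member` is taken from the plan message quoted above, while the resource name `additive` for the new-interface binding, and the case where the subnetwork is unknown at plan time and only the index key identifies the grant, are assumptions made for the example.

```python
"""Classify subnet IAM binding changes in a Terraform plan.

Usage: terraform show -json plan.out > plan.json && python check_subnet_iam.py plan.json
With no argument the constructed SAMPLE_PLAN below is used.
"""
import json
import re
import sys

# Both resource types carry region/subnetwork/role; iam_member has one
# "member", iam_binding a "members" list.
IAM_TYPES = ("google_compute_subnetwork_iam_member",
             "google_compute_subnetwork_iam_binding")

# Index-key format taken from the plan message quoted in the issue:
# "region/subnet.role.member". Region and subnet names cannot contain dots,
# and the member is recognised from the end by its IAM principal prefix, so
# the dot inside a role such as roles/compute.networkUser is unambiguous.
_KEY_RE = re.compile(
    r"^(?P<region>[^/.]+)/(?P<subnet>[^.]+)\.(?P<role>.+?)\."
    r"(?P<member>(?:user|serviceAccount|group|domain|principal|principalSet|deleted):.+"
    r"|allUsers|allAuthenticatedUsers)$"
)
_INDEX_RE = re.compile(r'\["(?P<key>[^"]+)"\]$')


def key_from_address(address):
    """Derive (region, subnet, role, member) from a resource address whose
    index key has the region/subnet.role.member form; None if it does not."""
    m = _INDEX_RE.search(address)
    k = _KEY_RE.match(m.group("key")) if m else None
    return (k["region"], k["subnet"], k["role"], k["member"]) if k else None


def binding_keys(rc, values):
    """Set of (region, subnet, role, member) tuples granted by one resource
    change, read from `values` (the change's `before` or `after` object)."""
    if not values:
        return set()
    members = values.get("members") if "members" in values else [values.get("member")]
    known = [values.get("region"), values.get("subnetwork"), values.get("role")]
    if members is None or None in members or None in known:
        # Attributes computed from other resources are absent from `after`
        # at plan time (they are listed in after_unknown); the address index
        # key is then the only stable identity of the binding (assumption).
        k = key_from_address(rc["address"])
        return {k} if k else set()
    region, subnet, role = known
    subnet = subnet.rsplit("/", 1)[-1]  # accept a self link or a bare name
    return {(region, subnet, role, m) for m in members}


def diff_bindings(plan):
    """Return bindings the plan drops (destroyed, not recreated), adds
    (created only) and recreates (destroyed and created again)."""
    destroyed, created = set(), set()
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in IAM_TYPES:
            continue
        change = rc["change"]
        actions = change.get("actions", [])
        if "delete" in actions:
            destroyed |= binding_keys(rc, change.get("before"))
        if "create" in actions:
            created |= binding_keys(rc, change.get("after"))
    return {"dropped": sorted(destroyed - created),
            "added": sorted(created - destroyed),
            "recreated": sorted(destroyed & created)}


SA = "serviceAccount:iac-sa@project-prj.iam.gserviceaccount.com"
SAMPLE_PLAN = {  # constructed sample in `terraform show -json` shape, not real output
    "resource_changes": [
        {   # old-interface binding destroyed; address format as quoted in the issue
            "address": "host_network.google_compute_subnetwork_iam_member.binding"
                       f'["europe-west3/serverless-access-sn.roles/compute.networkUser.{SA}"]',
            "type": "google_compute_subnetwork_iam_member",
            "change": {"actions": ["delete"], "after": None,
                       "before": {"region": "europe-west3", "subnetwork": "serverless-access-sn",
                                  "role": "roles/compute.networkUser", "member": SA}}},
        {   # same grant created by the new interface (resource name "additive" is
            # assumed); region/subnetwork unknown at plan time, only the key identifies it
            "address": "host_network.google_compute_subnetwork_iam_member.additive"
                       f'["europe-west3/serverless-access-sn.roles/compute.networkUser.{SA}"]',
            "type": "google_compute_subnetwork_iam_member",
            "change": {"actions": ["create"], "before": None,
                       "after": {"role": "roles/compute.networkUser", "member": SA},
                       "after_unknown": {"region": True, "subnetwork": True}}},
        {   # destroyed with nothing recreating it: the case that must block the apply
            "address": "host_network.google_compute_subnetwork_iam_member.binding"
                       '["europe-west3/subnet-2.roles/compute.networkAdmin.serviceAccount:gis-iac@project-prj.iam.gserviceaccount.com"]',
            "type": "google_compute_subnetwork_iam_member",
            "change": {"actions": ["delete"], "after": None,
                       "before": {"region": "europe-west3", "subnetwork": "subnet-2",
                                  "role": "roles/compute.networkAdmin",
                                  "member": "serviceAccount:gis-iac@project-prj.iam.gserviceaccount.com"}}},
    ]
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            plan = json.load(f)
    else:
        plan = SAMPLE_PLAN
    result = diff_bindings(plan)
    for kind in ("recreated", "added", "dropped"):
        for region, subnet, role, member in result[kind]:
            print(f"{kind:9} {region}/{subnet} {role} {member}")
    return 1 if result["dropped"] else 0  # non-zero exit gates the apply


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample plan the serverless-access-sn networkUser grant is reported as recreated and the subnet-2 networkAdmin grant as dropped, so the script exits non-zero; a plan in which every old binding is either untouched or recreated exits zero and is safe to apply from the IAM point of view. When the new binding's subnetwork is unknown at plan time the match relies on the index key alone, so the check is only as good as the key format the module uses; if the new interface produces keys in another form, extend `_KEY_RE` or run the check against the refreshed state after a plan on a scratch project.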
The issue was that I was passing subnets as a variable into the module and my module defined subnets according to the old interface, so any value passed in subnet_iam_additive was not sent to the module.