bug: override iam role binding which has no condition

Question

bug: override iam role binding which has no condition

Closed this issue 9 months ago · 0 comments

As-Is

when add user to iam role binding by terraform.

Terraform will perform the following actions:

  # google_project_iam_member.bq_user will be created
  + resource "google_project_iam_member" "bq_user" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "user:xxx"
      + project = "xxx"
      + role    = "roles/bigquery.dataEditor"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

After I add same role by prel

After I apply terraform, same create message showed and generate new binding

After I add same role by prel

ToBe

if Iam Role binding exists with no condition or condition which controlled by not prel, prel must not change this.
prel can only overwrite role binding setting if prel set in past.