Conditional binding for Service Account roles
minzetaos opened this issue · 6 comments
TL;DR
The submodule member-iam service_accounts_iam
doesn't support conditional binding, which is inconvenient for managing service account's permission through Terraform. Do you guys consider updating the module?
Terraform Resources
Add condition block to main.tf for resource "google_project_iam_member"
Detailed design
No response
Additional information
No response
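The condition block the issue asks for already exists on the underlying `google_project_iam_member` resource, so it can be written directly while the module lacks support. The following is an added example and not code from the issue or from the terraform-google-iam module; the project id, service account e-mail and bucket name are placeholders. It grants a service account a role on the project but scopes the grant with an IAM Condition, once by resource name and once by expiry time:

```hcl
# Added example: conditional project-level bindings for a service account.
# All identifiers below are placeholders, not values from the issue.

variable "project_id" {
  type    = string
  default = "example-project" # placeholder
}

variable "sa_email" {
  type    = string
  default = "ci-deployer@example-project.iam.gserviceaccount.com" # placeholder
}

# Role is only usable on objects under one bucket; the member keeps no
# project-wide object access even though the binding sits on the project.
resource "google_project_iam_member" "sa_objects_scoped" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${var.sa_email}"

  condition {
    title       = "only-ci-artifacts-bucket"
    description = "Limit objectViewer to the ci-artifacts bucket"
    expression  = "resource.name.startsWith(\"projects/_/buckets/ci-artifacts/\")"
  }
}

# Time-bound grant: the binding stops authorising requests after the
# timestamp, which is a cheap way to avoid standing privileges for a
# one-off migration or break-glass task.
resource "google_project_iam_member" "sa_temporary_editor" {
  project = var.project_id
  role    = "roles/cloudsql.client"
  member  = "serviceAccount:${var.sa_email}"

  condition {
    title       = "expires-after-migration"
    description = "Access is rejected once the migration window closes"
    expression  = "request.time < timestamp(\"2025-01-01T00:00:00Z\")"
  }
}
```

Two things to keep in mind when reviewing such bindings: the identity of a `google_project_iam_member` includes the condition, so editing the expression destroys and recreates the binding rather than updating it in place, and not every role or resource type accepts resource-name conditions, so an expression that never matches silently denies access instead of erroring. Conditional bindings also require the project policy to be at IAM policy version 3, which Terraform sets when the condition is present.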
Can you please elaborate which sub-module is missing conditional support?
It's the service_accounts_iam module. It has a conditional block for its principals, but it looks like it doesn't have a conditional block for its own permissions, which should involve the resource google_project_iam_member or google_organization_iam_member.
@minzetaos The purpose of the service account IAM module is to grant permission on the service account. It is not granting permission to the service account on a project or organization.
@imrannayer But wouldn't it be better and more common sense that service account module also includes granting service account permission to resources? Otherwise, users have to use two modules to control one service account.
@minzetaos These are two separate use cases and that's why they are handled by separate modules. You can write a wrapper module which calls both modules to combine the functionality if you have a repetitive use case.
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.