terraform-google-modules/terraform-google-pubsub

Move the publisher service account outside the subscriptions


TL;DR

The `roles/pubsub.publisher` `google_pubsub_topic_iam_member` is created `for_each` subscription, but the permission has no reference to the subscription itself.

Why is the service account that has publish permissions associated with the subscription? I'd like to see the `_iam_member` resource outside the subscription `for_each`, and maybe receive a list of members to give access.

Terraform Resources

The

```hcl
# Current module code: the publisher grant is created once per push
# subscription, but the binding itself is scoped to the topic (or the
# subscription's dead-letter topic), never to the subscription.
resource "google_pubsub_topic_iam_member" "push_topic_binding" {
  for_each = var.create_topic ? { for i in var.push_subscriptions : i.name => i } : {}

  project = var.project_id
  topic   = lookup(each.value, "dead_letter_topic", "projects/${var.project_id}/topics/${var.topic}")
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${local.pubsub_svc_account_email}"
  depends_on = [
    google_pubsub_topic.topic,
  ]
}
```


### Detailed design

Instead of `service_account` in the `pull_subscriptions` or `push_subscription`, have a `publishers` variable on the module.

```hcl
module "pubsub" {
  source  = "terraform-google-modules/pubsub/google"
  version = "~> 4.0"

  project_id = "my-project"

  create_topic                     = true
  topic                            = "my-topic"

  publishers                       = [
    "my-service@project.iam.gserviceaccount.com",
    "my-service2@project.iam.gserviceaccount.com",
  ]
}
```


### Additional information

Maybe the service_account on the subscription could be optional

I could implement it and create a PR, but I wanted to know if there is a specific reason for the current design.
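A sketch of what the module side of the proposed `publishers` variable could look like, written here as an added example and not code from the terraform-google-modules/pubsub module; the variable name and its validation rule are assumptions. The topic reference and `depends_on` mirror the existing `push_topic_binding` resource above.

```hcl
# Added example (not part of the terraform-google-modules/pubsub module):
# a topic-scoped publisher grant driven by a list of members, with no
# coupling to any subscription. The `publishers` variable is an assumption.

variable "publishers" {
  description = "IAM members granted roles/pubsub.publisher on the topic."
  type        = list(string)
  default     = []

  # Require fully qualified member strings so a bare email is rejected at
  # plan time instead of producing an API error or an unintended grant.
  validation {
    condition = alltrue([
      for m in var.publishers : can(regex("^(serviceAccount|user|group):", m))
    ])
    error_message = "Each publisher must be prefixed with serviceAccount:, user: or group:."
  }
}

# One non-authoritative binding per member. Using *_iam_member rather than
# *_iam_binding or *_iam_policy keeps the grants additive, so publisher
# access managed elsewhere on the same topic is not silently removed.
resource "google_pubsub_topic_iam_member" "publishers" {
  for_each = var.create_topic ? toset(var.publishers) : toset([])

  project = var.project_id
  topic   = "projects/${var.project_id}/topics/${var.topic}"
  role    = "roles/pubsub.publisher"
  member  = each.value

  depends_on = [
    google_pubsub_topic.topic,
  ]
}
```

With this in place, the `for_each` over `push_subscriptions` would only need to grant the subscription's own service account publisher access on its `dead_letter_topic`, which is the one case where the grant genuinely belongs to the subscription.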

Sorry, I think I mixed up some things..