terraform-google-modules/terraform-google-pubsub

Guidance on setting topic-level IAM


TL;DR

Hi I'm not filing a bug or request at the moment but just looking for guidance.

I'm looking to move from the Cloud Foundation Fabric module for pubsub to this module. For the iam input alternative, I don't see this exposed directly in the module, rather just allowing the pubsub P4SA to publish to the topic (in case the serviceAgent role isn't set at the project level, I'm assuming).

What is the expected course of action to set roles/pubsub.publisher at the topic level using this module? Should we just add a pubsub_topic_iam_member/binding resource adjacent to this module? Or is there a better practice that I'm missing here? Is there any reason/philosophy as to why this is not supported within the module?


Hi @jwtracy
Fabric's IAM var seems to be role to list of members. Our pubsub IAM module would offer a similar interface.

Thank you for sharing! I'm early on in translations from CFF to CFT, so these IAM modules are a useful find. I have two more questions:

  1. Do these resource-level IAM modules preserve the GCP defaults for special IAM groups like special_group:projectOwners and special_group:projectEditors? Or must those be supplied manually?
  2. For project IAM, does this module, when used in authoritative mode, preserve GCP services' roles/***.serviceAgent roles? Or must those be supplied manually? Tangentially, I have the same concern over the roles/editor for <project-number>@cloudservices.*** binding that some APIs seem to require.

Do these resource-level IAM modules preserve the GCP defaults for special IAM groups like special_group:projectOwners and special_group:projectEditors? Or must those be supplied manually?

By default, we use "additive" (non-authoritative mode) so existing roles will be preserved.

For project IAM, does this module, when used in authoritative mode, preserve GCP services' roles/***.serviceAgent roles? Or must those be supplied manually? Tangentially, I have the same concern over the roles/editor for <project-number>@cloudservices.*** binding that some APIs seem to require.

This is why our strong recommendation is to use additive mode. If you use authoritative mode, you will have to manually supply the roles for all GCP services you use.

Thanks for the guidance here! I came from using project_iam_policy, so bindings and members are a breath of fresh air. Thanks!
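The two approaches discussed in this thread, side by side, as an added example that is not code from terraform-google-pubsub, terraform-google-iam or any participant: a plain google_pubsub_topic_iam_member placed next to the pubsub module, and the pubsub_topics_iam submodule of terraform-google-iam with its role-to-members bindings map in the additive mode the maintainer recommends. The module version constraints, the module.topic.topic_name output, the pubsub_topics_iam input names, var.project_id and google_service_account.producer are assumptions for the example; check them against the module READMEs before use.

```hcl
# Added example, not code from the pubsub module or the thread.
# Assumed: module versions, the topic_name output, the pubsub_topics_iam
# input names, var.project_id and google_service_account.producer.

module "topic" {
  source  = "terraform-google-modules/pubsub/google"
  version = "~> 6.0" # assumed constraint

  project_id = var.project_id
  topic      = "orders"
}

# Option A: a resource adjacent to the module. *_iam_member is additive:
# one (role, member) pair, leaving every other binding on the topic alone,
# including the one the module itself creates for the Pub/Sub service agent.
resource "google_pubsub_topic_iam_member" "producer_publisher" {
  project = var.project_id
  topic   = module.topic.topic_name
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${google_service_account.producer.email}"
}

# Option B: the pubsub_topics_iam submodule of terraform-google-iam.
# bindings is a map of role -> list of members, the shape the Fabric
# module's iam input uses, so existing CFF variables translate directly.
module "topic_iam" {
  source  = "terraform-google-modules/iam/google//modules/pubsub_topics_iam"
  version = "~> 8.0" # assumed constraint

  project       = var.project_id
  pubsub_topics = [module.topic.topic_name]

  # "additive" (the default) only adds the listed members.
  # "authoritative" would replace ALL members of each listed role.
  mode = "additive"

  bindings = {
    "roles/pubsub.subscriber" = [
      "group:order-consumers@example.com", # constructed sample member
    ]
    "roles/pubsub.viewer" = [
      "serviceAccount:${google_service_account.producer.email}",
    ]
  }
}
```

Use one approach per role on a given topic. Option A and Option B in additive mode coexist because neither claims ownership of a role, but switching Option B to mode = "authoritative" and listing roles/pubsub.publisher there would make Terraform remove any publisher member not in the map, including the service-agent binding the pubsub module sets up (as described earlier in the thread), so the two resources would fight over the binding on every apply. The same reasoning applies to the project-level question above: an authoritative projects_iam binding for roles/editor or a roles/*.serviceAgent role will strip the members Google added unless they are listed explicitly.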