Guidance on setting topic-level IAM
Closed this issue · 4 comments
TL;DR
Hi, I'm not filing a bug or request at the moment but just looking for guidance.
I'm looking to move from the Cloud Foundation Fabric module for pubsub to this module. For the iam input alternative, I don't see this exposed directly in the module, rather just allowing the pubsub P4SA to publish to the topic (in case the serviceAgent role isn't set at the project level, I'm assuming).
What is the expected course of action to set roles/pubsub.publisher at the topic level using this module? Should we just add a pubsub_topic_iam_member/binding resource adjacent to this module? Or is there a better practice that I'm missing here? Is there any reason/philosophy as to why this is not supported within the module?
Terraform Resources
No response
Detailed design
No response
Additional information
No response
Hi @jwtracy
Fabric's IAM var seems to be role to list of members. Our pubsub IAM module would offer a similar interface.
Thank you for sharing! I'm early on in translations from CFF to CFT so these IAM modules are a useful find. I have two more questions:
- Do these resource level IAM modules preserve the GCP defaults for special IAM groups like special_group:projectOwners and special_group:projectEditors? Or must those be manually supplied?
- For project iam does this module, when used in authoritative roles, preserve GCP services' roles/***.serviceAgent roles? Or must those be manually supplied? Tangentially, I have the same concern over the roles/editor for <project-number>@cloudservices.*** binding that some APIs seem to require.
Do these resource level IAM modules preserve the GCP defaults for special IAM groups like special_group:projectOwners and special_group:projectEditors? Or must those be manually supplied?
By default, we use "additive" (non-authoritative mode) so existing roles will be preserved.
For project iam does this module, when used in authoritative roles, preserve GCP services' roles/***.serviceAgent roles? Or must those be manually supplied? Tangentially, I have the same concern over the roles/editor for <project-number>@cloudservices.*** binding that some APIs seem to require.
This is why our strong recommendation is to use additive mode. If you use authoritative mode, you will have to manually supply the roles for all GCP services you use.
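The following is an added example, not code from this issue or from the module itself, showing the two approaches discussed above for granting roles/pubsub.publisher at the topic level: a plain google_pubsub_topic_iam_member resource placed next to the pubsub module, and the pubsub topics submodule of the IAM module in additive mode. The module source paths, input names (pubsub_topics, mode, bindings), the module.pubsub.topic output and the service account e-mail are assumptions to check against the module versions you pin.

```hcl
# Added example; assumptions are marked below.

variable "project_id" {
  type = string
}

# The Pub/Sub module from this repo. `project_id` and `topic` are its documented
# inputs; `module.pubsub.topic` (the topic name) is assumed to be an output.
module "pubsub" {
  source = "terraform-google-modules/pubsub/google"

  project_id = var.project_id
  topic      = "orders" # constructed topic name
}

# Constructed identity: the workload that should be allowed to publish.
locals {
  publisher_member = "serviceAccount:orders-api@${var.project_id}.iam.gserviceaccount.com"
}

# Option A: an additive, per-member grant adjacent to the module.
# *_iam_member only adds this one (role, member) pair; it never removes
# bindings that already exist on the topic, so the Pub/Sub service agent's
# grant made by the module and any project-level defaults are left intact.
resource "google_pubsub_topic_iam_member" "orders_publisher" {
  project = var.project_id
  topic   = module.pubsub.topic
  role    = "roles/pubsub.publisher"
  member  = local.publisher_member
}

# Option B: the topic IAM submodule (role -> list of members interface).
# Submodule path and inputs are assumed from terraform-google-modules/iam/google.
# mode = "additive" keeps existing members of each role; mode = "authoritative"
# would make `bindings` the complete member list for each listed role on these
# topics, dropping anyone not listed (including service agents), which is why
# the maintainers recommend additive.
module "orders_topic_iam" {
  source = "terraform-google-modules/iam/google//modules/pubsub_topics_iam"

  project       = var.project_id
  pubsub_topics = [module.pubsub.topic]
  mode          = "additive"

  bindings = {
    "roles/pubsub.publisher" = [local.publisher_member]
  }
}
```

Use one option or the other, not both, for the same (role, member) pair. Before switching any IAM module to authoritative mode, read the `terraform plan` output for removed members on the affected roles; a binding that disappears for a service agent identity is the failure mode described in the reply above.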
Thanks for the guidance here! I came from using project_iam_policy so bindings and member are a breath of fresh air. Thanks!