Each run removes and adds roles to the SA
romanvogman opened this issue · 1 comments
romanvogman commented
TL;DR
Each Terraform run removes roles from the SA if there is a binding resource (that is used for another SA) with the same role
Expected behavior
Expecting it to remain the same if no changes were done in the module by creating an additional resource
Observed behavior
removed storage.objectViewer and roles/pubsub.subscriber, because there are binding resources with the same roles which don't contain the foo-sa SA in them
Terraform Configuration
module "foo-sa" {
  source     = "terraform-google-modules/service-accounts/google"
  version    = "4.2.2"
  project_id = var.project
  names      = ["log-analyzer"]
  # one "<project>=><role>" entry per project-level role to grant
  project_roles = [
    "${var.project}=>roles/bigquery.dataEditor",
    "${var.project}=>roles/bigquery.dataViewer",
    "${var.project}=>roles/pubsub.subscriber",
    "${var.project}=>roles/pubsub.viewer",
    "${var.project}=>roles/storage.objectViewer",
  ]
}
.
.
.
# these bindings name only instances-sa, yet the module grants the same two roles to log-analyzer
resource "google_project_iam_binding" "bucket-credentials" {
  project = var.project
  role    = "roles/storage.objectViewer"
  members = ["serviceAccount:${google_service_account.instances-sa.email}"]
}

resource "google_project_iam_binding" "subscriber-binding" {
  project = var.project
  role    = "roles/pubsub.subscriber"
  members = ["serviceAccount:${google_service_account.instances-sa.email}"]
}
Terraform Version
❯ tf -v
Terraform v1.5.7
Additional information
No response
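The flapping described in the issue comes from mixing the two kinds of project IAM resources on one role. google_project_iam_binding is authoritative for its role: on every apply it sets the role's member list to exactly the `members` given, removing any other principal that holds the role, including ones granted by a different Terraform resource or outside Terraform. google_project_iam_member is additive: it manages one (role, member) pair and leaves the rest of the role's members alone. The configuration below is an added example, not code from the issue author or from the terraform-google-modules/service-accounts module; it assumes the module grants project_roles with additive google_project_iam_member resources, that the module exposes the created account's address as `module.foo-sa.email`, and it uses an assumed account_id for instances-sa.

```hcl
# Added example (not from the issue or the module): why an authoritative
# binding drops a role granted additively elsewhere, and two ways to fix it.

variable "project" {
  type = string
}

resource "google_service_account" "instances_sa" {
  project    = var.project
  account_id = "instances-sa" # assumed name
}

# The module is assumed to create one google_project_iam_member per
# "<project>=><role>" entry, i.e. additive grants.
module "foo-sa" {
  source     = "terraform-google-modules/service-accounts/google"
  version    = "4.2.2"
  project_id = var.project
  names      = ["log-analyzer"]
  project_roles = [
    "${var.project}=>roles/pubsub.subscriber",
    "${var.project}=>roles/storage.objectViewer",
  ]
}

# BROKEN: authoritative. Each apply resets roles/pubsub.subscriber to this one
# member, so log-analyzer's additive grant is removed; the next plan re-adds
# it, and the two resources fight forever. Any member not managed by Terraform
# (for example a service agent) is removed for good.
#
# resource "google_project_iam_binding" "subscriber_binding" {
#   project = var.project
#   role    = "roles/pubsub.subscriber"
#   members = ["serviceAccount:${google_service_account.instances_sa.email}"]
# }

# FIX 1 (preferred): additive grants for instances-sa too. Several
# google_project_iam_member resources can share a role without conflict.
resource "google_project_iam_member" "instances_sa_roles" {
  for_each = toset([
    "roles/pubsub.subscriber",
    "roles/storage.objectViewer",
  ])
  project = var.project
  role    = each.value
  member  = "serviceAccount:${google_service_account.instances_sa.email}"
}

# FIX 2 (only when one resource must own the whole role): keep the binding,
# list every principal that needs the role, and remove that role from the
# module's project_roles so exactly one resource manages it.
#
# resource "google_project_iam_binding" "subscriber_binding" {
#   project = var.project
#   role    = "roles/pubsub.subscriber"
#   members = [
#     "serviceAccount:${google_service_account.instances_sa.email}",
#     "serviceAccount:${module.foo-sa.email}", # assumed module output
#   ]
# }
```

The check that tells the two situations apart is a second `terraform plan` immediately after a clean `terraform apply`: with Fix 1 it reports no changes, while with the broken binding in place it shows the module re-adding the member the binding just removed. Prefer Fix 1 for a shared project role; reserve authoritative bindings (and the project-wide google_project_iam_policy) for roles whose full member list is deliberately owned by one configuration, because anything they do not list is revoked on every apply.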