terraform-google-modules/terraform-google-service-accounts

Each run removes and adds roles to the SA

romanvogman opened this issue · 1 comments

romanvogman commented

TL;DR

Each terraform run removes roles from the SA if there is a binding resource (that is used for an other SA) with the same role

Expected behavior

Expecting to remain the same if no changes were done in the module by creating additional resource

Observed behavior

removed storage.objectViewer and roles/pubsub.subscriber because there are binding resources with the same roles which don't contain foo-sa SA in them

Terraform Configuration

module "foo-sa" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "4.2.2"
  project_id    = "${var.project}"
  names         = ["log-analyzer"]
  project_roles = [
    "${var.project}=>roles/bigquery.dataEditor",
    "${var.project}=>roles/bigquery.dataViewer",
    "${var.project}=>roles/pubsub.subscriber",
    "${var.project}=>roles/pubsub.viewer",
    "${var.project}=>roles/storage.objectViewer",
  ]
}

.
.
.

resource "google_project_iam_binding" "bucket-credentials" {
  project = var.project
  role    = "roles/storage.objectViewer"
  members = ["serviceAccount:${google_service_account.instances-sa.email}"]
}

resource "google_project_iam_binding" "subscriber-binding" {
  role    = "roles/pubsub.subscriber"
  members = ["serviceAccount:${google_service_account.instances-sa.email}"]
  project = var.project
}

Terraform Version

❯ tf -v
Terraform v1.5.7

Additional information

No response