Hi All,
I have requirement where I need write block for folder level access for multiple users & service accounts , Since my ORDG enforced to use only UNIFORM BUCKET LEVEL access I cannot use granular method.
So I am trying to configure it through IAM conditions , The service accounts should have a viewer role to particular path / object and A single SA is having many paths as such. Here Am trying to use below 2 approaches
Approach 1 : using locals
locals{
name= [for k ,v in var.lists : “resource.name.startsWith(‘projects/_/buckets/{k}/objects/{v}’)”
}
locals {
test = join(“||”, local.name)
}
resource “google_storage_bucket_iam_binding” “my-bucket-binding” {
for_each = contains([“dev”,], var.env) ? var.lists : {}
bucket = “dnb-dap-dr-sto-g-poc”
role = “roles/storage.objectViewer”
members = [
"user:XXXXXXXX@gmail.com"
]
condition {
title = “my-folder”
description = “Allow access to the test_nithya subfolder”
expression = local.name
}
}
But in this approach I got issue that only one SA can be Use local.name, Since other SA in the coming iteration of block needs to have different paths.
So each SA will have role against different multiple paths ondifferent buckets .
Approach 2 : Using the same directly in expression
title = “my-folder”
description = “Allow access to the test_nithya subfolder”
expression = “{for k in var.lista : "resource.name.startsWith('projects/_/buckets/dnb-dap-dr-sto-g-poc/objects/{k}')” \n join(“||”, k) }" (I am not sure how to add join in same line
)
Finally my requirement is to have mutiple expressions for different multiple SA .
Do we have any Terraform supporting approach for this , that would be great full ! thanks.