Hi, I am about to bootstrap my third project and I have a few IAM questions
I need to add a group with multiple roles, and I would like some guidance on best practice.
What’s better “google_project_iam_policy” or “google_project_iam_binding”?
I am familiar with “google_project_iam_member” and my understanding is that it is for single roles.
Thanks
“policy” and “binding” are authoritative, whereas “member” is not (it is additive). The docs do a good job explaining the difference (https://www.terraform.io/docs/providers/google/r/google_project_iam.html). I feel it is a personal preference as to which you choose. If you prefer the non-authoritative nature of “member”, you can still have a single resource manage multiple members/roles using a loop.
tfvars
members = ["user:username@foobar.com", "group:groupname@foobar.com"]
roles   = ["roles/storage.admin", "roles/logging.viewer"]

tf
locals {
  # Cartesian product of members and roles, keyed "member-role" so that
  # every pair gets a stable for_each key.
  members_to_roles = {
    for p in setproduct(
      toset(var.members),
      toset(var.roles)
    ) :
    "${p[0]}-${p[1]}" => {
      member = p[0]
      role   = p[1]
    }
  }
}

# One additive (non-authoritative) member resource per member/role pair.
resource "google_project_iam_member" "main" {
  for_each = local.members_to_roles

  project = var.project_id
  role    = each.value.role
  member  = each.value.member
}
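For comparison, here is the asker's case (one group, several roles) written with the authoritative “binding” resource instead of “member”. This is an added example, not code from the answer above; it assumes variables named project_id, group_email and roles that you define in your own tfvars.

```hcl
# Added example, not from the original answer. Assumed tfvars values:
#   project_id  = "my-project"                       (placeholder)
#   group_email = "group:groupname@foobar.com"
#   roles       = ["roles/storage.admin", "roles/logging.viewer"]

variable "project_id" {
  type = string
}

variable "group_email" {
  type = string
}

variable "roles" {
  type = list(string)
}

# One binding per role. A google_project_iam_binding is authoritative for
# that role only: after apply, the role is held by exactly the members listed
# here, and any other principal that previously had it in the project is
# removed. Review the `terraform plan` output for unexpected removals before
# applying, especially on a project that was set up by hand.
resource "google_project_iam_binding" "group_roles" {
  for_each = toset(var.roles)

  project = var.project_id
  role    = each.value
  members = [var.group_email]
}
```

If you instead use “google_project_iam_policy” with the google_iam_policy data source, it is authoritative for the whole project, so roles you do not mention are stripped as well.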