Hi, I am about to bootstrap my third project and I have a few IAM questions
I need to add group with multiple roles, i would like some guidance on best practice.
What’s better “google_project_iam_policy” or “google_project_iam_binding”?
I am familar with “google_project_iam_member” and my understanding that is for single roles.
Thanks
policy and binding are authoritative where as member is not (it is additive). The docs do a good job explaining the difference (https://www.terraform.io/docs/providers/google/r/google_project_iam.html). I feel it is a personal preference as to which you choose. If you prefer the non-authoritative nature of member you can still have a single resource manage multiple members/roles using a loop.
tfvarsmembers = ["user:username@foobar.com", "group:groupname@foobar.com"]
roles = ["roles/storage.admin", "roles/logging.viewer"
tflocals {
members_to_roles = {
for p in setproduct(
toset(var.members),
toset(var.roles)
) :
"${p[0]}-${p[1]}" => {
member = p[0]
role = p[1]
}
}
}
resource "google_project_iam_member" "main" {
for_each = local.members_to_roles
project = var.project_id
role = each.value.role
member = each.value.member
}