fix(fleet_app_operator_permissions): enable multi use per project (#2045)

apeabody · web-flow · commit a83100d6ef33 · 2024-08-20T15:49:43.000-05:00
diff --git a/modules/fleet-app-operator-permissions/main.tf b/modules/fleet-app-operator-permissions/main.tf
@@ -39,21 +39,23 @@ locals {
   }
 }
 
-resource "google_project_iam_binding" "log_view_permissions" {
-  project = var.fleet_project_id
-  role    = "roles/logging.viewAccessor"
-  members = concat(local.user_principals, local.group_principals)
+resource "google_project_iam_member" "log_view_permissions" {
+  project  = var.fleet_project_id
+  for_each = toset(concat(local.user_principals, local.group_principals))
+  role     = "roles/logging.viewAccessor"
+  member   = each.value
   condition {
     title       = "conditional log view access"
     description = "log view access for scope ${var.scope_id}"
     expression  = "resource.name == \"projects/${var.fleet_project_id}/locations/global/buckets/fleet-o11y-scope-${var.scope_id}/views/fleet-o11y-scope-${var.scope_id}-k8s_container\" || resource.name == \"projects/${var.fleet_project_id}/locations/global/buckets/fleet-o11y-scope-${var.scope_id}/views/fleet-o11y-scope-${var.scope_id}-k8s_pod\""
   }
 }
 
-resource "google_project_iam_binding" "project_level_scope_permissions" {
-  project = var.fleet_project_id
-  role    = local.project_level_scope_role[var.role]
-  members = concat(local.user_principals, local.group_principals)
+resource "google_project_iam_member" "project_level_scope_permissions" {
+  project  = var.fleet_project_id
+  for_each = toset(concat(local.user_principals, local.group_principals))
+  role     = local.project_level_scope_role[var.role]
+  member   = each.value
 }
 
 resource "google_gke_hub_scope_iam_binding" "resource_level_scope_permissions" {

Original file line number	Diff line number	Diff line change
`@@ -39,21 +39,23 @@ locals {`
`39`	`39`	`}`
`40`	`40`	`}`
`41`	`41`
`42`		`-resource "google_project_iam_binding" "log_view_permissions" {`
`43`		`- project = var.fleet_project_id`
`44`		`- role = "roles/logging.viewAccessor"`
`45`		`- members = concat(local.user_principals, local.group_principals)`
	`42`	`+resource "google_project_iam_member" "log_view_permissions" {`
	`43`	`+ project = var.fleet_project_id`
	`44`	`+ for_each = toset(concat(local.user_principals, local.group_principals))`
	`45`	`+ role = "roles/logging.viewAccessor"`
	`46`	`+ member = each.value`
`46`	`47`	`condition {`
`47`	`48`	`title = "conditional log view access"`
`48`	`49`	`description = "log view access for scope ${var.scope_id}"`
`49`	`50`	`expression = "resource.name == \"projects/${var.fleet_project_id}/locations/global/buckets/fleet-o11y-scope-${var.scope_id}/views/fleet-o11y-scope-${var.scope_id}-k8s_container\" \|\| resource.name == \"projects/${var.fleet_project_id}/locations/global/buckets/fleet-o11y-scope-${var.scope_id}/views/fleet-o11y-scope-${var.scope_id}-k8s_pod\""`
`50`	`51`	`}`
`51`	`52`	`}`
`52`	`53`
`53`		`-resource "google_project_iam_binding" "project_level_scope_permissions" {`
`54`		`- project = var.fleet_project_id`
`55`		`- role = local.project_level_scope_role[var.role]`
`56`		`- members = concat(local.user_principals, local.group_principals)`
	`54`	`+resource "google_project_iam_member" "project_level_scope_permissions" {`
	`55`	`+ project = var.fleet_project_id`
	`56`	`+ for_each = toset(concat(local.user_principals, local.group_principals))`
	`57`	`+ role = local.project_level_scope_role[var.role]`
	`58`	`+ member = each.value`
`57`	`59`	`}`
`58`	`60`
`59`	`61`	`resource "google_gke_hub_scope_iam_binding" "resource_level_scope_permissions" {`