From 02510f2a8aa3e82dfeeb00e6754b15d126890031 Mon Sep 17 00:00:00 2001
From: emily
Date: Wed, 8 Jan 2020 12:47:34 -0800
Subject: [PATCH] Add warnings about custom role format for IAM bindings (#2937)
Merged PR #2937.
---
 build/terraform | 2 +-
 build/terraform-beta | 2 +-
 templates/terraform/resource_iam.html.markdown.erb | 3 +++
 third_party/terraform/resources/resource_iam_binding.go.erb | 1 +
 .../website/docs/r/bigtable_instance_iam.html.markdown | 3 +++
 .../website/docs/r/dataproc_cluster_iam.html.markdown | 3 +++
 .../terraform/website/docs/r/dataproc_job_iam.html.markdown | 3 +++
 .../docs/r/google_billing_account_iam_member.html.markdown | 3 +++
 .../website/docs/r/google_folder_iam_binding.html.markdown | 3 +++
 .../website/docs/r/google_folder_iam_member.html.markdown | 3 +++
 .../website/docs/r/google_organization_iam_binding.md | 3 +++
 .../docs/r/google_organization_iam_member.html.markdown | 3 +++
 .../terraform/website/docs/r/google_project_iam.html.markdown | 4 ++++
 .../website/docs/r/google_service_account_iam.html.markdown | 3 +++
 .../website/docs/r/healthcare_dataset_iam.html.markdown | 3 +++
 .../website/docs/r/pubsub_subscription_iam.html.markdown | 3 +++
 .../website/docs/r/spanner_database_iam.html.markdown | 4 ++++
 .../website/docs/r/spanner_instance_iam.html.markdown | 3 +++
 18 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/build/terraform b/build/terraform
index b0ee45e61c4f..4018ee13d670 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit b0ee45e61c4fd2d21d6e1c8d2e690a1ffca09da0
+Subproject commit 4018ee13d67059726d758e266d67c2a49e102e26
diff --git a/build/terraform-beta b/build/terraform-beta
index 0d77be0c5bc1..a13c7946ee6c 160000
--- a/build/terraform-beta
+++ b/build/terraform-beta
@@ -1 +1 @@
-Subproject commit 0d77be0c5bc1b57cb966254b7539ffba1ece899f
+Subproject commit a13c7946ee6cf13d1ff6e291122553860b1bc53f
diff --git a/templates/terraform/resource_iam.html.markdown.erb b/templates/terraform/resource_iam.html.markdown.erb index fafa4abd9aaa..7115dd2beaf5 100644 --- a/templates/terraform/resource_iam.html.markdown.erb +++ b/templates/terraform/resource_iam.html.markdown.erb @@ -277,6 +277,9 @@ $ terraform import <% if object.min_version.name == 'beta' %>-provider=google-be -> If you're importing a resource with beta features, make sure to include `-provider=google-beta` as an argument so that Terraform uses the correct provider to import your resource. +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. + <% if object.base_url.include?("{{project}}")-%> ## User Project Overrides diff --git a/third_party/terraform/resources/resource_iam_binding.go.erb b/third_party/terraform/resources/resource_iam_binding.go.erb index bb7ec0027186..7241339b249d 100644 --- a/third_party/terraform/resources/resource_iam_binding.go.erb +++ b/third_party/terraform/resources/resource_iam_binding.go.erb @@ -146,6 +146,7 @@ func resourceIamBindingRead(newUpdaterFunc newResourceIamUpdaterFunc) schema.Rea } if binding == nil { + log.Printf("[WARNING] Binding for role %q not found, assuming it has no members. If you expected existing members bound for this role, make sure your role is correctly formatted.", eBinding.Role) log.Printf("[DEBUG] Binding for role %q and condition %+v not found in policy for %s, assuming it has no members.", eBinding.Role, eCondition, updater.DescribeResource()) d.Set("role", eBinding.Role) d.Set("members", nil) diff --git a/third_party/terraform/website/docs/r/bigtable_instance_iam.html.markdown b/third_party/terraform/website/docs/r/bigtable_instance_iam.html.markdown index 1fc149aff35b..73e89a320eb3 100644 --- a/third_party/terraform/website/docs/r/bigtable_instance_iam.html.markdown 
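Review bot: The added `log.Printf` in the `binding == nil` branch of `resourceIamBindingRead` uses the prefix `[WARNING]`, which is not one of the level names Terraform's log filtering uses (TRACE, DEBUG, INFO, WARN, ERROR), so the line will likely not be treated as a warn-level message; `[WARN]` is the conventional spelling. The message also drops the resource that the `[DEBUG]` line right below it reports, so a reader cannot tell which policy the role was missing from: `log.Printf("[WARN] Binding for role %q not found in policy for %s, assuming it has no members. If you expected existing members bound for this role, make sure your role is correctly formatted.", eBinding.Role, updater.DescribeResource())`. Because the branch then stores an empty member list with `d.Set("members", nil)` and provider log output is only seen when logging is enabled, a mis-formatted custom role can still leave state showing no members for a role that has them; rejecting a malformed role name where the role is set would surface the problem at plan time, though that code is outside this hunk. The function body starts and ends outside the hunk.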
+++ b/third_party/terraform/website/docs/r/bigtable_instance_iam.html.markdown @@ -107,3 +107,6 @@ $ terraform import google_bigtable_instance_iam_binding.editor "projects/{projec $ terraform import google_bigtable_instance_iam_member.editor "projects/{project}/instances/{instance} roles/editor user:jane@example.com" ``` + +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. diff --git a/third_party/terraform/website/docs/r/dataproc_cluster_iam.html.markdown b/third_party/terraform/website/docs/r/dataproc_cluster_iam.html.markdown index 8e9dbbe84cc2..707f9d532f2f 100644 --- a/third_party/terraform/website/docs/r/dataproc_cluster_iam.html.markdown +++ b/third_party/terraform/website/docs/r/dataproc_cluster_iam.html.markdown @@ -111,3 +111,6 @@ $ terraform import google_dataproc_cluster_iam_binding.editor "projects/{project $ terraform import google_dataproc_cluster_iam_member.editor "projects/{project}/regions/{region}/clusters/{cluster} roles/editor user:jane@example.com" ``` + +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. diff --git a/third_party/terraform/website/docs/r/dataproc_job_iam.html.markdown b/third_party/terraform/website/docs/r/dataproc_job_iam.html.markdown index 0cdea119c9d0..8fc24c1cd232 100644 --- a/third_party/terraform/website/docs/r/dataproc_job_iam.html.markdown +++ b/third_party/terraform/website/docs/r/dataproc_job_iam.html.markdown 
@@ -111,3 +111,6 @@ $ terraform import google_dataproc_job_iam_binding.editor "projects/{project}/re $ terraform import google_dataproc_job_iam_member.editor "projects/{project}/regions/{region}/jobs/{job_id} roles/editor user:jane@example.com" ``` + +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. diff --git a/third_party/terraform/website/docs/r/google_billing_account_iam_member.html.markdown b/third_party/terraform/website/docs/r/google_billing_account_iam_member.html.markdown index 68e27a0e81dd..2576a765576e 100644 --- a/third_party/terraform/website/docs/r/google_billing_account_iam_member.html.markdown +++ b/third_party/terraform/website/docs/r/google_billing_account_iam_member.html.markdown @@ -50,3 +50,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th ``` $ terraform import google_billing_account_iam_member.binding "your-billing-account-id roles/viewer user:foo@example.com" ``` + +-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. diff --git a/third_party/terraform/website/docs/r/google_folder_iam_binding.html.markdown b/third_party/terraform/website/docs/r/google_folder_iam_binding.html.markdown index 8b8a453fffa4..bb824d1d97ad 100644 --- a/third_party/terraform/website/docs/r/google_folder_iam_binding.html.markdown +++ b/third_party/terraform/website/docs/r/google_folder_iam_binding.html.markdown 
@@ -70,3 +70,6 @@ IAM binding imports use space-delimited identifiers; first the resource in quest
 ```
 $ terraform import google_folder_iam_binding.viewer "folder-name roles/viewer"
 ```
+
+-> **Custom Roles**: If you're importing a IAM binding with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/third_party/terraform/website/docs/r/google_folder_iam_member.html.markdown b/third_party/terraform/website/docs/r/google_folder_iam_member.html.markdown
index bf01ecaf8a9e..6f3d79a89aef 100644
--- a/third_party/terraform/website/docs/r/google_folder_iam_member.html.markdown
+++ b/third_party/terraform/website/docs/r/google_folder_iam_member.html.markdown
@@ -62,3 +62,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th
 ```
 $ terraform import google_folder_iam_member.my_project "folder-name roles/viewer user:foo@example.com"
 ```
+
+-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/third_party/terraform/website/docs/r/google_organization_iam_binding.md b/third_party/terraform/website/docs/r/google_organization_iam_binding.md
index b387c18c2311..f00196b5b9b6 100644
--- a/third_party/terraform/website/docs/r/google_organization_iam_binding.md
+++ b/third_party/terraform/website/docs/r/google_organization_iam_binding.md
@@ -59,3 +59,6 @@ IAM binding imports use space-delimited identifiers; first the resource in quest
 ```
 $ terraform import google_organization_iam_binding.my_org "your-org-id roles/viewer"
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/third_party/terraform/website/docs/r/google_organization_iam_member.html.markdown b/third_party/terraform/website/docs/r/google_organization_iam_member.html.markdown
index df547c2937c8..d88733f6633a 100644
--- a/third_party/terraform/website/docs/r/google_organization_iam_member.html.markdown
+++ b/third_party/terraform/website/docs/r/google_organization_iam_member.html.markdown
@@ -51,3 +51,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th
 ```
 $ terraform import google_organization_iam_member.my_org "your-org-id roles/viewer user:foo@example.com"
 ```
+
+-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/third_party/terraform/website/docs/r/google_project_iam.html.markdown b/third_party/terraform/website/docs/r/google_project_iam.html.markdown
index bf29aa11d73f..89ac8006ca71 100644
--- a/third_party/terraform/website/docs/r/google_project_iam.html.markdown
+++ b/third_party/terraform/website/docs/r/google_project_iam.html.markdown
@@ -235,3 +235,7 @@ IAM audit config imports use the identifier of the resource in question and the
 ```
 terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com"
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
diff --git a/third_party/terraform/website/docs/r/google_service_account_iam.html.markdown b/third_party/terraform/website/docs/r/google_service_account_iam.html.markdown
index 9c45fb7da728..8f87bd776ca7 100644
--- a/third_party/terraform/website/docs/r/google_service_account_iam.html.markdown
+++ b/third_party/terraform/website/docs/r/google_service_account_iam.html.markdown
@@ -189,6 +189,9 @@ $ terraform import google_service_account_iam_binding.admin-account-iam "project $ terraform import google_service_account_iam_member.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/editor user:foo@example.com" ``` +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the +full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. + With conditions: ``` $ terraform import -provider=google-beta google_service_account_iam_binding.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} iam.serviceAccountUser expires_after_2019_12_31" diff --git a/third_party/terraform/website/docs/r/healthcare_dataset_iam.html.markdown b/third_party/terraform/website/docs/r/healthcare_dataset_iam.html.markdown index 37b418c4f162..4c25184171c9 100644 --- a/third_party/terraform/website/docs/r/healthcare_dataset_iam.html.markdown +++ b/third_party/terraform/website/docs/r/healthcare_dataset_iam.html.markdown @@ -115,3 +115,6 @@ IAM policy imports use the identifier of the resource in question. This policy ``` $ terraform import google_healthcare_dataset_iam_policy.dataset_iam your-project-id/location-name/dataset-name ``` + +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. diff --git a/third_party/terraform/website/docs/r/pubsub_subscription_iam.html.markdown b/third_party/terraform/website/docs/r/pubsub_subscription_iam.html.markdown index 5b1371252319..960d1b8ca9c8 100644 --- a/third_party/terraform/website/docs/r/pubsub_subscription_iam.html.markdown +++ b/third_party/terraform/website/docs/r/pubsub_subscription_iam.html.markdown 
@@ -104,3 +104,6 @@ $ terraform import google_pubsub_subscription_iam_binding.editor "projects/{your $ terraform import google_pubsub_subscription_iam_member.editor "projects/{your-project-id}/subscriptions/{your-subscription-name} roles/editor jane@example.com" ``` + +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. diff --git a/third_party/terraform/website/docs/r/spanner_database_iam.html.markdown b/third_party/terraform/website/docs/r/spanner_database_iam.html.markdown index d386ef2d1010..a910b23838e6 100644 --- a/third_party/terraform/website/docs/r/spanner_database_iam.html.markdown +++ b/third_party/terraform/website/docs/r/spanner_database_iam.html.markdown @@ -125,3 +125,7 @@ IAM policy imports use the identifier of the resource in question, e.g. ``` $ terraform import google_spanner_database_iam_policy.database project-name/instance-name/database-name ``` + +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`. + diff --git a/third_party/terraform/website/docs/r/spanner_instance_iam.html.markdown b/third_party/terraform/website/docs/r/spanner_instance_iam.html.markdown index 1b301502fc08..b2c953fad797 100644 --- a/third_party/terraform/website/docs/r/spanner_instance_iam.html.markdown +++ b/third_party/terraform/website/docs/r/spanner_instance_iam.html.markdown @@ -120,3 +120,6 @@ IAM policy imports use the identifier of the resource in question, e.g. ``` $ terraform import google_spanner_instance_iam_policy.instance project-name/instance-name ``` + +-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the + full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.