Support google_privateca_certificate_template_iam_* #10938

Labels: enhancement, size/l, tpgtools

steven-edgar commented Jan 20, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

New or Affected Resource(s)

  • google_privateca_certificate_template_iam_member
  • google_privateca_certificate_template_iam_binding
  • google_privateca_certificate_template_iam_policy

In order to fully define a GCP Certificate Authority Service we need to be able to set the IAM permissions on the CA template, support for which is currently lacking. See GCP documentation at
https://cloud.google.com/certificate-authority-service/docs/creating-certificate-template#grant-access
for a CLI example of adding a template IAM policy.
The API also appears to support this functionality:
https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.certificateTemplates/setIamPolicy

Potential Terraform Configuration

resource "google_privateca_certificate_template_iam_member" "template-iam" {
  template = google_privateca_certificate_template.my-template.id
  role     = "roles/privateca.templateUser"
  member   = "serviceAccount:${google_service_account.my-sa.email}"
}

resource "google_privateca_certificate_template_iam_binding" "template-iam" {
  template = google_privateca_certificate_template.my-template.id
  role     = "roles/privateca.templateUser"
  members  = ["serviceAccount:${google_service_account.my-sa.email}"]
}

resource "google_privateca_certificate_template_iam_policy" "template-iam" {
  template = google_privateca_certificate_template.my-template.id
  # Pass the rendered policy JSON from the data source below.
  policy_data = data.google_iam_policy.template-iam.policy_data
}

data "google_iam_policy" "template-iam" {
  binding {
    role = "roles/privateca.templateUser"
    members = [
      "serviceAccount:${google_service_account.my-sa.email}",
    ]
  }
}

References
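
The three resource kinds requested above differ in how much of a template's existing IAM policy they would overwrite. The following added example (not part of the original issue and not provider code) models that on a constructed policy, assuming the new resources follow the member/binding/policy semantics of the Google provider's other IAM resources; the function names, sample principals and the roles/privateca.auditor binding are illustrative.

```python
# Added illustration, not provider code. Assumes the requested resources
# behave like the Google provider's other *_iam_member/_binding/_policy kinds.
import copy

ROLE = "roles/privateca.templateUser"

# Constructed sample: a policy already present on a certificate template.
EXISTING = {
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": ROLE, "members": ["group:pki-admins@example.com"]},
        {"role": "roles/privateca.auditor", "members": ["user:auditor@example.com"]},
    ],
}

def _by_role(policy):
    return {b["role"]: set(b["members"]) for b in policy["bindings"]}

def _rebuild(policy, by_role):
    out = copy.deepcopy(policy)
    out["bindings"] = [
        {"role": r, "members": sorted(m)} for r, m in sorted(by_role.items()) if m
    ]
    return out

def apply_iam_member(policy, role, member):
    """Non-authoritative: add one member, keep every other grant."""
    by_role = _by_role(policy)
    by_role.setdefault(role, set()).add(member)
    return _rebuild(policy, by_role)

def apply_iam_binding(policy, role, members):
    """Authoritative for one role: replace that role's member list only."""
    by_role = _by_role(policy)
    by_role[role] = set(members)
    return _rebuild(policy, by_role)

def apply_iam_policy(policy, bindings):
    """Authoritative for the whole policy: replace every binding."""
    return _rebuild(policy, {b["role"]: set(b["members"]) for b in bindings})

def removed_grants(before, after):
    """(role, member) pairs present before the change and gone after it."""
    old, new = _by_role(before), _by_role(after)
    return sorted((r, m) for r, ms in old.items() for m in ms - new.get(r, set()))
```

Comparing the policy before and after with removed_grants shows which principals would lose access to the template when an authoritative resource is applied.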

@rileykarson added the size/m, tpgtools and size/l labels and removed the size/m label on Jan 24, 2022

@rileykarson (Collaborator)

Note: potentially size/m if we do this through mmv1, but size/l if we need to support IAM for this resource's source (DCL)

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions bot locked as resolved and limited conversation to collaborators on May 12, 2022