Add support for not managing audit_config in google_project_iam_policy

[natalysheinin]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

It is not possible to manage google_project_iam_policy without managing the audit_config policy.

New or Affected Resource(s)

• google_project_iam_policy

Potential Terraform Configuration

resource "google_project_iam_policy" "project-iam" {
  project     = local.project
  policy_data = data.google_iam_policy.my-project.policy_data
}

data "google_iam_policy" "my-project" {
  binding {
    role = "roles/storage.admin"
    members = [
      ...
    ]
  }
...

manage_audit_config_policy = False
}

References

• https://www.terraform.io/docs/providers/google/r/google_project_iam.html#google_project_iam_policy
• https://github.com/terraform-providers/terraform-provider-google/blob/master/google/resource_google_project_iam_policy_test.go#L260-L270

b/374161751

[danawillow]

Hey @natalysheinin, we have two other types of IAM resources that will manage a policy without audit configs: *_iam_binding resources, which are an authoritative list of members for a specific role, and *_iam_member resources, which ensure that a specific member is present in the list for that role. We typically recommend that users use those less authoritative versions of the IAM resources, which also don't manage audit configs.

Is there a specific reason why you need to be using the google_iam_policy resource, or would the binding/member resources work for you?

[natalysheinin]

I prefer using the google_iam_policy because it's provides much tighter security controls over the entirety of the IAM bindings in a given resource (org/folder/proj/etc).

If I couldn't use google_iam_policy, I would need to have 100+ empty bindings just to ensure that I am tracking the membership of every role. The terraform file would become to large and I'll never know if a new custom role or google-managed role is added that I am not tracking.

[rileykarson]

This makes sense, we support google_iam_policy (the whole policy entry), and google_iam_binding (a single entry in bindings), but could support google_iam_bindings to manage the bindings item at https://cloud.google.com/resource-manager/reference/rest/Shared.Types/Policy