Change service account IAM management to be additive (#17)

The IAM management granting a G Suite group access to the project factory service account was authoritative and would remove members added elsewhere. This commit replaces the authoritative binding management with additive binding management.
terraform-google-modules · Sep 4, 2018 · 71b4c98 · 71b4c98
1 parent 4d2cfc2
commit 71b4c98
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/main.tf b/main.tf
@@ -170,15 +170,13 @@ resource "google_project_iam_member" "gsuite_group_role" {
 /******************************************
   Granting serviceAccountUser to group
  *****************************************/
-resource "google_service_account_iam_binding" "service_account_grant_to_group" {
+resource "google_service_account_iam_member" "service_account_grant_to_group" {
   count = "${local.gsuite_group ? 1 : 0}"
 
   service_account_id = "projects/${local.project_id}/serviceAccounts/${google_service_account.default_service_account.email}"
   role               = "roles/iam.serviceAccountUser"
 
-  members = [
-    "${data.null_data_source.data_group_email_format.outputs["group_fmt"]}",
-  ]
+  member = "${data.null_data_source.data_group_email_format.outputs["group_fmt"]}"
 }
 
 /*************************************************************************************

diff --git a/test/integration/gcloud/integration.bats b/test/integration/gcloud/integration.bats
@@ -203,6 +203,32 @@
   gcloud --quiet iam service-accounts delete "$SA_EMAIL" --project "$PROJECT_ID"
 }
 
+@test "Confirm Terraform service account IAM membership is additive" {
+  if [ "$GROUP_NAME" == "" -o "$CREATE_GROUP" != "true" ]; then
+    skip "GROUP_NAME is unset and CREATE_GROUP is false, skipping service account IAM management test"
+  fi
+
+  MANAGED_SA_EMAIL="$(terraform output service_account_email)"
+
+  PROJECT_ID="$(terraform output project_info_example)"
+  SA_ID="sa-${RANDOM}"
+  SA_EMAIL="${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"
+
+  gcloud iam service-accounts create "$SA_ID" \
+    --project "$PROJECT_ID"
+
+  gcloud iam service-accounts add-iam-policy-binding \
+      $MANAGED_SA_EMAIL \
+      --member "serviceAccount:${SA_EMAIL}" \
+      --role "roles/iam.serviceAccountUser"
+
+  run terraform plan
+  [[ "$output" =~ No\ changes ]]
+
+  # tear down test iam account
+  gcloud --quiet iam service-accounts delete "$SA_EMAIL" --project "$PROJECT_ID"
+}
+
 @test "Test App Engine app created with the correct settings" {
 
   PROJECT_ID="$(terraform output project_info_example)"

diff --git a/test/integration/gcloud/run.sh b/test/integration/gcloud/run.sh
@@ -109,6 +109,10 @@ output "domain_example" {
 output "group_email_example" {
   value       = "${module.project-factory.group_email}"
 }
+
+output "service_account_email" {
+  value = "${module.project-factory.service_account_email}"
+}
 EOF
 }