Description
Using `skip_iam_grants` to skip custom role creation with `use_existing_service_account` fails. In my terraform configuration, I create a service account, assign the already created custom role with proper permissions. I set the service account name and private key to the module.
- bigquery.datasets.get
- compute.projects.get
- pubsub.topics.get
- storage.buckets.get
- compute.sslPolicies.get
Module reference:
```hcl
module "gcp_project_level_config" {
  source  = "lacework/config/gcp"
  version = "~> 3.0"

  project_id           = var.project_id
  required_config_apis = {} // apis already enabled

  use_existing_service_account = true
  skip_iam_grants              = true
  service_account_name         = google_service_account.lacework_gcp_compliance_config.name
  service_account_private_key  = google_service_account_key.lacework_sa_compliance_key.private_key
}
```
Expected behavior
The errors indicate that the module is still trying to assign custom role permissions even though `skip_iam_grants` is true and I use an existing service account. I am expecting that this step in
Line 124 in c0c0fc7
On line #L127 of main.tf, you're missing a condition that checks if skip_iam_grants is true, similar to the check for creating the custom role #L118. The expected behavior is that we don't assign a custom role if we have already created it and assigned it to an already created SA.
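For illustration, the guard described above written out in HCL. This is an added example, not the module's own main.tf; the resource names, `role_id`, and the `service_account_email` variable are assumed, while the permissions are the ones listed in this issue.

```hcl
# Added illustration of the missing guard, not the lacework/config/gcp module's code.
# Variable and resource names below are assumed.
variable "project_id" { type = string }
variable "service_account_email" { type = string } # email of the pre-existing SA

variable "use_existing_service_account" {
  type    = bool
  default = false
}

variable "skip_iam_grants" {
  type    = bool
  default = false
}

# Custom role: created only when IAM grants are not skipped (the check the
# issue reports as present for the role resource).
resource "google_project_iam_custom_role" "lacework_custom_role" {
  count   = var.skip_iam_grants ? 0 : 1
  project = var.project_id
  role_id = "laceworkCustomRole" # assumed id
  title   = "Lacework Custom Role"
  permissions = [
    "bigquery.datasets.get",
    "compute.projects.get",
    "pubsub.topics.get",
    "storage.buckets.get",
    "compute.sslPolicies.get",
  ]
}

# Role binding: needs the same guard. Without `count` here the binding is
# still planned when skip_iam_grants = true, and its reference to
# lacework_custom_role[0] points at a role the module never creates,
# which is the failure described in this issue.
resource "google_project_iam_member" "lacework_custom_role_binding" {
  count   = var.skip_iam_grants ? 0 : 1
  project = var.project_id
  role    = google_project_iam_custom_role.lacework_custom_role[0].id
  member  = "serviceAccount:${var.service_account_email}"
}
```

With both resources guarded, `skip_iam_grants = true` yields a plan with no role and no binding, leaving the caller's own role and binding in place.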
Please complete the following information:
- Terraform Version: "~> 1.8.0"
- Module Version: "~> 3.0"