Add resources google_cloud_tasks_queue_iam_*

[chriswacker]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

It would be great to have the queue-level IAM policy resources to avoid having to grant project-level roles/tasks.enqueuer to service accounts that only need access to a single queue. Thanks!

New or Affected Resource(s)

• google_cloud_tasks_queue_iam_member
• google_cloud_tasks_queue_iam_policy
• google_cloud_tasks_queue_iam_binding

Potential Terraform Configuration

resource "google_cloud_tasks_queue_iam_policy" "policy" {
  project = google_cloud_tasks_queue.example.project
  topic = google_cloud_tasks_queue.example.name
  policy_data = data.google_iam_policy.admin.policy_data
}

resource "google_cloud_tasks_queue_iam_binding" "binding" {
  project = google_cloud_tasks_queue.example.project
  topic = google_cloud_tasks_queue.example.name
  role = "roles/viewer"
  members = [
    "user:jane@example.com",
  ]
}

resource "google_cloud_tasks_queue_iam_member" "member" {
  project = google_cloud_tasks_queue.example.project
  topic = google_cloud_tasks_queue.example.name
  role = "roles/viewer"
  member = "user:jane@example.com"
}

[kostacasa]

For those looking for a temporary solution, you can run gcloud commands directly from Terraform which can set up fine grained permissions on queues.

module "queue_permission" {
  source  = "terraform-google-modules/gcloud/google"
  version = "~> 2.0"

  create_cmd_body  = "tasks queues add-iam-policy-binding ${google_cloud_tasks_queue.<queue_name>.id} --member=serviceAccount:${google_service_account.<service_account_name>.email} --role=roles/cloudtasks.enqueuer"
  destroy_cmd_body = "tasks queues remove-iam-policy-binding ${google_cloud_tasks_queue.<queue_name>.id} --member=serviceAccount:${google_service_account.<service_account_name>.email} --role=roles/cloudtasks.enqueuer"
}

[husseyd]

Any updates on this?

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.