Add support for managing IAM policies on namespaces within Data Fusion instances

[mbohri-cslt]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

In order to use RBAC for the Datafusion namespace and automate the IAM permission through Terraform there is no mechanism to achieve this currently in a clean way using Terraform resources.

google_data_fusion_instance_iam_policy resources do not support namespaces as input to provide permission to a principal.

New or Affected Resource(s)

google_data_fusion_instance_namespace_iam_policy
google_data_fusion_instance_namespace_iam_binding
google_data_fusion_instance_namespace_iam_member

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

References

• #0000

b/314617018

[rileykarson]

Can you provide an example input, sorry? I'm not sure what "namespace IAM" means here.

[NicolasLefortVeolia]

Hello,

I have the same enhancement request as @mbohri-cslt (if I understood well his request).

For the moment, there are resources to manage IAM on Data Fusion at the instance level (google_data_fusion_instance_iam). However, it is not possible to manage IAM at the namespace level in a specific Data Fusion instance.

These new resources could be named google_data_fusion_instance_namespace_iam_policy, google_data_fusion_instance_namespace_iam_member, and google_data_fusion_instance_namespace_iam_binding.

These resources would take the same arguments in input as google_data_fusion_instance_iam, plus a specific namespace name in the Data Fusion instance. The possible roles would be the roles currently available when managing permissions in a Data Fusion instance : Cloud Data Fusion Developer, Cloud Data Fusion Operator, Cloud Data Fusion Admin, Cloud Data Fusion Viewer.

Example:

resource "google_data_fusion_instance_namespace_iam_binding" "binding" {
  project = google_data_fusion_instance.basic_instance.project
  region = google_data_fusion_instance.basic_instance.region
  name = google_data_fusion_instance.basic_instance.name
  namespace = "default"
  role = "roles/datafusion.operator"
  members = [
    "user:[email protected]",
  ]
}

[rileykarson]

Got it, thanks! https://cloud.google.com/data-fusion/docs/reference/rest/v1beta1/projects.locations.instances.namespaces/getIamPolicy