Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix IAM policy behavior regression for empty members #4347

Merged
merged 1 commit into from
Aug 27, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 9 additions & 3 deletions google/iam.go
Original file line number Diff line number Diff line change
Expand Up @@ -193,9 +193,10 @@ func createIamBindingsMap(bindings []*cloudresourcemanager.Binding) map[string]m
bm := make(map[string]map[string]struct{})
// Get each binding
for _, b := range bindings {
members := make(map[string]struct{})
// Initialize members map
if _, ok := bm[b.Role]; !ok {
bm[b.Role] = make(map[string]struct{})
if _, ok := bm[b.Role]; ok {
members = bm[b.Role]
}
// Get each member (user/principal) for the binding
for _, m := range b.Members {
Expand All @@ -210,7 +211,12 @@ func createIamBindingsMap(bindings []*cloudresourcemanager.Binding) map[string]m
m = strings.Join(pieces, ":")

// Add the member
bm[b.Role][m] = struct{}{}
members[m] = struct{}{}
}
if len(members) > 0 {
bm[b.Role] = members
} else {
delete(bm, b.Role)
}
}
return bm
Expand Down
18 changes: 18 additions & 0 deletions google/iam_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,24 @@ func TestIamMergeBindings(t *testing.T) {
input: []*cloudresourcemanager.Binding{},
expect: []*cloudresourcemanager.Binding{},
},
// No members returns no binding
{
input: []*cloudresourcemanager.Binding{
{
Role: "role-1",
},
{
Role: "role-2",
Members: []string{"member-2"},
},
},
expect: []*cloudresourcemanager.Binding{
{
Role: "role-2",
Members: []string{"member-2"},
},
},
},
// Nothing to merge - return same list
{
input: []*cloudresourcemanager.Binding{
Expand Down
38 changes: 38 additions & 0 deletions google/resource_google_project_iam_policy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,23 @@ func TestAccProjectIamPolicy_basic(t *testing.T) {
})
}

// Test that an IAM policy with empty members does not cause a permadiff.
func TestAccProjectIamPolicy_emptyMembers(t *testing.T) {
t.Parallel()

org := getTestOrgFromEnv(t)
pid := "terraform-" + acctest.RandString(10)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccProjectIamPolicyEmptyMembers(pid, pname, org),
},
},
})
}

// Test that a non-collapsed IAM policy doesn't perpetually diff
func TestAccProjectIamPolicy_expanded(t *testing.T) {
t.Parallel()
Expand Down Expand Up @@ -276,6 +293,27 @@ resource "google_project" "acceptance" {
}`, pid, name, org)
}

func testAccProjectIamPolicyEmptyMembers(pid, name, org string) string {
return fmt.Sprintf(`
resource "google_project" "acceptance" {
project_id = "%s"
name = "%s"
org_id = "%s"
}

resource "google_project_iam_policy" "acceptance" {
project = "${google_project.acceptance.id}"
policy_data = "${data.google_iam_policy.expanded.policy_data}"
}

data "google_iam_policy" "expanded" {
binding {
role = "roles/viewer"
members = []
}
}`, pid, name, org)
}

func testAccProjectAssociatePolicyExpanded(pid, name, org string) string {
return fmt.Sprintf(`
resource "google_project" "acceptance" {
Expand Down