Fix IAM configuration. (#7)

* Fix IAM role bindings. * Update README. --------- Co-authored-by: jtreutel <[email protected]>
jtreutel · Nov 28, 2023 · e72186d · e72186d
1 parent b3f882a
commit e72186d
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -96,9 +96,9 @@ The following variables should be configured in a context or at the project leve
 
 - google_iam_workload_identity_pool.circleci
 - google_iam_workload_identity_pool_provider.circleci
-- google_service_account.circleci
-- google_service_account_iam_binding.circleci
-- google_service_account_iam_binding.circleci_sa_user
+- google_project_iam_member.project[]
+- google_service_account.circleci[0]
+- google_service_account_iam_member.circleci_impersonation
 
 Generated by tf-docs.
 <!-- BEGIN_TF_DOCS -->
@@ -136,7 +136,7 @@ No modules.
 | <a name="input_custom_attribute_mappings"></a> [custom\_attribute\_mappings](#input\_custom\_attribute\_mappings) | List of custom attribute mappings.  See https://cloud.google.com/iam/docs/workload-identity-federation#mapping and https://circleci.com/docs2/2.0/openid-connect-tokens#format-of-the-openid-connect-id-token. | `map(string)` | `{}` | no |
 | <a name="input_existing_service_account_email"></a> [existing\_service\_account\_email](#input\_existing\_service\_account\_email) | Enter the email of the GCP SA that CircleCI should impersonate.  Leave blank to create a new service account. | `string` | `""` | no |
 | <a name="input_resource_prefix"></a> [resource\_prefix](#input\_resource\_prefix) | A prefix that will be added to all resources created by this Terraform plan. | `string` | `"CircleCI"` | no |
-| <a name="input_roles_to_bind"></a> [roles\_to\_bind](#input\_roles\_to\_bind) | A list of IAM roles to bind to the service account.  e.g. roles/iam.serviceAccountAdmin | `list(string)` | n/a | yes |
+| <a name="input_roles_to_bind"></a> [roles\_to\_bind](#input\_roles\_to\_bind) | A set of IAM roles to bind to the service account.  e.g. roles/iam.serviceAccountAdmin | `set(string)` | n/a | yes |
 | <a name="input_sa_impersonation_filter_attribute"></a> [sa\_impersonation\_filter\_attribute](#input\_sa\_impersonation\_filter\_attribute) | A GCP workload identity pool provider attribute to use for restricting role impersonation to specific CircleCI orgs, projects, or contexts. Defaults to CircleCI org ID. | `string` | `""` | no |
 | <a name="input_sa_impersonation_filter_value"></a> [sa\_impersonation\_filter\_value](#input\_sa\_impersonation\_filter\_value) | A GCP workload identity pool provider attribute value to use for restricting role impersonation to specific CircleCI orgs, projects, or contexts. Defaults to CircleCI org ID. | `string` | `""` | no |
 | <a name="input_wip_provider_attribute_condition"></a> [wip\_provider\_attribute\_condition](#input\_wip\_provider\_attribute\_condition) | CEL expression describing which principles are allowed to impersonate service accounts. Defaults to anyone from your CircleCI org. | `string` | `""` | no |

diff --git a/main.tf b/main.tf
@@ -31,21 +31,17 @@ resource "google_service_account" "circleci" {
   display_name = "${var.resource_prefix} Pipeline User"
 }
 
-
-resource "google_service_account_iam_binding" "circleci" {
+#Allow CircleCI to impersonate SA
+resource "google_service_account_iam_member" "circleci_impersonation" {
   service_account_id = var.existing_service_account_email == "" ? google_service_account.circleci[0].name : var.existing_service_account_email
   role               = "roles/iam.workloadIdentityUser"
-  members = [
-    "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.circleci.workload_identity_pool_id}/${local.sa_impersonation_filter_attribute}/${local.sa_impersonation_filter_value}"
-  ]
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.circleci.workload_identity_pool_id}/${local.sa_impersonation_filter_attribute}/${local.sa_impersonation_filter_value}"
 }
 
-resource "google_service_account_iam_binding" "circleci_sa_user" {
-  count              = length(var.roles_to_bind)
-  service_account_id = google_service_account.circleci[0].name
-  role               = var.roles_to_bind[count.index]
-  members = [
-    "serviceAccount:${google_service_account.circleci[0].email}"
-  ]
-}
+resource "google_project_iam_member" "project" {
+  for_each = var.roles_to_bind
 
+  project = data.google_project.project.project_id
+  role    = each.value
+  member  = "serviceAccount:${var.existing_service_account_email == "" ? google_service_account.circleci[0].email : var.existing_service_account_email}"
+}
diff --git a/variables.tf b/variables.tf
@@ -32,8 +32,8 @@ variable "existing_service_account_email" {
 }
 
 variable "roles_to_bind" {
-  type        = list(string)
-  description = "A list of IAM roles to bind to the service account.  e.g. roles/iam.serviceAccountAdmin"
+  type        = set(string)
+  description = "A set of IAM roles to bind to the service account.  e.g. roles/iam.serviceAccountAdmin"
 }
 
 # These two variables can be used to restrict who can impersonate a service account based on the values of the assertions in the CircleCI OIDC token