Adds variable for members policy #75
Conversation
amandakarina
requested review from
bharathkkb,
erlanderlo and
morgante
as code owners
| @@ -101,34 +126,37 @@ resource "google_data_catalog_policy_tag" "ssn_child_policy_tag" { | |||
| } | |||
|
|
|||
| resource "google_data_catalog_policy_tag_iam_member" "private_sa_name" { | |||
| count = length(local.private_accounts) | |||
There was a problem hiding this comment.
Hey @bharathkkb
If I use for_each here, I got the following error:
Error: Invalid for_each argument
Step #2 - "converge-bigquery-sensitive-data":
Step #2 - "converge-bigquery-sensitive-data": on ../../../modules/data_warehouse_taxonomy/main.tf line 150, in resource "google_data_catalog_policy_tag_iam_member" "confidential_sa_ssn":
Step #2 - "converge-bigquery-sensitive-data": 150: for_each = toset(local.confidential_accounts)
Step #2 - "converge-bigquery-sensitive-data":
Step #2 - "converge-bigquery-sensitive-data": The "for_each" value depends on resource attributes that cannot be determined
Step #2 - "converge-bigquery-sensitive-data": until apply, so Terraform cannot predict how many instances will be created.
Step #2 - "converge-bigquery-sensitive-data": To work around this, use the -target argument to first apply only the
Step #2 - "converge-bigquery-sensitive-data": resources that the for_each depends on.
Because I'm creating an array that depends of a decision to create the service account or use an array.
private_accounts = length(var.confidential_access_members) == 0 ? ["serviceAccount:${module.service_accounts.emails["terraform-private-sa"]}"] : var.private_access_members
confidential_accounts = length(var.private_access_members) == 0 ? ["serviceAccount:${module.service_accounts.emails["terraform-confidential-sa"]}"] : var.confidential_access_members
At this point, the terraform can only knows the size of the array, but can reach the value that for_each access.
Do you have any idea of how we can solve this?
There was a problem hiding this comment.
There was a problem hiding this comment.
@amandakarina Could we use something like private_accounts = length(var.private_access_members) == 0 ? {"terraform-private-sa"="serviceAccount:${module.service_accounts.emails["terraform-private-sa"]}"} : {for m in var.private_access_members: m=>m} to get known keys with unknown values?
There was a problem hiding this comment.
@bharathkkb sounds pretty good!
| "roles/bigquery.dataViewer", | ||
| "roles/datacatalog.viewer", | ||
| ] | ||
| create_confidential_sa = length(var.confidential_access_members) == 0 ? ["terraform-confidential-sa"] : [] |
There was a problem hiding this comment.
@erlanderlo wondering about this #47 (comment). Did we reach a conclusion?
amandakarina
deleted the
feat/adds-variable-for-sensitive-data-service-accounts
branch
Fixes #47