feat: add conversion between iam and primitive roles (#62)

* add conversion between iam and primitive roles * fmt
terraform-google-modules · Apr 28, 2020 · f454638 · f454638
1 parent 7d64e2c
commit f454638
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/main.tf b/main.tf
@@ -16,6 +16,11 @@
 
 locals {
   tables = { for table in var.tables : table["table_id"] => table }
+  iam_to_primitive = {
+    "roles/bigquery.dataOwner" : "OWNER"
+    "roles/bigquery.dataEditor" : "EDITOR"
+    "roles/bigquery.dataViewer" : "READER"
+  }
 }
 
 resource "google_bigquery_dataset" "main" {
@@ -31,7 +36,10 @@ resource "google_bigquery_dataset" "main" {
   dynamic "access" {
     for_each = var.access
     content {
-      role = access.value.role
+      # BigQuery API converts IAM to primitive roles in its backend.
+      # This causes Terraform to show a diff on every plan that uses IAM equivalent roles.
+      # Thus, do the conversion between IAM to primitive role here to prevent the diff.
+      role = lookup(local.iam_to_primitive, access.value.role, access.value.role)
 
       domain         = lookup(access.value, "domain", null)
       group_by_email = lookup(access.value, "group_by_email", null)

diff --git a/variables.tf b/variables.tf
@@ -66,7 +66,7 @@ variable "access" {
 
   # At least one owner access is required.
   default = [{
-    role          = "OWNER"
+    role          = "roles/bigquery.dataOwner"
     special_group = "projectOwners"
   }]
 }