From f454638175bfb429250697beea7e8ade3d634679 Mon Sep 17 00:00:00 2001
From: Umair Idris
Date: Tue, 28 Apr 2020 14:14:23 -0400
Subject: [PATCH] feat: add conversion between iam and primitive roles (#62)
* add conversion between iam and primitive roles
* fmt
---
 main.tf | 10 +++++++++-
 variables.tf | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index e9535753..e78ac7ae 100644
--- a/main.tf
+++ b/main.tf
@@ -16,6 +16,11 @@ locals {
   tables = {
     for table in var.tables : table["table_id"] => table
   }
+  iam_to_primitive = {
+    "roles/bigquery.dataOwner" : "OWNER"
+    "roles/bigquery.dataEditor" : "EDITOR"
+    "roles/bigquery.dataViewer" : "READER"
+  }
 }
 
 resource "google_bigquery_dataset" "main" {
@@ -31,7 +36,10 @@ resource "google_bigquery_dataset" "main" {
   dynamic "access" {
     for_each = var.access
     content {
-      role = access.value.role
+      # BigQuery API converts IAM to primitive roles in its backend.
+      # This causes Terraform to show a diff on every plan that uses IAM equivalent roles.
+      # Thus, do the conversion between IAM to primitive role here to prevent the diff.
+      role = lookup(local.iam_to_primitive, access.value.role, access.value.role)
       domain = lookup(access.value, "domain", null)
       group_by_email = lookup(access.value, "group_by_email", null)
diff --git a/variables.tf b/variables.tf
index 4105ab8a..0712b752 100644
--- a/variables.tf
+++ b/variables.tf
@@ -66,7 +66,7 @@ variable "access" {
   # At least one owner access is required.
   default = [{
-    role = "OWNER"
+    role = "roles/bigquery.dataOwner"
     special_group = "projectOwners"
   }]
 }
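Review bot: The new `iam_to_primitive` local in the first hunk carries no comment explaining why it exists or why it is limited to exactly three roles, and the `lookup(local.iam_to_primitive, access.value.role, access.value.role)` that consumes it in the next hunk passes any unlisted string (a typo such as `roles/bigquery.dataowner`, or an IAM role with no dataset-level primitive equivalent) straight through to the API, so a wrong role in `var.access` is only rejected at apply time, not at plan time. I would add above the map: `# IAM dataset roles that the BigQuery API rewrites to the primitive OWNER/EDITOR/READER names; the access block maps them here so plans stay diff-free. Any role not listed is sent to the API unchanged.` Since this map ultimately decides who is granted OWNER/EDITOR/READER on the dataset, it should stay restricted to these exact, case-sensitive IAM names rather than growing into a looser match. The `access` variable's description (outside this diff) should also state that both spellings are accepted and that state will show the primitive name.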