Ability to reference a GKE google_compute_backend_service by kubernetes.io/service-name label

[achew22]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

I would like to reopen issue #5468 given that team who was a candidate to implement the functionality (the GKE team) has closed the associated Buganizer ticket as Won't Fix Infeasible) and instructed people to use the gcloud iap web command. I believe this is, ultimately, the same API that terraform-provider-google uses.

I'm going to copy over the information from the original ticket, but would be perfectly happy if we closed this one and reopened #5468.

--
Begin the original bug:

I have several GCE Ingresses with Identity-Aware Proxy enabled and I'm attempting to use Terraform specify which G Suite user groups are allowed to access (via the iap.httpsResourceAccessor role).

The GCE Ingresses and therefore also the corresponding Backend Services are managed by GKE, not Terraform. Therefore I am attempting to use the google_compute_backend_service data source reference in my google_iap_web_backend_service_iam_policy but am struggling to work out how to inform Terraform of the correct name attribute since it's an auto-generated name, e.g. k8s-be-12345--1234a12345xy78za.

The Kubernetes service name is available within the description of the backendServices API:

GET https://compute.googleapis.com/compute/v1/projects/{project}/global/backendServices

      "name": "k8s-be-12345--1234a12345xy78z",
      "description": "{\"kubernetes.io/service-name\":\"my-namespace/my-ingress\",\"kubernetes.io/service-port\":\"3000\"}",
      "selfLink": "https://www.googleapis.com/compute/v1/projects/<project>/global/backendServices/k8s-be-12345--1234a12345xy78z",

Could this be used to allow me to select which GCE Ingress I want to refer to in the google_compute_backend_service data source?

New or Affected Resource(s)

• google_compute_backend_service
• google_iap_web_backend_service_iam_policy

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

data "google_iam_policy" "iap-team-access" {
  binding {
    role = "roles/iap.httpsResourceAccessor"

    members = [
      "group:my-first-team@example.com",
      "group:my-second-team@example.com",
    ]
  }

  audit_config {
    service = "iap.googleapis.com"
    audit_log_configs {
      log_type = "DATA_READ"
    }

    audit_log_configs {
      log_type = "DATA_WRITE"
    }

    audit_log_configs {
      log_type = "ADMIN_READ"
    }
  }
}

data google_compute_backend_service "my-ingress" {
  kubernetes-service-name = "my-namespace/my-ingress"
}

resource "google_project_iam_audit_config" "iap-audit-logging" {
  project = local.remote_proj_id
  service = "iap.googleapis.com"

  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

resource "google_iap_web_backend_service_iam_policy" "my-ingress-team-access" {
  provider = google-beta
  project  = local.remote_proj_id

  web_backend_service = data.google_compute_backend_service.my-ingress.name
  policy_data         = data.google_iam_policy.iap-team-access.policy_data
}

References

• This is a recreation of Ability to reference a GKE google_compute_backend_service by kubernetes.io/service-name label #5468 (@dijitali, thank you for putting together such a nice issue).

[rileykarson]

This would be supported by a plural datasource for the resource, #8255

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.