red888

Reputation: 31652

How can I prevent new authoritative binding resources from clobbering existing bindings?

All authoritative GCP IAM bindings have atrocious behaviour in that if you create a new tf resource for a GCP resource with existing bindings, it won't check if there are any existing bindings and will totally overwrite them.

For example this:

resource "google_bigquery_dataset_iam_policy" "iam_policy" {
  dataset_id  = <THIS DATASET HAS EXISTING BINDINGS>
  policy_data = data.google_iam_policy.iam_policy.policy_data
}

The plan only shows me it's adding the new bindings I have defined in data.google_iam_policy.iam_policy. What it doesn't tell me is that there are 20+ existing bindings on this resource that it's going to completely wipe out without any error or indication.

I found I could work around this by adding an import block:

import {
  id = <THIS DATASET HAS EXISTING BINDINGS>
  to = google_bigquery_dataset_iam_policy.iam_policy
}

resource "google_bigquery_dataset_iam_policy" "iam_policy" {
  dataset_id  = var.google_bigquery_dataset_id
  policy_data = data.google_iam_policy.iam_policy.policy_data
}

Now terraform imports the dataset bindings into the resource and I see a big diff with all my existing bindings. It's wild this is not default behaviour.

It's annoying, though, to add import statements to every resource, so I tried to put them into a module I could use to DRY up the config, but it seems you can't add import blocks in modules?

Is there any way around the import block limitation, or some feature of the GCP provider I'm unaware of that fixes this behaviour?

Upvotes: 0

Views: 40

Answers (1)

Romina C. M.

Reputation: 721

You prevent new authoritative resources by using google_project_iam_member. This resource is non-authoritative.

All resources have a non-authoritative IAM member resource, for example google_cloud_run_service_iam_member, and for the dataset case: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset_iam#google_bigquery_dataset_iam_member-1

Upvotes: 0
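The non-authoritative approach from the answer, written out as an added example (this is not code from the question, the answer, or the Terraform Google provider docs). It grants a set of roles on a dataset that already has bindings using google_bigquery_dataset_iam_member, one resource instance per (role, member) pair, next to the authoritative form from the question for contrast. var.project_id, var.dataset_id, var.additional_members and the sample members inside it are hypothetical values chosen for this example.

```hcl
# Added example: add bindings to an existing BigQuery dataset without
# touching bindings that Terraform does not manage.
#
# google_bigquery_dataset_iam_member is non-authoritative: each instance
# owns exactly one (role, member) pair. Bindings created outside Terraform
# are left alone on apply, which is what the question's authoritative
# google_bigquery_dataset_iam_policy resource does NOT do.

variable "project_id" {
  type = string
}

variable "dataset_id" {
  type        = string
  description = "ID of a dataset that already has bindings managed elsewhere"
}

# role -> set of members to grant. The defaults are constructed sample
# values for this example, not real principals.
variable "additional_members" {
  type = map(set(string))
  default = {
    "roles/bigquery.dataViewer" = [
      "serviceAccount:reporting@example-project.iam.gserviceaccount.com",
    ]
    "roles/bigquery.dataEditor" = [
      "group:data-engineering@example.com",
    ]
  }
}

# Flatten the map into one object per (role, member) pair so every binding
# gets its own resource instance with a stable for_each key. Removing an
# entry from the map later removes only that one binding.
locals {
  member_bindings = {
    for pair in flatten([
      for role, members in var.additional_members : [
        for member in members : {
          role   = role
          member = member
        }
      ]
    ]) : "${pair.role}/${pair.member}" => pair
  }
}

resource "google_bigquery_dataset_iam_member" "additional" {
  for_each = local.member_bindings

  project    = var.project_id
  dataset_id = var.dataset_id
  role       = each.value.role
  member     = each.value.member
}

# Contrast: the authoritative form from the question. policy_data replaces
# the dataset's entire IAM policy, so any binding not listed in the
# google_iam_policy data source is removed on apply, and the plan only
# shows that removal if the existing policy was imported first.
#
# resource "google_bigquery_dataset_iam_policy" "iam_policy" {
#   dataset_id  = var.dataset_id
#   policy_data = data.google_iam_policy.iam_policy.policy_data
# }
```

Because no import block is needed for the member resources, this block can live inside a reusable module, which sidesteps the root-module-only restriction on import blocks that the question runs into. The trade-off is the mirror image of the clobbering problem: a non-authoritative resource never removes bindings it does not own, so `terraform plan` will not surface grants added out of band. If you need Terraform to detect and revert unexpected bindings, that requires an authoritative resource plus importing the existing policy first, as the question's workaround does.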
