
Add support for iam_member field in access configuration #428

@bbacani

Description


TL;DR

The underlying Terraform provider resource google_bigquery_dataset now supports the iam_member field within the access block (alongside userByEmail, groupByEmail, etc.).

The current module implementation does not expose this field, which is needed for granting access to specific member types (e.g., allUsers, workload/workforce federated identities) that are not covered by the existing userByEmail, groupByEmail, domain, or specialGroup fields.

Using an iam_member type for access currently results in the following API error:

googleapi: Error 400: An access entry must have exactly one of userByEmail, groupByEmail, domain, specialGroup defined, view, routine, or dataset., invalid

Please update the module's access block configuration to include support for iam_member.

Terraform Resources

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset#nested_access

Detailed design

https://github.com/terraform-google-modules/terraform-google-bigquery/blob/ac8f494e16c9579490a9996afffc4d25bbaf8ffb/main.tf#L52

  dynamic "access" {
    for_each = var.access
    content {
      # BigQuery API converts IAM to primitive roles in its backend.
      # This causes Terraform to show a diff on every plan that uses IAM equivalent roles.
      # Thus, do the conversion between IAM to primitive role here to prevent the diff.
      role = lookup(local.iam_to_primitive, access.value.role, access.value.role)

      # Additionally, using null as a default value would lead to a permanent diff
      # See https://github.com/hashicorp/terraform-provider-google/issues/4085#issuecomment-516923872
      domain         = lookup(access.value, "domain", "")
      group_by_email = lookup(access.value, "group_by_email", "")
      user_by_email  = lookup(access.value, "user_by_email", "")
      special_group  = lookup(access.value, "special_group", "")
      iam_group      = lookup(access.value, "iam_group", "")
    }
  }
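The following is an added example, not code from the terraform-google-bigquery module or from the issue author: the same dynamic "access" block with the requested iam_member field wired in, alongside a sample var.access value that uses it. It assumes the google provider version in use exposes iam_member on the access block (per the provider docs linked above) and that an empty string is an acceptable "unset" value for iam_member, as it is for the other string fields in the module. The iam_to_primitive mapping is reconstructed from the comment's description, and the workforce pool and subject names are placeholders. Note that iam_member also accepts allUsers and allAuthenticatedUsers, which make the dataset readable by anyone with the role granted; the sample uses a federated identity principal instead, which is the case the existing user/group/domain/special_group fields cannot express.

```terraform
# Added example (not the module's own code). See lead-in for assumptions.

variable "access" {
  description = "Access entries for the dataset; each map carries a role plus exactly one principal field."
  type        = list(map(string))
  default = [
    {
      role          = "roles/bigquery.dataOwner"
      special_group = "projectOwners"
    },
    {
      # Workforce-pool principal (placeholder pool/subject), only expressible via iam_member.
      role       = "roles/bigquery.dataViewer"
      iam_member = "principal://iam.googleapis.com/locations/global/workforcePools/EXAMPLE_POOL/subject/EXAMPLE_SUBJECT"
    },
  ]
}

locals {
  # Assumed mapping matching the module comment: the API stores IAM roles as
  # primitive roles, so converting here keeps `terraform plan` free of spurious diffs.
  iam_to_primitive = {
    "roles/bigquery.dataOwner"  = "OWNER"
    "roles/bigquery.dataEditor" = "WRITER"
    "roles/bigquery.dataViewer" = "READER"
  }
}

resource "google_bigquery_dataset" "example" {
  dataset_id = "example_dataset" # placeholder
  location   = "US"

  dynamic "access" {
    for_each = var.access
    content {
      role = lookup(local.iam_to_primitive, access.value.role, access.value.role)

      # Empty-string defaults follow the module's existing pattern to avoid a permanent diff.
      domain         = lookup(access.value, "domain", "")
      group_by_email = lookup(access.value, "group_by_email", "")
      user_by_email  = lookup(access.value, "user_by_email", "")
      special_group  = lookup(access.value, "special_group", "")
      iam_group      = lookup(access.value, "iam_group", "")
      # Field requested by this issue; assumed to accept "" when unset, like the others.
      iam_member = lookup(access.value, "iam_member", "")
    }
  }
}
```

Each entry still has to set exactly one principal field, which is the constraint the 400 error above is enforcing; with iam_member exposed, an entry carrying only role and iam_member satisfies it, and a `terraform plan` against a provider that supports the field should show the entry without a diff on subsequent runs.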



Labels

enhancement (New feature or request)
