
global or zonal IAP SSH tunnel #7196

Closed
YannSfeir opened this issue Sep 4, 2020 · 7 comments · Fixed by GoogleCloudPlatform/magic-modules#4137, hashicorp/terraform-provider-google-beta#2642 or #7635

Comments

@YannSfeir

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Identity Aware Proxy (IAP) SSH access can be set up not only for a specific instance, but also for a zone or globally. And that's my problem with google_iap_tunnel_instance_iam_policy, google_iap_tunnel_instance_iam_binding and google_iap_tunnel_instance_iam_member: I can't use them with a Managed Instance Group, for instance, considering instances can be replaced at any time and are in several different zones.

I would like to be able to set up an IAP SSH tunnel for all my instances, even for instances not yet created. Basically, zone and instance should be optional fields.

New or Affected Resource(s)

google_iap_tunnel_iam_policy
google_iap_tunnel_iam_binding
google_iap_tunnel_iam_member

Potential Terraform Configuration

resource "google_iap_tunnel_iam_policy" "policy" {
  project = google_compute_instance.tunnelvm.project
  policy_data = data.google_iam_policy.admin.policy_data
}

resource "google_iap_tunnel_iam_binding" "binding" {
  project = google_compute_instance.tunnelvm.project
  role = "roles/iap.tunnelResourceAccessor"
  members = [
    "user:[email protected]",
  ]
}

resource "google_iap_tunnel_iam_member" "member" {
  project = google_compute_instance.tunnelvm.project
  role = "roles/iap.tunnelResourceAccessor"
  member = "user:[email protected]"
}

@ghost ghost added enhancement labels Sep 4, 2020
@semangard

+1
For sure it is a mandatory missing feature.

@upodroid
Contributor

upodroid commented Sep 4, 2020

Hi

If you are looking to set up IAP for all instances, you should apply the role roles/iap.tunnelResourceAccessor to the project so every current and future VM will inherit this role.

It is a bad idea to apply IAM policies to instances that are part of a Managed Instance Group. They are by design ephemeral, so it is better to assign roles to the zone or the project.

If you look here, https://cloud.google.com/iap/docs/managing-access#resources_and_permissions, the iap.tunnel resource API call is functionally identical to doing something like this:

resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/iap.tunnelResourceAccessor"
  member  = "user:[email protected]"
}

If this answers your question, please go ahead and close the issue.

Thank you

@YannSfeir
Author

Hello,

First of all, thanks for your quick answer.

But the main issue with assigning the role roles/iap.tunnelResourceAccessor with IAM is that we can't use conditions based on access levels. However, our IAP tunnels have a couple of restrictions based on access levels, which we won't be able to use with IAM...

So, we really need those kinds of resources.

Thanks for your help!

@upodroid
Contributor

upodroid commented Sep 7, 2020

@danawillow
Contributor

danawillow commented Sep 12, 2020

Just to link the prior request for this: #5577.

@upodroid, I'm pretty sure that specific condition is only valid for IAP resources, and doesn't work at the project IAM level. If you've been able to get it to work properly, I bet the subscribers on this issue would be interested in an example.

We can add new resources for this with https://cloud.google.com/iap/docs/reference/rest/v1/TopLevel/setIamPolicy.

@upodroid
Contributor

upodroid commented Sep 12, 2020

I assumed the OP wasn't using conditions but later on he talked about access levels which can be specified in IAM conditions and work if you use the iap.googleapis.com setIamPolicy calls.

On that note, there are other resources such as snapshots that have iam methods which we don't have resources for. I'll open separate issues for those.
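The distinction drawn in the comments above (a project-level IAM binding cannot carry an access-level condition, while a binding set through the iap.googleapis.com setIamPolicy call can) as an added example configuration, not code from the thread or from the provider's own documentation. It assumes the google_iap_tunnel_iam_member resource requested by this issue exposes the same condition block as the provider's other *_iam_member resources; the project id, access policy id, CIDR and group address are placeholders.

```hcl
# Added example: project-wide IAP TCP tunnel access, gated on an
# Access Context Manager access level instead of being granted to
# every caller with the role.

variable "project_id"       { default = "my-project-id" }  # placeholder
variable "access_policy_id" { default = "000000000000" }   # placeholder

# An access level describing where tunnels may be opened from.
# Its `name` attribute has the form
# accessPolicies/<policy_id>/accessLevels/<short_name>.
resource "google_access_context_manager_access_level" "corp_network" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/accessLevels/corp_network"
  title  = "corp_network"

  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]  # placeholder corporate egress range
    }
  }
}

# Grant roles/iap.tunnelResourceAccessor at the IAP tunnel level for the
# whole project (no zone or instance), so VMs created later by a Managed
# Instance Group are covered, and restrict it to sessions that satisfy
# the access level. The same condition is not valid on
# google_project_iam_member, which is why a dedicated resource is needed.
resource "google_iap_tunnel_iam_member" "ssh_from_corp" {
  project = var.project_id
  role    = "roles/iap.tunnelResourceAccessor"
  member  = "group:[email protected]"  # placeholder

  condition {
    title       = "tunnel-from-corp-network-only"
    description = "Only honour IAP tunnel requests that satisfy the corp_network access level"
    expression  = "\"${google_access_context_manager_access_level.corp_network.name}\" in request.auth.access_levels"
  }
}
```

Anyone holding the role but connecting from outside the access level is refused by IAP before the TCP tunnel is established, and the refusal is visible in the IAP audit logs rather than on the VM.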

@ghost

ghost commented Nov 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Nov 26, 2020
@github-actions github-actions bot added forward/review In review; remove label to forward service/iap labels Jan 14, 2025