How can I safely migrate from google_project_iam_policy resources to google_project_iam_member?












2















I have a TF project which currently uses a single google_project_iam_policy resource, and would like to transition to using
google_project_iam_member.



The documentation warns:




google_project_iam_policy cannot be used in conjunction with google_project_iam_binding and google_project_iam_member or they will fight over what your policy should be.




Is there a safe path to migrate from one style to the other?






terraform-provider-gcp







share|improve this question



























    2















    I have a TF project which currently uses a single google_project_iam_policy resource, and would like to transition to using
    google_project_iam_member.



    The documentation warns:




    google_project_iam_policy cannot be used in conjunction with google_project_iam_binding and google_project_iam_member or they will fight over what your policy should be.




    Is there a safe path to migrate from one style to the other?






    terraform-provider-gcp







    share|improve this question

























      2












      2








      2


      1






      I have a TF project which currently uses a single google_project_iam_policy resource, and would like to transition to using
      google_project_iam_member.



      The documentation warns:




      google_project_iam_policy cannot be used in conjunction with google_project_iam_binding and google_project_iam_member or they will fight over what your policy should be.




      Is there a safe path to migrate from one style to the other?






      terraform-provider-gcp







      share|improve this question














      I have a TF project which currently uses a single google_project_iam_policy resource, and would like to transition to using
      google_project_iam_member.



      The documentation warns:




      google_project_iam_policy cannot be used in conjunction with google_project_iam_binding and google_project_iam_member or they will fight over what your policy should be.




      Is there a safe path to migrate from one style to the other?






      terraform-provider-gcp




      terraform-provider-gcp






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 14 '18 at 0:51









      Mike WilliamsMike Williams

      984




      984
























          1 Answer
          1






          active

          oldest

          votes


















          2














          google_project_iam_policy might fight with google_project_iam_binding and google_project_iam_member, but it should be possible to use them concurrently for a brief period (provided they contain the same values).



          I haven't tested this, but I think it should be possible to do something like:




          1. Mirror the current google_project_iam_policy permissions into a new set of google_project_iam_binding or google_project_iam_member resources

          2. Run terraform apply to add the new resources to your terraform state file

          3. Remove the old google_project_iam_policy resources from your terraform config, but don't run terraform apply

          4. Run terraform state rm <resource-name> for each of the old google_project_iam_policy resources

          5. Run terraform plan and confirm no changes are planned






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53291631%2fhow-can-i-safely-migrate-from-google-project-iam-policy-resources-to-google-proj%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2














            google_project_iam_policy might fight with google_project_iam_binding and google_project_iam_member, but it should be possible to use them concurrently for a brief period (provided they contain the same values).



            I haven't tested this, but I think it should be possible to do something like:




            1. Mirror the current google_project_iam_policy permissions into a new set of google_project_iam_binding or google_project_iam_member resources

            2. Run terraform apply to add the new resources to your terraform state file

            3. Remove the old google_project_iam_policy resources from your terraform config, but don't run terraform apply

            4. Run terraform state rm <resource-name> for each of the old google_project_iam_policy resources

            5. Run terraform plan and confirm no changes are planned






            share|improve this answer




























              2














              google_project_iam_policy might fight with google_project_iam_binding and google_project_iam_member, but it should be possible to use them concurrently for a brief period (provided they contain the same values).



              I haven't tested this, but I think it should be possible to do something like:




              1. Mirror the current google_project_iam_policy permissions into a new set of google_project_iam_binding or google_project_iam_member resources

              2. Run terraform apply to add the new resources to your terraform state file

              3. Remove the old google_project_iam_policy resources from your terraform config, but don't run terraform apply

              4. Run terraform state rm <resource-name> for each of the old google_project_iam_policy resources

              5. Run terraform plan and confirm no changes are planned






              share|improve this answer


























                2












                2








                2







                google_project_iam_policy might fight with google_project_iam_binding and google_project_iam_member, but it should be possible to use them concurrently for a brief period (provided they contain the same values).



                I haven't tested this, but I think it should be possible to do something like:




                1. Mirror the current google_project_iam_policy permissions into a new set of google_project_iam_binding or google_project_iam_member resources

                2. Run terraform apply to add the new resources to your terraform state file

                3. Remove the old google_project_iam_policy resources from your terraform config, but don't run terraform apply

                4. Run terraform state rm <resource-name> for each of the old google_project_iam_policy resources

                5. Run terraform plan and confirm no changes are planned






                share|improve this answer













                google_project_iam_policy might fight with google_project_iam_binding and google_project_iam_member, but it should be possible to use them concurrently for a brief period (provided they contain the same values).



                I haven't tested this, but I think it should be possible to do something like:




                1. Mirror the current google_project_iam_policy permissions into a new set of google_project_iam_binding or google_project_iam_member resources

                2. Run terraform apply to add the new resources to your terraform state file

                3. Remove the old google_project_iam_policy resources from your terraform config, but don't run terraform apply

                4. Run terraform state rm <resource-name> for each of the old google_project_iam_policy resources

                5. Run terraform plan and confirm no changes are planned







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 15 '18 at 23:08









                James HealyJames Healy

                9,48122130




                9,48122130






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53291631%2fhow-can-i-safely-migrate-from-google-project-iam-policy-resources-to-google-proj%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    The Sandy Post

                    Image
                    The Sandy Post From Wikipedia, the free encyclopedia Jump to navigation Jump to search The Sandy Post Type Weekly Newspaper Format Tabloid Owner(s) Community Newspapers/Pamplin Media Group Publisher J. Mark Garber Editor Steve Brown Founded 1937  ( 1937 ) Headquarters Sandy, Oregon Circulation 3,800 Website www.pamplinmedia.com/sandy-post-home/ This article needs additional citations for verification . Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (February 2010) (Learn how and when to remove this template message) The Sandy Post is a weekly newspaper, published in Sandy, Oregon, United States. The paper, founded in 1937, serves the communities of Sandy, Boring, the Villages at Mount Hood and the surrounding areas. The newspaper is owned by Community Newspapers/Pamplin Media Group, a company of ...
                    Read more

                    Danny Elfman

                    Image
                    Danny Elfman From Wikipedia, the free encyclopedia Jump to navigation Jump to search Danny Elfman Elfman at the 2010 San Diego Comic-Con Born Daniel Robert Elfman ( 1953-05-29 ) May 29, 1953 (age 65) Los Angeles, California, U.S. Spouse(s) Bridget Fonda ( m.  2003) Children 1 Musical career Genres Rock [1] ska [2] new wave film music video game music Occupation(s) Composer, singer, songwriter, record producer Instruments Trombone guitar percussion vocals keyboards [3] Years active 1972–present Associated acts Oingo Boingo James Newton Howard Daniel Robert Elfman (born May 29, 1953) is an American composer, singer, songwriter, and record producer. Elfman first became known for being the lead singer and songwriter for the band Oingo Boingo from 1974 to 1995. He is well known for scoring films and television shows, particularly his frequent collabora...
                    Read more

                    Pages that link to "Head v. Amoskeag Manufacturing Co."

                    Image
                    Help Pages that link to "Head v. Amoskeag Manufacturing Co." ← Head v. Amoskeag Manufacturing Co. Jump to navigation Jump to search What links here Page:   Namespace:  all (Article) Talk User User talk Wikipedia Wikipedia talk File File talk MediaWiki MediaWiki talk Template Template talk Help Help talk Category Category talk Portal Portal talk Book Book talk Draft Draft talk TimedText TimedText talk Module Module talk Gadget Gadget talk Gadget definition Gadget definition talk   Invert selection Filters Hide transclusions | Hide links | Hide redirects The following pages link to Head v. Amoskeag Manufacturing Co. External tools: Show redirects only View (previous 50 | next 50) (20 | 50 | 100 | 250 | 500) Amoskeag Manufacturing Company ‎ (links | edit) List of United States Supreme Court cases by the Waite Court ‎ (links | edit) Talk:Head v. Amoskeag Manuf...
                    Read more