Skip to content

[Feature Request]: [GSoC 2026] Managing the integrity of roles made by Terraform #39215

Description

@HansMarcus01

What would you like to happen?

Currently, the Apache Beam GCP infrastructure uses Terraform to manage IAM Custom Roles (e.g., beam_writer, beam_viewer). The deployment of these roles is handled by the .github/workflows/beam_Infrastructure_UsersPermissions.yml workflow, and the state is securely stored in a remote GCS backend (beam-terraform-infra-state).

There is currently no mechanism to guarantee the continuous integrity of these custom roles. If an administrator or a compromised account manually modifies a custom role directly in the Google Cloud Console (e.g., adding unauthorized permissions or deleting the role entirely), Terraform will not detect or correct this configuration drift until the next time a PR coincidentally updates the IAM files.

While our Python scripts (iam.py) audit user bindings on a daily schedule, the definitions of the custom roles themselves remain exposed to undetected out-of-band modifications.

Issue Priority

Priority: 2 (default / most feature requests should be filed as P2)

Issue Components

  • Component: Python SDK
  • Component: Java SDK
  • Component: Go SDK
  • Component: Typescript SDK
  • Component: IO connector
  • Component: Beam YAML
  • Component: Beam examples
  • Component: Beam playground
  • Component: Beam katas
  • Component: Website
  • Component: Infrastructure
  • Component: Spark Runner
  • Component: Flink Runner
  • Component: Prism Runner
  • Component: Twister2 Runner
  • Component: Hazelcast Jet Runner
  • Component: Google Cloud Dataflow Runner

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions