This is an automated email from the ASF dual-hosted git repository.

pabloem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git


The following commit(s) were added to refs/heads/master by this push:
     new 77973ca0aea GCP User IAM workflow modified to post Terraform plan as a 
comment on PRs (#36375)
77973ca0aea is described below

commit 77973ca0aea0f8aa620ef9017b210e91325a2d39
Author: Enrique Calderon <[email protected]>
AuthorDate: Tue Oct 7 14:55:22 2025 -0600

    GCP User IAM workflow modified to post Terraform plan as a comment on PRs 
(#36375)
    
    * GCP User IAM workflow modified to post Terraform plan as a comment on PRs
    
    * Update GCP IAM roles in users.yml and modify workflow permissions for 
pull requests
    
    * Update role for user  to use custom beam_viewer role for testing
    
    * Update beam_Infrastructure_UsersPermissions.yml
    
    Changing event_name to p_r_t, and removing the specific ref to checkout
    
    * Update beam_Infrastructure_UsersPermissions.yml
    
    removing all p_r_t filters to make it match all prs
    
    * Return the filter on pull_request_target 
beam_Infrastructure_UsersPermissions.yml
    
    ---------
    
    Co-authored-by: P <[email protected]>
---
 .../beam_Infrastructure_UsersPermissions.yml       | 31 +++++++++++++++++++++-
 infra/iam/users.yml                                | 15 ++++-------
 2 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/beam_Infrastructure_UsersPermissions.yml 
b/.github/workflows/beam_Infrastructure_UsersPermissions.yml
index 07f7c6fa240..1a73045a492 100644
--- a/.github/workflows/beam_Infrastructure_UsersPermissions.yml
+++ b/.github/workflows/beam_Infrastructure_UsersPermissions.yml
@@ -17,6 +17,8 @@
 
 # This workflow modifies the GCP User Roles when the infra/users.yml file is 
updated.
 # It applies the changes using Terraform to manage the IAM roles for users 
defined in the users.yml
+# If the workflow is triggered by a pull request, it will post the Terraform 
plan as a comment on the PR
+# as a code block for easy review.
 
 name: Modify the GCP User Roles according to the infra/users.yml file
 
@@ -28,6 +30,10 @@ on:
       - main
     paths:
       - 'infra/iam/users.yml'
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'infra/iam/users.yml'
 
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
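Review bot: `pull_request_target` on L66-L69 runs this job with the base repository's secrets and the write-scoped GITHUB_TOKEN granted further down for any fork PR whose changed files include infra/iam/users.yml, and the `paths` filter does not stop the same PR from also changing the Terraform configuration in infra/iam. Whether fork-supplied configuration reaches `terraform plan` depends on the checkout step, which is outside this hunk: the commit message says the explicit ref was removed, so if checkout now takes the base branch the posted plan reflects the base tree rather than the PR, and if it takes the PR head the fork's .tf files run with the project credentials. A safer shape is to check out the base branch and copy only `infra/iam/users.yml` from the PR head before planning, or to gate the PR-event steps on `github.event.pull_request.head.repo.full_name == github.repository`. Either way, the header comment should state which ref the plan is computed from.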
@@ -36,7 +42,8 @@ concurrency:
 
 #Setting explicit permissions for the action to avoid the default permissions 
which are `write-all` in case of pull_request_target event
 permissions:
-  contents: read
+  contents: write
+  pull-requests: write
 
 jobs:
   beam_UserRoles:
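Review bot: `contents: write` on L79 is broader than anything the new steps need: `actions/checkout` works with `contents: read` and `gh pr comment` needs only `pull-requests: write`, so the block should read `contents: read` followed by `pull-requests: write`. The comment directly above says the explicit block exists to avoid the `write-all` default under `pull_request_target`, and a write-scoped contents token in a job that may evaluate fork-supplied files works against that intent. If a later step genuinely needs to push, scope that permission to that job rather than the whole workflow.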
@@ -57,6 +64,28 @@ jobs:
       - name: Terraform Plan
         working-directory: ./infra/iam
         run: terraform plan -out=tfplan
+
+      - name: Convert plan to plaintext
+        if: github.event_name == 'pull_request_target'
+        working-directory: ./infra/iam
+        run: terraform show -no-color tfplan > tfplan.txt
+
+      - name: Create comment body
+        if: github.event_name == 'pull_request_target'
+        run: |
+          echo "### Terraform Plan for User Roles Changes" > comment_body.txt
+          echo '```' >> comment_body.txt
+          cat ./infra/iam/tfplan.txt >> comment_body.txt
+          echo '```' >> comment_body.txt
+
+      - name: Upload plan as a comment to PR
+        if: github.event_name == 'pull_request_target'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: gh pr comment ${{ github.event.pull_request.number }} --body-file 
comment_body.txt
+
       - name: Terraform Apply
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && 
github.repository == 'apache/beam'
         working-directory: ./infra/iam
         run: terraform apply -auto-approve tfplan
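Review bot: Each `synchronize` event appends a fresh plan comment (L102-L108), so an actively updated PR accumulates stale plans with nothing marking the current one; `gh pr comment` can update the bot's previous comment instead, e.g. `run: gh pr comment ${{ github.event.pull_request.number }} --edit-last --body-file comment_body.txt || gh pr comment ${{ github.event.pull_request.number }} --body-file comment_body.txt` (the fallback covers the first run). The comment body on L97-L100 wraps tfplan.txt in a three-backtick fence without escaping, so any backtick fence in the plan output ends the block early; writing `echo '````'` for the opening and closing lines avoids that. The apply guard on L111-L112 keys on `refs/heads/main` while this push landed on `master`; the existing `push` trigger already filters on `main`, so confirm that is the intended branch, otherwise the apply step never runs.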
diff --git a/infra/iam/users.yml b/infra/iam/users.yml
index c86446ba37b..bffdbebb7e7 100644
--- a/infra/iam/users.yml
+++ b/infra/iam/users.yml
@@ -14,20 +14,12 @@
 # limitations under the License.
 
 # IAM policy for project apache-beam-testing
-# Generated on 2025-09-19 18:17:58 UTC
+# Generated on 2025-10-07 16:00:39 UTC
 
 - username: WhatWouldAustinDo
   email: [email protected]
   permissions:
   - role: roles/editor
-- username: a.khorbaladze
-  email: [email protected]
-  permissions:
-  - role: roles/bigquery.admin
-  - role: roles/container.admin
-  - role: roles/editor
-  - role: roles/iam.serviceAccountUser
-  - role: roles/secretmanager.admin
 - username: aaronleeiv
   email: [email protected]
   permissions:
@@ -84,6 +76,7 @@
   - role: roles/iam.serviceAccountTokenCreator
   - role: roles/iam.serviceAccountUser
   - role: roles/iam.workloadIdentityUser
+  - role: roles/storage.objectAdmin
   - role: roles/viewer
 - username: allows-impersonation-new
   email: allows-impersonation-...@apache-beam-testing.iam.gserviceaccount.com
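Review bot: `roles/storage.objectAdmin` on L145 and `roles/secretmanager.admin` in the two later hunks (L153, L161) are project-wide admin roles added with no reason given in the commit message, and because this file is what the workflow applies on push, each grant takes effect on merge. `secretmanager.admin` in particular allows managing and reading every secret in apache-beam-testing; if the accounts only need to read specific secrets, `roles/secretmanager.secretAccessor` (bound at the secret rather than project level, if this file's format can express that) is the narrower fit. Record the justification for each new admin role in the PR so the next export of this file carries an audit trail.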
@@ -197,6 +190,7 @@
   - role: roles/managedkafka.schemaRegistryEditor
   - role: roles/monitoring.metricWriter
   - role: roles/monitoring.viewer
+  - role: roles/secretmanager.admin
   - role: roles/spanner.databaseAdmin
   - role: roles/stackdriver.resourceMetadata.writer
   - role: roles/storage.admin
@@ -238,6 +232,7 @@
   - role: roles/iam.serviceAccountTokenCreator
   - role: roles/iam.serviceAccountUser
   - role: roles/pubsub.admin
+  - role: roles/secretmanager.admin
   - role: roles/spanner.admin
   - role: roles/storage.admin
   - role: roles/storage.folderAdmin
@@ -372,7 +367,7 @@
 - username: enriquecaol04
   email: [email protected]
   permissions:
-  - role: roles/viewer
+  - role: projects/apache-beam-testing/roles/beam_viewer
 - username: eventarc-workflow-sa
   email: [email protected]
   permissions:
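Review bot: The commit message describes the switch to `projects/apache-beam-testing/roles/beam_viewer` on L170 as being "for testing", but this file is the applied source of truth, so the test binding becomes the user's real role on the next push to the apply branch. If the custom role is meant to stay, say so in a comment beside the entry, e.g. `# custom viewer role; replaces roles/viewer`; if it only exercised the PR plan comment, revert it before merge. Confirm the custom role exists in the project as well, since a missing role may only fail at apply time.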
