HansMarcus01 opened a new issue, #39215: URL: https://github.com/apache/beam/issues/39215
### What would you like to happen? Currently, the Apache Beam GCP infrastructure uses Terraform to manage IAM Custom Roles (e.g., beam_writer, beam_viewer). The deployment of these roles is handled by the .github/workflows/beam_Infrastructure_UsersPermissions.yml workflow, and the state is securely stored in a remote GCS backend (beam-terraform-infra-state). There is currently no mechanism to guarantee the continuous integrity of these custom roles. If an administrator or a compromised account manually modifies a custom role directly in the Google Cloud Console (e.g., adding unauthorized permissions or deleting the role entirely), Terraform will not detect or correct this configuration drift until the next time a PR coincidentally updates the IAM files. While our Python scripts (iam.py) audit user bindings on a daily schedule, the definitions of the custom roles themselves remain exposed to undetected out-of-band modifications. ### Issue Priority Priority: 2 (default / most feature requests should be filed as P2) ### Issue Components - [ ] Component: Python SDK - [ ] Component: Java SDK - [ ] Component: Go SDK - [ ] Component: Typescript SDK - [ ] Component: IO connector - [x] Component: Beam YAML - [ ] Component: Beam examples - [ ] Component: Beam playground - [ ] Component: Beam katas - [ ] Component: Website - [x] Component: Infrastructure - [ ] Component: Spark Runner - [ ] Component: Flink Runner - [ ] Component: Prism Runner - [ ] Component: Twister2 Runner - [ ] Component: Hazelcast Jet Runner - [ ] Component: Google Cloud Dataflow Runner -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
