
Add module for custom IAM roles #33

Open
wants to merge 2 commits into
base: main
Conversation

stephen-soltesz
Contributor

@stephen-soltesz stephen-soltesz commented Aug 24, 2023

This change adds a single, custom IAM role as a proof of concept for managing custom IAM roles through Terraform. This requires that the Cloud Build service account includes a role binding for roles/iam.roleAdmin. I have manually imported this role in sandbox. And, the plan applies with no changes.

NOTE: IAM recreations have higher stakes than some resources.

See the warning from: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role

Warning:
Note that custom roles in GCP have the concept of a soft-delete. There are two issues that may arise from this and how roles are propagated. 1) creating a role may involve undeleting and then updating a role with the same name, possibly causing confusing behavior between undelete and update. 2) A deleted role is permanently deleted after 7 days, but it can take up to 30 more days (i.e. between 7 and 37 days after deletion) before the role name is made available again. This means a deleted role that has been deleted for more than 7 days cannot be changed at all by Terraform, and new roles cannot share that name.



@stephen-soltesz stephen-soltesz marked this pull request as ready for review August 24, 2023 21:41
Contributor

@nkinkade nkinkade left a comment


:lgtm:, with one suggestion/comment.

Where do most of those permissions come from? It feels like the custom role may be based on an existing, standard role, but perhaps with a few other permissions added. That is a rather ungainly list of permissions. It would be nice if there was a more succinct way of declaring it, like " + ". For a proof of concept this is fine, and it may be that this is as good as it gets?

Reviewed 2 of 2 files at r1, all commit messages.
Reviewable status: :shipit: complete! 1 of 1 approvals obtained (waiting on @stephen-soltesz)


modules/iam-custom-roles/cloudkubernetesdeployer.tf line 1 at r1 (raw file):

resource "google_project_iam_custom_role" "cloudkubernetesdeployer" {

At your discretion: to me the name would be more readable with underscores: cloud_kubernetes_deployer. However, I do understand the issue with underscores for everything TF and dashes for everything GCP, which is confusing.
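One way to express the "standard role + a few extras" shape asked about above, as an added Terraform example that is not code from this PR or its repository; the base role, the extra permissions, the variable and resource names are assumptions:

```hcl
# Added example (not from the PR): derive a custom role from a predefined
# role's current permission set plus a short list of extras, instead of
# maintaining a long literal permissions list by hand.

variable "project_id" {
  type = string
}

# Read the predefined role's permissions at plan time (assumed base role).
data "google_iam_role" "base" {
  name = "roles/container.developer"
}

locals {
  # Extra permissions the base role lacks (assumed values).
  extra_permissions = [
    "storage.buckets.get",
    "storage.objects.create",
  ]

  # Deduplicate so the custom role carries each permission once.
  role_permissions = distinct(concat(
    data.google_iam_role.base.included_permissions,
    local.extra_permissions,
  ))
}

resource "google_project_iam_custom_role" "cloud_kubernetes_deployer" {
  project     = var.project_id
  role_id     = "cloudkubernetesdeployer" # keep the existing GCP id when importing
  title       = "Cloud Kubernetes Deployer"
  description = "Derived from ${data.google_iam_role.base.name} plus storage extras"
  permissions = local.role_permissions

  lifecycle {
    # Custom roles are soft-deleted and the name stays unavailable for up
    # to 37 days, so a routine plan must never destroy and recreate this.
    prevent_destroy = true
  }
}

output "cloud_kubernetes_deployer_role" {
  value = google_project_iam_custom_role.cloud_kubernetes_deployer.name
}
```

Two caveats: the permission list now changes whenever Google revises the predefined role, which shows up as plan diffs on the custom role, and some permissions present in predefined roles are not accepted in custom roles, so the apply may reject individual entries that then need to be filtered out.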

Contributor Author

@stephen-soltesz stephen-soltesz left a comment


I agree with everything you're saying. I've removed this resource from the sandbox state for now. (Incidentally, in general this makes coincident edits between multiple people / PRs to terraform configs risky: one adds a resource, the other removes it. This could be worse for resources like this that don't delete / recreate easily.)

This role probably dates back to when we were first adopting GKE via travis and I think before IAM was as mature as it is today. I agree it looks like a big list. And, I don't know why I thought a single custom role was preferable at the time. It may be now that a combination of standard roles would be preferable.

So, I think the priority should be to see if we can replace this specific custom role altogether.

So, let's hold on this PR for now. I think I picked a poor first case.

Reviewable status: :shipit: complete! 1 of 1 approvals obtained (waiting on @nkinkade)


modules/iam-custom-roles/cloudkubernetesdeployer.tf line 1 at r1 (raw file):

Previously, nkinkade wrote…

At your discretion: to me the name would be more readable with underscores: cloud_kubernetes_deployer. However, I do understand the issue with underscores for everything TF and dashes for everything GCP, which is confusing.

I agree -- this name is just what already existed in GCP, but this hints at our own conventions for how to create preferred names for custom roles. The old name is not it.
