From a10eb6861a5ed94b4ed8be58a1b315ef1581c6f0 Mon Sep 17 00:00:00 2001
From: Ian Knighton
Date: Fri, 25 Oct 2024 15:44:20 -0600
Subject: [PATCH 1/2] chore: add terraform-docs config
---
 .terraform.docs.yml | 7 +++++++
 terraform-docs.md | 2 --
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 .terraform.docs.yml
diff --git a/.terraform.docs.yml b/.terraform.docs.yml
new file mode 100644
index 0000000..40ddcfa
--- /dev/null
+++ b/.terraform.docs.yml
@@ -0,0 +1,7 @@
+formatter: "md tbl"
+
+output:
+ file: "./terraform-docs.md"
+ mode: replace
+ template: |-
+ {{ .Content }}
\ No newline at end of file
diff --git a/terraform-docs.md b/terraform-docs.md
index d0a538b..bb6f352 100644
--- a/terraform-docs.md
+++ b/terraform-docs.md
@@ -1,5 +1,3 @@
-# Terraform-Docs
-
 ## Requirements
 
 | Name | Version |
From 36eca57b560c0a6406a29d626cbc85d6a082d1a5 Mon Sep 17 00:00:00 2001
From: Nathan Knowles
Date: Wed, 20 Nov 2024 11:42:46 -0700
Subject: [PATCH 2/2] feat(terraform): update IAM policy resources for Pub/Sub
- Switched from `google_pubsub_topic_iam_binding` to `google_pubsub_topic_iam_member` and `google_pubsub_subscription_iam_member` to avoid destructive updates to IAM policies. Using `iam_binding` was removing all existing members from the policy when applying a single-member array, as confirmed during testing, despite unclear documentation.
- Updated the "Subscriber" policy to apply to the subscription instead of the dead letter topic. This ensures the subscription can read messages and forward them to the dead letter topic, resolving the incorrect resource target issue.
---
 resources.tf | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/resources.tf b/resources.tf
index d8556fd..f73508a 100644
--- a/resources.tf
+++ b/resources.tf
@@ -14,20 +14,17 @@ resource "google_pubsub_topic" "dead_letter_subscription_topic" {
 labels = var.labels
 }
 
-resource "google_pubsub_topic_iam_binding" "assign_pubsub_publisher" {
- topic = google_pubsub_topic.dead_letter_subscription_topic.id
- role = "roles/pubsub.publisher"
- members = [
- "serviceAccount:${var.pubsub_service_account}",
- ]
+resource "google_pubsub_topic_iam_member" "assign_pubsub_publisher" {
+ project = google_pubsub_topic.dead_letter_subscription_topic.project
+ topic = google_pubsub_topic.dead_letter_subscription_topic.id
+ role = "roles/pubsub.publisher"
+ member = "serviceAccount:${var.pubsub_service_account}"
 }
 
-resource "google_pubsub_topic_iam_binding" "assign_pubsub_subscriber" {
- topic = google_pubsub_topic.dead_letter_subscription_topic.id
- role = "roles/pubsub.subscriber"
- members = [
- "serviceAccount:${var.pubsub_service_account}",
- ]
+resource "google_pubsub_subscription_iam_member" "assign_pubsub_subscriber" {
+ subscription = google_pubsub_subscription.subscription.id
+ role = "roles/pubsub.subscriber"
+ member = "serviceAccount:${var.pubsub_service_account}"
 }
 
 resource "google_pubsub_subscription" "dead_letter_subscription" {
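Review bot: The switch to `_iam_member` makes both grants non-authoritative, so a principal added out of band to `roles/pubsub.publisher` on the dead-letter topic or to `roles/pubsub.subscriber` on the subscription is neither reported as drift nor removed on the next apply, and the new resources should say so explicitly, e.g. `# Non-authoritative by design: Terraform manages only this member; other members of the role are neither detected nor removed.` The subscriber grant omits the `project` argument that the publisher grant sets, and the two blocks should be written the same way even if the provider derives the project from the `.id` reference. Terraform does not order the destruction of the old `_iam_binding` resources against the creation of the new `_iam_member` ones, so the first apply presumably has a short window in which `var.pubsub_service_account` holds neither role and dead-lettering fails for messages delivered during it. `google_pubsub_subscription.subscription`, referenced on the `subscription =` line, is defined outside this hunk (the resource that follows is `dead_letter_subscription`), so the reference should be checked against the rest of resources.tf.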