feat: Switch to using IAMPartialPolicy instead of IAMPolicyMember (#62)

* Switch to using IAMPartialPolicy instead of IAMPolicyBinding

* fixed type in role value

* fixed indentation

Co-authored-by: kaariger <kaariger@users.noreply.github.com>

catalog/gitops/README.md

@@ -34,8 +34,8 @@ source-repo      5
 
 ```
 File                      APIVersion                                  Kind                  Name                              Namespace
-cloudbuild-iam.yaml       iam.cnrm.cloud.google.com/v1beta1           IAMPolicyMember       deployment-repo-cloudbuild-write  config-control
-cloudbuild-iam.yaml       iam.cnrm.cloud.google.com/v1beta1           IAMPolicyMember       source-repo-cloudbuild-read       config-control
+cloudbuild-iam.yaml       iam.cnrm.cloud.google.com/v1beta1           IAMPartialPolicy       deployment-repo-cloudbuild-write  config-control
+cloudbuild-iam.yaml       iam.cnrm.cloud.google.com/v1beta1           IAMPartialPolicy       source-repo-cloudbuild-read       config-control
 hydration-trigger.yaml    cloudbuild.cnrm.cloud.google.com/v1beta1    CloudBuildTrigger     source-repo-cicd-trigger          config-control
 services.yaml             serviceusage.cnrm.cloud.google.com/v1beta1  Service               cloudbuild.googleapis.com         config-control
 services.yaml             serviceusage.cnrm.cloud.google.com/v1beta1  Service               sourcerepo.googleapis.com         config-control
@@ -46,7 +46,7 @@ source-repositories.yaml  sourcerepo.cnrm.cloud.google.com/v1beta1    SourceRepo
 ## Resource References
 
 - [CloudBuildTrigger](https://cloud.google.com/config-connector/docs/reference/resource-docs/cloudbuild/cloudbuildtrigger)
-- [IAMPolicyMember](https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampolicymember)
+- [IAMPartialPolicy](https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampartialpolicy)
 - [Service](https://cloud.google.com/config-connector/docs/reference/resource-docs/serviceusage/service)
 - [SourceRepoRepository](https://cloud.google.com/config-connector/docs/reference/resource-docs/sourcerepo/sourcereporepository)
 
@@ -88,4 +88,3 @@ source-repositories.yaml  sourcerepo.cnrm.cloud.google.com/v1beta1    SourceRepo
     ```
     kpt live status --output table --poll-until current
     ```
-

catalog/gitops/cloudbuild-iam.yaml

@@ -13,34 +13,38 @@
 # limitations under the License.
 # Provides write access to deployment repo for cloudbuild trigger
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
-kind: IAMPolicyMember
+kind: IAMPartialPolicy
 metadata:
   name: deployment-repo-cloudbuild-write
   namespace: config-control # kpt-set: ${namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/gitops/v0.3.0
     cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
-  member: serviceAccount:1234567890123@cloudbuild.gserviceaccount.com # kpt-set: serviceAccount:${project-number}@cloudbuild.gserviceaccount.com
   resourceRef:
     name: deployment-repo # kpt-set: ${deployment-repo}
     apiVersion: sourcerepo.cnrm.cloud.google.com/v1beta1
     kind: SourceRepoRepository
-  role: roles/source.writer
+  bindings:
+    - role: roles/source.writer
+      members:
+        - member: serviceAccount:1234567890123@cloudbuild.gserviceaccount.com # kpt-set: serviceAccount:${project-number}@cloudbuild.gserviceaccount.com
 ---
 # Provides read access to source repo for cloudbuild trigger
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
-kind: IAMPolicyMember
+kind: IAMPartialPolicy
 metadata:
   name: source-repo-cloudbuild-read
   namespace: config-control # kpt-set: ${namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/gitops/v0.3.0
     cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
-  member: serviceAccount:1234567890123@cloudbuild.gserviceaccount.com # kpt-set: serviceAccount:${project-number}@cloudbuild.gserviceaccount.com
   resourceRef:
     name: source-repo # kpt-set: ${source-repo}
     apiVersion: sourcerepo.cnrm.cloud.google.com/v1beta1
     kind: SourceRepoRepository
-  role: roles/source.reader
+  bindings:
+    - role: roles/source.reader
+      members:
+        - member: serviceAccount:1234567890123@cloudbuild.gserviceaccount.com # kpt-set: serviceAccount:${project-number}@cloudbuild.gserviceaccount.com

catalog/gitops/configsync/README.md

@@ -30,15 +30,15 @@ This package has no sub-packages.
 ```
 File                    APIVersion                         Kind               Name                                        Namespace
 config-management.yaml  configmanagement.gke.io/v1         ConfigManagement   config-management
-configsync-iam.yaml     iam.cnrm.cloud.google.com/v1beta1  IAMPolicyMember    source-reader-sync-cluster-name-project-id  config-control
-configsync-iam.yaml     iam.cnrm.cloud.google.com/v1beta1  IAMPolicyMember    sync-cluster-name                           config-control
+configsync-iam.yaml     iam.cnrm.cloud.google.com/v1beta1  IAMPartialPolicy    source-reader-sync-cluster-name-project-id  config-control
+configsync-iam.yaml     iam.cnrm.cloud.google.com/v1beta1  IAMPartialPolicy    sync-cluster-name                           config-control
 configsync-iam.yaml     iam.cnrm.cloud.google.com/v1beta1  IAMServiceAccount  sync-cluster-name                           config-control
 ```
 
 ## Resource References
 
 - [ConfigManagement](https://cloud.google.com/anthos-config-management/docs/configmanagement-fields)
-- [IAMPolicyMember](https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampolicymember)
+- [IAMPartialPolicy](https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iampartialpolicy)
 - [IAMServiceAccount](https://cloud.google.com/config-connector/docs/reference/resource-docs/iam/iamserviceaccount)
 
 ## Usage
@@ -79,4 +79,3 @@ configsync-iam.yaml     iam.cnrm.cloud.google.com/v1beta1  IAMServiceAccount  sy
     ```
     kpt live status --output table --poll-until current
     ```
-

catalog/gitops/configsync/configsync-iam.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # Config Sync GCP ServiceAccount (GSA)
-# This GSA can be used to grant Config Sync additional permissions with IAMPolicyMember
+# This GSA can be used to grant Config Sync additional permissions with IAMPartialPolicy
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 metadata:
@@ -26,34 +26,39 @@ spec:
 ---
 # Allow Config Sync Kubernetes ServiceAccount (KSA) to use the Config Sync GSA
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
-kind: IAMPolicyMember
+kind: IAMPartialPolicy
 metadata:
   name: sync-cluster-name # kpt-set: sync-${cluster-name}
   namespace: config-control # kpt-set: ${namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/gitops/configsync/v0.3.0
     cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
-  member: serviceAccount:project-id.svc.id.goog[config-management-system/importer] # kpt-set: serviceAccount:${project-id}.svc.id.goog[config-management-system/importer]
   resourceRef:
     name: sync-cluster-name # kpt-set: sync-${cluster-name}
     apiVersion: iam.cnrm.cloud.google.com/v1beta1
     kind: IAMServiceAccount
-  role: roles/iam.workloadIdentityUser
+  bindings:
+    - role: roles/iam.workloadIdentityUser
+      members:
+        - member: serviceAccount:project-id.svc.id.goog[config-management-system/importer] # kpt-set: serviceAccount:${project-id}.svc.id.goog[config-management-system/importer]
 ---
 # Allow Config Sync GSA to read from CSR repos in the CSR project
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
-kind: IAMPolicyMember
+kind: IAMPartialPolicy
 metadata:
   name: source-reader-sync-cluster-name-project-id # kpt-set: source-reader-sync-${cluster-name}-${project-id}
   namespace: config-control # kpt-set: ${namespace}
   annotations:
     cnrm.cloud.google.com/blueprint: cnrm/gitops/configsync/v0.3.0
     cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
 spec:
-  member: serviceAccount:sync-cluster-name@project-id.iam.gserviceaccount.com # kpt-set: serviceAccount:sync-${cluster-name}@${project-id}.iam.gserviceaccount.com
+  member:
   resourceRef:
     apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
     kind: Project
     external: project-id # kpt-set: ${project-id}
-  role: roles/source.reader
+  bindings:
+    - role: roles/source.reader
+      members:
+        - member: serviceAccount:sync-cluster-name@project-id.iam.gserviceaccount.com # kpt-set: serviceAccount:sync-${cluster-name}@${project-id}.iam.gserviceaccount.com