GCP User IAM workflow modified to post Terraform plan as a comment on PRs (#36375)

* GCP User IAM workflow modified to post Terraform plan as a comment on PRs

* Update GCP IAM roles in users.yml and modify workflow permissions for pull requests

* Update role for user  to use custom beam_viewer role for testing

* Update beam_Infrastructure_UsersPermissions.yml

Changing event_name to p_r_t, and removing the specific ref to checkout

* Update beam_Infrastructure_UsersPermissions.yml

removing all p_r_t filters to make it match all prs

* Return the filer on pull_request_target beam_Infrastructure_UsersPermissions.yml

---------

Co-authored-by: P <pabloem@users.noreply.github.com>

Author: ksobrenat32

.github/workflows/beam_Infrastructure_UsersPermissions.yml

@@ -17,6 +17,8 @@
 
 # This workflow modifies the GCP User Roles when the infra/users.yml file is updated.
 # It applies the changes using Terraform to manage the IAM roles for users defined in the users.yml
+# If the workflow is triggered by a pull request, it will post the Terraform plan as a comment on the PR
+# as a code block for easy review.
 
 name: Modify the GCP User Roles according to the infra/users.yml file
 
@@ -28,6 +30,10 @@ on:
       - main
     paths:
       - 'infra/iam/users.yml'
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'infra/iam/users.yml'
 
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
@@ -36,7 +42,8 @@ concurrency:
 
 #Setting explicit permissions for the action to avoid the default permissions which are `write-all` in case of pull_request_target event
 permissions:
-  contents: read
+  contents: write
+  pull-requests: write
 
 jobs:
   beam_UserRoles:
@@ -57,6 +64,28 @@ jobs:
       - name: Terraform Plan
         working-directory: ./infra/iam
         run: terraform plan -out=tfplan
+
+      - name: Convert plan to plaintext
+        if: github.event_name == 'pull_request_target'
+        working-directory: ./infra/iam
+        run: terraform show -no-color tfplan > tfplan.txt
+
+      - name: Create comment body
+        if: github.event_name == 'pull_request_target'
+        run: |
+          echo "### Terraform Plan for User Roles Changes" > comment_body.txt
+          echo '```' >> comment_body.txt
+          cat ./infra/iam/tfplan.txt >> comment_body.txt
+          echo '```' >> comment_body.txt
+
+      - name: Upload plan as a comment to PR
+        if: github.event_name == 'pull_request_target'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: gh pr comment ${{ github.event.pull_request.number }} --body-file comment_body.txt
+
       - name: Terraform Apply
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'apache/beam'
         working-directory: ./infra/iam
         run: terraform apply -auto-approve tfplan

infra/iam/users.yml

@@ -14,20 +14,12 @@
 # limitations under the License.
 
 # IAM policy for project apache-beam-testing
-# Generated on 2025-09-19 18:17:58 UTC
+# Generated on 2025-10-07 16:00:39 UTC
 
 - username: WhatWouldAustinDo
   email: WhatWouldAustinDo@gmail.com
   permissions:
   - role: roles/editor
-- username: a.khorbaladze
-  email: a.khorbaladze@akvelon.us
-  permissions:
-  - role: roles/bigquery.admin
-  - role: roles/container.admin
-  - role: roles/editor
-  - role: roles/iam.serviceAccountUser
-  - role: roles/secretmanager.admin
 - username: aaronleeiv
   email: aaronleeiv@google.com
   permissions:
@@ -84,6 +76,7 @@
   - role: roles/iam.serviceAccountTokenCreator
   - role: roles/iam.serviceAccountUser
   - role: roles/iam.workloadIdentityUser
+  - role: roles/storage.objectAdmin
   - role: roles/viewer
 - username: allows-impersonation-new
   email: allows-impersonation-new@apache-beam-testing.iam.gserviceaccount.com
@@ -197,6 +190,7 @@
   - role: roles/managedkafka.schemaRegistryEditor
   - role: roles/monitoring.metricWriter
   - role: roles/monitoring.viewer
+  - role: roles/secretmanager.admin
   - role: roles/spanner.databaseAdmin
   - role: roles/stackdriver.resourceMetadata.writer
   - role: roles/storage.admin
@@ -238,6 +232,7 @@
   - role: roles/iam.serviceAccountTokenCreator
   - role: roles/iam.serviceAccountUser
   - role: roles/pubsub.admin
+  - role: roles/secretmanager.admin
   - role: roles/spanner.admin
   - role: roles/storage.admin
   - role: roles/storage.folderAdmin
@@ -372,7 +367,7 @@
 - username: enriquecaol04
   email: enriquecaol04@gmail.com
   permissions:
-  - role: roles/viewer
+  - role: projects/apache-beam-testing/roles/beam_viewer
 - username: eventarc-workflow-sa
   email: eventarc-workflow-sa@apache-beam-testing.iam.gserviceaccount.com
   permissions: