rename iam variables in folder unit module

2020-11-04 16:49:29 +01:00
parent 02d867ff3d
commit 0e1fb9bf9e
3 changed files with 11 additions and 22 deletions
--- a/modules/folders-unit/locals.tf
+++ b/modules/folders-unit/locals.tf
@@ -16,12 +16,7 @@

 locals {
  folder_roles = concat(var.iam_enviroment_roles, local.sa_xpn_folder_roles)
-  iam_members  = var.iam_members == null ? {} : var.iam_members
-  iam_roles    = var.iam_roles == null ? [] : var.iam_roles
-  unit_iam_bindings = {
-    for role in local.iam_roles :
-    role => lookup(local.iam_members, role, [])
-  }
+  iam          = var.iam == null ? {} : var.iam
  folder_iam_service_account_bindings = {
    for pair in setproduct(keys(var.environments), local.folder_roles) :
    "${pair.0}-${pair.1}" => { environment = pair.0, role = pair.1 }
--- a/modules/folders-unit/main.tf
+++ b/modules/folders-unit/main.tf
@@ -34,7 +34,7 @@ resource "google_folder" "environment" {
 }

 resource "google_folder_iam_binding" "unit" {
-  for_each = local.unit_iam_bindings
+  for_each = var.iam
  folder   = google_folder.unit.name
  role     = each.key
  members  = each.value
@@ -92,9 +92,9 @@ resource "google_storage_bucket" "tfstate" {
    var.prefix == null ? "" : "${var.prefix}-",
    "${var.short_name}-${each.key}-tf"
  ])
-  location           = var.gcs_defaults.location
-  storage_class      = var.gcs_defaults.storage_class
-  force_destroy      = false
+  location                    = var.gcs_defaults.location
+  storage_class               = var.gcs_defaults.storage_class
+  force_destroy               = false
  uniform_bucket_level_access = true
  versioning {
    enabled = true
--- a/modules/folders-unit/variables.tf
+++ b/modules/folders-unit/variables.tf
@@ -42,6 +42,12 @@ variable "gcs_defaults" {
  }
 }

+variable "iam" {
+  description = "IAM bindings for the top-level folder in {ROLE => [MEMBERS]} format."
+  type        = map(list(string))
+  default     = {}
+}
+
 variable "iam_billing_config" {
  description = "Grant billing user role to service accounts, defaults to granting on the billing account."
  type = object({
@@ -65,18 +71,6 @@ variable "iam_enviroment_roles" {
  ]
 }

-variable "iam_members" {
-  description = "IAM members for roles applied on the unit folder."
-  type        = map(list(string))
-  default     = null
-}
-
-variable "iam_roles" {
-  description = "IAM roles applied on the unit folder."
-  type        = list(string)
-  default     = null
-}
-
 variable "iam_xpn_config" {
  description = "Grant Shared VPC creation roles to service accounts, defaults to granting at folder level."
  type = object({