diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
index 4821a73df..5c577f528 100644
--- a/modules/cloud-run-v2/README.md
+++ b/modules/cloud-run-v2/README.md
@@ -842,9 +842,9 @@ module "cloud_run" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L216) | Name used for Cloud Run service. | string | ✓ | |
-| [project_id](variables.tf#L231) | Project id used for all resources. | string | ✓ | |
-| [region](variables.tf#L236) | Region used for all resources. | string | ✓ | |
+| [name](variables.tf#L206) | Name used for Cloud Run service. | string | ✓ | |
+| [project_id](variables.tf#L221) | Project id used for all resources. | string | ✓ | |
+| [region](variables.tf#L226) | Region used for all resources. | string | ✓ | |
| [containers](variables.tf#L17) | Containers in name => attributes format. | map(object({…})) | | {} |
| [create_job](variables.tf#L80) | Create Cloud Run Job instead of Service. | bool | | false |
| [custom_audiences](variables.tf#L86) | Custom audiences for service. | list(string) | | null |
@@ -852,18 +852,18 @@ module "cloud_run" {
| [encryption_key](variables.tf#L98) | The full resource name of the Cloud KMS CryptoKey. | string | | null |
| [eventarc_triggers](variables.tf#L104) | Event arc triggers for different sources. | object({…}) | | {} |
| [iam](variables.tf#L122) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
-| [iap_config](variables.tf#L128) | If present, turns on Identity-Aware Proxy (IAP) for the Cloud Run service. | object({…}) | | null |
-| [ingress](variables.tf#L163) | Ingress settings. | string | | null |
-| [invoker_iam_disabled](variables.tf#L180) | Disables IAM permission check for run.routes.invoke for callers of this service. | bool | | false |
-| [labels](variables.tf#L186) | Resource labels. | map(string) | | {} |
-| [launch_stage](variables.tf#L192) | The launch stage as defined by Google Cloud Platform Launch Stages. | string | | null |
-| [managed_revision](variables.tf#L209) | Whether the Terraform module should control the deployment of revisions. | bool | | true |
-| [prefix](variables.tf#L221) | Optional prefix used for resource names. | string | | null |
-| [revision](variables.tf#L241) | Revision template configurations. | object({…}) | | {} |
-| [service_account](variables.tf#L280) | Service account email. Unused if service account is auto-created. | string | | null |
-| [service_account_create](variables.tf#L286) | Auto-create service account. | bool | | false |
-| [tag_bindings](variables.tf#L292) | Tag bindings for this service, in key => tag value id format. | map(string) | | {} |
-| [volumes](variables.tf#L299) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
+| [iap_config](variables.tf#L128) | If present, turns on Identity-Aware Proxy (IAP) for the Cloud Run service. | object({…}) | | null |
+| [ingress](variables.tf#L153) | Ingress settings. | string | | null |
+| [invoker_iam_disabled](variables.tf#L170) | Disables IAM permission check for run.routes.invoke for callers of this service. | bool | | false |
+| [labels](variables.tf#L176) | Resource labels. | map(string) | | {} |
+| [launch_stage](variables.tf#L182) | The launch stage as defined by Google Cloud Platform Launch Stages. | string | | null |
+| [managed_revision](variables.tf#L199) | Whether the Terraform module should control the deployment of revisions. | bool | | true |
+| [prefix](variables.tf#L211) | Optional prefix used for resource names. | string | | null |
+| [revision](variables.tf#L231) | Revision template configurations. | object({…}) | | {} |
+| [service_account](variables.tf#L270) | Service account email. Unused if service account is auto-created. | string | | null |
+| [service_account_create](variables.tf#L276) | Auto-create service account. | bool | | false |
+| [tag_bindings](variables.tf#L282) | Tag bindings for this service, in key => tag value id format. | map(string) | | {} |
+| [volumes](variables.tf#L289) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
| [vpc_connector_create](variables-vpcconnector.tf#L17) | Populate this to create a Serverless VPC Access connector. | object({…}) | | null |
## Outputs
diff --git a/modules/cloud-run-v2/service.tf b/modules/cloud-run-v2/service.tf
index 0d4d05340..1b8418716 100644
--- a/modules/cloud-run-v2/service.tf
+++ b/modules/cloud-run-v2/service.tf
@@ -530,12 +530,12 @@ locals {
iap_iam_additive = local.iap_enabled ? var.iap_config.iam_additive : []
use_iap_iam_binding = var.iap_config != null && try(var.iap_config.iam, null) != null
- iap_iam = local.iap_enabled ? var.iap_config.iam : []
+ iap_iam = local.iap_enabled ? var.iap_config.iam : []
}
resource "google_iap_web_cloud_run_service_iam_member" "member" {
- for_each = local.iap_iam_additive
+ for_each = toset(local.iap_iam_additive)
project = local.service.project
location = local.service.location
cloud_run_service_name = local.service.name
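Review bot: `iap_iam = local.iap_enabled ? var.iap_config.iam : []` on the rewritten line still yields null rather than an empty list when `iap_config` is set without `iam`, and the `try(var.iap_config.iam, null) != null` test on the preceding `use_iap_iam_binding` line suggests that case is expected; `length(null)` in the binding's `for_each` (next hunk) would then fail at plan time, and the same applies to `toset(local.iap_iam_additive)` when only `iam` is given. Reusing the guard that is already computed avoids both, e.g. `iap_iam = local.use_iap_iam_binding ? var.iap_config.iam : []` and `iap_iam_additive = try(var.iap_config.iam_additive, null) != null ? var.iap_config.iam_additive : []`. This matters more now that the "exactly one of iam/iam_additive" validation is dropped in the variables.tf hunk, so an `iap_config` with neither list is accepted. Whether the object attributes default to `[]` or to null is declared outside the hunk, so this is inferred from the `try(...)` checks.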
@@ -544,10 +544,10 @@ resource "google_iap_web_cloud_run_service_iam_member" "member" {
}
resource "google_iap_web_cloud_run_service_iam_binding" "binding" {
- for_each = length(local.iap_iam) == 0 ? {} : {1 = 1}
+ for_each = length(local.iap_iam) == 0 ? {} : { 1 = 1 }
project = local.service.project
location = local.service.location
cloud_run_service_name = local.service.name
role = "roles/iap.httpsResourceAccessor"
- member = local.iap_iam
+ members = local.iap_iam
}
\ No newline at end of file
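Review bot: The `for_each` on the binding recomputes the condition that `local.use_iap_iam_binding` already holds, and nothing in either hunk documents that `google_iap_web_cloud_run_service_iam_binding` is authoritative for `roles/iap.httpsResourceAccessor`, i.e. it replaces every existing member of that role on the service, including any added through the `member` resource above or outside this module. A short comment above the resource would make the trade-off visible, something like `# Authoritative: replaces all members of roles/iap.httpsResourceAccessor on this service; use iam_additive to grant without removing others.` The `for_each` line could read `for_each = local.use_iap_iam_binding ? { 1 = 1 } : {}` so it stays in step with the local (assuming that local is kept null-safe, see the previous hunk). The `member` → `members` rename is the right attribute for the binding resource.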
diff --git a/modules/cloud-run-v2/variables.tf b/modules/cloud-run-v2/variables.tf
index d279e0d4f..8eeb32baa 100644
--- a/modules/cloud-run-v2/variables.tf
+++ b/modules/cloud-run-v2/variables.tf
@@ -133,17 +133,9 @@ variable "iap_config" {
})
default = null
- validation {
- condition = var.iap_config == null || (
- (try(var.iap_config.iam, null) != null && try(var.iap_config.iam_additive, null) == null) ||
- (try(var.iap_config.iam, null) == null && try(var.iap_config.iam_additive, null) != null)
- )
- error_message = "When iap_config is provided, exactly one of 'iam' or 'iam_additive' must be specified."
- }
-
validation {
condition = !(length(try(var.iap_config.iam, [])) > 0 && length(try(var.iap_config.iam_additive, [])) > 0)
- )
+
error_message = "When 'iam' or 'iam_additive' lists are provided in iap_config, they must not be empty."
}