kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update folders module to Terraform 0.13

Browse Source 
With this commit the folders module (now called simply 'folder') only
creates a single google_folder resource. Support for creating multiple
folders is no longer needed since Terraform 0.13 added for_each support
to modules.
This commit is contained in:
Julio Castillo
2020-10-20 15:41:03 +02:00
parent 7ab87d0790
commit 2e7876b4c7
14 changed files with 163 additions and 241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
modules/folders/README.md → modules/folder/README.md
View File

@@ -1,6 +1,6 @@
# Google Cloud Folder Module
This module allow creation and management of sets of folders sharing a common parent, and their individual IAM bindings. It also allows setting a common set of organization policies on all folders.
This module allows the creation and management of folders together with their individual IAM bindings and organization policies.
## Examples
@@ -8,17 +8,13 @@ This module allow creation and management of sets of folders sharing a common pa
```hcl
module "folder" {
source = "./modules/folders"
source = "./modules/folder"
parent = "organizations/1234567890"
names = ["Folder one", "Folder two"]
name = "Folder name"
iam_members = {
"Folder one" = {
"roles/owner" = ["group:users@example.com"]
}
}
iam_roles = {
"Folder one" = ["roles/owner"]
"roles/owner" = ["group:users@example.com"]
}
iam_roles = ["roles/owner"]
}
```
@@ -26,9 +22,9 @@ module "folder" {
```hcl
module "folder" {
source = "./modules/folders"
source = "./modules/folder"
parent = "organizations/1234567890"
names = ["Folder one", "Folder two"]
name = "Folder name"
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
"constraints/compute.skipDefaultNetworkCreation" = true
@@ -49,10 +45,10 @@ module "folder" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="">string</code> | ✓ | |
| *iam_members* | List of IAM members keyed by folder name and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">null</code> |
| *iam_roles* | List of IAM roles keyed by folder name. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">null</code> |
| *names* | Folder names. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| name | Folder name. | <code title="">string</code> | ✓ | |
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string&#10;validation &#123;&#10;condition &#61; can&#40;regex&#40;&#34;&#40;organizations&#124;folders&#41;&#47;&#91;0-9&#93;&#43;&#34;, var.parent&#41;&#41;&#10;error_message &#61; &#34;Parent must be of the form folders&#47;folder_id or organizations&#47;organization_id.&#34;&#10;&#125;">string</code> | ✓ | |
| *iam_members* | List of IAM members keyed by role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> | | <code title="">null</code> |
| *iam_roles* | List of IAM roles. | <code title="set&#40;string&#41;">set(string)</code> | | <code title="">null</code> |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value &#61; string&#10;status &#61; bool&#10;values &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |
@@ -60,12 +56,7 @@ module "folder" {
| name | description | sensitive |
|---|---|:---:|
| folder | Folder resource (for single use). | |
| folders | Folder resources. | |
| id | Folder id (for single use). | |
| ids | Folder ids. | |
| ids_list | List of folder ids. | |
| name | Folder name (for single use). | |
| names | Folder names. | |
| names_list | List of folder names. | |
| folder | Folder resource. | |
| id | Folder id. | |
| name | Folder name. | |
<!-- END TFDOC -->

71
modules/folders/main.tf → modules/folder/main.tf
View File

@@ -1,5 +1,5 @@
/**
* Copyright 2018 Google LLC
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,63 +14,26 @@
* limitations under the License.
*/
locals {
folders = (
local.has_folders
? [for name in var.names : google_folder.folders[name]]
: []
)
# needed when destroying
has_folders = length(google_folder.folders) > 0
iam_pairs = var.iam_roles == null ? [] : flatten([
for name, roles in var.iam_roles :
[for role in roles : { name = name, role = role }]
])
iam_keypairs = {
for pair in local.iam_pairs :
"${pair.name}-${pair.role}" => pair
}
iam_members = var.iam_members == null ? {} : var.iam_members
policy_boolean_pairs = {
for pair in setproduct(var.names, keys(var.policy_boolean)) :
"${pair.0}-${pair.1}" => {
folder = pair.0,
policy = pair.1,
policy_data = var.policy_boolean[pair.1]
}
}
policy_list_pairs = {
for pair in setproduct(var.names, keys(var.policy_list)) :
"${pair.0}-${pair.1}" => {
folder = pair.0,
policy = pair.1,
policy_data = var.policy_list[pair.1]
}
}
}
resource "google_folder" "folders" {
for_each = toset(var.names)
display_name = each.value
resource "google_folder" "folder" {
display_name = var.name
parent = var.parent
}
resource "google_folder_iam_binding" "authoritative" {
for_each = local.iam_keypairs
folder = google_folder.folders[each.value.name].name
role = each.value.role
members = lookup(
lookup(local.iam_members, each.value.name, {}), each.value.role, []
)
for_each = var.iam_roles
folder = google_folder.folder.name
role = each.key
members = lookup(var.iam_members, each.key, [])
}
resource "google_folder_organization_policy" "boolean" {
for_each = local.policy_boolean_pairs
folder = google_folder.folders[each.value.folder].id
constraint = each.value.policy
for_each = var.policy_boolean
folder = google_folder.folder.name
constraint = each.key
dynamic boolean_policy {
for_each = each.value.policy_data == null ? [] : [each.value.policy_data]
for_each = each.value == null ? [] : [each.value]
iterator = policy
content {
enforced = policy.value
@@ -78,7 +41,7 @@ resource "google_folder_organization_policy" "boolean" {
}
dynamic restore_policy {
for_each = each.value.policy_data == null ? [""] : []
for_each = each.value == null ? [""] : []
content {
default = true
}
@@ -86,12 +49,12 @@ resource "google_folder_organization_policy" "boolean" {
}
resource "google_folder_organization_policy" "list" {
for_each = local.policy_list_pairs
folder = google_folder.folders[each.value.folder].id
constraint = each.value.policy
for_each = var.policy_list
folder = google_folder.folder.name
constraint = each.key
dynamic list_policy {
for_each = each.value.policy_data.status == null ? [] : [each.value.policy_data]
for_each = each.value.status == null ? [] : [each.value]
iterator = policy
content {
inherit_from_parent = policy.value.inherit_from_parent
@@ -130,7 +93,7 @@ resource "google_folder_organization_policy" "list" {
}
dynamic restore_policy {
for_each = each.value.policy_data.status == null ? [true] : []
for_each = each.value.status == null ? [true] : []
content {
default = true
}

35
modules/folder/outputs.tf Normal file
View File

@@ -0,0 +1,35 @@
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "folder" {
description = "Folder resource."
value = google_folder.folder
}
output "id" {
description = "Folder id."
value = google_folder.folder.name
depends_on = [
google_folder_iam_binding.authoritative,
google_folder_organization_policy.boolean,
google_folder_organization_policy.list
]
}
output "name" {
description = "Folder name."
value = google_folder.folder.display_name
}

21
modules/folders/variables.tf → modules/folder/variables.tf
View File

@@ -1,5 +1,5 @@
/**
* Copyright 2018 Google LLC
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,26 +15,29 @@
*/
variable "iam_members" {
description = "List of IAM members keyed by folder name and role."
type = map(map(list(string)))
description = "List of IAM members keyed by role."
type = map(set(string))
default = null
}
variable "iam_roles" {
description = "List of IAM roles keyed by folder name."
type = map(list(string))
description = "List of IAM roles."
type = set(string)
default = null
}
variable "names" {
description = "Folder names."
type = list(string)
default = []
variable "name" {
description = "Folder name."
type = string
}
variable "parent" {
description = "Parent in folders/folder_id or organizations/org_id format."
type = string
validation {
condition = can(regex("(organizations|folders)/[0-9]+", var.parent))
error_message = "Parent must be of the form folders/folder_id or organizations/organization_id."
}
}
variable "policy_boolean" {

2
modules/folders/versions.tf → modules/folder/versions.tf
View File

@@ -15,5 +15,5 @@
*/
terraform {
required_version = ">= 0.12.6"
required_version = ">= 0.13.0"
}

78
modules/folders/outputs.tf
View File

@@ -1,78 +0,0 @@
/**
* Copyright 2018 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "folder" {
description = "Folder resource (for single use)."
value = local.has_folders ? local.folders[0] : null
}
output "id" {
description = "Folder id (for single use)."
value = local.has_folders ? local.folders[0].name : null
depends_on = [
google_folder_iam_binding.authoritative,
google_folder_organization_policy.boolean,
google_folder_organization_policy.list
]
}
output "name" {
description = "Folder name (for single use)."
value = local.has_folders ? local.folders[0].display_name : null
}
output "folders" {
description = "Folder resources."
value = local.folders
}
output "ids" {
description = "Folder ids."
value = (
local.has_folders
? zipmap(var.names, [for f in local.folders : f.name])
: {}
)
depends_on = [
google_folder_iam_binding.authoritative,
google_folder_organization_policy.boolean,
google_folder_organization_policy.list
]
}
output "names" {
description = "Folder names."
value = (
local.has_folders
? zipmap(var.names, [for f in local.folders : f.display_name])
: {}
)
}
output "ids_list" {
description = "List of folder ids."
value = [for f in local.folders : f.name]
depends_on = [
google_folder_iam_binding.authoritative,
google_folder_organization_policy.boolean,
google_folder_organization_policy.list
]
}
output "names_list" {
description = "List of folder names."
value = [for f in local.folders : f.display_name]
}