Update folders module to Terraform 0.13

With this commit the folders module (now called simply 'folder') only
creates a single google_folder resource. Support for creating multiple
folders is no longer needed since Terraform 0.13 added for_each support
to modules.

modules/folder/README.md

@@ -0,0 +1,62 @@
+# Google Cloud Folder Module
+
+This module allows the creation and management of folders together with their individual IAM bindings and organization policies.
+
+## Examples
+
+### IAM bindings
+
+```hcl
+module "folder" {
+  source = "./modules/folder"
+  parent = "organizations/1234567890"
+  name  = "Folder name"
+  iam_members = {
+    "roles/owner" = ["group:users@example.com"]
+  }
+  iam_roles = ["roles/owner"]
+}
+```
+
+### Organization policies
+
+```hcl
+module "folder" {
+  source = "./modules/folder"
+  parent = "organizations/1234567890"
+  name  = "Folder name"
+  policy_boolean = {
+    "constraints/compute.disableGuestAttributesAccess" = true
+    "constraints/compute.skipDefaultNetworkCreation" = true
+  }
+  policy_list = {
+    "constraints/compute.trustedImageProjects" = {
+      inherit_from_parent = null
+      suggested_value = null
+      status = true
+      values = ["projects/my-project"]
+    }
+  }
+}
+```
+
+<!-- BEGIN TFDOC -->
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---: |:---:|:---:|
+| name | Folder name. | <code title="">string</code> | ✓ |  |
+| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string&#10;validation &#123;&#10;condition     &#61; can&#40;regex&#40;&#34;&#40;organizations&#124;folders&#41;&#47;&#91;0-9&#93;&#43;&#34;, var.parent&#41;&#41;&#10;error_message &#61; &#34;Parent must be of the form folders&#47;folder_id or organizations&#47;organization_id.&#34;&#10;&#125;">string</code> | ✓ |  |
+| *iam_members* | List of IAM members keyed by role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">null</code> |
+| *iam_roles* | List of IAM roles. | <code title="set&#40;string&#41;">set(string)</code> |  | <code title="">null</code> |
+| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |
+| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value     &#61; string&#10;status              &#61; bool&#10;values              &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| folder | Folder resource. |  |
+| id | Folder id. |  |
+| name | Folder name. |  |
+<!-- END TFDOC -->

modules/folder/main.tf

@@ -0,0 +1,101 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+resource "google_folder" "folder" {
+  display_name = var.name
+  parent       = var.parent
+}
+
+resource "google_folder_iam_binding" "authoritative" {
+  for_each = var.iam_roles
+  folder   = google_folder.folder.name
+  role     = each.key
+  members  = lookup(var.iam_members, each.key, [])
+}
+
+resource "google_folder_organization_policy" "boolean" {
+  for_each   = var.policy_boolean
+  folder     = google_folder.folder.name
+  constraint = each.key
+
+  dynamic boolean_policy {
+    for_each = each.value == null ? [] : [each.value]
+    iterator = policy
+    content {
+      enforced = policy.value
+    }
+  }
+
+  dynamic restore_policy {
+    for_each = each.value == null ? [""] : []
+    content {
+      default = true
+    }
+  }
+}
+
+resource "google_folder_organization_policy" "list" {
+  for_each   = var.policy_list
+  folder     = google_folder.folder.name
+  constraint = each.key
+
+  dynamic list_policy {
+    for_each = each.value.status == null ? [] : [each.value]
+    iterator = policy
+    content {
+      inherit_from_parent = policy.value.inherit_from_parent
+      suggested_value     = policy.value.suggested_value
+      dynamic allow {
+        for_each = policy.value.status ? [""] : []
+        content {
+          values = (
+            try(length(policy.value.values) > 0, false)
+            ? policy.value.values
+            : null
+          )
+          all = (
+            try(length(policy.value.values) > 0, false)
+            ? null
+            : true
+          )
+        }
+      }
+      dynamic deny {
+        for_each = policy.value.status ? [] : [""]
+        content {
+          values = (
+            try(length(policy.value.values) > 0, false)
+            ? policy.value.values
+            : null
+          )
+          all = (
+            try(length(policy.value.values) > 0, false)
+            ? null
+            : true
+          )
+        }
+      }
+    }
+  }
+
+  dynamic restore_policy {
+    for_each = each.value.status == null ? [true] : []
+    content {
+      default = true
+    }
+  }
+}

modules/folder/outputs.tf

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "folder" {
+  description = "Folder resource."
+  value       = google_folder.folder
+}
+
+output "id" {
+  description = "Folder id."
+  value       = google_folder.folder.name
+  depends_on = [
+    google_folder_iam_binding.authoritative,
+    google_folder_organization_policy.boolean,
+    google_folder_organization_policy.list
+  ]
+}
+
+output "name" {
+  description = "Folder name."
+  value       = google_folder.folder.display_name
+}

modules/folder/variables.tf

@@ -0,0 +1,58 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "iam_members" {
+  description = "List of IAM members keyed by role."
+  type        = map(set(string))
+  default     = null
+}
+
+variable "iam_roles" {
+  description = "List of IAM roles."
+  type        = set(string)
+  default     = null
+}
+
+variable "name" {
+  description = "Folder name."
+  type        = string
+}
+
+variable "parent" {
+  description = "Parent in folders/folder_id or organizations/org_id format."
+  type        = string
+  validation {
+    condition     = can(regex("(organizations|folders)/[0-9]+", var.parent))
+    error_message = "Parent must be of the form folders/folder_id or organizations/organization_id."
+  }
+}
+
+variable "policy_boolean" {
+  description = "Map of boolean org policies and enforcement value, set value to null for policy restore."
+  type        = map(bool)
+  default     = {}
+}
+
+variable "policy_list" {
+  description = "Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny."
+  type = map(object({
+    inherit_from_parent = bool
+    suggested_value     = string
+    status              = bool
+    values              = list(string)
+  }))
+  default = {}
+}

modules/folder/versions.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13.0"
+}