From 3a4938874bbd50d81e89812bd23e364926b9e05e Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Thu, 5 Nov 2020 21:28:34 +0100
Subject: [PATCH] rename iam variables in pubsub module

---
 .../asset-inventory-feed-remediation/main.tf  |  2 +-
 modules/pubsub/README.md                      |  8 +--
 modules/pubsub/main.tf                        |  4 +-
 modules/pubsub/variables.tf                   | 12 ++--
 tests/modules/pubsub/__init__.py              | 13 +++++
 tests/modules/pubsub/fixture/main.tf          | 34 ++++++++++++
 tests/modules/pubsub/fixture/variables.tf     | 20 +++++++
 tests/modules/pubsub/test_plan.py             | 55 +++++++++++++++++++
 8 files changed, 135 insertions(+), 13 deletions(-)
 create mode 100644 tests/modules/pubsub/__init__.py
 create mode 100644 tests/modules/pubsub/fixture/main.tf
 create mode 100644 tests/modules/pubsub/fixture/variables.tf
 create mode 100644 tests/modules/pubsub/test_plan.py

diff --git a/cloud-operations/asset-inventory-feed-remediation/main.tf b/cloud-operations/asset-inventory-feed-remediation/main.tf
index 74e2bc2b4..17f486978 100644
--- a/cloud-operations/asset-inventory-feed-remediation/main.tf
+++ b/cloud-operations/asset-inventory-feed-remediation/main.tf
@@ -63,7 +63,7 @@ module "pubsub" {
   project_id    = module.project.project_id
   name          = var.name
   subscriptions = { "${var.name}-default" = null }
-  iam_members = {
+  iam = {
     "roles/pubsub.publisher" = [
       "serviceAccount:${module.project.service_accounts.robots.cloudasset}"
     ]
diff --git a/modules/pubsub/README.md b/modules/pubsub/README.md
index 974fe42c4..16b927626 100644
--- a/modules/pubsub/README.md
+++ b/modules/pubsub/README.md
@@ -12,7 +12,7 @@ module "pubsub" {
   source     = "./modules/pubsub"
   project_id = "my-project"
   name       = "my-topic"
-  iam_members = {
+  iam = {
     "roles/pubsub.viewer"     = ["group:foo@example.com"]
     "roles/pubsub.subscriber" = ["user:user1@example.com"]
   }
@@ -76,7 +76,7 @@ module "pubsub" {
     test-1 = null
     test-1 = null
   }
-  subscription_iam_members = {
+  subscription_iam = {
     test-1 = {
       "roles/pubsub.subscriber" = ["user:user1@ludomagno.net"]
     }
@@ -93,12 +93,12 @@ module "pubsub" {
 | project_id | Project used for resources. | <code title="">string</code> | ✓ |  |
 | *dead_letter_configs* | Per-subscription dead letter policy configuration. | <code title="map&#40;object&#40;&#123;&#10;topic                &#61; string&#10;max_delivery_attemps &#61; number&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *defaults* | Subscription defaults for options. | <code title="object&#40;&#123;&#10;ack_deadline_seconds       &#61; number&#10;message_retention_duration &#61; number&#10;retain_acked_messages      &#61; bool&#10;expiration_policy_ttl      &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;ack_deadline_seconds       &#61; null&#10;message_retention_duration &#61; null&#10;retain_acked_messages      &#61; null&#10;expiration_policy_ttl      &#61; null&#10;&#125;">...</code> |
-| *iam_members* | IAM members for each topic role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
+| *iam* | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *kms_key* | KMS customer managed encryption key. | <code title="">string</code> |  | <code title="">null</code> |
 | *labels* | Labels. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *push_configs* | Push subscription configurations. | <code title="map&#40;object&#40;&#123;&#10;attributes &#61; map&#40;string&#41;&#10;endpoint   &#61; string&#10;oidc_token &#61; object&#40;&#123;&#10;audience              &#61; string&#10;service_account_email &#61; string&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *regions* | List of regions used to set persistence policy. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
-| *subscription_iam_members* | IAM members for each subscription and role. | <code title="map&#40;map&#40;set&#40;string&#41;&#41;&#41;">map(map(set(string)))</code> |  | <code title="">{}</code> |
+| *subscription_iam* | IAM bindings for subscriptions in {SUBSCRIPTION => {ROLE => [MEMBERS]}} format. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
 | *subscriptions* | Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null. | <code title="map&#40;object&#40;&#123;&#10;labels &#61; map&#40;string&#41;&#10;options &#61; object&#40;&#123;&#10;ack_deadline_seconds       &#61; number&#10;message_retention_duration &#61; number&#10;retain_acked_messages      &#61; bool&#10;expiration_policy_ttl      &#61; string&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 
 ## Outputs
diff --git a/modules/pubsub/main.tf b/modules/pubsub/main.tf
index 31caa2585..dd652e356 100644
--- a/modules/pubsub/main.tf
+++ b/modules/pubsub/main.tf
@@ -16,7 +16,7 @@
 
 locals {
   sub_iam_members = flatten([
-    for sub, roles in var.subscription_iam_members : [
+    for sub, roles in var.subscription_iam : [
       for role, members in roles : {
         sub     = sub
         role    = role
@@ -50,7 +50,7 @@ resource "google_pubsub_topic" "default" {
 }
 
 resource "google_pubsub_topic_iam_binding" "default" {
-  for_each = var.iam_members
+  for_each = var.iam
   project  = var.project_id
   topic    = google_pubsub_topic.default.name
   role     = each.key
diff --git a/modules/pubsub/variables.tf b/modules/pubsub/variables.tf
index e6b15083f..dd68354be 100644
--- a/modules/pubsub/variables.tf
+++ b/modules/pubsub/variables.tf
@@ -39,9 +39,9 @@ variable "defaults" {
   }
 }
 
-variable "iam_members" {
-  description = "IAM members for each topic role."
-  type        = map(set(string))
+variable "iam" {
+  description = "IAM bindings for topic in {ROLE => [MEMBERS]} format."
+  type        = map(list(string))
   default     = {}
 }
 
@@ -101,8 +101,8 @@ variable "subscriptions" {
   default = {}
 }
 
-variable "subscription_iam_members" {
-  description = "IAM members for each subscription and role."
-  type        = map(map(set(string)))
+variable "subscription_iam" {
+  description = "IAM bindings for subscriptions in {SUBSCRIPTION => {ROLE => [MEMBERS]}} format."
+  type        = map(map(list(string)))
   default     = {}
 }
diff --git a/tests/modules/pubsub/__init__.py b/tests/modules/pubsub/__init__.py
new file mode 100644
index 000000000..6913f02e3
--- /dev/null
+++ b/tests/modules/pubsub/__init__.py
@@ -0,0 +1,13 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/tests/modules/pubsub/fixture/main.tf b/tests/modules/pubsub/fixture/main.tf
new file mode 100644
index 000000000..aa4468a61
--- /dev/null
+++ b/tests/modules/pubsub/fixture/main.tf
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "test" {
+  source     = "../../../../modules/pubsub"
+  project_id = "my-project"
+  regions    = ["europe-west1"]
+  name       = "test"
+  iam = {
+    "roles/pubsub.publisher" = ["user:me@example.com"]
+  }
+  subscriptions = {
+    test = null
+  }
+  subscription_iam = {
+    test = {
+      "roles/pubsub.subscriber" = ["user:me@example.com"]
+    }
+  }
+  labels = var.labels
+}
diff --git a/tests/modules/pubsub/fixture/variables.tf b/tests/modules/pubsub/fixture/variables.tf
new file mode 100644
index 000000000..4e0e03964
--- /dev/null
+++ b/tests/modules/pubsub/fixture/variables.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "labels" {
+  type    = map(string)
+  default = {}
+}
diff --git a/tests/modules/pubsub/test_plan.py b/tests/modules/pubsub/test_plan.py
new file mode 100644
index 000000000..424f481ca
--- /dev/null
+++ b/tests/modules/pubsub/test_plan.py
@@ -0,0 +1,55 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+@pytest.fixture
+def resources(plan_runner):
+  _, resources = plan_runner(FIXTURES_DIR)
+  return resources
+
+
+def test_resource_count(resources):
+  "Test number of resources created."
+  assert len(resources) == 4
+
+
+def test_iam(resources):
+  "Test IAM binding resources."
+  bindings = [r['values'] for r in resources if r['type']
+              == 'google_pubsub_topic_iam_binding']
+  assert len(bindings) == 1
+  assert bindings[0]['role'] == 'roles/pubsub.publisher'
+
+
+def test_subscriptions(resources):
+  "Test subscription resources."
+  subs = [r['values'] for r in resources if r['type']
+          == 'google_pubsub_subscription']
+  assert len(subs) == 1
+  assert set(s['name'] for s in subs) == set(['test'])
+
+
+def test_subscription_iam(resources):
+  "Test subscription IAM binding resources."
+  bindings = [r['values'] for r in resources if r['type']
+              == 'google_pubsub_subscription_iam_binding']
+  assert len(bindings) == 1
+  assert set(b['role'] for b in bindings) == set(['roles/pubsub.subscriber'])