refactor IAM additive bindings variables (#103)

* Invert the list for role/member mapping so that member is the key

* Add iam_additive_bindings to replace iam_additive_members and iam_additive_roles, change test suite accordingly

* attribute 'mode' added as it would error without

* Update Readme to reflect the new variable iam_additive_bindings

* test branch access

* iam_additive_bindings to replace iam_additive_roles and iam_additive_members

* update foundation samples to new additive bindings format

* set bq dataset options in foundation environments to allow destroying

* trap exceptions raised during destroy in project module

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
vanessabodard-voi
2020-07-02 08:28:26 +02:00
committed by GitHub
parent 0a8fe79477
commit 5af022a3ee
14 changed files with 84 additions and 82 deletions


@@ -16,8 +16,8 @@
locals {
iam_additive_pairs = flatten([
for role in var.iam_additive_roles : [
for member in lookup(var.iam_additive_members, role, []) :
for member, roles in var.iam_additive_bindings : [
for role in roles :
{ role = role, member = member }
]
])
@@ -29,7 +29,9 @@ locals {
parent_id = var.parent == null ? null : split("/", var.parent)[1]
prefix = var.prefix == null ? "" : "${var.prefix}-"
project = (
var.project_create ? google_project.project.0 : data.google_project.project.0
var.project_create
? try(google_project.project.0, null)
: try(data.google_project.project.0, null)
)
}
@@ -100,7 +102,7 @@ resource "google_project_iam_binding" "authoritative" {
}
resource "google_project_iam_member" "additive" {
for_each = length(var.iam_additive_roles) > 0 ? local.iam_additive : {}
for_each = length(var.iam_additive_bindings) > 0 ? local.iam_additive : {}
project = local.project.project_id
role = each.value.role
member = each.value.member
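Review bot: In the `project` local, wrapping both branches in `try(..., null)` lets `local.project` evaluate to null, yet `google_project_iam_member.additive` still reads `local.project.project_id` unguarded, so a failed lookup would presumably surface as a null-attribute error at the IAM resource instead of at the project lookup. `try()` also swallows every error the expression raises, not only the destroy-time one named in the commit message, so a project lookup that failed for another reason can go unnoticed while IAM grants are being planned. I would add a comment above the local, for example `# try(): project resource/data may already be gone during destroy, so local.project can be null`, and check that the other consumers of `local.project` tolerate null. The resource block continues past the end of the hunk, so only its first attributes are visible here.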