From 7e429425fe8a3598a38b490f35a6359ba13a25ff Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Tue, 16 Feb 2021 20:01:18 +0100
Subject: [PATCH] Fix IAM additive (#200)
* Fix wrong iam_addictive variable input (#197) iam_additive variable from Project module expect { "roles" = list(string) } input
Co-authored-by: Emre Turan
* fix project example
Co-authored-by: Emre Turan
Co-authored-by: Emre Turan
---
 foundations/environments/main.tf | 8 ++++----
 modules/project/README.md | 19 ++++---------------
 2 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/foundations/environments/main.tf b/foundations/environments/main.tf
index ad48eb24c..4352f2f22 100644
--- a/foundations/environments/main.tf
+++ b/foundations/environments/main.tf
@@ -24,8 +24,8 @@ module "tf-project" {
 parent = var.root_node
 prefix = var.prefix
 billing_account = var.billing_account_id
- iam_additive = {
- for name in var.iam_terraform_owners : (name) => ["roles/owner"]
+ iam_additive = {
+ "roles/owner" = var.iam_terraform_owners
 }
 services = var.project_services
 }
@@ -158,8 +158,8 @@ module "sharedsvc-project" {
 parent = var.root_node
 prefix = var.prefix
 billing_account = var.billing_account_id
- iam_additive = {
- for name in var.iam_shared_owners : (name) => ["roles/owner"]
+ iam_additive = {
+ "roles/owner" = var.iam_shared_owners
 }
 services = var.project_services
 }
diff --git a/modules/project/README.md b/modules/project/README.md
index 402cee0bc..12e78e396 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
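Review bot: In foundations/environments/main.tf, the new `"roles/owner" = var.iam_terraform_owners` binding in `module "tf-project"` (and the matching `var.iam_shared_owners` binding in `module "sharedsvc-project"`) gives a basic role with full project control to every principal in the variable, and nothing visible in either hunk documents or constrains that list. Since the key is named `iam_additive`, the grant is presumably non-authoritative, so owners added outside Terraform would not be reverted by this binding; that is worth stating where the value is set. I would add a comment above each map such as `# roles/owner is additive: out-of-band owners are not removed; keep this list to groups or service accounts`. Both module blocks start above their hunks and the variable declarations are not shown, so any validation already applied to these lists cannot be confirmed from this diff.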
@@ -36,23 +36,12 @@ module "project" { name = "project-example" iam_additive = { - "group:usergroup_watermlon_experimentation@lemonadeinc.io" = [ - "roles/viewer", - "roles/storage.objectAdmin" - ], - "group:usergroup_gcp_admin@lemonadeinc.io" = [ - "roles/owner", - ], - "group:usergroup_gcp_privilege_access@lemonadeinc.io" = [ - "roles/editor" - ], - "group:engineering@lemonadeinc.io" = [ - "roles/pubsub.subscriber", - "roles/storage.objectViewer" - ], + "roles/viewer" = ["group:one@example.org", "group:two@xample.org"], + "roles/storage.objectAdmin" = ["group:two@example.org"], + "roles/owner" = ["group:three@example.org"], } } -# tftest:modules=1:resources=7 +# tftest:modules=1:resources=5 ``` ### Organization policies