Removing iam_roles from multiple modules

This commits removes the iam_roles variables from the modules: - artifact-registry - bigtable-instance - cloud-function - container-registry - endopoints - pubsub - source-repository
2020-10-30 18:55:54 +01:00
parent 96dba2256e
commit 82a1fe3c20
22 changed files with 51 additions and 133 deletions
--- a/modules/pubsub/README.md
+++ b/modules/pubsub/README.md
@@ -12,10 +12,6 @@ module "pubsub" {
  source     = "./modules/pubsub"
  project_id = "my-project"
  name       = "my-topic"
-  iam_roles = [
-    "roles/pubsub.viewer",
-    "roles/pubsub.subscriber"
-  ]
  iam_members = {
    "roles/pubsub.viewer"     = ["group:foo@example.com"]
    "roles/pubsub.subscriber" = ["user:user1@example.com"]
@@ -80,9 +76,6 @@ module "pubsub" {
    test-1 = null
    test-1 = null
  }
-  subscription_iam_roles = {
-    test-1 = ["roles/pubsub.subscriber"]
-  }
  subscription_iam_members = {
    test-1 = {
      "roles/pubsub.subscriber" = ["user:user1@ludomagno.net"]
@@ -100,14 +93,12 @@ module "pubsub" {
 | project_id | Project used for resources. | <code title="">string</code> | ✓ |  |
 | *dead_letter_configs* | Per-subscription dead letter policy configuration. | <code title="map&#40;object&#40;&#123;&#10;topic                &#61; string&#10;max_delivery_attemps &#61; number&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *defaults* | Subscription defaults for options. | <code title="object&#40;&#123;&#10;ack_deadline_seconds       &#61; number&#10;message_retention_duration &#61; number&#10;retain_acked_messages      &#61; bool&#10;expiration_policy_ttl      &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;ack_deadline_seconds       &#61; null&#10;message_retention_duration &#61; null&#10;retain_acked_messages      &#61; null&#10;expiration_policy_ttl      &#61; null&#10;&#125;">...</code> |
-| *iam_members* | IAM members for each topic role. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | IAM roles for topic. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_members* | IAM members for each topic role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *kms_key* | KMS customer managed encryption key. | <code title="">string</code> |  | <code title="">null</code> |
 | *labels* | Labels. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *push_configs* | Push subscription configurations. | <code title="map&#40;object&#40;&#123;&#10;attributes &#61; map&#40;string&#41;&#10;endpoint   &#61; string&#10;oidc_token &#61; object&#40;&#123;&#10;audience              &#61; string&#10;service_account_email &#61; string&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *regions* | List of regions used to set persistence policy. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
-| *subscription_iam_members* | IAM members for each subscription and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
-| *subscription_iam_roles* | IAM roles for each subscription. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
+| *subscription_iam_members* | IAM members for each subscription and role. | <code title="map&#40;map&#40;set&#40;string&#41;&#41;&#41;">map(map(set(string)))</code> |  | <code title="">{}</code> |
 | *subscriptions* | Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null. | <code title="map&#40;object&#40;&#123;&#10;labels &#61; map&#40;string&#41;&#10;options &#61; object&#40;&#123;&#10;ack_deadline_seconds       &#61; number&#10;message_retention_duration &#61; number&#10;retain_acked_messages      &#61; bool&#10;expiration_policy_ttl      &#61; string&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |

 ## Outputs
--- a/modules/pubsub/main.tf
+++ b/modules/pubsub/main.tf
@@ -15,17 +15,15 @@
 */

 locals {
-  iam_pairs = var.subscription_iam_roles == null ? [] : flatten([
-    for name, roles in var.subscription_iam_roles :
-    [for role in roles : { name = name, role = role }]
+  sub_iam_members = flatten([
+    for sub, roles in var.subscription_iam_members : [
+      for role, members in roles : {
+        sub     = sub
+        role    = role
+        members = members
+      }
+    ]
  ])
-  iam_keypairs = {
-    for pair in local.iam_pairs :
-    "${pair.name}-${pair.role}" => pair
-  }
-  iam_members = (
-    var.subscription_iam_members == null ? {} : var.subscription_iam_members
-  )
  oidc_config = {
    for k, v in var.push_configs : k => v.oidc_token
  }
@@ -52,11 +50,11 @@ resource "google_pubsub_topic" "default" {
 }

 resource "google_pubsub_topic_iam_binding" "default" {
-  for_each = toset(var.iam_roles)
+  for_each = var.iam_members
  project  = var.project_id
  topic    = google_pubsub_topic.default.name
-  role     = each.value
-  members  = lookup(var.iam_members, each.value, [])
+  role     = each.key
+  members  = each.value
 }

 resource "google_pubsub_subscription" "default" {
@@ -103,11 +101,12 @@ resource "google_pubsub_subscription" "default" {
 }

 resource "google_pubsub_subscription_iam_binding" "default" {
-  for_each     = local.iam_keypairs
+  for_each = {
+    for binding in local.sub_iam_members :
+    "${binding.sub}.${binding.role}" => binding
+  }
  project      = var.project_id
-  subscription = google_pubsub_subscription.default[each.value.name].name
+  subscription = google_pubsub_subscription.default[each.value.sub].name
  role         = each.value.role
-  members = lookup(
-    lookup(local.iam_members, each.value.name, {}), each.value.role, []
-  )
+  members      = each.value.members
 }
--- a/modules/pubsub/variables.tf
+++ b/modules/pubsub/variables.tf
@@ -41,16 +41,10 @@ variable "defaults" {

 variable "iam_members" {
  description = "IAM members for each topic role."
-  type        = map(list(string))
+  type        = map(set(string))
  default     = {}
 }

-variable "iam_roles" {
-  description = "IAM roles for topic."
-  type        = list(string)
-  default     = []
-}
-
 variable "kms_key" {
  description = "KMS customer managed encryption key."
  type        = string
@@ -109,12 +103,6 @@ variable "subscriptions" {

 variable "subscription_iam_members" {
  description = "IAM members for each subscription and role."
-  type        = map(map(list(string)))
-  default     = {}
-}
-
-variable "subscription_iam_roles" {
-  description = "IAM roles for each subscription."
-  type        = map(list(string))
+  type        = map(map(set(string)))
  default     = {}
 }