dataplex aspect types module refactor (#3544)

modules/dataplex-aspect-types/README.md

@@ -75,13 +75,13 @@ IAM attributes can leverage substitutions for principals, which need to be defin
 module "aspect-types" {
   source     = "./fabric/modules/dataplex-aspect-types"
   project_id = "test-project"
+  context = {
+    iam_principals = {
+      test-sa = "serviceAccount:sa-0@test-project.iam.gserviceaccount.com"
+    }
+  }
   factories_config = {
     aspect_types = "data/aspect-types"
-    context = {
-      iam_principals = {
-        test-sa = "serviceAccount:sa-0@test-project.iam.gserviceaccount.com"
-      }
-    }
   }
 }
 # tftest modules=1 resources=4 files=aspect-0,aspect-1
@@ -125,7 +125,7 @@ display_name: "Test template 1."
 iam_bindings_additive:
   user:
     role: roles/dataplex.aspectTypeUser
-    member: test-sa
+    member: $iam_principals:test-sa
 metadata_template: |
   {
     "name": "tf-test-template-1",
@@ -158,10 +158,11 @@ metadata_template: |
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L67) | Project id where resources will be created. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L77) | Project id where resources will be created. | <code>string</code> | ✓ |  |
 | [aspect_types](variables.tf#L17) | Aspect templates. Merged with those defined via the factory. | <code title="map&#40;object&#40;&#123;&#10;  description       &#61; optional&#40;string&#41;&#10;  display_name      &#61; optional&#40;string&#41;&#10;  labels            &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  metadata_template &#61; optional&#40;string&#41;&#10;  iam               &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [factories_config](variables.tf#L48) | Paths to folders for the optional factories. | <code title="object&#40;&#123;&#10;  aspect_types &#61; optional&#40;string&#41;&#10;  context &#61; optional&#40;object&#40;&#123;&#10;    iam_principals &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [location](variables.tf#L60) | Location for aspect types. | <code>string</code> |  | <code>&#34;global&#34;</code> |
+| [context](variables.tf#L48) | Context-specific interpolations. | <code title="object&#40;&#123;&#10;  condition_vars &#61; optional&#40;map&#40;map&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  custom_roles   &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  iam_principals &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  locations      &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  project_ids    &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [factories_config](variables.tf#L61) | Paths to folders for the optional factories. | <code title="object&#40;&#123;&#10;  aspect_types &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [location](variables.tf#L70) | Location for aspect types. | <code>string</code> |  | <code>&#34;global&#34;</code> |
 
 ## Outputs
 

modules/dataplex-aspect-types/iam.tf

@@ -53,26 +53,28 @@ resource "google_dataplex_aspect_type_iam_binding" "authoritative" {
     for binding in local.iam :
     "${binding.aspect_type_id}.${binding.role}" => binding
   }
-  role           = each.value.role
   aspect_type_id = google_dataplex_aspect_type.default[each.value.aspect_type_id].id
+  role           = lookup(local.ctx.custom_roles, each.value.role, each.value.role)
   members = [
     for v in each.value.members :
-    lookup(var.factories_config.context.iam_principals, v, v)
+    lookup(local.ctx.iam_principals, v, v)
   ]
 }
 
 resource "google_dataplex_aspect_type_iam_binding" "bindings" {
   for_each       = local.iam_bindings
-  role           = each.value.role
   aspect_type_id = google_dataplex_aspect_type.default[each.value.aspect_type_id].id
+  role           = lookup(local.ctx.custom_roles, each.value.role, each.value.role)
   members = [
     for v in each.value.members :
-    lookup(var.factories_config.context.iam_principals, v, v)
+    lookup(local.ctx.iam_principals, v, v)
   ]
   dynamic "condition" {
     for_each = each.value.condition == null ? [] : [""]
     content {
-      expression  = each.value.condition.expression
+      expression = templatestring(
+        each.value.condition.expression, var.context.condition_vars
+      )
       title       = each.value.condition.title
       description = each.value.condition.description
     }
@@ -82,14 +84,16 @@ resource "google_dataplex_aspect_type_iam_binding" "bindings" {
 resource "google_dataplex_aspect_type_iam_member" "members" {
   for_each       = local.iam_bindings_additive
   aspect_type_id = google_dataplex_aspect_type.default[each.value.aspect_type_id].id
-  role           = each.value.role
+  role           = lookup(local.ctx.custom_roles, each.value.role, each.value.role)
   member = lookup(
-    var.factories_config.context.iam_principals, each.value.member, each.value.member
+    local.ctx.iam_principals, each.value.member, each.value.member
   )
   dynamic "condition" {
     for_each = each.value.condition == null ? [] : [""]
     content {
-      expression  = each.value.condition.expression
+      expression = templatestring(
+        each.value.condition.expression, var.context.condition_vars
+      )
       title       = each.value.condition.title
       description = each.value.condition.description
     }

modules/dataplex-aspect-types/main.tf

@@ -37,12 +37,22 @@ locals {
       metadata_template = lookup(v, "metadata_template", null)
     }
   })
+  ctx = {
+    for k, v in var.context : k => {
+      for kk, vv in v : "${local.ctx_p}${k}:${kk}" => vv
+    } if k != "condition_vars"
+  }
+  ctx_p    = "$"
+  location = try(local.ctx.locations[var.location], var.location)
+  project_id = var.project_id == null ? null : lookup(
+    local.ctx.project_ids, var.project_id, var.project_id
+  )
 }
 
 resource "google_dataplex_aspect_type" "default" {
   for_each          = local.aspect_types
-  project           = var.project_id
-  location          = var.location
+  project           = local.project_id
+  location          = local.location
   aspect_type_id    = each.key
   description       = each.value.description
   display_name      = each.value.display_name

modules/dataplex-aspect-types/schemas/aspect-type.schema.json

@@ -31,11 +31,11 @@
       "type": "object",
       "additionalProperties": false,
       "patternProperties": {
-        "^roles/": {
+        "^(?:roles/|\\$custom_roles:)": {
           "type": "array",
           "items": {
             "type": "string",
-            "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
+            "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:||\\$iam_principals:[a-z0-9_-]+)"
           }
         }
       }
@@ -52,12 +52,12 @@
               "type": "array",
               "items": {
                 "type": "string",
-                "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
+                "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)"
               }
             },
             "role": {
               "type": "string",
-              "pattern": "^roles/"
+              "pattern": "^(?:roles/|\\$custom_roles:)"
             },
             "condition": {
               "type": "object",
@@ -92,11 +92,11 @@
           "properties": {
             "member": {
               "type": "string",
-              "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])"
+              "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)"
             },
             "role": {
               "type": "string",
-              "pattern": "^roles/"
+              "pattern": "^(?:roles/|\\$custom_roles:)"
             },
             "condition": {
               "type": "object",

modules/dataplex-aspect-types/variables.tf

@@ -45,13 +45,23 @@ variable "aspect_types" {
   default  = {}
 }
 
+variable "context" {
+  description = "Context-specific interpolations."
+  type = object({
+    condition_vars = optional(map(map(string)), {})
+    custom_roles   = optional(map(string), {})
+    iam_principals = optional(map(string), {})
+    locations      = optional(map(string), {})
+    project_ids    = optional(map(string), {})
+  })
+  default  = {}
+  nullable = false
+}
+
 variable "factories_config" {
   description = "Paths to folders for the optional factories."
   type = object({
     aspect_types = optional(string)
-    context = optional(object({
-      iam_principals = optional(map(string), {})
-    }), {})
   })
   nullable = false
   default  = {}