diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md
index 45895f288..18aaf2696 100644
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@@ -184,8 +184,7 @@ module "instance-group" {
| *encryption* | Encryption options. Only one of kms_key_self_link and disk_encryption_key_raw may be set. If needed, you can specify to encrypt or not the boot disk. | object({...}) | | null |
| *group* | Define this variable to create an instance group for instances. Disabled for template use. | object({...}) | | null |
| *hostname* | Instance FQDN name. | string | | null |
-| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | map(list(string)) | | {} |
-| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | list(string) | | [] |
+| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | map(set(string)) | | {} |
| *instance_count* | Number of instances to create (only for non-template usage). | number | | 1 |
| *instance_type* | Instance type. | string | | f1-micro |
| *labels* | Instance labels. | map(string) | | {} |
diff --git a/modules/compute-vm/main.tf b/modules/compute-vm/main.tf
index 1a9110228..457497908 100644
--- a/modules/compute-vm/main.tf
+++ b/modules/compute-vm/main.tf
@@ -25,9 +25,9 @@ locals {
for pair in setproduct(keys(local.names), keys(local.attached_disks)) :
"${pair[0]}-${pair[1]}" => { disk_name = pair[1], name = pair[0] }
}
- iam_roles = var.use_instance_template ? {} : {
- for pair in setproduct(var.iam_roles, keys(local.names)) :
- "${pair.0}/${pair.1}" => { role = pair.0, name = pair.1 }
+ iam_members = var.use_instance_template ? {} : {
+ for pair in setproduct(keys(var.iam_members), keys(local.names)) :
+ "${pair.0}/${pair.1}" => { role = pair.0, name = pair.1, members = var.iam_members[pair.0] }
}
names = (
var.use_instance_template ? { (var.name) = 0 } : {
@@ -196,12 +196,12 @@ resource "google_compute_instance" "default" {
}
resource "google_compute_instance_iam_binding" "default" {
- for_each = local.iam_roles
+ for_each = local.iam_members
project = var.project_id
zone = local.zones[each.value.name]
instance_name = each.value.name
role = each.value.role
- members = lookup(var.iam_members, each.value.role, [])
+ members = each.value.members
depends_on = [google_compute_instance.default]
}
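Review bot: `google_compute_instance_iam_binding` is authoritative per role, so the set assigned on the new `members = each.value.members` line replaces whatever members that role currently has on the instance, including bindings made outside this module, and nothing in the resource says so. I would add above the resource a comment such as `# Authoritative per role: the members listed for a role replace any existing members of that role on the instance, including ones granted outside Terraform.` so a caller understands the blast radius before adding a role key. The README labels these bindings authoritative, but the code itself does not.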
diff --git a/modules/compute-vm/variables.tf b/modules/compute-vm/variables.tf
index 02c134800..604a57669 100644
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
@@ -92,16 +92,10 @@ variable "hostname" {
variable "iam_members" {
description = "Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use."
- type = map(list(string))
+ type = map(set(string))
default = {}
}
-variable "iam_roles" {
- description = "List of roles used to set authoritative bindings. Ignored for template use."
- type = list(string)
- default = []
-}
-
variable "instance_count" {
description = "Number of instances to create (only for non-template usage)."
type = number
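Review bot: The new `map(set(string))` type still admits an empty set for a role, and because the values feed authoritative bindings (per the description two lines above), a role mapped to `[]` would, if the provider accepts it, strip every existing member of that role from each instance rather than be ignored; the commit removes the old `iam_roles` plus `lookup(..., [])` route to that outcome but not this one. A `validation` block on `iam_members` that rejects empty member sets turns it into a plan-time error instead, assuming the module already targets Terraform 0.13 or later, which `validation` requires. The `instance_count` variable at the end of the hunk continues outside it.
```hcl
variable "iam_members" {
  # … unchanged: description, type, default …
  validation {
    condition     = length([for m in values(var.iam_members) : m if length(m) == 0]) == 0
    error_message = "Every role in iam_members must list at least one member, because an authoritative binding with no members removes all existing members of that role."
  }
}
```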
diff --git a/tests/modules/compute_vm/fixture/main.tf b/tests/modules/compute_vm/fixture/main.tf
index b80dcb23f..fb3dd42ca 100644
--- a/tests/modules/compute_vm/fixture/main.tf
+++ b/tests/modules/compute_vm/fixture/main.tf
@@ -25,7 +25,6 @@ module "test" {
instance_count = var.instance_count
use_instance_template = var.use_instance_template
group = var.group
- iam_roles = var.iam_roles
iam_members = var.iam_members
metadata = var.metadata
metadata_list = var.metadata_list
diff --git a/tests/modules/compute_vm/fixture/variables.tf b/tests/modules/compute_vm/fixture/variables.tf
index 6258905b7..bc61f3d6c 100644
--- a/tests/modules/compute_vm/fixture/variables.tf
+++ b/tests/modules/compute_vm/fixture/variables.tf
@@ -20,15 +20,10 @@ variable "group" {
}
variable "iam_members" {
- type = map(list(string))
+ type = map(set(string))
default = {}
}
-variable "iam_roles" {
- type = list(string)
- default = []
-}
-
variable "instance_count" {
type = number
default = 1
diff --git a/tests/modules/compute_vm/test_plan.py b/tests/modules/compute_vm/test_plan.py
index a37b55ac1..5cf1458d6 100644
--- a/tests/modules/compute_vm/test_plan.py
+++ b/tests/modules/compute_vm/test_plan.py
@@ -56,13 +56,12 @@ def test_group(plan_runner):
def test_iam(plan_runner):
- iam_roles = '["roles/compute.instanceAdmin", "roles/iam.serviceAccountUser"]'
iam_members = (
'{"roles/compute.instanceAdmin" = ["user:a@a.com", "user:b@a.com"],'
'"roles/iam.serviceAccountUser" = ["user:a@a.com"]}'
)
_, resources = plan_runner(
- FIXTURES_DIR, instance_count=2, iam_roles=iam_roles, iam_members=iam_members)
+ FIXTURES_DIR, instance_count=2, iam_members=iam_members)
assert len(resources) == 6
assert set(r['type'] for r in resources) == set([
'google_compute_instance', 'google_compute_instance_iam_binding'])
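Review bot: test_iam only checks the count and the types of the planned resources, so it would still pass if the new `members = each.value.members` wiring produced the wrong or an empty member set for a role, which is exactly the regression that dropping `iam_roles` is meant to rule out. After the type assertion I would add `bindings = [r for r in resources if r['type'] == 'google_compute_instance_iam_binding']`, `assert {r['values']['role'] for r in bindings} == {'roles/compute.instanceAdmin', 'roles/iam.serviceAccountUser'}` and `assert all(r['values']['members'] for r in bindings)`. The sibling zones test reads `r['values']['zone']` from the same planner output, so `role` and `members` are presumably exposed the same way, though I have not confirmed the plan JSON shape here. test_iam's body may continue past the hunk.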
diff --git a/tests/modules/compute_vm/test_plan_zones.py b/tests/modules/compute_vm/test_plan_zones.py
index f4a00359c..9aa1ae240 100644
--- a/tests/modules/compute_vm/test_plan_zones.py
+++ b/tests/modules/compute_vm/test_plan_zones.py
@@ -49,10 +49,9 @@ def test_group(plan_runner):
def test_iam(plan_runner):
- iam_roles = '["roles/a", "roles/b"]'
iam_members = '{"roles/a" = ["user:a@a.com"], "roles/b" = ["user:a@a.com"]}'
_, resources = plan_runner(FIXTURES_DIR, instance_count=3,
- iam_roles=iam_roles, iam_members=iam_members,
+ iam_members=iam_members,
zones='["a", "b"]')
iam_bindings = dict(
(r['index'], r['values']['zone']) for r in resources if r['type']