From cae5090ceee466b04a0c0f9a53d10418760fe4a5 Mon Sep 17 00:00:00 2001
From: dgourillon <50948886+dgourillon@users.noreply.github.com>
Date: Tue, 25 Feb 2025 12:14:25 +0100
Subject: [PATCH] Allow different principal types in bootstrap user variable (#2922)

* handle the iam_user_bootstrap_bindings with a local.bootstrap_user to handle the case where var.bootstrap_user is a WIF user (starts with principal:// and does not require to be added the prefix user:)

* terraform fmt

* fix linting

* lint fix

* reran terraform fmt

* Fix condition

---------

Co-authored-by: Julio Castillo
---
 fast/stages/0-bootstrap/organization-iam.tf | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/fast/stages/0-bootstrap/organization-iam.tf b/fast/stages/0-bootstrap/organization-iam.tf
index 6227e5b4a..de16ede98 100644
--- a/fast/stages/0-bootstrap/organization-iam.tf
+++ b/fast/stages/0-bootstrap/organization-iam.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -188,9 +188,16 @@ locals {
       ]
     }
   }
+  # Check if boostrap_user comes from WIF
+  bootstrap_principal = var.bootstrap_user == null ? null : (
+    strcontains(var.bootstrap_user, ":")
+    ? var.bootstrap_user
+    : "user:${var.bootstrap_user}"
+  )
+
   # bootstrap user bindings
   iam_user_bootstrap_bindings = var.bootstrap_user == null ? {} : {
-    "user:${var.bootstrap_user}" = {
+    (local.bootstrap_principal) = {
       authoritative = [
         "roles/logging.admin",
         "roles/owner",
@@ -198,7 +205,6 @@ locals {
         "roles/resourcemanager.projectCreator",
         "roles/resourcemanager.tagAdmin"
       ]
-      # TODO: align additive roles with the README
       additive = (
         local.billing_mode != "org" ? [] : [
           "roles/billing.admin"
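Review bot: The new `bootstrap_principal` local in the second hunk treats any value containing a colon as an already-typed principal, so the comment `# Check if boostrap_user comes from WIF` both misspells the variable and understates what the branch does: a `group:`, `serviceAccount:`, `principalSet://` or a mistyped prefix is also passed through verbatim and then bound to `roles/owner` and the other authoritative roles at the organization. Suggested comment: `# Use var.bootstrap_user verbatim when it already carries a principal type (principal://, principalSet://, serviceAccount:, group:); otherwise treat it as a bare email and prefix "user:".`. Since the value ends up as an org-level owner binding, a `validation` block on `var.bootstrap_user` (declared outside this hunk, in the variable's file) restricting it to the accepted prefixes or a bare email would fail the plan on a malformed principal rather than creating an unintended binding. The enclosing `locals` block starts and ends outside the hunk.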