Allow different principal types in bootstrap user variable (#2922)

* handle the iam_user_bootstrap_bindings through a local.bootstrap_user to cover the case where var.bootstrap_user is a WIF principal (it starts with principal:// and does not need the user: prefix added)

* terraform fmt

* fix linting

* lint fix

* reran terraform fmt

* Fix condition

---------

Co-authored-by: Julio Castillo <jccb@google.com>
dgourillon
2025-02-25 12:14:25 +01:00
committed by GitHub
parent 50265f2169
commit cae5090cee


@@ -1,5 +1,5 @@
/**
* Copyright 2024 Google LLC
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -188,9 +188,16 @@ locals {
]
}
}
# Check if boostrap_user comes from WIF
bootstrap_principal = var.bootstrap_user == null ? null : (
strcontains(var.bootstrap_user, ":")
? var.bootstrap_user
: "user:${var.bootstrap_user}"
)
# bootstrap user bindings
iam_user_bootstrap_bindings = var.bootstrap_user == null ? {} : {
"user:${var.bootstrap_user}" = {
(local.bootstrap_principal) = {
authoritative = [
"roles/logging.admin",
"roles/owner",
@@ -198,7 +205,6 @@ locals {
"roles/resourcemanager.projectCreator",
"roles/resourcemanager.tagAdmin"
]
# TODO: align additive roles with the README
additive = (
local.billing_mode != "org" ? [] : [
"roles/billing.admin"
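Review bot: The comment above `bootstrap_principal` says the check detects a WIF principal, but `strcontains(var.bootstrap_user, ":")` passes through any value containing a colon unprefixed (which is what the commit title wants: `serviceAccount:`, `group:`, `principalSet://` and so on all qualify), so the comment understates what the local accepts and also misspells "bootstrap". I would replace it with `# Pass any already-prefixed principal (principal://, serviceAccount:, ...) through as-is; bare emails get the user: prefix` so the next reader does not narrow the condition back to `principal://`. Because this local becomes the key of authoritative bindings that include `roles/owner`, a malformed value such as a stray colon in an email is only rejected at apply time; a `validation` block on `var.bootstrap_user` that checks for either a bare email or a `type:id` form would catch that at plan time, but that lives outside this hunk. The enclosing `locals` block starts before and ends after the hunks shown here.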