From e1c1ed3a231ad4bb4dec30563f03bfd88d6a98dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= Date: Tue, 3 Sep 2024 16:41:41 +0000 Subject: [PATCH] Add IAM dependencies to outputs --- modules/artifact-registry/outputs.tf | 14 +++++++++- modules/bigquery-dataset/outputs.tf | 9 ++++--- modules/gcs/outputs.tf | 8 ++++-- modules/kms/outputs.tf | 39 +++++++++++++++++++++++----- modules/project/cmek.tf | 5 ++-- modules/pubsub/outputs.tf | 12 ++++++--- modules/secret-manager/outputs.tf | 16 ++++++++++++ 7 files changed, 84 insertions(+), 19 deletions(-) diff --git a/modules/artifact-registry/outputs.tf b/modules/artifact-registry/outputs.tf index 0a804888d..ad3cb7dcf 100644 --- a/modules/artifact-registry/outputs.tf +++ b/modules/artifact-registry/outputs.tf @@ -17,16 +17,25 @@ output "id" { description = "Fully qualified repository id." value = google_artifact_registry_repository.registry.id + depends_on = [ + google_artifact_registry_repository_iam_binding.bindings + ] } output "name" { description = "Repository name." value = google_artifact_registry_repository.registry.name + depends_on = [ + google_artifact_registry_repository_iam_binding.bindings + ] } output "repository" { description = "Repository object." value = google_artifact_registry_repository.registry + depends_on = [ + google_artifact_registry_repository_iam_binding.bindings + ] } output "url" { @@ -36,5 +45,8 @@ output "url" { var.project_id, var.name ]) - depends_on = [google_artifact_registry_repository.registry] + depends_on = [ + google_artifact_registry_repository.registry, + google_artifact_registry_repository_iam_binding.bindings + ] } diff --git a/modules/bigquery-dataset/outputs.tf b/modules/bigquery-dataset/outputs.tf index 3beb5f82c..21b3fe41c 100644 --- a/modules/bigquery-dataset/outputs.tf +++ b/modules/bigquery-dataset/outputs.tf 
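Review bot: Each `depends_on` added to the `id`, `name`, `repository` and `url` outputs of artifact-registry lists only `google_artifact_registry_repository_iam_binding.bindings`, whereas the gcs, kms and pubsub sections of this patch also list an `..._iam_binding.authoritative` and an `..._iam_member` resource. If this module declares those resource kinds as well (its IAM definitions are not visible here), a consumer of the output can still run before those grants exist, which is the ordering gap the commit sets out to close. The same single-resource list appears in the bigquery-dataset hunks (`google_bigquery_dataset_iam_binding.bindings`) and in every secret-manager hunk (`google_secret_manager_secret_iam_binding.default`). All three modules are worth checking, with a comment such as `# keep in sync with every IAM resource this module declares` above each list.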
@@ -29,7 +29,8 @@ output "dataset_id" { google_bigquery_dataset_access.domain, google_bigquery_dataset_access.group_by_email, google_bigquery_dataset_access.special_group, - google_bigquery_dataset_access.user_by_email + google_bigquery_dataset_access.user_by_email, + google_bigquery_dataset_iam_binding.bindings, ] } @@ -43,7 +44,8 @@ output "id" { google_bigquery_dataset_access.domain, google_bigquery_dataset_access.group_by_email, google_bigquery_dataset_access.special_group, - google_bigquery_dataset_access.user_by_email + google_bigquery_dataset_access.user_by_email, + google_bigquery_dataset_iam_binding.bindings, ] } @@ -67,7 +69,8 @@ output "self_link" { google_bigquery_dataset_access.domain, google_bigquery_dataset_access.group_by_email, google_bigquery_dataset_access.special_group, - google_bigquery_dataset_access.user_by_email + google_bigquery_dataset_access.user_by_email, + google_bigquery_dataset_iam_binding.bindings, ] } diff --git a/modules/gcs/outputs.tf b/modules/gcs/outputs.tf index e49bc7219..ed2f6c212 100644 --- a/modules/gcs/outputs.tf +++ b/modules/gcs/outputs.tf @@ -30,7 +30,9 @@ output "id" { value = "${local.prefix}${lower(var.name)}" depends_on = [ google_storage_bucket.bucket, - google_storage_bucket_iam_binding.bindings + google_storage_bucket_iam_binding.bindings, + google_storage_bucket_iam_binding.authoritative, + google_storage_bucket_iam_member.bindings ] } @@ -39,7 +41,9 @@ output "name" { value = "${local.prefix}${lower(var.name)}" depends_on = [ google_storage_bucket.bucket, - google_storage_bucket_iam_binding.bindings + google_storage_bucket_iam_binding.bindings, + google_storage_bucket_iam_binding.authoritative, + google_storage_bucket_iam_member.bindings ] } diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf index acfb69b3e..9346ce6b8 100644 --- a/modules/kms/outputs.tf +++ b/modules/kms/outputs.tf 
@@ -19,7 +19,11 @@ output "id" { value = local.keyring.id depends_on = [ google_kms_key_ring_iam_binding.authoritative, - google_kms_key_ring_iam_binding.bindings + google_kms_key_ring_iam_binding.bindings, + google_kms_key_ring_iam_member.bindings, + google_kms_crypto_key_iam_binding.authoritative, + google_kms_crypto_key_iam_binding.bindings, + google_kms_crypto_key_iam_member.members ] } @@ -28,7 +32,11 @@ output "import_job" { value = google_kms_key_ring_import_job.default depends_on = [ google_kms_key_ring_iam_binding.authoritative, - google_kms_key_ring_iam_binding.bindings + google_kms_key_ring_iam_binding.bindings, + google_kms_key_ring_iam_member.bindings, + google_kms_crypto_key_iam_binding.authoritative, + google_kms_crypto_key_iam_binding.bindings, + google_kms_crypto_key_iam_member.members ] } @@ -40,7 +48,8 @@ output "key_ids" { } depends_on = [ google_kms_crypto_key_iam_binding.authoritative, - google_kms_crypto_key_iam_binding.bindings + google_kms_crypto_key_iam_binding.bindings, + google_kms_crypto_key_iam_member.members ] } @@ -49,7 +58,11 @@ output "keyring" { value = local.keyring depends_on = [ google_kms_key_ring_iam_binding.authoritative, - google_kms_key_ring_iam_binding.bindings + google_kms_key_ring_iam_binding.bindings, + google_kms_crypto_key_iam_member.members, + google_kms_crypto_key_iam_binding.authoritative, + google_kms_crypto_key_iam_binding.bindings, + google_kms_crypto_key_iam_member.members, ] } @@ -57,8 +70,12 @@ output "keys" { description = "Key resources." value = google_kms_crypto_key.default depends_on = [ + google_kms_key_ring_iam_binding.authoritative, + google_kms_key_ring_iam_binding.bindings, + google_kms_key_ring_iam_member.bindings, google_kms_crypto_key_iam_binding.authoritative, - google_kms_crypto_key_iam_binding.bindings + google_kms_crypto_key_iam_binding.bindings, + google_kms_crypto_key_iam_member.members ] } 
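Review bot: `key_ids` still depends only on the crypto-key IAM resources, while the `keys` hunk in the same file now also waits for `google_kms_key_ring_iam_binding.authoritative`, `google_kms_key_ring_iam_binding.bindings` and `google_kms_key_ring_iam_member.bindings`. A role granted on a key ring is inherited by its keys, so a caller that consumes `key_ids` (a CMEK setting, for instance) can presumably still run before a key-ring-level grant has been applied. Giving `key_ids` the same six-entry list as `keys` would make the two outputs agree.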
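Review bot: The `keyring` output lists `google_kms_crypto_key_iam_member.members` twice and omits `google_kms_key_ring_iam_member.bindings`, which the other key-ring outputs in this file (`id`, `import_job`, `location`, `name`) all include. This looks like a copy slip, and the first added entry should read `google_kms_key_ring_iam_member.bindings,`. As written, a consumer of `keyring` does not wait for the non-authoritative key-ring member grants. The trailing comma after the last entry also differs from the other lists in the file.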
@@ -67,7 +84,11 @@ output "location" { value = local.keyring.location depends_on = [ google_kms_key_ring_iam_binding.authoritative, - google_kms_key_ring_iam_binding.bindings + google_kms_key_ring_iam_binding.bindings, + google_kms_key_ring_iam_member.bindings, + google_kms_crypto_key_iam_binding.authoritative, + google_kms_crypto_key_iam_binding.bindings, + google_kms_crypto_key_iam_member.members ] } @@ -76,6 +97,10 @@ output "name" { value = local.keyring.name depends_on = [ google_kms_key_ring_iam_binding.authoritative, - google_kms_key_ring_iam_binding.bindings + google_kms_key_ring_iam_binding.bindings, + google_kms_key_ring_iam_member.bindings, + google_kms_crypto_key_iam_binding.authoritative, + google_kms_crypto_key_iam_binding.bindings, + google_kms_crypto_key_iam_member.members ] } diff --git a/modules/project/cmek.tf b/modules/project/cmek.tf index 9cf83a6b5..fd3719126 100644 --- a/modules/project/cmek.tf +++ b/modules/project/cmek.tf @@ -54,8 +54,9 @@ locals { # use the deps listed above, if the service does not appear # there, use all the service agents belonging to the service for dep in try(local._cmek_agents_by_service[service], [for x in local._service_agents_by_api[service] : x.name]) : { - for key in keys : - "${key}.${local._aliased_service_agents[dep].name}" => { + # use index in map key, to allow specyfing keys, that will be created in the same apply + for index, key in keys : + "key-${index}.${local._aliased_service_agents[dep].name}" => { key = key agent = local._aliased_service_agents[dep].iam_email } diff --git a/modules/pubsub/outputs.tf b/modules/pubsub/outputs.tf index 8218e2b33..35ad069db 100644 --- a/modules/pubsub/outputs.tf +++ b/modules/pubsub/outputs.tf @@ -20,7 +20,8 @@ output "id" { depends_on = [ google_pubsub_topic.default, google_pubsub_topic_iam_binding.authoritative, - google_pubsub_topic_iam_binding.bindings + google_pubsub_topic_iam_binding.bindings, + google_pubsub_topic_iam_member.bindings ] } 
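Review bot: Keying the map by list position (`"key-${index}.${local._aliased_service_agents[dep].name}"`) in modules/project/cmek.tf ties each entry's identity to the order of `keys`, so inserting, removing or reordering a key renames every later entry. If this local feeds a `for_each` over IAM resources, as the `key`/`agent` pair suggests, Terraform would destroy and recreate those grants, and the service agents would lose access to the CMEK key while the apply runs. The added comment should state that constraint, for example `# keyed by position so keys created in the same apply can be used; append new keys at the end, reordering recreates the grants`, which would also fix the "specyfing" typo. The enclosing `locals` expression starts and ends outside the hunk, so the consumer of this map is not visible here.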
@@ -41,7 +42,8 @@ output "subscription_id" { } depends_on = [ google_pubsub_subscription_iam_binding.authoritative, - google_pubsub_subscription_iam_binding.bindings + google_pubsub_subscription_iam_binding.bindings, + google_pubsub_subscription_iam_member.members ] } @@ -50,7 +52,8 @@ output "subscriptions" { value = google_pubsub_subscription.default depends_on = [ google_pubsub_subscription_iam_binding.authoritative, - google_pubsub_subscription_iam_binding.bindings + google_pubsub_subscription_iam_binding.bindings, + google_pubsub_subscription_iam_member.members ] } @@ -59,6 +62,7 @@ output "topic" { value = google_pubsub_topic.default depends_on = [ google_pubsub_topic_iam_binding.authoritative, - google_pubsub_topic_iam_binding.bindings + google_pubsub_topic_iam_binding.bindings, + google_pubsub_topic_iam_member.bindings ] } diff --git a/modules/secret-manager/outputs.tf b/modules/secret-manager/outputs.tf index 7450ad742..89215567b 100644 --- a/modules/secret-manager/outputs.tf +++ b/modules/secret-manager/outputs.tf @@ -19,11 +19,18 @@ output "ids" { value = { for k, v in google_secret_manager_secret.default : v.secret_id => v.id } + depends_on = [ + google_secret_manager_secret_iam_binding.default + ] } output "secrets" { description = "Secret resources." value = google_secret_manager_secret.default + depends_on = [ + google_secret_manager_secret_iam_binding.default + ] + } output "version_ids" { @@ -31,6 +38,9 @@ output "version_ids" { value = { for k, v in google_secret_manager_secret_version.default : k => v.id } + depends_on = [ + google_secret_manager_secret_iam_binding.default + ] } output "version_versions" { 
@@ -38,10 +48,16 @@ output "version_versions" { value = { for k, v in google_secret_manager_secret_version.default : k => v.version } + depends_on = [ + google_secret_manager_secret_iam_binding.default + ] } output "versions" { description = "Secret versions." value = google_secret_manager_secret_version.default sensitive = true + depends_on = [ + google_secret_manager_secret_iam_binding.default + ] }