From f72bea3f96ab3d6b1ac3e5ccc7fd09314bc76e19 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Fri, 6 Nov 2020 08:22:35 +0100
Subject: [PATCH] use new iam variable in container registry
---
 modules/container-registry/README.md | 4 +-
 modules/container-registry/main.tf | 2 +-
 modules/container-registry/variables.tf | 8 ++--
 tests/modules/container_registry/__init__.py | 13 +++++++
 .../container_registry/fixture/main.tf | 24 ++++++++++++
 .../container_registry/fixture/variables.tf | 20 ++++++++++
 tests/modules/container_registry/test_plan.py | 39 +++++++++++++++++++
 7 files changed, 103 insertions(+), 7 deletions(-)
 create mode 100644 tests/modules/container_registry/__init__.py
 create mode 100644 tests/modules/container_registry/fixture/main.tf
 create mode 100644 tests/modules/container_registry/fixture/variables.tf
 create mode 100644 tests/modules/container_registry/test_plan.py
diff --git a/modules/container-registry/README.md b/modules/container-registry/README.md
index ffafa387f..ac382ccc9 100644
--- a/modules/container-registry/README.md
+++ b/modules/container-registry/README.md
@@ -9,7 +9,7 @@ module "container_registry" {
 source = "../../modules/container-registry"
 project_id = "myproject"
 location = "EU"
- iam_members = {
+ iam = {
 "roles/storage.admin" = ["group:cicd@example.com"]
 }
 }
@@ -21,7 +21,7 @@ module "container_registry" {
 | name | description | type | required | default |
 |---|---|:---: |:---:|:---:|
 | project_id | Registry project id. | string | ✓ | |
-| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | map(set(string)) | | null |
+| *iam* | IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
 | *location* | Registry location. Can be US, EU, ASIA or empty | string | | |

 ## Outputs
diff --git a/modules/container-registry/main.tf b/modules/container-registry/main.tf
index 7a84a281e..7c750e968 100644
--- a/modules/container-registry/main.tf
+++ b/modules/container-registry/main.tf
@@ -20,7 +20,7 @@ resource "google_container_registry" "registry" {
 }

 resource "google_storage_bucket_iam_binding" "bindings" {
- for_each = var.iam_members
+ for_each = var.iam
 bucket = google_container_registry.registry.id
 role = each.key
 members = each.value
diff --git a/modules/container-registry/variables.tf b/modules/container-registry/variables.tf
index 1e5ae3f65..72f3a87e1 100644
--- a/modules/container-registry/variables.tf
+++ b/modules/container-registry/variables.tf
@@ -14,10 +14,10 @@
 * limitations under the License.
 */

-variable "iam_members" {
- description = "Map of member lists used to set authoritative bindings, keyed by role."
- type = map(set(string))
- default = null
+variable "iam" {
+ description = "IAM bindings for topic in {ROLE => [MEMBERS]} format."
+ type = map(list(string))
+ default = {}
 }

 variable "location" {
diff --git a/tests/modules/container_registry/__init__.py b/tests/modules/container_registry/__init__.py
new file mode 100644
index 000000000..6913f02e3
--- /dev/null
+++ b/tests/modules/container_registry/__init__.py
@@ -0,0 +1,13 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/tests/modules/container_registry/fixture/main.tf b/tests/modules/container_registry/fixture/main.tf
new file mode 100644
index 000000000..a9d6174b8
--- /dev/null
+++ b/tests/modules/container_registry/fixture/main.tf
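Review bot: The new `iam` description in variables.tf says the bindings are "for topic", which looks copied from another module, and it drops the word "authoritative" that the removed `iam_members` description carried. The variable still feeds `google_storage_bucket_iam_binding` in main.tf, which sets the complete member list for every role it names on the registry bucket, so anyone holding that role outside this map loses it on apply. I would write `description = "Authoritative IAM bindings for the registry bucket in {ROLE => [MEMBERS]} format."` and mirror the same wording in the README table row changed by this commit.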
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "test" {
+ source = "../../../../modules/container-registry"
+ project_id = "my-project"
+ location = var.location
+ iam = {
+ "roles/storage.admin" = ["user:me@example.com"]
+ }
+}
diff --git a/tests/modules/container_registry/fixture/variables.tf b/tests/modules/container_registry/fixture/variables.tf
new file mode 100644
index 000000000..f3939ceed
--- /dev/null
+++ b/tests/modules/container_registry/fixture/variables.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "location" {
+ type = string
+ default = "EU"
+}
diff --git a/tests/modules/container_registry/test_plan.py b/tests/modules/container_registry/test_plan.py
new file mode 100644
index 000000000..09a0caa53
--- /dev/null
+++ b/tests/modules/container_registry/test_plan.py
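Review bot: `iam` is a literal inside the `module "test"` block of fixture/main.tf while `location` comes from a fixture variable, so the plan test can only ever exercise this one binding map. The same commit moves the module default from `null` to `{}`, and nothing here covers the no-bindings case. Consider `iam = var.iam` in the fixture, with a matching `variable "iam"` in fixture/variables.tf whose default is the current map; whether a test can then override it depends on `plan_runner`, which is not shown in this patch.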
@@ -0,0 +1,39 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+@pytest.fixture
+def resources(plan_runner):
+ _, resources = plan_runner(FIXTURES_DIR)
+ return resources
+
+
+def test_resource_count(resources):
+ "Test number of resources created."
+ assert len(resources) == 2
+
+
+def test_iam(resources):
+ "Test IAM binding resources."
+ bindings = [r['values'] for r in resources if r['type']
+ == 'google_storage_bucket_iam_binding']
+ assert len(bindings) == 1
+ assert bindings[0]['role'] == 'roles/storage.admin'
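Review bot: `test_iam` pins only the role of the planned binding, so a plan that attached `roles/storage.admin` to the wrong principals would still pass. The member list is the part of this resource that decides who can administer the registry bucket, so I would assert it as well: `assert bindings[0]['members'] == ['user:me@example.com']`, matching the value set in fixture/main.tf. The one-line docstrings would also read more conventionally as triple-quoted strings, e.g. `"""Test IAM binding resources."""`.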