fix(organization): use correct role for bindings

Previously, setting a binding used the binding `key` as the role, which does not necessarily have the correct format.

Causing errors like:

```
│ Error: Error applying IAM policy for organization "***REDACTED***": Error setting IAM policy for organization "***REDACTED***": googleapi: Error 400: The role name must be in the form "roles/{role}", "organizations/{organization_id}/roles/{role}", or "projects/{project_id}/roles/{role}"., badRequest
│
│   with module.organization.google_organization_iam_binding.bindings["sa_resman_delegated_iam"],
│   on ../../../modules/organization/iam.tf line 51, in resource "google_organization_iam_binding" "bindings":
│   51: resource "google_organization_iam_binding" "bindings" {
```
Gustavo Valverde 2023-08-24 15:24:24 +01:00
parent d36c53bbae
commit 54d880fe3a
2 changed files with 2 additions and 1 deletions


@ -51,7 +51,7 @@ resource "google_organization_iam_binding" "authoritative" {
resource "google_organization_iam_binding" "bindings" {
for_each = var.iam_bindings
org_id = local.organization_id_numeric
role = each.key
role = each.value.role
members = each.value.members
dynamic "condition" {
for_each = each.value.condition == null ? [] : [""]
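Review bot: The map key of `var.iam_bindings` no longer constrains the role, so on the line `role = each.value.role` two entries with different keys can name the same role. `google_organization_iam_binding` is authoritative for its role (for role plus condition when one is set), so such entries, or an overlap with the `authoritative` resource named in the hunk header, would presumably overwrite each other's members on successive applies and leave org-level access different from what either entry declares. I would document this above the resource, e.g. `# iam_bindings keys are arbitrary labels; each role/condition pair must appear once and must not repeat a role managed by "authoritative"`, and consider a plan-time uniqueness check. The resource body continues past the end of the hunk.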


@ -53,6 +53,7 @@ variable "iam_bindings" {
description = "Authoritative IAM bindings in {ROLE => {members = [], condition = {}}}."
type = map(object({
members = list(string)
role = string
condition = optional(object({
expression = string
title = string
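Review bot: The `description` on the first line of the hunk still documents the map as `{ROLE => ...}`, but after this change the key is only a label and the role comes from the new required `role` attribute. Suggested wording: `description = "Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}."`. Since `role` is a free-form string, a `validation` block on the variable that checks each value against the three forms quoted in the commit message's error (`roles/{role}`, `organizations/{organization_id}/roles/{role}`, `projects/{project_id}/roles/{role}`) would surface a malformed role at plan time instead of as a 400 from the API. The variable block starts before the hunk and ends after it.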