Removing iam_roles from multiple modules

This commits removes the iam_roles variables from the modules:
 - artifact-registry
 - bigtable-instance
 - cloud-function
 - container-registry
 - endopoints
 - pubsub
 - source-repository

cloud-operations/asset-inventory-feed-remediation/main.tf

@@ -63,9 +63,6 @@ module "pubsub" {
   project_id    = module.project.project_id
   name          = var.name
   subscriptions = { "${var.name}-default" = null }
-  iam_roles = [
-    "roles/pubsub.publisher"
-  ]
   iam_members = {
     "roles/pubsub.publisher" = [
       "serviceAccount:${module.project.service_accounts.robots.cloudasset}"

modules/artifact-registry/README.md

@@ -13,7 +13,6 @@ module "docker_artifact_registry" {
   location   = "europe-west1"
   format     = "DOCKER"
   id         = "myregistry"
-  iam_roles  = ["roles/artifactregistry.admin"]
   iam_members = {
     "roles/artifactregistry.admin" = ["group:cicd@example.com"]
   }
@@ -29,8 +28,7 @@ module "docker_artifact_registry" {
 | project_id | Registry project id. | <code title="">string</code> | ✓ |  |
 | *description* | An optional description for the repository | <code title="">string</code> |  | <code title="">Terraform-managed registry</code> |
 | *format* | Repository format. One of DOCKER or UNSPECIFIED | <code title="">string</code> |  | <code title="">DOCKER</code> |
-| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *labels* | Labels to be attached to the registry. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *location* | Registry location. Use `gcloud beta artifacts locations list' to get valid values | <code title="">string</code> |  | <code title=""></code> |
 

modules/artifact-registry/main.tf

@@ -26,10 +26,10 @@ resource "google_artifact_registry_repository" "registry" {
 
 resource "google_artifact_registry_repository_iam_binding" "bindings" {
   provider   = google-beta
-  for_each   = toset(var.iam_roles)
+  for_each   = var.iam_members
   project    = var.project_id
   location   = google_artifact_registry_repository.registry.location
   repository = google_artifact_registry_repository.registry.name
-  role       = each.value
-  members    = lookup(var.iam_members, each.value, [])
+  role       = each.key
+  members    = each.value
 }

modules/artifact-registry/variables.tf

@@ -16,16 +16,10 @@
 
 variable "iam_members" {
   description = "Map of member lists used to set authoritative bindings, keyed by role."
-  type        = map(list(string))
+  type        = map(set(string))
   default     = {}
 }
 
-variable "iam_roles" {
-  description = "List of roles used to set authoritative bindings."
-  type        = list(string)
-  default     = []
-}
-
 variable "location" {
   description = "Registry location. Use `gcloud beta artifacts locations list' to get valid values"
   type        = string

modules/bigtable-instance/README.md

@@ -27,7 +27,6 @@ module "big-table-instance" {
       }
     }
   }
-  iam_roles         = ["viewer"]
   iam_members       = {
     viewer = ["user:viewer@testdomain.com"]
   }
@@ -45,8 +44,7 @@ module "big-table-instance" {
 | *cluster_id* | The ID of the Cloud Bigtable cluster. | <code title="">string</code> |  | <code title="">europe-west1</code> |
 | *deletion_protection* | Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the instance will fail. | <code title=""></code> |  | <code title="">true</code> |
 | *display_name* | The human-readable display name of the Bigtable instance. | <code title=""></code> |  | <code title="">null</code> |
-| *iam_members* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_members* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *instance_type* | None | <code title="">string</code> |  | <code title="">DEVELOPMENT</code> |
 | *num_nodes* | The number of nodes in your Cloud Bigtable cluster. | <code title="">number</code> |  | <code title="">1</code> |
 | *storage_type* | The storage type to use. | <code title="">string</code> |  | <code title="">SSD</code> |

modules/bigtable-instance/main.tf

@@ -18,10 +18,6 @@ locals {
   tables = {
     for k, v in var.tables : k => v.table_options != null ? v.table_options : var.table_options_defaults
   }
-
-  iam_roles_bindings = {
-    for k in var.iam_roles : k => lookup(var.iam_members, k, [])
-  }
 }
 
 resource "google_bigtable_instance" "default" {
@@ -39,11 +35,11 @@ resource "google_bigtable_instance" "default" {
 }
 
 resource "google_bigtable_instance_iam_binding" "default" {
-  for_each = local.iam_roles_bindings
+  for_each = var.iam_members
 
   project  = var.project_id
   instance = google_bigtable_instance.default.name
-  role     = "roles/bigtable.${each.key}"
+  role     = each.key
   members  = each.value
 }
 

modules/bigtable-instance/variables.tf

@@ -14,15 +14,9 @@
  * limitations under the License.
  */
 
-variable "iam_roles" {
-  description = "Authoritative for a given role. Updates the IAM policy to grant a role to a list of members."
-  type        = list(string)
-  default     = []
-}
-
 variable "iam_members" {
   description = "Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved."
-  type        = map(list(string))
+  type        = map(set(string))
   default     = {}
 }
 

modules/cloud-function/README.md

@@ -63,7 +63,6 @@ module "cf-http" {
     source_dir = "my-cf-source-folder"
     output_path = "bundle.zip"
   }
-  iam_roles     = ["roles/cloudfunctions.invoker"]
   iam_members   = {
     "roles/cloudfunctions.invoker" = ["allUsers"]
   }
@@ -137,8 +136,7 @@ module "cf-http" {
 | *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;location             &#61; string&#10;lifecycle_delete_age &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *environment_variables* | Cloud function environment variables. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *function_config* | Cloud function configuration. | <code title="object&#40;&#123;&#10;entry_point      &#61; string&#10;ingress_settings &#61; string&#10;instances        &#61; number&#10;memory           &#61; number&#10;runtime          &#61; string&#10;timeout          &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;entry_point      &#61; &#34;main&#34;&#10;ingress_settings &#61; null&#10;instances        &#61; 1&#10;memory           &#61; 256&#10;runtime          &#61; &#34;python37&#34;&#10;timeout          &#61; 180&#10;&#125;">...</code> |
-| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *ingress_settings* | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | <code title="">string</code> |  | <code title="">null</code> |
 | *labels* | Resource labels | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *prefix* | Optional prefix used for resource names. | <code title="">string</code> |  | <code title="">null</code> |

modules/cloud-function/main.tf

@@ -95,12 +95,12 @@ resource "google_cloudfunctions_function" "function" {
 }
 
 resource "google_cloudfunctions_function_iam_binding" "default" {
-  for_each       = toset(var.iam_roles)
+  for_each       = var.iam_members
   project        = var.project_id
   region         = var.region
   cloud_function = google_cloudfunctions_function.function.name
-  role           = each.value
-  members        = try(var.iam_members[each.value], {})
+  role           = each.key
+  members        = each.value
 }
 
 resource "google_storage_bucket" "bucket" {

modules/cloud-function/variables.tf

@@ -44,16 +44,10 @@ variable "environment_variables" {
 
 variable "iam_members" {
   description = "Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use."
-  type        = map(list(string))
+  type        = map(set(string))
   default     = {}
 }
 
-variable "iam_roles" {
-  description = "List of roles used to set authoritative bindings. Ignored for template use."
-  type        = list(string)
-  default     = []
-}
-
 variable "function_config" {
   description = "Cloud function configuration."
   type = object({

modules/container-registry/README.md

@@ -9,7 +9,6 @@ module "container_registry" {
   source     = "../../modules/container-registry"
   project_id = "myproject"
   location   = "EU"
-  iam_roles  = ["roles/storage.admin"]
   iam_members = {
     "roles/storage.admin" = ["group:cicd@example.com"]
   }
@@ -22,8 +21,7 @@ module "container_registry" {
 | name | description | type | required | default |
 |---|---|:---: |:---:|:---:|
 | project_id | Registry project id. | <code title="">string</code> | ✓ |  |
-| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">null</code> |
-| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">null</code> |
+| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">null</code> |
 | *location* | Registry location. Can be US, EU, ASIA or empty | <code title="">string</code> |  | <code title=""></code> |
 
 ## Outputs

modules/container-registry/main.tf

@@ -20,8 +20,8 @@ resource "google_container_registry" "registry" {
 }
 
 resource "google_storage_bucket_iam_binding" "bindings" {
-  for_each = toset(var.iam_roles)
+  for_each = var.iam_members
   bucket   = google_container_registry.registry.id
-  role     = each.value
-  members  = lookup(var.iam_members, each.value, [])
+  role     = each.key
+  members  = each.value
 }

modules/container-registry/variables.tf

@@ -16,13 +16,7 @@
 
 variable "iam_members" {
   description = "Map of member lists used to set authoritative bindings, keyed by role."
-  type        = map(list(string))
-  default     = null
-}
-
-variable "iam_roles" {
-  description = "List of roles used to set authoritative bindings."
-  type        = list(string)
+  type        = map(set(string))
   default     = null
 }
 

modules/endpoints/README.md

@@ -13,7 +13,6 @@ module "endpoint" {
   service_name   = "YOUR-API.endpoints.YOUR-PROJECT-ID.cloud.goog"
   openapi_config = { "yaml_path" = "openapi.yaml" }
   grpc_config    = null
-  iam_roles      = ["servicemanagement.serviceController"]
   iam_members    = {
     "servicemanagement.serviceController" = ["serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com"]
   }
@@ -30,8 +29,7 @@ module "endpoint" {
 | grpc_config | The configuration for a gRPC enpoint. Either this or openapi_config must be specified. | <code title="object&#40;&#123;&#10;yaml_path          &#61; string&#10;protoc_output_path &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ |  |
 | openapi_config | The configuration for an OpenAPI endopoint. Either this or grpc_config must be specified. | <code title="object&#40;&#123;&#10;yaml_path &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ |  |
 | service_name | The name of the service. Usually of the form '$apiname.endpoints.$projectid.cloud.goog'. | <code title="">string</code> | ✓ |  |
-| *iam_members* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_members* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *project_id* | The project ID that the service belongs to. | <code title="">string</code> |  | <code title="">null</code> |
 
 ## Outputs

modules/endpoints/main.tf

@@ -14,12 +14,6 @@
  * limitations under the License.
  */
 
-locals {
-  iam_roles_bindings = {
-    for k in var.iam_roles : k => lookup(var.iam_members, k, [])
-  }
-}
-
 resource "google_endpoints_service" "default" {
   project              = var.project_id
   service_name         = var.service_name
@@ -29,8 +23,8 @@ resource "google_endpoints_service" "default" {
 }
 
 resource "google_endpoints_service_iam_binding" "default" {
-  for_each     = local.iam_roles_bindings
+  for_each     = var.iam_members
   service_name = google_endpoints_service.default.service_name
-  role         = "roles/${each.key}"
+  role         = each.key
   members      = each.value
 }

modules/endpoints/variables.tf

@@ -16,27 +16,22 @@
 
 variable "grpc_config" {
   description = "The configuration for a gRPC enpoint. Either this or openapi_config must be specified."
-  type        = object({
+  type = object({
     yaml_path          = string
     protoc_output_path = string
   })
 }
 
-variable "iam_roles" {
-  description = "Authoritative for a given role. Updates the IAM policy to grant a role to a list of members."
-  type        = list(string)
-  default     = []
-}
 
 variable "iam_members" {
   description = "Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved."
-  type        = map(list(string))
+  type        = map(set(string))
   default     = {}
 }
 
 variable "openapi_config" {
   description = "The configuration for an OpenAPI endopoint. Either this or grpc_config must be specified."
-  type        = object({
+  type = object({
     yaml_path = string
   })
 }

modules/pubsub/README.md

@@ -12,10 +12,6 @@ module "pubsub" {
   source     = "./modules/pubsub"
   project_id = "my-project"
   name       = "my-topic"
-  iam_roles = [
-    "roles/pubsub.viewer",
-    "roles/pubsub.subscriber"
-  ]
   iam_members = {
     "roles/pubsub.viewer"     = ["group:foo@example.com"]
     "roles/pubsub.subscriber" = ["user:user1@example.com"]
@@ -80,9 +76,6 @@ module "pubsub" {
     test-1 = null
     test-1 = null
   }
-  subscription_iam_roles = {
-    test-1 = ["roles/pubsub.subscriber"]
-  }
   subscription_iam_members = {
     test-1 = {
       "roles/pubsub.subscriber" = ["user:user1@ludomagno.net"]
@@ -100,14 +93,12 @@ module "pubsub" {
 | project_id | Project used for resources. | <code title="">string</code> | ✓ |  |
 | *dead_letter_configs* | Per-subscription dead letter policy configuration. | <code title="map&#40;object&#40;&#123;&#10;topic                &#61; string&#10;max_delivery_attemps &#61; number&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *defaults* | Subscription defaults for options. | <code title="object&#40;&#123;&#10;ack_deadline_seconds       &#61; number&#10;message_retention_duration &#61; number&#10;retain_acked_messages      &#61; bool&#10;expiration_policy_ttl      &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;ack_deadline_seconds       &#61; null&#10;message_retention_duration &#61; null&#10;retain_acked_messages      &#61; null&#10;expiration_policy_ttl      &#61; null&#10;&#125;">...</code> |
-| *iam_members* | IAM members for each topic role. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | IAM roles for topic. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_members* | IAM members for each topic role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *kms_key* | KMS customer managed encryption key. | <code title="">string</code> |  | <code title="">null</code> |
 | *labels* | Labels. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *push_configs* | Push subscription configurations. | <code title="map&#40;object&#40;&#123;&#10;attributes &#61; map&#40;string&#41;&#10;endpoint   &#61; string&#10;oidc_token &#61; object&#40;&#123;&#10;audience              &#61; string&#10;service_account_email &#61; string&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *regions* | List of regions used to set persistence policy. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
-| *subscription_iam_members* | IAM members for each subscription and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
-| *subscription_iam_roles* | IAM roles for each subscription. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
+| *subscription_iam_members* | IAM members for each subscription and role. | <code title="map&#40;map&#40;set&#40;string&#41;&#41;&#41;">map(map(set(string)))</code> |  | <code title="">{}</code> |
 | *subscriptions* | Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null. | <code title="map&#40;object&#40;&#123;&#10;labels &#61; map&#40;string&#41;&#10;options &#61; object&#40;&#123;&#10;ack_deadline_seconds       &#61; number&#10;message_retention_duration &#61; number&#10;retain_acked_messages      &#61; bool&#10;expiration_policy_ttl      &#61; string&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 
 ## Outputs

modules/pubsub/main.tf

@@ -15,17 +15,15 @@
  */
 
 locals {
-  iam_pairs = var.subscription_iam_roles == null ? [] : flatten([
-    for name, roles in var.subscription_iam_roles :
-    [for role in roles : { name = name, role = role }]
+  sub_iam_members = flatten([
+    for sub, roles in var.subscription_iam_members : [
+      for role, members in roles : {
+        sub     = sub
+        role    = role
+        members = members
+      }
+    ]
   ])
-  iam_keypairs = {
-    for pair in local.iam_pairs :
-    "${pair.name}-${pair.role}" => pair
-  }
-  iam_members = (
-    var.subscription_iam_members == null ? {} : var.subscription_iam_members
-  )
   oidc_config = {
     for k, v in var.push_configs : k => v.oidc_token
   }
@@ -52,11 +50,11 @@ resource "google_pubsub_topic" "default" {
 }
 
 resource "google_pubsub_topic_iam_binding" "default" {
-  for_each = toset(var.iam_roles)
+  for_each = var.iam_members
   project  = var.project_id
   topic    = google_pubsub_topic.default.name
-  role     = each.value
-  members  = lookup(var.iam_members, each.value, [])
+  role     = each.key
+  members  = each.value
 }
 
 resource "google_pubsub_subscription" "default" {
@@ -103,11 +101,12 @@ resource "google_pubsub_subscription" "default" {
 }
 
 resource "google_pubsub_subscription_iam_binding" "default" {
-  for_each     = local.iam_keypairs
+  for_each = {
+    for binding in local.sub_iam_members :
+    "${binding.sub}.${binding.role}" => binding
+  }
   project      = var.project_id
-  subscription = google_pubsub_subscription.default[each.value.name].name
+  subscription = google_pubsub_subscription.default[each.value.sub].name
   role         = each.value.role
-  members = lookup(
-    lookup(local.iam_members, each.value.name, {}), each.value.role, []
-  )
+  members      = each.value.members
 }

modules/pubsub/variables.tf

@@ -41,16 +41,10 @@ variable "defaults" {
 
 variable "iam_members" {
   description = "IAM members for each topic role."
-  type        = map(list(string))
+  type        = map(set(string))
   default     = {}
 }
 
-variable "iam_roles" {
-  description = "IAM roles for topic."
-  type        = list(string)
-  default     = []
-}
-
 variable "kms_key" {
   description = "KMS customer managed encryption key."
   type        = string
@@ -109,12 +103,6 @@ variable "subscriptions" {
 
 variable "subscription_iam_members" {
   description = "IAM members for each subscription and role."
-  type        = map(map(list(string)))
-  default     = {}
-}
-
-variable "subscription_iam_roles" {
-  description = "IAM roles for each subscription."
-  type        = map(list(string))
+  type        = map(map(set(string)))
   default     = {}
 }

modules/source-repository/README.md

@@ -12,7 +12,6 @@ module "repo" {
   source    e = "./modules/source-repository"
   project_id = "my-project"
   name       = "my-repo"
-  iam_roles  = ["roles/source.reader"]
   iam_members = {
     "roles/source.reader" = ["user:foo@example.com"]
   }
@@ -26,8 +25,7 @@ module "repo" {
 |---|---|:---: |:---:|:---:|
 | name | Repository topic name. | <code title="">string</code> | ✓ |  |
 | project_id | Project used for resources. | <code title="">string</code> | ✓ |  |
-| *iam_members* | IAM members for each topic role. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | IAM roles for topic. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *iam_members* | IAM members for each topic role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 
 ## Outputs
 

modules/source-repository/main.tf

@@ -20,11 +20,11 @@ resource "google_sourcerepo_repository" "default" {
 }
 
 resource "google_sourcerepo_repository_iam_binding" "default" {
-  for_each   = toset(var.iam_roles)
+  for_each   = var.iam_members
   project    = var.project_id
   repository = google_sourcerepo_repository.default.name
-  role       = each.value
-  members    = lookup(var.iam_members, each.value, [])
+  role       = each.key
+  members    = each.value
 
   depends_on = [
     google_sourcerepo_repository.default

modules/source-repository/variables.tf

@@ -21,16 +21,10 @@ variable "project_id" {
 
 variable "iam_members" {
   description = "IAM members for each topic role."
-  type        = map(list(string))
+  type        = map(set(string))
   default     = {}
 }
 
-variable "iam_roles" {
-  description = "IAM roles for topic."
-  type        = list(string)
-  default     = []
-}
-
 variable "name" {
   description = "Repository topic name."
   type        = string