Removing iam_roles from multiple modules
This commit removes the iam_roles variables from the modules: - artifact-registry - bigtable-instance - cloud-function - container-registry - endpoints - pubsub - source-repository
This commit is contained in:
parent
96dba2256e
commit
82a1fe3c20
|
@ -63,9 +63,6 @@ module "pubsub" {
|
|||
project_id = module.project.project_id
|
||||
name = var.name
|
||||
subscriptions = { "${var.name}-default" = null }
|
||||
iam_roles = [
|
||||
"roles/pubsub.publisher"
|
||||
]
|
||||
iam_members = {
|
||||
"roles/pubsub.publisher" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.cloudasset}"
|
||||
|
|
|
@ -13,7 +13,6 @@ module "docker_artifact_registry" {
|
|||
location = "europe-west1"
|
||||
format = "DOCKER"
|
||||
id = "myregistry"
|
||||
iam_roles = ["roles/artifactregistry.admin"]
|
||||
iam_members = {
|
||||
"roles/artifactregistry.admin" = ["group:cicd@example.com"]
|
||||
}
|
||||
|
@ -29,8 +28,7 @@ module "docker_artifact_registry" {
|
|||
| project_id | Registry project id. | <code title="">string</code> | ✓ | |
|
||||
| *description* | An optional description for the repository | <code title="">string</code> | | <code title="">Terraform-managed registry</code> |
|
||||
| *format* | Repository format. One of DOCKER or UNSPECIFIED | <code title="">string</code> | | <code title="">DOCKER</code> |
|
||||
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *labels* | Labels to be attached to the registry. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||
| *location* | Registry location. Use `gcloud beta artifacts locations list' to get valid values | <code title="">string</code> | | <code title=""></code> |
|
||||
|
||||
|
|
|
@ -26,10 +26,10 @@ resource "google_artifact_registry_repository" "registry" {
|
|||
|
||||
resource "google_artifact_registry_repository_iam_binding" "bindings" {
|
||||
provider = google-beta
|
||||
for_each = toset(var.iam_roles)
|
||||
for_each = var.iam_members
|
||||
project = var.project_id
|
||||
location = google_artifact_registry_repository.registry.location
|
||||
repository = google_artifact_registry_repository.registry.name
|
||||
role = each.value
|
||||
members = lookup(var.iam_members, each.value, [])
|
||||
role = each.key
|
||||
members = each.value
|
||||
}
|
||||
|
|
|
@ -16,16 +16,10 @@
|
|||
|
||||
variable "iam_members" {
|
||||
description = "Map of member lists used to set authoritative bindings, keyed by role."
|
||||
type = map(list(string))
|
||||
type = map(set(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "List of roles used to set authoritative bindings."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "location" {
|
||||
description = "Registry location. Use `gcloud beta artifacts locations list' to get valid values"
|
||||
type = string
|
||||
|
|
|
@ -27,7 +27,6 @@ module "big-table-instance" {
|
|||
}
|
||||
}
|
||||
}
|
||||
iam_roles = ["viewer"]
|
||||
iam_members = {
|
||||
viewer = ["user:viewer@testdomain.com"]
|
||||
}
|
||||
|
@ -45,8 +44,7 @@ module "big-table-instance" {
|
|||
| *cluster_id* | The ID of the Cloud Bigtable cluster. | <code title="">string</code> | | <code title="">europe-west1</code> |
|
||||
| *deletion_protection* | Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the instance will fail. | <code title=""></code> | | <code title="">true</code> |
|
||||
| *display_name* | The human-readable display name of the Bigtable instance. | <code title=""></code> | | <code title="">null</code> |
|
||||
| *iam_members* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *iam_members* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *instance_type* | None | <code title="">string</code> | | <code title="">DEVELOPMENT</code> |
|
||||
| *num_nodes* | The number of nodes in your Cloud Bigtable cluster. | <code title="">number</code> | | <code title="">1</code> |
|
||||
| *storage_type* | The storage type to use. | <code title="">string</code> | | <code title="">SSD</code> |
|
||||
|
|
|
@ -18,10 +18,6 @@ locals {
|
|||
tables = {
|
||||
for k, v in var.tables : k => v.table_options != null ? v.table_options : var.table_options_defaults
|
||||
}
|
||||
|
||||
iam_roles_bindings = {
|
||||
for k in var.iam_roles : k => lookup(var.iam_members, k, [])
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_bigtable_instance" "default" {
|
||||
|
@ -39,11 +35,11 @@ resource "google_bigtable_instance" "default" {
|
|||
}
|
||||
|
||||
resource "google_bigtable_instance_iam_binding" "default" {
|
||||
for_each = local.iam_roles_bindings
|
||||
for_each = var.iam_members
|
||||
|
||||
project = var.project_id
|
||||
instance = google_bigtable_instance.default.name
|
||||
role = "roles/bigtable.${each.key}"
|
||||
role = each.key
|
||||
members = each.value
|
||||
}
|
||||
|
||||
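Review bot: `role = each.key` passes the map key to the API verbatim, whereas the removed line prefixed it with `roles/bigtable.`, and the README example touched in this same commit still uses the short key `viewer = ["user:viewer@testdomain.com"]`, which would now produce the invalid role name `viewer`. Either keep the prefixing, `role = "roles/bigtable.${each.key}"`, or update the example and the variable description to require full role names, e.g. `"roles/bigtable.viewer" = ["user:viewer@testdomain.com"]`. Note that if callers switch to full role names the `for_each` instance keys change too, so existing bindings in state would presumably be destroyed and recreated on the next apply; that is worth calling out in the README.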
|
|
|
@ -14,15 +14,9 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "Authoritative for a given role. Updates the IAM policy to grant a role to a list of members."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "iam_members" {
|
||||
description = "Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved."
|
||||
type = map(list(string))
|
||||
type = map(set(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
|
|
|
@ -63,7 +63,6 @@ module "cf-http" {
|
|||
source_dir = "my-cf-source-folder"
|
||||
output_path = "bundle.zip"
|
||||
}
|
||||
iam_roles = ["roles/cloudfunctions.invoker"]
|
||||
iam_members = {
|
||||
"roles/cloudfunctions.invoker" = ["allUsers"]
|
||||
}
|
||||
|
@ -137,8 +136,7 @@ module "cf-http" {
|
|||
| *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object({ location = string lifecycle_delete_age = number })">object({...})</code> | | <code title="">null</code> |
|
||||
| *environment_variables* | Cloud function environment variables. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||
| *function_config* | Cloud function configuration. | <code title="object({ entry_point = string ingress_settings = string instances = number memory = number runtime = string timeout = number })">object({...})</code> | | <code title="{ entry_point = "main" ingress_settings = null instances = 1 memory = 256 runtime = "python37" timeout = 180 }">...</code> |
|
||||
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *ingress_settings* | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *labels* | Resource labels | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||
| *prefix* | Optional prefix used for resource names. | <code title="">string</code> | | <code title="">null</code> |
|
||||
|
|
|
@ -95,12 +95,12 @@ resource "google_cloudfunctions_function" "function" {
|
|||
}
|
||||
|
||||
resource "google_cloudfunctions_function_iam_binding" "default" {
|
||||
for_each = toset(var.iam_roles)
|
||||
for_each = var.iam_members
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
cloud_function = google_cloudfunctions_function.function.name
|
||||
role = each.value
|
||||
members = try(var.iam_members[each.value], {})
|
||||
role = each.key
|
||||
members = each.value
|
||||
}
|
||||
|
||||
resource "google_storage_bucket" "bucket" {
|
||||
|
|
|
@ -44,16 +44,10 @@ variable "environment_variables" {
|
|||
|
||||
variable "iam_members" {
|
||||
description = "Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use."
|
||||
type = map(list(string))
|
||||
type = map(set(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "List of roles used to set authoritative bindings. Ignored for template use."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "function_config" {
|
||||
description = "Cloud function configuration."
|
||||
type = object({
|
||||
|
|
|
@ -9,7 +9,6 @@ module "container_registry" {
|
|||
source = "../../modules/container-registry"
|
||||
project_id = "myproject"
|
||||
location = "EU"
|
||||
iam_roles = ["roles/storage.admin"]
|
||||
iam_members = {
|
||||
"roles/storage.admin" = ["group:cicd@example.com"]
|
||||
}
|
||||
|
@ -22,8 +21,7 @@ module "container_registry" {
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---: |:---:|:---:|
|
||||
| project_id | Registry project id. | <code title="">string</code> | ✓ | |
|
||||
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map(list(string))">map(list(string))</code> | | <code title="">null</code> |
|
||||
| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list(string)">list(string)</code> | | <code title="">null</code> |
|
||||
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map(set(string))">map(set(string))</code> | | <code title="">null</code> |
|
||||
| *location* | Registry location. Can be US, EU, ASIA or empty | <code title="">string</code> | | <code title=""></code> |
|
||||
|
||||
## Outputs
|
||||
|
|
|
@ -20,8 +20,8 @@ resource "google_container_registry" "registry" {
|
|||
}
|
||||
|
||||
resource "google_storage_bucket_iam_binding" "bindings" {
|
||||
for_each = toset(var.iam_roles)
|
||||
for_each = var.iam_members
|
||||
bucket = google_container_registry.registry.id
|
||||
role = each.value
|
||||
members = lookup(var.iam_members, each.value, [])
|
||||
role = each.key
|
||||
members = each.value
|
||||
}
|
||||
|
|
|
@ -16,13 +16,7 @@
|
|||
|
||||
variable "iam_members" {
|
||||
description = "Map of member lists used to set authoritative bindings, keyed by role."
|
||||
type = map(list(string))
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "List of roles used to set authoritative bindings."
|
||||
type = list(string)
|
||||
type = map(set(string))
|
||||
default = null
|
||||
}
|
||||
|
||||
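Review bot: `iam_members` keeps `default = null` while the module's main.tf now iterates it directly with `for_each = var.iam_members`; Terraform rejects a null `for_each` value, so the module cannot be planned unless the caller always sets `iam_members`. Every other module in this commit defaults the same variable to `{}`, so the fix is `default = {}` here, and the README row that documents the default as `null` should follow. The old `toset(var.iam_roles)` path had the same problem with its null default, so this is pre-existing, but after this commit it is the only path.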
|
|
|
@ -13,7 +13,6 @@ module "endpoint" {
|
|||
service_name = "YOUR-API.endpoints.YOUR-PROJECT-ID.cloud.goog"
|
||||
openapi_config = { "yaml_path" = "openapi.yaml" }
|
||||
grpc_config = null
|
||||
iam_roles = ["servicemanagement.serviceController"]
|
||||
iam_members = {
|
||||
"servicemanagement.serviceController" = ["serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com"]
|
||||
}
|
||||
|
@ -30,8 +29,7 @@ module "endpoint" {
|
|||
| grpc_config | The configuration for a gRPC enpoint. Either this or openapi_config must be specified. | <code title="object({ yaml_path = string protoc_output_path = string })">object({...})</code> | ✓ | |
|
||||
| openapi_config | The configuration for an OpenAPI endopoint. Either this or grpc_config must be specified. | <code title="object({ yaml_path = string })">object({...})</code> | ✓ | |
|
||||
| service_name | The name of the service. Usually of the form '$apiname.endpoints.$projectid.cloud.goog'. | <code title="">string</code> | ✓ | |
|
||||
| *iam_members* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *iam_members* | Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *project_id* | The project ID that the service belongs to. | <code title="">string</code> | | <code title="">null</code> |
|
||||
|
||||
## Outputs
|
||||
|
|
|
@ -14,12 +14,6 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
iam_roles_bindings = {
|
||||
for k in var.iam_roles : k => lookup(var.iam_members, k, [])
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_endpoints_service" "default" {
|
||||
project = var.project_id
|
||||
service_name = var.service_name
|
||||
|
@ -29,8 +23,8 @@ resource "google_endpoints_service" "default" {
|
|||
}
|
||||
|
||||
resource "google_endpoints_service_iam_binding" "default" {
|
||||
for_each = local.iam_roles_bindings
|
||||
for_each = var.iam_members
|
||||
service_name = google_endpoints_service.default.service_name
|
||||
role = "roles/${each.key}"
|
||||
role = each.key
|
||||
members = each.value
|
||||
}
|
||||
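Review bot: `role = each.key` drops the `roles/` prefix that the removed `"roles/${each.key}"` line added, yet the README example updated in this commit still keys the map with `"servicemanagement.serviceController"`, which is no longer a valid role name for the API. Either keep `role = "roles/${each.key}"` or change the example and variable description to full role names, e.g. `"roles/servicemanagement.serviceController" = [...]`. As in the bigtable module, moving callers to full role names also changes the `for_each` instance keys, so existing bindings would likely be replaced on the next apply.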
|
|
|
@ -16,27 +16,22 @@
|
|||
|
||||
variable "grpc_config" {
|
||||
description = "The configuration for a gRPC enpoint. Either this or openapi_config must be specified."
|
||||
type = object({
|
||||
type = object({
|
||||
yaml_path = string
|
||||
protoc_output_path = string
|
||||
})
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "Authoritative for a given role. Updates the IAM policy to grant a role to a list of members."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "iam_members" {
|
||||
description = "Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the instance are preserved."
|
||||
type = map(list(string))
|
||||
type = map(set(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "openapi_config" {
|
||||
description = "The configuration for an OpenAPI endopoint. Either this or grpc_config must be specified."
|
||||
type = object({
|
||||
type = object({
|
||||
yaml_path = string
|
||||
})
|
||||
}
|
||||
|
|
|
@ -12,10 +12,6 @@ module "pubsub" {
|
|||
source = "./modules/pubsub"
|
||||
project_id = "my-project"
|
||||
name = "my-topic"
|
||||
iam_roles = [
|
||||
"roles/pubsub.viewer",
|
||||
"roles/pubsub.subscriber"
|
||||
]
|
||||
iam_members = {
|
||||
"roles/pubsub.viewer" = ["group:foo@example.com"]
|
||||
"roles/pubsub.subscriber" = ["user:user1@example.com"]
|
||||
|
@ -80,9 +76,6 @@ module "pubsub" {
|
|||
test-1 = null
|
||||
test-1 = null
|
||||
}
|
||||
subscription_iam_roles = {
|
||||
test-1 = ["roles/pubsub.subscriber"]
|
||||
}
|
||||
subscription_iam_members = {
|
||||
test-1 = {
|
||||
"roles/pubsub.subscriber" = ["user:user1@ludomagno.net"]
|
||||
|
@ -100,14 +93,12 @@ module "pubsub" {
|
|||
| project_id | Project used for resources. | <code title="">string</code> | ✓ | |
|
||||
| *dead_letter_configs* | Per-subscription dead letter policy configuration. | <code title="map(object({ topic = string max_delivery_attemps = number }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *defaults* | Subscription defaults for options. | <code title="object({ ack_deadline_seconds = number message_retention_duration = number retain_acked_messages = bool expiration_policy_ttl = string })">object({...})</code> | | <code title="{ ack_deadline_seconds = null message_retention_duration = null retain_acked_messages = null expiration_policy_ttl = null }">...</code> |
|
||||
| *iam_members* | IAM members for each topic role. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | IAM roles for topic. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *iam_members* | IAM members for each topic role. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *kms_key* | KMS customer managed encryption key. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *labels* | Labels. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||
| *push_configs* | Push subscription configurations. | <code title="map(object({ attributes = map(string) endpoint = string oidc_token = object({ audience = string service_account_email = string }) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *regions* | List of regions used to set persistence policy. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *subscription_iam_members* | IAM members for each subscription and role. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *subscription_iam_roles* | IAM roles for each subscription. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *subscription_iam_members* | IAM members for each subscription and role. | <code title="map(map(set(string)))">map(map(set(string)))</code> | | <code title="">{}</code> |
|
||||
| *subscriptions* | Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null. | <code title="map(object({ labels = map(string) options = object({ ack_deadline_seconds = number message_retention_duration = number retain_acked_messages = bool expiration_policy_ttl = string }) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
|
|
@ -15,17 +15,15 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
iam_pairs = var.subscription_iam_roles == null ? [] : flatten([
|
||||
for name, roles in var.subscription_iam_roles :
|
||||
[for role in roles : { name = name, role = role }]
|
||||
sub_iam_members = flatten([
|
||||
for sub, roles in var.subscription_iam_members : [
|
||||
for role, members in roles : {
|
||||
sub = sub
|
||||
role = role
|
||||
members = members
|
||||
}
|
||||
]
|
||||
])
|
||||
iam_keypairs = {
|
||||
for pair in local.iam_pairs :
|
||||
"${pair.name}-${pair.role}" => pair
|
||||
}
|
||||
iam_members = (
|
||||
var.subscription_iam_members == null ? {} : var.subscription_iam_members
|
||||
)
|
||||
oidc_config = {
|
||||
for k, v in var.push_configs : k => v.oidc_token
|
||||
}
|
||||
|
@ -52,11 +50,11 @@ resource "google_pubsub_topic" "default" {
|
|||
}
|
||||
|
||||
resource "google_pubsub_topic_iam_binding" "default" {
|
||||
for_each = toset(var.iam_roles)
|
||||
for_each = var.iam_members
|
||||
project = var.project_id
|
||||
topic = google_pubsub_topic.default.name
|
||||
role = each.value
|
||||
members = lookup(var.iam_members, each.value, [])
|
||||
role = each.key
|
||||
members = each.value
|
||||
}
|
||||
|
||||
resource "google_pubsub_subscription" "default" {
|
||||
|
@ -103,11 +101,12 @@ resource "google_pubsub_subscription" "default" {
|
|||
}
|
||||
|
||||
resource "google_pubsub_subscription_iam_binding" "default" {
|
||||
for_each = local.iam_keypairs
|
||||
for_each = {
|
||||
for binding in local.sub_iam_members :
|
||||
"${binding.sub}.${binding.role}" => binding
|
||||
}
|
||||
project = var.project_id
|
||||
subscription = google_pubsub_subscription.default[each.value.name].name
|
||||
subscription = google_pubsub_subscription.default[each.value.sub].name
|
||||
role = each.value.role
|
||||
members = lookup(
|
||||
lookup(local.iam_members, each.value.name, {}), each.value.role, []
|
||||
)
|
||||
members = each.value.members
|
||||
}
|
||||
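Review bot: The subscription binding's `for_each` key changes from `"${pair.name}-${pair.role}"` to `"${binding.sub}.${binding.role}"`, so every existing `google_pubsub_subscription_iam_binding` instance gets a new address and will be destroyed and recreated on the next apply. For an authoritative binding that means the role is revoked on the subscription for the duration of the apply, and since the old and new instances are unrelated addresses their ordering is not guaranteed, so the destroy may even land after the create and leave the binding missing until the following apply. Keeping the old separator, `"${binding.sub}-${binding.role}" => binding`, avoids the churn; if the new key format is intended, the required state move should be documented in the commit message or README.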
|
|
|
@ -41,16 +41,10 @@ variable "defaults" {
|
|||
|
||||
variable "iam_members" {
|
||||
description = "IAM members for each topic role."
|
||||
type = map(list(string))
|
||||
type = map(set(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "IAM roles for topic."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "kms_key" {
|
||||
description = "KMS customer managed encryption key."
|
||||
type = string
|
||||
|
@ -109,12 +103,6 @@ variable "subscriptions" {
|
|||
|
||||
variable "subscription_iam_members" {
|
||||
description = "IAM members for each subscription and role."
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "subscription_iam_roles" {
|
||||
description = "IAM roles for each subscription."
|
||||
type = map(list(string))
|
||||
type = map(map(set(string)))
|
||||
default = {}
|
||||
}
|
||||
|
|
|
@ -12,7 +12,6 @@ module "repo" {
|
|||
source e = "./modules/source-repository"
|
||||
project_id = "my-project"
|
||||
name = "my-repo"
|
||||
iam_roles = ["roles/source.reader"]
|
||||
iam_members = {
|
||||
"roles/source.reader" = ["user:foo@example.com"]
|
||||
}
|
||||
|
@ -26,8 +25,7 @@ module "repo" {
|
|||
|---|---|:---: |:---:|:---:|
|
||||
| name | Repository topic name. | <code title="">string</code> | ✓ | |
|
||||
| project_id | Project used for resources. | <code title="">string</code> | ✓ | |
|
||||
| *iam_members* | IAM members for each topic role. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | IAM roles for topic. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *iam_members* | IAM members for each topic role. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -20,11 +20,11 @@ resource "google_sourcerepo_repository" "default" {
|
|||
}
|
||||
|
||||
resource "google_sourcerepo_repository_iam_binding" "default" {
|
||||
for_each = toset(var.iam_roles)
|
||||
for_each = var.iam_members
|
||||
project = var.project_id
|
||||
repository = google_sourcerepo_repository.default.name
|
||||
role = each.value
|
||||
members = lookup(var.iam_members, each.value, [])
|
||||
role = each.key
|
||||
members = each.value
|
||||
|
||||
depends_on = [
|
||||
google_sourcerepo_repository.default
|
||||
|
|
|
@ -21,16 +21,10 @@ variable "project_id" {
|
|||
|
||||
variable "iam_members" {
|
||||
description = "IAM members for each topic role."
|
||||
type = map(list(string))
|
||||
type = map(set(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "IAM roles for topic."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Repository topic name."
|
||||
type = string
|
||||
|
|