Remove iam_roles from service accounts, folder and organization modules

Julio Castillo 2020-10-21 09:37:05 +02:00
parent 66942cc5c6
commit 85fda5b1fe
18 changed files with 15 additions and 72 deletions


@ -86,11 +86,10 @@ module "tf-gcs-environments" {
###############################################################################
module "environment-folders" {
source = "../../modules/folder"
for_each = var.environments
parent = var.root_node
name = each.value
iam_roles = local.folder_roles
source = "../../modules/folder"
for_each = var.environments
parent = var.root_node
name = each.value
iam_members = {
for role in local.folder_roles :
(role) => [module.tf-service-accounts[each.value].iam_email]


@ -48,7 +48,6 @@ module "folder" {
| name | Folder name. | <code title="">string</code> | ✓ | |
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string&#10;validation &#123;&#10;condition &#61; can&#40;regex&#40;&#34;&#40;organizations&#124;folders&#41;&#47;&#91;0-9&#93;&#43;&#34;, var.parent&#41;&#41;&#10;error_message &#61; &#34;Parent must be of the form folders&#47;folder_id or organizations&#47;organization_id.&#34;&#10;&#125;">string</code> | ✓ | |
| *iam_members* | List of IAM members keyed by role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> | | <code title="">null</code> |
| *iam_roles* | List of IAM roles. | <code title="set&#40;string&#41;">set(string)</code> | | <code title="">null</code> |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value &#61; string&#10;status &#61; bool&#10;values &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |


@ -21,7 +21,7 @@ resource "google_folder" "folder" {
}
resource "google_folder_iam_binding" "authoritative" {
for_each = var.iam_roles
for_each = toset(keys(var.iam_members))
folder = google_folder.folder.name
role = each.key
members = lookup(var.iam_members, each.key, [])
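Review bot: `toset(keys(var.iam_members))` on the new for_each line is evaluated against a variable whose default is still `null` (the `default = null` visible in this module's variables.tf hunk and in the README row), so any caller that omits `iam_members` now fails at plan time because `keys()` rejects a null argument; the removed `var.iam_roles` path did not have this problem since its default was a set. Either change the variable default to `{}`, as the service-account and organization modules in this same commit already use, or guard here with `for_each = var.iam_members == null ? {} : var.iam_members` and `members = each.value`, which also drops the `lookup(..., [])` fallback that can no longer be taken because every iterated key is by construction present in the map. The binding remains authoritative per role, so a role key carrying an empty member set is effectively a request to strip every existing member of that role on the folder; a one-line comment above the resource stating that would spare callers a surprise. The resource block's closing brace lies outside the hunk.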


@ -20,12 +20,6 @@ variable "iam_members" {
default = null
}
variable "iam_roles" {
description = "List of IAM roles."
type = set(string)
default = null
}
variable "name" {
description = "Folder name."
type = string


@ -39,7 +39,6 @@ module "myproject-default-service-accounts" {
| *iam_members* | Map of members which are granted authoritative roles on the service account, keyed by role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> | | <code title="">{}</code> |
| *iam_organization_roles* | Project roles granted to the service account, by organization id. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> | | <code title="">{}</code> |
| *iam_project_roles* | Project roles granted to the service account, by project id. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> | | <code title="">{}</code> |
| *iam_roles* | Authoritative roles granted on the service account. | <code title="set&#40;string&#41;">set(string)</code> | | <code title="">[]</code> |
| *iam_storage_roles* | Storage roles granted to the service account, by bucket name. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> | | <code title="">{}</code> |
| *prefix* | Prefix applied to service account names. | <code title="">string</code> | | <code title="">null</code> |


@ -67,8 +67,7 @@ resource "google_service_account_key" "key" {
}
resource "google_service_account_iam_binding" "roles" {
for_each = var.iam_roles
#for_each = toset(keys(var.iam_members))
for_each = toset(keys(var.iam_members))
service_account_id = google_service_account.service_account.name
role = each.key
members = lookup(var.iam_members, each.key, [])
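Review bot: `lookup(var.iam_members, each.key, [])` on the last line is now dead defaulting: every `each.key` comes from `keys(var.iam_members)`, so the `[]` branch can never be taken and only obscures the intent; iterating the map directly with `for_each = var.iam_members` and `members = each.value` keeps instances keyed by role exactly as before and says so in two lines. Because `google_service_account_iam_binding` is authoritative and the roles passed here (the module's test uses `roles/iam.serviceAccountUser`) govern who may act as this service account, a key with an empty member set would either fail provider validation or clear every existing principal for that role, whichever the provider version does; a short comment above the resource, e.g. `# Authoritative per role: members not listed here for a given role are removed from the service account.`, would make that explicit. The resource block closes outside the hunk.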


@ -26,12 +26,6 @@ variable "iam_members" {
default = {}
}
variable "iam_roles" {
description = "Authoritative roles granted on the service account."
type = set(string)
default = []
}
variable "iam_billing_roles" {
description = "Project roles granted to the service account, by billing account id."
type = map(set(string))


@ -13,7 +13,6 @@ This module allows managing several organization properties:
module "org" {
source = "./modules/organization"
org_id = 1234567890
iam_roles = ["roles/projectCreator"]
iam_members = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
@ -40,7 +39,6 @@ module "org" {
| *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> | | <code title="">{}</code> |
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> | | <code title="">{}</code> |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value &#61; string&#10;status &#61; bool&#10;values &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> | | <code title="">{}</code> |


@ -37,7 +37,7 @@ resource "google_organization_iam_custom_role" "roles" {
}
resource "google_organization_iam_binding" "authoritative" {
for_each = toset(var.iam_roles)
for_each = toset(keys(var.iam_members))
org_id = var.org_id
role = each.value
members = lookup(var.iam_members, each.value, [])
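Review bot: the new `for_each = toset(keys(var.iam_members))` makes the `[]` default in `lookup(var.iam_members, each.value, [])` unreachable, and it reads `each.value` where the folder and service-account modules changed in this same commit use `each.key` for the identical set iteration; `for_each = var.iam_members` with `role = each.key` and `members = each.value` is both simpler and consistent across the three modules. Since `google_organization_iam_binding` is authoritative per role at organization scope, a role key whose member list omits the identity running the apply (or an empty list, if the provider accepts one) removes that identity's grant organization-wide, which is the most direct lock-out this module can produce. A comment above the resource, e.g. `# Authoritative: replaces all existing members of each role in iam_members at org level; keep the applying identity's own grants in this map or manage them elsewhere.`, plus a `validation` block on `iam_members` rejecting empty member lists, would make that failure mode visible to callers. The resource block closes outside the hunk.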


@ -26,12 +26,6 @@ variable "iam_members" {
default = {}
}
variable "iam_roles" {
description = "List of roles used to set authoritative bindings."
type = list(string)
default = []
}
variable "iam_additive_bindings" {
description = "Map of roles lists used to set non authoritative bindings, keyed by members."
type = map(list(string))


@ -19,7 +19,6 @@ module "test" {
parent = "organizations/12345678"
name = "folder-a"
iam_members = var.iam_members
iam_roles = var.iam_roles
policy_boolean = var.policy_boolean
policy_list = var.policy_list
}


@ -19,11 +19,6 @@ variable "iam_members" {
default = {}
}
variable "iam_roles" {
type = list(string)
default = []
}
variable "policy_boolean" {
type = map(bool)
default = {}


@ -30,34 +30,22 @@ def test_folder(plan_runner):
assert resource['values']['parent'] == 'organizations/12345678'
def test_iam_roles_only(plan_runner):
"Test folder resources with only iam roles passed."
_, resources = plan_runner(FIXTURES_DIR,
iam_roles='["roles/owner"]')
assert len(resources) == 2
def test_iam(plan_runner):
"Test folder resources with iam roles and members."
iam_roles = '["roles/owner"]'
iam_members = '{"roles/owner" = ["user:a@b.com"] }'
_, resources = plan_runner(FIXTURES_DIR,
iam_roles=iam_roles,
iam_members=iam_members)
assert len(resources) == 2
def test_iam_multiple_members(plan_runner):
"Test folder resources with multiple iam members."
iam_roles = '["roles/owner"]'
iam_members = '{"roles/owner" = ["user:a@b.com", "user:c@d.com"] }'
_, resources = plan_runner(FIXTURES_DIR,
iam_roles=iam_roles,
iam_members=iam_members)
assert len(resources) == 2
def test_iam_multiple_roles(plan_runner):
"Test folder resources with multiple iam roles."
iam_roles = '["roles/owner", "roles/viewer"]'
iam_members = (
'{ '
'"roles/owner" = ["user:a@b.com"], '
@ -65,6 +53,5 @@ def test_iam_multiple_roles(plan_runner):
'} '
)
_, resources = plan_runner(FIXTURES_DIR,
iam_roles=iam_roles,
iam_members=iam_members)
assert len(resources) == 3
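Review bot: with `test_iam_roles_only` deleted, no test in this file inspects what the plan actually binds — `test_iam`, `test_iam_multiple_members` and `test_iam_multiple_roles` only assert resource counts, so a regression that drops or swaps members in the `google_folder_iam_binding` would still pass, and because the fixture's `iam_members` default is `{}` the module's own `null` default is never planned either. Worth adding a test that selects the binding resource from the plan and asserts its `role` and `members`, plus one that passes `iam_members` as `null` to pin whether the module accepts an omitted map. Sketch below, assuming the plan dicts carry a `type` field alongside the `values` the existing tests already read.
```python
def test_iam_binding_members(plan_runner):
    "Test that the authoritative binding carries exactly the passed members."
    iam_members = '{"roles/owner" = ["user:a@b.com", "user:c@d.com"] }'
    _, resources = plan_runner(FIXTURES_DIR, iam_members=iam_members)
    bindings = [r for r in resources
                if r['type'] == 'google_folder_iam_binding']
    assert len(bindings) == 1
    assert bindings[0]['values']['role'] == 'roles/owner'
    assert set(bindings[0]['values']['members']) == {'user:a@b.com', 'user:c@d.com'}
```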


@ -21,7 +21,6 @@ module "test" {
prefix = var.prefix
generate_key = var.generate_key
iam_members = var.iam_members
iam_roles = var.iam_roles
iam_billing_roles = var.iam_billing_roles
iam_folder_roles = var.iam_folder_roles
iam_organization_roles = var.iam_organization_roles


@ -24,11 +24,6 @@ variable "iam_members" {
default = {}
}
variable "iam_roles" {
type = list(string)
default = []
}
variable "iam_billing_roles" {
type = map(list(string))
default = {}


@ -37,7 +37,6 @@ def test_resources(plan_runner):
def test_iam_roles(plan_runner):
"Test iam roles with one member."
variables = dict(
iam_roles='["roles/iam.serviceAccountUser"]',
iam_members=(
'{'
'"roles/iam.serviceAccountUser" = ["user:a@b.com"] '


@ -15,13 +15,12 @@
*/
module "test" {
source = "../../../../modules/organization"
org_id = 1234567890
custom_roles = var.custom_roles
iam_members = var.iam_members
iam_roles = var.iam_roles
iam_additive_bindings= var.iam_additive_bindings
iam_audit_config = var.iam_audit_config
policy_boolean = var.policy_boolean
policy_list = var.policy_list
source = "../../../../modules/organization"
org_id = 1234567890
custom_roles = var.custom_roles
iam_members = var.iam_members
iam_additive_bindings = var.iam_additive_bindings
iam_audit_config = var.iam_audit_config
policy_boolean = var.policy_boolean
policy_list = var.policy_list
}


@ -24,17 +24,11 @@ variable "iam_members" {
default = {}
}
variable "iam_roles" {
type = list(string)
default = []
}
variable "iam_additive_bindings" {
type = map(list(string))
default = {}
}
variable "iam_audit_config" {
type = map(map(list(string)))
default = {}