Remove iam_roles from service accounts, folder and organization modules

foundations/environments/main.tf

@@ -86,11 +86,10 @@ module "tf-gcs-environments" {
 ###############################################################################
 
 module "environment-folders" {
-  source    = "../../modules/folder"
-  for_each  = var.environments
-  parent    = var.root_node
-  name      = each.value
-  iam_roles = local.folder_roles
+  source   = "../../modules/folder"
+  for_each = var.environments
+  parent   = var.root_node
+  name     = each.value
   iam_members = {
     for role in local.folder_roles :
     (role) => [module.tf-service-accounts[each.value].iam_email]

modules/folder/README.md

@@ -48,7 +48,6 @@ module "folder" {
 | name | Folder name. | <code title="">string</code> | ✓ |  |
 | parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string&#10;validation &#123;&#10;condition     &#61; can&#40;regex&#40;&#34;&#40;organizations&#124;folders&#41;&#47;&#91;0-9&#93;&#43;&#34;, var.parent&#41;&#41;&#10;error_message &#61; &#34;Parent must be of the form folders&#47;folder_id or organizations&#47;organization_id.&#34;&#10;&#125;">string</code> | ✓ |  |
 | *iam_members* | List of IAM members keyed by role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">null</code> |
-| *iam_roles* | List of IAM roles. | <code title="set&#40;string&#41;">set(string)</code> |  | <code title="">null</code> |
 | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |
 | *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value     &#61; string&#10;status              &#61; bool&#10;values              &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 

modules/folder/main.tf

@@ -21,7 +21,7 @@ resource "google_folder" "folder" {
 }
 
 resource "google_folder_iam_binding" "authoritative" {
-  for_each = var.iam_roles
+  for_each = toset(keys(var.iam_members))
   folder   = google_folder.folder.name
   role     = each.key
   members  = lookup(var.iam_members, each.key, [])

modules/folder/variables.tf

@@ -20,12 +20,6 @@ variable "iam_members" {
   default     = null
 }
 
-variable "iam_roles" {
-  description = "List of IAM roles."
-  type        = set(string)
-  default     = null
-}
-
 variable "name" {
   description = "Folder name."
   type        = string

modules/iam-service-account/README.md

@@ -39,7 +39,6 @@ module "myproject-default-service-accounts" {
 | *iam_members* | Map of members which are granted authoritative roles on the service account, keyed by role. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *iam_organization_roles* | Project roles granted to the service account, by organization id. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *iam_project_roles* | Project roles granted to the service account, by project id. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | Authoritative roles granted on the service account. | <code title="set&#40;string&#41;">set(string)</code> |  | <code title="">[]</code> |
 | *iam_storage_roles* | Storage roles granted to the service account, by bucket name. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
 | *prefix* | Prefix applied to service account names. | <code title="">string</code> |  | <code title="">null</code> |
 

modules/iam-service-account/main.tf

@@ -67,8 +67,7 @@ resource "google_service_account_key" "key" {
 }
 
 resource "google_service_account_iam_binding" "roles" {
-  for_each = var.iam_roles
-  #for_each           = toset(keys(var.iam_members))
+  for_each           = toset(keys(var.iam_members))
   service_account_id = google_service_account.service_account.name
   role               = each.key
   members            = lookup(var.iam_members, each.key, [])

modules/iam-service-account/variables.tf

@@ -26,12 +26,6 @@ variable "iam_members" {
   default     = {}
 }
 
-variable "iam_roles" {
-  description = "Authoritative roles granted on the service account."
-  type        = set(string)
-  default     = []
-}
-
 variable "iam_billing_roles" {
   description = "Project roles granted to the service account, by billing account id."
   type        = map(set(string))

modules/organization/README.md

@@ -13,7 +13,6 @@ This module allows managing several organization properties:
 module "org" {
   source      = "./modules/organization"
   org_id      = 1234567890
-  iam_roles   = ["roles/projectCreator"]
   iam_members = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
   policy_boolean = {
     "constraints/compute.disableGuestAttributesAccess" = true
@@ -40,7 +39,6 @@ module "org" {
 | *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
 | *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
-| *iam_roles* | List of roles used to set authoritative bindings. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
 | *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |
 | *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map&#40;object&#40;&#123;&#10;inherit_from_parent &#61; bool&#10;suggested_value     &#61; string&#10;status              &#61; bool&#10;values              &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 

modules/organization/main.tf

@@ -37,7 +37,7 @@ resource "google_organization_iam_custom_role" "roles" {
 }
 
 resource "google_organization_iam_binding" "authoritative" {
-  for_each = toset(var.iam_roles)
+  for_each = toset(keys(var.iam_members))
   org_id   = var.org_id
   role     = each.value
   members  = lookup(var.iam_members, each.value, [])

modules/organization/variables.tf

@@ -26,12 +26,6 @@ variable "iam_members" {
   default     = {}
 }
 
-variable "iam_roles" {
-  description = "List of roles used to set authoritative bindings."
-  type        = list(string)
-  default     = []
-}
-
 variable "iam_additive_bindings" {
   description = "Map of roles lists used to set non authoritative bindings, keyed by members."
   type        = map(list(string))

tests/modules/folders/fixture/main.tf

@@ -19,7 +19,6 @@ module "test" {
   parent         = "organizations/12345678"
   name           = "folder-a"
   iam_members    = var.iam_members
-  iam_roles      = var.iam_roles
   policy_boolean = var.policy_boolean
   policy_list    = var.policy_list
 }

tests/modules/folders/fixture/variables.tf

@@ -19,11 +19,6 @@ variable "iam_members" {
   default = {}
 }
 
-variable "iam_roles" {
-  type    = list(string)
-  default = []
-}
-
 variable "policy_boolean" {
   type    = map(bool)
   default = {}

tests/modules/folders/test_plan.py

@@ -30,34 +30,22 @@ def test_folder(plan_runner):
   assert resource['values']['parent'] == 'organizations/12345678'
 
 
-def test_iam_roles_only(plan_runner):
-  "Test folder resources with only iam roles passed."
-  _, resources = plan_runner(FIXTURES_DIR,
-                             iam_roles='["roles/owner"]')
-  assert len(resources) == 2
-
-
 def test_iam(plan_runner):
   "Test folder resources with iam roles and members."
-  iam_roles = '["roles/owner"]'
   iam_members = '{"roles/owner" = ["user:a@b.com"] }'
   _, resources = plan_runner(FIXTURES_DIR,
-                             iam_roles=iam_roles,
                              iam_members=iam_members)
   assert len(resources) == 2
 
 def test_iam_multiple_members(plan_runner):
   "Test folder resources with multiple iam members."
-  iam_roles = '["roles/owner"]'
   iam_members = '{"roles/owner" = ["user:a@b.com", "user:c@d.com"] }'
   _, resources = plan_runner(FIXTURES_DIR,
-                             iam_roles=iam_roles,
                              iam_members=iam_members)
   assert len(resources) == 2
 
 def test_iam_multiple_roles(plan_runner):
   "Test folder resources with multiple iam roles."
-  iam_roles = '["roles/owner", "roles/viewer"]'
   iam_members = (
     '{ '
     '"roles/owner" = ["user:a@b.com"], '
@@ -65,6 +53,5 @@ def test_iam_multiple_roles(plan_runner):
     '} '
   )
   _, resources = plan_runner(FIXTURES_DIR,
-                             iam_roles=iam_roles,
                              iam_members=iam_members)
   assert len(resources) == 3

tests/modules/iam_service_account/fixture/main.tf

@@ -21,7 +21,6 @@ module "test" {
   prefix                 = var.prefix
   generate_key           = var.generate_key
   iam_members            = var.iam_members
-  iam_roles              = var.iam_roles
   iam_billing_roles      = var.iam_billing_roles
   iam_folder_roles       = var.iam_folder_roles
   iam_organization_roles = var.iam_organization_roles

tests/modules/iam_service_account/fixture/variables.tf

@@ -24,11 +24,6 @@ variable "iam_members" {
   default = {}
 }
 
-variable "iam_roles" {
-  type    = list(string)
-  default = []
-}
-
 variable "iam_billing_roles" {
   type    = map(list(string))
   default = {}

tests/modules/iam_service_account/test_plan.py

@@ -37,7 +37,6 @@ def test_resources(plan_runner):
 def test_iam_roles(plan_runner):
   "Test iam roles with one member."
   variables = dict(
-    iam_roles='["roles/iam.serviceAccountUser"]',
     iam_members=(
       '{'
       '"roles/iam.serviceAccountUser" = ["user:a@b.com"] '

tests/modules/organization/fixture/main.tf

@@ -15,13 +15,12 @@
  */
 
 module "test" {
-  source               = "../../../../modules/organization"
-  org_id               = 1234567890
-  custom_roles         = var.custom_roles
-  iam_members          = var.iam_members
-  iam_roles            = var.iam_roles
-  iam_additive_bindings= var.iam_additive_bindings
-  iam_audit_config     = var.iam_audit_config
-  policy_boolean       = var.policy_boolean
-  policy_list          = var.policy_list
+  source                = "../../../../modules/organization"
+  org_id                = 1234567890
+  custom_roles          = var.custom_roles
+  iam_members           = var.iam_members
+  iam_additive_bindings = var.iam_additive_bindings
+  iam_audit_config      = var.iam_audit_config
+  policy_boolean        = var.policy_boolean
+  policy_list           = var.policy_list
 }

tests/modules/organization/fixture/variables.tf

@@ -24,17 +24,11 @@ variable "iam_members" {
   default = {}
 }
 
-variable "iam_roles" {
-  type    = list(string)
-  default = []
-}
-
 variable "iam_additive_bindings" {
   type    = map(list(string))
   default = {}
 }
 
-
 variable "iam_audit_config" {
   type    = map(map(list(string)))
   default = {}