diff --git a/foundations/environments/main.tf b/foundations/environments/main.tf
index 3f839a3c..065dd5ac 100644
--- a/foundations/environments/main.tf
+++ b/foundations/environments/main.tf
@@ -86,11 +86,10 @@ module "tf-gcs-environments" {
###############################################################################
module "environment-folders" {
- source = "../../modules/folder"
- for_each = var.environments
- parent = var.root_node
- name = each.value
- iam_roles = local.folder_roles
+ source = "../../modules/folder"
+ for_each = var.environments
+ parent = var.root_node
+ name = each.value
iam_members = {
for role in local.folder_roles :
(role) => [module.tf-service-accounts[each.value].iam_email]
diff --git a/modules/folder/README.md b/modules/folder/README.md
index c9d84cc0..f4a164cf 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -48,7 +48,6 @@ module "folder" {
| name | Folder name. | string
| ✓ | |
| parent | Parent in folders/folder_id or organizations/org_id format. | string
| ✓ | |
| *iam_members* | List of IAM members keyed by role. | map(set(string))
| | null
|
-| *iam_roles* | List of IAM roles. | set(string)
| | null
|
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool)
| | {}
|
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...}))
| | {}
|
diff --git a/modules/folder/main.tf b/modules/folder/main.tf
index ce183910..a0ac9b55 100644
--- a/modules/folder/main.tf
+++ b/modules/folder/main.tf
@@ -21,7 +21,7 @@ resource "google_folder" "folder" {
}
resource "google_folder_iam_binding" "authoritative" {
- for_each = var.iam_roles
+ for_each = toset(keys(var.iam_members))
folder = google_folder.folder.name
role = each.key
members = lookup(var.iam_members, each.key, [])
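Review bot: `for_each = toset(keys(var.iam_members))` will fail at plan time whenever a caller leaves `iam_members` at its documented default, because this module's variable defaults to `null` (see `default = null` under `variable "iam_members"` in the variables.tf hunk) and `keys()` rejects a null argument. Either change that default to `{}`, which is what the iam-service-account and organization modules already use, or guard the expression here with `for_each = toset(keys(coalesce(var.iam_members, {})))`. The `lookup(var.iam_members, each.key, [])` fallback on the last line can no longer be hit, since every key now comes from the map itself, so `members = var.iam_members[each.key]` states the intent more plainly. Because `google_folder_iam_binding` is authoritative per role, any existing member not listed under a key is removed on apply; that is worth saying in the README description of `iam_members` now that the map alone decides which roles are managed.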
diff --git a/modules/folder/variables.tf b/modules/folder/variables.tf
index 47c2843b..d298ec4e 100644
--- a/modules/folder/variables.tf
+++ b/modules/folder/variables.tf
@@ -20,12 +20,6 @@ variable "iam_members" {
default = null
}
-variable "iam_roles" {
- description = "List of IAM roles."
- type = set(string)
- default = null
-}
-
variable "name" {
description = "Folder name."
type = string
diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md
index f55c0b51..915b8b41 100644
--- a/modules/iam-service-account/README.md
+++ b/modules/iam-service-account/README.md
@@ -39,7 +39,6 @@ module "myproject-default-service-accounts" {
| *iam_members* | Map of members which are granted authoritative roles on the service account, keyed by role. | map(set(string))
| | {}
|
| *iam_organization_roles* | Project roles granted to the service account, by organization id. | map(set(string))
| | {}
|
| *iam_project_roles* | Project roles granted to the service account, by project id. | map(set(string))
| | {}
|
-| *iam_roles* | Authoritative roles granted on the service account. | set(string)
| | []
|
| *iam_storage_roles* | Storage roles granted to the service account, by bucket name. | map(set(string))
| | {}
|
| *prefix* | Prefix applied to service account names. | string
| | null
|
diff --git a/modules/iam-service-account/main.tf b/modules/iam-service-account/main.tf
index b749e172..e9f6ef6c 100644
--- a/modules/iam-service-account/main.tf
+++ b/modules/iam-service-account/main.tf
@@ -67,8 +67,7 @@ resource "google_service_account_key" "key" {
}
resource "google_service_account_iam_binding" "roles" {
- for_each = var.iam_roles
- #for_each = toset(keys(var.iam_members))
+ for_each = toset(keys(var.iam_members))
service_account_id = google_service_account.service_account.name
role = each.key
members = lookup(var.iam_members, each.key, [])
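Review bot: With the role set derived from `keys(var.iam_members)`, the `lookup(var.iam_members, each.key, [])` default on the last line is unreachable and reads as though a role without an entry were still possible; `members = var.iam_members[each.key]` is the direct form. One consequence of the change that deserves a README sentence is that a role can no longer be declared authoritative without naming any members: previously a role listed in `iam_roles` but absent from `iam_members` produced a binding with an empty member set, which, assuming the provider accepted it, could be used to strip out-of-band grants of roles such as `roles/iam.serviceAccountTokenCreator` on the account. Whether `"roles/x" = []` in `iam_members` is accepted by the provider as the equivalent should be confirmed before relying on it. The resource block's closing brace is outside the hunk.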
diff --git a/modules/iam-service-account/variables.tf b/modules/iam-service-account/variables.tf
index 6d29cb80..524a820e 100644
--- a/modules/iam-service-account/variables.tf
+++ b/modules/iam-service-account/variables.tf
@@ -26,12 +26,6 @@ variable "iam_members" {
default = {}
}
-variable "iam_roles" {
- description = "Authoritative roles granted on the service account."
- type = set(string)
- default = []
-}
-
variable "iam_billing_roles" {
description = "Project roles granted to the service account, by billing account id."
type = map(set(string))
diff --git a/modules/organization/README.md b/modules/organization/README.md
index c95bba8f..e0ea140f 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -13,7 +13,6 @@ This module allows managing several organization properties:
module "org" {
source = "./modules/organization"
org_id = 1234567890
- iam_roles = ["roles/projectCreator"]
iam_members = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
@@ -40,7 +39,6 @@ module "org" {
| *iam_additive_bindings* | Map of roles lists used to set non authoritative bindings, keyed by members. | map(list(string))
| | {}
|
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string)))
| | {}
|
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. | map(list(string))
| | {}
|
-| *iam_roles* | List of roles used to set authoritative bindings. | list(string)
| | []
|
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool)
| | {}
|
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...}))
| | {}
|
diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index a96ff141..77af682f 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -37,7 +37,7 @@ resource "google_organization_iam_custom_role" "roles" {
}
resource "google_organization_iam_binding" "authoritative" {
- for_each = toset(var.iam_roles)
+ for_each = toset(keys(var.iam_members))
org_id = var.org_id
role = each.value
members = lookup(var.iam_members, each.value, [])
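Review bot: The rewritten `for_each` iterates a set of role names, so `each.value` on the `role` and `members` lines is the same string as `each.key`; the folder and iam-service-account modules use `each.key` for the identical construct, and `role = each.key` with `members = var.iam_members[each.key]` (the `lookup` default can no longer apply) keeps the three modules readable side by side. Since `google_organization_iam_binding` is authoritative for its role, a key such as `roles/resourcemanager.organizationAdmin` in `iam_members` replaces every existing grant of that role at the organization, including the identity running the apply if it is not listed; a short comment above the resource, e.g. `# Authoritative: members not listed for a role are removed at the organization level.`, would warn callers. The resource block's closing brace is outside the hunk.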
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 240e920f..b2cf18a1 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -26,12 +26,6 @@ variable "iam_members" {
default = {}
}
-variable "iam_roles" {
- description = "List of roles used to set authoritative bindings."
- type = list(string)
- default = []
-}
-
variable "iam_additive_bindings" {
description = "Map of roles lists used to set non authoritative bindings, keyed by members."
type = map(list(string))
diff --git a/tests/modules/folders/fixture/main.tf b/tests/modules/folders/fixture/main.tf
index 5eef7c12..926675d5 100644
--- a/tests/modules/folders/fixture/main.tf
+++ b/tests/modules/folders/fixture/main.tf
@@ -19,7 +19,6 @@ module "test" {
parent = "organizations/12345678"
name = "folder-a"
iam_members = var.iam_members
- iam_roles = var.iam_roles
policy_boolean = var.policy_boolean
policy_list = var.policy_list
}
diff --git a/tests/modules/folders/fixture/variables.tf b/tests/modules/folders/fixture/variables.tf
index 9b91f610..1267bdd7 100644
--- a/tests/modules/folders/fixture/variables.tf
+++ b/tests/modules/folders/fixture/variables.tf
@@ -19,11 +19,6 @@ variable "iam_members" {
default = {}
}
-variable "iam_roles" {
- type = list(string)
- default = []
-}
-
variable "policy_boolean" {
type = map(bool)
default = {}
diff --git a/tests/modules/folders/test_plan.py b/tests/modules/folders/test_plan.py
index d8d100de..73896ea7 100644
--- a/tests/modules/folders/test_plan.py
+++ b/tests/modules/folders/test_plan.py
@@ -30,34 +30,22 @@ def test_folder(plan_runner):
assert resource['values']['parent'] == 'organizations/12345678'
-def test_iam_roles_only(plan_runner):
- "Test folder resources with only iam roles passed."
- _, resources = plan_runner(FIXTURES_DIR,
- iam_roles='["roles/owner"]')
- assert len(resources) == 2
-
-
def test_iam(plan_runner):
"Test folder resources with iam roles and members."
- iam_roles = '["roles/owner"]'
iam_members = '{"roles/owner" = ["user:a@b.com"] }'
_, resources = plan_runner(FIXTURES_DIR,
- iam_roles=iam_roles,
iam_members=iam_members)
assert len(resources) == 2
def test_iam_multiple_members(plan_runner):
"Test folder resources with multiple iam members."
- iam_roles = '["roles/owner"]'
iam_members = '{"roles/owner" = ["user:a@b.com", "user:c@d.com"] }'
_, resources = plan_runner(FIXTURES_DIR,
- iam_roles=iam_roles,
iam_members=iam_members)
assert len(resources) == 2
def test_iam_multiple_roles(plan_runner):
"Test folder resources with multiple iam roles."
- iam_roles = '["roles/owner", "roles/viewer"]'
iam_members = (
'{ '
'"roles/owner" = ["user:a@b.com"], '
@@ -65,6 +53,5 @@ def test_iam_multiple_roles(plan_runner):
'} '
)
_, resources = plan_runner(FIXTURES_DIR,
- iam_roles=iam_roles,
iam_members=iam_members)
assert len(resources) == 3
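Review bot: `assert len(resources) == 3` on the last line only counts planned resources, so a binding keyed on the wrong role or a dropped member would still pass; now that the managed roles are derived from the `iam_members` keys, this is the one place a mistake in that derivation could be caught. Collect the bindings and compare them, e.g. `bindings = {r['values']['role']: r['values']['members'] for r in resources if r['type'] == 'google_folder_iam_binding'}` followed by `assert bindings == {'roles/owner': ['user:a@b.com'], 'roles/viewer': [...]}` with the viewer member list taken from the `iam_members` literal in the function body; the `['values']` shape is the one `test_folder` already reads, while the `type` key is assumed from the plan JSON and should be checked against `plan_runner`. `test_iam_multiple_roles` begins in the previous hunk, so the `roles/viewer` member list is not visible here.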
diff --git a/tests/modules/iam_service_account/fixture/main.tf b/tests/modules/iam_service_account/fixture/main.tf
index 5f70b175..be903b70 100644
--- a/tests/modules/iam_service_account/fixture/main.tf
+++ b/tests/modules/iam_service_account/fixture/main.tf
@@ -21,7 +21,6 @@ module "test" {
prefix = var.prefix
generate_key = var.generate_key
iam_members = var.iam_members
- iam_roles = var.iam_roles
iam_billing_roles = var.iam_billing_roles
iam_folder_roles = var.iam_folder_roles
iam_organization_roles = var.iam_organization_roles
diff --git a/tests/modules/iam_service_account/fixture/variables.tf b/tests/modules/iam_service_account/fixture/variables.tf
index 0d5eba5b..1c2933b0 100644
--- a/tests/modules/iam_service_account/fixture/variables.tf
+++ b/tests/modules/iam_service_account/fixture/variables.tf
@@ -24,11 +24,6 @@ variable "iam_members" {
default = {}
}
-variable "iam_roles" {
- type = list(string)
- default = []
-}
-
variable "iam_billing_roles" {
type = map(list(string))
default = {}
diff --git a/tests/modules/iam_service_account/test_plan.py b/tests/modules/iam_service_account/test_plan.py
index 719bc574..a8a4d2cf 100644
--- a/tests/modules/iam_service_account/test_plan.py
+++ b/tests/modules/iam_service_account/test_plan.py
@@ -37,7 +37,6 @@ def test_resources(plan_runner):
def test_iam_roles(plan_runner):
"Test iam roles with one member."
variables = dict(
- iam_roles='["roles/iam.serviceAccountUser"]',
iam_members=(
'{'
'"roles/iam.serviceAccountUser" = ["user:a@b.com"] '
diff --git a/tests/modules/organization/fixture/main.tf b/tests/modules/organization/fixture/main.tf
index 63d1f466..718fe459 100644
--- a/tests/modules/organization/fixture/main.tf
+++ b/tests/modules/organization/fixture/main.tf
@@ -15,13 +15,12 @@
*/
module "test" {
- source = "../../../../modules/organization"
- org_id = 1234567890
- custom_roles = var.custom_roles
- iam_members = var.iam_members
- iam_roles = var.iam_roles
- iam_additive_bindings= var.iam_additive_bindings
- iam_audit_config = var.iam_audit_config
- policy_boolean = var.policy_boolean
- policy_list = var.policy_list
+ source = "../../../../modules/organization"
+ org_id = 1234567890
+ custom_roles = var.custom_roles
+ iam_members = var.iam_members
+ iam_additive_bindings = var.iam_additive_bindings
+ iam_audit_config = var.iam_audit_config
+ policy_boolean = var.policy_boolean
+ policy_list = var.policy_list
}
diff --git a/tests/modules/organization/fixture/variables.tf b/tests/modules/organization/fixture/variables.tf
index 148a43b7..a6b2123b 100644
--- a/tests/modules/organization/fixture/variables.tf
+++ b/tests/modules/organization/fixture/variables.tf
@@ -24,17 +24,11 @@ variable "iam_members" {
default = {}
}
-variable "iam_roles" {
- type = list(string)
- default = []
-}
-
variable "iam_additive_bindings" {
type = map(list(string))
default = {}
}
-
variable "iam_audit_config" {
type = map(map(list(string)))
default = {}