Remove iam_roles from secret_manager

modules/secret-manager/README.md

@@ -25,7 +25,7 @@ module "secret-manager" {
 
 ### Secret IAM bindings
 
-IAM bindings can be set per secret in the same way as for most other modules supporting IAM, via `iam_roles` and `iam_members` variables.
+IAM bindings can be set per secret in the same way as for most other modules supporting IAM, using the `iam_members` variable.
 
 ```hcl
 module "secret-manager" {
@@ -35,10 +35,6 @@ module "secret-manager" {
     test-auto   = null
     test-manual = ["europe-west1", "europe-west4"]
   }
-  iam_roles  = {
-    test-auto   = ["roles/secretmanager.secretAccessor"]
-    test-manual = ["roles/secretmanager.secretAccessor"]
-  }
   iam_members = {
     test-auto   = {
       "roles/secretmanager.secretAccessor" = ["group:auto-readers@example.com"]
@@ -80,8 +76,7 @@ module "secret-manager" {
 | name | description | type | required | default |
 |---|---|:---: |:---:|:---:|
 | project_id | Project id where the keyring will be created. | <code title="">string</code> | ✓ |  |
-| *iam_members* | IAM members keyed by secret name and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
-| *iam_roles* | IAM roles keyed by secret name. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
+| *iam_members* | IAM members keyed by secret name and role. | <code title="map&#40;map&#40;set&#40;string&#41;&#41;&#41;">map(map(set(string)))</code> |  | <code title="">{}</code> |
 | *labels* | Optional labels for each secret. | <code title="map&#40;map&#40;string&#41;&#41;">map(map(string))</code> |  | <code title="">{}</code> |
 | *secrets* | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *versions* | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <code title="map&#40;map&#40;object&#40;&#123;&#10;enabled &#61; bool&#10;data    &#61; string&#10;&#125;&#41;&#41;&#41;">map(map(object({...})))</code> |  | <code title="">{}</code> |

modules/secret-manager/main.tf

@@ -16,13 +16,15 @@
 
 locals {
   # distinct is needed to make the expanding function argument work
-  iam_pairs = flatten([
-    for name, roles in var.iam_roles :
-    [for role in roles : { name = name, role = role }]
+  iam_members = flatten([
+    for secret, roles in var.iam_members : [
+      for role, members in roles : {
+        secret  = secret
+        role    = role
+        members = members
+      }
+    ]
   ])
-  iam_keypairs = {
-    for pair in local.iam_pairs : "${pair.name}-${pair.role}" => pair
-  }
   version_pairs = flatten([
     for secret, versions in var.versions : [
       for name, attrs in versions : merge(attrs, { name = name, secret = secret })
@@ -73,11 +75,12 @@ resource "google_secret_manager_secret_version" "default" {
 }
 
 resource "google_secret_manager_secret_iam_binding" "default" {
-  provider  = google-beta
-  for_each  = local.iam_keypairs
+  provider = google-beta
+  for_each = {
+    for binding in local.iam_members :
+    "${binding.secret}.${binding.role}" => binding
+  }
   role      = each.value.role
-  secret_id = google_secret_manager_secret.default[each.value.name].id
-  members = lookup(
-    lookup(var.iam_members, each.value.name, {}), each.value.role, []
-  )
+  secret_id = google_secret_manager_secret.default[each.value.secret].id
+  members   = each.value.members
 }

modules/secret-manager/variables.tf

@@ -16,13 +16,7 @@
 
 variable "iam_members" {
   description = "IAM members keyed by secret name and role."
-  type        = map(map(list(string)))
-  default     = {}
-}
-
-variable "iam_roles" {
-  description = "IAM roles keyed by secret name."
-  type        = map(list(string))
+  type        = map(map(set(string)))
   default     = {}
 }