diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf
index 11200035..90ded30e 100644
--- a/fast/stages/1-resman/organization.tf
+++ b/fast/stages/1-resman/organization.tf
@@ -48,21 +48,21 @@ module "organization" {
description = "Resource management context."
iam = {}
values = {
- data = null
- gke = null
- networking = null
- sandbox = null
- security = null
- teams = null
- tenant = null
+ data = {}
+ gke = {}
+ networking = {}
+ sandbox = {}
+ security = {}
+ teams = {}
+ tenant = {}
}
}
(var.tag_names.environment) = {
description = "Environment definition."
iam = {}
values = {
- development = null
- production = null
+ development = {}
+ production = {}
}
}
(var.tag_names.tenant) = {
diff --git a/modules/folder/README.md b/modules/folder/README.md
index fb455495..094bab58 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -303,10 +303,9 @@ module "org" {
tags = {
environment = {
description = "Environment specification."
- iam = null
values = {
- dev = null
- prod = null
+ dev = {}
+ prod = {}
}
}
}
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 90ab4574..0af82e69 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -453,7 +453,7 @@ module "org" {
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
}
values = {
- dev = null
+ dev = {}
prod = {
description = "Environment: production."
iam = {
@@ -502,8 +502,8 @@ module "org" {
| [network_tags](variables.tf#L148) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
|
| [org_policies](variables.tf#L170) | Organization policies applied to this organization keyed by policy name. | map(object({…}))
| | {}
|
| [org_policy_custom_constraints](variables.tf#L197) | Organization policy custom constraints keyed by constraint name. | map(object({…}))
| | {}
|
-| [tag_bindings](variables.tf#L220) | Tag bindings for this organization, in key => tag value id format. | map(string)
| | null
|
-| [tags](variables.tf#L226) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
|
+| [tag_bindings](variables.tf#L220) | Tag bindings for this organization, in key => tag value id format. | map(string)
| | {}
|
+| [tags](variables.tf#L227) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
|
## Outputs
diff --git a/modules/organization/tags.tf b/modules/organization/tags.tf
index 7fb1c068..d25757c2 100644
--- a/modules/organization/tags.tf
+++ b/modules/organization/tags.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,17 +17,12 @@
locals {
_tag_values = flatten([
for tag, attrs in local.tags : [
- for value, value_attrs in coalesce(attrs.values, {}) : {
- description = coalesce(
- value_attrs == null ? null : value_attrs.description,
- "Managed by the Terraform organization module."
- )
- key = "${tag}/${value}"
- id = try(value_attrs.id, null)
- name = value
- roles = keys(coalesce(
- value_attrs == null ? null : value_attrs.iam, {}
- ))
+ for value, value_attrs in attrs.values : {
+ description = value_attrs.description,
+ key = "${tag}/${value}"
+ id = try(value_attrs.id, null)
+ name = value
+ roles = keys(value_attrs.iam)
tag = tag
tag_id = attrs.id
tag_network = try(attrs.network, null) != null
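Review bot: `for value, value_attrs in attrs.values`, `description = value_attrs.description,` and `roles = keys(value_attrs.iam)` now dereference their inputs with no null guard, and the same applies to `keys(attrs.iam)` in the `_tags_iam` hunk that follows. A null `iam` or `values` would fail at plan time, so these lines are only safe if the `var.tags` type supplies non-null defaults for those attributes, which this diff does not show. The old fallback description "Managed by the Terraform organization module." is also removed here, so it has presumably moved into the type default; this is worth confirming, since these locals feed the tag value IAM bindings. I would record the dependency next to the loop, e.g. `# value_attrs.description / .iam are never null: defaults come from the var.tags type, null values are rejected by its validation`, and drop the trailing comma after `value_attrs.description` to match the other attributes. The `locals` block continues outside this hunk.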
@@ -47,7 +42,7 @@ locals {
])
_tags_iam = flatten([
for tag, attrs in local.tags : [
- for role in keys(coalesce(attrs.iam, {})) : {
+ for role in keys(attrs.iam) : {
role = role
tag = tag
tag_id = attrs.id
@@ -129,7 +124,7 @@ resource "google_tags_tag_value_iam_binding" "default" {
# bindings
resource "google_tags_tag_binding" "binding" {
- for_each = coalesce(var.tag_bindings, {})
+ for_each = var.tag_bindings
parent = "//cloudresourcemanager.googleapis.com/${var.organization_id}"
tag_value = each.value
}
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index f11900db..59d3ccf6 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -220,7 +220,8 @@ variable "organization_id" {
variable "tag_bindings" {
description = "Tag bindings for this organization, in key => tag value id format."
type = map(string)
- default = null
+ default = {}
+ nullable = false
}
variable "tags" {
@@ -238,9 +239,16 @@ variable "tags" {
nullable = false
default = {}
validation {
- condition = alltrue([
- for k, v in var.tags : v != null
- ])
+ condition = (
+ # all keys are non-null
+ alltrue([
+ for k, v in var.tags : v != null
+ ]) &&
+ # all values are non-null
+ alltrue(flatten([
+ for k, v in var.tags : [for k2, v2 in v.values : v2 != null]
+ ]))
+ )
error_message = "Use an empty map instead of null as value."
}
}
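Review bot: The second `alltrue` reads `v.values` for every entry, including one whose `v` is null, so on Terraform versions that evaluate both operands of `&&` a null tag key may surface as an attribute-access error instead of the intended `error_message`. Guarding the inner iteration keeps the check total: `for k, v in var.tags : [for k2, v2 in try(v.values, {}) : v2 != null]`. The two comments would be more precise as `# all tag keys are non-null` and `# all tag values are non-null`, and the message could say which level failed, e.g. `"Use an empty map instead of null as tag key or tag value."`. The `tags` variable block starts outside this hunk, so its type and optional defaults are not visible here.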
diff --git a/modules/project/README.md b/modules/project/README.md
index 3f51113a..d9b33e1e 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -666,10 +666,9 @@ module "org" {
tags = {
environment = {
description = "Environment specification."
- iam = null
values = {
- dev = null
- prod = null
+ dev = {}
+ prod = {}
}
}
}
diff --git a/tests/modules/organization/tags.tfvars b/tests/modules/organization/tags.tfvars
index 2a4dcb42..5d942674 100644
--- a/tests/modules/organization/tags.tfvars
+++ b/tests/modules/organization/tags.tfvars
@@ -13,8 +13,8 @@ tags = {
baz = {
id = "tagKeys/1234567890"
values = {
- one = null
- two = null
+ one = {}
+ two = {}
}
}
foobar = {
@@ -25,7 +25,7 @@ tags = {
]
}
values = {
- one = null
+ one = {}
two = {
description = "Foobar 2."
iam = {
diff --git a/tools/lockfile/default-versions_override.tf b/tools/lockfile/default-versions_override.tf
new file mode 100644
index 00000000..0cf33525
--- /dev/null
+++ b/tools/lockfile/default-versions_override.tf
@@ -0,0 +1,27 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file specifies the required version of the github provider used
+# during testing. This has to be in an override file, otherwise the
+# setup-tf-providers job fails because it copies default-versions.tf
+# before running `terraform init`
+
+terraform {
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/tools/lockfile/main.tf b/tools/lockfile/main.tf
index 14d5c4dc..7614f5bc 100644
--- a/tools/lockfile/main.tf
+++ b/tools/lockfile/main.tf
@@ -12,15 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-terraform {
- required_providers {
- github = {
- source = "integrations/github"
- version = "~> 5.0"
- }
- }
-}
-
data "archive_file" "bundle" {}
resource "azuread_user" "default" {}
resource "azurerm_resource_group" "default" {}