From b6e0557bbbf7b024df7835aec00ed5fd1c4a7032 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Mon, 18 Dec 2023 17:09:22 +0100
Subject: [PATCH] Simplify organization tags.tf locals (#1932)

* Simplify organization tags.tf locals
* Fix boilerplate
* Override github provider version for tests
---
 fast/stages/1-resman/organization.tf | 18 +++++++-------
 modules/folder/README.md | 5 ++--
 modules/organization/README.md | 6 ++---
 modules/organization/tags.tf | 23 +++++++-----------
 modules/organization/variables.tf | 16 +++++++++---
 modules/project/README.md | 5 ++--
 tests/modules/organization/tags.tfvars | 6 ++---
 tools/lockfile/default-versions_override.tf | 27 +++++++++++++++++++++
 tools/lockfile/main.tf | 9 -------
 9 files changed, 67 insertions(+), 48 deletions(-)
 create mode 100644 tools/lockfile/default-versions_override.tf
diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf
index 11200035..90ded30e 100644
--- a/fast/stages/1-resman/organization.tf
+++ b/fast/stages/1-resman/organization.tf
@@ -48,21 +48,21 @@ module "organization" {
 description = "Resource management context."
 iam = {}
 values = {
- data = null
- gke = null
- networking = null
- sandbox = null
- security = null
- teams = null
- tenant = null
+ data = {}
+ gke = {}
+ networking = {}
+ sandbox = {}
+ security = {}
+ teams = {}
+ tenant = {}
 }
 }
 (var.tag_names.environment) = {
 description = "Environment definition."
 iam = {}
 values = {
- development = null
- production = null
+ development = {}
+ production = {}
 }
 }
 (var.tag_names.tenant) = {
diff --git a/modules/folder/README.md b/modules/folder/README.md
index fb455495..094bab58 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -303,10 +303,9 @@ module "org" {
 tags = {
 environment = {
 description = "Environment specification."
- iam = null
 values = {
- dev = null
- prod = null
+ dev = {}
+ prod = {}
 }
 }
 }
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 90ab4574..0af82e69 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -453,7 +453,7 @@ module "org" {
 "roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
 }
 values = {
- dev = null
+ dev = {}
 prod = {
 description = "Environment: production."
 iam = {
@@ -502,8 +502,8 @@ module "org" {
 | [network_tags](variables.tf#L148) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
 | [org_policies](variables.tf#L170) | Organization policies applied to this organization keyed by policy name. | map(object({…})) | | {} |
 | [org_policy_custom_constraints](variables.tf#L197) | Organization policy custom constraints keyed by constraint name. | map(object({…})) | | {} |
-| [tag_bindings](variables.tf#L220) | Tag bindings for this organization, in key => tag value id format. | map(string) | | null |
-| [tags](variables.tf#L226) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
+| [tag_bindings](variables.tf#L220) | Tag bindings for this organization, in key => tag value id format. | map(string) | | {} |
+| [tags](variables.tf#L227) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
 
 ## Outputs
 
diff --git a/modules/organization/tags.tf b/modules/organization/tags.tf
index 7fb1c068..d25757c2 100644
--- a/modules/organization/tags.tf
+++ b/modules/organization/tags.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -17,17 +17,12 @@ locals {
 _tag_values = flatten([
 for tag, attrs in local.tags : [
- for value, value_attrs in coalesce(attrs.values, {}) : {
- description = coalesce(
- value_attrs == null ? null : value_attrs.description,
- "Managed by the Terraform organization module."
- )
- key = "${tag}/${value}"
- id = try(value_attrs.id, null)
- name = value
- roles = keys(coalesce(
- value_attrs == null ? null : value_attrs.iam, {}
- ))
+ for value, value_attrs in attrs.values : {
+ description = value_attrs.description,
+ key = "${tag}/${value}"
+ id = try(value_attrs.id, null)
+ name = value
+ roles = keys(value_attrs.iam)
 tag = tag
 tag_id = attrs.id
 tag_network = try(attrs.network, null) != null
@@ -47,7 +42,7 @@ locals {
 ])
 _tags_iam = flatten([
 for tag, attrs in local.tags : [
- for role in keys(coalesce(attrs.iam, {})) : {
+ for role in keys(attrs.iam) : {
 role = role
 tag = tag
 tag_id = attrs.id
@@ -129,7 +124,7 @@ resource "google_tags_tag_value_iam_binding" "default" {
 
 # bindings
 resource "google_tags_tag_binding" "binding" {
- for_each = coalesce(var.tag_bindings, {})
+ for_each = var.tag_bindings
 parent = "//cloudresourcemanager.googleapis.com/${var.organization_id}"
 tag_value = each.value
 }
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index f11900db..59d3ccf6 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -220,7 +220,8 @@ variable "organization_id" {
 variable "tag_bindings" {
 description = "Tag bindings for this organization, in key => tag value id format."
 type = map(string)
- default = null
+ default = {}
+ nullable = false
 }
 
 variable "tags" {
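Review bot: `description = value_attrs.description,` drops the `coalesce(..., "Managed by the Terraform organization module.")` fallback the old code applied, so a value declared without a description (as the README examples still do) now reaches the tag value resource as null unless the `tags` variable type in variables.tf, which this patch does not show, supplies an `optional()` default — worth confirming. The trailing comma on that line is also inconsistent with the other attributes of the object; `description = value_attrs.description` matches them. Likewise `roles = keys(value_attrs.iam)` here and `keys(attrs.iam)` in the `_tags_iam` hunk error out on an explicit `iam = null`, since optional() defaults do not apply to an explicit null, and the new validation in variables.tf does not reject that case. The `locals` block continues past both hunks.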
@@ -238,9 +239,16 @@ variable "tags" {
 nullable = false
 default = {}
 validation {
- condition = alltrue([
- for k, v in var.tags : v != null
- ])
+ condition = (
+ # all keys are non-null
+ alltrue([
+ for k, v in var.tags : v != null
+ ]) &&
+ # all values are non-null
+ alltrue(flatten([
+ for k, v in var.tags : [for k2, v2 in v.values : v2 != null]
+ ]))
+ )
 error_message = "Use an empty map instead of null as value."
 }
 }
diff --git a/modules/project/README.md b/modules/project/README.md
index 3f51113a..d9b33e1e 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -666,10 +666,9 @@ module "org" {
 tags = {
 environment = {
 description = "Environment specification."
- iam = null
 values = {
- dev = null
- prod = null
+ dev = {}
+ prod = {}
 }
 }
 }
diff --git a/tests/modules/organization/tags.tfvars b/tests/modules/organization/tags.tfvars
index 2a4dcb42..5d942674 100644
--- a/tests/modules/organization/tags.tfvars
+++ b/tests/modules/organization/tags.tfvars
@@ -13,8 +13,8 @@ tags = {
 baz = {
 id = "tagKeys/1234567890"
 values = {
- one = null
- two = null
+ one = {}
+ two = {}
 }
 }
 foobar = {
@@ -25,7 +25,7 @@ tags = {
 ]
 }
 values = {
- one = null
+ one = {}
 two = {
 description = "Foobar 2."
 iam = {
diff --git a/tools/lockfile/default-versions_override.tf b/tools/lockfile/default-versions_override.tf
new file mode 100644
index 00000000..0cf33525
--- /dev/null
+++ b/tools/lockfile/default-versions_override.tf
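Review bot: The second `alltrue` in the new condition iterates `v.values` for every entry of `var.tags`, so a null tag (the very case the first `alltrue` is meant to catch) or an explicit `values = null` makes the validation expression itself fail with an attribute/collection error instead of surfacing `error_message`; as far as I know HCL evaluates both operands of `&&`, so the first check does not shield the second. Wrapping the inner comprehension, `for k, v in var.tags : try([for k2, v2 in v.values : v2 != null], [false])`, makes both cases fail with the intended message. The `iam` attribute of tags and values is still not validated, although tags.tf now calls `keys()` on it without the old `coalesce` guard. The `variable "tags"` block, including its type definition, starts outside this hunk.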
@@ -0,0 +1,27 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ # This file specifies the required version of the github provider used
+ # during testing. This has to be in an override file, otherwise the
+ # setup-tf-providers job fails because it copies default-versions.tf
+ # before running `terraform init`
+
+ terraform {
+ required_providers {
+ github = {
+ source = "integrations/github"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/tools/lockfile/main.tf b/tools/lockfile/main.tf
index 14d5c4dc..7614f5bc 100644
--- a/tools/lockfile/main.tf
+++ b/tools/lockfile/main.tf
@@ -12,15 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-terraform {
- required_providers {
- github = {
- source = "integrations/github"
- version = "~> 5.0"
- }
- }
-}
-
 data "archive_file" "bundle" {}
 resource "azuread_user" "default" {}
 resource "azurerm_resource_group" "default" {}