diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md
index fe3b65b0..3f87d9d8 100644
--- a/modules/iam-service-account/README.md
+++ b/modules/iam-service-account/README.md
@@ -24,26 +24,37 @@ module "myproject-default-service-accounts" {
}
# tftest modules=1 resources=5
```
+
+## Files
+
+| name | description | resources |
+|---|---|---|
+| [iam.tf](./iam.tf) | None | google_billing_account_iam_member
· google_folder_iam_member
· google_organization_iam_member
· google_project_iam_member
· google_service_account_iam_binding
· google_storage_bucket_iam_member
|
+| [main.tf](./main.tf) | Module-level locals and resources. | google_service_account
· google_service_account_key
|
+| [outputs.tf](./outputs.tf) | Module outputs. | |
+| [variables.tf](./variables.tf) | Module variables. | |
+| [versions.tf](./versions.tf) | Version pins. | |
+
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L71) | Name of the service account to create. | string
| ✓ | |
-| [project_id](variables.tf#L82) | Project id where service account will be created. | string
| ✓ | |
+| [name](variables.tf#L77) | Name of the service account to create. | string
| ✓ | |
+| [project_id](variables.tf#L88) | Project id where service account will be created. | string
| ✓ | |
| [description](variables.tf#L17) | Optional description. | string
| | null
|
| [display_name](variables.tf#L23) | Display name of the service account to create. | string
| | "Terraform-managed."
|
| [generate_key](variables.tf#L29) | Generate a key for service account. | bool
| | false
|
| [iam](variables.tf#L35) | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string))
| | {}
|
-| [iam_billing_roles](variables.tf#L41) | Billing account roles granted to the service account, by billing account id. Non-authoritative. | map(list(string))
| | {}
|
-| [iam_folder_roles](variables.tf#L47) | Folder roles granted to the service account, by folder id. Non-authoritative. | map(list(string))
| | {}
|
-| [iam_organization_roles](variables.tf#L53) | Organization roles granted to the service account, by organization id. Non-authoritative. | map(list(string))
| | {}
|
-| [iam_project_roles](variables.tf#L59) | Project roles granted to the service account, by project id. | map(list(string))
| | {}
|
-| [iam_storage_roles](variables.tf#L65) | Storage roles granted to the service account, by bucket name. | map(list(string))
| | {}
|
-| [prefix](variables.tf#L76) | Prefix applied to service account names. | string
| | null
|
-| [public_keys_directory](variables.tf#L87) | Path to public keys data files to upload to the service account (should have `.pem` extension). | string
| | ""
|
-| [service_account_create](variables.tf#L93) | Create service account. When set to false, uses a data source to reference an existing service account. | bool
| | true
|
+| [iam_billing_roles](variables.tf#L42) | Billing account roles granted to the service account, by billing account id. Non-authoritative. | map(list(string))
| | {}
|
+| [iam_folder_roles](variables.tf#L49) | Folder roles granted to the service account, by folder id. Non-authoritative. | map(list(string))
| | {}
|
+| [iam_organization_roles](variables.tf#L56) | Organization roles granted to the service account, by organization id. Non-authoritative. | map(list(string))
| | {}
|
+| [iam_project_roles](variables.tf#L63) | Project roles granted to the service account, by project id. | map(list(string))
| | {}
|
+| [iam_storage_roles](variables.tf#L70) | Storage roles granted to the service account, by bucket name. | map(list(string))
| | {}
|
+| [prefix](variables.tf#L82) | Prefix applied to service account names. | string
| | null
|
+| [public_keys_directory](variables.tf#L93) | Path to public keys data files to upload to the service account (should have `.pem` extension). | string
| | ""
|
+| [service_account_create](variables.tf#L99) | Create service account. When set to false, uses a data source to reference an existing service account. | bool
| | true
|
## Outputs
diff --git a/modules/iam-service-account/iam.tf b/modules/iam-service-account/iam.tf
new file mode 100644
index 00000000..44678f0e
--- /dev/null
+++ b/modules/iam-service-account/iam.tf
@@ -0,0 +1,110 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ iam_billing_pairs = flatten([
+ for entity, roles in var.iam_billing_roles : [
+ for role in roles : [
+ { entity = entity, role = role }
+ ]
+ ]
+ ])
+ iam_folder_pairs = flatten([
+ for entity, roles in var.iam_folder_roles : [
+ for role in roles : [
+ { entity = entity, role = role }
+ ]
+ ]
+ ])
+ iam_organization_pairs = flatten([
+ for entity, roles in var.iam_organization_roles : [
+ for role in roles : [
+ { entity = entity, role = role }
+ ]
+ ]
+ ])
+ iam_project_pairs = flatten([
+ for entity, roles in var.iam_project_roles : [
+ for role in roles : [
+ { entity = entity, role = role }
+ ]
+ ]
+ ])
+ iam_storage_pairs = flatten([
+ for entity, roles in var.iam_storage_roles : [
+ for role in roles : [
+ { entity = entity, role = role }
+ ]
+ ]
+ ])
+}
+
+resource "google_service_account_iam_binding" "roles" {
+ for_each = var.iam
+ service_account_id = local.service_account.name
+ role = each.key
+ members = each.value
+}
+
+resource "google_billing_account_iam_member" "billing-roles" {
+ for_each = {
+ for pair in local.iam_billing_pairs :
+ "${pair.entity}-${pair.role}" => pair
+ }
+ billing_account_id = each.value.entity
+ role = each.value.role
+ member = local.resource_iam_email
+}
+
+resource "google_folder_iam_member" "folder-roles" {
+ for_each = {
+ for pair in local.iam_folder_pairs :
+ "${pair.entity}-${pair.role}" => pair
+ }
+ folder = each.value.entity
+ role = each.value.role
+ member = local.resource_iam_email
+}
+
+resource "google_organization_iam_member" "organization-roles" {
+ for_each = {
+ for pair in local.iam_organization_pairs :
+ "${pair.entity}-${pair.role}" => pair
+ }
+ org_id = each.value.entity
+ role = each.value.role
+ member = local.resource_iam_email
+}
+
+resource "google_project_iam_member" "project-roles" {
+ for_each = {
+ for pair in local.iam_project_pairs :
+ "${pair.entity}-${pair.role}" => pair
+ }
+ project = each.value.entity
+ role = each.value.role
+ member = local.resource_iam_email
+}
+
+resource "google_storage_bucket_iam_member" "bucket-roles" {
+ for_each = {
+ for pair in local.iam_storage_pairs :
+ "${pair.entity}-${pair.role}" => pair
+ }
+ bucket = each.value.entity
+ role = each.value.role
+ member = local.resource_iam_email
+}
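Review bot: The new iam.tf has no file-level description, which is why the generated Files table in the README hunk renders `None` for it while main.tf and outputs.tf carry one; a leading comment after the license header, in whatever form the repository's README generator reads, such as `# IAM bindings for the service account and the roles it is granted on billing accounts, folders, organizations, projects and buckets.`, would fix that. It would also help to mark the semantic difference between the two resource kinds in this file: `google_service_account_iam_binding.roles` is authoritative per role key of `var.iam` (members not listed for that role are removed), whereas every other resource here is an additive `*_iam_member`, so a comment on the `roles` resource like `# Authoritative per role: replaces any existing members for each role in var.iam.` would match the "Non-authoritative." wording the variable descriptions already use for the member resources. This content is moved from main.tf rather than newly written, so the behaviour itself is unchanged by the commit.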
diff --git a/modules/iam-service-account/main.tf b/modules/iam-service-account/main.tf
index f4d6952f..329d676e 100644
--- a/modules/iam-service-account/main.tf
+++ b/modules/iam-service-account/main.tf
@@ -15,41 +15,6 @@
*/
locals {
- iam_billing_pairs = flatten([
- for entity, roles in var.iam_billing_roles : [
- for role in roles : [
- { entity = entity, role = role }
- ]
- ]
- ])
- iam_folder_pairs = flatten([
- for entity, roles in var.iam_folder_roles : [
- for role in roles : [
- { entity = entity, role = role }
- ]
- ]
- ])
- iam_organization_pairs = flatten([
- for entity, roles in var.iam_organization_roles : [
- for role in roles : [
- { entity = entity, role = role }
- ]
- ]
- ])
- iam_project_pairs = flatten([
- for entity, roles in var.iam_project_roles : [
- for role in roles : [
- { entity = entity, role = role }
- ]
- ]
- ])
- iam_storage_pairs = flatten([
- for entity, roles in var.iam_storage_roles : [
- for role in roles : [
- { entity = entity, role = role }
- ]
- ]
- ])
# https://github.com/hashicorp/terraform/issues/22405#issuecomment-591917758
key = try(
var.generate_key
@@ -115,60 +80,3 @@ resource "google_service_account_key" "upload_key" {
service_account_id = local.service_account.email
public_key_data = each.value
}
-
-resource "google_service_account_iam_binding" "roles" {
- for_each = var.iam
- service_account_id = local.service_account.name
- role = each.key
- members = each.value
-}
-
-resource "google_billing_account_iam_member" "billing-roles" {
- for_each = {
- for pair in local.iam_billing_pairs :
- "${pair.entity}-${pair.role}" => pair
- }
- billing_account_id = each.value.entity
- role = each.value.role
- member = local.resource_iam_email
-}
-
-resource "google_folder_iam_member" "folder-roles" {
- for_each = {
- for pair in local.iam_folder_pairs :
- "${pair.entity}-${pair.role}" => pair
- }
- folder = each.value.entity
- role = each.value.role
- member = local.resource_iam_email
-}
-
-resource "google_organization_iam_member" "organization-roles" {
- for_each = {
- for pair in local.iam_organization_pairs :
- "${pair.entity}-${pair.role}" => pair
- }
- org_id = each.value.entity
- role = each.value.role
- member = local.resource_iam_email
-}
-
-resource "google_project_iam_member" "project-roles" {
- for_each = {
- for pair in local.iam_project_pairs :
- "${pair.entity}-${pair.role}" => pair
- }
- project = each.value.entity
- role = each.value.role
- member = local.resource_iam_email
-}
-
-resource "google_storage_bucket_iam_member" "bucket-roles" {
- for_each = {
- for pair in local.iam_storage_pairs :
- "${pair.entity}-${pair.role}" => pair
- }
- bucket = each.value.entity
- role = each.value.role
- member = local.resource_iam_email
-}
diff --git a/modules/iam-service-account/versions.tf b/modules/iam-service-account/versions.tf
index 29041268..e72a7800 100644
--- a/modules/iam-service-account/versions.tf
+++ b/modules/iam-service-account/versions.tf
@@ -13,7 +13,7 @@
# limitations under the License.
terraform {
- required_version = ">= 1.0.0"
+ required_version = ">= 1.1.0"
required_providers {
google = {
source = "hashicorp/google"