Remove iam_roles from net-vpc

2020-10-30 19:19:40 +01:00 · 2020-10-30 19:19:40 +01:00 · c75230adf3
parent 405a3c23d5
commit c75230adf3
6 changed files with 15 additions and 35 deletions
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@ -86,12 +86,6 @@ module "vpc-host" {
    local.service_project_1.project_id,
    local.service_project_2.project_id
  ]
-  iam_roles = {
-    "europe-west1/subnet-1" = [
-      "roles/compute.networkUser",
-      "roles/compute.securityAdmin"
-    ]
-  }
  iam_members = {
    "europe-west1/subnet-1" = {
      "roles/compute.networkUser" = [
@ -117,7 +111,6 @@ module "vpc-host" {
 | *delete_default_routes_on_create* | Set to true to delete the default routes at creation time. | <code title="">bool</code> |  | <code title="">false</code> |
 | *description* | An optional description of this resource (triggers recreation on change). | <code title="">string</code> |  | <code title="">Terraform-managed.</code> |
 | *iam_members* | List of IAM members keyed by subnet 'region/name' and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
-| *iam_roles* | List of IAM roles keyed by subnet 'region/name'. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *log_config_defaults* | Default configuration for flow logs when enabled. | <code title="object&#40;&#123;&#10;aggregation_interval &#61; string&#10;flow_sampling        &#61; number&#10;metadata             &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;aggregation_interval &#61; &#34;INTERVAL_5_SEC&#34;&#10;flow_sampling        &#61; 0.5&#10;metadata             &#61; &#34;INCLUDE_ALL_METADATA&#34;&#10;&#125;">...</code> |
 | *log_configs* | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | <code title="map&#40;map&#40;string&#41;&#41;">map(map(string))</code> |  | <code title="">{}</code> |
 | *peering_config* | VPC peering configuration. | <code title="object&#40;&#123;&#10;peer_vpc_self_link &#61; string&#10;export_routes      &#61; bool&#10;import_routes      &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@ -16,14 +16,16 @@

 locals {
  iam_members = var.iam_members == null ? {} : var.iam_members
-  iam_pairs = var.iam_roles == null ? [] : flatten([
-    for subnet, roles in var.iam_roles :
-    [for role in roles : { subnet = subnet, role = role }]
+  subnet_iam_members = flatten([
+    for subnet, roles in local.iam_members : [
+      for role, members in roles : {
+        subnet  = subnet
+        role    = role
+        members = members
+      }
+    ]
  ])
-  iam_keypairs = {
-    for pair in local.iam_pairs :
-    "${pair.subnet}-${pair.role}" => pair
-  }
+
  log_configs = var.log_configs == null ? {} : var.log_configs
  peer_network = (
    var.peering_config == null
@ -152,14 +154,15 @@ resource "google_compute_subnetwork" "subnetwork" {
 }

 resource "google_compute_subnetwork_iam_binding" "binding" {
-  for_each   = local.iam_keypairs
+  for_each = {
+    for binding in local.subnet_iam_members :
+    "${binding.subnet}.${binding.role}" => binding
+  }
  project    = var.project_id
  subnetwork = google_compute_subnetwork.subnetwork[each.value.subnet].name
  region     = google_compute_subnetwork.subnetwork[each.value.subnet].region
  role       = each.value.role
-  members = lookup(
-    lookup(local.iam_members, each.value.subnet, {}), each.value.role, []
-  )
+  members    = each.value.members
 }

 resource "google_compute_route" "gateway" {
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@ -32,12 +32,6 @@ variable "description" {
  default     = "Terraform-managed."
 }

-variable "iam_roles" {
-  description = "List of IAM roles keyed by subnet 'region/name'."
-  type        = map(list(string))
-  default     = {}
-}
-
 variable "iam_members" {
  description = "List of IAM members keyed by subnet 'region/name' and role."
  type        = map(map(list(string)))
--- a/networking/shared-vpc-gke/main.tf
+++ b/networking/shared-vpc-gke/main.tf
@ -107,10 +107,6 @@ module "vpc-shared" {
      }
    }
  ]
-  iam_roles = {
-    "${var.region}/gke" = ["roles/compute.networkUser", "roles/compute.securityAdmin"]
-    "${var.region}/gce" = ["roles/compute.networkUser"]
-  }
  iam_members = {
    "${var.region}/gce" = {
      "roles/compute.networkUser" = concat(var.owners_gce, [
--- a/tests/modules/net_vpc/fixture/main.tf
+++ b/tests/modules/net_vpc/fixture/main.tf
@ -19,7 +19,6 @@ module "test" {
  project_id                  = var.project_id
  name                        = var.name
  iam_members                 = var.iam_members
-  iam_roles                   = var.iam_roles
  log_configs                 = var.log_configs
  log_config_defaults         = var.log_config_defaults
  peering_config              = var.peering_config
--- a/tests/modules/net_vpc/fixture/variables.tf
+++ b/tests/modules/net_vpc/fixture/variables.tf
@ -29,13 +29,8 @@ variable "auto_create_subnetworks" {
  default = false
 }

-variable "iam_roles" {
-  type    = map(list(string))
-  default = null
-}
-
 variable "iam_members" {
-  type    = map(map(list(string)))
+  type    = map(map(set(string)))
  default = null
 }