diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 39406973..d541d176 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -86,12 +86,6 @@ module "vpc-host" {
local.service_project_1.project_id,
local.service_project_2.project_id
]
- iam_roles = {
- "europe-west1/subnet-1" = [
- "roles/compute.networkUser",
- "roles/compute.securityAdmin"
- ]
- }
iam_members = {
"europe-west1/subnet-1" = {
"roles/compute.networkUser" = [
@@ -117,7 +111,6 @@ module "vpc-host" {
| *delete_default_routes_on_create* | Set to true to delete the default routes at creation time. | bool | | false |
| *description* | An optional description of this resource (triggers recreation on change). | string | | Terraform-managed. |
| *iam_members* | List of IAM members keyed by subnet 'region/name' and role. | map(map(list(string))) | | {} |
-| *iam_roles* | List of IAM roles keyed by subnet 'region/name'. | map(list(string)) | | {} |
| *log_config_defaults* | Default configuration for flow logs when enabled. | object({...}) | | ... |
| *log_configs* | Map keyed by subnet 'region/name' of optional configurations for flow logs when enabled. | map(map(string)) | | {} |
| *peering_config* | VPC peering configuration. | object({...}) | | null |
diff --git a/modules/net-vpc/main.tf b/modules/net-vpc/main.tf
index 9f22d375..bad4f870 100644
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@@ -16,14 +16,16 @@
locals {
iam_members = var.iam_members == null ? {} : var.iam_members
- iam_pairs = var.iam_roles == null ? [] : flatten([
- for subnet, roles in var.iam_roles :
- [for role in roles : { subnet = subnet, role = role }]
+ subnet_iam_members = flatten([
+ for subnet, roles in local.iam_members : [
+ for role, members in roles : {
+ subnet = subnet
+ role = role
+ members = members
+ }
+ ]
])
- iam_keypairs = {
- for pair in local.iam_pairs :
- "${pair.subnet}-${pair.role}" => pair
- }
+
log_configs = var.log_configs == null ? {} : var.log_configs
peer_network = (
var.peering_config == null
@@ -152,14 +154,15 @@ resource "google_compute_subnetwork" "subnetwork" {
}
resource "google_compute_subnetwork_iam_binding" "binding" {
- for_each = local.iam_keypairs
+ for_each = {
+ for binding in local.subnet_iam_members :
+ "${binding.subnet}.${binding.role}" => binding
+ }
project = var.project_id
subnetwork = google_compute_subnetwork.subnetwork[each.value.subnet].name
region = google_compute_subnetwork.subnetwork[each.value.subnet].region
role = each.value.role
- members = lookup(
- lookup(local.iam_members, each.value.subnet, {}), each.value.role, []
- )
+ members = each.value.members
}
resource "google_compute_route" "gateway" {
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index 3a4d0c03..7aa0fd8b 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -32,12 +32,6 @@ variable "description" {
default = "Terraform-managed."
}
-variable "iam_roles" {
- description = "List of IAM roles keyed by subnet 'region/name'."
- type = map(list(string))
- default = {}
-}
-
variable "iam_members" {
description = "List of IAM members keyed by subnet 'region/name' and role."
type = map(map(list(string)))
diff --git a/networking/shared-vpc-gke/main.tf b/networking/shared-vpc-gke/main.tf
index ef6ee338..f3f73bb0 100644
--- a/networking/shared-vpc-gke/main.tf
+++ b/networking/shared-vpc-gke/main.tf
@@ -107,10 +107,6 @@ module "vpc-shared" {
}
}
]
- iam_roles = {
- "${var.region}/gke" = ["roles/compute.networkUser", "roles/compute.securityAdmin"]
- "${var.region}/gce" = ["roles/compute.networkUser"]
- }
iam_members = {
"${var.region}/gce" = {
"roles/compute.networkUser" = concat(var.owners_gce, [
diff --git a/tests/modules/net_vpc/fixture/main.tf b/tests/modules/net_vpc/fixture/main.tf
index a9d92d47..5ab2c4f8 100644
--- a/tests/modules/net_vpc/fixture/main.tf
+++ b/tests/modules/net_vpc/fixture/main.tf
@@ -19,7 +19,6 @@ module "test" {
project_id = var.project_id
name = var.name
iam_members = var.iam_members
- iam_roles = var.iam_roles
log_configs = var.log_configs
log_config_defaults = var.log_config_defaults
peering_config = var.peering_config
diff --git a/tests/modules/net_vpc/fixture/variables.tf b/tests/modules/net_vpc/fixture/variables.tf
index 908548dd..7388ad66 100644
--- a/tests/modules/net_vpc/fixture/variables.tf
+++ b/tests/modules/net_vpc/fixture/variables.tf
@@ -29,13 +29,8 @@ variable "auto_create_subnetworks" {
default = false
}
-variable "iam_roles" {
- type = map(list(string))
- default = null
-}
-
variable "iam_members" {
- type = map(map(list(string)))
+ type = map(map(set(string)))
default = null
}