Merge pull request #83 from terraform-google-modules/ludo-service-accounts-changes
Refactor service account module outputs
commit
c91769628b
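--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -54,32 +54,13 @@ locals {
 ]
 ]
 ])
-keys = (
-var.generate_keys
-? {
-for name in var.names :
-name => lookup(google_service_account_key.keys, name, null)
-}
-: {}
-)
-prefix = (
-var.prefix != ""
-? "${var.prefix}-"
-: ""
-)
-resource = (
-length(var.names) > 0
-? lookup(local.resources, var.names[0], null)
-: null
-)
+keys = var.generate_keys ? google_service_account_key.keys : {}
+prefix = var.prefix != null ? "${var.prefix}-" : ""
+resource = try(google_service_account.service_accounts[var.names[0]], null)
 resource_iam_emails = {
-for name, resource in local.resources :
+for name, resource in google_service_account.service_accounts :
 name => "serviceAccount:${resource.email}"
 }
-resources = {
-for name in var.names :
-name => lookup(google_service_account.service_accounts, name, null)
-}
 }
 
 resource "google_service_account" "service_accounts" {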
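Review bot: The new `prefix` local drops the empty-string guard the old code had: `prefix = var.prefix != null ? "${var.prefix}-" : ""` yields a bare `"-"` prefix when a caller passes `prefix = ""` (the value the previous default made common), and if `local.prefix` is prepended to the account id as the old block suggests, the result starts with a hyphen, which the service-account id format does not allow. Guard both cases: `prefix = var.prefix != null && var.prefix != "" ? "${var.prefix}-" : ""`. The ternary in `keys` looks redundant if `google_service_account_key.keys` is already gated on `var.generate_keys` in its `for_each`, but that resource is not in the hunk so this is only a guess. The `locals` block starts above the hunk and the `google_service_account` resource continues below it.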
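--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -21,27 +21,30 @@ output "service_account" {
 
 output "service_accounts" {
 description = "Service account resources."
-value = local.resources
+value = google_service_account.service_accounts
 }
 
 output "email" {
 description = "Service account email (for single use)."
-value = local.resource == null ? null : local.resource.email
+value = try(local.resource.email, null)
 }
 
 output "iam_email" {
 description = "IAM-format service account email (for single use)."
-value = local.resource == null ? null : "serviceAccount:${local.resource.email}"
+value = try("serviceAccount:${local.resource.email}", null)
 }
 
 output "key" {
 description = "Service account key (for single use)."
-value = lookup(local.keys, var.names[0], null)
+value = try(local.keys[var.names[0]], null)
 }
 
 output "emails" {
 description = "Service account emails."
-value = { for name, resource in local.resources : name => resource.email }
+value = {
+for name, resource in google_service_account.service_accounts :
+name => resource.email
+}
 }
 
 output "iam_emails" {
@@ -51,12 +54,18 @@ output "iam_emails" {
 
 output "emails_list" {
 description = "Service account emails."
-value = [for name, resource in local.resources : resource.email]
+value = [
+for name, resource in google_service_account.service_accounts :
+resource.email
+]
 }
 
 output "iam_emails_list" {
 description = "IAM-format service account emails."
-value = [for name, resource in local.resources : "serviceAccount:${resource.email}"]
+value = [
+for name, resource in google_service_account.service_accounts :
+"serviceAccount:${resource.email}"
+]
 }
 
 output "keys" {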
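Review bot: `output "key"` still returns the whole `google_service_account_key` object via `try(local.keys[var.names[0]], null)`, which includes the `private_key` attribute, and nothing in the new outputs marks it `sensitive = true`, so `terraform output` and plan rendering in the calling root module print the key material. Add `sensitive = true` to `output "key"` (and presumably to `output "keys"`, whose body is below the second hunk). This only suppresses CLI display; the key material is still written to state, so state storage remains the thing to protect. The `try(...)` rewrites of `email` and `iam_email` preserve the old null-guarded behaviour.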
@ -20,23 +20,6 @@ variable "generate_keys" {
|
||||||
default = false
|
default = false
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "names" {
|
|
||||||
description = "Names of the service accounts to create."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "prefix" {
|
|
||||||
description = "Prefix applied to service account names."
|
|
||||||
type = string
|
|
||||||
default = ""
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "project_id" {
|
|
||||||
description = "Project id where service account will be created."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "iam_members" {
|
variable "iam_members" {
|
||||||
description = "Map of member lists which are granted authoritative roles on the service accounts, keyed by role."
|
description = "Map of member lists which are granted authoritative roles on the service accounts, keyed by role."
|
||||||
type = map(list(string))
|
type = map(list(string))
|
||||||
|
@ -78,3 +61,20 @@ variable "iam_storage_roles" {
|
||||||
type = map(list(string))
|
type = map(list(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "names" {
|
||||||
|
description = "Names of the service accounts to create."
|
||||||
|
type = list(string)
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "prefix" {
|
||||||
|
description = "Prefix applied to service account names."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "project_id" {
|
||||||
|
description = "Project id where service account will be created."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
|
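Review bot: `variable "prefix"` now defaults to `null` but its description still reads as if a string is always supplied; make the contract explicit with `description = "Prefix applied to service account names (null for no prefix)."`. `variable "names"` carries no validation either, so a name that violates the service-account id rules only surfaces at apply time; if the module already requires Terraform 0.13 or later, a `validation` block with a `regex` check on each element would catch it at plan. This section only moves the three variable blocks, so the point applies to the moved `names` and `prefix` blocks in the second hunk.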
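--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,13 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.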
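--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,30 @@
+/**
+* Copyright 2020 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+module "test" {
+source = "../../../../modules/iam-service-accounts"
+project_id = var.project_id
+names = ["sa-one", "sa-two", "sa-three"]
+prefix = var.prefix
+generate_keys = var.generate_keys
+iam_members = var.iam_members
+iam_roles = var.iam_roles
+iam_billing_roles = var.iam_billing_roles
+iam_folder_roles = var.iam_folder_roles
+iam_organization_roles = var.iam_organization_roles
+iam_project_roles = var.iam_project_roles
+iam_storage_roles = var.iam_storage_roles
+}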
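--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,65 @@
+/**
+* Copyright 2020 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+variable "generate_keys" {
+type = bool
+default = false
+}
+
+variable "iam_members" {
+type = map(list(string))
+default = {}
+}
+
+variable "iam_roles" {
+type = list(string)
+default = []
+}
+
+variable "iam_billing_roles" {
+type = map(list(string))
+default = {}
+}
+
+variable "iam_folder_roles" {
+type = map(list(string))
+default = {}
+}
+
+variable "iam_organization_roles" {
+type = map(list(string))
+default = {}
+}
+
+variable "iam_project_roles" {
+type = map(list(string))
+default = {}
+}
+
+variable "iam_storage_roles" {
+type = map(list(string))
+default = {}
+}
+
+variable "prefix" {
+type = string
+default = null
+}
+
+variable "project_id" {
+type = string
+default = "my-project"
+}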
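--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,51 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_resources(plan_runner):
+"Test service account resource."
+_, resources = plan_runner(FIXTURES_DIR)
+assert len(resources) == 3
+assert set(r['type'] for r in resources) == set(['google_service_account'])
+assert set(r['values']['account_id'] for r in resources) == set([
+'sa-one', 'sa-two', 'sa-three'
+])
+_, resources = plan_runner(FIXTURES_DIR, prefix='foo')
+assert set(r['values']['account_id'] for r in resources) == set([
+'foo-sa-one', 'foo-sa-two', 'foo-sa-three'
+])
+
+
+def test_iam_roles(plan_runner):
+"Test iam roles with no memmbers."
+_, resources = plan_runner(FIXTURES_DIR,
+iam_roles='["roles/iam.serviceAccountUser"]')
+assert len(resources) == 6
+iam_resources = [r for r in resources if r['type']
+!= 'google_service_account']
+assert len(iam_resources) == 3
+assert set(r['type'] for r in iam_resources) == set(
+['google_service_account_iam_binding'])
+assert [r['index'] for r in iam_resources] == [
+'sa-one-roles/iam.serviceAccountUser',
+'sa-three-roles/iam.serviceAccountUser',
+'sa-two-roles/iam.serviceAccountUser',
+]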
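Review bot: `import pytest` is unused in the new file — `plan_runner` arrives as a fixture argument, so the import only trips a linter (F401) and can be dropped. Two smaller points: the docstrings are plain single-quoted strings with a typo, `"Test iam roles with no memmbers."` → `"""Test iam roles with no members."""`, and the `set(r['type'] for r in resources) == set(['google_service_account'])` comparisons read better as `{r['type'] for r in resources} == {'google_service_account'}`. The final `assert [r['index'] for r in iam_resources] == [...]` pins the plan's output order, unlike the set comparisons above it; comparing `sorted(...)` on both sides keeps the test insensitive to ordering if order is not a contract of `plan_runner`.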