From f1a3c3ebe834a239d28e1ff4a6efdb6519caf6a3 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Fri, 6 Nov 2020 08:26:50 +0100
Subject: [PATCH] use new iam variables in kms module

---
 modules/kms/README.md                  |  8 ++++----
 modules/kms/main.tf                    |  4 ++--
 modules/kms/variables.tf               | 12 ++++++------
 tests/modules/kms/fixture/main.tf      |  4 ++--
 tests/modules/kms/fixture/variables.tf |  4 ++--
 5 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/modules/kms/README.md b/modules/kms/README.md
index 98c5743e..67b98c18 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -16,7 +16,7 @@ In this module **no lifecycle blocks are set on resources to prevent destroy**,
 module "kms" {
   source         = "../modules/kms"
   project_id     = "my-project"
-  iam_members    = {
+  iam    = {
     "roles/owner" = ["user:user1@example.com"]
   }
   keyring        = { location = "europe-west1", name = "test" }
@@ -31,7 +31,7 @@ module "kms" {
 module "kms" {
   source           = "../modules/kms"
   project_id       = "my-project"
-  key_iam_members = {
+  key_iam = {
     key-a = {
       "roles/owner" = ["user:user1@example.com"]
     }
@@ -72,8 +72,8 @@ module "kms" {
 |---|---|:---: |:---:|:---:|
 | keyring | Keyring attributes. | <code title="object&#40;&#123;&#10;location &#61; string&#10;name     &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ |  |
 | project_id | Project id where the keyring will be created. | <code title="">string</code> | ✓ |  |
-| *iam_members* | Keyring IAM members. | <code title="map&#40;set&#40;string&#41;&#41;">map(set(string))</code> |  | <code title="">{}</code> |
-| *key_iam_members* | IAM members keyed by key name and role. | <code title="map&#40;map&#40;set&#40;string&#41;&#41;&#41;">map(map(set(string)))</code> |  | <code title="">{}</code> |
+| *iam* | Keyring IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
+| *key_iam* | Key IAM bindings for topic in {KEY => {ROLE => [MEMBERS]}} format. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
 | *key_purpose* | Per-key purpose, if not set defaults will be used. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="map&#40;object&#40;&#123;&#10;purpose &#61; string&#10;version_template &#61; object&#40;&#123;&#10;algorithm        &#61; string&#10;protection_level &#61; string&#10;&#125;&#41;&#10;&#125;&#41;&#41;">map(object({...}))</code> |  | <code title="">{}</code> |
 | *key_purpose_defaults* | Defaults used for key purpose when not defined at the key level. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="object&#40;&#123;&#10;purpose &#61; string&#10;version_template &#61; object&#40;&#123;&#10;algorithm        &#61; string&#10;protection_level &#61; string&#10;&#125;&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;purpose          &#61; null&#10;version_template &#61; null&#10;&#125;">...</code> |
 | *keyring_create* | Set to false to manage keys and IAM bindings in an existing keyring. | <code title="">bool</code> |  | <code title="">true</code> |
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
index a6f4795f..ab3a61aa 100644
--- a/modules/kms/main.tf
+++ b/modules/kms/main.tf
@@ -16,7 +16,7 @@
 
 locals {
   key_iam_members = flatten([
-    for key, roles in var.key_iam_members : [
+    for key, roles in var.key_iam : [
       for role, members in roles : {
         key     = key
         role    = role
@@ -51,7 +51,7 @@ resource "google_kms_key_ring" "default" {
 }
 
 resource "google_kms_key_ring_iam_binding" "default" {
-  for_each    = var.iam_members
+  for_each    = var.iam
   key_ring_id = local.keyring.self_link
   role        = each.key
   members     = each.value
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index 1f104cdf..f0586910 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -14,15 +14,15 @@
  * limitations under the License.
  */
 
-variable "iam_members" {
-  description = "Keyring IAM members."
-  type        = map(set(string))
+variable "iam" {
+  description = "Keyring IAM bindings for topic in {ROLE => [MEMBERS]} format."
+  type        = map(list(string))
   default     = {}
 }
 
-variable "key_iam_members" {
-  description = "IAM members keyed by key name and role."
-  type        = map(map(set(string)))
+variable "key_iam" {
+  description = "Key IAM bindings for topic in {KEY => {ROLE => [MEMBERS]}} format."
+  type        = map(map(list(string)))
   default     = {}
 }
 
diff --git a/tests/modules/kms/fixture/main.tf b/tests/modules/kms/fixture/main.tf
index 45fd119b..c58824f8 100644
--- a/tests/modules/kms/fixture/main.tf
+++ b/tests/modules/kms/fixture/main.tf
@@ -16,8 +16,8 @@
 
 module "test" {
   source               = "../../../../modules/kms"
-  iam_members          = var.iam_members
-  key_iam_members      = var.key_iam_members
+  iam                  = var.iam
+  key_iam              = var.key_iam
   key_purpose          = var.key_purpose
   key_purpose_defaults = var.key_purpose_defaults
   keyring              = var.keyring
diff --git a/tests/modules/kms/fixture/variables.tf b/tests/modules/kms/fixture/variables.tf
index 04b77d84..65124e67 100644
--- a/tests/modules/kms/fixture/variables.tf
+++ b/tests/modules/kms/fixture/variables.tf
@@ -14,14 +14,14 @@
  * limitations under the License.
  */
 
-variable "iam_members" {
+variable "iam" {
   type = map(list(string))
   default = {
     "roles/owner" = ["user:ludo@ludomagno.net"]
   }
 }
 
-variable "key_iam_members" {
+variable "key_iam" {
   type = map(map(list(string)))
   default = {
     key-a = {