From 54d880fe3a1059577433fcb8fc1b28824eb7adf7 Mon Sep 17 00:00:00 2001
From: Gustavo Valverde
Date: Thu, 24 Aug 2023 15:24:24 +0100
Subject: [PATCH] fix(organization): use correct role for bindings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, setting a binding was using the binding `key` as the the role, which does not necessarily have the correct format. Causing errors like:
```
│ Error: Error applying IAM policy for organization "***REDACTED***": Error setting IAM policy for organization "***REDACTED***": googleapi: Error 400: The role name must be in the form "roles/{role}", "organizations/{organization_id}/roles/{role}", or "projects/{project_id}/roles/{role}"., badRequest
│
│ with module.organization.google_organization_iam_binding.bindings["sa_resman_delegated_iam"],
│ on ../../../modules/organization/iam.tf line 51, in resource "google_organization_iam_binding" "bindings":
│ 51: resource "google_organization_iam_binding" "bindings" {
```
---
 modules/organization/iam.tf | 2 +-
 modules/organization/variables.tf | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/organization/iam.tf b/modules/organization/iam.tf
index 2882d02a..81a8d2b0 100644
--- a/modules/organization/iam.tf
+++ b/modules/organization/iam.tf
@@ -51,7 +51,7 @@ resource "google_organization_iam_binding" "authoritative" {
 resource "google_organization_iam_binding" "bindings" {
 for_each = var.iam_bindings
 org_id = local.organization_id_numeric
- role = each.key
+ role = each.value.role
 members = each.value.members
 dynamic "condition" {
 for_each = each.value.condition == null ? [] : [""]
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index cf59cae6..1a00dfe9 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
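Review bot: Taking the role from `each.value.role` drops the uniqueness the map key used to guarantee, so two `iam_bindings` entries can now name the same role, and because `google_organization_iam_binding` is authoritative for its role those two resources would overwrite each other's member list on every apply instead of merging, silently dropping grants. Either document that `role` must be unique across entries or enforce it on the variable with a `validation` block whose condition is `length(distinct([for b in var.iam_bindings : b.role])) == length(var.iam_bindings)`. The `bindings` resource body continues past the hunk.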
@@ -53,6 +53,7 @@ variable "iam_bindings" {
 description = "Authoritative IAM bindings in {ROLE => {members = [], condition = {}}}."
 type = map(object({
 members = list(string)
+ role = string
 condition = optional(object({
 expression = string
 title = string
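Review bot: The description on the first context line still documents the shape as `{ROLE => {members = [], condition = {}}}`, but with `role = string` in the object the map key is no longer the role; update it to `"Authoritative IAM bindings in {KEY => {role = string, members = [], condition = {}}}."`. Declaring `role` as a required attribute also rejects every existing caller's map until each entry adds the field; if that break is not intended, `role = optional(string)` together with `coalesce(each.value.role, each.key)` in iam.tf keeps the old key-as-role inputs working. Given the 400 quoted in the commit message, a `validation` block with condition `alltrue([for b in var.iam_bindings : can(regex("^(roles|organizations/[^/]+/roles|projects/[^/]+/roles)/", b.role))])` would reject malformed role names at plan time rather than at apply. The variable block continues past the hunk.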