diff --git a/README.md b/README.md
index 410f53ee..62e0598a 100644
--- a/README.md
+++ b/README.md
@@ -118,7 +118,7 @@ You can choose the following resource types to apply the IAM bindings:
 - Kms Key Rings (`kms_key_rings` variable)
 - Kms Crypto Keys (`kms_crypto_keys` variable)
-Set the specified variable on the module call to choose the resources to affect. Remember to set the `mode` [variable](#additive-and-authoritative-modes) and give enough [permissions](#permissions) to manage the selected resource as well.
+Set the specified variable on the module call to choose the resources to affect. Remember to set the `mode` [variable](#additive-and-authoritative-modes) and give enough [permissions](#permissions) to manage the selected resource as well. Note that the `bindings` variable accepts an empty map `{}` passed in as an argument in the case that resources don't have IAM bindings to apply.
 ## Requirements
diff --git a/modules/helper/main.tf b/modules/helper/main.tf
index d7cce777..696922ac 100644
--- a/modules/helper/main.tf
+++ b/modules/helper/main.tf
@@ -25,14 +25,14 @@ locals {
 # Other rules regrading the dynamic nature of resources:
 # 1. The roles might never be dynamic.
 # 2. Members might only be dynamic in `authoritative` mode.
- singular = length(var.entities) <= 1
+ singular = length(var.entities) == 1
 # In singular mode, replace entity name with a constant "default". This
 # will prevent the potentially dynamic resource name usage in the `for_each`
 aliased_entities = local.singular ? ["default"] : var.entities
- # Cover the usecase of specifying singular entity instead of an array
- real_entities = var.entity != "" ? [var.entity] : var.entities
+ # Values in the map need to be the proper entity names
+ real_entities = var.entities
 bindings_by_role = distinct(flatten([
 for name in local.real_entities
diff --git a/modules/helper/variables.tf b/modules/helper/variables.tf
index a3bcfde1..e43df813 100644
--- a/modules/helper/variables.tf
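Review bot: The new comment above `real_entities` talks about "values in the map", but `var.entities` is declared `list(string)` in modules/helper/variables.tf in this same commit and `real_entities` is now a bare alias of it, so the comment points at a structure that does not exist. Either reference `var.entities` directly in `bindings_by_role` and drop the local, or reword it, e.g. `# Entity names are used verbatim; the singular entity input was removed`. The `<= 1` to `== 1` change also means an empty `entities` list no longer takes the singular path: `aliased_entities` becomes `[]`, which presumably yields no `for_each` instances, so the comment block above `singular` should state that, e.g. `# An empty list is not singular and is expected to create no bindings.`. The `locals` block continues outside the hunk.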
+++ b/modules/helper/variables.tf
@@ -28,9 +28,3 @@ variable "entities" {
 description = "Entities list to add the IAM policies/bindings"
 type = list(string)
 }
-
-variable "entity" {
- description = "Entity to add the IAM policies/bindings"
- default = ""
- type = string
-}
diff --git a/modules/projects_iam/README.md b/modules/projects_iam/README.md
index 61b78392..34fa8d71 100644
--- a/modules/projects_iam/README.md
+++ b/modules/projects_iam/README.md
@@ -31,7 +31,6 @@ module "project-iam-bindings" {
 |------|-------------|:----:|:-----:|:-----:|
 | bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | map(list(string)) | n/a | yes |
 | mode | Mode for adding the IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
-| project | Project to add the IAM policies/bindings | string | `""` | no |
 | projects | Projects list to add the IAM policies/bindings | list(string) | `` | no |
 ## Outputs
diff --git a/modules/projects_iam/main.tf b/modules/projects_iam/main.tf
index cfe0a981..51cd525a 100644
--- a/modules/projects_iam/main.tf
+++ b/modules/projects_iam/main.tf
@@ -21,7 +21,6 @@ module "helper" {
 source = "../helper"
 bindings = var.bindings
 mode = var.mode
- entity = var.project
 entities = var.projects
 }
diff --git a/modules/projects_iam/variables.tf b/modules/projects_iam/variables.tf
index cbd01b8d..2626bee3 100644
--- a/modules/projects_iam/variables.tf
+++ b/modules/projects_iam/variables.tf
@@ -14,12 +14,6 @@
 * limitations under the License.
 */
-variable "project" {
- description = "Project to add the IAM policies/bindings"
- default = ""
- type = string
-}
-
 variable "projects" {
 description = "Projects list to add the IAM policies/bindings"
 default = []
diff --git a/test/fixtures/helper/iam.tf b/test/fixtures/helper/iam.tf
index 6d677ecf..6ce14ad9 100644
--- a/test/fixtures/helper/iam.tf
+++ b/test/fixtures/helper/iam.tf
@@ -46,6 +46,15 @@ module "iam_binding_subnet" {
 bindings = local.basic_bindings
 }
+module "iam_binding_subnet_empty" {
+ source = "../../../modules/subnets_iam"
+ mode = var.mode
+ project = var.project_id
+ subnets_region = module.base.region
+ subnets = []
+ bindings = local.basic_bindings
+}
+
 module "iam_binding_service_account" {
 source = "../../../modules/service_accounts_iam"
 mode = var.mode
diff --git a/test/fixtures/static-and-dynamic/main.tf b/test/fixtures/static-and-dynamic/main.tf
index b3a610c4..1ca954e2 100644
--- a/test/fixtures/static-and-dynamic/main.tf
+++ b/test/fixtures/static-and-dynamic/main.tf
@@ -104,9 +104,6 @@ module "projects_iam_authoritative_dynamic" {
 # Additive Dynamic
-# We also test here that specifying `project` insead of the `projects` array works
-# That's why the count is forced to 1
-
 resource "google_project" "additive_dynamic" {
 count = 1
@@ -119,7 +116,7 @@ resource "google_project" "additive_dynamic" {
 module "projects_iam_additive_dynamic" {
 source = "../../../modules/projects_iam"
 mode = "additive"
- project = google_project.additive_dynamic[0].project_id
+ projects = [google_project.additive_dynamic[0].project_id]
 bindings = local.project_bindings
 }
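Review bot: The new `iam_binding_subnet_empty` module block carries no comment explaining what it exercises, and nothing in the block itself shows that `subnets = []` is the point (it targets the empty-entity-list path opened by the `length(var.entities) == 1` change in modules/helper/main.tf). A one-line comment above it, e.g. `# Regression fixture: an empty subnets list is expected to apply cleanly and create no bindings`, would keep the next maintainer from "fixing" the empty list. Whether the test suite asserts that no subnet bindings are created for this module, rather than only that apply succeeds, cannot be seen from this diff; if it does not, that assertion is worth adding, since a binding created against an unintended target would otherwise go unnoticed.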
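Review bot: Removing the two comment lines in the preceding hunk leaves `count = 1` on `google_project.additive_dynamic` unexplained, while this hunk keeps the indexed `google_project.additive_dynamic[0].project_id` reference and merely wraps it in a list. If the count is still wanted so that the project id stays a computed value for the additive-dynamic case, say so next to it, e.g. `# count = 1 keeps project_id computed so the additive path is exercised with a dynamic entity`; otherwise drop `count = 1` and the `[0]` index together. The `module "projects_iam_additive_dynamic"` block is fully inside the hunk.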