Fixed PR comments

examples/billing_account/main.tf

@@ -25,6 +25,30 @@ provider "google-beta" {
   version = "~> 2.7"
 }
 
+locals {
+
+  bindings={
+    "roles/billing.viewer" = [
+      "serviceAccount:billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com",
+    ]
+
+    "roles/billing.admin" = [
+      "serviceAccount:billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com",
+      "serviceAccount:billing-iam-test-02@${var.project_id}.iam.gserviceaccount.com",
+    ]
+  }
+}
+
+resource "google_service_account" "service_account_01" {
+  account_id = "billing-iam-test-01"
+  project    = var.project_id
+}
+
+resource "google_service_account" "service_account_02" {
+  account_id = "billing-iam-test-02"
+  project    = var.project_id
+}
+
 /******************************************
   Module billing_account_iam_binding calling
  *****************************************/
@@ -35,14 +59,5 @@ module "billing-account-iam" {
 
   mode = "additive"
 
-  bindings = {
-    "roles/billing.viewer" = [
-      "user:${var.user_email}",
-    ]
-
-    "roles/billing.user" = [
-      "serviceAccount:${var.sa_email}",
-      "group:${var.group_email}",
-    ]
-  }
+  bindings = local.bindings
 }

examples/billing_account/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "service_account_address" {
+  value       = [google_service_account.service_account_01.email, google_service_account.service_account_02.email]
+  description = "Member which was bound to projects."
+}
+
+output "billing_account_ids" {
+  value       = module.billing-account-iam.billing_account_ids
+  description = "Billing Accounts which received bindings."
+}
+
+output "members" {
+  value       = local.bindings
+  description = "Members which were bound to the billing accounts."
+}

examples/billing_account/variables.tf

@@ -14,22 +14,12 @@
  * limitations under the License.
  */
 
-variable "group_email" {
-  type        = string
-  description = "Email for group to receive roles (ex. group@example.com)"
-}
-
-variable "sa_email" {
-  type        = string
-  description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)"
-}
-
-variable "user_email" {
+variable "billing_account_id" {
   type        = string
-  description = "Email for group to receive roles (Ex. user@example.com)"
+  description = "Billing Account ID to apply IAM bindings"
 }
 
-variable "billing_account_id" {
+variable "project_id" {
   type        = string
-  description = "Billing Account ID to apply IAM bindings"
+  description = "Project ID for the module"
 }

test/fixtures/billing-iam/main.tf

@@ -14,30 +14,6 @@
  * limitations under the License.
  */
 
-locals {
-  billing_roles = ["roles/billing.admin", "roles/billing.viewer"]
-  members       = [var.member1, var.member2]
-
-  member_group_0 = [
-    "serviceAccount:${var.member1}",
-    "serviceAccount:${var.member2}",
-  ]
-
-  member_group_1 = [
-    "serviceAccount:${var.member2}",
-  ]
-
-  member_groups = [local.member_group_0, local.member_group_1]
-
-  # 1 or 2 roles amount can be specified to generate that amount of bindings.
-  # This variability is used to test how the module behaves on configuration updates.
-
-  billing_bindings = zipmap(
-    slice(local.billing_roles, 0, var.roles),
-    slice(local.member_groups, 0, var.roles)
-  )
-}
-
 provider "google" {
   version = "~> 2.7"
 }
@@ -49,8 +25,7 @@ provider "google-beta" {
 #additive
 
 module "iam_binding_billing_accounts_additive" {
-  source              = "../../../modules/billing_accounts_iam"
-  mode                = "additive"
-  bindings            = local.billing_bindings
-  billing_account_ids = [var.billing_iam_test_account]
+  source              = "../../../examples/billing_account"
+  billing_account_id  = var.billing_iam_test_account
+  project_id          = var.project_id
 }

test/fixtures/billing-iam/outputs.tf

@@ -20,15 +20,15 @@
 
 output "billing_iam_test_account" {
   value       = module.iam_binding_billing_accounts_additive.billing_account_ids
-  description = "Billing Accounts which received bindings."
-}
-
-output "roles" {
-  value       = module.iam_binding_billing_accounts_additive.roles
-  description = "Roles which were assigned to members."
+  description = "Billing Account which received bindings."
 }
 
 output "members" {
   value       = module.iam_binding_billing_accounts_additive.members
   description = "Members which were bound to the billing accounts."
 }
+
+output "billing_sa_admin" {
+  value       = var.billing_sa_admin
+  description = "Admin Service Account bound to Test Billing Account."
+}

test/fixtures/billing-iam/variables.tf

@@ -14,23 +14,17 @@
  * limitations under the License.
  */
 
-variable "member1" {
+variable "billing_iam_test_account" {
   type        = string
-  description = "Member created for binding with roles."
+  description = "Billing Account ID to use for testing IAM policies/bindings."
 }
 
-variable "member2" {
+variable "billing_sa_admin" {
   type        = string
-  description = "Member created for binding with roles."
-}
-
-variable "roles" {
-  type        = number
-  default     = 2
-  description = "Amount of roles to assign. Useful for testing how the module behaves on updates."
+  description = "Admin Service Account bound to Test Billing Account."
 }
 
-variable "billing_iam_test_account" {
+variable "project_id" {
   type        = string
-  description = "Billing Accounts IDs list to add the IAM policies/bindings."
+  description = "Project ID"
 }

test/integration/billing-iam/controls/billing-iam.rb

@@ -16,6 +16,7 @@
 
 billing_iam_test_account = attribute('billing_iam_test_account')
 members = attribute('members')
+billing_sa_admin = attribute('billing_sa_admin')
 
 control "GCP Billing IAM" do
             title "GCP Billing Bindings"
@@ -34,13 +35,17 @@
 
                 describe "members" do
                 it "are bound" do
-                    members.each do |member|
-                        expect(data['bindings'][0]['members']).to include(member)
+                    members.each_value do |member_value|
+                        member_value.each do |member|
+                            expect(data['bindings'][0]['members']).to include(member)
+                        end
                     end
                 end
 
-                it "are admin" do
-                    expect(data['bindings'][0]['role']).to eq 'roles/billing.admin'
+                describe "Billing IAM SA" do
+                it "is bound" do
+                    expect(data['bindings'][0]['members']).to include("serviceAccount:#{billing_sa_admin}")
+                    end
                 end
             end
         end

test/integration/billing-iam/inspec.yml

@@ -22,4 +22,7 @@ attributes:
     type: array
   - name: members
     required: true
-    type: array
+    type: hash
+  - name: billing_sa_admin
+    required: true
+    type: string

test/setup/outputs.tf

@@ -45,6 +45,11 @@ output "member2" {
   description = "Members created for binding with roles."
 }
 
+output "billing_sa_admin" {
+  value       = google_service_account.int_test.email
+  description = "Admin Service Account bound to Test Billing Account."
+}
+
 output "random_hexes" {
   value       = random_id.random_hexes[*].hex
   description = "List of pre-generated random id hexes. Required for 'for_each' to work when testing static scerarios."