Merge pull request terraform-google-modules#78 from averbuks/averbuks…

…-billing-acc-iam

Add billing_account_iam module

CHANGELOG.md

@@ -10,6 +10,12 @@ corresponding pull request appended.
 
 ## [Unreleased]
 
+## [5.1.0]
+
+### Added
+
+- Submodule `billing_accounts_iam`. [#78]
+
 ## [5.0.0]
 
 This is a backward incompatible release. Refer to the [upgrade guide](docs/upgrading_to_iam_5.0.md) for more details.
@@ -89,7 +95,8 @@ management.
 [usage-example]: README.md#usage
 [caveats]: README.md#caveats
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-iam/compare/v5.0.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-iam/compare/v5.1.0...HEAD
+[5.1.0]: https://github.com/terraform-google-modules/terraform-google-iam/compare/v5.0.0...v5.1.0
 [5.0.0]: https://github.com/terraform-google-modules/terraform-google-iam/compare/v4.0.0...v5.0.0
 [4.0.0]: https://github.com/terraform-google-modules/terraform-google-iam/compare/v3.0.0...v4.0.0
 [3.0.0]: https://github.com/terraform-google-modules/terraform-google-iam/compare/v2.0.0...v3.0.0
@@ -112,3 +119,4 @@ management.
 [#61]: https://github.com/terraform-google-modules/terraform-google-iam/pull/61
 [#64]: https://github.com/terraform-google-modules/terraform-google-iam/pull/64
 [#73]: https://github.com/terraform-google-modules/terraform-google-iam/pull/73
+[#78]: https://github.com/terraform-google-modules/terraform-google-iam/pull/78

examples/billing_account/README.md

@@ -0,0 +1,12 @@
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| billing\_account\_id | Billing Account ID to apply IAM bindings | string | n/a | yes |
+| group\_email | Email for group to receive roles (ex. group@example.com) | string | n/a | yes |
+| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | string | n/a | yes |
+| user\_email | Email for group to receive roles (Ex. user@example.com) | string | n/a | yes |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+

examples/billing_account/main.tf

@@ -0,0 +1,48 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Provider configuration
+ *****************************************/
+provider "google" {
+  version = "~> 2.7"
+}
+
+provider "google-beta" {
+  version = "~> 2.7"
+}
+
+/******************************************
+  Module billing_account_iam_binding calling
+ *****************************************/
+module "billing-account-iam" {
+  source = "../../modules/billing_accounts_iam/"
+
+  billing_account_ids = [var.billing_account_id]
+
+  mode = "additive"
+
+  bindings = {
+    "roles/billing.viewer" = [
+      "user:${var.user_email}",
+    ]
+
+    "roles/billing.user" = [
+      "serviceAccount:${var.sa_email}",
+      "group:${var.group_email}",
+    ]
+  }
+}

examples/billing_account/variables.tf

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "group_email" {
+  type        = string
+  description = "Email for group to receive roles (ex. group@example.com)"
+}
+
+variable "sa_email" {
+  type        = string
+  description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)"
+}
+
+variable "user_email" {
+  type        = string
+  description = "Email for group to receive roles (Ex. user@example.com)"
+}
+
+variable "billing_account_id" {
+  type        = string
+  description = "Billing Account ID to apply IAM bindings"
+}

examples/billing_account/versions.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.12"
+}

modules/billing_accounts_iam/README.md

@@ -0,0 +1,44 @@
+# Module Billing Accounts IAM
+
+This optional module is used to assign Billing Accounts roles
+
+## Usage
+
+```hcl
+module "billing-account-iam" {
+  source  = "terraform-google-modules/iam/google//modules/billing_accounts_iam"
+  billing_account_ids = ["035617-1B8VBC-AF0TD9"]
+
+  mode = "additive"
+
+  bindings = {
+    "roles/billing.viewer" = [
+      "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
+      "group:my-group@my-org.com",
+    ]
+
+    "roles/billing.user" = [
+      "user:my-user@my-org.com",
+    ]
+  }
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| billing\_account\_ids | Billing Accounts IDs list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | map(list(string)) | n/a | yes |
+| mode | Mode for adding the IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| billing\_account\_ids | Billing Accounts which received bindings. |
+| members | Members which were bound to the billing accounts. |
+| roles | Roles which were assigned to members. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/billing_accounts_iam/main.tf

@@ -0,0 +1,45 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Run helper module to get generic calculated data
+ *****************************************/
+module "helper" {
+  source   = "../helper"
+  bindings = var.bindings
+  mode     = var.mode
+  entities = var.billing_account_ids
+}
+
+/******************************************
+  Billing Account IAM binding authoritative
+ *****************************************/
+resource "google_billing_account_iam_binding" "billing_account_iam_authoritative" {
+  for_each           = module.helper.set_authoritative
+  billing_account_id = module.helper.bindings_authoritative[each.key].name
+  role               = module.helper.bindings_authoritative[each.key].role
+  members            = module.helper.bindings_authoritative[each.key].members
+}
+
+/******************************************
+  Billing Account IAM binding additive
+ *****************************************/
+resource "google_billing_account_iam_member" "billing_account_iam_additive" {
+  for_each           = module.helper.set_additive
+  billing_account_id = module.helper.bindings_additive[each.key].name
+  role               = module.helper.bindings_additive[each.key].role
+  member             = module.helper.bindings_additive[each.key].member
+}

modules/billing_accounts_iam/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "billing_account_ids" {
+  value       = distinct(module.helper.bindings_by_member[*].name)
+  description = "Billing Accounts which received bindings."
+}
+
+output "roles" {
+  value       = distinct(module.helper.bindings_by_member[*].role)
+  description = "Roles which were assigned to members."
+}
+
+output "members" {
+  value       = distinct(module.helper.bindings_by_member[*].member)
+  description = "Members which were bound to the billing accounts."
+}

modules/billing_accounts_iam/variables.tf

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+variable "billing_account_ids" {
+  description = "Billing Accounts IDs list to add the IAM policies/bindings"
+  default     = []
+  type        = list(string)
+}
+
+variable "mode" {
+  description = "Mode for adding the IAM policies/bindings, additive and authoritative"
+  type        = string
+  default     = "additive"
+}
+
+variable "bindings" {
+  description = "Map of role (key) and list of members (value) to add the IAM policies/bindings"
+  type        = map(list(string))
+}