Merge pull request #17 from mineiros-io/mariux/fix

fix: work around weird terraform typing

CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.0.6]
+
+### Breaking
+
+- Removed support for Terraform `< 1.1.2`
+
+### Fixed
+
+- Fix a bug that is based on terraform type system issue
+
 ## [0.0.5]
 
 ### Added
@@ -41,7 +51,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Initial Implementation
 
-[unreleased]: https://github.com/mineiros-io/terraform-google-storage-bucket/compare/v0.0.5...HEAD
+[unreleased]: https://github.com/mineiros-io/terraform-google-storage-bucket/compare/v0.0.6...HEAD
+[0.0.6]: https://github.com/mineiros-io/terraform-google-storage-bucket/compare/v0.0.5...v0.0.6
 [0.0.5]: https://github.com/mineiros-io/terraform-google-storage-bucket/compare/v0.0.4...v0.0.5
 [0.0.4]: https://github.com/mineiros-io/terraform-google-storage-bucket/compare/v0.0.3...v0.0.4
 [0.0.3]: https://github.com/mineiros-io/terraform-google-storage-bucket/compare/v0.0.2...v0.0.3

iam.tf

@@ -1,24 +1,34 @@
 locals {
-  iam_map = var.policy_bindings == null ? { for iam in var.iam : iam.role => iam } : tomap({})
-
-  policy_bindings = var.policy_bindings != null ? {
-    iam_policy = {
-      policy_bindings = var.policy_bindings
-    }
-  } : tomap({})
+  iam_map = { for iam in var.iam : iam.role => iam }
 }
 
 module "iam" {
   source = "github.com/mineiros-io/terraform-google-storage-bucket-iam.git?ref=v0.0.2"
 
-  for_each = var.policy_bindings != null ? local.policy_bindings : local.iam_map
+  for_each = var.policy_bindings == null ? local.iam_map : {}
+
+  module_enabled    = var.module_enabled
+  module_depends_on = var.module_depends_on
+
+  bucket        = try(google_storage_bucket.bucket[0].name, null)
+  role          = each.value.role
+  members       = each.value.members
+  authoritative = try(each.value.authoritative, true)
+}
+
+moved {
+  from = module.iam["iam_policy"]
+  to   = module.policy_bindings[0]
+}
+
+module "policy_bindings" {
+  source = "github.com/mineiros-io/terraform-google-storage-bucket-iam.git?ref=v0.0.2"
+
+  count = var.policy_bindings != null ? 1 : 0
 
   module_enabled    = var.module_enabled
   module_depends_on = var.module_depends_on
 
   bucket          = try(google_storage_bucket.bucket[0].name, null)
-  role            = try(each.value.role, null)
-  members         = try(each.value.members, null)
-  authoritative   = try(each.value.authoritative, true)
-  policy_bindings = try(each.value.policy_bindings, null)
+  policy_bindings = var.policy_bindings
 }

outputs.tf

@@ -17,6 +17,11 @@ output "bucket" {
   value       = try(google_storage_bucket.bucket[0], null)
 }
 
+output "policy_binding" {
+  description = "All attributes of the created policy_bindings mineiros-io/storage-bucket-iam/google module."
+  value       = module.policy_bindings
+}
+
 # ----------------------------------------------------------------------------------------------------------------------
 # OUTPUT MODULE CONFIGURATION
 # ----------------------------------------------------------------------------------------------------------------------

test/unit-complete/main.tf

@@ -28,14 +28,21 @@ provider "google" {
   project = var.gcp_project
 }
 
+data "google_project" "project" {}
+
+resource "random_id" "suffix" {
+  byte_length = 16
+}
+
+
 # DO NOT RENAME MODULE NAME
 module "test" {
   source = "../.."
 
   module_enabled = true
 
   # add all required arguments
-  name = "unit-complete"
+  name = "unit-complete-${random_id.suffix.hex}"
 
   # add all optional arguments that create additional resources
   force_destroy               = true
@@ -78,6 +85,36 @@ module "test" {
   module_depends_on = ["nothing"]
 }
 
+module "testIAM" {
+  source = "../.."
+
+  name = "unit-complete-iam-${random_id.suffix.hex}"
+
+  force_destroy = true
+
+  iam = [
+    {
+      role    = "roles/storage.objectViewer"
+      members = ["projectOwner:${data.google_project.project.project_id}"]
+    }
+  ]
+}
+
+module "testPolicy" {
+  source = "../.."
+
+  name = "unit-complete-policy-${random_id.suffix.hex}"
+
+  force_destroy = true
+
+  policy_bindings = [
+    {
+      role    = "roles/storage.objectViewer"
+      members = ["projectOwner:${data.google_project.project.project_id}"]
+    }
+  ]
+}
+
 # outputs generate non-idempotent terraform plans so we disable them for now unless we need them.
 # output "all" {
 #   description = "All outputs of the module."

test/unit-disabled/main.tf

@@ -28,6 +28,8 @@ provider "google" {
   project = var.gcp_project
 }
 
+data "google_project" "project" {}
+
 # DO NOT RENAME MODULE NAME
 module "test" {
   source = "../.."
@@ -36,12 +38,66 @@ module "test" {
 
   # add all required arguments
   name = "unit-disabled"
+}
+
+module "testA" {
+  source = "../.."
+
+  module_enabled = false
+
+  # add all required arguments
+  name = "unit-disabled"
 
   # add all optional arguments that create additional resources
   iam = [
+    {
+      role    = "roles/storage.objectViewer"
+      members = ["projectOwner:${data.google_project.project.project_id}"]
+    }
+  ]
+}
+
+module "testB" {
+  source = "../.."
+
+  module_enabled = false
+
+  # add all required arguments
+  name = "unit-disabled"
+
+  # add all optional arguments that create additional resources
+  policy_bindings = [
+    {
+      role    = "roles/storage.objectViewer"
+      members = ["projectOwner:${data.google_project.project.project_id}"]
+    }
+  ]
+}
+
+module "testC" {
+  source = "../.."
+
+  module_enabled = false
+
+  # add all required arguments
+  name = "unit-disabled"
+
+  # add all optional arguments that create additional resources
+  policy_bindings = [
+    {
+      role    = "roles/storage.objectViewer"
+      members = ["projectOwner:${data.google_project.project.project_id}"]
+    }
+  ]
+
+  iam = [
+    {
+      role    = "roles/storage.objectViewer"
+      members = ["projectOwner:${data.google_project.project.project_id}"]
+    },
     {
       role    = "roles/storage.objectAdmin"
-      members = ["serviceAccount:noneExistingServiceAccount"]
+      members = ["projectOwner:${data.google_project.project.project_id}"]
     }
   ]
 }

variables.tf

@@ -138,12 +138,36 @@ variable "iam" {
   description = "(Optional) A list of IAM access."
   type        = any
   default     = []
+
+  # validate required keys in each object
+  validation {
+    condition     = alltrue([for x in var.iam : length(setintersection(keys(x), ["role", "members"])) == 2])
+    error_message = "Each object in var.iam must specify a role and a set of members."
+  }
+
+  # validate no invalid keys are in each object
+  validation {
+    condition     = alltrue([for x in var.iam : length(setsubtract(keys(x), ["role", "members", "authoritative"])) == 0])
+    error_message = "Each object in var.iam does only support role, members and authoritative attributes."
+  }
 }
 
 variable "policy_bindings" {
   description = "(Optional) A list of IAM policy bindings."
   type        = any
   default     = null
+
+  # validate required keys in each object
+  validation {
+    condition     = var.policy_bindings == null ? true : alltrue([for x in var.policy_bindings : length(setintersection(keys(x), ["role", "members"])) == 2])
+    error_message = "Each object in var.policy_bindings must specify a role and a set of members."
+  }
+
+  # validate no invalid keys are in each object
+  validation {
+    condition     = var.policy_bindings == null ? true : alltrue([for x in var.policy_bindings : length(setsubtract(keys(x), ["role", "members", "condition"])) == 0])
+    error_message = "Each object in var.policy_bindings does only support role, members and condition attributes."
+  }
 }
 
 # ------------------------------------------------------------------------------

versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.14, < 2.0"
+  required_version = ">= 1.1.2, < 2.0"
 
   required_providers {
     google = {