Fixes #4: Allow referencing computed value

 * Changed internal processing structure of `bindings`
 * Everything moved to submodules
 * Updated variables
 * Added `*_num` variable to make counts work with computed values
 * Updated examples
 * Updatet README.md
 * Added tests for subnets

CHANGELOG.md

@@ -10,6 +10,12 @@ corresponding pull request appended.
 
 ## [Unreleased]
 
+## [2.1.0] - 2019-YY-ZZ
+
+### Fixed
+
+ - Allow referencing computed values. [#43]
+
 ### Fixed
 
 - Fix issue with long IAM bindings list. [#32]
@@ -73,3 +79,4 @@ management.
 [#24]: https://github.com/terraform-google-modules/terraform-google-iam/pull/24
 [#29]: https://github.com/terraform-google-modules/terraform-google-iam/pull/29
 [#32]: https://github.com/terraform-google-modules/terraform-google-iam/pull/32
+[#43]: https://github.com/terraform-google-modules/terraform-google-iam/pull/43

README.md

@@ -86,11 +86,12 @@ Following variables are the most important to control module's behavior:
 
 - Project
 
-  This variable can be defined either on `provider` section and the module calling itself. It is only used for the following resources:
+  This variable must be defined in case of using one the following modules:
 
-  - `service_accounts`
-  - `pubsub_topics`
-  - `pubsub_subscriptions`
+  - `pubsub_subscriptions_iam`
+  - `pubsub_topics_iam`
+  - `service_accounts_iam`
+  - `subnets_iam`
 
 #### Additive and Authoritative Modes
 
@@ -105,19 +106,58 @@ In additive mode, this module leaves existing bindings unaffected. Instead, any
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | map | n/a | yes |
 | folders | Folders list to add the IAM policies/bindings | list(string) | `<list>` | no |
-| kms\_crypto\_keys | Kms Crypto Key list to add the IAM policies/bindings | list(string) | `<list>` | no |
-| kms\_key\_rings | Kms Key Rings list to add the IAM policies/bindings | list(string) | `<list>` | no |
-| mode | Mode for adding the IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
-| organizations | Organizations list to add the IAM policies/bindings | list | `<list>` | no |
+| folders\_bindings | Map of role (key) and list of members (value) to add the Folders IAM policies/bindings | map | n/a | yes |
+| folders\_bindings\_num | Number of Folders bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| folders\_mode | Mode for adding the Folders IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| folders\_num | Number of Folders, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| kms\_crypto\_keys | KMS Crypto Keys list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| kms\_crypto\_keys\_bindings | Map of role (key) and list of members (value) to add the KMS Crypto Keys IAM policies/bindings | map | n/a | yes |
+| kms\_crypto\_keys\_bindings\_num | Number of KMS Crypto Keys bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| kms\_crypto\_keys\_mode | Mode for adding the KMS Crypto Keys IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| kms\_crypto\_keys\_num | Number of KMS Crypto Keys, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| kms\_key\_rings | KMS Key Rings list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| kms\_key\_rings\_bindings | Map of role (key) and list of members (value) to add the KMS Key Rings IAM policies/bindings | map | n/a | yes |
+| kms\_key\_rings\_bindings\_num | Number of KMS Key Rings bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| kms\_key\_rings\_mode | Mode for adding the KMS Key Rings IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| kms\_key\_rings\_num | Number of KMS Key Rings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| organizations | Organizations list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| organizations\_bindings | Map of role (key) and list of members (value) to add the Organizations IAM policies/bindings | map | n/a | yes |
+| organizations\_bindings\_num | Number of Organizations bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| organizations\_mode | Mode for adding the Organizations IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| organizations\_num | Number of Organizations, in case using dependcies of outher resources's outputs | number | `"0"` | no |
 | project | Project to add the IAM policies/bindings | string | `""` | no |
 | projects | Projects list to add the IAM policies/bindings | list(string) | `<list>` | no |
-| pubsub\_subscriptions | Pubsub subscriptions list to add the IAM policies/bindings | list(string) | `<list>` | no |
-| pubsub\_topics | Pubsub topics list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| projects\_bindings | Map of role (key) and list of members (value) to add the Projects IAM policies/bindings | map | n/a | yes |
+| projects\_bindings\_num | Number of Projects bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| projects\_mode | Mode for adding the Projects IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| projects\_num | Number of Projects, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| pubsub\_subscriptions | PubSub Subscriptions list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| pubsub\_subscriptions\_bindings | Map of role (key) and list of members (value) to add the PubSub Subscriptions IAM policies/bindings | map | n/a | yes |
+| pubsub\_subscriptions\_bindings\_num | Number of PubSub Subscriptions bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| pubsub\_subscriptions\_mode | Mode for adding the PubSub Subscriptions IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| pubsub\_subscriptions\_num | Number of PubSub Subscriptions, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| pubsub\_topics | PubSub Topics list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| pubsub\_topics\_bindings | Map of role (key) and list of members (value) to add the PubSub Topics IAM policies/bindings | map | n/a | yes |
+| pubsub\_topics\_bindings\_num | Number of PubSub Topics bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| pubsub\_topics\_mode | Mode for adding the PubSub Topics IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| pubsub\_topics\_num | Number of PubSub Topics, in case using dependcies of outher resources's outputs | number | `"0"` | no |
 | service\_accounts | Service Accounts list to add the IAM policies/bindings | list(string) | `<list>` | no |
-| storage\_buckets | Buckets list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| service\_accounts\_bindings | Map of role (key) and list of members (value) to add the Service Accounts IAM policies/bindings | map | n/a | yes |
+| service\_accounts\_bindings\_num | Number of Service Accounts bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| service\_accounts\_mode | Mode for adding the Service Accounts IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| service\_accounts\_num | Number of Service Accounts, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| storage\_buckets | Storage Buckets list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| storage\_buckets\_bindings | Map of role (key) and list of members (value) to add the Storage Buckets IAM policies/bindings | map | n/a | yes |
+| storage\_buckets\_bindings\_num | Number of Storage Buckets bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| storage\_buckets\_mode | Mode for adding the Storage Buckets IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| storage\_buckets\_num | Number of Storage Buckets, in case using dependcies of outher resources's outputs | number | `"0"` | no |
 | subnets | Subnets list to add the IAM policies/bindings | list(string) | `<list>` | no |
+| subnets\_bindings | Map of role (key) and list of members (value) to add the Subnets IAM policies/bindings | map | n/a | yes |
+| subnets\_bindings\_num | Number of Subnets bindings, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| subnets\_mode | Mode for adding the Subnets IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
+| subnets\_num | Number of Subnets, in case using dependcies of outher resources's outputs | number | `"0"` | no |
+| subnets\_region | Subnets region | string | n/a | yes |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
@@ -127,9 +167,9 @@ In additive mode, this module leaves existing bindings unaffected. Instead, any
 
 This Terraform module performs operations over some variables before making any changes on the IAM bindings in GCP.
 
-Because of that, it is important to note that putting a value or attribute of a resource within the following variables, will cause an error:
+To avoid error related to putting a value or attribute of a resource within the following variables:
 
-- `bindings`
+- `project`
 - `projects`
 - `organizations`
 - `folders`
@@ -140,8 +180,22 @@ Because of that, it is important to note that putting a value or attribute of a
 - `pubsub_subscriptions`
 - `kms_key_rings`
 - `kms_crypto_keys`
-
-For example, this will fail:
+- `projects_bindings`
+- `organizations_bindings`
+- `folders_bindings`
+- `service_accounts_bindings`
+- `subnets_bindings`
+- `storage_buckets_bindings`
+- `pubsub_topics_bindings`
+- `pubsub_subscriptions_bindings`
+- `kms_key_rings_bindings`
+- `kms_crypto_keys_bindings`
+
+Set variables named `*_num`.
+* For `authoritative` mode set variable equals to the number of roles applyed
+* For `additive` mode set variable equals to the number of Service Accounts and users and groups applyed
+
+For example, `authoritative` mode:
 
 ```hcl
 resource google_folder "my_new_folder" {
@@ -153,13 +207,14 @@ resource "google_service_account" "my_service_account" {
   account_id   = "my-new-service-account"
 }
 
-module "iam_binding" {
-  source = "terraform-google-modules/iam/google"
-  mode   = "authoritative"
+module "folders_iam_binding" {
+  source       = "terraform-google-modules/iam/google//modules/folders_iam"
+  mode         = "authoritative"
 
-  folders = ["${google_folder.my_new_folder.id}"]
+  folders      = ["${google_folder.my_new_folder.id}"]
+  folders_num  = 1
 
-  bindings = {
+  bindings     = {
     "roles/storage.admin" = [
       "group:test_sa_group@lnescidev.com",
       "serviceAccount:${google_service_account.my_service_account.id}",
@@ -170,23 +225,43 @@ module "iam_binding" {
       "user:someone@google.com",
     ]
   }
+  bindings_num = 2
 }
 ```
 
-First, because the `folders` variable has a reference to a resource that is not already created (`my_new_folder`). Second because the `bindings` variable has a reference to `my_service_account` and it is not created yet. The error output is as follows: `(...) value of 'count' cannot be computed`
+`additive` mode:
+
+```hcl
+resource google_folder "my_new_folder" {
+  display_name = "folder-test"
+  parent = "76543265432"
+}
 
-#### Workaround
+resource "google_service_account" "my_service_account" {
+  account_id   = "my-new-service-account"
+}
 
-To avoid this error, use values or attributes of resources that are already created before calling this module.
+module "folders_iam_binding" {
+  source = "terraform-google-modules/iam/google//modules/folders_iam"
+  mode         = "additive"
 
-Note that as soon as the resources have been created once they **can** be referenced successfully (once they are in the Terraform state file).
+  folders      = ["${google_folder.my_new_folder.id}"]
+  folders_num  = 1
 
-Therefore, a simple workaround is as follows:
+  bindings     = {
+    "roles/storage.admin" = [
+      "group:test_sa_group@lnescidev.com",
+      "serviceAccount:${google_service_account.my_service_account.id}",
+    ]
 
-1. Comment out the call to this module.
-2. Run `terraform apply` to create the other resources and persist them to the state file.
-3. Uncomment this module.
-4. Run `terraform apply` to apply the bindings.
+    "roles/compute.networkAdmin" = [
+      "group:test_sa_group@lnescidev.com",
+      "user:someone@google.com",
+    ]
+  }
+  bindings_num = 4
+}
+```
 
 ## IAM Bindings
 
@@ -213,8 +288,8 @@ The project has the following folders and files:
 - /examples: examples for using this module.
 - /scripts: Scripts for specific tasks on module (see Infrastructure section on this file).
 - /test: Folders with files for testing the module (see Testing section on this file).
-- /main.tf: main file for this module, contains all the logic for operate the module.
-- /*_iam.tf: files for manage the IAM bindings for each resource type.
+- /main.tf: main file for this module, contains all the variables for operate the module.
+- /modules: modules to manage the IAM bindings for each resource type.
 - /variables.tf: all the variables for the module.
 - /output.tf: the outputs of the module.
 - /readme.MD: this file.

examples/folder/main.tf

@@ -29,7 +29,7 @@ provider "google-beta" {
   Module folder_iam_binding calling
  *****************************************/
 module "folder-iam" {
-  source  = "../../"
+  source  = "../../modules/folders_iam/"
   folders = ["${var.folder_one}", "${var.folder_two}"]
 
   mode = "additive"

examples/kms_crypto_key/main.tf

@@ -29,7 +29,7 @@ provider "google-beta" {
   Module kms_crypto_key_iam_binding calling
  *****************************************/
 module "kms_crypto_key_iam_binding" {
-  source          = "../../"
+  source          = "../../modules/kms_crypto_keys_iam/"
   kms_crypto_keys = [var.kms_crypto_key_one, var.kms_crypto_key_two]
 
   mode = "authoritative"

examples/kms_key_ring/main.tf

@@ -29,7 +29,7 @@ provider "google-beta" {
   Module kms_key_ring_iam_binding calling
  *****************************************/
 module "kms_key_ring_iam_binding" {
-  source        = "../../"
+  source        = "../../modules/kms_key_rings_iam/"
   kms_key_rings = [var.kms_key_ring_one, var.kms_key_ring_two]
 
   mode = "additive"

examples/organization/main.tf

@@ -29,7 +29,7 @@ provider "google-beta" {
   Module organization_iam_binding calling
  *****************************************/
 module "organization_iam_binding" {
-  source        = "../../"
+  source        = "../../modules/organizations_iam/"
   organizations = [var.organization_one, var.organization_two]
 
   mode = "authoritative"

examples/project/main.tf

@@ -29,7 +29,7 @@ provider "google-beta" {
   Module project_iam_binding calling
  *****************************************/
 module "project_iam_binding" {
-  source   = "../../"
+  source   = "../../modules/projects_iam/"
   projects = [var.project_one, var.project_two]
 
   mode = "additive"

examples/pubsub_subscription/main.tf

@@ -29,7 +29,7 @@ provider "google-beta" {
   Module pubsub_subscription_iam_binding calling
  *****************************************/
 module "pubsub_subscription_iam_binding" {
-  source               = "../../"
+  source               = "../../modules/pubsub_subscriptions_iam/"
   project              = var.pubsub_subscription_project
   pubsub_subscriptions = [var.pubsub_subscription_one, var.pubsub_subscription_two]
 

examples/pubsub_topic/main.tf

@@ -29,7 +29,7 @@ provider "google-beta" {
   Module pubsub_topic_iam_binding calling
  *****************************************/
 module "pubsub_topic_iam_binding" {
-  source        = "../../"
+  source        = "../../modules/pubsub_topics_iam/"
   project       = var.pubsub_topic_project
   pubsub_topics = [var.pubsub_topic_one, var.pubsub_topic_two]
 

examples/service_account/README.md

@@ -3,6 +3,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| credentials\_file\_path | Path to the service account | string | n/a | yes |
 | group\_email | Email for group to receive roles (ex. group@example.com) | string | n/a | yes |
 | sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | string | n/a | yes |
 | service\_account\_one | First service Account to add the IAM policies/bindings | string | n/a | yes |

examples/service_account/main.tf

@@ -33,11 +33,11 @@ provider "google-beta" {
   Module service_account_iam_binding calling
  *****************************************/
 module "service_account_iam_binding" {
-  source = "../../"
+  source = "../../modules/service_accounts_iam/"
 
   service_accounts = [var.service_account_one, var.service_account_two]
-
-  mode = "additive"
+  project          = var.service_account_project
+  mode             = "additive"
 
   bindings = {
     "roles/iam.serviceAccountKeyAdmin" = [

examples/storage_bucket/main.tf

@@ -29,7 +29,7 @@ provider "google-beta" {
   Module pubsub_subscription_iam_binding calling
  *****************************************/
 module "storage_buckets_iam_binding" {
-  source          = "../../"
+  source          = "../../modules/storage_buckets_iam/"
   storage_buckets = [var.storage_bucket_one, var.storage_bucket_two]
 
   mode = "additive"

examples/subnet/main.tf

@@ -44,11 +44,12 @@ provider "google-beta" {
   Module pubsub_subscription_iam_binding calling
  *****************************************/
 module "subnet_iam_binding" {
-  source = "../../"
+  source = "../../modules/subnets_iam"
 
-  subnets = [local.subnet_one_full, local.subnet_two_full]
-
-  mode = "authoritative"
+  subnets         = [local.subnet_one_full, local.subnet_two_full]
+  subnets_region  = var.region
+  project         = var.project
+  mode            = "authoritative"
 
   bindings = {
     "roles/compute.networkUser" = [