From 96471a8dd3068e90f2c776b2940116f14dbdf143 Mon Sep 17 00:00:00 2001
From: rs1986x <33729460+rs1986x@users.noreply.github.com>
Date: Fri, 30 Dec 2022 05:48:27 +0100
Subject: [PATCH] feat: cloud run services iam submodule (#164)
---
examples/cloud_run_service/README.md | 22 +++++++++
examples/cloud_run_service/main.tf | 40 +++++++++++++++
examples/cloud_run_service/variables.tf | 54 +++++++++++++++++++++
examples/cloud_run_service/versions.tf | 29 +++++++++++
modules/cloud_run_services_iam/README.md | 47 ++++++++++++++++++
modules/cloud_run_services_iam/main.tf | 49 +++++++++++++++++++
modules/cloud_run_services_iam/outputs.tf | 31 ++++++++++++
modules/cloud_run_services_iam/variables.tf | 43 ++++++++++++++++
8 files changed, 315 insertions(+)
create mode 100644 examples/cloud_run_service/README.md
create mode 100644 examples/cloud_run_service/main.tf
create mode 100644 examples/cloud_run_service/variables.tf
create mode 100644 examples/cloud_run_service/versions.tf
create mode 100644 modules/cloud_run_services_iam/README.md
create mode 100644 modules/cloud_run_services_iam/main.tf
create mode 100644 modules/cloud_run_services_iam/outputs.tf
create mode 100644 modules/cloud_run_services_iam/variables.tf
diff --git a/examples/cloud_run_service/README.md b/examples/cloud_run_service/README.md
new file mode 100644
index 00000000..22eb2502
--- /dev/null
+++ b/examples/cloud_run_service/README.md
@@ -0,0 +1,22 @@
+# Cloud Run Example
+
+This example illustrates how to use the `cloud_run_service_iam` submodule
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cloud\_run\_service\_location | The location of the cloud run instance | `string` | n/a | yes |
+| cloud\_run\_service\_one | First cloud run service to add the IAM policies/bindings | `string` | n/a | yes |
+| cloud\_run\_service\_project | Project id of the cloud run service | `string` | n/a | yes |
+| cloud\_run\_service\_two | Second cloud run service to add the IAM policies/bindings | `string` | n/a | yes |
+| group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes |
+| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes |
+| user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes |
+
+## Outputs
+
+No output.
+
+
diff --git a/examples/cloud_run_service/main.tf b/examples/cloud_run_service/main.tf
new file mode 100644
index 00000000..966e5507
--- /dev/null
+++ b/examples/cloud_run_service/main.tf
@@ -0,0 +1,40 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+ Module cloud_run_service_iam_binding calling
+ *****************************************/
+module "cloud_run_service_iam_binding" {
+ source = "../../modules/cloud_run_services_iam/"
+ project = var.cloud_run_service_project
+ location = var.cloud_run_service_location
+ cloud_run_services = [var.cloud_run_service_one, var.cloud_run_service_two]
+ mode = "authoritative"
+
+ bindings = {
+ "roles/role.admin" = [
+ "serviceAccount:${var.sa_email}",
+ "group:${var.group_email}",
+ "user:${var.user_email}",
+ ]
+ "roles/role.invoker" = [
+ "serviceAccount:${var.sa_email}",
+ "group:${var.group_email}",
+ "user:${var.user_email}",
+ ]
+ }
+}
+
diff --git a/examples/cloud_run_service/variables.tf b/examples/cloud_run_service/variables.tf
new file mode 100644
index 00000000..d297360f
--- /dev/null
+++ b/examples/cloud_run_service/variables.tf
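Review bot: The two keys of the example's `bindings` map, `"roles/role.admin"` and `"roles/role.invoker"`, are not Cloud Run role names and GCP is very unlikely to accept them at apply time; the module README added in the same commit uses `roles/run.admin` and `roles/run.invoker`, so the example should read `"roles/run.admin" = [` and `"roles/run.invoker" = [`. Because the example selects `mode = "authoritative"`, the resulting `google_cloud_run_service_iam_binding` resources replace the complete member list of each of those roles on both services rather than adding the three principals, which is worth stating to a reader who copies the example; a comment above `mode` such as `# authoritative: members not listed below are removed from the role on these services` would make that explicit.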
@@ -0,0 +1,54 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "group_email" {
+ type = string
+ description = "Email for group to receive roles (ex. group@example.com)"
+}
+
+variable "sa_email" {
+ type = string
+ description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)"
+}
+
+variable "user_email" {
+ type = string
+ description = "Email for group to receive roles (Ex. user@example.com)"
+}
+
+/******************************************
+ cloud_run_service_iam_binding variables
+ *****************************************/
+variable "cloud_run_service_project" {
+ type = string
+ description = "Project id of the cloud run service"
+}
+
+variable "cloud_run_service_location" {
+ type = string
+ description = "The location of the cloud run instance"
+}
+
+variable "cloud_run_service_one" {
+ type = string
+ description = "First cloud run service to add the IAM policies/bindings"
+}
+
+variable "cloud_run_service_two" {
+ type = string
+ description = "Second cloud run service to add the IAM policies/bindings"
+}
+
diff --git a/examples/cloud_run_service/versions.tf b/examples/cloud_run_service/versions.tf
new file mode 100644
index 00000000..31d0a1bf
--- /dev/null
+++ b/examples/cloud_run_service/versions.tf
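Review bot: The description of `user_email` is a copy of the `group_email` text and says `Email for group to receive roles (Ex. user@example.com)`; it should read `description = "Email for user to receive roles (Ex. user@example.com)"`. The same wording is repeated in the example README table in this commit, so both should be corrected together. The three principal variables are otherwise fine as required inputs without defaults.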
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 4.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/modules/cloud_run_services_iam/README.md b/modules/cloud_run_services_iam/README.md
new file mode 100644
index 00000000..80fec9b6
--- /dev/null
+++ b/modules/cloud_run_services_iam/README.md
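Review bot: `google-beta` is declared as a required provider, but nothing in this commit references it: the example's main.tf contains only the module call, and the submodule's main.tf uses `google_cloud_run_service_iam_binding` and `google_cloud_run_service_iam_member` from the `google` provider without a `provider =` override. Unless `../helper` (outside this diff) needs it, the `google-beta` block can be dropped so the example does not install and authenticate a provider it never uses. Separately, the new `modules/cloud_run_services_iam/` directory has no versions.tf of its own, so the `~> 4.0` constraint only applies when the submodule is consumed through this example; a `required_providers` block in the submodule would state the supported provider range for every caller.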
@@ -0,0 +1,47 @@
+# Module Cloud Run Service IAM
+
+This optional module is used to assign cloud run service roles
+
+## Example Usage
+```
+module "cloud-run-services-iam-bindings" {
+ source = "terraform-google-modules/iam/google//modules/cloud_run_services_iam"
+ project = "my_cloud_run_project"
+ cloud_run_services = ["my_cloud_run_service_one", "my_cloud_run_service_two"]
+ mode = "authoritative"
+
+ bindings = {
+ "roles/run.invoker" = [
+ "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
+ "group:my-group@my-org.com",
+ "user:my-user@my-org.com",
+ ]
+ "roles/run.admin" = [
+ "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
+ "group:my-group@my-org.com",
+ "user:my-user@my-org.com",
+ ]
+ }
+}
+```
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(any)` | n/a | yes |
+| cloud\_run\_services | Cloud Run services list to add the IAM policies/bindings | `list(string)` | `[]` | no |
+| location | The location of the cloud run instance | `string` | `""` | no |
+| mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no |
+| project | Project to add the IAM policies/bindings | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cloud\_run\_services | Cloud Run services which received for bindings. |
+| members | Members which were bound to the Cloud Run services. |
+| roles | Roles which were assigned to members. |
+
+
diff --git a/modules/cloud_run_services_iam/main.tf b/modules/cloud_run_services_iam/main.tf
new file mode 100644
index 00000000..eec85593
--- /dev/null
+++ b/modules/cloud_run_services_iam/main.tf
@@ -0,0 +1,49 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+ Run helper module to get generic calculated data
+ *****************************************/
+module "helper" {
+ source = "../helper"
+ bindings = var.bindings
+ mode = var.mode
+ entities = var.cloud_run_services
+}
+
+/******************************************
+ Cloud Run Servive IAM binding authoritative
+ *****************************************/
+resource "google_cloud_run_service_iam_binding" "cloud_run_iam_authoritative" {
+ for_each = module.helper.set_authoritative
+ project = var.project
+ location = var.location
+ service = module.helper.bindings_authoritative[each.key].name
+ role = module.helper.bindings_authoritative[each.key].role
+ members = module.helper.bindings_authoritative[each.key].members
+}
+
+/******************************************
+ Cloud Run Servive IAM binding additive
+ *****************************************/
+resource "google_cloud_run_service_iam_member" "cloud_run_iam_additive" {
+ for_each = module.helper.set_additive
+ project = var.project
+ location = var.location
+ service = module.helper.bindings_additive[each.key].name
+ role = module.helper.bindings_additive[each.key].role
+ member = module.helper.bindings_additive[each.key].member
+}
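Review bot: Both section banners misspell the resource: `Cloud Run Servive IAM binding authoritative` and `Cloud Run Servive IAM binding additive` should read `Cloud Run Service IAM binding ...`. The authoritative resource also lacks any comment on its effect: `google_cloud_run_service_iam_binding` is authoritative for the whole member list of `role` on the service, so whatever the caller passes in `bindings` replaces existing grants (an existing invoker or admin grant disappears, and an `allUsers` entry supplied by the caller would make the service publicly invokable); a line such as `# authoritative: the member list below replaces every existing member of this role on the service` above `for_each` would document that for operators. Nothing in this file constrains `var.mode` to `additive` or `authoritative`, and with `../helper` outside this diff I cannot tell whether another value yields empty sets (silently creating nothing) or an error; stating the accepted values above `module "helper"`, or validating them on the variable, would close that gap.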
diff --git a/modules/cloud_run_services_iam/outputs.tf b/modules/cloud_run_services_iam/outputs.tf
new file mode 100644
index 00000000..0e1917d0
--- /dev/null
+++ b/modules/cloud_run_services_iam/outputs.tf
@@ -0,0 +1,31 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_run_services" {
+ value = distinct(module.helper.bindings_by_member[*].name)
+ description = "Cloud Run services which received for bindings."
+ depends_on = [google_cloud_run_service_iam_binding.cloud_run_iam_authoritative, google_cloud_run_service_iam_member.cloud_run_iam_additive]
+}
+
+output "roles" {
+ value = distinct(module.helper.bindings_by_member[*].role)
+ description = "Roles which were assigned to members."
+}
+
+output "members" {
+ value = distinct(module.helper.bindings_by_member[*].member)
+ description = "Members which were bound to the Cloud Run services."
+}
diff --git a/modules/cloud_run_services_iam/variables.tf b/modules/cloud_run_services_iam/variables.tf
new file mode 100644
index 00000000..d90231ae
--- /dev/null
+++ b/modules/cloud_run_services_iam/variables.tf
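Review bot: Only `output "cloud_run_services"` declares `depends_on` on the two IAM resources; `roles` and `members` derive from the same `module.helper.bindings_by_member` data and so can be consumed by a caller before any binding has actually been applied. If the dependency on the first output is deliberate, as a sequencing hook for callers, the other two outputs should carry the same line, `depends_on = [google_cloud_run_service_iam_binding.cloud_run_iam_authoritative, google_cloud_run_service_iam_member.cloud_run_iam_additive]`, or the asymmetry should be explained in a comment above `output "cloud_run_services"`. The description `Cloud Run services which received for bindings.` also reads oddly; `Cloud Run services which received bindings.` is presumably what is meant.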
@@ -0,0 +1,43 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project" {
+ description = "Project to add the IAM policies/bindings"
+ default = ""
+ type = string
+}
+
+variable "location" {
+ description = "The location of the cloud run instance"
+ default = ""
+ type = string
+}
+
+variable "cloud_run_services" {
+ description = "Cloud Run services list to add the IAM policies/bindings"
+ default = []
+ type = list(string)
+}
+
+variable "mode" {
+ description = "Mode for adding the IAM policies/bindings, additive and authoritative"
+ default = "additive"
+}
+
+variable "bindings" {
+ description = "Map of role (key) and list of members (value) to add the IAM policies/bindings"
+ type = map(any)
+}
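Review bot: `variable "mode"` is the only variable in this file with no `type`, and it has no `validation` block, so any value is accepted at plan time and only the helper module (outside this diff) decides what an unsupported value does. The description names exactly two accepted values, and the example's versions.tf in this commit already requires Terraform `>= 0.13`, where variable validation is available, so pinning the type and rejecting other values is cheap and turns a silent misconfiguration into a plan-time error. The `""` defaults on `project` and `location` would also benefit from a comment saying an empty value is meant to fall through to the provider configuration, if that is the intent; it is not obvious from how main.tf passes them straight to the resources.

```hcl
variable "mode" {
  description = "Mode for adding the IAM policies/bindings, additive and authoritative"
  default     = "additive"
  type        = string

  validation {
    condition     = contains(["additive", "authoritative"], var.mode)
    error_message = "The mode must be either additive or authoritative."
  }
}

# … unchanged: project, location, cloud_run_services and bindings variables …
```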