Added IAM member submodule

* Fix #75
terraform-google-modules · Dec 30, 2019 · ec60c2c · ec60c2c
1 parent cb1a2b4
commit ec60c2c
Show file tree

Hide file tree

Showing 17 changed files with 437 additions and 0 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -71,3 +71,16 @@ suites:
           backend: local
     provisioner:
       name: terraform
+
+  - name: member-iam
+    driver:
+      name: terraform
+      command_timeout: 1800
+      root_module_directory: test/fixtures/member-iam
+    verifier:
+      name: terraform
+      systems:
+        - name: member-iam
+          backend: local
+    provisioner:
+      name: terraform
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -22,6 +22,26 @@ steps:
   - 'TF_VAR_folder_id=$_FOLDER_ID'
   - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
 
+- id: create member-iam-local
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create member-iam-local']
+- id: converge member-iam-local
+  waitFor:
+    - create member-iam-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge member-iam-local']
+- id: verify member-iam-local
+  waitFor:
+    - converge member-iam-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify member-iam-local']
+- id: destroy member-iam-local
+  waitFor:
+    - verify member-iam-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy member-iam-local']
 
 # ----- SUITE additive-local
 

diff --git a/examples/member_iam/README.md b/examples/member_iam/README.md
@@ -0,0 +1,21 @@
+# Member iam Module Example
+
+This example illustrates how to use the `member_iam` submodule
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| project\_id | Project id | string | n/a | yes |
+| service\_account\_address | Service account address | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | Project id. |
+| roles | Project roles. |
+| service\_account\_address | Member which was bound to projects. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/member_iam/main.tf b/examples/member_iam/main.tf
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Provider configuration
+ *****************************************/
+provider "google" {
+  version = "~> 2.7"
+}
+
+provider "google-beta" {
+  version = "~> 2.7"
+}
+
+resource "google_service_account" "member_iam_test" {
+  project      = var.project_id
+  account_id   = "member-iam-test"
+  display_name = "member-iam-test"
+}
+
+module "member_roles" {
+  source                  = "../../modules/member_iam"
+  service_account_address = google_service_account.member_iam_test.email
+  project_id              = var.project_id
+  project_roles           = ["roles/compute.networkAdmin", "roles/appengine.appAdmin"]
+}
diff --git a/examples/member_iam/outputs.tf b/examples/member_iam/outputs.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "roles" {
+  value       = module.member_roles.roles
+  description = "Project roles."
+}
+
+output "project_id" {
+  value       = var.project_id
+  description = "Project id."
+}
+
+output "service_account_address" {
+  value       = google_service_account.member_iam_test.email
+  description = "Member which was bound to projects."
+}
diff --git a/examples/member_iam/variables.tf b/examples/member_iam/variables.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "service_account_address" {
+  description = "Service account address"
+  type        = string
+}
+
+variable "project_id" {
+  description = "Project id"
+  type        = string
+}
diff --git a/examples/member_iam/versions.tf b/examples/member_iam/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/modules/member_iam/README.md b/modules/member_iam/README.md
@@ -0,0 +1,32 @@
+# Module Member IAM
+
+This optional module is used to assign service account roles
+
+## Example Usage
+```
+module "member_roles" {
+  source          = "terraform-google-modules/iam/google//modules/member_iam"
+  service_account = "my-sa@my-project.iam.gserviceaccount.com"
+  project         = "my-project-one"
+  project_roles   = ["roles/compute.networkAdmin", "roles/appengine.appAdmin"]
+}
+
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| project\_id | Project id | string | n/a | yes |
+| project\_roles | List of IAM roles | list(string) | n/a | yes |
+| service\_account\_address | Service account address | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | Project id. |
+| roles | Project roles. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/member_iam/main.tf b/modules/member_iam/main.tf
@@ -0,0 +1,22 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_project_iam_member" "project_iam_member" {
+  for_each = toset(var.project_roles)
+  project  = var.project_id
+  role     = each.key
+  member   = "serviceAccount:${var.service_account_address}"
+}
diff --git a/modules/member_iam/outputs.tf b/modules/member_iam/outputs.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "roles" {
+  value       = google_project_iam_member.project_iam_member
+  description = "Project roles."
+}
+
+output "project_id" {
+  value       = var.project_id
+  description = "Project id."
+}
diff --git a/modules/member_iam/variables.tf b/modules/member_iam/variables.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "service_account_address" {
+  description = "Service account address"
+  type        = string
+}
+
+variable "project_id" {
+  description = "Project id"
+  type        = string
+}
+
+variable "project_roles" {
+  description = "List of IAM roles"
+  type        = list(string)
+}
diff --git a/test/fixtures/member-iam/main.tf b/test/fixtures/member-iam/main.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "member_roles" {
+  source     = "../../../examples/member_iam"
+  project_id = var.project_id
+}
diff --git a/test/fixtures/member-iam/outputs.tf b/test/fixtures/member-iam/outputs.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  value       = var.project_id
+  description = "Project id."
+}
+
+output "service_account_email" {
+  value       = module.member_roles.service_account_address
+  description = "Member which was bound to projects."
+}
diff --git a/test/fixtures/member-iam/variables.tf b/test/fixtures/member-iam/variables.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "Project id"
+  type        = string
+}
diff --git a/test/fixtures/member-iam/versions.tf b/test/fixtures/member-iam/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.12"
+}