diff --git a/modules/folders/main.tf b/modules/folders/main.tf index 920f712d29..3b2bbe8b97 100644 --- a/modules/folders/main.tf +++ b/modules/folders/main.tf @@ -16,7 +16,7 @@ locals { folders = [for name in var.names : google_folder.folders[name]] - iam_pairs = flatten([ + iam_pairs = var.iam_roles == null ? [] : flatten([ for name, roles in var.iam_roles : [for role in roles : { name = name, role = role }] ]) @@ -24,6 +24,7 @@ locals { for pair in local.iam_pairs : "${pair.name}-${pair.role}" => pair } + iam_members = var.iam_members == null ? {} : var.iam_members } resource "google_folder" "folders" { @@ -46,7 +47,7 @@ resource "google_folder_iam_binding" "authoritative" { folder = google_folder.folders[each.value.name].name role = each.value.role members = lookup( - lookup(var.iam_members, each.value.name, {}), each.value.role, [] + lookup(local.iam_members, each.value.name, {}), each.value.role, [] ) } diff --git a/modules/folders/variables.tf b/modules/folders/variables.tf index 9489bdacb5..742031633c 100644 --- a/modules/folders/variables.tf +++ b/modules/folders/variables.tf @@ -17,13 +17,13 @@ variable "iam_members" { description = "List of IAM members keyed by folder name and role." type = map(map(list(string))) - default = {} + default = null } variable "iam_roles" { description = "List of IAM roles keyed by folder name." type = map(list(string)) - default = {} + default = null } variable "names" { diff --git a/tests/modules/folders/__init__.py b/tests/modules/folders/__init__.py new file mode 100644 index 0000000000..6913f02e36 --- /dev/null +++ b/tests/modules/folders/__init__.py 
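Review bot: In the third hunk of modules/folders/main.tf, the `members` lookup still falls back to `[]`, so a role listed in `iam_roles` with no matching `iam_members` entry plans an authoritative `google_folder_iam_binding` with no members. With `iam_members` now defaulting to null, passing only `iam_roles` becomes an easy call shape. Because the binding is authoritative for its role, applying it would presumably remove any principals that already hold that role on the folder; confirm this against the provider's handling of an empty `members`. Consider building `iam_pairs` only from roles that have members, or state the behaviour next to the lookup, e.g. `# authoritative: a role without iam_members is bound to an empty member list`. The resource block starts above the hunk, so its `for_each` is not visible here.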
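Review bot: The descriptions in modules/folders/variables.tf do not say that null is accepted, although both defaults change from `{}` to `null` and main.tf now treats null as empty. A caller reading only the variable documentation cannot tell that omitting the value and passing `{}` are equivalent. I would extend them, e.g. `description = "IAM members keyed by folder name and role; null is treated as no members."` and `description = "IAM roles keyed by folder name; null is treated as no roles."`. Both variables are maps, so dropping "List of" also makes the text match the declared type.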
@@ -0,0 +1,13 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/tests/modules/folders/fixture/main.tf b/tests/modules/folders/fixture/main.tf
new file mode 100644
index 0000000000..4848ec5aa4
--- /dev/null
+++ b/tests/modules/folders/fixture/main.tf
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "test" {
+ source = "../../../../modules/folders"
+ parent = "organizations/12345678"
+ names = ["folder-a", "folder-b"]
+ iam_members = var.iam_members
+ iam_roles = var.iam_roles
+}
diff --git a/tests/modules/folders/fixture/variables.tf b/tests/modules/folders/fixture/variables.tf
new file mode 100644
index 0000000000..02fb11081c
--- /dev/null
+++ b/tests/modules/folders/fixture/variables.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "iam_members" {
+ type = map(map(list(string)))
+ default = null
+}
+
+variable "iam_roles" {
+ type = map(list(string))
+ default = null
+}
diff --git a/tests/modules/folders/test_plan.py b/tests/modules/folders/test_plan.py
new file mode 100644
index 0000000000..fcb8fa64d7
--- /dev/null
+++ b/tests/modules/folders/test_plan.py
@@ -0,0 +1,49 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_folder(plan_runner):
+ "Test folder resources."
+ _, resources = plan_runner(FIXTURES_DIR)
+ assert len(resources) == 2
+ assert set(r['type'] for r in resources) == set(['google_folder'])
+ assert set(r['values']['display_name'] for r in resources) == set([
+ 'folder-a', 'folder-b'
+ ])
+ assert set(r['values']['parent'] for r in resources) == set([
+ 'organizations/12345678'
+ ])
+
+
+def test_iam_roles_only(plan_runner):
+ "Test folder resources with only iam roles passed."
+ _, resources = plan_runner(
+ FIXTURES_DIR, iam_roles='{folder-a = [ "roles/owner"]}')
+ assert len(resources) == 3
+
+
+def test_iam(plan_runner):
+ "Test folder resources with iam roles and members."
+ iam_roles = '{folder-a = ["roles/owner"], folder-b = ["roles/viewer"]}'
+ iam_members = '{folder-a = { "roles/owner" = ["user:a@b.com"] }}'
+ _, resources = plan_runner(
+ FIXTURES_DIR, iam_roles=iam_roles, iam_members=iam_members)
+ assert len(resources) == 4
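Review bot: `test_iam_roles_only` and `test_iam` assert only `len(resources)`, so a plan that binds the wrong role or the wrong member would still pass. For an IAM module the tests should pin what is granted. Assuming the planned binding values expose `role` and `members` the way the folder values expose `display_name`, something like `bindings = {r['values']['role']: r['values']['members'] for r in resources if r['type'] == 'google_folder_iam_binding'}` followed by `assert bindings['roles/owner'] == ['user:a@b.com']` in `test_iam` would do. `test_iam_roles_only` also passes with a `roles/owner` binding that has no members, which should be asserted explicitly, or commented on if intended. `import pytest` is unused in this file.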