fix: Support empty subnet bindings (#97)

BREAKING CHANGE: The `project` variable has been removed from the `projects_iam` submodule. Please use `projects` instead.

README.md

@@ -118,7 +118,7 @@ You can choose the following resource types to apply the IAM bindings:
 - Kms Key Rings (`kms_key_rings` variable)
 - Kms Crypto Keys (`kms_crypto_keys` variable)
 
-Set the specified variable on the module call to choose the resources to affect. Remember to set the `mode` [variable](#additive-and-authoritative-modes) and give enough [permissions](#permissions) to manage the selected resource as well.
+Set the specified variable on the module call to choose the resources to affect. Remember to set the `mode` [variable](#additive-and-authoritative-modes) and give enough [permissions](#permissions) to manage the selected resource as well. Note that the `bindings` variable accepts an empty map `{}` passed in as an argument in the case that resources don't have IAM bindings to apply.
 
 ## Requirements
 

modules/helper/main.tf

@@ -25,14 +25,14 @@ locals {
   # Other rules regrading the dynamic nature of resources:
   # 1. The roles might never be dynamic.
   # 2. Members might only be dynamic in `authoritative` mode.
-  singular = length(var.entities) <= 1
+  singular = length(var.entities) == 1
 
   # In singular mode, replace entity name with a constant "default". This
   # will prevent the potentially dynamic resource name usage in the `for_each`
   aliased_entities = local.singular ? ["default"] : var.entities
 
-  # Cover the usecase of specifying singular entity instead of an array
-  real_entities = var.entity != "" ? [var.entity] : var.entities
+  # Values in the map need to be the proper entity names
+  real_entities = var.entities
 
   bindings_by_role = distinct(flatten([
     for name in local.real_entities

modules/helper/variables.tf

@@ -28,9 +28,3 @@ variable "entities" {
   description = "Entities list to add the IAM policies/bindings"
   type        = list(string)
 }
-
-variable "entity" {
-  description = "Entity to add the IAM policies/bindings"
-  default     = ""
-  type        = string
-}

modules/projects_iam/README.md

@@ -31,7 +31,6 @@ module "project-iam-bindings" {
 |------|-------------|:----:|:-----:|:-----:|
 | bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | map(list(string)) | n/a | yes |
 | mode | Mode for adding the IAM policies/bindings, additive and authoritative | string | `"additive"` | no |
-| project | Project to add the IAM policies/bindings | string | `""` | no |
 | projects | Projects list to add the IAM policies/bindings | list(string) | `<list>` | no |
 
 ## Outputs

modules/projects_iam/main.tf

@@ -21,7 +21,6 @@ module "helper" {
   source   = "../helper"
   bindings = var.bindings
   mode     = var.mode
-  entity   = var.project
   entities = var.projects
 }
 

modules/projects_iam/variables.tf

@@ -14,12 +14,6 @@
  * limitations under the License.
  */
 
-variable "project" {
-  description = "Project to add the IAM policies/bindings"
-  default     = ""
-  type        = string
-}
-
 variable "projects" {
   description = "Projects list to add the IAM policies/bindings"
   default     = []

test/fixtures/helper/iam.tf

@@ -46,6 +46,15 @@ module "iam_binding_subnet" {
   bindings       = local.basic_bindings
 }
 
+module "iam_binding_subnet_empty" {
+  source         = "../../../modules/subnets_iam"
+  mode           = var.mode
+  project        = var.project_id
+  subnets_region = module.base.region
+  subnets        = []
+  bindings       = local.basic_bindings
+}
+
 module "iam_binding_service_account" {
   source           = "../../../modules/service_accounts_iam"
   mode             = var.mode

test/fixtures/static-and-dynamic/main.tf

@@ -104,9 +104,6 @@ module "projects_iam_authoritative_dynamic" {
 
 # Additive Dynamic
 
-# We also test here that specifying `project` insead of the `projects` array works
-# That's why the count is forced to 1
-
 resource "google_project" "additive_dynamic" {
   count = 1
 
@@ -119,7 +116,7 @@ resource "google_project" "additive_dynamic" {
 module "projects_iam_additive_dynamic" {
   source   = "../../../modules/projects_iam"
   mode     = "additive"
-  project  = google_project.additive_dynamic[0].project_id
+  projects = [google_project.additive_dynamic[0].project_id]
   bindings = local.project_bindings
 }