feat: Adding iap_web_backend_services module

slightsey-recurly · slightsey-recurly · commit 9fdaafab7572 · 2025-05-28T08:53:48.000-07:00
Linting
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@ This is a collection of submodules that make it easier to non-destructively mana
 * [Custom Role IAM](modules/custom_role_iam)
 * [DNS Zone IAM](modules/dns_zones_iam)
 * [Folders IAM](modules/folders_iam)
+* [Iap Backend Service IAM](modules/iap_web_backend_services_iam)
 * [KMS Crypto Keys IAM](modules/kms_crypto_keys_iam)
 * [KMS_Key Rings IAM](modules/kms_key_rings_iam)
 * [Organizations IAM](modules/organizations_iam)
@@ -120,6 +121,7 @@ You can choose the following resource types to apply the IAM bindings:
 - Service Accounts (`service_accounts` variable)
 - Subnetworks (`subnets` variable)
 - Storage buckets (`storage_buckets` variable)
+- IAP Web Backend Service (`web_backend_services` variable)
 - Pubsub topics (`pubsub_topics` variable)
 - Pubsub subscriptions (`pubsub_subscriptions` variable)
 - Kms Key Rings (`kms_key_rings` variable)
diff --git a/examples/iap_web_backend_services/README.md b/examples/iap_web_backend_services/README.md
@@ -0,0 +1,20 @@
+# IAP Web Backend Service Example
+
+This example illustrates how to use the `iap_web_backend_services_iam` submodule
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| group\_email | Email for group to receive roles (ex. group@example.com) | `string` | n/a | yes |
+| iap\_web\_backend\_service | Name of iap\_web\_backend\_service to bind member to | `string` | n/a | yes |
+| project | Project where the artifact iap\_web\_backend\_services bindings are placed | `string` | n/a | yes |
+| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | `string` | n/a | yes |
+| user\_email | Email for group to receive roles (Ex. user@example.com) | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/iap_web_backend_services/main.tf b/examples/iap_web_backend_services/main.tf
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Module iap_web_backend_services calling
+ *****************************************/
+module "iap_web_backend_services" {
+  source  = "terraform-google-modules/iam/google//modules/iap_web_backend_services"
+  version = "~> 8.0"
+
+  iap_web_backend_services = [var.iap_web_backend_service]
+  mode            = "additive"
+
+  bindings = {
+    "roles/iap.httpsResourceAccessor" = [
+      "serviceAccount:${var.sa_email}",
+      "group:${var.group_email}",
+      "user:${var.user_email}",
+    ]
+  }
+}
diff --git a/examples/iap_web_backend_services/variables.tf b/examples/iap_web_backend_services/variables.tf
@@ -0,0 +1,45 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project" {
+  description = "Project where the artifact iap_web_backend_services bindings are placed"
+  type        = string
+}
+
+variable "group_email" {
+  type        = string
+  description = "Email for group to receive roles (ex. group@example.com)"
+}
+
+variable "sa_email" {
+  type        = string
+  description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)"
+}
+
+variable "user_email" {
+  type        = string
+  description = "Email for group to receive roles (Ex. user@example.com)"
+}
+
+/******************************************
+  google_iap_web_backend_service_iam_binding variables
+ *****************************************/
+variable "iap_web_backend_service" {
+  type        = string
+  description = "Name of iap_web_backend_service to bind member to"
+}
+
+
diff --git a/modules/iap_web_backend_services_iam/README.md b/modules/iap_web_backend_services_iam/README.md
@@ -0,0 +1,52 @@
+# Module iap_web_backend_services IAM
+
+This optional module is used to assign iap_web_backend_services roles
+
+## Example Usage
+```
+module "iap_web_backend_services_iam" {
+  source   = "terraform-google-modules/iam/google//modules/iap_web_backend_services_iam"
+  version  = "~> 8.0"
+
+  iap_web_backend_services = ["my-iap-backend-service-name"]
+  mode            = "additive"
+
+  bindings = {
+    "roles/iap.httpsResourceAccessor" = [
+      "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
+      "group:my-group@my-org.com",
+      "user:my-user@my-org.com",
+    ]
+  }
+  conditional_bindings = [
+    {
+      role = "roles/storage.admin"
+      title = "expires_after_2019_12_31"
+      description = "Expiring at midnight of 2019-12-31"
+      expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
+      members = ["user:my-user@my-org.com"]
+    }
+  ]
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| bindings | Map of role (key) and list of members (value) to add the IAM policies/bindings | `map(list(string))` | `{}` | no |
+| conditional\_bindings | List of maps of role and respective conditions, and the members to add the IAM policies/bindings | <pre>list(object({<br>    role        = string<br>    title       = string<br>    description = string<br>    expression  = string<br>    members     = list(string)<br>  }))</pre> | `[]` | no |
+| iap\_web\_backend\_services | IAP Web Backend Service list to add the IAM policies/bindings | `list(string)` | `[]` | no |
+| mode | Mode for adding the IAM policies/bindings, additive and authoritative | `string` | `"additive"` | no |
+| project | Project where the iap\_web\_backend\_services bindings are placed | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| iap\_web\_backend\_services | IAP Web Backend Services which received bindings. |
+| members | Members which were bound to the IAP Web Backend Service. |
+| roles | Roles which were assigned to members. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/iap_web_backend_services_iam/main.tf b/modules/iap_web_backend_services_iam/main.tf
@@ -0,0 +1,64 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/******************************************
+  Run helper module to get generic calculated data
+ *****************************************/
+module "helper" {
+  source               = "../helper"
+  bindings             = var.bindings
+  mode                 = var.mode
+  entities             = var.iap_web_backend_services
+  conditional_bindings = var.conditional_bindings
+}
+
+/******************************************
+  IAP Web Backend IAM binding authoritative
+ *****************************************/
+resource "google_iap_web_backend_service_iam_binding" "iap_web_backend_service_iam_authoritative" {
+  for_each            = module.helper.set_authoritative
+  web_backend_service = module.helper.bindings_authoritative[each.key].name
+  project             = var.project
+  role                = module.helper.bindings_authoritative[each.key].role
+  members             = module.helper.bindings_authoritative[each.key].members
+  dynamic "condition" {
+    for_each = module.helper.bindings_authoritative[each.key].condition.title == "" ? [] : [module.helper.bindings_authoritative[each.key].condition]
+    content {
+      title       = module.helper.bindings_authoritative[each.key].condition.title
+      description = module.helper.bindings_authoritative[each.key].condition.description
+      expression  = module.helper.bindings_authoritative[each.key].condition.expression
+    }
+  }
+}
+
+/******************************************
+  IAP Web Backend IAM binding additive
+ *****************************************/
+resource "google_iap_web_backend_service_iam_member" "iap_web_backend_service_iam_additive" {
+  for_each            = module.helper.set_additive
+  web_backend_service = module.helper.bindings_additive[each.key].name
+  project             = var.project
+  role                = module.helper.bindings_additive[each.key].role
+  member              = module.helper.bindings_additive[each.key].member
+  dynamic "condition" {
+    for_each = module.helper.bindings_additive[each.key].condition.title == "" ? [] : [module.helper.bindings_additive[each.key].condition]
+    content {
+      title       = module.helper.bindings_additive[each.key].condition.title
+      description = module.helper.bindings_additive[each.key].condition.description
+      expression  = module.helper.bindings_additive[each.key].condition.expression
+    }
+  }
+}
diff --git a/modules/iap_web_backend_services_iam/outputs.tf b/modules/iap_web_backend_services_iam/outputs.tf
@@ -0,0 +1,31 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "iap_web_backend_services" {
+  value       = distinct(module.helper.bindings_by_member[*].name)
+  description = "IAP Web Backend Services which received bindings."
+  depends_on  = [google_iap_web_backend_service_iam_binding.iap_web_backend_service_iam_authoritative, google_iap_web_backend_service_iam_member.iap_web_backend_service_iam_additive, ]
+}
+
+output "roles" {
+  value       = distinct(module.helper.bindings_by_member[*].role)
+  description = "Roles which were assigned to members."
+}
+
+output "members" {
+  value       = distinct(module.helper.bindings_by_member[*].member)
+  description = "Members which were bound to the IAP Web Backend Service."
+}
diff --git a/modules/iap_web_backend_services_iam/variables.tf b/modules/iap_web_backend_services_iam/variables.tf
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "iap_web_backend_services" {
+  description = "IAP Web Backend Service list to add the IAM policies/bindings"
+  default     = []
+  type        = list(string)
+}
+
+variable "project" {
+  description = "Project where the iap_web_backend_services bindings are placed"
+  type        = string
+}
+
+variable "mode" {
+  description = "Mode for adding the IAM policies/bindings, additive and authoritative"
+  type        = string
+  default     = "additive"
+}
+
+variable "bindings" {
+  description = "Map of role (key) and list of members (value) to add the IAM policies/bindings"
+  type        = map(list(string))
+  default     = {}
+}
+
+variable "conditional_bindings" {
+  description = "List of maps of role and respective conditions, and the members to add the IAM policies/bindings"
+  type = list(object({
+    role        = string
+    title       = string
+    description = string
+    expression  = string
+    members     = list(string)
+  }))
+  default = []
+}
