Merge pull request #2 from mineiros-io/sameh-storage-bucket-iam

feat: storage bucket iam

Author: soerenmartius

main.tf

@@ -0,0 +1,51 @@
+resource "google_storage_bucket_iam_binding" "binding" {
+  count = var.module_enabled && var.policy_bindings == null && var.authoritative ? 1 : 0
+
+  bucket  = var.bucket
+  role    = var.role
+  members = var.members
+
+  depends_on = [var.module_depends_on]
+}
+
+resource "google_storage_bucket_iam_member" "member" {
+  for_each = var.module_enabled && var.policy_bindings == null && var.authoritative == false ? var.members : []
+
+  bucket = var.bucket
+  role   = var.role
+  member = each.value
+
+  depends_on = [var.module_depends_on]
+}
+
+resource "google_storage_bucket_iam_policy" "policy" {
+  count = var.module_enabled && var.policy_bindings != null ? 1 : 0
+
+  bucket      = var.bucket
+  policy_data = data.google_iam_policy.policy[0].policy_data
+
+  depends_on = [var.module_depends_on]
+}
+
+data "google_iam_policy" "policy" {
+  count = var.module_enabled && var.policy_bindings != null ? 1 : 0
+
+  dynamic "binding" {
+    for_each = var.policy_bindings
+
+    content {
+      role    = binding.value.role
+      members = try(binding.value.members, var.members)
+
+      dynamic "condition" {
+        for_each = try([binding.value.condition], [])
+
+        content {
+          expression  = condition.value.expression
+          title       = condition.value.title
+          description = try(condition.value.description, null)
+        }
+      }
+    }
+  }
+}

outputs.tf

@@ -0,0 +1,14 @@
+locals {
+  binding = try(google_storage_bucket_iam_binding.binding[0], null)
+  member  = try(google_storage_bucket_iam_member.member, null)
+  policy  = try(google_storage_bucket_iam_policy.policy[0], null)
+
+  iam_output = [local.binding, local.member, local.policy]
+
+  iam_output_index = var.policy_bindings != null ? 2 : var.authoritative ? 0 : 1
+}
+
+output "iam" {
+  description = "All attributes of the created 'iam_binding' or 'iam_member' or 'iam_policy' resource according to the mode."
+  value       = local.iam_output[local.iam_output_index]
+}

variables.tf

@@ -3,11 +3,40 @@
 # These variables must be set when using this module.
 # ---------------------------------------------------------------------------------------------------------------------
 
+variable "bucket" {
+  description = "(Required) Used to find the parent resource to bind the IAM policy to."
+  type        = string
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # OPTIONAL VARIABLES
 # These variables have defaults, but may be overridden.
 # ---------------------------------------------------------------------------------------------------------------------
 
+variable "members" {
+  type        = set(string)
+  description = "(Optional) Identities that will be granted the privilege in role. Each entry can have one of the following values: 'allUsers', 'allAuthenticatedUsers', 'user:{emailid}', 'serviceAccount:{emailid}', 'group:{emailid}', 'domain:{domain}', 'projectOwner:projectid', 'projectEditor:projectid', 'projectViewer:projectid'."
+  default     = []
+}
+
+variable "role" {
+  description = "(Optional) The role that should be applied. Only one 'iam_binding' can be used per role. Note that custom roles must be of the format '[projects|organizations]/{parent-name}/roles/{role-name}'."
+  type        = string
+  default     = null
+}
+
+variable "authoritative" {
+  description = "(Optional) Whether to exclusively set (authoritative mode) or add (non-authoritative/additive mode) members to the role."
+  type        = bool
+  default     = true
+}
+
+variable "policy_bindings" {
+  description = "(Optional) A list of IAM policy bindings."
+  type        = any
+  default     = null
+}
+
 # ------------------------------------------------------------------------------
 # MODULE CONFIGURATION PARAMETERS
 # These variables are used to configure the module.