Merge branch 'main' into feat/add_outputs_for_dr

Author: filippolmt

CHANGELOG.md

@@ -6,6 +6,28 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+# [0.12.0] - 2026-01-22
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-application-bucket-creation-helper/compare/0.11.0...0.12.0)
+
+### Added
+
+- Added output`disaster_recovery_bucket_names` to provide a map from input bucket names to disaster recovery bucket names.
+
+### Fixed
+
+- Fixed `bucket_obj_adm` and `bucket_obj_vwr` variables causing "Invalid for_each argument" error when used with `append_random_suffix = true`. The `for_each` key for IAM member resources now uses the static input bucket name instead of the dynamically generated name (with random suffix).
+
+### Changed
+
+- **BREAKING CHANGE for existing users of `bucket_obj_adm`/`bucket_obj_vwr`**: The `for_each` key for `google_storage_bucket_iam_member.default_storage_admin` and `google_storage_bucket_iam_member.default_storage_viewer` resources has changed from `<generated_bucket_name>--<member>` to `<input_bucket_name>--<member>`.
+
+  **Example**: If your bucket input name is `myapp` and it gets a random suffix `a1b2`, the key changes from `myapp-a1b2--group:admins@example.com` to `myapp--group:admins@example.com`.
+
+  **Impact**: Terraform will plan to destroy and recreate the IAM bindings. This is safe - the IAM permissions will be briefly removed and immediately recreated. No data loss occurs.
+
+  **Migration**: No action required. Run `terraform apply` to recreate the IAM bindings with the new keys. If you want to avoid the brief permission gap, you can use `terraform state mv` to rename the resources before applying.
+
 # [0.11.0] - 2025-12-10
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-application-bucket-creation-helper/compare/0.10.0...0.11.0)

README.md

@@ -99,10 +99,8 @@ want to import existing buckets with a known name.
 | <a name="output_buckets_access_credentials"></a> [buckets\_access\_credentials](#output\_buckets\_access\_credentials) | Access credentials for the application buckets |
 | <a name="output_details_of_used_tag_keys"></a> [details\_of\_used\_tag\_keys](#output\_details\_of\_used\_tag\_keys) | Details of all the tag keys passed to this module (globals and per bucket). |
 | <a name="output_details_of_used_tag_values"></a> [details\_of\_used\_tag\_values](#output\_details\_of\_used\_tag\_values) | Details of all the tag values passed to this module (globals and per bucket). |
-| <a name="output_disaster_recovery_bucket_names"></a> [disaster\_recovery\_bucket\_names](#output\_disaster\_recovery\_bucket\_names) | The list with the names of the disaster recovery buckets. |
-| <a name="output_disaster_recovery_bucket_names_map"></a> [disaster\_recovery\_bucket\_names\_map](#output\_disaster\_recovery\_bucket\_names\_map) | Map from input bucket name to disaster recovery bucket name. |
+| <a name="output_disaster_recovery_bucket_names"></a> [disaster\_recovery\_bucket\_names](#output\_disaster\_recovery\_bucket\_names) | Map from input bucket name to disaster recovery bucket name. Use values() to get a list. |
 | <a name="output_generated_bucket_names"></a> [generated\_bucket\_names](#output\_generated\_bucket\_names) | The list with the names of the buckets managed by this module. |
-| <a name="output_generated_bucket_names_map"></a> [generated\_bucket\_names\_map](#output\_generated\_bucket\_names\_map) | Map from input bucket name to generated bucket name (with random suffix if enabled). |
 ## Resources
 
 | Name | Type |

main.tf

@@ -9,23 +9,23 @@ locals {
     bucket.append_random_suffix ? "${bucket.name}-${random_id.resources_suffix[bucket.name].hex}" : bucket.name
   }
 
-  generated_bucket_obj_admin_list = distinct(flatten([
+  generated_bucket_obj_admin_list = flatten([
     for bucket in var.buckets_list : [
       for bucket_obj_adm in bucket.bucket_obj_adm : {
-        bucket_name    = local.generated_bucket_names[bucket.name]
-        bucket_obj_adm = bucket_obj_adm
+        bucket_name      = bucket.name
+        bucket_obj_admin = bucket_obj_adm
       }
     ]
-  ]))
+  ])
 
-  generated_bucket_obj_vwr_list = distinct(flatten([
+  generated_bucket_obj_vwr_list = flatten([
     for bucket in var.buckets_list : [
       for bucket_obj_vwr in bucket.bucket_obj_vwr : {
-        bucket_name    = local.generated_bucket_names[bucket.name]
+        bucket_name    = bucket.name
         bucket_obj_vwr = bucket_obj_vwr
       }
     ]
-  ]))
+  ])
 
 }
 
@@ -194,15 +194,15 @@ resource "google_storage_bucket_iam_member" "viewer" {
 # Default Storage Admin Role
 resource "google_storage_bucket_iam_member" "default_storage_admin" {
   for_each = { for bucket in local.generated_bucket_obj_admin_list : "${bucket.bucket_name}--${bucket.bucket_obj_admin}" => bucket }
-  bucket   = google_storage_bucket.application[each.value.name].name
+  bucket   = google_storage_bucket.application[each.value.bucket_name].name
   role     = "roles/storage.objectAdmin"
   member   = each.value.bucket_obj_admin
 }
 
 # Default Storage Viewer Role
 resource "google_storage_bucket_iam_member" "default_storage_viewer" {
   for_each = { for bucket in local.generated_bucket_obj_vwr_list : "${bucket.bucket_name}--${bucket.bucket_obj_vwr}" => bucket }
-  bucket   = google_storage_bucket.application[each.value.name].name
+  bucket   = google_storage_bucket.application[each.value.bucket_name].name
   role     = "roles/storage.objectViewer"
   member   = each.value.bucket_obj_vwr
 }

outputs.tf

@@ -26,17 +26,7 @@ output "generated_bucket_names" {
   value       = [for k, v in local.generated_bucket_names : v]
 }
 
-output "generated_bucket_names_map" {
-  description = "Map from input bucket name to generated bucket name (with random suffix if enabled)."
-  value       = local.generated_bucket_names
-}
-
 output "disaster_recovery_bucket_names" {
-  description = "The list with the names of the disaster recovery buckets."
-  value       = [for k, bucket in google_storage_bucket.disaster_recovery : bucket.name]
-}
-
-output "disaster_recovery_bucket_names_map" {
-  description = "Map from input bucket name to disaster recovery bucket name."
+  description = "Map from input bucket name to disaster recovery bucket name. Use values() to get a list."
   value       = { for k, bucket in google_storage_bucket.disaster_recovery : k => bucket.name }
 }