diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d82244..d7cded9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,24 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+# [0.12.0] - 2026-01-22
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-application-bucket-creation-helper/compare/0.11.0...0.12.0)
+
+### Fixed
+
+- Fixed `bucket_obj_adm` and `bucket_obj_vwr` variables causing "Invalid for_each argument" error when used with `append_random_suffix = true`. The `for_each` key for IAM member resources now uses the static input bucket name instead of the dynamically generated name (with random suffix).
+
+### Changed
+
+- **BREAKING CHANGE for existing users of `bucket_obj_adm`/`bucket_obj_vwr`**: The `for_each` key for `google_storage_bucket_iam_member.default_storage_admin` and `google_storage_bucket_iam_member.default_storage_viewer` resources has changed from `--` to `--`.
+
+ **Example**: If your bucket input name is `myapp` and it gets a random suffix `a1b2`, the key changes from `myapp-a1b2--group:admins@example.com` to `myapp--group:admins@example.com`.
+
+ **Impact**: Terraform will plan to destroy and recreate the IAM bindings. This is safe - the IAM permissions will be briefly removed and immediately recreated. No data loss occurs.
+
+ **Migration**: No action required. Run `terraform apply` to recreate the IAM bindings with the new keys. If you want to avoid the brief permission gap, you can use `terraform state mv` to rename the resources before applying.
+
 # [0.11.0] - 2025-12-10
 [Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-application-bucket-creation-helper/compare/0.10.0...0.11.0)
diff --git a/main.tf b/main.tf
index 1920388..078b461 100644
--- a/main.tf
+++ b/main.tf
@@ -9,23 +9,23 @@ locals {
 bucket.append_random_suffix ? "${bucket.name}-${random_id.resources_suffix[bucket.name].hex}" : bucket.name
 }
- generated_bucket_obj_admin_list = distinct(flatten([
+ generated_bucket_obj_admin_list = flatten([
 for bucket in var.buckets_list : [
 for bucket_obj_adm in bucket.bucket_obj_adm : {
- bucket_name = local.generated_bucket_names[bucket.name]
- bucket_obj_adm = bucket_obj_adm
+ bucket_name = bucket.name
+ bucket_obj_admin = bucket_obj_adm
 }
 ]
- ]))
+ ])
- generated_bucket_obj_vwr_list = distinct(flatten([
+ generated_bucket_obj_vwr_list = flatten([
 for bucket in var.buckets_list : [
 for bucket_obj_vwr in bucket.bucket_obj_vwr : {
- bucket_name = local.generated_bucket_names[bucket.name]
+ bucket_name = bucket.name
 bucket_obj_vwr = bucket_obj_vwr
 }
 ]
- ]))
+ ])
 }
@@ -194,7 +194,7 @@ resource "google_storage_bucket_iam_member" "viewer" {
 # Default Storage Admin Role
 resource "google_storage_bucket_iam_member" "default_storage_admin" {
 for_each = { for bucket in local.generated_bucket_obj_admin_list : "${bucket.bucket_name}--${bucket.bucket_obj_admin}" => bucket }
- bucket = google_storage_bucket.application[each.value.name].name
+ bucket = google_storage_bucket.application[each.value.bucket_name].name
 role = "roles/storage.objectAdmin"
 member = each.value.bucket_obj_admin
 }
@@ -202,7 +202,7 @@ resource "google_storage_bucket_iam_member" "default_storage_admin" {
 # Default Storage Viewer Role
 resource "google_storage_bucket_iam_member" "default_storage_viewer" {
 for_each = { for bucket in local.generated_bucket_obj_vwr_list : "${bucket.bucket_name}--${bucket.bucket_obj_vwr}" => bucket }
- bucket = google_storage_bucket.application[each.value.name].name
+ bucket = google_storage_bucket.application[each.value.bucket_name].name
 role = "roles/storage.objectViewer"
 member = each.value.bucket_obj_vwr
 }
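Review bot: With `distinct()` dropped from `generated_bucket_obj_admin_list` and `generated_bucket_obj_vwr_list`, a principal that appears twice in one bucket's `bucket_obj_adm` or `bucket_obj_vwr` list now yields two identical objects, and the `for_each` map comprehensions in `default_storage_admin` and `default_storage_viewer` would then fail on the duplicate key instead of deduplicating as before. Both fields of each object are now plain inputs (`bucket.name` and the member string), so the wrapper looks safe to keep: `generated_bucket_obj_admin_list = distinct(flatten([` closed with `]))`, and the same for the viewer list. A one-line comment such as `# bucket_name is the static input name so for_each keys are known at plan time` above the first list would also stop a later edit from switching back to `local.generated_bucket_names`. The `locals` block opens before this hunk.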
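Review bot: Re-keying `default_storage_admin` (and `default_storage_viewer` in the next hunk) gives every existing binding a new resource address, and Terraform does not order the delete of the old address against the create of the new one for the same bucket and member. Because `google_storage_bucket_iam_member` is additive, a delete that lands after the create may leave the grant absent until the next apply, so the changelog's "immediately recreated" is worth confirming with a follow-up `terraform plan`. A short comment above each `for_each`, e.g. `# Changing this key re-creates every binding; move state first to avoid an access gap`, would record that for maintainers. The lookup `google_storage_bucket.application[each.value.bucket_name]` assumes that resource is keyed by the input name, which is not visible in this hunk.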