Fix shared VPC IAM bindings

This commit addresses issue terraform-google-modules#97 (terraform-google-modules#97) and updates the logic around IAM bindings with regard to shared VPC subnets. The logic is as follows: 1. If `var.shared_vpc` and `var.shared_vpc_subnets` are empty no bindings are mad 2. If `var.shared_vpc` is set but no subnets are provided with `var.shared_vpc_subnets` then the IAM bindings are set at the Host Project 3. If `var.shared_vpc` is set and `var.shared_vpc_subnets` contains subnets then the IAM bindings are granted on the subnetworks themselve This commit updates the logic used to calculate the Host Project bindings based on scenario 3 above. The tests have also been modified to ensure that those bindings AREN'T set.
glarizza · Mar 7, 2019 · 6354666 · 6354666
1 parent 5271216
commit 6354666
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/modules/core_project_factory/main.tf b/modules/core_project_factory/main.tf
@@ -198,7 +198,7 @@ resource "google_service_account_iam_member" "service_account_grant_to_group" {
   Account on shared VPC
  *****************************************************************************************************************/
 resource "google_project_iam_member" "controlling_group_vpc_membership" {
-  count = "${(var.shared_vpc != "" && (length(compact(var.shared_vpc_subnets)) > 0)) ? local.shared_vpc_users_length : 0}"
+  count = "${(var.shared_vpc != "" && (length(compact(var.shared_vpc_subnets)) == 0)) ? local.shared_vpc_users_length : 0}"
 
   project = "${var.shared_vpc}"
   role    = "roles/compute.networkUser"

diff --git a/test/integration/full/controls/shared-vpc.rb b/test/integration/full/controls/shared-vpc.rb
@@ -43,26 +43,26 @@
     end
 
     describe "roles/compute.networkUser" do
-      it "includes the project service account in the roles/compute.networkUser IAM binding" do
-        expect(bindings).to include(
+      it "does not include the project service account in the roles/compute.networkUser IAM binding" do
+        expect(bindings).not_to include(
           members: including("serviceAccount:#{service_account_email}"),
           role: "roles/compute.networkUser",
         )
       end
 
-      it "includes the group email in the roles/compute.networkUser IAM binding" do
+      it "does not include the group email in the roles/compute.networkUser IAM binding" do
         if group_email.nil? || group_email.empty?
           pending "group_email not defined - skipping test"
         end
 
-        expect(bindings).to include(
+        expect(bindings).not_to include(
           members: including("group:#{group_email}"),
           role: "roles/compute.networkUser",
         )
       end
 
-      it "includes the GKE service account in the roles/compute.networkUser IAM binding" do
-        expect(bindings).to include(
+      it "does not include the GKE service account in the roles/compute.networkUser IAM binding" do
+        expect(bindings).not_to include(
           members: including(
             "serviceAccount:service-#{project_number}@container-engine-robot.iam.gserviceaccount.com"
           ),