Fix bug in gsuite_group module that requires organizationViewer role

organizationViewer role should not be necessary if domain is specified.
terraform-google-modules · Mar 22, 2019 · dadf88c · dadf88c
1 parent cdd1751
commit dadf88c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/modules/core_project_factory/scripts/preconditions/preconditions.py b/modules/core_project_factory/scripts/preconditions/preconditions.py
@@ -72,7 +72,7 @@ def asdict(self):
 class OrgPermissions:
     # Permissions that the service account must have for any organization
     ALL_PERMISSIONS = [
-        # Typically granted with `roles/resourcemanager.organizationViewer`
+        # Typically granted with `roles/resourcemanager.organizationViewer`	
         "resourcemanager.organizations.get",
     ]
 
@@ -132,7 +132,7 @@ def validate(self, credentials):
             "Service account permissions on organization",
             resource,
             self.permissions,
-            response.get("permissions", []),
+            response.get("permissions", [])
         )
 
         return req.asdict()
@@ -209,7 +209,7 @@ def validate(self, credentials):
             "Service account permissions on host VPC project",
             resource,
             self.permissions,
-            response.get("permissions", []),
+            response.get("permissions", [])
         )
 
         return req.asdict()
@@ -295,7 +295,7 @@ def validate(self, credentials):
             "Service account permissions on billing account",
             resource,
             self.REQUIRED_PERMISSIONS,
-            response["permissions"],
+            response["permissions"]
         )
 
         return req.asdict()

diff --git a/modules/gsuite_group/main.tf b/modules/gsuite_group/main.tf
@@ -15,13 +15,15 @@
  */
 
 locals {
-  domain = "${var.domain != "" ? var.domain : data.google_organization.org.domain}"
-  email  = "${format("%s@%s", var.name, local.domain)}"
+  domain_list = "${concat(data.google_organization.org.*.domain, list("dummy"))}"
+  domain      = "${var.domain == "" ? element(local.domain_list, 0) : var.domain}"
+  email       = "${format("%s@%s", var.name, local.domain)}"
 }
 
 /*****************************************
   Organization info retrieval
  *****************************************/
 data "google_organization" "org" {
+  count        = "${var.domain == "" ? 1 : 0}"
   organization = "${var.org_id}"
 }