
I am attempting to add multiple roles to a GCP group in multiple projects via Terraform. I've skimmed through documentation, other threads here, and have attempted multiple trial/error attempts with no luck.

Below is what I have:

vars.tf

variable "specific_group" {
  type    = string
  default = "group:specificgroup@domain.com"
}

variable "group_bigtable_roles" {
  type    = list(string)
  default = [
    "roles/bigtable.admin",
    "roles/cloudfunctions.developer",
    "roles/cloudscheduler.admin",
    "roles/deploymentmanager.editor",
  ]
}

locals.tf

locals {
...
    bigtable = {
      project1 = "123"
      project2 = "456"
      project3 = "789"
      ...
    }
}

specificgroup.tf

resource "google_project_iam_member" "specific_group_bigtable_roles" {
  for_each = local.projects.bigtable
  project  = each.key
  member   = var.specific_group
  # for_each and count cannot both be set on one resource; this is the
  # combination that produces the error described below.
  count    = length(var.group_bigtable_roles)
  role     = var.group_bigtable_roles[count.index]
}

I am currently getting an error that the resource (in specificgroup.tf) can only explicitly have for_each or count. I understand the reasoning for that error, but I've tried to do nested for_each and other things with no luck either. Is it possible to have separate for_each's in the same resource? I feel like I'm getting somewhere but it's currently just a brick wall to me. Any help or guidance is appreciated!

  • That's the boring side of Terraform. You have to bend your code to fit its constraint. I don't remember the trick (I did that years ago!) but you could find a solution on the internet. The idea is not having a map but an array. – guillaume blaquiere Jul 25 '23 at 19:37
  • Are you planning on having all the roles for each of the projects? – Marko E Jul 25 '23 at 19:39
  • guillaumeblaquiere Yes, I agree, manipulating code to fit the constraint is boring! @MarkoE Yep, that's correct. I want four roles assigned to the group in a total of seven projects. – throwawaythecoal Jul 25 '23 at 20:04
  • I assume it's not possible to put these projects into a folder and apply the roles on the folder level? – vpgcloud Jul 26 '23 at 08:16
  • @vpriesner That's correct. I'm afraid that won't be possible. I wish it was though! – throwawaythecoal Jul 26 '23 at 15:03

1 Answer

The solution is to create a list of combinations so you only need one for_each:

variable "specific_group" {
  type    = string
  default = "group:specificgroup@domain.com"
}

variable "group_bigtable_roles" {
  type    = list(string)
  default = [
    "roles/bigtable.admin",
    "roles/cloudfunctions.developer",
    "roles/cloudscheduler.admin",
    "roles/deploymentmanager.editor",
  ]
}

variable "group_bigtable_projects" {
  type    = list(string)
  default = [
    "123",
    "456",
    "789"
  ]
}

locals {
  project_role_combination_list = distinct(flatten([
    for project in var.group_bigtable_projects : [
      for role in var.group_bigtable_roles : {
        project = project
        role    = role
      }
    ]
  ]))
}

resource "google_project_iam_member" "specific_group_bigtable_roles" {
  for_each = { for entry in local.project_role_combination_list: "${entry.project}.${entry.role}" => entry }
  project  = each.value.project
  role     = each.value.role
  member   = var.specific_group
}
vpgcloud
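The same single-for_each pattern, generalised so that each project can carry its own role list instead of every project receiving every role. This is an added example, not code from the question or the answer; the variable and local names are assumptions for illustration.

```hcl
variable "specific_group" {
  type    = string
  default = "group:specificgroup@domain.com"
}

# Project id -> roles the group should hold in that project (constructed
# sample values). A project that needs fewer roles simply lists fewer.
variable "group_roles_by_project" {
  type = map(list(string))
  default = {
    "123" = ["roles/bigtable.admin", "roles/cloudscheduler.admin"]
    "456" = ["roles/bigtable.admin", "roles/cloudfunctions.developer"]
    "789" = ["roles/bigtable.admin"]
  }
}

locals {
  # Flatten the nested map into {project, role} objects, then key each one
  # as "project.role" so every binding has a stable address in state:
  # adding or removing one role touches only that one resource instance.
  # distinct() guards against a duplicated role producing a duplicate key.
  project_role_bindings = {
    for entry in flatten([
      for project, roles in var.group_roles_by_project : [
        for role in distinct(roles) : { project = project, role = role }
      ]
    ]) : "${entry.project}.${entry.role}" => entry
  }
}

# google_project_iam_member is non-authoritative: it adds this single member
# to the role without removing other principals already bound to it, which
# is the safe choice when several resources manage members of the same role.
resource "google_project_iam_member" "specific_group_roles" {
  for_each = local.project_role_bindings
  project  = each.value.project
  role     = each.value.role
  member   = var.specific_group
}
```

Running `terraform plan` against this shows one `google_project_iam_member` instance per map key, e.g. `["123.roles/bigtable.admin"]`, so a later change to one project's list affects only that project's bindings.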