feat: Add support for conditional per_folder_admins and all_folder_adm… (#88)

MohdUmar20 · web-flow · commit fa587ae8887c · 2024-10-01T11:34:36.000-07:00
diff --git a/main.tf b/main.tf
@@ -18,16 +18,35 @@ locals {
   prefix       = var.prefix == "" ? "" : "${var.prefix}-"
   folders_list = [for name in var.names : try(google_folder.folders[name], "")]
   first_folder = try(local.folders_list[0], {})
-  folder_admin_roles_map_data = merge([
-    for name, config in var.per_folder_admins : {
-      for role in config.roles != null ? config.roles : var.folder_admin_roles : "${name}-${role}" =>
-      {
+
+  # Handle roles for per_folder_admins if provided
+  folder_admin_roles_map_data = flatten([
+    for name, config in var.per_folder_admins : [
+      for role in config.roles != null ? config.roles : var.folder_admin_roles : {
         name    = name,
         role    = role,
-        members = config.members,
+        members = config.members
       }
-    }
-  ]...)
+    ]
+  ])
+
+  # Handle roles for all_folder_admins if provided, applied to all folders only if they are not part of per_folder_admins
+  folder_admin_roles_all_folders = flatten([
+    for folder in var.names : [
+      for role in var.folder_admin_roles : {
+        name    = folder,
+        role    = role,
+        members = var.all_folder_admins
+      }
+    ]
+    # Only add roles for all_folder_admins if they are not already present in per_folder_admins
+    if length(var.all_folder_admins) > 0 && !contains(keys(var.per_folder_admins), folder)
+  ])
+
+  # Merge per_folder_admins and all_folder_admins, avoiding duplication
+  folder_admin_roles_combined = [
+    for role_map in concat(local.folder_admin_roles_map_data, local.folder_admin_roles_all_folders) : role_map
+  ]
 }
 
 resource "google_folder" "folders" {
@@ -41,13 +60,18 @@ resource "google_folder" "folders" {
 # give project creation access to service accounts
 # https://cloud.google.com/resource-manager/docs/access-control-folders#granting_folder-specific_roles_to_enable_project_creation
 
-resource "google_folder_iam_binding" "owners" {
-  for_each = var.set_roles ? local.folder_admin_roles_map_data : {}
-  folder   = google_folder.folders[each.value.name].name
-  role     = each.value.role
+locals {
+  folder_iam_bindings = var.set_roles && length(local.folder_admin_roles_combined) > 0 ? { for i, role in local.folder_admin_roles_combined : "${role.name}-${role.role}" => role } : {}
+}
+
+resource "google_folder_iam_binding" "owners_combined" {
+  for_each = local.folder_iam_bindings
+
+  folder = google_folder.folders[each.value.name].name
+  role   = each.value.role
 
-  members = concat(
+  members = distinct(flatten([
     each.value.members,
-    var.all_folder_admins,
-  )
+    length(var.all_folder_admins) > 0 && contains(var.names, each.value.name) ? var.all_folder_admins : []
+  ]))
 }
