Skip to content

feat!: Swap count for for_each on subnet IAM resources #1009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat!: Swap count for for_each on subnet IAM resources #1009

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a3f2ef2
First stab at fixing subnet IAM permissions that change every time a …
thatcoleyouknow Oct 11, 2025
9033868
Almost forgot about the shared_vpc_access module
thatcoleyouknow Oct 11, 2025
197ca51
Improving diff readability
thatcoleyouknow Oct 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 30 additions & 24 deletions modules/core_project_factory/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -212,20 +212,22 @@ resource "google_project_iam_member" "controlling_group_vpc_membership" {
*************************************************************************************/
resource "google_compute_subnetwork_iam_member" "service_account_role_to_vpc_subnets" {
provider = google-beta
count = var.grant_network_role && var.enable_shared_vpc_service_project && length(var.shared_vpc_subnets) > 0 && var.create_project_sa ? length(var.shared_vpc_subnets) : 0
for_each = (var.grant_network_role && var.enable_shared_vpc_service_project && length(var.shared_vpc_subnets) > 0 && var.create_project_sa) ? toset(var.shared_vpc_subnets) : toset([])

subnetwork = element(
split("/", var.shared_vpc_subnets[count.index]),
split("/", each.value),
index(
split("/", var.shared_vpc_subnets[count.index]),
"subnetworks",
) + 1,
split("/", each.value),
"subnetworks"
) + 1
)
role = "roles/compute.networkUser"

region = element(
split("/", var.shared_vpc_subnets[count.index]),
index(split("/", var.shared_vpc_subnets[count.index]), "regions") + 1,
split("/", each.value),
index(split("/", each.value), "regions") + 1
)
Comment on lines 217 to 228
Copy link

@gemini-code-assist gemini-code-assist bot Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The subnetwork argument of google_compute_subnetwork_iam_member can accept the subnetwork's self-link directly. Since var.shared_vpc_subnets contains the self-links, you can simplify the code by assigning each.value to subnetwork and removing the explicit region argument, as it can be inferred from the self-link. This makes the code cleaner and less brittle.

  subnetwork = each.value


role = "roles/compute.networkUser"
project = var.shared_vpc
member = local.s_account_fmt
}
Expand All @@ -235,20 +237,22 @@ resource "google_compute_subnetwork_iam_member" "service_account_role_to_vpc_sub
*************************************************************************************/
resource "google_compute_subnetwork_iam_member" "group_role_to_vpc_subnets" {
provider = google-beta
for_each = (var.grant_network_role && var.enable_shared_vpc_service_project && length(var.shared_vpc_subnets) > 0 && var.manage_group) ? toset(var.shared_vpc_subnets) : toset([])

count = var.grant_network_role && var.enable_shared_vpc_service_project && length(var.shared_vpc_subnets) > 0 && var.manage_group ? length(var.shared_vpc_subnets) : 0
subnetwork = element(
split("/", var.shared_vpc_subnets[count.index]),
split("/", each.value),
index(
split("/", var.shared_vpc_subnets[count.index]),
"subnetworks",
) + 1,
split("/", each.value),
"subnetworks"
) + 1
)
role = "roles/compute.networkUser"

region = element(
split("/", var.shared_vpc_subnets[count.index]),
index(split("/", var.shared_vpc_subnets[count.index]), "regions") + 1,
split("/", each.value),
index(split("/", each.value), "regions") + 1
)
Comment on lines 242 to 253
Copy link

@gemini-code-assist gemini-code-assist bot Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The subnetwork argument of google_compute_subnetwork_iam_member can accept the subnetwork's self-link directly. Since var.shared_vpc_subnets contains the self-links, you can simplify the code by assigning each.value to subnetwork and removing the explicit region argument, as it can be inferred from the self-link. This makes the code cleaner and less brittle.

  subnetwork = each.value


role = "roles/compute.networkUser"
member = local.group_id
project = var.shared_vpc
}
Expand All @@ -258,20 +262,22 @@ resource "google_compute_subnetwork_iam_member" "group_role_to_vpc_subnets" {
*************************************************************************************/
resource "google_compute_subnetwork_iam_member" "apis_service_account_role_to_vpc_subnets" {
provider = google-beta
for_each = (var.grant_network_role && var.enable_shared_vpc_service_project && length(var.shared_vpc_subnets) > 0) ? toset(var.shared_vpc_subnets) : toset([])

count = var.grant_network_role && var.enable_shared_vpc_service_project && length(var.shared_vpc_subnets) > 0 ? length(var.shared_vpc_subnets) : 0
subnetwork = element(
split("/", var.shared_vpc_subnets[count.index]),
split("/", each.value),
index(
split("/", var.shared_vpc_subnets[count.index]),
"subnetworks",
) + 1,
split("/", each.value),
"subnetworks"
) + 1
)
role = "roles/compute.networkUser"

region = element(
split("/", var.shared_vpc_subnets[count.index]),
index(split("/", var.shared_vpc_subnets[count.index]), "regions") + 1,
split("/", each.value),
index(split("/", each.value), "regions") + 1
)
Comment on lines 267 to 278
Copy link

@gemini-code-assist gemini-code-assist bot Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The subnetwork argument of google_compute_subnetwork_iam_member can accept the subnetwork's self-link directly. Since var.shared_vpc_subnets contains the self-links, you can simplify the code by assigning each.value to subnetwork and removing the explicit region argument, as it can be inferred from the self-link. This makes the code cleaner and less brittle.

  subnetwork = each.value


role = "roles/compute.networkUser"
project = var.shared_vpc
member = local.api_s_account_fmt

Expand Down
40 changes: 23 additions & 17 deletions modules/shared_vpc_access/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,21 +95,24 @@ locals {
*****************************************/
resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users" {
provider = google-beta
count = var.grant_network_role ? length(local.subnetwork_api) : 0
for_each = var.grant_network_role ? toset(local.subnetwork_api) : toset([])

subnetwork = element(
split("/", split(",", local.subnetwork_api[count.index])[1]),
split("/", each.value),
index(
split("/", split(",", local.subnetwork_api[count.index])[1]),
"subnetworks",
) + 1,
split("/", each.value),
"subnetworks"
) + 1
)
role = local.apis[split(",", local.subnetwork_api[count.index])[0]].role

region = element(
split("/", split(",", local.subnetwork_api[count.index])[1]),
index(split("/", split(",", local.subnetwork_api[count.index])[1]), "regions") + 1,
split("/", each.value),
index(split("/", each.value), "regions") + 1
)
Comment on lines 100 to 111
Copy link

@gemini-code-assist gemini-code-assist bot Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

There seems to be a bug introduced here. each.value is a string like "${api},${subnet}". The original code correctly did split(",", ...)[1] to extract the subnet self-link before parsing it. This seems to have been lost in the refactoring. You need to split each.value by comma first.

Additionally, you can simplify this logic. The subnetwork argument accepts a self-link. You can pass the subnet self-link directly and remove the region argument, as it will be inferred.

  subnetwork = split(",", each.value)[1]


role = local.apis[split(",", each.value)[0]].role
project = var.host_project_id
member = format("serviceAccount:%s", local.apis[split(",", local.subnetwork_api[count.index])[0]].service_account)
member = format("serviceAccount:%s", local.apis[split(",", each.value)[0]].service_account)
}

/******************************************
Expand All @@ -118,19 +121,22 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
*****************************************/
resource "google_compute_subnetwork_iam_member" "cloudservices_shared_vpc_subnet_users" {
provider = google-beta
count = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? length(local.subnetwork_api) : 0
for_each = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? toset(local.subnetwork_api) : toset([])

subnetwork = element(
split("/", split(",", local.subnetwork_api[count.index])[1]),
split("/", each.value),
index(
split("/", split(",", local.subnetwork_api[count.index])[1]),
"subnetworks",
) + 1,
split("/", each.value),
"subnetworks"
) + 1
)
role = "roles/compute.networkUser"

region = element(
split("/", split(",", local.subnetwork_api[count.index])[1]),
index(split("/", split(",", local.subnetwork_api[count.index])[1]), "regions") + 1,
split("/", each.value),
index(split("/", each.value), "regions") + 1
)
Comment on lines 126 to 137
Copy link

@gemini-code-assist gemini-code-assist bot Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

There seems to be a bug introduced here. each.value is a string like "${api},${subnet}". The original code correctly did split(",", ...)[1] to extract the subnet self-link before parsing it. This seems to have been lost in the refactoring. You need to split each.value by comma first.

Additionally, you can simplify this logic. The subnetwork argument accepts a self-link. You can pass the subnet self-link directly and remove the region argument, as it will be inferred.

  subnetwork = split(",", each.value)[1]


role = "roles/compute.networkUser"
project = var.host_project_id
member = format("serviceAccount:%s@cloudservices.gserviceaccount.com", local.service_project_number)
}
Expand Down