Add IAM dependencies to outputs

GoogleCloudPlatform · Sep 3, 2024 · d47a6fd · d47a6fd
1 parent 51ef390
commit d47a6fd
Show file tree

Hide file tree

Showing 7 changed files with 84 additions and 19 deletions.
diff --git a/modules/artifact-registry/outputs.tf b/modules/artifact-registry/outputs.tf
@@ -17,16 +17,25 @@
 output "id" {
   description = "Fully qualified repository id."
   value       = google_artifact_registry_repository.registry.id
+  depends_on = [
+    google_artifact_registry_repository_iam_binding.bindings
+  ]
 }
 
 output "name" {
   description = "Repository name."
   value       = google_artifact_registry_repository.registry.name
+  depends_on = [
+    google_artifact_registry_repository_iam_binding.bindings
+  ]
 }
 
 output "repository" {
   description = "Repository object."
   value       = google_artifact_registry_repository.registry
+  depends_on = [
+    google_artifact_registry_repository_iam_binding.bindings
+  ]
 }
 
 output "url" {
@@ -36,5 +45,8 @@ output "url" {
     var.project_id,
     var.name
   ])
-  depends_on = [google_artifact_registry_repository.registry]
+  depends_on = [
+    google_artifact_registry_repository.registry,
+    google_artifact_registry_repository_iam_binding.bindings
+  ]
 }
diff --git a/modules/bigquery-dataset/outputs.tf b/modules/bigquery-dataset/outputs.tf
@@ -29,7 +29,8 @@ output "dataset_id" {
     google_bigquery_dataset_access.domain,
     google_bigquery_dataset_access.group_by_email,
     google_bigquery_dataset_access.special_group,
-    google_bigquery_dataset_access.user_by_email
+    google_bigquery_dataset_access.user_by_email,
+    google_bigquery_dataset_iam_binding.bindings,
   ]
 }
 
@@ -43,7 +44,8 @@ output "id" {
     google_bigquery_dataset_access.domain,
     google_bigquery_dataset_access.group_by_email,
     google_bigquery_dataset_access.special_group,
-    google_bigquery_dataset_access.user_by_email
+    google_bigquery_dataset_access.user_by_email,
+    google_bigquery_dataset_iam_binding.bindings,
   ]
 }
 
@@ -67,7 +69,8 @@ output "self_link" {
     google_bigquery_dataset_access.domain,
     google_bigquery_dataset_access.group_by_email,
     google_bigquery_dataset_access.special_group,
-    google_bigquery_dataset_access.user_by_email
+    google_bigquery_dataset_access.user_by_email,
+    google_bigquery_dataset_iam_binding.bindings,
   ]
 }
 

diff --git a/modules/gcs/outputs.tf b/modules/gcs/outputs.tf
@@ -30,7 +30,9 @@ output "id" {
   value       = "${local.prefix}${lower(var.name)}"
   depends_on = [
     google_storage_bucket.bucket,
-    google_storage_bucket_iam_binding.bindings
+    google_storage_bucket_iam_binding.bindings,
+    google_storage_bucket_iam_binding.authoritative,
+    google_storage_bucket_iam_member.bindings
   ]
 }
 
@@ -39,7 +41,9 @@ output "name" {
   value       = "${local.prefix}${lower(var.name)}"
   depends_on = [
     google_storage_bucket.bucket,
-    google_storage_bucket_iam_binding.bindings
+    google_storage_bucket_iam_binding.bindings,
+    google_storage_bucket_iam_binding.authoritative,
+    google_storage_bucket_iam_member.bindings
   ]
 }
 

diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf
@@ -19,7 +19,11 @@ output "id" {
   value       = local.keyring.id
   depends_on = [
     google_kms_key_ring_iam_binding.authoritative,
-    google_kms_key_ring_iam_binding.bindings
+    google_kms_key_ring_iam_binding.bindings,
+    google_kms_key_ring_iam_member.bindings,
+    google_kms_crypto_key_iam_binding.authoritative,
+    google_kms_crypto_key_iam_binding.bindings,
+    google_kms_crypto_key_iam_member.members
   ]
 }
 
@@ -28,7 +32,11 @@ output "import_job" {
   value       = google_kms_key_ring_import_job.default
   depends_on = [
     google_kms_key_ring_iam_binding.authoritative,
-    google_kms_key_ring_iam_binding.bindings
+    google_kms_key_ring_iam_binding.bindings,
+    google_kms_key_ring_iam_member.bindings,
+    google_kms_crypto_key_iam_binding.authoritative,
+    google_kms_crypto_key_iam_binding.bindings,
+    google_kms_crypto_key_iam_member.members
   ]
 }
 
@@ -40,7 +48,8 @@ output "key_ids" {
   }
   depends_on = [
     google_kms_crypto_key_iam_binding.authoritative,
-    google_kms_crypto_key_iam_binding.bindings
+    google_kms_crypto_key_iam_binding.bindings,
+    google_kms_crypto_key_iam_member.members
   ]
 }
 
@@ -49,16 +58,24 @@ output "keyring" {
   value       = local.keyring
   depends_on = [
     google_kms_key_ring_iam_binding.authoritative,
-    google_kms_key_ring_iam_binding.bindings
+    google_kms_key_ring_iam_binding.bindings,
+    google_kms_crypto_key_iam_member.members,
+    google_kms_crypto_key_iam_binding.authoritative,
+    google_kms_crypto_key_iam_binding.bindings,
+    google_kms_crypto_key_iam_member.members,
   ]
 }
 
 output "keys" {
   description = "Key resources."
   value       = google_kms_crypto_key.default
   depends_on = [
+    google_kms_key_ring_iam_binding.authoritative,
+    google_kms_key_ring_iam_binding.bindings,
+    google_kms_key_ring_iam_member.bindings,
     google_kms_crypto_key_iam_binding.authoritative,
-    google_kms_crypto_key_iam_binding.bindings
+    google_kms_crypto_key_iam_binding.bindings,
+    google_kms_crypto_key_iam_member.members
   ]
 }
 
@@ -67,7 +84,11 @@ output "location" {
   value       = local.keyring.location
   depends_on = [
     google_kms_key_ring_iam_binding.authoritative,
-    google_kms_key_ring_iam_binding.bindings
+    google_kms_key_ring_iam_binding.bindings,
+    google_kms_key_ring_iam_member.bindings,
+    google_kms_crypto_key_iam_binding.authoritative,
+    google_kms_crypto_key_iam_binding.bindings,
+    google_kms_crypto_key_iam_member.members
   ]
 }
 
@@ -76,6 +97,10 @@ output "name" {
   value       = local.keyring.name
   depends_on = [
     google_kms_key_ring_iam_binding.authoritative,
-    google_kms_key_ring_iam_binding.bindings
+    google_kms_key_ring_iam_binding.bindings,
+    google_kms_key_ring_iam_member.bindings,
+    google_kms_crypto_key_iam_binding.authoritative,
+    google_kms_crypto_key_iam_binding.bindings,
+    google_kms_crypto_key_iam_member.members
   ]
 }
diff --git a/modules/project/cmek.tf b/modules/project/cmek.tf
@@ -54,8 +54,9 @@ locals {
       # use the deps listed above, if the service does not appear
       # there, use all the service agents belonging to the service
       for dep in try(local._cmek_agents_by_service[service], [for x in local._service_agents_by_api[service] : x.name]) : {
-        for key in keys :
-        "${key}.${local._aliased_service_agents[dep].name}" => {
+        # use index in map key, to allow specyfing keys, that will be created in the same apply
+        for index, key in keys :
+        "key-${index}.${local._aliased_service_agents[dep].name}" => {
           key   = key
           agent = local._aliased_service_agents[dep].iam_email
         }

diff --git a/modules/pubsub/outputs.tf b/modules/pubsub/outputs.tf
@@ -20,7 +20,8 @@ output "id" {
   depends_on = [
     google_pubsub_topic.default,
     google_pubsub_topic_iam_binding.authoritative,
-    google_pubsub_topic_iam_binding.bindings
+    google_pubsub_topic_iam_binding.bindings,
+    google_pubsub_topic_iam_member.bindings
   ]
 }
 
@@ -41,7 +42,8 @@ output "subscription_id" {
   }
   depends_on = [
     google_pubsub_subscription_iam_binding.authoritative,
-    google_pubsub_subscription_iam_binding.bindings
+    google_pubsub_subscription_iam_binding.bindings,
+    google_pubsub_subscription_iam_member.members
   ]
 }
 
@@ -50,7 +52,8 @@ output "subscriptions" {
   value       = google_pubsub_subscription.default
   depends_on = [
     google_pubsub_subscription_iam_binding.authoritative,
-    google_pubsub_subscription_iam_binding.bindings
+    google_pubsub_subscription_iam_binding.bindings,
+    google_pubsub_subscription_iam_member.members
   ]
 }
 
@@ -59,6 +62,7 @@ output "topic" {
   value       = google_pubsub_topic.default
   depends_on = [
     google_pubsub_topic_iam_binding.authoritative,
-    google_pubsub_topic_iam_binding.bindings
+    google_pubsub_topic_iam_binding.bindings,
+    google_pubsub_topic_iam_member.bindings
   ]
 }
diff --git a/modules/secret-manager/outputs.tf b/modules/secret-manager/outputs.tf
@@ -19,29 +19,45 @@ output "ids" {
   value = {
     for k, v in google_secret_manager_secret.default : v.secret_id => v.id
   }
+  depends_on = [
+    google_secret_manager_secret_iam_binding.default
+  ]
 }
 
 output "secrets" {
   description = "Secret resources."
   value       = google_secret_manager_secret.default
+  depends_on = [
+    google_secret_manager_secret_iam_binding.default
+  ]
+
 }
 
 output "version_ids" {
   description = "Version ids keyed by secret name : version name."
   value = {
     for k, v in google_secret_manager_secret_version.default : k => v.id
   }
+  depends_on = [
+    google_secret_manager_secret_iam_binding.default
+  ]
 }
 
 output "version_versions" {
   description = "Version versions keyed by secret name : version name."
   value = {
     for k, v in google_secret_manager_secret_version.default : k => v.version
   }
+  depends_on = [
+    google_secret_manager_secret_iam_binding.default
+  ]
 }
 
 output "versions" {
   description = "Secret versions."
   value       = google_secret_manager_secret_version.default
   sensitive   = true
+  depends_on = [
+    google_secret_manager_secret_iam_binding.default
+  ]
 }