updated iap_config object to have enabled boolean field and iap_members variable

Author: Deepraj1996

build/int.cloudbuild.yaml

@@ -163,22 +163,22 @@ steps:
   waitFor:
     - teardown internal-lb-http gce-mig
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage init --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage init --verbose']
 - id: apply backend-with-iap
   waitFor:
     - init backend-with-iap
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage apply --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage apply --verbose']
 - id: verify backend-with-iap
   waitFor:
     - apply backend-with-iap
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage verify --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage verify --verbose']
 - id: teardown backend-with-iap
   waitFor:
     - verify backend-with-iap
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage teardown --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/backend-with-iap/main.tf

@@ -21,6 +21,7 @@ module "lb-backend-iap" {
   project_id = var.project_id
   name       = "backend-with-iap"
   iap_config = {
+    enable      = true
     iap_members = ["user:[email protected]"]
   }
 }

examples/lb-http-separate-frontend-and-backend/main.tf

@@ -68,8 +68,8 @@ module "cloud-nat-group2" {
 }
 
 module "lb-http-backend" {
-  source     = "terraform-google-modules/lb-http/google//modules/backend"
-  version    = "~> 12.0"
+  source  = "terraform-google-modules/lb-http/google//modules/backend"
+  version = "~> 12.0"
 
   project_id = var.project_id
   name       = "backend-lb"
@@ -105,7 +105,7 @@ module "lb-http-backend" {
   ]
 
   iap_config = {
-    iap_members = []
+    enable = false
   }
 }
 

metadata.yaml

@@ -40,8 +40,8 @@ spec:
       - name: serverless_negs
         location: modules/serverless_negs
     examples:
-      - name: backend-with-IAP
-        location: examples/backend-with-IAP
+      - name: backend-with-iap
+        location: examples/backend-with-iap
       - name: cdn-policy
         location: examples/cdn-policy
       - name: certificate-map
@@ -338,13 +338,13 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/run.admin
+          - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
-          - roles/run.admin
-          - roles/iam.serviceAccountUser
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/backend/README.md

@@ -22,7 +22,7 @@ This module creates `google_compute_backend_service` resource and its dependenci
 | groups | The list of backend instance group which serves the traffic. | <pre>list(object({<br>    group       = string<br>    description = optional(string)<br><br>    balancing_mode               = optional(string)<br>    capacity_scaler              = optional(number)<br>    max_connections              = optional(number)<br>    max_connections_per_instance = optional(number)<br>    max_connections_per_endpoint = optional(number)<br>    max_rate                     = optional(number)<br>    max_rate_per_instance        = optional(number)<br>    max_rate_per_endpoint        = optional(number)<br>    max_utilization              = optional(number)<br>  }))</pre> | `[]` | no |
 | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. | <pre>object({<br>    host                = optional(string, null)<br>    request_path        = optional(string, null)<br>    request             = optional(string, null)<br>    response            = optional(string, null)<br>    port                = optional(number, null)<br>    port_name           = optional(string, null)<br>    proxy_header        = optional(string, null)<br>    port_specification  = optional(string, null)<br>    protocol            = optional(string, null)<br>    check_interval_sec  = optional(number, 5)<br>    timeout_sec         = optional(number, 5)<br>    healthy_threshold   = optional(number, 2)<br>    unhealthy_threshold = optional(number, 2)<br>    logging             = optional(bool, false)<br>  })</pre> | `null` | no |
 | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service | <pre>list(object({<br>    host = string<br>    path = string<br>  }))</pre> | <pre>[<br>  {<br>    "host": "*",<br>    "path": "/*"<br>  }<br>]</pre> | no |
-| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. | <pre>object({<br>    iap_members          = list(string)<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>  })</pre> | <pre>{<br>  "iap_members": []<br>}</pre> | no |
+| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. | <pre>object({<br>    enable               = bool<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>    iap_members          = list(string)<br>  })</pre> | <pre>{<br>  "enable": false,<br>  "iap_members": []<br>}</pre> | no |
 | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no |
 | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no |
 | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. | <pre>object({<br>    enable      = bool<br>    sample_rate = number<br>  })</pre> | <pre>{<br>  "enable": true,<br>  "sample_rate": 1<br>}</pre> | no |

modules/backend/main.tf

@@ -80,10 +80,10 @@ resource "google_compute_backend_service" "default" {
   }
 
   dynamic "iap" {
-    for_each = length(var.iap_config.iap_members) > 0 ? [1] : []
+    for_each = var.iap_config.enable ? [1] : []
     content {
       oauth2_client_id     = lookup(var.iap_config, "oauth2_client_id", "")
-      enabled              = length(var.iap_config.iap_members) > 0
+      enabled              = var.iap_config.enable
       oauth2_client_secret = lookup(var.iap_config, "oauth2_client_secret", "")
     }
   }

modules/backend/metadata.yaml

@@ -32,8 +32,8 @@ spec:
     description: {}
   content:
     examples:
-      - name: backend-with-IAP
-        location: examples/backend-with-IAP
+      - name: backend-with-iap
+        location: examples/backend-with-iap
       - name: cdn-policy
         location: examples/cdn-policy
       - name: certificate-map
@@ -194,11 +194,13 @@ spec:
         description: Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service.
         varType: |-
           object({
-              iap_members          = list(string)
+              enable               = bool
               oauth2_client_id     = optional(string)
               oauth2_client_secret = optional(string)
+              iap_members          = list(string)
             })
         defaultValue:
+          enable: false
           iap_members: []
       - name: cdn_policy
         description: Cloud CDN configuration for this BackendService.
@@ -333,13 +335,13 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/compute.networkAdmin
+          - roles/iap.admin
           - roles/iam.serviceAccountUser
           - roles/iam.serviceAccountAdmin
           - roles/compute.admin
           - roles/storage.admin
           - roles/run.admin
-          - roles/compute.networkAdmin
-          - roles/iap.admin
     services:
       - cloudresourcemanager.googleapis.com
       - compute.googleapis.com

modules/backend/variables.tf

@@ -156,11 +156,12 @@ variable "backend_bucket_name" {
 variable "iap_config" {
   description = "Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service."
   type = object({
-    iap_members          = list(string)
+    enable               = bool
     oauth2_client_id     = optional(string)
     oauth2_client_secret = optional(string)
+    iap_members          = list(string)
   })
-  default = { iap_members = [] }
+  default = { enable = false, iap_members = [] }
 }
 
 variable "cdn_policy" {

modules/dynamic_backends/metadata.yaml

@@ -32,8 +32,8 @@ spec:
     description: {}
   content:
     examples:
-      - name: backend-with-IAP
-        location: examples/backend-with-IAP
+      - name: backend-with-iap
+        location: examples/backend-with-iap
       - name: cdn-policy
         location: examples/cdn-policy
       - name: certificate-map
@@ -330,13 +330,13 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/iam.serviceAccountUser
-          - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
           - roles/run.admin
+          - roles/iam.serviceAccountUser
+          - roles/certificatemanager.owner
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/frontend/metadata.yaml

@@ -32,8 +32,8 @@ spec:
     description: {}
   content:
     examples:
-      - name: backend-with-IAP
-        location: examples/backend-with-IAP
+      - name: backend-with-iap
+        location: examples/backend-with-iap
       - name: cdn-policy
         location: examples/cdn-policy
       - name: certificate-map
@@ -246,11 +246,11 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/iam.serviceAccountUser
           - roles/compute.admin
           - roles/storage.admin
           - roles/iap.admin
           - roles/certificatemanager.owner
-          - roles/iam.serviceAccountUser
     services:
       - certificatemanager.googleapis.com
       - compute.googleapis.com