iap_members logic update and regex validation

Deepraj1996 · Deepraj1996 · commit 92113c153a50 · 2025-08-22T15:34:09.000Z
diff --git a/metadata.yaml b/metadata.yaml
@@ -338,13 +338,13 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
+          - roles/run.admin
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
diff --git a/modules/backend/main.tf b/modules/backend/main.tf
@@ -17,6 +17,7 @@
 locals {
   is_backend_bucket       = var.backend_bucket_name != null && var.backend_bucket_name != ""
   serverless_neg_backends = local.is_backend_bucket ? [] : var.serverless_neg_backends
+  iap_access_members      = var.iap_config.enable ? coalesce(var.iap_config.iap_members, []) : []
 }
 
 resource "google_compute_backend_service" "default" {
@@ -367,7 +368,7 @@ resource "google_compute_backend_bucket" "default" {
 }
 
 resource "google_iap_web_backend_service_iam_member" "member" {
-  for_each            = toset(var.iap_config.iap_members)
+  for_each            = toset(local.iap_access_members)
   project             = google_compute_backend_service.default[0].project
   web_backend_service = google_compute_backend_service.default[0].name
   role                = "roles/iap.httpsResourceAccessor"
diff --git a/modules/backend/metadata.display.yaml b/modules/backend/metadata.display.yaml
@@ -85,11 +85,12 @@ spec:
         iap_config:
           name: iap_config
           title: Iap Config
-        iap_members:
-          name: iap_members
-          title: Iap Members
-          regexValidation: ^(?:allUsers|allAuthenticatedUsers)$|^((?:user|group|serviceAccount):(?:[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})|(?:domain:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,})|(?:projectOwner|projectEditor|projectViewer):[a-z][a-z0-9-]{0,28}[a-z0-9])$
-          validation: Must be allUsers, allAuthenticatedUsers, or a service account in the format serviceAccount:email@example.com. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_backend_service_iam#google_iap_web_backend_service_iam_member).
+          properties:
+            iap_members:
+              name: iap_members
+              title: Iap Members
+              regexValidation: ^(?:allUsers|allAuthenticatedUsers)$|^((?:user|group|serviceAccount):(?:[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})|(?:domain:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,})|(?:projectOwner|projectEditor|projectViewer):[a-z][a-z0-9-]{0,28}[a-z0-9])$
+              validation: Must be allUsers, allAuthenticatedUsers, or a service account in the format serviceAccount:email@example.com. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_backend_service_iam#google_iap_web_backend_service_iam_member).
         load_balancing_scheme:
           name: load_balancing_scheme
           title: Load Balancing Scheme
diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml
@@ -338,13 +338,13 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
+          - roles/compute.admin
           - roles/storage.admin
           - roles/run.admin
           - roles/compute.networkAdmin
           - roles/iap.admin
-          - roles/iam.serviceAccountUser
-          - roles/iam.serviceAccountAdmin
-          - roles/compute.admin
     services:
       - cloudresourcemanager.googleapis.com
       - compute.googleapis.com
diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml
@@ -330,13 +330,13 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/vpcaccess.admin
+          - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
-          - roles/vpcaccess.admin
-          - roles/iam.serviceAccountAdmin
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml
@@ -294,13 +294,13 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
+          - roles/run.admin
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@`
`17`	`17`	`locals {`
`18`	`18`	`is_backend_bucket = var.backend_bucket_name != null && var.backend_bucket_name != ""`
`19`	`19`	`serverless_neg_backends = local.is_backend_bucket ? [] : var.serverless_neg_backends`
	`20`	`+ iap_access_members = var.iap_config.enable ? coalesce(var.iap_config.iap_members, []) : []`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`resource "google_compute_backend_service" "default" {`
`@@ -367,7 +368,7 @@ resource "google_compute_backend_bucket" "default" {`
`367`	`368`	`}`
`368`	`369`
`369`	`370`	`resource "google_iap_web_backend_service_iam_member" "member" {`
`370`		`- for_each = toset(var.iap_config.iap_members)`
	`371`	`+ for_each = toset(local.iap_access_members)`
`371`	`372`	`project = google_compute_backend_service.default[0].project`
`372`	`373`	`web_backend_service = google_compute_backend_service.default[0].name`
`373`	`374`	`role = "roles/iap.httpsResourceAccessor"`