in internal/policygen/iam.go [154:183]
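// members collects the IAM grants declared through non-authoritative
// google_<rootType>_iam_member resources in the given Terraform state.
//
// Every instance must carry the root resource ID field (idField), a "role"
// and a "member", all as strings; the ID is normalized with normalizeID
// before it is used as the grouping key. Members are appended in state
// order, so the same member granted the same role by several instances
// appears that many times in the result.
//
// Only *_iam_member resources are visited here; authoritative
// google_<rootType>_iam_binding / _iam_policy resources are not read by this
// function (presumably handled elsewhere — TODO confirm).
//
// Returns the bindings keyed by root resource, or a wrapped error when the
// instances cannot be read, a mandatory field is missing or not a string, or
// an ID cannot be normalized.
func members(rn runner.Runner, resources []*states.Resource, rootType, idField string) (map[root]roleBindings, error) {
	bindings := make(map[root]roleBindings)
	resourceType := fmt.Sprintf("google_%s_iam_member", rootType) // non-authoritative
	instances, err := terraform.GetInstancesForType(resources, resourceType)
	if err != nil {
		// %w keeps the underlying error reachable via errors.Is / errors.As.
		return nil, fmt.Errorf("get resource instances for type %q: %w", resourceType, err)
	}
	for _, ins := range instances {
		// Guarantees presence and string type of every field asserted below.
		if err := validateMandatoryStringFields(ins, []string{idField, "role", "member"}); err != nil {
			return nil, err
		}
		id, err := normalizeID(rn, rootType, ins[idField].(string))
		if err != nil {
			return nil, fmt.Errorf("normalize root resource ID: %w", err)
		}
		key := root{Type: rootType, ID: id}
		// Single lookup: fetch the per-root map, creating it on first use.
		rb, ok := bindings[key]
		if !ok {
			rb = make(roleBindings)
			bindings[key] = rb
		}
		role := ins["role"].(string)
		rb[role] = append(rb[role], ins["member"].(string))
	}
	return bindings, nil
}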