Manage git user group membership with terraform

Now that the aws_iam_user_group_membership resource exists[1], we can
add these users to the relevant groups without clobbering existing
members of the group, meaning that our workaround is no longer
necessary.

[1]hashicorp/terraform-provider-aws#3365

concourse/pipelines/create-bosh-concourse.yml

@@ -1088,23 +1088,6 @@ jobs:
  params:
  file: updated-concourse-tfstate/concourse.tfstate
 
- # Temporary task to add the git-${DEPLOY_ENV} user to git group
- - task: add-git-user-to-group
- config:
- platform: linux
- image_resource: *awscli-image-resource
- inputs:
- - name: paas-bootstrap
- params:
- DEPLOY_ENV: ((deploy_env))
- run:
- path: sh
- args:
- - -e
- - -c
- - |
- aws iam add-user-to-group --user-name "git-${DEPLOY_ENV}" --group-name concourse-pool-git-rw
-
  - name: generate-concourse-config
  serial: true
  plan:

terraform/concourse/codecommit.tf

@@ -9,28 +9,10 @@ resource "aws_iam_user" "git" {
  name = "git-${var.env}"
 }
 
-# Until this feature request is not solved https://github.com/hashicorp/terraform/issues/5778,
-# `aws_iam_group_membership` will wipe all the other members from the
-# shared group.
-#
-# The workaround is use aws cli:
-#
-# aws iam add-user-to-group --user-name git-${DEPLOY_ENV} --group-name concourse-pool-git-rw
-#
-# We could do it using terraform provisioner local-exec calling out awscli
-# but we want to avoid this pattern so we will do it in a script in
-# the next step.
-#
-# Once they fix it upstream, we can replace it with this code:
-#
-# resource "aws_iam_group_membership" "concourse-pool-git-rw" {
-# name = "concourse-pool-git-rw"
-# group = "concourse-pool-git-rw"
-# users = [
-# "${aws_iam_user.git.name}",
-# ]
-# append = true
-#}
+resource "aws_iam_user_group_membership" "git_concourse_pool" {
+ user = "${aws_iam_user.git.name}"
+ groups = ["concourse-pool-git-rw"]
+}
 
 resource "aws_iam_user_ssh_key" "git" {
  username = "${aws_iam_user.git.name}"