Manage git user group membership with terraform

Now that the aws_iam_user_group_membership resource exists[1], we can add these users to the relevant groups without clobbering existing members of the group, meaning that our workaround is no longer necessary. [1]hashicorp/terraform-provider-aws#3365
alphagov · Nov 28, 2018 · b1e2e86 · b1e2e86
1 parent 5eab0c6
commit b1e2e86
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 39 deletions.
diff --git a/concourse/pipelines/create-bosh-concourse.yml b/concourse/pipelines/create-bosh-concourse.yml
@@ -1088,23 +1088,6 @@ jobs:
           params:
             file: updated-concourse-tfstate/concourse.tfstate
 
-      # Temporary task to add the git-${DEPLOY_ENV} user to git group
-      - task: add-git-user-to-group
-        config:
-          platform: linux
-          image_resource: *awscli-image-resource
-          inputs:
-          - name: paas-bootstrap
-          params:
-            DEPLOY_ENV: ((deploy_env))
-          run:
-            path: sh
-            args:
-            - -e
-            - -c
-            - |
-              aws iam add-user-to-group --user-name "git-${DEPLOY_ENV}" --group-name concourse-pool-git-rw
-
   - name: generate-concourse-config
     serial: true
     plan:

diff --git a/terraform/concourse/codecommit.tf b/terraform/concourse/codecommit.tf
@@ -9,28 +9,10 @@ resource "aws_iam_user" "git" {
   name = "git-${var.env}"
 }
 
-# Until this feature request is not solved https://github.com/hashicorp/terraform/issues/5778,
-# `aws_iam_group_membership` will wipe all the other members from the
-# shared group.
-#
-# The workaround is use aws cli:
-#
-#   aws iam add-user-to-group --user-name git-${DEPLOY_ENV} --group-name concourse-pool-git-rw
-#
-# We could do it using terraform provisioner local-exec calling out awscli
-# but we want to avoid this pattern so we will do it in a script in
-# the next step.
-#
-# Once they fix it upstream, we can replace it with this code:
-#
-# resource "aws_iam_group_membership" "concourse-pool-git-rw" {
-#    name = "concourse-pool-git-rw"
-#    group = "concourse-pool-git-rw"
-#    users = [
-#        "${aws_iam_user.git.name}",
-#    ]
-#    append = true
-#}
+resource "aws_iam_user_group_membership" "git_concourse_pool" {
+  user   = "${aws_iam_user.git.name}"
+  groups = ["concourse-pool-git-rw"]
+}
 
 resource "aws_iam_user_ssh_key" "git" {
   username   = "${aws_iam_user.git.name}"