From c05fc7271842a7bd8fd4b2c99a3cf16c2f1f0c2b Mon Sep 17 00:00:00 2001
From: Alex Tomlins
Date: Tue, 27 Nov 2018 16:44:04 +0000
Subject: [PATCH] Manage git user group membership with terraform

Now that the aws_iam_user_group_membership resource exists[1], we can add these users to the relevant groups without clobbering existing members of the group, meaning that our workaround is no longer necessary.

[1]https://github.com/terraform-providers/terraform-provider-aws/pull/3365
---
 concourse/pipelines/create-bosh-concourse.yml | 17 ------------
 terraform/concourse/codecommit.tf | 26 +++----------------
 2 files changed, 4 insertions(+), 39 deletions(-)

diff --git a/concourse/pipelines/create-bosh-concourse.yml b/concourse/pipelines/create-bosh-concourse.yml
index e3beee53d..ad8c60369 100644
--- a/concourse/pipelines/create-bosh-concourse.yml
+++ b/concourse/pipelines/create-bosh-concourse.yml
@@ -1088,23 +1088,6 @@ jobs:
 params:
 file: updated-concourse-tfstate/concourse.tfstate
 
- # Temporary task to add the git-${DEPLOY_ENV} user to git group
- - task: add-git-user-to-group
- config:
- platform: linux
- image_resource: *awscli-image-resource
- inputs:
- - name: paas-bootstrap
- params:
- DEPLOY_ENV: ((deploy_env))
- run:
- path: sh
- args:
- - -e
- - -c
- - |
- aws iam add-user-to-group --user-name "git-${DEPLOY_ENV}" --group-name concourse-pool-git-rw
-
 - name: generate-concourse-config
 serial: true
 plan:
diff --git a/terraform/concourse/codecommit.tf b/terraform/concourse/codecommit.tf
index 2a46bfbce..c62f9c899 100644
--- a/terraform/concourse/codecommit.tf
+++ b/terraform/concourse/codecommit.tf
@@ -9,28 +9,10 @@ resource "aws_iam_user" "git" {
 name = "git-${var.env}"
 }
 
-# Until this feature request is not solved https://github.com/hashicorp/terraform/issues/5778,
-# `aws_iam_group_membership` will wipe all the other members from the
-# shared group.
-#
-# The workaround is use aws cli:
-#
-# aws iam add-user-to-group --user-name git-${DEPLOY_ENV} --group-name concourse-pool-git-rw
-#
-# We could do it using terraform provisioner local-exec calling out awscli
-# but we want to avoid this pattern so we will do it in a script in
-# the next step.
-#
-# Once they fix it upstream, we can replace it with this code:
-#
-# resource "aws_iam_group_membership" "concourse-pool-git-rw" {
-# name = "concourse-pool-git-rw"
-# group = "concourse-pool-git-rw"
-# users = [
-# "${aws_iam_user.git.name}",
-# ]
-# append = true
-#}
+resource "aws_iam_user_group_membership" "git_concourse_pool" {
+ user = "${aws_iam_user.git.name}"
+ groups = ["concourse-pool-git-rw"]
+}
 
 resource "aws_iam_user_ssh_key" "git" {
 username = "${aws_iam_user.git.name}"
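Review bot: The new `aws_iam_user_group_membership.git_concourse_pool` resource drops all of the context the comment it replaces carried, so a later reader has no hint that `concourse-pool-git-rw` is a shared group with members managed outside this module, nor why this resource type was chosen over `aws_iam_group_membership`. Suggest a short comment directly above the resource, e.g. `# Non-exclusive membership: the group is shared and its other members are managed elsewhere,` / `# so aws_iam_user_group_membership is used rather than aws_iam_group_membership, which` / `# would remove every member not listed here.` Since the commit message notes that this resource only exists in AWS provider releases that include the cited upstream PR, it is worth confirming that the provider `version` constraint for this module (not visible in this hunk) requires at least that release, so an older cached plugin cannot silently be selected and fail the plan. The hard-coded group name is acceptable here, but if the same name is referenced in other Terraform files a shared variable would keep them from drifting apart.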