From 96e037eae312e86d479a0cdfbae02ce02ff7df36 Mon Sep 17 00:00:00 2001
From: Sebastian Macarescu
Date: Wed, 15 Dec 2021 18:03:57 +0200
Subject: [PATCH 1/6] create iam policy
---
 main.tf | 9 +++++++++
 outputs.tf | 5 +++++
 variables.tf | 12 ++++++++++++
 3 files changed, 26 insertions(+)
diff --git a/main.tf b/main.tf
index 211591e..6265975 100644
--- a/main.tf
+++ b/main.tf
@@ -59,3 +59,12 @@ data "aws_iam_policy_document" "this" {
 }
 }
 }
+
+resource "aws_iam_policy" "policy" {
+ count = local.enabled && var.create_iam_policy ? 1 : 0
+
+ name = module.this.id
+ description = var.description
+ policy = join("", data.aws_iam_policy_document.this.*.json)
+ tags = module.this.tags
+}
diff --git a/outputs.tf b/outputs.tf
index 3b563ca..bf965ef 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -2,3 +2,8 @@ output "json" {
 description = "JSON body of the IAM policy document"
 value = try(data.aws_iam_policy_document.this[0].json, null)
 }
+
+output "policy_arn" {
+ description = "ARN of created IAM policy"
+ value = join("", resource.aws_iam_policy.policy.*.arn)
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 6ad4a16..442f5a3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -16,3 +16,15 @@ variable "iam_policy_statements" {
 description = "List of IAM policy statements to use in the policy. This can be used with or instead of the `var.iam_source_json_url`."
 default = []
 }
+
+variable "description" {
+ type = string
+ description = "Description of IAM policy"
+ default = ""
+}
+
+variable "create_iam_policy" {
+ type = bool
+ description = "If set to true will create IAM policy in AWS"
+ default = false
+}
\ No newline at end of file
From 8977fad82e41dbfb8296cc1e1de921aba3dd909e Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Wed, 15 Dec 2021 16:07:45 +0000
Subject: [PATCH 2/6] Auto Format
---
 README.md | 4 ++++
 docs/terraform.md | 4 ++++
 2 files changed, 8 insertions(+)
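Review bot: `policy = join("", data.aws_iam_policy_document.this.*.json)` collapses to an empty string whenever the data source has no instances — the `json` output reads the same reference as `this[0]` inside `try(..., null)`, which suggests it is count-gated — and an empty policy body is only rejected later by the provider's JSON validation or by IAM, with a message that does not point at the missing statements. Gating the resource on the document as well makes the skip explicit instead of a late failure: `count = local.enabled && var.create_iam_policy && length(data.aws_iam_policy_document.this) > 0 ? 1 : 0`. Separately, as far as I recall the AWS provider marks `description` on `aws_iam_policy` as force-new, so a later change to `var.description` replaces the policy and the delete step fails while the old policy is still attached; a comment on the resource, `# NOTE: IAM policy descriptions are immutable; changing var.description recreates the policy`, would make that visible. The `data "aws_iam_policy_document" "this"` block begins outside this hunk.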
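Review bot: `policy_arn` yields `""` rather than `null` when the policy is not created, which diverges from the `json` output just above it that uses `try(..., null)`; an empty-string ARN handed to a policy-attachment resource is rejected at plan or apply, whereas `null` lets callers test for the absent case. `value = try(aws_iam_policy.policy[0].arn, null)` follows the existing output's convention. The description could state the absent case too: `description = "ARN of the created IAM policy, or null when the policy is not created"`.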
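Review bot: The description of `create_iam_policy`, `If set to true will create IAM policy in AWS`, leaves out what the policy body is and that the flag turns a module that only rendered JSON into one that creates that JSON as a live policy in the account, including a document fetched over HTTP when `iam_source_json_url` is set (the `http_http.iam_source_json_url` data source is listed in the README hunks of this series). Since a remotely fetched document would be created as-is, I'd spell that out: `description = "If set to true (and var.enabled is true), create an aws_iam_policy named module.this.id from the rendered document. When iam_source_json_url is used, the downloaded document is applied as-is; pin and review that source."`. The `description` variable could likewise note that IAM policy descriptions cannot be changed in place.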
diff --git a/README.md b/README.md index 09f4375..b308c9b 100644 --- a/README.md +++ b/README.md @@ -194,6 +194,7 @@ Available targets: | Name | Type | |------|------| +| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [http_http.iam_source_json_url](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | @@ -204,7 +205,9 @@ Available targets: | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create\_iam\_policy](#input\_create\_iam\_policy) | If set to true will create IAM policy in AWS | `bool` | `false` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input\_description) | Description of IAM policy | `string` | `""` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | @@ -228,6 +231,7 @@ Available targets: | Name | Description | |------|-------------| | [json](#output\_json) | JSON body of the IAM policy document | +| [policy\_arn](#output\_policy\_arn) | ARN of created IAM policy | diff --git a/docs/terraform.md b/docs/terraform.md index 58270c9..e2ae0d1 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -24,6 +24,7 @@ | Name | Type | |------|------| +| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [http_http.iam_source_json_url](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | @@ -34,7 +35,9 @@ | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create\_iam\_policy](#input\_create\_iam\_policy) | If set to true will create IAM policy in AWS | `bool` | `false` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input\_description) | Description of IAM policy | `string` | `""` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | @@ -58,4 +61,5 @@ | Name | Description | |------|-------------| | [json](#output\_json) | JSON body of the IAM policy document | +| [policy\_arn](#output\_policy\_arn) | ARN of created IAM policy | From a095f8d251d27d8762594bb94ab60def29531374 Mon Sep 17 00:00:00 2001 From: Sebastian Macarescu Date: Mon, 20 Dec 2021 20:50:00 +0200 Subject: [PATCH 3/6] fix review --- main.tf | 2 +- variables.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 6265975..2c986b5 100644 --- a/main.tf +++ b/main.tf @@ -61,7 +61,7 @@ data "aws_iam_policy_document" "this" { } resource "aws_iam_policy" "policy" { - count = local.enabled && var.create_iam_policy ? 1 : 0 + count = local.enabled && var.iam_policy_enabled ? 1 : 0 name = module.this.id description = var.description diff --git a/variables.tf b/variables.tf index 442f5a3..23bfb99 100644 --- a/variables.tf +++ b/variables.tf @@ -20,10 +20,10 @@ variable "iam_policy_statements" { variable "description" { type = string description = "Description of IAM policy" - default = "" + default = null } -variable "create_iam_policy" { +variable "iam_policy_enabled" { type = bool description = "If set to true will create IAM policy in AWS" default = false From ff37a4365691ed9cb31aa3868ad60f2d36ae0fef Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Mon, 20 Dec 2021 18:51:17 +0000 Subject: [PATCH 4/6] Auto Format --- README.md | 4 ++-- docs/terraform.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b308c9b..61601af 100644 --- a/README.md 
+++ b/README.md @@ -205,12 +205,12 @@ Available targets: | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create\_iam\_policy](#input\_create\_iam\_policy) | If set to true will create IAM policy in AWS | `bool` | `false` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | Description of IAM policy | `string` | `""` | no | +| [description](#input\_description) | Description of IAM policy | `string` | `null` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [iam\_policy\_enabled](#input\_iam\_policy\_enabled) | If set to true will create IAM policy in AWS | `bool` | `false` | no | | [iam\_policy\_statements](#input\_iam\_policy\_statements) | List of IAM policy statements to use in the policy. This can be used with or instead of the `var.iam_source_json_url`. | `any` | `[]` | no | | [iam\_source\_json](#input\_iam\_source\_json) | IAM source JSON policy to use as `source_json` argument. This can be used with or instead of the `var.iam_policy_statements`. this cannot be used with `var.iam_source_json_url`. | `string` | `null` | no | | [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source JSON policy to download and use as `source_json` argument. This is useful when using a 3rd party service that provides their own policy. This can be used with or instead of the `var.iam_policy_statements`. | `string` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index e2ae0d1..44b945f 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -35,12 +35,12 @@ | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create\_iam\_policy](#input\_create\_iam\_policy) | If set to true will create IAM policy in AWS | `bool` | `false` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | Description of IAM policy | `string` | `""` | no | +| [description](#input\_description) | Description of IAM policy | `string` | `null` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [iam\_policy\_enabled](#input\_iam\_policy\_enabled) | If set to true will create IAM policy in AWS | `bool` | `false` | no | | [iam\_policy\_statements](#input\_iam\_policy\_statements) | List of IAM policy statements to use in the policy. This can be used with or instead of the `var.iam_source_json_url`. | `any` | `[]` | no | | [iam\_source\_json](#input\_iam\_source\_json) | IAM source JSON policy to use as `source_json` argument. This can be used with or instead of the `var.iam_policy_statements`. this cannot be used with `var.iam_source_json_url`. | `string` | `null` | no | | [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source JSON policy to download and use as `source_json` argument. This is useful when using a 3rd party service that provides their own policy. This can be used with or instead of the `var.iam_policy_statements`. | `string` | `null` | no | From 140ce4ebc7b5ac365df55725f9fe42e783bec34c Mon Sep 17 00:00:00 2001 From: nitrocode Date: Mon, 20 Dec 2021 14:27:41 -0500 Subject: [PATCH 5/6] Apply suggestions from code review --- main.tf | 2 +- outputs.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index c33e916..5ba98d0 100644 --- a/main.tf +++ b/main.tf @@ -61,7 +61,7 @@ data "aws_iam_policy_document" "this" { } } -resource "aws_iam_policy" "policy" { +resource "aws_iam_policy" "default" { count = local.enabled && var.iam_policy_enabled ? 1 : 0 name = module.this.id diff --git a/outputs.tf b/outputs.tf index bf965ef..259a6fa 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -5,5 +5,5 @@ output "json" { output "policy_arn" { description = "ARN of created IAM policy" - value = join("", resource.aws_iam_policy.policy.*.arn) + value = join("", aws_iam_policy.default.*.arn) } \ No newline at end of file From b2553cda820cf2e905b3ca6c5f2aaec411cc7e1b Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Mon, 20 Dec 2021 19:28:40 +0000 Subject: [PATCH 6/6] Auto Format --- README.md | 2 +- docs/terraform.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d92c389..8fecdac 100644 --- a/README.md +++ b/README.md @@ -192,7 +192,7 @@ Available targets: | Name | Type | |------|------| -| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [http_http.iam_source_json_url](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | diff --git a/docs/terraform.md b/docs/terraform.md index 44b945f..3631c5d 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -24,7 +24,7 @@ | Name | Type | |------|------| -| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [http_http.iam_source_json_url](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |