
Terraform module to create a TFC workspace for resources in an AWS account.


schubergphilis/terraform-aws-mcaf-workspace


terraform-aws-mcaf-workspace

This module uses the terraform-tfe-mcaf-workspace module to create a Terraform Cloud workspace and extends it to manage AWS resources. It does this by creating either an IAM user or an IAM role in the target account and adding the corresponding credentials (or role details) to the workspace.

Usage

Team access

This module supports granting an existing team access to the created workspace.

To do this, pass a map to var.team_access keyed by team name, where each value sets either access (a pre-existing role) or permissions (a custom role) for that team on the workspace.

Example using a pre-existing role (see this link for allowed values):

team_access = {
  "MyTeamName" = {
    access = "write"
  }
}

Example using a custom role (see this link for a list of keys and their allowed values):

team_access = {
  "MyTeamName" = {
    permissions = {
      run_tasks         = false
      runs              = "apply"
      sentinel_mocks    = "read"
      state_versions    = "read-outputs"
      variables         = "write"
      workspace_locking = true
    }
  }
}

The above custom role is similar to the "write" pre-existing role, but blocks access to the workspace state (which is considered sensitive).
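The following is an added example (not from the module's README) showing the pieces above combined in one module call: OIDC-based role assumption so no long-lived AWS keys are stored in the workspace, a permissions boundary on the pipeline role, and the custom team role that keeps raw state out of reach. The registry source path, the `var.*` inputs and all names and ARNs are assumed or constructed values.

```hcl
# Added example: wires a TFC workspace to an AWS account with short-lived OIDC
# credentials and restricts team access to workspace outputs rather than full state.
module "network_workspace" {
  source = "schubergphilis/mcaf-workspace/aws" # assumed registry path, verify before use

  name                   = "network-prod"                # constructed
  terraform_organization = "example-org"                 # constructed
  oauth_token_id         = var.tfc_oauth_token_id        # assumed caller input (VCS OAuth token)
  repository_identifier  = "example-org/network-prod"    # constructed
  branch                 = "main"
  working_directory      = "terraform"

  # auth_method defaults to iam_role_oidc: TFC presents a workload identity token
  # and the account's OIDC provider trusts it, so no access keys are created.
  auth_method = "iam_role_oidc"
  oidc_settings = {
    # Placeholder account ID; audience and site_address keep their defaults.
    provider_arn = "arn:aws:iam::123456789012:oidc-provider/app.terraform.io"
  }

  role_name                = "tfc-network-prod"
  permissions_boundary_arn = var.pipeline_permissions_boundary_arn # assumed input; caps the role
  policy                   = var.pipeline_policy_json              # assumed input; least-privilege policy
  region                   = "eu-west-1"

  # Custom team role: equivalent to "write" except state_versions = "read-outputs",
  # so members can apply runs but cannot download the raw (sensitive) state file.
  team_access = {
    "network-engineers" = {
      permissions = {
        run_tasks         = false
        runs              = "apply"
        sentinel_mocks    = "read"
        state_versions    = "read-outputs"
        variables         = "write"
        workspace_locking = true
      }
    }
  }

  # Secrets go in the sensitive map so TFC stores them write-only.
  sensitive_env_variables = {
    TF_VAR_db_password = var.db_password # assumed caller input
  }

  workspace_tags = ["network", "prod"]
}
```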

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 4.0.0 |
| random | >= 3.0.0 |
| tfe | >= 0.51.0 |

Providers

| Name | Version |
|------|---------|
| random | >= 3.0.0 |
| tfe | >= 0.51.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| tfe-workspace | schubergphilis/mcaf-workspace/tfe | ~> 2.0 |
| workspace_iam_role | schubergphilis/mcaf-role/aws | ~> 0.4.0 |
| workspace_iam_role_oidc | schubergphilis/mcaf-role/aws | ~> 0.4.0 |
| workspace_iam_user | schubergphilis/mcaf-user/aws | ~> 0.4 |

Resources

| Name | Type |
|------|------|
| random_uuid.external_id | resource |
| tfe_team_access.default | resource |
| tfe_variable.aws_access_key_id | resource |
| tfe_variable.aws_assume_role | resource |
| tfe_variable.aws_assume_role_external_id | resource |
| tfe_variable.aws_secret_access_key | resource |
| tfe_variable.tfc_aws_provider_auth | resource |
| tfe_variable.tfc_aws_run_role_arn | resource |
| tfe_variable.tfc_aws_workload_identity_audience | resource |
| tfe_team.default | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | A name for the Terraform workspace | `string` | n/a | yes |
| oauth_token_id | The OAuth token ID of the VCS provider | `string` | n/a | yes |
| terraform_organization | The Terraform Enterprise organization to create the workspace in | `string` | n/a | yes |
| agent_pool_id | Agent pool ID, requires "execution_mode" to be set to agent | `string` | `null` | no |
| agent_role_arns | IAM role ARNs used by Terraform Cloud Agent to assume role in the created account | `list(string)` | `null` | no |
| allow_destroy_plan | Whether destroy plans can be queued on the workspace | `bool` | `true` | no |
| assessments_enabled | Whether to regularly run health assessments such as drift detection on the workspace | `bool` | `true` | no |
| auth_method | Configures how the workspace authenticates with the AWS account (can be iam_user, iam_role, or iam_role_oidc) | `string` | `"iam_role_oidc"` | no |
| auto_apply | Whether to automatically apply changes when a Terraform plan is successful | `bool` | `false` | no |
| auto_apply_run_trigger | Whether to automatically apply changes for runs that were created by run triggers from another workspace | `bool` | `false` | no |
| branch | The git branch to trigger the TFE workspace for | `string` | `"main"` | no |
| clear_text_env_variables | An optional map with clear text environment variables | `map(string)` | `{}` | no |
| clear_text_hcl_variables | An optional map with clear text HCL Terraform variables | `map(string)` | `{}` | no |
| clear_text_terraform_variables | An optional map with clear text Terraform variables | `map(string)` | `{}` | no |
| description | A description for the workspace | `string` | `null` | no |
| execution_mode | Which execution mode to use | `string` | `"remote"` | no |
| file_triggers_enabled | Whether to filter runs based on the changed files in a VCS push | `bool` | `true` | no |
| global_remote_state | Allow all workspaces in the organization to read the state of this workspace | `bool` | `null` | no |
| notification_configuration | Notification configuration, using name as key and config as value | `map(object({ destination_type = string, enabled = optional(bool, true), url = string, triggers = optional(list(string), ["run:created", "run:planning", "run:needs_attention", "run:applying", "run:completed", "run:errored"]) }))` | `{}` | no |
| oidc_settings | OIDC settings to use if "auth_method" is set to "iam_role_oidc" | `object({ audience = optional(string, "aws.workload.identity"), provider_arn = string, site_address = optional(string, "app.terraform.io") })` | `null` | no |
| path | Path in which to create the IAM role or user | `string` | `null` | no |
| permissions_boundary_arn | ARN of the policy that is used to set the permissions boundary for the IAM role or IAM user | `string` | `null` | no |
| policy | The policy to attach to the pipeline role or user | `string` | `null` | no |
| policy_arns | A set of policy ARNs to attach to the pipeline user | `set(string)` | `[]` | no |
| project_id | ID of the project where the workspace should be created | `string` | `null` | no |
| queue_all_runs | When set to false no initial run is queued and all runs triggered by a webhook will not be queued, necessary if you need to set variable sets after creation | `bool` | `true` | no |
| region | The default region of the account | `string` | `null` | no |
| remote_state_consumer_ids | A set of workspace IDs set as explicit remote state consumers for this workspace | `set(string)` | `null` | no |
| repository_identifier | The repository identifier to connect the workspace to | `string` | `null` | no |
| role_name | The IAM role name for a new pipeline role | `string` | `null` | no |
| sensitive_env_variables | An optional map with sensitive environment variables | `map(string)` | `{}` | no |
| sensitive_hcl_variables | An optional map with sensitive HCL Terraform variables | `map(object({ sensitive = string }))` | `{}` | no |
| sensitive_terraform_variables | An optional map with sensitive Terraform variables | `map(string)` | `{}` | no |
| ssh_key_id | The SSH key ID to assign to the workspace | `string` | `null` | no |
| tags | A mapping of tags to assign to resource | `map(string)` | `null` | no |
| team_access | Map of team names and either type of fixed access or custom permissions to assign | `map(object({ access = optional(string, null), permissions = optional(object({ run_tasks = bool, runs = string, sentinel_mocks = string, state_versions = string, variables = string, workspace_locking = bool }), null) }))` | `{}` | no |
| terraform_version | The version of Terraform to use for this workspace | `string` | `"latest"` | no |
| trigger_patterns | List of glob patterns that describe the files Terraform Cloud monitors for changes. Trigger patterns are always appended to the root directory of the repository. Mutually exclusive with trigger-prefixes | `list(string)` | `null` | no |
| trigger_prefixes | List of repository-root-relative paths which should be tracked for changes | `list(string)` | `["modules"]` | no |
| username | The username for a new pipeline user | `string` | `null` | no |
| variable_set_ids | Map of variable set ids to attach to the workspace | `map(string)` | `{}` | no |
| working_directory | A relative path that Terraform will execute within | `string` | `"terraform"` | no |
| workspace_tags | A list of tag names for this workspace. Note that tags must only contain lowercase letters, numbers, colons, or hyphens | `list(string)` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| arn | The workspace IAM user ARN |
| workspace_id | The Terraform Cloud workspace ID |
| workspace_name | The Terraform Cloud workspace name |