feat: grant permissions for s3 native state locking to IAM Roles for tfmigrate (#266)
suzuki-shunsuke authored Dec 7, 2024
1 parent de1e9b4 commit 0c21354
Showing 3 changed files with 22 additions and 2 deletions.
10 changes: 8 additions & 2 deletions README.md
Expand Up @@ -62,6 +62,7 @@ No modules.
| Name | Type |
|------|------|
| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
| [aws_iam_policy.lock_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.put_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.put_tfmigrate_history](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.read_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
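Review bot: the new `aws_iam_policy.lock_terraform_state` row in the Resources table has no matching policy definition in this commit's .tf changes; only the two tfmigrate attachments are added, and both reference `aws_iam_policy.lock_terraform_state[0].arn`, so the policy must already exist in the module and this table was stale before the change. Regenerating the terraform-docs output in CI, or as a pre-commit check, would keep the Resources table from drifting from the code.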
Expand All @@ -70,18 +71,23 @@ No modules.
| [aws_iam_role.terraform_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.tfmigrate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.tfmigrate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.terraform_apply_lock_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.terraform_apply_put_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.terraform_apply_read_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.terraform_plan_lock_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.terraform_plan_read_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfmigrate_apply_lock_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfmigrate_apply_put_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfmigrate_apply_put_tfmigrate_history](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfmigrate_apply_read_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfmigrate_apply_read_tfmigrate_history](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfmigrate_plan_lock_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfmigrate_plan_read_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfmigrate_plan_read_tfmigrate_history](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role_policy_main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.assume_role_policy_pr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.lock_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.put_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.put_tfmigrate_history](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.read_terraform_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
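Review bot: the `terraform_apply_lock_terraform_state` and `terraform_plan_lock_terraform_state` attachments appear in this table but are not added by this commit, which only adds the `tfmigrate_apply_lock_terraform_state` and `tfmigrate_plan_lock_terraform_state` attachments, so like the policy row above they were missing from the README until this regeneration; the commit title accurately describes the narrower .tf change. Nothing to change in the hunk itself, but README regeneration belongs in the same commit as the code it documents, otherwise a docs-only diff like this one is hard to review against the stated purpose.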
Expand All @@ -91,8 +97,8 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_assume_role_policy_main_conditions"></a> [assume\_role\_policy\_main\_conditions](#input\_assume\_role\_policy\_main\_conditions) | n/a | <pre>list(object({<br> test = string<br> variable = string<br> values = list(string)<br> }))</pre> | `null` | no |
| <a name="input_assume_role_policy_pr_conditions"></a> [assume\_role\_policy\_pr\_conditions](#input\_assume\_role\_policy\_pr\_conditions) | n/a | <pre>list(object({<br> test = string<br> variable = string<br> values = list(string)<br> }))</pre> | `null` | no |
| <a name="input_assume_role_policy_main_conditions"></a> [assume\_role\_policy\_main\_conditions](#input\_assume\_role\_policy\_main\_conditions) | n/a | <pre>list(object({<br/> test = string<br/> variable = string<br/> values = list(string)<br/> }))</pre> | `null` | no |
| <a name="input_assume_role_policy_pr_conditions"></a> [assume\_role\_policy\_pr\_conditions](#input\_assume\_role\_policy\_pr\_conditions) | n/a | <pre>list(object({<br/> test = string<br/> variable = string<br/> values = list(string)<br/> }))</pre> | `null` | no |
| <a name="input_create_oidc_provider"></a> [create\_oidc\_provider](#input\_create\_oidc\_provider) | n/a | `bool` | `false` | no |
| <a name="input_main_branch"></a> [main\_branch](#input\_main\_branch) | n/a | `string` | `"main"` | no |
| <a name="input_name"></a> [name](#input\_name) | n/a | `string` | n/a | yes |
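Review bot: the `<br>` to `<br/>` change in the Inputs table is a terraform-docs formatting change unrelated to state locking; it is harmless but would be cleaner in its own commit so the docs diff matches the commit message. Separately, `assume_role_policy_main_conditions` and `assume_role_policy_pr_conditions` still show `n/a` for Description; since these conditions are what restrict which GitHub OIDC identities may assume the roles, adding a `description` to those variables (which terraform-docs picks up) would document the trust boundary, for example that the values are extra `Condition` blocks appended to the role trust policy.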
7 changes: 7 additions & 0 deletions iam_role_tfmigrate_apply.tf
Expand Up @@ -28,3 +28,10 @@ resource "aws_iam_role_policy_attachment" "tfmigrate_apply_put_terraform_state"
role = aws_iam_role.tfmigrate_apply.name
policy_arn = aws_iam_policy.put_terraform_state[0].arn
}

resource "aws_iam_role_policy_attachment" "tfmigrate_apply_lock_terraform_state" {
count = var.s3_bucket_terraform_state_name == "" ? 0 : 1

role = aws_iam_role.tfmigrate_apply.name
policy_arn = aws_iam_policy.lock_terraform_state[0].arn
}
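Review bot: the `count = var.s3_bucket_terraform_state_name == "" ? 0 : 1` guard on the new attachment repeats the condition that gates `aws_iam_policy.lock_terraform_state`; if the two ever diverge, the `[0]` index on the policy fails at plan time. A single shared local evaluated once and used by the policy and every attachment that references it would keep them in step. The same copied condition already appears on `tfmigrate_apply_put_terraform_state` just above, so this is a module-wide cleanup rather than a blocker for this change.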
7 changes: 7 additions & 0 deletions iam_role_tfmigrate_plan.tf
Expand Up @@ -16,3 +16,10 @@ resource "aws_iam_role_policy_attachment" "tfmigrate_plan_read_terraform_state"
role = aws_iam_role.tfmigrate_plan.name
policy_arn = aws_iam_policy.read_terraform_state[0].arn
}

resource "aws_iam_role_policy_attachment" "tfmigrate_plan_lock_terraform_state" {
count = var.s3_bucket_terraform_state_name == "" ? 0 : 1

role = aws_iam_role.tfmigrate_plan.name
policy_arn = aws_iam_policy.lock_terraform_state[0].arn
}
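Review bot: attaching the lock policy to `tfmigrate_plan` is needed, because `terraform plan` takes the state lock by default and tfmigrate drives terraform underneath, but it widens a role that in this file otherwise holds only `read_terraform_state`. Before merging, check that `aws_iam_policy_document.lock_terraform_state` is scoped to the lock object the S3 backend writes beside the state (the `.tflock` key) and does not grant `s3:PutObject` or `s3:DeleteObject` on the state key itself; if this plan role is the one assumable from pull requests (`assume_role_policy_pr`), an over-broad lock policy would let a PR-triggered plan modify state.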
