feat: Create group with optional assumable roles #481
Closed
Description
Add create_group to iam-group-with-assumable-roles-policy
Motivation and Context
Sorry this is a bit long, because I need to show by example.
Currently, iam-group-with-policies has create_group but iam-group-with-assumable-roles-policy does not, yet iam-group-with-assumable-roles-policy fails plan if its list of assumable roles is empty. We need IAM groups that can have policies and optionally have assumable roles, which from your master branch, we achieved by using the iam-group-complete example as basis and editing:
This has a local because the expression would otherwise be used in 3 places, it has a module count, and conditional logic on 2 attributes of the group-with-policies.
Sufficient code to achieve same on PR branch, where create_group is available on the iam-group-with-assumable-roles-policy:
No local, count, or logic. It is clean and simple to understand what is happening for anyone maintaining this code.
Note: I alternatively considered extending the iam-group-with-assumable-roles-policy module to allow an empty list of roles instead of create_group. However, I believe it is more natural to think of the "basic" group as a group with policies (when do you ever have a group without at least one policy!), and assumable roles as extra for the subset of groups where members need ability to assume roles.
That being said, the iam-group-with-policies has create_group AND supports empty list of policies, why shouldn't iam-group-with-assumable-roles-policy have both too? In this PR, I only implemented create_group.
Breaking Changes
None, at least for Terraform 1.1+ since even in 1.1 it had the ability to auto propose resource -> resource[0] after adding a count to an existing resource, which is what happened here for the aws_iam_group.this. None of the existing examples break, as I verified for Terraform 1.8 as explained below.
How Has This Been Tested?
examples/* to demonstrate and validate my change(s)
examples/* projects
pre-commit run -a on my pull request
I verified by terraform apply on master with tf 1.8, then switching to my branch and running terraform plan: Terraform auto-detects the need for some moves and plans no changes; this is a documented feature.