Move profiles_enabled logic out of providers.tf and into `iam-rol…

…es` (cloudposse/terraform-aws-components#702)
cloudposse-terraform-components · Jun 5, 2023 · c6e2eb2 · c6e2eb2
1 parent 03aa513
commit c6e2eb2
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 25 deletions.
diff --git a/src/modules/iam-roles/README.md b/src/modules/iam-roles/README.md
@@ -2,14 +2,15 @@
 
 This submodule is used by other modules to determine which IAM Roles
 or AWS CLI Config Profiles to use for various tasks, most commonly
-for applying Terraform plans. 
+for applying Terraform plans.
 
 ## Special Configuration Needed
 
 In order to avoid having to pass customization information through every module
 that uses this submodule, if the default configuration does not suit your needs,
-you are expected to customize `variables.tf` with the defaults you want to 
-use in your project. For example, if you are including the `tenant` label
-in the designation of your "root" account (your Organization Management Account),
-then you should modify `variables.tf` so that `global_tenant_name` defaults
-to the appropriate value.
+you are expected to add `variables_override.tf` to override the variables with
+the defaults you want to use in your project. For example, if you are not using
+"core" as the `tenant` portion of your "root" account (your Organization Management Account),
+then you should include the `variable "overridable_global_tenant_name"` declaration
+in your `variables_override.tf` so that `overridable_global_tenant_name` defaults
+to the value you are using (or the empty string if you are not using `tenant` at all).
diff --git a/src/modules/iam-roles/main.tf b/src/modules/iam-roles/main.tf
@@ -22,5 +22,6 @@ module "account_map" {
 }
 
 locals {
-  account_name = lookup(module.always.descriptors, "account_name", module.always.stage)
+  account_name     = lookup(module.always.descriptors, "account_name", module.always.stage)
+  profiles_enabled = module.account_map.outputs.profiles_enabled
 }
diff --git a/src/modules/iam-roles/outputs.tf b/src/modules/iam-roles/outputs.tf
@@ -1,5 +1,5 @@
 output "terraform_role_arn" {
-  value       = module.account_map.outputs.terraform_roles[local.account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[local.account_name]
   description = "The AWS Role ARN for Terraform to use when provisioning resources in the account, when Role ARNs are in use"
 }
 
@@ -9,7 +9,7 @@ output "terraform_role_arns" {
 }
 
 output "terraform_profile_name" {
-  value       = module.account_map.outputs.terraform_profiles[local.account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[local.account_name] : null
   description = "The AWS config profile name for Terraform to use when provisioning resources in the account, when profiles are in use"
 }
 
@@ -27,17 +27,17 @@ output "org_role_arn" {
 }
 
 output "global_tenant_name" {
-  value       = var.global_tenant_name
+  value       = var.overridable_global_tenant_name
   description = "The `null-label` `tenant` value used for organization-wide resources"
 }
 
 output "global_environment_name" {
-  value       = var.global_environment_name
+  value       = var.overridable_global_environment_name
   description = "The `null-label` `environment` value used for regionless (global) resources"
 }
 
 output "global_stage_name" {
-  value       = var.global_stage_name
+  value       = var.overridable_global_stage_name
   description = "The `null-label` `stage` value for the organization management account (where the `account-map` state is stored)"
 }
 
@@ -50,22 +50,22 @@ output "current_account_account_name" {
 }
 
 output "dns_terraform_role_arn" {
-  value       = module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.dns_account_account_name]
   description = "The AWS Role ARN for Terraform to use to provision DNS Zone delegations, when Role ARNs are in use"
 }
 
 output "dns_terraform_profile_name" {
-  value       = module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.dns_account_account_name] : null
   description = "The AWS config profile name for Terraform to use to provision DNS Zone delegations, when profiles are in use"
 }
 
 output "audit_terraform_role_arn" {
-  value       = module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.audit_account_account_name]
   description = "The AWS Role ARN for Terraform to use to provision resources in the \"audit\" role account, when Role ARNs are in use"
 }
 
 output "audit_terraform_profile_name" {
-  value       = module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.audit_account_account_name] : null
   description = "The AWS config profile name for Terraform to use to provision resources in the \"audit\" role account, when profiles are in use"
 }
 
@@ -75,26 +75,26 @@ output "identity_account_account_name" {
 }
 
 output "identity_terraform_role_arn" {
-  value       = module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.terraform_roles[module.account_map.outputs.identity_account_account_name]
   description = "The AWS Role ARN for Terraform to use to provision resources in the \"identity\" role account, when Role ARNs are in use"
 }
 
 output "identity_terraform_profile_name" {
-  value       = module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.terraform_profiles[module.account_map.outputs.identity_account_account_name] : null
   description = "The AWS config profile name for Terraform to use to provision resources in the \"identity\" role account, when profiles are in use"
 }
 
 output "identity_cicd_role_arn" {
-  value       = module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
+  value       = local.profiles_enabled ? null : module.account_map.outputs.cicd_roles[module.account_map.outputs.identity_account_account_name]
   description = "(Deprecated) The AWS Role ARN for CI/CD tools to assume to gain access to other accounts, when Role ARNs are in use"
 }
 
 output "identity_cicd_profile_name" {
-  value       = module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name]
+  value       = local.profiles_enabled ? module.account_map.outputs.cicd_profiles[module.account_map.outputs.identity_account_account_name] : null
   description = "(Deprecated) The AWS config profile name for CI/CD tools to assume to gain access to other accounts, when profiles are in use"
 }
 
 output "profiles_enabled" {
-  value       = module.account_map.outputs.profiles_enabled
+  value       = local.profiles_enabled
   description = "When true, use AWS config profiles in Terraform AWS provider configurations. When false, use Role ARNs."
 }
diff --git a/src/modules/iam-roles/variables.tf b/src/modules/iam-roles/variables.tf
@@ -4,20 +4,24 @@ variable "privileged" {
   default     = false
 }
 
-variable "global_tenant_name" {
+## The overridable_* variables in this file provide Cloud Posse defaults.
+## Because this module is used in bootstrapping Terraform, we do not configure
+## these inputs in the normal way. Instead, to change the values, you should
+## add a `variables_override.tf` file and change the default to the value you want.
+variable "overridable_global_tenant_name" {
   type        = string
   description = "The tenant name used for organization-wide resources"
   default     = "core"
 }
 
-variable "global_environment_name" {
+variable "overridable_global_environment_name" {
   type        = string
   description = "Global environment name"
   default     = "gbl"
 }
 
-variable "global_stage_name" {
+variable "overridable_global_stage_name" {
   type        = string
-  description = "The stage name for the organization management account (where the `accout-map` state is stored)"
+  description = "The stage name for the organization management account (where the `account-map` state is stored)"
   default     = "root"
 }